
Yates and the Trends in Compliance

By Edmo Colnaghi Neves

Over the last two decades, the DOJ, the US Department of Justice, has been investigating and imposing very high fines on
companies that are in some way subject to the FCPA (Foreign Corrupt Practices Act) and that violate this statute by
committing acts of corruption abroad.

The penalties imposed on companies have run to hundreds of millions of dollars, among other sanctions, and they reach
legal entities that, for one reason or another, must submit to this statute. The reasons vary: they are not limited to
US companies but also include companies that are listed on the New York Stock Exchange or operate in US territory,
among other reasons.

A few months ago, the DOJ’s Attorney General, Sally Yates, issued a Memorandum setting out the agency’s new direction,
which became known as the Yates Memo. Its subject is the accountability of individuals for wrongdoing committed in the
course of companies’ business dealings, and it establishes a new focus for investigations and punishment: the
executives and other employees who commit or take part in such wrongdoing within companies.

Just as the advent of the Brazilian Anti-Corruption Law, or Clean Company Law, resulted from several influences (to
offer a brief historical reading here), such as Brazil’s commitment to certain OECD initiatives, it is likewise
possible that the new guidelines set out in the Yates Memo will have repercussions here in the future. It is worth
remembering that the Anti-Corruption Law itself, while establishing strict liability for companies, preserves in one of
its paragraphs the fault-based liability of managers, without going into further detail, however.

The Memo opens by stressing what is already well known: corporations are legal fictions, and the wrongdoing within them
is committed by individuals who have the autonomy and free will to commit it. That being so, nothing is more effective
than directing investigations and punishment at individuals.

It stresses, however, that the challenge is enormous, given that in large companies decisions are often made at several
hierarchical levels, each bearing a share of the blame; that knowledge of the wrongdoing is also, at times, diffuse;
and that the evidence that can support punishment is spread across thousands of documents that must be carefully
analyzed to reconstruct the facts, in addition to the various legal restrictions on gaining access to such documents.

The fact is that the DOJ has set up a task force, including prosecutors specialized in civil matters as well as
prosecutors specialized in criminal matters, to work jointly and with a constant exchange of information in order to
meet this challenge of prosecuting the individuals in companies who commit corruption-related wrongdoing.

The Memo makes clear that companies that are unwilling to disclose such information, placing restrictions on data about
senior executives or long-serving executives or imposing any other kind of limitation on information about people, will
not obtain the settlement they seek with the DOJ and therefore will not receive the corresponding benefits.

It is argued that these new guidelines bring, among other benefits, the development of companies’ Compliance Programs,
since successful Programs are those in which the tone from leadership is strong, evident and clear, and the prosecution
of individuals will encourage such initiatives by the professionals who lead companies.

In November 2012 the DOJ and the SEC (Securities and Exchange Commission) had already published a guide to the FCPA
setting out the details of an effective Compliance Program, which already stressed that, in a business organization,
Compliance begins with the Board of Directors and senior management setting the appropriate tone for the company’s
other decision-making levels.

The Memo highlights six fundamental principles for strengthening the DOJ’s investigation of individuals: 1. To be
eligible for the benefits of a settlement, the company must identify all the individuals involved, regardless of their
position; 2. Civil and criminal investigations must focus on individuals from the outset; 3. There must be continuous
communication between civil and criminal prosecutors during the investigation.

The remaining Principles establish that: 4. Absent extraordinary circumstances, the DOJ will not release individuals
from civil and criminal penalties when resolving a matter with the company; 5. Matters involving companies may not be
concluded without an established plan regarding sanctions on individuals; and 6. Civil prosecutors must maintain a
consistent focus on both companies and individuals and assess their ability to pay fines and damages.

Brazilian legislation certainly already had mechanisms for dealing with the liability of managers and the corresponding
penalties before the advent of the Anti-Corruption Law, as can be seen in the Corporations Law and the Penal Code, for
example, and the new law reinforced and broadened the subject; but that is not all we are dealing with here.

These guidelines from the Memo may directly affect Brazilian companies that operate in US territory, that are listed on
the New York Stock Exchange, or that are directly bound by the FCPA for various other reasons, such as doing business
with US banks, for example.

The Memo not only establishes new guidelines but also changes, in practical terms, the stance of investigations and the
positions taken in settlements with the DOJ. Finally, it should be stressed that these guidelines and stances may in
the future influence rules and investigations in this country in practical terms, as happened with the commitment made
in the past to the OECD’s policies.

Edmo Colnaghi Neves holds a Master’s degree and a Doctorate in Public Law and is a Founding Associate of the Instituto
Compliance Brasil.

Ethics and compliance programs in a global and Brazilian context: the six principles of compliance

In determining what may be required for a Brazilian-based company for anti-corruption compliance, attention must be given
to global anti-corruption compliance practices. Among the considerations should be the best practices guidelines of the
OECD and other international organizations as well as the anti-corruption legislation, regulations and guidance of the
jurisdictions in which a Brazilian company may be doing business.

A common framework exists in most countries that have implemented legislation as a party to the OECD Anti-Bribery
Convention. Examples include the FCPA and the US Sentencing Guidelines; the UK Bribery Act and its Ministry of Justice’s
Guidance for Commercial Organisations; the French anti-corruption laws and the French Central Service for the Prevention
of Corruption Guidelines; and, of course, Brazil’s laws on corruption, such as Law 12.846/16, Brazil’s Company Clean
Act, its Decree 8.420/15, normatives, and related instructions and regulations.

Although there may be peculiarities unique to each jurisdiction, all of these new laws are similar in what they expect in an
ethics and compliance program (E&C Program). If a Brazilian company really follows the new law in Brazil, it is likely to
be in compliance with US and UK law. If a company complies with the FCPA and the UK Bribery Act, they will be in
compliance with most anti-bribery laws in most of the world. But for Brazil, they will still need to cover additional issues to
be in compliance with anti-corruption laws in Brazil.

Any E&C Program must, at the very least, address what may be referred to as the Six Principles of Compliance. Although
these Six Principles are not legally binding in most situations, they reflect the hallmarks of an effective E&C Program. A
company’s E&C Program is an important part of the negotiations as to the disposition of an investigation. Even if an E&C
Program does not detect or prevent prohibited conduct, an effective program can result in a declination or lessen penalties
and consequences.

Here are the Six Principles common to an effective global E&C Program:

1. Top-Level Commitment

The tone at the top from the highest level of management is the most critical component of an effective E&C Program.
Top-level commitment means “Walking the Walk” and not just “Talking the Talk.” Legal compliance is not limited to one
individual or one group of individuals within a company. It extends to boards of directors, audit committees, and others in
senior positions within the company or its governing boards or committees.

The commitment from senior management is directly reflected in the behavior and actions of middle management. The tone
at the top must reinforce ethics and compliance as drivers of a culture of compliance throughout the company.

The effectiveness of top-level commitment will also be measured by whether adequate funding and necessary resources are
provided for compliance. Compliance officials must have “appropriate” stature within the company as well as adequate
independence and autonomy, including the ability to report directly to senior management, the board of directors, or any
audit committee or similar entities with oversight functions.

2. Proportionate Procedures

Companies must design, implement, and enforce policies and procedures that are tailored to their structure and to the nature
of their corruption risks. Many different factors need to be considered in determining how best to develop a company’s
policies and procedures. Such things as sectorial risk, geographical areas of activity, the kind of business, the size of the
company, and how the company is organized are among the many factors that need to be taken into consideration.

The E&C Program should provide ways to motivate middle management. An effective form of whistleblowing system
needs to be created that provides a non-retaliation policy and available channels to encourage and motivate employees who
speak up. An E&C Program should provide channels for seeking guidance. Companies should also have in place adequate
policies and procedures to handle the information in a proper manner. Companies receive information from countless
sources. The inflow of information can be overwhelming. The policies and procedures should ensure that information is
carefully considered on a timely basis. Mishandling information can severely harm a company.

3. Risk Assessment

A risk-based approach is a hallmark of an effective E&C Program. Brazil adopted the risk-based approach in its guidelines.
The effectiveness of an E&C Program will be judged by the degree to which it evaluates compliance risks in its
decision-making process. Companies must have an ongoing process of assessing their actual risks and the impact of a particular risk.

It is important that an E&C program be tailored not just to address legal risks. The E&C Program must be designed to deter
and prevent employee or third party misconduct, whether or not the misconduct constitutes a violation of law. As part of
this process of assessing risk, companies need to take steps to mitigate risks within their own organizations. Whether it be a
segregation of functions, altering the assignment responsibility, or taking a number of other measures, much can be done to
lessen the likelihood of a violation.

4. Due Diligence

On an ongoing basis, companies need to reexamine their risk assessment process to ensure that it is focused on relevant
risks. Too many companies focus on the risk of a legal enforcement action or the likelihood of being caught. Instead, the
risk assessment process should focus on the underlying conduct itself. Effective due diligence should include instances
when a company decides not to engage an agent or distributor.

Much has been written about how to conduct an internal investigation. Not as much has been written about the steps leading
to an internal investigation. Difficult judgment calls can arise when determining whether to launch an internal investigation.
In many respects, it is much like a preliminary inquiry to determine whether to launch a formal investigation.

As part of the due diligence process, agreements with third parties should include clauses that address compliance concerns.
The “standard” clauses include representations and warranties that the agent or distributor: (1) has not in the past,
and will not in the future violate anti-corruption laws; (2) is not affiliated with any government official (directly or through
a close family member); (3) will permit access to the company to conduct audits when needed to ensure compliance with
corruption laws and contractual requirements; (4) can be terminated if the company has reason to believe that the agent or
distributor has violated (or intends to violate) an anti-corruption law, and (5) will check and address conflicts of interests on
an ongoing basis.

5. Communication and Training

A zero-tolerance policy on corrupt practices must be clearly conveyed within and outside the company. Senior management
must ensure that its leaders provide strong, explicit, and visible support for corporate compliance policies. Communications
and other messaging must reinforce and promote compliance policies through in-person meetings, emails, telephone calls,
incentives, and bonuses.

Anyone who may be potentially exposed to corruption situations must be trained to understand what characterizes
corruption, the risks associated with corruption, and the best practices to prevent corruption.

Comprehensive policies and procedures will not by themselves demonstrate an effective E&C program. To be effective, the
policies and procedures must still be actively enforced, must promote awareness and understanding of the E&C Program’s
purpose and importance, emphasize personal accountability and responsibility, and integrate company values into a
framework for employee decision-making.

6. Monitoring and Review


A company should regularly review its compliance program to ensure that it is kept current for addressing evolving risks
and circumstances. Appropriate controls must be put in place to ensure that the corruption-prevention policies are properly
enforced. Mechanisms must also be put in place to incentivize compliance and discipline violations.

A company should “sensitize” its third parties to the company’s expectation of compliance with its policies. A company
must take action if a partner or third-party acting on its behalf fails to abide by its policies.

Conclusion – Preventive v. Curative Action

These Six Principles are the hallmarks of an effective E&C program. Companies with a culture that focuses on values, risk
management, and innovation are more likely to succeed. Similarly, the independence of compliance officials is critical to
the effectiveness of an E&C Program.

The most important role of compliance is to prevent and deter fraud and non-compliant behavior. It is essential that
compliance officials be involved before major business decisions are made. More successful programs are those where
management and compliance officials have built ethics and compliance into the regular functioning of their companies as
opposed to just another layer of controls.

Successful E&C Programs echo the clear tone at the top and help reinforce the even more important tone in the middle.
These people celebrate the ethical leadership that they embody. They outbehave, and they outperform. They work together
to help to accomplish their goals in a compliant manner.

In short:

• Set the Program Goals:
    • Increase employee comfort with speaking up;
    • Ensure employees use the company values as a framework for decision making;
    • Strengthen the ethical culture;
    • Improve risk management capabilities;
    • Strengthen ethical leadership;
    • Meet all regulatory requirements for effective E&C Programs and best practices; and,
    • Improve third-party oversight and management.
• Set the Education and Communication Goals:
    • Reinforce the code of conduct, ethical standards, and company policy;
    • Promote awareness and understanding of the E&C Program’s purpose and importance;
    • Emphasize personal accountability and responsibility;
    • Influence employee behavior and the ethical climate in the organization;
    • Promote alignment between core values and day-to-day operations; and,
    • Integrate company values as a framework for company decision-making.

Less effective E&C Programs are led by those who check their boxes and look away. As a practical matter, all they create is
a paper program in the hope of mitigating a penalty that may be imposed at some future date.

In contrast, effective E&C Programs are led by those who hit their marks and lean in. Effective ethics and compliance
leaders set ambitious goals, seek useful resources, and use rigorous metrics to inspire change and elevate behavior. They
weave their programs through their companies to enhance the effectiveness of the E&C Program.

Written by Renata Fonseca de Andrade.

Brazil’s continuing corruption problem

When Petrobras was named the most ethical global oil and gas company in 2008, few would have imagined that the
company would now find itself at the centre of the biggest corruption investigation in Brazilian history.

But a criminal probe is indeed continuing into alleged corruption at Brazil’s largest business.

A number of directors at state-run Petrobras are accused of taking bribes from construction companies, in return for
awarding them lucrative contracts.

Public prosecutors and federal police claim that bribes of up to 5% of contract values were being skimmed off.

And it is further alleged that some of these funds were funnelled to officials in the ruling coalition of the Workers’ Party and
Brazilian Democratic Movement Party.

In the wake of the continuing investigation, the federal prosecutor’s office has launched a three-month, economy-wide
anti-corruption campaign, including increased punishments for those found guilty, and improvements to the recovery of the
proceeds of crime.

But as the Petrobras scandal continues to dominate the headlines in Brazil, how much of a corruption problem does the
country have?

‘Preach and act’

The Petrobras investigation, named Operation Lava Jato (or Car Wash in English), may be the biggest corruption probe in
Brazil’s history, but it is far from the first.

Instead, for many commentators, corruption is endemic and institutionalised in Brazil.

Take the case of former billionaire Eike Batista, once the richest man in the country.

He fell from grace last year after his energy, mining and shipbuilding empire collapsed, and he was charged with insider
trading and market manipulation, charges he denies. Standing trial this year, the case was suspended back in February after
the presiding judge – who had ordered the seizure of 1.5bn reals ($388m; £252m) of the businessman’s assets – was found
to be driving one of Mr Batista’s luxury cars.

Separately, Mr Batista, 58, who was once worth as much as $30bn (£20bn), was fined 1.4m Brazilian reals in March by
regulators for failing to alert investors about the imminent takeover of his EBX Group.

Meanwhile, both Brazilian investigators, and the US’s FBI, are continuing to investigate allegations of corruption at last
year’s World Cup in Brazil.

“Unfortunately, despite the importance and the recurrence of the subject, ethics is not yet in fact valued by a large number
of companies operating in Brazil,” says Douglas Linhares Flinto, founder and president of the Brazilian Institute of
Business Ethics.

A non-profit pressure group, it was set up back in 2003.

Mr Flinto adds: “Many businesses can talk about ethics, and even highlight it in the list of the company’s values hung on
the wall and emphasized on the website.

“However, corporate actions prove that ethics is not a value to be pursued and used on a daily basis.

“And this is the biggest problem of the business world – the inconsistency in which many companies preach and act.”

‘Mitigate risk’

One of the factors behind prevalent corruption in Brazil is the high level of bureaucracy in the country, according to
Transparency International, the global organisation that monitors the problem. It says that companies in Brazil face a
number of regulatory hurdles to do business, which opens up opportunities for bribery.

Separately, a 2009 survey by the World Bank Group found that almost 70% of Brazilian business owners and managers said
corruption was a major obstacle.

Yet despite such findings, the Brazilian government says it is working hard to tackle the issue.

It points to a new Anti-Corruption Law that came into force last year, and highlights the continuing investigations into
Petrobras and Mr Batista as a sign of the renewed efforts. Inspired by the new law, a think tank called the Brazil
Compliance Institute was set up last December by lawyer Sylvia Urquiza.

It aims to promote best practice and help companies meet their duties under the new regulations, and has been backed by the
International Business School of Sao Paulo and Candido Mendes University.

Google’s compliance director, Camila von Ancken, and Ana Leao, compliance manager at global drinks giant Diageo are
among the experts who have worked with the institute.

Mrs Urquiza says: “Managers’ accountability for irregularities committed in the name of the company, attitudes that can
mitigate punishment, suggestions of good practices… are some of the points that the institute clarifies.

“[We do this] through workshops, lectures and meetings.”

Petrobras has also increased efforts to prevent misconduct, and late last year issued a new code of conduct. It has also
developed ethics courses for staff, as well as introducing more stringent controls on the management of suppliers.

A Petrobras spokeswoman says: “[Supplier] companies must provide detailed information on structure, finance and
compliance mechanisms and combating fraud and corruption, among other things, being evaluated by the process known as
Due Diligence of Integrity.”

“The aim is to increase safety on the procurement of goods and services and mitigate risks related to fraud and corrupt
practices.”

Back at the Brazilian Institute of Business Ethics, Mr Flinto says that despite the recent controversies, he is hopeful that the
country may now be changing for the better, and that the recent high profile scandals will lead to better standards in the
future.

“All this is turning a page in the history of my country and, more than that, it will be a milestone in the improvement of
ethical standards of government and companies, and an entire society that can, in a short time, reach the strict standards of
more developed nations,” he says.

“I am convinced that ethics is coming to Brazil to stay. Brazil will never be the same.”

Written by the BBC’s columnist, Donna Bowater, on 16/09/2015.


Information Security and Compliance

When we hear about information security, we automatically think of IT, Information Technology. In fact, information
security goes far beyond IT.

Information is any and every asset, piece of data or content that is developed and/or managed, and it must be protected
in a manner that is adequate and consistent with the organization’s mission. Information security, in turn, comprises
the procedures for protecting information against threats to its availability, integrity and confidentiality, so as to
avoid risks and vulnerabilities, with the aim of preserving its structure and ensuring business continuity.

It is also worth remembering that information is transmitted through many channels: e-mail, paper, voice, USB drives,
CDs, DVDs and so on. In other words, vulnerabilities are everywhere!

Beyond these channels for transmitting information, there are also home-office arrangements, remote access,
representation by third parties, large volumes of database records, inadequate procedures for disposing of information,
password sharing, the use of personal equipment in the corporate environment, and deficiencies in physical and logical
security. And that is just to start reflecting on the care required in managing and securing information.

At the other end of the concerns on this topic, let us remember that, under the justification of freedom of expression,
information security failures in the corporate environment can be the means for committing a series of crimes such as
slander, defamation, facilitation of prostitution, incitement to crime, pedophilia, discrimination and disclosure of
professional secrets, among others, all described in the Penal Code, as aptly cited in this month’s August edition of
the Revista Eletrônica da CAASP.

Just to add a little more “fuel to the fire”, let us not forget the productivity aspects: do you know which programs
the employee uses? Which terminals he used? And what he worked on? Which sites he accessed? How long he stayed connected
to social networks? And the labor-law issues? Personal interests, online side businesses, improper sites, and the
productivity of the day, the month, the year, thrown in the trash. And do you know who pays that bill? The company.
Worse still if it is your company!

What to do? Prohibit access? Restrict it? Allow it?

Since I mentioned third parties at some point, I want to record my perception that information security risk is also
poorly managed by third parties, even in a highly professional environment, because as a rule they “wait” for audits or
penalties before investing in prevention. But then come the questions: how far can I control third parties? What are
the “gray areas”? Is my company exposed to possible collateral damage?

Not only to avoid problems but also to raise awareness among employees and third parties at all levels, it is necessary
to regulate conduct, provide adequate training and continually make people aware of the risks and dangers related to
information security and their consequences.

Information security activities are part of the duties of any compliance officer, and they fall within the context of
risk management, the internal control system, the normative framework of policies and procedures, the reliability of
information and periodic reports, and the approval and suitability of new products.

Information is one of a company’s greatest assets, and the threats are highly varied and constantly evolving. It is
therefore necessary to identify and address vulnerabilities, avoiding unknown risks.

Finally, customer trust is a consequence of credibility, and the attitudes of employees and third parties define the
image of organizations.

It is time to mature and learn! Information security governance and compliance practices go hand in hand on the path to
business survival.

Published in 08/2015 by Emerson Siécola de Mello

COMMENT: I would say that the issue of Information Security rests on these pillars: 1) Planning based on a holistic
view of the issue: as you yourself mention, the issue goes far beyond technology; 2) Awareness among everyone involved;
3) Systematic auditing.

http://www.lecnews.com/web/curso-preparatorio-de-compliance/
