CRIME PREVENTION MODEL:
NEW LAW ON ECONOMIC CRIMES
Within the crime prevention and prosecution system, experts identify four significant stages: crime prevention, detection, investigation and prosecution, and finally, criminal punishment.
The Crime Prevention Model (“CPM”) covers the first two stages of this system within companies, i.e., the prevention and detection of punishable conduct. This model, in practice, consists of a system of organization, administration and internal supervision that goes beyond the mere document that contains it, and which must guarantee, through internal protocols and procedures, its effective application within the company.
- The need for an CPM before and after the recent legal amendment
Under the paradigm of Law No. 20,393, prior to its substantial modification in 2023, criminal liability was attributed to the legal entity when the perpetrator of the offense had committed it in its interest (direct or indirect) or for its benefit, and provided that the commission of the offense was a consequence of the breach by the company of its duty of management and supervision, which was understood to have been fulfilled if a DMP had been adopted. In addition, the list of offenses for which the legal entity could be liable was quite limited.
The amendments introduced to said law by the new Law No. 21,595 («Economic Crimes Law») eliminate the need for the crime to have been committed for the direct benefit of the company, now being sufficient for the crime to have been committed within the framework of its activity and to have been favored or facilitated by the lack of effective implementation of an adequate crime prevention model. The new law also significantly expands the number of offenses for which companies can be held criminally liable.
Thus, we see two significant changes to the system of imputation of criminal liability to the legal entity: it is no longer necessary for the commission of the crime to provide it with a benefit, nor is it sufficient to merely implement a DMP “on paper”; instead, its implementation must be effective and appropriate to the specific legal entity. In the absence of a DPO, the company can be held criminally liable for a wide range of behaviors. On the contrary, an effectively implemented DMP allows the company to exempt itself from criminal liability.
In other words, the mere existence of a DMP is not enough to safeguard the company; a simple declaration of intent is not enough. In turn, companies are required to conduct a thorough analysis of their different business areas and to apply ad hoc protocols and procedures that, in practice, achieve this prevention and detection of punishable conduct. The legislator establishes a high standard of requirements for legal entities, because it considers them, in some degree, responsible for the acts committed within them, and thus imposes on them a duty of vigilance and detection, under penalty of being punished together with the perpetrators.
- Essential elements of an effective DPM
1. Identification of criminal (and other) risks
For a DMP to be considered effective, it is essential to have a thorough understanding of the risks to which the company is exposed. The current catalog of economic crimes is extensive, and it is to be expected that the probability of occurrence of each of them within a company is not equal; therefore, knowing the activities or processes in which the legal entity is more vulnerable to the occurrence of a regulatory breach will allow focusing its efforts in the right way.
With respect to the previous analysis, two observations are necessary. First, it is advisable not to limit the examination of risks exclusively to those covered by the Economic Crimes Law: the criminal liability of the legal person is obviously central to proper compliance. However, this is not the only concern of a diligent company; in fact, there are other risks to be taken into consideration when making this analysis, as the company may incur in regulatory breaches that are not a source of criminal liability, but do generate civil or administrative liability, or reputational damage, for example. Therefore, while the DMP should address crime prevention and detection, it is healthy for the company to have a compliance program that goes beyond this.
In second place, in order to measure the risk and correctly calculate the affectation on the company, it is necessary to combine the impact that a breach may have on the company, which will be seen from different points of view, and the probability of occurrence of the breach itself, i.e. the level of exposure.
For example, a company that sells office supplies has a small probability of occurrence of the crime of terrorist financing, but the impact of its materialization, however improbable, is considerably high at all levels of analysis.
Finally, this review of risks in the company is not set in stone; as we will see below, within the essential elements of a DMP, the law imposes the need for constant review and updating of the model, which is extensive to this risk review.
2. Establishment of protocols and procedures for the prevention and detection of criminal behavior.
The next step in the preparation of a DMP in accordance with the recent Economic Crimes Law is the logical continuation of the first step, i.e., to take charge of those risks detected in the different activities or processes of the company. In practice, this is materialized in protocols and procedures aimed at preventing and detecting potential unlawful conduct, which must be expressly incorporated into the employment and service contracts of employees, including the company’s top executives.
The regulation provides some light on what it understands as the minimum necessary in this aspect, specifying that a secure complaints channel and internal sanctions for cases of non-compliance must be considered, similar to what was indicated in Law No. 20,393, prior to its amendment. However, fulfillment of this requirement is not satisfied only by complying with these parameters: in order to be able to speak of an effectively implemented DMP, it is necessary to have robust internal regulation that addresses the potential risks for the company, with adequate means for its promotion and employee training in this regard.
(i) General preventive protocols and procedures
As mentioned above, it is necessary to understand this requirement of the DMP as something that goes beyond a mere declaration of intent: effective procedures and protocols must be implemented, focused especially on the prevention of irregularities.
This clearly exceeds the process of investigating and sanctioning, since both are part of the detection and management of irregularities, but do not directly seek to prevent them, regardless of whether they serve as a deterrent to sanctioned conduct.
In order to implement a system that prevents the occurrence of questionable behavior and effectively minimizes the risk to which the company is exposed, it is necessary to have an internal structure that serves as a guide for workers with respect to activities that may expose the company. This structure must include specific regulations, known to the workers; processes of communication, dissemination and training processes for the work team; periodic gathering of relevant information; and evaluations of workers, especially those in positions of greater exposure.
For example, a company that has frequent dealings with government officials should have a strict protocol regarding the interaction with them, or if there is a large number of suppliers, the due diligence process with respect to them should be regulated with greater zeal.
This is what we mean when we say that the DPM must be adapted to each company and its particularities; although there are minimum requirements that must be followed by all legal entities, a succesful crime prevention system must focus on the specific risks of those who implement it.
(ii) Secure whistleblowing channel
The need to have a secure whistleblowing channel as an integral part of the CPM is one of the Economic Crimes Law Innovation. The wording of the previous regulation made reference to maintaining a procedure for reporting or pursuing pecuniary responsibilities against those who fail to comply with the crime prevention system, however, it did not specifically mention a channel for reporting and initiating the internal investigation and sanction procedure.
These reporting channels have proven to be effective not only in detecting potential criminal conduct, but also for other types of conduct that affect companies in terms of compliance.
The recently issued ISO standard [
International Organization for Standardization] 37008/2023 sets out the basic principles of a whistleblowing channel, namely independence, confidentiality, competence and professionalism, objectivity and impartiality, and legality, which must be taken into account when establishing the internal whistleblowing channel.
In addition, the existence of a known whistleblowing channel, backed by the company and with guarantees for participants, also acts as a deterrent to potential unlawful conducts; or, in other words, the lack of a secure whistleblowing system makes it easier for collaborators to act unlawfully or for these same conducts to prosper over time due to a lack of oversight.
A strict sanctioning scheme is of little use if it is not possible to report non-compliance in a secure manner. This is especially evident in large companies, where employee supervision is harder, although it is no less true for medium-sized companies, which benefit from this type of regular channels that allow employees themselves to report suspicious behavior.
(iii) Sanctioning scheme
A crime prevention system or, in general, any internal regulation aimed at protecting workers and the company, and which seeks to ensure compliance with internal parameters, values and protocols, cannot be considered complete without a sanctioning scheme for those who fail to comply with these provisions.
Of course, we are not talking here about non-compliance with the Economic Crimes Law, since these are criminal offenses and should be punished by the competent courts; instead, we are talking about non-compliance with the internal rules that the company itself imposes to prevent and detect the occurrence of risky behavior.
This sanction scheme must be known by the workers. The law indicates that internal regulations must be expressly incorporated into employment contracts, including the company’s top executives.
Responsible parties
Another innovation of the amendment to Law No. 20,393 is the replacement of the figure of the person in charge of crime prevention with the obligation to designate one or more persons responsible for applying the internal protocols that we saw in the previous section.
The legislator seeks that companies not only dictate internal regulations to impose the expected parameters of conduct of their workers, but also actively monitor their compliance and improvement through one or more persons in charge who, for this purpose, must have adequate independence and effective powers of direction and supervision.
But what do we mean by adequate independence? This aspect, as well as many others of this new update, is still being debated by experts; however, the consensus is that at least the person or persons in charge should act autonomously without oversight from other relevant executives of the company, reporting to the board or management directly. This can be inferred from the literal meaning of the law which, in addition to speaking of the need for independence, also indicates that they must count with direct access to management, and can also be inferred from the obligation to be subject to the protocols and procedures, which does not exclude the relevant executives; therefore, the supervisor of this regulation should not be accountable to one or more of these executives.
4. Periodic third-party evaluation and improvement or updating mechanisms
Prior to the changes introduced by Law No. 21,595, the system contemplated the so-called CPM Certification Entities, which, according to General Rule No. 302 of the Financial Market Commission (“CMF”), must be registered in the “Registry of Crime Prevention Model Certification Entities” maintained by said authority.
The CPM review system changes diametrically with this amendment, since, as of the entry into force of the changes to Law No. 20,393, the periodic evaluation of these models must be conducted by independent third parties, which will not have the status of Certification Entities. The FMC has recently issued an opinion on this matter in its Official Letter No. 119,066 dated December 15, 2023. indicating that, once the term for the entry into force is completed, its competence to supervise these entities will cease and that, regarding these “independent third parties” that will take their place, the CMF will not have the authority to register or supervise them.
The law only requires them to be independent third parties; therefore, and without a specific statement from the authority in this matter, it is possible to understand that any third party with the necessary skills and knowledge to review a DMP may perform this task.
However, the lack of determination by the legislator should not be understood as a relaxation of the review of the models; on the contrary, the burden of proving the effective implementation of the CPM is placed, now more than ever, on the legal entity itself. Precisely, the legislator’s motivation in eliminating the figure of the Certifying Companies was to prevent companies from having a sort of “formal ace” through the certification of their DMPs, and, instead, to leave the assessment of the seriousness and effectiveness of the model solely in the hands of the judge. Thus, if the company fails to demonstrate that the assessments by independent third parties have been carried out with the necessary zeal, this will affect the credibility and seriousness of the CPM, damaging the company’s possibility of obtaining the respective exemption from criminal liability.
Finally, the law requires the company to also consider models for improving or updating its DMP based on the evaluations received by these third parties. A certification attesting the existence of a model that complies with the legal minimums is no longer enough, now an in-depth evaluation is required, which must include in its analysis the effectiveness of application of this internal regulation, and being the company’s duty to correct, improve and update the deficiencies that could be present in the system implemented to prevent illicit activities.
5. Beyond Law No. 21.595
As we can see, 2024 will be a challenging year for companies. The changes in the requirements regarding the criminal liability of the legal entity are very relevant, and the need to adapt not only the internal regulations, but also the way of conceiving the company’s exposure to the numerous criminal risks foreseen by the law, poses a challenge even for the most prepared and rigorous companies.
It is undeniable that the focus of everyone’s interest and concern is on Law No. 21,595, but we must be aware that, in order to be an integral, sustainable and long-lasting company, it is not enough to worry only about the pressing matters, but it is also necessary to take advantage of this opportunity to expand the company’s commitment to the environment. compliance and anticipate future changes that are undoubtedly coming.
Author:
Valentina Chinni