Highlights of Brazil
Doing Business in Brazil, chapter 1.1
www.swisscam.com.br/publication_doing_business.html
Authors: Fátima A. Carr/Mônica Leite/Anna Lygia Rego/Sylvia Urquiza/Débora Pimentel/Carolina Fonti - Trench, Rossi and Watanabe
The notion of compliance, although very present in the discourse of companies, is not always explored in a way that generates practical results. One reason may be cultural: as not all agents understand how compliance works in a concrete case, it ends up becoming too abstract a notion and, as such, is not included in the organization's list of priorities.
Therefore, one may raise the following question: what does the compliance activity consist of? The answer will naturally depend on the company's internal structure and on the economic activity in which it is engaged. However, in general terms, we may define compliance as the practice developed in an institution with the purpose of ensuring compliance with the laws, regulations and rules applicable to all activities it performs, even when they are not part of its business purpose or core business. It is relevant to highlight that these rules may be internal, governmental or derived from self-regulating structures. By analogy with the law, compliance would act as custos legis, in other words, a real law watchdog, in a broad sense.
This oversight of compliance with regulations (whether governmental or not) is an essential tool for achieving excellence in services, especially since following rules is a very effective way to mitigate risks, particularly operational risks arising from human, technical or process failures. Legal risk falls within this scope: it is nothing but the risk of losses associated with the non-fulfillment of regulations, so the direct association between compliance and risk mitigation is clear.
Risk prevention is closely related to cost reduction. Therefore, the compliance activity, depending on how it is structured, may be a tool for optimizing productive processes, especially when it sets procedures to avoid damage to third parties (civil liability), breach of contracts, regulatory problems and damage to the company's image, among other aspects.
(a) Structuring the compliance area
Ideally, a compliance area gathers professionals from interdisciplinary backgrounds such as administration, law, engineering, chemistry and medicine, among others, depending on the sector in which the company conducts its business, so that when a compliance policy is prepared, compliance with the applicable legal provisions is ensured in a manner consistent with the technical and commercial specifications of the business.
From the corporate governance viewpoint, it is relevant that the compliance area be structured as a body independent from the management and the commercial area of the organization. At first, it shall report directly to the management of the company so that it is not pressured or captured by the areas it monitors. In addition to its preventive role, compliance has a whistleblower function and may point out irregularities observed while monitoring the company's activities.
As previously mentioned, the structuring of a compliance program must be performed preferably by an interdisciplinary team. Thus, in addition to involving the legal sector, the preparation of a program (or even the formation of the compliance area) must be carried out jointly with the process management area, and its work must be coordinated with the areas responsible for operating risk control and internal audit. The compliance sector should be accessible to all employees, who must regard it, whenever necessary, as a kind of ombudsman that may give an opinion on the interpretation of certain internal policies and practices. If it is called upon to resolve an inquiry, compliance will decide whether it is necessary to involve other areas, such as the legal department. In several organizations, legal support and compliance are performed by the same professionals.
In order to be effective, a compliance policy must be grounded on requirement and publicity. The first means that the senior management of the company must approve the principles of the policy and cause the whole team to comply with them. The second relates, once more, to the highly cultural aspect of this practice. It is essential that each employee knows the policy and uses his/her best efforts to comply with the rules and regulations to which his/her activity is subject, even if this implies less optimistic short-term commercial results.
(b) Compliance and the Legal Department
Although their activities show some similarities, it is important to highlight that compliance and legal support are distinct tasks. However, it is fundamental that, within the organization, the legal and compliance departments act in a coordinated manner, constantly exchanging information about the company's reality and aligning their positions. It would be highly harmful, for example, if the legal department and compliance held different opinions about the interpretation of the same regulatory issue. Divergences may naturally occur, but the direction given to employees must be the same. Otherwise, the legal area and compliance, instead of favoring the company's daily activities, would hinder their best performance.
A basic difference between the legal department and compliance lies in their scope. As a rule, the themes addressed by compliance are more general, not necessarily linked to a specific transaction, and also involve the company's internal policies and procedure manuals. Some general issues, not always legal ones, are major themes for the compliance activity, such as: prevention of money laundering, jurisdiction policies, insider trading, policies such as "know your customer", e-mail monitoring and conference calls. Legal analysis, by contrast, is more closely tied to a specific problem and to the norms that govern the concrete case.
(c) Compliance and Audit
There are relevant differences to take into consideration between the audit activity and the compliance one. In fact, an audit of processes may raise issues that concern the compliance activity. However, while compliance has absolutely preventive purposes, audit has, as a rule, a detective role.
Therefore, often basing itself on the policies prepared by compliance, audit will formulate its tests and suggest certain improvements in internal controls. Audit detects failures in processes, while compliance helps in designing them, acting in a preventive manner.
(d) Corporate Investigations
The practice of illicit or irregular activities by employees, partners and suppliers may bring legal and economic consequences to a company, jeopardizing its transactions and even its continuity.
So it is very important that corporate investigations are carried out whenever any of those practices is suspected, in order to verify the facts and then define the actions to be adopted in each case, in line with the purposes of the company.
Brazilian law does not set limits and/or specific requirements for a company to start internal investigations, and any breach of law or even of the company's code of conduct may give rise to such a proceeding.
Once suspected activities are noted, a plan of linked investigative phases is initiated in order to obtain as much evidence as possible to clarify the facts and support future actions by the company. The phases to be observed will be reviewed and adapted on a case-by-case basis so that the best procedure is chosen to accurately achieve the purpose of the investigation.
Notwithstanding the obvious need to organize an action plan, certain internal investigation phases, such as the collection of documents and interviews with the employees involved, are essential to resolving the suspicions.
In the document review, a relevant number of physical and electronic files are collected in order to preserve the information that will serve as evidence in the case. A detailed analysis of those data makes it possible to highlight and separate the more relevant information, which will help in organizing a real plan to identify the employees involved and in guiding their respective interviews efficiently. The confidentiality of the collected documents must be respected (see item 25.1 below - "Internal communication and monitoring").
Additionally, if there is any suspicion of irregular activities, interviewing the employees involved is not only allowed but advisable as well. Note that no authorization for advice, associations, unions or any other organization is necessary to carry out corporate investigations in Brazil. If there is any type of suspicion in the company, the employee is expected to cooperate with the audit investigations and/or procedures.
Note that, on the other hand, the 5th article, clause II, of the Federal Constitution provides that no one will be forced to act against his own will, except by force of law, so the employee may participate in the interview, but the investigators may not force him to answer the questions asked. It should also be highlighted that compelling the employee to participate in the interview is regarded as a criminal offense, as provided in article 146 of the Brazilian Criminal Code.
Due to the aforementioned legal implications, the interview with the employee must be conducted under the strictest confidentiality in order to avoid future claims of moral damage by the interviewee based on his exposure to judgment and false interpretation by his workmates.
One of the most relevant issues when irregular activities by employees are verified is the company's reaction time once it is informed of the facts, as a delay in assessing the case may result in the tacit waiver of the acts practiced by them.
There are no provisions in Brazilian legislation that govern the time period for concluding an internal investigation. It is understood that the limit must be reasonable according to the scope of the procedure. If the investigation is focused on one individual only, whose removal from work is necessary for the internal procedure to continue, then, in principle, 30 days would be a reasonable period to finish the investigation, it being noted that the employee will keep his compensation during this period.
Depending on the results of the internal investigation, the company may forward the evidence and information found to the Head of Police or to the Public Prosecution Service, requesting, respectively, the opening of a police investigation or even a criminal legal action against the suspect. Note that this evidence, provided it demonstrates with a high level of certainty the employee's involvement in irregular activities in the company, may be used in his/her dismissal for just cause, given that his/her acts are included in the list set out in article 482 of the Consolidation of Labor Laws.
25.1. Compliance: General Aspects
This section addresses some crucial themes of the compliance activity that recur in practically all productive segments, regardless of their economic characteristics. Section 25.2 below, however, is dedicated to compliance themes in the scope of the financial markets.
(a) Internal Communication and Monitoring
Currently, the monitoring of physical and electronic files in a company is one of the main tools used to prevent illegal activities practiced internally by employees. However, regardless of how widely this type of monitoring is used, Brazilian law clearly sets limits on its practice and provides severe sanctions in case of violation.
Firstly, it is important to clarify that all electronic data stored in the computers of a company are its own property. However, pursuant to the 5th article, X, of the Federal Constitution, fiscal and financial documents as well as banking information have their confidentiality duly protected, as they are regarded as inviolable personal information. Obtaining such data or documents without the owner's consent or without legal authorization is a crime, as provided for in article 10 of Complementary Law nr. 105/2001. The penalty for this crime is imprisonment from 1 (one) to 4 (four) years and a fine.
Therefore, one must distinguish between the personal data of an employee and the data stored in the company computer that he/she uses. While personal data are information and documents related to the employee's private life, the company's data are the files that result from the work performed by the employee and are associated with the relation between employee and employer.
It should therefore be noted that, in internal investigations, the collection of an employee's personal documents and information may only occur if the company has, in principle, his/her prior consent to the analysis, it being clear that the data were only extracted after the employee was duly notified. If the employee does not grant authorization, the investigators must not access those data.
The question of whether e-mail use and internet access may be monitored is directly linked to the limitation of the employee's right to intimacy by the employer's directive power, and it is also open to divergent interpretations, as there is no legal regulation on the issue.
Notwithstanding the constitutional protection that ensures the inviolability of the confidentiality of correspondence and other means of communication, as well as of intimacy, private life, honor and people's image, with the right to indemnity for material or moral damage in case of violation, the Superior Labor Court has already recognized the employer's right to obtain proof for the dismissal of an employee by monitoring corporate e-mail (AIRR 613/2000).
According to this precedent, the employer is authorized to track all electronic messages on the grounds that there is no intimacy to be preserved in corporate e-mail, considering that it is not intended for private purposes. This precedent, however, must be interpreted with moderation, taking into consideration that it is currently not reasonable to demand that employees remain totally isolated from their private relations and appointments.
Thus, the adoption of any control system demands broad transparency in the implementation process, informing employees of what is being done, why the company is doing it and what changes for them once the tool is adopted, and alerting them that: (i) the company's means of communication are to be used for professional activities; (ii) their use will be monitored by the company; and (iii) personal passwords only serve to protect the company's internet and the company's information against access by strangers.
Therefore, the company must formalize a "Use and Control Policy of the Electronic Means of Communications" for its employees, clearly stating that the company monitors its communication via internet and specifying that the equipment is supplied to the employee as a work tool.
Likewise, it is important that the company adopts the necessary precautions so that monitoring is not used abusively and indiscriminately, thus avoiding a violation of the privacy and intimacy of its employees through excessive and unnecessary acts; it is extremely relevant that monitoring be performed in a moderate, generalized and impersonal manner.
Correspondence by means of personal e-mail accounts (e.g., name@yahoo.com, name@hotmail.com) is protected by confidentiality, as per the 5th article, XII, of the Federal Constitution. Taking into consideration that there is currently no consensus in the Brazilian courts on the nature of electronic communication, and that current Brazilian law characterizes as a crime the violation of someone else's correspondence without authorization (5th article, XII, of the Federal Constitution), the best - and safest - understanding would be that e-mail has this constitutional protection, subject to the rules and conditions for the interception of telephone calls, pursuant to the provisions of Law nr. 9.262/96.
In internal investigations, if the employee authorizes the analysis of his/her personal data, the investigators may review that information. However, if there is a need to retransmit the information to third parties, a specific authorization is necessary for that purpose, or its content may only be disclosed by means of legal authorization for use before the Brazilian courts.
With regard to the interception of telephone calls, Brazilian law is clear in setting that the individual right to privacy of communication may only be restricted by court order, based on the assumptions and forms provided in the law. According to the 5th article, XII, of the Federal Constitution, together with the provisions of Law nr. 9.296/96, the interception of telegraphic communication and of data can only occur by court order.
There is, however, a precedent of the Regional Labor Court, 3rd Region, providing that the monitoring of employees' private calls, mainly of those who work in "telemarketing", falls within the employer's directive power, provided the employees are aware of it. Note that this understanding, as with monitoring in general, must not be applied in an abusive and indiscriminate manner.
One should highlight that the penalty for the crime of intercepting telephone calls, electronic messages or telematic communications, or of violating in camera proceedings, without legal authorization or with objectives not authorized by law, is imprisonment from two (2) to four (4) years and a fine.
(b) Prevention of Money Laundering
In Brazil, the prevention of the crimes of money laundering or concealment of properties, rights and values is governed by Law nr. 9.613, of March 3rd, 1998, which creates the Financial Activities Control Council ("COAF") with the purpose of disciplining, applying administrative penalties, and receiving, examining and identifying suspected occurrences of illicit activities.
The enactment of this law stems from the structuring of the Brazilian markets, which began to demand compliance and disclosure procedures in order to provide greater safety to consumers and investors, in harmony with the agreements entered into by the international community, specifically the Vienna Convention, to which Brazil is a signatory.
In order to give effect to the fight against such crimes, Law nr. 9.613/98 demands that the persons described in its 9th article, among them financial institutions, institutions authorized to operate by the Brazilian Central Bank and other companies, implement programs for the prevention of money laundering crimes ("AML Programs"), procedures for checking and identifying clients (KYC - "know your customer" policy), and procedures for recording and communicating suspect operations ("red flags").
With regard to the prevention of money laundering crimes, articles 10 and 11 of Law nr. 9.613/1998 set that the persons subject to this law must observe, in general terms, the following practices:
(i) identify their clients and keep their records updated;
(ii) keep records of, and communicate to the competent authority, all transactions in national or foreign currency, securities, bills of exchange, metals or any asset convertible into currency that exceed the limit set by that authority;
(iii) keep the files and records described in items (i) and (ii) above for a minimum period of 5 (five) years, counted from the conclusion of the respective transactions;
(iv) keep records of the transactions mentioned in item (ii) above when the natural person or the legal entity and its related entities have performed, in the same calendar month, transactions with the same person, conglomerate or group which jointly exceed the limit set by the competent authority;
(v) fulfill, within the time period set by the competent judicial body, the requests formulated by COAF, which will be processed in camera;
(vi) monitor the transactions that may constitute serious evidence of the crimes in question, or relate to them, and communicate the proposal or performance of such transactions to the competent authority.
The communications to the competent authorities provided for in items (ii) and (vi) must be made by the aforementioned entities within 24 (twenty-four) hours, and those entities are not obliged to inform their clients of such acts.
The implementation of a money laundering prevention policy grounded on the "Know your customer - KYC" principle arises from the need to ensure that the relations between regulated companies and their clients are well conducted and grounded on ethical and legal standards. It can be defined as the duty of diligence that one must employ to identify clients and find information relevant to the development of the activities between them. Although specifically applicable in the financial system, the KYC policy has been incorporated by companies in other business sectors due to the social responsibility principle they adopt, especially for the purpose of preventing drug trafficking, money laundering and terrorist acts.
The adoption of the KYC policy leads the company to seek and obtain as much information as possible about the client prior to contracting and also to monitor the activities developed by the client based on its performance background. To that end, the company adopts a routine of good practices and implements systemic safety mechanisms at the beginning and during the course of relations with the client.
To obtain information, the company, within the criteria it defines as reasonable for its type of business and observing any applicable minimum legal requirements, sets the extent of the "due diligence" it will conduct, identifying external and internal sources of information to determine whether a client or a transaction is suspect and needs to be reported to the authorities. That is, the KYC policy has no strict criteria specifying which client documents the company must keep.
To implement programs for identifying suspect activities, companies should hold internal training sessions with employees and develop internal documentation (forms, records, checklists). It is important to make the notion of a "red flag" commonplace, that is, situations in which an alert must be raised, for example when clients refuse to provide information, when the record information is inconsistent, when the client disputes the KYC policy very strongly, when the person in charge has no powers to negotiate for the company, etc.
(c) Asset Safety and Frauds
Fraud is a dishonest maneuver intended to keep someone in error so that he/she performs an action that he/she would not perform if the fraud did not exist. In criminal law, this act materializes in several crimes, such as corruption, theft and embezzlement. In a company, specifically, one may find so-called occupational fraud, in which the agent uses his position to enrich himself or others through the misuse or diversion of the company's funds and assets.
Nowadays, fraud may occur in any type of organization. Internal controls and well-defined business processes make fraud more difficult, minimize it and also help to identify it. However, these acts cannot be easily eliminated from companies.
One cannot state that there is a fully effective measure for preventing fraud, but companies must use all the internal procedures of the organization, as investment in fraud control still outweighs the costs related to verifying a possible illegal practice. With such control, the company can ensure that it has mechanisms sufficient for a possible fraud to be detected as soon as possible.
So, adequate management tools are important, with an integrated view of all the processes that exist in the company. Some aspects are relevant in fraud prevention, for example special attention to payment processes, including the approval of amounts to be paid, the issuance and signature of checks and the due reconciliation of expenses in Accounting. In addition, compliance with and observance of contractual clauses are also important prevention mechanisms.
One should observe that the company's biggest risks arise from the lack of internal controls. Therefore, in order to establish an effective anti-fraud program, it is always necessary to keep the control environment at high quality and to make employees aware that it is active. Training sessions are essential to accomplish this objective. In addition, explicit discussion of the intolerance of fraud is essential.
Fraud is usually discovered through internal or external anonymous reports, changes in the company's staff, internal or external audit, reports from suppliers or even police investigations. Therefore, in order to identify or notice the occurrence of fraud in a certain environment, it is important to maintain effective channels for reporting fraud and to give employees formal training on those channels.
Once the company becomes aware of any case of fraud, it must demonstrate a capacity for quick and effective reaction in investigating, punishing and correcting any irregularities that occurred. This is an important prevention mechanism, as it informs the other employees about the company's level of tolerance for those situations.
The fraud investigation should be accompanied by a specialized law firm or even an audit company, always observing confidentiality when conducting the internal investigation (see item above - "Corporate Investigations").
It is important to note that, in addition to direct frauds, represented most of the time by theft, embezzlement and corruption, other frauds may occur whose damage to the company is indirect at first but much more harmful in the long term. This is the case, for example, of the payment of taxes, contributions and fees.
Many times, due to the lack of effective controls, payment forms for taxes such as ISS (services tax) and INSS (Social Security) are falsified, bringing not only the loss of the amount directly involved but also criminal investigations against the company's directors for tax evasion, the issuance of tax assessment notices with penalties and high interest rates, and the company being barred from public bids. One should highlight that the Federal Police and the Public Prosecution Service have been investigating cases like these on a frequent basis.
(d) Accounting Controls and SOX (Sarbanes-Oxley Act)
With the purpose of putting an end to the accounting frauds being found in North-American companies, the Sarbanes-Oxley Act, also known as SOX or SARBOX, was passed in 2002 with the total support of the US Government and investors. The law is very comprehensive and sets stricter standards for US state-owned companies as well as for publicly-held companies.
The frauds verified in the United States in companies such as Enron and WorldCom showed how unaware shareholders were of the doubtful activities practiced by some companies, such as participations not recorded in the books, recognition of improper revenues, etc.
The fear of harmful behavior by administrators generated a crisis of confidence in accounting practices and in corporate governance. The suspicions about the integrity of balance sheets and financial statements deeply affected the market, triggered the bearish scenario in the Stock Exchange and motivated the creation of SOX by the US Government.
In order to establish investors' confidence in company shares placed in the US market, SOX expanded the responsibility of company administrators with regard to internal controls and to the extent and truthfulness of information. It is important to highlight that, within the format presented by SOX, whose rules are proposed by the SEC - Securities and Exchange Commission (an institution equivalent to the Securities Commission in Brazil), a company's compliance with US laws is essential to the admission of its securities in the US market, regardless of the company's location.
Created for the purpose of giving transparency and protecting investors, the law literally revised the rules of corporate governance relative to the disclosure and issuance of financial reports.
According to the Law, there is a simple proposition: good corporate governance and ethical business practices are laws. And this does not affect only US companies or the units of those companies in other countries. All companies that have their shares traded in the United States also feel the impact of the changes brought by the Law.
When SOX came into force, Brazil already had Law nr. 10.303/2001, an amendment of Law nr. 6.404/1976, which established stricter rules with regard to corporate governance and the obligation to render broad information to the market, including with regard to the financial statements of publicly-held companies. In addition, this same statute altered the provisions of Law nr. 6.385/76 in order to reinforce the CVM's functions relative to the protection of market investors in general.
Notwithstanding certain similarities between the guidelines as set by the Brazilian and North-American legislations, SOX presents peculiarities that need to be observed by the companies in order to make them compatible with the legal system of the two countries.
Generally speaking, the main SOX legal norms that deal with adequate internal control of the company consist of:
(i) the setting up of an Audit Committee, granting this committee independence in the analysis and review of the financial statements, internal controls and the external auditor's activities (section 404). At least one member of the committee must be an expert in finance (US Gaap); otherwise, the reasons for his absence need to be presented;
(ii) the president's and the financial director's certification that they reviewed and checked the financial statements and the accounting reports and that the information contained in them is complete and truthful (section 302); and
(iii) the auditor is prohibited from rendering services to the company concomitantly with the audit company.
With regard to the disclosure of information, SOX requires:
(i) the disclosure of annual statements about companies' internal control;
(ii) adoption of a code of ethics for the company's financial directors; and
(iii) information about changes in the financial or operating results, or even those not contained in the financial statements (such disclosure must be quick and frequent).
The responsibilities created by SOX are of interest to all companies that want to keep up to date with the strict practices in force in the USA, which have global influence.
SOX gives priority to internal control and to the most adequate forms of disclosure and issuance of financial statements, thus increasing transparency in the corporate world and contributing to greater reliability in this sector.
(e) Corruption and FCPA (Foreign Corrupt Practices Act)
The Foreign Corrupt Practices Act, also referred to as the FCPA, is a legal provision introduced in the North-American legislation in 1977, whose purpose is to hinder the corruption of public agents so as to preserve the integrity of international commercial relations.
This act on corrupt practices overseas prohibits US companies and their subsidiaries and employees, even if they are not Americans, from offering, promising, authorizing or paying any amounts or "things of value" to any Foreign Authority with the purpose of influencing any act or decision of the Foreign Authority in order to obtain or retain business, to ensure unfair advantage or even to lead the foreign public agent to make bad use of its attributions.
It is important to notice that the term "things of value" includes gifts, trips, entertainment and other favors of value that are not merely nominal. With regard to the "Foreign Authority" term, this includes (i) any authority from a governmental agency or department, (ii) any authority from an organization or business held by the government, (iii) any political party and (iv) any authority from a political party or any candidate.
Those activities are prohibited whether they are practiced directly or indirectly by means of any person or organization. It is also illegal to amend documents with the purpose of hiding the practice of any of those activities.
Any violation may result in punishment of criminal nature to the company and the employee. The violation of foreign guidelines will also be in most cases a violation of the legislation of the country itself. In Brazil, the natural persons that in any way participate in any act of corruption are subject to the penalty of imprisonment from 1 to 12 years.
In cases of violation, the FCPA establishes that the companies may be penalized in amounts that may reach US$2.000.000,00. With regard to the managers, directors, employees, agents and shareholders that act on behalf of the company, the penalties may reach US$100.000,00 and/or imprisonment of up to 5 years, and the penalties may not be paid by the company. Under the Alternative Fines Act, those fines may reach higher amounts (up to two times the derived illegal benefit amount).
In the civil scenario, penalties of up to US$ 10.000,00 may be imposed against any company, as well as against the manager, director, employee, agents and shareholders who act on behalf of the company, due to the violation of the anticorruption provisions. In addition, further penalties may be imposed without exceeding the gross amount of the assessed illegal benefits or a limitation specified in dollars, which may vary according to the violation (US$5.000 to US$100.000 for a person and US$50.000 to US$500.000 for any other person).
It should be highlighted that the FCPA prohibits only "corrupt payments" made with the intention of influencing the receiver to wrongfully use his official position in order to direct business in favor of the company. This way, usual business lunches, printed materials, pens with the logo and other similar practices in which nominal value items are given to clients without the intention to induce the receiver to wrongfully use his/her official position are not prohibited and can be kept.
25.2. Compliance applied to the Financial Market
(a) The Central Bank and the CVM: Regulatory and Institutional Aspects
The Financial Institutions conduct activities that, due to their nature, need operating controls and legal restrictions in order to discipline their performance, both internally and in the market, so as to minimize the risks which are inherent to that performance and others related to it, such as, for example, to obstruct the practices which are contrary to the public order, to protect the assets and data of their clients, to prevent frauds, to hinder crimes such as tax evasion and to diminish the risk of default, among others.
In Brazil, the activities regarded as exclusive to Financial Institutions, as can be seen in article 17 of Law No. 4.595/64, encompass the collection, intermediation or investment of financial funds of their own or of third parties, in national or foreign currency, and the custody of property value of third parties. In the performance of said activities, it is possible to check the incidence of the mentioned controls, in the form of a conduct standard imposed on the Financial Institutions by the current regulations and legislation. This conduct standard has been developing in several scenarios, including the criminal one: the non-compliance by the Financial Institution with certain restrictions imposed by the legal system may constitute a crime, with the consequent imposition of a penalty on the responsible people, as per the terms of the law. It should be noted that some corporate governance rules which are applicable to Financial Institutions also reach companies contracted by them, as well as correspondents and representatives.
With the purpose of implementing normative and operating structures that would provide the financial market with prudent guidelines, the Basel Agreement was executed in 1998. With the purpose of complying with those standards and set the referred guidelines in the Country, the National Monetary Council ("CMN") edited Resolution No. 2.099/94, which sets the minimum amounts of capital and adjusted net capital, in an amount that is compatible with the degree of risk of assets operations of the institutions which are authorized to operate by the Central Bank. Therefore, the Institutions must keep a minimum of its capital so as to support possible significant losses without causing major losses.
In 2004, the Basel Agreement was revised, with the purpose of seeking for a more accurate measure of the several risks incurred by the internationally active banks. The implementation of the New Basel Agreement in the Country is being done gradually. The first formal manifestation of the Brazilian Central Bank for its adoption was given by Notice 12,746, of December 9th, 2004, which established a simplified schedule with the first phases to be accomplished for the implementation of the new capital structure.
In the scope of the National Financial System, the most important regulating entities are the CMN and the Securities Commission ("CVM"). The Brazilian Central Bank ("Banco Central") performs as an executing agency of the monetary policy instituted by the CMN and inspects its application by the Financial Institutions and can also determine Corporate Governance additional conducts to be followed by Financial Institutions, if it judges that the already adopted ones are insufficient or inadequate in the concrete case.
There are several regulatory acts aimed at disciplining Corporate Governance. For illustration purposes, Resolution No. 2.554/98 can be mentioned, which determines the duty of the Financial Institutions and balanced to keep internal controls related to their activities, which are consistent with the nature, complexity and operating risks under which the Financial Institution performs. Said controls must ensure the protection to their financial, operating, managerial and information systems as well as the compliance with the applicable laws and regulations, including internal audit, by the institution itself or by an authorized third party.
CMN also edited Resolution No. 2.804/2000, through which it requires the Financial Institutions and other institutions authorized to operate by the Central Bank to implement control systems structured in line with their operating profiles, which allow the checking of their respective liquidity risks. The control systems dealt with by the Resolution must be periodically reevaluated so as to guarantee the permanent follow-up of the positions undertaken in all operations practiced in the financial and capital markets. Resolution 3.380/2006 of CMN, in its turn, disciplines the conducts to be implemented by the Financial Institutions and the other institutions authorized to operate by the Central Bank in order to mitigate the operating risks which are inherent to their activities. Operating risk is understood as eventful internal and external frauds, labor demands, insufficient safety, among others.
With regard to the securities, CVM enacted on April 28th, 2003, Instruction No. 387. By means of this rule, CVM attributed to the Stock Exchanges the competence to set the conduct rules to be followed by the stockbrokers, in their relations both with the clients and with the other participants of the market, taking into consideration the general principles listed in this rule.
With respect to non-resident investors, Resolution 2.689/2000, issued by CMN, sets for the Financial Institutions, a policy known as Know Your Client Policy, by which the Non-Resident Investor's Representative Institution is responsible for its updated files and registry with CVM. Besides those determinations, the Financial Institution is in charge, in this case, of the registry at the Central Bank of the funds entered in the Country and commits to provide the Central Bank and CVM with information required by them, among others. The non-fulfillment of those provisions may prohibit the representative institution from exercising its functions under this Resolution.
The Financial Institutions and related ones have Corporate Governance duties also with regard to the criminal aspect. In this regard, Law 9.613/98 provides for the crimes of "laundering" or occultation of property, rights and values, as well as the use of the Financial System for those illicit acts.
Resolution 301/99, amended by Regulatory Resolution 463/08, of CVM, reiterates the duty of Financial Institutions to keep the files of their clients updated and to adopt control measures as previously set in order to confirm their file information. It also deals with the duty to identify the individuals considered as politically exposed and with the monitoring and communication to CVM of the clients' transactions which raise suspicion of the crimes provided for in Law 9.613/98 and its antecedents, including terrorism and its financing.
Following the recommendations of the Financial Action Task Force on Money Laundering ("GAFI"), a multilateral organization of which Brazil has been a member since 2000, the Brazilian Central Bank recently enacted Rulings (Circular) Nos. 3,461 and 3,462, through which it improved the criteria to be observed by the Financial Institutions on preventing and combating money laundering and terrorism financing.
Therefore, the applicable Brazilian legislation and regulation impose on the Brazilian and Foreign Financial Institutions, as well as on representatives of Foreign Financial Institutions in Brazil, the duty to check evidence, noticed internally, of the crimes as defined by Law 9.613/98 and its antecedents.
(b) Prevention from Money Laundering in Financial Transactions
As a signatory of several international conventions on corruption and money laundering, Brazil has adopted several policies in order to hinder the practice of those illicit acts. Indeed, the country has adapted its normative system in order to facilitate investigation and criminal and administrative prosecution of those who perform such illicit acts, as well as those who have the legal responsibility to help in the surveillance of such practices.
The country's most comprehensive and relevant norm that addresses the subject is Federal Law No. 9.613, of March 3rd, 1998, which defines laundering or occultation of property, rights and values as a crime, subject to the penalty of 3 (three) to 10 (ten) years and a fine. In addition, the referred law created responsibilities for several market agents in the fight against and investigation of those illicit acts.
It is important to highlight that, as per article 9 of the referred law, those who are subject to its provisions are the legal entities which hold as main or accessory activity, in periodic or permanent character, cumulatively or not: (i) funding, intermediation and use of funding from third parties, in national or foreign currency; (ii) the purchase and sale of foreign currency or gold as a financial asset or exchange instrument, or (iii) custody, issuance, distribution, settlement, negotiation, intermediation or administration of securities.
The following are also subject to the same obligations:
I. The Stock Exchanges and the mercantile & futures exchanges;
II. The insurance companies, the insurance brokers and the complementary social security companies or capitalization companies;
III. The administrators of credential cards or credit cards, as well as consortium administrators for the acquisition of goods and services;
IV. The administrators or companies that use cards or any other electronic means, whether magnetic or equivalent, which allow the transfer of funds;
V. The leasing and factoring companies;
VI. The companies that make the distribution of cash or any movable goods, real estate, goods, services or even grant discounts in the purchasing, by means of contest or similar method;
VII. The branches or representations of foreign entities which perform any of the activities listed in this article in Brazil, even if this occurs on a casual basis;
VIII. The other entities whose operation depends on the authorization of the regulating agency of the financial, exchange, capital and insurance markets;
IX. The natural persons or legal entities, whether national or foreign ones, which operate in Brazil as agents, directors, proxies, commissionaires or by any other form represent interest of the foreign entity which performs any of the activities referred to in this article;
X. The legal entities who perform real estate promotion activities or the purchase or sale of real estate;
XI. The natural persons or legal entities which commercialize jewelry, precious metals and stones, art objects and antiques, and
XII. The natural persons or legal entities which commercialize luxury or high value goods or which conduct activities involving a great volume of funds in cash.
(c) Responsibilities
As previously mentioned, Law 9.613/98 sets a series of rules and obligations to be followed by people who are subject to its determinations, such as the obligation to identify clients and maintain their records, and the maintenance of the records of transactions, whether in national or foreign currency, which involve securities, bills of exchange, metals, among others.
The Securities Commission, within its scope of performance and considering the agents regulated by it, addressed the responsibilities in the prevention of money laundering by means of Normative Instruction No. 301, as of April 16, 1999 ("IN CVM 301"), further amended by Normative Instruction No. 463, as of January 8th, 2008 ("IN CVM 463"). IN CVM 301 specifies the filing information to be kept, the conducts to be observed and the inspection responsibility, and also determines that CVM must be notified, within the period of twenty-four hours counted from the occurrence which objectively allows it, of all the transactions or transaction proposals which may constitute serious evidence of crimes of "laundering" or occultation of property, rights and values originating from the crimes listed in article 1 of Law No. 9.613, of 1998, including terrorism or its financing. The obligation to train employees and the maintenance of data and documents for the period of 5 (five) years are also ratified in this Instruction.
The Central Bank, through Circular No. 3,461/09, consolidated in a single rule all the rules for the maintenance of the registry of financial operations and services, and expanded the requirements for the identification of bank clients by means of Know Your Customer policies.
Among other measures, Circular 3,461 introduced the concepts of permanent clients and eventual clients, including a differentiation in the Financial Institutions' liability with respect to the two types of clients. The rule establishes specific criteria for the enrollment of permanent clients, including, for instance, the requirement to obtain the monthly income and equity value, in the case of individuals, and the average monthly billing of the twelve previous months, in the case of legal entities; account information of the owner and recipient of the funds involved in the financial operation or service; and even a statement on the purposes and nature of the business relationship with the institution.
Another change introduced by Circular 3,461/2009 was the expansion of the scope of identification of "politically exposed individual" to all clients of Financial Institutions, in such a way that the institutions may adopt the same evaluation and risk criteria used for "politically exposed individual" for all clients.
Additionally, Circular 3,461/09 establishes the need to identify the transactions' final beneficiaries. Article 2, III, § 2 of Circular 3,461/09 determines that the account information with respect to a legal entity client shall comprise the individuals authorized to represent it, as well as the corporate interest chain, until it reaches the individual characterized as final beneficiary. Circular 3,461/09 also determines that financial institutions shall pay special attention to clients and operations where it is not possible to identify the final beneficiary.
With the purpose of updating and improving the prevention measures regarding money laundering in international transactions, the Central Bank enacted Circular 3,462/09, which determines that the payment orders themselves shall contain more detailed information on the operation, with the name and identity document of the involved parties, address and bank account, when applicable. In this sense, the Financial Institutions authorized to operate in the exchange market shall adopt measures to know the methods and practices used by their correspondents abroad in order to suppress money laundering and terrorism financing practices.
The non-fulfillment of the obligations set by Law 9.613/98, Circular No. 3,461/09 or IN 301 may subject the agent to a warning, a pecuniary fine, temporary disqualification or even annulment of the authorization to make transactions or to operate, to be applied by the competent authority, according to the violation that occurred and the agent's regulatory system.
(d) Politically Exposed Individuals (FATF/COAF)
Following a schedule set due to provisions of the International Convention for the Suppression of Terrorism Financing, adopted by the United Nations General Assembly on December 9th, 1999 and published by Brazil by Decree No. 5.640, as of December 26th, 2005, as well as of the United Nations Convention against Corruption, adopted by the United Nations General Assembly on October 31st, 2003 and published by Brazil by Decree No. 5.687, as of January 31st, 2006, an evaluation report of Brazil relative to the rules for the prevention of and fight against money laundering and terrorist financing was published by the Financial Action Task Force on Money Laundering (Financial Action Task Force/Groupe d'Action Financière - "FATF/GAFI"). The referred report, known as "The Forty GAFI recommendations", showed an analysis of the financial and capital market regulations which were in force in Brazil at that time.
The Financial Action Task Force on Money Laundering is an inter-governmental body created in 1989 at a G7 meeting held in a country and aims at the development and promotion of national and international policies to fight money laundering and terrorism. Currently, the Group is formed by members of 34 countries, including Brazil.
After the publication of the recommendations, a working group made up of members of the Securities Commission ("CVM"), of the Financial Activities Control Council ("COAF") and of GAFI was organized in order to deepen the study of the deficiencies of the Brazilian legislation and, especially, to coordinate efforts with the Brazilian authorities aiming at solving the detected problems.
As a result of the referred study, CVM edited the Instruction Norm No. 463 ("IN CVM 463"), as of January 8th, 2008, which amended Instruction Norm No. 301, dated April 16th, 1999, which deals with the identification, filing, registry operations, communication, limits and administrative responsibility provisioned in clauses I and II of article 10, I and II of article 11, and articles 12 and 13, of Law No. 9.613, dated March 3rd, 1998, with regard to the "laundering" or occultation of property, rights and values.
The major innovations introduced by Instruction CVM 463 refer to (i) strict inspection of transactions involving (a) Politically Exposed Individuals, (b) non-resident investors, especially when constituted under the form of trusts and companies with bearer bonds, (c) investors with large fortunes served by areas of financial institutions which are focused on clients with this profile ("private banking"); (ii) the identification of the final beneficiary of transactions, and (iii) updating of filing data from clients every 24 (twenty-four) months.
To the same effect, Circular No. 3,461/09, of the Brazilian Central Bank, establishes follow-up and control measures that shall be adopted by Financial Institutions with regard to operations with Politically Exposed Individuals. The transactions performed by individuals that fit such classification shall be monitored by the Financial Institutions, which are responsible for identifying those that do or do not fit this criterion.
(e) Insider Trading
One can define Insider Trading as the practice of using privileged information relative to the businesses and status of a company for one's own benefit.
The Brazilian Law, pursuant to laws 6404/76 and 6385/76, regards as insiders certain persons that, due to their status, have access to the so-called privileged information, such as:
1. Managers, Directors and Executive Officers;
2. Members of any bodies, created by the by-laws, with technical functions or with the purpose of providing counseling to administrators;
3. Subordinates of the above mentioned persons;
4. Third parties trusted by those people;
5. Major shareholders.
As per the Brazilian law, the managers and the people of the same rank are in charge of promptly disclosing the relevant information, more specifically the relevant facts, which occur in the company's businesses and which may influence, in a careful manner, the market investors' decision to sell or buy securities issued by it.
The occurrence of Insider Trading may bring about:
1. Administrative Inquiry in the scope of CVM
CVM may set up administrative inquiry against the administrators, members of the agencies created by the By-Laws with technical or consulting functions and members of the fiscal council. Once the violation is evidenced, CVM may impose the following penalties on the violators:
a) Warning;
b) A Penalty;
c) Suspension of activities as the administrator of the open capital company or of entity of the securities distribution system;
d) Ineligibility to perform the aforementioned positions;
e) Suspension of authorization or registry for the performance of activities as set in Law No. 6385/76;
f) Annulment of authorization or registry as mentioned in the aforementioned item;
g) Temporary prohibition, of up to twenty years at the most, for performing certain activities or operations, for the members of the distribution system or other entities who depend on authorization or registry before the Brazilian Securities Commission; and
h) Temporary prohibition, of up to ten years at the most, for acting, direct or indirectly, in one or more operations modalities within the securities market.
2. Civil and Criminal Lawsuit
The person damaged by the Insider Trading may propose:
a) Civil lawsuit against the managers, members of technical and consulting agencies which have been created by the By-Laws and statutory audit committee members in order to claim indemnity for losses and damages;
b) Civil lawsuit to cancel the transaction; and
c) Criminal lawsuit that, in case the pieces of evidence gathered along the inquiry are conclusive in the sense that there was public criminal action crime (as in the case of larceny), must be proposed by the member of the Public Prosecution Service. In this case, CVM must notify the Public Prosecution Service about the information.
Finally, one must bear in mind that any CVM administrative decision may be reversed by court decision.
(f) Non-equitable practices and manipulation of market artificial conditions
The referred illicit acts, both being considered grave failures, are regulated by means of one of the first normative instruction acts issued by CVM, Resolution No. 08 of 1979.
The concept of non-equitable practice applied in Brazil is set out in the normative text itself, as transcribed below:
"in the securities market, that one from which it results, directly or indirectly, effectively or potentially, a treatment to any of the parties, in negotiations with securities, which places it in an improper imbalanced or unequal position due to the other participants of the transaction."
The creation of market artificial conditions, in turn, is addressed as follows:
"those created due to negotiations by which their participants or intermediaries, by action or felonious omission provoke, directly or indirectly, changes in the flow of orders of purchase or sale of securities;"
25.3. Sarbanes-Oxley and FATF: some international practices applicable to the financial markets
(a) SOX
Sarbanes-Oxley law was signed on July 30th, 2002 by Senator Paul Sarbanes and by State Representative Michael Oxley, after a series of disastrous frauds, as an attempt to recover reliability in the financial market. According to the wording contained in the rule itself, the Sarbanes-Oxley law may be defined as a rule to protect investors, with the improvement of the correction level and trust of the information disclosed by companies under the law that regulates the capital markets, and to other purposes.
With its application focused in open capital companies that hold Securities in North-American Stock Exchanges, SOX has been transforming the scenario of audits and internal controls as it established full disclosure policies, mitigating the risks which the investors are subject to.
We can mention as important members of the SOX normative body, (i) the personal certification that the CEO/CFO of the company must do about the quality of internal controls and the financial statements, (ii) the requirement for a higher disclosure in any financial transaction, (iii) the increase of the responsibilities of the audit committee, (iv) the increase of regulation lying on the independent auditors, (v) increase of regulation about insider transactions, etc.
In the Brazilian Law, we can see some clear reflections of the internationally established practices focused on the treatment of information. One of them is in Regulatory Resolution 232/95 of CVM, which establishes that the publicly-held companies shall be transparent with regard to the market value of their financial tools. Regulatory Resolution 308/99 of CVM, which regulates the performance of independent auditors, demonstrates the same intent. In addition, we have the operating risk and internal control norms (Resolutions 3.380, as amended), which present provisions inspired by Sarbanes-Oxley.
(b) FATF
Globalization and its effects have also made crimes more sophisticated, often at a faster pace than regulation itself. Undoubtedly, money laundering is one of the most global crimes, as it was able to support its expansion in the "gaps" between legal systems, taking advantage of failures and lack of cooperation among countries to handle the amounts originating from other crimes.
During the G7 meeting in 1989, a discussion about a system to fight money laundering and the financing of terrorist activities was initiated, thus creating the FATF (Financial Action Task Force), an international task force with members of the G-7 and other guest countries.
In 1990, 40 task force recommendations were created, whose scope was to bring general guidelines so that the member countries themselves, in the context of their own legal systems, would create norms to prevent money laundering and the financing of terrorist activities.
Among the recommendations addressed to the governments, we can highlight the criminalization of money laundering, the liability of legal entities for it, the possibility of seizure by the authorities of property originating from crimes, among others.
The other recommendations are made with the focus on the Financial Institutions, always grounded in the principle of obtaining as much information as possible about the client, the transaction and the channels used. To illustrate, one can mention the "know your client" policy, the obligation to keep files of banking transactions for five years, the due diligence in the contracting of bank correspondents, etc.