Corporate compliance annual report 2017: Avoiding the issue?

Even some of Iberia’s biggest businesses are still not properly addressing the issue of compliance, yet lawyers sometimes face the challenge of convincing them that their reputation could be at risk –  meanwhile, doubts persist about the wisdom of acting as external legal advisers to clients’ compliance committees    

 There are still many companies – even among the largest market players – that have, as yet, failed to fully get to grips with the issue of compliance. And even among those that are taking the issue seriously, lawyers report that many are starting from scratch in terms of developing compliance programmes. While this suggests that law firms have an opportunity to cash in on what is a relatively untapped market, the problem remains that many businesses in Iberia are still not completely convinced of the need to be compliant. This is despite the fact that they are running the risk of severely damaging their reputation, or even worse, going out of business altogether.

However, the most sophisticated companies are not only ensuring they are legally compliant, but they are now taking the next step and consulting lawyers on how to foster a culture of compliance within their organisation. Meanwhile, some organisations are setting up compliance committees – acting as an external legal adviser to such bodies is a potential source of work for lawyers, though when entering into such situations, it is important that they exercise considerable caution. As some lawyers warn, law firms that advise companies’ compliance committees need to ensure that they do not potentially leave themselves vulnerable to being held liable for any breaches of regulations by their client.     
There are many major companies that are only just beginning to address the issue of compliance, according to Ester Navas, partner at Baker McKenzie. “There are a lot of big companies that need to work from zero,” she says. Ontier partner Ramón Ruiz de la Torre says that, to effectively advise clients on compliance, it is necessary to have a “tighter relationship” with them, so as “to get close to your client and understand what they need”. He adds that, if companies are going to have a compliance programme, it is important that they comply with it, as if they do not, the consequences could be worse than not having a compliance programme at all.

Culture of compliance
Some large multinational companies, such as IBEX 35 companies, want to move from “compliance in only the legal sense and more to cultural compliance”, says Eversheds Sutherland Nicea partner María Hernández. For other clients, it is important for law firms to explain to boards of directors about “the value of a culture of compliance”. She adds: “For example, research has shown that companies that are declared ethical outperform the rest of their market competitors.” However, Hernández adds that it is not possible to completely eliminate all compliance-related risk. Baker McKenzie partner Cecilia Pastor says that a business that is not sufficiently compliant will lose business. She adds that when it comes to expanding into new jurisdictions, businesses that are not compliant with local rules and regulations often need to make the decision to not go into the market in question.
Another concern for companies looking to expand abroad is that, while adapting their compliance programme to meet international standards, it is also important that local compliance risks are identified, according to Deloitte lawyer Borja Almodóvar. He adds that computer programmes are being developed that manage compliance. According to Almodóvar, compliance officers need more visibility within companies. “Companies need to find a way to develop this visibility,” he adds.
The concept of compliance is extremely broad and affects the functioning of businesses’ day-to-day operations, explains Ashurst Madrid managing partner María José Menéndez. She continues: “There is no single effective method of having good compliance, businesses have to be very vigilant and this can involve creating supervisory bodies.” Menéndez adds that organisations also have an opportunity to embed compliance into the automation of their businesses, though this can be challenging.
Hernandez says that one opportunity for lawyers is to act as “external members” of clients’ compliance committees where the lawyer acts as an adviser on “best practices”. In such instances, it is important that there is a clear “dividing line between those who are part of the decision-making body and those who act as an adviser to the decision-making body”, according to Pastor. Almodóvar says that a lawyer can advise a compliance officer/committee in order to recommend what to do in relation to each matter, but they should not make decisions on behalf of them. He adds: “As the public prosecutor says, you can externalize some of the compliance function, but not all.” Almodóvar says that, from the point of view of criminal responsibility, “only those who actively participate in an offence can be held liable”. He continues: “Neither the compliance officer, compliance committee or external advisers can be held responsible for offences committed by other employees or managers, provided they have fulfilled their responsibility in the area of compliance.”

Training sessions
Pastor says that there is a trend for clients’ requirements in relation to compliance to change. She adds: “The requests are changing, it used to be the basic ‘can you audit this?’ Now, it’s increasingly ‘can you do a training session?´ We’re going from design to deployment”. Another partner remarks that it is important that clients consult lawyers on their compliance programmes rather than simply “cutting and pasting a compliance programme from the internet”. Another problem that has been observed by some lawyers is clients entering joint ventures with partners in other jurisdictions, but then only one of the joint venture partners educating their own staff about compliance issues, with the other partner failing to do likewise.
Compliance officers in companies in Spain often lack sufficient authority, according to one partner. “I’ve never seen a compliance officer in Spain with the authority to stop business,” the partner says. “I’ve never seen a compliance officer say ‘no’ to the CEO.” However, another partner remarks that the Spanish criminal code will change this situation. Compliance should be an imperative for business because they “cannot afford to do bad business”, according to one lawyer. Law firms also warn that there have been recent cases where clients have had to close businesses in foreign jurisdictions because of compliance issues, even though the businesses were profitable enterprises.
Clients are turning to law firms to ask for training on how to deal with “dawn raids”, says one partner. “This can involve training receptionists, for example, on what protocols to follow,” the partner adds. “For example, it’s important that clients do not destroy information.”

Portugal: Fight against terrorism
Contentious matters relating to compliance will increase in Portugal, according to Uría Menéndez-Proença de Carvalho partner Nuno Salazar Casanova. He adds that this will be partly due to new measures introduced by the Bank of Portugal following the global crisis, which had a severely damaging effect on the Portuguese banking sector. He adds that compliance matters related to financial institutions and the “financing of terrorism” will also be a feature of the market in future.
There is an increasing number of new laws that require companies – particularly those in the energy, banking, capital markets or insurance sectors – to adopt “written compliance mechanisms and compliance programmes, the infringement of which may imply the assessment of severe penalties and ancillary sanctions,” says Sofia Ribeiro Branco, partner at VDA – Vieira de Almeida. She adds that using compliance as a “defence tool is a new hot topic for lawyers, as sanctions may be significantly reduced (or maybe not imposed) if companies succeed in demonstrating they have strong compliance programmes which they implement and enforce”.
One of the major opportunities for law firms in Portugal relates to advising clients on the creation and implementation of compliance policies and programmes, namely in relation to combating money laundering and terrorism financing, as well as the issue of data protection, says MLGTS partner Tiago Félix da Costa. He adds that there is also significant work for law firms in regulated industries such as health and telecommunications where regulation is increasing. Meanwhile, the European Union’s General Data Protection Regulation (GDPR) will bring about dramatic changes related to data protection and privacy. Félix da Costa also says that “unlike in Spain, Italy and other countries, Portugal does not have a clear definition of how companies’ liability should be exempted if they prove to have adequate compliance programmes”.
Hugo Rosa Ferreira, partner at PLMJ, says that there is generally an increasing awareness of the importance of compliance in Portugal. He continues: “Regulators are more active in the fight against financing criminal activities – also, board directors need to know there are new regulations and they need to be fully compliant.” Rosa Ferreira adds that anti-money laundering considerations are becoming increasingly important to law firms and that, when engaging with clients, the ‘Know Your Customer’ (KYC) process – as well as identifying the Ultimate Beneficial Owner (UBO) – is crucial. According to one partner, the issue of KYC is a particular problem for Portuguese banks that have relationships with banks in Angola in that there can be “problems with KYC information”. The partner adds: “Portuguese banks have to identify the origin of funds and they have to ensure subsidiaries are aware of the origin of funds.” Lawyers say there have been cases of US banks looking to buy banks with subsidiaries in Angola but have had to abandon such deals because of uncertainty related to the KYC process.
However, there is not a real “compliance culture in Portugal within small and medium-sized enterprises,” according to Tiago Ponces de Carvalho, lawyer at Abreu Advogados. He continues: “There is a lack of concern about compliance and it can be difficult to demonstrate to clients that, in addition to image and reputational damage, there could be an economic problem in the sense they could suffer financially due to non-compliance.” Ponces de Carvalho adds: “Nevertheless, it is quite clear that adequate legal advice, internal audits and appropriate training are the right tools to overcome that initial kind of reluctance.”

Lack of enforcement    
Carlos Pinto Correia, partner at Linklaters, says the crisis has shown that there was a widespread “lack of compliance and checks and balances”. He adds that, as a result, there has been a rise in litigation involving disputes between companies and regulators, shareholders, customers and auditors. Pinto Correia also says that there have been few court decisions in which fines have been applied for non-compliance: “There is a lack of enforcement and there is no culture of shareholder activism [in Portugal].”
New regulations on data protection and new regulations on money laundering are the two recent major milestones in compliance, according to Paulo de Sá e Cunha, partner at Cuatrecasas. “Consequently, clients face the challenge of preventing reputational damages, for example, perhaps relating to the spread of information on social media,” he says. Clients need to see compliance programmes as “potential litigation problems,” Sá e Cunha adds. It is for this reason, according to one partner, that litigators are “in a better position [than lawyers from other practice areas] to evaluate compliance risks”.
CCA Ontier partner Henrique Salinas says that, in cases of suspected non-compliance, regulators want to “really check there is a compliance programme, because then they could potentially say the business did not act in accordance with your own compliance programme”. However, Salinas adds that smaller companies often complain that they have to comply with many onerous regulations that are not really applicable to smaller businesses. Despite this, Salinas says that businesses that are not compliant face reputational risks as well as potentially having their company shut down.
The law in relation to compliance is much clearer in Spain than it is in Portugal, according to Sá e Cunha. “In Portugal, we try to block liability, but in Spain the law helps litigators,” he adds. One of the key issues related to compliance is that, especially with regard to financial institutions, “compliance doesn’t generate revenue,” says one partner. “So there is a constant stress between business and compliance – another major struggle is the culture, you need to train staff in compliance.” However, the partner adds that if clients believe that by not-being compliant they will be able to generate more revenue, they should be warned that if they are found to be non-compliant by a regulator that extra revenue could be “clawed back”. In addition, the partner says there is a lack of enforcement in relation to compliance in Portugal, partly because there are few prosecutors specialised in the relevant fields of financial crime. Meanwhile, Salazar Casanova says that the majority of companies in Portugal are small and medium-sized enterprises, so it can be difficult to “convince them to spend money on compliance”. With regard to the issue of how smaller companies are impacted by compliance, another partner remarks that “60 per cent of the rules may not make sense [for smaller companies] – the laws are not tailored to all types of companies”.
The first step for clients concerned about the issue of compliance is a risk assessment, one partner explains. “Clients have to understand the specific risks associated with their industry – the main problem is in less regulated sectors where it can be difficult to sell compliance to clients.” Directors need to understand that being a member of a board is a “risky business”, lawyers say. “We need to explain to directors that they are personally liable for fines imposed on a company – for example, fines in relation to breaches of labour rules.”
The risk of facing litigation – as well as financial risks and reputational risks – are “increasing every day,” lawyers say. Furthermore, there is a lack of “adequate early detection” of potential compliance-related risks. In addition, businesses that are non-compliant are at risk of a backlash from their clients, with customers likely to be less collaborative if they find out about regulatory breaches, lawyers warn.