Regulatory compliance annual report 2015: Decision time

As the need for effective compliance programmes increases, lawyers report that clients are taking a more proactive approach to the issue – however, many are still a long way from incorporating compliance into the culture of their organisation

The incentive for companies in Spain to have an effective compliance programme has never been greater. The introduction of the reformed Spanish Criminal Code next month will mean that companies that have proper compliance processes in place will be in a good position to defend themselves if they are ever accused of committing a crime. Many clients have woken up to this issue and consequently law firms are being inundated with compliance work, with the result that some expect to be recruiting new lawyers for their compliance practices in the near future. The message from lawyers to clients is this: Don´t see compliance as a burden, instead see it as a way of making your business more attractive to clients. The prospect of becoming compliant may be overwhelming for some organisations, but if they examine their internal procedures, they may often find they already have a burgeoning compliance programme in place, which can be built upon. However, as a number of lawyers in Portugal warn, the compliance regime is in a transitional phase, with many regulations needing to be adapted in order for them to be made more appropriate for smaller businesses.

Increasingly, organisations are taking a proactive approach to the issue of compliance. Bird & Bird counsel José Luis Lorente says that, increasingly, companies are adopting a preventative approach with regard to the issue of compliance. He adds: “Cross-border companies that cover different jurisdictions want all-encompassing compliance plans – they´re saying ´we need this designed and implemented´, now companies in the US, for example, want a broader approach and are looking to revisit their internal structures.” Cuatrecasas, Gonçalves Pereira associate Irene Martínez Saltó says companies have awoken to corporate compliance requirements and, consequently, Spain is at the end of the “first stage”. She adds: “It is now getting into Spanish culture and we are entering the 2.0 stage of corporate compliance with the reform of the Spanish Criminal Code of 2015.”

Establishing a defence
The new reformed code will come into effect on 1 July, 2015. Since 2010, it has been possible for Spanish companies to be held criminally liable for a number of crimes committed by their employees. But Baker & McKenzie partner Rafael Jiménez-Gusi says the reform to the criminal code “establishes as an effective defence for companies” the existence of a compliance programme adopted and approved by the company´s governing body which includes the following: risk analysis; standards and controls to mitigate identified risks; specific standards and controls for the company´s finances; an obligation to report to the compliance body of the company any potential risks and breaches of the standards and controls; and a disciplinary system to properly sanction the individuals that violate the compliance programme.
Adriana de Buerba, partner at Pérez-Llorca, says it is often the case that companies from other jurisdictions in which corporate criminal liability has a longer tradition already have a compliance culture, but she adds: “Compliance requires a change in the company’s business culture and this is something that you have to build internally little by little – for this reason we cannot ´sell compliance’ to clients, but we can help them to become compliant.” De Buerba says that when the reformed Spanish Criminal Code comes into force, compliance will not become compulsory as it was initially foreseen in the proposal for the Criminal Code amendment, but it will be “highly advisable”.
Bird & Bird senior associate Paula Fernández-Longoria says that clients are now demanding that compliance becomes a part of their culture. “Clients also know that it also impacts on their reputation – compliance will enable them to sell better to their clients,” she adds. Alejandro Touriño, partner at Ecija, says that clients now know that compliance is demanded by their customers. He adds: “They say they will be compliant with regard to data protection, for example, because it is important for clients.”

Wider, deeper, bigger
Compliance has undergone a “three-pronged” evolution, according to Baker & McKenzie partner Cecilia Pastor.  “It´s wider in scope, it´s deeper and is permeating the culture more – the most serious businesses are building compliance into their culture, and compliance is becoming bigger in the sense that the enforcement actions are bigger,” she adds. Enric Doménech, partner at BDO, says that the financial sector is generally more advanced than other sectors with regard to the “establishment of the compliance function” and that often advisers have to work to convince companies in other sectors about its importance. “Companies need to show transparency to the market as well as compliance with the rules,” he says.
Pastor says that when a client makes enquiries about the issue of compliance, the starting point is finding out what processes the client currently has in place. She adds: “I would ask what do you have? Do you have an ethics code? What is the business model?” Lorente says the message to convey to clients is “it´s better to be safe than sorry”. He adds that the reputational risk of non-compliance is “huge”.
De Buerba says that some clients are worried about compliance, but they can start addressing the issue by looking at what rules they have in place with regard to certain areas in which the law establishes specific compliance requirements, such as data protection or sexual harassment, for example. She adds that the most important thing is that clients have to be “fully committed” to becoming compliant. Pastor adds: “If clients are not fully committed, they are wasting their time and money.” Martínez Saltó observes that it is more often the case now that clients have a specific budget for compliance and that they want to check that they have the correct procedures in place.

Embargoed countries
De Buerba says news about several high profile cases in which criminal charges have been brought against companies has helped to raise awareness among clients about the issue of compliance. Another driver of Spanish clients´ concerns about compliance is the need of many companies to set up operations abroad, according to Pastor. “Such companies may be selling to embargoed countries – for example, the Russian embargo is a killer, trade compliance is an issue,” she adds. Fernández-Longoria argues that, in general, compliance is “not part of the culture” in Spanish companies. However, Touriño points out that the term compliance can cover a range of different topics. He adds: “With regard to corporate compliance, this culture does not exist in Spain, but when it comes to data protection, for example, Spanish clients do have this culture.”
Lorente says the Single Supervisory Mechanism for European Banks is a “huge concern” for clients in the banking sector. He adds: “Banks are disoriented about who they will report to.” Pastor says that Baker & McKenzie´s Madrid office is being “swamped” with compliance work. “We are thinking of taking on more lawyers,” she adds. De Buerba says that with regard to compliance in relation to potential economic crime, the Criminal Code foresees compliance as a cause for “exemption of the companies’ criminal liability”. She continues: “Internally, Pérez-Llorca has created a multidisciplinary team to provide advice in corporate compliance which always involves criminal and corporate lawyers and also might include lawyers from other practice areas – for instance anti-trust or labour – depending on the client’s needs.”

Ignorance of the issue
Pastor says that one of the first problems lawyers can face when talking to clients about compliance is “ignorance of the subject matter” and of the extent of the issue. “When you talk compliance to an in-house lawyer, they may not understand how far reaching it is as there is not a visible example out there.”
De Buerba says there is often a conflict between clients´ business and legal interests. “The business part might feel that compliance undermines their ability to do business, but, in fact, compliance gives you the tools to do business safely,” she says. Doménech says compliance is not an issue to be considered only as a cost for companies, but as a way to “achieve business goals”. Touriño says some legal departments “leave compliance to the last minute”.
Borja Almodóvar, associate at Deloitte Abogados, says there is often fear among some staff in organisations when they consider the issue of compliance: “There is a fear about what the boss will think and whether the boss will ignore the issue of compliance – but companies need to see compliance as a way of making their businesses work better, companies need to tell employees how to act.”
Fernández-Longoria says companies such as those in the pharmaceuticals sector, as well as banks, tend to have their compliance functions in-house. But she adds: “There is a lot of work for external lawyers ´localising´ multinationals compliance policies.” Touriño says cybersecurity and data breaches will be among the biggest issues for clients over the next year. Meanwhile, Martínez Saltó says companies are concerned about the issues of bribery and corruption. “Business between the public and private sectors used to be done in a different way,” she adds. “There is now concern, for instance, about the statutory rules regarding granting of inducements to public officials or, within the private sector, about the boundaries between legitimate sales promotions and the beginning of corruption.”
Regarding the opportunites for law firms in the coming year, Lorente says banks are facing a “tsunami of regulation” including Basel III and MiFiD II, while the Fintech sector is also expected to be increasingly regulated. Meanwhile, Fernández-Longoria emphasises that it is important that clients consider the issue of compliance from the outset of any project.

Portugal: Helping not hindering
Alexandra Maia de Loureiro, partner at SRS Advogados, says that, in the financial sector, there is generally an increase in regulation. “The regulation is more complex and this is creating an increased flow of work,” she says. Maia de Loureiro adds that banks and financial institutions have enlarged their compliance functions and this has created an increased demand for legal advice. “More basic compliance work is done in-house, but external lawyers are needed to interpret new regulations,” she continues.
Vieira de Almeida partner Magda Cocco says Portuguese companies are increasingly incorporating the compliance function into their structures. She adds that, in an increasingly “data-driven” world, data protection and cybersecurity are becoming bigger issues with the result that sectors such as telecoms, insurance and distribution are taking more action to address these issues.
Alexandre Jardim, partner at Pbbr, says that, with economic activity being increasingly regulated, the big challenge is to make clients understand that the rules “help them to develop” their businesses. “Business people within companies often think the rules are annoying and that they constitute a significant burden,” he adds.
Cocco says the banking sector is well aware of the importance of compliance. She adds: “They understand it is critical for the financial system – any incident will be damaging for clients.” Paulo Costa Martins, senior associate at Cuatrecasas, Gonçalves Pereira in Lisbon, says some regulations are not adjusted for organisations of different nature. “For example, anti-money laundering regulations are mainly designed for banks and are not adjusted for other types of financial companies,” he says. Cocco says regulations that stipulate banks and financial institutions must meet their clients “face-to-face” is another example of the negative impact regulations can have on innovative ways of providing services.

Barrier to entry
Abreu Advogados partner Inês Sequeira Mendes says that, in the case of smaller clients, the high burden of regulation can prevent them doing business. “It can be a barrier to entry [into a market], so we are still in a transitional phase, the regulations can´t apply in the same way to all companies.” SRS Advogados associate João Santos Carvalho says that in a typical medium-sized bank, the in-house legal department will handle most compliance-related matters and will allocate up to 60 to 70 per cent of its resources in handling such matters. He adds: “Specific matters or projects may however be outsourced to external firms.”  
Cátia Pedro of Ernst & Young says there is considerable demand from clients in less regulated sectors for compliance advice as such companies generally do not have compliance teams. She adds that there are often potential conflicts between businesses´ legal counsel and their compliance function. Maia de Loureiro explains that a company´s compliance officer does not always have a good relationship with the business side of the organisation. “The compliance officer may look for external legal advice to validate their argument,” she adds.
According to PLMJ partner Ricardo Oliveira, the global recession marked a “breaking point”. He adds: “We´re now dealing with diverging trends, the world is becoming more complex and there is a greater compliance burden – companies finances are more strained and the drive for more preventative compliance has been weakened, and there is now a more reactive stance.” Oliveira says that companies’ attitudes to legal service providers have also changed with the result that lawyers have become cheaper. But he continues: “Things will bounce back, there is more compliance work available.”

Not the ‘bad guy’
Sequeira Mendes says compliance practices are a useful way for law firms to facilitate cross-selling. She adds: “Regulations cover all areas – competition, data protection, tax and the environment, for example.” Cocco says fees for compliance work are not going down: “Clients consider our experience and they want a good compliance programme.”
Who should be responsible for compliance within organisations? Jardim says the head of legal and the compliance officer should “not be the same”. He adds: “The compliance officer should not be seen as the bad guy.”
Maia de Loureiro says banks now have to measure the reputational risk related to non-compliance. She adds: “There is a risk of losing clientele, while the Bank of Portugal can impose sanctions in cases where banks did not properly evaluate reputational risk.”
Pedro says that, in the case of many clients, the culture of compliance needs to be developed. “Communication within the organisation is important – the approach needs to be this is the right way to do things and this is better for everyone in the long run,” she says. Jardim says external legal advisers have a key role to play in explaining wider developments and trends in compliance to clients. He adds: “External legal advisers can also be helpful to clients be helping them to hedge the burden of regulation with the sustained development of their business.”
Maia de Loureiro says that if organisations use external lawyers to handle compliance matters, there is no potential conflict of interest. Meanwhile, Sequeira Mendes says external lawyers are able to give a more objective “outside view” of clients´ compliance processes.
Cocco says that, with the increased internationalisation of companies, clients need to ensure their processes are compliant with Portuguese regulations. She adds: “With new technology platforms, big data and data privacy will become extremely important issues in the future – technology companies are analysing data protection as there are huge amounts of data being processed.” Costa Martins says that one current issue of interest in the financial sector is the rendering of financial activities on a cross border basis through electronic devices – such as via tablets, for example – and how the use of those electronic devices shall be viewed in Portuguese law in the context of compliance. Pedro says compliance is an opportunity for clients to control risk by minimising fraud and reputational risks. Meanwhile, Oliveira urges companies to not fight the compliance trend and be more proactive in addressing the issue.
Servulo partner José Lobo Moutinho says there will be an increased demand for compliance advice related to the pharmaceutical industry, environmental law and public procurement in the coming year.
Compliance is a minefield for all organisations and advancements in technology will only serve to make the minefield even more difficult to navigate. However, as daunting as it may seem, clients who tackle this issue head-on will be in the best position to protect their reputation and grow their business in the future. IL