Brazil: the need to set limitations on criminal liability of compliance officers

Back to Criminal Law publications
Back to Business Crime publications

João Augusto Prado da Silveira Gameiro
Trench Rossi Watanabe, São Paulo


Although the culture of compliance is spreading increasingly rapidly and comprehensively in Brazil – even as a reaction of society and, especially, of the corporate world to the recent cases of political corruption – the fact is that this approach to business is still relatively new and is undergoing a process of development and consolidation. Brazil is experiencing a period of intensification in the fight against corruption, which goes hand-in-hand with the development of institutions, including the need for broad access to education, falls in inequality, and greater political engagement.[1] A technical approach to these new concepts is therefore essential so that compliance can develop in line with the rules which already exist in Brazil’s legal system.

In this context, some statements have been made regarding possible unrestricted criminal liability of compliance officers in the event of a company being involved in corruption or other conduct which could be characterised as a criminal offence. This attempt to expand the exposure of compliance officers causes more uncertainties when we observe the tendency of United States authorities and other jurisdictions around the world, to punish individuals – and not legal entities – involved in corporate wrongdoing with more severe sanctions.[2]

The clarification of this mistake depends on the correct understanding of what compliance is and the exact duties of a compliance officer.

Compliance should not be considered a new and independent area of law or a matter limited to the legal sphere. It is, in fact, a phenomenon which originated in the 1960s, when the idea of social responsibility began to be developed, the fight for civil rights intensified, and certain values started to dictate the conduct of individuals, changing labour relations and personal interactions within corporations. In the decades that followed, this process has expanded to address issues such as climate change, the prevention of corruption and data privacy.[3]

With the aim of adapting to this new reality, companies started to seek a posture of compliance, which materialised in a programme consisting of a ‘set of disciplines introduced in the company to enforce legal and regulatory standards, policies and guidelines established for its activities, as well as a tool to prevent, detect and treat any deviation or non-conformity therein’.[4] Adopting a more critical view, it is possible to argue that companies put aside their traditionally reactive stance and began to act as agents of social change. They became entities which not only understood the new values, but actively promoted them. There is progress from the superficial concept of mere compliance with standards towards an awareness of modern trends in best business practices.[5]

In this context, the compliance officer will be the individual within the internal structure of the legal entity, who will receive a mandate from the senior management granting them authority to develop, apply, and monitor the integrity programme. It is important to highlight that, in this new reality in which the legal entity bases its action on ethical standards, the integrity programme is not merely limited to a formal document. In fact, the programme must be an effective instrument for action and transformation.[6] Consequently, the compliance officer must have the necessary means to exercise their role, including: a position with the same status as other key departments of the legal entity; sufficient and adequate financial, material, and human resources; autonomy to make decisions and implement the required actions; competence to ensure that signs of irregularities are found; and existence of a direct line of communication with the highest hierarchical level of the legal entity that guarantees independence.[7]

Considering that: (1) companies are adapting their internal policies to continue seeking profit, but within certain ethical standards; (2) to achieve this objective, they have invested material, financial and human resources; and (3) they have selected people with the necessary experience and training to coordinate this activity. The following must be also be answered. Would it be reasonable to accuse the compliance officer (the individual who, in reality, is assisting the public administration in preventing and suppressing corruption) for any and all crimes in which the company may be involved? Would it be reasonable to make the compliance officer responsible for avoiding the occurrence of any corporate wrongdoing and, if any corporate wrongdoing does occur, making them an author or accessory of the crime? The correct and rational answer is no.

The increasing complexity of business organisations, with structures, division of tasks, and lines of command increasingly influenced by their global operations, makes it difficult to identify exactly which individual procured or encouraged the commission of a certain conduct that resulted in a crime. As examples, it is possible to mention companies which operate with different business units, sometimes in totally different sectors, but under the umbrella of the same legal entity; technical departments that have a fundamental role in the company’s operation, but who do not have decision-making power; and individuals who hold certain positions with lines of report not only in Brazil, but also abroad. If, on the one hand, there is an increase in internal efficiency, these new structures create a challenge for the authorities to identify who actually had responsibility and power over a certain decision. Nevertheless, this obstacle does not remove the burden for the accusation to describe the conduct executed by each one of the individuals involved in the crime, despite some decisions that try to make this criminal procedure rule more flexible.[8]

The individual who acts as a compliance officer, as well as any person who holds some type of management position in a certain legal entity, cannot be held responsible for the practice of a certain crime based only on the position they hold. Such a situation would imply strict criminal liability, which is explicitly prohibited under Brazilian law. Article 13 of Brazil’s Criminal Code states that ‘[t]he result, on which the existence of the crime depends, is only attributable to the person who caused it. A cause is considered to be an action or omission without which the result would not have occurred’; and Article 29 determines ‘[w]hoever, in any case, contributes to the crime, will be subject to the penalties, to the extent of [their] guilt’. Only those who commit wilful or negligent conduct with a chain of causation with a result provided by law as a crime can be held criminally liable.

Brazil’s courts, including the Superior Court of Justice, have also repeatedly ruled ‘to deny the criminal charges that, even in corporate crimes and criminal conspiracies, appoint criminal liability to individuals, taking into account only their positions in the company, failing to demonstrate their link with the criminal conduct, which constitutes not only a violation to the right of defence and due process of law, but also a situation of strict criminal liability, which is repudiated by the national legal system’.[9]

Therefore, the person who holds the position of compliance officer could only be found guilty in the criminal sphere if there is evidence that they participated in conduct that effectively contributed to committing an offence through wilful or negligent conduct.[10] The inclusion of a compliance officer as a defendant in a criminal lawsuit is inadmissible based simply on their position within the hierarchy of a legal entity. For example, the compliance officer can only be accused of committing a crime of corruption if there is evidence that they promised an undue advantage to a public agent, or that they ordered a third party to make such a promise, or that they participated in a decision-making process so that bribes could be promised.

A more controversial issue concerns the possibility of considering the compliance officer as a guarantor (‘garantidor’) under Brazil’s criminal law, which would allow criminal liability in cases where there is an omission in the exercise of their duties.

As provided in Article 13, paragraph 2, of the Criminal Code, an omission will be considered criminally relevant when the individual who was responsible for the omission should and could otherwise act. Still according to the law, the individuals who have this duty to act are those who: (1) by law have an obligation of care, protection, or surveillance; (2) have assumed the responsibility of preventing a result; and (3) with their previous behaviour, created the risk of the result occurring. According to the jurisprudence, the figure above would be that of the guarantor – the person who has a special relationship with a certain value protected by law and, therefore, has the duty and legal power to act to avoid a result and any omission can be considered a real action.

The attribution of the position of guarantor to the compliance officer is based on the following rationale: from the moment a certain person is empowered by senior management to prevent and repress undue practices, they assume the responsibility of protecting the company’s ethical compliance and cannot omit themselves if aware of any action that could attack this legal asset. If the compliance officer becomes aware of the occurrence of a crime within the company and does nothing, the compliance officer could, in theory, also be considered the author of that crime.[11]

It is important to stress that, although the assignment of the position of guarantor to the compliance officer is controversial, this method does not imply an indiscriminate attribution of criminal liability for any and all events.

As mentioned above, the compliance officer’s role is to structure, implement and manage the integrity programme.[12] There is a position that defends that the compliance officer is an individual with a limited role, who would only have province over the information flow within the scope of their own professional competence and should only report to senior administration evidence of the practice of an illegal act. Such a superior, in turn, would have responsibility for taking the appropriate measures against those illegal acts.[13] This would mean that the compliance officer would not assume the responsibility of preventing the practice of any and all crimes within the company in which they operate.[14] In fact, the compliance officer would act as someone who only provides assistance to the board, who has a clearly-defined role and who can only be held responsible for acts carried out within their sphere of competence, under the risk of creating situations of real injustice.

Furthermore, another element of the guarantor’s role, in addition to the duty to act, is the power to act, which means the physical possibility of avoiding the practice of a certain illegal action.[15] Again, this is something incompatible with the corporate role of a compliance officer, from whom coercive measures cannot be expected against employees – or even against the company’s top management – to prevent crimes from occurring.

Even though considered a guarantor, the compliance officer is required to comply with the strict duties imposed. Nothing else. Despite playing an important role, the presence of a compliance officer does not relieve other company employees from also fulfilling their individual responsibilities. In the conflicting case, we would still have a serious technical-legal problem, since the compliance officer could be held responsible for not preventing the occurrence of crimes by third parties who, in turn, are fully responsible for their own acts. In summary, ‘[...] the structure that will be responsible for the corporate compliance sector, whether it is centred on one person, on a group of people, or on an external representative, will not define the decisions to be taken by this company. It is only the warning about evident risks inherent in decisions. The statement may seem somewhat obvious, but it is often assumed that the compliance officer can and should do the impossible to avoid any type of illegal or unwanted conduct in the company. If so, the compliance officer should, in fact, be the company’s chief executive and not just a management advisory area’.[16]

If, in general terms, the current process of unprecedented change in Brazil can be considered positive, we are still subject to side effects, with the possibility of compliance, initially perceived with the objective of avoiding or reducing criminal accountability risks, paradoxically, ending up as an instrument of greater legal exposure for companies and individuals who are making efforts to foster a culture of ethics.

Fortunately, the solution of minimising such negative effects is straightforward. We must analyse all new concepts in light of the principles protected by Brazil’s democratic and republican state, such as legality, presumption of innocence, and dignity of the individual. If any alleged evolution does not fit these parameters, we are certainly not talking about evolution.


[1] For more about aspects of underdevelopment in Brazil and its relationship with corruption, see Raphael Rodrigues Soré, A Lei Anticorrupção em contexto: estratégias para a prevenção e o combate à corrupção corporativa, Belo Horizonte: Fórum, 2019, p 36.

[2] For example, the Yates Memo, of 9 September 2015, produced by the US Department of Justice (DoJ), see www.justice.gov/archives/dag/file/769036/download, last accessed 23 February 2021. The same approach has been adopted by the US Securities and Exchange Commission (SEC), which tried to establish parameters for the adoption of legal measures against compliance officers see https://fcpablog.com/2015/07/20/sec-we-arent-targeting-compliance-professionals-but/

[3] For more information on this historic process, see Ethics & Compliance Initiative (ECI) Timeline of Business Ethics and Compliance, see www.ethics.org/resources/free-toolkit/ethics-timeline, last accessed 23 February 2021.

[4] Carla RahalBenedetti, ‘Criminal compliance: instrumento de prevenção criminal corporativa e transferência de responsabilidade penal’, Revista de Direito Bancário e do Mercado de Capitais, Vol 59, p 303, Jan 2013 (free translation).

[5] Ana Paula Candeloro, et al, Compliance 360º: riscos, estratégias, conflitos e vaidades no mundo corporativo, São Paulo: Trevisan, 2012, p 253.

[6] ‘This individual [compliance officer] must have sufficient authority, stature, access, and resources to get the job done’. The Ethics and Compliance Handbook: a practical guide from leading organizations (Ethics and Compliance Officer Association Foundation: New York, 2008), p 29.

[7] Brazilian Comptroler-General Office (Controladoria-Geral da União– CGU). Programa de Integridade – Diretrizes para Empresas Privadas. Brasília, September 2015. www.gov.br/cgu/pt-br/centrais-de-conteudo/publicacoes/integridade/arquivos/programa-de-integridade-diretrizes-para-empresas-privadas.pdf. US DoJ Criminal Division, Evaluation of Corporate Compliance Programs, June 2020, see www.justice.gov/criminal-fraud/page/file/937501/download, accessed 24 February 2021.

[8] This tendency can be detected in recent decisions, such as that of Brazil’s Superior Court of Justice (STJ), which, despite ruling out the possibility of the Public Prosecutor filling so-called ‘generic criminal charges’, allows the accuser to press ‘general charges’, reducing the level of details regarding the description of the contribution of each individual in the corporate environment to the commission of a wrongdoing: ‘It is important to clarify that general charges cannot be mistaken with generic charges, since the national law does not allow a generic complaint. However, in cases of corporate crimes and criminal conspiracy, it is possible to admit general charges, that is, an accusation that, although it does not detail the actions of the defendant, shows, even in a subtle way, the connection between his/her conduct and the criminal act.’ STJ – RHC 54075/RS, Justice Reynaldo Soares da Fonseca, 5th Chamber, j 27 June 2017.

[9] STJ, HC 349.073/SP, Justice Min Maria Thereza de Assis Moura, Ruling Justice Sebastião Reis Júnior, 6th Chamber, j 26 April 2016.

[10] For example, the case of the compliance officer of the National Labour Relations Board, who admitted during his trial that he had misappropriated approximately US$400,000 during the period he served at that US federal agency, see www.justice.gov/usao-dc/pr/former-compliance-officer-national-labor-relations-board-pleads-guilty-stealing-more, accessed 24 February 2021. More recently, a UBS bank compliance officer was sentenced in London to three years in prison for taking advantage of her position of trust at the financial institution to obtain relevant information and pass it on to a friend in an insider trading scheme, see www.reuters.com/Article/us-britain-ubs-insiderdealing-idUSKCN1TS2L1, accessed 24 February 2021.

[11] For example, that would be the case of Peter Madoff, brother of Bernard Madoff, responsible for one of the largest Ponzi Schemes in history, which generated losses of around US$60bn to investors. Peter Madoff served as Chief Compliance Officer at his brother’s investment firm and, during investigations, it was found that he made false statements to investors; Peter Madoff claimed that he performed periodic compliance reviews of the investment firm’s operations when, in fact, such reviews were never carried out. As Peter Madoff was considered a ‘gatekeeper’, the omission of which allowed his brother to continue putting the Ponzi Scheme into practice. He was sentenced to ten years in prison by the Federal Court of Manhattan for fraud, see https://archives.fbi.gov/archives/newyork/press-releases/2012/peter-madoff-former-chief-compliance-officer-and-senior-managing-director-at-bernard-l.-madoff-investment-securities-llc-sentenced-in-manhattan-federal-court-to-10-years-in-prison, accessed 24 February 2021.

[12] Renato de Mello Jorge Silveira and Eduardo Saad-Diniz, Compliance, direito penal e lei anticorrupção. São Paulo: Saraiva, 2015, p 144.

[13] Érika Mendes de Carvalho and Daiane Ayumi Kassada, O compliance officer é autêntico garante no âmbito dos crimes omissivos impróprios ambientais? Boletim do Instituto Brasileiro de Ciências Criminais, São Paulo, n 280, March 2016.

[14] José Danilo Tavares Lobato and Jorge Washington Gonçalves Martins. Considerações preliminares acerca da responsabilidade criminal do compliance officer. Boletim do Instituto Brasileiro de Ciências Criminais, São Paulo, n 284, July 2016.

[15] Cezar Roberto Bitencourt, Tratado de Direito Penal Parte Geral 1, 20th ed São Paulo: Saraiva, 2014, pp 311–312.

[16] Helena Regina Lobo da Costa and Marina Pinhão Coelho Araújo, Criminal Compliance, p 223; and Renato de Mello Jorge Silveira and Eduardo Saad-Diniz, Compliance, direito penal e lei anticorrupção, São Paulo: Saraiva, 2015, pp 144-145.