MVCompliance | Regulatory Compliance Programme

2022-06-17
See pdf

Introduction

The Portuguese Government approved a set of measures, including a general framework for preventing corruption. This happened under the National Anti-Corruption Strategy 2020-2024, approved by the Council of Ministers Resolution No. 37/2021, of 6 April 2021.  

Decree-Law No. 109-E/2021, of 9 December 2021, approved the Portuguese Framework for the Prevention of Corruption (the Portuguese Anti-Corruption Framework) and created an independent administrative entity, the National Anti-Corruption Mechanism (MENAC). MENAC replaced the Council for the Prevention of Corruption to promote transparency and integrity in public action and ensure the effectiveness of policies to prevent corruption and related offences. 

The Portuguese Anti-Corruption Framework requires public and private entities with 50 or more employees to adopt a regulatory compliance programme, which must include: (i) a risk prevention or management plan, (ii) a code of ethics and conduct, (iii) training programmes, (iv) reporting channels and (v) the designation of a compliance officer ("Responsável pelo Cumprimento Normativo").

This regulation also determines the implementation of internal control systems that ensure the effectiveness of the instruments of the regulatory compliance programme and the transparency and impartiality of procedures and decisions. It also provides sanctions, particularly administrative sanctions, for the non-adoption or deficient or incomplete adoption of regulatory compliance programmes.

Having the adaptation of the entities covered by this framework in mind, it was established that it would come into force and gradually take effect as follows:

  • The Portuguese Anti-Corruption Framework comes into force on 7 June 2022; and
  • The sanctioning regime will take effect from 7 June 2023, except for companies with 50 to 249 employees, where it will take effect from 7 June 2024.

 

Corruption

No unequivocal definition of corruption exists. However, there is consensus that corruptive conduct involves the abuse of public power or service duties to benefit the third party against payment of a sum of money or any other benefit.

Articles 372 to 374-B of the Portuguese Criminal Code provide for crimes of undue receiving of advantage and corruption crimes.

Corruption crimes have essentially two outlines: active and passive corruption, depending on whether the perpetrator is, respectively, offering/promising or requesting/accepting an undue material or non-material advantage. Another critical difference is whether the action requested or performed is contrary to the service duties of the corrupted officer.

Corruption crimes in international trade and private practices (set out in Law No. 20/2008 of 21 April 2008, as well as those included in the Criminal Liability Regime for Anti-Sporting Behaviour, approved by Law No. 50/2007 of 31 August 2007) are also included in the concept of corruption, even when there is no abuse of public power or function.

It is essential to mention that in society, the concept of corruption has a broader meaning. It includes other crimes perpetrated in the performance of public duties, such as embezzlement, economic participation in business, extortion, abuse of power, prevarication, influence peddling or money laundering.

Corruption and related offences comprise the following criminal offences: corruption, receiving and offering an undue advantage, embezzlement, economic involvement in business, extortion, abuse of power, prevarication, influence peddling, laundering or fraud in obtaining or diverting a subsidy, grant or credit.

 

Regulatory Compliance Programme

The Portuguese Anti-Corruption Framework imposes the adoption of a regulatory compliance programme by:

  • Legal entities, including branches, headquartered in Portugal with 50 or more employees;
  • State, autonomous regions, local authorities and corporate public sector companies with 50 or more employees; and
  • Independent administrative entities with regulatory functions and the Bank of Portugal.

Entities, either public or private entities, that do not meet the above requirements are not exempted from implementing instruments for the prevention of risks of corruption and related infractions. These must be adjusted to their size and nature.

The regulatory compliance programme must include the following minimum mandatory instruments:

  • Risk prevention or management plans;
  • Code of Ethics and Conduct;
  • Training programmes and awareness actions;
  • Reporting channels; and
  • Appointment of a Compliance Officer (“Responsável pelo Cumprimento Normativo”), whose role is to ensure and monitor the implementation of the regulatory compliance programme.

This regime also determines the implementation of internal control systems and prior assessment procedures that ensure the effectiveness of the instruments of the regulatory compliance programme.

The board of directors is responsible for adopting and implementing the regulatory compliance programme.

Entities must implement the regulatory compliance programme until 7 June 2022.

 

Minimum Mandatory Instruments 

  • Code of Coduct: Document establishing a set of ethical and deontological principles, values, and rules that the organisation’s employees must comply with;
  • Risk Prevention Plan: Instrument of internal risk control and management, i.e., control and management of the possibility of occurrence of some events with a negative impact on the organisation's objectives;
  • Reporting Channel: An internal reporting channel for corruption must be managed with independence, impartiality and absence of conflicts of interest, and ensure secrecy, confidentiality and data protection;
  • Trainning Programme: To ensure all employees clearly understand and embrace policies and procedures that affect their duties and responsibilities; and
  • Compliance Officer: Responsible for ensuring and controlling the application of the regulatory compliance programme, namely by implementing, controlling and reviewing the risk prevention plan.

 

Prevention Plan for Corruption Risks and Related Offences

The Prevention Plan for Corruption Risks and Related Offences (Risks Prevention Plan) is an essential instrument of control and management of internal risk, i.e. of control and management of the possibility of occurrence of any event with a negative impact on the organisation’s goals.

A Risks Prevention Plan should cover the whole organisation and its activity, including administration, management, operational or support areas.

Corporate groups can adopt and enforce a single Risks Prevention Plan covering the entire organisation and activity of the group, including management, operational or support areas of the corporate group entities.

A Risks Prevention Plan must include:

  • Identification, analysis and ranking of risks and situations that may expose the entity to acts of corruption and related offences, including the ones associated with the performance of duties by the members of the management and administrative bodies, considering the reality of the sector and the geographical areas in which the entity operates;
  • Preventive and corrective measures to reduce the probability of occurrence and impact of the risks and situations identified.

It must also contain:

  • The entity's areas of activity with risk of engaging in acts of corruption and related offences;
  • The likelihood of occurrence and foreseeable impact of each situation, in a way that would make it possible grading of risks;
  • Preventive and corrective measures to reduce the likelihood of occurrence and impact of the risks and situations identified. In cases of high or maximum risk, the most comprehensive prevention measures, being enforcement the priority; and
  • Appointment of a person responsible for the implementation, control and review of the Risks Prevention Plan, which may be the Compliance Officer.

 

Enforcement Control of the Risks Prevention Plan

To ensure that new or existing risks are adequately addressed, the execution of the Risks Prevention Plan should be subject to a review of internal controls, particularly:

  • Preparation, in October, of an interim evaluation report on situations of high or maximum risk identified;
  • Preparation, in April of the following year, of an annual evaluation report that quantifies the degree of execution of the preventive and corrective measures and the expectation of their full implementation.

Entities must ensure that the Risks Prevention Plan and relevant reports are disclosed to employees through the Intranet and official Internet website, if applicable, within ten days from implementation, review or amendments.

Public entities have an additional reporting obligation. They must report the Risks Prevention Plan and relevant reports to the Government members responsible for their management, supervision or control; the inspection services of the appropriate governmental area; and to MENAC within ten days from implementation, review or amendments.

the Risks Prevention Plan must be reviewed every three years or whenever changes occur, for instance, changes in the entity’s articles of association or corporate structure.

 

Code of Conduct

The Code of Conduct includes a set of ethical and deontological principles, values and rules that govern an organisation's activity and by which the members of its management bodies and employees should abide in their internal relationships as well as with customers, suppliers and stakeholders.

The Code of Conduct does not have an inside limitation. It may also be addressed to third parties, i.e., entities outside the organisation but which are contracted by or act on behalf of the organisation, in cases where the organisation may be responsible for their actions or omissions, under the "principal/ commissioner" liability regime.

The Portuguese Anti-Corruption Framework expressly requires the Code of Conduct to include the disciplinary sanctions for failure to comply with the Code’s rules under the law and have criminal sanctions for acts of corruption and related offences. On the other hand, it is necessary to adopt a specific procedure if a violation occurs. In other words, a report must be drawn up identifying the rules infringed, the sanction applied, and the measures implemented or to be implemented.

The Code of Conduct must be disclosed through the Intranet and official Internet website, if applicable, within ten days from its implementation, review or amendments.

Public entities have an additional reporting obligation. They must report the Code of Conduct to the Government members responsible for their management, supervision or control; the inspection services of the appropriate governmental area, if any; and to MENAC within ten days from implementation, review or amendments. The communications will be carried out through an electronic platform managed by MENAC.

The Code of Conduct must be updated every three years or whenever changes occur, for instance, changes in the entity’s articles of association or corporate structure.

 

Internal Reporting Channels

The Portuguese Anti-Corruption Framework itself states that the adoption of internal reporting channels for acts of corruption and related offences falls within the Whistleblowing Directive (EU) 2019/1937, which was transposed by Law No. 93/2021, of 20 December 2021, into Portuguese law.

This means that corruption and related offences are also included in the scope of the breaches set out in the Portuguese Whistleblowing Law, and the whistleblower may benefit from the relevant protection once specific (cumulative) conditions are met, namely:

  • The reporting person is acting in good faith;
  • The reporting person has a serious reason to believe that the information is accurate at the time of the report or public disclosure;
  • The information relates to a covered breach, i.e., a reportable breach; and
  • The complaint is made through appropriate report channels.

Each entity is free to choose how to implement the reporting channel. Regardless of the means chosen, the confidentiality of the reporting person or anonymity (if requested by the reporting person) must always be ensured. Complaints may be made anonymously.

The reporting channel must ensure the possibility of the complaint being made:

  • In writing: by post, via one or more physical complaint boxes, or an online platform, e.g., on the Intranet or Internet; or
  • Verbally: via a telephone line or other voice messaging system; or
  • Both.

 

Follow-up on internal complaints

The follow-up to an internal complaint is subject to mandatory deadlines, namely:

  • Seven days: the entity will notify the reporting person on the receipt of the complaint and inform in a clear and accessible manner the reporting person of the requirements, competent authorities and means and admissibility of an external complaint;
  • Three months from the reception of the complaint: the entity will inform the reporting person of the measures envisaged or adopted to follow up on the complaint and why. Following the complaint, the entity will take the appropriate internal actions to verify the allegations contained in the complaint and, where necessary, to bring to an end the breach reported, including by opening an in-house investigation or informing the competent authority to investigate the breach;
  • 15 days after the respective conclusion: the reporting person may request, at any time, for the entity to communicate the result of its analysis of the complaint.

Within the scope of the reporting channels, it is advisable to adopt a whistleblowing policy with specific procedures for information, response and handling of complaints.

Internal reporting channels can be operated:

  • Internally, for the purpose of receiving and following up complaints, by persons or services within the organisation; or
  • Externally, for the purpose of receiving complaints on behalf of the organisation, e.g. by external whistleblowing platform providers, external consultants, auditors.

Of these two options, the use of an external entity may prove to be the most appropriate option, as the Portuguese law requires that the independence, impartiality, confidentiality, data protection, secrecy and absence of conflicts of interest of whoever is in charge of managing the channel and following up on complaints is guaranteed.

If, however, the organisation chooses to manage and follow up on complaints itself, it is recommended that at least an assessment by an independent third party is made to verify that all safeguards, including response times and prompt follow-ups with the reporting person, are met, failing which fines may be imposed.

 

Training and Awareness Programme

Internal training shall ensure that administrative, management and other employees know and understand the policies and procedures to prevent corruption and related offences. In this case, the training hours count as statutory training time provided by the employer to the employee.

The Portuguese Anti-Corruption Framework does not foresee specific content for training or time sessions.

Each organisation is responsible for defining the content of its training programme and developing the necessary training actions for employees according to a risk-based approach.

Training must be transversal, although the content must be adapted to the respective recipients.

Training should take into account the different exposure of the board of directors, senior management and other employees to the risks of corruption and related infractions.

Along with internal training actions, the promotion of awareness-raising actions, both internally and externally, is another component necessary for implementing a PCN effectively.

Each organisation must inform its employees and the entities with which it relates – in its supply chain – of the policies and procedures in force that must be complied with and the consequences of non-compliance.

 

Compliance Officer (Responsável pelo Cumprimento Normativo)

The Portuguese Anti-Corruption Framework establishes that the Compliance Officer must be in a senior management position or equivalent. However, it does not determine what specific qualifications RCNs should have for performing their duties. However, we anticipate that they should be appointed based on their professional qualities and, in particular, their expertise in law and compliance practice.

The Compliance Officer is not a new “role". The Portuguese Anti-Money Laundering Law (Law 83/2017, of 18 August) expressly provides for the designation of a Compliance Officer in anti-money laundering and terrorist financing measures. Similarly, the Data Protection Officer (DPO) under the General Data Protection Regulation (GDPR).

Although the Portuguese Framework does not establish the specific duties of the Compliance Officer, unlike what the Portuguese Anti-Money Laundering does, regarding money-laundering prevention, and GDPR for the Data Protection Officer (DPO), the Portuguese Anti-Corruption Framework imposes that the exercise of the Compliance Officer duties is performed independently, permanently and with decision-making autonomy. RCN must also have the internal information and human and technical resources necessary for the proper performance of their duties.

The question may arise whether the Compliance Officer for anti-money laundering or DPO can also act as the Compliance Officer for the Portuguese Framework. The answer to this question is not universal since it can depend, among other things, on the size and structure of the organisation itself and the procedures in place. If the entities covered are in a group relationship, the Portuguese Anti-Corruption Framework expressly states that a single person responsible for regulatory compliance can be appointed.

Although not legally specified, the Compliance Officer duties can be allocated to a team, but there should be a specific interlocutor with employees and competent authorities.

 

Internal Control and Prior Assessment Procedures

The entities covered, public and private, must implement an internal control system, which should include, among other things, the organisation plan, policies, methods, procedures and good control practices that consider the main corruption risks identified in the Risks Prevention Plan.

The internal control system must be proportionate to the nature, size and complexity of the entity and its business and be based on adequate risk management, information and communication models. The internal control system must also be supported by procedures manuals.

The implementation of the internal control system should also be subject to regular monitoring through random audits, with the results and conditioning factors being reported upstream, and the adoption of the necessary corrective or improvement measures.

The internal control system must be fit for preventing or repairing situations of conflict of interest :

  • In public entities, members of the administrative bodies, managers and employees must sign a declaration of absence of conflict of interests (form to be defined) in procedures in which they intervene relating to: (i) public procurement; (ii) granting of subsidies, subventions or benefits; (iii) urban, environmental, commercial and industrial licensing; licenciamentos urbanísticos, ambientais, comerciais e industriais; (iv) sanctioning procedures. In a case of a potential or existing conflict of interest, they must also disclose the issue to their manager or, in their absence, to the Compliance Officer.
  • In private entities, prior risk assessment procedures should be established in relation to third parties acting on their behalf, as well as suppliers and customers. To identify situations of conflict of interest, these procedures must be suitable for the title of beneficial owners, image and reputation risks and commercial relations with third parties.

 

Penalties

Very Serious misdemeanour

FINES FROM € 2.000 TO € 44.891,81 (LEGAL PERSONS) OR UP TO € 3.740,98 (NATURAL PERSONS)

  • Failure to adopt of implement a Risk Prevention Plan or if the adopted/ implemented Plan lacks any of the required elements; 
  • Failure to adopt a Code of Conduct or to adopt a Code that does not take into account the criminal norms regarding corruption and related offences or the risks of the Entity's exposure to these crimes; and
  • Failure to implement an Internal Control System.
Serious misdemeanour
 

FINES FROM € 1.000 TO € 25.000 (LEGAL PERSONS) OR UP TO € 2.500 (NATURAL PERSONS)

  • Failure to draw up control reports over the Risk Prevention Plan;
  • Non-revision of the Risk Prevention Plan or the Code of Conduct;
  • Failure to publicise the Risk Prevention Plan or the Code of Conduct and monitoring reports to employees; 
  • Failure to communicat the Risk Prevention Plan or the Code of Conduct and/ or control reports;
  • Failure to report in case of breach of the Code of Conduct or incomplete reporting.
 

Liability 

Liability for the perpetration of administrative offences lies upon:

  • Legal persons, when the acts are carried out by the members of their bodies, agents, representatives or employees in the performance of their duties or in their name and on their behalf. When the agent acts against the explicit orders or instructions of the legal persons or similar entities, their responsibility is excluded;
  • Owners of managerial bodies or managers, the person responsible for regulatory compliance and those responsible for the management or supervision of the areas of activity in which the administrative offence is committed when they engage in the acts or when, knowing or having knowledge of the acts, they do not adopt measures to put an end to them.

Directors or managers of legal persons or equivalent entities are alternatively liable:

  • For the payment of fines imposed prior to the beginning of the term of office when they are accountable for the insufficiency of assets for payment; or
  • For payment of fines imposed prior to the beginning of the term of office but where the final decision is only notified during the term of office and non-payment is attributable to them.

When several persons are liable to pay the fines, they are jointly liable.

 

If you wish to learn more, please download the PDF below. 

view all articles
search
TERMS OF USE COOKIE POLICY COPYRIGHT © MACEDO VITORINO.