Colombia’s corporation’s regulator – the Superintendency of Corporations – has recently expanded the scope of companies covered by the obligation to adopt Ethics and Transparency Programs (“PTEE” by its Spanish acronym and most common reference locally), while substantially reinforcing their content1.
The companies within the scope of this new regulation are required to prevent and manage either transnational bribery2, domestic corruption3, or both risks, depending on the general criteria set by the regulation or its sector-specific provisions4.
The PTEE must be designed according to the size, needs, structure and risk profile of the company, driven by a strong ethical culture together with the following hallmarks:
- A competent Compliance Officer having full oversight over the BTEP. The Compliance Officer must be granted sufficient autonomy and resources: appointment by the board of directors, direct access to the board or its equivalent, etc.
- A risk map that identifies, evaluates and control domestic corruption and/or transnational bribery risk, with a special focus on (i) country-risk, (ii) sector-risk and (iii) third-party risk.
- Widely disclosed and easily accessible compliance policies and procedures, approved directly by the board of director or its equivalent. These policies and procedures must contain express provisions regarding (i) gifts and hospitality, (ii) remunerations and commissions for employees, partners, intermediaries, suppliers, agents, consultants and joint-venture partners, (iii) political financing and (iv) sponsoring and charitable donations.
- Risk-based third-party due diligence (partners, intermediaries, suppliers, agents, consultant and joint-venture partners, distributors, advisors, etc.), meaning that the intensity of the due diligence should vary depending on the third-party risk-profile: industry, country, size, nature and amount of the transaction, etc.
- Accounting control procedures intended to ensure that books, records and accounts are not used to hide acts of corruption.
- An internal reporting system to report suspicious activities related to corruption or transnational bribery providing confidentiality and anonymity.
- A training program, for internal and external stakeholders, with a special focus on risk-exposed personnel.
- Internal investigation mechanisms, to assess the existence of a misconduct and remedy it
- An effective disciplinary system to sanction any violation of the BTEP by employees or corporate officers.
- A process to retain and preserve documents related to the functioning of the PTEE and to all international transactions.
Some more original features are also worthy of note:
- The identity and contact of the Compliance Officer must be reported to the Superintendency, as well as the board minutes approving the compliance officer’s appointment.
- The Compliance Officer can be outsourced if it complies with the requirements set in the regulation.
- The company must translate all the BTEP, its policies and its training programs into the languages of the foreign countries where the company operates.
- The BTEP must be “dynamic” – e, be easily modifiable.
Finally, the Superintendency specifies that the PTEE should be regularly improved through periodic testing and review. An update is necessary every time that identified changes have an impact on the risk profile of the company. In any case, such an update must take place no less than every two years.
1 Circular Externa 100-000011 del 9 de agosto 2021.
2 Companies having realised transactions with foreign counterparts for over 100.000.000 Colombian pesos, provided that they have either (i) annual revenues over 30.000.000.000 Colombian pesos or (ii) assets representing over 30.000.000.000 Colombian pesos.
3 Companies having realised transactions with the Colombian State for over 500.000.000 Colombian pesos, provided that they have either (i) annual revenues superior to 30.000.000.000 Colombian pesos or (ii) assets superior to 30.000.000.000 Colombian pesos.
4 The revenue and asset threshold are significantly lowered for specific sectors such as pharmaceutical construction, manufacturing, mining, energy, IT, auxiliary to financial services and automotive.
Compliance and Data Privacy Director
Antoine F. Delacarte