Understanding Peru’s New Compliance Program Reform of Law


By Facundo Galeano, a Legal Fellow with CIPE’s Anti-Corruption and Governance Center

On July 1, 2017, Peruvian law n. 30.424 came into effect. It regulates the administrative responsibility of legal entities for the offence of transnational active bribery. In article 17.1, the law establishes that legal entities can be exempt from liability for the crime if, prior to its commission, a compliance program is adopted and implemented in the organization. This new law is intended to help businesses reduce corruption-related risks.

According to the new law, a compliance program must appropriately fit an organization’s nature, risks, needs, and characteristics, consisting of appropriate surveillance and control measures to prevent such crimes or to significantly reduce the risk of their commission. Article 17.2 lists all the minimum requirements needed for compliance programs and states that the requirements of the compliance program will be developed in the law’s regulation.

Only seven months later, in February 2018, Legislative Decree n. 1352 was enacted, which broadens the scope of the legal entities’ administrative responsibility. As a result of the new decree, the executive branch will approve and then enforce the minimum requirements of compliance programs listed in Article 17.2 of the original law and its regulation. The regulation’s requirements for compliance programs were pre-published on the Justice and Human Rights Ministry’s official web page in February 2018. Although the executive branch has not yet formally approved the requirements, the information published gives the public a sense of what to expect.


Countries often look to ISO 37001 as their guide when designing anti-corruption requirements for companies. ISO 37001 provides guidance to firms for establishing, implementing, maintaining, reviewing, and improving an anti-bribery management system.

Peru’s yet-to-be-implemented regulations cover almost all the requirements needed for an effective compliance program according to ISO 37001. That said, the regulations are less specific than ISO 37001. For example, unlike ISO 37001, Peru’s regulations do not mention the required qualifications of the people responsible for implementing, evaluating, and improving the compliance program at a company.

The new regulation also does not address due diligence with enough specificity. The regulation lists in its risk mitigation chapter all the financial and non-financial controls the compliance program needs, but it does not address, as ISO 37001 does, the due diligence of specific transactions, projects, activities, and business associates separately. The lack of specificity matters because, with the expanding scope of corruption enforcement globally, companies need guidance on how to properly invest in due diligence on their third parties.

The new regulation dedicates a whole chapter to the implementation of the compliance program for mid-sized, small, and micro companies. These companies are only obligated to have compliance programs that comply with at least one of the minimum requirements of article 17.2 of the law, in what appears to be a very soft special treatment for these types of companies.

In conclusion, the new regulations focus more on what to do than on how to do it. The regulations give companies clues about what kinds of compliance programs would help exempt them from the legal consequences of employees paying bribes, but the lack of specificity creates uncertainty for firms as they seek to implement sufficiently robust compliance programs. The longer-term impact of these regulations remains to be seen.