The Guidelines are approved after two preliminary versions (projects) issued in 2019 and 2020, which were brought to the attention of the citizens for their comments. While those preliminary documents provided guidelines on how to implement prevention models, we would like to emphasize that the Guidelines have a more practical approach, providing examples of what actions to take. In this alert, we include the Guidelines' main points.
As a presupposition of an ideal prevention model, the Guidelines refer to the commitment, leadership and firm support of the governing body, stating that it might manifest itself in: (i) the adoption of the zero tolerance policy regarding corruption; (ii) the active participation (as participants or speakers) in training; (iii) the allocation of budgetary funds for the purchase of technological equipment and/or materials to ensure the operation of the prevention model; and (iii) the creation of incentives to ensure compliance with the above model.
As for the minimum elements that a prevention model must have to be considered adequate, the Guidelines contain a reference list of actions for implementation, the main ones being the following:
Minimum elements
|
Actions
|
Identification, assessment and mitigation of risks
|
Preliminary stage: Designate a person (employee or external advisor) who will be in charge of the implementation (support: employment contract or service provision); identify processes/areas whose management through the prevention model is necessary, approve road map or risk identification and management policy.
Risk identification:
- Identify internal and external factors that impact risk identification: business model, economic sector, and regulatory environment, as well as interaction with public officials (frequency and modality).
- Establish appropriate methodology (brainstorming, surveys and interviews).
- Identify activities, operations, processes, and/or areas with greater exposure to risks (use of petty cash, gifts and attention, donations, payment of commissions).
Risk assessment:
- Establish methodologies that allow the analysis of the causes of risk generators and consequences of their materialization.
- Develop a database or catalog of crime risks.
- Make estimates (qualitative or quantitative) of the magnitude of risks, based on the knowledge and experience of experts and industry experiences.
- Develop risk matrix, risk map or heat map.
Risk mitigation:
- For each prioritized risk, establish control (s) to apply. Ensure that the risk is reduced to a tolerable level.
- Establish preventive, detection and corrective controls. These may be financial (prohibition of use of cash) or non-financial (due diligence).
- Evaluate effectiveness of controls: execute periodic self-evaluations, compliance audits and improvement of controls.
|
Prevention officer
|
- Knowledge of the organization: critical and/or key processes, of the economic sector, of business partners and stakeholders
- Experience: academic background, work experience and leadership
- Economic and moral solvency (not having a judicial or police record, not exercising office in a public entity, state company or political party that could generate conflicts of interest, not being on the OFAC sanctions list or similar)
|
Complaints procedure
|
Complaints channel:
- Implement complaints channel (virtual or face-to-face) that allows proper numbering, registration and classification.
- Designate a person (employee or external) or internal body responsible for the complaints channel and for conducting internal investigations.
- Ensure the proper handling of the complainant's personal data.
Policies or incentive scheme: economic (promotions, bonuses, training, etc.) or dissuasive (publication of disciplinary measures or sanctions)
Internal investigation procedures:
- Establish methods for conducting internal investigations, including mechanisms for collecting evidence (statements, interviews).
- Be cautious about the impartiality of the person in charge of the investigation (conduct due diligence to rule out possible conflicts of interest).
- Implement a security system of the information collected (use software with licenses or secured physical spaces).
Application of disciplinary measures:
- Appoint a disciplinary officer.
- Establish a catalog of violations, disciplinary measures and applicable sanctions, as well as mechanisms for recording and monitoring compliance with rules.
|
Dissemination and regular training
|
- Conduct trainings for all staff and for those areas or collaborators exposed to risks, including business partners, as appropriate.
- Monitor the media (number of accesses to available resources) and training plans (continuous monitoring).
- Evaluate the effectiveness of dissemination and training policies (evaluations, interviews, surveys).
- Provide a guidance and consultation channel on the prevention model.
|
Continuous evaluation and monitoring
|
- Conduct monitoring and/or periodic supervision of the effectiveness of the model (internal or external audits, formation of monitoring committees).
- Evaluate staff in relation to compliance with the prevention model (establish performance indicators).
- Oversee improvements derived from the analysis of experiences (updating and/or incorporation of controls) and communication to the rest of the company (feedback meetings, publications).
|
In addition to referring to the minimum elements, the Guidelines emphasize the importance of carrying out due diligence processes, specifying that this must not only be done before the contractual relationship, but whenever necessary (e.g., if an event or piece of news that involves such persons arises). Likewise, this must be done if a legal person wishes to develop new activities, introduce new products or services to the market and make use of new technologies, among others.
Finally ,the Guidelines, like the regulation, highlight the importance of keeping evidence (mainly documentary) of the actions carried out in order to prove to the SMV that the prevention model is adequate and can be used to mitigate risks faced by the legal person.
You can find the full text of the Guidelines here.
We trust that this information is relevant to you and your company. If you require a deeper understanding of the topic, do not hesitate to contact us.

Estudio Echecopar is a member firm of Baker & McKenzie International, a Swiss Verein with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "partner" means a person who is a partner or equivalent in such a law firm. Similarly, reference to an "office", means an office of any such law firm.
Before you send e-mail to Estudio Echecopar, please be aware that your communications with us through this message will not create a lawyer-client relationship with us. Do not send us any information that you or anyone else considers to be confidential or secret unless we have first agreed to be your lawyer in the matter. Any information you send us before we agree to be your lawyers cannot be protected from disclosure.
@2021 Estudio Echecopar
All rights reserved.
No part of this publication may be reproduced in any form or by any means without the written permission of Estudio Echecopar.