Nicaragua: Benefits of a Comprehensive System of Good Compliance Practices in Companies
The term "Compliance" became popular around the 1970s-1980s with the creation of laws to promote corporate self-regulation, social responsibility, protection of information and prevention of corruption, after scandalous corporate cases related to corruption, bribery of public officials and money laundering in the United States of America. As a result, many limit it to mere compliance with the regulations governing a particular sector, or to compliance programs against money laundering and corruption risks.
However, an adequate compliance model should aim for more than regulatory compliance and the avoidance of legal sanctions; it should be a comprehensive system of good business practices.
Compliance under a comprehensive system consists of a set of practices and policies designed and adopted to:
a) identify and ensure compliance with the existing and applicable legal framework for companies;
b) identify and classify risks that the company may face, and establish internal mechanisms to prevent, mitigate and react to them;
c) avoid consequences and take advantage of the benefits of compliance; and
d) create a safe, ethical, and transparent work environment that allows them to achieve their objectives and enjoy a good corporate reputation.
This comprehensive compliance system prevents companies from being affected by financial penalties, serious reputational impacts, and the loss of customers, suppliers, and employees, among others. It also generates a series of benefits, such as protection and security in business; assurance of the functionality and operability of the company; and a competitive advantage over others, whether in access to public or private contracting or in the possibility of doing business with national and international companies, entities or organizations that require the existence of this type of system.
Although the definition is clear and the benefits of compliance are detailed, these practices are not implemented on a day-to-day basis due to a lack of knowledge of good practices. Let's start with the following question: What are the minimum compliance practices under a comprehensive system?
1. Identification of obligations:
Every company must identify the obligations it must comply with, the time frames that apply to them, and the risks or consequences of non-compliance, after drawing up a list of the following documents:
1.1 Legal framework applicable to each company: Today there are general laws, regulations, and norms applicable to all types of companies, and other more specific ones whose applicability depends on the company's line of business or industry.
Among the most important and general laws, regulations, and norms for all types of companies are those relating to corporate, labor, tax, consumer protection, data protection, intellectual property, and social security matters.
1.2 Corporate and internal company documents: Every company has corporate documents, regulations and/or internal policies that regulate the way in which it will operate, the way in which decisions are made, the control of the company, the fulfillment of obligations, and the functions, benefits, and responsibilities of its members. Among the most important documents of the company, we can find: Articles of Incorporation; Bylaws; Minutes or Resolutions of Decision-Making Bodies; among others.
1.3 Contractual agreements: It is normal for companies to enter into different types of agreements or contracts either among the members of the company or with third parties, which are crucial when defining benefits and obligations. A breach of contractual obligations could generate great consequences for companies depending on what is agreed in such agreements or contracts.
It is important to constantly monitor the amendments or modifications made to the above documents because, at the time of a breach, it will not be possible to claim ignorance of them.
All these documents must be properly organized and securely filed, and every company must comply with the legal requirements regarding their preservation.
2. Risk management:
Secondly, companies must establish and comply with a process for identifying, evaluating, and mitigating risks in the different areas of the company.
It should be noted that each company is different and may face different types of risks, so there is no single management applicable to all companies. However, it is necessary that companies can perform, as a minimum, the following actions:
2.1 Identify all possible risks it may face, based on the probability that they may occur at any time, and establish action plans to prevent, mitigate and/or solve them.
2.2 Conduct research and obtain relevant information on the development and risk assessments of the sector to which it corresponds.
2.3 Prepare manuals of policies, measures, and procedures for risk prevention.
2.4 Apply due diligence for the establishment of good relations and risk mitigation.
2.5 Training of company workers.
2.6 Surveillance, monitoring, evaluation, and improvement of compliance.
2.7 Engage external consultancy and advice, and commission external audits of existing risk management.
Constant monitoring of these actions helps to ensure maximum coverage of known and unknown risks as they arise.
In relation to the actions mentioned in 2.4, 2.5, 2.6 and 2.7, the following points should be highlighted:
2.4.1 Due diligence for the establishment of good relations and risk mitigation:
In principle, the due diligence measures summarized in this section are actions that persons considered "Regulated Entities" for the purposes of preventing Money Laundering, Terrorist Financing, and Financing of the Proliferation of Weapons of Mass Destruction (ML/TF/PF) must comply with, since they are responsible for implementing the prevention, detection and reporting of these activities and of crimes associated with ML, in accordance with a Risk-Based Approach.
However, it is recommended that all companies carry out these actions to mitigate operational, legal and ML/TF/PF-related risks, since nowadays all types of companies may face this type of risk and its consequences. These due diligence measures are:
2.4.1.1 "Due Diligence of Clients": It is essential that companies apply the necessary measures to know the natural and legal persons with whom they establish and maintain or intend to establish business or service relationships, whether they are regular or occasional clients.
The practices must be directed mainly to the identification of the client, to try to know the purpose and real nature of the business relationship, its final beneficiaries, and to the knowledge of the origin and provenance of their funds.
a) Identification of the Client: This should be done through the verification of identification documents contemplated in the national legislation and those that the companies consider pertinent. Additionally, reliable data or information from an independent source must be used to verify the identity of the clients.
b) Purpose and nature of the business relationship: For this purpose, information should be gathered on the type of activity carried out by the people with whom they wish to do business and whether they are in line with the purposes of the business project.
c) Beneficial Owners: In Nicaragua, Nicaraguan corporations are obliged to comply with the identification and registration of their beneficial owners. Compliance with this obligation has become a prerequisite to be able to register or carry out acts related to the operations of the companies with public and/or private institutions.
Therefore, companies must request certificates or certifications of compliance with this obligation, as well as all documents that support the identification of the beneficial owner.
d) Origin and source of funds: It is essential to obtain information on the activities from which the funds or assets of a client originate, the country or geographical area, and the companies or persons related to the funds, or from whom they come, when those funds are to be used in a business relationship or operation. At no time should it be permitted to use funds to deposit, manage or facilitate the transfer of funds from business and/or income belonging to another natural or legal person with whom there is no relationship.
2.4.1.2 "Due Diligence of Workers": Every company should implement due diligence measures for its employees, from the recruitment and selection program through to those who are already part of the company, whether as new entrants, permanent or temporary workers, to ensure their integrity and their ability to carry out good compliance. This is important because it is not enough to establish all the practices or actions indicated here; it is also necessary for all workers and members of the company to show a willingness to do things correctly.
2.4.1.3 "Due Diligence of Business Allies": Companies should formulate and implement a due diligence policy with respect to their business allies, to obtain identification information on them. In this regard, it is important to keep an identification profile of each one and the contracts through which the alliance relationship has been established.
2.4.1.4 "Due Diligence of Suppliers": This due diligence shall be based on a record of contracted services, modalities, payment methods, frequency of service provision and delivery of goods, as appropriate.
It is important that all documents supporting these due diligence measures are retained. This information should be updated periodically according to the risks that have been identified and their levels of significance.
2.5.1 Training of company workers:
Compliance is the responsibility of all members of the company, regardless of position. It is of utmost importance to promote a culture and awareness of compliance in a comprehensive system through training. All workers must be clear about the consequences of non-compliance with obligations, which fall not only on the company but also on any individual who is a party to and violates any compliance practice, and who may face financial, civil, criminal, and other sanctions.
It is advisable, if possible, to establish a disciplinary system that provides for sanctions in case of any non-compliance.
2.6.1 Surveillance, monitoring, evaluation, and improvement of compliance:
It is worth highlighting the importance of establishing a system for surveillance, monitoring, evaluation, and improvement of the compliance system, for which it is necessary to have a compliance area or person. This could vary depending on the size of the company and the organizational structure. Today, the responsibility for compliance may fall on any of the following persons: a) Senior management or senior officers of a company; b) Compliance Officer either internal or external; c) Legal or accounting or auditing firms.
In any case, the person or people responsible for compliance must perform the following minimum functions:
a) Ensure compliance with the good practices mentioned in this article.
b) Subject risk management and the comprehensive compliance system to periodic analysis and review to adapt it to new political, social, or economic circumstances as they arise and to avoid new risks.
c) Supervise the implementation of the compliance system measures and verify their effectiveness.
d) Detect any inconvenience or non-compliance with established procedures and practices.
e) Provide and implement recommendations on detected violations or opportunities for improvement, and take appropriate corrective actions to improve the effectiveness of the compliance system.
2.7.1 Consulting and Advice
In view of the existing information on compliance issues and the lack of knowledge of them, it is advisable to consult and seek advice from experts in these matters, on any of these minimum practices and any other that has not been mentioned here, to have an effective comprehensive compliance system.
It is also advisable, if you already have a compliance system within your company, to engage independent professionals from outside the company to carry out external audits that assess its operational efficiency and propose necessary corrections or improvements, and that can confirm the good management of the company by its compliance staff or area.
The above-mentioned practices are not the only ones in an integral compliance system, and others can be added to adapt to the company's line of business, but they will allow companies to enjoy the benefits of compliance. In this way, compliance moves away from being mere regulatory compliance and comes closer to being a facilitator or strategic ally.
We could conclude that compliance under the integral system is an invaluable tool for companies: by implementing these minimum good practices, they not only protect themselves against sanctions or damages for non-compliance, but also gain better control over their risks, business, resources, personnel and commercial information, which facilitates their operations and allows constant growth and improvement at an internal level, as well as a good positioning in the market.
Author:
Maryeling Guevara
Associate, ARIAS Nicaragua
maryeling.guevara@ariaslaw.com