News and developments

Compliance

Know Your Client as a compliance pillar: the growing role of KYC in Brazil’s regulatory framework

Introduction

The Brazilian Law No. 9,613/1998 (“Brazilian AML Law”) is a landmark in the regulatory anti-money laundering and combating the financing of terrorism (“AML/CFT”) landscape, assigning an active role to obligated persons, whether legal entities or natural persons. In the past few years, technological developments, particularly in the financial sector through innovation, crypto-assets, artificial intelligence and digital platforms, have created a more complex money laundering landscape, requiring regulators and authorities to constantly adapt to keep pace with these changes.

In this regard, in August 2025, the Federal Revenue of Brazil (“RFB”) published Normative Instruction No. 2,278 (“IN 2,278”), which brings a key regulatory shift: payment institutions, including fintech companies and participants in payment arrangements, are now required to comply with the same regulations applicable to banks and other institutions subject to the Brazilian AML Law and Law No. 12,865/2013 (“Payment Arrangements Law”). IN 2,278 signals heightened enforcement efforts from Brazilian authorities, especially in the wake of recent money laundering scandals involving fintechs and criminal organizations.

On this matter, AML/CFT compliance programs must implement and constantly update Know Your Client (“KYC”) policies, as these policies represent an essential safeguard to mitigate liability arising from clients’ potential unlawful activities. This article seeks to examine KYC, outlining its mechanisms and evaluating its effectiveness in AML/CFT enforcement.

The foundations of KYC

Know Your Client refers to a structured set of procedures to collect, validate, and verify clients’ information, ensuring appropriate due diligence in their identification, qualification, and risk classification. While primarily applied by financial institutions, KYC is also mandatory across different sectors to prevent unlawful activities, as well as to mitigate regulatory exposure.

On this subject, under Article 9 of the Brazilian AML Law, the duty to implement KYC measures extends beyond financial institutions to a wide range of obligated persons from different sectors. These include, but are not limited to: (i) securities; (ii) insurance, capitalization and private pension; (iii) real estate; (iv) luxury or high-value goods; and (v) virtual asset operators. Amongst other obligations, these obligated persons are responsible for monitoring clients’ data and transaction history and for reporting any suspicious or atypical transactions to the Financial Activities Control Council (“Coaf”), which is Brazil’s Financial Intelligence Unit. Further to that, some sectors are regulated by special authorities and need to comply with targeted regulation, such as financial institutions by the Brazilian Central Bank (“BCB”), the insurance market by the Superintendency of Private Insurance (“SUSEP”) or the securities market by the Securities and Exchange Commission (“CVM”). For all sectors that do not have a specific regulatory authority, supervisory responsibility rests with Coaf.

Failure to comply with KYC and other AML/CFT obligations may result in severe sanctions, including, but not limited to, warnings and monetary fines, which are capped at BRL 20 million, as well as sanctions for the administrators involved, such as temporary disqualification, for up to ten years, from serving as an officer or director of regulated entities. In addition, companies involved in money laundering scandals might face serious reputational damage, as seen previously in Operation Car Wash, Brazil’s largest anti-corruption and AML taskforce.

Know Your Client: in practice

Brazilian authorities require obligated persons to implement and maintain customer due diligence procedures proportionate to their size and operations; in other words, a KYC tailored to the risk of each company. The framework follows the risk-based approach recommended by the Financial Action Task Force (FATF) and adopted by Coaf and other regulators, requiring enhanced measures for higher-risk situations.

Client identification must include the collection, verification, and validation of data, including for remote transactions, which can be especially challenging. Qualification involves assessing the client’s financial capacity, determining whether they are a politically exposed person (“PEP”), and ensuring sufficient information to establish a reliable risk profile. Risk classification, in turn, must reflect the categories defined in the company’s internal assessment. The frequency of these analyses needs to be proportionate to the client’s risk classification, ensuring that higher-risk clients are subject to more frequent revalidation.

For fintechs, implementing robust KYC can be particularly challenging. Their highly digital and fast-paced operations, with restricted human and financial resources, increase exposure to clients who may attempt to conceal their identities through complex structures. For this reason, it is not uncommon for companies to outsource KYC procedures to specialized firms or outside counsel, particularly in cases involving more complex analyses where independent expertise adds value to the compliance process.

A central component is the identification of the Ultimate Beneficial Owner (“UBO”), defined as the individual who ultimately controls, influences, or benefits from a legal entity, directly or indirectly. Obligated persons must extend risk classification to administrators, partners, representatives, and proxies, and are prohibited from initiating relationships without completing the required identification and qualification procedures. This requirement is especially sensitive given the use of shell companies, front men or front companies and other mechanisms designed to obscure the UBO and disguise unlawful activities, which significantly heightens the complexity of AML/CFT compliance for financial institutions.

Case study and conclusions

In 2025, a massive scandal was uncovered involving one of Brazil’s biggest criminal organizations, which disguised billions of reais through fintechs and other financial institutions for money laundering. At the time these unlawful acts were perpetrated, certain payment institutions, including fintech companies and participants in payment arrangements, were not subject to AML/CFT regulation. Hence, the scheme remained invisible to authorities. The criminal organization employed several strategies to conceal and disguise the UBO. This case shed light on deficiencies in KYC procedures, which stemmed from the regulatory gaps that IN 2,278 has since addressed. Under this regulation, one of the obligations is the submission of the e-Financeira, a digital report of high-value financial transactions that enables authorities to monitor suspicious activities more effectively. This obligation, alongside properly designed and effectively enforced KYC policies, could have mitigated or even prevented the unlawful acts.

While no compliance framework ensures absolute prevention, robust AML/CFT mechanisms significantly reduce exposure to unlawful acts, serve as a defensive mechanism against regulatory sanctions and act as a strategic tool for safeguarding corporate integrity and reputation. Ultimately, the growing role of KYC in Brazil’s regulatory framework reflects a broader global trend toward heightened accountability for AML/CFT. For companies operating in this environment, compliance is no longer confined to meeting minimum legal requirements; it demands a culture of vigilance, ethical responsibility, and continuous improvement. In this regard, entities that prioritize KYC not only mitigate legal and reputational risks but also position themselves as trusted players in a market where integrity has become a decisive competitive advantage.

Authors: Leonardo Kozloswki, Isabelly Nunes, Salim Saud.
13 October 2025
Compliance

Navigating ECCTA 2023: periodic compliance review as a strategic tool to mitigate corporate risk

Introduction

The Economic Crime and Corporate Transparency Act 2023 (“ECCTA 2023” or the “Act”) constitutes a landmark development in the United Kingdom’s (“UK”) legal framework to combat financial crime and reinforce corporate accountability. Enacted in 2023, the Act introduces two key provisions: the creation of the new corporate offense of failure to prevent fraud, which entered into force on 1 September 2025, and the expansion of the identification doctrine through the senior manager regime, which entered into force on 26 December 2023. These new provisions are expected to generate significant challenges for companies both within and outside the UK, as the scope of exposure is broad, with potential extraterritorial implications for organizations incorporated in the UK and multinationals with UK operations. In this regard, the most effective way to address these challenges is to implement or enhance compliance programs to prevent fraud and ensure appropriate oversight of senior management.

This article aims to present the key challenges posed by these new provisions and highlight practical measures that companies should adopt to mitigate them. An essential component of this approach is the periodic review of compliance programs, ensuring that they remain tailored to the company’s risks, regulatory requirements and corporate structures.

Preliminary considerations

The United Kingdom has progressively reinforced its legal framework to address economic crimes and enhance corporate accountability. A key milestone was the UK Bribery Act of 2010 (“UKBA”), which introduced the pioneering corporate offense of failure to prevent bribery. Under this strict liability regime, organizations may be held criminally liable for bribery committed by an associated person intending to benefit the organization, unless they can demonstrate that adequate procedures had been implemented to prevent such conduct.

The ECCTA 2023 represents an evolution. It complements and expands the UKBA by introducing the failure to prevent fraud offense, applicable to large organizations, defined as those meeting at least two of the following criteria: (i) more than 250 employees, (ii) annual turnover exceeding £36 million, or (iii) total assets exceeding £18 million. In addition, the Act expands the identification doctrine, enabling corporate liability for offenses committed by senior managers acting within the scope of their authority, even if they do not hold formal executive titles. Taken together, the UKBA and ECCTA 2023 establish a robust legal framework that shifts the burden onto organizations to proactively prevent misconduct, rather than merely responding to it. This evolution underscores the UK’s enduring commitment to enhancing transparency, accountability, and ethical conduct in corporate environments.

As mentioned before, the Act contains provisions with extraterritorial effects. Companies inside and outside the UK may fall within the scope of ECCTA 2023 if they have relevant UK connections, such as UK-based customers, operations, or assets. Under the senior managers regime and the failure to prevent fraud offense, liability may arise regardless of incorporation or location, provided that there is a demonstrable UK nexus. Hence, these companies have an ongoing obligation to continuously monitor and periodically review the effectiveness of their compliance programs.

Periodic compliance review as a strategic response

Companies subject to the ECCTA 2023, as well as those operating under other robust anti-corruption frameworks, should carry out periodic reviews of their compliance programs. Such reviews are critical not only to confirm that existing procedures remain adequate, but also to ensure that the program evolves in response to shifting regulatory expectations and emerging risks. The absence of this continuous reassessment exposes organizations to heightened liability, particularly in jurisdictions that demand demonstrable and proactive compliance efforts, such as the UK.

A compliance review is a structured and in-depth evaluation of a company’s compliance framework. It usually includes a thorough document review, covering compliance-related policies and internal procedures, training materials and sessions provided, and a sample analysis of relevant third parties to check whether the appropriate procedures are being carried out. In addition, one effective tool during the review is to perform a general compliance perception assessment, involving structured interviews with key personnel to capture insights on the program’s effectiveness. The findings can then be used to identify and address specific opportunities for improvement, ensuring that the compliance framework remains both responsive and robust.

In this regard, periodic reviews have proven to reinforce a culture of integrity. They also promote accountability, particularly at the senior management level, since these leaders are typically engaged in the review process and bear responsibility for supporting compliance across the organization in order to meet the broader governance expectations expanded by the ECCTA 2023. Within the context of the failure to prevent fraud offense, a well-structured and regularly reviewed compliance program serves as a strategic defense, mitigating both risks and liability. The reviews may be conducted internally by the compliance department; however, when conducted by outside counsel, they provide added value by ensuring independence, minimizing potential conflicts of interest, and enhancing the credibility of the assessment before regulators and stakeholders.

Conclusion

The Act has increased legal and operational exposure for large organizations with direct or indirect links to the UK, mainly due to the introduction of the failure to prevent fraud offense. In response to this heightened regulatory landscape, the periodic review of the compliance program assumes a strategic role. By systematically evaluating the practical effectiveness of internal compliance programs, the review enables organizations to identify and remediate deficiencies before they escalate into regulatory consequences.

For Brazilian companies with operations, clients, or assets in the UK, or for UK companies with a presence in Brazil, the September 2025 enforcement underscores the urgency to act. Implementing and maintaining reasonable prevention procedures is essential not only to support a defense under the ECCTA 2023, but also to foster a culture of integrity and accountability across all levels of corporate governance. This resonates with the spirit of the Brazilian Clean Companies Act. Taken together, these legal frameworks highlight the need for companies operating transnationally to align compliance programs with both jurisdictions, embedding continuous monitoring, periodic reviews, and strong governance practices.

Authors: Isabela Vidal, Leonardo Kozloswki, Salim Saud.
08 September 2025
Compliance and Investigations

Internal Investigations: Key Strategies, Challenges, and Best Practices from a Brazilian Perspective

Introduction

Internal investigation is one of the key elements of a corporate integrity program and, in Brazil, it is considered a cornerstone by the Office of the Comptroller General (Controladoria-Geral da União – CGU), the federal authority responsible for issuing structured guidelines to prevent, detect, and remediate corruption and related offenses. The subject is regulated by the Clean Companies Act (Law 12,846/2013 – CCA), which establishes the civil and administrative liability of legal entities for acts committed against national or foreign public administration that are performed in the legal entities’ interest or benefit. The CCA is further detailed by Federal Decree 11,129/2022 (the “Anti-Corruption Decree”), which outlines the mechanisms and procedures for an integrity program, including the handling of reports and internal investigations. This article aims to connect CGU’s recommended practices with the practical challenges and solutions encountered by companies and outside counsel in connection with internal investigations.

Preliminary Considerations

Internal investigations are fundamentally linked to promoting a culture of trust and encouraging the practice of speaking up. This requires safeguarding whistleblowers and preventing retaliation. However, an investigation may be ineffective if its processes are not clearly communicated through ongoing training and employee engagement, regardless of the employee’s position or seniority. Investigations may be initiated in various ways: through a report, anonymous or identified, via a whistleblower channel, a direct report to the compliance department, line manager or other assigned departments, internal or external audit findings, notifications from public authorities, or media coverage. Regardless of how a matter arises, protecting anonymity is critical to fostering a trustworthy environment. At the same time, it is worth noting that employee access to the compliance department is equally important, especially given its central role in guiding and supporting internal investigations, including when external counsel is retained.

It is essential to understand that investigations are fact-finding exercises. The objective is to determine whether the alleged conduct occurred, analyze the circumstances surrounding it, identify the individuals involved, and assess whether there was a breach of applicable laws or internal policies.

Planning an Internal Investigation

Investigations are not to be a wild goose chase. Careful planning is essential to ensure that the investigation is both efficient and trustworthy. A structured yet adaptable investigation plan allows the investigation team to define scope and prioritize key issues to be examined. The plan should be formalized in a document that sets forth rigorous standards and protocols to uphold confidentiality, impartiality, and consistency throughout the investigation process. Although each investigation and its plan are unique, effective planning typically includes: (i) a clear description of the allegations, (ii) the potential risks to the company and the adoption of any precautionary measures, (iii) an initial document review strategy, (iv) a list of potential individuals to be interviewed, (v) a timeline for execution, and (vi) an evaluation of whether outside counsel should be engaged.

As part of the investigation planning phase, companies should assess the need for precautionary measures to safeguard the integrity of the process. These measures may include the temporary suspension of an employee, reassignment of duties, or suspension of a third party’s activities. Such actions are not punitive but preventive in nature, designed to avoid interference with the investigation, protect evidence, and prevent retaliation against witnesses or whistleblowers. The decision to implement precautionary measures must be carefully evaluated based on proportionality, legal risk, and potential business disruption. When properly justified and documented, these actions reinforce the seriousness of the company’s compliance efforts while respecting the rights of the parties involved.

Document review is often the starting point for establishing a factual foundation and, in complex cases, can extend to the review of emails and other communications involving potentially implicated individuals through forensic review. This phase typically precedes interviews, which help contextualize or corroborate the documentary evidence.

Interviews

Interviews with the relevant individuals are a vital source of information in internal investigations. A well-conducted interview is often a cornerstone of any effective investigation, regardless of its complexity. Preparation is key. Experienced attorneys often prepare a structured outline of questions while maintaining flexibility to adapt their approach based on the interviewee’s responses. Key best practices include: (i) creating a respectful and neutral interview environment, (ii) providing only the necessary information about the case, and (iii) providing applicable legal warnings, such as the Upjohn Warning, which reminds the interviewee that the attorney leading the investigation represents the company, not the individual. These legal warnings often protect the integrity of the investigation. Ultimately, integrating document review with interview planning allows for focused and accurate questioning, minimizes unexpected developments during the interview and helps identify inconsistencies or potential contradictions in the interviewee’s statements.

In addition, the order in which the interviews are conducted is of profound importance and is evaluated on a case-by-case basis. When deciding the timing of an interview, the investigation team should consider (i) whether there will be a single or multiple opportunities to interview the individual, (ii) whether the interviewee is a key witness or a potentially implicated individual, and (iii) whether the person can help contextualize or explain documents. In general, individuals potentially implicated in the alleged conduct are interviewed last. This allows the investigation team to gather and analyze relevant information, including inconsistencies or contradictions, so that relevant evidence may be presented and challenged during the final interviews. Another best practice is to have two people present during the interview: typically, a lead interviewer and a note-taker. This ensures a well-organized process, reduces potential contradictions about the content covered during the conversation and provides a witness in case of any inappropriate behavior by the interviewee.

Investigation Report

Following the interview phase, the investigation team conducts a comprehensive evaluation of all collected information. This includes identifying any gaps that may require follow-up or additional data from the company. In this regard, the investigation team evaluates the probative value and relevance of the information collected according to its objectivity or subjectivity and credibility, and whether it is based on documents, direct observations or testimonies. Contradictory evidence is not unusual, and evaluating such tensions is fundamental to reaching objective conclusions.

The investigation report serves as the official record of the work performed. If the investigation was initiated internally (rather than by authorities), the report also demonstrates the company’s compliance with the CCA and the Anti-Corruption Decree by proactively identifying and responding to potential misconduct. The report may also play a critical role in cooperation with authorities in the event of potential enforcement actions or leniency negotiations under Brazilian law. In fact, CGU recommends that companies notify the authorities that would be competent to investigate the allegations in advance when launching internal investigations. Although recommended by the CGU, this is not a legal requirement and its convenience should be assessed carefully on a case-by-case basis.

Best practices for the report include: (i) clear and objective language, (ii) a detailed description of the allegations and scope of the investigation, and (iii) the methodology and investigative steps taken, as well as the conclusions. If applicable, it should also indicate whether there was a breach of internal policies or applicable law, and provide recommendations for remediation, consequences, or improvements in the compliance program. In addition, to reinforce a culture of compliance and speaking up, to the extent possible, reporters should receive updates on the status throughout the investigation. This builds trust among employees and leadership while enhancing the credibility and effectiveness of the compliance program in the eyes of regulators, particularly in the event of future scrutiny.

Conclusion

Internal investigations play a fundamental role in effective compliance programs. Despite their relevance, investigations can present substantial practical challenges. Many companies, particularly those with less mature compliance structures, may lack clear policies and procedures, dedicated resources, or engaged leadership. In addition, it is not uncommon for external counsel to encounter operational difficulties such as limited access to documents, uncooperative employees, or cultural resistance. If not addressed, these barriers can compromise the quality and credibility of the investigation and its outcomes. Therefore, strengthening internal investigation protocols and procedures, fostering a robust compliance culture at all levels of the organization, and ensuring the independence of and support for investigation teams are essential steps toward building an effective, credible, and trustworthy compliance environment within companies.

Also, engaging external counsel in internal investigations not only adds technical expertise but also affords the significant benefit of attorney-client privilege. This privilege protects confidential communications between the company and its legal counsel made for the purpose of obtaining legal advice. It is particularly valuable during interviews and while formulating conclusions and recommendations. By ensuring privileged status, the company gains greater control over sensitive information, which is essential in managing regulatory exposure, reputational risk, and potential litigation. Furthermore, legal oversight enhances the credibility and defensibility of the investigation, especially if findings are later scrutinized by authorities or presented in court.

Authors: Caroline Rosa, Leonardo Kozloswki, Isabela Vidal
16 May 2025
Content supplied by Saud Advogados