News and developments

Compliance

Navigating ECCTA 2023: periodic compliance review as a strategic tool to mitigate corporate risk

Introduction

The Economic Crime and Corporate Transparency Act 2023 (“ECCTA 2023” or the “Act”) constitutes a landmark development in the United Kingdom’s (“UK”) legal framework to combat financial crime and reinforce corporate accountability. Enacted in 2023, the Act introduces two key provisions: the creation of the new corporate offense of failure to prevent fraud, which entered into force on September 1st, 2025, and the expansion of the identification doctrine through the senior manager regime, which entered into force on December 26, 2023. These new provisions are expected to generate significant challenges for companies both within and outside the UK, as the scope of exposure is broad and has potential extraterritorial implications, reaching, for example, organizations incorporated in the UK and multinationals with UK operations. In this regard, the most effective way to address these challenges is to implement or enhance compliance programs to prevent fraud and ensure appropriate oversight of senior management. This article aims to present the key challenges posed by these new provisions and highlight practical measures that companies should adopt to mitigate them. An essential component of this approach is the periodic review of compliance programs, ensuring that they remain tailored to the company’s risks, regulatory requirements and corporate structures.

Preliminary considerations

The United Kingdom has progressively reinforced its legal framework to address economic crimes and enhance corporate accountability. A key milestone was the UK Bribery Act of 2010 (“UKBA”), which introduced the pioneering corporate offense of failure to prevent bribery. Under this strict liability regime, organizations may be held criminally liable for bribery committed by an associated person intending to benefit the organization, unless they can demonstrate that adequate procedures had been implemented to prevent such conduct. The ECCTA 2023 represents an evolution.
It complements and expands the UKBA by introducing the failure to prevent fraud offense, applicable to large organizations - defined as those meeting at least two of the following criteria: (i) more than 250 employees, (ii) annual turnover exceeding £36 million, or (iii) total assets exceeding £18 million. In addition, the Act expands the identification doctrine, enabling corporate liability for offenses committed by senior managers acting within the scope of their authority, even if they do not hold formal executive titles. Taken together, the UKBA and ECCTA 2023 establish a robust legal framework that shifts the burden onto organizations to proactively prevent misconduct, rather than merely responding to it. This evolution underscores the UK’s enduring commitment to enhancing transparency, accountability, and ethical conduct in corporate environments. As mentioned before, the Act contains provisions with extraterritorial effects. Companies inside and outside the UK may still fall within the scope of ECCTA 2023 if they have relevant UK connections, such as UK-based customers, operations, or assets. Under the senior managers regime and failure to prevent fraud offense, liability may arise regardless of incorporation or location, provided that there is a demonstrable UK nexus. Hence, these companies have an ongoing obligation to continuously monitor and periodically review the effectiveness of their compliance programs.

Periodic compliance review as a strategic response

Companies subject to the ECCTA 2023 - as well as those operating under other robust anti-corruption frameworks - should carry out periodic reviews of their compliance programs. Such reviews are critical not only to confirm that existing procedures remain adequate, but also to ensure that the program evolves in response to shifting regulatory expectations and emerging risks.
The absence of this continuous reassessment exposes organizations to heightened liability, particularly in jurisdictions that demand demonstrable and proactive compliance efforts, such as the UK. A compliance review is a structured and in-depth evaluation of a company’s compliance framework. It usually includes a thorough document review covering compliance-related policies and internal procedures, training materials and sessions provided, and a sample analysis of relevant third parties to check whether the appropriate procedures are being carried out. In addition, one effective tool during the review is to perform a general compliance perception assessment, involving structured interviews with key personnel to capture insights on the program’s effectiveness. The findings can then be used to identify and address specific opportunities for improvement, ensuring that the compliance framework remains both responsive and robust. In this regard, periodic reviews have proven to reinforce a culture of integrity. They also promote accountability, particularly at the senior management level, since these leaders are typically engaged in the review process and bear responsibility for supporting compliance across the organization in order to meet the broader governance expectations – expanded by the ECCTA 2023. Within the context of the failure to prevent fraud offense, a well-structured and regularly reviewed compliance program serves as a strategic defense to mitigate both risks and liability. The reviews may be conducted internally by the compliance department; however, when conducted by outside counsel, they provide added value by ensuring independence, minimizing potential conflicts of interest, and enhancing the credibility of the assessment before regulators and stakeholders.

Conclusion

The Act has increased legal and operational exposure for large organizations with direct or indirect links to the UK – mainly due to the introduction of the failure to prevent fraud offense.
In response to this heightened regulatory landscape, the periodic review of the compliance program assumes a strategic role. By systematically evaluating the practical effectiveness of the internal compliance programs, the review enables organizations to identify and remediate deficiencies before they escalate into regulatory consequences. For Brazilian companies with operations, clients, or assets in the UK, or for UK companies with a presence in Brazil, the September 2025 enforcement underscores the urgency to act. Implementing and maintaining reasonable prevention procedures is essential not only to support a defense under the ECCTA 2023, but also to foster a culture of integrity and accountability across all levels of corporate governance. This resonates with the spirit of the Brazilian Clean Companies Act. Taken together, these legal frameworks highlight the need for companies operating transnationally to align compliance programs to both jurisdictions, embedding continuous monitoring, periodic reviews, and strong governance practices.

Authors: Isabela Vidal, Leonardo Kozloswki, Salim Saud.
08 September 2025
Compliance and Investigations

Internal Investigations: Key Strategies, Challenges, and Best Practices from a Brazilian Perspective

Introduction

Internal investigation is one of the key elements of a corporate integrity program and, in Brazil, it is considered a cornerstone by the Office of the Comptroller General (Controladoria-Geral da União – CGU), the federal authority responsible for issuing structured guidelines to prevent, detect, and remediate corruption and related offenses. The subject is regulated by the Clean Companies Act (Law 12,846/2013 – CCA), which establishes the civil and administrative liability of legal entities for acts committed against national or foreign public administration that are performed in the legal entities’ interest or benefit. The CCA is further detailed by Federal Decree 11,129/2022 (the “Anti-Corruption Decree”), which outlines the mechanisms and procedures for an integrity program, including the handling of reports and internal investigations. This article aims to connect CGU’s recommended practices with the practical challenges and solutions encountered by companies and outside counsel in connection with internal investigations.

Preliminary Considerations

Internal investigations are fundamentally linked to promoting a culture of trust and encouraging the practice of speaking up. This requires safeguarding whistleblowers and preventing retaliation. However, an investigation may be ineffective if its processes are not clearly communicated through ongoing training and employee engagement—regardless of the employee’s position or seniority. Investigations may be initiated in various ways: through a report—anonymous or identified—via a whistleblower channel, a direct report to the compliance department, line manager or other assigned departments, internal or external audit findings, notifications from public authorities, or media coverage. Regardless of how a matter arises, protecting anonymity is critical to fostering a trustworthy environment.
At the same time, it is worth noting that employee access to the compliance department is equally important, especially given its central role in guiding and supporting internal investigations, including when external counsel is retained. It is essential to understand that investigations are fact-finding exercises. The objective is to determine whether the alleged conduct occurred, analyze the circumstances surrounding it, identify involved individuals, and assess whether there was a breach of applicable laws or internal policies.

Planning an Internal Investigation

Investigations should not be a wild goose chase. Careful planning is essential to ensure that the investigation is both efficient and trustworthy. A structured yet adaptable investigation plan allows the investigation team to define scope and prioritize key issues to be examined. The plan should be formalized in a document that sets forth rigorous standards and protocols to uphold confidentiality, impartiality, and consistency throughout the investigation process. Although each investigation and its plan are unique, effective planning typically includes: (i) a clear description of the allegations, (ii) the potential risks to the company and the adoption of any precautionary measures, (iii) an initial document review strategy, (iv) a list of potential individuals to be interviewed, (v) a timeline for execution, and (vi) an evaluation of whether outside counsel should be engaged. As part of the investigation planning phase, companies should assess the need for precautionary measures to safeguard the integrity of the process. These measures may include the temporary suspension of an employee, reassignment of duties, or suspension of a third party’s activities. Such actions are not punitive but preventive in nature, designed to avoid interference with the investigation, protect evidence, and prevent retaliation against witnesses or whistleblowers.
The decision to implement precautionary measures must be carefully evaluated based on proportionality, legal risk, and potential business disruption. When properly justified and documented, these actions reinforce the seriousness of the company’s compliance efforts while respecting the rights of the parties involved. Document review is often the starting point for establishing a factual foundation and, in complex cases, can extend to the review of emails and other communications involving potentially implicated individuals through forensic review. This phase typically precedes interviews, which help contextualize or corroborate the documentary evidence.

Interviews

Interviews with the relevant individuals are a vital source of information in internal investigations. A well-conducted interview is often a cornerstone of any effective investigation, regardless of the complexity of the investigation. Preparation is key. Experienced attorneys often prepare a structured outline of questions while maintaining flexibility to adapt their approach based on the interviewee’s responses. Key best practices include: (i) creating a respectful and neutral interview environment, (ii) providing only the necessary information about the case, and (iii) providing applicable legal warnings, such as the Upjohn Warning – which reminds the interviewee that the attorney leading the investigation represents the company, not the individual. These legal warnings often protect the integrity of the investigation. Ultimately, integrating document review with the interview planning allows for focused and accurate questioning, helps minimize unexpected developments during the interview, and helps identify inconsistencies or potential contradictions in the interviewee’s statements. In addition, the order in which the interviews are conducted is of profound importance and is evaluated on a case-by-case basis.
When deciding the timing of an interview, the investigation team should consider (i) whether there will be a single opportunity or multiple opportunities to interview the individual, (ii) whether the interviewee is a key witness or potentially implicated individual, and (iii) whether the person can help contextualize or explain documents. In general, individuals potentially implicated in the alleged conduct are interviewed last. This allows the investigation team to gather and analyze relevant information – including inconsistencies or contradictions – so that relevant evidence may be presented and challenged during the final interviews. Another best practice is to have two people present during the interview: typically, a lead interviewer and a note-taker. This ensures a well-organized process, reduces potential contradictions about the content covered during the conversation and provides a witness in case of any inappropriate behavior by the interviewee.

Investigation Report

Following the interview phase, the investigation team conducts a comprehensive evaluation of all collected information. This includes identifying any gaps that may require follow-up or additional data from the company. In this regard, the investigation team evaluates the probative value and relevance of the information collected according to its objectivity or subjectivity and credibility, whether it is based on documents, direct observations or testimonies. Contradictory evidence is not unusual, and evaluating such tensions is fundamental to reaching objective conclusions. The investigation report serves as the official paper record of the work performed. If the investigation was initiated internally (rather than by authorities), the report also demonstrates the company’s compliance with the CCA and the Anti-Corruption Decree by proactively identifying and responding to potential misconduct.
The report may also play a critical role in cooperation with authorities in the event of potential enforcement actions or leniency negotiations under Brazilian law. In fact, CGU recommends that companies notify authorities that would be competent to investigate the allegations in advance when launching internal investigations. Although recommended by the CGU, this is not a legal requirement and its convenience should be assessed carefully on a case-by-case basis. Best practices for the report include: (i) clear and objective language, (ii) a detailed description of the allegations and scope of the investigation, (iii) the methodology and investigative steps taken, as well as the conclusions. If applicable, it should also indicate whether there was a breach of internal policies or applicable law, and include recommendations for remediation, consequences, or improvements in the compliance program. In addition, to reinforce a culture of compliance and speaking up, to the extent possible, reporters should receive updates on the status throughout the investigation. This builds trust among employees and leadership while enhancing the credibility and effectiveness of the compliance program in the eyes of regulators, particularly in the event of future scrutiny.

Conclusion

Internal investigations play a fundamental role in effective compliance programs. Despite their relevance, investigations can present substantial practical challenges. Many companies—particularly those with less mature compliance structures—may lack clear policies and procedures, dedicated resources, or engaged leadership. In addition, it is not uncommon for external counsel to encounter operational difficulties such as limited access to documents, uncooperative employees, or cultural resistance. If not addressed, these barriers can compromise the quality and credibility of the investigation and its outcomes.
Therefore, strengthening internal investigation protocols and procedures, fostering a robust compliance culture at all levels of the organization, and ensuring the independence of and support for investigation teams are essential steps toward building an effective, credible, and trustworthy compliance environment within companies. Also, engaging external counsel in internal investigations not only adds technical expertise but also affords the significant benefit of attorney-client privilege. This privilege protects confidential communications between the company and its legal counsel made for the purpose of obtaining legal advice. It is particularly valuable during interviews and while formulating conclusions and recommendations. By ensuring privileged status, the company gains greater control over sensitive information, which is essential in managing regulatory exposure, reputational risk, and potential litigation. Furthermore, legal oversight enhances the credibility and defensibility of the investigation, especially if findings are later scrutinized by authorities or presented in court.

Authors: Caroline Rosa, Leonardo Kozloswki, Isabela Vidal
16 May 2025
Content supplied by Saud Advogados