This document follows up the provisions of Law No. 9699 of 2019 “On Criminal Liability of Legal Entities for Domestic Bribery, Transnational Bribery, and other Crimes” (hereinafter the “Law”). The Law establishes criminal liability of legal persons for corruption crimes, committed by their employees or third parties on their behalf or in their interest in Costa Rica. At the same time the Law provides for the possibility to reduce the amount of sanctions by 40 per cent if the entity has appropriate measures for preventing corruption crimes in place.
The Law also defines a minimum list of such measures (the “Model”) that provides details on and complements the Regulation. The document stresses that the set of such measures can be introduced either independently or as a part of the management system of an entity or a group of companies.
1. Risk assessment
In the first place, when developing its Model, an entity should assess the risks that the commission of crimes under article 1 of the Law (domestic and transnational bribery, accounting fraud and falsification of other documents with the aim to conceal unlawful activities) may imply.
The entity should take into consideration the nature of its activities throughout the risk assessment process. The Regulation identifies the following risks:
- country-specific risks - the prevalence of certain crimes in specific countries,
- sectoral risks - the possibility to face risks in the field where the entity operates,
- interaction risks – the risks that stem from the relationships that the entity cannot fully control, such as the interaction with intermediaries, especially if they earn a commission, and membership in consortiums and business alliances,
- commercial risks – related to the amount and price of completed business transactions and transparency of commercial activities of the entity,
- risks related to the public sector – depend on the degree of interaction with public officials in certain areas of activities of the entity.
The document suggests using the following sources of information for conducting risk assessment:
- interviews with key employees (for instance, with those who interact with suppliers and operate in the field of marketing, finance, internal audit, and top management),
- analysis of audit reports, telephone conversations and past violations in this or other similar entities, or a consultation with a lawyer, auditor or other competent specialist.
The entity should develop relevant criteria in order to conduct the assessment. Every kind of risk should be assessed in terms of: a) its probability; and b) potential impact (financial and reputational) on the entity. The overall estimate of risks is obtained by multiplying respective indicators and can be employed to set the absolute limit which cannot be exceeded.
Each risk assessed in this manner should be classified in accordance with the further action it requires:
- risk that requires immediate action without further analysis;
- less serious risk that allows more detailed analysis;
- risk that does not require additional control measures.
The result of the risk assessment may demonstrate that:
- there is no need to take any steps to respond to the risk (if it is not critical and the costs of eliminating it potentially exceed the benefit),
- it is necessary to minimise the risk (control measures are adopted to reduce the risk to an acceptable level),
- it is necessary to eliminate the risk (by terminating the activities that generate this risk; this measure is applied to the critical risks, when the measures to minimise it cannot be adopted).
2. Due diligence
The entity should conduct due diligence of the third parties, assessing:
- the necessity and lawfulness of the services they will provide to it,
- reasonableness and proportionality of payment,
- past failures to provide services,
- investigations and bribery charges against them, involvement in civil proceedings and facts of prosecution,
- cautions, fines and delayed inspections,
- financial difficulties and insolvency applications, lack of production capacity and virtual lack of ongoing activities,
- lack of official state, corporate, legal or tax registration, suspension of business activities, licenses or permits for over a year,
- impossibility to confirm the physical location of a transaction,
- affiliation of the bank account to be used for paying the fees to the third party with this third party,
- potential links to/influence of public bodies and entities, politically exposed persons, etc.
The information generated by the risk assessment and due diligence should be properly documented in digital form and/or on paper and periodically updated.
3. Prevention of corruption
According to the Regulation, the entity should adopt the following documents to establish a system for countering corruption:
- regulating formal aspects: definition of ethical values, codes of conduct, policy on the management conflict-of-interest situations, provisions obliging to abide by the corporate policy,
- regulating informal aspects: analysis of corporate compliance culture (conducted at least annually), including the assessment of prevention, detection and response mechanisms to detect misconduct, fraud, corruption, shortcomings of internal control with a view to preventing and eradicating them,
- explicitly prohibiting bribery and other crimes under article 1 of the Law and providing for the obligation to respect domestic and international standards along with the provisions of internal documents of the entity,
- determining available confidential channels for reporting violations without fear of reprisals and procedure for processing tips and protecting whistleblowers, and providing for the obligation to report in good faith in understanding the consequences of the violation of such obligation,
- defining the role of the division/individuals responsible for compliance and the ways of communication of the employees with them;
- providing for the obligation to introduce, maintain and constantly improve the Model and the consequences of the failure to comply with the corporate compliance policy,
- regulating other measures for reducing the risk of offences.
4. Anti-corruption divisions
The entity should appoint an internal/external individual (officer(s)/division) to control the introduction of and compliance with the Model; in SMEs these functions may be directly performed by the top manager or founder, founding member, owner, partner or shareholder, responsible for managing the entity.
The competent individual/division should have the necessary resources and sufficient powers to carry out their tasks, functional autonomy within the entity along with the direct access and the possibility to report on the functioning of the Model and submit proposals on its improvement to the top management.
5. Complaint handling procedure and protection of whistleblowers
In designing the system for reporting violations, the entity should:
- establish easily accessible and secure reporting channels,
- inform whistleblowers about the confidentiality of their identity,
- establish the procedure for determining the priority, completeness and relevance of information, as well as a risk-based classification of complaints,
- determine the procedure for investigating the merits of reports and protecting whistleblowers and witnesses,
- set the time limits for processing tips, investigating alleged offences and making follow-up recommendations.
6. Awareness-raising and training
The entity should raise awareness about the existing prevention policy among its employees and third parties. In addition, it should provide training also regarding the Model, the policies, procedures, processes and instruments that have been adopted to implement it, the situations where suspicions of violations may arise, the procedure for reporting violations and protecting whistleblowers, and the consequences of non-compliance with the Model.
The organisation should establish a system of sanctions for those who do not abide by the compliance policy, both among the employees of the entity and different third parties.
The adopted Model should be verifiable, monitored and assessed to detect failures, flaws and opportunities to improve it.
The entity should conduct the external audit of its financial statements at least once every three years, verifying the facts of:
- opening the accounts that are not reflected in the statements,
- conducting the operations that are not registered or are inadequately reflected in the statements,
- including non-existent expenditures in the statements,
- indicating wrong subject of expenditures,
- using forged or altered documents,
- deliberately destructing accounting records before the legal deadline.
The entity should also carry out internal audit at least once a year.