• The Colombian Corporations Commission (La Superintendencia de Sociedades) (“Superintendencia”) has issued Resolution 100-006261, which requires the overwhelming majority of companies that are supervised by the Superintendencia and engage in international transactions to adopt and implement a compliance program – called a Business Transparency and Ethics program – by April 30, 2021.  The program must be designed to prevent and detect violations of anti-bribery laws, in accordance with 2016 guidance.
  • This is another example of how compliance standards across Latin America and the United States have been converging in recent years on a set of standards, even if some differences remain.
  • For example, both Colombian and U.S. guidance emphasize the importance of tailoring compliance programs to the most salient risks for the company; continually improving compliance programs; performing adequate due diligence on third parties; and ensuring a commitment by management to compliance, both in terms of company culture and resources allocated to the program.
  • The new Resolution provides a further reason for multinational companies with business activities in the Americas and Colombian companies expanding in the region to establish a strong compliance program.


On October 2, 2020, the Superinendencia issued Resolution 100-006261, which expands the universe of companies that must adopt and implement Business Transparency and Ethics (i.e., compliance) programs in accordance with 2016 guidance.[1]  Under Article 7 of the Transnational Corruption Act, Ley 1778, the existence and execution of an effective transparency program is a mitigating factor when the Superintendencia is evaluating whether to apply penalties to companies that it finds have engaged in transnational bribery.  The newest expansion of the resolution captures the overwhelming majority of companies that operate in Colombia and abroad or engage in international transactions and that are otherwise supervised by the Superintendencia.[2]  Companies operating in Colombia under the jurisdiction of the Superintendencia and meeting certain criteria[3] have a fairly short time period, until April 30, 2021, to implement their compliance programs.  Under the Resolution, the Superintendencia may verify a company’s compliance with these obligations at any time.  While the Superintendencia has the authority to order fines, temporary debarment from government contracts, and temporary ineligibility for receipt of government incentives or subsidies when companies violate anti-bribery laws, it is unclear what sanctions the Superintendencia would pursue for companies that fail to properly implement an ethics program designed to mitigate transnational corruption risk and whether they are equipped to enforce the resolution.[4]  Nevertheless, companies that fail to implement the compliance program face risk if they are not in compliance by April 30th, as well as the possibility of greater penalties if they are found to have engaged in transnational bribery.  As explained below, the good news is that, given the similarities between the Colombian guidance and guidance in other countries in the region, compliance with the Colombian guidance should not be difficult for companies that have compliance programs in place that already comport with the guidance issued elsewhere.

The Superintendencia’s guidance on compliance programs dates back to 2016, but its recent application to a broader range of Colombian companies as of January 1, 2021 demonstrates the Superintendencia’s commitment to adopting a universal compliance standard starting in 2021.  Like many other compliance guidelines developed by Latin American regulatory bodies in recent years,[5] the Superintendencia’s guidance is thematically oriented towards combating corruption and fraud, focusing on risk assessment and mitigation, third party due diligence, dedication of resources to the compliance function, and commitment of senior and middle management to the promotion of a culture of compliance.  The guidance from 2016 notes that it is inspired by “international best practices”[6] and draws on international models, including the Organization for Economic Co-operation and Development (“OECD”) Good Practice Guidance on Internal Controls, Ethics and Compliance; guidance under the U.S. Foreign Corrupt Practices Act (“FCPA”); and guidance under the U.K. Bribery Act.

Companies already operating in, or contemplating operation in, the Americas (and elsewhere) will benefit from a universal approach to strengthening their compliance programs, especially given recent updates and enforcement priorities from regional authorities and regulatory agencies that post-date the Superintendencia’s 2016 guidance.  In particular, Colombian issuers of securities in the United States and Colombian companies with operations in the United States should ensure that their compliance with Resolution 100-006261 also addresses the Department of Justice (“DOJ”) Evaluation of Corporate Compliance Programs, originally issued in 2017, updated in April 2019, and further refined as recently as June 2020.[7]  The current iteration of the DOJ’s guidance focuses on three “fundamental questions” that prosecutors should ask when evaluating corporate compliance program: 1) whether the “corporation’s compliance program [is] well designed,” 2) whether the program is “being applied earnestly and in good faith,” and 3) whether it works in practice.[8]  While this guidance differs from the Colombian guidance in its framing and form, Colombian and U.S. guidance share many common substantive themes.

Risk Assessment and Continuous Improvement

Both the Colombian and U.S. guidance advise that companies should conduct periodic risk assessments to determine the most salient risks for their operations; tailoring compliance programs and policies to those risks.  Under the Colombian guidance, risk assessment may include an evaluation of the geographic and economic areas of operation, interactions with third parties, and the level of reliance on government contracts, permits, and licenses.  While guidance from both Colombia and the United States notes the importance of assessing compliance programs periodically and as tailored to a particular risk profile, recent DOJ guidance in particular has focused attention on a company’s ability to incorporate “lessons learned” from its own control gaps, risk assessments, and  the experiences of its industry peers.  Both sets of guidance acknowledge that compliance should be a process of continuous improvement, whereby a company routinely collects data on the efficacy of its compliance program, including through audits and control testing, and reassesses the program’s structure and resource allocation based on its evolving risk profile.  While the Colombian guidance less explicitly references the role that incorporating “lessons learned” plays in improving a compliance program, in practice, companies seeking to implement the Colombian guidance will need to make sure their programs are evolving and address any gaps or deficiencies identified through a process of continuous assessment.

Third Party Due Diligence

Contracting through third parties presents a situation “where [] particular types of misconduct [are] most likely to occur.”[9] The Colombian guidance emphasizes that a compliance program should include procedures for conducting thorough due diligence on third-party contractors and consultants.  That diligence should be oriented towards reviewing the reputation, relationships, and past misconduct of third parties, as well as ensuring that payments made to third parties are legitimate and not part of an effort to transmit or conceal bribes.  Colombian guidance further suggests including terms in contracts with third parties that incorporate agreements to prevent transnational bribery.  Once again, there is congruence between Colombian and U.S. guidance regarding management of third parties.  Companies seeking to abide by Colombian guidance should therefore keep in mind the DOJ’s approach on third party due diligence, which views third party controls not only as a relevant consideration in the procurement process, but as an important factor in contract management, controls testing, and determining the allocation of compliance resources.

Compliance Resources and Commitment of Senior and Middle Management

Colombian and U.S. guidance highlight the importance of having a program that is effective in practice and tailored to specific risks across business lines and geographies.  Both countries’ guidance advise that an effective compliance function has adequate resources, authority, and autonomy within the company, as well as the support and commitment of high‑level and middle management to foster a culture of compliance through its communications and actions.  Colombian compliance guidance explicitly refers to the need to designate a qualified, trustworthy, and experienced individual to manage the company’s program; supported with adequate resources and retaining sufficient independence to properly identify risks and raise concerns to higher level management.

Both sets of guidance emphasize continuous training for employees, the availability of accessible policies and procedures[10] that lay out compliance and ethics goals in a clear and simple manner, and the creation of confidential channels, through which employees can report misconduct and irregularities without fear of retaliation.


Although compliance guidance in Colombia (and Latin America generally) is not identical to the recently updated guidance in the United States, compliance standards in Latin America and the United States continue to converge.  Significantly, the expansion of the Colombian regulation to new industries also highlights efforts by the Superintendencia to develop a cross-industry standard that will enhance anti-corruption efforts in the country.  The new Resolution provides yet another reason for companies operating in Colombia to adopt compliance best practices with reference to the guidance in Colombia, the United States, and elsewhere in the region.

[1] See Superintendencia de Sociedades, External Circular No. 100-0000003.

[2] Previously, Colombian guidance covered companies that conducted international business through intermediaries, contractors, and subsidiaries, as well as companies engaged in specific industries such as pharmaceuticals, construction, and energy.  See Superintendencia de Sociedades, Resolution No. 200-000558.

[3] The new criteria capture companies that, in the prior calendar year, engaged in international transactions totaling at least 100 times the minimum monthly wage and that have earned revenue or assets of at least 40,000 times the minimum monthly wage.

[4] See Transnational Corruption Act, Ley 1778, Art. 5.

[5] See e.g., Clean Company Act, Decree No. 8,420/2015, arts. 42-43 (Brazil, 2015); Ley 27.401, arts. 22-23 (Argentina, 2017).

[6] External Circular No, 100-0000003, Sections I, IV.1.

[7] United States Department of Justice, Criminal Division, Evaluation of Corporate Compliance Programs (updated June 2020).

[8] Id.

[9] Id. at 8.

[10] Colombian Guidance emphasizes in the first instance the creation and development of a “Manual de Cumplimiento,” which in practice serves purposes similar to a Code of Ethics.  The Manual de Cumplimiento should be a reflection of internal norms and should align with how the company practically handles risk management.