On December 9th 2021, the Decree-Law No. 109-E/2021 was published, whose effects will only be reflected in the Portuguese legal system from its entry into force – June 9th 2022.
This Law, which creates the National Anti-Corruption Mechanism (“MENAC”) and approves the General Regime for the Prevention of Corruption (“RGPC”), aims to act in advance: that is, instead of focusing on punitive measures of the corruption phenomena, it rather seeks to prevent it, by implementing for the purpose internal control systems, risk prevention or management plans, codes of ethics and conduct, training programmes, whistleblowing channels and the designation of a compliance officer.
MENAC is a public independent authority, with powers of initiative, control and sanction, whose purpose is to promote transparency and integrity, and ensure the effectiveness of its corruption prevention policies, namely by developing programmes in educational establishments, supporting public entities in the application of the RGPC, disseminating information on corruption and related offences, and analysing criminal proceedings – regarding crimes of corruption and related offences – which have already been judged with the aim of strengthening knowledge on these infractions.
RGPC is applicable to (i) legal persons headquartered in Portugal, to Portuguese branches of legal persons headquartered abroad, and (ii) in all cases, provided they employ at least 50 employees. In turn, independent administrative entities with regulatory functions in economic activities, namely the Bank of Portugal (Banco de Portugal), are subject to this regime, even if they employ less than 50 employees.
The mentioned entities, subject to the observation of the RGPC, must adopt and implement a Regulatory Compliance Program (“PCN”) that includes:
(i) a Prevention Plan of Risks of Corruption and Related Infringements (“PPR”);
(ii) a Code of Conduct;
(iii) a Training Programme;
(iv) an Internal Communication Channel; and
(v) the appointment of a Compliance Officer.
PPR should identify, analyse and classify the risks and situations that may expose the entity to acts of corruption, as well as provide measures to reduce the likelihood and impact of these risks: in other words, it should be divided into 3 areas – (i) identification of the areas of activity with risk of the practice of acts of corruption; (ii) the likelihood of its occurrence and its impact; and (iii) the description of the preventive and corrective measures in place.
The implementation of the PPR implies the preparation of an interim evaluation report (in October) and an annual report (in April of the following year), which must be published on the Intranet and on its official web page on the Internet. Furthermore, the PPR shall be reviewed every three years or whenever there is a change in the entity’s corporate structure.
The Code of Conduct should establish the set of principles, values, and rules of action in the field of professional ethics, as well as to specify the sanctions – disciplinary and criminal – applicable to violators, publishing it on the Internet and Intranet. In the event of non-compliance with any of the rules of the Code of Conduct, a report must be drawn up identifying the rules violated, the sanction applied, and the measures adopted or to be adopted. Furthermore, similarly to what happens with the PPR, the Code of Conduct must be reviewed every three years or whenever there is a change in the organisation structure of the entity.
In accordance with the obligation to carry out Training Programmes, the entity must seek to inform its managers and workers of the corruption prevention policies and procedures implemented, the content and training of which should vary according to the different exposure of each professional to the risks identified. Finally, such trainings count as hours of continuous training which the employer must provide to the employee.
The Internal Communication Channel aims to allow its employees to report acts of corruption and related infractions, among others: to this end, the entity must keep a record of the reports received and retain it for at least five years or, regardless of this period, while judicial or administrative proceedings relating to the complaint are pending.
In relation to the Compliance Officer, who guarantees and controls the application of the PCN, it should be noted that he/she carries out his/her functions in an independent and permanent manner, with autonomous decision-making, and the entity should ensure that he/she has the internal information and the human and technical means necessary for the right performance of his/her function. In the case of a group relationship between various entities, a single Compliance Officer may be designated.
Finally, MENAC will be responsible for promoting and supervising the implementation of the RGPC, having sanctioning power in case of non-compliance with the obligations imposed by the RGPC. In fact, MENAC may apply sanctions:
(i) Up to €44,891.81 in case of non-adoption of the PPR, the Code of Conduct or the non-implementation of an internal control system (the latter is required only to public entities and concerns the organization plan, policies, methods and adequate risk management procedures in order to ensure the good development of the activities to which the entity is bound); and
(ii) Up to €25,000.00 if the required reports, reviews, publications, and communications referred to above are not prepared.