The International Investigations Review: Colombia

Introduction

In Colombia, the authorities empowered to investigate and prosecute corporate conducts depend on the specific topic under investigation. The General Prosecutors Office (GPO) investigates criminal activities conducted by individuals, the Superintendence of Companies investigates corporate activity related to transnational bribery and money laundering, the Superintendence of Industry and Commerce investigates anticompetitive conduct by individuals and corporations and the Financial Superintendence of Colombia investigates matters related to securities and banking law.

The investigative powers of each authority depend on whether the case is administrative or criminal. Nevertheless, different authorities can investigate the same party at the same time for the same conduct if the conduct violates different laws or provisions.

The above-mentioned authorities have special powers to conduct investigations, including dawn raids. The Superintendences have inspection, supervision and control functions under which they can even perform dawn raids on corporate premises without a judicial warrant. In contrast, while the GPO also has the ability to conduct dawn raids, it does so under judicial warrant, because the GPO can search private domiciles and intercept communications.

Government priorities can affect the prosecutorial function. Even though, there is a separation of functions between the government and each authority, certain investigations have been prioritised upon specific request of the government, especially when there are effects on public policy that it has prioritised.

Business are legally obliged to cooperate with the authorities conducting corporate investigations. Nonetheless, authorities must undertake such investigations in compliance with the due process principles of the Political Constitution of Colombia (the Constitution), the Administrative Code and the Code of Civil Procedure. Authorities can impose significant fines on individuals and legal entities that are proven to be blocking an investigation, hence preventing the authority from accessing the information under investigation, through illegitimate means.

Conduct

i Self-reporting

Business are in general not obliged to self-report internal wrongdoings to authorities in Colombia. However, self-reporting to law enforcement agencies may be advisable under certain circumstances. The statutorily required company auditor does have a legal obligation to report to authorities corrupt conduct that it detects in the course of its auditing activities. Failure to do so will trigger legal consequences for the auditing company and the auditors themselves.

The administrators of a company (i.e., its management and the statutory auditor) also have a legal duty to inform shareholders and investors as soon as they become aware of internal wrongdoing.

Business companies that self-report can apply for immunity provided they confess and commit to cooperate with the competent authority until the end of the investigation. First applicants can obtain immunity from the Superintendence of Companies2 for fines up to the equivalent of approximately US$50 million when they provide evidence of corruption, confess and cooperate. Regarding antitrust behaviour, first applicants can obtain immunity from the Superintendence of Industry and Commerce3 for fines of approximately US$25 million in the case of companies and approximately US$500,000 in the case of individuals.

In accordance with provisions of the Criminal Code, employees, managers and directors under investigation for crimes can to try to mitigate criminal sanctions by applying to the GPO for a reduction in penalties and imprisonment; the success of the application will depend on the extent and value of the information that the individual provides to the prosecutor and the level of cooperation.

ii Internal investigations

Companies can conduct their own internal investigations and this practice is highly recommended for businesses that suspect wrongdoing. A thorough and complete investigation should provide the company with the elements necessary to determine the likely consequences of the possible violation and to determine whether it can and should self-report, or not.

Internal investigations can include the analysis of documents, witness interviews and e-discovery on employees' working tools. The law grants legal privilege to work product from both internal and external counsel.

If adequate protocols are followed, internal investigations are covered by attorney–client privilege and can be used for leniency applications, when there is evidence of wrongdoing. To be privileged, discussions with counsel must correspond to legitimate consultations related to a specific concern of the company, not merely of the individuals, and must correspond in nature to legal advice provided to the company. Companies do not typically retain their own counsel for interviews with employees. However, if an allegation against an employee is made, the company must follow specific protocols that allow the employee to submit his or her defence on the case.

When companies apply for leniency, the procedure deals with the individuals involved. Usually these individuals retain their own counsel when formal proceedings are started.

On the criminal side, the grant of a request from the GPO for confidential information in the course of a criminal investigation requires prior authorisation from a judge. Administrative authorities such as the Superintendence of Companies and the Superintendence of Industry and Commerce do not require a judicial warrant for their requests for information (provided that the information is relevant for the investigation).

iii Whistle-blowers

During the past few years, the GPO, the Superintendence of Industry and Commerce and the Superintendence of Companies have constructed robust programmes for whistle-blowers to report potential illegal conduct. Hence, whistle-blower reports of potential illegal conduct have become more common and effective in terms of uncovering wrongdoing.

The GPO whistle-blower programme includes a witness protection programme. This programme is open to victims and witnesses who are providing information in criminal proceedings. Under the programme, individuals can be relocated to another area and granted the financial and psychological assistance needed to initiate a new life.

Leniency programmes are operated under administrative rules by both the Superintendence of Industry and Commerce and the Superintendence of Companies. These procedures do not have a witness protection programme. The leniency programmes of these two authorities contemplate both complete and partial amnesty for fines for businesses and individuals who confess to having participated in unlawful conduct and who provide timely, detailed and effective assistance to the authority competent for detecting, investigating and prosecuting the conduct involved.

Leniency benefits are available even if the authority is already aware of the conduct and has initiated an investigation.

Companies should contemplate anonymous internal reporting hotlines, following the guidelines of the anti-money laundering (AML) and anti-bribery and corruption (ABC) administrative authority, the Superintendence of Companies, and they must ensure whistle-blowers are protected from retaliation for their claims.

Enforcement

i Corporate liability

In Colombia, legal entities cannot be considered criminally responsible for AML, ABC or antitrust violations. Under Colombian laws, criminal responsibility is reserved for individuals. However, legal entities responsible for such violations may face consequential civil and administrative liability. Investigations against legal entities can be run in parallel with criminal investigations against their employees and third parties acting on their behalf.

The civil liability of legal entities entails the obligation to indemnify third parties for harm resulting from torts that are proven within criminal proceedings or as part of independent civil proceedings.

Questions of administrative liability are determined in administrative sanctioning proceedings carried out by the applicable administrative authority. The Superintendence of Companies is the regulator in charge of investigating and penalising transnational bribery and even violations of local corruption laws, as well as AML and ABC conduct. Furthermore, the Superintendence of Companies can investigate obliged entities for not complying with their regulatory requirement to implement AML and ABC programmes. The Superintendence of Industry and Commerce is the regulator that oversees antitrust, data privacy, consumer protection and industrial property matters.

Depending on the defence strategies of individuals and legal entities, parties should carefully evaluate the benefits and downsides of having the same counsel. For instance, during a criminal investigation against an employee, the legal entity may be recognised as a victim; therefore, having the same counsel will trigger conflicts that can and should be anticipated from the outset. Similarly, during administrative antitrust investigations, in which legal entities and individuals can be subject to fines for their own participation and activities, an employee may base its defence on the existence of corporate guidelines whereas the legal entity may flag up individual behaviour running contrary to existing compliance programmes, training programmes and internal controls.

ii Penalties

The Superintendence of Companies (acting as transnational bribery administrative authority) can impose fines of up to 200,000 legal minimum monthly salaries (approximately US$50 million at the time of writing). In addition to monetary fines, the Superintendence of Companies may request the debarment of the legal entity from public procurement proceedings for up to 20 years and from eligibility for public subsidies and benefits for up to five years, and it may order the publication of the final sanctions on the website of the legal entity and in the public trade record kept by the Chamber of Commerce, for up to one year.

The Superintendence of Industry and Commerce (acting as the antitrust administrative authority) can impose on legal entities that breach the competition regime specific performance orders and fines of up to 100,000 legal minimum monthly salaries (approximately US$25 million at the time of writing), and of up to 2,000 legal minimum monthly salaries (approximately US$500,000 at the time of writing) on individuals participating in the infringement of the competition regime. The fine on individuals cannot be paid, directly or indirectly, by the legal entity.

Similarly, the Superintendence of Industry and Commerce (acting as data privacy administrative authority) may impose orders and fines of up to 2,000 legal minimum monthly salaries (approximately US$500,000 at the time of writing) on legal entities in breach of the data privacy regime.

In criminal proceedings, legal entities may face indirect criminal liability in Colombia, which includes:

  1. civil liability: the legal entity may be required to respond for all damages caused by the punishable act of an individual related to it, once the sentence is final;
  2. piercing the corporate veil: this measure seeks to identify the individuals who own the legal entity and may face responsibility for the offences. The GPO can take this measure at any stage in the criminal process;
  3. debarment from contracting with public entities or private legal entities using public resources: when an individual is convicted of crimes against the public administration or any of the crimes contemplated in Colombia's anti-corruption statute,4 that individual will be permanently debarred from contracting with the Colombian state. In addition, debarment will apply to the legal entities for whom the convicted individual acts (or acted when he or she committed the crime) as administrator, legal representative, member of the board of directors or controlling partner, and to their parent companies and subsidiaries; and
  4. suspension and cancellation of legal status: at any stage of the criminal process and before indictment, the prosecutor may request the suspension as a preliminary measure, to effect the temporary closure of commercial establishments when it is proven that the legal entity is dedicated, partially or totally, to criminal activities.

iii Compliance programmes

The obligation to implement compliance programmes in Colombia is only applicable to companies upon the direction of the regulators, to mitigate AML and ABC risks. This obligation applies to any entity in the financial sector supervised by the Financial Superintendence, as well as to entities in the non-financial sector whose financial statements indicate that they meet certain legal thresholds.

For instance, all entities classified as foreign trade operators have this obligation under the supervision of the Directorate of National Taxes and Customs. Examples of foreign trade operators are customs brokers, port companies, users of free zones, permanent customs users and high-volume exporters, among others.

In this regard, legal entities in the non-financial sector that fulfil the criteria defined in Chapter X of the Basic Circular of the Superintendence of Companies must implement an AML system and submit reports of suspicious transactions to the Financial Analysis and Information Unit. In 2021, the general obligation applies to entities under permanent oversight of the Superintendence and reporting total assets or revenue equal to or greater than 40,000 legal minimum monthly salaries (equivalent in 2020 to approximately 35 billion Colombian pesos or approximately US$10.2 million). Chapter X includes other criteria that, if met, would trigger the obligation, including providing services for virtual assets, among others.

The data privacy regime does not include an obligation to implement a compliance programme, but there is an obligation to have an internal manual of data protection procedures. However, there is a possibility of receiving a lenient treatment from the Data Protection Authority when internal procedures demonstrate efforts by the party to fulfil requirements in accordance with the accountability principle. Any data controller or processor in Colombia must have a privacy policy, an internal procedures manual and the capacity to demonstrate having obtained proper authorisation from data subjects to process their data (consent).

The antitrust regime provides no benefits for implementing a compliance programme (nor does it impose an obligation to have one). However, the current Superintendent has been very emphatic about the need to promote antitrust compliance programmes and the value of this kind of programme when duly implemented.

Considering that criminal proceedings in Colombia are brought against individuals, the implementation of proper compliance programmes by legal entities may be used as an argument for the lack of corporate involvement in the criminal activity of an employee. This may support the victimisation of the legal entity for both the acts of the employee and the employee's active intent in the wrongdoing.

According to the Superintendence of Companies regime (for AML systems) and guidelines (for ABC programmes), the following are the basic elements of suitable compliance programmes.

For a proper AML system, legal entities should:

  1. appoint a compliance officer;
  2. design an AML system, including all the applicable policies, procedures and the creation of a risk matrix;
  3. demonstrate approval of the AML programme by the top corporate management body;
  4. design and implement audit and monitoring mechanisms related to AML matters;
  5. implement a training programme on AML obligations and measures, and publicise the AML system among relevant stakeholders; and
  6. define proper due diligence procedures and include criteria to apply enhanced due diligence procedures when required on account of greater exposure to AML risks.

For a proper ABC programme, legal entities should:

  1. include a pledge by senior management committing to a culture of compliance;
  2. implement methods for risk identification, measurement and analysis for the activities of the company and definition of the mechanisms of control for transnational bribery and other forms of corruption;
  3. set up all the documents, protocols, policies and procedures necessary for the programme;
  4. appoint a compliance officer;
  5. define proper due diligence procedures to identify third-party risks of corruption;
  6. design and implement audit and monitoring mechanisms to ensure compliance with the programme;
  7. implement an effective training and communication programme for employees and third parties; and
  8. set up adequate communication channels to convey the message on compliance and to receive feedback, and set up a whistle-blower hotline.

iv Prosecution of individuals

Criminal proceedings in Colombia are brought against individuals. For this reason, the direct consequences of criminal conduct, including imprisonment and criminal fines, are imposed on individuals.

Legal entities may cover the legal fees of the defence of individuals related to the entity. However, legal entities should consider potential conflicts of interest between the defence of the individual and the legal entity's interests, as mentioned in Section III.i.

Legal entities should consider the nature of the criminal investigation into individuals acting as an administrator, legal representative, member of the board of directors or controlling partner of the entity. If the conduct under investigation is related to crimes against the public administration or to any of the crimes contemplated in Colombia's anti-corruption law,5 a further conviction for such crimes will generate a permanent debarment of the individual and the legal entity from public procurements, as indicated in Section III.ii. The debarment will cover contracting not only with public entities, but also with private entities using public resources, and will affect not only the legal entity, but also its parent companies and subsidiaries.

Proven criminal offences could constitute a just cause for firing an employee. This decision must follow the due process defined in the Constitution, the labour legislation and the employee handbook. Disciplining an employee may affect his or her cooperation during an internal investigation and even put leniency applications before the authorities at risk, as the authorities expect to received full cooperation from the leniency applicant (including its employees and any individuals involved).

Internal investigations must respect and guarantee employees' intimacy and privacy. As mentioned in Section II.ii, proper data protection measures should be taken in advance to grant legal entities legal access to the employees' sources of information. If this is not possible, legal entities must obtain proper consent and authorisation before accessing information that may contain the personal data of employees.

International

i Extraterritorial jurisdiction

Administrative authorities in Colombia only have powers to conduct investigations against companies and individuals for illegal conduct that has effects or violates protected legal rights or property in the Colombian territory in accordance with the territorial principle.

Colombian criminal law has extraterritorial effect on persons in the following circumstances:6

  1. persons who commit a crime abroad against the existence and security of the state, the constitutional regime, the economic and social order or the public administration, or falsify national currency or engage in the crime of financing terrorism and administration of resources related to terrorist activities.
  2. persons who, in the service of the Colombian state, enjoy immunity recognised by international law and commit a crime abroad.
  3. persons who, in the service of the Colombian state, do not enjoy immunity recognised by international law and commit a crime abroad other than those mentioned in Section I, when he or she has not been brought to trial abroad;
  4. Colombian nationals, in Colombia after having committed a crime in foreign territory, who are then punished under Colombian criminal law with a custodial sentence;
  5. foreigners in Colombia, after having committed a crime abroad to the detriment of the state or a Colombian national;
  6. foreigners who have committed a crime abroad to the detriment of a foreigner, provided that these conditions are met:
    • the crime occurs in Colombian territory;
    • the crime warrants a custodial sentence in Colombia the minimum for which is not less than three years;
    • the crime is not a political crime; and
    • the request for extradition has not been granted by the Colombian government. When the extradition is not accepted there will be a criminal proceeding.

The Colombian Criminal Code also has extraterritorial effect for prosecuting cross-border bribery of a foreign public official in international transactions.

ii International cooperation

Colombia's government has recently been more active in cooperating with other countries' law enforcement and prosecutorial functions. The recent 'FIFA-gate' corruption case is an example of the GPO providing assistance in a multi-jurisdictional case.

In addition, cooperation of this kind is not necessarily provided under treaty obligations – some is conducted under multilateral agreements that do not provide for the possibility of extradition but allow for exchanges of relevant information where it is legally permissible to share the information without violating confidentiality and due process.

iii Local law considerations

Strict data privacy, attorney–client privilege and confidentiality within each investigation are due process principles that should be fully and properly considered by every authority, as these are fundamental values included in the Constitution. A breach of any of these principles containing fundamental rights could render an investigation illegal and evidence gathered in breach of due process cannot be included in an investigation.

Year in review

The Superintendence of Companies issued Resolution 100-006261 on 2 October 2020, in which it defined new criteria for determining whether companies must adopt an ABC programme. The changes introduced increased the number of companies obliged to implement this kind of programme (although this is not applicable for branches of foreign entities). The changes extend the obligation to companies in any economic sector (previously limited to only five sectors) and reduce substantially the financial thresholds.

Similarly, the Superintendence of Companies modified the regulation of AML programmes through its External Circular 100-000016 of 2020, as amended in April 2021. The changes focused on substantially reducing financial thresholds and including certain types of companies regardless of their financial results; the conduct of activities related to virtual assets was also included among the new criteria. Similarly, the new Resolution included certain activities, with lower financial thresholds, with a view to implementing a regime of minimum prevention measures (like a scaled-down AML system).

The surveillance of the proper implementation of these programmes has been characterised by a strictly formal approach. The fines for not implementing an AML system have been based simply on the fact of non-compliance with deadlines and formalities, and deep analysis of the material effect of the lack of such formalities is absent from the reasoning underlying the latest decisions.

Regarding corruption and antitrust, the Superintendence of Industry and Commerce has taken a position in sanctioning acts of corruption such as restrictions on competition in state contracting (bid rigging). To support one of its own decisions, in which it levied a fine of around US$82 million, the administrative authority used evidence that was furnished as part of the evidentiary submission in a criminal procedure.7

The Superintendence of Industry and Commerce's position on data privacy is that it has jurisdiction on data processing carried out by foreign companies when the processing is performed, even partially, in the Colombian territory. For this purpose, the Superintendence currently arguing that by installing cookies on devices located in Colombia, the processing (or at least the initial collection) of personal data takes place in Colombia and the processing of such data must therefore comply with the Colombian data protection regime.

Conclusions and outlook

In recent decisions of the Superintendence of Industry and Commerce in antitrust matters, the current administration decided to certify copies of the submissions filed by the defence attorneys with the Superior Council of the Judiciary (the highest disciplinary authority for attorneys). The Council is to rule on the possibility of disciplinary offences arising from the vehement tone of the arguments presented by the defence attorneys. In the opinion of the Superintendence ('reading between the lines'), the arguments of the defence attorneys include accusations of improper behaviour by public officials of the Superintendence, and the Superintendent himself, and for this reason the authority sent the file to the Superior Council to pronounce on whether those arguments include libellous statements.

This new position adopted by the Superintendence has produced varied reactions, between those who argue that it may affect the right of defence of individuals, by limiting the forcefulness of defence lawyers' statements, and those who support the Superintendence's position because they believe that unrestrained arguments of this kind may become defamatory of public officials.

Also of note, there has been a greater degree of coordination between the Superintendence of Industry and Commerce and the Superintendence of Companies. In a recent case8 in which multiple companies (including a foreign company) were fined for bid rigging, the Superintendence of Industry and Commerce sent copies of a file to the Superintendence of Companies to investigate possible acts of transnational bribery.

Footnotes

1 Carolina Pardo is a partner and Angelica Navarro and Luis Castell are associates at Baker & McKenzie SAS.

2 Law 1778 of 2016.

3 Law 1340 of 2009 and Decree 1523 of 2015.

4 Law 1474 of 2011.

5 See footnote 3.

6 Article 16 Colombian Criminal Code.

7 Superintendence of Industry and Commerce, Resolution No. 82510 of 2020, confirmed by Resolution No. 30343 of 2021.

8 Superintendence of Industry and Commerce, Resolution No. 30343 of 2021.

Get unlimited access to all The Law Reviews content