The difference between U.S. and Brazilian anti-corruption laws lies in the logic of their enforcement, writes Gustavo Aguiar, a Brazilian attorney whose practice specializes in public procurement, compliance, and land regulation. He noted that the disconnect between written corporate anti-corruption policies and whether the site supervisor at a construction site understands those policies is often the gap that leads to bribery risk.

At some point in my professional practice, I began to question how integrity systems actually operate in countries widely regarded as institutionally organized, particularly the United States. This curiosity was not academic. It came from day-to-day exposure to public procurement, enforcement limits, and the operational realities of infrastructure projects.

While reviewing U.S. compliance standards, I encountered the Department of Justice’s Evaluation of Corporate Compliance Programs (ECCP). The document is often cited globally, but rarely examined from the perspective of jurisdictions where enforcement and operations do not always move at the same pace.

In simple terms, the ECCP guides federal prosecutors when deciding how to proceed against a company under investigation, usually in criminal matters. The framework revolves around three direct questions: Is the compliance program well designed? Is it implemented in good faith? And does it actually work in practice?

At first glance, this approach resembles Brazil’s Anti-Corruption Law (Law No. 12,846/2013). The similarity, however, is limited. Brazil did not replicate the U.S. model, nor should it be treated as such. Still, with the enactment of Decree No. 11,129/2022, particularly Articles 56 and 67, Brazilian regulation moved closer to an effectiveness-based analysis.

The difference lies not in structure, but in enforcement logic.

About the Author

 

Gustavo Aguiar is a Municipal Attorney in Brazil and the developer of Lici Govtech, an AI-driven platform for public procurement oversight. He specializes in bridging the gap between operational infrastructure realities and compliance frameworks like the U.S. FCPA and Brazil’s Anti-Corruption Law.

Different systems, different risks

In the United States, prosecutors focus heavily on whether a compliance program is effective at preventing and detecting misconduct. In Brazil, the initial inquiry is historically more formal: whether an integrity program exists at all. If it does, and if the company cooperates, this may mitigate penalties under Article 7 of Law 12,846/13, as regulated by Decree 11,129/2022.

The 2022 Decree was a significant improvement. It reduced the purely symbolic approach that existed under the previous 2015 regulation. Yet Brazil’s Anti-Corruption Law applies not only to bribery, but also to procurement fraud—a critical distinction, as bid-rigging remains a primary corruption vehicle in Latin America, further reinforced by Brazil’s New Public Procurement Law (Law No. 14,133/2021).

This distinction matters. Infrastructure projects are where compliance systems are tested, not in theory, but in routine operational pressure.

Regulation on paper, versus reality on the ground

One persistent challenge in accountability systems is the assumption of constant oversight. In countries with continental dimensions like Brazil, this assumption quickly collapses.

Compliance frameworks may look elegant in manuals. But they struggle in practice when, for example, a piece of heavy equipment breaks down in a remote municipality, and the only available service provider operates informally. Urgency fees appear. Facilitation payments are suggested. The situation is familiar to anyone who has worked on infrastructure projects.

This gap between regulation and reality defines the compliance challenge in high-risk construction markets. Bridging it requires going beyond what I refer to as the Paper Shield—the belief that well-written policies and annual online training are sufficient substitutes for operational control.

They are not.

Headquarters and construction sites rarely speak the same compliance language

In practice, many companies maintain integrity manuals that would satisfy any internal audit review. Meanwhile, at construction sites located dozens of kilometers away, subcontractors may not even be aware of basic anti-corruption protocols.

This disconnect is not theoretical. It manifests in everyday conduct, from informal benefits offered to public officials to side arrangements financed by contractors. The contradiction between official policy and field behavior is obvious. A compliance program that never reaches the site supervisor does not fail partially. It fails entirely.

Many corporate compliance models assume regulatory stability and predictable administrative behavior. In Brazil, routine permits may require navigating overlapping municipal, state, and federal authorities, each operating under different timelines and informal expectations. When professionals trained exclusively under U.S.-based assumptions encounter this environment, compliance is often perceived as a corporate formality rather than a practical guide for decision-making.

Strict liability and limited discretion

Brazilian enforcement often surprises foreign practitioners. In certain respects, it is more punitive than the U.S. system.

Brazil’s Anti-Corruption Law operates under strict liability. Unlike the U.S. system, where establishing “intent” is often central to liability, Brazilian authorities do not need to prove that a company’s leadership intended to commit a crime. It is sufficient to demonstrate that an unlawful act occurred and that the company benefited from it, whether administratively or civilly.

If the act occurred, liability follows.

This differs significantly from the FCPA’s focus on willful misconduct. To further narrow negotiation space, Decree 11,129/2022 introduced a mechanical penalty formula, limiting the discretionary flexibility commonly associated with U.S. enforcement actions.

Leniency agreements and civil non-prosecution agreements exist in Brazil, but they are strictly regulated by statute. Prosecutors operate within predefined boundaries. Arguments based on good faith after the violation carry limited weight compared to the U.S. approach. The implication is straightforward: Prevention must function before misconduct occurs. Once it happens, liability is largely unavoidable.

Learning from local mechanisms: Clearance certificates

Ironically, Brazil’s extensive bureaucracy provides a practical compliance mechanism worth attention. The system of Negative Clearance Certificates verifies, through government databases, whether companies have outstanding tax liabilities, labor violations, environmental sanctions, judicial judgments, or debarments.

Unlike in the U.S., where due diligence is often a private risk assessment, these certificates are mandatory state-issued barriers to entry. They are official, automated, and difficult to circumvent.

Incorporating systematic verification of such certificates into supplier onboarding and subcontractor approval processes creates an objective control recognized locally. A subcontractor unable to present valid clearance certificates represents a quantifiable compliance risk, not a cultural nuance.

This mechanism satisfies both the DOJ’s expectations regarding third-party monitoring and Brazil’s due diligence requirements, effectively connecting two regulatory logics.

The financial reality of ineffective compliance

The financial consequences of failure clarify the issue. Under Law 12,846/13, fines may reach 20 percent of gross revenue. In the low-margin construction sector, a fine of this magnitude—calculated based on the previous year’s gross revenue—often exceeds the project’s profit margin, posing an existential threat to the company.

Beyond that, companies face mandatory publication of sanctions, suspension of public financing, and debarment from government contracts. In a country with more than five thousand municipalities, many dependent on public funding for infrastructure projects, debarment can effectively end a company’s operations.

Simultaneously, companies may face administrative investigations, criminal proceedings, and civil liability actions. Managing this multi-front legal exposure consumes significantly more resources than investing in a compliance program that actually functions at the operational level.

Conclusion: Documentation to operation

Effective compliance in high-risk infrastructure markets cannot be managed remotely through documentation alone. Controls must operate where decisions are made: during procurement, licensing, and daily operations.

Compliance professionals must understand not only legal prohibitions, but also the operational pressures that generate violations. Training must address real scenarios faced by field personnel, not abstract cases drawn from foreign precedents.

The question, ultimately, is simple: will compliance remain confined to policy documents, or will it adapt to the realities it claims to regulate?

Editor’s note: William Carvalho, a U.S.-based internal controls and GRC leader with over 15 years of experience across multinational environments, lent his expertise to Compliance Week in editing this column.