On September 1, 2024, the amendments introduced by Law No. 21,595 —the Economic Crimes Law (ECL)— to Law No. 20,393 (Corporate Criminal Liability Law) entered into force. With nearly one year of experience now accumulated, we believe it is important to reflect and share several insights that may help support continued successful implementation and development.
Before that, to briefly contextualize: the ECL introduces significant changes, including: first, the incorporation of a broad set of criminal offenses—across multiple areas—into the catalog of crimes that can trigger corporate criminal liability; second, changes to the criteria for attribution of liability, with greater emphasis on the company’s line of business or core activity; third, modifications to what is expected from Crime Prevention Models (CPMs) or compliance programs, so that they can be considered effectively implemented and ultimately serve to exempt a company from criminal liability; and finally, the elimination of certification, replaced by the requirement of an independent reviewer—not as a legal benefit, but as an element that every model must incorporate.
These major changes triggered significant movement within companies, causing considerable concern among senior leadership. However, they also created—as never before—an opportunity to bring visibility to Compliance functions, presenting a complex but compelling challenge for their specialists.
This led to strict timelines to finalize CPM updates as quickly as possible, but it also provided a chance to restructure and rethink them with greater attention and resources. From here, important differences began to emerge—particularly between companies that had already understood the importance of compliance and therefore had experienced and trained staff to face such major changes, and those that had adopted a CPM merely due to stakeholder pressure or had not meaningfully addressed the matter at all.
For the former, the work focused mainly on reviewing risk matrices and identifying areas for improvement based on the risks inherent to the company’s operations; building bridges with departments that oversee operational processes (such as cybersecurity, environmental management, HR, and occupational/industrial risk prevention), enabling efficiencies and avoiding duplicative controls; strengthening awareness and training efforts across the organization; and, finally, aligning this work with the independent evaluator to proceed with the periodic reviews required by Law No. 20,393.
For the latter, greater confusion emerged: feeling the need to start everything from scratch due to lack of knowledge or mistrust in what was already in place; difficulties distinguishing risks inherent to their business activity from those irrelevant or inapplicable; and, in cases where development was done in-house or through external implementers, ending up with CPMs that were generic, unclear, or disconnected from the company’s operational processes, among other issues.
In any case, it is likely that companies are still adjusting and refining their programs—which is logical and expected with such a significant regulatory shift. Nevertheless, the greatest challenge, for both Compliance departments and senior executives, will be time. As urgency brought attention and resources, we know that time—and the intense legislative agenda of recent years—will inevitably shift focus elsewhere, cooling motivation and redirecting resources.
For this reason, we believe that Compliance’s core objective today should be to use this window of opportunity to embed a culture of compliance, integrity, and transparency throughout the organization. This is impossible without the support of senior management, of course, but it will also fail without close collaboration with other departments. A good policy or operational process is not one that simply inserts “Compliance controls” into its workflow because the area requires it—often seen as arbitrary or of little value—but one that incorporates the operational safeguards needed to conduct business normally and efficiently, while also embedding regulatory or self-regulatory protections for those executing those tasks. In other words, it requires building strategic and symbiotic partnerships between Compliance and the rest of the company.
Finally, in a context of global crisis, legislative challenges, and significant business uncertainty, it is essential that senior management understand (and continue to understand) that the greatest value of a Compliance program lies in its continuity and ongoing evaluation. It is true that significant efforts have been made to meet the new legal requirements; however, it will be futile if attention fades and Compliance is once again pushed to the margins of corporate decision-making. On the contrary, companies and their executives must understand that one of their strongest future protections will be the decisions they take today—guided by their principles, policies, and procedures, with continuous documentation of their application and the implementation of remediation measures whenever needed.
Focusing on how results are achieved is what will distinguish those seeking to promote healthy economic and business development from those who have contributed to demonizing it.
Por Francisco Bilbao, Director Legal & Compliance
Publicada en El Mercurio Legal
