Supreme Decree No. 002-2019-JUS, published on January 9th, 2019, approves the Regulation of Law No. 30424, which develops the requirements and standards of the Compliance Programs (“Prevention Model”, as the Regulation calls it) that companies must implement to be legally protected in case their employees, officers, directors, shareholders or third parties acting on behalf of the company commit any crime of corruption and/or money laundering.

With the publication of the Regulation, all the elements of the Prevention Model are defined, granting exonerating effects of liability for those companies that have complied with their timely implementation, in order to effectively detect and mitigate the risks of commission of corruption and money laundering crimes.

Elements of the Prevention Model

A) Minimum Elements

1. Risk identification, evaluation and mitigation:

(i) The identification of risks includes the construction of a risk profile, characterization of risk typologies (commercial, economic, reputational), definition of information sources and criteria for risk identification.

(ii) The risk assessment requires analyzing statistical data (probability of occurrence) and measuring the effects it could cause in the organization (impact).

(iii) Mitigation involves defining and implementing proportional and appropriate controls to prevent the risks identified, according to their probability of occurrence and possible consequences. In addition, the Regulation provides examples of financial and non-financial controls, and highlights the importance of due diligence procedures in relation to business partners and company projects.

2. Compliance Officer appointed by the highest governance body of the company:

Emphasis is placed on the need to appoint the Compliance Officer on Anticorruption/Anti-Money Laundering affairs and provide him/her with sufficient autonomy, authority and resources to guarantee the operation and continuous improvement of the prevention model.

3. Implementation of reporting procedures:

The Regulation establishes the need to implement reporting channels to communicate any suspicion of corrupt practices or acts of money laundering, or –in general– violations of, or non-compliance with, the prevention model.

4. Dissemination and periodic training of the prevention model:

The Regulation defines the scope of the dissemination (internal and external) of the Compliance Program, frequency of training sessions (at least once a year) and training modalities (face-to-face, virtual), specifying minimum thematic content of these activities (company policies, risks to which it is exposed, reporting channels, sanctions, etc.).

5. Evaluation and continuous monitoring of the prevention model:

It is established that the governing/managing body of the company must supervise the prevention model at least once a year, in order to detect weaknesses of the compliance program and implement corrective actions that make it effective.

B) Complementary elements:

In addition to the minimum elements mentioned in the preceding section, the Regulation contemplates the development of complementary components, aimed at improving the prevention model. They are the following:

6. Policies for specific risk areas:

The Regulation highlights the importance of addressing policies and controls for sensitive areas linked to business activity, such as facilitation payments, gifts, sponsorships, travel and contributions to political campaigns, among others.

7. Record of activities and internal controls:

The implementation of accounting-financial control mechanisms that record all the transactions carried out by the company is required. In this sense, the Regulation assigns specific duties: (i) the implementation of the internal control system corresponds to the governing or administration body; (ii) its periodic evaluation is the responsibility of the internal or external audit body; and (iii) its supervision rests with the Compliance Officer.

8. Integration of the prevention model in the business processes of the company:

The prevention model shall be applied transversally to all business processes of the company (not only to risk areas).

9. Appointment of an internal audit body:

It is specified that the internal audit function must be differentiated from the position of Compliance Officer.

10. Implementation of procedures that guarantee the interruption and timely remediation of risks:

The Regulation provides for the need to implement disciplinary measures for infractions of the prevention model and to establish a policy for communicating alleged criminal acts to the competent authorities.

11. Continuous improvement of the prevention model:

The execution of a procedure for the periodic improvement of the Prevention Model is foreseen, which allows it to be corrected or enhanced in the face of new circumstances (violations of compliance policies or controls, appearance of new risks, regulatory changes relevant to the sector, among others).

The performance of the Superintendence of Securities Market (SMV for its Spanish acronym) and other additional aspects of relevance:

The Regulation establishes basic guidelines for the preparation of the Technical Report, which the SMV –at the request of the Prosecutor’s Office– must issue on the effectiveness of the prevention model.

It is established that the SMV may assess (i) certifications related to risk management and compliance systems, issued by specialized local or foreign entities; (ii) other measures and procedures –not provided for in the Regulation– that the company has adopted to prevent risks of a criminal nature.

For more information, please contact José Reaño and/or José Luis Medina.

Av. San Felipe 758, Jesús María, Lima-Perú +511 619 1900