Compliance and Investigations: Year in Review 2025
Alerts, Compliance and Investigations, Joao Paulo Cavinatto
April 2026 began with significant movements in the Compliance and Investigations landscape, highlighting an increasingly dynamic regulatory environment driven by new expectations of governance, transparency, and risk management.
CGU reinforces corporate accountability: signs of regulatory maturity and impacts on integrity programs
In April 2026, Brazil’s Office of the Comptroller General (Controladoria-Geral da União – CGU) issued sanctioning decisions against five legal entities for harmful acts committed against the Public Administration. The penalties included fines, debarment from contracting with the government, and the requirement to publicly disclose the sanctions. In addition, the CGU denied motions for reconsideration in other proceedings, thereby upholding penalties previously imposed. This development demonstrates the consistent use of administrative enforcement mechanisms and the growing expectation that organizations maintain controls capable of preventing, detecting, and responding to fraud and corruption risks in public procurement.
According to the CGU, some of these decisions resulted from the conclusion of Administrative Accountability Proceedings (Processos Administrativos de Responsabilização – PARs) related to investigations into corruption, bid-rigging, cartel conduct, and money laundering involving contracts in the healthcare sector. These cases resulted in a five-year debarment from bidding and contracting with the Federal Government, as well as disqualification from Brazil’s Unified Supplier Registration System (SICAF), pursuant to the Public Auction Law (Law No. 10,520/2002). In parallel, another decision addressed sanitary irregularities in the supply chain, holding a company liable for fraud against administrative oversight involving inputs that failed to meet regulatory standards, and imposing both a fine and an obligation to publish the decision publicly for 45 days.
From a Compliance standpoint, these decisions reinforce that risk is not limited to the act of contracting itself: it permeates the entire cycle of interaction with public authorities and regulated supply chains, requiring due diligence on third parties, procurement governance, quality-control and traceability mechanisms, and robust internal reporting and investigation procedures. The requirement of public disclosure, in particular, heightens the reputational dimension of enforcement and underscores the importance of swift, well-documented, and legally consistent responses, including in dealings with authorities and in the implementation of remediation measures.
Finally, the CGU emphasized that the proceedings complied with due process guarantees, including full defense rights and the opportunity to present evidence, reaffirming its institutional commitment to integrity, transparency, and the proper use of public resources. For organizations seeking sustainable growth in regulated environments, the message is a positive one: investing in “operationally effective” integrity programs, with risk-proportionate controls and evidence of effectiveness, is not merely a compliance requirement, but also a competitive advantage in markets that value predictability and institutional trust.
INTEGRideias and the evolution of public integrity: AI, processes, and risk management at the center of governance
On April 23, 2026, Brazil’s Office of the Comptroller General (Controladoria-Geral da União – CGU) held the INTEGRideias webinar, focused on the use of artificial intelligence combined with integrity initiatives and risk monitoring. The event brought together managers, public officials, and specialists to share practical experiences aimed at strengthening governance and integrity in the public sector. In this context, the initiative reinforces an important trend: effective integrity programs have increasingly moved toward a management-oriented approach, driven by processes and risk-based prioritization, rather than relying exclusively on formal and reactive controls.
In presenting the experience of the Federal Institute of Paraíba (IFPB), the event highlighted the importance of a strategic integrity approach connected to decision-making and operational workflows, with emphasis on process mapping and risk management as tools to anticipate failures, standardize activities, and enhance certainty in administrative execution. The message is pragmatic: risk is not an “exceptional event,” but rather an inherent component of management that must be understood, addressed, and monitored in a controlled manner in order to improve efficiency and institutional predictability.
The Federal University of Ceará (UFC) then presented applications of AI to support governance and integrity routines, such as the analysis of regulatory documents, the automated completion of process-mapping forms, and the identification of risks based on historical data, pointing to potential gains in productivity and reduced rework when processes are well designed. This experience suggests a path toward greater maturity: technology tends to generate value when it is built upon consistent process design, appropriate metrics, and reliable datasets, thereby strengthening the ability to monitor and continuously adjust controls.
At the same time, the discussion itself underscored a critical point for Compliance: the use of AI in integrity functions requires governance, including human validation, clear criteria, and institutional regulation, in order to ensure reliability, traceability, and accountability for the outcomes and recommendations generated by automated systems. In practical terms, the lesson is straightforward: integrating people, processes, and technology tends to raise the standard of integrity and risk management, provided that automation is treated as a tool to support technical judgment (rather than replace it), with controls proportionate to the criticality of the administrative decision.
Bill on “fraudulent management” in publicly held companies: tougher criminal enforcement and practical effects on governance and compliance
A bill currently under consideration in the Brazilian Senate seeks to strengthen the State’s response to significant fraud in the capital markets by creating new criminal offenses applicable to publicly held companies and increasing fines. The proposal, introduced at the end of March, amends provisions of the Law on Crimes Against the National Financial System and aims to align the treatment of fraud involving listed companies with that already applicable to financial institutions, on the grounds that both attract funds from a large number of investors and therefore require equivalent criminal protection.
The bill proposes the creation of the offense of “fraudulent management of a publicly held company,” punishable by imprisonment from three to twelve years and a fine, as well as “reckless management,” punishable by imprisonment from two to eight years and a fine. It also provides for enhanced penalties where the conduct results in judicial reorganization, bankruptcy, or an equivalent insolvency regime. In addition, the proposal allows the fine to be increased by up to one thousand times where the adjudicator determines that, in light of the defendant’s financial condition, the sanction would be ineffective even at the statutory maximum, signaling an explicit preference for penalties with a stronger deterrent effect.
The most sensitive technical issue lies in the breadth of the proposed concepts and their potential to create legal uncertainty for officers, directors, and board members, particularly if the line between legitimate business risk and criminally relevant conduct is not described with sufficient precision. In practice, overly broad criminal definitions tend to increase the costs of compliance and decision-making, with indirect effects on risk appetite, the attractiveness of management positions, and the structuring of insurance arrangements and governance mechanisms—an issue that has already drawn attention from market participants and legal practitioners alike.
Another relevant impact stems from the procedural framework: because non-prosecution agreements generally depend on offenses carrying a minimum sentence of less than four years, the new penalty structure may significantly reduce the viability of this mechanism in certain scenarios, thereby changing incentives for cooperation and case-resolution strategies. For publicly held companies and their managers, the debate reinforces the importance of integrity programs capable of translating “good governance” into concrete evidence, such as robust documentation of the decision-making process, risk-proportionate internal controls, third-party management, and effective reporting and investigation channels, in order to reduce exposure and increase predictability in an evolving regulatory environment.
STJ and the Anti-Corruption Law: joint liability in corporate groups returns to the center of the debate
The First Panel of Brazil’s Superior Court of Justice (STJ) has once again examined the scope of Article 4 of Law No. 12,846/2013, particularly the rule that preserves the liability of a legal entity even after corporate reorganizations, as well as the provision establishing joint liability among parent companies, subsidiaries, affiliates, and consortium members, limited to the payment of fines and full compensation for damages. The case revives a recurring discussion in complex corporate structures: to what extent corporate links and contractual arrangements justify keeping companies within the same group as defendants in proceedings aimed at investigating harmful acts against the Public Administration.
In the most recent judgment, which remains pending due to a request for further review, the reporting justice indicated an understanding that companies belonging to the same group may be brought into proceedings involving another company within the conglomerate, precisely to preserve the production of evidence and, where appropriate, to allow the application of joint liability with respect to fines and restitution obligations. The controversy typically centers on the systematic interpretation of the main provision of Article 4—which ensures the continuity of liability in events such as mergers, incorporations, spin-offs, and corporate transformations—and paragraph 2, which establishes joint liability within the group, as well as on how the nexus between benefit, community of interests, and the patrimonial scope of liability is determined.
The debate takes place in a context in which the Panel has already consolidated an important precedent by holding that the main provision of Article 4 does not operate as a “condition” for joint liability, but rather as a rule governing the continuity of liability, reinforcing the legislative intent to avoid gaps and prevent corporate restructurings from undermining the effectiveness of the sanctions regime. When this interpretive approach prevails, it tends to increase the relevance of integrity due diligence in corporate transactions and consortium arrangements, as well as of governance mechanisms capable of evidencing controls, decision-making autonomy, and adequate risk segregation within corporate groups.
For Compliance programs, the practical signal is clear: beyond policies and training, greater emphasis is placed on the ability to demonstrate “operational integrity,” including risk mapping by business unit and by third parties, risk-proportionate internal controls, documentation of decision-making processes, and continuous monitoring of sensitive contracts—especially in structures involving cross-shareholdings and long supplier chains. In a scenario of potential expansion of joint-liability risk, companies that invest in governance and evidence of effectiveness are better positioned to navigate restructurings, disputes, and investigations with greater predictability, thereby preserving value and business continuity.
New auditing standard sharpens the “fraud lens”: what changes for governance and compliance
The global independent auditing agenda is undergoing an important adjustment in response to the evolution of fraud typologies and to market expectations regarding transparency. In this context, the revision of the international fraud standard ISA 240 (Revised) has attracted particular attention, as it clarifies the auditor’s responsibilities, strengthens the assessment of and response to risks through a “fraud lens” approach, and enhances transparency for users of financial statements, especially in entities whose securities are publicly traded.
In Brazil, local adoption follows the same direction: the equivalent standard (NBC TA 240 (R1)) reinforces that primary responsibility for the prevention and detection of fraud lies with management, while at the same time requiring the auditor to apply greater rigor in considering material misstatements resulting from fraud and their effects on the audited financial statements. In line with the international revision, the text also emphasizes the need for more structured communications with management and those charged with governance throughout the engagement, as well as greater clarity regarding how the issue was addressed in the audit.
From a practical standpoint, the change shifts the focus from reaction to risk-based prevention: audits are now expected to require more robust evidence that the company understands its main fraud drivers (including those associated with technology), assesses controls and responses, and maintains active governance over the issue, with more frequent and more qualified interaction. For the market, this tends to reduce ambiguity regarding the role of each actor: the company is responsible for controls and the integrity of information, while the auditor is responsible for planning and performing procedures that provide reasonable assurance that the financial statements are free from material misstatement due to fraud—without conflating that role with that of a law-enforcement investigation.
For Compliance programs and internal controls, the message is both positive and straightforward: the more mature the organization’s fraud-risk management is—supported by well-designed processes, decision trails, consistent records, and effective governance—the greater its ability to respond to the new communication and transparency requirements with predictability and lower operational friction. At the international level, ISA 240 (Revised) applies to audits of periods beginning on or after December 15, 2026, and the convergence movement in Brazil reinforces the opportunity to anticipate adjustments and align governance, risk, and integrity practices with the new standard as early as possible.
FCPA: the enforcement bar remains high, and does not distinguish nationality
A recent study conducted by Robert Luskin and Bridget Vuona, based on a detailed analysis of all Foreign Corrupt Practices Act (FCPA) enforcement actions between 2016 and 2025, concluded that there is no empirical evidence that U.S. anti-corruption law is enforced more rigorously against foreign companies or, conversely, that it disproportionately disadvantages U.S. companies. According to the authors, both narratives—widely circulated in public debate—lack support in the data.
The research shows that, although foreign companies often face more severe outcomes, such as deferred prosecution agreements or guilty pleas, this difference does not stem from bias on the part of enforcement authorities, but rather from objective factors considered by the Department of Justice (DOJ). In particular, the study found that foreign companies tend to make less frequent use of voluntary self-disclosure and to adopt less cooperative postures during investigations, which directly affects the nature and severity of the resolutions reached.
In testing the consistency of DOJ enforcement based on its own public criteria, the authors identified a relatively uniform application of guidelines on penalty assessment and cooperation to companies “in like circumstances,” regardless of nationality. The divergence in outcomes therefore appears to be less related to the company’s origin and more to the quality of its institutional response to potential violations—especially with respect to transparency, timely remediation, and effective cooperation with the authorities.
From a Compliance perspective, the study reinforces that proper anti-corruption risk management goes far beyond the formal existence of policies. The maturity of integrity programs, the effectiveness of whistleblowing channels, the readiness to conduct independent internal investigations, and the strategic decisions surrounding self-disclosure are all central factors in mitigating legal, financial, and reputational risks in cross-border contexts.
Public-private cooperation and rapid response: compliance lessons in combating “pig butchering”
Cryptoasset investment scams based on social engineering—often referred to as “pig butchering”—have become one of the most harmful typologies in the digital ecosystem, combining the gradual grooming of victims, inducement to make transfers, and the subsequent layering and laundering of funds, often through messaging channels and platforms designed to mimic legitimate services. In this context, the compliance challenge is no longer limited to detecting unusual transactions; it now extends to user protection, the integrity of digital channels, and the capacity for rapid incident response.
On April 23, 2026, the U.S. Department of Justice announced coordinated actions through the Scam Center Strike Force, including criminal charges, the seizure of a Telegram channel used for recruitment, and the takedown of 503 domains associated with fake “investment platforms.” The announcement also highlighted the restriction of more than US$700 million in cryptoassets allegedly linked to the laundering of proceeds from these schemes, underscoring the operational priority of disrupting financial flows and enabling asset recovery.
A particularly relevant aspect for the market is the emphasis on public-private collaboration: following alerts from the authorities, organizations such as JPMorgan Chase, Microsoft, and Meta adopted voluntary internal measures to mitigate fraud occurring within their environments and the misuse of their names, reinforcing the expectation that mature companies will act proactively to reduce risks and preserve evidence. This type of cooperation is likely to become increasingly decisive in accelerating takedowns, containing damage, and supporting investigations, while still requiring sound governance and clear standards on privacy, security, and compliance.
For Compliance, AML, and Anti-Fraud programs, the central message is that effective controls must integrate prevention and response: monitoring brand impersonation and communication channels, maintaining readiness to trigger containment measures and preserve records, and ensuring agile coordination among legal, security, and business teams—especially where there is exposure to cryptoassets and digital payments. In a context of sharply rising reported losses in the United States, program maturity is also measured by the ability to act early through procedures that reduce risk, protect users, and support defensible decision-making.
Shift in SEC enforcement and its impact on the regulatory landscape
The recent appointment of David Woodcock as the new Director of the Division of Enforcement of the U.S. Securities and Exchange Commission (SEC) sends a clear signal of the regulator’s strategic repositioning with respect to both its priorities and its approach to capital markets enforcement. Woodcock assumes office on May 4, at a particularly sensitive institutional moment, marked by changes in the Division’s leadership and by an explicit direction from current SEC Chairman Paul Atkins to return the agency’s work to its “original intent”: the direct pursuit of fraud, manipulation, and conduct that causes actual harm to investors.
In 2025, the SEC filed 456 enforcement actions, in what the agency itself described as a year marked by an atypical rush to initiate cases before the presidential transition and by the aggressive use of novel legal theories under the prior Commission. That movement is now being publicly reassessed, with a clear message of a return to the “basics” of enforcement—albeit with a high degree of technical sophistication.
From the standpoint of companies and their officers, this repositioning by no means signals regulatory leniency. On the contrary, the expectation is for a more selective, deeper, and evidence-driven enforcement approach, with less tolerance for real weaknesses in internal controls, accounting practices, disclosure processes, and mechanisms designed to prevent market abuse. This selectivity is likely to increase the impact of each investigation, thereby amplifying financial, regulatory, and reputational risks.
In this environment, compliance programs and corporate governance structures are no longer assessed solely from a formal perspective, but increasingly examined for their actual effectiveness. Structures capable of demonstrating active prevention, continuous monitoring, appropriate incident response, and consistent documentation gain strategic importance. Particular attention should be given to coordination among legal, finance, internal audit, and investor relations functions, especially in organizations exposed to the U.S. capital markets.
In short, although the current regulatory discourse emphasizes a “return to basics,” the environment taking shape is one of greater technical rigor and less room for structural weaknesses. Making strategic investments in compliance, supported by highly specialized legal counsel, is becoming an indispensable element of organizational sustainability and institutional resilience in an increasingly demanding regulatory context.
In April 2026, the administrative proceedings initiated by the CGU involved several public bodies under the authority’s oversight for purposes of commencing the PAR.
Authorities Involved:
– Office of the Comptroller General (CGU)
– Ministry of Mines and Energy
– Ministry of Finance
– Ministry of Communications
– Ministry of Integration and Regional Development
Subject Matter of the Allegations:
– Fraud in a public procurement procedure involving the national Public Administration;
– Improper conduct, including the payment or offer of an undue advantage, directly or indirectly, to a domestic public official or to a related third party;
– Concealed use of an intermediary to obtain an undue advantage from the national Public Administration;
– Financing, funding, sponsoring, or subsidizing an unlawful act provided for under the Anti-Corruption Law (Law No. 12,846/2013);
– Irregularities or fraud in public tenders or government contracts.
This material is for informational purposes only. Our Compliance and Investigations team is available to provide specific legal advice.