Evaluación de Tercero Independiente en Modelos de Prevención | Anguita Osorio
Requisito de la Ley 20.393 para programas de compliance efectivos en Chile
Analysis: Independent Third-Party Assessment in Prevention Models
Following the reform introduced by Law 21.595, Article 4° N°4 of Law 20.393 requires that the Crime Prevention Model be subject to periodic assessments conducted by independent third parties. Without that review, the model loses its exculpatory value at trial, however sophisticated its documentary design may be.
Article 4° N°4 - Law N°20.393
"Provision for periodic assessments by independent third parties and improvement or update mechanisms based on such assessments."
Legal implication: Without periodic independent assessment, the Prevention Model cannot be invoked as an exemption from corporate criminal liability, regardless of its design or implementation.
Regulatory Context: Expansion and Normative Convergence
The catalog of offenses applicable to legal entities was multiplied by Law 21.595. A Prevention Model designed three years ago and never revisited is unlikely to cover today's criminal risks stemming from the 21.663 Cybersecurity Framework Law, the reform to Law 19.628 on personal data, or the new economic and environmental offenses. Independent assessment is the mechanism through which an organization demonstrates —before the Public Prosecutor's Office and the courts— that its risk matrix and its controls are kept current with this expanding regulatory landscape.
Constitutive Element of the CPM
Without evidence of external review, the model is deemed incomplete. Prosecutors and courts have refused to treat as an exemption programs that were never audited by a third party with verifiable independence.
Substantive Effectiveness Standard
The 'serious organizational failure' doctrine set by the Corpesca ruling requires distinguishing unused manuals from systems with documented operation. The evaluator must verify records, interview the prevention officer, and review actions taken in response to real alerts.
Transversal Regulatory Integration
Recent practice requires the evaluator to examine how the model articulates with sectoral obligations already under supervision —CMF, ANCI, SMA, FNE— so that a single incident does not catch the organization in two regulatory jurisdictions with misaligned defenses.
Assessment Standards: International Convergence and Local Practice
Chilean regulatory practice has progressively adopted international assessment criteria
International Reference Frameworks
Multiple recognized frameworks exist for compliance program assessment. The U.S. Department of Justice (DOJ) provides an example of criteria that distinguish between formal compliance and substantive effectiveness. Other frameworks include ISO 37001 (anti-bribery systems), ISO 37301 (compliance management systems), and OECD guidelines. Chilean jurisprudence has progressively adopted these international standards, as evidenced by the Corpesca case where a merely formal model was rejected.
- Design adequacy for specific risksConsidering sectoral risk profile and applicable crime matrix
- Autonomy and independence of the Prevention OfficerCritical element recognized in national jurisprudence as determinant of effectiveness
- Empirical evidence of operationDemonstration of effective operation beyond formal documentation
Strategic Implications of Independent Assessment
Assessment transcends formal compliance to constitute a corporate governance tool
Intersection with Specific Regulatory Frameworks
Independent assessment must consider the growing complexity of the Chilean regulatory environment. The prevention model operates at the intersection of multiple regulatory obligations that require integrated analysis:
Cybersecurity and Computer Crimes
Convergence between Law 21.595 (cybercrimes) and Law 21.663 (cybersecurity framework). Essential Services face dual obligations requiring coordinated assessment.
Personal Data Protection
Integration with Law 19.628 and future reform. Improper data processing can constitute both administrative infractions and crimes underlying criminal liability.
Sectoral Regulations
Coordination with specific frameworks: CMF for financial sector, SEC for energy, CNE, CEN, SMA for environment, DGA for water, SUBTEL for telecommunications, UAF for money laundering, SII, DT, FNE for antitrust, among others.
Independence and Technical Competence Criteria
Evaluator independence is not merely formal. It requires absence of conflicts of interest, demonstrable technical competence, and deep understanding of the applicable regulatory framework. Jurisprudence has emphasized that assessment must be substantive, not ceremonial.
Practical Application in Chile
DOJ methodology is already reflected in Chilean jurisprudence and regulatory practice
Antitrust - Supermarkets
In the supermarket collusion case, TDLC applied a fine reduction to Walmart, recognizing that its compliance program was 'comparatively very superior' and represented 'a very relevant advance'.
A demonstrable investment in a robust and operational program has tangible benefits, being recognized by Chilean authorities.
Corruption - Corpesca Case
First legal entity convicted in oral trial in Chile. Despite having a CPM, the court qualified it as ineffective due to 'serious organizational defect'. The Prevention Officer had no autonomy to supervise senior management.
The mere existence of manuals and nominal officer is irrelevant without genuine compliance culture and commitment from the highest level.
Frequently asked questions
What is prevention-model certification?
Prevention-model certification is the validation, by an entity authorized by the Financial Market Commission (CMF), that the implemented model meets the requirements set in Law 20.393 on corporate criminal liability. It has a maximum validity of two years and provides evidentiary value before the Public Prosecutor and the courts.
Is certification mandatory?
It is not mandatory. Law 20.393 does not require certification, but recognizes it as a way to evidence effective implementation of the model. In practice, companies facing significant regulatory exposure, operating in regulated sectors or participating in public procurement tend to certify in order to reduce reputational risk and reinforce defense in possible indictments.
Who can certify?
Only entities registered and authorized by the CMF in the registry of prevention-model certifying firms may certify. Autonomy and independence is a regulatory requirement: a certifier may not simultaneously provide design or implementation services to the same client.
What is evaluated during certification?
The evaluation covers four axes: autonomy and resources of the prevention officer; consistency between the documented model and effective operations; coverage of the model against the applicable predicate-offense catalogue (including those incorporated by Law 21.595); and traceability of monitoring, training and reporting channels.
How much does it cost and how long does it take?
Cost and duration depend on company size, number of business units and prior model maturity. Typical engagements run six to twelve weeks and involve fieldwork, document review and interviews with key areas. Recertification every two years benefits from the documentation generated in the first cycle.
Transform Your Legal Challenges into Competitive Advantages
Discover how our innovative approach can drive your business
