Regulatory framework for foreign investment
The Panamanian Constitution reserves “retail activities” for Panamanian nationals. Various statutes have limited the application of the prohibition to activities that involve the sale of goods to consumers.
By statute, the private sector (national or foreign) may not participate in water and sewage services; in other words, these services are reserved to the State. Likewise, electricity transmission services (as distinguished from generation and distribution) is also by statute reserved to the State.
Certain activities in Panama are reserved totally or partially for Panamanian nationals, based on constitutional provisions and regulated by statute. For example, commercial fishing in national waters is reserved for Panamanian nationals. Similarly, broadcast radio and television is reserved for Panamanians, but foreign persons may own up to 35% of corporations holding concessions for those activities.
Another type of restriction in Panamanian statutes prohibits foreign governments from owning land and participating in certain industries. For example, foreign corporates and entities controlled by foreign governments may not hold a majority stake in public service of telecommunications corporations. Similar restrictions are found in mining.
Foreign persons may not own real estate within 10 kilometers of the border with other countries.
Exchange control or currency regulations
The monetary unit in Panama is the Balboa. However, the U.S. Dollar (US$) is the legal tender of Panama and the same nominal value as the Balboa. There are no capital controls or foreign currency controls in Panama. Forced currency is prohibited in Panama’s Constitution and the parties may enter into obligations and establish payments in the currency they freely agree upon.
Grants or incentives
Investments (national or foreign) may qualify for incentives provided they are made in certain areas designated by law.
Individual employment contracts / Termination regulation
- Termination of employment contracts is regulated by the Labor Code, which grants special protection to employees.
- There is a process that can be followed before the Ministry of Labor to reduce personnel based on “economic grounds”, but companies normally carry out reductions without pursuing that process.
Capital gains in the sale of shares are taxed at 10%. The buyer must withhold 5% of the price paid and the seller may accept the amount so withheld as its definitive tax or file a return to obtain a credit for the difference between the amount withheld and the taxed caused by the gain realized in the transaction. In an asset transaction, the tax treatment will depend on the asset being transferred. For example, real estate is levied with two taxes: transfer tax (2%) and capital gains tax (10%). The buyer must withhold 3% of the purchase price, leaving the seller to accept the amount so withheld as its definitive capital gains tax or file a return to obtain a credit for the difference between the amount withheld and the capital gains taxed caused by the gain realized in the transaction. There are stamp taxes that may apply to the documentation granted. The issuance of shares does not cause any taxes.
Antitrust jurisdiction triggering events/thresholds
Corporate concentrations that affect competition will be subject to antitrust review. The threshold at which concentration may affect competition is 25%. Parties to a transaction that affects competition may submit a petition to the antitrust authority to review and approve, which approval may be granted without or with conditions. A concentration that is approved by the antitrust authority may not be reviewed by the authority or subject to judicial review. Without such approval, within three (3) years after perfected both the authority or a court (upon petition by a third party) may review the transaction and impose sanctions (including divestment) if found detrimental for competition.
Signing/closing meeting documents
Closings are ordinarily carried out through the delivery of documents set forth in definitive agreements, including share certificates duly endorsed in the case of share transactions. Payment is usually made through wire transfers.
In the case of asset deals, special documentation, formalities and filings depend on the type of asset. For example, real estate is only transferable through a public deed (“escritura pública”) granted before a notary public, which deed must then be submitted for registration and actually registered in the Panama Public Registry Office.
Gap requirements between signing and closing
In the case of share transactions, there are no such gaps required by law, except for tender offers of publicly traded shares. In the case of asset transactions involving real estate, for example, such gaps arise because registration of the public deed takes at least 24 hours.
Proof of identity and authority to sign
Corporate resolutions in the case of legal entities, accompanied by a good standing certificate of the jurisdiction of incorporation, and passport or other identification document for the person signing. All documents granted or executed outside Panama must be authenticated by a Panamanian Consul or through the Apostille (Hague Convention (1961) on legalization of document).
- Simple contracts are executed by written signature. Public deeds are granted by a Notary Public upon personal appearance and execution by signatories before the Notary Public.
- In the case of simple contracts, written signature by the persons signing on behalf of corporate parties thereof will suffice – ie, the parties validate whether the persons are duly authorized to enter into an agreement on behalf of the corporate party.
- Individuals with legal capacity may enter into contracts and grant deeds by written signature.
- In the case of foreign companies, it is customary to require powers of attorney duly legalized by a Panamanian Consul or through the Apostille.
Notary impact on transaction timetable
Authentication of signatures by notaries is viable and may be obtained during the execution ceremony, provided that signatories are physically present at such ceremony. Post execution authentication is viable, provided the signatory is in Panama and customary identification documents (eg, passport) is produced to the notary.
Changing of stockholders, officers and directors
Changes of stockholders in the books of the corporation may be regulated in its articles of incorporation and/or by-laws. In the absence of such regulation, it is usually accomplished through the Secretary of the corporation, who customarily requires the share certificate and its endorsement in order to make annotations in the share register.
Changes of directors and officers requires corporate resolutions to be submitted to a Notary Public for issuance of a public deed, which deed must then be filed and registered with the Panama Public Registry Office.
Private limited company
Transfer of title of shares is usually accomplished through the Secretary of the corporation, who customarily requires the share certificate and its endorsement.
Execute document in counterpart
It is customary to avoid counterparts in order to minimize stamp taxes, which are caused and payable with respect to each counterpart. Signature pages of contracts may be executed in different jurisdictions to be consolidated in a single counterpart, with each signature being authenticated in compliance with the law in the jurisdiction of execution, including legalization by “apostille”.
Strictly enforced undertakings
Strict enforcement of undertakings will be available soon, upon signing and promulgation (ie, publication in the Official Gazette) of recently adopted legislation that reinstated provisions of the Judicial Code that were repealed a few years ago.
Damages are available.
Required due executions legal opinions
None required by statute, but in cross border transactions (particularly for indebtedness) it is customary for legal opinions (debtor’s and creditors’ counsel) to be issued.
Panama, March 9, 2020. Partners Francisco Arias, Ricardo Arias, and associate Cristina De Roux contributed with Chambers & Partners, providing their professional insights into Panama’s legal securities market.
The online Panama chapter is available here.
Or a PDF version is available to download here.
Pablo Epifanio, Senior Associate, Morgan & Morgan
The stock market is undoubtedly one of the most important economic forces in the world. Every year, billions of dollars are moved through stock exchange operations, and year after year, in most jurisdictions, the stock market is promoted as a tool for financing or capturing capital for issuers and as an investment for thousands of participants seeking to place their funds in higher yield investments.
Thus, it is not unreasonable to foresee that although the stock market has had such a positive and important purpose, and in which transactions are increasingly sophisticated and complex, may be used for illicit purposes, particularly those related to financial crimes, including laundering of assets, financing of terrorist groups, among others.
This article succinctly analyzes the implications and scope of the compliance measures established in Agreement 6-2015 adopted by the Superintendency of the Securities Market of Panama, based on Law 23 of April 27, 2015, by which measures are being taken to prevent money laundering, financing of terrorism and financing of the proliferation of weapons of mass destruction (the “Compliance Act”).
Regulatory Framework for Compliance Measures in Panama
The Compliance Act approved in 2015, regulated by Executive Decree No. 363 of August 13, 2015, which adopts measures that allow entities regulated under it to prevent the use of their platforms and businesses for purposes related to the crimes of money laundering, financing of terrorism and financing of the proliferation of weapons of mass destruction.
The Compliance Act classifies those regulated entities: regulated non-financial entities, regulated financial entities and professional activities subject to supervision. The Compliance Act within the regulated financial entities includes the majority of the participants in the securities market, establishing that the provisions of the same apply to:
a) Self-regulated organizations;
b) Securities Firms;
c) Investment Managers;
d) Pension Fund Management;
e) Unemployment Fund Management;
f) Investment Companies;
g) Self-Managed Investment Companies;
h) Investment Advisers; and
i) Administrative Service Providers of the Securities Market.
An important fact to note is that the Compliance Act, Executive Decree 363 and Agreement 6-2015 do not include the issuers of securities registered with the Superintendency of the Securities Market within their scope of application. This is likely to be the case, since most of the essential intermediaries to carry out a public offering and issuance of securities are subject to regulations, including custodians, payment agents, brokerage firms and investment advisors, they are, in short, those that have a direct relationship with investors. At the same time, the issuer would unlikely be able to properly and efficiently apply due diligence measures to investors with whom it usually does not have direct contact.
The Compliance Act seeks more than anything to establish the regulatory framework applicable to regulated entities in order to facilitate the adequate identification of customers with a risk-based approach, detect funds of illicit origin, establish guidelines regarding the due diligence that regulated entities must applied to their customers, in terms of the application of the “know your customer” policy and encourage the adoption of risk policies.
For the purposes of accurately understanding the applicable legislation on compliance, it is important to keep in mind the definition of “customer” under the Compliance Act: “natural or legal person, as defined by the legal provisions that apply for each economic or professional activity indicated in the Law, with which the regulated financial entities, regulated non-financial entities and activities carried out by professionals subject to supervision establish, maintain or have maintained, in an usual or occasional manner, a contractual, professional or business relationship for the supply of any product or services inherent to its activity.”
Lastly, the Compliance Act empowers the respective regulatory authorities for the activities carried out by the different regulated entities to oversee the compliance with the Compliance Act and adopt regulations that adjust to the reality of each regulated activity.
- Sectoral Regulation Applicable to the Securities Market
The Superintendency of the Securities Market has adopted Agreement 6-2015 of August 19, 2015 (the “Agreement 6-2015”), through which it issued the provisions applicable to regulated financial entities supervised by the Superintendency of the Securities Market, to the prevention of the crimes of money laundering, financing of terrorism and financing of the proliferation of weapons of mass destruction.
The regulated financial entities supervised by the Superintendency of Securities Market under Agreement 6-2015 have the obligation to maintain due diligence and care in their operations in order to reasonably prevent such operations from being carried out with funds from activities related to the crimes of money laundering, financing of terrorism and financing of the proliferation of weapons of mass destruction.
Thus, the regulated entities under the supervision of the Superintendency of the Securities Market must have the mechanisms, policies and methodologies required to manage the risk of money laundering, financing of terrorism and financing of the proliferation of weapons of mass destruction, taking in consideration factors such as: the risk profile of the activity exercised by the regulated entity, the profile and types of customers of the regulated entitity, the products and services offered by the regulated entity, the distribution or commercialization channels used by the regulated entity, the location of the facilities of the regulated entity, of its customers and final beneficiaries, and the risk of the custodian or correspondent services of the regulated entity.
For the evaluation of the factors described above, regulated entities must apply a “risk-based approach”, which is nothing more than an understanding of the level of risk according to their nature, in order to focus their efforts effectively. Thus, regulated entities subject to supervision must classify their customers by applying a risk-based approach to: (i) high risk customers, (ii) moderate risk customers and (iii) low risk customers; and they should review this classification at least once a year. With this approach in mind, the regulation gives certain entities flexibility to assess the risks in the services they provide, so that they can apply reinforced measures against major risks, basic measures against usual risks and simplified measures against minor risks, managing and / or mitigating risks, as the case may be.
Agreement 6-2015 specifically establishes the minimum information and documentation that should be requested and verified from customers, both for natural and legal persons, as part of the simplified due diligence that regulated entities subject to supervision of the Superintendency of the Securities Market must apply, which include: complete general information, a copy of the customer’s identification, bank and commercial references, support of funds, detail of activities to which he / she is dedicated, among others.
For the purposes of simplified due diligence in the case of legal persons, Agreement 6-2015 seeks to fully identify the final beneficiary of the legal entity and imposes measures and requirements to be obtained from each customer that is a legal entity for that purpose. For the purposes of the final beneficiary, Agreement 6-2015 states that it shall be understood as such, any natural person who individually or by common agreement with other persons, directly or indirectly, is the owner or has the right to exercise the vote with respect to ten percent (10%) or more of the issued and outstanding shares of a legal entity. In addition to the foregoing, the following must also be fully identified: (i) in the case of companies: the administrators, representatives, attorneys-in-fact and signatories of the legal entity; (ii) in the case of private interest foundations: the members of the founding council, founder and protector; and in the case of trusts: the trustee and the trustor.
Agreement 6-2015 establishes that regulated entities under it will have to apply full-range or enhanced due diligence measures for their customers or activities that may represent a high risk, in order to deepen the information of this type of customers. The Superintendency of the Securities Market, as well as other regulators of activities under the Compliance Act, has issued a guide of indicators of suspicious operations and activities in order that the regulated entities can identify high risk customers and timely apply the measures of full-range due diligence.
Among the types of customers that should be subject to full-range or enhanced due diligence, we have, among others:
a) Natural or legal persons or related business persons with natural or legal persons domiciled or incorporated in jurisdictions considered high risk by national or foreign organizations;
b) Individuals or legal entities that appear in national or foreign lists related to the prevention of money laundering, financing of terrorism and financing of the proliferation of weapons of mass destruction;
c) Politically exposed persons (PEP), close relatives and close collaborators;
d) Legal persons that receive or offer the correspondent service, with special attention to those domiciled in jurisdictions that have not effectively implemented the recommendations regarding the prevention of money laundering, terrorist financing and financing of the proliferation of weapons of mass destruction;
e) Businesses with a high volume of operations in cash or quasi-cash; and
f) Businesses with a high volume of international transfers to and from countries and high-risk countries that have not implemented the recommendations regarding the prevention of money laundering crimes, financing of terrorism and financing the proliferation of weapons of mass destruction.
When applying full-range or enhanced due diligence measures, regulated entities supervised by the Superintendency of the Securities Market shall require the same information and minimum documentation established for simplified due diligence, and in addition shall: (i) obtain the approval of senior management at the beginning of the business relationship; (ii) update the records of information and documentation, at least one (1) time each semester; (iii) continuous intensified monitoring throughout the commercial relationship and / or (iv) apply any other measure determined by the senior management of the regulated entity.
Simplified due diligence is the most basic policy, procedures and measures defined in the Compliance Act that may be applied by regulated entities to their customers, and are only applicable if in accordance with the risk policies of the regulated entities, based on a risk approach, it is determined that the customers to apply it are of low risk.
Executive Decree No. 363, which regulates the Compliance Act, expressly establishes the simplified due diligence measures allowed to regulated entities:
a) Reduce the documentary review process;
b) Reduce the frequency of customer identification updates; and
c) Reduce the monitoring of the business relationship and the scrutiny of operations that do not exceed the minimum amount established by supervisory bodies.
Although it does not appear so, simplified measures significantly reduce the economic and managerial burden of due diligence measures for regulated entities, especially in cases where it is evident that the business relationship is not or can not be used for illicit purposes.
An important point to be highlighted is Article 28 of the Compliance Act that establishes that the regulated entities – whether they are intermediaries or not in the securities market – will apply simplified due diligence measures to their customers that are legal persons and are listed in a stock exchange recognized by the Superintendency of the Securities Market. That is, to the issuers of common shares or participation quotas, which are duly registered in the Superintendency of the Securities Market and listed on a stock exchange, simplified due diligence measures will be applied by law. Therefore, regulated intermediaries may apply their simplified due diligence measures to their issuing customers, provided that the before mentioned comply with the conditions established in Article 28 of the Compliance Act.
The main purpose of the compliance regulation in question is based more than anything on prevention, that is why in cases where a customer of a regulated entity does not facilitate compliance with the relevant measures of due diligence, the regulated entity may not open the account or start the business relationship or make the proposed transaction.
Agreement 6-2015 establishes that any new account or commercial relationship must comply with the evaluation of the financial and transactional profile of the customer, in order to measure the risk of the products or services offered. For these purposes, “financial profile” means “the result of the analysis of a set of socioeconomic and demographic characteristics and variables that are presented by a customer and verified by the regulated entity at the time of opening the account or beginning of the business relationship; and that it must be enriched with updated and historical information, with the purpose of establishing the common practice that the customer will maintain with the regulated entity.”
Basically, the analysis and processing of the financial documentation required in the course of the simplified or enhanced due diligence measures gives rise to the financial profile that the regulated entity must develop for each customer. On the other hand, the “transactional profile” refers to the “contrast between the financial profile and the frequency and capacity of a customer’s actual transaction in one or several periods of time.”
In conclusion, the obligation of each regulated entity supervised by the Superintendency of the Securities Market is to perform an analysis based on criteria in terms of capacity and financial transaction volume of each customer and then make the contrast between said analysis and the reality of each case.
Agreement 6-2015 establishes two important obligations in regards to the employees of the regulated entities supervised by the Superintendency of the Securities Market: the first obligation is to have a “Know Your Employee” policy, which seeks that regulated entities have personnel selection procedures and supervise the behaviour of their employees, especially those who perform positions related to customer management, fund management, control of information and other important controls. It is also important that regulated entities establish a profile of this type of employees, which shall be updated at least once a year.
The second obligation of the regulated entities in regards to their employees is the obligation to carry out continuous and specific trainings at least once a year, to the employees with roles related to the management, communication and handling of customer and supplier relationships, receipt of funds, transaction processing, product design and services, compliance, risk, human resources, technology and internal auditing in a way that allows them to be updated on the different types, cases and regulations of money laundering, terrorism financing and financing of the proliferation of weapons of mass destruction.
One of the most important tools that the Compliance Act and the Agreement 6-2015 gives to the regulated entities supervised by the Superintendency of the Securities Market are the Suspicious Operations Reports (ROS) and the Unusual Operations Reports (ROI) to the Financial Analysis Unit (UAF). Many times we tend to use these terms as synonyms when they are different and have different implications.
“Suspicious operation” is understood as an operation that can not be justified or sustained against the financial or transactional profile of the customer or that which may be related to illicit purposes. On the other hand, “unusual operation” is understood to be one that is not consistent with a financial or transactional profile declared by the customer or that exceeds the parameters set by the regulated entity in the due diligence process performed on the customer, and that consequently must be justified.
Thus, unusual operation means in short an alert for the regulated entity that the operation is not regular, based on the expected behavior of the customer or exceeds the criteria set for the customer in terms of financial capacity or volume of transactions, and the customer must be required to sustain the operation. Suspicious operation, on the other hand, is one that has no way to be justified or that can reasonably be considered to be linked to the crimes of money laundering, financing of terrorism and financing of the proliferation of weapons of mass destruction.
Executive Decree No. 363 that regulates the Compliance Act establishes that the regulated entities must have measures that allow the timely detection of unusual operations in order to analyze them and rule out or corroborate the unusual operation. Unusual operations that can not be corroborated or verified according to the customer’s profile may be reported by the regulated entity as suspicious transactions.
In addition, operations suspected of being related to the crimes of money laundering, financing of terrorism, financing of the proliferation of weapons of mass destruction shall be reported as suspicious transactions to the Financial Analysis Unit within 15 calendar days from the detection of the event, transaction, operation or control failure.
In addition, the regulated entities have the obligation to report transactions in cash or quasi-cash, for amounts exceeding the sum of Ten Thousand Dollars (US$10,000.00), legal currency of the United States of America, within the first 10 business days of each month. “Quasi-cash” means, for these purposes, cashier’s checks, travel checks, orders issued to bearer, multiple endorsements, blank endorsements, and other negotiable documents.
All reports to the Financial Analysis Unit must be made through the compliance officer, who will be the liaison person with said entity in regards to the regulated entities supervised by the Superintendency of the Securities Market.
Agreement 6-2015 establishes the obligation for regulated entities supervised by the Superintendency of the Securities Market to adopt, through its Board of Directors, a Prevention Manual that must be reviewed at least one (1) time a year and must contain at least:
1) Mechanism, policies and methodologies for administration and policies for mitigating the risk of money laundering, financing of terrorism and financing of the proliferation of weapons of mass destruction;
2) The classification of customers according to the risk-based approach;
3) The “Know Your Customer” policy;
4) The “Know Your Employee” policy;
5) The periodicity of the reviews and updating of the information and documentation of the customers;
6) Policies relating to correspondent relations;
7) Policies relating to customers or high-risk activities;
8) Policies regarding the confidentiality and protection of information;
9) Contingency plans for information retrieval in cases of disasters;
10) Internal control policies;
11) Norms of self-evaluation of the degree of risk and good practices for the prevention of the crimes of money laundering, financing of terrorism and financing of the proliferation of weapons of mass destruction;
12) Ethical norms and standards;
13) The liaison person with the Financial Analysis Unit;
14) Management of ROS and other reports to the Financial Analysis Unit;
15) Formation of the Ethics and Compliance Committee and the Audit Committee.
Regarding the Ethics and Compliance Committee, Agreement 6-2015 provides that all regulated entities supervised by the Superintendency of the Securities Market must have one to approve the opening of accounts or the commencement of business relations for customers or activities requiring full-range or enhanced due diligence measures to be carried out, and the follow-up to this type of high risk customers. This committee must be formed by at least three (3) members of the Board of Directors. The Ethics and Compliance Committee must also plan, coordinate and ensure compliance with current regulations on the prevention of money laundering, financing of terrorism and financing of the proliferation of weapons of mass destruction.
Likewise, Agreement 6-2015 provides that all regulated entities supervised by the Superintendency of the Securities Market must have an Audit Committee that is responsible for the execution, evaluation and effectiveness of the internal control systems of the regulated entity, in order to monitor the internal measures and softwares used in relation to the protection of information, prevention of unlawful acts and compliance with current regulations on the prevention of money laundering crimes, financing of terrorism and financing the proliferation of weapons of mass destruction.
All regulated entities supervised by the Superintendency of the Securities Market must update the information and documentation of their customers at least one (1) time per year for all customers and one (1) time per semester for customers subject to full-range or enhanced due diligence measures. At the same time, they must safeguard the information, documentation and records of the operations carried out, for a minimum period of five (5) years from the termination of the commercial relationship with the customer.
The Compliance Act classifies sanctions in two types: Generic Sanctions and Specific Sanctions. Generic sanctions are those established by said Law for breaches of the provisions of the Compliance Act or its sectoral regulations, including as such Agreement 6-2015, for which there is no specific sanction, which will consist of a fine of US$5,000.00 to US$1,000,000.00. Specific Sanctions are those applicable to specific breaches of the Compliance Act or its sectoral regulations, as regulated by the regulatory authority of the respective activity. The Superintendency of the Securities Market has not regulated the specific sanctions to date, for which generic sanctions (fines) will be applied pursuant to article 60 of the Compliance Act.
The fines imposed for breaches of the Compliance Act may be collected through the coercive jurisdiction of each supervisory body, or through the coercive collection process before the General Revenue Directorate. These fines are without prejudice to any civil or criminal liability that may arise.
Executive Decree No. 363 provides a clear picture in terms of the seriousness of the infractions, since it lists some breaches as infractions with minor severity, medium severity and maximum severity. This allows the regulated entity to identify the level of severity of the sanction for the non-compliances listed.
Finally, Executive Decree No. 363 gives the supervisory bodies of each activity the right to cancel, withdraw, restrict or remove licenses, Certificates of Competence or other authorizations from regulated entities that violate the provisions in force regarding compliance, subject to the verification of the sanctioning processes that correspond.
It is a true and lawful translation into English of the original document written in Spanish. Panama, March 12, 2018. Michelle Williams – Authorized Public Translator – Resolution No. 5775 of November 12, 2014, Republic of Panama.
Morgan & Morgan contributed to the first edition of the Latin American corporate investigations guide
Panama, January 31, 2020. Partners Inocencio Galindo, Ricardo Aleman, Kharla Aizpurua Olmos, and associate Joy Paull Torres contributed with the first edition of the Latin American investigations guide, a frequently asked questions for conducting corporate investigations in various jurisdictions on Latin America.
This publication of the international law firm Hogan Lovells provides an overview from leading legal experts across the region.
The publication is available here.
Or a PDF version (Panama Chapter) is available to download here.
Panama, November 6, 2019. Jose Carrizo, head of the Litigation and Dispute Resolution practice of Morgan & Morgan, contributed with the Panama chapter of The Arbitration Review of the Americas 2020, providing a comprehensive analysis of the arbitration system in Panama, its legislation and every aspect that confirms the country as an international and regional center for the resolution of arbitral disputes.
The publication can be download here.
Fanny Evans, Senior Associate, Morgan & Morgan
In 2013, Virginia Ginni Rometty – CEO of IBM, said “I would like you to think of big data as the next natural resource that can be to our era what steam, electricity and oil were for the Industrial Age.”
Probably, you have read or heard: Data is the new oil! Data is the new bacon! Data is the new currency! These analogies have become very popular because data is now considered one of the most important commodities.
This is the result of the emergence of many successful Social Networks that, although they are not payment platforms, have turned the data into a source of value.
The need for a data-protection compliance program in business is becoming increasingly important after several high-profile leaks of companies’ data. Some of the biggest data breaches over the last two years include T-Mobile, Marriot, British Airways, Quora, Google, Orbitz and just recently, Capital One bank in the United States. A successful data breach may occur in less than one minute. Yet, businesses may take more than weeks to realize a breach has occurred.
When giving the first steps into complex waters like data protection, it is very common that companies get lost in the avalanche of legal requirements or in developing that product or service that might result attractive to its clients. However, for a business, changing the focus to issues that they may consider more interesting should never be an option because the results of data breaches include many types of damages: fromreputational to financial. Sometimes it can even affect an entire country as happened with, in my opinion, the wrongfully or unjustifiably called “Panama Papers”.
In the European Union, data protection is a fundamental right, and the General Data Protection Regulation (GDPR) which came into force on May 25th, 2018, is the new framework for protecting that right. Other countries are looking to the GDPR as they develop or implement their own laws to protect data.
Even if companies have an “it will not happen to me” approach to data breaches, in many countries, legislation is forcing them to rethink their reasoning. Here is where compliance plays an important role to help to plan a data-protection compliance program.
Here are five steps that can help as guidance when drafting or reviewing your data-protection compliance program:
- Understand your risks and legal and ethical obligations
One of the most important elements when building a data-protection compliance program is considering your risks and what is most important and mandatory to the business, instead of jumping into the requirements of a legislation without fully understanding your needs because not all risks or obligations are managed in the same manner or to the same extent. This program needs to set out the appropriate guidance in key areas.
Having said the above, the first step should always be to understand the business necessity to comply. This involves a careful analysis of what your obligations are, what the risk of breaching those obligations might be and what risks your company is willing to take.
- Document and review your policies
Your data-protection compliance program should be properly documented. Once the obligations and risks are understood, it is vital to document them. It is not just enough to know you are data privacy compliant. Your data-protection compliance program should be clearly verifiable and readily accessible through accurate reports and documentation for internal or external examinations.
The compliance officer shall perform a formal review on a regular basis to ensure that the data-protection compliance program is progressing as planned and that it is adjusted to meet any changes in legislation or the business.
- Allocate ownership
The responsibilities and tasks related to confidentiality and data-protection may overlap with other business policies, such as information technology security, recordkeeping, risks and audit, human resources, management of confidential information and others as it requires various skills to succeed. Therefore, the most advanced and elaborated data-protection compliance program will fail if there is no clear ownership of the tasks. Each business will structure the ownership differently, but it is vital that who is the owner of each task of the program is clearly understood and that the owners have the necessary resources, including training, so that they are competent to fulfil their role in a manner that is consistent with the business’ compliance culture.
- Provide training and the necessary resources
Always train your staff. If you have an informed team it will reduce your risk. Raise staff awareness.
Not only does training staff reduce the risk of breaches, it also demonstrates compliance before internal and external inquiries. For example, if an organization was to experience a data breach and they had documented their staff training on data protection, this would be used as evidence to prove that they had taken the appropriate steps to prevent a data breach and were taking the legislation seriously, if any.
Training should aim to ensure that all members of the team have an understanding of the data that they will have access to and the risks entailed. Training should be provided on a regular basis, and it ought to be performed again whenever there are significant changes to positions, structures, risks or obligations, or when actual issues arise. Also, the business shall incorporate data protection training into its process for onboarding new employees.
Businesses shall embed data-protection compliance program into it culture so that protecting information becomes second nature. This aspect, training and continuing education, should always include senior management.
- Review the Financial Action Task Force (FATF) Guidance on the Risk-Based Approach
A risk-based approach to compliance involves identifying the areas of high risk within the business’s compliance universe and building and prioritizing its compliance programs around these risks.
In order to assist both public authorities and the private sector in applying a risk-based approach, the FATF has adopted a series of guidance in co-operation with relevant sectors. Businesses shall review the guidance applicable to its industry to make sure that the appropriate mitigation measures in accordance with the level of risk are taken.
Data is one of the most important assets a business has. For that reason alone, data protection compliance program should be a top priority for any business.
Panamá, October 29, 2019. Partners Jazmina Rovi and Francisco Linares contributed to the Panama chapter of Getting the Deal Through: Market Intelligence-Shipping 2019, a publication with an analysis of the evolution and the regulatory scenario of the maritime industry globally.
To complete article can be read on the following link:
Analissa Carles, Associate, Morgan & Morgan
On May 19, 2016, the concept of a “Bankruptcy,” as the legal term was defined, ceased to exist under Panamanian law. Law 12 of 2016 (the “Insolvency Law”) entered into force on that date and introduced new proceedings into our legal system. These proceedings are referred to as Reorganization and Liquidation.
The enactment of the Insolvency Law sought not only the protection of the rights of creditors, but also to achieve a differentiation between “efficient” and “non-efficient” companies, depending on the reasons and circumstances that give rise to their insolvency status.
For “efficient companies”, the law introduces the “Reorganization Proceeding,” the main purpose of which is the recovery and continuation of the company as an economic unit and employer.
A Reorganization Proceeding pursues similar objectives as the bankruptcy protection provisions established in Chapter 11 of the United States Bankruptcy Code. Thus, a Reorganization Proceeding allows the restructuring of a company’s debt obligations and can be initiated at the request of the insolvent company or by its duly organized creditors through a “Board of Creditors.” The insolvency petition must be accompanied by a series of documents that include, among others, the company’s financial statements, an inventory of its assets and liabilities, payroll obligations and the Reorganization Plan, in which the debtor must provide a financial, organizational, operational and competitiveness restructuring project with the intention of solving the causes that led to the company’s failure to make required payments, its imminent insolvency or foreseeable lack of liquidity.
This Reorganization Plan is significant in that it serves to initiate the proceeding itself. Subsequently, when the creditors formally join the proceeding to submit evidence of their credits, the Reorganization Plan must be subjected to a vote by the established Board of Creditors, who must either approved or reject said plan. The result of this vote will decide whether: a) the company will in effect be reorganized through the execution of said plan; b) the culmination of the proceeding without any agreement, in which case the bankruptcy protections would be lifted and the debtor would have to negotiate with each of its creditors separately; or, c) the Judicial Liquidation of the Company.
Judicial Liquidation Proceeding
The Judicial Liquidation Proceeding, as the name implies, focuses on liquidating “inefficient” companies in a prompt and orderly manner. This can be initiated at the request of the debtor by means of a Voluntary Liquidation or by means of a duly substantiated petition from a creditor, which in this case would be a Compulsory Liquidation.
In either case, the petition must be accompanied by a series of requirements and documentation. In the case of a Voluntary Liquidation petition, provided all requirements are met, the court will issue a resolution declaring that the company is in liquidation.
For Compulsory Liquidation, provided all requirements are met, the request will be accepted and the debtor will be given an opportunity to answer the creditor’s petition. The court will then set a date for an initial hearing. If the debtor opposes the petitioner’s claim against it and the judge deems such opposition to have sufficient grounds, it shall deny the claim and the proceeding shall terminate. However, if the court deems said opposition to have insufficient grounds or if the debtor does not even submit any opposition, the debtor may: a) allocate sufficient funds for the payment of the debt; b) agree with the requesting creditor for the hearing to be suspended in order for the parties to reach an arrangement; or, c) submit to a Reorganization Proceeding. If, however, the debtor does not choose any of the aforementioned options, the judge will issue a resolution for a Liquidation Declaration, with the corresponding legal effects.
It has been interesting to see the development and execution of this relatively new law before the courts of Panama, especially since it also provides for the creation of new Insolvency Circuit Courts, as well as the Fourth Superior Court of the First Judicial District, consisting of three justices elected by the Supreme Court, in full, with exclusive jurisdiction over insolvency proceedings. However, to date, these courts have not been created and, therefore, the Civil Circuit Courts are currently in charge of hearing such proceedings. These circumstances have forced the judges ruling over these cases to become overly reliant on the technical criteria of the Bankruptcy Administrators appointed by them within the proceeding. Consequently, said Bankruptcy Administrators, who serve as an assistant of the Court, must have the legal and accounting capacity to warn of possible irregularities within the proceeding, from the initial scrutiny of the insolvency application, together with all the supporting documentation. They must also be able to determine if, indeed, they are facing an efficient company that can improve its current financial condition, and they must even make recommendations against the aforementioned Reorganization Plan, before it is submitted to the Board of Creditors for their vote. This level of expertise, although not expressly required by law, has become a necessity given the unforeseen preponderance that the expert input of these Bankruptcy Administrators has acquired.
There are many conceptual and practical elements to analyze in Law 12 of 2016. However, as is often the case, only through the practice and application of this law has allowed both lawyers and financial institutions to fully grasp the challenges ahead. Regardless of the above, the objective of the Law is positive – especially since, previously, a bankruptcy declaration was a de facto death knell for a company. It is therefore worthwhile to focus efforts on maximizing the advantages created under the law in order to obtain the desired results. These, however, will ultimately depend to a large extent on the good will and good faith dealings of both creditors and debtors.
Alvaro Tomas, partner and Vice President of Operations of the Fiduciary Unit of Morgan & Morgan
The Panamanian government has issued Law 99 of October 11, 2019, which establishes a General Tax Amnesty Law (“Amnesty”) that includes the elimination, for a limited period, of the penalties and surcharges caused by non-payment of the obligations with the National Treasury for corporations and private interest foundations. This law also includes amnesty for various types of interests and penalties resulting from non-payment of other taxes (for example: property or income tax).
Tax Amnesty Terms
The Amnesty Law will be extended until February 29, 2020 with exoneration as follows:
Full exoneration (100%) for those who pay in October and November 2019;
95% for those who pay in December 2019;
90% for those who pay in January 2020 and;
85% for those who pay on February 29, 2020.
The aforementioned Amnesty is the perfect opportunity to bring your legal vehicle into good standing without additional charges or to proceed with its dissolution instead of being struck off (which is the legally correct manner).
At Morgan & Morgan we have a range of seasoned professionals working alongside the young talent that can help you with the administration of your corporate vehicles and foundations. Please write to firstname.lastname@example.org if you are interested in more information.