On 31 March 2021, Resolution SMV N° 06-2021-SMV/01, was published in the newspaper El Peruano, through which the Superintendency of the Stock Market (SMV in Spanish) approved the 'Guidelines for the Implementation and Operation of the Prevention Model' (hereon, 'Guidelines').

The Guidelines establish the rules that, voluntarily and referentially, legal persons may follow for the design, implementation and operation of their prevention models, in line with the provisions of Law No. 30424, which regulates the administrative responsibility of legal persons (hereon, 'Law') and its regulations[1]. Let us recall that, in accordance with the provisions of the Law, legal persons who employ an appropriate prevention model may be exempted from liability in the event a crime is committed for their benefit.

The Guidelines are approved after two preliminary versions (projects) issued in 2019 and 2020, which were brought to the attention of the citizens for their comments. While those preliminary documents provided guidelines on how to implement prevention models, we would like to emphasize that the Guidelines have a more practical approach, providing examples of what actions to take. In this alert, we include the Guidelines' main points.

As a presupposition of an ideal prevention model, the Guidelines refer to the commitment, leadership and firm support of the governing body, stating that it might manifest itself in: (i) the adoption of the zero tolerance policy regarding corruption; (ii) the active participation (as participants or speakers) in training; (iii) the allocation of budgetary funds for the purchase of technological equipment and/or materials to ensure the operation of the prevention model; and (iii) the creation of incentives to ensure compliance with the above model.

As for the minimum elements that a prevention model must have to be considered adequate, the Guidelines contain a reference list of actions for implementation, the main ones being the following:

Minimum elements


Identification, assessment and mitigation of risks

Preliminary stage: Designate a person (employee or external advisor) who will be in charge of the implementation (support: employment contract or service provision); identify processes/areas whose management through the prevention model is necessary, approve road map or risk identification and management policy.

Risk identification:

  • Identify internal and external factors that impact risk identification: business model, economic sector, and regulatory environment, as well as interaction with public officials (frequency and modality).
  • Establish appropriate methodology (brainstorming, surveys and interviews).
  • Identify activities, operations, processes, and/or areas with greater exposure to risks (use of petty cash, gifts and attention, donations, payment of commissions).

Risk assessment:

  • Establish methodologies that allow the analysis of the causes of risk generators and consequences of their materialization.
  • Develop a database or catalog of crime risks.
  • Make estimates (qualitative or quantitative) of the magnitude of risks, based on the knowledge and experience of experts and industry experiences.
  • Develop risk matrix, risk map or heat map.

Risk mitigation:

  • For each prioritized risk, establish control (s) to apply. Ensure that the risk is reduced to a tolerable level.
  • Establish preventive, detection and corrective controls. These may be financial (prohibition of use of cash) or non-financial (due diligence).
  • Evaluate effectiveness of controls: execute periodic self-evaluations, compliance audits and improvement of controls.

Prevention officer

  • Knowledge of the organization: critical and/or key processes, of the economic sector, of business partners and stakeholders.
  • Experience: academic background, work experience and leadership.
  • Economic and moral solvency (not having a judicial or police record, not exercising office in a public entity, state company or political party that could generate conflicts of interest, not being on the OFAC sanctions list or similar).

Complaints procedure

Complaints channel:

  • Implement complaints channel (virtual or face-to-face) that allows proper numbering, registration and classification.
  • Designate a person (employee or external) or internal body responsible for the complaints channel and for conducting internal investigations.
  • Ensure the proper handling of the complainant's personal data.

Policies or incentive scheme: economic (promotions, bonuses, training, etc.) or dissuasive (publication of disciplinary measures or sanctions).

Internal investigation procedures:

  • Establish methods for conducting internal investigations, including mechanisms for collecting evidence (statements, interviews).
  • Be cautious about the impartiality of the person in charge of the investigation (conduct due diligence to rule out possible conflicts of interest).
  • Implement a security system of the information collected (use software with licenses or secured physical spaces).

Application of disciplinary measures:

  • Appoint a disciplinary officer.
  • Establish a catalog of violations, disciplinary measures and applicable sanctions, as well as mechanisms for recording and monitoring compliance with rules.

Dissemination and regular training

  • Conduct trainings for all staff and for those areas or collaborators exposed to risks, including business partners, as appropriate.
  • Monitor the media (number of accesses to available resources) and training plans (continuous monitoring).
  • Evaluate the effectiveness of dissemination and training policies (evaluations, interviews, surveys).
  • Provide a guidance and consultation channel on the prevention model.

Continuous evaluation and monitoring

  • Conduct monitoring and/or periodic supervision of the effectiveness of the model (internal or external audits, formation of monitoring committees).
  • Evaluate staff in relation to compliance with the prevention model (establish performance indicators).
  • Oversee improvements derived from the analysis of experiences (updating and/or incorporation of controls) and communication to the rest of the company (feedback meetings, publications).


In addition to referring to the minimum elements, the Guidelines emphasize the importance of carrying out due diligence processes, specifying that this must not only be done before the contractual relationship, but whenever necessary (e.g., if an event or piece of news that involves such persons arises). Likewise, this must be done if a legal person wishes to develop new activities, introduce new products or services to the market and make use of new technologies, among others.

Finally ,the Guidelines, like the regulation, highlight the importance of keeping evidence (mainly documentary) of the actions carried out in order to prove to the SMV that the prevention model is adequate and can be used to mitigate risks faced by the legal person.

You can find the full text of the Guidelines here.

We trust that this information is relevant to you and your company. If you require a deeper understanding of the topic, do not hesitate to contact us.


[1] Los Lineamientos han sido elaborados tomando como marco de referencia no solo la citada Ley, sino también estándares internacionales de la experiencia extranjera (Estados Unidos, Reino Unido), organismos multilaterales (Naciones Unidas, OCDE) y diversas normas o documentos de gestión (ISO 37001, ISO 31010, ISO 19600, UNE 19601, COSO ERM 2017).