CGU’s Institutional Strengthening & What It Means for Companies

Following the initiatives adopted over the past years, the Brazilian General Comptroller’s Office issued key announcements on Brazil’s Integrity Day (10 September 2025), significantly reinforcing its institutional role in promoting integrity. While multijurisdictional investigations have not been its primary focus, this framework strengthens preventive controls, harmonizes sanctioning criteria, and improves coordination with other bodies—laying the foundation for more robust enforcement (including across borders) in the future.

 

WHAT HAS CHANGED – KEY ANNOUNCEMENTS ON CGU’S INTEGRITY DAY

 

Eight Administrative Announcements (September 2025)

Published through Portaria 3.032/2025, these Enunciados consolidate CGU’s interpretations under the Anti-Corruption Law (Law 12.846/2013) and Decree 11.129/2022. Key points include:

 

• Temporal reach of Decree 11.129/2022: its sanctioning provisions apply even to facts occurring before its enactment.
  
  
• Definition of undue advantage: broadened to include gifts and hospitality, which may only be accepted if linked to an institutional interest and subject to objective value limits.
• Mandatory cumulation of sanctions: whenever a company is sanctioned with a fine, the sanction of publishing the condemnatory decision must also be imposed.

 

Leniency Agreements – Public Consultation (July–August 2025)

CGU and the Federal Attorney General’s Office (AGU) launched a consultation on a new joint Ordinance (“Portaria”) to replace the Portaria 4/2019. The draft is expected at the end of September, and it includes clearer rules for marker requests, voluntary disclosure, calculation of undue benefit, treatment of confidential data, and safeguards against double penalties.

 

Our firm submitted key contributions to the public consultation with comments stressing the need for legal certainty and predictability, incentives for self-disclosure, transparency, and confidentiality, among others, which can be found here.

 

Integrity Programs in Public Procurement

Through Law 14.133/2021 and Decree 12.304/2024, compliance programs have become mandatory in high-value contracts, serve as tie-breaking criteria, and are a condition for the requalification of sanctioned companies. The CGU has just launched Portaria 226/2025, which regulates the Decree by defining procedures, criteria, and methodology for the evaluation of integrity programs in these scenarios. According to the CGU, if a contracted company does not submit the required documentation or fails to implement it according to the threshold, there are consequences, such as disqualification from bidding, contracts, or inability to reinstate the company’s eligibility. Also, misrepresentation or false declarations in connection with program evaluation can lead to administrative liability.

Importantly, CGU has also been encouraging state and municipal authorities to adopt similar parameters. This is particularly relevant in Brazil, where 70% of municipalities have fewer than 20,000 inhabitants, and, at the local level, procurement standards are often less rigorous, creating higher exposure to irregularities. Companies involved in municipal or regional contracting should therefore expect increased scrutiny and proactively adapt their compliance structures.

Project Helene – Data-Driven Supplier Risk (Oracle–CGU–OECD)

Following a presentation at the GACIF/OECD in March, CGU and Oracle officially launched Project Helene during Integrity Day. This Project is a joint initiative by CGU and Oracle, under the OECD’s Tech-Connect for Integrity program.

• It uses open datasets and machine-learning models (Oracle Cloud Infrastructure) to profile companies previously sanctioned by CGU and to predict the likelihood that other suppliers could face sanctions.
  
  
• In practice, Helene supports risk-based triage in public procurement and signals that third-party due diligence in Brazil is moving toward predictive analytics and greater transparency in feature engineering.
  
  

You can find Project Helene’s report here: OECD/Oracle–CGU report EN version | PT version


Enforcement in Practice – Record of Administrative Proceedings (PARS)

In September 2025, the CGU opened 40 Administrative Proceedings of Liability (Processos Administrativos de Responsabilização – PARs) in connection with unlawful payroll deductions at the National Social Security Institute (INSS). This surge underscores that enforcement is no longer confined to high-profile corruption scandals but now reaches systemic, day-to-day practices directly impacting citizens. As a result, the CGU reached in September this year the historic record of 76 PARs initiated in 2024 — the highest in its history — a milestone driven mainly by these INSS-related cases.

 

WHY IT MATTERS – PRACTICAL IMPACTS FOR COMPANIES

• Fines & Sanctions Become More Quantifiable and Transparent: The Enunciados, together with the Second version of the Dosimetry Report (May 2025), provide empirical data on how CGU identifies as undue advantage, applies factors and reductions, allowing companies to benchmark risk and provision more accurately.

 

• Third-Party & Supplier Risk under Greater Scrutiny: Project Helene and successor liability rules mean stricter due diligence obligations on supply chains and transactions.

 

• Procurement & Contractual Strategy Must Align with Integrity Requirements: Compliance programs are mandatory for large-value contracts, decisive in tie-breaks, and required for requalification after sanction.

 

• Reputational & Operational Risks Amplified: INSS-related PARs show risks extend beyond headline corruption into systemic practices, requiring stronger data governance and partner management.

 

• More Predictable Leniency Framework: The forthcoming Portaria on Leniency Agreements, after consultation, standardizes procedures and clarifies negotiation rules, improving legal certainty and timing for companies. This Portaria, in addition to new cooperation initiatives, such as the Cooperation Agreement (ACT) between CGU/AGU and the MPF, as well as ongoing discussions with CADE, will contribute to incentivizing self-disclosure.

 

RECOMMENDED ACTIONS FOR CLIENTS

• Carefully review compliance program effectiveness: Ensure that policies, training, reporting channels, and monitoring mechanisms can be objectively demonstrated. In Brazil, regulators increasingly demand evidence of effectiveness (e.g., disciplinary records, monitoring reports, documented remediation), not only formal codes or policies.
• Use dosimetry data to model potential financial exposure: Apply the parameters from CGU’s Dosimetry Report to simulate sanction outcomes under different scenarios (e.g., with and without mitigating factors such as cooperation or an effective integrity program). It allows for more accurate provisioning in financial statements and calibration of D&O and liability insurance.
  
  
• Prepare procurement documentation across subsidiaries and consortia: For public contracts, companies must prove that all group entities and consortium partners maintain integrity programs aligned with CGU standards. Document internal controls, ethics training, and compliance certifications in advance so that they can be readily submitted during bidding or requalification.
  
  
• Strengthen supplier and partner due diligence: Expand due diligence processes to capture the CGU’s broadened definition of undue advantages (including gifts and hospitality) and potential successor liability. Incorporate red-flag monitoring, beneficial ownership checks, and automated risk screening—particularly relevant for sectors heavily engaged in government procurement.
  
  
• Reassess policies on gifts, hospitality, and sponsorships: Align internal guidelines with CGU’s Enunciados, which now only allow gifts and hospitality if tied to a legitimate institutional interest and subject to objective limits. Communicate these boundaries to commercial and operational teams to avoid inadvertent breaches.
  
  
• Engage with upcoming leniency regulation: Monitor the final text of the new joint CGU/AGU Portaria and consider active participation in public consultations. Companies should also rehearse internal protocols for marker requests, voluntary disclosures, and calculation of undue benefits, to be ready for swift decision-making in case of investigation.
  
  
• Enhance governance over data and consumer-facing processes: The INSS case illustrates how irregularities in mass processes can trigger PARs. Companies should reinforce data protection, consent management, and complaint-handling mechanisms to mitigate the risk of widespread administrative liability.