Crisis Management for Law Firms

26 February 2026

  • Canada
  • Compliance
  • Litigation
  • White collar crime

Trust is the only thing a law firm sells.

It takes years to build a reputation and minutes to damage it. In a crisis, that reality becomes visible. Client calls increase. Internal questions surface. Reporters start asking questions. Recruiters take note.

What begins as an individual lapse, a client controversy, or an internal weakness quickly becomes a communications test. How leadership responds, who speaks, and how consistently the message is delivered will determine how the firm is judged.

Crisis management in a law firm is not primarily a legal problem. It is a leadership problem, expressed through communication.

The Added Complexity Facing Modern Firms

Legal practice is more exposed than it was even a decade ago. Firms operate across jurisdictions and serve sophisticated clients. Expectations about transparency and accountability are not the same everywhere. What sounds careful in one jurisdiction can sound evasive in another.

When something goes wrong, reactions do not stay local. Clients, regulators, employees, and the media may all respond at the same time, often in different markets. If offices or practice groups answer differently, confusion grows and scrutiny increases.

Staying silent rarely helps. If the firm does not explain what is happening, it loses control of the narrative.

Where Law Firm Crises Begin

Most law firm crises originate in one of three areas:

  1. Individual behaviour
  2. Client-related risk
  3. Systemic issues within the firm itself

Individual misconduct is usually the most visible.

Widely reported cases in recent years involving senior partners at major firms have followed a familiar pattern. An incident at a firm event is initially treated as isolated. Leadership hesitates, weighing relationships and reputational risk. Within weeks, the issue moves beyond the room. Focus shifts from the conduct itself to how the firm responded. What began as a behavioural issue becomes a test of leadership judgment.

Hesitation changes the narrative. Once that shift occurs, the firm is no longer addressing behaviour. It is defending its decision not to act.

Technology has created a different kind of exposure. Several firms have faced scrutiny after courts or opposing counsel identified AI-generated citations that did not exist. Internally, the explanation was familiar. A junior lawyer relied on a tool. Supervision was assumed rather than confirmed. Externally, those details mattered far less than the perception that basic controls had failed.

The communications challenge is not explaining how the error occurred. It is addressing the confidence gap that follows. Courts and clients do not reward technical explanations when oversight appears weak.

Client-related crises are often the most difficult to navigate publicly.

Firms may believe that engagement letters create a buffer between client and firm. In practice, when a client becomes controversial, that distance collapses. Media coverage rarely distinguishes between legal advice and endorsement. Once the firm’s name appears in the same headline, it becomes part of the story.

Communications strategy must reflect the fact that clients, regulators, employees, and journalists will interpret the situation through different lenses. A single message rarely satisfies all of them.

Systemic and cultural issues present a different communications risk.

Pay disparities, unclear promotion criteria, tolerance of poor behaviour, or weak reporting channels often develop over time. When lawyers leave and speak openly about their experiences, internal issues become external narratives. Culture becomes part of the firm’s public identity.

What a firm can say credibly in a crisis depends on what it has done consistently before one. Reputation limits the range of believable responses.

* * *

Where Law Firm Crisis Communications Often Falters

Lawyers are trained to be careful and precise. That is usually a strength. However, in a crisis, it can backfire. Statements may be technically accurate, but they leave obvious questions unanswered.

The pattern is familiar. A carefully worded statement is released. Reporters and clients focus on what was not said. Follow-up questions arrive. Another clarification is issued. Each round keeps the story alive. What felt prudent inside the firm can look like hesitation from the outside.

Mixed messaging makes things worse. Different partners speak to different audiences. Offices respond on their own. Legal advice and communications advice are not aligned. The result is inconsistency, and inconsistency weakens credibility.

In a reputational crisis, people form views quickly. Once confidence slips, it is hard to rebuild.

What Effective Law Firm Crisis Communications Looks Like

Effective crisis communications is disciplined and coordinated. It begins with a clear understanding of what is known, what is not known, and what can responsibly be said. Acknowledging facts early, without speculation, builds credibility. Overstatement creates risk. Evasion creates suspicion.

Decisions reinforce messages. Policy changes, leadership actions, or the appointment of an independent investigator often carry more weight than carefully chosen language.

Structure matters. One spokesperson. Clear internal guidance. Alignment between leadership, legal counsel, and communications advisors. Without that alignment, even strong decisions can appear uncertain.

Above all, the institution must come first. Communications strategies that appear designed to protect a single individual at the expense of the firm tend to fail. That risk is greatest when senior figures are involved. Allegations concerning senior partners attract heightened scrutiny and test whether the firm’s standards apply consistently or only when convenient.

Externally, the focus should remain on process and oversight rather than contested detail. Internally, communication must reduce speculation while respecting confidentiality. The objective is to demonstrate that the firm’s standards apply consistently.

Anything less invites doubt.

Crisis as a Communications Test

Every crisis ultimately becomes a communications test.

The underlying issue matters. So does how leadership responds, how consistently it speaks, and whether actions align with words.

Firms that respond with clarity, fairness, and coordination are more likely to preserve trust, even in serious situations. Firms that respond slowly or unevenly often extend the story and deepen reputational harm.

Crisis communications is not about spin. It is about protecting credibility when it is under pressure. And for law firms, that credibility is the business.

Since Brazil’s General Data Protection Law (LGPD) came into force in 2020, the country has taken steady steps to solidify its data protection framework. The Brazilian National Data Protection Authority (ANPD) has become an increasingly active regulator, issuing guidelines that clarify key roles and responsibilities under the LGPD.

One of the most recent and significant developments is ANPD Resolution No. 18, which defines the scope, duties, and governance expectations for Data Protection Officers (DPOs) in Brazil. While the DPO role was already part of the LGPD, this resolution sharpens the regulatory focus and introduces new formalities and responsibilities—especially relevant for multinational companies operating in Brazil.

Here’s what foreign businesses and their counsel need to know—and do—to remain in compliance:

DPO Appointment Must Be Formal and Documented

The DPO must be formally appointed by the data controller through a written, dated, and signed document. This document must outline the DPO’s activities and duties, and must be readily available to the ANPD upon request. This is not a formality to overlook: an undocumented DPO designation could lead to enforcement risks.

Backup Required: Designate a Substitute DPO

While small data controllers are often exempt from appointing a DPO, the Resolution requires that they still establish a reliable communication channel for data subjects—ensuring the exercise of data protection rights. This applies even to subsidiaries or low-volume processors.

Disclose DPO Identity Publicly

Companies must publish the DPO’s name and contact details prominently on their website. For corporate DPOs, the name of the legal entity and the responsible individual must be disclosed. This is a public-facing requirement—easily verifiable by the ANPD or data subjects.

Controllers Must Empower the DPO

Brazilian law now places affirmative obligations on data controllers to provide the DPO with adequate resources and autonomy. This includes access to senior leadership and freedom from interference, especially in decision-making related to data protection.

Identity and contact information

The data controller must publicly disclose, in a prominent and easily accessible location on their website, the DPO’s identity and contact details. At a minimum, this should include (i) full name, for individuals; or the business name/title of the entity + full name of the responsible person, for legal entities; and (iii) information on communication means enabling the exercise of data subject rights and receiving communications from the ANPD.

Key DPO Responsibilities

  • Responding to data subject complaints
  • Interfacing with the ANPD
  • Advising on incident response, data mapping, DPIAs, and internal policies
  • Promoting internal awareness and training
  • Ensuring risk mitigation strategies are in place

These obligations are not merely symbolic—they may require dedicated local support and a carefully structured compliance program.

No Strict Liability, But Conflict of Interest Rules Apply

DPOs are not personally liable for the controller’s actions. However, conflicts of interest must be proactively managed. A DPO cannot simultaneously hold a role involving strategic decisions about the processing of personal data—unless directly related to their duties.

Multinational organizations must take care when appointing global or regional DPOs with overlapping roles to avoid compliance pitfalls.

Failure to Comply Can Trigger Enforcement

If conflicts are not disclosed, or DPOs are inadequately appointed, the ANPD may apply sanctions. Controllers must document their decision-making, implement conflict-mitigation measures, or appoint alternative professionals when needed.

Final Thoughts: Legal Risk or Strategic Advantage?

With Resolution No. 18, Brazil aligns more closely with global data protection regimes, but with its own unique requirements. For foreign companies, the message is clear: the DPO role in Brazil is a regulatory obligation—not just a best practice.

Properly structuring this role offers not only legal certainty, but also the opportunity to demonstrate accountability and build trust with Brazilian consumers and regulators alike.

For international counsel, this is a strategic area where legal guidance is not just helpful—it’s essential.

Summary

The Loi visant principalement à améliorer la transparence des entreprises came into force in Québec on March 31, 2023, imposing new obligations on businesses in the province. The law requires businesses to disclose information about their ultimate beneficial owners (UBOs) to the Registraire des entreprises. UBOs are individuals who possess voting rights, fair market value of shares, or de facto control over the business. Certain entities are exempt from disclosing their UBOs. The information disclosed will be accessible to the public, except for the date of birth and, in some cases, the home address.

On March 31, 2023, the Loi visant principalement à améliorer la transparence des entreprises (Act mainly to improve the transparency of enterprises) came into force in Québec, imposing new obligations for businesses in the province.

The new law modifies the Loi sur la publicité légale des entreprises (Act respecting the legal publicity of entreprises) and seeks to increase corporate transparency, namely by requiring businesses to provide to the Registraire des entreprises (the “REQ”) information about their bénéficiaires ultimes, i.e. ultimate beneficial owners (“UBO”).

An UBO is, namely, any individual who:

  • possesses at least 25% of voting rights;
  • possesses at least 25% of the fair market value of all shares; or
  • has enough influence to exercise de facto control of the business.

All UBOs of a business must be disclosed, although some entities such as non-profit organizations, legal persons established in public interest, public corporations, financial institutions and trust companies are not required to disclose their UBOs. For every UBO, the following information is required to be communicated to the REQ:

  • names and aliases;
  • home address (and optionally, business address);
  • date of birth;
  • type of control exercised or percentage of shares, interests, or units held;
  • date at which he/she became an UBO and date at which he/she ceased to be one.

Most of this information will be accessible to the public, with the exceptions of the date of birth and, in cases where a business address is provided, the home address. The names and home addresses of minors are also hidden from public access.

By providing access to shareholder information, the Province of Québec was already the only Canadian corporate jurisdiction that required public disclosure of the names and domiciles of the three principal shareholders. The province again takes the lead by forcing disclosure of corporations’ UBOs. For now, in the rest of Canada, the identity of UBOs for privately held companies is not a matter of public record.

Entities doing business in Québec should ensure to conduct a proper examination of their organizational structure, so as to correctly and fully disclose the information required by the new transparency rules. Any failure to do so can lead to immediate revocation of the business’ registration under the REQ, as well as to fines ranging from CAD 1,000 to CAD 40,000.

The new rules only require the businesses themselves to take the necessary measures to confirm the identities of their UBOs. Professional advisers do not have any due diligence obligations in this regard.

The purpose of this post is to provide information about (i) the need of Brazilian companies for providing the Country-by-Country Reporting pursuant to the OECD Rules, Action 13 of the Base Erosion and Profit Shifting Actions (“BEPS Actions”) and (ii) the need to disclose the name of the final beneficial owner of entities with equity participation in Brazilian companies, or owners of assets in Brazil.

Country-by-Country Reporting Regulation

Normative Instruction RFB No. 1681 (“IN 1681/2016”) established the rules for the Brazilian companies to be compliant with the Country-by-Country Reporting Regulation (“CbCR”). The CbCR shall be presented annually considering the financial results of the previous fiscal year, as part of the fiscal declaration (ECF, which includes the information related to the corporate tax income return). Such declaration should be filled in accordingly with the list of mandatory information determined by IN 1681/2016 and pursuant to RFB Normative Instruction No. 1,422, of December 19, 2013.

The CbCR is the result of the BEPS Project (Base Erosion and Profit Shifting) of the OECD’s initiative, contained in Action 13 of the BEPS Actions, aiming the enhancement of transparency while taking into consideration compliance costs.

Multinational groups are obliged to deliver the CbCR if consolidated revenues for the fiscal year preceding the tax year of the declaration are equal to or greater than BRL 2.26 billion (or 750 million Euros, or if the local currency of the final controller of the group is equivalent to the mentioned amounts, as of January 31, 2015).

The Brazilian subsidiary is (or may be considered) a substitute of the final controller and, as such, bound to fulfill the CbCR in the following cases:

  • it is the final controller of the multinational group is not obliged to deliver the CbCR in its jurisdiction of residence;
  • the jurisdiction where the ultimate controller is located has signed an international agreement with Brazil, however, still not ratified by the competent authorities before the deadline for delivering the CbCR; or
  • there has been a systemic failure of the jurisdiction of residence of the final controller of the multinational group that has been notified by the Brazilian Federal Revenue Office to the resident entity for tax purposes in Brazil.

In case the Brazilian subsidiary is exempt from submitting the CbCR, it will still need to provide the identification and the jurisdiction of residence for tax purposes of its parent company.

The deadline for providing the information will be the date for completing the ECF, to expire on 30 July 2018 for the fiscal year 2017. Failure to comply will expose the Brazilian subsidiary to the payment of a penalty of BRL 1,500.00 (USD 410 or EUR 340) per month. Submission of an incomplete CbCR may subject the Brazilian subsidiary a fine of 3% over the value omitted, inaccurate or incomplete.

Need to disclose beneficial ownership and how to do it

Brazilian companies are obliged to provide information on the person authorized to represent them, on the respective chain of equity interest, until the individuals characterized as final beneficial owner.

This information shall be provided when a Non-Brazilian entity present its application to obtain the Federal Corporate Taxpayers’ Registry (“CNPJ”). If the Non-Brazilian entity already has a CNPJ, it must update the CNPJ with the beneficial owner information by 31 December 2018.

Obtaining a CNPJ is mandatory for Non-Brazilian entities that have equity participation in Brazilian companies or other assets – financial investments, real estate, airplanes, ships, among others in Brazil.

This obligation is in force by means of the Brazilian Federal Revenue Office Normative Instruction No. 1634 (“IN 1634/2016“). IN 1634/2016 contains a list of information to be provided and documents to be delivered for that purpose.

On October 25, 2017, the procedure became mandatory also for Brazilian entities after publication of the ADE COCAD (Executive Declaratory Act – Registration Management General Coordination) No. 9/2017.

Fail to comply with the procedure can result in suspension of the CNPJ. This suspension could result in inability to execute bank transactions, financial investments and obtaining loans and, ultimately, prevent the remittance of dividends to other countries or even the receipt of funds by means of a loan or capital injection from the respective parent companies abroad.

Such information is not protected under fiscal secrecy, but the public employees shall not disclose this information pursuant to functional obligation of not disclosing information unless if summoned by court order.

The requirement for presenting the information on the beneficial owner is already familiar for investors in Brazil. The Brazilian financial institutions are responsible for obtaining information of their client up until the beneficial owner, pursuant to Circular Letter No. 3.461/2009 of the Brazilian Central Bank. The information provided to financial institutions are subject to bank secrecy.

These Brazilian financial institutions are severe on the provision and updating on the foreign parent companies. It is usual for companies with foreign shareholders to receive notices and warnings of possible blocking or closing the accounts if the required documents are not presented in full.

The author of this article is Paulo Yamaguchi

Larry Markowitz

Practice areas

  • Corporate
  • Private Equity
  • Start-up
Contact Larry

Contact Larry





    Read the privacy policy of Legalmondo.
    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

    Brazil | DPO Requirements – What foreign companies must do to stay compliant

    13 April 2025

    • Brazil
    • Compliance
    • Privacy - Data Protection

    Trust is the only thing a law firm sells.

    It takes years to build a reputation and minutes to damage it. In a crisis, that reality becomes visible. Client calls increase. Internal questions surface. Reporters start asking questions. Recruiters take note.

    What begins as an individual lapse, a client controversy, or an internal weakness quickly becomes a communications test. How leadership responds, who speaks, and how consistently the message is delivered will determine how the firm is judged.

    Crisis management in a law firm is not primarily a legal problem. It is a leadership problem, expressed through communication.

    The Added Complexity Facing Modern Firms

    Legal practice is more exposed than it was even a decade ago. Firms operate across jurisdictions and serve sophisticated clients. Expectations about transparency and accountability are not the same everywhere. What sounds careful in one jurisdiction can sound evasive in another.

    When something goes wrong, reactions do not stay local. Clients, regulators, employees, and the media may all respond at the same time, often in different markets. If offices or practice groups answer differently, confusion grows and scrutiny increases.

    Staying silent rarely helps. If the firm does not explain what is happening, it loses control of the narrative.

    Where Law Firm Crises Begin

    Most law firm crises originate in one of three areas:

    1. Individual behaviour
    2. Client-related risk
    3. Systemic issues within the firm itself

    Individual misconduct is usually the most visible.

    Widely reported cases in recent years involving senior partners at major firms have followed a familiar pattern. An incident at a firm event is initially treated as isolated. Leadership hesitates, weighing relationships and reputational risk. Within weeks, the issue moves beyond the room. Focus shifts from the conduct itself to how the firm responded. What began as a behavioural issue becomes a test of leadership judgment.

    Hesitation changes the narrative. Once that shift occurs, the firm is no longer addressing behaviour. It is defending its decision not to act.

    Technology has created a different kind of exposure. Several firms have faced scrutiny after courts or opposing counsel identified AI-generated citations that did not exist. Internally, the explanation was familiar. A junior lawyer relied on a tool. Supervision was assumed rather than confirmed. Externally, those details mattered far less than the perception that basic controls had failed.

    The communications challenge is not explaining how the error occurred. It is addressing the confidence gap that follows. Courts and clients do not reward technical explanations when oversight appears weak.

    Client-related crises are often the most difficult to navigate publicly.

    Firms may believe that engagement letters create a buffer between client and firm. In practice, when a client becomes controversial, that distance collapses. Media coverage rarely distinguishes between legal advice and endorsement. Once the firm’s name appears in the same headline, it becomes part of the story.

    Communications strategy must reflect the fact that clients, regulators, employees, and journalists will interpret the situation through different lenses. A single message rarely satisfies all of them.

    Systemic and cultural issues present a different communications risk.

    Pay disparities, unclear promotion criteria, tolerance of poor behaviour, or weak reporting channels often develop over time. When lawyers leave and speak openly about their experiences, internal issues become external narratives. Culture becomes part of the firm’s public identity.

    What a firm can say credibly in a crisis depends on what it has done consistently before one. Reputation limits the range of believable responses.

    * * *

    Where Law Firm Crisis Communications Often Falters

    Lawyers are trained to be careful and precise. That is usually a strength. However, in a crisis, it can backfire. Statements may be technically accurate, but they leave obvious questions unanswered.

    The pattern is familiar. A carefully worded statement is released. Reporters and clients focus on what was not said. Follow-up questions arrive. Another clarification is issued. Each round keeps the story alive. What felt prudent inside the firm can look like hesitation from the outside.

    Mixed messaging makes things worse. Different partners speak to different audiences. Offices respond on their own. Legal advice and communications advice are not aligned. The result is inconsistency, and inconsistency weakens credibility.

    In a reputational crisis, people form views quickly. Once confidence slips, it is hard to rebuild.

    What Effective Law Firm Crisis Communications Looks Like

    Effective crisis communications is disciplined and coordinated. It begins with a clear understanding of what is known, what is not known, and what can responsibly be said. Acknowledging facts early, without speculation, builds credibility. Overstatement creates risk. Evasion creates suspicion.

    Decisions reinforce messages. Policy changes, leadership actions, or the appointment of an independent investigator often carry more weight than carefully chosen language.

    Structure matters. One spokesperson. Clear internal guidance. Alignment between leadership, legal counsel, and communications advisors. Without that alignment, even strong decisions can appear uncertain.

    Above all, the institution must come first. Communications strategies that appear designed to protect a single individual at the expense of the firm tend to fail. That risk is greatest when senior figures are involved. Allegations concerning senior partners attract heightened scrutiny and test whether the firm’s standards apply consistently or only when convenient.

    Externally, the focus should remain on process and oversight rather than contested detail. Internally, communication must reduce speculation while respecting confidentiality. The objective is to demonstrate that the firm’s standards apply consistently.

    Anything less invites doubt.

    Crisis as a Communications Test

    Every crisis ultimately becomes a communications test.

    The underlying issue matters. So does how leadership responds, how consistently it speaks, and whether actions align with words.

    Firms that respond with clarity, fairness, and coordination are more likely to preserve trust, even in serious situations. Firms that respond slowly or unevenly often extend the story and deepen reputational harm.

    Crisis communications is not about spin. It is about protecting credibility when it is under pressure. And for law firms, that credibility is the business.

    Since Brazil’s General Data Protection Law (LGPD) came into force in 2020, the country has taken steady steps to solidify its data protection framework. The Brazilian National Data Protection Authority (ANPD) has become an increasingly active regulator, issuing guidelines that clarify key roles and responsibilities under the LGPD.

    One of the most recent and significant developments is ANPD Resolution No. 18, which defines the scope, duties, and governance expectations for Data Protection Officers (DPOs) in Brazil. While the DPO role was already part of the LGPD, this resolution sharpens the regulatory focus and introduces new formalities and responsibilities—especially relevant for multinational companies operating in Brazil.

    Here’s what foreign businesses and their counsel need to know—and do—to remain in compliance:

    DPO Appointment Must Be Formal and Documented

    The DPO must be formally appointed by the data controller through a written, dated, and signed document. This document must outline the DPO’s activities and duties, and must be readily available to the ANPD upon request. This is not a formality to overlook: an undocumented DPO designation could lead to enforcement risks.

    Backup Required: Designate a Substitute DPO

    While small data controllers are often exempt from appointing a DPO, the Resolution requires that they still establish a reliable communication channel for data subjects—ensuring the exercise of data protection rights. This applies even to subsidiaries or low-volume processors.

    Disclose DPO Identity Publicly

    Companies must publish the DPO’s name and contact details prominently on their website. For corporate DPOs, the name of the legal entity and the responsible individual must be disclosed. This is a public-facing requirement—easily verifiable by the ANPD or data subjects.

    Controllers Must Empower the DPO

    Brazilian law now places affirmative obligations on data controllers to provide the DPO with adequate resources and autonomy. This includes access to senior leadership and freedom from interference, especially in decision-making related to data protection.

    Identity and contact information

    The data controller must publicly disclose, in a prominent and easily accessible location on their website, the DPO’s identity and contact details. At a minimum, this should include (i) full name, for individuals; or the business name/title of the entity + full name of the responsible person, for legal entities; and (iii) information on communication means enabling the exercise of data subject rights and receiving communications from the ANPD.

    Key DPO Responsibilities

    • Responding to data subject complaints
    • Interfacing with the ANPD
    • Advising on incident response, data mapping, DPIAs, and internal policies
    • Promoting internal awareness and training
    • Ensuring risk mitigation strategies are in place

    These obligations are not merely symbolic—they may require dedicated local support and a carefully structured compliance program.

    No Strict Liability, But Conflict of Interest Rules Apply

    DPOs are not personally liable for the controller’s actions. However, conflicts of interest must be proactively managed. A DPO cannot simultaneously hold a role involving strategic decisions about the processing of personal data—unless directly related to their duties.

    Multinational organizations must take care when appointing global or regional DPOs with overlapping roles to avoid compliance pitfalls.

    Failure to Comply Can Trigger Enforcement

    If conflicts are not disclosed, or DPOs are inadequately appointed, the ANPD may apply sanctions. Controllers must document their decision-making, implement conflict-mitigation measures, or appoint alternative professionals when needed.

    Final Thoughts: Legal Risk or Strategic Advantage?

    With Resolution No. 18, Brazil aligns more closely with global data protection regimes, but with its own unique requirements. For foreign companies, the message is clear: the DPO role in Brazil is a regulatory obligation—not just a best practice.

    Properly structuring this role offers not only legal certainty, but also the opportunity to demonstrate accountability and build trust with Brazilian consumers and regulators alike.

    For international counsel, this is a strategic area where legal guidance is not just helpful—it’s essential.

    Summary

    The Loi visant principalement à améliorer la transparence des entreprises came into force in Québec on March 31, 2023, imposing new obligations on businesses in the province. The law requires businesses to disclose information about their ultimate beneficial owners (UBOs) to the Registraire des entreprises. UBOs are individuals who possess voting rights, fair market value of shares, or de facto control over the business. Certain entities are exempt from disclosing their UBOs. The information disclosed will be accessible to the public, except for the date of birth and, in some cases, the home address.

    On March 31, 2023, the Loi visant principalement à améliorer la transparence des entreprises (Act mainly to improve the transparency of enterprises) came into force in Québec, imposing new obligations for businesses in the province.

    The new law modifies the Loi sur la publicité légale des entreprises (Act respecting the legal publicity of entreprises) and seeks to increase corporate transparency, namely by requiring businesses to provide to the Registraire des entreprises (the “REQ”) information about their bénéficiaires ultimes, i.e. ultimate beneficial owners (“UBO”).

    An UBO is, namely, any individual who:

    • possesses at least 25% of voting rights;
    • possesses at least 25% of the fair market value of all shares; or
    • has enough influence to exercise de facto control of the business.

    All UBOs of a business must be disclosed, although some entities such as non-profit organizations, legal persons established in public interest, public corporations, financial institutions and trust companies are not required to disclose their UBOs. For every UBO, the following information is required to be communicated to the REQ:

    • names and aliases;
    • home address (and optionally, business address);
    • date of birth;
    • type of control exercised or percentage of shares, interests, or units held;
    • date at which he/she became an UBO and date at which he/she ceased to be one.

    Most of this information will be accessible to the public, with the exceptions of the date of birth and, in cases where a business address is provided, the home address. The names and home addresses of minors are also hidden from public access.

    By providing access to shareholder information, the Province of Québec was already the only Canadian corporate jurisdiction that required public disclosure of the names and domiciles of the three principal shareholders. The province again takes the lead by forcing disclosure of corporations’ UBOs. For now, in the rest of Canada, the identity of UBOs for privately held companies is not a matter of public record.

    Entities doing business in Québec should ensure to conduct a proper examination of their organizational structure, so as to correctly and fully disclose the information required by the new transparency rules. Any failure to do so can lead to immediate revocation of the business’ registration under the REQ, as well as to fines ranging from CAD 1,000 to CAD 40,000.

    The new rules only require the businesses themselves to take the necessary measures to confirm the identities of their UBOs. Professional advisers do not have any due diligence obligations in this regard.

    The purpose of this post is to provide information about (i) the need of Brazilian companies for providing the Country-by-Country Reporting pursuant to the OECD Rules, Action 13 of the Base Erosion and Profit Shifting Actions (“BEPS Actions”) and (ii) the need to disclose the name of the final beneficial owner of entities with equity participation in Brazilian companies, or owners of assets in Brazil.

    Country-by-Country Reporting Regulation

    Normative Instruction RFB No. 1681 (“IN 1681/2016”) established the rules for the Brazilian companies to be compliant with the Country-by-Country Reporting Regulation (“CbCR”). The CbCR shall be presented annually considering the financial results of the previous fiscal year, as part of the fiscal declaration (ECF, which includes the information related to the corporate tax income return). Such declaration should be filled in accordingly with the list of mandatory information determined by IN 1681/2016 and pursuant to RFB Normative Instruction No. 1,422, of December 19, 2013.

    The CbCR is the result of the BEPS Project (Base Erosion and Profit Shifting) of the OECD’s initiative, contained in Action 13 of the BEPS Actions, aiming the enhancement of transparency while taking into consideration compliance costs.

    Multinational groups are obliged to deliver the CbCR if consolidated revenues for the fiscal year preceding the tax year of the declaration are equal to or greater than BRL 2.26 billion (or 750 million Euros, or if the local currency of the final controller of the group is equivalent to the mentioned amounts, as of January 31, 2015).

    The Brazilian subsidiary is (or may be considered) a substitute of the final controller and, as such, bound to fulfill the CbCR in the following cases:

    • it is the final controller of the multinational group is not obliged to deliver the CbCR in its jurisdiction of residence;
    • the jurisdiction where the ultimate controller is located has signed an international agreement with Brazil, however, still not ratified by the competent authorities before the deadline for delivering the CbCR; or
    • there has been a systemic failure of the jurisdiction of residence of the final controller of the multinational group that has been notified by the Brazilian Federal Revenue Office to the resident entity for tax purposes in Brazil.

    In case the Brazilian subsidiary is exempt from submitting the CbCR, it will still need to provide the identification and the jurisdiction of residence for tax purposes of its parent company.

    The deadline for providing the information will be the date for completing the ECF, to expire on 30 July 2018 for the fiscal year 2017. Failure to comply will expose the Brazilian subsidiary to the payment of a penalty of BRL 1,500.00 (USD 410 or EUR 340) per month. Submission of an incomplete CbCR may subject the Brazilian subsidiary a fine of 3% over the value omitted, inaccurate or incomplete.

    Need to disclose beneficial ownership and how to do it

    Brazilian companies are obliged to provide information on the person authorized to represent them, on the respective chain of equity interest, until the individuals characterized as final beneficial owner.

    This information shall be provided when a Non-Brazilian entity present its application to obtain the Federal Corporate Taxpayers’ Registry (“CNPJ”). If the Non-Brazilian entity already has a CNPJ, it must update the CNPJ with the beneficial owner information by 31 December 2018.

    Obtaining a CNPJ is mandatory for Non-Brazilian entities that have equity participation in Brazilian companies or other assets – financial investments, real estate, airplanes, ships, among others in Brazil.

    This obligation is in force by means of the Brazilian Federal Revenue Office Normative Instruction No. 1634 (“IN 1634/2016“). IN 1634/2016 contains a list of information to be provided and documents to be delivered for that purpose.

    On October 25, 2017, the procedure became mandatory also for Brazilian entities after publication of the ADE COCAD (Executive Declaratory Act – Registration Management General Coordination) No. 9/2017.

    Fail to comply with the procedure can result in suspension of the CNPJ. This suspension could result in inability to execute bank transactions, financial investments and obtaining loans and, ultimately, prevent the remittance of dividends to other countries or even the receipt of funds by means of a loan or capital injection from the respective parent companies abroad.

    Such information is not protected under fiscal secrecy, but the public employees shall not disclose this information pursuant to functional obligation of not disclosing information unless if summoned by court order.

    The requirement for presenting the information on the beneficial owner is already familiar for investors in Brazil. The Brazilian financial institutions are responsible for obtaining information of their client up until the beneficial owner, pursuant to Circular Letter No. 3.461/2009 of the Brazilian Central Bank. The information provided to financial institutions are subject to bank secrecy.

    These Brazilian financial institutions are severe on the provision and updating on the foreign parent companies. It is usual for companies with foreign shareholders to receive notices and warnings of possible blocking or closing the accounts if the required documents are not presented in full.

    The author of this article is Paulo Yamaguchi

    Leopoldo Pagotto

    Practice areas

    • Antitrust
    • Business Ethics and Compliance
    • Contracts
    • Corporate
    • Privacy and Data Security
    • White collar crime
    Contact Leopoldo

    Contact Leopoldo





      Read the privacy policy of Legalmondo.
      This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

      Québec’s New Transparency Rules for Businesses’ Ultimate Beneficial Owners

      24 May 2023

      • Québec
      • Compliance
      • Investments

      Trust is the only thing a law firm sells.

      It takes years to build a reputation and minutes to damage it. In a crisis, that reality becomes visible. Client calls increase. Internal questions surface. Reporters start asking questions. Recruiters take note.

      What begins as an individual lapse, a client controversy, or an internal weakness quickly becomes a communications test. How leadership responds, who speaks, and how consistently the message is delivered will determine how the firm is judged.

      Crisis management in a law firm is not primarily a legal problem. It is a leadership problem, expressed through communication.

      The Added Complexity Facing Modern Firms

      Legal practice is more exposed than it was even a decade ago. Firms operate across jurisdictions and serve sophisticated clients. Expectations about transparency and accountability are not the same everywhere. What sounds careful in one jurisdiction can sound evasive in another.

      When something goes wrong, reactions do not stay local. Clients, regulators, employees, and the media may all respond at the same time, often in different markets. If offices or practice groups answer differently, confusion grows and scrutiny increases.

      Staying silent rarely helps. If the firm does not explain what is happening, it loses control of the narrative.

      Where Law Firm Crises Begin

      Most law firm crises originate in one of three areas:

      1. Individual behaviour
      2. Client-related risk
      3. Systemic issues within the firm itself

      Individual misconduct is usually the most visible.

      Widely reported cases in recent years involving senior partners at major firms have followed a familiar pattern. An incident at a firm event is initially treated as isolated. Leadership hesitates, weighing relationships and reputational risk. Within weeks, the issue moves beyond the room. Focus shifts from the conduct itself to how the firm responded. What began as a behavioural issue becomes a test of leadership judgment.

      Hesitation changes the narrative. Once that shift occurs, the firm is no longer addressing behaviour. It is defending its decision not to act.

      Technology has created a different kind of exposure. Several firms have faced scrutiny after courts or opposing counsel identified AI-generated citations that did not exist. Internally, the explanation was familiar. A junior lawyer relied on a tool. Supervision was assumed rather than confirmed. Externally, those details mattered far less than the perception that basic controls had failed.

      The communications challenge is not explaining how the error occurred. It is addressing the confidence gap that follows. Courts and clients do not reward technical explanations when oversight appears weak.

      Client-related crises are often the most difficult to navigate publicly.

      Firms may believe that engagement letters create a buffer between client and firm. In practice, when a client becomes controversial, that distance collapses. Media coverage rarely distinguishes between legal advice and endorsement. Once the firm’s name appears in the same headline, it becomes part of the story.

      Communications strategy must reflect the fact that clients, regulators, employees, and journalists will interpret the situation through different lenses. A single message rarely satisfies all of them.

      Systemic and cultural issues present a different communications risk.

      Pay disparities, unclear promotion criteria, tolerance of poor behaviour, or weak reporting channels often develop over time. When lawyers leave and speak openly about their experiences, internal issues become external narratives. Culture becomes part of the firm’s public identity.

      What a firm can say credibly in a crisis depends on what it has done consistently before one. Reputation limits the range of believable responses.

      * * *

      Where Law Firm Crisis Communications Often Falters

      Lawyers are trained to be careful and precise. That is usually a strength. However, in a crisis, it can backfire. Statements may be technically accurate, but they leave obvious questions unanswered.

      The pattern is familiar. A carefully worded statement is released. Reporters and clients focus on what was not said. Follow-up questions arrive. Another clarification is issued. Each round keeps the story alive. What felt prudent inside the firm can look like hesitation from the outside.

      Mixed messaging makes things worse. Different partners speak to different audiences. Offices respond on their own. Legal advice and communications advice are not aligned. The result is inconsistency, and inconsistency weakens credibility.

      In a reputational crisis, people form views quickly. Once confidence slips, it is hard to rebuild.

      What Effective Law Firm Crisis Communications Looks Like

      Effective crisis communications is disciplined and coordinated. It begins with a clear understanding of what is known, what is not known, and what can responsibly be said. Acknowledging facts early, without speculation, builds credibility. Overstatement creates risk. Evasion creates suspicion.

      Decisions reinforce messages. Policy changes, leadership actions, or the appointment of an independent investigator often carry more weight than carefully chosen language.

      Structure matters. One spokesperson. Clear internal guidance. Alignment between leadership, legal counsel, and communications advisors. Without that alignment, even strong decisions can appear uncertain.

      Above all, the institution must come first. Communications strategies that appear designed to protect a single individual at the expense of the firm tend to fail. That risk is greatest when senior figures are involved. Allegations concerning senior partners attract heightened scrutiny and test whether the firm’s standards apply consistently or only when convenient.

      Externally, the focus should remain on process and oversight rather than contested detail. Internally, communication must reduce speculation while respecting confidentiality. The objective is to demonstrate that the firm’s standards apply consistently.

      Anything less invites doubt.

      Crisis as a Communications Test

      Every crisis ultimately becomes a communications test.

      The underlying issue matters. So does how leadership responds, how consistently it speaks, and whether actions align with words.

      Firms that respond with clarity, fairness, and coordination are more likely to preserve trust, even in serious situations. Firms that respond slowly or unevenly often extend the story and deepen reputational harm.

      Crisis communications is not about spin. It is about protecting credibility when it is under pressure. And for law firms, that credibility is the business.

      Since Brazil’s General Data Protection Law (LGPD) came into force in 2020, the country has taken steady steps to solidify its data protection framework. The Brazilian National Data Protection Authority (ANPD) has become an increasingly active regulator, issuing guidelines that clarify key roles and responsibilities under the LGPD.

      One of the most recent and significant developments is ANPD Resolution No. 18, which defines the scope, duties, and governance expectations for Data Protection Officers (DPOs) in Brazil. While the DPO role was already part of the LGPD, this resolution sharpens the regulatory focus and introduces new formalities and responsibilities—especially relevant for multinational companies operating in Brazil.

      Here’s what foreign businesses and their counsel need to know—and do—to remain in compliance:

      DPO Appointment Must Be Formal and Documented

      The DPO must be formally appointed by the data controller through a written, dated, and signed document. This document must outline the DPO’s activities and duties, and must be readily available to the ANPD upon request. This is not a formality to overlook: an undocumented DPO designation could lead to enforcement risks.

      Backup Required: Designate a Substitute DPO

      While small data controllers are often exempt from appointing a DPO, the Resolution requires that they still establish a reliable communication channel for data subjects—ensuring the exercise of data protection rights. This applies even to subsidiaries or low-volume processors.

      Disclose DPO Identity Publicly

      Companies must publish the DPO’s name and contact details prominently on their website. For corporate DPOs, the name of the legal entity and the responsible individual must be disclosed. This is a public-facing requirement—easily verifiable by the ANPD or data subjects.

      Controllers Must Empower the DPO

      Brazilian law now places affirmative obligations on data controllers to provide the DPO with adequate resources and autonomy. This includes access to senior leadership and freedom from interference, especially in decision-making related to data protection.

      Identity and contact information

      The data controller must publicly disclose, in a prominent and easily accessible location on their website, the DPO’s identity and contact details. At a minimum, this should include (i) full name, for individuals; or the business name/title of the entity + full name of the responsible person, for legal entities; and (iii) information on communication means enabling the exercise of data subject rights and receiving communications from the ANPD.

      Key DPO Responsibilities

      • Responding to data subject complaints
      • Interfacing with the ANPD
      • Advising on incident response, data mapping, DPIAs, and internal policies
      • Promoting internal awareness and training
      • Ensuring risk mitigation strategies are in place

      These obligations are not merely symbolic—they may require dedicated local support and a carefully structured compliance program.

      No Strict Liability, But Conflict of Interest Rules Apply

      DPOs are not personally liable for the controller’s actions. However, conflicts of interest must be proactively managed. A DPO cannot simultaneously hold a role involving strategic decisions about the processing of personal data—unless directly related to their duties.

      Multinational organizations must take care when appointing global or regional DPOs with overlapping roles to avoid compliance pitfalls.

      Failure to Comply Can Trigger Enforcement

      If conflicts are not disclosed, or DPOs are inadequately appointed, the ANPD may apply sanctions. Controllers must document their decision-making, implement conflict-mitigation measures, or appoint alternative professionals when needed.

      Final Thoughts: Legal Risk or Strategic Advantage?

      With Resolution No. 18, Brazil aligns more closely with global data protection regimes, but with its own unique requirements. For foreign companies, the message is clear: the DPO role in Brazil is a regulatory obligation—not just a best practice.

      Properly structuring this role offers not only legal certainty, but also the opportunity to demonstrate accountability and build trust with Brazilian consumers and regulators alike.

      For international counsel, this is a strategic area where legal guidance is not just helpful—it’s essential.

      Summary

      The Loi visant principalement à améliorer la transparence des entreprises came into force in Québec on March 31, 2023, imposing new obligations on businesses in the province. The law requires businesses to disclose information about their ultimate beneficial owners (UBOs) to the Registraire des entreprises. UBOs are individuals who possess voting rights, fair market value of shares, or de facto control over the business. Certain entities are exempt from disclosing their UBOs. The information disclosed will be accessible to the public, except for the date of birth and, in some cases, the home address.

      On March 31, 2023, the Loi visant principalement à améliorer la transparence des entreprises (Act mainly to improve the transparency of enterprises) came into force in Québec, imposing new obligations for businesses in the province.

      The new law modifies the Loi sur la publicité légale des entreprises (Act respecting the legal publicity of entreprises) and seeks to increase corporate transparency, namely by requiring businesses to provide to the Registraire des entreprises (the “REQ”) information about their bénéficiaires ultimes, i.e. ultimate beneficial owners (“UBO”).

      An UBO is, namely, any individual who:

      • possesses at least 25% of voting rights;
      • possesses at least 25% of the fair market value of all shares; or
      • has enough influence to exercise de facto control of the business.

      All UBOs of a business must be disclosed, although some entities such as non-profit organizations, legal persons established in public interest, public corporations, financial institutions and trust companies are not required to disclose their UBOs. For every UBO, the following information is required to be communicated to the REQ:

      • names and aliases;
      • home address (and optionally, business address);
      • date of birth;
      • type of control exercised or percentage of shares, interests, or units held;
      • date at which he/she became an UBO and date at which he/she ceased to be one.

      Most of this information will be accessible to the public, with the exceptions of the date of birth and, in cases where a business address is provided, the home address. The names and home addresses of minors are also hidden from public access.

      By providing access to shareholder information, the Province of Québec was already the only Canadian corporate jurisdiction that required public disclosure of the names and domiciles of the three principal shareholders. The province again takes the lead by forcing disclosure of corporations’ UBOs. For now, in the rest of Canada, the identity of UBOs for privately held companies is not a matter of public record.

      Entities doing business in Québec should ensure to conduct a proper examination of their organizational structure, so as to correctly and fully disclose the information required by the new transparency rules. Any failure to do so can lead to immediate revocation of the business’ registration under the REQ, as well as to fines ranging from CAD 1,000 to CAD 40,000.

      The new rules only require the businesses themselves to take the necessary measures to confirm the identities of their UBOs. Professional advisers do not have any due diligence obligations in this regard.

      The purpose of this post is to provide information about (i) the need of Brazilian companies for providing the Country-by-Country Reporting pursuant to the OECD Rules, Action 13 of the Base Erosion and Profit Shifting Actions (“BEPS Actions”) and (ii) the need to disclose the name of the final beneficial owner of entities with equity participation in Brazilian companies, or owners of assets in Brazil.

      Country-by-Country Reporting Regulation

      Normative Instruction RFB No. 1681 (“IN 1681/2016”) established the rules for the Brazilian companies to be compliant with the Country-by-Country Reporting Regulation (“CbCR”). The CbCR shall be presented annually considering the financial results of the previous fiscal year, as part of the fiscal declaration (ECF, which includes the information related to the corporate tax income return). Such declaration should be filled in accordingly with the list of mandatory information determined by IN 1681/2016 and pursuant to RFB Normative Instruction No. 1,422, of December 19, 2013.

      The CbCR is the result of the BEPS Project (Base Erosion and Profit Shifting) of the OECD’s initiative, contained in Action 13 of the BEPS Actions, aiming the enhancement of transparency while taking into consideration compliance costs.

      Multinational groups are obliged to deliver the CbCR if consolidated revenues for the fiscal year preceding the tax year of the declaration are equal to or greater than BRL 2.26 billion (or 750 million Euros, or if the local currency of the final controller of the group is equivalent to the mentioned amounts, as of January 31, 2015).

      The Brazilian subsidiary is (or may be considered) a substitute of the final controller and, as such, bound to fulfill the CbCR in the following cases:

      • it is the final controller of the multinational group is not obliged to deliver the CbCR in its jurisdiction of residence;
      • the jurisdiction where the ultimate controller is located has signed an international agreement with Brazil, however, still not ratified by the competent authorities before the deadline for delivering the CbCR; or
      • there has been a systemic failure of the jurisdiction of residence of the final controller of the multinational group that has been notified by the Brazilian Federal Revenue Office to the resident entity for tax purposes in Brazil.

      In case the Brazilian subsidiary is exempt from submitting the CbCR, it will still need to provide the identification and the jurisdiction of residence for tax purposes of its parent company.

      The deadline for providing the information will be the date for completing the ECF, to expire on 30 July 2018 for the fiscal year 2017. Failure to comply will expose the Brazilian subsidiary to the payment of a penalty of BRL 1,500.00 (USD 410 or EUR 340) per month. Submission of an incomplete CbCR may subject the Brazilian subsidiary a fine of 3% over the value omitted, inaccurate or incomplete.

      Need to disclose beneficial ownership and how to do it

      Brazilian companies are obliged to provide information on the person authorized to represent them, on the respective chain of equity interest, until the individuals characterized as final beneficial owner.

      This information shall be provided when a Non-Brazilian entity present its application to obtain the Federal Corporate Taxpayers’ Registry (“CNPJ”). If the Non-Brazilian entity already has a CNPJ, it must update the CNPJ with the beneficial owner information by 31 December 2018.

      Obtaining a CNPJ is mandatory for Non-Brazilian entities that have equity participation in Brazilian companies or other assets – financial investments, real estate, airplanes, ships, among others in Brazil.

      This obligation is in force by means of the Brazilian Federal Revenue Office Normative Instruction No. 1634 (“IN 1634/2016“). IN 1634/2016 contains a list of information to be provided and documents to be delivered for that purpose.

      On October 25, 2017, the procedure became mandatory also for Brazilian entities after publication of the ADE COCAD (Executive Declaratory Act – Registration Management General Coordination) No. 9/2017.

      Fail to comply with the procedure can result in suspension of the CNPJ. This suspension could result in inability to execute bank transactions, financial investments and obtaining loans and, ultimately, prevent the remittance of dividends to other countries or even the receipt of funds by means of a loan or capital injection from the respective parent companies abroad.

      Such information is not protected under fiscal secrecy, but the public employees shall not disclose this information pursuant to functional obligation of not disclosing information unless if summoned by court order.

      The requirement for presenting the information on the beneficial owner is already familiar for investors in Brazil. The Brazilian financial institutions are responsible for obtaining information of their client up until the beneficial owner, pursuant to Circular Letter No. 3.461/2009 of the Brazilian Central Bank. The information provided to financial institutions are subject to bank secrecy.

      These Brazilian financial institutions are severe on the provision and updating on the foreign parent companies. It is usual for companies with foreign shareholders to receive notices and warnings of possible blocking or closing the accounts if the required documents are not presented in full.

      The author of this article is Paulo Yamaguchi

      Martin Aquilina

      Practice areas

      • Art
      • Contracts
      • e-commerce
      • M&A
      • Privacy and Data Security
      Contact Martin

      Contact Martin





        Read the privacy policy of Legalmondo.
        This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

        Brazil – Reporting and Disclosure of  final beneficial owner

        9 October 2018

        • Brazil
        • Compliance
        • Corporate

        Trust is the only thing a law firm sells.

        It takes years to build a reputation and minutes to damage it. In a crisis, that reality becomes visible. Client calls increase. Internal questions surface. Reporters start asking questions. Recruiters take note.

        What begins as an individual lapse, a client controversy, or an internal weakness quickly becomes a communications test. How leadership responds, who speaks, and how consistently the message is delivered will determine how the firm is judged.

        Crisis management in a law firm is not primarily a legal problem. It is a leadership problem, expressed through communication.

        The Added Complexity Facing Modern Firms

        Legal practice is more exposed than it was even a decade ago. Firms operate across jurisdictions and serve sophisticated clients. Expectations about transparency and accountability are not the same everywhere. What sounds careful in one jurisdiction can sound evasive in another.

        When something goes wrong, reactions do not stay local. Clients, regulators, employees, and the media may all respond at the same time, often in different markets. If offices or practice groups answer differently, confusion grows and scrutiny increases.

        Staying silent rarely helps. If the firm does not explain what is happening, it loses control of the narrative.

        Where Law Firm Crises Begin

        Most law firm crises originate in one of three areas:

        1. Individual behaviour
        2. Client-related risk
        3. Systemic issues within the firm itself

        Individual misconduct is usually the most visible.

        Widely reported cases in recent years involving senior partners at major firms have followed a familiar pattern. An incident at a firm event is initially treated as isolated. Leadership hesitates, weighing relationships and reputational risk. Within weeks, the issue moves beyond the room. Focus shifts from the conduct itself to how the firm responded. What began as a behavioural issue becomes a test of leadership judgment.

        Hesitation changes the narrative. Once that shift occurs, the firm is no longer addressing behaviour. It is defending its decision not to act.

        Technology has created a different kind of exposure. Several firms have faced scrutiny after courts or opposing counsel identified AI-generated citations that did not exist. Internally, the explanation was familiar. A junior lawyer relied on a tool. Supervision was assumed rather than confirmed. Externally, those details mattered far less than the perception that basic controls had failed.

        The communications challenge is not explaining how the error occurred. It is addressing the confidence gap that follows. Courts and clients do not reward technical explanations when oversight appears weak.

        Client-related crises are often the most difficult to navigate publicly.

        Firms may believe that engagement letters create a buffer between client and firm. In practice, when a client becomes controversial, that distance collapses. Media coverage rarely distinguishes between legal advice and endorsement. Once the firm’s name appears in the same headline, it becomes part of the story.

        Communications strategy must reflect the fact that clients, regulators, employees, and journalists will interpret the situation through different lenses. A single message rarely satisfies all of them.

        Systemic and cultural issues present a different communications risk.

        Pay disparities, unclear promotion criteria, tolerance of poor behaviour, or weak reporting channels often develop over time. When lawyers leave and speak openly about their experiences, internal issues become external narratives. Culture becomes part of the firm’s public identity.

        What a firm can say credibly in a crisis depends on what it has done consistently before one. Reputation limits the range of believable responses.

        * * *

        Where Law Firm Crisis Communications Often Falters

        Lawyers are trained to be careful and precise. That is usually a strength. However, in a crisis, it can backfire. Statements may be technically accurate, but they leave obvious questions unanswered.

        The pattern is familiar. A carefully worded statement is released. Reporters and clients focus on what was not said. Follow-up questions arrive. Another clarification is issued. Each round keeps the story alive. What felt prudent inside the firm can look like hesitation from the outside.

        Mixed messaging makes things worse. Different partners speak to different audiences. Offices respond on their own. Legal advice and communications advice are not aligned. The result is inconsistency, and inconsistency weakens credibility.

        In a reputational crisis, people form views quickly. Once confidence slips, it is hard to rebuild.

        What Effective Law Firm Crisis Communications Looks Like

        Effective crisis communications is disciplined and coordinated. It begins with a clear understanding of what is known, what is not known, and what can responsibly be said. Acknowledging facts early, without speculation, builds credibility. Overstatement creates risk. Evasion creates suspicion.

        Decisions reinforce messages. Policy changes, leadership actions, or the appointment of an independent investigator often carry more weight than carefully chosen language.

        Structure matters. One spokesperson. Clear internal guidance. Alignment between leadership, legal counsel, and communications advisors. Without that alignment, even strong decisions can appear uncertain.

        Above all, the institution must come first. Communications strategies that appear designed to protect a single individual at the expense of the firm tend to fail. That risk is greatest when senior figures are involved. Allegations concerning senior partners attract heightened scrutiny and test whether the firm’s standards apply consistently or only when convenient.

        Externally, the focus should remain on process and oversight rather than contested detail. Internally, communication must reduce speculation while respecting confidentiality. The objective is to demonstrate that the firm’s standards apply consistently.

        Anything less invites doubt.

        Crisis as a Communications Test

        Every crisis ultimately becomes a communications test.

        The underlying issue matters. So does how leadership responds, how consistently it speaks, and whether actions align with words.

        Firms that respond with clarity, fairness, and coordination are more likely to preserve trust, even in serious situations. Firms that respond slowly or unevenly often extend the story and deepen reputational harm.

        Crisis communications is not about spin. It is about protecting credibility when it is under pressure. And for law firms, that credibility is the business.

        Since Brazil’s General Data Protection Law (LGPD) came into force in 2020, the country has taken steady steps to solidify its data protection framework. The Brazilian National Data Protection Authority (ANPD) has become an increasingly active regulator, issuing guidelines that clarify key roles and responsibilities under the LGPD.

        One of the most recent and significant developments is ANPD Resolution No. 18, which defines the scope, duties, and governance expectations for Data Protection Officers (DPOs) in Brazil. While the DPO role was already part of the LGPD, this resolution sharpens the regulatory focus and introduces new formalities and responsibilities—especially relevant for multinational companies operating in Brazil.

        Here’s what foreign businesses and their counsel need to know—and do—to remain in compliance:

        DPO Appointment Must Be Formal and Documented

        The DPO must be formally appointed by the data controller through a written, dated, and signed document. This document must outline the DPO’s activities and duties, and must be readily available to the ANPD upon request. This is not a formality to overlook: an undocumented DPO designation could lead to enforcement risks.

        Backup Required: Designate a Substitute DPO

        While small data controllers are often exempt from appointing a DPO, the Resolution requires that they still establish a reliable communication channel for data subjects—ensuring the exercise of data protection rights. This applies even to subsidiaries or low-volume processors.

        Disclose DPO Identity Publicly

        Companies must publish the DPO’s name and contact details prominently on their website. For corporate DPOs, the name of the legal entity and the responsible individual must be disclosed. This is a public-facing requirement—easily verifiable by the ANPD or data subjects.

        Controllers Must Empower the DPO

        Brazilian law now places affirmative obligations on data controllers to provide the DPO with adequate resources and autonomy. This includes access to senior leadership and freedom from interference, especially in decision-making related to data protection.

        Identity and contact information

        The data controller must publicly disclose, in a prominent and easily accessible location on their website, the DPO’s identity and contact details. At a minimum, this should include (i) full name, for individuals; or the business name/title of the entity + full name of the responsible person, for legal entities; and (iii) information on communication means enabling the exercise of data subject rights and receiving communications from the ANPD.

        Key DPO Responsibilities

        • Responding to data subject complaints
        • Interfacing with the ANPD
        • Advising on incident response, data mapping, DPIAs, and internal policies
        • Promoting internal awareness and training
        • Ensuring risk mitigation strategies are in place

        These obligations are not merely symbolic—they may require dedicated local support and a carefully structured compliance program.

        No Strict Liability, But Conflict of Interest Rules Apply

        DPOs are not personally liable for the controller’s actions. However, conflicts of interest must be proactively managed. A DPO cannot simultaneously hold a role involving strategic decisions about the processing of personal data—unless directly related to their duties.

        Multinational organizations must take care when appointing global or regional DPOs with overlapping roles to avoid compliance pitfalls.

        Failure to Comply Can Trigger Enforcement

        If conflicts are not disclosed, or DPOs are inadequately appointed, the ANPD may apply sanctions. Controllers must document their decision-making, implement conflict-mitigation measures, or appoint alternative professionals when needed.

        Final Thoughts: Legal Risk or Strategic Advantage?

        With Resolution No. 18, Brazil aligns more closely with global data protection regimes, but with its own unique requirements. For foreign companies, the message is clear: the DPO role in Brazil is a regulatory obligation—not just a best practice.

        Properly structuring this role offers not only legal certainty, but also the opportunity to demonstrate accountability and build trust with Brazilian consumers and regulators alike.

        For international counsel, this is a strategic area where legal guidance is not just helpful—it’s essential.

        Summary

        The Loi visant principalement à améliorer la transparence des entreprises came into force in Québec on March 31, 2023, imposing new obligations on businesses in the province. The law requires businesses to disclose information about their ultimate beneficial owners (UBOs) to the Registraire des entreprises. UBOs are individuals who possess voting rights, fair market value of shares, or de facto control over the business. Certain entities are exempt from disclosing their UBOs. The information disclosed will be accessible to the public, except for the date of birth and, in some cases, the home address.

        On March 31, 2023, the Loi visant principalement à améliorer la transparence des entreprises (Act mainly to improve the transparency of enterprises) came into force in Québec, imposing new obligations for businesses in the province.

        The new law modifies the Loi sur la publicité légale des entreprises (Act respecting the legal publicity of entreprises) and seeks to increase corporate transparency, namely by requiring businesses to provide to the Registraire des entreprises (the “REQ”) information about their bénéficiaires ultimes, i.e. ultimate beneficial owners (“UBO”).

        An UBO is, namely, any individual who:

        • possesses at least 25% of voting rights;
        • possesses at least 25% of the fair market value of all shares; or
        • has enough influence to exercise de facto control of the business.

        All UBOs of a business must be disclosed, although some entities such as non-profit organizations, legal persons established in public interest, public corporations, financial institutions and trust companies are not required to disclose their UBOs. For every UBO, the following information is required to be communicated to the REQ:

        • names and aliases;
        • home address (and optionally, business address);
        • date of birth;
        • type of control exercised or percentage of shares, interests, or units held;
        • date at which he/she became an UBO and date at which he/she ceased to be one.

        Most of this information will be accessible to the public, with the exceptions of the date of birth and, in cases where a business address is provided, the home address. The names and home addresses of minors are also hidden from public access.

        By providing access to shareholder information, the Province of Québec was already the only Canadian corporate jurisdiction that required public disclosure of the names and domiciles of the three principal shareholders. The province again takes the lead by forcing disclosure of corporations’ UBOs. For now, in the rest of Canada, the identity of UBOs for privately held companies is not a matter of public record.

        Entities doing business in Québec should ensure to conduct a proper examination of their organizational structure, so as to correctly and fully disclose the information required by the new transparency rules. Any failure to do so can lead to immediate revocation of the business’ registration under the REQ, as well as to fines ranging from CAD 1,000 to CAD 40,000.

        The new rules only require the businesses themselves to take the necessary measures to confirm the identities of their UBOs. Professional advisers do not have any due diligence obligations in this regard.

        The purpose of this post is to provide information about (i) the need of Brazilian companies for providing the Country-by-Country Reporting pursuant to the OECD Rules, Action 13 of the Base Erosion and Profit Shifting Actions (“BEPS Actions”) and (ii) the need to disclose the name of the final beneficial owner of entities with equity participation in Brazilian companies, or owners of assets in Brazil.

        Country-by-Country Reporting Regulation

        Normative Instruction RFB No. 1681 (“IN 1681/2016”) established the rules for the Brazilian companies to be compliant with the Country-by-Country Reporting Regulation (“CbCR”). The CbCR shall be presented annually considering the financial results of the previous fiscal year, as part of the fiscal declaration (ECF, which includes the information related to the corporate tax income return). Such declaration should be filled in accordingly with the list of mandatory information determined by IN 1681/2016 and pursuant to RFB Normative Instruction No. 1,422, of December 19, 2013.

        The CbCR is the result of the BEPS Project (Base Erosion and Profit Shifting) of the OECD’s initiative, contained in Action 13 of the BEPS Actions, aiming the enhancement of transparency while taking into consideration compliance costs.

        Multinational groups are obliged to deliver the CbCR if consolidated revenues for the fiscal year preceding the tax year of the declaration are equal to or greater than BRL 2.26 billion (or 750 million Euros, or if the local currency of the final controller of the group is equivalent to the mentioned amounts, as of January 31, 2015).

        The Brazilian subsidiary is (or may be considered) a substitute of the final controller and, as such, bound to fulfill the CbCR in the following cases:

        • it is the final controller of the multinational group is not obliged to deliver the CbCR in its jurisdiction of residence;
        • the jurisdiction where the ultimate controller is located has signed an international agreement with Brazil, however, still not ratified by the competent authorities before the deadline for delivering the CbCR; or
        • there has been a systemic failure of the jurisdiction of residence of the final controller of the multinational group that has been notified by the Brazilian Federal Revenue Office to the resident entity for tax purposes in Brazil.

        In case the Brazilian subsidiary is exempt from submitting the CbCR, it will still need to provide the identification and the jurisdiction of residence for tax purposes of its parent company.

        The deadline for providing the information will be the date for completing the ECF, to expire on 30 July 2018 for the fiscal year 2017. Failure to comply will expose the Brazilian subsidiary to the payment of a penalty of BRL 1,500.00 (USD 410 or EUR 340) per month. Submission of an incomplete CbCR may subject the Brazilian subsidiary a fine of 3% over the value omitted, inaccurate or incomplete.

        Need to disclose beneficial ownership and how to do it

        Brazilian companies are obliged to provide information on the person authorized to represent them, on the respective chain of equity interest, until the individuals characterized as final beneficial owner.

        This information shall be provided when a Non-Brazilian entity present its application to obtain the Federal Corporate Taxpayers’ Registry (“CNPJ”). If the Non-Brazilian entity already has a CNPJ, it must update the CNPJ with the beneficial owner information by 31 December 2018.

        Obtaining a CNPJ is mandatory for Non-Brazilian entities that have equity participation in Brazilian companies or other assets – financial investments, real estate, airplanes, ships, among others in Brazil.

        This obligation is in force by means of the Brazilian Federal Revenue Office Normative Instruction No. 1634 (“IN 1634/2016“). IN 1634/2016 contains a list of information to be provided and documents to be delivered for that purpose.

        On October 25, 2017, the procedure became mandatory also for Brazilian entities after publication of the ADE COCAD (Executive Declaratory Act – Registration Management General Coordination) No. 9/2017.

        Fail to comply with the procedure can result in suspension of the CNPJ. This suspension could result in inability to execute bank transactions, financial investments and obtaining loans and, ultimately, prevent the remittance of dividends to other countries or even the receipt of funds by means of a loan or capital injection from the respective parent companies abroad.

        Such information is not protected under fiscal secrecy, but the public employees shall not disclose this information pursuant to functional obligation of not disclosing information unless if summoned by court order.

        The requirement for presenting the information on the beneficial owner is already familiar for investors in Brazil. The Brazilian financial institutions are responsible for obtaining information of their client up until the beneficial owner, pursuant to Circular Letter No. 3.461/2009 of the Brazilian Central Bank. The information provided to financial institutions are subject to bank secrecy.

        These Brazilian financial institutions are severe on the provision and updating on the foreign parent companies. It is usual for companies with foreign shareholders to receive notices and warnings of possible blocking or closing the accounts if the required documents are not presented in full.

        The author of this article is Paulo Yamaguchi