Romania: Recovering the Money – the Main Priority in the Public and Private Sector
This is an Insight article, written by a selected partner as part of GIR's co-published content.
In summary
This chapter provides relevant insight into the main priorities (from an investigations perspective) of both the public and the private sector in Romania, namely investigations in the pharma sector and the cybersecurity issues arising from the constant development of online commercial relations and services.
Discussion points
- The main investigative focus of the Romanian enforcement authorities
- The most relevant investigations in the pharma sector
- Issues arising when conducting an internal investigation in respect of a company’s subsidiary located abroad
- Cybersecurity issues, including our most recent case law with regard to phishing attacks
- Banks’ AML and KYC obligations that may save the money at the last minute
- Anticipated developments
Referenced in this article
- The National Anti-Corruption Directorate (DNA)
- The Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT)
- EU Directive 2019/1937 on the Protection of Persons Who Report Breaches of Union Law (the Whistleblower Directive)
- Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems (the NIS Directive)
- Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (the AML Directive)
- Federal Bureau of Investigation – Internet Crime Complaint Center (FBI IC3)
The state’s focus: investigations in the pharma sector
Romania’s enforcement efforts have been focusing on allegations of corruption in certain key industries, with the healthcare sector taking the limelight. The interest shown by the enforcement authorities is in line with the statement of the former Head Prosecutor of the National Anti-corruption Directorate (DNA), Laura Codruța Kövesi, that bribes in the healthcare sector are higher than in the infrastructure sector and that the price in healthcare-related public procurement is 10 times higher than the initial price of acquisition.
In one of the several high-profile investigations in the healthcare sector, the DNA alleges that healthcare professionals accepted luxury trips, gifts and money from 11 of the top 20 pharma companies operating in Romania in exchange for prescribing oncology drugs produced by these companies instead of cheaper generic drugs.
Public procurement within the healthcare and IT sectors is also making headlines. Two former presidents and several executives of the National House of Health Insurance and a leading global IT company are currently being investigated in connection with an alleged breach of public procurement law relating to the implementation of the national card reading system. The DNA alleges that the contract price was inflated, unjustified and resulted in a detriment to the public budget.
The Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT) has also shown an interest in the healthcare sector, as it has been investigating the corrupt practices of an alleged criminal organised group connected to medication required for organ transplantation. DIICOT alleges that pharmaceutical companies used various methods (such as sponsorship agreements) to bribe healthcare professionals and decision-makers within medical facilities from the organ transplantation sector in exchange for prescribing their medicines.
One of the largest networks of private clinics appeared on the enforcement authorities’ radar, as it is being investigated for allegedly claiming amounts from the National House of Health Insurance for medical services already paid for by the patients.
The most recent investigation in the pharma sector
At the beginning of 2020, employees of a major European pharma company specialised in generic pharmaceuticals leaked 2GB of internal documents to a highly regarded Romanian journalist. Since then, the journalist has published several articles in respect of wrongdoings involving the company.
The main allegation is that the company has been bribing doctors in Romania for over a decade, by offering them money, holiday trips or incentives as speakers in exchange for prescribing its pharmaceutical products.
One of the documents leaked to the press includes an Excel table comprising names of doctors, their potential for prescribing company products, sponsorships made to the latter and an amortisation column. According to a company employee, cited by the journalist, the doctors would receive approximately 10 per cent of the prescription’s value through sponsorship agreements.
The company conducted an internal investigation led by the head of the legal department, attorneys and several persons from relevant departments of the company. According to a press release, the pharma company announced that the internal investigation with respect to its Romanian subsidiary had shown that the bribery allegations were unjustified as regards the Romanian subsidiary’s employees, and that it was even less likely that the alleged operation had been conducted from the seat in its home country.
However, according to the same journalist, the DNA started a criminal investigation into alleged bribery with respect to the pharmaceutical company and several company employees came forward to the prosecutors with information allegedly incriminating the company.
It should be noted that, under Romanian law, legal entities, except for state and public authorities, may be held criminally liable for offences committed in the performance of the legal entity’s commercial activity, in its interest, or on its behalf.
The scope of individuals who may trigger criminal liability of a corporate entity is very broad and includes legal representatives (eg, a director or manager), employees, agents, and even third parties who commit criminal offences for the benefit or in the name of the entity. In practice, for a corporate entity to be criminally liable, the investigative body must prove that the entity benefited from the criminal activity of the individual perpetrating the offence or that the conduct was performed by the individual within the scope of his or her services for the corporate entity (whether under an employment contract, services contract, or otherwise).
A particularly risky situation arises when legal entities operate in Romania through a local branch, as the branch itself cannot be held criminally liable. That is because the branch does not have legal personality – one of the conditions for corporate criminal liability under Romanian law.
In the case of misconduct of individuals working for or acting on behalf of the local branch located in Romania, should the conditions of corporate criminal liability be met, the mother company located abroad may be held criminally liable and prosecuted for the actions of the individuals who acted on Romanian territory.
In the context of an internal investigation performed in respect of a company’s subsidiary located abroad, several aspects should be considered, with particular emphasis on whistleblowers, attorney-client privilege and witness interviews during internal investigations, which we will briefly address below.
Whistleblowers
Although whistleblowing in the private sector is not broadly regulated, whistleblowing in the public sector is. The law protects individuals who report a breach of law committed within a public authority or state-owned company. Reporting misconduct cannot trigger disciplinary action against the employee, except where such reporting is purely vexatious or in bad faith. Financial incentive schemes for whistleblowers do not exist under Romanian law.
Under the public sector legislation, a whistleblower may report misconduct related to a defined list of crimes, including corruption and assimilated offences, offences against the financial interests of the European Union, discriminatory treatment or practices, public procurement and non-reimbursable financing.
Whistleblowers in the public sector benefit from a presumption of good faith. Upon request from a whistleblower subject to a disciplinary investigation, the authority or entity must invite the press or broadcast media and a representative of the union to the disciplinary hearing. Any sanction imposed against a good-faith whistleblower in the public sector is likely to be overturned.
A change in respect of whistleblower legislation in Romania will occur once the Parliament of Romania transposes EU Directive 2019/1937 on the Protection of Persons Who Report Breaches of Union Law (the Whistleblower Directive).
The new law will establish safe channels for reporting both within an organisation and to public authorities. It will also protect whistleblowers against dismissal, demotion and other forms of retaliation and require national authorities to inform citizens and provide training for public authorities on how to deal with whistleblowers.
Penalties will be imposed against those who attempt to hinder reporting, retaliate against whistleblowers, attempt to bring proceedings or who reveal the identity of the whistleblower. Any threats or attempts to retaliate against whistleblowers are also prohibited.
Member states must comply with the new EU Whistleblower Directive by 17 December 2021. With regard to legal entities with more than 50 and fewer than 250 employees, member states have another two years after transposition to comply (ie, until 17 December 2023).
Internal investigations
Internal investigations are triggered by information from various sources, such as whistleblowers, employees, internal audits, lawsuits, business partners, media reports, as well as from the prosecutor or other government authority. Audits commenced by the Romanian tax authority could bring to light wrongdoing that could create the need to investigate. Corporations must treat any allegations of misconduct very seriously.
The best practice for commencing an internal investigation is to prepare a plan establishing the scope, approach, responsibilities and steps relating to communication and disclosure, preservation of evidence, and securing witness testimony while information is still fresh in the minds of the various participants in or witnesses to the alleged misconduct. The preparation and execution of this plan are essential for a successful investigation in a manner that allows the company to argue an efficient and consistent corporate culture of compliance within the investigation, while limiting exposure and mitigating the potential risks of a formal investigation.
Attorney-client privilege and witness interviews during internal investigations
Legal privilege protects confidential communication between an attorney and client, if the communications relate to the seeking and receiving of legal advice. For legal entities, the definition of a ‘client’ is limited to persons who legally represent the entity (based on the legal entity’s charter), or are empowered by the entity to seek and obtain advice on behalf of the legal entity.
If communication is shared with third parties or parties who are not considered ‘clients’, that communication may no longer be considered confidential and loses its privilege. In this context, it should be noted that, under Romanian law, communications with in-house legal counsel who are not admitted to the Bar are not protected by legal privilege.
To this end, to protect the privilege and confidentiality of an internal investigation, companies should retain an external attorney to coordinate and execute the investigation and ensure that retention is explicit in a written agreement and registered in the attorney’s registry of contracts.
A more sensitive aspect appears when interviewing witnesses during an internal investigation. If an attorney conducts interviews to provide legal advice on a matter, the records or a report of the interviews may be privileged. Best practice would see attorneys recording interview notes as their ‘impression’ of an interview, rather than as a verbatim transcription.
Anticipated developments
We expect the Romanian authorities to continue their enforcement efforts in respect of allegations of corruption in the healthcare sector in 2020, especially given the covid-19 context. According to the UN Office on Drugs and Crime (UNODC), in ordinary times, not during pandemics such as this one, approximately 10 to 25 per cent of all money spent on procurement globally is lost to corruption. In the EU, 28 per cent of health corruption cases are related specifically to procurement of medical equipment.
In Romania, there have been several media articles on the acquisition, at very high prices, of protective medical devices and sanitary materials from companies whose object of activity lies elsewhere (eg, distribution of beverages). Given the demand for such products and the weak oversight by the authorities, caused by health systems being on the brink of collapse, certain individuals are taking advantage and using public money to enrich themselves.
The medicines, medical devices and sanitary materials used in the fight against covid-19 are purchased by the Ministry of Health by means of Unifarm SA (state-owned company). The budget of Unifarm SA for 2020 has been increased by 1.15 billion lei (approximately €240 million) for this purpose.
The private sector’s focus: cybersecurity issues
The constant development of online commercial relations and services plays a significant role in the global economy nowadays. This development and the increasing value of online operations were soon followed by an increase in online criminal activities.
Currently, the risk of malicious entities exploiting the vulnerabilities of the online environment has never been higher, leading to significant economic and social consequences, which for companies may translate into business compromise, financial losses and even bankruptcy, while for the European Union it may result in damage to its economy.
Romania has implemented Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems[1] (the NIS Directive) through Law No. 362/2018. The law requires operators of essential services and providers of digital services to have adequate security measures and to report serious incidents to the competent national authority, the Romanian National Computer Security Incident Response Team (CERT-RO).
Failure to comply may result in a fine ranging from 3,000 lei (approximately €625) up to 5 per cent of the turnover registered for the previous year.
Moreover, in September 2019, CERT-RO and its partner, the Special Telecommunications Service, obtained funding from EU Funds for the development of an early and real-time information alert system on cyber incidents that will provide real-time warning, increase the security level of the national cyberspace (ie, public institutions, private companies and individual users) and ensure the national capabilities for prevention, identification, analysis and response to cybersecurity incidents.
On the criminal side, the Romanian Criminal Code has a dedicated chapter on cybercrime, which covers crimes such as illegal access to a computer system and illegal interception of computer data transmission. Computer-related fraud and forgery are also provided in different chapters.
The most severe cybercrime allegations are handled by DIICOT, which, over the past few years, has successfully indicted several individuals for cybercrimes related to ransomware attacks and man-in-the-browser/man-in-the-middle threats. The number of new cases increased in 2019 (8.4 per cent more than in the previous year) and in 2020 an even higher increase is expected due to the covid-19 outbreak that is forcing most people to work from home.[2]
On an international level, Romania is part of the Council of Europe’s Convention on Cybercrime, the only binding international instrument on this issue, and in 2019, DIICOT relied on cooperation with similar agencies in other countries for its cybercrime indictments with foreign elements.
Recent cases
Cybercriminals are increasingly focusing on one of the most economically damaging attacks – business email compromise (BEC), which is a sophisticated scam targeting both businesses and individuals performing wire transfer payments.
BEC is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorised transfers of funds. Perpetrators are aiming at high-level employees with financial powers of control, making such attacks more professional and convincing while finding new modus operandi to take advantage of this technique.
Targeted companies are usually companies with frequent wire transfers or with foreign suppliers.
In December 2019, a major European company manufacturing machinery and equipment for pharmaceutical, metals, food and chemical industries was the victim of a BEC scam through the vulnerability of one of its suppliers. The perpetrators managed to infiltrate the computer system of the supplier, created false email addresses for several of the latter’s employees, ‘hijacked’ some of its real email accounts and performed several exchanges of email communications with the victim company.
The perpetrators intercepted an ongoing transaction and misled two of the victim company’s employees to change the bank account of an invoice where the payment should have been made, thus causing damage of approximately €200,000.
A similar modus operandi was performed last year by perpetrators against a global leading company in the automotive industry. In this case, the perpetrators illegally accessed both the computer system of the victim company and also the computer system of one of its suppliers, with the purpose of accessing the email addresses of certain employees.
During the same period, the fraudsters created false email addresses for several of the supplier’s employees and performed exchanges of emails between these email accounts with the purpose of misleading them and obtaining a material benefit by hijacking the amount of approximately €150,000 pertaining to the invoices issued by the supplier.
A recent report of the Federal Bureau of Investigation – Internet Crime Complaint Center (FBI IC3) stated that there was a 136 per cent increase in identified global exposed losses between December 2016 and May 2018.
In 2019, FBI IC3 recorded 23,775 complaints about BEC, which resulted in more than US$1.7 billion in losses. Based on the victim complaints filed with the IC3, financial sources indicate that fraudulent transfers have been sent to 115 countries.
BEC scams continue to grow and evolve, targeting small, medium-sized and large businesses and personal transactions, exploiting the way corporations do business, taking advantage of segregated corporate structures and internal gaps in payment verification processes. At the low-tech end, where social engineering reigns, awareness and training for staff are key.
Cybersecurity management
As cybercriminals become more and more sophisticated, it is getting harder for victims to tell what is real and what is fake and to spot red flags. To combat these potentially destructive challenges, companies should be one step ahead of cybercriminals, proactively anticipating and minimising IT risks.
Such attacks can be prevented with strong, healthy IT security, which involves a series of measures such as internal policies, user awareness and training, risk analysis and assessment, vulnerability and security alert management, access rights management, network and information system configuration management, and security plans.
Cyberattacks are no longer a question of ‘if’, but a matter of ‘when’, and companies should develop a cybersecurity strategy through corporate policies and clear procedures in order to protect themselves, shield their activity and reduce their business risks, as well as ensuring that employees are informed and aware of them.
The below situations could be potential signs of a business email compromise:
- an unsolicited email or phone call;
- a request for absolute confidentiality;
- an unusual request in contradiction with internal procedures;
- direct contact from a senior official you are normally not in contact with;
- pressure and a sense of urgency; and
- threats or unusual flattery or promises of reward.
Another wise step could be to assess, monitor and manage potential IT risks through an internal investigation based on the industry’s standard risks. Any issues arising from the assessment should be identified and documented through a closed-loop process of issue investigation, analysis of the root cause and remediation.
If a fraudulent transfer has already occurred, time is of the essence. First, the financial institution should be contacted and requested to block the transfer of the funds and second, the competent criminal investigation authorities should be contacted.
Finally, an internal investigation (including IT and forensic) should be conducted to identify the dysfunctions and vulnerabilities through a due diligence process followed by a fast and adequate implementation of the security update measures and procedures.
Banks’ AML and KYC obligations. Can the money be saved at the last minute?
When a cyberattack has occurred and money is to be transferred, banks should have a say and perform their anti-money laundering (AML) and know your client (KYC) obligations provided by Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing[3] (the AML Directive) transposed at national level by Law No. 129/2019 (the AML Law).
First, pursuant to the AML Law, a bank must perform customer due diligence (or KYC) before it carries out an occasional transaction that amounts to €15,000 or more (whether that transaction is carried out in a single operation or in several operations that appear to be linked).
This means that banks should retain identification data contained by the following documents from each client:
- from individuals – identity cards, passports or residence permits;
- from legal entities – constitutive act, registration certificates or their extracts;
- from ultimate beneficial owners – documents showing the identity of the real beneficiary, respectively the individual who ultimately owns or controls the client and/or the individual on whose behalf a transaction, operation or activity is performed.
Second, credit institutions have an obligation to report cross-border transactions that amount to €15,000 or more to the National Office for Prevention and Control of Money Laundering (ONPCSB) within three working days of the transaction date.
Needless to say, in the above cases, as the transactions amounted to approximately €200,000 and €150,000, the bank (which, coincidentally or not, was the same recipient financial institution in both cases) should have reported them immediately to the ONPCSB.
In addition, if a bank deems a transaction as suspicious, it must immediately report it to the ONPCSB before carrying it out and cannot perform it for 24 hours as of the moment the report is registered at the ONPCSB. For similar situations to the cases described above, the AML Law does not provide a rule that could trigger a ‘red flag’ in the event the incoming money is transferred again within a short time frame to another bank. However, this could be seen as a suspicious transaction, especially since the AML Law provides that a suspicious transaction report should be sent to the ONPCSB ‘in any other situations or in regard to elements that are able to raise suspicions regarding the nature, economic purpose or the scope of the transaction, such as the existence of certain anomalies regarding the client’s profile’.
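The AML checks described above, expressed as transaction-screening logic, as an added example that is not code from the article's authors, the AML Law or any bank: the €15,000 threshold is applied to linked operations as well as single ones, the cross-border report deadline is computed in working days, and the 'incoming money transferred on to another bank within a short time frame' pattern the article suggests is flagged as suspicious. The account-id format, the 7-day linking window, the 48-hour onward-transfer window and the 90 per cent ratio are assumptions, and the sample transactions are constructed to mirror the €200,000 case above.

```python
"""AML transaction-screening checks modelled on the rules the article describes.
Added example; not code from the authors, Law No. 129/2019 or any institution.
The onward-transfer heuristic is the article's suggestion, not a statutory rule."""
from dataclasses import dataclass
from datetime import datetime, timedelta

KYC_THRESHOLD_EUR = 15_000           # AML Law: occasional transaction of EUR 15,000 or more
REPORT_WORKING_DAYS = 3              # cross-border transactions reported to ONPCSB in 3 working days
STR_HOLD = timedelta(hours=24)       # no execution for 24 hours after a suspicious transaction report
LINK_WINDOW = timedelta(days=7)      # assumption: same-party operations within 7 days are 'linked'
ONWARD_WINDOW = timedelta(hours=48)  # assumption: onward transfer within 48 hours is a pass-through signal
ONWARD_RATIO = 0.9                   # assumption: at least 90% of the inbound amount leaves again


@dataclass(frozen=True)
class Tx:
    tx_id: str
    when: datetime
    sender: str      # account id; constructed format "CC-BANK-nnn" (country-bank-number)
    receiver: str
    amount_eur: float


def country(acct: str) -> str:
    return acct.split("-")[0]


def bank(acct: str) -> str:
    return acct.split("-")[1]


def linked_total(txs, tx: Tx) -> float:
    """Amount of tx plus other operations between the same parties inside LINK_WINDOW."""
    return sum(t.amount_eur for t in txs
               if t.sender == tx.sender and t.receiver == tx.receiver
               and abs(t.when - tx.when) <= LINK_WINDOW)


def kyc_required(txs, tx: Tx) -> bool:
    """Customer due diligence is due when the single or linked total reaches the threshold."""
    return linked_total(txs, tx) >= KYC_THRESHOLD_EUR


def is_cross_border(tx: Tx) -> bool:
    return country(tx.sender) != country(tx.receiver)


def report_deadline(tx: Tx):
    """Three working days (Mon-Fri; public holidays ignored, an assumption) after the transaction date."""
    d, left = tx.when.date(), REPORT_WORKING_DAYS
    while left:
        d += timedelta(days=1)
        if d.weekday() < 5:
            left -= 1
    return d


def earliest_execution(report_registered_at: datetime) -> datetime:
    """A reported suspicious transaction may not be executed for 24 hours after registration."""
    return report_registered_at + STR_HOLD


def rapid_onward_transfers(txs):
    """Inbound funds that leave the receiving account for another bank shortly afterwards."""
    return [(inbound.tx_id, out.tx_id)
            for inbound in txs for out in txs
            if out.sender == inbound.receiver
            and bank(out.receiver) != bank(inbound.receiver)
            and timedelta(0) < out.when - inbound.when <= ONWARD_WINDOW
            and out.amount_eur >= ONWARD_RATIO * inbound.amount_eur]


def screen(txs):
    """Return (tx_id, finding) pairs a compliance analyst would review."""
    findings = []
    for tx in sorted(txs, key=lambda t: t.when):
        if kyc_required(txs, tx):
            findings.append((tx.tx_id, "KYC_REQUIRED"))
        if is_cross_border(tx) and tx.amount_eur >= KYC_THRESHOLD_EUR:
            findings.append((tx.tx_id, f"REPORT_ONPCSB_BY_{report_deadline(tx).isoformat()}"))
    for inbound_id, out_id in rapid_onward_transfers(txs):
        findings.append((out_id, f"SUSPICIOUS_ONWARD_OF_{inbound_id}"))
    return findings


# Constructed sample: a EUR 200,000 cross-border credit passed on to another bank within hours,
# plus three EUR 6,000 operations between the same parties that only together reach the threshold.
SAMPLE = [
    Tx("T1", datetime(2019, 12, 5, 10, 0), "DE-ALPHA-001", "RO-BETA-777", 200_000.0),
    Tx("T2", datetime(2019, 12, 5, 14, 30), "RO-BETA-777", "RO-GAMMA-900", 198_000.0),
    Tx("T3", datetime(2019, 12, 9, 9, 0), "RO-DELTA-010", "RO-BETA-020", 6_000.0),
    Tx("T4", datetime(2019, 12, 10, 9, 0), "RO-DELTA-010", "RO-BETA-020", 6_000.0),
    Tx("T5", datetime(2019, 12, 12, 9, 0), "RO-DELTA-010", "RO-BETA-020", 6_000.0),
]

if __name__ == "__main__":
    for tx_id, finding in screen(SAMPLE):
        print(tx_id, finding)
```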
An even more challenging situation is that of instant payments, which may complicate fraud prevention and, especially, risk mitigation, given that a multitude of instant payment schemes have been launched since 2017. While these instruments provide clear benefits to the financial sector and commerce, they can also involuntarily accelerate various frauds.
Such transactions provide money launderers better options for money mule accounts and also make it harder for financial institutions to block suspicious transactions.
Anticipated developments
In this digital age, especially during and because of the pandemic, ‘distance does not prevail’ is more accurate than ever and attacks are carried out from anywhere in the world. The pandemic is forcing the majority to work from home, which increases the number of potential victims of cyberattacks.
Companies should now focus even more on cyber-secure teleworking because of the lack of direct contact between contractual partners and establish corporate policies and clear procedures on teleworking, secure teleworking equipment and remote access, and increase security monitoring. In this respect, the European Cybercrime Center (EC3) set up by Europol recently published a how-to guide on safe teleworking with tips and advice for businesses and employees.[4]
Moreover, recent FBI IC3 reports show that cybercriminals have turned more towards conducting BEC through exploitation of cloud-based email services. The scams are initiated through specifically developed phishing kits designed to mimic the cloud-based email services in order to compromise business email accounts and request or misdirect transfers of funds.
Companies may better protect themselves and their employees against BEC through several available measures, such as educating their employees about BEC scams, including preventive strategies on how to identify phishing emails and how to respond to suspected compromises, as well as enabling multi-factor authentication for all email accounts.
Last but not least, any suspicious request for immediate transfers or for changing the payment details for due amounts should be confirmed by live contact (directly or by telephone, videoconference, etc).
Concluding remarks and recommendations
Both the investigations into allegations of corruption and the cyber-related issues require a well-established investigation plan combined with a complex preparation of a defence plan from both cross-border and multidisciplinary angles.
As set out above, the best practice for commencing an internal investigation is to prepare a plan establishing the scope, approach, responsibilities and steps relating to communication and disclosure, preservation of evidence, and securing witness testimony while information is still fresh in the minds of the participants in or witnesses to the alleged misconduct; the preparation and execution of this plan allow the company to argue an efficient and consistent corporate culture of compliance within the investigation, while limiting exposure and mitigating the potential risks of a formal investigation.
On the other hand, the company’s anti-bribery and AML policies, as well as related training sessions organised for a company’s employees, could help build the company’s defence in the event of a formal investigation by the competent authorities.
Taking into consideration the anticipated developments above, due to the specific conditions in the context of covid-19 prevention measures (urgent and large medicine and medical supplies acquisition, working from home, online meetings), it is clear that the near future will give the authorities the opportunity for significant investigations and for the private sector to mitigate the risks or to recover the defrauded amounts.
In the case of misconduct triggering either an internal or a formal investigation, or in the event a company is a victim of cybercrime, considering the cross-border implications of such investigations, from our experience, the best way to deal with such an issue is by contacting and retaining a multidisciplinary law firm with a wide presence across multiple jurisdictions that has the capacity to handle such a complex issue. The same course of action should be taken as a preventive measure, for performing a risk analysis and suggesting a risk mitigation plan.
Notes
[1] The NIS Directive is available (in several languages) at https://eur-lex.europa.eu/eli/dir/2016/1148/oj.
[2] The DIICOT Activity Report for 2019 is available (only in Romanian) at https://www.diicot.ro/images/documents/rapoarte_activitate/raport2019.pdf.
[3] The AML Directive is available (in several languages) at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015L0849.
[4] The EC3 Guide is available (in several languages) at https://www.europol.europa.eu/activities-services/public-awareness-and-prevention-guides/safe-teleworking-tips-and-advice.