Jab of Compliance for Companies in Central and Eastern Europe

In summary

The increased focus of companies in Central and Eastern Europe (CEE) in tackling large-scale corruption through corporate criminal liability has resulted in an increasing number of companies being prosecuted each year. Companies have, therefore, been paying closer attention to their compliance efforts. This article discusses the influence of the covid-19 pandemic on the shifting focuses of prosecuting authorities in the CEE region, the compliance status of companies and corporate investigation, as well as provides an outlook on the future.

Discussion points

• States’ shopping sprees for medical devices during covid-19 emergencies
• Influence of the pandemic on corporate investigation and compliance processes
• Digital corporate investigations
• Internal policies for digital-age compliance in the CEE region
• Zero-based redesign of the compliance management system

Referenced in this article

• Supreme Audit Office report: ‘Money spent in connection with epidemiological situation in the Czech Republic’
• Association of Certified Fraud Examiners’ report: ‘Fraud in the Wake of COVID-19: Benchmarking Report’
• US Department of Justice’s manual to the Evaluation of Corporate Compliance Programs
• Group of States against Corruption
• OECD Working Group on Bribery
• Compliance management system as per the section 8, subsection 5 of Act No. 418/2011 Sb

Common ground in Central and Eastern Europe

The region of Central and Eastern Europe (CEE) is a unique place that stands out owing to its rich tapestry of languages and its abundance of cultures – each embedded in national histories vastly different from one another. This contrasts with the closeness kept by a few groups of nations that share substantial parts of their histories (eg, Slovakia and the Czech Republic – formerly Czechoslovakia).

The legislative and legal landscape of CEE countries and their approach towards compliance is also influenced by each of their current political affiliations. The concept of corporate criminal liability is still a relatively new concept for many white-collar crime practitioners and prosecuting authorities in CEE countries. The concept more or less followed the concept of individual criminal liability, which has created room for many difficulties in application.

Most CEE jurisdictions either allow companies to release themselves from criminal liability if they prove that they have an effective compliance management system (CMS) in place that is able to prevent the investigated criminal behaviour, or consider an effective CMS as a mitigating circumstance for which the company must react with zero tolerance to non-compliant behaviour. Having an internal process in place to investigate non-compliance is understood to be a part of any effective CMS.

For example, in the Czech Republic, companies can release themselves from criminal liability if they prove that they have adequate measures (an effective CMS) in place that could have prevented the crime.^[1] In September 2018, non-binding internal guidelines – later modified in 2020 – for Czech public prosecutors were issued. This is relatively atypical for the CEE region. The guidelines were inspired by international guidelines, such as those by the US Department of Justice (DOJ), UK anti-bribery guidelines and the compliance standards ISO37001 and ISO19600, and are in the form of an internal document that is intended to be used as non-binding guidelines by public prosecutors.^[2]

The investigation process in each CEE country is unique, and cross-border investigations across several European jurisdictions have often presented an array of practical challenges. However, thanks to the decades of work put in by the European Union, the Organisation for Economic Co-operation and Development (OECD) and the Council of Europe, a clear trend is becoming apparent in which divergencies can be converged, and multi-jurisdictional corporate investigations or compliance audits can be conducted more easily than ever before.

Unfortunately for some companies, this does not only apply to corporate investigations and compliance audits; law enforcement authorities are also actively cooperating with each other much more frequently and much more swiftly, with this cooperation also extending abroad to their counterparts in jurisdictions such as the United States and the United Kingdom.

Anti-corruption, anti-terrorist financing and anti-money laundering efforts have also started to improve in terms of both the quantity and quality of enhanced coordination and communication at the multi-jurisdictional and global levels. As a result, there is an increasing number of local and multi-jurisdictional corporate investigations triggered by vigilant companies, which are highly observant for any signs of non-compliance that could trigger a Foreign Corrupt Practices Act (FCPA) investigation, if CEE authorities opened an investigation and requested information from their US counterparts. This makes sense as companies are handsomely rewarded – under, for instance, the FCPA by the DOJ if they detect misconduct early and if they investigate and report their findings to the DOJ – with significantly milder repercussions.

There are no practical out-of-court solutions in the CEE countries once a company is investigated or prosecuted. Unless the charges are dropped by the prosecuting authorities, the company faces lengthy prosecution in public proceedings.

Companies’ growing vigilance is accompanied by increased interest among CEE authorities in investigating and prosecuting companies, which is a trend that started approximately 10 years ago when CEE jurisdictions, pushed by the OECD and its Working Group on Bribery^[3] and the Group of States against Corruption,^[4] started to focus on corruption, by implementing corporate criminal liability, among other things. It took some time before prosecuting authorities actually turned their attention towards companies.^[5] Nowadays, it is increasingly difficult to lead multi-jurisdictional investigations while satisfying all the relevant countries’ statutes and to make sure that the company is not punished twice for the same crime.

To some extent, this trend was slowed down by the covid-19 pandemic and related local restrictions. The pandemic compelled several countries in the CEE region to close their doors to their neighbours, except for essential travel; declare a state of emergency; and shift their attention towards domestic concerns.

Although this trend may have slowed on at a ‘formal’ level, prosecuting authorities are nonetheless becoming more and more digitally savvy and are developing their IT capabilities, thus enabling them to investigate and communicate on an informal basis while waiting for the formalities to be completed – a process which can be enormously lengthy.

This article was also based on results from our study, a new edition of the Wolf Theiss Guide to Corporate Investigations in Central, Eastern and Southeastern Europe, which discusses corporate investigation in detail in individual countries. It discusses the influence of the covid-19 pandemic on the shifting focuses of prosecuting authorities in the CEE region, the compliance status of companies and corporate investigation, as well as provides an outlook on the future.

State-of-emergency bonanza

As soon as the covid-19 pandemic hit the CEE region, national governments declared states of emergency, arguing that a general lockdown was needed and that certain items and services needed immediate, non-tendered purchasing. The demand for medical supplies (face masks, gloves, ventilators, hospital beds, intensive care supplies, covid-19 tests, laboratory supplies and hospital infrastructure) skyrocketed, at one time peaking by several thousand per cent.

Public procurement contracts also soared in number, many of them deviating from standard procedure and failing to apply appropriate (or any) checks. This simplification (or inobservance) of the public procurement process has resulted in governments hand-picking their contractors without public bidding or other competitive procedures.

Most governments kept the state of emergency in place even after the markets in those items had soared. This led to price hikes, the development of a huge resellers’ market and a number of scandals where governments used the covid-19 pandemic as an excuse to justify buying massive quantities of low-quality items from shell companies affiliated with public servants, overlooking local distributors in the process.

For example, the Czech government paid more than US$10 million to a shell company connected with money laundering schemes.^[6] The Czech Supreme Audit Office, which audited most of the transactions, noted: ‘Purchases of protective equipment were accompanied by chaos, significant price differences, shortcomings in their quality, and transportation issues.’^[7]

A similar situation arose throughout the CEE region. For example, in Ukraine, authorities have been able to deal directly with suppliers without going through the federal procurement system Prozorro. Ukrainians anticipate that this streamlining may have resulted in abuses of procurement procedures during the pandemic.

In Serbia, a recent purchase of medical supplements for approximately €10 million was executed without a public tender. The Ministry of Health approached a small number of bidders on its own initiative, and the contract was awarded to a pharmaceutical company whose management allegedly has close ties with the current ruling political elite.^[8]

Czech parliament members have already set up a parliamentary commission for investigating government spending during the state of emergency, which could amount to US$1 billion over the year of its duration. Moreover, a stringent review is ongoing into the compensation paid to companies during the lockdowns, penalising companies for any mistakes they made, often reclaiming the compensation.

However, as countries gradually emerge from lockdown, many companies – particularly in the European Union – are readying themselves to pick up the crumbs of the massive €1.8 trillion recovery fund and NextGenerationEU programme, which will be used to reignite the European economy through public grants to fund modernisation, innovation and environmental protection. Since, in the CEE countries that are EU member states, prosecution authorities’ focus on areas involving public funds and subsidies and public tenders is a priority, companies must ensure that they stay compliant.

Is compliance immune to covid-19?

As the economic impact of the covid-19 pandemic intensifies, companies and their management are focusing on how they will survive in the short term. Some areas of business are clearly struggling to stay afloat or are having to cope with severe disruption, whereas others are experiencing a rapid growth in their operations and sales.

Overall, ‘business-first’ logic seems to rule the roost, and the mantra of ‘no time for compliance’ is being heard more often. However, even where the situation is desperate, the ends do not justify the means. Criminal activity is no less prohibited, and a state of emergency makes the consequences more, not less, severe. Although government authorities may appear to be busy dealing with more urgent matters, prosecuting authorities are surprisingly active in investigating crimes pertaining to the pandemic.

Not only were most businesses affected by the pandemic, but fraudsters and criminals too, as indicated in the report from the Association of Certified Fraud Examiners. The longer the lockdowns persisted, the more frequent fraudulent and corrupt behaviour became, increasing by almost 80 per cent on average.^[9]

By contrast, companies admitted that it had become more difficult to investigate and, in particular, detect misconduct.^[10] This poses an especially high risk to companies whose employees are having to endure a work environment fraught with uncertainty, a prolonged lockdown and a sense of urgency in their day-to-day business.

Altogether, this creates a particularly demanding scenario for companies’ board members and managing directors, who must on the one hand deal with a short- to medium-term lack of liquidity, government restrictions and supplier shortages, and on the other hand must ensure compliance by their company – all of which form part of their management duties.

Although all those events and risks are currently fogging up companies’ compliance goggles, now is the time for companies to endorse culture. How do you protect your business and eliminate unnecessary risks? And what should be done to prevent various entities from using these times as an opportunity for self-gain?

A representative of a company who is wondering whether its compliance management system is effective may consider the following questions.

• Is the company’s management on all levels committed to compliance, with a zero-tolerance attitude? Would the company’s subordinates confirm it if asked anonymously?
• Can the company convincingly explain to local prosecuting authorities why it has opted for the measures it has implemented and how they could detect a crime?
• Can the employees explain why they follow concrete procedures?
• Are the company’s internal policies adjusted to take into account local laws?

Conduct and (online) tone from the top

With the current focus on financial resilience, we often look at leadership’s approach to a company’s compliance. However, is their role really the only one that is key?

Indubitably. Commitment by management (on all levels) is the most critical element of a functioning CMS – even more so in times of great uncertainty. Exemplary leadership is a key driver for employee behaviour. Senior and middle management should frequently express their commitment to compliance to help ensure employees understand that compliance remains a priority for the company, as employees will look to their leaders for guidance on how to do business and how to work in spite of government restrictions, as well as for peace of mind.

This requires some clarification. Employees often incorrectly assume that phrases such as ‘expressing commitment to compliance’ are merely ‘empty corporate speak’; however, a leader does not have to be detached from employees. On the contrary, the more the leader is detached from subordinates, the less genuine and credible he or she is perceived. There is no reason why a leader cannot express commitment to compliance through a meme posted in a team WhatsApp chat if it fits.

Compliance management systems: fake versus real

Despite its key role, it still comes as a surprise to many companies that authorities in the CEE region also expect them to have a real CMS in place. A real CMS must be effective and well-implemented, with a clearly defined and simple process flow. It must be adapted to the firm’s needs and support its business.

By contrast, a ‘fake’ CMS exists where risk assessment is only theoretical, where it does not operate as an organic process, does not adapt to the business set-up and where responsibilities and process flow are only superficially defined. This type of ‘compliance’ is compliance by declaration only.

What if non-compliance causes Investigations under lockdown?

Compliance is also a business concern, and it is costly if performed badly. Failures are expensive and damaging to reputation. Companies and members of their boards face significant fines or bans from participating in public tenders if they fail to investigate non-compliance, as most countries in the CEE region actively prosecute companies for crimes, in particular those pertaining to bribery.

Companies’ board members must not only implement appropriate procedures to prevent misconduct, but must also investigate any detected misconduct, which often includes formal corporate investigation. If a board member suspects misconduct but does not ensure that it is diligently investigated, then he or she risks liability for breach of fiduciary duties, and the company could hardly claim that it had an effective CMS in place if its CEO does not follow it.

Most jurisdictions in the CEE region either allow companies to release themselves from criminal liability if they prove that they had an effective CMS in place or consider an effective CMS as a mitigating circumstance; thus, the company must react with zero tolerance to any non-compliance and conduct its root cause analysis to be able to effectively improve the CMS.

This may be problematic from a practical point of view. Many activities are currently being carried out remotely. Trips and personal meetings have been cancelled or severely limited. Consequently, conducting investigations, third-party checks or compliance training is a challenge; many companies are either withholding their internal compliance meetings and trainings or doing them via videoconferencing. These are vital elements of a CMS.

The same applies for dealing with misconduct. Remote hearings of witnesses or potential suspects takes time and might be more complicated, but companies should not feel discouraged by this, since a great deal of corporate investigation can be done remotely. The trend of shifting investigations into the digital sphere was becoming apparent even before the covid-19 pandemic.

On this basis, companies should apply and strictly abide by the ‘document everything’ rule so that, at a later date, they are able to prove how certain decisions were taken. Whistle-blower protection is also increasing in importance, with various irregularities and fraud currently becoming more frequent. Companies should, therefore, invest attention in maintaining and developing whistle-blowing platforms to sustain their level of compliance and prepare their business for the aftermath in the event that non-compliance occurs and the authorities return with questions.

For corporate investigations, the situation in the field has changed rapidly over the past year. Companies’ corporate investigation environments may look very different today from what they looked like a year ago and certainly from what they will look like in the coming years – perhaps because the covid-19 virus may become a common threat or perhaps because its constant mutations will keep human vaccination efforts busy for a few years yet.

For example, the impact of the covid-19 pandemic on interpersonal relationships has been enormous. There is little to no direct interaction between co-workers, which is often one of the sources of non-compliance in companies, since colleagues feel safer confiding in their colleagues than in their superiors.

There is also reduced motivation to report issues of concern as the uncertainty and sense of urgency caused by the pandemic might make employees more disorganised, meaning that chaos and non-compliance suddenly becomes the standard way of working. Disruption of employees’ working routines may also cause problems for investigators, who may struggle to find suspicious working patterns, given that there may not be any reliable routines to follow – even usual work might appear suspicious.

The absence of the usual tools – human resources, time and personal interaction – and logistical barriers to conducting in-person interviews, also makes investigations more detached from employees. Usually, the smallest changes in facial expression and body language can be hugely important sources of information for interviewers, and personal contact affects the interviewee subconsciously – via neurochemistry – in terms of their reaction to the situation, the presence of interviewers and the inescapability of the interview.

With videoconferencing tools such as Zoom and Microsoft Teams, the only sign the interviewer can rely on is the voice of the interviewee. Moreover, a convenient internet outage on the interviewee’s side following an unpleasant question can bring an early end to the surprise question. The problem of how video interviews can be seen by interviewees as confidential enough also remains, which results in interviewees being cautious.

On the other hand, remote interviews have several benefits, especially for non-confrontational interviews: interviewees tend to be more open and talkative; elimination of the need to have several people physically in the same place allows for a larger number of interviews to be held within a shorter time frame, which increases efficiency; and the possibility of screen sharing and simultaneous discussion on the contents of certain documents by participants appears to have been very useful in practice.

Finally, having limited access to potentially relevant data means that existing IT infrastructures must provide complete data sets for investigations. Companies that are not yet using clouds should find a dependable solution for collecting data on the work of remote employees. However, such data might not be available due to privacy concerns; therefore, companies should strive to have in place, or swiftly adopt, the internal policies necessary to govern working conditions during the pandemic and should inform employees about any compliance audits that may include their personal data.

In some CEE countries, companies are completely prohibited from reviewing data relating to employees who have not been informed beforehand that their data may be reviewed in the event of non-compliance. In others, such review must be very carefully balanced against employees’ privacy interests.

Post-covid world: an opportunity to improve processes

If the best time to prepare for the crisis was before it happened, the second-best time is now. Crises and urgency help companies to focus. Focus is particularly important when it comes to setting up compliance measures as it enables companies – driven by a sense of urgency – to select only the truly important measures and omit the less important ones.

In theory, this is a no-brainer. CMSs must be simple, clear and easily understandable to employees. This would exclude complex and lengthy processes in which important measures are often diluted by unimportant ones, which often results in less focus but a greater obligation. This, in turn, feeds the sense of chaos felt by the average employee who, in the end, may choose simply to ignore it.

So what should be done with existing policies and procedures?Companies’ CMSs are generally designed to function under ‘normal’ operating conditions. A CMS that mitigated risks effectively before may have now become ineffective or even too restrictive, obstructing the normal operation of day-to-day tasks. Other measures may be ineffective and may give companies a false sense of security.

It is, therefore, essential for companies to conduct new risk assessments to understand the areas where they may have exposures or gaps.Existing risks may need to be reprioritised. One highly recommendable solution is the implementation of a graded CMS that is designed to work under various conditions. With this solution, the ‘covid-19 mode’ could be triggered if the situation deteriorates, with some measures being alleviated and other more stringent measures being established, and vice versa if situation improves.

The digital world removes the ‘geographical’ obstacles to business, compliance and corporate investigations, greatly enhancing their efficiency; however, this is a double-edged sword. CEE countries regulate many things differently (privacy laws, employee interviews, data-gathering and reviewing, etc), and the regulations have geographical obstacles. Companies should have local jurisdictional obstacles in mind when implementing or unifying regional measures. There have been several occasions where a local company had no local internal policies but had merely adopted mother company’s European policies, which, alas, were highly insufficient locally.

Corporate investigation should not be exempt from this process. The trend in digitalisation and the shifting of companies’ employees, documentation and activities online (where possible) will continue regardless of the covid-19 pandemic, which is merely accelerating change. Companies have been handed an opportunity to understand new obstacles to their investigative activities, to revisit policies, to re-establish priorities and to develop a better understanding of their IT infrastructure and employees.

Zero-based redesign of the CMS

The best way to significantly improve CMSs and processes – in particular for larger companies – is to apply a zero-based redesign.

For most people (sometimes also the ones tasked with maintaining or creating a CMS), the decision to omit or delete something and to focus on selected key areas is notoriously difficult. The fear of omitting some measures, even though in practice they pose no benefit or do not mitigate any risk, may be paralysing. Minor measures have been stacked on top of one another in old CMSs, resulting in an overcomplicated and stiff set of procedures and rules.

Typically, compliance measures are not monitored for effectiveness over the long term. The worst-case scenario is that, despite employees changing as the company grows, measures continue to be applied just because they have been applied since time immemorial (even though new compliance employees may have no idea why the measures were set in the first place, and there is no original risk analysis nor other documentation). In this scenario, the company would be functioning with a bulk of old, ineffective and redundant measures based on pre-digital risk assessment that should no longer be relied upon.

Corporate criminal liability being implemented almost CEE-wide, together with the push from international and European organisations to investigate and prosecute corruption, have resulted in FCPA-like investigations being more common and professional. If an event of non-compliance occurs and prosecuting authorities open an investigation, they will assess the company’s CMS.^[11] Companies must shine and show that their CMS is effective and that the criminal activity was possible only because of its sophistication. The worst-case scenario tends to be that the company cannot show either.

Notes