Key Issues on Compliance Programmes and their Enforcement in Russia
This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight
In recent years, Russia has joined the mainstream in terms of its legislative attack on corruption and bribery in the business sector and in its efforts to both educate its business community on best practices when it comes to anti-corruption and oversee and enforce anti-corruption measures. Without minimising the scale of the problem that Russia faces in achieving those objectives, this article provides an overview of recent anti-bribery and corruption legislative measures and the guidance provided to the Russian business community with regard to those measures and their enforcement.
- Recent anti-corruption legislation provides for corporate as well as individual liability for bribery in both the public and private sector
- Extensive official guidance from the Ministry of Labour on how best to build a compliance infrastructure within an organisation and how best to monitor its effectiveness
- Materials posted online by the enforcement authorities support the task of providing compliance training to both employees and those of third-party service providers
- Obstacles to effective and efficient internal investigations, including strict personal data protection legislation being rigidly applied and limitations on attorney–client privilege
- New opportunities for self-reporting but benefits of self-reporting still open to question
Referenced in this article
- Law on Combating Corruption
- Law on Advocates’ Activities and the Advocates’ Community
Unprecedented official guidance from regulators across the globe on corporate compliance programmes has been released in recent years. The guidance has ranged from the Criminal Division of the US Department of Justice’s Evaluation of Corporate Compliance Programs released in early 2019 and the French Compliance Function Guide, to the updated guidance on Evaluating Compliance Programmes published in the United Kingdom in January 2020.
Following several large cases involving cooperation between the National Financial Prosecutor’s Office, the French Anti-Corruption Agency and UK Serious Fraud Office, the regulators in the United Kingdom (the 2019 Corporate Co-operation Guidance) and France (the Guidelines on the Implementation of the Convention Judicial Public Interest Agreement) issued helpful guides on cooperation with the authorities, which set out regulators’ expectations on data retention and investigation efforts.
Russian authorities have also been busy providing practitioners with insight into the government’s expectations for anticorruption compliance programmes. For the most part, the available guidance on building a compliance programme is consistent with international precedent, although there is still little insight specifically into the conduct of internal investigations and ensuring the possibility of retaining and furnishing evidence, including e-data. What can be said specifically is that, when rolling out a compliance programme in Russia, appropriate provisions in employment contracts and internal HR procedures are of paramount importance.
With that in mind, the Ministry of Labour and Social Security (the Ministry of Labour, the employment regulator) and the standards communicated by it play a key role in the compliance process.
Russia introduced an explicit requirement for companies to implement compliance measures in 2012. The law sets out a basic list of measures that serve as an example of the minimum a company should consider implementing to comply with the requirement. The list is non-exhaustive and includes:
- introduction of a designated anti-corruption function;
- cooperation with the authorities;
- rolling out policies and procedures to ensure a good-faith operation;
- issue of a code of ethics and business conduct;
- prevention and resolution of conflicts of interest; and
- preventing unofficial reporting and the use of forged documents.
There are no specific standards set by law, even for those measures.
There is also no liability specified for failure to comply with those requirements: the Prosecutor’s Office has been making modest efforts to enforce them by issuing written binding orders to comply with the requirements following an inspection. Non-compliance with those orders may entail serious consequences, including potential criminal liability for individual members of management who were responsible yet failed to act.
Having a set of compliance measures is intended to have a tangible effect on a company’s liability for corruption. Companies can be held liable under the Code of Administrative Offences for undue payments made on their behalf or in their interests and for the illegal employment of former government and municipal officials, unless they have taken all possible measures to prevent the offence (corporate guilt).
Enforcement practice is not consistent: although in some cases companies were able to successfully plead that their anti-corruption compliance measures were sufficient, in a large number of cases the courts have hardly conducted (if at all) any analysis of the company’s measures and whether they could serve as a condition for releasing the company from liability.
Elements of compliance: Russian Ministry of Labour practical guidance
The Ministry of Labour is the authority responsible for the ‘development and implementation and advisory/methodological support of measures aimed at preventing corruption in organisations, monitoring the implementation of those measures, and methodological support of such measures’.
In this capacity, the Ministry of Labour has issued practical guidelines and recommendations concerning measures to prevent corruption in Russia, and it has been very active in fulfilling this function. Since 2014, it has issued a large number of guidelines and recommendations. We will review the most significant of these below.
State organisations and state companies in Russia, for the most part, roll out their anti-corruption compliance programmes following those guidelines and recommendations, and many privately held companies also rely on them. Although the documents issued by the Ministry of Labour are non-binding recommendations, they serve as benchmarks for the Prosecutor’s Office and courts.
The guidelines and the early recommendations were issued in an environment in which anti-corruption compliance was still very new in Russia and, thus, contain a considerable amount of tutorial material on overseas and international anti-corruption regulations, best practice summaries and sample documents.
The guidelines were issued in Russian, and we are not aware of any reliable translation.
Anti-corruption compliance system
The Guidelines for the Development and Adoption by Organisations of Measures to Prevent and Combat Corruption was central to the first set of guides passed by the Ministry of Labour in early 2015. It included the Ministry’s insight into what reasonable compliance measures should look like. The guide was last updated in 2018.
In October 2019, the Ministry issued another set of guidelines called Measures to Prevent Corruption in Organisations, which largely reiterates the same provisions but is more detailed and better organised. In line with globally evolving best practices, the more recent recommendations have more of a focus on anti-corruption risk assessment and third-party risk management.
According to the recommendations, the minimum set of compliance policies for a company includes an anti-corruption policy, a code of ethics and a code of business conduct. Other important areas to be covered by a company’s normative acts are anti-corruption risk assessment, conflicts of interest, communication and training, internal monitoring and control, and management of third parties (eg, due diligence review, avoiding conflicts of interest and anti-corruption clauses).
The principles that, according to the Ministry, the anti-corruption policies of a company should rest on do not come as a surprise to experienced practitioners. They are:
- tone from the top;
- communication of anti-corruption regulations to employees and their involvement in anti-corruption procedures;
- effective compliance;
- adequate assessment of risks;
- communication of expected compliance standards to business partners;
- liability and inevitable punishment for employees irrespective of their position; and
- regular internal monitoring and control.
The guidelines describe what an anti-corruption programme might look like, offer a sample set of measures and outline the process for the introduction and renewal of compliance programmes.
Organising a compliance function is an area in which management enjoys broad discretion. Companies are offered a lot of freedom on how they want to structure their compliance function and what department will be responsible for compliance. Importantly, the compliance unit must have a direct reporting line to top management (but the document is silent on reporting thereafter), be sufficiently staffed and be given the resources and powers to exercise its functions.
The guidelines, in their first edition in 2015, introduced the requirement for companies to conduct anti-corruption compliance risk assessment. They broadly outlined procedures for risk assessment and associated record-keeping. In 2019, risk assessment procedures were addressed specifically by the Ministry of Labour in a special set of recommendations.
Dealing with conflicts of interest and enforcing the relevant policies and procedures is central to effective compliance. The Ministry devotes a large part of the document to explaining the general and more industry-specific rules (eg, detailing the risks for the financial sector and medical and pharmaceutical companies).
The expected standard of cooperation with the authorities includes a number of commitments, including:
- reporting corruption;
- non-retaliation against reporters (Russian legislation on this is, however, pending);
- cooperation with investigators and inspectors; and
- retention of evidence.
Companies are recommended to participate in nationwide anti-corruption initiatives, such as the Anti-Corruption Charter of Russian Business.
Anti-corruption risk assessment guidelines
In September 2019, the Ministry of Labour released Recommendations on the Procedure for Assessing Corruption Risks in an Organisation. The 25-page document is essentially a detailed guide to what anti-corruption risk assessments should be. It also encloses sample documents introduced by companies in Russia, such as a risk assessment plan, a risk modelling report and a comprehensive risks map.
In 2017, the Ministry had already taken steps to issue recommendations for anti-corruption risk assessments, but the 2017 guide only applied to state authorities and state corporations or companies. The new set of recommendations is offered to all entities.
When working on the 2019 risk assessment guide, the Ministry apparently conducted extensive research into international best practice and widely accepted standards of anti-corruption risk assessment.
In our view, the document provides very good guidance, although, in our practice of advising clients in Russia on compliance risk assessment, we seldom come across procedures and records anywhere near so detailed and sophisticated.
The guidelines are organised as a step-by-step procedure for the identification, analysis and ranking of corruption risks. They consistently promote the idea of adequacy of risk assessment procedures for the specific company into which they are to be introduced, for example, based on its size, industry sector and available resources.
The basic recommendation is to start with a calendar plan, identify the priority areas and then progressively roll out risk management procedures to all other aspects of the company’s activities. This is a very reasonable recommendation, and clients could benefit from taking it on board. Instead of waiting for the right moment to conduct a comprehensive risk assessment of the entire business, it makes sense to prioritise and start with the high-risk areas.
In identifying high-risk areas, companies are predictably invited to follow value-based and risk-based approaches. Government-facing functions are a priority, including sales via state procurement, obtaining licences, permits and approvals, and dealings with state officials in the course of inspections. Examples of other high-risk areas listed by the Ministry include procurement for company needs, real estate transactions, disposing of property including non-core assets, budgetary functions (providing loans, marketing and sponsorship), use of intermediaries and remuneration or bonus schemes for employees. Companies are reminded that compliance risks can be created not only by their own employees but also by third parties (agents, consultants and distributors, among others).
When assessing risks, companies are expressly advised to take into account their exposure to the laws of other countries where they (or their business partners) operate, including the US Foreign Corrupt Practices Act and the UK Bribery Act.
The standard set by the Ministry for risk assessment procedures includes collection of data through document review and interviews with key employees, risk modelling, identification of existing risks and controls and their owners, risk ranking, gap analysis and identification of remedial risk mitigation actions.
Employees’ obligations and motivation
In October 2019, the Ministry of Labour published its Memorandum on Employee Duties and Motivation in Organisations.
The Ministry explained that the obligation to comply with anti-corruption policies and procedures should be made part of the employment contract and that disciplinary (employment law) sanctions should be consistently applied to employees who fail to meet those obligations.
In addition to the inevitable sanctions for those in breach of their employment contracts, companies are encouraged to introduce monetary and non-monetary benefits as motivation for compliance on the part of their employees. Companies should not discourage employee compliance by setting key performance indicators that lead employees to prioritise performance over compliance.
As everyone with experience in this market is well aware, it is very difficult to sanction employees and especially to terminate their contracts for corruption-related offences in the absence of a valid court verdict against the non-compliant employees. It remains to be seen if enforcement practice will move in the direction of giving companies more opportunity to sanction rogue employees.
In recent years, our firm has won several cases in Russia for clients arising from the termination of the contracts of employees who, according to internal investigations, had failed to comply with internal compliance policies and procedures. Nonetheless, the dominant practice for parting company with the non-compliant employee remains the mutually agreed separation agreement, often coupled with a monetary sum paid to the employee.
Compliance function structure
The Ministry of Labour updated its model job description for the compliance role in 2018. Formally, the guidelines apply to state corporations and state-owned entities; however, private businesses can benefit from this example.
The document sets a ratio of one to 100 as a recommendation for the size of the compliance unit relative to the overall number of employees. In our experience, this is a very generous ratio that is seldom met in the headcount of compliance units in private clients.
Internal investigations remain a relatively unregulated area in Russia. The compliance function guidelines explain, however, that compliance officers should have a right to conduct internal checks, including interviewing employees, subject to this function being included within the scope of their functions by internal regulations.
Prosecutor’s Office guidance
The Prosecutor’s Office (together with its territorial subdivisions) is the main driver of enforcement practice for corporate corruption offences, as it is the authority in Russia that investigates corporate corruption cases under article 19.28 of the Code of Administrative Offences.
Prosecutors also perform the function of overseeing compliance with anti-corruption laws in accordance with the international treaty obligations of Russia. Designated anti-corruption compliance departments have been established at all levels of the Prosecutor’s Office. As part of this function, they make enquiries into the existence of corporate compliance programmes. Prosecutors are frequent speakers at compliance conferences and roundtables.
The anti-corruption compliance department of the Prosecutor’s Office on its designated website publishes a wide range of educational materials that compliance managers may find helpful in their work, especially if they have limited resources. Local companies with international best practice support from global headquarters can also benefit from those materials. Particularly worthy of mention are the Prosecutor’s memoranda on Corporate Liability for Corruption and Gifts to Public Officials.
The Prosecutor’s website even hosts videos with role-played high-risk situations, which fit very well into internal compliance training programmes.
The ability to conduct effectively internal investigations into corruption and related allegations is a hugely important element of an effective compliance programme; however, this aspect of the work of compliance managers and counsel remains a blank area in the Russian regulatory framework. There is almost no official guidance or reliable enforcement practice.
Practitioners often have to rely on their own interpretation of local laws and follow international best practice. This makes internal procedures (eg, investigation policies, rules on the use of corporate devices and IT systems and use of the company’s property for private purposes) key to the process, and companies should properly issue them as local normative acts.
The most problematic aspects of internal investigations include the treatment of personal data, correspondence and private information collected during the investigation, protection of attorney–client communications and work products and reporting internal findings to the authorities.
Personal data, correspondence and private information
The Law on the Protection of Personal Data and legislative requirements for the localisation of individuals’ data in Russia has set the bar very high in protecting privacy in any internal investigation conducted in Russia.
In the absence of any official clarifications or court practice, the safest option to comply with the data privacy requirements is to seek written consent from all those being interviewed to any transfer of that person’s personal data (even to associated companies in the same corporate group). Two options are possible:
- consent can be obtained in advance of any investigation being required, but should clearly state the purpose (ie, verification of correspondence to internal company policies and procedures); or
- specific consent can be obtained from the data owners at the beginning of the investigation.
If, for any reason, it is not possible to obtain consent, the investigating entities may invoke other legal grounds for personal data processing that do not require the employees’ consent. For example, as the ultimate goal of internal anti-corruption investigations is to eliminate non-compliance with legislation and (probably) local internal policies, the processing of data of employees within the investigation can based on such legal grounds as:
- the necessity to achieve the objectives set out in Russian legislation; or
- the necessity to exercise the rights and legitimate interests of the operator or third parties.
Although this approach seems logical and is based on the law, we are not aware of any positive enforcement practice using this interpretation.
Properly documenting the investigation is essential. Companies should officially initiate the investigation with an order of the general director appointing individual investigators as the authorised representatives of the employer. In this case, the investigators will have access to the employees’ data on behalf of the employer even without the written consent of the employees. The investigation must be completed within strict deadlines and end with another order of the general director reporting the findings.
Internal investigations do not usually target information about an employee’s private life, but today’s working environment makes it impossible to draw a clear division between one’s private and professional life, especially for those who work with 24/7 availability. It is, therefore, commonplace for employees to store some pieces of information about their private life (eg, private photos, documents and correspondence) on their corporate devices. This information, if accidentally found, should be ignored and not used in the investigation. Search terms should be carefully formulated to minimise the risk of encountering this information.
There is criminal liability in Russia for the illegal collection or distribution of data about an individual’s private life containing a personal or family secret without his or her consent, although a criminal prosecution for truly unintended collection of information on an individual’s personal life cannot be justified. An appropriate internal policy on use of corporate IT solely for business purposes can be helpful in supporting a position that all information found on corporate IT must be business-related or in supporting an argument that by placing such information on corporate IT the employee has de facto consented to it being accessed.
Protection of attorney–client communications and work product
It is common knowledge that the Russian legal system has a different approach to the concept of legal privilege when compared to common law jurisdictions.
In Russia, irrespective of the area of law, legal advice and representation in court proceedings may be provided by advocates (practitioners who are the members of a Bar) and other legal practitioners persons with few limitations. However, professional secrecy is protected only in relationships between clients and advocates.
Article 9 of the Federal Law on Advocates’ Activities and the Advocates’ Community defines an advocate’s secret very broadly: any information related to the provision by the advocate of legal services to his or her client. The article also provides three types of guarantee against disclosure of this sensitive information:
- prohibition on calling and questioning advocates as witnesses concerning matters known to them in relation to their legal services;
- prohibition on searching advocates’ premises, except on the basis of a court order; and
- prohibition on using materials contained in the advocate’s file (called a dossier) as evidence for prosecution of the advocate’s clients.
The Criminal Procedural Code provides additional guarantees to protect advocates from pressure from the law enforcement authorities. In particular, it establishes a special and complex procedure for initiating criminal cases against advocates. A decision on the initiation of a criminal case against an advocate must be taken by the Regional Head of the Investigative Committee. Mandatory escalation of the matter to this high level is aimed at decreasing the risk that low-level officers put pressure on the advocate by commencing an arbitrary criminal case against him or her.
In post-Soviet Russia, the Constitutional Court, in a number of cases, stressed that advocates enjoy special protection from search and seizure. Some cases have been escalated to the European Court of Human Rights (ECHR), where legal advisers other than advocates have been seeking similar treatment.
In a recent and important case against Russia (Kruglov and others v Russia), the court stated that it would be incompatible with the rule of law to leave without any particular safeguards to the relationship between clients and their legal advisers who, with few limitations, practise, professionally and often independently, in most areas of law, including representation of litigants before the courts.
In this regard, the court found that searches without judicial authorisation of the premises of the applicants in that case, who were practising lawyers but not advocates, had been conducted arbitrarily. The ECHR underlined that practitioners who do not have advocate status should, therefore, enjoy the same safeguards on the protection of privileged documents and information as advocates possess.
It remains to be seen how this ECHR opinion will affect Russian practice. Thus far, Russian law has not been amended. It still provides protection for privileged information only to legal professionals who are advocates. We believe that unless and until privilege protection is introduced as a new law, any documents and information seized from the premises of those professionals who are not advocates would be admissible evidence in Russian courts.
Even the participation of advocates in an investigation is not an absolute guarantee against disclosure of their privileged documents. Cases of attorney–client privilege violation by Russian law enforcement authorities are still reported even where advocates are involved.
However, the community of advocates vigorously defends its members and their exclusive rights provided by the law – with cases of violation receiving massive press coverage and having decreased substantially over recent years. All those efforts have had a positive effect on law enforcement practice and have resulted in a more cautious approach by the law enforcement authorities towards violating attorney–client privilege. Violations of Russian law concerning attorney–client privilege and involving advocates is now rare.
In view of the above, and taking into account the unpredictable law enforcement environment in Russia, it is not surprising that companies hire advocates to conduct internal investigations.
Self-reporting under Russian law
In 2018, Russian law was updated to include provisions on the voluntary disclosure of corruption offences by companies. (A similar provision of self-reporting agreements violating antitrust law had been part of Russian law since 2017.)
In particular, companies are released from liability for a corporate corruption offence if they contributed to the uncovering of the offence, assisted in the administrative investigation or the uncovering and investigation of the crime, or if they faced extortion. At the same time, Russian law contains no liability for the non-reporting of corruption offences.
The enforcement practice around those new legal provisions remains inconsistent. There have been a number of cases where the courts applied this provision to release companies from liability; however, there have also been cases where courts declined to apply this provision in seemingly similar circumstances. The enforcement authorities have not issued any guidance for evaluation of a company’s efforts towards self-reporting and, in their public presentations, have mostly concentrated on the proper timing of self-reporting.
In respect of timing, a decision to release from liability on the grounds of self-reporting can be taken either by the enforcement authorities at an early stage of proceedings under the Code of Administrative Offences or by the courts in the subsequent public proceedings; thus, self-reporting could very easily lead to no benefit at all if the prosecutor declines to release the company from liability and proceeds to bring the case to court
Clearly companies should carefully consider the risks related to self-reporting on a case-by-case basis. Among the other factors to be taken into account are the following:
- commencement of a criminal investigation into corruption involving employees of the company or business partners;
- known facts of self-reporting of a suspected individual in his or her personal capacity;
- disruption to business caused by various investigative measures;
- self-reporting triggers under applicable anti-corruption laws in other jurisdictions; and
- the potential amount of the fine that could imposed for the offence (fines could reach 100 times the amount of a bribe or proposed bribe).
To some, the very notion of comprehensive anti-corruption legislation and compliance practices in Russia may come as a complete surprise, but only if you missed out on the fact that Russia’s days as ‘the Wild East’ are many years behind it.
This is not to say that Russia will likely be making a rapid climb up the Transparency International Corruption Perceptions Index any time soon. What it does mean, however, is that in driving home the message of ethical business practices and the importance of eradicating bribery and other forms of corruption, a multinational corporation no longer has to reference the FCPA or the UK Bribery Act; instead, it can reference the (almost identical) obligations of the business under Russian law and the substantially similar local guidance on meeting those obligations.
 Federal Law No. 273-FZ of 25 December 2008 ‘On Combating Corruption’, article 13.3 introduced 3 December 2012.
 Article 19.28 of the Code of Administrative Offences. Only individuals can be penalised for criminal offences in Russia; companies are liable for the ‘administrative offence’ of corrupt payments, a concept similar to the crime of corporate corruption.
 Article 19.29 of the Code of Administrative Offences.
 Article 2.1 of the Code of Administrative Offences.
 Decree No. 610 of the Government of 19 June 2012 (as amended) ‘On the Approval of the Regulations on the Ministry of Labour and Social Security of the Russian Federation’.
 For example, generally, practitioners who are not members of a Bar cannot act as defence attorneys in Russian criminal proceedings.
 Article 448, sub-clause 1.10 of the Criminal Procedural Code.
 See, for example, Resolution of the Constitutional Court No. 33-P, dated 17 December 2015.
 ECHR judgment dated 4 February 2020.
 In the case in question, the investigating authorities had obtained judicial authorisation for the searches in respect of the advocates, in accordance with the procedure prescribed by law. For example, para 121, 122, 137 of the ECHR judgment re: Kruglov and others v Russia, dated 4 February 2020.
 Article 19.28 of the Administrative Code, note 5.
 Article 14.32 of the Administrative Code, note 5.