Recovering the Money: the Main Priority in the Public and Private Sector in Romania
This article provides insight into the main priorities, from an investigations perspective, of both the public and the private sector in Romania: investigations in the pharma sector and the cybersecurity issues arising from the constant development of online commercial relations and services.
- The main investigative focus of the Romanian enforcement authorities
- The most relevant investigations in the pharma sector
- Issues arising when conducting an internal investigation in respect of a company’s subsidiary located abroad
- Cybersecurity issues
- Banks’ AML and KYC obligations that may save the money at the last minute
- Anticipated developments
Referenced in this article
- The National Anti-Corruption Directorate
- The Romanian Directorate for Investigating Organised Crime and Terrorism
- Directive (EU) 2019/1937 on the Protection of Persons Who Report Breaches of Union Law
- Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems
- Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing
- Federal Bureau of Investigation – Internet Crime Complaint Centre
The state’s focus: investigations in the pharma sector
Romania’s enforcement efforts have been focusing on allegations of corruption in certain key industries, with the healthcare sector taking the limelight. The interest shown by the enforcement authorities is in line with the statement of the current Head Prosecutor of the National Anti-Corruption Directorate (DNA), Crin Nicu Bologa: bribes in the healthcare sector are between 5 per cent and 18 per cent of the contract value. The former Head Prosecutor of the DNA, Laura Codruța Kövesi, has also stated in the past that bribes in the healthcare sector are higher than in the infrastructure sector and that the price in healthcare-related public procurement is 10 times higher than the initial price of acquisition.
In one of several high-profile investigations in the healthcare sector, the DNA alleges that healthcare professionals accepted luxury trips, gifts and money from 11 of the top 20 pharma companies operating in Romania in exchange for prescribing oncology drugs produced by those companies instead of cheaper generic drugs.
Public procurement within the healthcare and IT sectors is also making headlines. Two former presidents of the National House of Health Insurance and a leading global IT company were indicted in connection with an alleged breach of public procurement law relating to the implementation of the national card reading system. The DNA alleges that the contract price was inflated, unjustified and resulted in a detriment to the public budget.
In another high-profile corporate investigation in the IT sector, the DNA indicted a former prime minister for alleged corruption. The DNA alleged that the former prime minister indirectly received a US$800,000 bribe from the representatives of an Austrian IT company in exchange for adopting several government decisions favourable to the company. According to the DNA, the bribe was paid to a consultancy company by means of off-shore companies and used in favour of the prime minister to cover expenses related to the election campaign.
Corruption related to the 2009 presidential election campaign also made the headlines as a Romanian politician and the daughter of the then president of Romania received jail time for corruption. When the DNA issued the indictment in 2017, it alleged that money collected from corruption, embezzlement and tax evasion was used to pay for services rendered during the presidential election campaign.
Several individuals were indicted, among whom were the then minister of the Ministry of Regional Development and Tourism, who was sentenced to eight years’ imprisonment for money laundering and instigating others to take bribes, and the daughter of the then president of Romania, who was sentenced to five years’ imprisonment for instigating money laundering and embezzlement. The decision is not final and is subject to appeal.
The Directorate for Investigating Organised Crime and Terrorism (DIICOT) has also shown an interest in the healthcare sector as it has been investigating the corrupt practices of an alleged organised criminal group connected with medication required for organ transplantation. The DIICOT alleges that pharmaceutical companies used various methods (such as sponsorship agreements) to bribe healthcare professionals and decision-makers within medical facilities from the organ transplantation sector in exchange for prescribing their medicines.
One of the largest networks of private clinics appeared on the enforcement authorities’ radar as it is being investigated for allegedly claiming amounts from the National House of Health Insurance for medical services already paid for by patients.
The most recent investigation in the pharma sector
At the beginning of 2020, employees of a major European pharma company specialised in generic pharmaceuticals leaked 2GB of internal documents to a highly regarded Romanian journalist. Since then, the journalist has published several articles in respect of wrongdoings involving the company.
The main allegation is that the company has been bribing doctors in Romania for over a decade by offering them money, holiday trips or incentives as speakers in exchange for prescribing its pharmaceutical products.
One of the documents leaked to the press includes an Excel table comprising the names of doctors, their potential for prescribing company products, sponsorships made to the latter and an amortisation column. According to a company employee, cited by the journalist, the doctors would receive approximately 10 per cent of the prescription’s value through sponsorship agreements.
The company conducted an internal investigation led by the head of the legal department, attorneys and several persons from relevant departments of the company. According to a press release, the pharma company announced that the internal investigation with regard to its Romanian subsidiary had shown that the bribery allegations were unjustified in respect of the Romanian subsidiary’s employees, and that it was even less likely that the alleged operation had been conducted from the seat in its home country.
However, according to the same journalist, the DNA started a criminal investigation into alleged bribery in respect of the pharmaceutical company, and several company employees came forward to the prosecutors with information allegedly incriminating the company.
Under Romanian law, legal entities, except for state and public authorities, may be held criminally liable for offences committed in the performance of the legal entity’s commercial activity, in its interest, or on its behalf.
The scope of individuals who may trigger criminal liability of a corporate entity is very broad and includes legal representatives (eg, a director or manager), employees, agents, and even third parties who commit criminal offences for the benefit or in the name of the entity.
In practice, for a corporate entity to be criminally liable, the investigative body must prove that the entity benefited from the criminal activity of the individual perpetrating the offence or that the conduct was performed by the individual within the scope of his or her services for the corporate entity (whether under an employment contract, services contract or otherwise).
A particularly risky situation appears when legal entities operate in Romania by means of their local branch as the branch itself cannot be held criminally liable. That is because the branch does not have legal personality – one of the conditions for corporate criminal liability under Romanian law.
In the case of misconduct of individuals working for or acting on behalf of the local branch located in Romania, should the conditions of corporate criminal liability be met, the mother company located abroad may be held criminally liable and prosecuted for the actions of the individuals who acted on Romanian territory.
In the context of an internal investigation performed in respect of a company’s subsidiary located abroad, several aspects should be considered, with particular emphasis on whistle-blowers, attorney–client privilege and witness interviews during internal investigations.
Although whistle-blowing in the private sector is not broadly regulated, whistle-blowing in the public sector is. The law protects individuals who report a breach of law committed within a public authority or state-owned company. Reporting misconduct cannot trigger disciplinary misconduct against the employee, except where the reporting is purely vexatious or in bad faith. Financial incentive schemes for whistle-blowers do not exist under Romanian law.
Under the public sector legislation, a whistle-blower may report misconduct related to a defined list of crimes, including corruption and assimilated offences, offences against the financial interests of the European Union, discriminatory treatment or practices, public procurement and non-reimbursable financing.
Whistle-blowers in the public sector benefit from a presumption of good faith. Upon request from a whistle-blower subject to a disciplinary investigation, the authority or entity must invite the press or broadcast media and a representative of the union to the disciplinary hearing. Any sanction imposed against a good-faith whistle-blower in the public sector is likely to be overturned.
A change in respect of whistle-blower legislation in Romania will occur once Parliament transposes Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law (the Whistle-Blower Directive).
On 5 March 2021, the Ministry of Justice published a draft law for public debate. The new law will establish safe channels for reporting both within an organisation and to public authorities. It will also protect whistle-blowers against dismissal, demotion and other forms of retaliation and require national authorities to inform citizens and provide training for public authorities on how to deal with whistle-blowers.
Penalties will be imposed against those who attempt to hinder reporting, retaliate against whistle-blowers, attempt to bring proceedings or reveal the identity of the whistle-blower. Any threats or attempts to retaliate against whistle-blowers are also prohibited.
Member states must comply with the EU Whistle-Blower Directive by 17 December 2021. With regard to legal entities with more than 50 and fewer than 250 employees, member states have another two years after transposition to comply (ie, until 17 December 2023).
Internal investigations are triggered by information from various sources, such as whistle-blowers, employees, internal audits, lawsuits, business partners and media reports, as well as from the prosecutor or other government authorities. Audits commenced by the Romanian tax authority could bring to light wrongdoing that could create the need to investigate. Corporations must treat any allegations of misconduct very seriously.
The best practice for commencing an internal investigation is to prepare a plan establishing the scope, approach, responsibilities and steps relating to communication and disclosure, preservation of evidence, and securing witness testimony while information is still fresh in the minds of the various participants in or witnesses to the alleged misconduct. The preparation and execution of the plan are essential for a successful investigation in a manner that allows the company to argue an efficient and consistent corporate culture of compliance within the investigation, while limiting exposure and mitigating the potential risks of a formal investigation.
Attorney–client privilege and witness interviews during internal investigations
Legal privilege protects confidential communication between an attorney and client, if the communications relate to the seeking and receiving of legal advice. For legal entities, the definition of ‘client’ is limited to persons who legally represent the entity (based on the legal entity’s charter) or are empowered by the entity to seek and obtain advice on behalf of the legal entity.
If communications are shared with third parties or parties who are not considered clients, those communications may no longer be considered confidential and lose their privilege. In this context, under Romanian law, communications with in-house legal counsel who are not admitted to the Bar are not protected by legal privilege.
To this end, to protect the privilege and confidentiality of an internal investigation, companies should retain an external attorney to coordinate and execute the investigation and ensure that retention is explicit in a written agreement and registered in the attorney’s registry of contracts.
A more sensitive aspect appears when interviewing witnesses during an internal investigation. If an attorney conducts interviews to provide legal advice on a matter, the records or a report of the interviews may be privileged. Best practice would see attorneys recording interview notes as their ‘impression’ of an interview, rather than as a verbatim transcription.
We expect the Romanian authorities to continue their enforcement efforts in respect of allegations of corruption in the healthcare sector in 2021, especially given the covid-19 pandemic.
According to the UN Office on Drugs and Crime, in ordinary times, not during crises such as the covid-19 pandemic, approximately 10 to 25 per cent of all money spent on procurement globally is lost to corruption. In the European Union, 28 per cent of health corruption cases are related specifically to procurement of medical equipment.
In Romania, there have been several media articles in respect of acquisitions of medical devices used for protection and sanitary materials from companies that have other objects of activity (eg, distribution of beverages) at very high prices. Given the supply and demand of those products and the weak oversight of the authorities owing to the health systems being on the brink of collapse, certain individuals are taking advantage and are using public money to enrich themselves.
The medicines, medical devices and sanitary materials used in the fight against covid-19 are purchased by the Ministry of Health by means of the state-owned company Unifarm SA. The budget of Unifarm SA for 2020 was increased by 1.15 billion lei for this purpose.
Part of the acquisitions from 2020 have been investigated by the DNA and have led to the indictment of the former director of Unifarm SA for alleged corruption and breach of public procurement rules. According to the DNA prosecutors, the former director of Unifarm SA requested €760,000 from an intermediary representing a private company for the award of a contract for the purchase of 250,000 hazmat suits and 3 million surgical masks, in breach of public procurement rules.
The former director of Unifarm SA is also under investigation for abuse of office as he allegedly awarded a private company with a 4.5 million lei contract for the purchase of 1.5 million three-ply surgical masks, in breach of public procurement rules.
In 2020, the DNA focused more on corruption allegations than on allegations of abuse of office (as it used to in past years). That may be because, according to the DNA’s activity report for 2020, the DNA closed 124 investigations into alleged abuse of office owing to the Constitutional Court Decisions Nos. 405/2016 and 392/2017. Those decisions changed the elements of the crime of abuse of office and established that an individual can only be held criminally liable for abuse of office in the event of an act performed in ‘breach of law’ as opposed to any act performed ‘in a defective manner’. It is expected that this trend will also continue in 2021.
The private sector’s focus: cybersecurity issues
The constant development of online commercial relations and services has a significant role in the global economy nowadays. This development and the increasing value of online operations were soon followed by an increase in online criminal activities.
Currently, there is a high risk of malicious entities exploiting the vulnerabilities of the online environment, leading to significant economic and social consequences, which for companies may translate into business compromise, financial losses and even bankruptcy, while for the European Union it may result in its economy being damaged.
Romania has implemented Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems (the NIS Directive) through Law No. 362/2018. The Law requires operators of essential services and providers of digital services to have adequate security measures and to report serious incidents to the competent national authority: the Romanian National Computer Security Incident Response Team (CERT-RO).
Failure to comply may result in a fine ranging from 3,000 lei to up to 5 per cent of the turnover registered for the previous year.
In September 2019, CERT-RO and its partner, the Special Telecommunications Service, obtained funding from EU funds for the development of an early and real-time information alert system on cyber incidents that will provide real-time warning, increase the security level of the national cyberspace (ie, public institutions, private companies and individual users) and ensure the national capabilities for prevention, identification, analysis and response to cybersecurity incidents.
On the criminal side, the Criminal Code has a dedicated chapter on cybercrime, which covers crimes such as illegal access to a computer system and illegal interception of computer data transmission. Computer-related fraud and forgery are also provided in different chapters.
The most severe cybercrime allegations are handled by DIICOT, which over the past few years has successfully indicted several individuals for cybercrimes related to ransomware attacks and man-in-the-browser and man-in-the-middle threats. The number of new cases increased in 2019 (8.4 per cent more than in the previous year), and it increased again in 2020 (12.87 per cent more than in the previous year).
On an international level, Romania is a party to the Council of Europe’s Convention on Cybercrime, the only binding international instrument on this issue, and in 2019 DIICOT relied on cooperation with similar agencies in other countries for its cybercrime indictments with foreign elements.
Cybercriminals are increasingly focusing on one of the most economically damaging attacks: business email compromise (BEC).
BEC is a sophisticated scam targeting both businesses and individuals performing wire transfer payments. It is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorised transfers of funds.
Perpetrators are aiming at high-level employees with financial powers of control, making those attacks more professional and convincing while finding new modus operandi to take advantage of this technique. Targeted companies are usually companies with frequent wire transfers or with foreign suppliers.
In December 2019, a major European company manufacturing machinery and equipment for pharmaceutical, metals, food and chemical industries was the victim of a BEC scam through the vulnerability of one of its suppliers. The perpetrators managed to infiltrate the computer system of the supplier, created false email addresses for several of the latter’s employees, ‘hijacked’ some of its real email accounts and performed several exchanges of email communications with the victim company.
The perpetrators intercepted an ongoing transaction and misled two of the victim company’s employees into changing the bank account to which an invoice payment should have been made, thus causing damage of approximately €200,000.
A similar modus operandi was performed in 2019 by perpetrators against a global leading company in the automotive industry. The perpetrators illegally accessed both the computer system of the victim company and the computer system of one of its suppliers, with the purpose of accessing the email addresses of certain employees.
During the same period, the fraudsters created false email addresses for several of the supplier’s employees and performed exchanges of emails between those email accounts with the purpose of misleading them and obtaining a material benefit by hijacking approximately €150,000 pertaining to the invoices issued by the supplier.
A recent report of the Federal Bureau of Investigation – Internet Crime Complaint Centre (FBI IC3) stated that there was a 136 per cent increase in identified global exposed losses between December 2016 and May 2018.
In 2019, the FBI IC3 recorded 23,775 complaints about BEC, which resulted in more than US$1.7 billion in losses. Based on the victim complaints filed with the IC3, financial sources indicate that fraudulent transfers have been sent to 115 countries.
BEC scams continue to grow and evolve, targeting small, medium-sized and large business and personal transactions, exploiting the way corporations do business and taking advantage of segregated corporate structures and internal gaps in payment verification processes. At the low-tech end, where social engineering reigns, awareness and training for staff are the key.
As cybercriminals are becoming more and more sophisticated, it is getting harder for victims to recognise what is real and what is fake and to spot red flags. To combat those potential destructive challenges, companies should be one step ahead of cybercriminals, proactively anticipating and minimising IT risks.
Such attacks could be prevented with healthy and strong IT security, which involves a series of measures, such as internal policies, user awareness and training, risk analysis and assessment, vulnerability and security alerts management, access rights management, network and information system configuration management and security plans.
Cyberattacks are no longer a question of ‘if’ but a matter of ‘when’, and companies should develop a cybersecurity strategy through corporate policies and clear procedures to protect themselves, shield their activity and reduce their business risks, as well as ensuring that employees are informed and aware of them.
The below situations could be potential signs of a business email compromise:
- an unsolicited email or phone call;
- a request for absolute confidentiality;
- an unusual request in contradiction with internal procedures;
- direct contact from a senior official that the individual is normally not in contact with;
- pressure and a sense of urgency; and
- threats or unusual flattery or promises of reward.
Another wise step may be to assess, monitor and manage potential IT risks through an internal investigation based on the industry’s standard risks. Any issues arising from the assessment should be identified and documented through a closed-loop process of issue investigation, analysis of the root cause and remediation.
If a fraudulent transfer has already occurred, time is of the essence. First, the financial institution should be contacted and requested to block the transfer of the funds, and second the competent criminal investigation authorities should be contacted.
Finally, an internal investigation (including IT and forensics) should be conducted to identify the dysfunctions and vulnerabilities through a due diligence process followed by a fast and adequate implementation of the security update measures and procedures.
Banks’ AML and KYC obligations: can the money be saved at the last minute?
When a cyberattack has occurred and money is to be transferred, banks should have a say and perform their anti-money laundering (AML) and know-your-client (KYC) obligations provided by Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, transposed at the national level by Law No. 129/2019 (the AML Law).
First, pursuant to the AML Law, a bank must perform customer due diligence (or KYC) before it carries out an occasional transaction that amounts to €15,000 or more (whether that transaction is carried out in a single operation or in several operations that appear to be linked).
This means that banks should retain the identification data contained in the following documents from each client:
- from individuals: identity cards, passports or residence permits;
- from legal entities: constitutive act, registration certificates or their extracts; and
- from ultimate beneficial owners: documents showing the identity of the real beneficiary, namely the individual who ultimately owns or controls the client or the individual on whose behalf a transaction, operation or activity is performed.
Second, credit institutions have an obligation to report cross-border transactions that amount to €15,000 or more to the National Office for Prevention and Control of Money Laundering (ONPCSB) within three working days of the transaction date.
In the above cases, as the transactions amounted to approximately €200,000 and €150,000, the bank (which, coincidentally or not, was the same recipient financial institution in both cases) should have reported them immediately to the ONPCSB.
In addition, if a bank deems a transaction as suspicious, it must immediately report it to the ONPCSB before carrying it out and cannot perform it for 24 hours as of the moment the report is registered at the ONPCSB.
For similar situations to the cases described above, the AML Law does not provide a rule that could trigger a red flag in the event that the incoming money is transferred again within a short time frame to another bank. However, this could be seen as a suspicious transaction, especially since the AML Law provides that a suspicious transaction report should be sent to the ONPCSB ‘in any other situations or in regard to elements that are able to raise suspicions regarding the nature, economic purpose or the scope of the transaction, such as the existence of certain anomalies regarding the client’s profile’.
An even more challenging situation could be the one of instant payments, which may complicate fraud prevention and especially mitigation of risks, considering that, since 2017, a multitude of instant payment schemes have been launched. While those instruments are providing clear benefits to the financial sector and commerce, they can also involuntarily accelerate various frauds. Those transactions provide money launderers better options for money mule accounts and also make it harder for financial institutions to block suspicious transactions.
In this digital age, especially during and because of the covid-19 pandemic, ‘distance does not prevail’ is more accurate than ever, and attacks are carried out from anywhere in the world. The pandemic is forcing many people to work from home, which increases the number of potential victims of cyberattacks.
Companies should now focus even more on cyber-secure teleworking because of the lack of direct contact between contractual partners; establish corporate policies and clear procedures on teleworking, secure teleworking equipment and remote access; and increase security monitoring. In this respect, the European Cybercrime Centre, set up by Europol, recently published a how-to guide on safe teleworking, with tips and advice for businesses and employees.
Recent FBI IC3 reports show that cybercriminals have turned more towards conducting BEC through exploitation of cloud-based email services. The scams are initiated through specifically developed phishing kits designed to mimic cloud-based email services to compromise business email accounts and request or misdirect transfers of funds.
Companies may better protect themselves and their employees against BEC through several available measures, such as educating their employees about BEC scams, including preventive strategies on how to identify phishing emails and how to respond to suspected compromises, as well as enabling multi-factor authentication for all email accounts.
Finally, any suspicious request for immediate transfers or for changing the payment details for due amounts should be confirmed by live contact (directly or by telephone, videoconference, etc).
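The payment-verification gap exploited in the two supplier cases above can be closed with a simple control in the accounts-payable workflow. The sketch below is an added example, not part of the original article: it checks a payment instruction against the vendor master record and holds it for live confirmation when the sender domain or the bank account is unexpected. The vendor name, domains and requests are constructed sample values (the IBANs are standard documentation examples), and the function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vendor:
    name: str
    domains: frozenset      # e-mail domains on file for this supplier
    iban: str               # bank account on file

@dataclass(frozen=True)
class PaymentRequest:
    vendor: str
    sender: str             # e-mail address the instruction came from
    iban: str               # account the e-mail asks to be paid
    confirmed_by_callback: bool = False   # live contact via a number on file

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def skeleton(domain):
    """Collapse common look-alike substitutions ('rn' for 'm', '0' for 'o')."""
    d = domain.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(src, dst)
    return d

def normalize_iban(iban):
    return "".join(iban.split()).upper()

def classify_sender(sender, vendor):
    """Return 'known', 'lookalike' or 'unknown' for the sender's domain."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in vendor.domains:
        return "known"
    for good in vendor.domains:
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 2:
            return "lookalike"
    return "unknown"

def evaluate(req, vendors):
    """Return (decision, reasons): 'release', 'hold_for_callback' or 'reject'."""
    vendor = vendors.get(req.vendor)
    if vendor is None:
        return "hold_for_callback", ["vendor not in master data"]
    reasons = []
    origin = classify_sender(req.sender, vendor)
    if origin != "known":
        reasons.append(f"sender domain is {origin}")
    new, old = normalize_iban(req.iban), normalize_iban(vendor.iban)
    if new != old:
        reasons.append("bank account differs from vendor master record")
        if new[:2] != old[:2]:
            reasons.append("new account is in a different country")
    if origin == "lookalike":
        return "reject", reasons          # not the supplier's real domain
    if reasons and not req.confirmed_by_callback:
        return "hold_for_callback", reasons
    return "release", reasons

# Constructed sample data.
VENDORS = {"Acme Machinery": Vendor("Acme Machinery",
                                    frozenset({"acme-machinery.example"}),
                                    "DE89 3704 0044 0532 0130 00")}
NEW_IBAN = "GB82 WEST 1234 5698 7654 32"
REQUESTS = {
    "routine": PaymentRequest("Acme Machinery", "billing@acme-machinery.example",
                              "DE89370400440532013000"),
    "false_address": PaymentRequest("Acme Machinery",
                                    "billing@acme-rnachinery.example", NEW_IBAN),
    "hijacked_account": PaymentRequest("Acme Machinery",
                                       "billing@acme-machinery.example", NEW_IBAN),
    "after_callback": PaymentRequest("Acme Machinery",
                                     "billing@acme-machinery.example", NEW_IBAN,
                                     confirmed_by_callback=True),
}

if __name__ == "__main__":
    for label, req in REQUESTS.items():
        print(label, *evaluate(req, VENDORS))
```

The "hijacked_account" request comes from the supplier's genuine domain, so a sender check alone passes it; only the comparison with the account on file and the live confirmation stop the transfer.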
Concluding remarks and recommendations
Both the investigations into allegations of corruption and the cyber-related issues require a well-established investigation plan combined with complex preparation of a defence plan from both cross-border and multidisciplinary angles.
The best practice for commencing an internal investigation is to prepare a plan establishing the scope, approach, responsibilities and steps relating to communication and disclosure, preservation of evidence and securing witness testimony while information is still fresh in the minds of the various participants in or witnesses to the alleged misconduct.
The preparation and execution of this plan are essential for a successful investigation in a manner that allows the company to argue the existence of an efficient and consistent corporate culture of compliance within the investigation, while limiting exposure and mitigating the potential risks of a formal investigation.
On the other hand, the company’s anti-bribery and AML policies, as well as related training sessions organised for employees, could help build the company’s defence in the event of a formal investigation by the competent authorities.
Taking into consideration the anticipated developments above, owing to the specific conditions in the context of covid-19 prevention measures (urgent and large medicine and medical supplies acquisition, working from home and online meetings), it is clear that the near future will give the authorities the opportunity for significant investigations and for the private sector to mitigate the risks or to recover the defrauded amounts.
In the case of misconduct triggering either an internal or a formal investigation, or in the event that a company is a victim of cybercrime, considering the cross-border implications of those investigations, from our experience, the best way to deal with such an issue is by contacting and retaining a multidisciplinary law firm with a wide presence across multiple jurisdictions that has the capacity to handle such a complex issue. The same course of action should be taken as a preventive measure for performing a risk analysis and suggesting a risk mitigation plan.
 The interview of the Head Prosecutor of the DNA is available (only in Romanian) at: https://spotmedia.ro/stiri/eveniment/exclusiv-crin-bologa-sef-dna-despre-repornirea-anticoruptiei-avem-dosare-importante-cu-persoane-si-prejudicii-importante-nu-fac-compromisuri-interviu-video?fbclid=IwAR3vUxvIgdDt5k2Fvy1CafUwUhJjrpaTpMCMRjpgjvBKLoK9_d5Zi1rVPKU.
 The media article covering this decision is available at: https://www.usnews.com/news/world/articles/2021-03-02/romanian-politician-and-ex-presidents-daughter-get-jail-terms-for-corruption.
 The draft law can be found (only in Romanian) at: http://www.just.ro/proiect-de-lege-privind-protectia-avertizorilor-in-interes-public/.
 The DIICOT Activity Report for 2019 is available (only in Romanian) at: www.diicot.ro/images/documents/rapoarte_activitate/raport2019.pdf.
 Directive (EU) 2015/849 is available (in several languages) at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015L0849.
 The European Cybercrime Centre guide is available (in several languages) at: www.europol.europa.eu/activities-services/public-awareness-and-prevention-guides/safe-teleworking-tips-and-advice.