Legal and regulatory framework
What legal role does corporate risk and compliance management play in your jurisdiction?
The overall compliance culture in Ukraine is very low. The level of risk and compliance management is in general much lower than, for example, in EU countries or the US. The absence of a proper legal framework and a low level of enforcement are still among the major factors in this regard.
However, Ukraine needs to adjust its regulations to EU and further international standards. Based on this, from a regulatory perspective, specific industry sectors are more and more confronted with an increasing level of regulatory compliance obligations. Individuals and entities subject to financial monitoring, banks and professional capital markets participants are facing more and more compliance obligations based on changes in Ukrainian law.
There are also individual initiatives from newly established anti-corruption authorities that must use anti-corruption systems when fulfilling certain requirements and an increasing number of published guidelines on how to manage corruption risks.
A minority of Ukrainian businesses, mainly the international ones with a local presence in Ukraine, have established a robust compliance management system to cover certain liability risks they mainly face abroad but also more and more in Ukraine.
However, in the majority of cases, Ukrainian companies still establish and implement compliance management measures in a very formalistic way, if at all, and with a poor level of compliance culture.
Laws and regulations
Which laws and regulations specifically address corporate risk and compliance management?
There are no general legal regulations on risk and compliance management applicable to all sectors and companies. For most companies, it is up to their discretion whether to introduce any risk and compliance management systems depending on the particular business needs and risks.
However, there are certain areas where the law introduces statutory requirements for different types of companies regarding risk and compliance management systems.
The Law of Ukraine No. 1700-VII dated 14 October 2014 ‘On Corruption Prevention’ (Anti-Corruption Law) provides for both general anti-corruption obligations applicable to all and specific anti-corruption requirements for certain types of individuals and entities.
The National Agency on Corruption Prevention (NACP), as a newly established federal anti-corruption authority responsible for corruption prevention in public authorities and SOEs, published several legal acts and guidelines in the area of corruption prevention, which include the following:
Although the NACP is regulating publicly owned companies and authorities, these laws and guidelines are becoming a baseline for best practices expected from the private sector. However, the amount of case law concerning corruption violations in the private sector is still very low.
Law of Ukraine No. 361-IX dated 6 December 2019 ‘On Prevention and Counteraction the Legalisation (Laundering) of Proceeds from Crime, Financing Terrorism and Financing the Proliferation of Weapons of Mass Destruction’ (Law on Financial Monitoring) establishes an obligation of performing risk management for the reporting persons and entities.
The reporting persons and entities must ensure a functioning risk management system and apply a risk-oriented approach concerning their business activities.
The following legal acts cover certain obligations from the risk and compliance perspective for Ukrainian banks:
The following legal acts govern risk and compliance management systems of capital market participants:
The NSSMC is now at the final stage of the development of the obligatory Standards of corporate governance for professional capital market participants.
Types of undertaking
Which are the primary types of undertakings targeted by the rules related to risk and compliance management?
The Ukrainian legal framework is rather fragmented as to the regulation of risk and compliance management.
General obligations of the Anti-Corruption Law apply to all individuals and companies. At the same time, some specific anti-corruption compliance requirements apply only to particular categories of entities and individuals.
The Anti-Corruption Law establishes an obligation for three categories of companies to adopt their anti-corruption programmes:
The majority of Ukrainian state authorities and some of the state-owned enterprises are obliged to adopt their anti-corruption programmes, as well as to appoint anti-corruption officers or establish anti-corruption departments, depending on the number of employees working in the respective enterprise.
Under the Law on Financial Monitoring, the reporting entities that fall under specific requirements for their risk management systems (subject to initial financial monitoring (SIFM)) include the following:
Another type of company that falls under the risk and compliance management requirements is any professional capital market participant, as well as joint stock companies. Both are required to implement corporate governance standards based on the standards provided by the NSSMC.
Regulatory and enforcement bodies
Identify the principal regulatory and enforcement bodies with responsibility for corporate compliance. What are their main powers?
Ukrainian law empowers several state authorities within their powers to exercise control over the fulfilment of risk and compliance management obligations by the determined companies and individuals.
The State Financial Monitoring Service of Ukraine is authorised to perform monitoring and control over the reporting persons subject to the Law on Financial Monitoring, namely:
The NBU conducts an assessment of the implementation and performance by Ukrainian banks of compliance and risk management policies and mechanisms based on the assessment of banks under the Supervisory Review and Evaluation Process (SREP) methodology. It is performed on an annual basis and includes, among others, analysis of the internal controls and corporate governance systems. The NBU’s powers include, among others:
The NSSMC performs control over the implementation and performance of corporate governance standards of the professional stock market participants, as well as provides methodological support in the development of such standards.
The NACP, among other powers:
Are ‘risk management’ and ‘compliance management’ defined by laws and regulations?
Given the absence of comprehensive general legislation in the area of compliance and risk management, there is no unified definition of ‘risk management’ and ‘compliance management’ applicable to all possible realities.
The Law on Financial Monitoring defines ‘risk management’ for the reporting persons as measures aimed at creating and ensuring the functioning of the risk management system, which includes, in particular, identification (detection), assessment or re-assessment, monitoring and control of risks to minimise them.
Compliance, in turn, is defined by the Capital Markets Law as a continuous process regulated by the internal documents aimed at ensuring and improving internal processes related to the activities in the capital and organised commodity markets and their correspondence to the relevant statutory requirements and business strategy approved by the supervisory bodies of relevant companies.
There is no precise definition of compliance management in Ukrainian law yet.
Are risk and compliance management processes set out in laws and regulations?
The Law of Ukraine ‘On Joint Stock Companies’ foresees that the audit committee of the supervisory board must review the efficiency of the audit and risk management system at least once per year.
The Capital Markets Law provides that investment firms organise their risk management systems in a way that their information systems used for trading allow the investment firms to:
Clearing companies must adopt their rules, which include the description of the obligatory risk management system.
Every entity performing professional services on the capital markets must provide the NSSMC with the information on internal control systems, including compliance, risk management and internal audit systems. Such service providers must ensure that the mentioned internal control systems are in place and are efficient throughout the whole period of their market activity.
Companies providing professional services on the capital markets must also implement corporate governance standards, which include, among others, the establishment of the risk management committee within the supervisory board.
The NBU Regulations on Risk Management foresee the following elements of risk and compliance management:
Both CCO and CRO must be independent to efficiently perform their functions. The supervisory board of the particular bank appoints and dismisses the CCO and CRO and determines the financial resources to be allocated for the performance of compliance and risk management functions. The CCO and CRO report directly to the supervisory board. These two functions must be separated from other defence lines established in the bank. The management board obeys the instructions of the CCO and CRO and does not interfere with their activities. The particular functions of CCO, CRO and their departments are outlined in the NBU Regulations on Risk Management.
Standards and guidelines
Give details of the main standards and guidelines regarding risk and compliance management processes in your jurisdiction.
The most common approach for Ukrainian businesses is to follow the mandatory statutory obligations established by Ukrainian law, which only foresees obligations regarding risk and compliance management systems for a limited number of sectors and entities. There are no standards or guidelines applicable to all entities and individuals.
Nevertheless, it is becoming more common among the banks and other reporting individuals and entities falling under the mandatory risk and compliance management requirements to request certain documents from the businesses they provide services to confirming the availability of the risk management system.
Another approach, especially in large international companies, is to conduct audits of their local business partners to get an understanding of whether they introduced a risk-based approach that would also impact the risks such international companies are exposed to.
As to the main standards and guidelines, undertakings follow mandatory legal acts of the relevant public authorities (eg, parliament, government, sectoral authorities such as NBU, NACP, etc). Other legal acts such as recommendations adopted by public authorities, although not being mandatory per se, are, in individual cases, also followed.
Apart from the legal acts governing certain areas of business activities, affected businesses also may establish and implement further, non-obligatory standards, like the following:
Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?
Most activities falling under specific statutory requirements regarding risk and compliance management cannot be performed in Ukraine unless there is a local undertaking conducting such activity.
According to the NBU Regulations on Risk Management, both CCO and CRO must be independent to efficiently perform their functions. The supervisory board of the particular bank appoints and dismisses the CCO and CRO and determines the financial resources to be allocated for the performance of compliance and risk management functions. CCO and CRO report directly to the supervisory board. These two functions must be separated from the other defence lines established in the bank. The management board obeys the instructions of the CCO and CRO and does not interfere with their activities. Particular functions of both CCO and CRO and their departments are outlined in the NBU Regulations on Risk Management.
Companies providing professional services on the capital markets must also incorporate corporate governance standards, which include, among others, the establishment of the risk management committee within the supervisory board.
What are the key risk and compliance management obligations of undertakings?
Given the absence of general legal requirements regarding risk and compliance management, any relevant obligations in this area apply only to specific regulated entities like, for example, entities and individuals acting under the Law on Financial Monitoring as well as banks and professional capital market participants. Their obligations in this area are generally well-prescribed and clear.
The Anti-Corruption Law requires the following companies to introduce their internal anti-corruption programmes:
According to the Law on Financial Monitoring, the reporting entities and individuals must ensure the establishment of a functioning risk management system and apply a risk-oriented approach in their activities. The key obligations of the reporting entities with regard to risk management include the following:
According to the NBU Regulations on Risk Management, banks have extensive risk and compliance management obligations. Their key obligations include the creation of departments or positions directly responsible for compliance and risk management, reporting obligations of such departments or positions to and control over their activities by the supervisory board and management board of the bank.
Liability of undertakings
What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?
Due to the fragmented nature of the Ukrainian compliance and risk management legal framework, there are no omnibus risk and compliance obligations for governing bodies or senior management, or both, of all types of legal entities in all areas of business activity.
The key principle established by the Civil Code of Ukraine and applicable to the governing bodies of all companies is that they must act in the interests of the company, in good faith and reasonably, and must not exceed their powers.
The Anti-Corruption Law requires management and shareholders of companies to ensure regular assessment of corruption risks in their activities and implement anti-corruption measures. Companies’ officers, as well as any other employees, are obliged to:
In the areas where specific regulation exists, for example with regard to reporting individuals and entities, the obligations of governing bodies and senior management of legal entities are generally outlined by the specific law.
The National Bank of Ukraine (NBU) Regulations on Risk Management provide that members of the supervisory board of the bank (the analogue of the council of the bank) are responsible for the following:
In turn, the board of the bank performs the following functions in relation to risk and compliance management:
There is no direct civil liability foreseen for risk and compliance management deficiencies for companies or their employees.
However, there is always a possibility of civil damage compensation claims of private persons against a company based on possible damages caused by the violation of risk and compliance management requirements.
There is also a possibility that the company subject to particular risk and compliance management statutory requirements may file a lawsuit against the management that violated the regulatory requirements and caused liabilities for the company.
Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?
The Law on Financial Monitoring foresees the following consequences for compliance management deficiencies:
An undertaking may face various fines based on the specific deficiency revealed. The maximum fine of up to 7.95 million non-taxable minimum incomes (approximately 135.15 million hryvnia) can be imposed for the failure to ensure proper organisation and conduct of primary financial monitoring, lack of proper risk management system, and repeated non-compliance with the requirements of the financial monitoring authorities to eliminate identified violations.
Where multiple violations are revealed, the following thresholds apply for a total fine amount:
The NBU by its Regulation on applying sanctions by the NBU (approved by the Resolution of the Board of the NBU No. 346 dated 17 August 2012) establishes the following fines for violations of financial monitoring and regulatory requirements in the banking sector:
Another measure that can be taken by the NBU for an improper risk management system is the restriction, suspension or termination of certain bank transactions.
Do undertakings face criminal liability for risk and compliance management deficiencies?
Employees (‘authorised representatives’ of the company) whose misconduct benefitted the company may be held criminally liable for their actions.
Criminal sanctions are applied for the following risk and compliance management deficiencies:
The Criminal Code of Ukraine generally foresees three types of sanctions applicable to such undertakings:
A company sanctioned for a crime is obliged to compensate all damages, losses and the amount of illegally obtained benefit as the result of the violation.
Liability of governing bodies and senior management
Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?
Ukrainian civil legislation does not distinguish compliance and risk management obligations of executive and supervisory bodies. Senior management have general fiduciary duties and may face civil liability for their actions or inaction, including the lack of performance under their risk and compliance management obligations. The undertaking stakeholders are entitled to file a damage compensation claim in case the compliance and risk management violations resulted in a financial loss.
Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?
Failure of the company’s management to take measures required by law and aimed at corruption prevention may potentially lead to their personal liability in the form of an administrative fine of up to 4,250 hryvnia.
The SIFM management is subject to administrative penalties for:
Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?
Criminal sanctions can be applied to individual managers for the following deficiencies associated with risk and compliance management:
Corporate compliance defence
Is there a corporate compliance defence? What are the requirements?
The compliance defence line concept was implemented by the National Bank of Ukraine (NBU) for banks and banking groups in the NBU Regulations on Risk Management. Banks are required to establish a three-line risk management system:
The third line is represented by the activity of the bank supervisory board responsible for the strategic risk management of the entire undertaking, preparation and implementation of the core internal regulations related to compliance and risk management. The bank supervisory board, in particular, establishes thresholds for each designated risk and consequent reaction.
The risk management department is responsible for the ongoing assessment of the risk level to the risk capacity of the undertaking, control of Chief Risk Officer (CRO) and Chief Compliance Officer (CCO) performance, remedial actions towards revealed risks and operational risk management of the entire undertaking.
Discuss the most recent leading cases regarding corporate risk and compliance management failures.
The NBU regularly imposes fines for specific compliance management violations, which mostly relate to improper risk assessment of bank transactions and the lack of overall robust compliance management in place.
Sanctioned financial institutions tend to object to the NBU fines imposed for risk and compliance management violations based on the conformity of the claimant with all ‘formal requirements’. The Sberbank Case demonstrates one of the most significant fines imposed for repeated failure to identify risky financial operations (total amount of risky transactions of approximately €89,285,714), improper identification of the publicly exposed persons, non-provision of the financial monitoring data and violation of the suspension of the financial transactions. In December 2018, the NBU imposed a fine of 94,737,499 hryvnia on JSC Sberbank. Sberbank successfully objected to the imposed fine in the administrative courts in two instances. The NBU initiated a final review of the case in the Supreme Court of Ukraine at the beginning of 2020. The NBU claims that compliance and risk management systems in Sberbank do not meet the requirements of the Law on Financial Monitoring and that Sberbank is funnelling sufficient funds under fictional agreements out of Ukraine.
The Sberbank Case by the Supreme Court of Ukraine is important for the risk assessment management due to the following:
Are there risk and compliance management obligations for government, government agencies and state-owned enterprises?
The Anti-Corruption Law applies several obligations to undertakings conducting state functions and state-owned enterprises, or both:
Framework covering digital transformation
Please provide an overview on the risk and compliance governance and management framework covering the digital transformation (machine learning, artificial intelligence, robots, blockchain, etc).
Ukrainian legislation governing issues related to the digitalisation of risk and compliance management is under development. Most of the digital transformation tools conducting automated data processing (eg, artificial intelligence, machine learning) require the development of the data protection legislation. The current Law on Personal Data Protection is expected to be updated in 2021. The Ministry of Digital Transformation of Ukraine and the Parliament are cooperating to develop the legislation in the field of automated data processing under the European Union standards.
The Law on Financial Monitoring applies general financial monitoring requirements to the subject to initial financial monitoring (SIFM) conducting operations with virtual assets. However, the core legislation related to the virtual assets’ management, risk and compliance management requirements for the providers on the market has not yet been adopted by the Parliament.
Update and trends
Key developments of the past year
What were the key cases, decisions, judgments and policy and legislative developments of the past year?
The most influential legislation in the field of compliance and risk management was adopted before 2020.
One of the expected changes is the development of the Standards of corporate governance for professional capital market participants, a regulation intended to ensure effective corporate governance of the professional participants in the capital and commodity markets. These standards elaborate on: (1) separation of compliance, risk assessment and internal audit functions in the management systems and their duties; (2) qualification requirements for officers ensuring internal control functions; and (3) requirements for the officers sufficiently influencing the risk profile of the undertaking.