Risk & compliance management
Legal and regulatory framework
What legal role does corporate risk and compliance management play in your jurisdiction?
The overall compliance culture in Ukraine is very low. The level of risk and compliance management is in general much lower than, for example, in EU countries or the US. The absence of a proper legal framework and a low level of enforcement remain major factors in this regard.
However, Ukraine needs to adjust its regulations to EU and further international standards. Based on this, from a regulatory perspective, specific industry sectors are more and more confronted with an increasing level of regulatory compliance obligations. Individuals and entities subject to financial monitoring, banks and professional capital markets participants are facing more and more compliance obligations based on changes in Ukrainian law.
There are also individual initiatives from newly established anti-corruption authorities, which must use anti-corruption systems when fulfilling certain requirements, and an increasing number of published guidelines on how to manage corruption risks.
A minority of Ukrainian businesses, mainly the international ones with a local presence in Ukraine, have established a robust compliance management system to cover certain liability risks they mainly face abroad but also more and more in Ukraine.
However, in the majority of cases, Ukrainian companies still establish and implement compliance management measures in a very formalistic way, if at all, and with a poor level of compliance culture.
Laws and regulations
Which laws and regulations specifically address corporate risk and compliance management?
There are no general legal regulations on risk and compliance management applicable to all sectors and companies. For most companies, it is up to their discretion whether to introduce any risk and compliance management systems depending on the particular business needs and risks.
However, there are certain areas where the law introduces statutory requirements for different types of companies regarding risk and compliance management systems.
The Law of Ukraine No. 1700-VII dated 14 October 2014 ‘On Corruption Prevention’ (Anti-Corruption Law) provides for both general anti-corruption obligations applicable to all and specific anti-corruption requirements for certain types of individuals and entities.
The National Agency on Corruption Prevention (NACP), as a newly established federal anti-corruption authority responsible for corruption prevention in public authorities and SOEs, has published several legal acts and guidelines in the area of corruption prevention, which include the following:
- Procedure for conducting inspections regarding the organisation of work on prevention and detection of corruption (approved by the NACP Order 11/21 dated 18 January 2021);
- Methodical recommendations on applying certain provisions of the Anti-Corruption Law regarding prevention and settlement of conflict of interest, compliance with restrictions on corruption prevention;
- Methodical recommendations on preparation and implementation of anti-corruption programs of legal entities (approved by the NACP Decision No. 734 dated 22 September 2017); and
- Methodical recommendations on the activities of authorised departments (officials) responsible for prevention and detection of corruption (approved by the NACP Decision No. 317 dated 13 July 2017).
Although the NACP regulates publicly owned companies and authorities, these laws and guidelines are becoming a baseline for the best practices expected from the private sector. However, the amount of case law concerning corruption violations in the private sector is still very low.
Law of Ukraine No. 361-IX dated 6 December 2019 ‘On Prevention and Counteraction the Legalisation (Laundering) of Proceeds from Crime, Financing Terrorism and Financing the Proliferation of Weapons of Mass Destruction’ (Law on Financial Monitoring) establishes an obligation to perform risk management for the reporting persons and entities.
The reporting persons and entities must ensure a functioning risk management system and apply a risk-oriented approach concerning their business activities.
The following legal acts cover certain obligations from the risk and compliance perspective for Ukrainian banks:
- Resolution of the Board of the National Bank of Ukraine (NBU) No. 64 dated 11 June 2018 ‘On Approval of the Regulations on the Organisation of the Risk Management System in Banks of Ukraine and Banking Groups’ (NBU Regulations on Risk Management); and
- Decision of the Board of the NBU No. 814-rsh dated 3 December 2018 ‘On Approval of the Methodical Recommendations Concerning the Organisation of Corporate Management in Banks of Ukraine’ (NBU Methodological Recommendations).
The following legal acts govern risk and compliance management systems of capital market participants:
- Law of Ukraine No. 738-IX dated 19 June 2020 ‘On Capital Markets and Organised Commodity Markets’ (to enter into force on 1 July 2021) (Capital Markets Law); and
- Decision of the National Securities and Stock Market Commission (NSSMC) No. 955 dated 22 July 2014 ‘On Approval of the Principles of Corporate Governance’ (NSSMC Principles of Corporate Governance), which establishes additional risk management requirements for stock market participants.
The NSSMC is now at the final stage of the development of the obligatory Standards of corporate governance for professional capital market participants.
Types of undertaking
Which are the primary types of undertakings targeted by the rules related to risk and compliance management?
The Ukrainian legal framework is rather fragmented as to the regulation of risk and compliance management.
General obligations of the Anti-Corruption Law apply to all individuals and companies. At the same time, some specific anti-corruption compliance requirements apply only to particular categories of entities and individuals.
The Anti-Corruption Law establishes an obligation for three categories of companies to adopt their anti-corruption programmes:
- state-owned and municipal-owned enterprises;
- companies in which:
  - 50 per cent or more shares are owned by the state or municipality;
  - the average number of employees for the financial year exceeds 50 people; and
  - income from sales of products, works or services for the financial year exceeds 70 million hryvnia; and
- companies participating in public procurement with a bid above the value of 20 million hryvnia.
The majority of Ukrainian state authorities and some of the state-owned enterprises are obliged to adopt their anti-corruption programmes, as well as to appoint anti-corruption officers or establish anti-corruption departments, depending on the number of employees working in the respective enterprise.
Under the Law on Financial Monitoring, the reporting entities that fall under specific requirements for their risk management systems (subjects to initial financial monitoring (SIFM)) include the following:
- all types of financial institutions: banks, insurance companies and insurance brokers, credit unions, pawnshops, etc;
- payment organisations, participants or members of payment systems;
- commodity and other exchanges that conduct financial transactions with goods;
- the majority of professional stock market participants (providing clearing, depository services, trading in financial instruments, etc);
- postal operators, other companies performing transfers of funds (postal transfers) and foreign exchange transactions;
- branches or representative offices of foreign companies providing financial services in Ukraine;
- special reporting institutions and subjects (unless providing the same services under an employment agreement):
  - auditors and auditing firms;
  - accountants and accounting firms;
  - tax consultants;
  - attorneys, attorney bureaus and associations;
  - companies providing legal services;
  - persons providing services of establishment, operation or management of legal entities;
  - providers of intermediary services in the sale and purchase of real estate, as well as consultants on the sale and purchase of real estate for a fee;
  - persons that trade for cash in precious metals and precious stones and products made from them; and
  - persons conducting lotteries or gambling, or both;
- providers of services related to the circulation of virtual assets; and
- other legal entities which, by their legal status, are not financial institutions but provide separate financial services.
Another type of company that falls under the risk and compliance management requirements is any professional capital market participant, as well as joint stock companies. Both are required to implement corporate governance standards based on the standards provided by the NSSMC.
Regulatory and enforcement bodies
Identify the principal regulatory and enforcement bodies with responsibility for corporate compliance. What are their main powers?
Ukrainian law empowers several state authorities, within their powers, to exercise control over the fulfilment of risk and compliance management obligations by the determined companies and individuals.
The State Financial Monitoring Service of Ukraine is authorised to perform monitoring and control over the reporting persons subject to the Law on Financial Monitoring, namely:
- to require the reporting persons to comply with the anti-money laundering legislation and, in case of violations, to take measures against such persons;
- to submit information to and receive information from the Ukrainian law enforcement authorities if there are sufficient grounds to believe that the analysed financial transaction may be related to money laundering;
- to analyse the ways and financial schemes of money laundering; and
- to summarise, on an annual basis, the information on the state of prevention and counteraction in the country.
The NBU conducts an assessment of the implementation and performance by Ukrainian banks of compliance and risk management policies and mechanisms based on the assessment of banks under the Supervisory Review and Evaluation Process (SREP) methodology. It is performed on an annual basis and includes, among others, analysis of the internal controls and corporate governance systems. The NBU’s powers include, among others:
- analysis of the banks’ activities, internal bank documents, the results of self-assessment provided by the banks;
- inspections of processes, operations and risk management tools introduced by the banks;
- interviews with bank executives and other bank employees; and
- assessment of the interaction of the bank’s board and the frequency of meetings with the Chief Risk Officer (CRO) and the Chief Compliance Officer (CCO).
The NSSMC performs control over the implementation and performance of corporate governance standards of the professional stock market participants, as well as provides methodological support in the development of such standards. The NACP, among other powers:
- monitors and exercises control over the performance of legal acts with regard to ethical conduct, managing conflicts of interest for public authorities and other persons having the same legal status;
- evaluates the efficiency of performance of anti-corruption officers or departments where they are mandatory;
- approves anti-corruption programs of public authorities;
- approves the dismissal of anti-corruption officers in public authorities;
- has the right to inspect the anti-corruption activity of public authorities, state-owned and municipal-owned enterprises and certain companies participating in public procurement; and
- initiates an investigation of the alleged corruption.
Are ‘risk management’ and ‘compliance management’ defined by laws and regulations?
Given the absence of comprehensive general legislation in the area of compliance and risk management, there is no unified definition of ‘risk management’ and ‘compliance management’ applicable to all possible realities.
The Law on Financial Monitoring defines ‘risk management’ for the reporting persons as measures aimed at creating and ensuring the functioning of the risk management system, which includes, in particular, identification (detection), assessment or re-assessment, monitoring and control of risks to minimise them.
Compliance, in turn, is defined by the Capital Markets Law as a continuous process, regulated by internal documents, aimed at ensuring and improving internal processes related to activities in the capital and organised commodity markets and their correspondence to the relevant statutory requirements and the business strategy approved by the supervisory bodies of the relevant companies.
There is no precise definition of compliance management in Ukrainian law yet.
Are risk and compliance management processes set out in laws and regulations?
The Law of Ukraine ‘On Joint Stock Companies’ foresees that the audit committee of the supervisory board must review the efficiency of the audit and risk management systems at least once per year.
The Capital Markets Law provides that investment firms organise their risk management systems in a way that their information systems used for trading allow the investment firms to:
- be resistant to external interference;
- have the technical capacity to ensure the proper execution of operations directly related to trading (including algorithmic trade);
- ensure compliance with the limits and restrictions set by the operator of the regulated market, to which the investment firm is the participant, and the rules of such market, as well as the limits and restrictions set by the investment firm;
- prevent the sending of erroneous bids or quotations and the performance of any transactions that could potentially lead to price instability in the organised market or otherwise violate the integrity of capital markets or harm investors; and
- minimise the possibility of their use for manipulation or illegal use of insider information, or both.
Clearing companies must adopt their rules, which include the description of the obligatory risk management system.
Every entity performing professional services on the capital markets must provide the NSSMC with the information on internal control systems, including compliance, risk management and internal audit systems. Such service providers must ensure that the mentioned internal control systems are in place and are efficient throughout the whole period of their market activity.
Companies providing professional services on the capital markets must also implement corporate governance standards, which include, among others, the establishment of the risk management committee within the supervisory board.
The NBU Regulations on Risk Management foresee the following elements of risk and compliance management:
- for each type of risk (credit, operational, compliance, liquidity, etc) – adoption of a relevant internal policy, identifying methods and mandatory tools for managing the risks and establishment of processes, information systems and reporting system;
- establishment of a compliance department;
- establishment of a risk management department;
- introduction of the CCO position; and
- introduction of the CRO position.
Both CCO and CRO must be independent to efficiently perform their functions. The supervisory board of the particular bank appoints and dismisses the CCO and CRO and determines the financial resources to be allocated for the performance of compliance and risk management functions. The CCO and CRO report directly to the supervisory board. These two functions must be separated from other defence lines established in the bank. The management board obeys the instructions of the CCO and CRO and does not interfere with their activities. The particular functions of CCO, CRO and their departments are outlined in the NBU Regulations on Risk Management.
Standards and guidelines
Give details of the main standards and guidelines regarding risk and compliance management processes in your jurisdiction.
The most common approach for Ukrainian businesses is to follow the mandatory statutory obligations established by Ukrainian law, which only foresees obligations regarding risk and compliance management systems for a limited number of sectors and entities. There are no standards or guidelines applicable to all entities and individuals.
Nevertheless, it is becoming more common for banks and other reporting individuals and entities falling under the mandatory risk and compliance management requirements to request from the businesses they provide services to certain documents confirming that a risk management system is in place.
Another approach, especially in large international companies, is to conduct audits of their local business partners to get an understanding of whether they introduced a risk-based approach that would also impact the risks such international companies are exposed to.
As to the main standards and guidelines, undertakings follow mandatory legal acts of the relevant public authorities (eg, parliament, government, sectoral authorities such as NBU, NACP, etc). Other legal acts such as recommendations adopted by public authorities, although not being mandatory per se, are, in individual cases, also followed.
Apart from the legal acts governing certain areas of business activities, affected businesses may also establish and implement further, non-obligatory standards, such as the following:
- the Ukrainian Network of Integrity and Compliance (UNIC) principles and membership requirements;
- the Organisation for Economic Co-operation and Development (OECD) guidelines and policies:
  - Anti-Corruption Ethics and Compliance Handbook for Business (2013);
  - Good Practice Guidance on Internal Controls, Ethics, and Compliance (2010);
  - Compliance Risk Management: Managing and Improving Tax Compliance (2004); etc; and
- International Organization for Standardization (ISO) Standards:
  - ISO 31000:2018 – Risk management – Guidelines;
  - ISO/TR 31004:2013 – Risk management – Guidance for the implementation of ISO 31000;
  - IEC 31010:2019 – Risk management – Risk assessment techniques;
  - ISO 31022:2020 – Risk management – Guidelines for the management of legal risk;
  - IWA 31:2020 – Risk management – Guidelines on using ISO 31000 in management systems; and
  - ISO 37301:2021 – Compliance management systems.
Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?
Most activities falling under specific statutory requirements regarding risk and compliance management cannot be performed in Ukraine unless there is a local undertaking performing such activity.
According to the NBU Regulations on Risk Management, both CCO and CRO must be independent to efficiently perform their functions. The supervisory board of the particular bank appoints and dismisses the CCO and CRO and determines the financial resources to be allocated for the performance of compliance and risk management functions. CCO and CRO report directly to the supervisory board. These two functions must be separated from the other defence lines established in the bank. The management board obeys the instructions of the CCO and CRO and does not interfere with their activities. Particular functions of both CCO and CRO and their departments are outlined in the NBU Regulations on Risk Management.
Companies providing professional services on the capital markets must also incorporate corporate governance standards, which include, among others, the establishment of the risk management committee within the supervisory board.
What are the key risk and compliance management obligations of undertakings?
Given the absence of the general legal requirements regarding the risk and compliance management, any relevant obligations in this area apply only to specific regulated entities like, for example, entities and individuals acting under the Law on Financial Monitoring as well as banks and professional capital market participants. Their obligations in this area are generally well-prescribed and clear.
The Anti-Corruption Law requires the following companies to introduce their internal anti-corruption programmes:
- state-owned and municipal-owned enterprises;
- companies in which:
  - 50 per cent or more shares are owned by the state or municipality;
  - the average number of employees for the financial year exceeds 50 people; and
  - income from sales of products, works or services for the financial year exceeds 70 million hryvnia; and
- companies participating in public procurement where the price of procurement is equal to or exceeds 20 million hryvnia.
According to the Law on Financial Monitoring, the reporting entities and individuals must ensure the establishment of a functioning risk management system and apply a risk-oriented approach in their activities. The key obligations of the reporting entities with regard to risk management include the following:
- applying the risk-based approach in their activities and taking appropriate measures to minimise the risks; and
- managing the risks associated with the introduction or use of new and existing products, business practices or technologies, including those that provide for financial transactions without direct contact with the client.
According to the NBU Regulations on Risk Management, banks have extensive risk and compliance management obligations. Their key obligations include the creation of departments or positions directly responsible for compliance and risk management, reporting obligations of such departments or positions to and control over their activities by the supervisory board and management board of the bank.
Liability of undertakings
What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?
Due to the fragmented nature of the Ukrainian compliance and risk management legal framework, there are no omnibus risk and compliance obligations for governing bodies or senior management, or both, of all types of legal entities in all areas of business activity.
The key principle established by the Civil Code of Ukraine and applicable to the governing bodies of all companies is that they must act in the interests of the company, in good faith and reasonably and not to exceed their powers.
The Anti-Corruption Law requires management and shareholders of companies to ensure regular assessment of corruption risks in their activities and implement anti-corruption measures. Companies’ officers, as well as any other employees, are obliged to:
- refrain from participating in corruption offences related to the company’s activities;
- refrain from conduct that could be considered as readiness to commit a corruption offence related to the company’s activities; and
- inform the anti-corruption officer, company’s management or shareholders about incitement to commit or committing a corruption offence related to the company’s activities and of any conflicts of interest.
In the areas where specific regulation exists, for example with regard to reporting individuals and entities, the obligations of governing bodies and senior management of legal entities are generally outlined by the specific law.
The National Bank of Ukraine (NBU) Regulations on Risk Management provide that members of the supervisory board of the bank (the analogue of the council of the bank) are responsible for the following:
- ensuring the functioning and control over the effectiveness of the risk management system;
- approval of the internal bank documents on risk management issues, and monitoring of their implementation, compliance and timely updating;
- approval of the list of limits (restrictions) for each type of risk and the procedure for escalation of violations of risk limits;
- approval of the recovery plan and ensuring the performance of functions related to the recovery of the bank;
- appointment and dismissal of the Chief Risk Officer (CRO) and Chief Compliance Officer (CCO);
- approval of the budget for the risk management and compliance departments, determining the remuneration for the CRO and CCO;
- determining the nature, format and scope of information on risks, considering management risk reporting; and
- taking measures to prevent conflicts of interest in the bank, promoting their settlement and notifying the NBU of conflicts of interest arising in the bank.
In turn, the board of the bank performs the following functions in relation to risk and compliance management:
- ensures the development and approval of internal bank documents;
- ensures the preparation and submission to the bank’s supervisory board of management reports on the risks to which the bank is exposed, including information on the new products or significant changes in the bank’s activities;
- ensures the preparation and submission to the bank’s supervisory board of proposals regarding the necessity to make changes to the risk management strategy and policy;
- ensures control over the notification of the relevant departments and employees of the bank of information on changes to the risk management strategy and policy, other internal bank documents on risk management;
- develops measures to promptly eliminate deficiencies in the functioning of the risk management system, implement the recommendations based on the results of the risk assessment, inspections of the internal audit department, external auditors and state authorities;
- approves the value of limits for each type of risk according to the list of limits (restrictions) determined by the bank’s supervisory board; and
- provides administrative support to the CCO and CRO, risk management and compliance departments.
There is no direct civil liability foreseen for risk and compliance management deficiencies for companies or their employees.
However, there is always a possibility of civil damage compensation claims by private persons against a company based on possible damages caused by the violation of risk and compliance management requirements.
There is also a possibility that a company subject to particular risk and compliance management statutory requirements may file a lawsuit against the management that violated the regulatory requirements and caused liabilities for the company.
Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?
The Law on Financial Monitoring foresees the following consequences for compliance management deficiencies:
- a written warning from a regulatory authority;
- licence or permit revocation;
- the obligation to suspend a responsible officer of a subject to initial financial monitoring (SIFM);
- a fine;
- a settlement agreement with the SIFM, including a monetary obligation and an obligation to take measures to eliminate or prevent further violations of financial monitoring requirements, to ensure improvement of the efficiency of the risk management system, etc; and
- liquidation of an undertaking by the NBU decision (for banks) or a court ruling (for other undertakings).
An undertaking may face various fines based on the specific deficiency revealed. The maximum fine of up to 7.95 million non-taxable minimum incomes (approximately 135.15 million hryvnia) can be imposed for the failure to ensure proper organisation and conduct of primary financial monitoring, lack of proper risk management system, and repeated non-compliance with the requirements of the financial monitoring authorities to eliminate identified violations.
Where multiple violations are revealed, the following thresholds apply to the total fine amount:
- 10 per cent of the annual turnover, but not more than approximately 135.15 million hryvnia, for financial institutions; and
- twice the amount of the benefit received as a result of the violation, which constitutes approximately 27.03 million hryvnia.
The NBU by its Regulation on applying sanctions by the NBU (approved by the Resolution of the Board of the NBU No. 346 dated 17 August 2012) establishes the following fines for violations of financial monitoring and regulatory requirements in the banking sector:
- 400,000 hryvnia for the failure of the bank to apply a proper risk-oriented approach or for taking measures not proportionate to a certain risk category;
- 135.15 million hryvnia for the failure of the bank to properly organise the internal bank anti-money laundering system, as well as for the absence of a proper risk management system; and
- 0.01 per cent of the registered charter capital of the bank, which must be not lower than 200 million hryvnia. This means that the fine for the violation of the NBU risk and compliance management requirements may potentially constitute at least 20,000 hryvnia. Usually, the charter capital of banks is much larger than the required minimum amount. This fine applies to the banks committing other unspecified violations of financial monitoring or NBU regulatory requirements.
Another measure that can be taken by the NBU for the improper risk management system is restriction, suspension or termination of certain bank transactions.
Do undertakings face criminal liability for risk and compliance management deficiencies?
Employees (authorised representatives of the company) whose misconduct benefitted the company may be held criminally liable for their actions.
Criminal sanctions are applied for the following risk and compliance management deficiencies:
- money laundering;
- intentional provision of false data by an SIFM;
- disclosure of financial monitoring secrecy, including information about the provision of data subject to financial monitoring, regulatory authority requests in this regard and data about financial operations subject to financial monitoring control; and
- failure to ensure fulfilment of obligations (statutory or the ones provided in the company’s constitutional documents) regarding taking measures aimed at preventing corruption by company’s officers, if this led to a corruption or corruption-related offence.
The Criminal Code of Ukraine generally foresees three types of sanctions applicable to such undertakings:
- a fine of up to 1.275 million hryvnia;
- compulsory liquidation of an undertaking; or
- the confiscation of property.
A company sanctioned for a crime is obliged to compensate all damages, losses and the amount of illegally obtained benefit as the result of the violation.
Liability of governing bodies and senior management
Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?
Ukrainian civil legislation does not distinguish the compliance and risk management obligations of executive and supervisory bodies. Senior management has general fiduciary duties and may face civil liability for its actions or inaction, including the lack of performance of its risk and compliance management obligations. The undertaking’s stakeholders are entitled to file a damage compensation claim in case the compliance and risk management violations resulted in a financial loss.
Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?
Failure of the company’s management to take measures required by law and aimed at corruption prevention may potentially lead to their personal liability in the form of an administrative fine of up to 4,250 hryvnia.
The SIFM management is subject to administrative penalties for:
- violation of the financial monitoring legislation – a fine of between 5,100 and 34,000 hryvnia;
- provision of unclear or false data about risky operations, asset quality and other SIFM data by a bank – a fine of between 34,000 and 170,000 hryvnia; and
- violation of the NBU regulations governing risk assessment of transfers and currency control – a fine of between 1,700 and 68,000 hryvnia.
Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?
Criminal sanctions can be applied to individual managers for the following deficiencies associated with risk and compliance management:
- money laundering – imprisonment for three to 12 years, with debarment from holding specific positions for up to three years and confiscation of property;
- intentional provision of false data by an SIFM – a fine of up to 51,000 hryvnia, with debarment from holding specific positions for up to three years; and
- disclosure of financial monitoring secrets, including information about the provision of data subject to financial monitoring, regulatory authority requests in this regard and data about financial transactions subject to financial monitoring control – a fine of between 51,000 and 85,000 hryvnia, with debarment from holding specific positions for up to three years.
Corporate compliance defence
Is there a corporate compliance defence? What are the requirements?
The compliance defence line concept was implemented by the National Bank of Ukraine (NBU) for banks and banking groups in the NBU Regulations on Risk Management. Banks are required to establish a three-line risk management system:
- first line – at the level of the business units, which are responsible for the operational management of risks arising in those units;
- second line – at the level of the risk department and the compliance department; and
- third line – at the level of internal audit, which assesses and evaluates the efficiency of the risk management system.
The third line is represented by the activity of the bank supervisory board, which is responsible for the strategic risk management of the entire undertaking and for the preparation and implementation of the core internal regulations related to compliance and risk management. The bank supervisory board, in particular, establishes thresholds for each designated risk and the consequent reaction.
The risk management department is responsible for the ongoing assessment of the risk level against the risk capacity of the undertaking, control of Chief Risk Officer (CRO) and Chief Compliance Officer (CCO) performance, remedial actions towards revealed risks and operational risk management of the entire undertaking.
Discuss the most recent leading cases regarding corporate risk and compliance management failures.
The NBU regularly imposes fines for specific compliance management violations, which mostly relate to improper risk assessment of bank transactions and the lack of overall robust compliance management in place.
Sanctioned financial institutions tend to object to the NBU fines imposed for risk and compliance management violations on the basis that the claimant conformed with all ‘formal requirements’. The Sberbank Case demonstrates one of the most significant fines imposed for repeated failure to identify risky financial operations (total amount of risky transactions of approximately €89,285,714), improper identification of publicly exposed persons, non-provision of financial monitoring data and violation of the suspension of financial transactions. In December 2018, the NBU imposed a fine of 94,737,499 hryvnia on JSC Sberbank. Sberbank successfully objected to the imposed fine in the administrative courts in two instances. The NBU initiated a final review of the case in the Supreme Court of Ukraine at the beginning of 2020. The NBU claims that the compliance and risk management systems in Sberbank do not meet the requirements of the Law on Financial Monitoring and that Sberbank is funnelling substantial funds out of Ukraine under fictitious agreements.
The review of the Sberbank Case by the Supreme Court of Ukraine is important for risk assessment and management for the following reasons:
- the case raises a number of issues regarding the legal qualification of compliance management failures, which affect enforcement practice in this area; and
- the final review by the Supreme Court may establish a uniform interpretation of the case law on compliance management failures.
Are there risk and compliance management obligations for government, government agencies and state-owned enterprises?
The Anti-Corruption Law imposes several obligations on undertakings performing state functions, on state-owned enterprises, or on both:
- public authorities and state-owned enterprises performing state governance functions are required to establish an anti-corruption department within the undertaking. The number of anti-corruption officers in such a department must be proportionate to the overall number of employees of the undertaking (eg, one officer for up to 200 employees). The anti-corruption department is responsible for: (1) corruption prevention activities within the undertaking; (2) advising employees on the obligations of state servants (eg, conflict of interest situations, asset declarations, reporting of corruption, etc); (3) whistleblower protection; and (4) reporting violations of the anti-corruption legislation to the National Agency on Corruption Prevention (NACP);
- public authorities, state-owned and municipal-owned enterprises, certain other companies (state or municipal share of at least 50 per cent, more than 50 employees and annual income exceeding 70 million hryvnia) and undertakings participating in public procurement tenders with a bid above the value of 20 million hryvnia are required to implement their own anti-corruption programmes. The anti-corruption programme must include the following:
  - an explicit explanation of the anti-corruption measures, standards and procedures, including regular corruption risk assessments;
  - rights and obligations of the undertaking’s employees;
  - whistleblowing rules; and
  - measures to be taken in response to corruption events (eg, reporting to the NACP); and
- public authorities, state-owned and municipal-owned enterprises, as well as undertakings participating in public procurement tenders with a bid above the value of 20 million hryvnia, are required to establish and maintain regular internal whistleblowing channels.
Framework covering digital transformation
Please provide an overview on the risk and compliance governance and management framework covering the digital transformation (machine learning, artificial intelligence, robots, blockchain, etc).
Ukrainian legislation governing the digitalisation of risk and compliance management is under development. Most digital transformation tools that perform automated data processing (eg, artificial intelligence, machine learning) require further development of the data protection legislation. The current Law on Personal Data Protection is expected to be updated in 2021. The Ministry of Digital Transformation of Ukraine and the Parliament are cooperating to develop legislation in the field of automated data processing in line with European Union standards.
The Law on Financial Monitoring applies general financial monitoring requirements to subjects of initial financial monitoring (SIFM) conducting operations with virtual assets. However, the core legislation on virtual asset management and on risk and compliance management requirements for providers on that market has not yet been adopted by the Parliament.
Update and trends
Key developments of the past year
What were the key cases, decisions, judgments and policy and legislative developments of the past year?
The most influential legislation in the field of compliance and risk management was adopted before 2020.
One of the expected changes is the development of the Standards of corporate governance for professional capital market participants – a regulation intended to ensure effective corporate governance of professional participants in the capital and commodity markets. These standards elaborate on: (1) the separation of the compliance, risk assessment and internal audit functions within management systems, and their respective duties; (2) qualification requirements for officers performing internal control functions; and (3) requirements for officers who materially influence the risk profile of the undertaking.