Corruption is still very much on the radar in CEE. Transparency International’s 2013 Corruption Perceptions Index did not paint a glowing picture. For an analysis of how the region fared in 2013, see our commentary: The 2013 Corruption Perceptions Index shows stagnation in CEE/SEE, Turkey and Central Asia.

In February, the European Commission (EC) published its EU Anti-Corruption Report. The report analyses corruption and steps taken in EU countries to prevent and fight it. The EC underlines many issues, notably in several CEE countries, ranging from inconsistent political will to address corruption, poor enforcement of anti-corruption rules, systemic problems, and lack of institutional capacity.

The EU Anti-Corruption Report includes the results of the 2013 Eurobarometer surveys on perceptions and experience of corruption. A staggering 95% of Czechs agree that corruption is widespread in their country. More significantly, 71% of Czech businesses say that corruption is a major obstacle for doing business, the highest percentage in the EU. Meanwhile, 25% of Romanians said they were asked or expected to pay a bribe in the past year, the highest percentage in the EU (where the average is 4%). At the same time, the EC is praising the activity of certain anti-corruption prosecutorial bodies (e.g. the one in Romania).

It is true that the region has been plagued by more high-level corruption scandals in 2013, and that enforcement is, in many countries, still weak and often politically motivated. However, the prosecution and conviction of public officials, company executives and companies for corruption appears to be on the rise. Many countries are tightening their grip with the adoption of strategic frameworks and ambitious policies to fight corruption. Some industries – e.g. life sciences, pharmaceutical, IT, construction – are increasingly attracting the attention of authorities, as are some practices, with public procurement topping the list.

Internal investigations on the rise

There is a rise in internal investigations activity in CEE, not only as a result of public authorities probing into suspicious practices, but also investigations initiated by companies pre-emptively. A portion of these stem from FCPA-led procedures at a parent company level.

The spectre of corporate criminal liability is proving to be a strong incentive for companies to look more closely at what’s going on in their own backyards. ‘Criminal liability’ is a relatively recent development in CEE (implemented for example in 2001 in Hungary, 2006 in Romania, 2008 in Serbia, 2012 in the Czech Republic, draft law being discussed in Slovakia). The scope of corporate criminal liability provisions is generally broad and there is a trend towards harsher fines and an increased focus on the recovery of proceeds of crime.

More and more, local subsidiaries are initiating internal investigations in cases where there is a suspicion that a crime (especially bribery or fraud) has been committed. Generally companies have an obligation to know what is going on internally and to mitigate consequences resulting from criminal activities. Hence companies have a duty to investigate allegations or instances of suspicious conduct. In addition, corporate assets are at risk of being frozen should they be considered proceeds of crime, a determination that can be made at the preliminary stages of criminal proceedings, which can have a significant impact on the life of a company.

This is coupled with the fact that many CEE countries are considering or have adopted whistleblower protection. See our article on the Czech whistleblower draft legislation. A new whistleblower framework recently came into force in Hungary. It includes the concept of whistleblowing systems in the workplace, as well as the possibility for companies to appoint an external ombudsman to facilitate disclosure.

Most CEE countries have general reporting obligations for corruption/bribery crimes. In certain countries, leniency may be invoked in some instances of timely reporting, giving yet another incentive to be pro-active in identifying potential misconduct and cooperating with authorities. Issues such as timing of reporting (especially with cross-border investigations), determination of the competent authority and extent of cooperation must be carefully considered.

Corporate compliance is becoming a real driver, and with it the on-going duty to monitor and remedy. Board members, senior managers, compliance and legal officers are more and more pro-active in investigating potential breaches, with a view to minimizing damages and in the hope of immunity or leniency.

Practical considerations when conducting internal investigations in CEE

Protecting legal privilege. In order to prevent the compelled disclosure of an investigation’s findings or work product, it should ideally be led by an external lawyer qualified in the relevant jurisdiction. In CEE, the close cousin to the Anglo-American ‘legal privilege’ concept is the notion of ‘professional secrecy/duty of confidentiality’, which creates a duty to protect the secrecy of all communications and documents exchanged between a lawyer and his/her client in the course of providing legal services. Professional secrecy can be invoked by locally qualified lawyers (e.g. ‘advokat’, ‘ügyvéd’) and their staff. It is not clear whether it extends to foreign qualified lawyers, though it is expected the courts would answer this question with pragmatism. As professional secrecy cannot be invoked by other professionals (accountants, tax advisors, IT specialists, etc.), it is critical to structure the team to preserve the applicability of legal privilege: experts should be hired by – and report to – external counsel.

Addressing data protection concerns. Data protection issues should be reviewed early in the process as they may have an impact on the timing, scope and methods of investigation. In CEE, privacy and data protection principles are embodied in a complex set of constitutional, civil, labour and criminal law provisions. Many countries have implemented EU Directive 95/46/EC on data protection, which is quite restrictive. While in-country review will avoid some issues related to cross-border data transfer, local law specificities, such as collection and processing formalities, information notices and consent of data subjects, treatment of electronic data, etc., must be addressed.

Channeling communications. Clear communication protocols must be established at the outset, especially in cases of cross-border investigations, including determining who reports to whom among local management, parent company management, local counsel, foreign counsel, external service providers, etc. It is also critical to be aware – and beware – of potential conflicts of interest, e.g. between parent company and management of subsidiary. In some cases, ring-fencing senior management and reporting directly to the board may be necessary.

Mastering local language. High-level local language proficiency is essential to conducting effective searches and reviewing documents. While technology can be leveraged for this purpose (e.g. to identify communication patterns, construct key-word searches, analyse e-mail threads…), finding a provider with sophisticated language capabilities and good technical support may be a challenge, and costly. Proficiency in local language (covering slang, jargon, dialects, and codes), customs and cultural norms is also essential when conducting interviews.

Adapting to local environment. Internal policies and procedures are not always as sophisticated in local subsidiaries. For example, procedures pertaining to data retention and preservation may be deficient, which may require pro-active measures at the start of an investigation to avoid data spoliation. More generally, corporate compliance culture is weaker in CEE, though the mindset is changing. This may be relevant in the context of implementing remediation measures in response to an internal investigation’s findings. Building a culture of compliance in the region is still a work in progress.