Risk & Compliance Management in Greece

Legal and regulatory framework

Legal role

What legal role does corporate risk and compliance management play in your jurisdiction?

The focus of the EU on the subject of corporate governance in the past few decades has resulted in the development of some ground rules regarding the Greek corporate environment. More specifically, in early 2000, a series of best practice principles based on recommendations from the Organisation for Economic Cooperation and Development were issued by the Hellenic Capital Markets Committee, and from that point on pieces of legislation regarding corporate governance and risk management began to be adopted gradually, as mentioned below. Nevertheless, it seems that there is no legal role for corporate risk and compliance management defined under the Greek legal framework. Following the world financial crisis in 2008, and as a result of the Greek recession, Greek enterprises prove willing to incorporate in their structure best practices regarding risk and compliance management functions and thus, for this purpose, new pieces of legislation have already been adopted in the form of the incorporation of EU directives and sound amendments to the existing legislation.

Laws and regulations

Which laws and regulations specifically address corporate risk and compliance management?

The main pieces of legislation set out below are considered to be of the highest priority for Greek undertakings:

• Law No. 3016/2002 On Corporate Governance, Remuneration and Other Issues as amended in force, providing the minimum corporate governance requirements for listed companies;
• Law No. 2190/1920 On Public Limited Companies applies to both non-listed and listed public limited liability companies (under the corporate form of a societe anonyme (SA)), setting rules for the general meeting, the roles of the board of directors, relationships between members of the board of directors and the company, rights of minority shareholders, etc;
• Law No. 4490/2017 On the Statutory Audit of the Annual and Consolidated Financial Statements, Public Oversight of the Audit Work is referred to by every undertaking that is obliged to keep financial statements;
• specific legislation containing risk and compliance obligations applies to credit institutions (Law No. 4261/2014) and insurance undertakings (Law No. 4364/2016); and
• for listed companies, apart from the obligations imposed by the above discussed legislation, a set of basic principles and best practices has been introduced by the Hellenic Governance Code For Listed Companies, published in October 2013, by the Hellenic Corporate Governance Council.

Further to the above, the following lists the most important areas related to compliance and risk management applied to and concerning all of the previously mentioned undertakings but mainly the credit institutions and, where relevant, the financial institutions too:

• supervisory framework for credit institutions: Law No. 4261/2014 (as mentioned above), Decision of the Governor of the Bank of Greece No. 2577/2006, Law No. 3746/2009 On the Insurance of Investment and Deposits Fund;
• protection of bank secrecy and confidentiality: Legislative Decree 1059/1971, as applicable, on the protection of bank deposits;
• protection of market abuse: Law No. 3340/2005, as applicable, on insider dealing and market manipulation, in combination with Law No. 4443/2016 on market abuse regulation transposing Regulation (EU) No. 596/2014 and several guidelines of the Hellenic Capital Market Commission;
• markets in financial instruments and transparency (covering areas of investor protection - Markets in Financial Instruments Directive (MiFID) and Inside Trading): Law No. 3606/2007, as amended by Law No. 4514/2018 transposing the MiFID II directive, regarding markets in financial instruments and Law No. 3556/2007, as applicable, on transparency regarding issuers whose shares are admitted to an organised financial market;
• money laundering: Law No. 3691/2008, as applicable on the prevention and suppression of legalising income from criminal activities and financing of terrorist activities, was amended by Law No. 3932/2011, under which the Anti-Money Laundering, Counter-Terrorist Financing Commission was renamed as the Anti-Money Laundering, Counter-Terrorist Financing and Source of Funds Investigation Authority. According to this law, as amended by Law No. 4389/2016, the said national authority aims to combat the legalisation of proceeds from criminal activities and terrorist financing, assisting in security and sustainability of fiscal and financing stability by collecting, investigating and analysing any suspicious transactions forwarded to it by legal undertakings and natural persons, under special obligation, together with any other information as regards the relevant crimes. In addition, Banking and Credit Committee Decision No. 281/2009 on the supervision of credit institutions by the Bank of Greece regarding legalisation of income from criminal activities and financing of terrorist activities is also applicable;
• combat against bribery: Law No. 2656/1998, as applicable, on the ratification of the Convention on Combating Bribery of Foreign Public Officials in International Business Transactions; and OECD Guidelines (2011) on responsible behaviour of multinational companies globally;
• data protection: Law No. 2472/1997, as applicable, on the protection of natural persons with regard to the processing of personal data; Law No. 3471/2006, as applicable, on data protection in electronic communications: Decisions by the Data Protection Authority; and of course the new law implementing the EU General Data Protection Regulation (GDPR) 2016/679, which is due to be issued in May 2018;
• consumer protection: Law No. 2251/1994, as applicable, on consumer protection; Law No. 3862/2010, as applicable, on payment services in the internal market; Decision of the Governor of the Bank of Greece No. 2501/2002 on the informing of interested parties regarding credit transactions and relevant contract terms; and
• protection of competition: Law No. 3959/2011, as applicable, on the protection of free competition.

Moreover, for undertakings active in financial markets (namely collective investment undertakings and portfolio investment companies), Decision 3/645/30.4.2013, as amended by Decision 10/773/20.12.16, of the Hellenic Capital Market Commission contains detailed provisions regarding risk measurement and prediction of risk exposure and risk for the contracting party.

Types of undertaking

Which are the primary types of undertakings targeted by the rules related to risk and compliance management?

As stated in article 1 of the above-mentioned Law No. 3016/2002, provisions regarding corporate governance in general, and thus, also including types of risk and compliance management, apply to companies in the legal form of an SA (defined and organised by Law No. 2190/1920) which, additionally, are admitted in a regulated financial market (listed companies).

In addition, for specific categories of undertakings, such as financial and credit institutions and insurance undertakings, particular pieces of legislation apply, imposing tailored obligations on them. Specifically, for credit institutions, Law No. 4261/2014, transposing EU Directive 2013/36, includes a set of corporate governance as well as specified risk management provisions. Moreover, for insurance undertakings, Law No. 4364/2016, transposing Directive 2009/138, introduces detailed provisions on governance systems and risk management.

Regulatory and enforcement bodies

Identify the principal regulatory and enforcement bodies with responsibility for corporate compliance. What are their main powers?

The supervisory body for listed companies is the Hellenic Capital Market Commission. It is responsible for monitoring the compliance of listed companies with the provisions of Law No. 3016/2002 and Law No. 4449/2017 on corporate governance and obligatory audits. That said, Decision 5/204/14.11.2000 of the Commission refers to detailed obligations of listed companies regarding the subjects of internal organisation regulation and audit. Non-compliance with the above-mentioned issues results in administrative fines being imposed by the Commission.

By the same token, the Hellenic Competition Commission has broad enforcement powers in the area of collusive practices, abuses of dominance and merger control. This body is empowered to take decisions on finding an infringement of the Competition Act and to impose administrative fines. It also forms a policy for combating antitrust behaviour, competition distortion, etc, through its reports and opinions.

Moreover, according to the Articles of Association of The Bank of Greece (as applies, after the last amendment by Law No. 4099/2012), the latter is entrusted with the overall monitoring of the financial and insurance sectors as well as of other types of undertakings. In this regard, it is competent for the review of certain procedures regarding risk management (eg, annual review of the cash flow plans of credit institutions according to Law No. 4261/2014) and for the imposing of administrative sanctions according to the relevant legislation. Furthermore, in a transnational context, the European Central Bank through the Single Supervisory Mechanism, is in charge of supervising the systemically significant credit and financial institutions. Moreover, the Bank of Greece is responsible for specifying the recommendations and guidelines conducted by the Committee of European Banking Supervisors and hereafter the European Banking Authority.

Special reference has to be made to the Anti-Money Laundering, Counter-Terrorist Financing and Source of Funds Investigation Authority. This authority has been restructured into three individual units: the Financial Intelligence Unit, the Financial Sanctions Unit and the Source of Funds Investigation Unit. The president is an acting Public Prosecutor to the Supreme Court appointed by a Decision of the Supreme Judicial Council, and serves on a full-time basis.

Definitions

Are ‘risk management’ and ‘compliance management’ defined by laws and regulations?

In the Greek legislation concerning listed companies, there is no definition of the terms ‘risk management’ and ‘compliance management’. However, the results to be attained by the establishment of such systems are indeed described in legislation. For instance, according to Law No. 3016/2002, the audit committee is responsible, among other things, for the monitoring of the internal organisation regulation and the Articles of Association of the company, as well as for the company’s compliance with the applicable legislation. Additionally, according to Law No. 4364/2016 for insurance undertakings, the risk management systems in place shall include the strategies and policies suitable for the identification, measurement, monitoring, management and reporting of the risks faced by the company, in an individual or collective manner, along with any interdependencies connected to them.

Processes

Are risk and compliance management processes set out in laws and regulations?

The national legal framework provides a sufficient description of the process followed for risk and management compliance. Specifically in the separate pieces of legislation listed above, the regulatory and supervising bodies shall follow the exact processes to meet their target and achieve their goal.

Standards and guidelines

Give details of the main standards and guidelines regarding risk and compliance management processes.

For listed companies, apart from the obligations imposed by the above discussed legislation, a set of basic principles and best practices has been introduced by the Hellenic Governance Code For Listed Companies, published in October 2013 by the Hellenic Corporate Governance Council. The aim of the Code is to enlighten the members of the board of directors of listed companies regarding corporate governance areas that are not covered by legislation, and thus to provide a complete best practices approach.

In general, the standards introduced by the Code are divided into the general principles addressed to all SA companies and the special practices to be applied only by listed companies. Especially for the latter, some of the additional requirements to those of legislation are: the obligation to disclose a statement for the identification of the core risks faced by the company, as well as the main features of the internal control system applied and the adoption of detailed policies regarding conflicts of interest of members of the board of directors.

As for the context, the Code contains four sections, each covering the following areas: the board and its members; internal control; remuneration; and relations with shareholders.

Furthermore, according to the Decision of the Governor of the Bank of Greece No. 2577/2006 concerning credit and financial institutions, these undertakings are obligated to abide by the standards of an efficient organisational structure, and have a sufficient internal audit system with primary focus on the functions of internal review, risk management and regulatory compliance.

Instruction No. 51/13.03.2013 of the Hellenic Capital Market Commission is considered to be a reference point with regard to compliance management for companies providing investment services. The said Instruction contains clarifications about transposing European Securities and Markets Authority guidelines of 6 July 2012 (ESMA/2012/388) into the Commission’s supervisory practice. These guidelines are based on two main axes: the competences of regulatory compliance function (risk assessment, supervisory programme, reports submission, etc) as well as the organisational requirements of the regulatory compliance function (efficiency, independency, permanency of the function, etc).

Obligations

Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?

According to Law No. 4449/2017 and Act No. 2577/9.3.2006 of the Governor of the Bank of Greece, compliance and risk management apply to undertakings having their registered seat and operating in Greece.

Specifically, Law No. 4449/2017 is applicable to companies that have their shares listed in a regulated financial market in Greece and that are additionally governed by Greek law or the laws of any EU member state.

Regarding credit institutions, according to Act No. 2577/9.3.2006 of the Governor of the Bank of Greece, branches of foreign credit institutions are obligated to disclose to the Bank of Greece the internal audit processes adopted, as well as the results from the audit performed by the home state supervising authority and the external auditors concerning the branch activities with regard to the related provisions (namely prevention and suspension of money laundering, processes aiming to the transparency of transactions and sufficient informing of the interested parties and any other obligation applicable to undertakings under the legislation of the host country).

What are the key risk and compliance management obligations of undertakings?

Listed Companies

Law No. 3016/2002 on corporate governance introduced the obligation for participation in the board of directors of non-executive and independent non-executive directors, with certain criteria determining when independence is indeed secured (article 4). Additionally, listed companies became obligated to set an internal audit function characterised by autonomy from the other functions of the company and monitored by non-executive members of the board of directors, without any member of the board of directors to be allowed to also be a member of the audit function. Duties of the audit function include the monitoring of the corporate and legal obligations of the company and referral to the board of directors of cases of interest collision. With regards to consequences of non-conformity with the said provisions, Law No. 3016/2002 provides for an administrative fine issued by the Hellenic Capital Market Commission.

In principle, Law No. 2190/1920, on public limited companies, as in force and amended by Law No. 3873/2010 and Law No. 3884/2010, provides the legal framework for risk and compliance management on listed and non-listed companies, limited by shares. Law No. 3884/2010 focuses on shareholders’ rights and additional corporate obligations regarding shareholders’ information in the context of general meeting preparation, while Law No. 3873/2010 provides for the drafting and disclosure of a corporate governance statement for all listed companies.

According to Law No. 2190/1920, the members of the board of directors are responsible for fulfilling the scope of company’s management and in general the corporate object. They are also entrusted with the duties provided, namely, duty of loyalty, duty of care, obligation for a non-competitive conduct, etc. Furthermore, they are required to disclose and publish the annual financial statement, the annual management report and the corporate governance statement, where applicable (article 22a). The said obligation, in combination with the one that calls for carrying out an internal audit, is of utmost importance for the purposes of the regulatory provisions in force. Reference should be made to the audit carried out in terms of the law, the statute and the decisions of the general meeting (articles 39a, 40 and 40a). The annual management report (article 43a, 43b) should comply with the obligations of risk management and of the battle against corruption and bribery.

According to article 7a, the appointment and the cessation for any reason whatsoever of the following persons are subject to publication: namely, the persons who carry out the management of the company or have the power to represent the company jointly or individually, or are competent to carry out regular audits.

Further to the above, the Articles of Association may specify the matters in respect of which the power of the board of directors is exercised in whole or in part by one or more members thereof, company directors or third parties, as stipulated in article 22. It may also authorise or require the board of directors to entrust the internal audit of the company to one or more members or third parties, without prejudice to other provision of the law. Such persons may authorise other members or third parties to exercise the powers conferred on them. Thus, related to article 22a, every member of the board of directors shall be responsible to the company for any fault committed during their management of the company’s affairs. They shall be responsible for any omissions or false entries in the balance sheet concealing the actual position of the company. The annual management report and the corporate governance statement, where applicable, shall be drawn up and are also subject to this kind of obligation to be published.

The content and the information of an annual management report is specified according to article 43a, and may differ depending on the size of the company and depending on whether the company under consideration is a subsidiary of another company that requires a consolidated management report or a separate report. It is further clarified that the provisions for the corporate governance statement under article 43bb regarding, specifically SAs with transferable securities admitted to trading on a regulated market, specifies the content of the corporate governance statement that must be incorporated in the management report of said companies. The content of the corporate governance statement also differs depending on the size of the company.

The duties of board of directors members follow in exactly the same vein, providing that they shall keep absolute secrecy on confidential matters of the company, while refraining from any action pursuing their own interests contrary to the company’s interests. They are also required to disclose to the other members of the board of directors their own interests, which may arise from company’s transactions falling within their duties.

Furthermore, the company must disclose its remuneration policy, making it available on its website and also including it in the corporate governance statement. Any remuneration paid out of the profits to a member of the board of directors shall be taken out of the balance of the net profits after the deduction of amounts set aside as regular reserves, and of the amount required for the distribution to the shareholders. Any other remuneration or compensation not specified by the Articles of Association, for any reason whatsoever, shall be deemed to be chargeable to the company only if approved by special resolution of the general meeting. The said obligation is enforced by the existence of a Remuneration Committee provided in Law No. 3016/2002 as mentioned above.

There is also a significant obligation for members of the board of directors regarding shareholder information. To be more specific, members of the board of directors should provide the general meeting with extensive information for the election of a candidate to the board of directors with regard to the reasons justifying the nomination, a detailed curriculum vitae (including information on the current activity of the candidate, their participation on other boards of directors and other positions, distinguishing between the positions they hold in companies belonging to the same group and positions they hold in companies outside the group, etc) and the criteria to determine whether the candidate is in a conflict of interest (indicating in particular any relationship between the company in which the candidate works or is mainly employed and the company for whose board they are a candidate). This duty also refers to the obligatory information processes that have to be applied before a general meeting takes place, regarding shareholders’ rights. Besides this, pursuant to article 39, rights of minority interest matter greatly.

It has also to be pointed out that the law in question specifies the definition of an affiliated company, something really important for the identification of an independent non-executive member of the board of directors, according to Law No. 3016/2002.

Greek public limited companies (as well as branches and agencies of foreign public limited companies) are audited in respect of drawing up the balance sheet, the financial administration and general operations. Furthermore, the Minister of Commerce may, whenever they deem it necessary, carry out such inspections through the appropriate employees of the Ministry or through the inspectors of public limited companies.

Credit and insurance undertakings

As stated above, Law No. 4261/2014 applicable to credit institutions includes details of corporate governance as well as specified risk management provisions. That said, credit institutions are obligated to establish a sound and efficient corporate governance system that contains a clear organisational structure including efficient division of competences, internal audit systems consisting of appropriate administrative and auditing processes as well as an effective system for the detection, monitoring, management and reporting of risks faced, or possibly faced, by the institution. Moreover, remuneration policies and strategies shall be in line with efficient risk management. The above system shall be appropriate for dealing with the complexity of the risks as well as being suitable for the activities of the institution, and will be closely monitored by the board of directors. Particularly for important credit institutions (as defined in article 68 of Law No. 4261/2014), a risk management committee consisting of non-executive members of the board should be in place, having the obligation to report to the board of directors and to provide assistance throughout risk management.

With regard to insurance undertakings, Law No. 4364/2016 introduces a set of provisions on governance systems and risk management that is very similar to that for credit institutions, as discussed above. As for specific provisions, article 32 of Law No. 4364/2016, among others, provides the minimum of risks targeted by the system. It also foresees that specific risk management policies shall be set out in order to address each one of the risks concerned.

Public interest undertakings (listed, insurance, credit and financial undertakings)

Law No. 4449/2017, on the statutory audit of annual and consolidated financial statements, and public oversight of the audit work, is referred to by the undertakings that are obliged to keep financial statements. The audit must be carried out according to the international auditing standards by an auditor, which may be either an auditing accountant or an auditing company. The provisions ensure the objectivity and the independency of the auditor throughout the whole procedure. The auditor conducts an audit report in which they present the conclusions of the audit, having taken into account any reports of third countries’ audit work. The audit report must be conducted in writing and must include very specific information and data of the controlling undertaking, as well as the opinion and the conclusions of the auditor, who bears full responsibility for the report. It is worth mentioning that the auditors are also subject to a system of quality assurance (quality control). The competent body for this quality control is the Hellenic Accounting and Auditing Standards Oversight Board.

According to article 44 of the said law, every public interest undertaking has an audit committee, consisting of mainly independent and experienced members. This committee may be either an independent committee or a committee of the board of directors of the controlled undertaking, but the president shall be independent. The committee informs the board of directors about the results of the statutory audit, explains the importance of such an audit and generally monitors the procedure of statutory audit ensuring the procedural integrity. It also monitors the financial informing by submitting recommendations and suggestions, and monitors the efficiency of the internal systems audit as well. The principal regulatory and enforcement bodies for the supervision of compliance with provisions regarding the committee are the Hellenic Capital Market Commission and the Bank of Greece (see question 4).

Liability

Liability of undertakings

What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?

Greek law for an SA (Law No. 2190/1920) foresees, as mentioned above, a broad set of competences for the board of directors and for non-members exercising management duties delegated by the board. In a nutshell, the board is responsible for deciding upon any corporate issue regarding the management of corporate affairs, the company’s assets and of course the representation of the company. In that sense, a key obligation of the board is to abide by the duty of loyalty and to always act for the benefit of the company, ensuring that there is no conflict of interests.

Specifically for listed companies, according to Law No. 3016/2002, board members are responsible for aiming at the long-term improvement of the company’s value and also for the safeguarding of the general corporate interest. In that sense, the pursuance of personal interests contradicting the ones of the company is not allowed according to the said legislation. The internal audit committee is responsible for monitoring the above issues and non-compliance causes the imposing of administrative sanctions against the board.

Moreover, with regards to public interest entities, mainly listed companies, credit and insurance undertakings, subject to Law No. 4449/2017, the audit committee in place is entrusted with monitoring the quality of the internal audit systems and the risk management systems, subject to the obligations of the board. That said, the board members are subject to administrative sanctions in cases of improper establishment and functioning of the said committee along with the members.

Do undertakings face civil liability for risk and compliance management deficiencies?

Yes, third parties have the right to file a claim for damages against an undertaking according to the laws for civil liability (specifically the provisions for wrongful acts pursuant to the provisions of the Greek Civil Code), in cases where non-compliance of the said undertaking with the applicable legislation has caused damages to the party concerned.

Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?

In the case of sector-regulated enterprises, namely credit institutions and insurance companies, the special legislation applicable, as discussed above, provides for specific administrative and regulatory sanctions for the undertakings’ non-adherence to risk and compliance obligations. That said, for credit institutions, non-operation of a corporate governance system, containing efficient risk management among others, results in a series of severe administrative and regulatory measures and fines imposed by the Bank of Greece (inter alia, dismissal of responsible persons, revocation of the institution’s licence, financial fines of up to 10 per cent of the annual finance revenues, etc). Moreover, legislation for insurance institutions (namely, article 256 of Law No. 4364/2016) foresees a reprimand or fine of up to €2 million placed upon the undertaking, the members of the management and any other person responsible for non-compliance with it. Lastly, the Hellenic Capital Market Commission and the Bank of Greece are responsible for imposing administrative sanctions on companies active in the financial markets sector.

As far as listed companies are concerned, deficiencies regarding risk and compliance management are not punishable by an administrative sanction, and other regulatory consequences affecting the undertaking as such do not apply. However, board members do face administrative consequences in some areas of corporate governance covered by the above-mentioned legislation (see question 15).

Do undertakings face criminal liability for risk and compliance management deficiencies?

No, there is no such provision for criminal liability of legal persons in Greek law. Instead, natural persons are subject to criminal liability (see question 16).

Liability of governing bodies and senior management

Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?

Members of the board of directors of an SA are liable against the company for any fault that occurred during the exercise of their competences as managers of the corporate affairs (article 22a of Law No. 2190/1920). However, proving that they have acted as a prudent business person would have excludes the above liability. Additionally, the law was amended in recent years to include cases of non-compliance with board obligations regarding the drafting and disclosure of annual economic statements, the management report and the corporate governance report (in cases that are applicable), according to the applicable laws.

Thus, the company has a right to claim for damages towards the members of the board in cases where their decisions and actions have caused the said damages. With regard to the board’s liability against the company creditors, the former are held liable for the damages they have caused by fault to the latter, according to the civil legislation for wrongful acts, as provisions of Law No. 2190/1920 serve the purpose of safeguarding the creditors’ interests and thus, non-compliance with them during the exercise of their duties, forms a wrongful act. Lastly, it is of importance to mention that the legal entity of the company is jointly and severally liable along with the board members against its creditors.

Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?

As discussed in question 10, board members of listed companies face administrative sanctions for non-compliance with the corporate governance obligations of Law No. 3016/2002 and Law No. 4449/2017. The Hellenic Capital Market Commission is responsible for imposing a reprimand or fine ranging from €3,000 to €1 million on the persons performing the duties of board members (members of the audit committee might also be sanctioned according to Law No. 4449/2007), except for credit and insurance companies, for which the Bank of Greece is the supervisory authority (see question 12).

Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?

According to the Greek legal system, the persons faced with civil liability are those entrusted with the representation of the company as well as with the management of its corporate affairs. Therefore, members of the board of directors of an SA face criminal liability for breach of their legal obligations, according to articles 54-seq of Law No. 2190/1920 (inter alia, submission of false statements regarding the payment of corporate capital and the issuing of shares, omission of the annual balance sheet completion), as well as being accused of committing the crimes of articles 375 (embezzlement) and 390 (infidelity) of the Penal Code. Criminal liability of the responsible persons is also incurred for the breach of tax and social insurance law obligations, as well as for non-compliance with competition law.

With regard to credit institutions, the relevant legislation (article 59 of Law No. 4261/2014) foresees the criminal liability of the board members, the president, the auditors and the responsible directors and employees of the credit institution whose actions have caused (among other things): the omission or forgery of the appropriate listing of an important transaction; the submission of false or inaccurate reports or data to the Bank of Greece; or the obstruction of the company practices review by the Bank of Greece.

Corporate compliance

Corporate compliance defence

Is there a corporate compliance defence? What are the requirements?

As discussed above, the Hellenic Corporate Governance Code has been published for listed companies. As regards the implementation of the Code, it is voluntary and based on a ‘comply or explain’ approach, meaning that in cases where a listed company deviates from the Code standards, it has to provide detailed reasoning regarding such necessity. Additionally, a company has to provide specific information about the alternative measures followed by it in order to tackle the issues for which a deviation from the Code provisions has been chosen. Among other things, risk mitigating actions have to be described in detail and should be in line with the overall principles enshrined in the Code.

Recent cases

Discuss the most recent leading cases regarding corporate risk and compliance management failures?

Novartis

According to the testimonial evidence of the protected witnesses, it is alleged that the multinational pharmaceutical company Novartis has applied a system of bribery of doctors and officials to promote the use of Novartis medicines by patients, thereby multiplying company profits and succeeding over other competition in the pharmaceutical market. It is also presumed that Greek politicians may be involved in this case. In addition, this bribery is alleged to have involved illegal exports of pharmaceuticals in consultation with doctors and pharmaceutical warehouses. It is considered to be a crucial case as Greece is a reference country for drug pricing in 29 countries around the world.

This case is still pending, but was selected to be analysed because it constitutes a matter of particular concern to Greek society. What precedes is more of a news and current affairs circumstantial recording rather than unassailable proof of what has taken place.

Fines to construction companies

Another representative example derives from a ruling of the Hellenic Competition Commission, based on Greek antitrust law, that had a severe impact on the earnings of companies involved. Its judgment on the case found that 15 major Greek construction companies had formed a trust against public construction competition. The fines incurred following the 626/2016 judgment of the Commission were approximately €80 million, which were the highest fines among similar cases within the EU. Considering that the combined earnings of the four major companies for 2016 were €2.4 million after provisions of approximately €79 million were realised for the above fine, it is evident that its impact on their viability was crucial.

Siemens

A typical example involving bribing of public officials is the well-known Siemens case that was revealed in 2008 in Greece. According to the given facts, a series of bribes were paid to a number of public officials and politicians concerning the purchase from the Hellenic Telecommunication Company of several telecommunication systems and security systems used by the Greek authorities to ensure public safety during the Olympic Games held in Athens in 2004. The case is under scrutiny by the Greek judiciary system.

Government obligations

Are there risk and compliance management obligations for government, government agencies and state-owned enterprises?

As discussed above, the Greek legal framework, in which risk and compliance management provisions are included, addresses companies of the legal form of an SA. Additionally, the obligations imposed on the undertakings differ according to their form as listed or non-listed. Additionally, as already noted, there is specific regulation of certain types of activities of companies, such as credit and insurance providing. That said, whether the ownership of the undertaking is private or public does not play a role in defining the obligations concerned.

Digital transformation

Framework covering digital transformation

What are the key statutory and regulatory differences between public sector and private sector risk and compliance management obligations?

One of the key differences between the private and public sectors is that for the latter there is a special supervisory framework. Specifically, for public administrative entities, the General Inspector of Public Administration, appointed by the government for a specified period of time, is the authority responsible for ensuring the efficient and effective functioning of public administration, the monitoring of its performance and the detection of any corruption and maladministration phenomena. Some of the main competences of the said authority are the conducting of all kinds of inspections, post-inspections and investigations in the civil service and the public sector, including public enterprises and other state-controlled enterprises, and the conducting of annual auditing of the financial statements of the inspecting and controlling bodies of public administration and other categories of civil servants.

Update and trends

Update and trends

Updates and trends

Implementation of MiFID II

Law No. 4514/2018 transposing the MiFID II Directive (2014/65/EU) was published in the Official Gazette in January 2018. As stated in the explanatory memorandum of the new legislation, the purpose of the new legal framework is to establish a stricter context for the operation of activities related to financial instruments. The goal is to achieve greater transparency and security for all interested parties and better coordination of market supervision throughout the EU.

Current issues regarding the GDPR

The new Regulation introduces a common framework of provisions regarding the way personal data of EU citizens are collected, processed, stored, transmitted, utilised and destroyed (either in electronic or physical form) by both private undertakings (irrespective of their size and area of activity) and public sector bodies. The Regulation obliges companies and organisations to reorganise their technical systems through the mapping of procedures related to personal data storage and process. Additionally, the above shall establish appropriate technical mechanisms that will enable them to list and eliminate any possible threats of data leak to malicious users. Undoubtedly some questions regarding the implementation have been raised as some points have not yet been absolutely clarified (eg, any time limitations as regards the storage of personal data, while time pressure is still an issue) and the date set for the final implementation is 25 May 2018.

In conclusion, taking into account how recent the GDPR legislation is and also that there are no guidelines for the proper compliance, the questions raised will be resolved mainly in practice. Undertakings face the inherent risk of high level of fines, which can reach the amount of €20 million or 4 per cent of the annual global turnover (of the group or holding). However, companies and organisations should consider the data protection officer and processor as ‘tools’, assisting them with their compliance obligations in order to avoid the severe fines that could emerge from data leaks and not as another set of obligations among the numerous already imposed on them.

Social security obligations for shareholders and board of directors members

According to Law No. 4387/2016 regarding the reform of the National Security System, members of the board of directors of an SA with commercial, trading or production scope, who are also holders of at least 3 per cent of the total shares of the company, are obliged to submit financial contributions for social insurance.