Legal and regulatory framework

Legal role

What legal role does corporate risk and compliance management play in your jurisdiction?

The focus of the EU on corporate governance over the past few decades has resulted in the development of some ground rules for the Greek corporate environment. More specifically, in early 2000 a series of best practice principles based on recommendations from the Organisation for Economic Co-operation and Development (OECD) was issued by the Hellenic Capital Markets Committee, and from that point on pieces of legislation regarding corporate governance and risk management began to be adopted gradually, as mentioned below. Nevertheless, it seems that no legal role for corporate risk and compliance management is defined under the Greek legal framework. Following the world financial crisis in 2008, and as a result of the Greek recession, Greek enterprises have proved willing to incorporate best practices regarding risk and compliance management functions into their structure and, for this purpose, new pieces of legislation have already been adopted in the form of the incorporation of EU directives and sound amendments to the existing legislation.

Laws and regulations

Which laws and regulations specifically address corporate risk and compliance management?

The main pieces of legislation set out below are considered to be of the highest priority for Greek undertakings:

  • Law No. 3016/2002 On Corporate Governance, Remuneration and Other Issues, as amended and in force, providing the minimum corporate governance requirements for listed companies;
  • Law No. 2190/1920 On Public Limited Companies, which applies to both non-listed and listed public limited liability companies (under the corporate form of a société anonyme (SA)), setting rules for the general meeting, the role of the board of directors, relationships between the members of the board of directors and the company, rights of minority shareholders, etc;
  • Law No. 4490/2017 On the Statutory Audit of the Annual and Consolidated Financial Statements and Public Oversight of the Audit Work, which applies to every undertaking that is obliged to keep financial statements;
  • specific legislation containing risk and compliance obligations applies to credit institutions (Law No. 4261/2014) and insurance undertakings (Law No. 4364/2016); and
  • for listed companies, apart from the obligations imposed by the above discussed legislation, a set of basic principles and best practices has been introduced by the Hellenic Governance Code For Listed Companies, published in October 2013, by the Hellenic Corporate Governance Council.

Further to the above, the following list sets out the most important areas related to compliance and risk management that apply to and concern all of the previously mentioned undertakings, but mainly credit institutions and, where relevant, financial institutions too:

  • supervisory framework for credit institutions: Law No. 4261/2014 (as mentioned above), Decision of the Governor of the Bank of Greece No. 2577/2006, Law No. 3746/2009 On the Insurance of Investment and Deposits Fund;
  • protection of bank secrecy and confidentiality: Legislative Decree 1059/1971, as applicable, on the protection of bank deposits;
  • protection against market abuse: Law No. 3340/2005, as applicable, on insider dealing and market manipulation, in combination with Law No. 4443/2016 on market abuse, transposing Regulation (EU) No. 596/2014, and several guidelines of the Hellenic Capital Market Commission;
  • markets in financial instruments and transparency (covering the areas of investor protection, the Markets in Financial Instruments Directive (MiFID) and insider trading): Law No. 3606/2007, as amended by Law No. 4514/2018 transposing the MiFID II directive, regarding markets in financial instruments, and Law No. 3556/2007, as applicable, on transparency regarding issuers whose shares are admitted to trading on an organised financial market;
  • money laundering: Law No. 3691/2008, as applicable, on the prevention and suppression of the legalisation of income from criminal activities and the financing of terrorism, was amended by Law No. 3932/2011, under which the Anti-Money Laundering and Counter-Terrorist Financing Commission was renamed the Anti-Money Laundering, Counter-Terrorist Financing and Source of Funds Investigation Authority. According to this law, as amended by Law No. 4389/2016, the said national authority aims to combat the legalisation of proceeds from criminal activities and terrorist financing, assisting in the security and sustainability of fiscal and financial stability by collecting, investigating and analysing any suspicious transactions forwarded to it by legal entities and natural persons under a special obligation, together with any other information regarding the relevant crimes. In addition, Banking and Credit Committee Decision No. 281/2009 on the supervision of credit institutions by the Bank of Greece regarding the legalisation of income from criminal activities and the financing of terrorism is also applicable;
  • combating bribery: Law No. 2656/1998, as applicable, on the ratification of the Convention on Combating Bribery of Foreign Public Officials in International Business Transactions; and the OECD Guidelines (2011) on the responsible behaviour of multinational companies globally;
  • data protection: Law No. 2472/1997, as applicable, on the protection of natural persons with regard to the processing of personal data; Law No. 3471/2006, as applicable, on data protection in electronic communications; decisions of the Data Protection Authority; and, of course, the new law implementing the EU General Data Protection Regulation (GDPR) 2016/679, which is due to be issued in May 2018;
  • consumer protection: Law No. 2251/1994, as applicable, on consumer protection; Law No. 3862/2010, as applicable, on payment services in the internal market; and Decision of the Governor of the Bank of Greece No. 2501/2002 on informing interested parties about credit transactions and the relevant contract terms; and
  • protection of competition: Law No. 3959/2011, as applicable, on the protection of free competition.

Moreover, for undertakings active in the financial markets (namely collective investment undertakings and portfolio investment companies), Decision 3/645/30.4.2013 of the Hellenic Capital Market Commission, as amended by Decision 10/773/20.12.16, contains detailed provisions regarding risk measurement, the forecasting of risk exposure and counterparty risk.

Standards and guidelines

Give details of the main standards and guidelines regarding risk and compliance management processes.

For listed companies, apart from the obligations imposed by the legislation discussed above, a set of basic principles and best practices has been introduced by the Hellenic Governance Code For Listed Companies, published in October 2013 by the Hellenic Corporate Governance Council. The aim of the Code is to guide the members of the boards of directors of listed companies on corporate governance areas that are not covered by legislation, and thus to provide a complete best practices approach.

In general, the standards introduced by the Code are divided into general principles addressed to all SA companies and special practices to be applied only by listed companies. For the latter in particular, the requirements additional to those of the legislation include: the obligation to disclose a statement identifying the core risks faced by the company, as well as the main features of the internal control system applied, and the adoption of detailed policies regarding conflicts of interest of members of the board of directors.

As for its content, the Code contains four sections, covering the following areas: the board and its members; internal control; remuneration; and relations with shareholders.

Furthermore, according to Decision of the Governor of the Bank of Greece No. 2577/2006 concerning credit and financial institutions, these undertakings are obliged to maintain an efficient organisational structure and a sufficient internal control system, with a primary focus on the functions of internal audit, risk management and regulatory compliance.

Instruction No. 51/13.03.2013 of the Hellenic Capital Market Commission is considered a reference point with regard to compliance management for companies providing investment services. The said Instruction contains clarifications on transposing the European Securities and Markets Authority guidelines of 6 July 2012 (ESMA/2012/388) into the Commission's supervisory practice. These guidelines are built on two main axes: the competences of the regulatory compliance function (risk assessment, supervisory programme, submission of reports, etc) and the organisational requirements of the regulatory compliance function (efficiency, independence, permanence of the function, etc).

Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?

According to Law No. 4449/2017 and Act No. 2577/9.3.2006 of the Governor of the Bank of Greece, compliance and risk management obligations apply to undertakings having their registered seat and operating in Greece.

Specifically, Law No. 4449/2017 is applicable to companies that have their shares listed in a regulated financial market in Greece and that are additionally governed by Greek law or the laws of any EU member state.

Regarding credit institutions, according to Act No. 2577/9.3.2006 of the Governor of the Bank of Greece, branches of foreign credit institutions are obliged to disclose to the Bank of Greece the internal audit processes they have adopted, as well as the results of the audits performed by the home state supervisory authority and by the external auditors concerning the branch's activities with regard to the related provisions (namely the prevention and suppression of money laundering, processes aimed at the transparency of transactions and the adequate information of interested parties, and any other obligation applicable to undertakings under the legislation of the host country).

What are the key risk and compliance management obligations of undertakings?

Listed Companies

Law No. 3016/2002 on corporate governance introduced the obligation for non-executive and independent non-executive directors to participate in the board of directors, with certain criteria determining when independence is indeed secured (article 4). Additionally, listed companies became obliged to establish an internal audit function that is autonomous from the other functions of the company and monitored by non-executive members of the board of directors, with no member of the board of directors being allowed to also be a member of the audit function. The duties of the audit function include monitoring the corporate and legal obligations of the company and referring conflicts of interest to the board of directors. With regard to the consequences of non-conformity with the said provisions, Law No. 3016/2002 provides for an administrative fine imposed by the Hellenic Capital Market Commission.

In principle, Law No. 2190/1920 on public limited companies, as in force and amended by Law No. 3873/2010 and Law No. 3884/2010, provides the legal framework for risk and compliance management in listed and non-listed companies limited by shares. Law No. 3884/2010 focuses on shareholders' rights and additional corporate obligations regarding the information of shareholders in the context of the preparation of the general meeting, while Law No. 3873/2010 provides for the drafting and disclosure of a corporate governance statement by all listed companies.

According to Law No. 2190/1920, the members of the board of directors are responsible for fulfilling the scope of the company's management and, in general, the corporate object. They are also entrusted with the duties provided by law, namely the duty of loyalty, the duty of care, the non-competition obligation, etc. Furthermore, they are required to disclose and publish the annual financial statements, the annual management report and the corporate governance statement, where applicable (article 22a). The said obligation, in combination with the one that calls for carrying out an internal audit, is of utmost importance for the purposes of the regulatory provisions in force. Reference should be made to the audit carried out in terms of the law, the articles of association and the decisions of the general meeting (articles 39a, 40 and 40a). The annual management report (articles 43a and 43b) should comply with the obligations regarding risk management and the fight against corruption and bribery.

According to article 7a, the appointment and the cessation, for any reason whatsoever, of the following persons are subject to publication: namely, the persons who carry out the management of the company or have the power to represent the company, jointly or individually, or are competent to carry out regular audits.

Further to the above, the Articles of Association may specify the matters in respect of which the powers of the board of directors are exercised, in whole or in part, by one or more of its members, company directors or third parties, as stipulated in article 22. They may also authorise or require the board of directors to entrust the internal audit of the company to one or more members or third parties, without prejudice to other provisions of the law. Such persons may authorise other members or third parties to exercise the powers conferred on them. Furthermore, under article 22a, every member of the board of directors shall be liable to the company for any fault committed during their management of the company's affairs. They shall be liable for any omissions or false entries in the balance sheet that conceal the actual position of the company. The annual management report and the corporate governance statement, where applicable, shall be drawn up and are also subject to this obligation to be published.

The content and the information of the annual management report are specified in article 43a, and may differ depending on the size of the company and on whether the company under consideration is a subsidiary of another company that requires a consolidated management report or a separate report. It is further clarified that the provisions on the corporate governance statement under article 43bb, which apply specifically to SAs with transferable securities admitted to trading on a regulated market, specify the content of the corporate governance statement that must be incorporated in the management report of those companies. The content of the corporate governance statement also differs depending on the size of the company.

The duties of the members of the board of directors follow in exactly the same vein, providing that they shall keep absolute secrecy on confidential matters of the company, while refraining from any action pursuing their own interests contrary to the company's interests. They are also required to disclose to the other members of the board of directors any interests of their own that may arise from the company's transactions falling within their duties.

Furthermore, the company must disclose its remuneration policy, making it available on its website and also including it in the corporate governance statement. Any remuneration paid out of the profits to a member of the board of directors shall be taken out of the balance of the net profits after the deduction of the amounts set aside as regular reserves and of the amount required for distribution to the shareholders. Any other remuneration or compensation not specified by the Articles of Association, for any reason whatsoever, shall be deemed chargeable to the company only if approved by a special resolution of the general meeting. The said obligation is reinforced by the existence of a remuneration committee, as provided for in Law No. 3016/2002, mentioned above.

There is also a significant obligation for the members of the board of directors regarding shareholder information. To be more specific, the members of the board of directors should provide the general meeting with extensive information on the election of a candidate to the board of directors, regarding the reasons justifying the nomination, a detailed curriculum vitae (including information on the candidate's current activity, their participation in other boards of directors and other positions, distinguishing between positions held in companies belonging to the same group and positions held in companies outside the group, etc) and the criteria for determining whether the candidate is in a conflict of interest (indicating in particular any relationship between the company in which the candidate works or is mainly employed and the company for whose board they are a candidate). This duty also refers to the mandatory information procedures that have to be applied before a general meeting takes place, regarding shareholders' rights. Besides this, pursuant to article 39, minority rights are of great importance.

It should also be pointed out that the law in question defines an affiliated company, which is of particular importance for the identification of an independent non-executive member of the board of directors under Law No. 3016/2002.

Greek public limited companies (as well as branches and agencies of foreign public limited companies) are audited in respect of the drawing up of the balance sheet, their financial administration and their general operations. Furthermore, the Minister of Commerce may, whenever they deem it necessary, carry out such inspections through the appropriate employees of the Ministry or through the inspectors of public limited companies.

Credit and insurance undertakings

As stated above, Law No. 4261/2014, applicable to credit institutions, includes detailed corporate governance provisions as well as specific risk management provisions. Accordingly, credit institutions are obliged to establish a sound and efficient corporate governance system comprising a clear organisational structure with an efficient division of competences, internal audit systems consisting of appropriate administrative and auditing processes, and an effective system for the detection, monitoring, management and reporting of the risks the institution faces or may face. Moreover, remuneration policies and strategies shall be in line with efficient risk management. The above system shall be appropriate for dealing with the complexity of the risks and suitable for the activities of the institution, and will be closely monitored by the board of directors. In particular, for important credit institutions (as defined in article 68 of Law No. 4261/2014), a risk management committee consisting of non-executive members of the board should be in place, with the obligation to report to the board of directors and to assist it with risk management.

With regard to insurance undertakings, Law No. 4364/2016 introduces a set of provisions on governance systems and risk management that is very similar to that for credit institutions, as discussed above. As for specific provisions, article 32 of Law No. 4364/2016, among others, sets out the minimum set of risks to be covered by the system. It also provides that specific risk management policies shall be set out in order to address each of the risks concerned.

Public interest undertakings (listed, insurance, credit and financial undertakings)

Law No. 4449/2017, on the statutory audit of annual and consolidated financial statements and public oversight of the audit work, applies to the undertakings that are obliged to keep financial statements. The audit must be carried out in accordance with the international auditing standards by an auditor, which may be either an auditing accountant or an auditing company. The provisions ensure the objectivity and the independence of the auditor throughout the whole procedure. The auditor draws up an audit report presenting the conclusions of the audit, having taken into account any reports on audit work carried out in third countries. The audit report must be drawn up in writing and must include very specific information and data on the audited undertaking, as well as the opinion and the conclusions of the auditor, who bears full responsibility for the report. It is worth mentioning that auditors are also subject to a system of quality assurance (quality control). The competent body for this quality control is the Hellenic Accounting and Auditing Standards Oversight Board.

According to article 44 of the said law, every public interest undertaking has an audit committee consisting mainly of independent and experienced members. This committee may be either an independent committee or a committee of the board of directors of the audited undertaking, but its chair shall be independent. The committee informs the board of directors of the results of the statutory audit, explains the importance of that audit and generally monitors the statutory audit procedure, ensuring its procedural integrity. It also monitors financial reporting by submitting recommendations and suggestions, and monitors the effectiveness of the internal control systems as well. The principal regulatory and enforcement bodies for the supervision of compliance with the provisions regarding the committee are the Hellenic Capital Market Commission and the Bank of Greece (see question 4).