Legal and regulatory framework

Legal role

What legal role does corporate risk and compliance management play in your jurisdiction?

As the Russian economy grows and becomes more complex, businesses in Russia increasingly need effective models for managing compliance-related risks on the basis of applicable laws and regulations. The concept of compliance is generally considered to have begun developing in Russia in the early 2000s, and it has acquired a distinct legal meaning in Russia only in recent years.

Nonetheless, the reasons for establishing corporate risk and compliance management systems within Russian organisations vary, and they still do not derive entirely from mandatory statutory requirements.

The main spheres that are commonly subject to compliance management in Russia are anticorruption; antitrust; combating money laundering and terrorism financing; and personal data protection. Compliance itself is a broad concept and needs to be clarified and narrowed for the purposes of this overview.

Since Russian legislation and regulations provide extremely limited guidance on the requirements for implementing risk management and compliance measures within the abovementioned spheres, this chapter discusses these spheres selectively.

In general, risk and compliance management in Russia remains more established in the financial and public sectors, and in corporations dealing with international markets, than among purely local market players.

Laws and regulations

Which laws and regulations specifically address corporate risk and compliance management?

There are only a few acts in Russia that set out risk and compliance-related requirements, or guidelines describing a basis for building up the respective management systems within entities in Russia. Among them are the following main specialised statutes that impose obligations on performing risk and compliance management within entities:

  • Federal Law No. 273-FZ On Combating Corruption, dated 25 December 2008 (article 13.3);
  • Federal Law No. 115-FZ On Combating Money Laundering and the Financing of Terrorism, dated 7 August 2001;
  • Federal Law No. 39-FZ On Securities Market, dated 22 April 1996 (article 10.1);
  • Federal Law No. 414-FZ On Central Depositary dated 7 December 2011 (article 8); and
  • in addition, many rules of law that indirectly form a framework for risk and compliance management activity in Russia take the form of administrative, criminal or other sanctions set down in the Code of Administrative Offences or the Criminal Code of the Russian Federation.

Types of undertaking

Which are the primary types of undertakings targeted by the rules related to risk and compliance management?

Russian legislation has not yet ventured deeply into regulating the undertakings to which risk and compliance management may apply. This is particularly true of entities such as limited liability companies.

Meanwhile, joint stock companies have comparatively more guidance with respect to risk management and compliance than limited liability companies. This has been the case since the adoption of the model Corporate Governance Code - a document introduced by the Central Bank of Russia in 2014 that is aimed at establishing general compliance principles within joint stock companies and listed companies.

Regarding risk and compliance management frameworks, the most heavily regulated sphere is still the financial sector. For example, risk and compliance management regulations for credit organisations are continually adopted by the Central Bank of Russia (eg, the regulations on internal control in credit organisations and bank groups issued by the Central Bank of Russia on 16 December 2003).

In 2013, the Central Bank of Russia introduced the Basel III principles that provide governance for the capital adequacy calculations of Russian banks and require implementation of risk management procedures. The principles are aimed at improving the financial standing of Russian credit organisations and bringing Russian banking regulation closer to internationally recognised standards.

In 2016, the Central Bank announced initiatives under active development regarding the institution of compliance practices (abiding by the code of corporate ethics; combating money laundering and financing of terrorism; regulating conflicts of interest; confidentiality compliance; Chinese wall policies; etc) for national financial institutions.

In December 2017, the Central Bank issued an information letter on applying a risk-oriented approach when combating money laundering and financing of terrorism, which offers guidelines to all financial institutions on risk and compliance control in order to comply with the Financial Action Task Force recommendations.

Among common undertakings mentioned within Russian legislation, or often voluntarily undertaken by Russian organisations, are the following:

  • designation of departments, structural units and officers responsible for the prevention of bribery and related offences;
  • adoption of protocols on cooperating with law enforcement authorities;
  • development and implementation of policies and procedures designed to ensure ethical business conduct;
  • adoption of a code of ethics and professional conduct for the employees; and
  • creating policies for identifying, preventing and resolving conflicts of interest.

Regulatory and enforcement bodies

Identify the principal regulatory and enforcement bodies with responsibility for corporate compliance. What are their main powers?

Since Russian legislation imposes almost no self-contained and comprehensive compliance obligations, nor a compliance framework that gives rise to specific liability for non-complying entities, most of the regulatory and enforcement bodies that may be involved in corporate compliance control have a general scope of powers that varies with the nature and purpose of each body.

Those powers are typically administrative (issuing binding instructions, control and supervisory powers, withdrawing a licence or suspending the activity of a particular entity, initiating administrative offence cases, etc) or criminal (the latter belong exclusively to investigative authorities such as the Investigative Committee and the Ministry of Internal Affairs).

Bearing in mind the aforementioned scope of legislation that can be directly or indirectly related to corporate compliance, the following main regulatory and enforcement bodies can be mentioned:

  • the Central Bank of Russia;
  • the Public Prosecutor's Office of the Russian Federation;
  • the Federal Antimonopoly Service;
  • the Federal Financial Monitoring Service (Rosfinmonitoring); and
  • the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications (Roskomnadzor).

Definitions

Are ‘risk management’ and ‘compliance management’ defined by laws and regulations?

Compliance itself is not yet legally defined in Russia. In the meantime, certain statutory provisions influence risk and compliance management activity within entities.

Anti-corruption compliance

The comparatively new article 13.3 of Federal Law No. 273-FZ On Combating Corruption dated 25 December 2008 requires all companies in Russia to develop and adopt measures aimed at preventing corruption. Although article 13.3 lists six broadly defined measures that companies may develop and adopt, it does not describe the steps companies should take to implement those measures, nor does the law explain whether those measures are mandatory or exhaustive.

The ‘all possible measures’ provision contained in article 13.3 can be interpreted as extending the requirements of Federal Law No. 273-FZ On Combating Corruption even beyond the common requirements of the Foreign Corrupt Practices Act or the UK Bribery Act.

Anti-money laundering compliance

Federal Law No. 115-FZ On Combating Money Laundering and the Financing of Terrorism was enacted on 7 August 2001 in compliance with the Convention on Laundering, Search, Seizure and Confiscation of the Proceeds from Crime, signed in Strasbourg, France, which was ratified by Federal Law No. 62-FZ, dated 28 May 2001.

The statute sets out criteria for the volume of operations subject to mandatory control, lists those operations, and identifies the organisations conducting operations with money or other property that must report such operations to an authorised agency; these organisations mainly include credit organisations.

As a principal aim, the law requires credit organisations to take all reasonable and available measures to identify the beneficial owners of their clients. However, the law does not provide a list of specific measures or guidelines that credit organisations must follow when identifying a client's beneficial owner. A non-exhaustive list of such measures is set out in clarifications issued by Rosfinmonitoring and the Central Bank.

Antitrust compliance

In Russia, discussion of the concept of antitrust compliance started around 2011, and by 2013 the Federal Antimonopoly Service had included antitrust compliance in its strategy as an independent line of further work. It has been declared a priority development aim of antitrust legislation and law enforcement practice because of its preventive function.

The Federal Antimonopoly Service recently developed a draft law aimed at the implementation of special compliance measures within entities, which may lead to mitigation of liability arising out of antitrust violations.

Data protection compliance

Federal Law No. 152-FZ On Personal Data dated 27 July 2006 regulates all personal data that is processed by data operators or third parties in Russia. Personal data under the said law is represented by any information (directly or indirectly) related to an identified or identifiable individual (data subject).

Data protection laws apply to all data operators and to third parties acting under the authorisation of data operators. A data operator is any legal entity or individual that both:

  • organises or carries out (alone or jointly with other persons) the processing of personal data; and
  • determines the purposes of personal data processing, the content of personal data and the actions (operations) related to personal data.

The main obligations imposed on data operators to ensure the personal data is processed properly are the following:

  • defining the categories of personal data, the purposes of data processing and the duration of processing;
  • obtaining the data subject’s consent (unless otherwise provided by the law);
  • appointing a data protection officer, adopting the data protection policy (and other required documents) and taking other appropriate security (especially technical and organisational) measures to prevent unauthorised or unlawful data processing and a breach of the data protection legislation; and
  • notifying Roskomnadzor of various circumstances for the purposes of registration (unless otherwise provided by the law).

Under that statute, since 1 September 2015 all personal data operators have been required to keep the personal data of Russian citizens in Russia. Specifically, databases that store such personal data must be kept on servers located on Russian territory. This requirement has quickly become an element of internal compliance for probably most businesses in Russia.

Processes

Are risk and compliance management processes set out in laws and regulations?

In general, risk and compliance management processes are not set out within the Russian legal framework. The financial and public sectors may, however, be an exception to this conclusion.

Standards and guidelines

Give details of the main standards and guidelines regarding risk and compliance management processes.

Unfortunately, there is no single legal source containing requirements, guidelines or recommendations on performance of risk and compliance management by entities in Russia.

The Corporate Governance Code could be mentioned in addition to the specialised legislation given in question 2.

The Central Bank of the Russian Federation approved the new version of the Corporate Governance Code on 21 March 2014. The Corporate Governance Code represents a set of voluntary principles and recommendations on corporate governance for joint-stock companies - primarily those that are subject to listing.

Although compliance with the Corporate Governance Code is not mandatory, a company that wishes to list on a stock exchange will usually need to comply with it.

Although the Corporate Governance Code is primarily recommended for application within joint stock companies and listed companies, all types of entities are free to refer to it for guidance.

The Corporate Governance Code regulates the following spheres:

  • shareholder rights and the fair treatment of shareholders;
  • the board of directors;
  • the corporate secretary;
  • incentive arrangements (remunerations and payments to directors, the CEO and key management);
  • risk management and internal controls;
  • disclosure of information; and
  • certain important corporate actions, for example, material transactions, reorganisations, mergers and acquisitions, the listing and delisting of shares and increases of share capital.

Obligations

Are undertakings domiciled or operating in your jurisdiction subject to risk and compliance governance obligations?

Many entities incorporated in Russia with foreign participation in their charter capital tend to satisfy the compliance-related requirements of the foreign jurisdictions concerned. This often results in Russian entities adopting compliance policies and related measures as complex and effective as those in, for example, the United States, the European Union or the United Kingdom.

Although Russian legislation in general does not prescribe mandatory rules for adopting such measures or standards for them, their voluntary implementation positively affects the business activity of such entities and offers a chance of exemption from liability, or at least its mitigation.

At the same time, no form of entity is deprived of the option to establish internal corporate policies or regulations that impose compliance governance obligations within that entity. Compliance governance may therefore become one of the functional obligations (or even the primary one) of board members or other corporate bodies of the legal entity. A mandatory allocation of compliance governance obligations within legal entities is, however, not yet prescribed by existing legislation.

Meanwhile, if compliance obligations are not directly delegated to particular persons within the legal entity (board members or employees), under the general rule liability for violating those obligations would mainly lie with the entity's CEO.

What are the key risk and compliance management obligations of undertakings?

As mentioned in question 3, there are in general no purely risk and compliance management-related obligations established in Russia; however, those that are recommended and effectively accepted by businesses are as follows:

  • designation of departments, structural units and officers responsible for the prevention of bribery and related offences;
  • adoption of protocols on cooperating with law enforcement authorities;
  • development and implementation of policies and procedures designed to ensure ethical business conduct;
  • adoption of a code of ethics and professional conduct for the employees; and
  • creating policies for identifying, preventing and resolving conflicts of interest.

Liability

Liability of undertakings

What are the risk and compliance management obligations of members of governing bodies and senior management of undertakings?

A member of the entity's management must ensure that the company fully complies with its public law obligations. Therefore, if the entity breaches its legal obligations because of its CEO's bad faith or unreasonable actions or omissions, and this results in losses to the company, those losses may be recovered from the CEO. The company is barred from indemnifying the CEO for actions or omissions that result in the company's breach of its public law obligations.

Do undertakings face civil liability for risk and compliance management deficiencies?

Entities or individuals may, in general, be held liable for violating civil law obligations consisting of compliance requirements that arise from contracts or exist under law.

Do undertakings face administrative or regulatory consequences for risk and compliance management deficiencies?

Anti-corruption compliance

Administrative liability of legal entities for corruption offences was introduced into the Code of Administrative Offences by Federal Law No. 280-FZ of 25 December 2008, in view of the ratification of the United Nations Convention against Corruption (UNCAC) of 31 October 2003 and the Criminal Law Convention on Corruption (Strasbourg, 27 January 1999), and the adoption of the Federal Law On Counteracting Corruption.

Article 19.28 of the Code of Administrative Offences provides for liability for the illegal transfer, proposal or promise of property valuables to a domestic official or an authorised representative of a commercial or any other entity, as well as to an official of a public international organisation, on behalf or in the interests of a legal entity, and for the unlawful rendering of monetised services to such persons. The article provides for two qualifying elements, large-scale and extra-large-scale, with regard to the actions committed (corresponding to illegal gratification in the amount of 1 million roubles and 20 million roubles respectively).

In 2016, a new part was added to article 2.6 of the Code of Administrative Offences, providing that a foreign legal entity that committed, outside the Russian Federation, an administrative offence under article 19.28 of the Code of Administrative Offences directed against the interests of the Russian Federation is subject to administrative liability on a common basis.

The limitation period for liability for the offence under article 19.28 of the Code of Administrative Offences is one of the maximum periods established by the Code of Administrative Offences - six years after the offence was committed.

Currently, the minimal amounts of liability (1 million roubles, 20 million roubles and 100 million roubles) are provided for transfer, proposal or promise of illegal gratification on behalf or in the interests of a legal entity. Furthermore, article 19.28 provides for obligatory confiscation of money, securities, other property or cost of monetised services and other property rights constituting the subject of gratification.

In applying article 19.28 of the Code of Administrative Offences, an offence committed in the interests of a legal entity is interpreted as an action as a result of which the legal entity attains any business goal; satisfies its current or potential needs; obtains any benefit or advantage; or obtains relief from (or mitigation of) liability or obligations. A Russian law enforcer therefore has a wide range of instruments for demonstrating the involvement of a legal entity in a corruption offence.

Although voluntary actions taken by a company to prevent corrupt acts by its employees are not always taken into consideration by the law enforcement bodies, due implementation of such measures may be one of the few defences available to a legal entity in court. Legislative initiatives aimed at reforming the practice of applying article 19.28 of the Code of Administrative Offences indicate that the main condition for mitigation of or relief from liability may be active cooperation with the law enforcement authorities in the efficient investigation of the corruption offence.

Nevertheless, it is important that the company and its structural subdivisions act responsibly in fulfilling their duties under article 13.3 of Federal Law No. 273-FZ On Counteracting Corruption, which is aimed at the development and application of anticorruption measures. An integrated approach is required for organising internal control and creating an efficient system for the prevention of corruption, for example by introducing compliance programmes, together with readiness for a prompt legal defence of the company's interests if the law enforcement authorities bring any charges.

Antitrust compliance

The main financial sanction that may be imposed by the Federal Antimonopoly Service in Russia is an administrative fine. The amount of such a fine may range from 1 per cent to 15 per cent of a company's annual turnover in the affected market (0.3 per cent to 3 per cent for price-regulated markets and ‘mono-product’ companies), and in the case of collusion relating to public tenders, 10 per cent to 50 per cent of the starting price of the affected tender. One common feature of all such fines is that they are imposed pursuant to the Code of Administrative Offences, and the Code expressly provides that administrative liability is fault-based. This means that a company may be held administratively liable - and be ordered to pay a fine - only if the unlawful conduct (anticompetitive behaviour in this instance) was the fault of the company.

Personal data protection compliance

Breach of the established legal order for the collection, storage, use or distribution of personal data may entail the following administrative sanctions:

  • warning or administrative fine, 300-500 roubles (for individuals);
  • warning or administrative fine, 500-1,000 roubles (for officials); or
  • warning or administrative fine, 5,000-10,000 roubles (for legal entities).

Do undertakings face criminal liability for risk and compliance management deficiencies?

For the purposes of this question, it should be borne in mind that, according to the Criminal Code of the Russian Federation, only individuals may be subject to criminal liability.

Anti-corruption compliance

Anti-corruption related criminal offences set out in the Criminal Code of Russia include:

  • receiving a bribe (article 290);
  • bribing an official (article 291); and
  • commercial bribery (article 204).

These articles were clarified and detailed in the summer of 2016.

Antitrust compliance

Article 178 of the Criminal Code of the Russian Federation establishes criminal liability for cartel activities that prevent, restrict or eliminate competition.

Personal data protection compliance

Under article 137 of the Criminal Code of the Russian Federation, unauthorised and illegal collection or distribution of personal data or privacy data may lead to the following criminal sanctions:

  • a criminal fine of up to 200,000 roubles;
  • a fine in the amount of the offender's salary for a period of 18 months;
  • forced labour for 360 hours;
  • correctional works for 12 months;
  • compulsory works for two years, with or without disqualification for three years;
  • arrest for four months; or
  • imprisonment for up to two years.

Liability of governing bodies and senior management

Do members of governing bodies and senior management face civil liability for breach of risk and compliance management obligations?

In 2013, the Supreme Arbitrazh Court of the Russian Federation issued Decree No. 62 on the recovery of losses from the management bodies of a legal entity, which expressly allows losses resulting from management's abuse of its powers to be recovered from the company's management.

Generally, board members and CEOs in Russia are directly liable to the company and indirectly liable to shareholders for actions performed in bad faith or unreasonably against the interests of the entity. CEOs and board members are, by default, not liable to third parties. Management must prove that their actions and decisions were made in good faith and in the company’s best interest.

Additionally, the CEO bears subsidiary liability for company debts in case of its insolvency if:

  • he or she fails to submit the petition when the company becomes insolvent; or
  • his or her acts or omissions cause the company’s insolvency.

The aforementioned causes of insolvency may also be connected with failures in the risk and compliance management of the respective entity.

Do members of governing bodies and senior management face administrative or regulatory consequences for breach of risk and compliance management obligations?

Yes, the CEO and responsible members of management also bear personal administrative liability for a number of administrative offences. Personal administrative liability of the entity's management may, in general, entail fines, dismissal or disqualification.

Under the Code of Administrative Offences, the management of the entity (whose duties include responsibility for the company's compliance procedures) may incur personal administrative liability for each violation of statutory regulations committed by the entity.

Do members of governing bodies and senior management face criminal liability for breach of risk and compliance management obligations?

Under the Criminal Code of the Russian Federation, any person governing the activity of the entity (including the CEO and members of the management board responsible for compliance issues) can be held criminally liable for any violation of statutory provisions that constitutes a criminal offence. Criminal sanctions in such cases may include a fine, community service or imprisonment.

Corporate compliance

Corporate compliance defence

Is there a corporate compliance defence? What are the requirements?

Unfortunately, no provisions of Russian legislation yet establish compliance as a universal defence against any type of liability (although initiatives to that effect are being actively discussed in the sphere of antitrust compliance).

In the meantime, most of the applicable legal sources of sanctions contain provisions that allow the investigating authority to treat the compliance measures taken by the entity or by particular individuals as mitigating circumstances (article 4.2 of the Code of Administrative Offences of the Russian Federation and article 61 of the Criminal Code of the Russian Federation).

Recent cases

Discuss the most recent leading cases regarding corporate risk and compliance management failures.

It appears that the most illustrative cases of liability following an organisation's failures in risk and compliance management relate to the recent supervisory activity of the Central Bank of Russia and to the application of article 19.28 of the Code of Administrative Offences described above.

For example, a weak system of compliance and internal control within a credit organisation was one of the substantive grounds for withdrawing the banking licence of JSC Regional Commercial Bank in September 2016 (see Order of the Central Bank of Russia dated 19 September 2016 No. OD-3139).

Meanwhile, in the 2012 case of CJSC Grinn under article 19.28 of the Code of Administrative Offences, the failure to prove that a bribe had not been given by the employee for the benefit of his employer, together with the absence of any compliance procedures within the legal entity, gave the public prosecutor's office no grounds to apply mitigating circumstances. This resulted in a fine of approximately US$1.1 million together with confiscation of the bribe of around US$700,000.

Government obligations

Are there risk and compliance management obligations for government, government agencies and state-owned enterprises?

Entities with state participation usually establish a variety of internal compliance management procedures and policies, as prescribed by the statutes governing their activity (see Rosatom, Rosavtodor, Rostekh and others).

At the same time, broad adoption of such measures also extends to the financial sector and the Central Bank of Russia (see the Risk Management Policy of the Central Bank of Russia).

Digital transformation

Framework covering digital transformation

What are the key statutory and regulatory differences between public sector and private sector risk and compliance management obligations?

The main difference is that the rules prescribing the establishment of compliance and internal control in the public sector are binding on entities with state participation. In the private sector, by contrast, the adoption of such measures has not yet become obligatory (except for credit organisations and related entities).