Risk & compliance management

The overall compliance culture in Ukraine is very low. The level of risk and compliance management is in general much lower than, for example, in EU countries or the US. The absence of a proper legal framework and a low level of enforcement are still one of the major factors in this regard.

However, Ukraine needs to adjust its regulations to EU and further international standards. Based on this, from a regulatory perspective, specific industry sectors are more and more confronted with an increasing level of regulatory compliance obligations. Individuals and entities subject to financial monitoring, banks and professional capital markets participants are facing more and more compliance obligations based on changes in Ukrainian law.

There are also individual initiatives from newly established anti-corruption authorities that must use anti-corruption systems when fulfilling certain requirements and an increasing number of published guidelines on how to manage corruption risks.

A minority of Ukrainian businesses, mainly the international ones with a local presence in Ukraine, have established a robust compliance management system to cover certain liability risks they mainly face abroad but also more and more in Ukraine.

However, in the majority of cases, Ukrainian companies still establish and implement compliance management measures in a very formalistic way, if at all, and with a poor level of compliance culture.

The Ukrainian legal framework is rather fragmented as to the regulation of risk and compliance management.

General obligations of the Anti-Corruption Law apply to all individuals and companies. At the same time, some specific anti-corruption compliance requirements apply only to particular categories of entities and individuals.

The Anti-Corruption Law establishes an obligation for three categories of companies to adopt their anti-corruption programmes:

• state-owned and municipal-owned enterprises;
• companies in which:
  • 50 per cent or more shares are owned by the state or municipality;
  • the average number of employees for the financial year exceeds 50 people; and
  • income from sales of products, works or services for the financial year exceeds 70 million hryvnia;
• companies participating in the public procurement with a bid above the value of 20 million hryvnia.

The majority of Ukrainian state authorities and some of the state-owned enterprises are obliged to adopt their anti-corruption programmes, as well as appointing anti-corruption officers or establish anti-corruption departments, depending on the number of employees working in the respective enterprise.

Under the Law on Financial Monitoring, the reporting entities that fall under specific requirements to their risk management systems (subject to initial financial monitoring (SIFM)), include the following:

• all types of financial institutions: banks, insurance companies and insurance brokers, credit unions, pawnshops, etc;
• payment organisations, participants or members of payment systems;
• commodity and other exchanges that conduct financial transactions with goods;
• the majority of professional stock market participants (providing clearing, depository service, trading with financial instruments, etc);
• postal operators, other companies performing transfer of funds (postal transfer) and foreign exchange transactions;
• branches or representative offices of foreign companies providing financial services in Ukraine;
• special reporting institutions and subjects (unless providing the same services under employment agreement):
  • auditors and auditing firms;
  • accountants and accounting firms;
  • tax consultants;
  • attorneys, attorney bureaus and associations;
  • notaries;
  • companies providing legal services;
  • persons providing services of establishment, operation or management of legal entities;
  • providers of intermediary services in the course of the sale and purchase of the real estate, as well as consultants on the issues sale and purchase of the real estate for a fee;
  • persons that trade in cash for precious metals and precious stones and products made from them; and
  • persons conducting lotteries or gambling, or both;
• providers of services related to the circulation of virtual assets; and
• other legal entities, which by their legal status are not financial institutions, but provide separate financial services.

Another type of company that falls under the risk and compliance management requirements is any professional capital market participant, as well as joint stock companies. Both are required to implement corporate governance standards based on the standards provided by the NSSMC.

Given the absence of comprehensive general legislation in the area of compliance and risk management, there is no unified definition of ‘risk management’ and ‘compliance management’ applicable to all possible realities.

The Law on Financial Monitoring defines ‘risk management’ for the reporting persons as measures aimed at creating and ensuring the functioning of the risk management system, which includes, in particular, identification (detection), assessment or re-assessment, monitoring and control of risks to minimise them.

Compliance, in turn, is defined by the Capital Markets Law as a continuous process regulated by the internal documents aimed at ensuring and improvement of internal processes related to the activities in the capital and organised commodity markets and their correspondence to the relevant statutory requirements and business strategy approved by the supervisory bodies of relevant companies.

There is no precise definition of compliance management in Ukrainian law yet.

The Law of Ukraine ‘On Joint Stock Companies’ foresees that the audit committee of the supervisory board must review the efficiency of the audit and risk management system efficiency at least once per year.

The Capital Markets Law provides that investment firms organise their risk management systems in a way that their information systems used for trading allow the investment firms to:

• be resistant to external interference;
• have the technical capacity to ensure the proper execution of operations directly related to trading (including algorithmic trade);
• ensure compliance with the limits and restrictions set by the operator of the regulated market, to which the investment firm is the participant, and the rules of such market, as well as the limits and restrictions set by the investment firm;
• prevent the sending of erroneous bids or quotations and the performance of any transactions that could potentially lead to price instability in the organised market or otherwise violate the integrity of capital markets or harm investors; and
• minimise the possibility of their use for manipulation or illegal use of insider information, or both.

Clearing companies must adopt their rules, which include the description of the obligatory risk management system.

Every entity performing professional services on the capital markets must provide the NSSMC with the information on internal control systems, including compliance, risk management and internal audit systems. Such service providers must ensure that the mentioned internal control systems are in place and are efficient throughout the whole period of their market activity.

Companies providing professional services on the capital markets must also implement corporate governance standards, which include, among others, the establishment of the risk management committee within the supervisory board.

The NBU Regulations on Risk Management foresee the following elements of risk and compliance management:

• for each type of risk (credit, operational, compliance, liquidity, etc) – adoption of a relevant internal policy, identifying methods and mandatory tools for managing the risks and establishment of processes, information systems and reporting system;
• establishment of a compliance department;
• establishment of a risk management department;
• introduction of the CCO position; and
• introduction of the CRO position.

Both CCO and CRO must be independent to efficiently perform their functions. The supervisory board of the particular bank appoints and dismisses the CCO and CRO and determines the financial resources to be allocated for the performance of compliance and risk management functions. The CCO and CRO report directly to the supervisory board. These two functions must be separated from other defence lines established in the bank. The management board obeys the instructions of the CCO and CRO and does not interfere with their activities. The particular functions of CCO, CRO and their departments are outlined in the NBU Regulations on Risk Management.

The most common approach for Ukrainian businesses is to follow the mandatory statutory obligations established by Ukrainian law, which only foresees obligations regarding risk and compliance management systems for a limited number of sectors and entities. There are no standards or guidelines applicable to all entities and individuals.

Nevertheless, it is becoming more common among the banks and other reporting individuals and entities falling under the mandatory risk and compliance management requirements to request certain documents from the businesses they provide services to confirming the availability of the risk management system.

Another approach, especially in large international companies, is to conduct audits of their local business partners to get an understanding of whether they introduced a risk-based approach that would also impact the risks such international companies are exposed to.

As to the main standards and guidelines, undertakings follow mandatory legal acts of the relevant public authorities (eg, parliament, government, sectoral authorities such as NBU, NACP, etc). Other legal acts such as recommendations adopted by public authorities, although not being mandatory per se, are, in individual cases, also followed.

Apart from the legal acts governing certain areas of business activities, affected businesses also may establish and implement further, non-obligatory standards, like the following:

• the Ukrainian Network of Integrity and Compliance (UNIC) principles and membership requirements;
• the Organisation for Economic Co-operation and Development (OECD) guidelines and policies:
  • Anti-Corruption Ethics and Compliance Handbook for Business (2013);
  • Good Practice Guidance on Internal Controls, Ethics, and Compliance (2010);
  • Compliance Risk Management: Managing and Improving Tax Compliance (2004); etc. and
• International Organization for Standardization (ISO) Standards:
  • ISO 31000:2018 – Risk management – Guidelines;
  • ISO/TR 31004:2013 – Risk management – Guidance for the implementation of ISO 31000;
  • IEC 31010:2019 – Risk management – Risk assessment techniques;
  • ISO 31022:2020 – Risk management – Guidelines for the management of legal risk;
  • IWA 31:2020 – Risk management – Guidelines on using ISO 31000 in management systems; and
  • ISO 37301:2021 – Compliance management systems.

Most activities falling under specific statutory requirements regarding risk and compliance management cannot be performed in Ukraine unless there is a local undertaking such activity.

According to the NBU Regulations on Risk Management, both CCO and CRO must be independent to efficiently perform their functions. The supervisory board of the particular bank appoints and dismisses the CCO and CRO and determines the financial resources to be allocated for the performance of compliance and risk management functions. CCO and CRO report directly to the supervisory board. These two functions must be separated from the other defence lines established in the bank. The management board obeys the instructions of the CCO and CRO and does not interfere with their activities. Particular functions of both CCO and CRO and their departments are outlined in the NBU Regulations on Risk Management.

Companies providing professional services on the capital markets must also incorporate corporate governance standards, which include, among others, the establishment of the risk management committee within the supervisory board.

Given the absence of the general legal requirements regarding the risk and compliance management, any relevant obligations in this area apply only to specific regulated entities like, for example, entities and individuals acting under the Law on Financial Monitoring as well as banks and professional capital market participants. Their obligations in this area are generally well-prescribed and clear.

The Anti-Corruption Law requires the following companies to introduce their internal anti-corruption programmes:

• state-owned and municipal-owned enterprises;
• companies in which:
  • 50 per cent or more shares are owned by the state or municipality;
  • the average number of employees for the financial year exceeds 50 people; and
  • income from sales of products, works or services for the financial year exceeds 70 million hryvnia; and
• companies participating in the public procurement where the price of procurement is equal to or exceeds 20 million hryvnia.

According to the Law on Financial Monitoring, the reporting entities and individuals must ensure the establishment of a functioning risk management system and apply a risk-oriented approach in their activities. The key obligations of the reporting entities with regard to risk management include the following:

• applying the risk-based approach in their activities and taking appropriate measures to minimise the risks; and
• managing the risks associated with the introduction or use of new and existing products, business practices or technologies, including those that provide for the financial transactions without direct contact with the client.

According to the NBU Regulations on Risk Management, banks have extensive risk and compliance management obligations. Their key obligations include the creation of departments or positions directly responsible for compliance and risk management, reporting obligations of such departments or positions to and control over their activities by the supervisory board and management board of the bank.

Due to the fragmented nature of the Ukrainian compliance and risk management legal framework, there are no omnibus risk and compliance obligations for governing bodies or senior management, or both, of all types of legal entities in all areas of business activity.

The key principle established by the Civil Code of Ukraine and applicable to the governing bodies of all companies is that they must act in the interests of the company, in good faith and reasonably and not to exceed their powers.

The Anti-Corruption Law requires management and shareholders of companies to ensure regular assessment of corruption risks in their activities and implement anti-corruption measures. Companies’ officers, as well as any other employees, are obliged to:

• refrain from participating in corruption offences related to the company’s activities;
• withhold from the conduct that can be considered as readiness to commit a corruption offence related to the company’s activities; and
• inform the anti-corruption officer, company’s management or shareholders about incitement to commit or committing a corruption offence related to the company’s activities and of any conflicts of interest.

In the areas where specific regulation exists, for example with regard to reporting individuals and entities, the obligations of governing bodies and senior management of legal entities are generally outlined by the specific law.

The National Bank of Ukraine (NBU) Regulations on Risk Management provide that members of the supervisory board of the bank (the analogue of the council of the bank) are responsible for the following:

• ensuring the functioning and control over the effectiveness of the risk management system;
• approval of the internal bank documents on risk management issues, and monitoring of their implementation, compliance and timely updating;
• approval of the list of limits (restrictions) for each type of risk and the procedure for escalation of violations of risk limits;
• approval of the recovery plan and ensuring the performance of functions related to the recovery of the bank;
• appointment and dismissal of the Chief Risk Officer (CRO) and Chief Compliance Officer (CCO);
• approval of the budget for the risk management and compliance departments, determining the remuneration for the CRO and CCO;
• determining the nature, format and scope of information on risks, considering management risk reporting; and
• taking measures to prevent conflicts of interest in the bank, promoting their settlement and notifying the NBU of conflicts of interest arising in the bank.

In turn, the board of the bank performs the following functions in relation to risk and compliance management:

• ensures the development and approval of internal bank documents;
• ensures the preparation and submission to the bank’s supervisory board of management reports on the risks to which the bank is exposed, including information on the new products or significant changes in the bank’s activities;
• ensures the preparation and submission to the bank’s supervisory board of proposals regarding the necessity to make changes to the risk management strategy and policy;
• ensures control over the notification of the relevant departments and employees of the bank of information on changes to the risk management strategy and policy, other internal bank documents on risk management;
• develops measures to promptly eliminate deficiencies in the functioning of the risk management system, implement the recommendations based on the results of the risk assessment, inspections of the internal audit department, external auditors and state authorities;
• approves the value of limits for each type of risk according to the list of limits (restrictions) determined by the bank’s supervisory board; and
• provides administrative support to the CCO and CRO, risk management and compliance departments.

There is no direct civil liability foreseen for risk and compliance management deficiencies for companies or their employees.

However, there is always a possibility of civil damage compensation claims of private persons against a company based on possible damages caused by the violation of risk and compliance management requirements.

There is also a possibility that the company subject to a particular risk and compliance management statutory requirements may file a lawsuit against the management that violated the regulatory requirements and caused liabilities for the company.

Employees (authorised representatives’ of the company) whose misconduct benefitted the company may be held criminally liable for their actions.

Criminal sanctions are applied for the following risk and compliance management deficiencies:

• money laundering;
• intentional provision of the false data by SIFM;
• disclosure of the financial monitoring secrecy, including the information about the provision of the data subject to financial monitoring, regulatory authority requests in this regard, data about financial operation subject to financial monitoring control; and
• failure to ensure fulfilment of obligations (statutory or the ones provided in the company’s constitutional documents) regarding taking measures aimed at preventing corruption by company’s officers, if this led to a corruption or corruption-related offence.

The Criminal Code of Ukraine generally foresees three types of sanctions applicable to such undertakings:

• a fine of up to 1.275 million hryvnia;
• compulsory liquidation of an undertaking; or
• the confiscation of property.

A company sanctioned for a crime is obliged to compensate all damages, losses and the amount of illegally obtained benefit as the result of the violation.

Ukrainian civil legislation does not distinguish compliance and risk management obligations of executive and supervisory bodies. Senior management have general fiduciary duties and may face civil liability for their actions or inaction, including the lack of performance under their risk and compliance management obligations. The undertaking stakeholders are entitled to file a damage compensation claim in case the compliance and risk management violations resulted in a financial loss.

Failure of the company’s management to take measures required by law and aimed at corruption prevention may potentially lead to their personal liability in a form of an administrative fine of up to 4,250 hryvnia.

The SIFM management is subject to administrative penalties for:

• violation of the financial monitoring legislation – a fine from between 5,100 and 34,000 hryvnia;
• provision of unclear or false data about risky operations, asset quality and other SIFM data by a bank – a fine from between 34,000 and 170,000 hryvnia; and
• violation of the NBU regulations governing risk assessment of transfers, currency control – from between 1,700 and 68,000 hryvnia.

Criminal sanctions can be applied to individual managers for the following deficiencies associated with risk and compliance management:

• money laundering – imprisonment term from three to 12 years with a debarment to hold specific positions up to three years and property confiscation;
• intentional provision of the false data by SIFM – a fine up to 51,000 hryvnia with a debarment to hold specific positions up to three years; and
• disclosure of the financial monitoring secrecy, including the information about the provision of the data subject to financial monitoring, regulatory authority requests in this regard, data about financial transaction subject to financial monitoring control – a fine from between 51,000 and 85,000 hryvnia with a debarment to hold specific positions up to three years.

The compliance defence line concept was implemented by the National Bank of Ukraine (NBU) for banks and banking groups in the NBU Regulations on Risk Management. Banks are required to establish a three-line risk management system:

• first line – on the level of business units responsible for the operational management of risks in business units;
• second line – on the level of risk department and compliance department; and
• third line – on the level of internal audit conducting assessment and evaluation of the risk management system efficiency.

The third line is represented by the activity of the bank supervisory board responsible for the strategic risk management of the entire undertaking, preparation and implementation of the core internal regulations related to compliance and risk management. The bank supervisory board, in particular, establishes thresholds for each designated risk and consequent reaction.

The risk management department is responsible for the ongoing assessment of the risk level to the risk capacity of the undertaking, control of Chief Risk Officer (CRO) and Chief Compliance Officer (CCO) performance, remedial actions towards revealed risks and operational risk management of the entire undertaking.

The NBU regularly imposes fines for specific compliance management violations, which mostly relate to improper risk assessment of bank transactions and the lack of overall robust compliance management at the place.

Sanctioned financial institutions tend to object the NBU fines imposed for risk and compliance management violations based on the conformity of the claimant with all ‘formal requirements’. The Sberbank Case demonstrates one of the most significant fines imposed for repeated failure to identify risky financial operations (total amount of risky transactions of approximately €89,285,714); improper identification of the publicly exposed persons; non-provision of the financial monitoring data and violation of the suspension of the financial transactions. In December 2018, the NBU imposed a fine of 94,737,499 hryvnia on JSC Sberbank. Sberbank successfully objected to the imposed fine in the administrative courts in two instances. The NBU initiated a final review of the case in the Supreme Court of Ukraine at the beginning of 2020. The NBU claims that compliance and risk management systems in Sberbank do not meet the requirements of the Law on Financial Monitoring and that Sberbank is funnelling sufficient funds under fictional agreements out of Ukraine.

The Sberbank Case by the Supreme Court of Ukraine is important for the risk assessment management due to the following:

• the case raises a number of issues related to the qualification of the compliance management failure impacting the enforcement practice about the same; and
• the final review by the Supreme Court may establish a practice of a single interpretation of the case law related to the compliance management failure.

The Anti-Corruption Law applies several obligations to undertaking conducting state functions and state-owned enterprises, or both:

• public authorities and state-owned enterprises conducting state governance functions are required to establish an anti-corruption department within an undertaking. Such a department should have the anti-corruption officers which number is proportionate to the overall number of employees of the undertaking (eg, one officer for up to 200 employees). The anti-corruption department is responsible for: (1) corruption prevention activities within the undertaking; (2) advising employees on obligations of state servants (eg, conflict of interest situations, asset declarations, reporting about corruption, etc); (3) whistleblower’s protection; and (4) reporting to the National Agency on Corruption Prevention (NACP) about violation of the anti-corruption legislation;
• public authorities, state-owned and municipal-owned enterprises, some other companies (state/municipal share at least 50 per cent, more than 50 employees, and annual income exceeding 70 million hryvnia) and undertakings participating in public procurement tenders with a bid above the value of 20 million hryvnia are required to implement their anti-corruption programmes. The anti-corruption programme must include the following:
  • an explicit explanation of the anti-corruption measures, standards and procedures, including the regular corruption risk assessment;
  • rights and obligations of the undertaking employees;
  • whistleblowing rules; and
  • measures for corruption events (eg, reporting to the NACP); and
• public authorities, state-owned and municipal-owned enterprises, as well as undertakings participating in public procurement tenders with a bid above the value of 20 million hryvnia are required to establish and maintain internal and regular whistleblowing channels.

Ukrainian legislation governing issues related to the digitalisation of risk and compliance management is under development. Most of the digital transformation tools conducting automated data processing (eg, artificial intelligence, machine learning) require the development of the data protection legislation. The current Law on Personal Data Protection is expected to be updated in 2021. The Ministry of Digital Transformation of Ukraine and the Parliament are cooperating to develop the legislation in the field of automated data processing under the European Union standards.

The Law on Financial Monitoring applies general financial monitoring requirements to the subject to initial financial monitoring (SIFM) conducting operations with virtual assets. However, the core legislation related to the virtual assets’ management, risk and compliance management requirements for the providers on the market was not adopted by the Parliament yet.

The most influential legislation in the field of compliance and risk management was adopted before 2020.

One of the expected changes is the development of the Standards of corporate governance for professional capital market participants – a regulation called to ensure effective corporate governance of the professional participants in the capital and commodity markets. These standards elaborate on: (1) separation of compliance, risk assessment and internal audit functions in the management systems and their duties; (2) qualification requirements for officers ensuring internal control functions; and (3) requirements for the officers sufficiently influencing the risk profile of the undertaking.