International Compliance

International Compliance: Legal Requirements of Business Organisation in over 30 Countries. Edited by Dr. Konstantin Busekist. 1st edition. Book, approx. 800 pages, clothbound. ISBN Format (W x L): 16.0 x 24.0 cm. Law > Commercial Law, Business Law > Company Law > Compliance.

IV. Defence by demonstrating adequate compliance management activities

The reaction to non-compliance is the least developed of the three basic pillars of standard compliance programmes. Exceptions to this are the financial services sector and, to some extent, subsidiaries of multinationals. However, in the case of the latter, the response functions are usually maintained by the parent, which potentially has a negative impact on the quality of the response.

3. Management responsibility

The culture of a company predetermines the manner in which the company's management will act. Consequently, the company must ensure that there is a culture of compliance both inside and outside the company. It is not appropriate to ask the employees to act in conformity with a compliance policy if the management itself fails to do so. It is the management's duty to constantly and appropriately advise the employees of the standard to which they must adhere, and provide a positive example by complying with that standard. Regular open discussions on compliance and the penalties for non-compliance contribute to increased awareness of the fact that compliance is in the best interests of the company, and that non-compliance will not be tolerated.

In order to create a positive corporate culture, companies should have a set of rules contained in the code of conduct that clearly describes the key duties of employees and company values. The code should establish the framework for honest and ethical conduct of employees in their everyday working duties. The code should also create a framework for subsequent internal guidelines that will provide further details regarding sensitive topics and give employees clear instructions regarding proper procedures in critical situations.

Practice

Many small businesses in the Czech Republic are family-owned and managed, thus overcoming the principal-agent issues and dilemmas posed by complex organisational structures.
As noted above, raising awareness of compliance issues through regular training and communication from the top is rare in many Czech mid-sized and large businesses. Codes of conduct, if adopted at all, tend to be formal documents that are not referred to when issues arise. Generally, employees must acknowledge that they received the code of conduct, and agree to abide by its terms, only once, when they are hired. Moreover, even in well-established businesses, including subsidiaries of multinationals, middle and top level management often struggle to meet the high ethical standards which are expected of them while carrying out their responsibilities. This can be seen in a number of high-profile Czech investigations into managerial misconduct. A lack of oversight from a parent company, persistent past legacies and the "I can" attitude may expose the company to serious compliance issues and sanctions.

4. Duties of the company

Management is obliged to suitably organise the work process and divide responsibilities amongst employees. Management may supervise employees either directly or delegate this task to other employees. If management chooses to delegate, it must select qualified, responsible employees in order to satisfy the requirements of labour and commercial law. Management must choose employees responsible for supervision carefully; the employees must have the necessary knowledge and ability to perform the entrusted supervisory tasks. Management must correctly inform and instruct these supervisory employees, and train them regularly regarding the legal regulations that they must comply with. Simply providing the supervisory employee with written documents that explain the standards applicable to their position is inadequate; management must introduce measures to ensure that supervisory employees actually read these materials and understand them. Management should also check whether supervisory employees are capable of applying the instructions and compliance measures in specific everyday situations.

Any responsibilities that management cannot properly or effectively exercise should be delegated to other persons. However, supervisory duties are breached when the related duties are distributed to such an extent that no one feels responsible for them. The tasks and responsibilities must be appropriately defined. Organisations beyond a certain size have the duty to establish internal audit procedures and provide the audit team with sufficient resources and the necessary authority to perform random tests of controls undertaken by the company.

Dušek/Kraus/Štička 139

6. Czech Republic

5. The duty of risk identification

One of management's main duties is to identify and assess the relevant compliance risks. As already mentioned, management should assess whether risks are necessary and/or appropriate. Identification and assessment of risks provides a basis for choosing an appropriate and reasonable type of compliance management system. Similarly, risk identification will determine the scope of preventive measures. The magnitude of the risk depends on the likelihood of its occurrence and the potential impact such non-compliance will have on public perception.
Practice

Generally speaking, and with the possible exception of selected industries (primarily the financial services sector), formal risk assessments are only sporadically performed by Czech businesses (usually only as part of internal audits), if at all. This can lead to the business being unprepared to deal with compliance challenges that arise, or wasting resources on control activities that may not address significant risks.

6. Duty to control

The duty to control requires that companies introduce appropriate control and monitoring mechanisms into their daily business practices. Management cannot simply rely on the employees to properly perform their obligations without any monitoring. This duty applies regardless of how carefully management selects employees and even if there is no reason to question the employees' abilities. The control mechanisms should cover a significant part of the activities undertaken by the employees so that the employees feel that their work might be checked. Infrequent, random checks of the employees' work are not enough; it is more appropriate to routinely control and test the employees. The organisation's processes and internal control design should also be controlled and tested. Random checks without prior notice must be performed regularly in order to ensure that employees are aware that any non-compliance with the rules will be detected and punished. According to recent case law, it is necessary for organisations with average compliance risks to have at least monthly controls. During these controls, employees must adhere to simple compliance rules.

The frequency with which checks, compliance audits, internal controls and/or risk reassessments should be performed depends on the nature of the compliance risks which the company faces, the company's organisational structure, and the nature of previously assessed risks. If there are any indications of non-compliance, the management must investigate and, if any irregularity is found, introduce a timely and appropriate response. Audits need to be performed only if tests of processes are insufficient to identify non-compliance.

Practice

Czech legal precedent regarding non-compliance suggests that management overriding controls, rather than failure of existing controls, often accounts for more severe damage to companies. Control deficiencies can often cause instances of non-compliance amongst the lower levels of management, or by employees. Such control deficiencies include a lack of segregation of duties, a deficient authorisation/approval process, and a lack of controls regarding possible conflicts of interests.

7. Effectively introduced controls

The fact that a company currently has a compliance programme does not necessarily mean that it has fulfilled its duties. It is important that the controls function effectively and detect any problems once they arise. Proof of appropriate control procedures can be required years after an issue arises, at the time when the problem is identified, or at a time when the employees responsible for the control system are forced to defend the system in court.
Audits of the control system must be carried out to assess its appropriateness, implementation status, and operating effectiveness. Appropriate control measures include the following: a culture of compliance (basis for appropriate and effective control; it is determined by the management's approach to control measures and the tasks of the supervisory body); compliance objectives (basis for compliance risk assessment; defined by the management); compliance risks (determined based on compliance objectives and assessed in view of the likelihood of occurrence of problems and their potential consequences); compliance programme (documented principles and measures aimed at risk minimisation, compliance with regulations and prevention of non-compliance); compliance organisation (defines roles and responsibilities); compliance communication (includes information regarding the compliance programme and organisation for employees and, if appropriate, third parties); and compliance monitoring and improvements (monitoring of appropriateness and effectiveness of control, correction of errors and system optimisation).

Mandatory compliance duties are essential for all of the basic control requirements outlined above. For example, the area of compliance risks includes the duty to assess the company's risk profile in respect to compliance. Compliance organisation includes the duty to clearly assign responsibilities for supervision within the organisation so as to prevent any overlap. Compliance communication involves the duty to consistently inform employees of relevant regulations, and for management to create a dialogue with the employees regarding compliance. Compliance monitoring and improvements comprises the duty to undertake random checks in areas with especially high risks and to introduce corresponding internal controls. Thorough consideration and performance of all of these basic duties constitutes compliance with the duty to act with due managerial care, so long as special circumstances that may require deviations from the standard are also taken into account.

Practice

In the Czech Republic, effective embedding of internal controls is often hindered by, inter alia, the following factors:

There is often a lack of communication between the foreign management (primarily from Asia) and local employees with regard to what management expects based on their obligation vis-à-vis the parent company and country of origin and what is permissible under local laws and cultural norms. This often leads to frustration on both sides and feelings of isolation amongst foreign management.

Uncritical translation of compliance materials and manuals from other jurisdictions often leads to misunderstandings and is counter-productive.

Because of past events, many people still feel uncomfortable reporting issues via the whistle-blowing hotline and would prefer a more personal approach to discuss potential grievances.

V. Treatment of non-compliance by the authorities

Depending on the duty that has been breached, the company may either be liable for breach of a legal duty (an offence) or for breach of contract. To determine which has been breached, it is necessary to consider whether the company breached only a private law obligation, or whether it also breached a duty under public law.
The public authorities are not competent to handle breaches of private law; thus, it is solely up to the parties to determine how they will resolve the situation. Typically, breaches of private law duties result in the duty to pay damages. In contrast, the relevant public authority is competent to initiate proceedings ex officio for offences that constitute a breach of one or more duties created by public law. For example, pursuant to Section 2(3) of Act No. 141/1961 Coll., the Code of Criminal Procedure, a State attorney must initiate a criminal prosecution for every criminal offence of which he becomes aware. Typically, breaches of public law duties result in the imposition of penalties. Certain offences breach both private and public law. In these cases, the offending entity is usually obliged to compensate damages and, at the same time, is punished by a public authority. A few examples of how non-compliance is treated in different legal fields are found below.

1. Corruption

In general, corruption of public officials is perceived as a significant and pressing issue. A case involving improperly influenced public contracts in Zlín provides a good example.

A local politician, who was also one of the shareholders of the Square Transaction Company, influenced insolvency proceedings against the company by bribing the insolvency trustee. He also took bribe money in his function as a town council member responsible for assigning public contracts. The total damage allegedly amounted to CZK 330 million. A total of 38 entrepreneurs (both individuals and legal entities), including the politician, were tried. Some of the accused are still awaiting sentencing; others have received sentences of up to 5 years' imprisonment.

2. Antitrust law

Cartels are a major issue in the Czech business world. Unfortunately, their existence is very difficult to prove and the penalties imposed by the Office for the Protection of Competition are frequently cancelled subsequently on the grounds of insufficient evidence.

The highest fine imposed to date for a cartel agreement, CZK 979,221 million, was imposed on 16 companies engaged in the manufacture of gas-insulated switchgears. This case involved a practice called bid rigging. The companies mutually agreed on the prices of switchgears offered by individual members of the cartel so as to ensure that public contracts would be awarded to pre-determined companies from the group. The cartel was revealed in 2006 when one of the members took advantage of the leniency programme and provided the Office with relevant evidence. The confessing company received no fine. Then, in 2007, fines of almost one billion CZK were imposed on the other companies. However, these fines were later cancelled by administrative courts due to an insufficient explanation regarding the liability borne by each of the companies involved.

Furthermore, in 2006, a cartel of several medical distributors who co-ordinated the discontinuation of the supply of certain medicines to three major hospitals had to pay a fine totalling CZK 113,064 million. This was not overturned.
The second biggest telecommunication provider in the Czech Republic, UPC Czech Republic, was fined EUR 16,000 in 2014, and put on a blacklist that prohibited it from bidding for public contracts for three years. The sanction was handed down by the Office for Protection of Competition on the grounds that the cable operator violated the Public Procurement Act by providing false information in a tender bid for providing data services to a company called Net4Gas. Specifically, this information concerned its business relationship with other companies and could have affected the candidate's qualifications in the tender. UPC Czech Republic carried out an internal investigation in which it concluded that the mistakes were attributable to an individual and the subsequent failure of internal controls.

3. Data protection

The Office for Personal Data Protection is the competent administrative authority in the area of personal data protection. The Office regularly imposes fines for non-compliance with the Personal Data Protection Act. This area recently received a great deal of publicity after the pension company of Komerční banka leaked personal data of clients and potential clients. In July 2013, a client of the company accessed the personal data of almost fifty thousand potential clients on the company's website by accident. He was able to access names, addresses, birth identification numbers and the amounts in savings accounts. The bank first denied any responsibility, but then admitted its mistake and provided a prompt remedy. The bank also had to pay a fine of CZK 1.8 million.

4. Occupational safety

Compliance with regulations in the area of occupational safety and health protection is monitored by the State Authority for Labour Inspection. The Authority systematically performs inspections and penalises breaches of regulations. For example, in 2013, the Authority imposed a total of 2,341 fines for a total amount of CZK 227 million. The Authority often focuses on specific types of employers at certain times. For example, in the first half of 2013 it focused on employees of private security agencies; the Authority discovered that private security guards often worked for periods exceeding the time permitted by the law without being paid mandatory bonuses for overtime work. As a result, the Authority imposed a number of fines.

Based on findings obtained by the Police of the Czech Republic, a district labour inspectorate performed an inspection of a construction site in Brno in co-operation with immigration officials. Two subcontractors were investigated. In one case, it was determined that 10 persons were being illegally employed. Additionally, six EU citizens were working at the construction site without an employment contract, an agreement to complete a job, or an agreement to perform work; they performed this work without a basic labour law relationship and the controlled entity allowed this illegal work. Furthermore, four foreigners from non-EU Member States worked for the same controlled entity. Two of them performed dependent work without the necessary employment permits, and two other foreigners were staying in the Czech Republic illegally without a residence permit. The Police of the Czech Republic expelled all four nationals of the non-EU Member States.
After completion of the administrative proceedings, the district labour inspectorate issued an administrative decision in which it imposed a fine of CZK 2,500,000 on the controlled entity for allowing illegal work as defined in Section 5(e)(1), (2) and (3) of Act No. 435/2004 Coll., on employment. The amount of the fine was strongly influenced by the number of persons the controlled entity allowed to work illegally, and also by the fact that the foreigners had performed dependent work without having an employment permit and, in two cases, without even having a permit to reside in the Czech Republic.

5. Tax law

Tax evasion is a crime that the courts deal with frequently. The very first judgement to ever force the dissolution of an entity received great attention recently. Lax Prag had failed to levy VAT and file tax returns for several years. Both the executive directors and the company itself stood trial and the company was dissolved as a result of the court's order. It should be noted, however, that the sole purpose of the company's existence was to perpetrate a crime.

Natural persons have also been punished for tax evasion. The case of Mr. Lubomír Podlipný, who traded in liquefied gas and intentionally reported lower sales than he actually made on monthly tax returns from 1999 to 2002, is a typical example. During the subsequent year, he failed to file tax returns for gas purchased with zero excise tax and sold the gas to minor customers at gas stations. He thus ultimately caused damage exceeding CZK 16 million. He was sentenced to six years' imprisonment.

VI. Recommendations to avoid mistakes typically made by foreign investors

It is important to understand the local risks: the Czech Republic ranked 57th out of 177 countries surveyed in the 2013 Corruption Perceptions Index of Transparency International, with a score of 48 (where 100 denotes a corruption-free country). According to other governance indicators, the Czech Republic is a relatively high risk country compared to Western European EU members. Yet, enforcement of compliance standards is on the rise, as suggested by media reports, making it more difficult to get away with things that were commonplace in the past. Thus, the first imperative is to perform a thorough compliance risk assessment, carefully evaluating the significance of the risks that your business faces, and how effective your existing compliance system is at addressing these risks. This assessment should be performed regularly to capture the dynamics of societal change.

If the risk profile of your business demands it, appoint a sufficiently senior local resident as the head of compliance, vested with both preventative and detective roles, who reports directly to the parent.

Ensure that local management implements a balanced compliance programme and monitor how they implement it as one of the key performance indicators. Regularly review the compliance programme for effectiveness.

To align your expectations concerning ethics and compliance with actual behaviour: publish a code of conduct reflecting the circumstances of the local business, do not underestimate the importance of communication of key messages (and when communicating, take into consideration local context and examples), regularly train all staff to understand your expectations, and seek regular compliance acknowledgement.
Be diligent in selecting key employees and third party contractors and do not fail to repeat the diligence regularly based on the risk profile of the employee and the third party.

Make sure grievance and whistle-blowing mechanisms are user-friendly and open to local staff. Take into consideration the discomfort that many locals have with reporting such issues.

Adopt data analytical tools that focus on high risk areas and ideally provide instant reports of potentially risky transactions or operations.

If it is not practical to implement an independent local response mechanism to non-compliance, make sure there are alternatives available (external advisors, the central team) to respond promptly to instances of non-compliance identified.

7. Finland

I. Compliance in Finland
II. The most relevant fields of law in Finland that a business will have to cover with its compliance management activities
    Anti-corruption
    Antitrust law
    Money laundering
    Data Protection
    Product safety
    Environmental law
        a) Environmental Protection Act
        b) Other legislation on environmental protection
    Labour law and occupational safety
    Foreign trade law
    Tax law
III. Liability of business, management and shareholder for non-compliance occurring during the course of business
    General
    Business liability
    Liability of Management
    Shareholder's liability
IV. Minimum requirements of an adequate compliance organization
    Managerial commitment
    Organizational duty
    Risk assessment duty
    Control and monitoring obligation
    Evidence of an effective CMS

I. Compliance in Finland

As in many other countries, it is becoming more and more important in Finland for a business to be regarded as a valuable member of society. Arguably, limiting environmental footprints, being good employers, having a corporate social responsibility agenda etc., are no longer unique selling points for large corporations; rather, they are necessities. In this context, compliance with applicable law is of vital importance, as non-compliance may damage the business reputation. Moreover, non-compliance can have serious legal consequences and lead to severe sanctions being imposed on the business and/or responsible business representatives.

In this chapter the main features of compliance and liability in relation to key Finnish legislation will be outlined, including a short description of how effective compliance programs can be structured so as to avoid non-compliance.

146 Mannerkoski