Adam Brzezinski of MoneyGram, Alex Florescu of Nepi RockCastle, Asli Sahinkaya of Setur, Christian Blatchford of Energo Pro, Deniz Sanli of American Gaming Systems, Eleni Stathaki of Upstream Systems, Ernest Jedrzejewski of Amgen, Ioana Regenbogen of ING, Joanna Przybyl of Revetas Capital, Mark Erdelyi of Yettel Hungary, Marta Ziolkowska-Nasinska of Fererro, Mary Chaidou of AIG, Stefan Orosi of Prima Bank Slovensko, Wioletta Kaloska of Symfonia, and Zita Toth of Primaenergia describe what is at the top of the agenda for their compliance and risk functions and how they nurture a culture of compliance within their companies.
At the Top of the Agenda
All Those Weird Things
“In recent years, the speed of adopting new legislation and other regulations has accelerated enormously,” says Stefan Orosi of Prima Bank Slovensko. “The compliance agenda is not an agenda that has any coherent boundaries. It can be anything. In practice, this often means that a matter becomes a compliance matter the moment it is determined that it is not a business matter or a matter in any other traditional area, such as HR or marketing. Sometimes I humorously tell my colleagues that the compliance agenda includes ‘all those weird things that nobody understands or wants to deal with.’”
Regulations and Regulators
“A practical problem occurs when a regulation exceeds a reasonable measure,” says Orosi, echoing the feeling of the 75% of General Counsel who point to regulations as one of their biggest compliance concerns. “I do not dare to claim – because it would be irresponsible on my part – that some regulations are unnecessary,” he adds, but “it often happens, and we know the old saying that ‘the road to hell is paved with good intentions.’ In an effort to achieve the right thing, and due to the shortness of the assessment process, regulations also affect subjects and areas that objectively do not need it or need it to a lesser extent. Then there is a situation where you want to comply with the regulation, not because it is right and makes sense, but simply to avoid a sanction.” Specifically, when it comes to compliance concerns, Mary Chaidou of AIG points to “the unforeseen audits and questions raised by the local regulator,” and, of all responding GCs, 28% highlighted data protection and cybersecurity, 17% mentioned AML and sanctions, another 17% whistleblowing, and 13% antitrust regulations.
The GDPR and Trickledowns
“If we refer to concerns as matters of very high importance for us and not as worries or anxiety (as we trust we are in control of managing these areas of risk in order for both the bank and our clients to be safe and secure), for sure, due to the increased level of digitalization, cybersecurity is an area where we are constantly investing our resources and capabilities, as well as data security and privacy which are closely connected,” explains Ioana Regenbogen of ING, with one general counsel of a global fashion retailer explaining that data privacy becomes particularly critical when putting new types of products on the market these days.
“Being responsible for privacy, it is impossible not to mention the GDPR compliance,” says Adam Brzezinski of MoneyGram. “We are committed to strengthening our privacy program and ensuring compliance with all quickly developing privacy laws around the world.” And indeed, it is not just the GDPR that GCs in CEE have to stay on top of, with Eleni Stathaki of Upstream Systems explaining: “We are based in the EU, so we must be GDPR-compliant. In addition, we have a presence and/or operations in third countries, where similar legislation has been enacted since the GDPR came into force – for example, the LGPD in Brazil and the NGPD in Nigeria. I call this the trickledown effect of the GDPR. The similarity with EU regulations helps us to a certain degree as the GDPR still represents the gold standard in my view, but there are still small differences between all pieces of legislation.” At the end of the day, Brzezinski is urging all to take it one step at a time: “Let’s face this – though it is something that many are still too afraid to admit – 100% compliance rarely exists. We are focusing on the most critical areas first and work our way through them.”
The AML Balancing Act
“The prevention of money laundering, of course, is a constant responsibility, and the adequate application of current financial and economic international sanctions on Russia is also a key duty for us to hold,” says Regenbogen.
And often, like in other areas of compliance, a balance needs to be struck. “When it comes to implementation, our biggest challenge and concern is to properly balance compliance requirements and business objectives,” Joanna Przybyl of Revetas Capital explains. “The best example to be mentioned here are the AML/KYC checks which we are obligated to perform on our counterparties. When applying AML procedures very strictly, in theory, we should get to clean KYC results – which turns out to be impossible. Certain analyses performed recently have shown that the number of money laundering cases increases year by year despite the introduction of more and more complex legal regulations on the topic. Therefore, the challenge here is to find the proper balance between remaining diligent on KYC checks and identification and the allocation of the risk and allowing for a continuation of the business.”
On Whistleblowing Eve
Like many CEE countries, Poland is on the eve of the implementation of the Whistleblower Protection Directive, according to Marta Ziolkowska-Nasinska of Fererro. Though she notes it has yet to be implemented in local law, Wioletta Kaloska of Symfonia, too, points to it as being at the top of their compliance agenda – a recurring theme in EU jurisdictions. Stathaki says they are “in the process of rolling out our new whistleblowing policy. We already have such procedures in place, but they are somewhat fragmented, so we will now be consolidating them.”
(Enhanced Scope of) Competition Authorities
One of the main challenges, Zita Toth of Primaenergia highlights, is “meeting antitrust requirements to not share sensitive information or any relevant data with third parties or competitors.” She explains that in Hungary, “the energy industry is quite a strong market in terms of competitors, especially in the field of propane and butane gas distribution, where there are only three players in the field.”
In fact, of all CEE jurisdictions, Hungary is where the competition authority was pointed to most often, especially because, besides its primary competence, the Hungarian Competition Authority also acts in the field of consumer protection. Mark Erdelyi of Yettel Hungary notes that “the Hungarian Competition Authority is very active, also in terms of the Unfair Commercial Practices Directive and misleading advertising. Despite our continuous efforts towards compliance, we face investigations more often than we would be happy to. We just finally closed a case involving a HUF 1.8 billion fine imposed on us with a settlement – and we could turn into crediting customers extra balance for telecommunication services a substantial amount of the fine.”
Doing the Right Thing
“Assuming the COVID-19 pandemic is behind us, ESG was and continues to be a top priority for the company,” says Alex Florescu of Nepi RockCastle. ESG is flagged by 18% of General Counsel as something that has started and will continue to impact compliance functions.
Petr Prouza of PPF Telecom notes that they “are developing in a stable path, ESG is, of course, new and a very important topic (and we have finalized our first ESG reports, this is developing quickly!).” But it is not just about reporting, according to Ernest Jedrzejewski of Amgen: “I am very proud and feel privileged to work for a company like Amgen. Here, ‘doing the right thing’ is part of our culture and is supported by our robust compliance program as well as the collaboration among relevant teams including the legal function. We are a mature, well-recognized organization that always aims for setting higher standards for ourselves. For example, Amgen has always been an organization where ESG has played an important role for us and we wanted to go beyond ‘complying with local laws and best practices.’”
Going Beyond Policy
“The biggest problem with compliance – across its many segments – is bringing the policies that you have developed off the page,” says Christian Blatchford of Energo Pro. “Creating a policy in the first place can be challenging because you need to marshal a lot of information, including underlying national and international laws, conventions, guidance, best practice, and so on. Ultimately, though, this is just a matter of study and, if in doubt, you can look to precedents and get outside help. Once the policy is in place, the temptation is to consider the job done. Merely signing a declaration or participating in periodical training is, however, not enough.” Implementation of or adherence to compliance policies was highlighted by 7% of General Counsel.
“I think the biggest compliance concern is having to convince people that compliance is crucial,” adds Asli Sahinkaya of Setur. “Compliance is still misunderstood by many as the duty of the legal team only. They expect you to lead projects on your own, with no one else contributing and every action taken by the legal team only. I think it still is a challenge for most of us,” she adds, with Blatchford also stressing that “management needs to take steps to imbed the substance of the policy in people’s minds so that it affects their behavior on a day-to-day basis.”
Tackling Compliance Risks Head On
Educate, Educate, Educate
When it comes to managing compliance risks, “the first thing to do is to train and educate employees. Afterwards, control whether they had the sufficient understanding and apply this in their daily business,” argues Deniz Sanli of American Gaming Systems. And 60% of General Counsel agree and point to regular training and counseling with their business colleagues as key. Joanna Przybyl of Revetas Capital focuses on “creating awareness within the business/commercial teams about the legal requirements and their proposed implementation – in particular via training,” and Mark Erdelyi of Yettel Hungary too talks about “running awareness activities and quarterly workshops to the markcom team.”
“I have introduced annual antitrust training and compliance training as well, first within the frame of classroom training with risk assessment workshops,” says Zita Toth of Primaenergia, adding: “during the past two years, I held them online.”
Fostering a constant two-way dialogue is a frequently mentioned tool for reaching this goal. “I choose to work closely with the business and IT teams, discussing the need for compliance on real cases,” says Asli Sahinkaya of Setur. “I try to understand their business needs and create a common ground. When this happens, I think they see that you both are on the same side, and begin to cooperate,” she adds. And Joanna Przybyl of Revetas Capital agrees, pointing out that “creating a forum for communication between business and compliance teams is key – a standalone compliance function that does not understand the business will only cause frustration and will jeopardize the business which, in turn, may result in limited respect for the compliance policies in general.”
It is also important to roll up your sleeves and chip in early, according to Eleni Stathaki of Upstream Systems: “With respect to the development of company offerings, we like to get involved very early on in product development and make sure that the privacy-by-design principle is followed.”
Turn to Others for Help
In response to compliance challenges, 20% of General Counsel report looking to external counsel for support. Mark Erdelyi of Yettel Hungary says they also involve external lawyers in areas of risk much more than in other legal fields: “All outgoing markcom materials are reviewed by us, and the large marketing communication campaigns are reviewed by not just our legal team, but an external legal committee, which consists of three lawyers from different firms.” Adam Brzezinski of MoneyGram says they “engaged an external DPO provided by a reputable law firm to help with strengthening the privacy program and to ensure it is regularly tested and revisited.” Speaking of the arrangement, he adds: “I am super happy as this ensures lack of conflict of interest between the DPO’s role and privacy operational work that is being done by the in-house team. We are being regularly audited, which helps identify risks and address them accordingly.”
Instead of looking outward, 16% of General Counsel choose to either strengthen or focus their in-house teams to adjust to perceived risks.
“A step we will need to consider is the designation of a dedicated compliance officer,” says Marta Ziolkowska-Nasinska of Fererro. “The responsibility of such a person would be to implement or verify existing compliance regulations, conduct internal investigations and audits of the implemented compliance procedures, and provide internal training. Currently, the compliance function in companies is occupied either by a lawyer and exists within the legal department or there is a separate risk and compliance department including professionals from various professions, as is the case of bigger and more regulated sectors (i.e. banking). After implementation of the [amendment to the Act on the Liability of Collective Entities for Criminal Offences], we will surely observe the evolution of this function in Poland as we did in the case of data protection officers a few years ago.”
Looking out and looking in are, at the same time, not mutually exclusive. Erdelyi, who spoke about externalizing high-risk areas, also mentions his company’s “Competition Law Competence Center, which was established in the legal team whereby only its members, 2-3 lawyers having relevant expertise may provide competition law advice. And, always, at least 2 lawyers shall confirm legal standpoint on less obvious cases.”
Turn to Tech
4% of GCs report having turned to technology solutions. Toth, who stressed the importance of training, had to deliver her sessions online during the pandemic, and she did this “within a frame of the Moodle training platform that we created and set up with IT colleagues.”
Similarly, Christian Blatchford of Energo Pro says that “specifically in relation to our group ABC/AML policy, we are working on the implementation of a new software solution that will address training,” but also “the delivery of reports and requests for gifts and hospitality as well as a whistle-blowing function.”
Nurturing a Culture of Compliance
Educate, Educate, Educate Some More
“Training and communication are the most effective tools to spread a culture of compliance and ensure that the company employees understand and apply the company rules and ethical values into their daily work,” says Deniz Sanli of American Gaming Systems. 63% of General Counsel mention internal training as a critical component of nurturing a culture of compliance.
Marta Ziolkowska-Nasinska of Fererro says they “invest a significant amount of time in communicating legal matters (i.e., alerts, newsletters) and providing internal training to raise awareness among employees to decrease legal risk and ensure compliance. We adopt yearly training programs where we refresh key topics (e.g., corporate governance, contract management, antitrust, anti-bribery, dawn raids), but also introduce new ones, subject to current business needs (i.e., the liability of board members and managers, whistleblowing).”
According to Eleni Stathaki of Upstream Systems, this helps establish the imperative of compliance: “In my view, it is imperative for all people in the organization firstly to understand why there is a need for a certain policy and subsequently to familiarize themselves with and to trust the process. I feel that the key to achieving this is to offer to employees the proper training.”
It is also important to set up a system to check if the content of the training has been digested, according to Zita Toth of Primaenergia: “First it needs to be read by the participants and I also set up test questions that they need to answer. So it is not a simple presentation but a study and then a test that is compulsory for everyone for several years now.”
However, as Christian Blatchford of Energo Pro explains: “Culture is a human phenomenon and my experience is that the colleagues most switched on to compliance issues are those who have taken part in personal training sessions at a senior level (fixing the beady eye on them!) or have actually addressed a potential irregularity as part of their work activities. There is nothing like talking about what we are doing, and why, to make abstract issues real and give people that little flash of realization that situation ABC is, in fact, something more than it seems and should be looked at carefully from the perspective of policy XYZ.”
Make Compliance Handy
13% of General Counsel stressed the importance of ensuring that being compliant is not a strain – and it is part of their role to make tools as easily available to the whole organization as possible.
For example, Mark Erdelyi of Yettel Hungary says they made sure they “have the documents – i.e., the templates we have created and which are to be used when concluding contracts, etc. – available.” To make things quick and easy, Marta Ziolkowska-Nasinska of Fererro highlights they are “on the eve of a legal lawbot launch that will provide quick responses to basic and most repeated legal topics without the need to involve lawyers.”
Compliance Does Not Exist in a Void
8% of General Counsel point to some form of a feedback loop. Ernest Jedrzejewski of Amgen, who prides himself on the fact that at Amgen, “‘doing the right thing’ is deeply embedded in the culture – a part of its DNA since over 40 years when we were established as a small biotech in Thousand Oaks,” argues that “having an open dialogue about new challenges, getting feedback, and listening to our employees is what makes the difference for us.”
Set the Tone
Top-down communication is critical according to 6% of General Counsel. Jedrzejewski highlights that their “robust compliance program” includes “creating awareness and understanding and setting expectations – from the very top – that ‘doing the right thing’ is the Amgen way.” And the General Counsel of a different pharmaceutical company also emphasizes the importance of the “tone from the top” through “the general management’s continuous support in raising the importance of compliance by asking if each project was endorsed by compliance” and through the fact that “compliance is also a member of the leadership team and shapes new initiatives from the creation stage.”