Budusan & Asociatii SPARL news, updates and analysis | Page 1 of 1

Liana Iacob and Florentina Frumușanu explore how companies can comply with the new Romanian whistleblowing obligations

The new Romanian Whistleblower Law no. 361/2022 (the ‘Whistleblower Law’) came into force on 22 December 2022, setting forth new obligations for the major employers. The law transposes with a one-year delay the Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law, and its scope is to facilitate whistleblower reports on potential breaches of EU law within private entities, as well as public authorities, institutions or other public entities.

The new piece of legislation is thus expected to impact the manner in which companies manage reported instances of fraud. From this perspective, we note that the latest Kroll Global Fraud and Risk Report (which does not cover Romania but covers important EU member states such as France, Germany and Italy) highlights an average 72% trust ratio in corporate internal control systems intended to detect fraud and corruption risks. Thus, the perceived likelihood of corporate control failure is, on average, 28%. Basically, based on data from well-developed European economies, prior to the Whistleblower Law coming into force, three out of ten instances of internal fraud risked going undetected.

This percentage may very well be higher in Romania, as a developing country, and, also, possibly higher than what a company may deem acceptable in terms of internal fraud risk when doing business locally. Second, awareness should exist that the decision to report a potential instance of internal fraud is not an easy one for the employee concerned, but is often made at considerable personal risk, such as alienation from colleagues and potential negative impact on reputation and career. So, there are serious incentives for the employee to keep silent, which is in fact detrimental for the company that will eventually bear the costs of corporate fraud.

These two reasons, and not necessarily the sanctions in the new Whistleblower Law, should steer corporate behaviour towards an effective implementation of the new regulation, rather than a merely formal compliance with the newly defined (and, again, generally well-known at this point) obligations set forth by the law, to decrease the risk of fraud going undetected and, ultimately, mitigate the company’s financial, reputational and potentially legal exposure.

As the addressees of the new law are medium and major companies, it is likely that internal control mechanisms are already in place. However, effective compliance with the Whistleblower Law should require a certain fine tuning of the current internal control systems. As a starting point, corporations should (re)assess their record-keeping systems with the aim of detecting and correcting any record-keeping weaknesses. Efficient and coherent internal record keeping is often paramount when investigating any instance of internal fraud, if at all possible endeavour, absent which investigation and corroboration risks becoming protracted and highly costly.

On the premise that the legal mechanisms defined by the Whistleblower Law have been properly put in place, when receiving a whistleblower report, clear rules and procedures should be set in place, eg, by defining and implementing a whistleblowing policy, the scope of which should match that of the Whistleblower Law, describing the reporting channels and processing systems, as well as the applicable roles and responsibilities in the organisation. Very importantly, such policy should deal with how an investigation should occur, and define at a minimum the appropriate, independent and free of conflict of interest people/departments to conduct such investigation; the safeguards in place to ensure the confidentiality of both the reporting person and those potentially accused of wrongdoing; the report acknowledgement timeframe; the prerogative of the investigating team to receive direct access to records (as well as the necessary corporate steps to redefine or adjust such accordingly, depending on the specific circumstances of each case), taking into account potential privacy and other legal restrictions that may be applicable; the type and structure of interviews (including whistleblower interviews) to be performed during the investigation; and, in all cases, the diligent follow-up on the findings and outcomes of the investigation (always within the maximum term set forth by the law). Finally, but equally importantly, the policy should deal with how to report suspected criminal activity, including matters such as assessment of reporting obligations and deadlines, and assistance by specialised outside counsel (where necessary). To conclude, given the new Whistleblower Law, fraud investigations should be carried out in accordance with a dedicated policy tailored to comply with the new regulations. Although the Whistleblower Law is a new regulation and defining the reports likely to be made on its basis calls for speculation, the pre-existing national legal framework in the field and the practice developed on its basis may provide certain insights into its potential practical effects. As a reasonable assumption, reports may concern internal fraud (eg, misuse/misappropriation of corporate assets, instances of collusion with third-party suppliers, customers, distributors to the detriment of the company or for illicit gain etc), workplace policy breaches, and even corruption.

A company facing a suspicion of fraud must consider a number of issues in order to become or remain compliant. A fraud allegation is a serious issue and fraudulent behaviour can create a multitude of problems for the company. However, the company should always keep in mind that all businesses, without exception, are vulnerable to fraud, and avoid the two extreme reactions, namely, overreacting or, to the contrary, having no reaction at all. One should keep in mind that the initial steps taken in addressing suspected fraud can either hinder or greatly help the company’s efforts, and from this perspective, preservation of evidence is key. We would like to go back to the point made above, and stress again the recommendation to periodically assess the record-keeping systems to detect and correct any blind spots, because fraud suspicions should be probed and scrutinised, with the focus of the investigation being to identify information that supports or disproves the fraud allegations. Securing all potential evidence can be done discreetly, without unnecessarily alerting the suspected perpetrator, when efficient record-keeping and back-up systems exists. Also, electronic evidence, which is in general easy to tamper with, should be preserved, including computers, corporate phones and other electronic devices. It goes without saying that access to data should have been secured by the already existing employment policies and contractual documents. Another common mistake that companies should avoid is collecting and assessing the evidence and subsequently acting without the assistance of a team of forensic specialists and legal professionals to mitigate and, where possible, avoid the concurrent risks that generally arise in the context of a suspected fraud: the risk of accusing an employee without sufficient evidence and the risks of breaching legal or statutory obligations on the reporting of suspected criminal activity. When faced with an allegation of fraud, a company needs to consider who is leading the investigation and what resources they need to complete the investigation, and determining an investigative team is an important step in the process.

Equally important is the company’s reaction to employees and managers potentially involved in the fraud. As a general safeguard, companies should make sure that internal policies on fraud detection, fraud investigation and whistleblowing have been notified to and accepted and acknowledged by the entire company staff and that job descriptions contain the professional obligation to comply with such. While the way a company should deal with a suspected employee or manager should normally be determined on a case-by-case basis, depending on the specific circumstances of each matter, as a general recommendation, the company should avoid disclosing the suspicion to the person of interest in the initial stages of discovery and investigation (to avoid potential evidence-tampering behaviours).

Immediate termination of employment or management contract (or immediate initiation of legal procedures with this aim, if applicable) may make gathering evidence more difficult. The company may, however, consider instating restrictions on the employee’s access to company data, including access to archives, irrespective of the way they are kept, as well as securing the relevant corporate premises (eg, offices) to ensure no relevant company items (eg, documents, computers, phones etc) are removed, altered or destroyed. Given the digital transformation of the last decade, the company should consider appropriate internal policies to ensure that such access restrictions on electronic systems and devices may also be set in place remotely, and that the staff acknowledge and accept such possibility as a prerogative of the company. All interactions with the people of interest should be governed by the applicable workplace policies defining appropriate conduct and best practices to mitigate the risk of countercharges on the part of such people, eg, that they were pressured by the company or that the fundamental rights of their employment (eg, reputation, privacy in general) have been infringed upon (which is often a common defence strategy).

In all instances, compliance monitoring is paramount. The mere allegation of fraud can be a daunting challenge for a business, and, as such, the roles and responsibilities of compliance officers as the people in charge of preventing, detecting and investigating fraud are of great importance. Perhaps the first challenge faced by compliance officers is a cultural one: while compliance should be an integral part of the organisation’s ethics, it sometimes tends to be seen as a burden rather than a benefit. As, under the current regulations, compliance has become more and more an integral part of the corporate structure and functioning, as opposed to a separate process, organisations should focus on ensuring a correct implementation of compliance elements not solely from a fraud-avoidance perspective, but also as a premise for a more effective investigation into suspected instances of fraud, should they occur. With these in mind, fraud investigations are often complicated, involving multiple disciplines and parties as well as complex financial data analysis. As the key objective of the investigation remains gathering and preserving evidence, the quality of available data is cardinal, and one of the major challenges to be overcome. When data and information is available, the huge volume of data compliance officers must review to find evidence may be problematic in our digital society, where massive packages of information travel instantly and communications are often encrypted, and/or password protected. The digital transformation has also led to transformation of fraud patterns, with new types of fraud appearing periodically. Ensuring staff co-operation may also be problematic, as staff generally have the same incentives to stay silent as highlighted above for the whistle-blowers. Finally, in addition to the high responsibility incumbent upon them in their professional capacity, it is not impossible for compliance officers to be subject to external pressures. Support and protection from the organisation of the professional and personal independence of the compliance officer, as well as access to reasonable resources and training, are constant requirements for the efficient fulfillment of professional duties. Companies can only evaluate the effectiveness of their compliance policies and employee performance through a compliance monitoring strategy. Thus, compliance monitoring is a crucial tool for a company to determine if its compliance policies are appropriate, up to date and responsive, as well as for identifying compliance risks and taking action to mitigate such.

Companies should be aware that white-collar crime prosecution is very common in Romania, where dedicated and even elite (for major crime cases) investigative and prosecution units have been functioning for decades now and have a rich practice in prosecuting fraud and corruption in the business environment, and business crime in general (eg, tax evasion, contraband, corporate environmental offences, abuse of professional duties etc). While gathering and interpreting the available pieces of evidence remains a prerogative of the prosecution, in the vast majority of cases, review of corporate records remains a starting or, at least, a crucial point in such judicial probes, and corporate co-operation, including in relation to or in the course of the forensic activity, is possibleand, in general, accepted in accordance with the applicable rules of procedure.

Return to the Disputes Yearbook 2023 menu