‘Compliance’ itself is not yet legally defined in Russia. In the meantime, there are certain statutory provisions that show their influence on risk and compliance management activity within the entities.
A comparably new article 13.3 to the Federal Law No. 273-FZ On Combating Corruption dated 25 December 2008 requires all companies in Russia to develop and adopt measures aimed at preventing corruption. Although article 13.3 lists six broadly defined measures that companies may develop and adopt, it does not describe the steps companies should take to implement those measures, neither the law does explain whether the above measures are either mandatory or exclusive.
The ‘all possible measures’ provision, contained in article 13.3, can be interpreted to extend the requirements of Federal Law No. 273-FZ On Combating Corruption, to go even beyond the common requirements of the US Foreign Corrupt Practices Act or the UK Bribery Act.
Anti-money laundering compliance
Federal Law No. 115-FZ On Combating Money Laundering and the Financing of Terrorism was enacted on 7 August 2001 in compliance with the Convention on Laundering, Search, Seizure and Confiscation of the Proceeds from Crime, signed in Strasbourg, France, which was ratified by Federal Law No. 62-FZ, dated 28 May 2001.
The said statute contains criteria for the volume of operations subject to mandatory control, lists those operations and determines the organisations conducting operations with money or other property that should inform an authorised agency about these operations, which, among others, mainly include credit organisations.
As a main aim, the law requires credit organisations to take all reasonable and available measures to identify the beneficial owners of their clients. However, this law does not provide the list of particular measures or guidelines that the credit organisations must follow regarding the identification process of the beneficial owner of the client. An inexhaustive list of such measures is set out in the clarifications issued by Rosfinmonitoring and the Central Bank.
In Russia, discussion of the concept of ‘antitrust compliance’ started around 2011, and by 2013 the Federal Anti-monopoly Service had included antitrust compliance into their strategy and into the independent direction of further work. It has been declared as a priority development aim of the antitrust legislation and law enforcement practice due to its preventive function.
The Federal Anti-monopoly Service recently developed a draft law aimed at implementation of special compliance measures within entities, that shall possibility lead to mitigating liability that arises out of antitrust violations.
Data protection compliance
Federal Law No. 152-FZ On Personal Data dated 27 July 2006 regulates all personal data that is processed by data operators or third parties in Russia. Personal data under this law is represented by any information (directly or indirectly) related to an identified or identifiable individual (data subject).
Data protection laws apply to all data operators, and third parties acting under the authorisation of data operators. A data operator can be represented by a legal entity or individual that both:
- organises or carries out (alone or jointly with other persons) the processing of personal data; and
- determines the purposes of personal data processing, the content of personal data and the actions (operations) related to personal data.
The main obligations imposed on data operators to ensure the personal data is processed properly are the following:
- defining the categories of personal data, the purposes of data processing and the duration of processing;
- obtaining the data subject’s consent (unless otherwise provided by the law);
- appointing a data protection officer, adopting the data protection policy (and other required documents) and taking other appropriate security (especially technical and organisational) measures to prevent unauthorised or unlawful data processing and a breach of the data protection legislation; and
- notifying Roskomnadzor of various circumstances for the purposes of registration (unless otherwise provided by the law).
According to the described statute, since 1 September 2015 all personal data operators shall be required to keep personal data of Russian citizens in Russia. Namely, it requires that databases that store personal data should be kept on servers on Russian territory. This requirement has quickly become an element of internal compliance of probably most of the businesses in Russia.
Back to top