The possibility to enter into a non-prosecution agreement in cases of internal investigation and self-reporting
ŠunjkaLaw, Serbia; Regional Representative Europe, IBA Anti-Corruption Committee
In the case of an internal investigation, it is generally possible to enter into a non-prosecution agreement. If a criminal offence is discovered as a result of an internal investigation, the corporation should submit a criminal application to the prosecutor’s office, together with all the evidence collected during the internal investigation. The criminal application should be submitted against the individual(s) who were deemed to have committed the criminal offence and/or the individual(s) who did not properly perform the duty of supervision and control. The criminal application must also state the legal position of the corporation as a victim of crime, its willingness to join and support the prosecutor in a future criminal procedure, and its intention to submit a request for damage compensation, if any. After receiving the criminal application, the prosecutor will, if enough evidence of suspicious activity pointing to a criminal offence is found, open an official criminal investigation and will use and check the evidence and fact findings collected in the internal investigation. If legal thresholds are met, the prosecutor will, in general, allow the non-prosecution agreement. Self-reporting, admitting the crime, damage compensation and cooperation during the investigation procedure will be circumstances in favour of the corporation and the individuals who committed the crime when they ask to conclude a non-prosecution agreement and to have better, or favourable, conditions in that agreement.
The existence of a legal privilege on the results of the internal investigation
Legal privilege in Serbia covers everything that the client presents to an attorney-at-law and anything and everything that the attorney-at-law discovers, comes into possession of, or learns in any other way while preparing the work, during the work and even after the termination of the representative relationship. The obligation to keep secret all that was discovered under legal privilege is not time-limited; it is a lasting obligation. Legal privilege extends to all the attorney’s associates, employees, clerks, trainees and any experts engaged during the work. The attorney-at-law can disclose information under legal privilege only in certain cases, for example, if the client agrees; to prevent the perpetration of a ‘hard’ and ‘heavy’ crime; in a litigation case between an attorney-at-law and their client, if it is necessary for the attorney-at-law to protect their interest; and in an attorney defence case when the position of attorney is more important than information under legal privilege. Apart from these exceptions, the results of an internal investigation are under legal privilege and protected.
Data privacy considerations
Serbia introduced the new Data Protection Law in August 2019. The Serbian Data Protection Law is similar to the EU General Data Protection Regulation (GDPR). Similar to the GDPR, the Personal Data Protection Law deems processing of personal data lawful when it is performed on the basis of consent, for one or more specific purposes; when processing is necessary to execute the contract concluded with the data subject or to take action, at the request of the data subject, before concluding the contract; and when processing is necessary to comply with the legal obligations of the operator.
During the internal investigation, personal information should be considered as:
- any information pertaining to an individual, regardless of the form in which it is expressed;
- the information carrier it is stored on, on whose behalf the information is stored;
- the date of the creation of the information;
- the location where the information is stored;
- the method of finding the information (directly, through listening, viewing, etc, or indirectly, by inspecting the document in which the information is contained etc), or other properties of the information.
During the internal investigation, the corporation’s statutory documents are usually and generally collected, which would describe the rights and powers within the entity, labour contracts and management contracts, the rules of procedure and the job classification system, to determine who is responsible for what, who is authorised and the scope of authorisation, contracts and contract documents, signature specimens, cash flow and bank statements, orders and decisions regarding the particular case, the compliance programme, the internal anti-corruption programme, emails or other communication, messages, etc.
During the internal investigation the person leading the investigation should be permanently aware that conducting interviews and taking statements is entirely voluntary. If the employee, as the interviewee, accepts, then their statement may be taken in accordance with the provisions of the Civil Law Code, which can be notarised before the public notary. According to the voluntary principle of participation in an internal investigation, there is no obligation for the employees to cooperate. Usually, during the introductory part of an internal investigation, it is suggested to the employees that in the event of cooperation they will have certain legal benefits, whatever the result of the investigation may be. If an employee agrees to cooperate during the internal investigation, he or she can engage legal counsel at his or her own expense, but the presence of legal counsel is not mandatory.
When conducting an internal investigation and taking statements from the employee, the best practice includes three main steps. Firstly, the employee is, with his or her consent, recorded in audio or video when making his or her statement on the matter. Secondly, the statement is transcribed in written form, which is provided for the witness to read and, if necessary, complete, add to or amend. Lastly, the written statement is notarised before the public notary, in the presence of the employee signing the statement. During the internal investigation, the employee should be treated with respect and appreciation, regardless of the position in a concise internal investigation or potential official investigation. The employee must be protected against insults, threats and any other kind of attack or pressure.
Internal cross-border investigation of cyber attack
A Serbian company collects blood samples from customers who are willing to deposit a blood sample in a blood-sample bank in the United States. The Serbian and US companies have concluded an agreement on their business cooperation, which establishes the governance of US law and the jurisdiction of the court in San Francisco. The US company has EU staff and representatives from the United Kingdom and the Netherlands. The internal general counsel of the US company comes from the UK and the main business representatives come from the Netherlands. The Serbian company, in its ordinary course of business, collected local fees from customers and, according to three invoices of the US company, paid and transferred money. After a few months the US company declared the Serbian company in default, because it did not receive the money. As a first agreed step, internal investigations started in both companies separately. The US company discovered that it had noticed some strange email communications, but had not reacted because it did not analyse the strange emails and correspondence in depth. The Serbian company discovered fake emails with fake invoices, and realised its own mistakes in the payment process, because all three invoices showed accounts and banks different from those used in the regular payment process before the event. As a second step, a joint cross-border internal investigation was agreed and performed. Both companies engaged outsourced independent IT experts from different expert companies, with the task of clarifying where and on which side the primary attack and intrusion into the system had occurred and whether the system was still compromised, not just because of the financial issue and loss, but also because of the data protection issue concerning very sensitive customer information: blood samples and the test results of the blood samples.
The joint experts committee created an IT fact-finding report and concluded that the first intrusion was on the side of the US company and that, because of the lack of a timely reaction and lack of control, this attack was not discovered. Later, the criminals communicated with the Serbian company, using emails of the US company, and sent fake invoices to the Serbian company. Because of the lack of financial control, the Serbian company paid the fake invoices to the criminals. The joint experts committee ruled out any compromise of the part of the system holding sensitive personal data.
The conclusion was that it was a cyber attack scheme known as ‘midmen fraud’, where cyber criminals were actually operating in the middle of two companies.
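The financial control that was missing on the paying side can be expressed as a simple pre-payment check. The following is an added example, not part of the original article or of either company's systems: it holds any invoice whose beneficiary account or bank differs from those already verified for the supplier. All names, invoice numbers and account values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Invoice:
    number: str
    vendor: str
    iban: str      # beneficiary account printed on the invoice
    bank_bic: str  # beneficiary bank printed on the invoice

def normalise(value: str) -> str:
    """Strip whitespace and case so formatting differences are not flagged."""
    return "".join(value.split()).upper()

def review_invoice(invoice, vendor_master):
    """Return the reasons to hold payment; an empty list means no mismatch."""
    verified = vendor_master.get(invoice.vendor)
    if verified is None:
        return ["vendor not in master file"]
    reasons = []
    if normalise(invoice.iban) not in {normalise(i) for i, _ in verified}:
        reasons.append("beneficiary account differs from verified accounts")
    if normalise(invoice.bank_bic) not in {normalise(b) for _, b in verified}:
        reasons.append("beneficiary bank differs from verified banks")
    return reasons

def payment_run(invoices, vendor_master):
    """Split invoices into released numbers and held numbers with reasons.
    Held items should be confirmed through a channel other than email,
    for example a phone number taken from the signed contract."""
    released, held = [], {}
    for inv in invoices:
        reasons = review_invoice(inv, vendor_master)
        if reasons:
            held[inv.number] = reasons
        else:
            released.append(inv.number)
    return released, held

# Constructed sample data: one verified account for the supplier, one genuine
# invoice, and three invoices that each name a different account and bank.
VENDOR_MASTER = {"US-PARTNER": [("XX00 TEST 0000 0000 0001", "TESTUS00")]}
INVOICES = [
    Invoice("INV-0998", "US-PARTNER", "xx00test000000000001", "testus00"),
    Invoice("INV-1001", "US-PARTNER", "XX00TEST999900000011", "FAKEAA11"),
    Invoice("INV-1002", "US-PARTNER", "XX00TEST999900000022", "FAKEBB22"),
    Invoice("INV-1003", "US-PARTNER", "XX00TEST999900000033", "FAKECC33"),
]

if __name__ == "__main__":
    released, held = payment_run(INVOICES, VENDOR_MASTER)
    print("released:", released)
    for number, reasons in held.items():
        print("HOLD", number, "-", "; ".join(reasons))
```

The check compares against payment history rather than the sender of the email, so it still applies when the fraudulent invoices arrive from the genuine partner's email.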
This kind of investigation should concern not only general criminal rules, but also IT expertise with cross-border elements, US and EU Single Resolution Board regulations, data protection and sensitivities and high potential reputational damage and credibility risks for both companies.
This case has resulted in criminal proceedings against cyber criminals from Romania, living in the UK, and damage claims against several banks because of the lack of anti-money laundering control of the accounts of the cyber criminals. The case came before the Serbian Cyber Prosecutor Office, with an international legal assistance procedure in the UK, and cooperation with the Federal Bureau of Investigation.