On 22 April 2026, the Greek Parliament voted to lift the parliamentary immunity of 13 sitting MPs in connection with the “OPEKEPE scandal”- the unfolding investigation into how Greece’s payment authority for EU agricultural subsidies allegedly became, in the words of European Chief Prosecutor Laura Kövesi, an “acronym for corruption, nepotism and clientelism.”

The European Public Prosecutor’s Office (EPPO) is investigating an alleged organised fraud scheme that diverted hundreds of millions of euros over several years. The fallout has been severe: Greece has been fined €415 million, the OPEKEPE government agency (acronym for: “Payment and Control Agency for Guidance and Guarantee Community Aid” in Greek) has been dissolved, and successive waves of resignations have swept through the ranks of implicated officials and MPs since mid-2025.

For compliance practitioners, the more interesting story is what was occurring on the ground and how it managed to look entirely ordinary on paper. According to the EPPO, between 2019 and 2022, individuals with no real link to farming presented themselves as new or young farmers and drew farm aid subsidies based on false declarations of land ownership, fictitious leases, and fabricated livestock counts.  The Greek state ended up paying European money out against pastures declared on archaeological sites, olive trees inside a high-security military airport, and even a banana plantation on Mount Olympus! The head of a Greek livestock-farmers’ federation publicly stated that Greece declared 11 million to the European Union, while in fact had just over five million animals.

Modern compliance frameworks are built around procedural rigor—defined workflows, multi-level approvals, documentation requirements, and, increasingly, automated checks. These systems are designed to ensure consistency, traceability, and efficiency. On their own terms, they often perform exactly as intended. But they also share a systemic limitation: they validate information based on its conformity to expected inputs. When those inputs are inaccurate, incomplete, or deliberately constructed to meet system criteria, even well-designed controls can produce outcomes that appear entirely legitimate.

This dynamic is consistent with OECD work on data-driven integrity, which stresses that corruption and fraud risks often become visible only when information is tested across datasets, indicators, and patterns, not merely reviewed for procedural completeness. The challenge, of course, is that verifying underlying data is inherently difficult and often resource-intensive.

Any system that relies on self-declared information faces a version of the same risk. Controls can ensure that information is collected, reviewed, and approved. But they cannot, on their own, guarantee that the information reflects reality. For many compliance experts, this will feel familiar. The issue is not that the risk is unknown, but that it is often addressed within defined risk categories rather than examined as a broader system dependency.

What cases like OPEKEPE bring to the forefront is the extent to which control environments rely on inputs that can be engineered to meet their own logic. The implication is not to expand controls indiscriminately, but to interrogate more closely where processes depend on self-declared or weakly corroborated information, how easily those inputs can be constructed to satisfy requirements, and whether existing monitoring is capable of distinguishing between formal compliance and substantive reliability. In this sense, the relevant question for companies is not only whether controls are robust, but whether they are being meaningfully stress-tested with simulations against the way misconduct can actually occur. Because the vulnerability is, in many systems, not that controls can be bypassed, but that they can be convincingly satisfied.

Kristina Marie Tremonti

Policy and Legal Analyst specializing in Governance, Rule of Law and Institutional Accountability