Internal investigations have become an increasingly important and integral part of prudent corporate governance in Switzerland. This chapter provides a brief overview of the key considerations that will allow a Swiss-domiciled company to conduct an effective internal investigation. The topics addressed in this article include typical triggers of an internal investigation, specific questions that must be addressed by the company if an investigation is about to be launched, the impact of secrecy obligations on data collection in Switzerland, the use of specific findings with regard to pending or anticipated court or other official proceedings and questions on cross-border data transfer from Switzerland. We conclude this chapter by highlighting certain practical recommendations for Swiss companies to prepare for potential future internal investigations.
- Set-up of an internal investigations (governance, scope and work product)
- Conduct of an internal investigation (data collection and review process, e-discovery and employment aspects)
- Particular aspects to be considered with regard to cross-border aspects of investigations (data protection, secrecy obligations and blocking statutes)
Referenced in this article
- Federal Data Protection Act of 19 June 1992 (Status as of 1 March 2019) SR 235.1
- Federal Data Protection and Information Commissioner
- Swiss Code of Obligations of 30 March 1922 (Status as of 1 January 2020), SR 220
- Swiss Financial Markets Supervisory Authority
- Swiss Penal Code of 21 December 1937 (Status as of 3 March 2020), SR 311.0
Over the past decade, internal investigations have become an increasingly important and integral part of prudent corporate governance in Switzerland. While this is particularly true for regulated financial institutions, catalysed especially by US Department of Justice (DOJ) investigations, internal investigations have also become market practice good governance tools for non-regulated entities. In the wake of tightened national and foreign anti-bribery and corruption laws, law enforcement with draconian penalties (and disgorgements of profits) against corporations and convictions of individuals, internal investigations are regularly initiated in connection with bribery, fraud and other compliance matters.
Triggers for internal investigations
An internal investigation should be initiated in case of (plausible and sufficient) indication of criminal activities affecting, or in connection with, an entity’s business. According to recent studies by PwC (2018), 39 per cent of the respondents (listed and non-listed enterprises) experienced fraud within the last 24 months, with more than 12 per cent stating that they did not know whether their organisation had been a victim of fraud in this period. If criminal activities primarily affect the enterprise internally (eg, in case of internal fraud, mobbing or sexual harassment allegations), a company is often not interested in initiating a public prosecution. Even if the criminals are outside the company that suffers the damage, the company often does not involve public authorities as it may feel threatened by risks to its reputation.
Companies should also consider initiating an internal investigation in case of (alleged) material non-compliance with internal or external rules and policies.
For regulated financial institutions, the threshold for initiating an internal investigation is generally lower than for non-regulated entities. The Swiss Financial Markets Supervisory Authority (FINMA) generally expects financial institutions to investigate significant incidents in appropriate detail and to assess the robustness of internal processes and policies.
Furthermore, FINMA may also formally request a financial institution to conduct an internal investigation and produce a report to FINMA as part of its ongoing supervision to ensure that the institution continues to meet its licensing requirements at all times. FINMA may also directly mandate an investigation. In this event, FINMA would typically instruct an independent third party (normally a law firm or audit firm) to conduct the investigation and to prepare a report to the regulator. Notably, the costs of such internal investigation (which can be considerable) generally have to be borne by the investigated entity itself.
Internal investigations may also be triggered by investigations or inquiries of other governmental or regulatory authorities (such as tax or competition authorities) in order to determine the risks for and the defence strategy of the company investigated.
Finally, internal investigations can be a useful tool in a post-M&A situation. As acquisitions are often based on a red flag due diligence only, a post-acquisition investigation can reveal facts that a seller did not wish to disclose (or did not even know itself) in the fear that it might lead to a reduction of the purchase price.
Set-up of an internal investigation
If an internal investigation is about to be launched, a company must address a variety of questions in order to make the investigation as efficient and legally robust as possible. The success and robustness of an internal investigation largely depend on the decisions taken at the very beginning of the investigation.
Naturally, the initial questions to be resolved differ if an investigation is not conducted on a voluntary basis but is rather imposed by a regulator. The topics discussed here focus on conducting a voluntary investigation. If an investigation is imposed by a regulator, the latter will to a large extent dictate the details of the conduct.
The project governance structure needs to be determined at the very beginning of an internal investigation. Key for the success of a voluntary internal investigation is that, at the top, a steering committee composed of persons with the necessary influence in the company supports and supervises the project. The steering committee should establish and supervise the project management team, consisting of both internal (and, depending on the individual circumstances, also external) personnel with adequate knowledge, expertise and independence who closely manage the project on a day-to-day basis. A project office may provide administrative support both to the steering committee and to the project management.
The governance structure also needs to be carefully formalised to provide best protection for Swiss and foreign legal and work product privilege.
Mandate and scope
Before launching an internal investigation, the project management should be given a clear and unambiguous mandate and task. The mandate should be based on an initial analysis of the issue. The board of directors of the company, as the ultimate supervisory body, is often best-placed to determine the mandate, except in case of matters with low substantive risks, small scope and those that do not involve top management. The mandate should formalise the topic and the goal of the investigation. Accordingly, at the outset of the investigation, the company should prepare a formal document (eg, a resolution of the board of directors, an engagement letter or a memorandum) authorising the investigation and outlining the specific scope of the investigation. Furthermore, resources (personnel and IT) and a budget need to be allocated. Finally, the mandate should also state what the incident triggering the investigation was.
During an investigation, a company regularly obtains sensitive information about employees, competitors and other third parties. When defining the scope of the mandate, it is therefore paramount that the company is aware of the obligations and risks associated with obtaining certain information (eg, ad hoc publicity obligations) and creating certain work products (eg, production requests by third parties in civil litigation proceedings and criminal investigations). With regard to the latter, the company must assess to what extent the results and work products of the internal investigation (eg, a final written report or interview records) may have to be disclosed to third parties and how such risk may be mitigated.
Reporting and communication
Clear reporting lines need to be established and a comprehensive reporting system implemented. As a rule, the steering committee should formalise in writing who reports what to whom at what point and in what format. Periodic reporting is advantageous (eg, in case of ad hoc publicity obligations of the investigated entity). The reporting concept should also determine when and how matters must be escalated internally and a plan for any external communication (media concept), including the respective competences, should be set-up. Communication is a necessary part of the immediate measures to be taken after the initiation of an internal investigation as external communication can have a significant influence on public opinion about the company. Proper dealing with the media may help maintain or reestablish public (and particularly investor) confidence in the company.
Finally, at the outset of the investigation, it should already be considered how the final product of the investigation will be presented. This is often a written report setting out:
- the methodology, process, as well as available data and information;
- the facts established; and
- conclusions, including proposals to improve, for example, control mechanisms and compliance in general.
However, a written report may not always be recommendable, in particular with regard to the risk that the work product be (involuntarily) disclosed to a regulator, in a civil proceeding or in the course of a criminal investigation. This holds true even if the investigation is conducted by Swiss outside legal counsel, as the applicability of Swiss legal privilege to investigation work products has been limited by recent decisions of the Swiss Federal Supreme Court. If the investigation is conducted in-house, it should be noted that there is no in-house legal privilege under Swiss law. Against this background, we see an increasing tendency to request verbal reporting in a board of directors meeting, possibly combined with a key findings presentation.
Confidential or disclosed investigation
A decision must be made at the outset of an internal investigation about whether the investigation will be disclosed to employees or whether it should be conducted on a confidential basis. In Switzerland, it is not necessary to obtain approval from employee representatives or similar bodies to conduct an internal investigation. Also, it is not necessary to inform employees about whom an investigation will be conducted.
In our experience, there is no general rule as to whether an internal investigation should be conducted confidentially or be disclosed to employees (in addition to employees involved). Rather, the best set-up has to be assessed on a case-by-case basis, also in light of the scope of the internal investigation and the number of employees involved. In the case of post-M&A investigations, information from employees may provide the most useful results.
In-house versus external counsel
Internal investigations may either be conducted in-house (eg, by using internal business people, in-house lawyers or internal audit employees) or by independent external investigators. In our experience, the advantages of having the investigation conducted by external investigators (with substantial support by the investigated company’s internal staff) are the absence of conflicts of interest, broader market expertise, experienced, specifically trained staff and well-established collaboration with related service providers (eg, forensic e-discovery service providers). In addition, the independence of external investigators is often a key factor for third parties (such as shareholders, but also regulators and authorities) to add credibility and reliance to the internal investigation.
When choosing an external investigator, a company should carefully consider whether to task its longtime legal counsel or another outside legal firm. While a longtime corporate counsel will be very familiar with the company and could get swiftly up to speed with an internal investigation, which may save time and cost, there is also a risk that a company’s longtime counsel (and even more so the company’s auditors) lack independence and may become subject to ethical conflicts and divergent incentives.
Conduct of an investigation
Secrecy obligations provided by various Swiss laws and regulations can have an impact on or may hinder internal investigations in Switzerland. Strong secrecy obligations apply to banks, securities firms and certain other financial institutions. Moreover, there are also general secrecy provisions regarding business secrets and economic espionage, as well as contractual confidentiality obligations that may oblige a company to secrecy. The respective provisions are set forth in a variety of laws and regulations. They apply not only to individuals but also to legal entities (eg, banking secrecy and similar secrecy rights, including data protection). The Swiss data protection act is currently under review and, in the future, only individuals will be protected by the data protection act, similar to the situation in the European Union.
Furthermore, the investigator must ascertain that the data established in the frame of a specific investigation can be used as evidence in court proceedings, if necessary, and must avoid any breach of the prohibitions set forth in the Swiss Penal Code (PC) to gather evidence in Switzerland in connection with foreign proceedings (article 271 PC).
The company may review its own files and may interview employees if the employee consents. In cases of severe misconduct, it can prove advantageous to mandate external experts familiar with interview techniques and tactics. For a review of e-mail correspondence, the rules applicable to electronic discovery must be observed. These rules also apply for a review of, for example, letters addressed to an employee in the files of the company. Further measures include the collection of audio and video material, GPS data analysis or observations by private investigator firms. It must be noted that all such measures are only permitted as long as the personal rights and the health of the employee are not infringed. For further measures such as the tapping or recording of telephone conversations, it may become necessary to involve state prosecutors as the company is prohibited from using such far-reaching and delicate measures. The company should be careful not to unnecessarily escalate the data retrieval as, for example, the use of espionage software may render other instruments (such as a termination of the employee) void.
As in other jurisdictions, a key part of any internal investigation in Switzerland is the electronic discovery of data. Electronic discovery is mainly governed by guidelines, issued by the Federal Data Protection and Information Commissioner (FDPIC), about internet and email supervision by employees (latest version September 2013). In prudentially supervised companies such as banks and insurers, legal obligations may serve as a justification for the supervision of secondary data in e-mails such as recipients or time of sending.
If the company has implemented an internal regulation about supervision of email and message traffic (which we strongly recommend), such internal regulation may justify the retrieval of information from emails and messaging services – in particular if the employee has consented to such internal regulation beforehand, for example, as part of his or her employment agreement. However, the company in each case has to meticulously observe the principle of proportionality in actions taken against employees. Unless there is a strong suspicion of employee misconduct, the company must not supervise the entire behaviour of the employees in question (eg, by installing a video camera supervising the employee all day long). If the company has a clear and present suspicion of abuse, it may review emails specifically concerning a certain employee. However, this does not include emails labelled as private or archived in an electronic folder. If emails are unlabelled or labelled other than ‘private’, the company may assume that they are business-related and may review them.
While a company generally has the right to request and review all business-related data (including emails and text messages), particular issues arise in connection with the use of web-based services such as WhatsApp, where it is generally not practically possible to gather related data stored on non-Swiss servers.
As a rule, in Switzerland, internal investigations do not require the approval of employee representatives or workers’ councils. As mentioned above, it is also not necessary to inform employees about pending investigations, in particular if the company’s interests in keeping the investigation confidential outweigh the employees’ interests. In our experience, however, it is advisable in many cases to inform employees beforehand. They often learn about the investigation themselves anyway and usually consent to it, for example, by granting access to emails and documents.
Under Swiss employment law, employees must participate in interviews and provide truthful and complete information. If an employee becomes subject to criminal prosecution, certain limitations to the employee’s duty to cooperate may apply. However, there is no uniform opinion in Switzerland on whether the employee can refuse to cooperate (specifically based on the privilege against self-incrimination) or whether self-incriminating statements by the employee made during internal investigations are inadmissible evidence in a (subsequent) criminal governmental investigation. The Swiss Federal Supreme Court has yet to rule on this question. If an employee participates in an interview, the company may, as a rule, assume that the employee also implicitly consents to the investigation. It is not entirely clear under Swiss law whether or not the employee has the right to request attendance of his or her own attorney. Under certain circumstances, however, legal representation can be encouraged to facilitate the conduct of the interview and for the employee to feel more protected and thus more likely to cooperate. The company generally does not need to provide an attorney for the employee at the company’s cost. However, in view of their duty of care towards employees, companies in our experience often do provide access to an attorney at the company’s cost in case of investigations triggered by regulators or authorities. In practice, companies regularly pay these fees as a result of directors and officers liability insurance coverage.
It is disputed under Swiss law whether the employer must inform the employee about its suspicions prior to holding the interview. Pursuant to the Swiss Code of Obligations, the employer may only retrieve data about a specific employee to the extent that such data retrieval is required for the proper performance of the employment or to determine the suitability of the employee. The interpretation of this rule is, however, highly disputed in Switzerland.
The company must, furthermore, determine if and to what extent employee interviews should be recorded. If detailed minutes are taken, a court may subsequently find that such employee’s value as a witness in court is diminished.
Use of findings
The use of the findings of an investigation in the context of court or other official proceedings depends on the type of proceeding in question. As a general rule, the ‘fruit of the poisonous tree’ doctrine is not applicable under Swiss law. In criminal investigations, a court will usually ask whether the evidence could have been obtained legally by the state authorities and whether a balancing of interest (severity of the crime or infringement of personal rights by the obtaining of the evidence) weighs in favour of using the evidence (which is typically the case). In civil proceedings, evidence obtained by illegal means will only be taken into consideration if the interest in finding the truth clearly prevails. In administrative proceedings, the rules for criminal proceedings are usually applied.
Hence, a company conducting an investigation has a strong interest to obtain evidence through legal means, especially as gathering evidence by other means may expose the company itself to criminal actions.
Data transfer abroad
To the extent that data gathered is transferred abroad, the rules of article 273 PC (and other similar secrecy rules), which effectively prohibits the disclosure abroad of non-public third-party information with a sufficient nexus to Switzerland, need to be complied with, in particular by appropriately redacting relevant third-party information. However, documents may be transmitted in unredacted form if the third party has consented to the disclosure of its details and if no state interests are involved.
The Federal Data Protection Act furthermore prohibits any transfer if, in the country of the recipient, there is no data protection comparable to Swiss data protection. As Swiss data protection today extends to legal entities the same way it does to natural persons, this is often not the case. Furthermore, US data protection regulation is deemed insufficient from a Swiss data protection law point of view. However, a transfer may be permitted without consent if it is necessary to enforce claims in court, or in case of overarching public interests (pure private interests are not sufficient). Furthermore, there is a group privilege (subject to prior notification of the FDPIC) to transfer data within a group of companies. If a cross-border transfer is a problem, the storage and analysis of the data is typically done in Switzerland and the results are only transmitted abroad in an anonymous manner. As a consequence, the servers used in the investigation should be located on Swiss territory and be accessed from and reviewed in Switzerland.
For investigations initiated by a foreign authority or proceedings in a foreign court, article 271 PC also needs to be observed. Acts undertaken in Switzerland for and on behalf of (or for the benefit of) a foreign state that, in Switzerland, would be acts done by a public authority are prohibited unless expressly authorised by the federal government, to avoid circumvention of mutual judicial and administrative assistance procedures. It must be noted in this regard that the collection of evidence, even in civil law court proceedings, is considered as an act reserved to state officials under Swiss law (as Switzerland has no concept equivalent to that of US pretrial discovery) and accordingly is subject to the limitations of article 271 PC. As article 271 PC protects Swiss public authorities, it has no extraterritorial application. Accordingly, article 271 PC does not come into play in circumstances where evidence is collected and reviewed outside Switzerland, including, for example, if interviews with Swiss employees are conducted abroad, just across the border from Switzerland. Notably, even consent by the involved persons does not prevent the actions taken in Switzerland from being illegal. Even acts prior to the initiation of court proceedings may sometimes be considered illegal. As a rule, a party in foreign court proceedings may (with certain specific limitations) submit its own documents to support its position in the foreign proceedings. However, it may not file documents compelled by a court order (similar rules apply to third parties being called as witnesses). A third party may only respond to general enquiries.
In connection with internal investigations conducted in Switzerland, article 271 PC may become an issue if the investigation is conducted with a view to later providing the work product or documents collected to foreign authorities or courts.
Article 271 PC and article 273 PC do not apply to the company in cases where information is provided through administrative or judicial assistance channels. In particular, in connection with foreign proceedings and investigations, the company should to the extent possible request foreign authorities and courts to seek information through the route of administrative or judicial assistance.
Early preparation highly recommendable
In light of the issues summarised above, a Swiss-domiciled company is well-advised to prepare early for possible internal investigations. In summary, we strongly recommend the following steps to be taken.
- Allocation of competence. The company should establish whether the compliance, legal or risk departments are competent to analyse trigger incidents and to determine who should lead an investigation.
- Allocation mechanism for investigation budget. The company needs a mechanism to allocate a budget quickly to the investigation team (costs of internal investigations can be very considerable; in particular, if non-Swiss lawyers have to be involved).
- Training of employees. Ideally a company should build up certain competences (including training) in the relevant departments (which are typically compliance, legal or internal audit).
- As part of this training, standard proceedings and standard documents such as interview forms, among others, can be prepared. Larger companies may consider obtaining forensic software and reviewing their document management systems in the context of their suitability for investigations.
- Employment contracts and regulations may be reviewed and adapted to permit the company to send employees on garden leave and to review their emails. The entity’s email policy will ideally state that the email may not be used for private purposes.
- Furthermore, the company should issue a regulation on email supervision. Among the further documents that can be prepared are regulations concerning document retention and application for Sunday and night work for the project team.
- The company may also consider establishing a whistleblowing policy, which should establish a clear reaction mechanism and prevent disadvantages to the whistleblower.