Strategic Considerations in Cross-Border Investigations
This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight
This chapter offers insight into how to navigate the modern complexities of cross-border securities investigations, in particular those involving the US Securities and Exchange Commission (SEC) and the Department of Justice (DOJ). In contrast to purely domestic investigations, cross-border investigations may involve uncertainty as to whether information, documents and witnesses that reside outside an authority’s traditional territorial jurisdiction are nevertheless subject to the authority’s reach. While jurisdictional complexities, data privacy protections and incompatible legal systems may constrain cross-border efforts, recent multilateral and bilateral agreements may catalyse investigations. At the same time, the subject of a cross-border securities investigation must consider the dichotomies in information and access between it and its regulators. Careful cooperation and coordination with the SEC, the DOJ and foreign agencies is a crucial element in successfully resolving any cross-border securities investigation in a manner most favourable to one’s client.
Initial strategic considerations
To the extent self-reporting is an option, the first strategic consideration in a cross-border matter involving securities laws is whether, when, to whom and how a company should report potential securities-related misconduct. Whether the misconduct is suspected or confirmed through an internal investigation, a company must weigh the potential benefits, risks, need and wisdom of self-reporting. The myriad considerations in this holistic inquiry include the ability to control the information flow to regulators, the likelihood of cooperation credit and reduced penalties, the reputational impact (such as influence on share prices) and the costs of outside counsel. Different jurisdictions have different rules on announcing or publishing the identity of a suspect, target or defendant.
Critical to the calculus of whether and how to report to and cooperate with securities regulators is the increased cooperation and information sharing among enforcement governments. When dealing with a singular regulator in a single jurisdiction, a company may have a greater opportunity to influence the enforcement narrative to its benefit. However, information that is shared in one jurisdiction may easily become known in another jurisdiction, potentially with different exposure for liability and without any required notice to the subject of investigation.[2]
Thus, the subject of an investigation must assume that any information that is shared with one regulator will be known by every other relevant regulator across multiple jurisdictions. From this assumption, the driving force behind self-reporting is determining which jurisdiction has the most onerous regulatory regime so that the subject is ahead of compliance with any self-disclosure requirements. For example, while the threshold for reporting regulatory breaches to the UK Financial Conduct Authority (FCA) or the UK Prudential Regulation Authority (PRA) is very low, a party must weigh the relative investigation burdens by foreign authorities.
At the same time, cross-border investigations may involve multiple regulators with different enforcement cultural nuances (beyond strict legal authority). A company must also take these local cultures into consideration, including the aggressiveness of enforcement and prosecution, differing treatment of witnesses, risk of heightened regulatory scrutiny across businesses and changing political pressures on enforcement. For example, in 2018, the DOJ announced a new ‘anti-piling-on’ policy aimed to ‘discourage disproportionate enforcement of laws by multiple authorities’, recognising the increasing number of simultaneous investigations across numerous jurisdictions, the potential inequity of cumulative prosecution and the need to credit companies (where appropriate) for penalties paid in other jurisdictions.[3] Under this policy, the DOJ considers the totality of fines and penalties imposed by all government agencies to avoid ‘piling on’ excessive punishment. Yet two years after the announcement of this policy, a senior DOJ official warned companies against using the policy ‘offensively or tactically’ with the DOJ, undermining the potential to use the anti-piling-on policy to successfully defend against charges.[4] Further, given the attention paid to investigations into multinational corporations and high net worth individuals, regulators may compete with each other to secure the highest penalties from the investigation’s subject. All of these dynamics must factor into a company’s decision to self-report and cooperate.
Basics of coordination among international regulators
Generally, a regulator’s direct ability to access evidence abroad (i.e., outside its jurisdiction)is limited.[5] However, regulators and securities authorities have a wide range of informal and formal tools for coordinating securities investigations, including mutual legal assistance treaties (MLATs), memoranda of understanding (MOUs) and specific agreements between countries in relation to particular subjects.[6] These tools can serve to manage constrictions such as confidentiality assurances, bank secrecy laws, dual criminality requirements or weak legal authority in a foreign counterparty to access information and data abroad. Such coordination tools have only grown in recent years.
Traditionally, MLATs were a common method through which the SEC and other US enforcement authorities enlisted the cooperation of foreign authorities during cross-border investigations. MLATs are bilateral agreements that authorise government attorneys to request and obtain evidence – physical, documentary and testimonial – located abroad. Outside the DOJ’s criminal investigations, the SEC is one of a few civil regulators in the United States to which MLATs are available. The United States has signed MLATs with over 70 countries, including every Member State of the European Union.[7] However, the MLAT process has been widely criticised as being too slow for modern cross-border investigations, leading to more recent agreements and tools to accelerate and facilitate obtaining evidence abroad. Yet the MLAT process continues to be used in investigations and enforcement actions; recent attention has even been given to the risk of US prosecutors using MLAT requests to suspend statutes of limitations that would otherwise have expired.[8]
In 2002, the International Organization of Securities Commissions (IOSCO) formed a non-binding agreement – the Multilateral Memorandum of Understanding Concerning Consultation and Cooperation and the Exchange of Information (MMOU) – to standardise the protocol of information sharing among international securities regulators. The MMOU created incentives for jurisdictions to enact legislation enabling information sharing among international regulators, and more than 100 securities and derivatives regulators are now signatories to the MMOU (including the SEC and the US Commodity Futures Trading Commission (CFTC), the Hong Kong Securities and Futures Commission, the FCA and the Australian Securities and Investments Commission).[9] The result has been to ‘increas[e] and expedit[e] the SEC’s ability to obtain information from a growing number of jurisdictions worldwide’.[10]
Specifically, the MMOU provides for: (1) sharing of information and documents held in regulators’ files; (2) obtaining information and documents regarding transactions in bank and brokerage accounts, including the beneficial owners of such accounts; and (3) taking or compelling a person’s statement or testimony.[11] Prior to the MMOU, the SEC relied on bilateral MOUs for individual countries; in light of the MMOU, the SEC staff now recommends the negotiation of a bilateral MOU only if a foreign securities authority is empowered to provide assistance beyond that required by the MMOU, such as the ability to compel testimony or the gathering of internet service provider (ISP) and phone records.[12] The MMOU further provides that shared information may be used in administrative and civil proceedings and provided to law enforcement authorities.
As of 2019, the SEC (and the CFTC) is also a signatory to IOSCO’s 2016 Enhanced Multilateral Memorandum of Understanding (EMMOU), which specifically addresses information sharing among securities and derivatives regulators and enhances cross-border enforcement cooperation.[13] The EMMOU provides for new types of assistance for signatories, including: (1) compelling testimony under oath; (2) obtaining auditing information and other information relating to review of financial statements; (3) freezing or sequestering funds or assets; (4) obtaining subscriber identification records from telephone companies and ISPs; and (5) obtaining recordings of telephone conversations or other electronic communications maintained by regulated financial institutions.[14] Other signatories include securities authorities from Switzerland, the United Arab Emirates, the United Kingdom, Canada, Singapore, Korea and Hong Kong.[15]
In March 2018, the US Congress passed the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act), in part to address delays associated with MLAT requests for electronic information (such as emails, texts or social media posts). The CLOUD Act authorised US law enforcement agencies to obtain data in the possession, custody or control of communications service providers (CSPs) subject to US jurisdiction, regardless of where in the world the data is physically stored. This provision resolved an ambiguity in a prior law by clarifying that even if a CSP subject to US jurisdiction stores data outside the United States, it must still produce that data to US enforcement authorities when served with a subpoena or warrant. In 2019, the United Kingdom and the United States executed the first bilateral agreement pursuant to the CLOUD Act.
As signatories to the MMOU and the EMMOU, the SEC and the CFTC are required to give overseas regulators the ‘fullest assistance permissible’. However, regulators may consider whether an overseas regulator has abused or overused its requests to the counterparty regulator, and whether the demands of the overseas regulator have had a negative impact on the counterparty regulator’s own resources. Although the subject of a securities investigation cannot anticipate such dynamics, the potential for inter-authority tension, along with the ever-more-likely inter-agency cooperation, must factor into the subject’s strategic considerations.
Of course, in addition to these formal channels, international regulators may also informally choose to share investigative strategies and information on an ad hoc basis. For example, overseas regulators may attend interviews conducted by the SEC or the CFTC at the discretion of the US authority. As noted above, self-disclosed information from financial institutions is likely to be shared – very quickly – between regulators, both local and international. Potential subjects of securities investigations must also be aware of non-governmental organisations that enforce relevant rules: for example, the Egmont Group of Financial Intelligence Units consists of the financial intelligence units of more than 160 countries and provides a platform to exchange information.[16]
Importantly, many of these information-gathering tools are available to government securities enforcement attorneys, during both investigations and legal actions – not private parties defending against potential or actual charges of securities law violations. In the United States, for example, even individual criminal defendants pursuing evidence and testimony abroad after charges have been filed must request that a court issue letters rogatory to foreign countries; courts lack the authority to order the government to exercise its MLAT powers to request evidence and testimony from foreign countries when the letters rogatory method proves ineffective.[17] Letters rogatory are less formal than MLAT requests and compliance is left to the discretion of the courts in the requested country. Thus, subjects in securities enforcement investigations (even more so than defendants in securities enforcement actions) face significant dichotomies in accessing evidence abroad that is not within their own control.
Management of evidence production to various international agencies
Responding to the SEC and other international securities regulators generally entails providing relevant, non-privileged information, including documentary and testimonial evidence. Such responses range from complying with a subpoena or other compulsory process to the voluntary provision of information.[18] In practice, although there is little a company can do to resist complying with formal or compulsory requests without resorting to court proceedings, a company may negotiate with the relevant authority regarding the scope of documents responsive to the request, as well as the timing of production, to its benefit and as part of its holistic strategy.
A company’s strategy in managing a cross-border investigation becomes more complicated as it must manage responses to multiple authorities in different jurisdictions with differing areas of focus. Even in light of the increasing international cooperation among regulators, a company facing requests for formal disclosure may want to consider whether there is any strategic advantage to disclosing to one authority before another. At the same time, there are no restrictions in the United States regarding a firm sharing information about a domestic regulatory investigation with overseas authorities.
Within the United States, if there are parallel investigations by the DOJ and the SEC, the SEC may expect a company to voluntarily produce evidence simultaneously to the DOJ so as to avoid necessitating the issuance of a grand jury subpoena by the DOJ, which is governed by grand jury secrecy requirements of Rule 6(e) of the Federal Rules of Criminal Procedure, and which would limit sharing of evidence with the SEC by DOJ prosecutors. Thus, a US company should be prepared to make simultaneous productions as part of its cooperation.
In any event, a company must maintain the utmost organisation when identifying and processing information and documents, while managing regulators’ expectations and maintaining a strategic, global view of the investigation. Importantly, evidence production also implicates questions of legal privilege (including choice-of-law) questions – discussed in detail in Chapter 5 – as well as data privacy issues, discussed below.
Protecting against breach of data privacy and other laws in one jurisdiction while satisfying expectations of cooperation in another
Although there are few grounds on which a company can object to a national regulator providing information to overseas regulators, one such ground is that local laws may restrict a company’s or the regulator’s ability to transfer individual data overseas. Previously, a cooperating company may have considered voluntarily handing over more data than specifically required to demonstrate its willingness to cooperate (and, perhaps, to secure time to further internally investigate potential misconduct). Today’s modern era is saturated with electronic data, causing friction for a company subject to a cross-border investigation between satisfying the expectations of cooperation with regulators in one jurisdiction, while complying with more restrictive data privacy laws in another. Indeed, some countries, including France, have instituted civil or criminal liability for violation of their data privacy laws through blocking statutes.[19]
Notably, data protection in the United States is governed by various state and federal laws, rather than a unified data privacy law. Other jurisdictions have more comprehensive regimes. For example, the EU General Data Protection Regulation (GDPR) (in effect 25 May 2018) applies both within the European Union and to data controllers and processors (as defined in the regulation) outside the European Union, and restricts transferring data to countries that do not have adequate privacy protections.[20] The European Commission determines whether a country has adequate protection for EU data on a case-by-case basis; it has recognised that, for example, the United Kingdom, Japan, New Zealand and Switzerland provide adequate protection, but it has not recognised the United States.[21]
However, the GDPR introduced limited derogations to its principles based on ‘compelling legitimate interests’, including public interest, and covering non-repetitive transfers to foreign regulators. Significantly, the United Kingdom’s data protection authority has provided guidance that SEC-registered firms based in the United Kingdom can rely on the public interest derogation under the local data protections law to transfer records containing personal data to SEC staff during examinations.[22] Other potential solutions include redacting protected personal information before producing documents to authorities, though this may not be practical for high volumes of data.
Other jurisdictions have passed data privacy laws to, among other things, protect personal data and regulate how companies process and disclose personal data, including, but not limited to, Japan, Russia, India, Canada, the United Arab Emirates, Mexico, Taiwan and China.[23] Because of potentially applicable blocking statutes regulating – and, in some instances, criminalising – the production of protected information for foreign legal proceedings, companies operating internationally may consider the necessity of initiating proceedings in the United States or home jurisdictions to determine their disclosure-related rights and obligations, before taking action in a regulatory investigation. While courts may cite comity and defer to foreign statutes limiting access to information, there is a risk that courts may find that the importance of the information, weighed with the relative interests of the requesting and resisting countries, compels production of the protected data. Similarly, the DOJ has indicated that it does not look favourably on what it considers overly broad assertions of data privacy laws as grounds for withholding what the DOJ considers to be relevant documents.
Protecting jurisdictional defences in a country while responding to regulatory inquiries
Companies subject to cross-border investigations, even when cooperating with authorities, must not lose sight of jurisdictional defences to investigation and prosecution. For example, there are no mechanisms that enable an overseas regulator to request information directly from firms in the United States. In the United States, however, the DOJ and the SEC are able to subpoena documents from corporate entities present in the United States, and are generally entitled to documents of related, overseas entities, where the documents are within the ‘possession, custody, or control’ of the US-based entity. Notably, although US courts have required parent corporations to produce documents held by their foreign subsidiaries, the converse is not always true; a foreign subsidiary is generally not required to produce documents held by the US parent corporation. Yet this fact-specific test depends on the details of a subpoenaed entity’s corporate structure, business practices and method of electronic document storage. In the United Kingdom, the FCA and the PRA do not have express powers to require the production of information or documents where they are located in an overseas subsidiary, but a firm is expected to take reasonable steps to ensure that members of its group provide regulators with the requested data where they are within the firm’s possession or control.
Another jurisdictional consideration for lawyers counselling in cross-border securities investigations is the location of individual defendants and witnesses: where the individual resides, or where any interview with regulators takes place, may affect the admissibility of the individual’s testimony and the individual’s exposure to civil and criminal liability, separate from any corporate exposure.[24] As an initial matter, it is important to try to clarify whether an individual is considered by the regulator to be a suspect or target, or merely a witness. Counsel must also consider the risks and benefits of allowing individuals to be questioned by regulators voluntarily versus being compelled under court order. Moreover, foreign nationals may be able to challenge the statutes under which they are prosecuted on extraterritoriality grounds, and foreign jurisdictions are able to push back against US law enforcement’s expansive jurisdictional approach.
In sum, despite the expanding reach of national regulators, international companies should not accept that cooperation in a cross-border investigation requires abandoning all jurisdictional defences.
Familiarisation with local regulatory rules, cultures and trends will assist in successfully navigating cross-border investigations into potential securities misconduct. A core strategic consideration in investigations spanning the globe is access and control of information and data. Cooperation and information sharing among regulators is likely only to increase. Taking a global view of enforcement of securities laws will ensure that a subject can move towards the ultimate goal of finalising an investigation.
Footnotes
1 Scott S Balber is the managing partner and Pamela K Terry is a senior associate at Herbert Smith Freehills New York LLP.
2 See John D Buretta, Megan Y Lew, and Courtney A Gans, ‘Co-operating with the Authorities: The US Perspective, Global Investigations Review’, The Practitioner’s Guide to Global Investigations, Volume I: Global Investigations in the United Kingdom and the United States (4th ed. 2020).
3 U.S. Dep’t of Justice, Policy on Coordination of Corporate Resolution Penalties (9 May 2018), available at https://www.justice.gov/opa/speech/file/1061186/download.
4 See Clara Hudson, ‘DOJ official warns against exploiting the anti-piling on policy’, Global Investigations Review (9 December 2020), available at https://globalinvestigationsreview.com/just-anti-corruption/enforcement/doj-official-warns-against-exploiting-the-anti-piling-policy.
5 See Chapters 1 and 2 for the jurisdictional reach of relevant enforcement agencies.
6 See generally Evan Norris, ‘How Enforcement Authorities Interact’, Global Investigations Review (19 August 2019), available at https://globalinvestigationsreview.com/review/the-investigations-review-of-the-americas/2020/article/how-enforcement-authorities-interact.
7 Evan Norris and Morgan J Cohen, ‘How US Authorities Obtain Foreign Evidence in Cross-Border Investigations’ (13 October 2020), available at https://globalinvestigationsreview.com/review/the-investigations-review-of-the-americas/2021/article/how-us-authorities-obtain-foreign-evidence-in-cross-border-investigations.
8 See Aruna Viswanatha and Dave Michaels, ‘Justice Department Accused of Abusing Process to Extend Statute of Limitations’, Wall Street Journal (2 February 2020), available at https://www.wsj.com/articles/justice-department-accused-of-abusing-process-to-extend-statute-of-limitations-11580657654.
9 U.S. Securities and Exchange Commission, ‘International Enforcement Assistance’, https://www.sec.gov/about/offices/oia/oia_crossborder.shtml (accessed 29 August 2021).
10 id.
11 id.
12 U.S. Securities and Exchange Commission, ‘SEC’s Cooperative Arrangements with Foreign Regulators’, https://www.sec.gov/about/offices/oia/oia_coopfactsheet.htm (accessed 29 August 2021).
13 id.; see IOSCO’s Enhanced Multilateral Memorandum of Understanding Concerning Consultation and the Exchange of Information (2016), Article 3(2), available at https://www.iosco.org/about/pdf/Text-of-the-EMMoU.pdf.
14 U.S. Securities and Exchange Commission, ‘SEC’s Cooperative Arrangements with Foreign Regulators’, https://www.sec.gov/about/offices/oia/oia_coopfactsheet.htm (accessed 29 August 2021).
15 Evan Norris and Morgan J Cohen, ‘How US Authorities Obtain Foreign Evidence in Cross-Border Investigations’ (13 October 2020), available at https://globalinvestigationsreview.com/review/the-investigations-review-of-the-americas/2021/article/how-us-authorities-obtain-foreign-evidence-in-cross-border-investigations.
16 id.
17 United States v. McLellan, 959 F.3d 442, 471 (1st Cir. 2020).
18 The Securities Act, the Securities Exchange Act, the Investment Advisers Act and the Investment Company Act all permit the SEC to issue subpoenas in connection with an ongoing investigation of misconduct. See 17 C.F.R. § 11.4(a).
19 See French Penal Code Law 80-538.
20 See Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 Apr. 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, Official Journal of the European Union L 119 at 1-88 (4 May 2016).
21 See ‘Adequacy decisions: How the EU determines if a non-EU country has an adequate level of data protection’, European Commission, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en; ‘Data protection: Commission adopts adequacy decisions for the UK’, European Commission (28 June 2021), https://ec.europa.eu/commission/presscorner/detail/en/ip_21_3183.
22 U.S. Securities and Exchange Commission, Division of Examinations, 2021 Examination Priorities, at page 11, available at https://www.sec.gov/files/2021-exam-priorities.pdf (accessed 29 August 2021).
23 See Edward T Kang, Paul N Monnin and Daniel J Felz, ‘Multinational Aspects of SEC Investigations’, at nn. 59-66, SEC Compliance and Enforcement Answer Books (2020 edition), available at https://www.alston.com/-/media/files/insights/publications/2019/09/26751311seccomplianceanswerbook2020.pdf.
24 See Chapter 3 for unique considerations for representing individuals versus entities.