Forensic Procedures in Securities Investigations


Common types of securities-related investigations and related forensic procedures

Each investigation is unique in many respects, owing to the nature of the alleged wrongdoing, the jurisdiction involved and the company’s industry; however, there remains a basic framework applicable to most investigations, including some common processes and procedures. Most forensic investigations have the following key elements:

  • a triggering event;
  • a preliminary analysis;
  • planning and coordination;
  • discovery of data and other evidence;
  • interviews;
  • compilation and analysis of facts;
  • conclusion of findings; and
  • reporting of findings, recommendations and remediation.

Most of these elements will be repeated during an investigation as allegations are clarified and additional information is assessed, resulting in additional planning, discovery, interviews and analysis being performed.

In this chapter, we consider some common areas for securities-related investigations and techniques that can be deployed, including data collection and processing considerations.

Accounting-related fraud

While perhaps not as prevalent as in the early part of this century, accounting fraud remains a focus of global enforcement agencies. When accounting fraud occurs, it can have a significant impact on shareholders, company customers and vendors, and overall market confidence. Large-scale accounting cases remain, with notable recent European examples involving NMC Health plc, Finablr plc and Wirecard AG. Recurring enforcement actions from the US Securities and Exchange Commission highlight that the prosecution of those engaging in accounting fraud remains a priority even if the scale of misconduct under investigation in recent years has not been as significant as in the past. Given the increased uncertainty surrounding the projected global economic forecast, arising from ongoing high inflation, continued disruption in the supply chain, challenges in the labour force and increased borrowing costs, the pressure on companies and the scrutiny of their performance rises. It is during these times that there is increased incentive or pressure for potential wrongdoers to engage in misconduct. Motives for committing financial-related fraud can be widespread, ranging from increasing the value of company shares and stock options, to the need to meet analyst expectations, or to obtain necessary increases in funding through equity or debt providers. However, corporations do not commit fraud – fraud schemes are perpetrated by individuals within the company, frequently with the assistance of outside third parties. It is important when investigating misconduct to identify the personal motivations of individual employees, such as: promotion and advancement; bonus and increased compensation; stock options and stock incentive plans; and personal egos and standing in the community.

The most common accounting-related fraud schemes involve intentional acts resulting in:

  • overstatement of revenue and assets;
  • understatement of expenses and liabilities;
  • inaccurate application of accounting estimates;
  • misapplication of generally accepted accounting principles; or
  • false statements or omission of information material to the users of financial statements.

Several of these schemes start off small, with the fraud occurring to rectify a short-term deficit in a company’s earnings. Accelerating revenues or deferring expenses in the current quarter can enable the company to meet or exceed analyst expectations, with the thought being that the business is expected to pick up in the subsequent quarter so entries can be reversed and nobody will be harmed. When the increase in business fails to materialise, the fraud often needs to continue to hide the activity. Over time it can grow significantly, becoming increasingly complex and more damaging.

Techniques for investigating revenue schemes

A revenue scheme involving the posting of fictitious sales is relatively straightforward to orchestrate but can initially be challenging to detect. By nature, these sales are not real and fraudsters must deploy means to conceal the fact that no cash will ultimately be received. A detailed analysis of accounting records and data in the following areas can reveal trends indicative of potential fictitious sales:

  • cash receipts: review for cash being misallocated to other customer accounts, or other invoices within the same customer receivables balance, thereby falsely recording the settlement of fake invoices (a scheme known as lapping);
  • write-offs: large write-offs of customer account balances, unsupported by legitimate collection efforts, can be an indicator of inappropriate activity; and
  • unusual accounting entries: entries that transfer receivable balances to other asset categories with no expectation of being collected, or to offset a liability.

Cut-off schemes are well known to enforcement agencies and most often involve recognising revenue on genuine sales but earlier than permitted under relevant accounting guidance. Cut-off scheme fraud is often perpetrated by:

  • entering into ‘side agreements’, written or oral, with customers whereby the company agrees not to enforce contractual arrangements until certain later dates (or provides a right to return unsold products);
  • shipping products to customers before the order request date;
  • shipping products to intermediate holding locations rather than the customer; or
  • amending shipment terms so the customer takes ownership of the goods at shipment versus delivery.

Documents may be manipulated, amended, backdated or otherwise altered to document the transaction under terms inconsistent with the actual agreement with the customer. Investigative techniques will frequently involve:

  • data analysis on sale trends, including timing of large sale transactions at the end of the quarter and evidence of financial records being left ‘open’ to record sales after the actual quarter close;
  • reconciliation of the timing of transactions in the accounting system (structured data) to what was actually occurring at the transaction date, often obtained through interviews, email records, customer correspondence or other forms of unstructured data;
  • review of changes in credit terms on customer accounts, including for specific invoices; or
  • analysis of subsequent returns of products, issuance of credit notes to customers that can be offset against future purchases, or write-offs of receivable balances of quarter-end sales.
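The first and last techniques in this list can be combined in a few lines of analysis over the sales ledger. The following is an added example, not part of the original article: it measures how much of each quarter's revenue was invoiced in the final days of the quarter and flags quarter-end invoices that were largely credited back shortly afterwards. The field names, the 5-day and 45-day windows, the 50 per cent reversal share and the ledger rows are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta


def quarter_end(d):
    """Last calendar day of the quarter that contains d."""
    end_month = ((d.month - 1) // 3 + 1) * 3
    first_of_next = date(d.year + (end_month == 12), end_month % 12 + 1, 1)
    return first_of_next - timedelta(days=1)


def quarter_end_concentration(sales, window_days=5):
    """Per quarter, the share of revenue invoiced in the last window_days."""
    totals = defaultdict(lambda: [0, 0])  # quarter end -> [all revenue, late revenue]
    for s in sales:
        qe = quarter_end(s["date"])
        totals[qe][0] += s["amount"]
        if (qe - s["date"]).days < window_days:
            totals[qe][1] += s["amount"]
    return {qe: late / total for qe, (total, late) in totals.items() if total}


def reversed_quarter_end_sales(sales, credits, window_days=5,
                               reversal_days=45, min_share=0.5):
    """Invoices raised in the last days of a quarter and then credited or
    returned, for at least min_share of their value, soon after quarter end."""
    by_id = {s["invoice"]: s for s in sales}
    credited = defaultdict(int)
    for c in credits:
        sale = by_id.get(c["invoice"])
        if sale is None:
            continue  # credit note with no matching invoice: review separately
        qe = quarter_end(sale["date"])
        late_sale = (qe - sale["date"]).days < window_days
        soon_after = 0 < (c["date"] - qe).days <= reversal_days
        if late_sale and soon_after:
            credited[c["invoice"]] += c["amount"]
    return sorted(i for i, amt in credited.items()
                  if amt >= min_share * by_id[i]["amount"])


# Constructed sample ledger (not real data).
SALES = [
    {"invoice": "INV-001", "date": date(2023, 1, 17), "amount": 40000},
    {"invoice": "INV-002", "date": date(2023, 2, 20), "amount": 35000},
    {"invoice": "INV-003", "date": date(2023, 3, 10), "amount": 25000},
    {"invoice": "INV-004", "date": date(2023, 3, 30), "amount": 90000},
    {"invoice": "INV-005", "date": date(2023, 3, 31), "amount": 60000},
    {"invoice": "INV-006", "date": date(2023, 4, 14), "amount": 30000},
]
CREDITS = [
    {"invoice": "INV-002", "date": date(2023, 3, 5), "amount": 2000},
    {"invoice": "INV-004", "date": date(2023, 4, 12), "amount": 85000},
    {"invoice": "INV-005", "date": date(2023, 4, 20), "amount": 5000},
]

if __name__ == "__main__":
    for qe, share in sorted(quarter_end_concentration(SALES).items()):
        print(f"quarter ending {qe}: {share:.0%} of revenue in the final 5 days")
    print("reversed after quarter end:", reversed_quarter_end_sales(SALES, CREDITS))
```

Hits from either function are leads to reconcile against shipping documents, emails and interviews, not findings in themselves.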

The investigative techniques previously discussed can also assist in discovering other revenue fraud often perpetrated with the assistance of a third party such as ‘channel stuffing’ or ‘round-tripping’.

Techniques for investigating earnings management

With public companies commonly announcing anticipated earnings per share values, coupled with analysts’ expectations, there is pressure to meet or exceed targets.

While there are many ways in which companies can manage earnings, a common method is the intentional misapplication (i.e., manipulation) of accounting estimates. Accounting estimates are an appropriate and necessary part of preparing financial statements and include allowances for doubtful debts, inventory reserves, impairment of long-lived assets, sales returns and warranties, and contingent liabilities, to name a few.

Financial fraud involving the manipulation of accounting estimates is investigated through the following techniques:

  • assessing, over time, the consistency of the methodology applied, including the basis of the calculation, the source of the data used and whether any current developments render historical practices insufficient or invalid;
  • determining whether factors that could impact the estimate are intentionally omitted (e.g., if, as part of a new sales campaign, increased warranty periods are offered but are not factored into the estimate calculation);
  • considering the integrity of data used to form estimates to confirm that it has not been doctored or amended (e.g., amended historical warranty or right of return data to ‘justify’ a lower warranty provision);
  • conducting reviews of emails, interviews and general business trends to assess whether assumptions used do not accurately reflect management’s true knowledge and belief at the time the estimates were made; and
  • assessing and re-computing estimates to ensure that the mathematical model calculations are accurate and factor in all the required input and assumptions, and that these are accurate.


Corruption investigations are typically multifaceted and complex owing to the nature of corrupt payments, with the majority frequently involving several jurisdictions.

Corruption can be straightforward such as lavish entertainment and gifts, donations to charities and hiring of relatives of government officials. These transactions can typically be quantified and traced within accounting and corporate records. Schemes involving kickbacks to secure contracts can increase the level of complexity as they commonly involve the use of third parties (e.g., agents) and are recorded as apparently genuine transactions within the company’s books and records. Investigation techniques seek to gather circumstantial evidence that suggests that payments may not be for the stated purpose, and ring-fence the issue through document review and interviews, thereby ‘boxing in’ those involved in the scheme.

While each investigation differs, common techniques include:

  • data analytics and research on third-party suppliers, including the amount and frequency of payments, the timing of payments relative to key project milestones, one-off vendor payments and spending on higher-risk service providers;
  • evaluating a company’s compliance with its own internal policies and procedures, including procurement controls around sourcing and vendor identification, the number of bids or tenders, the vendor evaluation and selection processes, vendor due diligence procedures, contracting (including payment terms), and purchase order and invoice processing;
  • background research into higher-risk vendors, including ownership and management, relevant skills and resources, a track record of similar project delivery, transparency of work performed and costs incurred, reputation and past allegations of misconduct;
  • reviewing commissions and bonuses paid to third parties and company; and
  • reviewing emails using tailored search terms and the chronology of the project (e.g., request for information, request for proposal, bid submission, commencement date, significant change order submissions and acceptance, and milestone payments).

Money laundering

Money laundering involves the transfer of funds that are the proceeds of illegal acts, the transfer of unreported funds (above specified monetary limits) or the transfer of funds not in compliance with the relevant country’s banking laws. Although money laundering is a diverse and often complex process, it generally involves three stages: placement, layering and integration. Those investigating allegations of money laundering benefit from the fact that money laundering transactions have a digital footprint with virtual and physical connections. Analysing data and making connections between different bank accounts and individuals or corporations is the cornerstone of these investigations.

Investigative techniques include:

  • extraction and analysis of customer, transaction and monitoring alert data;
  • in-depth public record research of high-risk customers and persons of interest to identify personally identifiable information that can be used to link individuals, accounts and corporations;
  • use of data analysis techniques to detect the initial placement of funds – these techniques seek to identify deposits that are:
    • large cash sums with little known about the origin of the cash;
    • small value amounts with high frequency; or
    • inconsistent with the business that is alleged to have generated the funds;
  • identification of layering patterns through ‘flipping transactions’ or round-trip transactions between entities that appear to lack a legitimate business purpose – appropriate analyses would identify large, frequent transactions between the same accounts (or a number of common accounts) for similar amounts on and around the same dates; and
  • investigation of extraction patterns through a review of accounts that appear to control the transaction flows inside a complex interconnected transaction network.
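Two of the analyses in this list, small high-frequency deposits at the placement stage and round-trip transfers at the layering stage, are shown below as an added example that is not part of the original article. The reporting limit, window sizes, tolerance, field names and all account data are constructed assumptions to be replaced with the values relevant to the jurisdiction and matter.

```python
from collections import defaultdict
from datetime import date

REPORTING_LIMIT = 10_000  # assumed reporting limit, for illustration only


def structured_deposits(deposits, limit=REPORTING_LIMIT, window_days=7, min_count=3):
    """Accounts with min_count or more sub-limit deposits inside a rolling
    window whose combined value exceeds the limit.
    Returns {account: (deposit count, total)} for the largest such window."""
    by_account = defaultdict(list)
    for d in deposits:
        if d["amount"] < limit:
            by_account[d["account"]].append(d)
    flagged = {}
    for account, rows in by_account.items():
        rows.sort(key=lambda r: r["date"])
        start = 0
        for end in range(len(rows)):
            while (rows[end]["date"] - rows[start]["date"]).days >= window_days:
                start += 1
            window = rows[start:end + 1]
            total = sum(r["amount"] for r in window)
            if len(window) >= min_count and total > limit:
                if total > flagged.get(account, (0, 0))[1]:
                    flagged[account] = (len(window), total)
    return flagged


def round_trips(transfers, max_days=3, tolerance=0.05, min_amount=50_000):
    """Pair each large A->B transfer with a B->A transfer of similar amount
    made within max_days. Each transfer is used in at most one pair."""
    rows = sorted(transfers, key=lambda t: t["date"])
    used, pairs = set(), []
    for i, out in enumerate(rows):
        if i in used or out["amount"] < min_amount:
            continue
        for j in range(i + 1, len(rows)):
            back = rows[j]
            if (back["date"] - out["date"]).days > max_days:
                break  # rows are date-sorted, so nothing later can qualify
            if j in used:
                continue
            reverse = back["src"] == out["dst"] and back["dst"] == out["src"]
            similar = abs(back["amount"] - out["amount"]) <= tolerance * out["amount"]
            if reverse and similar:
                used.update((i, j))
                pairs.append((out["src"], out["dst"], out["date"], back["date"]))
                break
    return pairs


def recurring_round_trips(transfers, min_pairs=2, **kwargs):
    """Account pairs that round-trip funds repeatedly."""
    counts = defaultdict(int)
    for src, dst, _, _ in round_trips(transfers, **kwargs):
        counts[tuple(sorted((src, dst)))] += 1
    return {pair: n for pair, n in counts.items() if n >= min_pairs}


# Constructed sample data (not real accounts or transactions).
DEPOSITS = [
    {"account": "ACC-1", "date": date(2023, 5, 1), "amount": 9500},
    {"account": "ACC-1", "date": date(2023, 5, 2), "amount": 9200},
    {"account": "ACC-1", "date": date(2023, 5, 4), "amount": 9800},
    {"account": "ACC-1", "date": date(2023, 5, 5), "amount": 9000},
    {"account": "ACC-2", "date": date(2023, 5, 1), "amount": 1200},
    {"account": "ACC-2", "date": date(2023, 5, 20), "amount": 800},
    {"account": "ACC-2", "date": date(2023, 6, 15), "amount": 1500},
    {"account": "ACC-3", "date": date(2023, 5, 3), "amount": 25000},
]
TRANSFERS = [
    {"date": date(2023, 6, 1), "src": "CO-A", "dst": "CO-B", "amount": 250000},
    {"date": date(2023, 6, 2), "src": "CO-B", "dst": "CO-A", "amount": 248000},
    {"date": date(2023, 6, 10), "src": "CO-A", "dst": "SUP-1", "amount": 80000},
    {"date": date(2023, 6, 15), "src": "CO-A", "dst": "CO-B", "amount": 300000},
    {"date": date(2023, 6, 16), "src": "CO-B", "dst": "CO-A", "amount": 301500},
    {"date": date(2023, 6, 20), "src": "CO-C", "dst": "CO-A", "amount": 60000},
    {"date": date(2023, 7, 30), "src": "CO-A", "dst": "CO-C", "amount": 60000},
]

if __name__ == "__main__":
    print("structuring candidates:", structured_deposits(DEPOSITS))
    print("recurring round trips:", recurring_round_trips(TRANSFERS))
```

The single deposit above the limit (ACC-3) is deliberately left out of the structuring check; it belongs to the first sub-category, large cash sums of unknown origin, which is a simple threshold filter.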

Economic sanctions

Sanctions have taken on unprecedented global priority as a historic number of countries (including some that had rarely or never used them before) deployed them in response to Russia’s February 2022 invasion of Ukraine. The United States, already the most expansive and aggressive user of sanctions for decades, issued several rounds of measures that collectively are unprecedented in scope and complexity. The UK not only similarly used sanctions as never before, but is also showing signs of considering moving in some ways toward a more enforcement-ready posture. And the US Department of Justice has very publicly announced that it is on high alert for signs of, and is ready to bring criminal prosecutions for, violations and evasion (going so far as to call sanctions ‘the new FCPA’). In this environment, companies can expect governments around the world – including but not only the US and UK – to initiate investigations and civil and criminal actions. And in the US at least, sanctions programmes other than the one for Russia – Iran, Cuba, and North Korea, for example – remain priorities, and will also continue to generate enforcement risk.

Sanctions violations – even purely regulatory, non-criminal ones – share many factual characteristics with corruption and money laundering ones. Liability can turn on the identities and geographical locations of counterparties, intermediaries and banks; the degree to which company and financial records accurately reflect parties’ identities and other material details; the particulars and documentation of financial transactions; and the degree to which company personnel were aware of, or at least on notice as to, key facts at the time problematic transactions were approved and executed (as reflected in company emails, memos, and other internal documents). Sanctions investigations will therefore tend to involve the same kinds of investigative techniques as those described above for corruption and money laundering investigations.

Cryptocurrencies: an emerging area of focus

The intersection of cryptocurrency and securities laws and regulations has increasingly become a controversial topic. Over the past year, the US Securities and Exchange Commission (SEC) Chairman Gary Gensler has attempted to define how one of the leading market enforcement agencies should regulate the crypto space, singling out Bitcoin as the sole crypto commodity and reiterating that ‘everything but Bitcoin’ could be considered a security. With the SEC’s 2023 landmark cases against industry leaders Binance and Coinbase, it is becoming increasingly apparent that financial investigators will need to have a strong grasp of crypto in the context of securities investigations as cases proliferate and regulatory precedent is established.

Crypto and securities

In the realm of cryptocurrencies and blockchain technologies, ‘everything but Bitcoin’ represents a vast, diverse and complex ecosystem of crypto tokens, companies and financial products. A variety of other blockchains exist outside of the Bitcoin blockchain, including the second largest cryptocurrency blockchain, Ethereum. Ethereum facilitates the creation of a virtually unlimited number of tokens such as ERC-20 tokens and ERC-721 tokens (more commonly referred to as non-fungible tokens or ‘NFTs’) through the use of smart contracts, self-executing programs on the blockchain that execute a set of functions that automatically enforce a set of actions once a set of conditions is met. Smart contracts facilitate technology like decentralised finance (DeFi), where peer-to-peer crypto trading, lending, investing and more can occur without the use of a centralised institution. In the SEC’s lawsuit against Binance, it charged Binance for the unregistered offering and sale of securities, specifically citing the sale of the ERC-20 tokens SOL, ADA and MATIC, among others. Binance has refuted the SEC’s claims, and as at the date of writing this consequential case for the crypto industry remains open.

Forensic procedures

Similar to investigations involving Bitcoin, investigations involving Ethereum, ERC-20 tokens and NFTs involve the tracing of funds by analysing activity recorded on the blockchain or blockchains, with the goal of identifying sources and destinations of funds, along with the parties involved with transfers. As with Bitcoin, the Ethereum blockchain is a distributed, immutable and public ledger organised and moderated among a series of nodes, or computer networks. Though complex and unreadable to human eyes in its raw format, blockchain data is made interpretable to investigators through the use of blockchain analytic tools. Both open-source block explorers such as Etherscan for ETH (the native cryptocurrency for the Ethereum blockchain, as well as ERC-20 and NFT tokens), and proprietary blockchain analysis software such as TRM Labs and Chainalysis can be leveraged in cryptocurrency investigations to interpret the blockchain data, identify key parties involved in transactions, and visualise the flow of funds.

There are, however, some major differences an investigator needs to be aware of when conducting a flow of funds analysis in an investigation involving Bitcoin versus ETH, ERC-20 tokens and NFTs. Bitcoin uses an Unspent Transaction Output (UTXO) model while Ethereum uses an account-based model. Though these differences are technically complicated, they can be thought of as the difference between peer-to-peer cash transactions in the case of Bitcoin, and bank account to bank account transactions, in the case of Ethereum, with Ethereum being an account credit and debit system.

DeFi applications commonly use ERC-20 tokens, such as Tether (USDT) as their native cryptocurrency. In order to use ETH within DeFi applications to exchange between tokens, and partake in other activities, you need ETH to be ERC-20 compliant. To accomplish this, ETH can be converted into Wrapped Ethereum (wETH), which is a tokenized ERC-20 version of ETH pegged one-to-one in value. By initiating a conversion transaction with a smart contract, an individual can send their ETH and receive back wETH minus transaction fees, colloquially referred to as gas. This conversion process is critical to note when investigating activity within DeFi, as conversion must occur from ETH to wETH in order to purchase NFTs, trade between currencies, invest or participate in a host of other financial activities.

Data collection

The data collection phase of a cryptocurrency investigation will closely mirror its traditional fiat currency investigation counterpart. Unstructured data sets such as emails, text messages, internal communication platforms and similar sources will provide critical information in reconstructing what and how certain acts occurred. However, the divergent variable between crypto and fiat investigations in the data collection phase involves the type of information targeted. Instead of traditional fiat currency identifiers, investigators will be looking for cryptocurrency addresses, transaction hashes or key word searches pertaining to known crypto exchanges, marketplaces and similar institutions. In the example of Ethereum, knowing that addresses start with ‘0x’ would aid in triaging information outside of the world of Bitcoin.

Upon collecting this information, investigators would then be able to pivot to the aforementioned blockchain explorers and investigative software. Taking crypto identifiers such as addresses and transaction hashes and inputting them into these tools would unveil critical information such as where funds were sent to, where funds were received from, potential services used in transferring funds, and other crypto addresses potentially connected to parties subject to the investigation. Not only does this advance the flow of funds investigation but permits investigators to re-query unstructured data sets with new information retrieved to identify new evidence.
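The triage and re-query loop described in the two paragraphs above can be sketched as follows. This is an added example, not part of the original article: the first pass pulls `0x`-prefixed Ethereum addresses (20 bytes, 40 hex characters) and 32-byte hashes out of unstructured text, and the second pass re-searches the same corpus for identifiers returned by tracing, including copies pasted without the `0x` prefix. The documents, identifiers and keyword list are constructed; the venue keywords are names that appear elsewhere in this article.

```python
import re
from collections import defaultdict

# Boundaries stop a 64-character hash from also matching as a 40-character address.
ADDRESS_RE = re.compile(r"(?<![0-9A-Za-z])0x[0-9a-fA-F]{40}(?![0-9a-fA-F])")
TX_HASH_RE = re.compile(r"(?<![0-9A-Za-z])0x[0-9a-fA-F]{64}(?![0-9a-fA-F])")
VENUE_KEYWORDS = ("binance", "coinbase", "uniswap")  # assumed keyword list


def extract_identifiers(documents):
    """First pass: index candidate addresses and transaction hashes by document.
    Keys are lower-cased because mixed-case (checksummed) and lower-case
    spellings refer to the same address."""
    hits = defaultdict(lambda: {"kind": None, "docs": set()})
    for doc_id, text in documents.items():
        for kind, pattern in (("address", ADDRESS_RE), ("tx_hash", TX_HASH_RE)):
            for match in pattern.finditer(text):
                key = match.group(0).lower()
                hits[key]["kind"] = kind
                hits[key]["docs"].add(doc_id)
    return {k: {"kind": v["kind"], "docs": sorted(v["docs"])}
            for k, v in hits.items()}


def keyword_hits(documents, keywords=VENUE_KEYWORDS):
    """Documents that mention a known exchange or marketplace by name."""
    found = {}
    for kw in keywords:
        docs = sorted(d for d, text in documents.items() if kw in text.lower())
        if docs:
            found[kw] = docs
    return found


def requery(documents, identifiers):
    """Second pass: search for identifiers learned from a block explorer.
    Matches on the hex body only, so a copy pasted without '0x' is found.
    A body embedded in a longer hex string also matches; treat hits as leads."""
    results = {}
    for ident in identifiers:
        body = ident.lower().removeprefix("0x")
        results[ident.lower()] = sorted(
            d for d, text in documents.items() if body in text.lower())
    return results


# Constructed identifiers and documents (not real addresses or messages).
ADDR = "0x" + "Ab12Cd34Ef" * 4      # 40 hex characters, mixed case
TX = "0x" + "9f" * 32               # 64 hex characters
COUNTERPARTY = "0x" + "0c" * 20     # stands in for an address found by tracing
DOCS = {
    "email-001": f"Please send the USDT to {ADDR} before Friday.",
    "chat-014": f"done, tx {TX} - cashing out through Binance next",
    "email-007": f"Wallet is {ADDR.lower()}, same as last time.",
    "memo-003": "Order ref 0x1A2B, invoice total 4,500.",
    "note-022": f"counterparty wallet {COUNTERPARTY[2:]} (pasted without prefix)",
}

if __name__ == "__main__":
    for ident, info in extract_identifiers(DOCS).items():
        print(info["kind"], ident, info["docs"])
    print(keyword_hits(DOCS))
    print(requery(DOCS, [COUNTERPARTY]))
```

A 32-byte `0x` value is only a candidate transaction hash until a block explorer confirms it, since other 32-byte values share the same shape.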

Legal roadblocks

Using block explorers and proprietary investigative software to trace funds increases the chances a centralised institution such as a crypto exchange will be identified where funds could have been cashed out (converted from cryptocurrency to fiat). In these instances, further information will need to be obtained through subpoena power, as centralised blockchain institutions utilise their own accounting systems, leveraging hot and cold wallets, with hot wallets being internet connected and cold wallets being disconnected. Funds cannot be traced through these institutions via the previously discussed methods because of how they store funds, in cold wallets, and send funds, in hot wallets. These institutions co-mingle customers’ funds and utilise their own internal accounting systems to track funds and take advantage of lower transaction fees. When a centralised institution is identified and records for the subject’s account are acquired through the appropriate legal process, not only will the subject’s transaction data be returned, allowing tracing to continue, but identifiers relating to the subject’s connected email address, banking information and linked devices, along with technical data, can also be obtained.

Conversely, when DeFi institutions such as decentralised exchanges (DEXs) are identified as conversion points in transactions, there is no comparable central authority to send legal process to. DEXs are entirely administered by smart contracts triggered when individuals using Externally Owned Accounts (non-smart contract Ethereum accounts controlled by users) initiate transactions. As such, there is no controlling individual or entity because the entire operation is merely decentralised, self-executing computer code. Albeit more complicated and requiring a higher level of expertise, tracing transactions through DEXs is possible when using proprietary blockchain analysis software. In such cases, it is most productive to trace the funds through the DEX in pursuit of finding a nexus to a centralised institution. Acquiring identifying information for the sending and receiving parties of a transaction when DEXs are used to effect a transaction is a complex area for which there is currently no easy solution.

In August 2023, the US District Court for the Southern District of New York issued a ruling involving Uniswap, the world’s largest DEX. Uniswap faced a class action lawsuit alleging that it was responsible for losses relating to certain scam tokens on the platform. In dismissing the lawsuit, the court likened illicit activity occurring on DEXs to third-party misuse of software, declining to stretch federal securities law to fit DEX activity and noting clarification would come from Congress, rather than a regulatory enforcement body.

Data governance considerations in forensic procedures

Data scope

Data collection, processing, analysis and review is a critical component of all investigations. While many data processing procedures are well established, given the continued expansion of data collections across international boundaries, the emergence of new technologies, applications and platforms, and the shift in technologies used by people around the world to communicate, new issues have emerged and modern techniques are necessary to effectively capture information relevant to an investigation. Some of these are discussed below.

Structured and unstructured data review

Data can be classified as unstructured (data that is not organised in any predefined manner, e.g., chats, audio, text messages, video and social media logs) or structured (made up of defined data types that are organised in tabular formats, e.g., enterprise resource planning accounting data, transaction records and Excel files). Semi-structured data has a hybrid of both structured and unstructured elements; email data falls under this category. While the actual content of the email is unstructured, it does contain structured data such as the names and email addresses of the sender and the recipient and the date the email was sent.

It is important to identify the available structured and unstructured data that might be useful to the investigation and assess how best to combine, process and search the information. Organisations must understand the nuances between both types of data to best assess how these data sets are governed, preserved and extracted for investigative purposes.

Data hosting considerations

With data being frequently collected from multiple jurisdictions, it is important to consider any restrictions with regard to whether collected data is permitted, either through regulations or contractual obligations, to leave the premises in which it is stored. For instance, data removed from an office building without appropriate permissions and safeguards may be subject to security and privacy breaches. The isolation of some data from other data – referred to as air locking – places data in a ‘quarantine’ state permitting it to be analysed outside a larger network, adding increased safety against cyberattacks and other malware infecting the main network. On the other extreme, cloud-based solutions for data hosting are becoming increasingly widespread, propagated further by the rise of remote working. Cloud-based solutions allow for the storage of large volumes of data, which can be accessed from different devices, and for easier scalability. Whereas in previous years, certain jurisdictions were slow to adopt cloud-based solutions, the rise in acceptance has seen exponential growth in recent years, which has enabled further adoption of this flexible solution.

Complex data issues and solutions

Off-channel business communications, including ephemeral messaging

As tech companies develop an ever-growing suite of online communication platforms, companies across the world face the imminent issue of business discussions on unapproved methods of communication, otherwise known as off-channel business communications. Off-channel business communications are restricted at financial institutions by regulations issued by the SEC and Commodity Futures Trading Commission (CFTC) that require businesses to retain documentation of all business communications for a stated number of years. Breaching such regulations carries significant consequences, evidenced by the SEC and CFTC issuing a combined US$2 billion of penalties between December 2021 and September 2022 against broker-dealer or registered investment adviser (RIA) entities from some of the world’s largest banking institutions.

Criminal enforcement has also weighed in on the use of such messaging, going beyond just the financial services sector. In early 2023, United States Assistant Attorney General Kenneth A Polite, Jr announced amendments to the Department of Justice (DOJ) Criminal Division’s Evaluation of Corporate Compliance Programs (ECCP). One amendment that garnered significant debate pertains to how company compliance programmes manage risks related to the use of personal devices and messaging applications (e.g., WhatsApp, WeChat, Line or Telegram). This is not the first time that the DOJ has raised concerns regarding the use of ‘ephemeral’ messaging and encrypted applications, and the potential inability of the company to preserve and make available as part of an investigation such communications. However, the latest pronouncement makes it clear that if a company does not turn over these types of communications, ‘prosecutors will not accept that at face value’ and that a ‘company’s answers – or lack of answers – may very well affect the offer it receives to resolve criminal liability’.

The above should make it clear that companies need to take proactive steps to manage how employees engage in business communications. Corporations need to assess the risks, balanced with the business needs of utilising messaging applications. This should result in: (1) the development of an internal programme or policy that identifies which employees can use ephemeral messaging, for what particular purposes, why the use is necessary, and what information can be communicated through ephemeral messaging; (2) a record maintained of those employees permitted to use ephemeral messaging including the scope of such use; and (3) appropriate training of such employees (and those groups supporting them, e.g., IT) on the use of ephemeral messaging and the associated risks. Firms may find it useful to review their current record-keeping systems and verify they conform with regulations. Having a solid record-keeping infrastructure is crucial, so delineating policies and procedures regarding preservation is a necessary first step.

When allegations surface that a company may have breached securities laws, investigations will have to consider off-channel business communications and the use of ephemeral messaging applications. Factors that may impact collections efforts include:

  • Bring-your-own-device (BYOD) or corporate-issued devices: A company’s ability to gather relevant information may be complicated by the company’s decision to provide phones to employees, permit employees to use a personal device – BYOD – or operate a hybrid model. Convincing employees to permit the company to download technology that can (1) prevent certain apps from being downloaded; and (2) have communication exchanges gathered and preserved, is challenging, especially if the employee is using a personal device or working in a jurisdiction with heightened privacy laws.
  • Use of mobile device management (MDM) software: Companies may deploy MDM that can assist IT departments to manage access to corporate data sources in a secure manner, but can also serve to restrict software, including apps, being installed on mobile devices. MDM software will permit a company to understand and monitor what apps are being downloaded, and may restrict such downloads, but typically, without certain configurations, does not permit the company to access the underlying data or communications included in the apps or device. Middleware solutions may be deployed to assist in the preservation and capture of the underlying data or messages.

Significant challenges stem from both the diversity of communication platforms and the sheer volume of data they produce. Because providers tend to be different, separate approaches must be taken with each. Some may be easier to analyse than others, such as Zoom and Slack, which are easily collected as a result of all data residing in the cloud. This data can be extracted (provided the organisation has the correct licensing) and reviewed (provided the processing software was properly deployed). The review of the data, however, can be more difficult in practice, as emerging communications providers format their data differently, which in turn may require processing software to be edited to incorporate different providers’ unique data.

While the preservation of communications is of paramount importance, it can often be difficult to retain data on certain applications. For example, chat programs such as Signal market themselves on the ephemeral nature of their messaging apps. This makes it exceedingly difficult to capture and retain all necessary data in a compliant manner.

Technology assisted review

Modern issues require innovative solutions. One of the potential solutions for reviewing data given the sheer size of files collected is the use of active learning technology and machine learning. Within electronic discovery, active learning goes by a few names, but one of the most common on the review end is technology assisted review (TAR). An increased reliance on machine learning can allow for quicker and more decisive review metrics by speeding up the review process as well as yielding more relevant results.

While new techniques and solutions are extremely valuable in reducing the time and costs to complete an investigation, it is vital that any tools employed will be accepted by relevant law enforcement or regulators. Discussing the approach will minimise the risk of having to re-collect or re-process data.

Legal roadblocks to performing certain procedures

Emerging data privacy concerns

National and international data-related legal provisions are now a common complication when conducting an investigation. Prior to data being transferred across borders, it is necessary to consider the relevant data privacy laws, especially if the data includes personally identifiable information. Further complicating the matter is the consideration of advanced security procedures to comply with blocking statutes and country-specific security laws. Compliance with these laws will be necessary at all stages of the process, including data collection, migration, security and privacy. Failure to comply can lead to significant penalties and fines for the violator.

Privacy laws, state secret and blocking statutes

Cross-border investigations need to consider an increasing number of privacy laws, state secret regulations and blocking statutes. In the European Union, the handling of data needs to be performed in accordance with the General Data Protection Regulation (GDPR), which protects the personal data of persons based in the EU. Several governments have passed legislation that prohibits information considered as sovereign state secrets from being exported outside country boundaries. A prominent example is China’s state secret laws, which present compliance challenges due to the ‘ambiguity of China’s law, and the inconsistent way it is enforced’.[2] Key European legislation, known as blocking or localisation statutes, may restrict the transfer of data to protect the commercial interests of the country, including perceived extraterritorial interference by other countries such as the US.

Organisations must understand that, to comply with such laws, clients may require that data remain on-site or in-country, which could create additional challenges for data collection and processing. This may also require a proactive review of relevant documents in country for state secret information and the exclusion of those documents so they are not exported overseas.


[1] Frances McLeod is the founding partner, Jerry Hansen and Neil Keenan are partners, Alejandro Gomez-Igbo is a director and Pete Bott is a senior associate at Forensic Risk Alliance. The authors also thank Meredith Fitzpatrick, director of cryptocurrency investigations and compliance.

[2] Megan Zwiebel, ‘Six Things About State Secrets to Consider When Engaging in Internal Investigations in China (Part Two of Two)’, Anti-Corruption Report (13 July 2016),
