Beginning an Internal Investigation: The UK Perspective

5.1Introduction

The trigger points for a potential internal investigation are increasingly diverse. Sources include employee allegations, whistleblowing, supplier or customer complaints, findings from internal or external audits, press reports, social media, blogs, third-party litigation and contact from government or regulatory authorities who may independently have uncovered an issue. In addition, potential issues may be uncovered during other internal investigations.

The focus of this chapter is on the key factors relevant to a company’s decision whether, when and how to launch an internal investigation and to highlight key considerations when undertaking document preservation, collection and review. These decisions are often made under significant time pressure and with only limited information. They can, however, have serious repercussions.

5.2Decision whether to notify any relevant authorities

A key initial question upon a potential issue coming to light is whether there is an obligation to notify any relevant authorities – which is likely, in turn, to impact the form of the internal investigation. Whether there is such an obligation will turn on the regulatory status of the company uncovering the issue, the expectations of the relevant authorities and the issue itself.

Firms regulated by the Financial Conduct Authority (FCA) are under a duty to deal with their regulators openly and co-operatively and to disclose appropriately anything relating to them of which the FCA would reasonably expect notice.^[2] The FCA Handbook sets out a non-exhaustive list of situations where a company is under an explicit notification duty, including where there has been a significant failure in the company’s systems or controls, there has been a significant breach of a rule imposed by the FCA, employees may have committed significant fraud against customers, or a significant infringement of any applicable competition law has, or may have, occurred.^[3] Although the timing of the notification will depend on the circumstances, the FCA expects a firm to discuss relevant matters with it ‘at an early stage, before making any internal or external commitments’ and in certain cases the notification obligation can be immediate.^[4] Dual-regulated firms owe similar obligations to the Prudential Regulation Authority (PRA).^[5]

Persons working in the ‘regulated sector’ (a wider concept than just firms regulated by the FCA) must submit (either directly or through their firm’s nominated officer) a suspicious activity report (SAR) to the National Crime Agency (NCA) in respect of information that comes to them in the course of their business if they know or suspect, or have reasonable grounds for knowing or suspecting, that a person is engaged in money laundering or terrorist financing, or even just attempting the latter.^[6] Even if a person does not work in the ‘regulated sector’, they may still wish to make a voluntary SAR and an accompanying application for a ‘defence against money laundering’ if they suspect that property they are dealing with is in some way criminal, and that by dealing with it they risk committing a relevant money laundering offence.^[7]

It may also be necessary to consider whether there are any notification requirements to professional bodies (e.g., the Solicitors Regulation Authority^[8] or, for accountants, their applicable supervisory body^[9]) or to the Information Commissioner’s Office (for example if a personal data breach may have occurred).^[10]

While there is no legal duty on a company to self-report to the Serious Fraud Office (SFO), the Deferred Prosecution Agreements Code of Practice (the DPA Code) states that it will be a public interest factor against prosecution if a company self-reports ‘within a reasonable time of the offending coming to light’;^[11] a point that has been strongly endorsed by the courts in the DPA judgments handed down to date.^[12] Likewise, in August 2019, the SFO published guidance on actions that companies being investigated by the SFO can take to increase their chances of earning ‘co-operation credit’ (Corporate Co-operation Guidance), which refers to reporting to the SFO ‘within a reasonable time of the suspicions coming to light’.^[13] This reference to ‘reasonable time’ allows some scope for a company to conduct at least a preliminary investigation into a potential issue prior to self-reporting, as reflected in a speech given by the current Director of the SFO, who acknowledged that companies ‘have a duty to their shareholders to ensure allegations or suspicions are investigated, assessed and verified, so they understand what they may be reporting before they report it’.^[14]

5.3Decision whether and when to launch an internal investigation

In addition to considering whether and when to notify any relevant authorities, the company will also have to assess whether it would be in its interests to conduct an internal investigation. This is an important decision as, once begun, an internal investigation can be difficult to stop or limit without damaging the company’s credibility.

There are, in general, a significant number of advantages to undertaking an internal investigation, including, principally, the ability to gain a better understanding of the facts to allow for more informed decision-making and the exploration of possible defences. There can also be significant financial benefits if the results of the investigation allow the company to apply for leniency or immunity (principally available in the competition sphere) or to self-report and co-operate with an external investigation to gain a discount on a potential future financial penalty (or avoid prosecution altogether). Undertaking an internal investigation can also help to show adequate procedures and a corporate culture where compliance is taken seriously, with wider benefits should the company’s compliance framework later be assessed (whether in the context of this or another investigation). Linked to this, an internal investigation can also allow for proper remediation and the implementation of corporate changes that might help to avoid the issue arising in future. Electing not to investigate can mean a company is in a purely reactive position with regard to any parallel external investigation or news story.

In certain circumstances, the factors in favour of conducting an internal investigation can be particularly acute. This can include where a company is effectively required to investigate to comply with its regulatory obligations (for instance to ensure compliance with the FCA Principles for Businesses)^[15] or for directors to comply with their fiduciary and other statutory or common law duties.^[16] A company may also have existing internal corporate governance codes or compliance policies that require an investigation to take place in the circumstances. On the other hand, in certain cases, authorities have been known to instruct companies not to conduct an internal investigation at all (for instance if it risks employees being ‘tipped off’ that they are under investigation, denying the authority the chance to monitor the relevant individuals covertly). Indeed, the FCA has stated that: ‘Whether and how a firm investigates internally must now be looked at from the point of view of whether doing so will assist or inhibit the FCA’s investigation.’^[17]

There are, however, a number of potential downsides to conducting an internal investigation that in certain circumstances can allow a company to conclude not to investigate or to do so only in response to external requirements. These downsides include the potentially high costs and resource requirements of the investigation, the distraction from the day-to-day job, and the publicity and reputational risk that the investigation (should it be made public) might incur. Depending on the outcome of any investigation, companies may need to notify stakeholders (such as insurers, auditors, lenders – particularly where the facts may constitute an event of default – and affected third-party clients, customers and counterparties), and listed companies may be required to make a disclosure to the market. There is also the risk that the internal investigation might result in the creation of non-privileged documents that could assist regulators and prosecutors, as well as potential civil claimants (such as customers or shareholders), to the detriment of the company, or that the investigation might uncover misconduct beyond the scope of the initial allegation.

Alongside the decision whether and when to conduct an internal investigation is the decision whether to instruct external legal counsel to advise on or even conduct the internal investigation. In addition to providing investigations expertise and increased resources, the engagement of external counsel can also bolster the independence of the investigation, which is important in a criminal or regulatory context, and provide an external viewpoint to balance the views of internal stakeholders. External counsel also help to increase the likelihood that privilege may apply to certain investigation documents, especially where the in-house legal team that might otherwise be running the investigation hold dual business and legal functions.

5.4Oversight and management of the investigation

On taking the decision to undertake an internal investigation, a threshold issue to determine will be the governance structure for the investigation, including who will have day-to-day management of the investigation and whom they will report to. The structure chosen will vary depending on the company and the issue.

It is common for responsibility for day-to-day management of the investigation to be given to the internal legal or compliance team, although alternatives include oversight by the board as a whole, the audit committee or a specially constituted board subcommittee. The chosen entity would likely also be the ‘client’ for the purposes of instructing external legal counsel, with a consequent effect on the analysis of when legal advice and litigation privilege may arise. In any case, it will be important for potentially implicated individuals to be excluded from the investigation team, which should be kept under review in case additional individuals are implicated during the investigation. Further, where external advisers have been brought in to conduct an independent review, to preserve this independence, it may be necessary to limit the ability of the client to instruct or influence the review beyond clearly defined parameters.

The question of whom the investigation team will report to will often be determined by a company’s existing corporate governance structure and framework of delegated authorities. However, in certain cases the company may choose to constitute a specific review body, such as a special subcommittee of the board or a panel of senior employees and external advisers. In such cases, the terms of reference of this body will need to be clearly defined, including what matters are to be referred to it, what powers it holds and how it is to interact with existing governance bodies in the company.

Where, as is common, the issue involves subsidiaries (some of which may not be wholly owned), it may be necessary to include considerations as to corporate separateness in the governance structure, including the possible need to report to the boards of these subsidiaries.

Whatever governance structures are selected, it will be important to keep these under review and be flexible as to potential amendments to reflect the changing scope of the investigation as new issues arise.

5.5Determining the internal investigation’s scope

Having a clearly defined scope, as reflected in written terms of reference and an investigation plan, is important to set clear objectives and the steps to help avoid a wide-ranging, unfocused investigation, with consequent wastage of time, resources and cost. Clearly setting and justifying the scope will also better allow the investigation to be auditable if queries arise in the future.

A number of variables will feed into the decision on scope, and there is no one-size-fits-all solution. A narrow scope can help to focus resources and reach a quicker conclusion, but it may risk missing potential conduct or valuable context. A wider scope can help to demonstrate that the investigation has been comprehensive, but it can be expensive and slow. In any case, the scope will be affected by the issues (including whether the company is facing criminal, regulatory or civil claims risk), the time pressures (especially if the company is in a race against co-infringers to apply for leniency) and whether there are concurrent investigations by authorities or internal investigations in other jurisdictions.

Part of defining the scope will also include a decision as to the final deliver­ables. While the default may be the production of a factual summary report alongside legal advice as to the company’s exposure, there is a risk the former may not be privileged. An alternative is for the investigation team to provide only oral updates on the factual findings. Other deliverables can include advice on potential self-reporting, employment law advice on disciplinary action against implicated employees, and proposals as to mitigation and remediation activities to help ensure the conduct is not repeated. The FCA Handbook states that a firm’s willingness to volunteer the results of its own investigation, whether protected by legal privilege or otherwise, is welcomed by the FCA and is something the FCA may take into account when deciding what action to take.^[18] Likewise, the DPA Code notes that co-operation (which is a public interest factor against prosecution) will include a company sharing its internal investigation report (including source documents) with the SFO; a point which has been highlighted by the courts in the DPA judgments handed down to date.^[19]

Companies must also assess whether the scope and terms of reference need to be agreed in advance with any authorities that are aware of the issue to be investigated. The benefits of doing so include potentially building co-operation credit with the authorities, reducing the risk of the authorities later criticising the scope of the investigation and allowing the authorities an opportunity to express their preferences as to the final deliverables and the practical conduct of the investigation. The SFO has been particularly concerned about the potential for internal investigations to ‘trample over the crime scene’, and early engagement can help to avoid later criticism of the investigation team’s actions.^[20] Further, the FCA Handbook states that if a firm anticipates that it will disclose a report of its internal investigation to the FCA, the potential use and benefit to be derived from the report will be greater if the FCA has had the chance to comment on its proposed scope and purpose.^[21]

Finally, at the scoping stage it can be helpful to assess what external resources may be required during the investigation, including the potential use of forensic accountants, asset tracers, private investigators, third-party experts, public relations firms, and local and foreign counsel.

5.6Document preservation, collection and review

In any internal investigation, it is critical to consider at the earliest possible opportunity the practicalities for the preservation, collection, review and analysis of relevant material. In its Corporate Co-operation Guidance, the SFO states that co-operation includes preserving available evidence and producing it to the SFO in an ‘evidentially sound’ format.^[22] Any decisions should then be recorded in a written investigation plan to preserve a clear audit or ‘chain of custody’ trail.

Although in the early stages of an investigation it may not be appropriate to conduct formal interviews, the investigation team may wish to consider conducting informal ‘scoping interviews’ to assist with scoping out the issues and identifying where relevant material might be stored. Care will need to be taken, given the preference of a number of authorities that they be consulted prior to interviews (even those relating to the location of evidence) to avoid the possibility of the internal investigation tainting the recollection of witnesses.

5.6.1Preservation

An important first step in document preservation is to identify who might hold information relevant to the investigation. The pool of people is likely to be broader than just those implicated in the conduct and may also include individuals reporting to them, individuals to whom they reported, secretaries and assistants, individuals in other departments they interacted with, and third parties outside the organisation. In some investigations, wider business units or offices might also be relevant.

In general, a company would then issue a hold notice (also known as a document retention or document preservation notice) to such individuals asking them to preserve (and not alter, discard, delete or destroy) all materials (including hardcopy materials) they may hold relevant to the investigation. Beforehand, however, the company should consider whether circulation of the hold notice may risk tipping off individuals relevant to the investigation if there is a risk they may destroy documentation or otherwise frustrate the investigation. In its Corporate Co-operation Guidance, the SFO states that genuine co-operation is inconsistent with ‘putting subjects on notice and creating a danger of tampering with evidence or testimony’.^[23] Potential solutions to address this risk include delaying the circulation of the hold notice until relevant materials have already been secured or carefully drafting the content of the hold notice so that it does not necessarily reveal the specific circumstances or content of the internal investigation (subject, however, to the data privacy considerations discussed below). The company should also consider the risk of a possible leak and whether the description in the hold notice may go beyond relevant market disclosures.

Companies should take care to keep a clear record of the recipients of these hold notices, especially where they are not circulated centrally, but instead are cascaded via the reporting structures of the organisation. As part of this, companies may wish to ask employees to acknowledge their receipt and understanding of the hold notice, though this can create an administrative burden and raises the possibility that an employee may refuse to acknowledge receipt. A middle ground may involve requesting an email read-receipt instead.

In support of the hold notices (which are issued to, and place the burden of preservation on, the relevant individuals), companies should also consider implementing background procedural steps to help ensure the preservation of relevant data. This can include the suspension of regular document destruction processes, activating permanent email holds (so that individuals cannot permanently delete data from their inbox), retaining computer drive backups (so that if individuals delete data from a shared drive, it can be recovered), retaining employee devices and preventing the recall of documents from archives without appropriate authorisation. It is good practice to implement these before the circulation of the hold notice to reduce the risk of individuals deleting data.

Preservation also requires companies to be alert to the risk of ageing technology or bespoke systems and to take steps to ensure that the data stored within them remains accessible during the investigation.

When issuing hold notices or implementing procedural steps to help ensure the preservation of relevant data, companies should carefully consider the potential application of data privacy rules and appropriately document their consideration of the data subjects’ interests. In particular, key considerations under the General Data Protection Regulation (GDPR) would include ensuring appropriate transparency (so that the data subjects are aware of the scope and purposes of the preservation), data minimisation (so that no more data is preserved than is necessary) and storage limitation (so that the data is not stored for longer than is necessary).

5.6.2Collection

Having preserved all relevant data, the next step is to identify what should be extracted and made available for potential review. A key part of this involves identifying which individuals are most likely to hold data relevant to the investigation (referred to as ‘custodians’) and which other sources might yield relevant documents (including any third-party sources). Companies will also need to identify what categories of material to collect, with a non-exhaustive list of options including emails, electronic documents, external storage devices, mobile phones, tablets, internet messaging and chatroom data, telephone recordings^[24] and hard-copy materials.

Companies should also identify any material they are unable to access (such as private email accounts, messaging applications or social media) as the relevant authorities may have statutory powers that allow them to access these sources. In its Corporate Co-operation Guidance, the SFO has stated it will consider it a mark of co-operation for companies to alert the SFO if there are any such inaccessible sources.^[25]

Depending on the circumstances of the investigation, it may be desirable to instruct an external forensic provider to undertake the data collection. This will be especially important in the criminal context where issues relating to the forensic integrity of the underlying data and chain of custody are key.

When undertaking the collection, the decision will need to be taken whether the affected individuals should be notified. Relevant factors include the terms of any applicable data privacy policies at the company (including the existing description of the purposes for which the company might process the individuals’ data) and the likelihood that giving notice may result in individuals destroying documents or otherwise frustrating the investigation. In certain circumstances, express consent may be required from employees, especially if required by local data privacy laws or if the employees use their own devices.

When undertaking the collection, it will also be necessary to consider the requirements of applicable data privacy rules more generally. Considerations as to data minimisation can require the collection to be limited by date range and search terms (even before the data is ingested into a review platform) and the principles of integrity and confidentiality require the data to be stored securely and only accessible with appropriate authorisation.

For both preservation and collection, it will be necessary to record all steps taken and keep any decisions under review as the investigation identifies new custodians, sources and date ranges.

5.6.3Review

Having collected the data, in all but the smallest reviews, it is advisable to upload it to a document review platform. This allows for easier searching, tagging and management of the data and will create an audit trail if questions arise in relation to specific documents.

The next stage will be to assess the appropriate searching criteria to help narrow the scope of the review and identify the most relevant documents. Tools here include applying date range, custodian and data source filters and identifying relevant search terms. If the timing allows, there are significant benefits to testing the potential searching criteria and refining them before starting the full review. A clear record should be kept of all decisions taken, including the reasons for refining or abandoning any provisional search criteria. There are also significant benefits to considering the appropriate type of data de-duplication to conduct.

Increasingly, many vendors are offering technology-assisted analytics and technology-assisted review (TAR), which allow for the review platform to learn from initial reviewer coding decisions and identify similarly relevant documents from the remaining data set. This can allow the technology to prioritise these documents, ensuring they are brought to the attention of the review team sooner, or even automatically code the documents. The success of this technology will, however, depend significantly on the quality of the initial ‘seed set’ of coding decisions and the complexity of the issues it is being asked to assess.

In any case, it is common to structure the review around a series of ‘tiers’, with an initial triage stage for relevancy, followed by second and potentially third-tier reviews by more senior individuals to focus the set and apply more complex coding. In a number of cases, first-tier and even second-tier reviews are outsourced to specialist external document review teams, which can free resource within the investigation team to concentrate on management of the review and the other elements of the investigation.

To ensure accuracy and consistency of coding, it will be necessary to draft document review protocols and accompanying coding forms for each tier of the review, together with organising training for the reviewers. It is also common to organise regular quality control or calibration sessions with the reviewers, where they can ask questions of the senior team, and to set up a process for the rapid escalation to the senior team of key documents identified during the review.

In drafting the document review protocol and coding forms, it will be important to consider how the internal review may interact with any existing or potential parallel external investigation. In particular, if there is the possibility that relevant documents may be produced to an authority, there may be benefits at this stage to asking reviewers to code for privilege, data privacy, bank confidentiality and other jurisdiction-specific issues.

5.6.4Data located in multiple jurisdictions

Particular complexities can arise where data relevant to the internal investigation is located in other jurisdictions (including where it is hosted on cloud-based or group-wide servers that might be physically located overseas).

It will often be necessary to get local data privacy advice before preserving and collecting data for review, including on whether and how the data may be transferred to the jurisdiction where the review is taking place. If transfer of the data is not permissible, it may be necessary to conduct a local review within the foreign jurisdiction.

There are also wider strategic considerations to bear in mind before deciding to collect and transfer data from other jurisdictions. In particular, consideration should be given to the risk of transferring documents into a jurisdiction where they might not otherwise have been available to authorities or to claimants during disclosure in civil trials (although this should be balanced against the risk that in not collecting this data the company may be found to be non-co-operative or frustrating the investigation).^[26] Likewise, where the data is held by a subsidiary, considerations as to corporate separateness may require the two companies to enter into co-operation and information sharing agreements with respect to the investigation. It is common in these agreements (especially where the subsidiary is not wholly owned) for the subsidiary to retain a right of consent prior to its data being disclosed to any authority.

The UK authorities tend to be more willing than their US counterparts to engage with companies’ representations as to limitations imposed by overseas jurisdictions. A risk remains, however, that in failing to collect, transfer and review relevant data, a company may be found to be non-co-operative or obstructive of the authorities’ investigations.

5.6.5Importance of record-keeping

As referenced above, it is critical at all stages of an internal investigation to keep clear records of key decisions taken, including the drafting of detailed, auditable summaries of the methodology undertaken for data preservation, collection and review. It will also be important to preserve originals of all relevant documents and devices and maintain a full chain of custody records.

The FCA Handbook states that where a firm conducts an internal investigation, it will be ‘very helpful’ if the firm maintains a proper record of the enquiries made and interviews conducted.^[27] Likewise, in its Corporate Co-operation Guidance, the SFO has emphasised the importance of maintaining an audit trail of the acquisition and handling of digital, hard-copy and financial material, and the potential need for companies to identify a person to provide a witness statement covering such issues.^[28]

Footnotes