Production of Information to the Authorities
This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight
There are many situations in which a company may face a choice, or a demand, to disclose documents and information to a law enforcement authority or regulator. These range from responding to a raid on corporate and individual premises, to compliance with a subpoena or other compulsory process, to the voluntary provision of information during a self-disclosure. The types of information and the circumstances in which a company is obliged – or even able – to produce relevant documents is circumscribed by various laws. For example, a company must address concerns regarding confidentiality, employee privacy, data protection and legal privilege (and, in certain jurisdictions, bank secrecy restrictions or blocking statutes). This becomes additionally complicated in cross-border cases where multiple legal regimes may apply and may conflict with one another. Add to this the not uncommon scenario of authorities from different countries seeking the same (or slightly different) information and it becomes a legal and practical minefield. This chapter cannot hope to cover the immense number of variables that a company may face in these circumstances, but it does seek to provide practical guidance on some of the most important points.
11.2Production of documents to the authorities
11.2.1Formal requests for disclosure (and related document hold issues)
220.127.116.11Commonly used powers (UK)
Most regulatory and enforcement authorities have formal powers to compel individuals and companies to produce documents and provide information.
In the area of financial crime and corruption involving the United Kingdom, the most likely authority to be seeking to investigate and prosecute will be the Serious Fraud Office (SFO). It has powers to seek the production of documents and information at both a pre-investigation stage in relation to bribery and corruption cases under section 2A of the Criminal Justice Act 1987, and, once it opens a formal investigation, under section 2 of the same Act. These powers can be exercised against companies and individuals to produce documents and information, including by way of compelled interview where there is no right to silence (although the individual cannot be later prosecuted regarding matters arising from the interview, unless the information is found to be false). A failure to provide the documents and information within the time specified in the production notice is a criminal offence, unless the recipient can show that it had a reasonable excuse not to comply (such as an injunction preventing production).
In the field of financial markets regulation, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) have powers to compel the production of documents, contained in Part 11 of the Financial Services and Markets Act 2000 (FSMA). The key provision is section 165, subsections 1 to 6 of which are set out below as an example of how information-gathering powers are conferred:
165 Regulators’ power to require information: authorised persons etc.
- Either regulator may, by notice in writing given to an authorised person, require him–
- to provide specified information or information of a specified description; or
- to produce specified documents or documents of a specified description.
- The information or documents must be provided or produced–
- before the end of such reasonable period as may be specified; and
- at such place as may be specified.
- An officer who has written authorisation from the regulator to do so may require an authorised person without delay–
- to provide the officer with specified information or information of a specified description; or
- to produce to him specified documents or documents of a specified description.
- This section applies only to–
- information and documents reasonably required in connection with the exercise by either regulator of functions conferred on it by or under this Act; and
- in relation to the exercise by the PRA of the powers conferred by subsections (1) and (3), information and documents reasonably required by the Bank of England in connection with the exercise by the Bank of its functions in pursuance of its financial stability objective.
- The regulator in question may require any information provided under this section to be provided in such form as it may reasonably require.
- The regulator in question may require–
- any information provided, whether in a document or otherwise, to be verified in such manner; or
- any document produced to be authenticated in such manner, as it may reasonably require.
‘Authorised person’ is defined in section 31 of the FSMA and means, very broadly, a person providing a regulated financial service.
The FCA has set out its policy in relation to its exercise of enforcement powers under the FSMA (and other legislation) in its Enforcement Guide and the FCA’s report on its approach to enforcement. The Enforcement Guide is useful as it not only sets out the FCA’s approach to its task as the United Kingdom’s financial markets regulator, but also it reflects the general approach of UK regulators to their document production powers.
In paragraph 4.7 of the Enforcement Guide, the FCA states that its standard practice is to use its statutory powers to require the production of documents, the provision of information or the answering of questions in interview. The FCA suggests that this is for reasons of fairness, transparency and efficiency. The Enforcement Guide goes on to suggest, however, that it will sometimes be appropriate to depart from this standard practice, as it relates to document production, for example in cases:
- involving third parties with no professional connection with the financial services industry, such as the victims of an alleged fraud or misconduct, in which case the FCA will usually seek information voluntarily;
- where the FCA has been asked by an overseas or EEA regulator to obtain documents on their behalf, in which case the FCA will discuss with the overseas regulator the most appropriate approach.
In the second scenario, it is important to consider the effect of regimes and jurisdictional protections colliding. For example, how might the US right to silence mesh with the UK compelled disclosure regime? The Enforcement Guide states that the FCA will make it clear to the company or individual concerned whether it requires him, her or it to produce information or answer questions under the FSMA or whether the provision of information is voluntary.
Similar (but unique) powers also lie in the hands of the Competition and Markets Authority, the National Crime Agency, the police, Her Majesty’s Revenue and Customs, and the Health and Safety Executive. Many of these authorities may also apply for and obtain search warrants and use these powers more often than their US counterparts do.
18.104.22.168Commonly used powers (US)
In the United States, most federal agencies, including the United States Department of Justice (DOJ), the Commodity Futures Trading Commission (CFTC) and the Securities and Exchange Commission (SEC) may issue subpoenas (or administrative orders) and compel individuals and companies to produce documents and testimony. In the case of the DOJ, a subpoena may compel the production of documents in connection with either a civil or criminal investigation. The CFTC’s regulations provide that:
The Commission or any member of the Commission or of its staff who, by order of the Commission, has been authorized to issue subpoenas in the course of a particular investigation may issue a subpoena directing the person named therein to appear before a designated person at a specified time and place to testify or to produce documentary evidence, or both, relating to any matter under investigation.
Additionally, state agencies and each state’s attorney general can compel the production of documents and testimony. As an example, Section 352 of the New York General Business Law permits the Attorney General to commence an investigation of an individual or corporation and to seek documents and testimony in connection with that investigation. The Securities Act, the Securities Exchange Act, the Investment Advisers Act and the Investment Company Act all permit the SEC to issue subpoenas in connection with an ongoing investigation of misconduct.Before a subpoena can be issued, the staff of the SEC must obtain a formal order of investigation.
Criminal offences for refusing to comply with a request, providing false or misleading statements, or concealing documents, generally supplement such powers.
22.214.171.124Scope and timing
In practice, a company can do little to resist complying with a formal request for disclosure without resorting to court proceedings to challenge the validity or scope of the request. However, it can likely negotiate with the relevant authority regarding the scope of documents responsive to the request and the production date to limit the scope of the request to what is proportionate and reasonable.
Broadly drawn requests are unfortunately not uncommon, as investigators seek to ensure the requests will capture all relevant information. Early engagement with the relevant authority will typically ensure that both parties can agree on scope and a timetable for production: a request looking back over a long period, or even without any time limit, could involve a lengthy resource-intensive review and expensive production exercise. This may not be in the interests of the prosecuting agency or the company if a more targeted request could produce the information. Whether an agreement to narrow the scope of the request is possible is likely to depend, in large part, on factors outside the company’s control – such as the nature and scope of the authority’s investigation (which the authority may be unwilling to share and is likely to base on information and evidence outside the company’s knowledge). However, the company and its legal advisers should nonetheless seek a reasonable, proportionate and practically achievable production: for example, by seeking to agree to produce documents relating to X project, between Y and Z dates and if necessary to produce the documents in tranches.
It becomes increasingly difficult to manage the response to multiple authorities, particularly if they are in different countries and have different areas of focus. Similarly, a company must consider whether the production notice extends to materials held overseas.
For responding to broad document requests involving large volumes of data, a company may decide to use artificial intelligence or technology assisted review (TAR) to improve the accuracy and speed within which relevant documents are identified. This is becoming increasingly accepted in the United Kingdom. The SFO confirmed its use of artificial intelligence technology in the deferred prosecution agreement (DPA) case of SFO v. Rolls-Royce PLC.
In the United States, while TAR might be used appropriately in responding to subpoenas or document requests in some limited instances, its use would likely be subject to an agreement regarding its use with the requesting agency.
126.96.36.199Practical steps on receipt
Upon receipt of a document request, a company should – in most cases – immediately issue a document retention (or hold) notice (DRN) (if one is not already in place). A company should take care not to inadvertently tip off data custodians, who may also be suspects. In some cases, issuing a DRN is not appropriate; for example, where the company is investigating matters outside the public domain and needs to collect documents covertly at the outset. The issuing of a DRN will assist the company to demonstrate that it has taken steps to preserve all potentially relevant documents in existence at the date of the request. The DRN should track the terms of the production notice, and be sent to all personnel who may have responsive documents, including the IT department and records department. The term ‘document’ should be widely drawn to include any paper or electronic records present on any media (including instant messaging applications) belonging to the company or its employees, including corporate information located off-site. The company may also need to manage complicated issues around data privacy and personal media.
The DRN should confirm that employees must not delete, alter, conceal or otherwise destroy company documents. Simultaneously, the company should take steps to secure and preserve all relevant information held on the company’s servers and backup tapes, including through external providers. It should also immediately suspend routine document and data destruction processes.
Most authorities will have their own technical standards, which the collection and production of electronically stored information must meet. It is therefore likely that a company seeking to respond to a subpoena or production notice will want to consider instructing a forensic IT specialist company to assist with the collection and production efforts. This will have the added benefit of ensuring that a company can demonstrate the independence of this analysis, that it is taking clear co-operative steps, and protects employees, as far as possible, from having to give evidence in any subsequent proceedings.
11.2.2Informal requests for disclosure: voluntary production and co-operation
A company may wish to consider voluntarily providing documents to an authority as part of a self-report or to demonstrate its co-operation with an investigation. Government investigators and investigating authorities regularly hold out the possibility of co-operation credit to companies to encourage them to provide information about their own misconduct.
From February 2014, DPAs have been available in the United Kingdom to the SFO and Crown Prosecution Service for disposing of corporate criminal conduct relating broadly to economic crime (including, in particular, fraud, corruption and money laundering). The SFO and the English courts have emphasised that one of the most important factors for a DPA is early reporting and co-operation by the company. Co-operation should be ‘genuinely proactive’. This includes the voluntary production of relevant documents, the importance of which has been demonstrated in one of the early DPA cases of SFO v. Rolls-Royce PLC, discussed later in this chapter. In the United Kingdom, the Director of the SFO since August 2018, Lisa Osofsky, has explained that corporate co-operation means ‘making the path to a case easier’ for the prosecutor. This means that companies will be expected to provide the SFO with evidence it does not already have and guide the SFO’s investigation to help it focus on the most relevant lines of enquiry, including in respect of assistance with future prosecutions of individuals.
In August 2019, the SFO updated its Operational Handbook to provide guidance on corporate co-operation (Corporate Co-operation Guidance), confirming a non-exhaustive list of good practices that SFO officers should consider when assessing an organisation’s co-operation with the SFO, with a view to potentially being offered an invitation to enter into DPA negotiations. The Corporate Co-operation Guidance sets forth detailed provisions on the SFO’s expectations regarding the preservation and provision of materials relating to digital and hard-copy evidence, financial records and analysis, industry and background information, dealing with individuals connected to the investigation, and more contentious issues such as witness accounts and waivers of privilege. The Corporate Co-operation Guidance confirms that ‘cooperation means providing assistance to the SFO that goes above and beyond what the law requires’ and that this includes identifying individuals involved in the misconduct.
In the United States, too, the authorities have routinely emphasised that they will consider self-reporting and co-operation with government investigations as a key factor when determining whether to charge a corporation. The DOJ encourages corporations to conduct internal investigations and voluntarily self-report misconduct. The Justice Manual states that prosecutors may consider voluntary disclosure when determining whether to bring charges for criminal misconduct. Under the DOJ’s Foreign Corrupt Practices Act (FCPA) Corporate Enforcement Policy, which has been incorporated into the Justice Manual:
[W]hen a company has voluntarily self-disclosed misconduct in an FCPA matter, fully cooperated, and timely and appropriately remediated, all in accordance with the standards set forth below, there will be a presumption that the company will receive a declination absent aggravating circumstances involving the seriousness of the offense or the nature of the offender.
Importantly, voluntary disclosure is just one factor that is considered in determining whether to bring an action against the corporation. In November 2019, the DOJ revised its definition of ‘voluntary self-disclosure’ in FCPA matters. To receive credit for voluntary self-disclosure, a company will need to disclose ‘all relevant facts known to it at the time of disclosure, including as to any individuals substantially involved in or responsible for the misconduct at issue’. These changes were necessary to harmonise the standards of the Corporate Enforcement Policy with prior guidance by the DOJ and to acknowledge that a company might not be in a position to know the full extent of wrongdoing at the time of the initial disclosure. The Corporate Enforcement Policy does provide benefits to a company that does not voluntarily self-disclose misconduct but does fully co-operate with an investigation and implement timely and appropriate remediation.
Timing is important, both for a potential DPA and in relation to anti-cartel regimes, which often provide an amnesty only to the first discloser.
As has been noted above, the FCA’s standard practice is to rely on its statutory powers to require the production of documents. While there is merit in adopting this policy, and it does avoid the risks to companies of voluntarily disclosing documents to the FCA set out below, nothing prevents the FCA from seeking voluntary production. Principle 11 of the FCA’s Principles for Businesses states: ‘A firm must deal with its regulators in an open and co-operative way, and must disclose to the appropriate regulator appropriately anything relating to the firm of which that regulator would reasonably expect notice.’ A materially identical provision is included in the PRA’s Rulebook as Fundamental Rule 7. While this chapter focuses on the approach of the FCA, it is worth remembering that the PRA has similar enforcement powers (and is using them with increasing frequency). Both regulators interpret these obligations to proactively bring matters to their attention widely, and are prepared to take enforcement action against firms and individuals for failures to discharge these obligations (even in the absence of other underlying failings). Prudential Group (fined £30 million for failing to inform the Financial Services Authority (FSA) of its proposed acquisition of AIA until after it had been leaked to the media), Goldman Sachs (fined £17.5 million for not disclosing an SEC investigation into its staff and members of The Goldman Sachs Group), the Co-operative Bank (issued a final notice for failing to notify the PRA without delay of two intended personnel changes in senior positions) and Bank of Scotland plc (fined £45.5 million for failure to inform the FSA about its suspicions that fraud may have occurred at the Reading-based impaired assets team of Halifax Bank of Scotland) are recent examples. This places regulated firms in a different position from other corporates: it reduces the scope for the decision whether to self-report or not.
Principle 11 is mainly intended as a supervision tool and sets out a broad duty of co-operation that the FCA often relies on to oblige the production of documents prior to formal investigations being commenced (sometimes, but not always, for the purpose of deciding whether an investigation should be commenced and, if so, in respect of which firms and individuals). The FCA’s view of what is meant by being open and co-operative within Principle 11 is set out in the FCA Handbook, in the ‘Supervision’ section (referred to as SUP). SUP 2.3 provides that ‘open and co-operative’ includes a regulated entity making itself readily available for meetings with the FCA, giving the FCA reasonable access to records, producing documents as requested, and answering questions truthfully, fully and promptly. Where a formal investigation has been commenced, the FCA would not seek to rely on Principle 11 as a substitute for its other statutory powers that compel production. While it would be a clear breach of Principle 11 to fail to comply with a statutory request for the production of documents, a failure to comply with a voluntary request for the production of documents would not, of itself, result in disciplinary proceedings. The Enforcement Guide does state, in the context of co-operation, that:
The FCA will not bring disciplinary proceedings against a person for failing to be open and co-operative with the FCA simply because, during an investigation, they choose not to attend or answer questions at a purely voluntary interview. However, there may be circumstances in which an adverse inference may be drawn from the reluctance of a person (whether or not they are a firm or individual) to participate in a voluntary interview. If a person provides the FCA with misleading or untrue information, the FCA may consider taking action against them.
The Enforcement Guide further provides that if a person does not comply with a requirement imposed by the exercise of statutory powers, he or she may be held to be in contempt of court. The FCA may also choose to bring proceedings for breach of Principle 11. Therefore, while there is no guidance indicating that a failure to produce documents voluntarily (as opposed to attending a voluntary interview) would result in an adverse inference being drawn, a decision by a company not to produce documents voluntarily in any particular case should not be made without careful forethought and proper advice on the potential consequences.
As this suggests, the Enforcement Guide recognises the importance of an open and co-operative relationship with the firms it regulates to the effective regulation of the UK financial system. When deciding whether to exercise its enforcement powers, the FCA considers, among a number of factors, the level of co-operation demonstrated by a firm. When weighing the level of co-operation, the FCA considers whether the firm has been open and communicative with it.
Voluntarily disclosing documents carries a risk that the authority may not give any meaningful credit and may nonetheless decide to prosecute or expand an investigation already under way. Therefore, the company should weigh the likelihood of the authority being able to serve a formal request for disclosure in the relevant jurisdiction.
In some instances, a formal notice for disclosure will be preferred: for example, where a company has obligations of confidentiality, preventing voluntary disclosure. The most common examples are lawyers and financial institutions, who could both face an action for breach of confidence for supplying documents or information without a formal regulatory request. In some self-reporting circumstances, it may be appropriate for a company to seek such a notice from the relevant authority to ensure that it does not open itself up to civil action. The notice should be narrowly drawn, in consultation with the regulator, and should not affect the company’s co-operation credit. Likewise, in some situations, the company may prefer to ask to be provided with a formal document request to demonstrate that they have been compelled to produce the documents to the authorities and have not done so voluntarily.
11.2.3Production of information to multiple authorities
The increasingly complex and multi-jurisdictional nature of investigations means that a company may face requests for formal disclosure from more than one authority. These could be authorities with different mandates within the same jurisdiction, or authorities with similar mandates from different jurisdictions. In either case, multi-authority investigations demand holistic strategies and systems to allow a company to keep track of evidence disclosed to (or seized by) different authorities. A company may also want to consider if there is any strategic advantage to disclosing to one authority before another. However, recent large-scale global investigations into the manipulation of LIBOR and foreign exchange rates demonstrate the ever increasing levels of intra- and international co-operation between regulators. Practical steps a company can take when faced with multiple requests for formal disclosure include:
- early engagement with each authority, to communicate expectations and practical difficulties of responding to multiple requests;
- identifying and prioritising information that is commonly responsive to the requests rather than focusing on responding to each individual request in isolation;
- maintaining clear production schedules; and
- ensuring a system for Bates numbering for each authority.
11.2.4Documents and data outside the jurisdiction
In cross-border fraud or corruption cases, not all of a company’s documents will be located or even accessible in the same jurisdiction as the investigating authority. In assessing timely disclosure of documents in connection with obtaining credit for ‘Full Cooperation in FCPA Matters’, the DOJ will consider ‘disclosure of overseas documents, the locations in which such documents were found, and who found the documents’. Importantly ‘[w]here a company claims that disclosure of overseas documents is prohibited due to data privacy, blocking statutes, or other reasons related to foreign law, the company bears the burden of establishing the prohibition. Moreover, a company should work diligently to identify all available legal bases to provide such documents’. A company should consider what documents are stored overseas, and which of these it should provide to investigators. Recent judicial decisions have furthered the powers of UK authorities to obtain information located outside the jurisdiction for the purposes of an investigation, and the Corporate Co-operation Guidance confirms that co-operating organisations should supply relevant material that is held abroad, where it is in the possession or control of the organisation. A company in receipt of a formal production notice will need to assess whether the notice extends to documents outside the jurisdiction and, if so, the extent to which the company has ‘custody or control’ over documents held by subsidiaries or overseas branches. The board of a parent company will not necessarily control the management of a subsidiary.
The Corporate Co-operation Guidance also confirms that the SFO will expect co-operating organisations to identify relevant material in the possession of third parties and assist the SFO in obtaining it. Companies should also inform the SFO about relevant material that the company is unable to access (such as messaging apps and bank accounts).
Where production is voluntary, a company may take a more holistic view of the investigation and production (subject to local law restrictions). The extent to which it may want to voluntarily disclose information may depend on the ability of the investigating authority to obtain that information itself. However, given the increasing co-operation between authorities on the international stage, careful voluntary production of material is likely to be preferable, and vital if the company seeks co-operation credit. As previously noted, to receive credit for full cooperation under the FCPA Corporate Enforcement Policy, a company cannot simply refuse to produce certain documents on the basis that production is prohibited by rule or regulation. Rather, the company ‘bears the burden of establishing the prohibition’ and ‘should work diligently to identify all available legal bases to provide such documents’.
188.8.131.52Mutual legal assistance
In the United Kingdom, sections 7 to 9 of the Crime (International Co-operation) Act 2003 (CICA) govern requests to obtain evidence from abroad in relation to a prosecution or investigation taking place in the United Kingdom, shaping the mutual legal assistance (MLA) powers of UK authorities. Under CICA, an MLA request can only be made if it appears to the investigating authority that an offence has been committed or there are reasonable grounds for suspecting that an offence has been committed, and either proceedings in respect of that offence have been instituted or the offence is being investigated. The request must relate to the obtaining of evidence ‘for use in the proceedings or investigation’. But, it could allow an investigating agency to have foreign law enforcement officers launch raids, arrest suspects or conduct interviews on its behalf. If the implementation of an MLA request in the requested state requires a court order, then the court in the requested state is likely to apply the relevant principles in its own jurisdiction to satisfy itself that the requested order is justified.
Note that among the vast majority of EU Member States, European investigation orders (EIOs) now allow streamlined access to evidence and information in criminal investigations. EIOs work on the basis of mutual recognition, and judicial authorities can use them to request assistance with ‘any investigative measure’ (although the EIO itself will identify a number of investigative activities that it does not permit). More specifically, the EIO:
- replaces the previous fragmented legal framework for obtaining evidence within Europe by providing a single instrument;
- imposes a strict 30-day deadline for the Member State to accept the request, and 90 days to comply;
- limits the reasons for which the Member State can refuse the request;
- introduces a standard form; and
- prioritises the necessity and proportionality of the measure as part of the rights of the defence.
EIOs were created by EU Directive 2014/41/EU, which came into force in the United Kingdom on 31 July 2017 (transposed through the Criminal Justice (European Investigation Order) Regulations 2017). The United Kingdom has opted into the EIO regime even though it has chosen to exit the European Union.
In April 2018, the European Commission issued a proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters. The proposal aims to reform cross-border access to electronic evidence and make MLA across Member States more efficient. It would allow Member States to request electronic evidence directly from service providers established or represented in a Member State that provide services in the European Union (regardless of the location of the data requested). The regulation would require the service provider to respond within 10 days or, in cases of emergency, six hours.
In December 2018, the Council of the European Union agreed its position on the proposal, which is currently with a European Parliament committee. The United Kingdom has decided not to opt into the proposal, stating that ‘it is not clear how new EU legislation will be a practical and effective way to address the global issue of providing lawful access to data held anywhere in the world’.
In February 2019, the UK Parliament passed its own legislation on cross-border access to electronic evidence, the Crime (Overseas Production Orders) Act 2019. This new legislation gives UK authorities (including the SFO and FCA) the power to apply to a UK court to compel a company operating or an individual based outside the United Kingdom to provide electronic data stored abroad. This new law allows UK authorities to sidestep the notoriously slow process of seeking MLA in favour of obtaining an overseas production order, which can be served directly on the person storing the electronic data. This legal development brings the United Kingdom into alignment with the US regime. In 2018, the US federal government passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act, explicitly authorising US law enforcement agencies to obtain data held by US cloud service providers regardless of where in the world the data is physically stored. The CLOUD Act also created a framework by which foreign countries (such as the United Kingdom) could seek disclosure of data held by US cloud service providers, without US co-operation or oversight.
The MLA process can be cumbersome, but is a very real threat in the event a company does not co-operate. A company should also not overlook the significant scope for informal direct investigator-to-investigator co-operation. Agencies such as Interpol have dedicated programmes to share information between, and support investigations by, investigating agencies in different countries. Communications between the SFO and DOJ are frequent. The FCA, specifically, has a broad discretion to assist foreign regulators. This discretion is set out in section 169 of the FSMA. The statutory power is supplemented by relevant FCA policy. Subsection 169(4) sets out the considerations in the FCA’s decision as to whether to assist a foreign regulator. It provides:
(4) In deciding whether or not to exercise its investigative power, the regulator may take into account in particular:
(a) whether in the country or territory of the overseas regulator concerned, corresponding assistance would be given to a United Kingdom regulatory authority;
(b) whether the case concerns the breach of a law, or other requirement, which has no close parallel in the United Kingdom or involves the assertion of a jurisdiction not recognised by the United Kingdom;
(c) the seriousness of the case and its importance to persons in the United Kingdom;
(d) whether it is otherwise appropriate in the public interest to give the assistance sought.
In an early decision on this section, Financial Services Authority v. Amro International, the Court of Appeal held that there was nothing in section 169 that required the FCA’s predecessor body to satisfy itself of the correctness of what it was being asked to investigate or gather by way of information. At the SEC’s behest, the FCA could seek any document that it reasonably considered relevant to the investigation the SEC was conducting. The Court of Appeal made clear that the only requirements the FCA must meet were contained in the statute. The Court of Appeal also noted that in exercising these powers, the stricter rules attaching to the drafting of a subpoena did not apply and the description of the documents sought would be acceptable provided the recipient could identify the documents he or she was required to produce.
In addition to the FCA’s statutory powers, a number of memoranda of understanding are in place between UK regulators and their overseas counterparts (most notably the SEC and other US regulators) concerning co-operation and information sharing. Recent years have seen significant co-operation between the SEC and the FCA and its cognate agencies.
Similarly, the United States has entered into mutual legal assistance treaties (MLATs) with more than 70 foreign jurisdictions, which can be used for the sharing of information and taking of evidence abroad. Some US authorities also have memoranda of understanding in place with sister agencies outside the United States, which can allow for inter-agency sharing of documents.
Recent public policy statements made by UK and US prosecuting authorities demonstrate how important they consider international co-operation to be. In the United Kingdom, SFO Director Lisa Osofsky has publicly affirmed her intention to leverage international contacts she made through her previous roles as a federal prosecutor for the DOJ and Deputy Counsel at the Federal Bureau of Investigation to strengthen the SFO’s investigational capacities. As part of her oral evidence to the House of Commons Justice Committee in December 2018, she anticipated that the ‘shared use of important intelligence information’ would help ‘crack open’ cases.
Ms Osofsky also confirmed that the SFO is preparing for a no-deal Brexit during her testimony before the House of Commons Justice Committee. If the United Kingdom leaves the European Union without a deal, the SFO will need to rely on pre-existing multilateral treaties for the continued sharing of information and co-operation, and could lose access to some European intelligence-sharing programmes. However, it is likely that international agencies will work together with the SFO to find workable solutions as there is a shared benefit to continuing co-operation and intelligence-sharing. Therefore, while a no-deal Brexit may slow down the process and make it more expensive, it is unlikely to stop access to European information and intelligence.
Ms Osofsky has indicated her aspiration to build on the SFO’s co-operation with other agencies and civil society to share best practices. She brought in the US-qualified co-head of Jenner & Block’s London investigations practice, Peter Pope, to spend a year at the SFO, to ‘assist with building and consolidating relationships with authorities in other jurisdictions and to act as an adviser in case reviews and on compliance issues’ according to a press release issued in September 2018. Before Ms Osofsky’s arrival, the DOJ had already seconded a lawyer to the SFO, enabling the exchange of ideas, experience and best practice regarding the investigation and prosecution of economic crime with the SFO’s US counterpart.
In the United States, the DOJ has recently adopted a ‘no piling on’ policy regarding penalties. This policy explicitly includes co-operation with foreign agencies. Former Deputy Attorney General, Rod Rosenstein, explained in remarks in May 2018 that the policy discourages ‘disproportionate enforcement of laws by multiple authorities’ by ‘instructing Department components to appropriately coordinate with one another and with other enforcement agencies in imposing multiple penalties on a company in relation to investigations of the same misconduct’.
Responding to an investigation (and conducting an internal investigation) will require data about individuals to be processed. Such an exercise will engage a number of data protection considerations. A company cannot assume that complying with the data protection requirements in the investigated jurisdiction will mean compliance with overseas data protection laws. Local law may also restrict a company’s ability to transfer individual data overseas. The European Union’s General Data Protection Regulation (GDPR) came into force on 25 May 2018 and applies within the EU and to those data controllers and processors outside the EU who offer goods and services to EU consumers. Chapter 5 of the GDPR deals with transfers of data to third countries (and international organisations) and re-enacts existing restrictions on transferring data to countries that do not have adequate privacy protections in circumstances where other ‘appropriate safeguards’ are not in place. The GDPR introduces a limited derogation to its principles based on ‘compelling legitimate interests’, which could cover non-repetitive transfers to foreign regulators, but would require prior notification to the relevant data protection authority.
Under the GDPR, supervisory authorities from EU Member States may issue fines of up to €20 million or 4 per cent of an organisation’s global turnover from the preceding financial year (whichever is higher) for GDPR breaches. Before issuing a fine, the UK’s data protection supervisory authority, the Information Commissioner’s Office (ICO), must serve a written ‘notice of intent’ to an organisation, which allows the recipient to make representations. In July 2019, the ICO issued notices of intent to fine British Airways (approximately £183 million) and hotel group Marriott International (approximately £99 million) for GDPR breaches. These are the first fines publicly proposed by the ICO for GDPR infringements. If ultimately issued, these fines will represent the most significant penalties ever issued by the ICO and the largest penalties imposed by any regulator to date under the GDPR. British Airways and Marriott International will now have the opportunity to make representations to the ICO as to the authority’s proposed findings and sanction. Under the GDPR ‘one stop shop’ provisions, the data protection authorities in the EU whose residents have been affected will also have the chance to comment on the ICO’s findings.
Blocking statutes prevent the disclosure of certain documents for the purpose of legal proceedings in a foreign jurisdiction, except pursuant to procedures set out in an international treaty or agreement. Article 1bis of the French Blocking Statute provides:
[I]t is prohibited for any person to request, to investigate or to communicate in writing, orally or by any other means, documents or information relating to economic, commercial, industrial, financial or technical matters leading to the establishment of proof with a view to foreign administrative or judicial proceedings or as a part of such proceedings.
There has historically been very little enforcement of the French Blocking Statute – with some companies choosing to ignore it completely. However, as a consequence of the Sapin II law, which was implemented in June 2017, France’s financial crime agency (Parquet National Financier (PNF)) has begun to lead cases involving the enforcement of the Blocking Statute, signalling that the French authorities are considering the issues raised by the Blocking Statute in more depth.
The French government is currently considering a report submitted by a French member of parliament in June 2019, which includes recommended reforms to the French Blocking Statute. The report calls for amendments to force foreign authorities to co-operate with French authorities instead of ‘systematically’ bypassing conventions of international co-operation. The report also calls for a significant increase in penalties for any violations of the French Blocking Statute. The French anti-corruption regulator (Agence Française Anticorruption (AFA)) is responsible for ensuring compliance with the Blocking Statute.
The joint guidelines on the French equivalent of the DPA (convention judiciaire d’intérêt public (CJIP)) recently issued by the PNF and AFA indicate the French authorities’ willingness to enter into coordinated settlement discussions with foreign enforcement authorities in cases involving multi-jurisdictional misconduct. The new guidelines do not set out any differences in complying with the Blocking Statute when co-operating with foreign enforcement authorities. Therefore adherence to the Blocking Statute is expected. However, the guidelines suggest that when the PNF negotiates a joint settlement with other authorities, it may propose that the AFA act as a monitor to prevent a violation.
The French authorities have traditionally taken any derogation from the letter of the law seriously and insist on the use of MLA requests and inter-agency communications. This can leave companies in the unenviable position of being caught between authorities (if the US authorities, for example, expect production directly from the corporate). In such circumstances, agency-to-agency communications should be encouraged. Similarly, Article 271 of the Swiss Criminal Code prohibits a person performing an ‘official act’ on behalf of a foreign authority on Swiss soil. This can block the collection of evidence located in Switzerland intended for use in proceedings outside the country.
China is another jurisdiction to have enacted laws to block the transfer of information to foreign government authorities in criminal proceedings. On 26 October 2018, China enacted the International Criminal Judicial Assistance (ICJA) law with immediate effect, prohibiting institutions, organisations and individuals within China from providing evidentiary materials and assistance to foreign countries in criminal proceedings (e.g., before seeking to comply with a subpoena from a foreign government authority in a criminal investigation) without approval from the competent Chinese authorities. In accordance with the ICJA law, this legislation is to be applied in a manner that does not harm national sovereignty, security or public interests, giving the Chinese government broad discretion to refuse or block foreign governments’ requests for assistance. The ICJA law governs all requests for ‘judicial assistance’ between China and foreign jurisdictions in relation to international criminal proceedings, including the service of documents, evidence collection, witness testimony, seizure and confiscation of illegal assets, and the transfer of convicted persons.
A decision to refuse to disclose documents or information due to a blocking statute may not be respected by the requesting authority and could affect any co-operation credit available – leaving the company between a rock and a hard place. This demands early and detailed dialogue with the relevant authority alongside expert local counsel who can educate the regulators about the relevant laws and any potential workarounds for production of information.
Bank secrecy laws prohibit banking officials from releasing confidential information about a customer to third parties outside of financial institutions, unless compelled by law. Sometimes, such a disclosure is criminalised. A bank under investigation may seek to rely on this secrecy. It should also be cautious not to infringe this secrecy inadvertently in providing information to a regulator. Note, though, that a historic deference to the banking secrecy rules of foreign jurisdictions, premised on comity or respect for the acts of foreign governments, may slowly be eroding. Even Switzerland, in recent times, has stripped away a number of its many layers of secrecy through international agreements, and, in our experience, has become, in practice, more willing to co-operate with requests for information.
Sending data outside a jurisdiction may be contrary to state secrecy laws. Some jurisdictions, such as China, have wide definitions of what amounts to a state secret. The Law of the People’s Republic of China on Guarding State Secrets, at Article 8, defines state secrets to include ‘secrets in national economic and social development’ and ‘secrets concerning science and technology’. Similarly, Kazakhstan treats some geological data as a state secret. The consequences of violation can be serious. Article 111 of the Chinese Criminal Law makes violating state secrets a capital crime. In countries such as China, where many companies are state-owned, this is not straightforward. Again, locating expert local counsel is a must.
State secrecy laws may also restrict certain categories of documents to authorised eyes only. This is particularly pertinent for defence companies. Withholding production of such documents will require careful negotiation. Remember that the investigating agency is likely to have authorised persons of its own, who can review the documents. Finding a practical way for these to be produced by external lawyers (where prior authorisation is unlikely) will likely be more difficult and undoubtedly will increase the time it will take to respond to a request for documents and may require the review of documents ‘in country’ instead of producing the documents to the US authorities. Another potential workaround is production of information through MLATs and memoranda of understanding that allow a company to first produce documents to a local authority and thereby comply with the relevant regulations.
184.108.40.206Whose rules of privilege apply?
It may not be clear whose rules of privilege apply when a company discloses in one jurisdiction documents created in another. English courts will generally apply English law to the question: theoretically, an unprivileged document in its country of origin could be privileged in England and vice versa. In the United States, there is no general rule, although government agencies will generally apply privilege principles broadly, although subject to certain procedural requirements, such as the production of privilege logs.
Companies should also be aware that some countries do not have developed principles of legal privilege and special care is required in creating or sending otherwise privileged documents to such jurisdictions. Likewise, in some jurisdictions privilege does not extend to communications with in-house counsel and the role of internal counsel may be held by someone who is not an attorney, and therefore privilege may not be recognised in connection with their communications.
Further complications come when dealing with international regulatory bodies. In Akzo Nobel, for example, the European Court of Justice held that the law of the European Union superseded that of the relevant national jurisdictions; therefore, in competition cases internal counsel’s advice will not be privileged – nor will that of external legal advisers who are not EU-qualified lawyers.
11.3Documents obtained through dawn raids, arrest and search
During a raid (or execution of a search warrant) on corporate premises, it is important to seek to obtain and understand the terms of the warrant. Check simple facts such as the premises’ address, the date and relevant powers and authorisations. If appropriate, a company may challenge the scope of the warrant (if it is unduly wide or based on erroneous facts or information). Importantly, the company and its advisers should ensure during the raid that documents outside the terms of the warrant are not seized (unless taken under relevant search and sift powers, or as can be justified under ancillary legislation) and take care both during the raid and afterwards to protect legally privileged materials. In the United States, it is nearly impossible to challenge the scope of a warrant that calls for the immediate search of a specific location. More likely, a company would have to seek to suppress evidence obtained pursuant to a warrant in a later proceeding. There may, however, be opportunities to challenge the scope of a warrant seeking electronically stored information before the data is actually collected and produced. As an example, where a company is asked to execute a warrant on behalf of the government, such as when a service provider is asked to collect electronic information of a third party, there may be additional opportunities for a company to challenge the scope of a subpoena. It is likely that the vast majority of documents obtained during a search will be electronic. It is important to agree to a process with the authorities for dealing with any electronic media that is privileged. In the United Kingdom, most investigative agencies have developed sophisticated procedures in this area. The SFO’s policy and system for dealing with material covered by legal professional privilege (LPP) is explained in its Operational Handbook:
When the SFO requires the production of material, or seizes material pursuant to its statutory powers, all material which is potentially protected by LPP must be treated with great care to:
• Minimise the risk that LPP material is seen or seized by an SFO investigator or a lawyer involved in the investigation.
• Ensure that any LPP material which is seized is properly isolated and promptly returned to the owner without having been seen by an SFO investigator or a lawyer involved in the investigation.
• Ensure that any dispute relating to LPP is resolved in advance of the material being seen by an SFO investigator or a lawyer involved in the investigation.
• Ensure that where an SFO investigator or a lawyer involved in the investigation inadvertently sees LPP material, measures are in place to ensure that the investigation and any subsequent prosecution is not adversely affected as a result. Care must always be taken that LPP material is not viewed by the SFO staff involved in the investigation.
The Operational Handbook then sets out a procedure for dealing specifically with electronic material that may be privileged. Under this procedure, the SFO will first notify the company’s lawyers if it believes that IT assets it has seized might contain privileged material (in practice, it is prudent for the company’s lawyers to advise the SFO of the potential existence of privileged material at an early stage). A list of search terms should be agreed (including names of lawyers, relevant firms, etc.) to enable the identification and isolation of the material for review by independent counsel. Independent counsel will review the material using search software and return only non-privileged material to the SFO investigative team to examine. It is normally possible to have productive discussions with investigators to determine the relevant search terms that might identify privileged material. It is then possible to make representations on the client’s behalf to independent counsel about the extent of privilege. This procedure updates and works alongside the well-established ‘blue-bagging’ approach used for hard-copy materials that may be privileged, by which authorities will send seized documents that may be potentially privileged, sealed in an opaque bag, to the custody of an independent legal adviser (usually a barrister) for review.
The DOJ has used three different procedures for reviewing potentially privileged information, each of which requires a ‘neutral’ third party to first review potentially privileged data. In certain instances the court may review the data on its own. A court may also appoint a ‘special master’ to handle the review of privileged information. In other instances, a team of individuals referred to as a ‘taint team’ may be used to review the files. When a taint team is used, an ethical wall will be placed between the individuals who review the documents and those who are actually participating in the investigation. Importantly, courts have had differing reactions to the use of taint teams and may not always conclude that the procedures implemented to screen materials were sufficient.
11.4Disclosure of results of internal investigation
In most instances, a company will have to make expansive disclosures regarding its internal investigations to get full co-operation credit. The DOJ has issued guidance in the Justice Manual that explicitly states that companies will have to self-report on both the results of internal investigations and on individual misconduct to receive any co-operation credit. Whether such thorough disclosures are in the best interest of the company is something that will need to be determined in a timely manner.
11.4.1Self-reporting of misconduct not yet known to regulators
A company’s decision as to whether to self-report is often complicated. There may be opportunities for a company to internally address misconduct without it coming to light. However, it can be very difficult for a company to keep its misdeeds from being disclosed to the relevant authorities. Whistleblower rewards provide incentives for employees to report misconduct. Federal statute provides protections for whistleblowers, and in 2017 the SEC imposed financial penalties on financial institutions that attempt to prohibit employees from seeking those bounties. Disgruntled employees can report corporate misconduct as retaliation, to attempt to prevent prosecution of themselves or simply because they do not feel that the corporate is handling the issue appropriately via its internal process. In the United Kingdom, broadly speaking, those working in the field of financial services are subject to suspicious activity reporting obligations. This means that banks, accountants and transactional lawyers must make reports to the authorities of suspicions of money laundering (including acquiring assets which may be tainted by fraud or corruption). A failure to make a report is a criminal offence – as is tipping off the subject of the report (which in some instances may be the individual’s own client). Investigative journalism and non-governmental organisations also continue to be important sources of information for regulators – as the ‘Panama Papers’ scandal illustrated.
A failure to self-report misconduct before it becomes otherwise known to the authorities can have a significant impact on the resolution of the corporate investigation. The Justice Manual (which governs the conduct of Assistant US Attorneys during the course of civil and criminal investigations, including FCPA investigations) provides that:
Even in the absence of a formal program, prosecutors may consider a corporation’s timely and voluntary disclosure, both as an independent factor and in evaluating the company’s overall cooperation and the adequacy of the corporation’s compliance program and its management’s commitment to the compliance program. However, prosecution may be appropriate notwithstanding a corporation’s voluntary disclosure. Such a determination should be based on a consideration of all the factors set forth in these Principles.
As we have already noted, under the FCPA Corporate Enforcement Policy, receiving full credit for voluntary self-disclosure requires, among other things, prompt disclosure of ‘all relevant facts known to it at the time of the disclosure, including as to any individuals substantially involved in or responsible for the misconduct at issue’. The recent amendments to the Corporate Enforcement Policy clarify that a company does not need to disclose information regarding all individuals that may have been involved in wrongdoing. Instead, it is required to disclose ‘any individuals substantially involved in or responsible for the misconduct at issue’. Moreover, the company will have to disclose ‘on a timely basis . . . all facts relevant to the wrongdoing at issue, including: all relevant facts gathered during a company’s independent investigation; attribution of facts to specific sources where such attribution does not violate the attorney–client privilege, rather than a general narrative of the facts; timely updates on a company’s internal investigation, including but not limited to rolling disclosures of information’.
The Deferred Prosecution Agreements Code of Practice (the DPA Code) issued by the SFO and the Crown Prosecution Service indicates that, to be eligible for a DPA, a company will likely have to report voluntarily any misconduct within a reasonable time of becoming aware of it – and prior to it becoming known to the authorities. In fact, in a number of the five DPA cases, the companies self-reported their misconduct to the SFO in circumstances where the SFO had no prior knowledge of the misconduct and, in all likelihood, would not have learnt about the misconduct if the company had not self-reported.
But, in the Rolls-Royce case, which was concluded by a DPA in January 2017, the company did not self-report to the SFO the conduct that led to the SFO’s investigation. Instead, the SFO became aware of the need for an investigation through internet postings by a whistleblower. The fact that Rolls-Royce did not self-report weighed against the SFO offering a DPA; yet, Rolls-Royce chose to co-operate fully with the investigation after the SFO approached the company, and undertook its own internal investigation (in close consultation with the SFO). In total, Rolls-Royce collected over 30 million documents and subjected them to electronic document review as part of this investigation. One of the main features of Rolls-Royce’s co-operation was that it provided all materials requested by the SFO voluntarily, without the SFO having to compel it to provide information. Rolls-Royce also chose not to perform any legal professional privilege review over the documents (instead allowing independent counsel to resolve issues of privilege) and worked with the SFO as the SFO used sophisticated artificial intelligence searches to interrogate the data. This process led to the SFO uncovering information that may not have otherwise come to its attention. Ultimately, SFO counsel described the extent of Rolls-Royce’s co-operation with the investigation as ‘extraordinary’.
While the decision to provide documents voluntarily to the SFO was one of a number of measures taken by Rolls-Royce to demonstrate its co-operation with the investigation, this decision was of fundamental importance to the court when deciding to approve the DPA. Rolls-Royce’s voluntary disclosure of investigation documents therefore mitigated its failure to voluntarily disclose misconduct.
11.4.2Production of reports of investigation
To obtain co-operation credit, prosecuting and government agencies require that companies provide the complete factual findings of an internal investigation, including relevant source documents. The Justice Manual recognises ‘the sort of cooperation that is most valuable to resolving allegations of misconduct by a corporation and its officers, directors, employees, or agents is disclosure of the relevant facts concerning such misconduct’.
Similarly, the DPA Code provides that co-operation will include ‘providing a report in respect of any internal investigation including source documents’.
Careful consideration should be given to the manner of disclosure of information. In the United States, the consideration for credit is that the relevant facts are disclosed. The format of the disclosure is irrelevant. The Justice Manual makes it clear that a company does not have to waive privilege to receive co-operation credit. If a company chooses not to waive relevant privileges, it is unlikely to be able to share the investigative reports prepared by counsel conducting the investigation. Instead, it will have to carefully craft presentations that disclose only non-privileged facts. Preparation of such reports can be time-consuming and costly. Further, in preparing any written presentation materials, the company will have to ensure that neither the mental impressions nor advice of counsel are included. Because there can be no claim that the materials are privileged, a company should also expect that they will have to produce presentation materials in any related civil litigation.
In the United Kingdom, there is currently much debate over the production of the first accounts of witnesses, which may have been taken by investigating attorneys. The SFO’s preference is that these are taken so that legal privilege does not apply. It also indicates that it does not consider all privilege claims over interview materials to be made out under English law and until the Court of Appeal’s decision in The Director of the Serious Fraud Office v. Eurasian Natural Resources Corporation (ENRC), was actively challenging such assertions. Where a valid claim for privilege exists, co-operation credit will be given for the disclosure of interview memoranda. A failure to disclose will be considered co-operation neutral. As Alun Milford, then SFO General Counsel, has previously said: ‘If a company’s assertion of privilege is well-made out, then we will not hold that against the company: to do otherwise would be inconsistent with the substantive protection privilege offers.’ In two of the UK cases in which the court has approved DPAs, the company made oral disclosure only of the content of witness interviews. However, Rolls-Royce chose to provide the interview memoranda to the SFO – even though it considered the memoranda to be privileged – on the basis of a limited waiver of privilege. This was another way Rolls-Royce used the voluntary disclosure of documents to counterbalance its failure to voluntarily disclose the misconduct. Other materials voluntarily provided to the SFO by Rolls-Royce included regular reports on the findings of the internal investigations; unfiltered access to the ‘digital repositories or email containers’ for over 100 past and present employees; general access to hard-copy documents at Rolls-Royce; and key documents identified by the internal investigations. Finally, Rolls-Royce held off interviewing potential witnesses until the SFO had the chance to do so. How a company makes its employees available to investigating authorities is important, and this chapter will now turn to this issue.
The SFO has recently affirmed its position on witness accounts and privilege as part of the Corporate Co-operation Guidance, which confirms that a company’s failure to waive privilege means that it will not attain the corresponding factor against prosecution in the DPA Code, but that the SFO will not penalise the company in this regard. The Corporate Co-operation Guidance suggests that while an organisation will not get the full co-operation credit potentially available in these circumstances, the SFO will not automatically refuse a DPA if it can demonstrate other co-operative factors pointing against a public interest in prosecuting the company, in accordance with the DPA Code.
11.4.3Identification of witnesses to authorities
In connection with its initial assessments of whether to co-operate with authorities, companies will have to consider the implications of disclosing information about key employees. As noted above, US and UK authorities have indicated that co-operation will require disclosure of facts relevant to the misconduct of individual employees.
In the United States, authorities have made clear that obtaining facts relevant to individual prosecutions is a top priority. The Justice Manual provides that ‘[i]n order for a company to receive any consideration for cooperation under this section, the company must identify all individuals substantially involved in or responsible for the misconduct at issue, regardless of their position, status or seniority, and provide to the Department all relevant facts relating to that misconduct’.
Additionally, the ‘unequivocal co-operation’ necessary to be eligible for a DPA in the United Kingdom includes identifying relevant witnesses, disclosing their accounts of the alleged misconduct and any documents shown to them and, where practicable, making those witnesses available for interviews by investigators – together with ongoing co-operation with the authorities.
When seeking a DPA, a corporate should consider liaising closely with the SFO, which may wish to undertake witness interviews, or interviews under caution, with individuals prior to corporate counsel doing so. The Corporate Co-operation Guidance confirms that the SFO will expect organisations to identify individuals responsible for the suspected wrongdoing (and support the SFO’s disclosure obligations in its prosecution of individuals) and potential witnesses, and that co-operating companies should consult with the SFO before interviewing potential witnesses or suspects, taking HR actions or other overt steps. Once the individuals have been identified to the government or prosecuting authorities it may be difficult, if not impossible, for those individuals to continue working for the company. A company may feel pressure to terminate the employee or place that individual on leave, which could have a significant impact on the operations of a business unit. Even if the company does not terminate an employee under investigation, targets of a government investigation are likely to engage their own counsel who may advise the employee to stop co-operating with its employer – leading to a ‘walk or talk’ decision. Depending on the nature of any employment agreement, a company may have to advance the individual the fees and costs associated with individual representation. Also, since 2004, the United Kingdom has imposed an extensive Code of Practice for Disciplinary and Grievance Procedures on employers, which sets out standards of procedural fairness that a UK employer should comply with if it takes action that will detrimentally affect an employee’s employment.
In the United States, certain portions of internal investigations are protected by the attorney–client privilege and the work-product doctrine, and courts routinely uphold those privileges. This can be true even where the purpose of an investigation is to ensure regulatory compliance, or where non-lawyers are involved in key parts of the investigation.
Generally, the attorney–client privilege entitles a party to withhold from production (1) communications, (2) with an attorney, his or her subordinate or agent, (3) made in confidence, (4) for the primary purpose of securing an opinion of law, legal services or assistance in a legal proceeding. It applies to corporations as well as individuals, and therefore protects communications between corporate employees and a corporation’s in-house and external legal counsel on matters within the scope of the employees’ corporate responsibilities. Communications between non-legal corporate employees can also be privileged where an attorney neither authors nor receives the communication, if the communication contains or refers to previously transmitted legal advice or identifies specific legal advice that the non-attorneys will seek from attorneys in the near future. Additionally, the work-product doctrine protects documents and tangible things, otherwise discoverable, prepared in anticipation of litigation and in connection with a threatened or pending government investigation. The doctrine can apply to documents prepared by both attorneys and non-attorneys. Attorney notes, research, and compilations of background materials, memoranda, investigative reports, witness statements; and materials prepared by non-legal personnel such as investigators are examples of the types of documents that may be protected. Work-product containing an attorney’s mental impressions is referred to as ‘opinion’ work-product and is afforded greater protection than other ‘ordinary’ work-product.
In the United Kingdom, privilege attaches to (1) confidential communications between a lawyer and his or her client for the purpose of seeking and receiving legal advice in a relevant legal context, including factual reporting (legal advice privilege), and (2) confidential communications between a lawyer and his or her client and/or a third party, or between a client and a third party, provided that such communications have been created for the dominant purpose of obtaining legal advice, evidence or information in preparation for actual litigation, or litigation that is ‘reasonably in prospect’ (litigation privilege). English case law has traditionally called into question the availability of litigation privilege for documents created during a regulatory investigation, as an investigation alone lacks the adversarial character of litigation. In the recent ENRC decision, the Court of Appeal looked at the issue of when a corporate might reasonably contemplate prosecution (and therefore the necessary ‘litigation’) in the context of a self-reporting process, commenting as follows:
[W]e are not sure that every SFO manifestation of concern would properly be regarded as adversarial litigation, but when the SFO specifically makes clear to the company the prospect of its criminal prosecution . . . and legal advisers are engaged to deal with that situation, as in the present case, there is a clear ground for contending that criminal prosecution is in reasonable contemplation.
But, the Court went on to say that no particular action in the course of engagement with a regulator will allow a company to say that at a particular date it contemplated a criminal prosecution and privilege crystallised. Every case will turn on its own facts, and the evidence will be assessed in the round.
The corporate must also have created the documents for the dominant purpose of the contemplated litigation. In ENRC, even where ENRC might have created documents for the dominant purpose of merely investigating ‘the facts to see what had happened and deal with compliance and governance’, the Court said this:
Although a reputable company will wish to ensure high ethical standards in the conduct of its business for its own sake, it is undeniable that the ‘stick’ used to enforce appropriate standards is the criminal law and, in some measure, the civil law also. Thus, where there is a clear threat of a criminal investigation, even at one remove from the specific risks posed by the SFO should it start an investigation, the reason for the investigation of whistle-blower allegations must be brought into the zone where the dominant purpose may be to prevent or deal with litigation.
So, litigation privilege may well cover a significant proportion of documents created in the course of an internal investigation into possible criminal activity after the regulator has made clear there is a prospect of prosecution. Again, though, why the corporate created particular documents is important. If a corporate creates documents specifically to disclose to the regulator, then it seems unlikely that a claim to litigation privilege against that same regulator will succeed, at least in relation to the final versions of these documents.
The Court of Appeal also discussed the policy behind applying litigation privilege in this area:
It is, however, obviously in the public interest that companies should be prepared to investigate allegations from whistle blowers or investigative journalists, prior to going to a prosecutor such as the SFO, without losing the benefit of legal professional privilege for the work product and consequences of their investigation. . . . The remedy for the SFO is not to allow prevarication and delay . . . to prevent a timeous investigation, when it becomes clear that the company is not wholeheartedly reporting its own conduct and making appropriate waivers of privilege.
It went on to make clear that determining the extent of co-operation by a company (in an analysis of whether a DPA was in the public interest) included determining ‘whether the company was willing to waive any privilege attaching to documents produced during internal investigations, so that it could share those documents with the SFO’. But, as noted above, past practice in both the United Kingdom and the United States suggests that a corporate does not need to waive privilege over all its investigation documents to receive co-operation credit.
On 2 October 2018, the SFO announced that it would not appeal the ENRC decision further to the Supreme Court.
In presenting the underlying facts of an internal investigation, a company must be mindful of the inherent risk that such a presentation will be deemed a privilege waiver in any subsequent proceedings. If a disclosure of privileged information to a federal office or agency is deemed intentional, the privilege will be waived in any federal or state proceeding. However, if a disclosure of privileged information is unintentional, it will not create a broad waiver so long as the holder of the privilege took steps to prevent the disclosure and then promptly took reasonable steps to seek return of any inadvertently disclosed information. Accordingly, if a company decides that it does not intend to waive privilege, it should devise reasonable steps that highlight the company’s decision not to waive privilege, including providing written notice of the intention not to produce privileged materials in any letter or other correspondence that accompanies a document production. Courts in England and Wales have held that a company can share the contents of a privileged communication with a regulator or other third party, keeping the privilege intact, so long as this desire is made clear, the disclosure is confidential and the communication is not proliferated widely.
The SFO has clarified its position on privilege considerations as part of the Corporate Co-operation Guidance, confirming that if an organisation decides to assert legal privilege over relevant materials (such as first accounts, internal investigation interviews or other documents), the SFO may challenge the privilege assertion where it considers it necessary or appropriate to do so. The Corporate Co-operation Guidance also includes an additional step for companies, by requiring organisations claiming privilege over materials to provide certification by independent counsel that the material is privileged. This is a departure from current practice and will serve as an additional cost for organisations under investigation.
11.6Protecting confidential information
Companies producing information to the government should take steps to protect the confidentiality of that information. Although information produced in response to a grand jury subpoena must be kept confidential, in the absence of a formal request, documents and testimony provided to the DOJ, SEC or other government authority can be shared with others. In many instances, documents under the control of a government agency can be subject to requests made pursuant to the Freedom of Information Act (FOIA). Further, documents typically shielded from disclosure by the FOIA and other regulations are not exempt from production to the United States Congress, which can, in turn, make the information public.
The procedures necessary to shield confidential information from disclosure can be quite complex. Each regulatory body has its own procedures for seeking confidential treatment of information. The SEC, for example, requires that each page of a document containing confidential information be stamped with a specific legend and that a request for confidential treatment go to the individual receiving the documents and the Office of Freedom of Information and Privacy Act Operations. Many states have their own versions of the FOIA governing the treatment of information provided to, among others, state attorneys general. Further, while some congressional committees may implement their own procedures for seeking confidential treatment of information, an entity producing documents will have to consider what regulations apply to the information sought and whether the specific regulations prohibit disclosure in response to the request.
In the United Kingdom, the High Court confronted these issues in Standard Life Assurance v. Topland Col. The SFO had disclosed information it had obtained through its section 2 powers to a Standard Life employee that it wished to interview. The SFO later discontinued the related investigation. Standard Life then used some of this information as part of civil proceedings against Topland. The court noted that the SFO was not entitled to disclose any material obtained by it during an investigation except for the purpose of its investigation (which was the original purpose of the disclosure in this case). A person who wished to prevent disclosure of genuinely confidential information, either by the SFO or by a person it had disclosed documents to, would need to rely on judicial review proceedings or seek an injunction to prevent a breach of confidence. This suggests that, to avoid relying on these indirect remedies, a company should agree with the SFO before disclosure how the SFO might control the further dissemination of confidential or sensitive documents. Safeguards may include the SFO returning the documents following a short time or notifying a disclosing party before the SFO intended to disseminate documents further. On the other hand, a company may also wish to construct potential safeguards around material produced to it during DPA negotiations and that may otherwise be discoverable in subsequent civil proceedings against it.
Companies have an incentive to co-operate with a government investigation, especially if co-operation credit does not necessarily require self-reporting of the misconduct. But self-reporting will assist companies alongside the voluntary provision of relevant materials. The additional advantages of co-operation – control of the investigation process, orderly production of materials and managing press intrusion – are likely to be great when weighed against the disruption and publicity of formal actions including raids, arrests and prosecutions. In cross-border investigations, companies will need to devise due process safeguards to protect the rights of individuals and respect local law requirements. Ensuring local law specialists are instructed to work as part of a multidisciplinary team will be key.
1 Hector Gonzalez, Rebecca Kahan Waldman and Caroline Black are partners and Lisa Foley is an associate at Dechert LLP.
2 Financial Conduct Authority (FCA), Enforcement Guide (January 2016), available at
https://www.handbook.fca.org.uk/handbook/EG/; and FCA Mission: Approach to Enforcement (April 2019), available at https://www.fca.org.uk/publication/corporate/our-approach-enforcement-final-report-feedback-statement.pdf.
3 Whether the FCA compels testimony from an individual can have an impact on whether that information can be used in connection with a criminal proceeding in the United States. The Second Circuit Court of Appeals has held that testimony compelled by the FCA cannot be used against a defendant in a criminal prosecution. See United States v. Allen, 864 F.3d 63 (2d Cir. 2017).
4 Other federal agencies, such as the Consumer Financial Protection Bureau and the Federal Trade Commission, are authorised to issue subpoenas. Other agencies are required to seek the assistance of the United States Attorney’s Office in seeking documents and testimony. For a discussion of the use of administrative subpoenas, see www.justice.gov/archive/olp/rpt_to_congress.htm.
5 For information regarding criminal matters, see Justice Manual § 9-13. The Civil Division is authorised to issue subpoenas by a number of statutes.
6 17 C.F.R. § 11.4(a).
7 Section 19(c) of the Securities Act of 1933, 15 U.S.C. § 77s(c); Section 21(b) of the Securities Exchange Act of 1934, 15 U.S.C. § 78u(b); Section 209(b) of the Investment Advisers Act of 1940, 15 U.S.C. § 80b–9(b); and Section 42(b) of the Investment Company Act of 1940, 15 U.S.C. § 80a–41(b).
8 For information regarding procedures for obtaining a formal order of investigation, see sections 2.2.3 to 2.3.4 of the Enforcement Manual of the Securities and Exchange Commission Division of Enforcement, available at https://www.sec.gov/divisions/enforce/enforcementmanual.pdf (28 November 2017).
9 18 U.S.C. §§ 401, 1001; see also 7 U.S.C. §§ 9, 13(a)(3). Rule 17 of the Federal Rules of Criminal Procedures, governs subpoenas, including grand jury subpoenas and Rule 17(g) authorises federal courts to exercise its contempt powers for non-compliance. (‘The court (other than a magistrate judge) may hold in contempt a witness who, without adequate excuse, disobeys a subpoena issued by a federal court in that district.’)
10 Serious Fraud Office v. Rolls-Royce PLC and Rolls-Royce Energy Systems Inc (Case No. U20170036)  Lloyd’s Rep FC 249.
11 For example, employees’ use of disappearing messaging services, such as WhatsApp, raises issues. In March 2019, the Department of Justice (DOJ) relaxed its prior guidance to companies regarding employees’ use of those services, removing from the Foreign Corrupt Practices Act (FCPA) Corporate Enforcement Policy a requirement that employees be prohibited from using those services. Instead, the revised policy requires that each company seeking timely and appropriate remediation credit ‘appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations.’ Justice Manual § 9-47.120.
12 Deferred prosecution agreements (DPAs) were introduced by s.45 and Sch. 17 of the Crime and Courts Act 2013.
13 Crown Prosecution Service and Serious Fraud Office, Deferred Prosecution Agreements Code of Practice – Crime and Courts Act 2013, 11 February 2014, at para. 2.8.2(i).
14 Serious Fraud Office v. Rolls-Royce PLC and Rolls-Royce Energy Systems Inc (Case No. U20170036)  Lloyd’s Rep FC 249. Rolls-Royce first came to the attention of the Serious Fraud Office (SFO) in early 2012, when a whistleblower raised concerns about Rolls-Royce’s business in China and Indonesia. After a lengthy investigation, Rolls-Royce accepted responsibility for criminal offending over 24 years, in seven different countries. Ultimately, Rolls-Royce was granted a DPA, and paid approximately £800 million in financial penalties to authorities in the United Kingdom, United States and Brazil.
16 Corporate Co-operation Guidance, SFO Operational Handbook (6 August 2019).
17 See, e.g., memorandum dated 5 July 2007 from Paul J McNulty re Principles of Federal Prosecution of Business Organizations available at https://www.justice.gov/sites/default/files/dag/legacy/2007/07/05/mcnulty_memo.pdf.
18 Justice Manual §§ 9-28.900, 9-47.120.
19 Justice Manual § 9-28.900. (‘Even in the absence of a formal program, prosecutors may consider a corporation’s timely and voluntary disclosure, both as an independent factor and in evaluating the company’s overall co-operation and the adequacy of the corporation’s compliance program and its management’s commitment to the compliance program.’)
20 See Justice Manual § 9-47.120.
21 Justice Manual §§ 9-28.300, 9-28.900, 9-47.120.
22 Justice Manual § 9-47.120.
23 Justice Manual § 9-47.120.
24 Justice Manual § 9-47.120 at note 1.
25 Justice Manual §§ 9-28.300, 9-28.900; see also https://www.justice.gov/opa/speech/deputy-attorney-general-rosenstein-delivers-remarks-34th-international-conference-foreign.
26 See, e.g., European Commission Notice on Immunity from Fines and Reduction of Fines in Cartel Cases, Official Journal C 298, 8 December 2006, p. 17.
27 The Financial Services Authority was the predecessor to the FCA.
28 See Enforcement Guide, at para. 4.7.3.
29 Enforcement Guide, at para. 4.7.4.
30 In 2015, Deutsche Bank AG entered into a DPA with the DOJ and settlements with the US Commodity Futures Trading Commission, the Department of Financial Services and the FCA, in connection with its role in manipulating LIBOR rates. DB Group, a subsidiary of Deutsche Bank, also pleaded guilty to wire fraud for its role. Together, Deutsche Bank and its subsidiary agreed to pay over US$2 billion in penalties to US authorities and US$344 million to the FCA – then the second-largest fine in the FCA’s history.
31 Bates numbering is a method of indexing legal documents for easy identification and retrieval.
32 Justice Manual §9-47.120(3)(b).
33 Justice Manual §9-47.120(3)(b).
34 Production notices seeking documents held outside the jurisdiction of the investigating authority are complicated. For example, the authors take the view that a request made under s.165 of the Financial Services and Markets Act 2000 captures documents in a company’s custody or control outside the United Kingdom. In the 2018 case of R (on the Application of KBR Inc) v. The Director of the Serious Fraud Office  EWHC 2368 (Admin), the High Court held that the SFO’s compulsory document production powers under section 2(3) of the Criminal Justice Act 1987 could have extraterritorial application, but to issue a notice to a non-UK company in respect of documents held outside the United Kingdom, there must be a ‘sufficient connection’ between the overseas company and the United Kingdom. Overseas companies should assess the factual connection to the United Kingdom (in terms of its connection to the subject matter of the SFO’s investigation), rather than from a business perspective. The UK Supreme Court has granted KBR leave to appeal this decision. In the case of R (on the application of Tony Michael Jimenez) v. (1) First Tier Tax Tribunal and (2) Her Majesty’s Commissioners for Revenue and Customs  Civ 51, the Court of Appeal applied the ‘sufficient connection’ test set out in KBR in determining that HM Revenue and Customs, the UK tax authority, is authorised to serve a ‘taxpayer notice’ on a UK taxpayer resident overseas to obtain information about that individual’s tax position.
35 For the United Kingdom, see Lonrho v. Shell Petroleum  1 WLR 627.
36 See Justice Manual § 9-47.120.
37 Crime (International Co-operation) Act 2003, s.7(5).
38 Crime (International Co-operation) Act 2003, s.7(2).
39 See, e.g., Reuters, ‘Monaco raids Unaoil offices over global oil corruption probe’, available at
43 Overseas production orders (OPOs) will only be available where the United Kingdom has a ‘designated international co-operation agreement’ (DICA) with the country in which the OPO will be served. The United States and the United Kingdom have been negotiating such an agreement since 2015. This means that the United States is likely to be the first country directly affected by OPOs. The fact that a DICA is a precondition of an OPO means we are unlikely to see OPOs in practice in the immediate future.
44 Financial Services Authority v. Amro International  EWCA Civ 123.
45 See www.state.gov/j/inl/rls/nrcrpt/2012/vol2/184110.htm; see also In re Premises Located at 840 140th Ave. NE, Bellevue, Wash., 634 F.3d 557, 563–64 (9th Cir. 2011) (‘In recent decades, the United States has ratified an increasing number of bilateral treaties with other nations to facilitate legal proceedings, known as mutual legal assistance treaties or MLATs . . . . As their names suggest, these treaties provide for bilateral, mutual assistance in the gathering of legal evidence for use by the requesting state in criminal investigations and proceedings. Viewed through the lens of reciprocity, MLATs represent a direct approach to achieving reciprocity with other nations, in addition to the indirect approach taken by congressional expansion of the scope of § 1782. The ratification of MLATs in recent decades can be seen as yet another step toward the goal of greater legal assistance by, and for, other nations, at least with respect to requests by foreign governments for use in underlying criminal investigations and proceedings.’).
46 Lisa Osofsky, evidence to House of Commons Justice Committee, 18 December 2018.
50 The United States does not have a comprehensive, federal data protection law. There are, however, numerous state and federal laws that govern the treatment of personal data. At the federal level, there are protections for, among other things, data collected from children, from financial institutions and that includes medical information. See, e.g., Federal Trade Commission Act, 15 U.S.C. §§ 41 to 58; Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501 to 6506; Financial Services Modernization Act (Gramm-Leach-Bliley Act), 15 U.S.C. §§ 6801 to 6827; Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. § 1301 et seq. (and the rules and regulations promulgated thereunder); Fair Credit Reporting Act, 15 U.S.C. § 1681.
51 Data Protection Act 2018 (UK implementation of GDPR), Schedule 16.
54 Despite its very protective wording, the French Blocking Statute has received a very limited application – only one criminal conviction (under Article 1bis) has ever been recorded (Cass. Crim, 12 December 2007, n°07-83.228).
55 Raphaël Gauvain, ‘Rétablir la souveraineté de la France et de l’Europe et protéger nos enterprises des lois et mesures à portée extraterritoriale’, National Assembly report (26 June 2019).
57 For an English case dealing with the French Blocking Statute, see Secretary of State for Health v. Servier Laboratories; National Grid Electricity Transmission v. ABB  WLR 4383.
58 See most famously Article 47 of the Swiss Federal Act on Banks and Savings Banks (1934).
59 See, e.g., Switzerland’s entrance, in October 2013, to the Multilateral Convention on Mutual Administrative Assistance on Tax Matters, and agreement to increase transparency and exchange financial information with approximately 60 other countries.
60 Akzo Nobel Chemicals v. European Commission (Case C-550/07, European Court of Justice, 14 September 2010). Here, the Court held that internal company communications with in-house lawyers subject to a European Commission investigation were not covered by legal professional privilege, as, for the purposes of such an investigation, an in-house lawyer was not sufficiently independent.
61 For the United Kingdom, see s.50 of the Criminal Justice and Police Act 2001. In the United States, prosecutors will often establish what are referred to as ‘taint teams’ to review potentially privileged information. Justice Manual § 9-13.420 (Searches of Premises of Subject Attorneys) provides guidance for the review of material seized not only from an attorney’s office but also from ‘searches of business organizations where such searches involve materials in the possession of individuals serving in the capacity of legal advisor to the organization’.
62 See s.19(5) of the Police and Criminal Evidence Act 1984.
63 Cited in R (on the application of Colin McKenzie) v. The Director of the Serious Fraud Office  EWHC 102, at  (original emphasis). In this unsuccessful challenge to this procedure, the essential question was whether, as a matter of law, the process for isolating files that may contain legal professional privilege (LPP) material into an electronic folder for review by an independent lawyer must itself be carried out by individuals who are independent of the seizing body. The court held that the procedure set out in the SFO’s Handbook for isolating material potentially subject to LPP, for the purpose of making it available to an independent lawyer for review, was lawful.
64 See Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, available at https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ssmanual2009.pdf.
65 See, e.g., Order Appointing Special Master, United States v. Cohen, Dkt No. 30, Case No. 18-mj-3161 (S.D.N.Y. 27 April 2018).
66 Searches of Premises of Subject Attorneys, Justice Manual, § 9-13.420.
67 See, e.g., Order Appointing Special Master, United States v. Cohen, Dkt No. 30, Case No. 18-mj-3161 (S.D.N.Y. 27 April 2018); Order, United States v. Gallego, Dkt No. 65, Case No. 4:18-cr-01537 (D. Ariz. 6 September 2018).
68 The Value of Cooperation, Justice Manual § 9-28.700; Cooperation: Disclosing the Relevant Facts, Justice Manual § 9-28.720; FCPA Corporate Enforcement Policy, Justice Manual § 9-47.120, available at https://www.justice.gov/criminal-fraud/file/838416/download (full cooperation requires, among other things, prompt disclosure of ‘all facts related to involvement in the criminal activity by the company’s officers, employees, or agents; and all facts known or that become known to the company regarding potential criminal conduct by all third-party companies (including their officers, employees, or agents’).
69 The November 2019 amendments to the FCPA Corporate Enforcement Policy acknowledge that a company may not know all facts relevant to misconduct at the time of a voluntary self-disclosure. The revised policy emphasises that in order to receive cooperation credit, a company should ‘make clear that it is making its disclosure based upon a preliminary investigation or assessment of information, but it should nonetheless provide a fulsome disclosure of the relevant facts known to it at the time’. Justice Manual § 9-47.120 at note 1.
70 See Section 922(h) of the Dodd-Frank Wall Street Reform and Consumer Protection Act, 15 U.S.C.A. § 78u-6(h)(1)(A) (2010).
71 See https://www.sec.gov/news/pressrelease/2017-14.html (announcing penalty imposed on BlackRock Inc., based on its inclusion of language in separation agreements requiring former employees to waive any incentives they might be entitled to for reporting the company’s misconduct); https://www.sec.gov/news/pressrelease/2017-24.html (announcing penalty imposed on HomeStreet Inc. for improper accounting and steps taken to impede whistleblowers).
73 Justice Manual § 9-28.900 (internal citations omitted).
74 Justice Manual § 9-47.120(3)(a). The Justice Manual has recently been revised to acknowledge that a company may not necessarily be in possession of all of the relevant information at the time of its initial disclosures. In such circumstances, a disclosing company should make clear that it is making an initial disclosure based on its preliminary investigation or assessment of information. Justice Manual § 9-47.120 at note 1.
75 Justice Manual § 9-47.120(3)(a) (emphasis added). This change makes the disclosure requirements consistent with prior guidance issued by the US Attorney’s Office and other provisions of the Justice Manual.
76 Justice Manual § 9-47.120 (3)(a).
77 DPA Code, para. 2.8.2(i).
78 SFO v. Standard Bank plc (Case No. U20150854)  Lloyd’s Rep FC 102 and SFO v. XYZ Ltd (Case No. U20150856)  7 WLUK 220;  Lloyd’s Rep FC 509. In the case of SFO v. Tesco Stores Limited  Lloyd’s Rep FC 283, Tesco identified issues in its financial statements, and referred itself to enforcement authorities after revealing that revenues had been incorrectly recorded as profits and made an announcement to the market. In SFO v. Serco Geografix Ltd. (Case No. U20190413)  7 WLUK 45, the company disclosed material discovered after an initial SFO investigation found no evidence of any dishonest or fraudulent activity.
79 See Justice Manual § 9-28.720 (Cooperation: Disclosing the Relevant Facts).
80 DPA Code, para. 2.8.2(i).
81 See Justice Manual § 9-28.720. The FCPA Corporate Enforcement Policy refers to Justice Manual § 9-28.720 and states that a company will not have to waive privilege to receive full co-operation credit.
82  EWCA Civ 2006.
83 Alun Milford, then SFO General Counsel, ‘Speech to compliance professionals’ (given to the European Compliance and Ethics Institute, Prague, 29 March 2016.)
84 See, e.g., SFO v. XYZ (Preliminary Judgment) Crown Court, Southwark, U20150856 (20 April 2016): ‘[C]o-operation includes identifying relevant witnesses, disclosing their accounts and the documents shown to them: see para. 2.8.2(i) of the DPA Code of Practice. Where practicable it will involve making witnesses available for interview when requested. In that regard, XYZ provided oral summaries of first accounts of interviewees, facilitated the interview of current employees, and provided timely and complete responses to requests for information and material, save for those subject to a proper claim of legal professional privilege.’
85 In securing DPAs, both Tesco and Serco received co-operation credit for refraining from interviewing witnesses at the request of the FCA/SFO. See SFO v. Tesco Stores Limited (Case No. U20170287)  Lloyd’s Rep FC 283 and SFO v. Serco Geografix Ltd. (Case No. U20190413)  7 WLUK 45.
86 SFO Operational Handbook, Corporate Co-operation Guidance, p. 5.
87 The Value of Cooperation, Justice Manual § 9-28.700; see also Cooperation: Disclosing the Relevant Facts, Justice Manual § 9-28.720. The November 2019 amendments to the FCPA Corporate Enforcement Policy made the various provisions regarding disclosures of individuals involved in wrongdoing more consistent.
88 DPA Code, para. 2.8.2(i).
89 Where a defendant in the United Kingdom is suspected of committing a criminal offence, and is questioned in relation to it (whether while under arrest or voluntarily), the questioner must administer a ‘caution’ for any evidence provided in the interview to be admissible in subsequent proceedings. The caution sets out interviewees’ rights and how any evidence they provide at interview may be used against them in a trial. An organisation or company can be interviewed under caution through a nominated spokesperson, who will attend the interview to answer questions on its behalf.
90 ACAS ‘Code of practice on disciplinary and grievance procedures’ (2015) available at https://www.acas.org.uk/media/1047/Acas-Code-of-Practice-on-Discipline-and-Grievance/pdf/11287_CoP1_Disciplinary_Procedures_v1__Accessible.pdf.
91 See In re Kellogg Brown & Root, Inc., 756 F.3d 754 (D.C. Cir. 2014); Cicel (Beijing) Sci. & Tech. Co. v. Misonix, Inc., No. 17CV1642, 2019 WL 1574806 (E.D.N.Y. Apr. 11, 2019); In re Gen. Motors LLC Ignition Switch Litig., 80 F. Supp. 3d 521, 530 (S.D.N.Y. 2015).
92 In re Kellogg Brown & Root, Inc., 756 F.3d 754, 760 (D.C. Cir. 2014), at 760. (‘In the context of an organization’s internal investigation, if one of the significant purposes of the internal investigation was to obtain or provide legal advice, the privilege will apply. That is true regardless of whether an internal investigation was conducted pursuant to a company compliance programme required by statute or regulation, or was otherwise conducted pursuant to company policy.’) (Citation omitted.)
93  EWCA Civ 2006.
94 At .
95 At .
96 At .
97 At .
98 At .
99 Kirstin Ridley, ‘UK fraud office backs down in ENRC privilege battle’, Reuters (2 October 2018), available at https://uk.reuters.com/article/uk-britain-enrc-sfo/uk-fraud-office-backs-down-in-enrc-privilege-battle-idUKKCN1MC1N0.
100 See Fed. R. Evid. 502(a).
101 See Fed. R. Evid. 502(b).
102 See Gotha City v. Sotheby’s  1 WLR 114 (CA).
103 Fed. R. Crim. Pro. 6(e).
104 5 U.S.C. § 552.
105 17 C.F.R. § 200.83
106 See, e.g., New York Freedom of Information Law, Public Officer’s Law §§ 84 to 90.
107 Standard Life Assurance Ltd v. Topland Col (Rev 1)  1 WLR 2162.