The Evolution of Risk Management in Global Investigations
This is an Insight article, written by a selected partner as part of GIR's co-published content.
2.1 Sources and triggers for investigations
Corporates have traditionally approached investigations reactively, after the event, as an issue for legal functions and law firms that is largely concerned with suspicions of criminal activity or other misconduct. Such investigations were predominantly an exercise in detection, appropriate reporting and remediation. With the evolution of compliance departments and advances in forensic fact-gathering and analysis, investigations are increasingly regarded as key elements of a sound control environment and generally considered to support a company’s commercial agenda.
Now, problems can be discovered through a variety of novel and increasingly proactive ways, and can arise from both internal and external sources.
From an internal perspective, problems can come to the fore during transactional due diligence, or in the course of routine compliance activity, such as conformance reviews, financial and other audits, or corporate surveillance activity. Problems may also be signalled by industry-wide regulatory enforcement, or in a discrete area concerning allegations against an employee that indicates broader risk. Corporate awareness of risk may also be triggered through traditional or social media, political pressure, customer complaints, allegations arising in civil litigation, statements made in evidence in regulatory or criminal proceedings, and disclosures by competitors and whistleblowers. Corporations are now also encouraged to use artificial intelligence to sift through their own data to uncover indicia of potential wrongdoing.
Problems may also be first identified through the direct intervention of a government agency, which may have learned of the issue on its own, through a third party or another agency. The provision of information between law enforcement and regulatory authorities (whether through informal communication protocols, established statutory gateways or recognition of competing jurisdictions) is a rapidly growing area, domestically and internationally.
Given the myriad of potential avenues for a crisis to develop, corporate counsel must always be on the lookout for the seeds of problems and be prepared to take appropriate steps to prevent the matter from taking root and distracting the company from its core business. Moreover, if a serious problem is identified and cannot be easily contained, an effective response may require a significant level of communication with, and ongoing reporting obligations to, multiple entities, including the company’s board and senior management; its legal, compliance, risk and audit functions; external auditors; prosecutors, regulators or other government agencies; litigation counterparties; investors; customers; commercial partners; competitors; trade bodies; and other interest groups. In many cases, the simple gathering of facts and their analysis can be one of the least complex elements of the undertaking. Far more complex is the juggling of competing, often cross-border, legal principles, interests and priorities that these ongoing communication and reporting processes require. These are considered further below, together with some of the complicated legal issues they present.
2.2 Responding to internal events
Not all internal issues raised will require investigation. Take, for example, the self-described whistleblower who writes to senior management to raise points already conclusively determined in a disciplinary hearing, in relation to which there are no wider considerations or further rights to appeal. Where facts are not in issue, the person has exhausted his or her legal remedies and does not bring forward new bona fide issues, a corporation should not be deterred from operating efficiently and need not reinvestigate the underlying facts. Those concerns that do merit fresh investigation will not necessarily arise only in the context of criminal allegations or regulatory misconduct; some will emerge during transactional due diligence or in the control environment. There may also be instances where even if the allegation is true, it does not amount to a violation of law or company policy.
2.2.1 Compliance operations and transactional due diligence
A critical aspect of any effective transactional due diligence – whether an acquisition, a joint venture or simply a one-off transaction – must necessarily be to identify risks lurking beneath the surface of a target business or transaction counterparty. In particular, attention to areas that can give rise to successor liability should be of paramount concern to the risk-assessment team on any due diligence. In the anti-money laundering arena, in relation to the United Kingdom, compliance with the Proceeds of Crime Act 2002 is only as effective as the quality of the due diligence, ongoing monitoring and surveillance techniques employed by the company. Similar considerations apply to compliance with international sanctions, where certainty as to the true source of remitted funds, the purpose of the payment and the identities of the payor and payee are central. ‘Adequate procedures’ required under the UK Bribery Act 2010 will include the ability to assess counterparty risk to avoid participation in a corrupt transaction. In the United Kingdom, there has been a concerted move to replicate the corporate ‘failure to prevent’ offence in section 7 of the Bribery Act 2010 in other arenas, increasing the focus on the adequacy of prevention measures within corporations. Part 3 (sections 44 to 52) of the Criminal Finances Act 2017 created the offence of failing to prevent the facilitation of tax evasion, with the corresponding defence of ‘reasonable prevention procedures’. In January 2017, the UK government consulted on the introduction of a general corporate offence of failing to prevent economic crime going beyond bribery and tax evasion, whereby companies would be liable for fraud by their employees or contractors in the absence of proof of adequate procedures to prevent the conduct.
The concerns in the United States are similar. The Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) have stated in their Resource Guide to the Foreign Corrupt Practices Act (FCPA) that they will be less likely to prosecute an acquirer that conducts effective pre-transactional due diligence, remediates, folds the acquired entity into its compliance programme and voluntarily discloses the conduct. In 2018, US Deputy Assistant Attorney General Matthew Miner stated that the DOJ’s revised FCPA Corporate Enforcement Policy (providing for a presumption of a declination of prosecution with disgorgement of ill-gotten gains, assuming no aggravating circumstances, for companies that voluntarily disclose, fully co-operate and fully remediate) would apply to acquirers in a merger or acquisition. In March 2019, the DOJ formally codified this policy. Further, while declinations under the FCPA Corporate Enforcement Policy are usually public and come with a statement of facts, Mr Miner recently said, in remarks he delivered at the American Bar Association’s Third Global White Collar Crime Institute Conference, that ‘there may be instances where a company self-discloses and [the DOJ] decide[s] a public declination is neither necessary nor warranted’. He noted that ‘if a company self-discloses misconduct that was discovered in the context of a merger or acquisition, and [prosecutors] determine that the conduct and financial impact was de minimis, [the DOJ] may be open to a company’s request that [the DOJ not] disclose the declination’. Without delving into the pros and cons of voluntary disclosure, US law enforcement and regulatory agencies generally treat acquirers similarly even when the disclosure does not relate to potential FCPA violations, but to other issues such as money laundering and trade sanctions.
Given these expectations in the United Kingdom, United States and elsewhere, a party offering to warrant that it has not engaged in corrupt practices or other criminal activity will not provide adequate comfort without objective assessment of the risk profile, which is, itself, an exercise in investigation and analysis. For example, in the case of the three primary areas of financial crime risk (money laundering, sanctions, bribery and corruption), further enquiry may be required to investigate and assess the risk presented by politically exposed persons (PEPs), transactions involving higher-risk jurisdictions or business practices, and complex transactional structures characterised by opacity as to source of funds and ultimate beneficiaries.
In each case it is not only the primary due diligence activities that require investigative skills, but also the response to the information delivered by standard or enhanced due diligence that may itself stimulate wider investigation. Concerns in open-source materials (such as reports from internet research and reports by Amnesty International and Transparency International’s Corruption Perception Index), and information already held on file, in bespoke due diligence reports by third-party vendors and in responses from counterparties to questionnaires and pre-contractual enquiries (which are particularly prevalent in public sector contract due diligence) may all trigger separate lines of enquiry. Red flags such as opaque ownership structures, prior enforcement actions against the counterparty, engagement in high-risk geographies or the presence of PEPs in the ownership or control structure can all raise the risk profile of a person, entity or proposed transaction, putting the company on notice that further investigation is required.
Ironically, for companies straining to deliver strong due diligence, flagging issues of concern in clear, contemporaneous records at the primary due diligence stage may pose a significant danger. That record may create disclosable evidence of a company’s state of knowledge and awareness, or the fact it was on notice, at a material time, and in the absence of an adequate investigative response, this record itself may assist in incriminating the company despite the positive steps taken to identify the issue in the first instance.
As such, it is the initial response that separates the strong organisation from the weak and moves compliance culture from a tick-box habit to best-in-class governance and control. The tools available to the acquiring company to assess possible exposure beyond the initial indicative information are a blend of the traditional and the innovative. The review of source documents and interviewing of witnesses are standard investigative steps that will remain highly relevant in these circumstances. So too will access to open-source information including historical media content analysis, materials held by ratings agencies and analyses based on public records, a company’s data, disclosures and third-party commentary, social media, a company’s public statements and reports, and bespoke assessments. Reports from third-party investigators (which can range from analysis of public records and open-source material to more detailed data searches, including ‘dark web’ internet content review) may also be available.
Additionally, internal and external audit reports may flag control weaknesses and identify intended remediation plans. These will not constitute privileged documents, although they may be subject to significant confidentiality controls. Action logs should be traced to ensure that audit recommendations were implemented and can be used as evidence of such. Similarly, analysis of compliance remediation and restructuring plans, conformance reviews of compliance systems and controls, published results of thematic reviews by regulators and other third parties, evaluation of whistleblower logs or statements made by company executives in the public domain (e.g., records of evidence adduced at UK parliamentary select committee or US congressional committee hearings) may also corroborate or appease initial concerns, or may serve to trigger further investigation into wider issues.
Some financial institutions go beyond this level of investigative activity and maintain an intelligence-based client evaluation process, aimed at building customer profiles in anticipation of commercial decisions and regulatory obligations. This is not for the use of investigators in the detection of misconduct but is research and analysis to provide the bank with the broadest range of commercial information about a client, customer or counterparty, from identification and verification through to commercial development strategy and market profile, to enhance the bank’s strategic decision-making in a highly regulated environment. While these processes are driven by commercial objectives, the underlying activity necessary to inform the bank as to the risk profile is no different to the skills applied during a regulatory enforcement investigation or in anticipation of criminal prosecution, and this is why, within banks, there is a gradual migration of employees from ‘investigations and enforcement’ functions within legal and compliance to ‘financial intelligence’ units within business teams or as separate risk or compliance teams. These units do not, however, operate as legal advisers and therefore do not benefit from the same protections afforded to legal advisory staff, such as the attorney–client privilege and work-product protections (considered further below).
2.2.2 Policy guidance, opinion procedures and dialogue with public authorities
More formal, alternative third-party sources can provide a higher degree of comfort, subject to the availability of information and the legal and practical constraints as to its use. Use of these sources may be more appropriate where a company has identified a problem while undergoing due diligence. Nevertheless, practitioners should approach these resources with caution.
In the United States, for example, the DOJ may, on submission in writing by a relevant party, provide valuable guidance through the FCPA opinion procedure. Similar to SEC no-action letters, opinion procedures enable a corporation to obtain an opinion from the DOJ as to whether certain specified, prospective – not hypothetical – conduct does not violate the FCPA. The principles require disclosure of the entire intended transaction. An executed contract is not a prerequisite and in most cases the opinion would be sought prior to a requesting party’s entering a contract. The DOJ’s opinion will typically set forth a number of remedial or proactive steps, or both, that the company must take to receive protection from enforcement. For example, in Opinion Release 08-02, a US company sought comfort from prosecution surrounding its proposed purchase of a UK company in the oil and gas sector. The UK company had a large number of government customers. The acquirer informed the DOJ that it had inadequate time and access to information to perform sufficient anti-corruption due diligence on the target. It further informed the DOJ that it could not disclose whether it had identified any possibly illicit payments owing to the confidentiality agreement it signed to receive access to information from the target. In its opinion, the DOJ said it would not initiate an enforcement action, so long as the acquirer disclosed any corruption concerns upon acquisition, conducted rapid and deep diligence (outlined in the opinion) once it owned the target, disclosed any potential violations it uncovered, and quickly folded the target into its compliance programme. 
In a 2018 keynote address at the Ninth Global Forum on Anti-Corruption Compliance in High Risk Markets, US Deputy Assistant Attorney General Miner encouraged the use of the opinion procedure process, noting that it is underutilised, and stating that in terms of response times, the DOJ ‘can, to a degree, expedite [its] analysis based on timing needs’. As Mr Miner outlined, the DOJ will respond within 30 to 45 days of receiving all necessary information.
As demonstrated by the few opinions issued each year, practitioners are often wary of this process, and will likely remain so, despite Mr Miner’s encouragement. First, if the DOJ says no, the company is left without any flexibility to make its own risk-based decision. It must comply. Additionally, as Opinion Release 08-02 demonstrates, the DOJ will often impose conditions and requirements in its opinion that must be adhered to meticulously. Further, seeking an opinion may risk tipping off the government about a larger problem. Opinion procedures are also a limited tool, as they apply only to anti-corruption concerns.
The United Kingdom does not have a process similar to the DOJ opinion procedure. There remains no formal basis on which to approach the Serious Fraud Office (SFO) for guidance as to whether a party’s conduct infringes the Bribery Act 2010, for example. This evaluation is left to the reporting party, with the more binary decision as to whether or not to make an early self-report to the SFO in relation to which co-operation credit is sought. The SFO will publish operational guidance and Codes of Practice from time to time (e.g., on issues of treatment of evidence, witnesses and legal representation at interviews, deferred prosecution agreements (DPAs), corporate self-reporting and, most recently, corporate co-operation) and, like the DOJ and SEC’s Resource Guide to the FCPA, also publishes its related prosecution policies and protocols (such as the Bribery Act Joint Prosecution Guidance of The Director of the Serious Fraud Office and The Director of Public Prosecutions, Guidance on Corporate Prosecutions, etc.). These are not, however, consultative processes aimed at clarifying the SFO’s approach to legal interpretation or jurisdictional issues (as in the case of the DOJ opinion procedure or SEC no-action letters). The SFO has made clear on a number of occasions that its role is not that of ‘regulator, an educator, an advisor, a confessor, or an apologist’ but of investigator and specialist prosecutor. It remains to be seen whether, under SFO Director Lisa Osofsky’s leadership, which commenced in August 2018, the SFO’s policy will continue as before or develop a more US-style approach in this and other regards.
In terms of formal statements, a party dealing with the SFO is limited to the guidance contained in judgments and agreed terms of settlement under DPAs, of which there have only been five to date, four concerning the section 7 offence under the Bribery Act 2010 of failing to prevent bribery (three of which also involved substantive bribery offences). More informal statements of policy and approach have been made in speeches by SFO staff to professional audiences, but these remain indicative statements of policy intent and are not analogous to the DOJ opinion procedure.
In the United Kingdom, although the Financial Conduct Authority (FCA) issues policy statements from time to time, it will not give its blessing to a product, service, contractual undertaking or other course of conduct, nor will it make available records it holds in its supervisory or enforcement capacity that companies may rely on when evaluating an intended counterparty. This reluctance is a combination of statutory obligation in relation to the management of confidential information (enshrined in the Financial Services and Markets Act 2000 (FSMA)) and because as a regulatory body it is subject to judicial review should it exceed its jurisdiction. Records of authorisations, published enforcement notices and decisions of the disciplinary tribunal are in the public domain, but there is no ‘surgery service’ to help companies determine the correct approach to the interpretation of their regulatory responsibilities relating to specific counterparty risks. Informal discussion, in the course of ‘close and continuous’ supervisory dialogue pursuant to a firm’s Principle 11 obligations, may shed light on the approach that the FCA may take, but these will not constitute formal policy guidance or policy statements to rely on for the purposes of transactional due diligence or otherwise. A regulated entity is left with the unenviable task of accumulating a body of know-how as to the likely FCA reaction and expectation based on its continued engagement, which is made harder by a considerable degree of personnel turnover at the regulated entity and the regulator itself.
2.2.3 Tensions inherent in the management of privilege and confidentiality
In the United Kingdom and the United States, where similar (but not identical) doctrines of legal professional privilege exist, and in civil law jurisdictions that do not recognise the concept of privilege but rely heavily on the doctrine of professional secrecy, significant pressure points arise as a company seeks to keep material privileged and confidential while also satisfying the appetite of public bodies (regulators, prosecutors and legislators) and customer or investor groups for unguarded candour. There may even be a significant strategic divergence within a company’s own board and management on the balance to be struck between transparency and established legal controls. These tensions emerge in investigations and, as a consequence, in the course of corporate activity.
For the company, tension immediately arises between the various duties owed to customers, shareholders and employees, on the one hand, and the protection of the right of confidentiality as between lawyer and client on the other. Many would focus on the expectations of regulators and prosecutors in respect of valid claims to privilege, and the difference of opinion between those parties and the company as to the status of information (whether disclosable or not). Yet, it is often tension, error, omission or indecision in the company that creates the greatest scope for complexity, long before any debate with authorities or before the courts has begun.
In a transactional context, for example, a target may want to share information so that an acquiring company can assess its exposure to certain risks. The target may hold a volume of documents and information ranging from initial fact-finding witness-interview material to the conclusive investigation report into the precise issues of concern. Yet the target will fear that waiver of privilege over that material may open it up to collateral waiver risk and an inability to defend speculative discovery requests in civil claims at a later date. As such, while non-disclosure may damage the prospects of the transaction or create future litigation risk, unbridled waiver may facilitate third-party litigation down the road.
One possible solution, as an alternative to relying on the concept of a ‘limited waiver’, has been the application of the common interest doctrine to the disclosure to the acquirer for a specific and limited purpose. An example of effective use of a common interest privilege agreement is a joint venture business (A), the main investor in which is corporation (B), which invites investment by a venture capitalist (C). A faces substantial patent litigation in relation to the underlying product, constituting a substantial risk to the viability of the business. There exists a legal opinion as to the merits, sought by A in the ordinary course of the litigation. It is privileged and confidential as against B and C, who are not parties to the action but have a common interest in its outcome as they are aligned in wanting it to fail. Their investment may even support that. This is the typical circumstance in which a common interest privilege disclosure will be made to two parties, to inform their investment decisions, who are then subject to contractual duties of confidentiality to guard against arguments in litigation over waiver of privilege.
On these grounds the acquirer can satisfy itself that it has made a true and fair evaluation of the risk, but this still leaves open questions as to how this risk assessment can subsequently be articulated in public statements if privilege is to be maintained and how the decision to advance can be justified to investors in the absence of a subsequent waiver of privilege. There is, however, conjecture in the United Kingdom as to the balance between risk and value in the application of the common interest doctrine in circumstances where authorities suggest a limited waiver may be sufficient. In the United States, the concept of limited waiver, generally, does not exist.
Similarly, a regulated entity will be concerned as to how it can defend a commercial decision to a regulator without sharing the contents of a privileged document. If it does share privileged material, what is the status of that disclosure? Will the restrictions over a regulator’s dealings in confidential information, or a specifically worded, limited waiver be sufficient to ensure there will be no onward disclosure or gradual widening of the waiver, weakening subsequent defences to disclosure in civil or criminal proceedings? Under English law, disclosure to a regulator on specific terms as to confidentiality, privilege and entitlement on the part of the regulator to make limited onward disclosure for a specific statutory or other legal purpose would not necessarily result in a wholesale waiver.
At the heart of a claim to the protection of privilege is a duty to maintain confidentiality; yet in commercial circumstances the goals of candour and transparency, the disclosure duties set out in financial reporting standards and the reasonable investor test are at odds with the goal of maintaining enforceable claims to privilege in all instances. Counsel therefore often faces the unenviable task of electing which legal risk to prioritise.
In many boardrooms, in common with the views of many regulatory enforcement teams and prosecutors, there is a growing distaste for opportune (though arguably valid) claims to privilege that may obscure a complete understanding of the facts, and increasingly a premium is placed on holding nothing back. This may see the pendulum swinging towards greater disclosure and less concern about privilege, until a company cannot protect against litigation risk that would have been defensible had privilege not been waived. In the United Kingdom this moment has not fully arrived. While debates within the boardroom may rage in relation to the value of greater transparency and the reputational dangers of over-reliance on privilege and confidentiality, there is still a legitimate reliance on the protections afforded by legal professional privilege. In turn, this is being met with a greater level of scrutiny and challenge by public authorities, and episodes of intense litigation on issues of privilege appear to be increasing. Prosecutors and regulators press for greater levels of disclosure but cannot legitimately demand waiver of privilege as a key ingredient of a co-operative dialogue. Instead, they challenge perceived invalid claims or, in the United Kingdom, encourage it as part of the ‘co-operation credit’ debate to which many companies contemplating a DPA are sensitive. At the same time, the decisions in The RBS Rights Issue Litigation and ENRC provided further guidance on the limited extent to which materials created during an investigation may be withheld on the grounds of legal advice privilege and litigation privilege. 
The RBS Rights Issue Litigation and ENRC highlight, among other things, the difference between the United States’ and the United Kingdom’s approaches to privilege and interview notes: whereas the interview notes in question would likely have been protected under the attorney–client privilege and work-product doctrine had US law applied, they were not covered by legal advice privilege in the United Kingdom. The first decision in ENRC was highly controversial, in large part owing to the findings, fatal to ENRC’s claim for litigation privilege, that a criminal investigation was not ‘adversarial’ litigation and that reasonable anticipation of a criminal investigation did not necessarily equate to the reasonable contemplation of a criminal prosecution. The ENRC decision was, however, challenged before the Court of Appeal, which concluded that litigation (in the form of criminal proceedings) was reasonably in contemplation at the time when ENRC had instigated its own internal investigation and that the other ingredients for litigation privilege were present. As such, litigation privilege applied to the notes of interviews with employees, former employees, company and subsidiary officers and other third parties. While the appeal decision in ENRC provides welcome relief in respect of the potential availability of litigation privilege in investigations, the United Kingdom remains significantly at odds with the United States on the applicability of legal professional privilege generally, which is an obvious cause for concern in cross-border investigations. Furthermore, as observed in the ENRC appeal judgment, the United Kingdom is also at odds with international common law in terms of the scope of legal advice privilege. Although discussion of the scope of legal advice privilege featured in the ENRC judgment, the Court of Appeal was clear that any re-examination of the ambit of legal advice privilege must be left for the Supreme Court.
In the United States, where prosecutorial demand for privilege waiver for a corporation to receive full co-operation credit was once common, federal prosecutors may no longer ask for a waiver of the privilege, although corporations must disclose all relevant facts, including against their employees, to receive co-operation credit. Further, the fact that a corporation does not waive the attorney–client privilege during a government investigation cannot be used against a corporation when determining whether it ‘co-operated’.
In practical terms there is some hope for reconciliation of these conflicts by creating separate documents during the investigation: reports to management containing legal advice on investigative outcomes (privileged) having a separate purpose to reports of findings to regulators (not a privileged purpose). Additionally, facts themselves are not privileged and may be presented to law enforcement and regulators, with careful handling to present them as only facts and not the product of specific counsel interviews, without waiving the privilege. In the United Kingdom, fact-finding interviews can be conducted on the basis that the interviewee is not the client and the purpose of the interview is not the giving or receiving of legal advice (consistent with the decisions in The RBS Rights Issue Litigation and ENRC), working on the assumption that notes of the interview will not be privileged communications and should be drafted with that in mind. In the United States, however, the same material may be covered by the attorney–client privilege and work-product doctrine. This presents a significant legal and practical concern in the management of transatlantic investigations, as it raises the threat of subject-matter waiver in the United States. Ex post facto advice to management on the content or outcome of interviews, however, is likely to attract privilege. Yet, ultimately, there may be a point of strategic principle for a board and its advisers to determine: to waive or not to waive.
2.2.4 Whistleblowers, complaints and concerns
While certain investigations will be triggered by established controls or ‘accidental’ awareness of conduct risk, a very substantial proportion of matters under investigation will be instigated by virtue of a company’s policy and practice on raising concerns, namely staff exit interviews, employee helplines and voluntary communications by staff, customers, former employees and members of the public. Together these forms of communication fall into a single, growing class of investigation trigger: whistleblowing.
Whistleblower complaints present a significant overhead for a company, in both financial and reputational terms. The number of complaints received does not necessarily determine how ‘healthy’ an organisation is as regards conduct risk; a significant flow of concerns may indicate a more risk-aware body of employees who feel free to challenge or raise issues without fear for their future employment. The key data is in the nature of allegations and the extent to which points raised are substantiated.
There are a series of primary investigative goals, before the underlying facts are conclusively determined. These are (1) the assessment of the credibility of the complaint and complainant (establishing whether it is a bona fide concern, and whether the matter has been previously raised and determined), (2) the duty owed to the complainant and any other parties in the circumstances (confidentiality and other safeguards of persons and evidence), and (3) whether a full investigation is necessary and, if so, the precise extent of allegations under investigation. Many companies will have clear policies on handling whistleblower complaints, but different companies and jurisdictions will apply varying standards and expectations as to the treatment of complainants. Some principles of general application are nonetheless emerging, namely:
- Whether complainants are actually whistleblowers if they do not class themselves as such is a matter that can be objectively assessed; it is the nature and context of the concern raised, and the policies and procedures triggered by those concerns, that determine the duty owed to them (such as a right to anonymity, the duty to report to authorities, employment protection and so on).
- How the concern is raised does not determine it as whistleblowing. The issues do not have to be raised in correspondence, through a helpline or formal complaints log: concerns can be raised orally in exit interviews, in informal email correspondence, during tribunal proceedings, by voicemail or in passing in social conversation in the office.
- A sensible rule of thumb is to ask whether the substance falls into the categories either defined in the policy on raising concerns or, in the unlikely event of there not being one, whether it constitutes the form of concern or complaint that a regulator would expect (or best practice would require) to be treated with the controls and protections afforded to a whistleblower.
- In cases of doubt, the rights of the individual to protection should override the interests of the company such that complainants should be treated as whistleblowers and afforded necessary protection until the issue is clarified.
- There has been increased focus on the importance of protection of those raising concerns, including ensuring no steps are taken to identify those complainants seeking or entitled to anonymity. The FCA and the Prudential Regulatory Authority have reiterated their expectations as to the appropriate management of complainant confidentiality and the duties owed by regulated sector companies and individuals.
- Care should nonetheless be taken to distinguish between genuine whistleblower cases and the raising of grievances contrary to process, although some allegations may be so significant or toxic to the company’s reputation and financial interests that even an issue arising in an employment context but raised inappropriately or otherwise resolved may need to be investigated (e.g., an allegation of bribery made notwithstanding the existence of a compromised exit).
- A whistleblower may be the source of an allegation but need not (and probably should not) be involved in steering process or in determining or influencing the strategy or outcome. There is no obligation to provide a whistleblower with information in relation to findings, and there may be a significant downside in doing so in terms of loss of privilege and confidentiality. However, a whistleblower should be made aware that the allegations have been taken seriously and are being addressed.
- Loss of bona fide status (e.g., in circumstances where spurious allegations are made for financial gain, employment protection or to blackmail) may result in the individual losing enhanced ‘whistleblower’ protection, but this must be contrasted with jurisdictions encouraging whistleblowing through ‘bounty’ schemes such as that offered by the US SEC’s Office of the Whistleblower that do not impose any good faith requirement on the bounty recipient.
- Bounty schemes and similar arrangements may influence the jurisdiction in which matters are first raised, but a company cannot rely on regulatory issues staying within that jurisdiction. As noted above, regulatory information gateways provide for the sharing of information between regulators and prosecutorial authorities in different jurisdictions (e.g., between the FCA and SEC, and between the DOJ and the SFO). As such, there should be an assumption of wide knowledge.
- Whistleblower initiatives are slowly gaining traction across the globe. A number of regulators (such as the IRS and SEC) in the United States in particular have established practices. However, there are significant cultural differences and enhanced data protection laws in certain European jurisdictions (particularly those whose current laws reflect the reaction to the intrusions of secret intelligence services in the 20th century, and where it is necessary to respect the legitimate reasons why these countries may continue to wrestle with the idea that staff should be encouraged to report colleagues’ misconduct). There are some active reward programmes in Europe, such as the UK Competition and Markets Authority offering rewards of up to £100,000 for information on cartel activity, although these are much more limited than the incentives available in the United States. In October 2019, however, the European Union adopted a Directive on the protection of persons who report breaches of Union law, which may encourage more whistleblowers to come forward. The new rules require (1) companies to create reporting channels and (2) a response within a fixed timescale. EU Member States will have two years from publication in the European Union’s Official Journal (expected in late 2019) to comply. Outside the European Union, Australia’s new whistleblower protection laws became effective in July 2019, requiring companies to have a whistleblower policy from January 2020. However, the importance given to information from whistleblowers, the protection they are afforded and, accordingly, their willingness to come forward, vary widely across the world.
2.2.5 The role of the internal audit function
Many companies do not have (whether as a consequence of funding limitations, strategy or structural considerations) free-standing internal investigations capability. Some will have delegated that responsibility to the internal audit function. Even within that sector, which does have specific investigative capability, there may be examples of investigations having been undertaken by the internal audit functions as part of their ordinary control function activity. As internal investigation capability and practice have grown as a priority for business, so has the recognition that this is not the role of an internal audit function.
In a well-governed business, the purpose of internal audit is to provide the board with independent objective assurance as to the effectiveness of the enterprise-wide control framework. In summary, this means the identification of the appropriate controls in respect of specific (financial and other) risks and the assessment of their efficacy: identifying the risk to which the control relates; identifying the risk ‘owner’; measuring the effectiveness of the control; mandating improvements where breaches or weaknesses are observed and escalating material control weaknesses to senior management or the board as necessary; tracking remedial action; and assessing the improved control environment. The DOJ’s guidance on the evaluation of corporate compliance programmes asks companies to query how often internal audits are conducted in high-risk areas, whether the company audited its compliance programme and what control tests the company has generally undertaken.
These activities are closely connected to, but not synonymous with, investigations. Internal audits are systematic reviews of the group-wide risk control framework and are not event-driven. They do not concern themselves with the investigation of complaints or claims with free-ranging subject matter or context, but are limited to the structure of the control framework devised by senior management.
Internal audit is not part of a legal function providing advisory services, so the output is not subject to legal privilege as a matter of English law (even where audit staff may be legally qualified, they are not tasked with providing legal advice to a client). In the United States, there is a practical refinement: where for a particular exercise members of the internal audit team are designated as working under the direction and control of the legal department, as its agent, for the purpose of providing expert assistance to the legal department in rendering legal advice to management then privilege will attach to their communication. In the United Kingdom, this may be theoretically possible in circumstances where the audit team forms part of a working group under the control of a legal counsel or team, yet the very distinct role differentiation between audit and legal functions in UK corporate governance makes this a hard argument to sustain. Usually, an audit report that addresses legal issues, setting them out with clarity, identifying the controls, possible breaches and remediation recommended, and then identifying a lack of action in response to the recommendation can present dangers for an organisation. The report will be an unprotected disclosable document that presents a regulator, prosecutor or civil litigation claimant with a perfect platform – a charter for enforcement or a document undermining the credibility of a defence in a civil action. But this is not to suggest that internal audit has no role in internal investigations. On the contrary, it is one of the most important company functions, yet the timing and structure of its involvement in investigations is critical.
Internal audit output permits a pre-emptive, focused approach to investigation that is not simply limited to the complaints and concerns raised but operates within a risk-based evaluation culture. Internal audit reports allow a group-wide perspective on control weaknesses that enables investigators to concentrate resources in the most pressing areas of concern (whether in terms of reputational or financial risk) to the board, as opposed to responding piecemeal to each issue as it presents itself. This is important for an effective investigation function, as successful performance generates greater reliance and workloads can escalate aggressively once business leaders identify the value it can deliver. An internal audit function can therefore help to align an investigative function’s input and output with the business’s strategic risk management agenda.
Internal audit activity can also coincide with investigations, with the two functions reviewing similar subject matter, each with distinct purposes, strategies and methodologies, creating the obvious danger of conflicting or partly inconsistent outcomes (at least one of which will not be a privileged document and may contain stark conclusions in relation to the cause of a control breach). An internal audit, ideally, should occur subsequent to an investigation and may even rely on the contents of an investigators’ report to focus the audit process. However, audit programmes tend to be cyclical, thematic or random, and internal auditors are understandably resistant to pressure from any part of the company to suspend or reschedule a standard audit (as this itself could constitute a breach of policy or control deficiency). Enhanced levels of communication between functions may assist in avoiding this risk, but a clash may be inevitable.
What steps can be taken to mitigate this risk? It may be possible to argue that audit is a limited process for a specific purpose, and not a comprehensive factual review. Investigation reports do have to distance their findings from time to time from historical and problematic, strident or oversimplified audit reports, and this can cause an issue where there are different findings on the same or similar facts in close proximity to each other. A forensic investigation is likely to be more comprehensive as it is likely to have included a wider range of evidence, including document reviews, e-discovery and, crucially, witness interviews. Furthermore, lawyers may be able to obtain more detail in the course of a formal interview dialogue where witnesses consider the implications of their responses more than in a control assurance review. It is essential, therefore, that the scope and purpose of an investigation be distinguished at the outset from a narrower control review or audit.
2.2.6 The role of the compliance function
A number of the observations above in respect of internal audit apply equally to the compliance function and are not repeated here. The standard control environment model is a three-legged stool: legal, compliance and risk, each with distinct but collaborative functions, with internal audit acting as a monitor separate from those operational controls. While positioning investigative capability within the legal function maximises claims to privilege and creates the opportunity for deploying the forensic expertise of litigation lawyers in investigative roles, it is by no means standard in the market, and many companies still engage compliance teams in investigative activity. The advantage is the natural connection between investigation, control assurance, control remediation and regulatory liaison, but the separation of roles avoids the risk of conflicts of interest (where, for example, a compliance function has been responsible for implementation of controls and measurement of their effectiveness, but is then charged with investigating breaches and establishing personal accountabilities).
As compliance functions are developing, particularly in the regulated financial services sector after the global financial crisis, a consensus is developing within companies and regulators that the proper home for conduct risk, whistleblowing and certain categories of investigation is the compliance function. There is an increasing pattern of financial crime risk management (policy ownership for bribery and corruption, money laundering, sanctions) being owned by the compliance function, and this has led a significant proportion of companies to extend the responsibility for investigation of these areas to compliance teams as well.
There is, however, a significant difference between ownership of policy and risk, on the one hand, and investigation of a suspected breach on the other, and significant governance concerns arise where the owners of a risk investigate the adequacy of their own conduct. For example, initial public criticism of banks’ handling of issues over the London Inter-Bank Offered Rate (LIBOR) focused on the decision within some firms not to escalate concerns beyond the compliance function or the conduct of inadequate, early investigation by compliance teams within the affected business lines. Independent legal teams then proceeded with more thorough investigation of the issues, benefiting from the application of privilege where applicable (noting the points above and in Chapter 35 in relation to The RBS Rights Issue Litigation and ENRC decisions) as well as acting independently of the business. Learning from this episode, a number of banks restructured their compliance functions, separating the three legs of the stool more emphatically. They created greater levels of governance and control as between the respective functions, with operational framework agreements in place to ensure formal triggers for referral from compliance to legal in certain circumstances where the value or subject matter identifies a level of enhanced legal risk (e.g., bribery and corruption, financial sanctions, high-value fraud, or other systemic control breaches that could have material financial or reputational implications).
2.3 Considerations for investigations triggered by external events
2.3.1 Contact by authorities
In the UK regulated sector, where open and transparent supervisory dialogue is expected, it is comparatively rare for a business to find out about issues for the first time as a result of unilateral contact from a regulator. Ordinarily the regulated entity’s report to the regulator leads to further investigation. By contrast, however, contact from prosecutors, competition authorities and, in certain circumstances, civil litigants may occur without prior warning. In the United States, corporates frequently learn of an investigation for the first time from prosecutors, and criminal referrals from regulatory agencies to the DOJ are common. The following does not seek to list all circumstances in which contact from authorities may trigger investigation, but it highlights certain aspects of unsolicited contact that may raise legal concerns.
The first challenge for a company is to discern the nature and purpose of the authority’s enquiries, and in particular to distinguish between an investigation by a regulator and one by a prosecutor. While a company may be inclined to treat the two forms of organisation as synonymous, they are not. They discharge different duties, carry different powers (although they sometimes overlap) and have different expectations regarding co-operation. Accordingly, a company’s approach to dealing with a regulator may differ from its response to a prosecutor.
A prosecutor investigating a matter is normally seeking evidence to decide whether a crime has occurred and whether individuals or the company should be criminally charged. If it proceeds with a prosecution, it carries the burden of proof (with certain limited jurisdictional and subject-matter exceptions). Apart from specific mandatory reporting regimes, there is no obligation to volunteer information about misconduct to a prosecutor in the absence of a subpoena, warrant or other court order. It is an offence to obstruct an investigation, but obstruction does not extend to failure to volunteer evidence in the absence of compulsion; however, the provision of false, misleading or incomplete information to a prosecutor could amount to an offence of obstruction of justice in the United States or perverting the course of public justice in the United Kingdom. In the United States, it is a crime to destroy evidence, even in the absence of compulsion or the initiation of a proceeding, when the purpose is to avoid its disclosure in an anticipated criminal or regulatory investigation or proceeding. Further, the Fifth Amendment right against self-incrimination extends only to individuals, not corporations. Therefore, ancillary Fifth Amendment protections, such as the act of production doctrine, which permits an individual to hold back documents if the mere act of producing them, as opposed to their content, will be incriminating, do not apply to corporates.
In dealings with UK prosecutors, while opportunities for mitigation and leniency exist through demonstrable co-operation (and a company may regret not being able to obtain co-operation credit later on), co-operation is a matter of pragmatic choice rather than legal obligation. The starting point remains unchanged: under what valid power does the prosecutor seek the evidence, what are the company’s reasonable defences and how tactically does the company respond? While principles of co-operation with government agencies in the hope of gaining leniency or mitigation are more clearly defined and have a longer tradition in the United States, the general rule of law remains intact and questions of powers, defences and tactics are no less germane.
Where a prosecutor, police or investigative agency, competition authority or other public body serves a subpoena, order or warrant entitling it to documents and electronic information, or to enter, search and seize, monitor or restrain, the challenge for the affected organisation is twofold: (1) to provide information or permit access and activity within the confines of the power granted; and (2) to ensure the company is not left behind (and preferably remains in front) in its own understanding of the relevant facts.
In the United States, grand jury subpoenas are the most common tool prosecutors use to gather information against a corporation in a criminal investigation. Various civil and regulatory enforcement agencies, such as the SEC and Commodity Futures Trading Commission, may also issue subpoenas. General principles to follow when responding to a subpoena include issuing hold notices to the relevant employees and, if appropriate, third parties, to ensure that all information requested or potentially relevant to the enquiry (emails, other electronically stored information, hard-copy documents, etc.) is retained; controlling insider lists to identify those now aware of facts that may constitute inside information; preparing witness lists (to ensure they do not receive updates or advice on the matter, which may contaminate their evidence); and giving consideration to the treatment of witnesses (whether they require independent legal advice, or should be removed from the office environment through suspension or relocation so as not to risk evidence tampering, collusion or undue influence over other witnesses). In a criminal matter, defence counsel will almost always engage with the prosecutor to determine the company’s status as a witness (potentially having relevant information, but no criminal liability), subject (the largest category, in which the government does not yet have sufficient information to determine criminal liability) or target (the government is gathering evidence to bring criminal charges against the company). Counsel will also almost certainly work to narrow the scope of the information requested.
A number of important general principles apply also to the execution of search warrants and the conduct of dawn raids:
- The order or warrant must be reviewed to ensure that the party serving or executing it has the requisite power. (Does it catch the correct entity? Is it the correct site or office? Are the search area and the items the authorities are searching for described with the requisite particularity? Are there date or time discrepancies? Is it signed or executed? In the United Kingdom, does it bear the correct court seal? Does the person conducting the inspection have the requisite authority in that jurisdiction?)
- All relevant parties need to ensure the full scope and context of the search is understood (and where electronic searches are undertaken, endeavour to agree on relevant keyword searches and the exclusion of out-of-scope material, such as privileged documents or personal data).
- As with a subpoena, it will generally be necessary to issue hold notices immediately after receipt of the order or warrant with instructions not to destroy or spoil evidence or to give false or misleading information. As well as the obvious practical importance of preserving relevant evidence, there is also significant value in being seen to co-operate as an initial response.
- Individuals executing the order should be subject to identity verification to ensure that execution is in accordance with the terms of the order and that their identification is recorded (in the event that the order is breached and an individual’s identity becomes relevant to any proceedings arising as a consequence).
- Staff, including reception and a designated dawn raid team, should be trained in advance as to how to conduct any interaction with investigators from the moment of first access to the premises. This includes training and instruction on not answering apparently casual questions on the subject of the search. The informal question to the unready on the walk along the corridor is a well-established source of information for experienced investigators. Any questions asked of staff should be noted. Employees may be informed of their legal rights not to speak to investigators and their right to counsel. Additionally, if the company is willing, the employees may be told that the company will provide legal counsel to them at no cost if investigators wish to speak to them or if they are later contacted. The company may not, however, instruct employees not to speak to investigators. That is the employee’s choice.
- A separate room should be set aside as a base for investigators and discussions between legal function representatives and the visitors so that debate and investigative activity does not take place within earshot of those under investigation.
- Local IT support (technology, plus a nominated IT representative) should be made available in the same room to ensure the IT environment can be explained to investigators and accessed. A log of access and copies of materials reviewed or seized should be made as the matter progresses so that a company’s own investigators and lawyers can subsequently review the same material and evaluate compliance with the order or warrant.
- A written log should be kept of all places searched and items seized. Legal counsel should be present, if possible, to assert objections based on the attorney–client privilege, to identify commercially sensitive information or the sensitive personal information of customers or employees and to object if the search exceeds its authorisation. None of this, however, can be obstructive. The remedy for an improper search or seizure is to be had in court, not while the search is being conducted.
- Seek to agree with the investigators in advance on the definition and scope of principles such as legal privilege, commercial confidentiality, relevance, personal data and other material the company would contend falls outside the terms of the order, and to a protocol for handling these materials during and after the search.
- Consider whether it is necessary and appropriate to prepare a press release or public disclosure (e.g., stock exchange announcement) confirming the on-site inspection and its scope or purpose. In the United States, it may be advisable to convene a ‘town hall’ meeting with employees to discuss the search and the looming investigation, but in the United Kingdom, this practice is not favoured as it could tip off individuals who do not intend to comply, triggering evidence tampering or impacting the integrity of witness testimony.
Many of the points in Section 2.2.4 on internal whistleblowers apply equally to whistleblowers from outside the organisation. There are, however, further legal sensitivities in dealing with external sources of concern that merit consideration.
While an employee cannot be prohibited or discouraged, contractually or otherwise, from reporting concerns to regulators or law enforcement, an employee will probably otherwise be subject to a contractual duty of confidentiality in respect to matters arising within the company and may often have a sense of loyalty to the company. Hence an internal whistleblower presents a more limited threat of public or further disclosure than an external whistleblower. Where an employee does not respect his or her obligations, care should be taken on the issue of enforcement of contractual and other duties of confidentiality, as a first response that apparently seeks to silence someone speaking up can appear extremely unattractive to the media, regulators and other authorities. This has, more recently, become very sensitive in the context of sexual assault and discrimination claims and campaigns initiated by whistleblower complaints – including the #MeToo movement – with an increasing number of organisations publicly stating that they will not enforce confidentiality undertakings against complainants who are victims of such conduct in the workplace, notwithstanding their presence in employment contracts and compromise agreements, or choosing not to include them in newly executed agreements.
External whistleblowers frequently adopt a multi-level strategy for ensuring their concerns receive attention. First, they communicate through the formal whistleblower route, challenging the company to demonstrate the efficacy of its response. At the same time, or shortly after, they write directly to the board, senior management and shareholders, frequently copying in other third parties. Frustrated by inaction, they may turn to media interviews to increase pressure. Communication with regulatory authorities and other public bodies may follow.
It may be tempting to regard these scattergun approaches as self-evidently undermining the credibility of the issues raised and the complainant, but they are in fact remarkably effective strategies for ensuring the matter receives urgent attention, and the tools at hand for stopping wider publication are limited. Injunctive relief rarely succeeds in the face of a public interest justification.
Dialogue with the whistleblower, giving the clear impression that the company is grateful to the person for having spoken up and that an investigation is now under way, helps to reduce wider dissemination risk or slows the timetable. However, this must be balanced with the need to avoid encouraging the whistleblower to believe he or she is in charge, will be informed of the outcome of the investigation or in some way will influence the company’s strategy in dealing with the issues.
A helpful counter to the lack of control a company has over the conduct of external whistleblowers is the lack of access they have to company confidential material and staff. By the same token, however, the company has limited line of sight into external whistleblowers’ dealings with third parties, including public authorities. It is, therefore, advisable to invite the whistleblower to meet or speak with a member of the legal function to establish what he or she knows, has done so far and is intending to do next.
Finally, internal and external whistleblowers may have protected status, whether as employees or former employees under various EU, UK and US laws, or as a consequence of a company’s policy and practice. Whether or not they are protected as a matter of law, it is essential that all whistleblowers are, and are seen to be, immune from retribution. This requires the application of significant care in the treatment of their complaints, evidence, the handling of witnesses, their anonymity (whether or not requested) and the reporting of facts within the organisation, recognising that ordinary line-reporting duties may be suspended to protect the identity of the whistleblower and avoid reprisal.
Unexpected media reports or more aggressive or intrusive media behaviour (such as undercover investigative journalism) can trigger an investigation in extremely pressurised circumstances. The media body running the story will often have completed its investigation before the company is aware of the matter. In the worst cases, the first a company learns of the facts is in the publication or broadcast. Various broadcasting codes and voluntary editorial principles encourage the opportunity for a right of reply, so most coverage will follow a short period of discussion of content between the media and the subject of the story, but that period is not enough to accommodate an investigation and a fully informed response. The company’s investigation is therefore under time pressure from its first step, with media, customers, shareholders, regulators and government agencies pressing for answers or redress before the company’s senior management has been able to evaluate the facts or take advice on the risk they present.
Even if it has been aware of the broader issue, and is undertaking some form of investigation, sudden and intense media scrutiny can require a company to adjust the level of response to be seen to understand public demand for resolution. Companies that were otherwise intending to adopt a more passive approach, or to undertake low-key investigations and adopt a reactive media and customer stance, can appear to be on the back foot as they scramble to intensify investigative efforts.
All of this can, of course, play out as complaints and concerns become part of a viral episode through social media, reducing timelines to hours and days, not weeks and months. From a practical point of view, there is an immediate balance to be struck between thorough investigation and a sufficient grasp of the facts to allow the company to demonstrate a clear strategy that can be articulated publicly (consider, for example, the initial days of the Deepwater Horizon accident in the Gulf of Mexico in 2010).
Above all, these pressures require strong triage skills and pre-existing crisis management and investigations governance, which allows incident response, investigation, legal risk management, media, shareholder and customer relations strategies to follow well-practised routines so that precious time is not taken up debating who is leading and what the right first step may be. Setting up an investigations steering group and having effective policies and processes in place that are respected by senior management will ensure that emergency investigations are not obstructed by administrative chaos.
2.3.4 Customer and competitor complaints and regulatory response
As well as direct complaints to the company and civil litigation (which trigger the fact-gathering process), customers and competitors may refer complaints to regulators, consumer bodies and ombudsmen. Individual incidents may be sufficiently problematic to merit investigation in their own right. However, even with low-value customer complaints there comes a point where a volume of similar-fact criticisms raises concerns as to the fairness of underlying sales processes and adequacy of complaints handling systems, or perhaps even broader questions of breaches of systems or controls, that may combine to catch a regulator’s attention.
While it might be hoped that a company’s own monitoring of complaints levels and sources should trigger deeper investigation into the underlying issues, it will sometimes take unilateral regulatory enquiry and enforcement processes to bring about a non-voluntary, full evaluation, including thematic reviews, ‘skilled persons appointments’, market studies and industry sweeps. Such investigations will have a significant distinguishing feature: the company’s in-house investigators will not set the parameters of the investigation (though they can add significant value in debates with regulators over scope and process and may be heavily involved in the activities that follow, by partnering the external firm in a skilled person’s review, for example). The in-house function will remain critical in the parallel process of evaluation of evidence as it comes to light so that advice may be taken to develop a response to regulatory or legal liability.
2.3.5 The influence of political agendas
The regulatory agenda is often set, adjusted or inflamed by the political climate, such that external regulatory or criminal investigations would not commence but for political pressure or the sudden availability of funding. The political agenda itself may change overnight in the face of public or media pressure.
Take, for example, UK parliamentary politics in the wake of the LIBOR regulatory settlements in the summer of 2012. Prior to the announcements that summer, the former Director of the SFO, Richard Alderman, had declined to commence an investigation into LIBOR manipulation citing insufficient resources to pursue the matter following budget cuts and a concern that the SFO might duplicate efforts by the Financial Services Authority and the Office of Fair Trading, which he considered better placed to determine the issues. He stepped down in April 2012 and the issue came to the public’s attention in June 2012 when the first regulatory settlements were announced.
There followed a period of intense criticism in the media, growing public outcry and then questions in the House of Commons in late June 2012 as to why the SFO was not investigating the issues. Shortly after the Prime Minister’s appearance in the House of Commons to answer questions on the issue, the Chancellor of the Exchequer announced that emergency funding was being made available, and on 6 July 2012 the SFO announced it was commencing an investigation. While the banks in question had either resolved matters with their regulatory bodies or were in the process of doing so, they then faced parallel investigations into the same matters (but on a different, criminal footing concerning the conduct of individuals as opposed to the regulatory breaches by the corporations). Formal requests for witness evidence were served in the weeks and months following. Prosecutions of individuals followed in 2015 and 2016 and continue in the United Kingdom and United States.
Although banks had already conducted their own investigative activity – in certain cases some years prior to the individual prosecutions – the purpose and nature, timescale and outcomes of the SFO’s enquiries were different from the regulatory investigations by UK, US and other prosecutorial authorities, and different again to the multiple competition authority enquiries on the same issues that had already occurred, requiring a flexibility in approach by banks’ investigations teams, not to mention significant capacity to handle such large-scale and long-running matters.
2.3.6 Investor complaints and shareholder derivative lawsuits
While this section considers the external causes of investigations, and complaints and claims by investors may appear to fall more obviously into the ‘litigation’ than ‘investigations’ workload for a company, claims and complaints are rarely so neatly delineated. The reality for many companies is that allegations raised by shareholders can trigger twin legal activities: a defence strategy in cases where issues of liability are plainly articulated and facts are either already established or may be simply assessed; and separate investigations into wider concerns raised by the complaint, or where the facts are far from clear and the allegation cannot be adequately responded to without an investigation.
A major sensitivity in matters of this nature, which can be overlooked in pursuit of the defence of the civil action, pursuit of the HR agenda and rebuttal of individual shareholder complaints, relates to the ongoing disclosure and transparency obligations arising from stock exchange listing rules. It is one thing to investigate sufficiently to position a company to defend litigation on the balance of probabilities, or to be able to respond to a letter of concern or questions from the floor in an annual general meeting, but another to investigate to a point where a public statement can be made with sufficient accuracy to satisfy the reasonable investor test.
A company may wish to respond speedily to concerns raised by an investor, and in other circumstances considered above a ‘triage’ approach enables early management of matters under investigation. Dealing with investor complaints, however, carries a further layer of complexity: a balance needs to be struck, in risk-management terms, between the urgency to make a statement to the market and the time it may take to investigate facts sufficiently to permit that statement to be adequately precise and informative. The publication of false or misleading statements through inadequate or incomplete investigation simply increases the range of potential legal liabilities and further delays resolution.
A final category of external trigger is the complaint by a competitor (whether directly to the company or to a regulatory or criminal authority that then notifies the company).
On first analysis this seems to be little different from any other external trigger, but a complaint or concern raised by a participant in the same market raises a number of wider risks that impact the complexion of the subsequent investigation. In certain ways a competitor complaint has more in common with whistleblowing (and may even be regarded as such by authorities) in that it may create forms of protected disclosure, confidentiality obligations and behavioural expectations from particular authorities. This is certainly the case in competition matters where leniency or immunity is sought following a self-report to a competition authority following a tip-off or complaint by a competitor. This immediately limits the scope for communication of issues (including even the existence and subject matter of the investigation) among staff and will have a particular bearing on the management of evidence, including witness handling and interview processes. It will also affect the extent to which there may be ongoing communication outside the organisation where, for example, witnesses may exist within the competitor organisation but further dialogue is not possible without the consent of, and careful choreography by, the relevant authority.
1 William H Devaney and Joanna Ludlam are partners at Baker McKenzie LLP.
2 US Department of Justice (DOJ), Evaluation of Corporate Compliance Programs, April 2019, Sections I.A – D, II.B and III.A (noting the importance of risk assessments, training, communications, confidential reporting structures and investigative processes to inform an effective corporate compliance programme and identifying, inter alia, root causes and systems vulnerabilities). See https://www.justice.gov/criminal-fraud/page/file/937501/download.
3 Those necessary to enable a person or organisation to comply with reporting duties under §§ 330 to 332 and to avoid commission of separate money laundering offences under §§ 327 to 329 of the Proceeds of Crime Act.
4 A Resource Guide to the US Foreign Corrupt Practices Act (2012), 28 (discussing pre-transactional due diligence). See also US Department of Justice, Opinion Release 14-02 and Opinion Release 08-02.
5 See Matthew Miner, US Deputy Assistant Attorney General, Keynote Address at the American Conference Institute, 9th Global Forum on Anti-Corruption Compliance in High Risk Markets (25 July 2018).
6 See US Department of Justice, Justice Manual (JM) § 9-47.120 – FCPA Corporate Enforcement Policy, at 4 (M&A Due Diligence and Remediation).
7 Matthew Miner, US Deputy Assistant Attorney General, Remarks at The American Bar Association’s Criminal Justice Section 3rd Global White Collar Crime Institute Conference held in Prague, Czech Republic (27 June 2019).
9 See John Cronan, Acting Assistant Attorney General, US Department of Justice Criminal Division, Presentation at the American Bar Association, White Collar Conference (1 March 2018) (conveying DOJ’s intention to ‘reward self-disclosure, full cooperation, [and] timely and appropriate remediation’ by declining to bring cases against companies investigated for criminal violations other than under the FCPA).
10 For example, as evidence relevant to the offence in the United Kingdom of failing to prevent bribery under section 7 of the Bribery Act 2010 or in support of a regulatory enforcement for a suspected systems and controls breach under Principle 3 of the Financial Conduct Authority’s (FCA) Principles for Businesses.
11 These can provide a high degree of comfort to corporations. See, for example, US Department of Justice Foreign Corrupt Practices Act Opinion Procedure Release 14-02 on successor liability principles, which assesses how the DOJ would approach the question of whether it would pursue wrongful pre-acquisition conduct by the target company where the target was not within the reach of the FCPA at the time of the alleged misconduct.
12 Securities and Exchange Commission (SEC) no-action letters allow individuals or entities unsure of the legality of a product, service or action to request a letter from the SEC discussing the facts, applicable laws and rules, and providing a conclusion about whether SEC staff would recommend an enforcement action. See https://www.sec.gov/.
13 For Opinion Procedure Releases, see https://www.justice.gov/criminal-fraud/opinion-procedure-releases.
14 For US Deputy Assistant Attorney General Matthew Miner’s Keynote Address at the 9th Global Forum on Anti-Corruption Compliance in High Risk Markets on 25 July 2018, see https://www.justice.gov/opa/pr/deputy-assistant-attorney-general-matthew-s-miner-remarks-american-conference-institute-9th.
16 https://www.sfo.gov.uk/publications/guidance-policy-and-protocols/. These are objective statements of position, not subjective opportunities for evaluation of specific conduct.
17 ‘Ethical business conduct: an enforcement perspective’ – speech by David Green QC, former Director of the Serious Fraud Office (SFO), to PricewaterhouseCoopers on 6 March 2014.
19 (1) Serious Fraud Office v. Standard Bank PLC (now known as ICBC Standard Bank PLC), 30 November 2015, Case No. U20150854. The SFO’s press release with the deferred prosecution agreement (DPA) and statement of facts can be found at https://www.sfo.gov.uk/2015/11/30/sfo-agrees-first-uk-dpa-with-standard-bank/; (2) Serious Fraud Office v. XYZ Limited, 11 July 2016, Case No. U20150856. The identity of the defendant has been redacted from the press release dated 8 July 2016 and final redacted judgment dated 11 July 2016 pending ongoing proceedings, with the full DPA, statement of facts and full judgment due to be published when those proceedings are concluded; (3) Serious Fraud Office v. Rolls-Royce plc and Rolls-Royce Energy Systems Inc, 17 January 2017, Case No. U20170036. The SFO’s press release with the DPA and statement of facts can be found at https://www.sfo.gov.uk/cases/rolls-royce-plc/; (4) Serious Fraud Office v. Tesco Stores Limited, 10 April 2017. The judgment, DPA and statement of facts can be found at https://www.sfo.gov.uk/cases/tesco-plc/; and (5) Serious Fraud Office v. Serco Geografix Ltd, 4 July 2019. The SFO’s press release with the DPA and statement of facts can be found at https://www.sfo.gov.uk/2019/07/04/sfo-completes-dpa-with-serco-geografix-ltd/.
20 e.g., speech to the Annual Bribery and Corruption Forum by Ben Morgan, Joint Head of Bribery and Corruption, SFO, 29 October 2015, in which the principles of co-operation credit and the application of the DPA jurisdiction were further explored.
21 Sections 348 to 353 of the Financial Services and Markets Act 2000 (FSMA) govern the FCA’s treatment of information provided subject to duties of confidence and include certain exceptions to restrictions on disclosure of confidential information.
22 Under Principle 11 of the FCA’s Principles for Businesses, a firm must deal with its regulators in an open and co-operative way and must disclose to the appropriate regulator anything relating to the firm of which that regulator would reasonably expect notice.
23 In the United States, the common interest doctrine varies from state to state. Under New York law, its application is limited to communications related to pending or anticipated litigation, rather than an anticipated merger or other commercial activity. Ambac Assurance Corp., et al. v. Countrywide Home Loans, Inc., et al., 27 N.Y.3d 616, 627 to 629 (2016). In Delaware, which is generally considered the leading jurisdiction for corporate law, however, the privilege is much broader. ‘A client has a privilege to refuse to disclose and to prevent any other person from disclosing confidential communications made for the purpose of facilitating the rendition of professional legal services to the client . . . (3) by the client or the client’s lawyer or a representative of the lawyer representing another in a matter of common interest.’ Del. R. Evid. 502(b)(3). The law applies ‘especially within the context of a pending transaction’ when discussion ‘involved legal issues regarding the transaction’. 3Com Corp. v. Diamond II Holdings, Inc., No. 3933-VCN, 2010 Del. Ch. LEXIS 126, at *13, *24 & n. 18 (Ch. 31 May 2010).
24 Gotha City v. Sotheby’s (No.1)  1 WLR. 114 confirmed that where advice is shared with another party on a confidential basis, the waiver of privilege as between them did not constitute a waiver of privilege as against the wider world. In Property Alliance Group v. Royal Bank of Scotland  EWHC 1557 (Ch), Mr Justice Birss applied Gotha and confirmed that waivers of privilege can be made for a limited purpose and that this would prevent the person to whom the document was disclosed from using it in circumstances outside the limited purpose.
25 See, e.g., Pac. Pictures Corp. v. United States Dist. Court, No. 11-71844, 2012 U.S. App. LEXIS 7643 (9th Cir. 17 April 2012) (rejecting the theory of ‘selective waiver’ and holding that a party who provides attorney–client privileged materials to the government may not thereafter claim the privilege in civil litigation).
26 e.g., FSMA, section 348.
27 In Property Alliance Group v. Royal Bank of Scotland  EWHC 1557 (Ch), the documents in question had been provided to various regulators on the basis that confidentiality and privilege would be preserved as against third parties. The agreements with the regulators contained ‘carve-outs’, which permitted the regulators to share the documents with other third parties (such as other government or regulatory agencies) and to make the material public or to disclose it further. Birss J found that those carve-outs did not amount to a general waiver of privilege and stated: ‘The fact that the carve-outs recognise the regulator’s rights and obligations to take a step, which might go as far as even publishing the information in the document, makes no difference if that has not happened. Until they do, I fail to see why the confidentiality and privilege would not be preserved.’
28 Re The RBS Rights Issue Litigation  EWHC 3161 (Ch); Serious Fraud Office (SFO) v. Eurasian Natural Resources Corporation Ltd  EWHC 1017 (QB) 8 May 2017; Serious Fraud Office (SFO) v. Eurasian Natural Resources Corporation  EWCA Civ 2006.
29 JM § 9-28.710–9-28.720.
31 See Upjohn Co. v. United States, 449 U.S. 383, 395-96 (1981).
32 See United States v. Stewart, No. 15CR287, 2016 U.S. Dist. LEXIS 103516, at *5 (S.D.N.Y. 22 July 2016) (in-house counsel waived privilege over defendant’s communications by disclosing them to the Financial Industry Regulatory Authority, because counsel’s disclosure contained not only unprivileged facts, but also the contents of privileged communications, i.e., counsel’s questions to the employee).
33 Note, however, that if the test for litigation privilege is met, interview notes may be covered by litigation privilege.
34 See, e.g., SEC v. Roberts, 254 F.R.D. 371, 375 (N.D. Cal. 2008); SEC v. Schroeder, No. C07-03798 JW, 2009 U.S. Dist. LEXIS 39378, at *20 (N.D. Cal. 27 April 2009); Nat’l Union Fire Ins. Co. of Pittsburgh, PA v. AARPO, Inc., No. 97-CV-1438, 1998 U.S. Dist. LEXIS 21342, at *4 (S.D.N.Y. 24 November 1998); see also City of Pontiac General Employees’ Retirement System v. Wal-Mart Stores Inc, et al., Case No. 5:12-cv-5162 (W.D. Ark 2012), Order 5 May 2017. An internal investigation conducted by non-lawyer investigators, not under the direction of counsel, nor in contemplation of litigation, is protected by neither the attorney–client privilege nor the work-product doctrine.
35 The Federal Rules of Evidence state: ‘When the disclosure is made in a federal proceeding or to a federal office or agency and waives the attorney–client privilege or work-product protection, the waiver extends to an undisclosed communication or information in a federal or state proceeding only if: (1) the waiver is intentional; (2) the disclosed and undisclosed communications or information concern the same subject matter; and (3) they ought in fairness to be considered together.’ Fed. R. Evid. 502(a). As interpreted, Rule 502(a) generally tends to narrow the scope of waiver.
38 In the United Kingdom, the Public Interest Disclosure Act 1998 sets out protections for whistleblowers who are dismissed or affected as a consequence of making a disclosure as a whistleblower. Section 17 narrows the definition of protected disclosures to those made ‘in the public interest’. Section 18 provides that tribunals may reduce compensatory payments in circumstances where the disclosure was not made in good faith.
39 In the United States, one eligibility requirement for whistleblower retaliation protection under the Dodd-Frank Act is that the whistleblower report conduct he or she ‘reasonably believes’ constitutes a violation. 18 U.S.C. § 1514A(a)(1). The employee’s ‘reasonable belief’ must be both subjectively and objectively reasonable, and a good faith requirement has been interpreted as part of subjective reasonableness. Day v. Staples, Inc., 555 F.3d 42, 54 (1st Cir. 2009); Ashmore v. CGI Group Inc., 138 F. Supp. 3d 329, 344 (S.D.N.Y. 2015).
40 Pursuant to the Dodd-Frank Act, the SEC provides monetary awards to individuals, providing they meet certain criteria, who provide information leading to an enforcement action in which over US$1 million in sanctions is ordered. Awards range from 10 to 30 per cent of the amount collected. See https://www.sec.gov/whistleblower/.
43 US Department of Justice, Evaluation of Corporate Compliance Programs, § 9. See https://www.justice.gov/criminal-fraud/page/file/937501/download.
44 See United States v. Kovel, 296 F.2d 918 (2d Cir. 1961).
45 e.g., the obligation in the United Kingdom to submit suspicious activity reports under section 330 of the Proceeds of Crime Act 2002.
46 See 18 U.S.C. § 1519.
47 See United States v. Hubbell, 530 U.S. 27 (2000).
48 For the UK financial services industry, this is to be contrasted with the duty of open and co-operative dealings with the FCA, whereby evidence of a control breach would be reported without delay and significant regulatory implications could arise from a failure to do so. A US corporate’s duty to disclose is limited. See Chapters 9 and 10 on co-operating with authorities.
49 In the United Kingdom, with the introduction of the Serious Fraud Office’s DPA power in 2015.
50 There is no legal obligation to co-operate in an investigation in the United States. Under the Principles of Federal Prosecution of Business Organizations, however, a corporation’s willingness to co-operate is a factor in determining whether to charge the corporation. But, a corporation’s refusal to co-operate alone is not justification for prosecution. See JM § 9-28.700. Formal obligation aside, from a more pragmatic perspective, US and UK entities under a DPA or NPA, or parties subject to monitorships, may find they have little choice but to disclose, as might a member of the heavily regulated financial services sector, which could face adverse findings in relation to the duty to deal openly and transparently with its regulator.
51 See also, JM § 9-11.151, defining ‘target’ and ‘subject’.
52 See e.g. SEC v. KBR, Release No. 34-74619 (1 April 2015) – fining and imposing remedial relief against KBR for violating Rule 21F-17, which prohibits impeding an individual from communicating directly with the SEC staff about a possible violation of the securities laws. KBR’s violation stemmed from it requiring employees to sign confidentiality agreements as part of internal investigations, stating that they would not disclose interviews or the subject matter of interviews or investigations to anyone without the KBR legal department’s prior approval, threatening disciplinary action up to termination for breaching the confidentiality agreement.
53 FSMA, section 166.
54 In the United Kingdom, information a reasonable investor would be likely to use as a basis for his or her investment decisions. See the FSMA and Article 7 of the Market Abuse Regulation relating to inside information. These provisions require a high degree of precision in the accuracy of factual statements.