Beginning an Internal Investigation: The UK Perspective
Company investigations arise from a diverse range of sources: from internal issues such as employee allegations, whistleblowing, supplier or customer complaints and audit findings, to external triggers such as reports in the press, on blogs and on social media, allegations in third-party litigation and approaches from regulators or other authorities, who may independently have uncovered an issue.
This chapter focuses on the factors relevant to a company’s decision whether, when and how to launch an internal investigation, and highlights key considerations in conducting the early stages of an internal investigation. These decisions are often made under significant time pressure, and with only limited information, but they can have serious repercussions.
5.2 Whether to notify any relevant authorities
A key initial question when a potential issue comes to light is whether to notify any relevant authorities – which is likely, in turn, to impact several aspects of the internal investigation. Whether a notification is required or desirable will turn on the regulatory status of the company or the individuals uncovering the issue, the expectations of the relevant authorities and the issue itself.
Firms regulated by the Financial Conduct Authority (FCA) are under a duty to deal with their regulators openly and co-operatively and to disclose appropriately anything relating to them of which the FCA would reasonably expect notice. The FCA Handbook sets out a non-exhaustive list of situations where a firm is under an explicit duty to notify. Although the timing of the notification will depend on the circumstances, the FCA expects a firm to discuss relevant matters with it ‘at an early stage, before making any internal or external commitments’, and in certain cases the notification obligation can be immediate. Dual-regulated firms owe similar obligations to the Prudential Regulation Authority (PRA).
Obligations to notify may also arise under anti-money laundering legislation. Persons working in the ‘regulated sector’ (a wider concept than just firms regulated by the FCA) must submit (subject to certain limited exceptions) a suspicious activity report (SAR) to the National Crime Agency (NCA) in respect of information that comes to them in the course of their business if they know or suspect, or have reasonable grounds for knowing or suspecting, that a person is engaged in money laundering or terrorist financing, or even just attempting the latter. Even if a person does not work in the ‘regulated sector’, they may still need to make a SAR and an accompanying application for a ‘defence against money laundering’ to avoid the risk of committing a money laundering offence if they suspect that property they are dealing with is in some way criminal.
While there is no general legal obligation to report crime to the authorities, it may be in a company’s interests to self-report suspicions of criminal conduct to the Serious Fraud Office (SFO). The Deferred Prosecution Agreements Code of Practice (the DPA Code) states that it will be a public interest factor against prosecution if a company self-reports ‘within a reasonable time of the offending coming to light’; a point that has been strongly endorsed by the courts in the DPA judgments handed down to date, and which is reflected in the SFO’s ‘Corporate Co-operation Guidance’ and chapter on ‘Deferred Prosecution Agreements’ in its Operational Handbook. It has been acknowledged by the Director of the SFO that ‘reasonable time’ allows a company to conduct at least a preliminary investigation into a potential issue before self-reporting.
Finally, certain companies will need to consider whether they are required (both at the outset of the investigation and on an ongoing basis) to make a disclosure to the market in relation to the potential issue that has come to light. If a market disclosure is required then it is easier to conclude that the company should also inform the relevant authorities.
5.3 Whether and when to launch an internal investigation
Conducting an investigation is not without risk, and the risks should be considered carefully before an internal investigation starts. Once begun, an investigation can be difficult to stop or limit without damaging the company’s credibility.
There can be a significant number of advantages to undertaking an internal investigation, including, principally, the ability to gain a better understanding of the facts to allow for more informed decision-making and the exploration of possible defences, and to increase a company’s ability to react effectively to any external investigations or adverse publicity. There can also be significant financial benefits if the results of the investigation allow the company to apply for leniency or immunity (principally available in the competition sphere) or to self-report and co-operate with an external investigation to gain a discount on a potential future financial penalty (or avoid prosecution altogether). Undertaking an internal investigation can also help to demonstrate that a company has adequate procedures and a corporate culture that takes compliance seriously, with wider benefits should the company’s compliance framework later be evaluated. Linked to this, an internal investigation can also allow for proper remediation and the implementation of compliance enhancements that might help to avoid similar issues arising in future.
Sometimes, the factors in favour of conducting an internal investigation are acute, for example where a company has to investigate to comply with its regulatory obligations (for instance the FCA Principles for Businesses) or where directors have to do so to comply with their fiduciary and other statutory or common law duties. A company may also have existing internal corporate governance codes or compliance policies that mandate an investigation. On the other hand, authorities have been known to request that companies do not conduct an internal investigation at all (for instance if it risks employees being ‘tipped off’ that they are under investigation, denying the authority the chance to monitor the relevant individuals covertly). Indeed, the FCA has stated that: ‘Whether and how a firm investigates internally must now be looked at from the point of view of whether doing so will assist or inhibit the FCA’s investigation.’
There are, however, a number of potential downsides to conducting an internal investigation, which may in certain circumstances lead a company to decide not to investigate. These downsides include the potentially high costs and resource requirements of an investigation (including distraction from business as usual) and the reputational risk that might occur should the investigation become public. An investigation may, depending on its outcome, mean that companies have to notify stakeholders (such as insurers, auditors, lenders – particularly where the facts may constitute an event of default – and third-party customers), or make a disclosure to the market. There is also the risk that the internal investigation might result in the creation of non-privileged documents that could assist regulators, prosecutors or potential civil claimants (such as customers or shareholders), to the detriment of the company, and the risk that the investigation might uncover misconduct beyond the scope of the initial allegation.
When deciding whether and when to conduct an internal investigation, companies will also consider whether to instruct external legal counsel to advise on or conduct the investigation. In addition to providing investigations expertise and additional personnel, the engagement of external counsel can also bolster the independence of the investigation, which is important in a criminal or regulatory context, and provide an external viewpoint to balance the views of internal stakeholders. Engaging external counsel also increases the likelihood that privilege may apply to investigation documents.
5.4 Oversight and management of the investigation
One of the first issues to address at the outset of an internal investigation is to put in place an appropriate and robust governance structure, including who will have day-to-day management of the investigation and whom they will report to. The structure chosen will vary depending on the company and the issue.
Day-to-day management of the investigation is often given to the internal legal or compliance team, who will, therefore, likely be the ‘client’ for the purposes of instructing external legal counsel, with a consequent effect on the analysis of whether and when legal advice and litigation privilege may arise. In any case, it will be important for potentially implicated individuals to be excluded from the investigation team; the composition of the team should be kept under review in case additional individuals are implicated as a result of information that comes to light during the investigation. Where external advisers have been brought in to conduct an independent review, it may also be appropriate to limit the ability of the client to instruct or influence the review beyond clearly defined parameters, to preserve this independence. Further, if the issue under investigation arose as a result of whistleblowing, it will be important to bear in mind the rights of the whistleblower when designing the governance structure, particularly if the whistleblower has requested anonymity.
The question of whom the investigation team will report to will often be determined by a company’s existing corporate governance structure and framework of delegated authorities, and it is common for the investigation team to report to the board as a whole or the audit committee. However, in certain cases the company may choose to constitute a specific review body, such as a special subcommittee of the board or a panel of senior employees and external advisers. In such cases, the terms of reference of this body will need to be clearly defined, including what matters are to be referred to it, what powers it holds and how it is to interact with existing governance bodies in the company.
Where, as is common, the issue involves subsidiaries (some of which may not be wholly owned), it may be necessary to consider and reflect corporate separateness in the governance structure, such as reporting to the boards of those subsidiaries.
Whatever governance structures are established, it will be important to keep them under review and be able to amend them if new issues arise.
5.5 Scoping the investigation
A well-defined scope, reflected in written terms of reference and an investigation plan, helps to ensure that the objectives of the investigation are clear and to avoid a wide-ranging, unfocused investigation, with consequent wastage of time, resources and cost. Clearly recording the scope, and its justification, will also better allow the investigation to be auditable if queries arise in the future.
A number of factors will affect the scope of the investigation. A narrow scope can help to focus resources and reach a quicker conclusion, but it may risk missing informative context. A wider scope can help to demonstrate that the investigation has been comprehensive, but it will increase the costs and time of the investigation. The appropriate scope will be affected by the nature of the issues (including whether the company is facing the risk of criminal, regulatory or civil action), the time pressures (especially if the company is in a race against co-infringers to apply for leniency) and whether there are, or are likely to be, concurrent investigations by authorities.
Defining the scope will also include deciding what the final deliverables will be. In some cases the default – a written report of factual findings – will be considered necessary, even though there is a risk that it may not be privileged. For example, in certain circumstances it may be advantageous to provide a written report to the authorities. The FCA Handbook states that a firm’s willingness to volunteer the results of its own investigation, whether protected by legal privilege or otherwise, is welcomed by the FCA and is something the FCA may take into account when deciding what action to take. Likewise, the DPA Code notes that co-operation (which is a public interest factor against prosecution) includes a company sharing its internal investigation report (including source documents) with the SFO; a point that has been highlighted by the courts in the DPA judgments handed down to date. However, in other circumstances it may not be considered necessary or desirable to produce a potentially non-privileged written report. An alternative is for the investigation team to provide only oral updates on the factual findings. Other deliverables may include legal advice as to the company’s exposure to litigation or investigation risk, self-reporting, employment law advice on disciplinary action against implicated employees, and mitigation and remediation proposals.
Companies must also assess whether to agree the scope of the internal investigation in advance with any authorities that are aware of the issue to be investigated. The benefits of doing so include potentially building co-operation credit with the authorities, reducing the risk of the authorities later criticising the scope of the investigation and allowing the authorities an opportunity to express their preferences as to the final deliverables and the conduct of the investigation. The SFO in particular has expressed concerns about the potential for internal investigations to ‘trample over the crime scene’, and early engagement can help to avoid later criticism of the investigation team’s actions. The FCA Handbook states that if a firm anticipates that it will disclose a report of its internal investigation to the FCA, the potential use and benefit to be derived from the report will be greater if the FCA has had the chance to comment on its proposed scope and purpose.
Finally, at the scoping stage it can be helpful to assess what external resources may be required during the investigation, which could include forensic accountants, asset tracers, private investigators, public relations firms and foreign counsel.
5.6 Document preservation, collection and review
In any internal investigation, it is critical to consider as early as possible the practicalities for the preservation, collection, review and analysis of relevant material. In its Corporate Co-operation Guidance, the SFO states that co-operation includes preserving available evidence and producing it to the SFO in an ‘evidentially sound’ format. Any decisions regarding data preservation and review should be recorded in writing to preserve a clear audit and ‘chain of custody’ trail.
Although in the early stages of an investigation it may not be appropriate to conduct formal interviews, the investigation team may wish to consider conducting informal ‘scoping interviews’ to assist with scoping the investigation and identifying where relevant material might be stored. Care should be taken, given the preference of a number of authorities that they be consulted prior to interviews (even those relating to the location of evidence), to avoid the possibility of criticism that the internal investigation might have tainted the recollection of witnesses.
Document preservation is extremely important and must be addressed as early as possible. It can, in certain circumstances, be a criminal offence to destroy or dispose, or permit the destruction or disposal, of documents that may be relevant to an external investigation, and both the SFO and the FCA have brought prosecutions for such offences.
An important first step in document preservation is to identify which ‘custodians’ might hold information relevant to the investigation and which other sources might yield relevant documents (including any third-party sources). The sources of potentially relevant material may include emails, other electronic documents, external storage devices, mobile phones, tablets, internet messaging and chatroom data, telephone recordings and hard copies. Companies should also identify any material they are unable to access (such as private email accounts, messaging applications or social media), as the relevant authorities may have statutory powers that allow them to access these sources. In its Corporate Co-operation Guidance, the SFO has stated it will consider it a mark of co-operation for companies to alert the SFO if there are any such inaccessible sources.
The pool of custodians is likely to be broader than just those implicated in the suspected misconduct and may also include individuals reporting to them, individuals they reported to, secretaries and assistants, individuals in other departments they interacted with, and third parties outside the organisation. In some investigations, wider business units or offices might also be relevant.
In general, a company will issue a hold notice (also known as a document retention or document preservation notice) to such individuals asking them to preserve all (and not alter, discard, delete or destroy any) materials (including hard copies) they may hold relevant to the investigation. Beforehand, however, the company should consider whether circulation of the hold notice risks tipping off individuals relevant to the investigation who might destroy documentation or otherwise frustrate the investigation. In its Corporate Co-operation Guidance, the SFO states that genuine co-operation is inconsistent with ‘putting subjects on notice and creating a danger of tampering with evidence or testimony’. Potential solutions to address this risk include delaying the circulation of the hold notice until potentially relevant documentation has been secured or carefully drafting the hold notice so that it does not reveal the specific circumstances or subject matter of the investigation (subject, however, to the data privacy considerations discussed below). When drafting a hold notice a company should also consider the risk of it leaking and listed companies should consider whether the description in the hold notice is inside information.
Companies should take care to keep a clear record of the recipients of hold notices, especially where they are not circulated centrally, but instead are cascaded via the reporting structures of the organisation. As part of this, companies may wish to ask recipients to acknowledge their receipt and understanding of the hold notice, though this can create an administrative burden and raises the possibility that a recipient may refuse to acknowledge receipt. A middle ground may involve requesting an email read-receipt instead.
In support of the hold notices (which are issued to, and place the burden of preservation on, the relevant individuals), companies should also consider what other steps they can take centrally to preserve relevant materials. This may include the suspension of regular document destruction processes, activating permanent email holds (preserving emails regardless of whether individuals delete emails from their inboxes), creating computer drive backups (so that if individuals delete data from a shared drive, it can be recovered), imaging custodians’ devices and preventing the recall of hard-copy documents from archives without appropriate authorisation. As noted above, it is good practice to implement these before the circulation of the hold notice to reduce the risk of individuals deleting data.
Companies should also be alert to the possibility of relevant data being stored on legacy systems and take steps to ensure that such data remains accessible during the investigation.
When issuing hold notices or taking other steps to preserve relevant materials, companies should carefully consider the potential application of data privacy rules and appropriately document their consideration of data subjects’ interests. Key considerations under the General Data Protection Regulation (GDPR) will include identifying a lawful basis under the GDPR for the preservation, ensuring appropriate transparency (so that, subject to certain exceptions, the data subjects are aware of the scope and purposes of the preservation), data minimisation (so that no more data is preserved than is necessary) and storage limitation (so that the data is not stored for longer than is necessary).
Having preserved all potentially relevant materials, the next step is to identify what should be collected for review. This will usually be a smaller and more focused set of materials, and identifying them will involve assessing where the materials relevant to the investigation are most likely to be found, keeping in mind the scope of the investigation.
Depending on the circumstances of the investigation, it may be desirable to instruct an external forensic services provider to collect the data. This will be especially important in the criminal context where issues relating to the forensic integrity of the underlying data and chain of custody are key.
The company will need to consider whether to notify the affected individuals of the data collection. This will depend, among other things, on the terms of any applicable data privacy policies at the company and the likelihood that giving notice may result in individuals destroying documents or otherwise frustrating the investigation. In certain circumstances, express consent may be required from employees, especially if prescribed by data privacy laws or if the employees use their own devices.
It will also be necessary to consider the application of data privacy rules to the collection more generally. In particular, requirements to minimise the data collected can require the use of date range and keyword search terms (even before the data is ingested into a review platform), and the principle of integrity and confidentiality may require the data to be stored securely and to be accessible only with appropriate authorisation.
Having collected the data, in all but the smallest reviews, it is advisable to upload it to a document-review platform. This allows for easier searching, review and management of the data and will create an audit trail if questions arise in relation to specific documents.
The next stage will be to assess the appropriate searching criteria to help narrow the scope of the review and identify the most relevant documents. Available tools include applying date range, custodian and data source filters, and identifying relevant keyword search terms. If the timing allows, there are significant benefits to testing the potential searching criteria and refining them before starting the full review. There are also significant benefits to considering the appropriate type of data de-duplication to conduct.
Increasingly, vendors are offering technology-assisted analytics and technology-assisted review (TAR), in which the review software identifies links between documents or learns from initial reviewer coding decisions to identify similarly relevant documents from the remaining data set, so they can be brought to the attention of the review team sooner, or even automatically coded. The utility of this technology will, however, depend significantly on the quality of the initial ‘seed set’ of coding decisions and the complexity of the issues under review.
In any case, it is common to structure the review around a series of ‘tiers’, with an initial triage stage for relevancy, followed by second and potentially third-tier reviews by more senior individuals to focus the set and apply more complex coding. First-tier and even second-tier reviews are often outsourced to specialist document review service providers, which can free resource within the investigation team to concentrate on management of the review and other elements of the investigation.
To ensure accuracy and consistency of coding, it will be necessary to produce document review protocols and accompanying coding forms for each tier of the review, and to ensure the reviewers are fully briefed. It is also common to carry out regular quality control or calibration sessions with the reviewers, where they can ask questions of the senior team, and to set up a process for the rapid escalation to the senior team of key documents identified during the review.
In drafting the document review protocols and coding forms, it will be important to consider how the internal review may interact with any existing or potential parallel external investigation. In particular, if there is a possibility that relevant documents may be produced to an authority, there may be benefit in asking reviewers to code for privilege, data privacy, bank confidentiality and other jurisdiction-specific issues.
5.6.4 Documents located in multiple jurisdictions
Particular complexities can arise where documents, or other data, relevant to the internal investigation are located in other jurisdictions (including where data is hosted on cloud-based or group-wide servers that might be physically located overseas).
It will often be necessary to get local data privacy advice before preserving and collecting data held overseas, including on whether and how the data may be transferred to the jurisdiction where the review is taking place. If transfer of the data is not permissible, it may be necessary to conduct a local review within the foreign jurisdiction.
There are also wider strategic considerations to bear in mind before deciding to collect and transfer data from other jurisdictions. In particular, consideration should be given to the risk of voluntarily transferring documents into a jurisdiction so that they become available to authorities or civil litigation counterparties when they might not otherwise have been available to those third parties (although this should be balanced against the risk that in not collecting this data the company may be found to be unco-operative or frustrating the investigation). Further, where data is held by a subsidiary, it may be necessary for the subsidiary to enter into co-operation and information-sharing agreements with its parent in relation to the investigation. It is common in these agreements (especially where the subsidiary is not wholly owned) for the subsidiary to retain a right of consent prior to its data being disclosed to any authority.
5.6.5 Importance of record-keeping
It is critical at all stages of an internal investigation to keep clear records of key decisions taken, including the drafting of detailed, auditable summaries of the methodology undertaken for data preservation, collection and review. It will also be important to maintain full chain of custody records for any originals of relevant documents, as well as for devices.
The FCA Handbook states that where a firm conducts an internal investigation, it will be ‘very helpful’ if the firm maintains a proper record of the enquiries made and interviews conducted. Likewise, in its Corporate Co-operation Guidance, the SFO has emphasised the importance of maintaining an audit trail of the acquisition and handling of digital, hard-copy and financial material, and the potential need for companies to identify a person to provide a witness statement covering such issues.
 Jonathan Cotton and Holly Ware are partners and Ella Williams is senior counsel at Slaughter and May.
 FCA Handbook, PRIN 2.1.1R, Principle 11. Individuals subject to the FCA’s individual conduct rules are also subject to equivalent obligations under FCA Handbook, COCON 2.1.3 and COCON 2.2.4.
 FCA Handbook, SUP 15.3.
 PRA Rulebook, Notifications, Rule 2. (A dual-regulated firm is a firm that is a ‘bank, a building society or a UK designated investment firm’, FCA Handbook, SYSC 19 D.)
 Sections 330 and 331 Proceeds of Crime Act 2002 and section 21A Terrorism Act 2000. ‘Regulated sector’ is defined in Schedule 9 of the Proceeds of Crime Act 2002.
 Sections 335 and 338 Proceeds of Crime Act 2002.
 For example, firms of solicitors have an obligation to report certain matters to the Solicitors Regulation Authority (see, for example, Rule 3 (Cooperation and Accountability), Code of Conduct for Firms, SRA Standards and Regulations) and accountants regulated by the Institute of Chartered Accountants in England and Wales are subject to a reporting obligation under Disciplinary Bye-laws 9.1 and 9.2.
 For example, there could be a requirement to notify the Information Commissioner’s Office if a personal data breach may have occurred (see Article 33, General Data Protection Regulation 2016/679 (GDPR); section 67 Data Protection Act 2018).
 Deferred Prosecution Agreements Code of Practice, paragraph 2.8.2(i).
 See, e.g., Serious Fraud Office v. Standard Bank Plc (now known as ICBC Standard Bank Plc)  Lloyd’s Rep FC 102, at paragraph 14, Serious Fraud Office v. Tesco Stores Ltd  Lloyd’s Rep FC 283, at paragraphs 66 and 117, Serious Fraud Office v. Serco Geografix Ltd  Lloyd’s Rep FC 518, at paragraph 47.
 SFO Operational Handbook, Corporate Co-operation Guidance, August 2019, page 1 (co-operation includes ‘identifying suspected wrongdoing and criminal conduct . . . reporting this to the SFO within a reasonable time of the suspicions coming to light’) and Deferred Prosecution Agreements, October 2020 (‘[v]oluntary self-reporting suspected wrongdoing within a reasonable time of those suspicions coming to light is an important aspect of co-operation’).
 In a speech on 3 April 2019, Lisa Osofsky, Director, SFO, said that companies ‘have a duty to their shareholders to ensure allegations or suspicions are investigated, assessed and verified, so they understand what they may be reporting before they report it’, available at https://www.sfo.gov.uk/2019/04/03/fighting-fraud-and-corruption-in-a-shrinking-world/.
 FCA Handbook, PRIN 2.1.1R.
 See, in particular, sections 171 to 177, Companies Act 2006.
 Speech by Jamie Symington, then Director in Enforcement – Wholesale, Unauthorised Business and Intelligence, FCA, 5 November 2015, available at https://www.fca.org.uk/news/speeches/internal-investigations-firms. See also FCA Handbook, EG 3.11.7.
 FCA Handbook, EG 3.11.2.
 Deferred Prosecution Agreements Code of Practice, paragraph 2.8.2(i). Also see Serious Fraud Office v. Rolls-Royce Plc and Another  Lloyd’s Rep FC 249, at paragraph 17, Serious Fraud Office v. Serco Geografix Ltd  Lloyd’s Rep FC 518, at paragraph 24, Serious Fraud Office v. Airbus SE  1 WLUK 435, at paragraphs 36 and 74, and Serious Fraud Office v. Güralp Systems Limited  Lloyd’s Rep FC 90, at paragraph 27.
 Speech by Ben Morgan, then Joint Head of Bribery and Corruption, SFO, 20 May 2015, available at https://www.sfo.gov.uk/2015/05/20/compliance-and-cooperation/.
 FCA Handbook, EG 3.11.5.
 SFO Operational Handbook, Corporate Co-operation Guidance, August 2019.
 Richard Kingston, Managing Director at Sweett Group plc, was convicted of offences contrary to section 2(16) of the Criminal Justice Act 1987 in December 2016 and in September 2019 the FCA announced the prosecution of Konstantin Vishnyak for offences under section 117(3) of the Financial Services and Markets Act 2000.
 The FCA Handbook (SYSC 10A.1) places obligations on regulated firms to record telephone conversations that relate to regulated activities in certain financial instruments.
 SFO Operational Handbook, Corporate Co-operation Guidance, August 2019.
 It is possible for authorities in the United Kingdom to request documents from authorities in other jurisdictions via diplomatic channels, including via mutual legal assistance treaties. In addition, in R (on the application of KBR Inc.) v. Director of the Serious Fraud Office  Lloyd’s Rep FC 153 it was held that in certain circumstances the SFO can compel the production of documents held overseas by a company with no presence in the United Kingdom (the appeal of this decision was heard by the Supreme Court in October 2020 and, at the time of writing, is awaiting judgment). Further, criminal law enforcement agencies in the United Kingdom now have the ability to seek electronic data held by communications service providers located in the United States under the Crime (Overseas Production Orders) Act 2019, which aims to simplify and speed up obtaining electronic data located abroad.
 FCA Handbook, EG 3.11.9.
 SFO Operational Handbook, Corporate Co-operation Guidance, August 2019.