Production of Information to the Authorities

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight

17.1 Introduction

A company may face a choice, or a demand, to disclose documents and information to a law enforcement authority or regulator in many situations. These range from responding to a raid on corporate and individuals’ premises, to compliance with a subpoena or other compulsory process, to the voluntary provision of information during a self-disclosure. The types of information and the circumstances in which a company is obliged – or even allowed – to produce relevant documents is circumscribed by various laws. For example, a company must address concerns regarding confidentiality, employee privacy, data protection and legal privilege (and, in certain jurisdictions, bank secrecy restrictions or blocking statutes). This becomes additionally complicated in cross-border cases where multiple legal regimes may apply and may conflict with one another. Add to this the not uncommon scenario of authorities from different countries seeking the same (or slightly different) information and it becomes a legal and practical minefield. This chapter cannot hope to cover the immense number of variables that a company may face in these circumstances, but it does seek to provide practical guidance on some of the most important points.

17.2 Production of documents to the authorities

17.2.1 Formal requests for disclosure (and related document hold issues) Commonly used powers (UK)

Most regulatory and enforcement authorities have formal powers to compel individuals and companies to produce documents and provide information.

In the area of financial crime and corruption involving the United Kingdom, the most likely authority to be seeking to investigate and prosecute will be the Serious Fraud Office (SFO). It currently has powers to seek the production of documents and information at both a pre-investigation stage in relation to bribery and corruption cases under section 2A of the Criminal Justice Act 1987 (CJA), and, once it opens a formal investigation, under section 2 of that Act. The section 2A pre-investigation provisions will be extended to include all offences if section 156 of the Economic Crime and Corporate Transparency Bill is enacted, which seems likely at the time of writing. The SFO’s powers can be exercised against companies and individuals to produce documents and information, including through compelled interview where there is no right to silence (although the individual cannot be later prosecuted regarding matters arising from the interview, unless the information is found to be false). A failure to provide the documents and information within the time specified in the production notice is an offence, unless the recipient can show that it had a reasonable excuse not to comply (such as an injunction preventing production).

In the field of financial markets regulation, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) may compel the production of documents, under Part 11 of the Financial Services and Markets Act 2000 (FSMA). The key provision is section 165, subsections 1 to 6 of which are set out below as an example of how information-gathering powers are conferred:

165 Regulators’ power to require information: authorised persons etc.
  1. Either regulator may, by notice in writing given to an authorised person, require him–
    1. to provide specified information or information of a specified description; or
    2. to produce specified documents or documents of a specified description.
  2. The information or documents must be provided or produced–
    1. before the end of such reasonable period as may be specified; and
    2. at such place as may be specified.
  3. An officer who has written authorisation from the regulator to do so may require an authorised person without delay–
    1. to provide the officer with specified information or information of a specified description; or
    2. to produce to him specified documents or documents of a specified description.
  4. This section applies only to–
    1. (a) information and documents reasonably required in connection with the exercise by either regulator of functions conferred on it by or under this Act; and
    2. in relation to the exercise by the PRA of the powers conferred by subsections (1) and (3), information and documents reasonably required by the Bank of England in connection with the exercise by the Bank of its functions in pursuance of its financial stability objective.
  5. The regulator in question may require any information provided under this section to be provided in such form as it may reasonably require.
  6. (6) The regulator in question may require–
    1. any information provided, whether in a document or otherwise, to be verified in such manner; or
    2. any document produced to be authenticated in such manner, as it may reasonably require.

‘Authorised person’ is defined in section 31 of FSMA and means, very broadly, a person providing a regulated financial service.

The FCA has set out its policy in relation to its exercise of enforcement powers under FSMA (and other legislation) in its Enforcement Guide and the FCA’s report on its approach to enforcement.[2] The Enforcement Guide is useful as it not only sets out the FCA’s approach to its task as the United Kingdom’s financial markets regulator, but also reflects the general approach of UK regulators to their document production powers.

In paragraph 4.7 of the Enforcement Guide, the FCA states that its standard practice is to use its statutory powers to require the production of documents, the provision of information or the answering of questions in interview. The FCA suggests that this is for reasons of fairness, transparency and efficiency. The Enforcement Guide goes on to suggest, however, that it will sometimes be appropriate to depart from this standard practice, as it relates to document production, for example in cases:

  • involving third parties with no professional connection with the financial services industry, such as the victims of an alleged fraud or misconduct, in which case the FCA will usually seek information voluntarily; and
  • where the FCA has been asked by an overseas regulator to obtain documents on their behalf, in which case the FCA will discuss with the overseas regulator the most appropriate approach.

In the second scenario, it is important to consider the effect of regimes and jurisdictional protections colliding. For example, how might the US right to silence mesh with the UK compelled disclosure regime? The Enforcement Guide states that the FCA will make it clear to the company or individual concerned whether it requires him, her or it to produce information or answer questions under FSMA or whether the provision of information is voluntary.[3]

Similar (but unique) powers also lie in the hands of the Competition and Markets Authority, the National Crime Agency, HM Revenue and Customs, and the Health and Safety Executive. Many of these authorities may also apply for and obtain search warrants and use these powers more often than their US counterparts do. Commonly used powers (US)

In the United States, most federal agencies, including the United States Department of Justice (DOJ), the Commodity Futures Trading Commission (CFTC) and the Securities and Exchange Commission (SEC) may issue subpoenas (or administrative orders) and compel individuals and companies to produce documents and testimony for investigations within the scope of their agency or administrative jurisdiction.[4]

In the case of the DOJ, a subpoena may compel the production of documents in connection with either a civil or criminal investigation.[5] The CFTC’s regulations provide that:

The Commission or any member of the Commission or of its staff who, by order of the Commission, has been authorized to issue subpoenas in the course of a particular investigation may issue a subpoena directing the person named therein to appear before a designated person at a specified time and place to testify or to produce documentary evidence, or both, relating to any matter under investigation.[6]

The Securities Act, the Securities Exchange Act, the Investment Advisers Act and the Investment Company Act all permit the SEC to issue subpoenas in connection with an ongoing investigation of misconduct.[7] Before a subpoena can be issued, the staff of the SEC must obtain a formal order of investigation.[8] In February 2021, the acting commissioner of the SEC restored the authority of senior division officers to approve the issuance of a formal order of investigation.[9] This change was made to empower officers to more swiftly respond to potential fraud, leading to faster and more frequent actions. In fiscal year 2021, there was a 7 per cent increase compared with the previous year in the number of enforcement actions the SEC filed.[10]

While federal courts can review an agency’s issuance of an administrative subpoena, they may only do so for reasonableness, analysing whether:

  • the investigation will be conducted pursuant to a legitimate purpose;
  • the inquiry is relevant to the purpose;
  • the information sought is not already within the agency’s possession; and
  • the agency has followed the requisite administrative steps.[11]

In practice, federal courts must hold that subpoenas are relevant to an agency’s investigation unless plainly incompetent or irrelevant to any lawful purpose under the agency’s authority.[12] This test has been extended to a wide variety of agency subpoenas, including SEC subpoenas.[13]

Offences for refusing to comply with a request, providing false or misleading statements, or concealing documents, generally supplement such investigatory powers.[14] And these powers extend to the legislative branch as well. The US Congress via House committees has a broad ‘power of inquiry’ through its legislative function to issue subpoenas to compel testimony and the production of documents.[15] The DOJ can enforce an individual’s failure to comply with those subpoenas with a charge for Contempt of Congress under 2 USC §192, with imprisonment for up to one year and a fine of up to US$100,000.[16] In 2022, the DOJ indicted and tried individuals on contempt charges in connection with the US Congress’s investigation of the 6 January attack on the US Capitol.[17]

Finally, state agencies and each state’s attorney general can compel the production of documents and testimony. As an example, Section 352 of the New York General Business Law permits the Attorney General to commence an investigation of an individual or corporation and to seek documents and testimony in connection with that investigation. Scope and timing

Although a company can do little in practice to resist complying with a formal request for disclosure without resorting to court proceedings to challenge the validity or scope of the request, it can probably negotiate with the authority regarding the scope of documents responsive to the request and the production date to limit the request to what is proportionate and reasonable.

Broadly drawn requests are unfortunately not uncommon, as investigators seek to ensure the requests will capture all relevant information. Early engagement with the authority will typically mean that both parties can agree on scope and a timetable for production: a request looking back over a long period, or even without any time limit, could involve a lengthy resource-intensive review and expensive production exercise. Whether an agreement to narrow the scope of the request is possible is likely to depend, in large part, on factors outside the company’s control – such as the nature and scope of the authority’s investigation (which the authority may be unwilling to share and is likely to base on information and evidence outside the company’s knowledge). However, the company and its legal advisers should nonetheless seek a reasonable, proportionate and practically achievable production: for example, by seeking to agree to produce documents relating to X project, between Y and Z dates and if necessary to produce the documents in tranches.

It becomes increasingly difficult to manage the response to multiple authorities, particularly if they are in different countries and have different areas of focus. Similarly, a company must consider whether the production notice extends to materials held overseas.

To respond to broad document requests involving large volumes of data, a company may decide to use artificial intelligence or technology assisted review (TAR) to improve the accuracy and speed of identifying relevant documents. This is becoming increasingly accepted in the United Kingdom. The SFO confirmed its use of artificial intelligence technology in the deferred prosecution agreement (DPA) cases of SFO v. Rolls-Royce PLC[18] and by the company in SFO v. Airbus.[19]

In the United States, while TAR might be used appropriately in responding to subpoenas or document requests in some limited instances, its use would likely be subject to an agreement with the requesting agency. Practical steps on receipt

On receipt of a document request, a company should – in most cases – immediately issue a document retention (or hold) notice (DRN) (if one is not already in place). A company should take care not to inadvertently tip off data custodians, who may also be suspects. In some cases, issuing a DRN is inappropriate; for example, where the company is investigating matters outside the public domain and needs to collect documents covertly at the outset. The issuing of a DRN will assist the company to demonstrate that it has taken steps to preserve all potentially relevant documents in existence at the date of the request. The DRN should track the terms of the production notice, and be sent to all personnel who may have responsive documents, including the IT department and records department. The term ‘document’ should be widely drawn to include any paper or electronic records present on any media (including instant messaging applications) belonging to the company or its employees, including corporate information located off-site. The company may also need to manage complicated issues around data privacy and personal media.[20]

The DRN should confirm that employees must not delete, alter, conceal or otherwise destroy company documents. Simultaneously, the company should take steps to secure and preserve all relevant information held on the ­company’s servers and backup tapes, including through external providers. It should also immediately suspend routine document and data destruction processes.

Most authorities will have their own technical standards, which the collection and production of electronically stored information must meet. It is therefore likely that a company seeking to respond to a subpoena or production notice will want to consider instructing a forensic IT specialist company to assist with the collection and production efforts. This will have the added benefit of ensuring that a company can demonstrate the independence of this analysis, that it is taking clear co-operative steps, and protects employees, as far as possible, from having to give evidence in any subsequent proceedings.

17.2.2 Production of information to multiple authorities

The increasingly complex and multi-jurisdictional nature of investigations means that a company may face requests for formal disclosure from more than one authority. These could be authorities with different mandates in the same jurisdiction, or authorities with similar mandates from different juris­dictions. In either case, multi-authority investigations demand holistic strategies and systems to allow a company to keep track of evidence disclosed to (or seized by) different authorities. A company may also want to consider if there is any strategic advantage to disclosing to one authority before another. However, previous large-scale global investigations into the manipulation of LIBOR and foreign exchange rates, and the recent multi-jurisdictional Airbus and Amec Foster Wheeler investigations demonstrate the ever-increasing levels of intra- and international co-operation between regulators.[21] Practical steps a company can take when faced with multiple requests for formal disclosure include:

  • early engagement with each authority, to communicate expectations and practical difficulties of responding to multiple requests;
  • identifying and prioritising information that is commonly responsive to the requests rather than focusing on responding to each request in isolation;
  • maintaining clear production schedules; and
  • ensuring a system for Bates numbering[22] for each authority.

17.2.3 Documents and data outside the jurisdiction Generally

In cross-border fraud or corruption cases, not all of a company’s documents will be located or even accessible in the same jurisdiction as the investigating authority. In assessing timely disclosure of documents in connection with obtaining credit for full co-operation in FCPA matters, the DOJ will consider ‘disclosure of overseas documents, the locations in which such documents were found, and who found the documents’.[23] Importantly where a company claims that ‘disclosure of overseas documents is prohibited owing to data privacy, blocking statutes or other reasons related to foreign law, the company bears the burden of establishing the prohibition. Moreover, a company should work diligently to identify all available legal bases to provide such documents’.[24] A company should consider what documents are stored overseas, and which of these it should provide to investigators.

In the United Kingdom, the Supreme Court ruled in February 2021 in the case of R (on the application of KBR, Inc) v. Director of the Serious Fraud Office[25] that section 2(3) of the CJA has no extraterritorial effect. This means that the SFO cannot use it to compel a foreign company to produce documents held outside the United Kingdom and will need to resort to the mutual legal assistance (MLA) framework to obtain the documents it requires from the foreign country. This judgment applies to foreign companies with no presence in the United Kingdom, but UK-based companies and named UK nationals will still be required to produce any responsive documents that they control overseas. The position is less clear in relation to non-UK companies with some presence in the United Kingdom, although it is likely that those with a ‘sufficient connection’ to it would be caught by the legislation.

The SFO’s Corporate Co-operation Guidance continues to confirm that co-operating organisations should supply relevant material held abroad, where it is in the possession or control of the organisation. A company in receipt of a formal production notice will need to assess whether the notice extends to documents outside the jurisdiction and, if so, the extent to which the company has ‘custody or control’ over documents held by subsidiaries or overseas branches.[26] The board of a parent company will not necessarily control the management of a subsidiary.[27]

The Corporate Co-operation Guidance also confirms that the SFO will expect co-operating organisations to identify relevant material in the possession of third parties and assist in obtaining it. Companies should also inform the SFO about relevant material that the company is unable to access (such as messaging apps and bank accounts).

Where production is voluntary, a company may take a more holistic view of the investigation and production (subject to local law restrictions). The extent to which it may want to voluntarily disclose information may depend on the ability of the investigating authority to obtain that information itself. However, given the increasing co-operation between authorities on the international stage, careful voluntary production of material is likely to be preferable, and vital if the company seeks co-operation credit. To receive credit for full co-operation under the FCPA Corporate Enforcement Policy, a company cannot simply refuse to produce certain documents on the basis that production is prohibited by rule or regulation. Rather, the company ‘bears the burden of establishing the prohibition’ and ‘should work diligently to identify all available legal bases to provide such documents’.[28] Mutual legal assistance

Mechanisms for legal assistance (UK)

In the United Kingdom, sections 7 to 9 of the Crime (International Co-operation) Act 2003 (CICA) govern requests to obtain evidence from abroad in relation to an investigation or prosecution taking place in the United Kingdom, shaping the MLA powers of UK authorities. Under CICA, an MLA request can only be made if it appears to the investigating authority that an offence has been committed or there are reasonable grounds for suspecting that one has, and proceedings have been instituted or the offence is being investigated.[29] The request must relate to the obtaining of evidence ‘for use in the proceedings or investigation’.[30] But it could allow an investigating agency to have foreign law enforcement officers launch raids, arrest suspects or conduct interviews on its behalf.[31] If the implementation of an MLA request in the requested state requires a court order, the court in the requested state is likely to apply the relevant principles in its own jurisdiction to satisfy itself that the order is justified.

Following the United Kingdom’s exit from the European Union in January 2020, it lost access to the European Investigation Order process and must instead rely on the European Convention on Mutual Assistance in Criminal Matters of 1959, plus two additional protocols. The UK government signed the EU–UK Trade and Cooperation Agreement (TCA) in December 2020, which includes further MLA provisions and information regarding how MLA should work with EU countries.[32] Although some EU Member States have confirmed that the provisions of the TCA are directly applicable, others have indicated that they need to adopt additional legislation that would complement the procedure at the national level.[33]

In the United Kingdom, the Crime (Overseas Production Orders) Act 2019 deals with cross-border access to electronic evidence. This legislation empowers UK authorities (including the SFO and FCA) to apply to a UK court to compel a company operating, or an individual based, outside the United Kingdom to provide electronic data stored abroad. This law allows UK authorities to sidestep the notoriously slow process of seeking MLA in favour of obtaining an overseas production order (OPO), which can be served directly on the person storing the electronic data.[34] For an OPO to be issued, a bilateral agreement must be in place between the requesting country and the country where the service provider holding the data is based. At the moment, there is only one such agreement in place, with the United States (the Data Sharing Agreement). This has, in principle, brought the United Kingdom into alignment with the US regime. In 2018, the US federal government passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act, explicitly authorising US law enforcement agencies to obtain data held by US cloud service providers regardless of where in the world the data is physically stored. The CLOUD Act also created a framework by which foreign countries could seek disclosure of data held by US cloud service providers, without US co-operation or oversight.

The MLA process can be cumbersome, but it presents a very real threat if a company does not co-operate. A company should also not overlook the significant scope for informal direct investigator-to-investigator co-operation. Agencies such as Interpol have dedicated programmes to share information between, and support investigations by, investigating agencies in different countries. Communications between the SFO and the DOJ are frequent. The FCA, specifically, has a broad discretion to assist foreign regulators. This discretion is set out in section 169 of FSMA. The statutory power is supplemented by FCA policy. Subsection 169(4) sets out the considerations in the FCA’s decision as to whether to assist a foreign regulator. It provides:

  1. In deciding whether or not to exercise its investigative power, the regulator may take into account in particular:
    1. whether in the country or territory of the overseas regulator concerned, corresponding assistance would be given to a United Kingdom regulatory authority;
    2. whether the case concerns the breach of a law, or other requirement, which has no close parallel in the United Kingdom or involves the assertion of a jurisdiction not recognised by the United Kingdom;
    3. the seriousness of the case and its importance to persons in the United Kingdom;
    4. whether it is otherwise appropriate in the public interest to give the assistance sought.

In an early decision on the application of this section, Financial Services Authority v. Amro International,[35] the Court of Appeal held that there was nothing in section 169 that required the FCA’s predecessor body – the Financial Services Authority (FSA) – to satisfy itself of the correctness of what it was being asked to investigate or gather by way of information. At the SEC’s behest, the FSA could seek any document that it reasonably considered relevant to the investigation the SEC was conducting. The Court of Appeal made clear that the only requirements the FSA must meet were contained in the statute. The Court of Appeal also noted that in exercising these powers, the stricter rules attaching to the drafting of a subpoena did not apply and the description of the documents sought would be acceptable provided the recipient could identify the documents he or she was required to produce.

In addition to the FCA’s statutory powers, a number of memoranda of understanding (MOUs) are in place between UK regulators and their overseas counterparts (most notably the SEC and other US regulators) concerning co-operation and information sharing. Recent years have seen significant co-operation between the SEC and the FCA and its cognate agencies.

Similarly, the United States has entered into mutual legal assistance treaties (MLATs) with more than 70 foreign jurisdictions, which can be used for the sharing of information and taking of evidence abroad.[36] Some US authorities also have MOUs in place with sister agencies outside the United States, which can allow for inter-agency sharing of documents.

Public policy statements made by UK and US prosecuting authorities demonstrate how important they consider international co-operation to be. SFO Director Lisa Osofsky has publicly affirmed her intention to leverage international contacts she made through her previous roles as a federal prosecutor for the DOJ and Deputy Counsel at the Federal Bureau of Investigation to strengthen the SFO’s investigational capacities. As part of her oral evidence to the House of Commons Justice Committee in December 2018, she anticipated that the ‘shared use of important intelligence information’ would help ‘crack open’ cases.[37] This era of increased international co-operation has been evidenced by the recent global settlements involving Airbus (US, UK and France), Amec Foster Wheeler (UK, US and Brazil) and Glencore (UK, US and Brazil),[38] demonstrating the potential of increased inter-agency collaboration and information sharing in securing successful resolutions.

Following the United Kingdom’s exit from the European Union, the SFO has lost access to some European intelligence-sharing programmes such as Europol and Eurojust. International agencies have, however, continued to collaborate with the SFO to find workable solutions due to the shared benefit of co-operation and intelligence-sharing. The TCA further expressly provides for joint investigation teams (JITs) between UK and EU Member State investi­gating authorities. The TCA is largely silent on the detail, except to stipulate that where a JIT involving more than one Member State is set up, the relationship between them will be governed by European law, regardless of the law stipulated in the JIT agreement. JITs have historically proved to be an invaluable tool in cross-border general criminal and money laundering investigations, with the Airbus JIT demonstrating their utility in financial and white-collar crime investigations. In this case, the JIT structure permitted the SFO to navigate the French blocking statute, including attending interviews and taking investigative steps in France. JITs do, however, require agencies to compromise their interests in favour of the overall interests and goals of the JIT; therefore, shifting relations between agencies will determine their effectiveness in the future.

Mechanisms for legal assistance (US)

In the United States, prosecutors also have access to MOUs and MLATs to facilitate the discovery of evidence overseas, as do foreign prosecutors looking to obtain evidence in the United States. The process triggered on receipt of a foreign MLAT request is codified in the Foreign Evidence Efficiency Act.[39] The decision whether to grant a request is at the federal district courts’ discretion.[40] US and foreign prosecutors and investigators may also use financial intelligence units to collect information about potential crimes. In the United States, the Financial Crimes Enforcement Network of the US Treasury (FinCEN) is a member of the Egmont Group, a network of financial intelligence units to share information and improve support among member governments in the fight against financial crimes. In the absence of a relevant MOU or MLAT, or recourse to FinCEN, federal courts may issue letters rogatory to foreign courts at the request of a litigant.[41] Letters rogatory may only be used in ongoing legal proceedings, however, and are of limited value during an investigation or internal agency proceeding.

The DOJ’s authority with respect to cross-border investigations was recently expanded with the passage of the Anti-Money Laundering Act of 2020, or Corporate Transparency Act, in January 2021. Specifically, under the Act, the ‘Secretary of the Treasury or the Attorney General may issue a subpoena to any foreign bank that maintains a correspondent account in the United States and request any records relating to the correspondent account at that foreign bank, including records maintained outside the United States’ that are subject to an investigation or civil forfeiture action.[42] Therefore, federal prosecutors can obtain a significant amount of financial information from foreign banks without needing to use a cumbersome MLAT process.[43]

The DOJ has also adopted a ‘no piling on’ policy regarding penalties. This policy explicitly includes co-operation with foreign agencies. Former Deputy Attorney General Rod Rosenstein explained in remarks in May 2018 that the policy discourages ‘disproportionate enforcement of laws by multiple authorities’ by ‘instructing Department components to appropriately coordinate with one another and with other enforcement agencies in imposing multiple penalties on a company in relation to investigations of the same misconduct’.[44] This policy was applied in the Airbus and Glencore resolutions where the DOJ credited part of the fine against payments made or due to other national authorities. Finally, there are mutual legal assistance tools authorised by international or multinational treaties that are particularly relevant in cross-border investigations and that would apply to investigations by both UK and US regulators or law enforcement. The UN Convention Against Corruption covers fraud, money laundering, bribery, embezzlement and other crimes. Article 46, addressing mutual legal assistance, provides that ‘State Parties shall afford one another the widest measure of mutual legal assistance in investigations, prosecutions and judicial proceedings in relation to the offences covered by this Convention’.[45] Such assistance may include taking of evidence; effecting service of judicial documents; executing searches, seizures, and freezing; examining objects and sites; providing evidence and expert evaluations; providing relevant documents and records, ‘including government, bank, financial, corporate or business records’; ‘[i]dentifying or tracing proceeds of crime, property, instrumentalities or other things for evidentiary purpose’; facilitating voluntary appearance of persons; ‘[a]ny other type of assistance that is not contrary to the domestic laws of the requested State Party’; identifying, freezing, and tracing proceeds of crime; and recovery of assets.[46] Importantly, the Convention does not permit a state to ‘decline to render mutual legal assistance pursuant to this article on the ground of bank secrecy’.[47] Data protection

Responding to an investigation (and conducting an internal investigation) requires processing data about individuals. This engages a number of data protection considerations.[48] A company cannot assume that complying with the data protection requirements in the investigated jurisdiction will mean compliance with overseas data protection laws. Local law may also restrict a company’s ability to transfer data relating to individuals overseas. The European Union’s General Data Protection Regulation (EU GDPR) applies within the European Union and to those data controllers and processors outside the European Union who offer goods and services to EU consumers. In the United Kingdom, data processing is covered by the General Data Protection Regulation (UK GDPR) (which effectively retains the EU GDPR in UK law), and the UK Data Protection Act 2018 (DPA 2018). Sanctions for breaches under the GDPR are the higher of £17.5 million or €20 million or up to 4 per cent of annual worldwide turnover, meaning that data privacy in relation to individuals needs to be afforded a high degree of consideration in internal investigations.

The UK GDPR and the EU GDPR are extraterritorial in their effect – they catch overseas companies without a presence in the United Kingdom or European Union that actively offer goods and services to, or monitor the behaviour of, individuals within the United Kingdom or European Union, even if the data is stored overseas. Multinational organisations subject to cross-border investigations may therefore need to comply with both the EU GDPR and the UK GDPR in cross-border investigations.

In the United States, the Federal Trade Commission (FTC), under Section 5 of the Federal Trade Commission Act, prohibits ‘unfair or deceptive acts or practices in or affecting commerce’.[49] The FTC further requires companies to be transparent about personal information they collect and how it is used, shared and maintained – for both online and offline data practices. The FTC has also used its ‘unfairness’ authority under Section 5 against companies whose information security practices were alleged to have caused ‘substantial injury to individual consumers’, including initiation of enforcement actions based on alleged failures to take ‘reasonable’ steps to protect consumer data.[50] In addition, state attorneys general exercise consumer protection authority under state laws that protect personal privacy, including personal information. The SEC’s Regulation S-P has similar protections, requiring registered broker-dealers, investment companies and investment advisers to ‘adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information’.[51] Blocking statutes

Blocking statutes prevent the disclosure of certain documents for the purpose of legal proceedings in a foreign jurisdiction, except pursuant to procedures set out in an international treaty or agreement. Articles 1 and 1bis of the French Blocking Statute provide:

Subject to international treaties or agreements, it is forbidden for any French national or for individuals usually residing in France and for any director, representative, agent or employee of a legal person having its head-offices or establishment in France to communicate by writing, orally or in any other form, in any place whatsoever, to foreign public authorities, documents or information of an economic, commercial, industrial, financial or technical nature, the communication of which is likely to undermine the sovereignty, security, essential economic interests of France or its public order . . . . [I]t is prohibited for any person to request, to investigate or to communicate in writing, orally or by any other means, documents or information relating to economic, commercial, industrial, financial or technical matters leading to the establishment of proof with a view to foreign administrative or judicial proceedings or as a part of such proceedings.

There has historically been very little enforcement of the French Blocking Statute – with some companies choosing to ignore it completely.[52] However, as a consequence of the Sapin II law, which was implemented in June 2017, France’s financial crime agency (Parquet National Financier (PNF)) has begun to lead cases involving the enforcement of the Blocking Statute, signalling that the French authorities are considering the issues raised by the Blocking Statute in more depth. Counsel advising on cases where foreign authorities are involved must be particularly sensitive to this question and handle any productions abroad accordingly.

The French anti-corruption regulator (Agence Française Anticorruption (AFA)) is responsible for ensuring compliance with the Blocking Statute in cases where a French company has to execute a foreign authority decision concerning the strengthening of its corruption prevention or detection policies.

The joint guidelines on the French equivalent of the DPA (convention judiciaire d’intérêt public (CJIP)) issued by the PNF and AFA in 2019 indicate the French authorities’ willingness to enter into coordinated settlement discussions with foreign enforcement authorities in cases involving multi-jurisdictional misconduct. The guidelines do not set out any differences in complying with the Blocking Statute when co-operating with foreign enforcement authorities. Therefore, adherence to the Blocking Statute is expected. However, the guidelines suggest that when the PNF negotiates a joint settlement with other authorities, it may propose that the AFA act as a monitor to prevent a violation.[53]

The French authorities have traditionally taken any derogation from the letter of the law seriously and insist on the use of MLA requests and inter-agency communications. This can leave companies in the unenviable position of being caught between authorities (if the US authorities, for example, expect production directly from the corporate). In such circumstances, agency-to-agency communications should be encouraged. Similarly, Article 271 of the Swiss Criminal Code prohibits a person performing an ‘official act’ on behalf of a foreign authority on Swiss soil. This can block the collection of evidence located in Switzerland intended for use in proceedings outside the country.

China is another jurisdiction to have enacted laws to block the transfer of information to foreign government authorities in criminal proceedings. In October 2018, China enacted the International Criminal Judicial Assistance (ICJA) law, prohibiting institutions, organisations and individuals within China from providing evidentiary materials and assistance to foreign countries in criminal proceedings (e.g., before seeking to comply with a subpoena from a foreign government authority in a criminal investigation) without approval from the competent Chinese authorities. In accordance with the ICJA law, this legislation is to be applied in a manner that does not harm national sovereignty, security or public interests, giving the Chinese government broad discretion to refuse or block foreign governments’ requests for assistance. The ICJA law governs all requests for ‘judicial assistance’ between China and foreign jurisdictions in relation to international criminal proceedings, including the service of documents, evidence collection, witness testimony, seizure and confiscation of illegal assets, and the transfer of convicted persons.

A decision to refuse to disclose documents or information due to a blocking statute may not be respected by the requesting authority[54] and could affect any co-operation credit available – leaving the company between a rock and a hard place. This demands early and detailed dialogue with the relevant authority alongside expert local counsel who can educate the regulators about the relevant laws and any potential workarounds for production of information. Banking secrecy

Bank secrecy laws prohibit banking officials from releasing confidential information about a customer to third parties outside of financial institutions, unless compelled by law. Sometimes, such a disclosure is criminalised. A bank under investigation may seek to rely on this secrecy.[55] It should also be cautious not to infringe this secrecy inadvertently in providing information to a regulator. Note, though, that a historical deference to the banking secrecy rules of foreign jurisdictions, premised on comity or respect for the acts of foreign governments, may slowly be eroding. Even Switzerland, in recent times, has stripped away a number of its many layers of secrecy through international agreements,[56] and, in our experience, has become, in practice, more willing to co-operate with requests for information. State secrets

Sending data outside a jurisdiction may be contrary to state secrecy laws. Some jurisdictions, such as China, have wide definitions of what amounts to a state secret. The Law of the People’s Republic of China on Guarding State Secrets, at Article 8, defines state secrets to include ‘secrets in national economic and social development’ and ‘secrets concerning science and technology’. Similarly, Kazakhstan treats some geological data as a state secret. The consequences of violation can be serious. Article 111 of the Chinese Criminal Law makes violating state secrets a capital crime. In countries such as China, where many companies are state-owned, this is not straightforward. Again, finding expert local counsel is a must.

State secrecy laws may also restrict certain categories of documents to authorised eyes only. In the United Kingdom and the United States, there is a common law doctrine designed to prevent the disclosure of sensitive state secrets or information of national security significance. The definition of ‘state secret’ is construed more narrowly than in countries such as China. The common law doctrine is invoked by the state or executive branch to ensure that state secrets are not intentionally or inadvertently disclosed. In the United Kingdom, the state secrets privilege is known as ‘public interest immunity’.[57] This doctrine ‘may prevent the case from being heard if it is not possible to rely on other evidence; however, over the years it has been interpreted as leaving a more substantial role for courts in evaluating the grounds for the claim of privilege’.[58] In criminal trials, public interest immunity ‘is governed by statute, which imposes duties of disclosure on the prosecution’, namely, the UK Criminal Procedure and Investigations Act of 1996 and the Criminal Justice Act of 2003, but in civil trials, public interest immunity is governed by the common law.[59] This issue has impacted the investigation and prosecutions of companies in the defence industry such as BAE Systems and GPT Special Project Management Ltd.

In the United States, the state secrets doctrine ‘may prevent the disclosure of information in a judicial proceeding if ‘there is a reasonable danger’ that such disclosure ‘will expose military matters which, in the interest of national security, or [foreign affairs] should not be divulged’.[60] Specifically, it is invoked through ‘formal claim of privilege, lodged by the head of the department which has control over the matter, after actual personal consideration by that officer’.[61] In practice, the state secrets doctrine may bar an entire case or preclude the production of certain evidence.

As in the United Kingdom, this is particularly pertinent for defence companies. Withholding production of such documents will require careful negotiation. Finding a practical way for these to be produced by external lawyers (where prior authorisation is unlikely) will likely be more difficult and undoubtedly will increase the time it will take to respond to a request for documents and may require the review of documents ‘in country’ instead of producing the documents to the US authorities. Another potential work­around is production of information through MLATs and MOUs that allow a company to first produce documents to a local authority and thereby comply with the relevant regulations.

17.3 Documents obtained through dawn raids, arrest and search

During a raid (or execution of a search warrant) on corporate premises, it is important to obtain, and understand the terms of, the warrant. Check simple facts such as the premises’ address, the date and relevant powers and authorisations. If appropriate, a company may challenge the scope of the warrant (if it is unduly wide or based on erroneous facts or information). Importantly, the company and its advisers should ensure during the raid that documents outside the terms of the warrant are not seized (unless taken under relevant search-and-sift powers,[62] or as can be justified under ancillary legislation)[63] and take care both during and after the raid to protect legally privileged materials. In the United States, it is nearly impossible to challenge the scope of a warrant that calls for the immediate search of a specific location. More likely, a company would have to seek an order returning such property, or seek to suppress evidence obtained pursuant to a warrant in a later proceeding. There may, however, be opportunities to challenge the scope of a warrant seeking electronically stored information before the data is actually collected and produced. As an example, where a company is asked to execute a warrant on behalf of the government, such as when a service provider is asked to collect electronic information of a third party, there may be additional opportunities for a company to challenge the scope of a subpoena. It is likely that the vast majority of documents obtained during a search will be electronic. It is important to agree to a process with the authorities for dealing with any electronic media that is privileged. In the United Kingdom, most investigative agencies have developed sophisticated procedures in this area. The SFO’s policy and system for dealing with material covered by legal professional privilege (LPP) is explained in its Operational Handbook:

When the SFO requires the production of material, or seizes material pursuant to its statutory powers, all material which is potentially protected by LPP must be treated with great care to:
  • Minimise the risk that LPP material is seen or seized by an SFO investigator or a lawyer involved in the investigation.
  • Ensure that any LPP material which is seized is properly isolated and promptly returned to the owner without having been seen by an SFO investigator or a lawyer involved in the investigation.
  • Ensure that any dispute relating to LPP is resolved in advance of the material being seen by an SFO investigator or a lawyer involved in the investigation.
  • Ensure that where an SFO investigator or a lawyer involved in the investigation inadvertently sees LPP material, measures are in place to ensure that the investigation and any subsequent prosecution is not adversely affected as a result. Care must always be taken that LPP material is not viewed by the SFO staff involved in the investigation.[64]

The Operational Handbook then sets out a procedure for dealing specifically with electronic material that may be privileged. Under this procedure, the SFO will first notify the company’s lawyers if it believes that IT assets it has seized might contain privileged material (in practice, it is prudent for the company’s lawyers to advise the SFO of the potential existence of privileged material at an early stage). A list of search terms should be agreed (including names of lawyers, relevant firms, etc.) to enable the identification and isolation of the material for review by independent counsel. Independent counsel will review the material using search software and return only non-privileged material to the SFO investigative team to examine. It is normally possible to have productive discussions with investigators to determine the relevant search terms that might identify privileged material. It is then possible to make representations on the client’s behalf to independent counsel about the extent of privilege. This procedure updates and works alongside the well-established ‘blue-bagging’ approach used for hard-copy materials that may be privileged, by which authorities will send seized documents that may be potentially privileged, sealed in an opaque bag, to the custody of an independent legal adviser (usually a barrister) for review.

The DOJ has used three different procedures for reviewing potentially privileged information, each of which requires a ‘neutral’ third party to first review potentially privileged data.[65] In certain instances, the court may review the data on its own. A court may also appoint a ‘special master’ to handle the review of privileged information.[66] In other instances, a ‘taint team’ may be used to review the files.[67] When a taint team is used, an ethical wall will be placed between the individuals who review the documents and those who are actually participating in the investigation.[68] Importantly, courts have had differing reactions to the use of taint teams and may not always conclude that the procedures implemented to screen materials were sufficient.

17.4 Informal disclosure requests: voluntary production and co-operation

17.4.1 Generally

A company may wish to consider voluntarily providing documents to an authority as part of a self-report or to demonstrate its co-operation with an investi­gation. Government investigators and investigating authorities regularly hold out the possibility of co-operation credit to companies to encourage them to provide information about their own misconduct.

From February 2014, DPAs have been available in the United Kingdom to the SFO and Crown Prosecution Service for disposing of corporate criminal conduct relating broadly to economic crime (including, in particular, fraud, corruption and money laundering).[69] The SFO and the English courts have emphasised that one of the most important factors for a DPA is early reporting and co-operation by the company. Co-operation should be ‘genuinely proactive’.[70] This includes the voluntary production of relevant documents, the importance of which has been demonstrated in a number of DPA cases, including SFO v. Rolls-Royce PLC, SFO v. Airbus, SFO v. G4S and SFO v. Amec Foster Wheeler.[71] In the United Kingdom, the Director of the SFO, Lisa Osofsky, has explained that corporate co-operation means ‘making the path to a case easier’ for the prosecutor.[72] This means that companies will be expected to provide the SFO with evidence it does not already have and guide the SFO’s investigation to help it focus on the most relevant lines of enquiry, including in respect of assistance with future prosecutions of individuals.

In August 2019, the SFO updated its Operational Handbook to provide guidance on corporate co-operation (Corporate Co-operation Guidance), confirming a non-exhaustive list of good practices that SFO officers should consider when assessing an organisation’s co-operation with the SFO, with a view to being invited to enter into DPA negotiations. The Corporate Co-operation Guidance sets forth detailed provisions on the SFO’s expectations regarding the preservation and provision of materials relating to digital and hard-copy evidence, financial records and analysis, industry and background information, dealing with individuals connected to the investigation, and more contentious issues such as witness accounts and waivers of privilege. The Corporate Co-operation Guidance confirms that ‘cooperation means providing assistance to the SFO that goes above and beyond what the law requires’ and that this includes identifying individuals involved in the misconduct.[73] Timing is important, both for a potential DPA and in relation to anti-cartel regimes, which often provide an amnesty only to the first discloser.[74]

The FCA’s standard practice is to rely on its statutory powers to require the production of documents. While there is merit in adopting this policy, and it does avoid the risks to companies of voluntarily disclosing documents to the FCA, nothing prevents the FCA from seeking voluntary production. Principle 11 of the FCA’s Principles for Businesses states: ‘A firm must deal with its regulators in an open and co-operative way, and must disclose to the appropriate regulator appropriately anything relating to the firm of which that regulator would reasonably expect notice.’ A materially identical provision is included in the PRA’s Rulebook as Fundamental Rule 7. While this chapter focuses on the approach of the FCA, it is worth remembering that the PRA has similar enforcement powers (and is using them with increasing frequency). Both regulators interpret these obligations to proactively bring matters to their attention widely, and are prepared to take enforcement action against firms and individuals for failures to discharge these obligations (even in the absence of other underlying failings). Prudential Group (fined £30 million for failing to inform the FSA[75] of its proposed acquisition of AIA until after it had been leaked to the media), Goldman Sachs (fined £17.5 million for not disclosing an SEC investigation into its staff and members of The Goldman Sachs Group), the Co-operative Bank (issued a final notice for failing to notify the PRA without delay of two intended personnel changes in senior positions) and Bank of Scotland plc (fined £45.5 million for failure to inform the FSA about its suspicions that fraud may have occurred at the Reading-based impaired-assets team of Halifax Bank of Scotland) are examples from the past few years. This places regulated firms in a different position from others: it reduces the scope for the decision whether to self-report.

Principle 11 is mainly intended as a supervision tool and sets out a broad duty of co-operation that the FCA often relies on to oblige the production of documents before formal investigations begin (sometimes, but not always, to decide whether an investigation should be commenced and in respect of which firms and individuals). The FCA’s view of what is meant by being open and co-operative within Principle 11 is set out in the FCA Handbook, in the ‘Supervision’ (SUP) section. SUP 2.3 provides that being ‘open and co-operative’ includes a regulated entity making itself readily available for meetings with the FCA, giving the FCA reasonable access to records, producing documents as requested, and answering questions truthfully, fully and promptly. Where a formal investigation has commenced, the FCA would not seek to rely on Principle 11 as a substitute for its other statutory powers that compel production. While it would be a clear breach of Principle 11 to fail to comply with a statutory request for the production of documents, a failure to comply with a voluntary request would not, of itself, result in disciplinary proceedings:

The FCA will not bring disciplinary proceedings against a person for failing to be open and co-operative with the FCA simply because, during an investigation, they choose not to attend or answer questions at a purely voluntary interview. However, there may be circumstances in which an adverse inference may be drawn from the reluctance of a person (whether or not they are a firm or individual) to participate in a voluntary interview. If a person provides the FCA with misleading or untrue information, the FCA may consider taking action against them.[76]

The Enforcement Guide further provides that if a person does not comply with a requirement imposed by the exercise of statutory powers, he or she may be held in contempt of court. The FCA may also choose to bring proceedings for breach of Principle 11.[77] Therefore, while there is no guidance indicating that a failure to produce documents voluntarily (as opposed to attending a voluntary interview) would result in an adverse inference being drawn, a decision by a company not to produce documents voluntarily in any particular case should not be made without careful forethought and proper advice on the potential consequences.

As this suggests, the Enforcement Guide recognises the importance of an open and co-operative relationship with the firms it regulates to the effective regulation of the UK financial system. When deciding whether to exercise its enforcement powers, the FCA considers, among a number of factors, the level of co-operation demonstrated by a firm. When weighing the level of co-operation, the FCA considers whether the firm has been open and communicative with it.

In the United States, too, the authorities have routinely emphasised that they will consider self-reporting and co-operation with government investigations as a key factor when determining whether to charge a corporation.[78] The DOJ considers co-operation ‘a mitigating factor, by which a corporation – just like any other subject of a criminal investigation – can gain credit in a case that otherwise is appropriate for indictment and prosecution’.[79] The DOJ’s Justice Manual (which governs the conduct of Assistant US Attorneys during the course of civil and criminal investigations, including Foreign Corrupt Practices Act (FCPA) investigations) therefore encourages corporations, typically through their compliance programmes, to conduct internal investigations and voluntarily self-report misconduct.[80] Importantly, the Justice Manual states that prosecutors may also consider voluntary disclosure when determining whether to bring charges for criminal misconduct.[81] However, ‘willingness to cooperate, including as to potential wrongdoing by its agents’ and ‘timely and voluntary disclosure of wrongdoing’ are just two of 11 illustrative factors that prosecutors should consider in determining whether to bring an action against the corporation.[82]

Likewise, under the DOJ’s FCPA Corporate Enforcement Policy, which has been incorporated into the Justice Manual:

[W]hen a company has voluntarily self-disclosed misconduct in an FCPA matter, fully cooperated, and timely and appropriately remediated, all in accordance with the standards set forth below, there will be a presumption that the company will receive a declination absent aggravating circumstances involving the seriousness of the offense or the nature of the offender.[83]

As publicly stated in the first year of the Biden administration, there is a heightened focus on FCPA and sanctions enforcement. The DOJ has made clear that, with such enforcement, it hopes to encourage companies to voluntarily disclose their misconduct. As Deputy Attorney General Lisa Monaco explained at a June 2022 conference:

[W]e aim for our sanctions enforcement to incentivize companies to come forward and voluntarily disclose discovered misconduct. As with the FCPA, the department – through the National Security Division I had the privilege to lead earlier in my career – has a self-disclosure program to address potential criminal sanctions violations. We drew on the model from the FCPA with this self-disclosure program and since the relevant NSD guidelines were revised in 2019, the number of voluntary self-disclosures is increasing.[84]

Voluntary disclosure carries a risk that the authority may not give any meaningful credit and may nonetheless decide to prosecute or expand an investigation already under way. Therefore, the company should weigh the likelihood of the authority being able to serve a formal request for disclosure in the relevant jurisdiction.

In some instances, a formal notice for disclosure will be preferred: for example, where a company has obligations of confidentiality, preventing voluntary disclosure. The most common examples are lawyers and financial institutions, who could both face an action for breach of confidence for supplying documents or information without a formal regulatory request. In some self-reporting circumstances, it may be appropriate for a company to seek such a notice from the relevant authority to ensure that it does not open itself up to civil action. The notice should be narrowly drawn, in consultation with the regulator, and should not affect the company’s co-operation credit. Likewise, in some situations, the company may prefer to ask to be provided with a formal document request to demonstrate that it has been compelled to produce the documents to the authorities and has not done so voluntarily.

17.4.2 Disclosure of results of internal investigation

In most instances, a company will have to make expansive disclosures regarding its internal investigations to get full co-operation credit. The DOJ has issued guidance in the Justice Manual[85] that explicitly states that companies will have to self-report both the results of internal investigations and individual misconduct to receive any co-operation credit.[86] Whether such thorough disclosures are in the best interests of the company is something that will need to be determined in a timely manner.

17.4.3 Self-reporting of misconduct not yet known to regulators

A company’s decision as to whether to self-report is often complicated. There may be opportunities for a company to internally address misconduct without it coming to light. However, it can be very difficult for a company to keep its misdeeds from being disclosed to the relevant authorities. Whistleblower rewards provide incentives for employees to report misconduct. Federal statute provides protections for whistleblowers,[87] and in 2017 the SEC imposed penalties on financial institutions attempting to prohibit employees from seeking those bounties.[88] Disgruntled employees can report corporate misconduct as retaliation, to attempt to avoid prosecution themselves or simply because they do not feel that the corporate is handling the issue appropriately via its internal process. In the United Kingdom, broadly speaking, those working in the field of financial services are subject to suspicious activity reporting obligations. This means that banks, accountants and transactional lawyers must make reports to the authorities of suspicions of money laundering (including acquiring assets that may be tainted by fraud or corruption). A failure to make a report is a criminal offence – as is tipping off the subject of the report (which in some instances may be the individual’s own client). Investigative journalism and non-governmental organisations also continue to be important sources of information for regulators – as the ‘Panama Papers’ scandal illustrated.[89]

The Deferred Prosecution Agreements Code of Practice (the DPA Code) issued by the SFO and the Crown Prosecution Service[90] indicates that, to be eligible for a DPA, a company will likely have to report voluntarily any mis­conduct within a reasonable time of becoming aware of it – and prior to it becoming known to the authorities. In fact, in a number of the 12 DPA cases,[91] the companies self-reported their misconduct to the SFO in circumstances where the SFO had no prior knowledge of the misconduct and, in all likelihood, would not have learnt about the misconduct if the company had not self-reported.

But, in the Rolls-Royce case, which was concluded by a DPA in January 2017, the company did not self-report to the SFO the conduct that led to the SFO’s investigation. Instead, the SFO became aware of the need for an investigation through internet postings by a whistleblower. That Rolls-Royce did not self-report weighed against the SFO offering a DPA; yet, Rolls-Royce chose to co-operate fully with the investigation after the SFO approached the company, and undertook its own internal investigation (in close consultation with the SFO). In total, Rolls-Royce collected over 30 million documents and subjected them to electronic document review as part of this investigation. One of the main features of Rolls-Royce’s co-operation was that it provided all materials requested by the SFO voluntarily, without the SFO having to compel it to provide any. Rolls-Royce also chose not to perform any legal professional privilege review over the documents (instead allowing independent counsel to resolve issues of privilege) and worked with the SFO as it used sophisticated artificial intelligence searches to interrogate the data. This process led to the SFO uncovering information that may not have otherwise come to its attention. Ultimately, SFO counsel described the extent of Rolls-Royce’s co-operation with the investigation as ‘extraordinary’. The Amec Foster Wheeler DPA is another example of a company failing to self-report; however, once Brazilian authorities opened an investigation, the company co-operated ‘extensively’ with the subsequent SFO investigation and foreign investigators, resulting in the provision of previously unseen documents to the SFO both voluntarily and in answer to statutory notices leading to the discovery of further offending. Amec Foster Wheeler further agreed to a limited waiver of legal professional privilege for the purposes of the SFO investigation over advice received by the company during the period of the alleged offending.

While the decision to provide documents voluntarily to the SFO was one of a number of measures taken by Rolls-Royce and Amec Foster Wheeler to demonstrate their co-operation with the investigation, this decision was of fundamental importance to the court when deciding to approve the DPAs. The companies’ voluntary disclosure of investigation documents therefore mitigated its failure to voluntarily disclose misconduct. This is particularly evident in the Amec Foster Wheeler DPA, where the company still obtained 50 per cent credit on the fine imposed despite its lack of self-reporting.

From the US perspective, failure to self-report misconduct before it becomes otherwise known to the authorities can have a significant impact on the resolution of the corporate investigation.[92] Although there is no bright-line rule for timing, disclosures should occur prior to the imminent threat of investigation and in a timely manner.[93] Further, representing another shift in government policies, the DOJ has returned to a prior investigative and prosecutorial focus, requiring that companies adhere to more fulsome disclosure standards. As Deputy Attorney General Lisa Monaco stated in October 2021:

It will no longer be sufficient for companies to limit disclosures to those they assess to be ‘substantially involved’ in the misconduct. Such distinctions are confusing in practice and afford companies too much discretion in deciding who should and should not be disclosed to the government. . . . cooperating companies will now be required to provide the government with all non-privileged information about individual wrongdoing.[94]

This approach is consistent with the general policy of the DOJ under Attorney General Merrick Garland: ‘[I]t is unambiguously this department’s first priority in corporate criminal matters to prosecute the individuals who commit and profit from corporate malfeasance.’[95]

In furtherance of this policy shift, on 15 September 2022, Deputy Attorney General Monaco issued a formal DOJ memorandum entitled ‘Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group’.[96] Among other things, this memorandum emphasises that: ‘The Department’s first priority in corporate criminal matters is to hold accountable individuals who commit and profit from corporate crime.’[97] Accordingly, the DOJ will require co-operating companies to prioritise prompt and comprehensive disclosures regarding executives and other individual actors. Should prosecutors identify any ‘undue or intentional delay’ in a co-operator’s production of information or documents, particularly where the information impacts the assessment of individual culpability, the company’s co-operation credit will be reduced or eliminated.[98] Pursuant to these policies, prosecutors must adhere to two core principles regarding voluntary self-disclosure aiming to incentivise corporate co-operation. First, absent aggravating factors, the DOJ will not seek a guilty plea from a corporation if the corporation has voluntarily self-disclosed, fully co-operated, and timely and appropriately remediated the criminal conduct. Second, the DOJ will not require an independent compliance monitor for co-operating self-disclosers if, at the time of resolution, the co-operating company can demonstrate that an effective compliance programme has been implemented and tested.

Organisations should therefore be cognisant that individuals at various levels of the organisation may bear greater liability, and when making voluntary disclosures in investigations, all relevant individuals should be considered.

17.4.4 Production of investigation reports

To obtain co-operation credit, prosecuting and government agencies require that companies provide the complete factual findings of an internal investigation, including relevant source documents. The Justice Manual recognises ‘the sort of co­operation that is most valuable to resolving allegations of misconduct by a corporation and its officers, directors, employees, or agents is disclosure of the relevant facts concerning such misconduct’.[99]

Similarly, the UK DPA Code provides that co-operation will include ‘providing a report in respect of any internal investigation including source documents’.[100]

Careful consideration should be given to the manner of disclosure of information. In the United States, the consideration for credit is that the relevant facts are disclosed, regardless of format and without need to waive privilege.[101] A company bears the burden, however, of disclosing the facts necessary to qualify for co-operation credit, and if a company chooses not to waive relevant privileges, it is unlikely to be able to share the investigative reports prepared by counsel conducting the investigation. Instead, it will have to carefully craft presentations that disclose only non-privileged facts. Oral presentations and high-level overview summaries relying on primary source evidence may reduce the risk to a company, although even these methods of disclosure can face judicial resistance with respect to maintaining privilege.[102] Therefore, companies and their legal counsel can face challenging strategic decisions when weighing co-operation with the government against maintaining privilege. And, because there can be no claim that the materials are privileged, a company should also expect that it will have to produce presentation materials in any related civil litigation.

In the United Kingdom, there is currently much debate over the production of the first accounts of witnesses, which may have been taken by investigating attorneys. The SFO’s preference is that these are taken so that legal privilege does not apply. It also indicates that it does not consider all privilege claims over interview materials to be made out under English law and, until the Court of Appeal’s decision in The Director of the Serious Fraud Office v. Eurasian Natural Resources Corporation (ENRC),[103] was actively challenging such assertions. Where a valid claim for privilege exists, co-operation credit will be given for the disclosure of interview memoranda. A failure to disclose will be considered co-operation neutral. As Alun Milford, then SFO General Counsel, has previously said: ‘If a company’s assertion of privilege is well-made out, then we will not hold that against the company: to do otherwise would be inconsistent with the substantive protection privilege offers.’[104] In two of the UK cases in which the court has approved DPAs, the company made oral disclosure only of the content of witness interviews.[105] However, Rolls-Royce, Airbus and G4S all chose to provide the interview memoranda or transcripts to the SFO on the basis of a limited waiver of privilege.[106] This was another way Rolls-Royce in particular used the voluntary disclosure of documents to counterbalance any actual or perceived failure to voluntarily disclose the misconduct. Other materials voluntarily provided to the SFO by companies subject to executed DPAs have included regular reports and presentations on the findings of the internal investigations; unfiltered access to the ‘digital repositories or email containers’ for past and present employees; and key documents identified by the internal investigations.

The SFO has affirmed its position on witness accounts and privilege as part of the Corporate Co-operation Guidance, which confirms that a company’s failure to waive privilege means that it will not attain the corresponding factor against prosecution in the DPA Code, but that the SFO will not penalise the company in this regard. The Corporate Co-operation Guidance suggests that while an organisation will not get the full co-operation credit potentially available in these circumstances, the SFO will not automatically refuse a DPA if it can demonstrate other co-operative factors pointing against a public interest in prosecuting the company, in accordance with the DPA Code.[107]

17.4.5 Identification of witnesses to authorities

In its initial assessments of whether to co-operate with authorities, a company will have to consider the implications of disclosing information about key employees. As noted above, US and UK authorities have indicated that co-operation will require disclosure of facts relevant to the misconduct of individual employees.

While the DOJ’s current policies require companies to make fulsome disclosures of any and all individuals who may have been involved in alleged misconduct, the ‘unequivocal co-operation’ necessary to be eligible for a DPA in the United Kingdom additionally includes identifying relevant witnesses, disclosing their accounts of the alleged misconduct and any documents shown to them and, where practicable, making those witnesses available for interviews by investigators[108] – together with ongoing co-operation with the authorities.

When seeking a DPA, a corporate should consider liaising closely with the SFO, which may wish to undertake witness interviews, or interviews under caution,[109] with individuals before corporate counsel does so. The Corporate Co-operation Guidance confirms that the SFO will expect organisations to identify individuals responsible for the suspected wrongdoing (and support the SFO’s disclosure obligations in its prosecution of individuals) and potential witnesses, and that co-operating companies should consult with the SFO before interviewing potential witnesses or suspects, or taking human resources actions or other overt steps. Once the individuals have been identified to the government or prosecuting authorities it may be difficult, if not impossible, for them to continue working for the company. A company may feel pressure to terminate the employee or place that individual on leave, which could have a significant impact on the operations of a business unit. Even if the company does not terminate an employee under investigation, targets of a government investigation are likely to engage their own counsel who may advise the employee to stop co-operating with its employer – leading to a ‘walk or talk’ decision. Depending on the nature of any employment agreement, a company may have to advance fees and costs of an individual’s representation. Also, since 2004, the United Kingdom has imposed an extensive Code of Practice for Disciplinary and Grievance Procedures on employers, which sets out standards of procedural fairness that a UK employer should comply with if it takes action that will detrimentally affect an individual’s employment.[110]

17.5 Privilege considerations

17.5.1 Generally

In the United States, generally the attorney–client privilege entitles a party to withhold from production (1) communications, (2) with an attorney, his or her subordinate or agent, (3) made in confidence, (4) for the primary purpose of securing an opinion of law, legal services or assistance in a legal proceeding. It applies to corporations as well as individuals, and therefore protects communications between corporate employees and a corporation’s in-house and external legal counsel on matters within the scope of the employees’ corporate responsibilities. Communications between non-legal corporate employees can also be privileged where an attorney neither authors nor receives the communication, if the communication contains or refers to previously transmitted legal advice or identifies specific legal advice that the non-attorneys will seek from attorneys in the near future. Additionally, the work-product doctrine protects documents and tangible things, otherwise discoverable, prepared in anticipation of litigation and in connection with a threatened or pending government investigation. The doctrine can apply to documents prepared by both attorneys and non-attorneys. Attorney notes, research and compilations of background materials, memoranda, investigative reports, witness statements, and materials prepared by non-legal personnel such as investigators are examples of the types of documents that may be protected. Work-product containing an attorney’s mental impressions is referred to as ‘opinion’ work-product and is afforded greater protection than other ‘ordinary’ work-product.

In the United Kingdom, privilege attaches to (1) confidential communications between a lawyer and his or her client for the purpose of seeking and receiving legal advice in a relevant legal context, including factual reporting (legal advice privilege), and (2) confidential communications between a lawyer and his or her client or a third party (or both), or between a client and a third party, provided that such communications have been created for the dominant purpose of obtaining legal advice, evidence or information in preparation for actual litigation, or litigation that is ‘reasonably in prospect’ (litigation privilege). English case law has traditionally called into question the availability of litigation privilege for documents created during a regulatory investigation, as an investigation alone lacks the adversarial character of litigation. In the ENRC[111] decision, the Court of Appeal looked at the issue of when a corporate might reasonably contemplate prosecution (and therefore the necessary ‘litigation’) in the context of a self-reporting process, commenting as follows:

[W]e are not sure that every SFO manifestation of concern would properly be regarded as adversarial litigation, but when the SFO specifically makes clear to the company the prospect of its criminal prosecution . . . and legal advisers are engaged to deal with that situation, as in the present case, there is a clear ground for contending that criminal prosecution is in reasonable contemplation.[112]

But the Court went on to say that no particular action in the course of engagement with a regulator will allow a company to say that at a particular date it contemplated a criminal prosecution and privilege crystallised. Every case will turn on its own facts, and the evidence will be assessed in the round.

The corporate must also have created the documents for the dominant purpose of the contemplated litigation. In ENRC, even where ENRC might have created documents for the dominant purpose of merely investigating ‘the facts to see what had happened and deal with compliance and governance’,[113] the Court held:

Although a reputable company will wish to ensure high ethical standards in the conduct of its business for its own sake, it is undeniable that the ‘stick’ used to enforce appropriate standards is the criminal law and, in some measure, the civil law also. Thus, where there is a clear threat of a criminal investigation, even at one remove from the specific risks posed by the SFO should it start an investigation, the reason for the investigation of whistle-blower allegations must be brought into the zone where the dominant purpose may be to prevent or deal with litigation.[114]

So, litigation privilege may well cover a significant proportion of documents created during an internal investigation into possible criminal activity after the regulator has made clear there is a prospect of prosecution. Again, though, the reasons the corporate created particular documents is important. If a corporate creates documents specifically to disclose to the regulator, then it seems unlikely that a claim to litigation privilege against that same regulator will succeed, at least in relation to the final versions of these documents.

The Court of Appeal also discussed the policy behind applying litigation privilege in this area:

It is, however, obviously in the public interest that companies should be prepared to investigate allegations from whistle blowers or investigative journalists, prior to going to a prosecutor such as the SFO, without losing the benefit of legal professional privilege for the work product and consequences of their investigation. . . . The remedy for the SFO is not to allow prevarication and delay . . . to prevent a timeous investigation, when it becomes clear that the company is not wholeheartedly reporting its own conduct and making appropriate waivers of privilege.[115]

It went on to make clear that determining the extent of co-operation by a company (in an analysis of whether a DPA was in the public interest) included determining ‘whether the company was willing to waive any privilege attaching to documents produced during internal investigations, so that it could share those documents with the SFO’.[116] But, past practice in both the United Kingdom and the United States suggests that a corporate does not need to waive privilege over all its investigation documents to receive co-operation credit.

In presenting the underlying facts of an internal investigation, a company must be mindful of the inherent risk that this will be deemed a privilege waiver in any subsequent proceedings. In the United States, if a disclosure of privileged information to a federal office or agency is deemed intentional, the privilege will be waived in any federal or state proceeding.[117] However, if a disclosure of privileged information is unintentional, it will not create a broad waiver so long as the holder of the privilege took steps to prevent the disclosure and then promptly took reasonable steps to seek return of any inadvertently disclosed information.[118] Accordingly, if a company decides that it does not intend to waive privilege, it should devise reasonable steps that highlight the company’s decision not to waive privilege, including providing written notice of the intention not to produce privileged materials in any letter or other correspondence that accompanies a document production. Courts in England and Wales have held that a company can share the contents of a privileged communication with a regulator or other third party, keeping the privilege intact, so long as this desire is made clear, the disclosure is confidential and the communication is not proliferated widely.[119]

The SFO has clarified its position on privilege considerations as part of the Corporate Co-operation Guidance, confirming that if an organisation asserts legal privilege over relevant materials (such as first accounts, internal investi­gation interviews or other documents), the SFO may challenge the privilege assertion where it considers it necessary or appropriate to do so. The Corporate Co-operation Guidance also includes an additional step for companies, requiring organisations to provide certification by independent counsel that the material is privileged. In the United States, certain portions of internal investigations are protected by the attorney–client privilege and the work-product doctrine, and courts routinely uphold those privileges.[120] This can be true even where the purpose of an investigation is to ensure regulatory compliance, or where non-lawyers are involved in key parts of the investigation.[121] The DOJ can take a more aggressive stance challenging claims of the attorney–client privilege in certain instances, however. For example, as demonstrated by a motion for sanctions the DOJ filed in an antitrust action in spring 2022, if the DOJ believes that in-house legal counsel is copied on communications simply to shield communications from investigation by regulators and not to provide legal counsel, the DOJ has recently challenged the invocation of privilege.[122] Organisations should take care in their internal approach to privileged communications and assertion of privilege for general business or public relations matters that do not actually solicit or require professional legal advice.

17.5.2 Privilege in cross-border contexts

It may not be clear which privilege rules apply when a company discloses in one jurisdiction documents created in another. Companies should be aware that some countries do not have developed principles of legal privilege and special care is required in creating or sending otherwise privileged documents to such jurisdictions. Likewise, in some jurisdictions privilege does not extend to communications with in-house counsel and the role of internal counsel may be held by someone who is not an attorney, and therefore privilege may not be recognised in connection with their communications.

Further complications come when dealing with international regulatory bodies. In Akzo Nobel, for example, the European Court of Justice held that the law of the European Union superseded that of the relevant national jurisdictions; therefore, in competition cases, internal counsel’s advice will not be privileged – nor will that of external legal advisers who are not EU-qualified lawyers.[123]

17.6 Protecting confidential information

Companies producing information to the government should take steps to protect its confidentiality. In the United Kingdom, the High Court confronted these issues in Standard Life Assurance v. Topland Col.[124] The SFO had disclosed information it had obtained through its compulsory powers under section 2 of the CJA to a Standard Life employee it wished to interview. The SFO later discontinued the related investigation. Standard Life then used some of this information as part of civil proceedings against Topland. The Court noted that the SFO was not entitled to disclose any material obtained by it during an investigation except for the purpose of its investigation (which was the original purpose of the disclosure in this case). A person who wished to prevent disclosure of genuinely confidential information, either by the SFO or by a person it had disclosed documents to, would need to rely on judicial review proceedings or seek an injunction to prevent a breach of confidence. This suggests that, to avoid relying on these indirect remedies, a company should agree with the SFO before disclosure how the SFO might control the further dissemination of confidential or sensitive documents. Safeguards may include the SFO returning the documents following a short time or notifying a disclosing party before the SFO intended to disseminate documents further. On the other hand, a company may also wish to construct potential safeguards around material produced to it during DPA negotiations and that may otherwise be discoverable in subsequent civil proceedings against it. This point was particularly relevant in Omers Administration Corp & Ors v. Tesco Plc,[125] where the SFO had provided Tesco with a number of confidential documents during DPA negotiations that it had obtained from third parties using its section 2 CJA investigation powers. These documents subsequently became subject to the standard disclosure test under Part 31 of the Civil Procedure Rules when two groups of shareholders brought civil proceedings against Tesco. The High Court considered the conflict between Part 31 and Tesco’s confidentiality obligations to the SFO and found that the key question to be considered was whether the overriding objective of dealing with a case justly and at a proportionate cost could be solved with the production of relevant documents. Applying the facts of the case, the High Court ordered disclosure as the documents were likely to contain material ‘necessary for the fair disposal of the action’; and the public interest in confidentiality (even though this held particular weight when documents were originally obtained by compulsion under the SFO’s powers) was overridden by the public interest in ensuring ‘the courts try civil claims on the basis of all relevant material’.

In the United States, the government must keep information produced in response to a grand jury subpoena confidential,[126] although a court may authorise disclosure subject to any conditions it directs (such as disclosure to a defendant post-indictment during discovery). Additionally documents under the control of a government agency can be subject to requests made pursuant to the Freedom of Information Act (FOIA), although exemptions to FOIA may allow an agency to withhold certain documents from disclosure.[127]

The procedures necessary to shield confidential information from disclosure can be quite complex. Each regulatory body has its own procedures for seeking confidential treatment of information. The SEC, for example, has Rule 83, which provides a procedure for requesting that information submitted to the SEC be withheld from FOIA requests.[128] The SEC requires that each page of a document containing confidential information be stamped with a specific legend and that a request for confidential treatment go to the individual receiving the documents and the Office of Freedom of Information and Privacy Act Operations.[129] However, organisations should take care because documents typically shielded from disclosure by FOIA and other regulations are not exempt from production to the United States Congress, which can, in turn, make the information public. Many states have their own versions of FOIA governing the treatment of information provided to, among others, state attorneys general.[130] And, at the federal level, the Privacy Act and Trade Secrets Act also protect a company’s information that has been disclosed to investigators and forbid those investigators from further disclosing information.[131]

17.7 Conclusion

Companies have an incentive to co-operate with a government investigation, especially if co-operation credit does not necessarily require self-reporting of the misconduct. But self-reporting will assist companies alongside the voluntary provision of relevant materials. The additional advantages of co-operation – control of the investigation process, orderly production of materials and managing press intrusion – are likely to be great when weighed against the disruption and publicity of formal actions including raids, arrests and prosecutions. In cross-border investigations, companies will need to devise due process safeguards to protect the rights of individuals and respect local law requirements. Ensuring local law specialists are instructed to work as part of a multidisciplinary team will be key.


[1] Caroline Black and Clare Putnam Pozos are partners, and Chloe Binding and Carla Graff are associates, at Dechert LLP. The authors would like to thank the Hon. Hector Gonzalez, who co-authored earlier versions of this chapter.

[2] Financial Conduct Authority (FCA), Enforcement Guide (January 2021), available at; and FCA Mission: Approach to Enforcement (April 2019), available at -approach-enforcement-final-report-feedback-statement.pdf.

[3] Whether the FCA compels testimony from an individual can have an impact on whether that information can be used in connection with a criminal proceeding in the United States. The Second Circuit Court of Appeals has held that testimony compelled by the FCA cannot be used against a defendant in a criminal prosecution. See United States v. Allen, 864 F.3d 63 (2d Cir. 2017).

[4] Other federal agencies, such as the Consumer Financial Protection Bureau and the Federal Trade Commission, may issue subpoenas. Other agencies must seek the assistance of the United States Attorney’s Office in seeking documents and testimony. For a discussion of the use of administrative subpoenas, see

[5] For information regarding criminal matters, see Justice Manual § 9-13. The Civil Division is authorised to issue subpoenas by a number of statutes.

[6] 17 C.F.R. § 11.4(a).

[7] Section 19(c) of the Securities Act of 1933, 15 U.S.C. § 77s(c); Section 21(b) of the Securities Exchange Act of 1934, 15 U.S.C. § 78u(b); Section 209(b) of the Investment Advisers Act of 1940, 15 U.S.C. § 80b–9(b); and Section 42(b) of the Investment Company Act of 1940, 15 U.S.C. § 80a–41(b).

[8] For information regarding procedures for obtaining a formal order of investigation, see Sections 2.2.3 to 2.3.4 of the Enforcement Manual of the Securities and Exchange Commission Division of Enforcement, available at (28 November 2017).

[12] Endicott Johnson Corp. v. Perkins, 317 U.S. 501, 509 (1943); CFTC v. Zepeda, No. 22-18, 2022 WL 20163249, at *4 (C.D. Cal. 12 May 2022); SEC v. Kimmel, No. 19-00113, 2020 WL 280813, at *2 (D. Colo. 28 May 2020).

[13] SEC v. Marin, 982 F.3d 1341, 1352 (11th Cir. 2020).

[14] 18 U.S.C. §§ 401, 1001; see also 7 U.S.C. §§ 9, 13(a)(3). Rule 17 of the Federal Rules of Criminal Procedure governs subpoenas, including grand jury subpoenas and Rule 17(g) authorises federal courts to exercise their contempt powers for non-compliance. (‘The court (other than a magistrate judge) may hold in contempt a witness who, without adequate excuse, disobeys a subpoena issued by a federal court in that district.’)

[16] Id.

[18] SFO v. Rolls-Royce PLC and Rolls-Royce Energy Systems Inc (Case No. U20170036) [2017] Lloyd’s Rep FC 249.

[19] SFO v. Airbus SE (Case No. U20200108) [2020] 1 WLU 435; [2021] Lloyd’s Rep FC 159.

[20] For example, employees’ use of disappearing messaging services, such as WhatsApp, raises issues. In March 2019, the Department of Justice (DOJ) relaxed its prior guidance to companies regarding employees’ use of those services, removing from the Foreign Corrupt Practices Act (FCPA) Corporate Enforcement Policy a requirement that employees be prohibited from using those services. Instead, the revised policy requires each company seeking timely and appropriate remediation credit put in place ‘appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations’. Justice Manual § 9-47.120.

[21] In 2015, Deutsche Bank AG entered into a DPA with the DOJ and settlements with the US Commodity Futures Trading Commission, the Department of Financial Services and the FCA, in connection with its role in manipulating LIBOR rates. DB Group, a subsidiary of Deutsche Bank, also pleaded guilty to wire fraud for its role. Together, Deutsche Bank and its subsidiary agreed to pay over US$2 billion in penalties to US authorities and US$344 million to the FCA – then the second-largest fine in the FCA’s history.

[22] Bates numbering is a method of indexing legal documents for easy identification and retrieval.

[23] Justice Manual § 9-47.120(3)(b).

[24] Justice Manual § 9-47.120(3)(b).

[25] [2021] UKSC 2.

[26] Production notices seeking documents held outside the jurisdiction of the investigating authority are complicated. For example, the authors take the view that a request made under s.165 of the Financial Services and Markets Act 2000 captures documents in a company’s custody or control outside the United Kingdom. In the 2018 case of R (on the Application of KBR Inc.) v. The Director of the Serious Fraud Office [2018] EWHC 2368 (Admin), the High Court held that the SFO’s compulsory document production powers under section 2(3) of the Criminal Justice Act 1987 could have extraterritorial application, but to issue a notice to a non-UK company in respect of documents held outside the United Kingdom, there must be a ‘sufficient connection’ between the overseas company and the United Kingdom. Overseas companies should assess the factual connection to the United Kingdom (in terms of its connection to the subject matter of the SFO’s investigation, rather than from a business perspective). The UK Supreme Court has granted KBR leave to appeal. In the case of R (on the application of Tony Michael Jimenez) v. (1) First Tier Tax Tribunal and (2) HMRC [2019] Civ 51, the Court of Appeal applied the ‘sufficient connection’ test set out in KBR in determining that HM Revenue and Customs, the UK tax authority, may serve a ‘taxpayer notice’ on a UK taxpayer resident overseas to obtain information about that individual’s tax position.

[27] For the United Kingdom, see Lonrho v. Shell Petroleum [1980] 1 WLR 627.

[28] See Justice Manual § 9-47.120.

[29] Crime (International Co-operation) Act 2003, s.7(5).

[30] Crime (International Co-operation) Act 2003, s.7(2).

[31] See, e.g., Reuters, ‘Monaco raids Unaoil offices over global oil corruption probe’, available at -over-global-oil-corruption-probe-idUSKCN0WY4S6.

[34] Overseas production orders (OPOs) will only be available where the United Kingdom has a ‘designated international co-operation agreement’ (DICA) with the country in which the OPO will be served. The United States and the United Kingdom have been negotiating such an agreement since 2015. This means that the United States is likely to be the first country directly affected by OPOs. Because a DICA is a precondition of an OPO means we are unlikely to see OPOs in practice in the immediate future.

[35] Financial Services Authority v. Amro International [2010] EWCA Civ 123.

[36] See; see also In re Premises Located at 840 140th Ave. NE, Bellevue, Wash., 634 F.3d 557, 563–64 (9th Cir. 2011) (‘In recent decades, the United States has ratified an increasing number of bilateral treaties with other nations to facilitate legal proceedings, known as mutual legal assistance treaties or MLATs . . . As their names suggest, these treaties provide for bilateral, mutual assistance in the gathering of legal evidence for use by the requesting state in criminal investigations and proceedings. Viewed through the lens of reciprocity, MLATs represent a direct approach to achieving reciprocity with other nations, in addition to the indirect approach taken by congressional expansion of the scope of § 1782. The ratification of MLATs in recent decades can be seen as yet another step towards the goal of greater legal assistance by, and for, other nations, at least with respect to requests by foreign governments for use in underlying criminal investigations and proceedings.’).

[37] Lisa Osofsky, evidence to House of Commons Justice Committee, 18 December 2018.

[38] SFO v. Airbus SE (Case No. U20200108) [2020] 1 WLU 435; [2021] Lloyd’s Rep FC 159; SFO v. Amec Foster Wheeler Energy Ltd [2021] 6 WLUK 664; [2021] Lloyd’s Rep FC 353; [2022] 2 C.L. 46; SFO v. Glencore Energy UK (Ltd) (2022).

[39] 18 U.S.C. § 3512.

[40] See 18 U.S.C. § 3512 (‘Upon application, duly authorized by an appropriate official of the Department of Justice, of an attorney for the Government, a Federal judge may issue such orders as may be necessary to execute a request from a foreign authority for assistance in the investigation or prosecution of criminal offenses, or in proceedings related to the prosecution of criminal offenses, including proceedings regarding forfeiture, sentencing, and restitution.’); Hon. Virginia M Kendall and T Markus Funk, The Role of Mutual Legal Assistance Treaties in Obtaining Foreign Evidence at 2, Global Litigator (Winter 2014), available at -litigation.pdf (‘U.S. District courts, for their part, have considerable discretion concerning whether to authorize a foreign request.’).

[41] 28 U.S.C. § 1781(b).

[42] AMLA § 6308 (31 U.S.C. § 5318(k)(3)(A)(i)).

[46] Id.

[47] Id.

[48] The United States does not have a comprehensive, federal data protection law. However, numerous state and federal laws govern the treatment of personal data. There are federal protections for, among other things, data collected from children, from financial institutions and that includes medical information. See, e.g., Federal Trade Commission Act, 15 U.S.C. §§ 41 to 58; Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501 to 6506; Financial Services Modernization Act (Gramm-Leach-Bliley Act), 15 U.S.C. §§ 6801 to 6827; Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. § 1301 et seq. (and the rules and regulations promulgated thereunder); Fair Credit Reporting Act, 15 U.S.C. § 1681.

[49] 15 U.S.C. § 45.

[50] See, e.g., CafePress, FTC Matter No. 1923209 (15 March 2022) (settling allegations that the company failed to take reasonable security measures to protect sensitive information, including the failure to encrypt sensitive information and holding data longer than necessary); DealerBuilt, FTC Matter No. 1723051 (6 September 2019) (settling allegations that the company failed to take reasonable steps to protect consumer data, including by failing to implement access controls or authentication procedures to protect against unauthorised access to or acquisition of data); FTC v. D-Link Sys., Inc., No. 3:17-cv-00039-JD (N.D. Cal. 2 July 2019) (complaint alleging that D-Link, a computer networking equipment manufacturer, failed to take reasonable steps to secure its routers and internet cameras, leaving products ‘vulnerable to hackers’ and putting consumers’ privacy at risk).

[51] 17 C.F.R. § 248.30(a).

[52] Despite its very protective wording, the French Blocking Statute has received a very limited application – only one criminal conviction (under Article 1bis) has ever been recorded (Cass. Crim, 12 December 2007, No. 07-83.228).

[54] For English case law dealing with the French Blocking Statute, see Secretary of State for Health v. Servier Laboratories; National Grid Electricity Transmission v. ABB [2014] WLR 4383.

[55] See most famously Swiss Federal Act on Banks and Savings Banks (1934), Article 47.

[56] See, e.g., Switzerland’s entrance, in October 2013, to the Multilateral Convention on Mutual Administrative Assistance on Tax Matters, and agreement to increase transparency and exchange financial information with approximately 60 other countries.

[57] Jasminka Kalajdzic, Litigation State Secrets: A Comparative Study of National Security Privilege in Canadian, US and English Civil Cases, 41:2 Ottawa L. Rev. 289, 311 (2010).

[58] Arianna Vedaschi, The Dark Side of Counter-Terrorism: Arcana Imperii and Salus Rei Republicae, 66 Am. J. Comp. L. 877, 881 n.13 (2013).

[59] Miiko Kumar, Protecting State Secrets: Jurisdictional Differences and Current Developments, Miss. L. J. 853, 867 (2013).

[60] El-Masri v. United States, 479 F.3d 296, 302 (4th Cir. 2007).

[61] Id.

[62] For the United Kingdom, see Criminal Justice and Police Act 2001 s.50. In the United States, prosecutors will often establish ‘taint teams’ to review potentially privileged information. Justice Manual § 9-13.420 (Searches of Premises of Subject Attorneys) provides guidance for the review of material seized not only from an attorney’s office but also from ‘searches of business organizations where such searches involve materials in the possession of individuals serving in the capacity of legal advisor to the organization’.

[63] See Police and Criminal Evidence Act 1984, s.19(5).

[64] Cited in R (on the application of Colin McKenzie) v. The Director of the Serious Fraud Office [2016] EWHC 102, at [8]. In this unsuccessful challenge to this procedure, the essential question was whether, as a matter of law, the process for isolating files that may contain legal professional privilege (LPP) material into an electronic folder for review by an independent lawyer must itself be carried out by individuals who are independent of the seizing body. The court held that the procedure set out in the SFO’s Handbook for isolating material potentially subject to LPP, for the purpose of making it available to an independent lawyer for review, was lawful.

[65] See Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, available at

[66] See, e.g., Order Appointing Special Master, United States v. Cohen, Dkt No. 30, No. 18-mj-3161 (S.D.N.Y. 27 April 2018).

[67] Searches of Premises of Subject Attorneys, Justice Manual, § 9-13.420.

[68] See, e.g., Order Appointing Special Master, United States v. Cohen, Dkt No. 30, No. 18-mj-3161 (S.D.N.Y. 27 April 2018); Order, United States v. Gallego, Dkt No. 65, No. 4:18-cr-01537 (D. Ariz. 6 September 2018).

[69] Deferred prosecution agreements (DPAs) were introduced by s.45 and Sch. 17 of the Crime and Courts Act 2013.

[70] Crown Prosecution Service and Serious Fraud Office, Deferred Prosecution Agreements Code of Practice – Crime and Courts Act 2013, 11 February 2014, at para. 2.8.2(i).

[71] SFO v. Rolls-Royce PLC and Rolls-Royce Energy Systems Inc. (Case No. U20170036) [2017] Lloyd’s Rep FC 249; SFO v. Airbus SE (Case No. U20200108) [2020] 1 WLU 435; [2021] Lloyd’s Rep FC 159; SFO v. G4S Care and Justice Services (UK) Limited (Case No. U20201392) [2020] 7 WLUK 303; [2021] Crim LR 138; SFO v. Amec Foster Wheeler Energy Ltd [2021] 6 WLUK 664; [2021] Lloyd’s Rep FC 353; [2022] 2 C.L. 46.

[73] Corporate Co-operation Guidance, SFO Operational Handbook (6 August 2019).

[74] See, e.g., European Commission Notice on Immunity from Fines and Reduction of Fines in Cartel Cases, Official Journal C 298, 8 December 2006, p. 17.

[75] The Financial Services Authority was the predecessor to the FCA.

[76] See Enforcement Guide, at para. 4.7.3.

[77] Enforcement Guide, at para. 4.7.4.

[78] See, e.g., memorandum dated 5 July 2007 from Paul J McNulty re Principles of Federal Prosecution of Business Organizations, available at

[79] Justice Manual § 9-28.700.

[80] Justice Manual §§ 9-28.900, 9-47.120.

[81] Justice Manual § 9-28.900. (‘Even in the absence of a formal program, prosecutors may consider a corporation’s timely and voluntary disclosure, both as an independent factor and in evaluating the company’s overall co-operation and the adequacy of the corporation’s compliance program and its management’s commitment to the compliance program.’)

[82] Justice Manual §§ 9-28.300, 9-28.900, 9-47.120.

[83] See Justice Manual § 9-47.120.

[85] The Value of Cooperation, Justice Manual § 9-28.700; Cooperation: Disclosing the Relevant Facts, Justice Manual § 9-28.720; FCPA Corporate Enforcement Policy, Justice Manual § 9-47.120, available at (full co-operation requires, among other things, prompt disclosure of ‘all facts related to involvement in the criminal activity by the company’s officers, employees, or agents; and all facts known or that become known to the company regarding potential criminal conduct by all third-party companies (including their officers, employees, or agents’).

[86] The November 2019 amendments to the FCPA Corporate Enforcement Policy acknowledge that a company may not know all facts relevant to misconduct at the time of a voluntary self-disclosure. The revised policy emphasises that to receive co-operation credit, a company should ‘make clear that it is making its disclosure based upon a preliminary investigation or assessment of information, but it should nonetheless provide a fulsome disclosure of the relevant facts known to it at the time’. Justice Manual § 9-47.120 at note 1.

[87] See Dodd-Frank Wall Street Reform and Consumer Protection Act, Section 922(h), 15 U.S.C.A. § 78u-6(h)(1)(A) (2010).

[88] See (announcing penalty imposed on BlackRock Inc, based on its inclusion of language in separation agreements requiring former employees to waive any incentives they might be entitled to for reporting the company’s misconduct); (announcing penalty imposed on HomeStreet Inc for improper accounting and steps taken to impede whistleblowers).

[89] The Panama Papers are available through the International Consortium of Investigative Journalists’ dedicated website, at

[90] Deferred Prosecution Agreements Code of Practice (DPA Code), para. 2.8.2(i).

[91] Two DPAs are subject to reporting restrictions so whether the companies self-reported is not known. SFO v. Standard Bank plc (Case No. U20150854) [2016] Lloyd’s Rep FC 102 and SFO v. XYZ Ltd (Case No. U20150856) [2016] 7 WLUK 220; [2016] Lloyd’s Rep FC 509. In the case of SFO v. Tesco Stores Limited [2019] Lloyd’s Rep FC 283, Tesco identified issues in its financial statements, and referred itself to enforcement authorities after revealing that revenues had been incorrectly recorded as profits and made an announcement to the market. In SFO v. Serco Geografix Ltd. (Case No. U20190413) [2019] 7 WLUK 45, the company disclosed material discovered after an initial SFO investigation found no evidence of any dishonest or fraudulent activity. In SFO v. Airbus SE (Case No. U20200108) [2020] 1 WLU 435; [2021] Lloyd’s Rep FC 159, Airbus self-reported to the SFO following notification to UK Export Finance to correct inaccurate information they had previously provided, including red flags for corruption. G4S (SFO v. G4S Care and Justice Services (UK) Limited (Case No. U20201392) [2020] 7 WLUK 303; [2021] Crim LR 138) and Airline Services (SFO v. Airline Services Ltd (Case No. U20201913) [2020] 10 WLUK 606; [2021] Lloyd’s Rep FC 42; [2021] CLY 584) also self-reported.

[92] Justice Manual § 9-28.900 (internal citations omitted).

[93] See, e.g., Justice Manual § 9-47.120(3)(a).

[95] Id.

[96] Department of Justice, Office of the Deputy Attorney General, Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group (15 September 2022), available at

[97] Id.

[98] Id.

[99] See Justice Manual § 9-28.720 (Cooperation: Disclosing the Relevant Facts).

[100] DPA Code, para. 2.8.2(i).

[101] See Justice Manual § 9-28.720. The FCPA Corporate Enforcement Policy refers to Justice Manual § 9-28.720 and states that a company will not have to waive privilege to receive full co-operation credit.

[102] See, e.g., United States v. Coburn, No. 2:19-cr-00120 (KM), 2022 WL 357217, at *7 (D.N.J. 1 February 2022) (finding waiver with respect to ‘documents and communications that were reviewed and formed any part of the basis of any presentation, oral or written, to the DOJ in connection with the investigation’); see also SEC v. Herrera, 324 F.R.D. 258, 264 (S.D. Fla. 5 December 2017) (finding waiver of privilege as to oral summaries of interview materials provided to the SEC because they were the ‘functional equivalent’ of privileged material).

[103] [2018] EWCA Civ 2006.

[104] Alun Milford, then SFO General Counsel, ‘Speech to compliance professionals’ (given to the European Compliance and Ethics Institute, Prague, 29 March 2016).

[105] See, e.g., SFO v. XYZ (Preliminary Judgment) Crown Court, Southwark, U20150856 (20 April 2016): ‘[C]o-operation includes identifying relevant witnesses, disclosing their accounts and the documents shown to them: see para. 2.8.2(i) of the DPA Code of Practice. Where practicable it will involve making witnesses available for interview when requested. In that regard, XYZ provided oral summaries of first accounts of interviewees, facilitated the interview of current employees, and provided timely and complete responses to requests for information and material, save for those subject to a proper claim of legal professional privilege.’

[106] In Airbus, these transcripts and memoranda included Airbus employees and third-party business partners.

[107] SFO Operational Handbook, Corporate Co-operation Guidance, p. 5.

[108] DPA Code, para. 2.8.2(i).

[109] Where a defendant in the United Kingdom is suspected of committing a criminal offence, and is questioned in relation to it (whether while under arrest or voluntarily), the questioner must administer a ‘caution’ for any evidence provided in the interview to be admissible in subsequent proceedings. The caution sets out interviewees’ rights and how any evidence they provide at interview may be used against them in a trial. An organisation or company can be interviewed under caution through a nominated spokesperson, who will attend the interview to answer questions on its behalf.

[111] [2018] EWCA Civ 2006.

[112] At [96].

[113] At [108].

[114] At [109].

[115] At [116].

[116] At [117].

[117] See Fed. R. Evid. 502(a).

[118] See Fed. R. Evid. 502(b).

[119] See Gotha City v. Sotheby’s [1998] 1 WLR 114 CA.

[120] See In re Kellogg Brown & Root, Inc., 756 F.3d 754 (D.C. Cir. 2014); Cicel (Beijing) Sci. & Tech. Co. v. Misonix, Inc., No. 17CV1642, 2019 WL 1574806 (E.D.N.Y. 11 April 2019); In re Gen. Motors LLC Ignition Switch Litig., 80 F. Supp. 3d 521, 530 (S.D.N.Y. 2015).

[121] In re Kellogg Brown & Root, Inc., 756 F.3d 754, 760 (D.C. Cir. 2014) (‘In the context of an organization’s internal investigation, if one of the significant purposes of the internal investigation was to obtain or provide legal advice, the privilege will apply. That is true regardless of whether an internal investigation was conducted pursuant to a company compliance programme required by statute or regulation, or was otherwise conducted pursuant to company policy.’) (citation omitted).

[122] Plaintiffs’ Reply in Support of Plaintiffs’ Motion to Sanction Google and Compel Disclosure of Documents Unjustifiably Claimed by Google as Attorney-Client Privileged, United States v. Google LLC, No. 1:20-cv-03010-APM, Dkt. No. 335 (D.D.C. 7 April 2022).

[123] Akzo Nobel Chemicals v. European Commission (Case C-550/07, European Court of Justice, 14 September 2010). Here, the Court held that internal company communications with in-house lawyers subject to a European Commission investigation were not covered by legal professional privilege, as, for the purposes of such an investigation, an in-house lawyer was not sufficiently independent.

[124] Standard Life Assurance Ltd v. Topland Col (Rev 1) [2011] 1 WLR 2162.

[125] [2019] EWHC 109 (Ch).

[126] Fed. R. Crim. Pro. 6(e).

[127] 5 U.S.C. § 552.

[129] 17 C.F.R. § 200.83. See also

[130] See, e.g., New York Freedom of Information Law, Public Officer’s Law §§ 84 to 90.

Unlock unlimited access to all Global Investigations Review content