Production of Information to the Authorities
This is an Insight article, written by a selected partner as part of GIR's co-published content.
A company may choose or face a demand to disclose documents and information to a law enforcement authority or regulator in many situations. These range from responding to a raid on corporate and individuals’ premises, to compliance with a subpoena or other compulsory process, to the voluntary provision of information during a self-disclosure.
The types of information and the circumstances in which a company is obliged – or even allowed – to produce relevant documents are circumscribed by various laws. For example, a company must address concerns regarding confidentiality, employee privacy, data protection and legal privilege (and, in certain jurisdictions, bank secrecy restrictions or blocking statutes). This becomes especially complicated in cross-border cases where multiple legal regimes may apply and may conflict with one another. Add to this the not uncommon scenario of authorities from different countries seeking the same (or slightly different) information and it becomes a legal and practical minefield.
This chapter cannot hope to cover the immense number of variables that a company may face in these circumstances, but it does seek to provide practical guidance on some of the most important points.
17.2 Production of documents to the authorities
17.2.1 Formal requests for disclosure (and related document hold issues)
17.2.1.1 Commonly used powers (UK)
Most regulatory and enforcement authorities have formal powers to compel individuals and companies to produce documents and provide information.
In the area of financial crime and corruption involving the United Kingdom, the most likely authority to be seeking to investigate and prosecute will be the Serious Fraud Office (SFO). Following the enactment of the Economic Crime and Corporate Transparency Act on 26 October 2023, the SFO now has powers to seek the production of documents and information at a pre-investigation stage in relation to all offences under section 2A of the Criminal Justice Act 1987 (CJA) (not limited to bribery and corruption as previously). Once it opens a formal investigation, the SFO has the power to compel production under section 2 of the CJA.
The SFO’s powers can be exercised against companies and individuals to require the production of documents and information, including through compelled interview where there is no right to silence (although statements made in interviews cannot be used as evidence against interviewees unless they are being prosecuted for their statement being false or misleading, or they are being prosecuted for another offence and give evidence inconsistent with the interview). A failure to provide the documents and information within the time specified in the production notice is an offence, unless the recipient can show that it had a reasonable excuse not to comply (e.g., an injunction preventing production).
In the field of financial markets regulation, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) may compel the production of documents under Part 11 of the Financial Services and Markets Act 2000 (FSMA). The key provision is section 165, subsections 1 to 6 of which are set out below as an example of how information-gathering powers are conferred:
165 Regulators’ power to require information: authorised persons etc.
- (1) Either regulator may, by notice in writing given to an authorised person, require him–
  - (a) to provide specified information or information of a specified description; or
  - (b) to produce specified documents or documents of a specified description.
- (2) The information or documents must be provided or produced–
  - (a) before the end of such reasonable period as may be specified; and
  - (b) at such place as may be specified.
- (3) An officer who has written authorisation from the regulator to do so may require an authorised person without delay–
  - (a) to provide the officer with specified information or information of a specified description; or
  - (b) to produce to him specified documents or documents of a specified description.
- (4) This section applies only to–
  - (a) information and documents reasonably required in connection with the exercise by either regulator of functions conferred on it by or under this Act; and
  - (b) in relation to the exercise by the PRA of the powers conferred by subsections (1) and (3), information and documents reasonably required by the Bank of England in connection with the exercise by the Bank of its functions in pursuance of its financial stability objective.
- (5) The regulator in question may require any information provided under this section to be provided in such form as it may reasonably require.
- (6) The regulator in question may require–
  - (a) any information provided, whether in a document or otherwise, to be verified in such manner; or
  - (b) any document produced to be authenticated in such manner,

  as it may reasonably require.
‘Authorised person’ is defined in section 31 of the FSMA and means, very broadly, a person providing a regulated financial service.
The FCA has set out its policy in relation to its exercise of enforcement powers under the FSMA (and other legislation) in its Enforcement Guide and the FCA’s report on its approach to enforcement. The Enforcement Guide is useful as it not only sets out the FCA’s approach to its task as the UK financial markets regulator but also reflects the general approach of UK regulators to their document production powers.
In paragraph 4.7 of the Enforcement Guide, the FCA states that its standard practice is to use its statutory powers to require the production of documents, the provision of information or the answering of questions in interview. The FCA suggests that this is for reasons of fairness, transparency and efficiency. The Enforcement Guide goes on to suggest, however, that it will sometimes be appropriate to depart from this standard practice, as it relates to document production, such as in cases:
- involving third parties with no professional connection with the financial services industry, such as the victims of an alleged fraud or misconduct, in which case the FCA will usually seek information voluntarily; and
- where the FCA has been asked by an overseas regulator to obtain documents on their behalf, in which case the FCA will discuss with the overseas regulator the most appropriate approach, unless the overseas authority’s requests are clearly ultra vires and unlawful under their own national laws.
In the second scenario, it is important to consider the effect of regimes and jurisdictional protections colliding. For example, how might the US constitutional right to remain silent in the face of requests for production of documents or other information mesh with the UK compelled disclosure regime?
In 2022, it was decided that the FCA’s statutory cooperation powers and right to compel information from UK citizens trumped US constitutional and statutory objections by UK citizens who were subject to information requests by US authorities, despite the fact that the requesting authority (in this particular case, the US Commodity Futures Trading Commission) had not formally opened an investigation and would not have compulsory powers within the United States. The Enforcement Guide states that the FCA will make it clear to the company or individual concerned whether it requires him, her or it to produce information or answer questions under FSMA or whether the provision of information is voluntary.
Equivalent (but distinct) powers also lie in the hands of the Competition and Markets Authority (CMA), the National Crime Agency, HM Revenue and Customs, and the Health and Safety Executive. Many of these authorities may also apply for and obtain search warrants.
17.2.1.2 Commonly used powers (US)
In the United States, most federal agencies, including the United States Department of Justice (DOJ), the Commodity Futures Trading Commission (CFTC), the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC) and the Office of Foreign Assets Control may issue subpoenas (or administrative orders) and compel individuals and companies to produce documents and testimony for investigations within the scope of their agency or administrative jurisdiction.
In the case of the DOJ, a subpoena may compel the production of documents in connection with either a civil or criminal investigation. The CFTC’s regulations provide that:
The Commission or any member of the Commission or of its staff who, by order of the Commission, has been authorized to issue subpoenas in the course of a particular investigation may issue a subpoena directing the person named therein to appear before a designated person at a specified time and place to testify or to produce documentary evidence, or both, relating to any matter under investigation.
The Securities Act, the Securities Exchange Act, the Investment Advisers Act and the Investment Company Act all permit the SEC to issue subpoenas in connection with an ongoing investigation of misconduct. Before a subpoena can be issued, the staff of the SEC must obtain a formal order of investigation, which senior division officers can issue to expedite the investigation process.
The Federal Trade Commission Act authorises the FTC to investigate potential collusion and coordination, and in August 2022, three omnibus resolutions ‘eliminate[d] the need for FTC staff to seek compulsory process in each related case’, which was designed to ‘remove an unnecessary and time-consuming barrier to staff’s pursuit of an investigation’.
The past year has revealed significant enforcement activities across these agencies, with a focus on particular industries, such as artificial intelligence (AI). For example, in fiscal year 2022, there was a 9 per cent increase in the total number of SEC enforcement actions compared with the previous year, and the amount of money ordered in SEC actions (civil penalties, disgorgement and pre-judgment interest) was the highest in its history. As the SEC described, the hallmark of fiscal year 2022 ‘was robust enforcement through resolutions that imposed penalties designed to deter future violations, establish accountability from major institutions, and order tailored undertakings that provide potential roadmaps for compliance by other firms’.
In May 2023, FTC Chair Lina Khan noted that ‘[a]s companies race to deploy and monetize A.I., the Federal Trade Commission is taking a close look at how we can best achieve our dual mandate to promote fair competition and to protect Americans from unfair or deceptive practices’, and that the FTC ‘will vigorously enforce the laws’, examining the conduct of scammers as well as ‘the upstream firms that are enabling them’. Two months later, the FTC issued a 20-page records demand to the creator of ChatGPT regarding ‘how it addresses risk related to AI models’, complaints the company has received related to reputational harm and security incidents related to use of private data. Finally, the CFTC created two new task forces, the Cybersecurity and Emerging Technologies Task Force and the Environmental Fraud Task Force, to investigate and prosecute issues related to these industries. Similarly, in June 2023, the DOJ created the National Security Cyber Section (known as NatSec Cyber), recognising the time and resources necessary to respond to and investigate sophisticated cyber threats.
While federal courts can review an agency’s issuance of an administrative subpoena, they may only do so for reasonableness, analysing whether:
- the investigation will be conducted pursuant to a legitimate purpose;
- the inquiry is relevant to the purpose;
- the information sought is not already within the agency’s possession; and
- the agency has followed the requisite administrative steps.
In practice, federal courts must hold that subpoenas are relevant to an agency’s investigation unless plainly incompetent or irrelevant to any lawful purpose under the agency’s authority. This test has been extended to a wide variety of agency subpoenas, including SEC subpoenas.
Offences for refusing to comply with a request, providing false or misleading statements, or concealing documents, generally supplement such investigatory powers. These powers extend to the legislative branch as well. The US Congress via House committees has a broad ‘power of inquiry’ through its legislative function to issue subpoenas to compel testimony and the production of documents. These committees can issue contempt of Congress citations for failure to comply with their subpoenas, and most recently these committees have issued citations and threatened enforcement actions for technology companies’ failure to comply with requests related to investigations of censorship and content moderation activity.
The DOJ can also enforce an individual or company’s failure to comply with those subpoenas with a charge for Contempt of Congress under 2 USC § 192, which provides for imprisonment of up to one year and a fine of up to US$1,000. For example, in 2022, it indicted and tried individuals on contempt charges in connection with Congress’s investigation of the 6 January attack on the US Capitol.
Finally, state agencies and each state’s attorney general can compel the production of documents and testimony. As an example, Section 352 of the New York General Business Law permits the Attorney General of New York to commence an investigation of an individual or corporation and to seek documents and testimony in connection with that investigation.
17.2.1.3 Scope and timing
Although a company can do little in practice to resist complying with a formal request for disclosure without resorting to court proceedings to challenge the validity or scope of the request, it can probably negotiate with the authority regarding the scope of documents responsive to the request and the production date to limit the request to what is proportionate and reasonable.
Broadly drawn requests are unfortunately not uncommon, as investigators seek to ensure the requests will capture all relevant information. Early engagement with the authority will typically mean that both parties can agree on the scope and a timetable for production: a request looking back over a long period, or even without any time limit, could involve a lengthy resource-intensive review and expensive production exercise. Whether an agreement to narrow the scope of the request is possible is likely to depend, in large part, on factors outside the company’s control – such as the nature and scope of the authority’s investigation (which the authority may be unwilling to share and is likely based on information and evidence outside the company’s knowledge). However, the company and its legal advisers should nonetheless seek a reasonable, proportionate and practically achievable production, such as by seeking to agree to produce documents relating to X project, between Y and Z dates and, if necessary, to produce the documents in tranches.
A company must also consider whether the production notice extends to materials held overseas. Managing a response to multiple authorities, particularly if they are in different countries and have different areas of focus, can become increasingly difficult. To respond to broad document requests involving large volumes of data, a company may decide to use AI or technology-assisted review (TAR) to improve the accuracy and speed of identifying relevant documents. This is becoming increasingly accepted in the United Kingdom. The SFO confirmed its use of AI technology in the deferred prosecution agreement (DPA) cases of SFO v. Rolls-Royce PLC and by the company in SFO v. Airbus.
In the United States, while TAR might be used appropriately in responding to subpoenas or document requests in some limited instances, its use would likely be subject to an agreement with the requesting agency.
17.2.1.4 Practical steps on receipt
On receipt of a document request, a company should – in most cases – immediately issue a document retention (or hold) notice (DRN) (if one is not already in place). A company should take care not to inadvertently tip off data custodians, who may also be suspects. In some cases, issuing a DRN is inappropriate; for example, where the company is investigating matters outside the public domain and needs to collect documents covertly at the outset.
The issuing of a DRN will assist the company to demonstrate that it has taken steps to preserve all potentially relevant documents in existence at the date of the request. The DRN should track the terms of the production notice and be sent to all personnel who may have responsive documents, including the IT department and records department. The term ‘document’ should be widely drawn to include any paper or electronic records present on any media (including instant messaging applications) belonging to the company or its employees, including corporate information located off-site. The company may also need to manage complicated issues around data privacy and personal media. For example, ephemeral messaging applications, which delete communications after a certain amount of time, present a unique set of issues. The DOJ has issued recent pronouncements emphasising that corporations should have policies that ensure that ‘business-related electronic data and communications can be preserved and accessed’.
The SEC has made the use of such messaging applications (e.g., iMessage, WhatsApp and Signal) the focus of recent enforcement activity under the record-keeping requirements of the Securities Exchange Act. As Director of the SEC Enforcement Division Gurbir S Grewal said in August 2023:
To date, the Commission has brought 30 enforcement actions and ordered over $1.5 billion in penalties to drive this foundational message home. And while some broker-dealers and investment advisers have heeded this message, self-reported violations, or improved internal policies and procedures, today’s actions remind us that many still have not[.]
The DRN should confirm that employees must not delete, alter, conceal or otherwise destroy company documents. Simultaneously, the company should take steps to secure and preserve all relevant information held on the company’s servers and backup tapes, including through external providers. It should also immediately suspend routine document and data destruction processes.
Most authorities will have their own technical standards, which the collection and production of electronically stored information must meet. It is therefore likely that a company seeking to respond to a subpoena or production notice will want to consider instructing a forensic IT specialist company to assist with the collection and production efforts. This will have the added benefit of ensuring that a company can demonstrate the independence of this analysis and that it is taking clear cooperative steps, and of protecting employees, as far as possible, from having to give evidence in any subsequent proceedings.
17.2.2 Production of information to multiple authorities
The increasingly complex and multi-jurisdictional nature of investigations means that a company may face requests for formal disclosure from more than one authority. These could be authorities with different mandates in the same jurisdiction, or authorities with similar mandates from different jurisdictions. In either case, multi-authority investigations demand overarching strategies and systems to allow a company to keep track of evidence disclosed to (or seized by) different authorities.
A company may also want to consider if there is any strategic advantage to disclosing to one authority before another. However, in this regard, companies should have in mind the ever-increasing levels of cooperation between regulators domestically and internationally. Practical steps a company can take when faced with multiple requests for formal disclosure include:
- early engagement with each authority, to communicate expectations and practical difficulties of responding to multiple requests;
- identifying and prioritising information that is commonly responsive to the requests rather than focusing on responding to each request in isolation;
- maintaining clear production schedules; and
- ensuring a system for Bates numbering for each authority.
17.2.3 Documents and data outside the jurisdiction
In cross-border fraud or corruption cases, not all of a company’s documents will be located or even accessible in the same jurisdiction as the investigating authority. In assessing timely disclosure of documents in connection with obtaining credit for full cooperation in FCPA matters, the DOJ will consider ‘disclosure of overseas documents, the locations in which such documents were found, and who found the documents’. The Justice Manual states:
Where a company claims that disclosure of overseas documents is prohibited due to data privacy, blocking statutes, or other reasons related to foreign law, the company bears the burden of establishing the prohibition. Moreover, a company should work diligently to identify all available legal bases to provide such documents.
A company should consider what documents are stored overseas and which of these it should provide to investigators.
In the United Kingdom, the Supreme Court ruled in February 2021 in the case of R (KBR) v. SFO that section 2(3) of the CJA has no extraterritorial effect. This means that the SFO cannot use it to compel a foreign company to produce documents held outside the United Kingdom and will need to resort to the mutual legal assistance (MLA) framework to obtain the documents it requires from the foreign country. This judgment applies to foreign companies with no presence in the United Kingdom, but UK-based companies and named UK nationals will still be required to produce any responsive documents that they control overseas.
The position is less clear in relation to non-UK companies with some presence in the United Kingdom, although the recent judgment of BMW and Volkswagen v. CMA indicates that it is likely that those with a ‘sufficient connection’ to it would be caught by the legislation (although that case considered the principles of KBR in the context of the extraterritorial scope of the CMA’s investigative powers).
The SFO’s Corporate Co-operation Guidance continues to confirm that cooperating organisations should supply relevant material held abroad, where it is in the possession or control of the organisation. A company in receipt of a formal production notice will need to assess whether the notice extends to documents outside the jurisdiction and, if so, the extent to which the company has ‘custody or control’ over documents held by subsidiaries or overseas branches. The board of a parent company will not necessarily control the management of a subsidiary.
The Corporate Co-operation Guidance also confirms that the SFO expects cooperating organisations to identify relevant material in the possession of third parties and assist in obtaining it. Companies should also inform the SFO about relevant material that the company is unable to access (such as messaging apps and bank accounts).
Where production is voluntary, a company may take a more holistic view of the investigation and production (subject to local law restrictions). The extent to which it may want to voluntarily disclose information may depend on the ability of the investigating authority to obtain that information itself. However, given the increasing cooperation between authorities on the international stage, careful voluntary production of material is likely to be preferable and vital if the company seeks cooperation credit.
For example, to receive credit for full cooperation under the FCPA Corporate Enforcement Policy, a company cannot simply refuse to produce certain documents on the basis that production is prohibited by rule or regulation; rather, the company ‘bears the burden of establishing the prohibition’ and ‘should work diligently to identify all available legal bases to provide such documents’.
17.2.3.1 Mutual legal assistance
Mechanisms for legal assistance (UK)
In the United Kingdom, sections 7 to 9 of the Crime (International Co-operation) Act 2003 (CICA) govern requests to obtain evidence from abroad in relation to an investigation or prosecution taking place in the United Kingdom, shaping the MLA powers of UK authorities. Under CICA, an MLA request can only be made if it appears to the investigating authority that an offence has been committed or there are reasonable grounds for suspecting an offence has been committed, and proceedings have been instituted or the offence is being investigated. The request must relate to the obtaining of evidence ‘for use in the proceedings or investigation’. But it could allow an investigating agency to have foreign law enforcement officers launch raids, arrest suspects or conduct interviews on its behalf. If the implementation of an MLA request in the requested state requires a court order, the court in the requested state is likely to apply the relevant principles in its own jurisdiction to satisfy itself that the order is justified.
Following the United Kingdom’s exit from the European Union in January 2020, it lost access to the European Investigation Order process and must instead rely on the European Convention on Mutual Assistance in Criminal Matters of 1959, plus two additional protocols. The UK government signed the EU–UK Trade and Cooperation Agreement (TCA) in December 2020, which includes further MLA provisions and information regarding how MLA should work with EU countries. The provisions of the TCA are directly applicable to EU Member States, although some Member States needed to adopt additional legislation to complement the procedure at the national level.
In the United Kingdom, the Crime (Overseas Production Orders) Act 2019 deals with cross-border access to electronic evidence. This legislation empowers UK authorities (including the SFO and FCA) to apply to a UK court to compel a company operating, or an individual based, outside the United Kingdom to provide electronic data stored abroad. It allows UK authorities to sidestep the notoriously slow process of seeking MLA in favour of obtaining an overseas production order (OPO), which can be served directly on the person storing the electronic data.
For an OPO to be issued, a bilateral agreement must be in place between the requesting country and the country where the service provider holding the data is based. At the moment, there is only one such agreement in place, with the United States (the Agreement on Access to Electronic Data for the Purpose of Countering Serious Crime), which entered into force on 3 October 2022.
In 2018, the US federal government passed the Clarifying Lawful Overseas Use of Data (CLOUD) Act, explicitly authorising US law enforcement agencies to obtain data held by US cloud service providers, regardless of where in the world the data is physically stored. The CLOUD Act also created a framework by which foreign countries could seek disclosure of data held by US cloud service providers, without US cooperation or oversight.
The MLA process can be cumbersome but presents a very real threat if a company does not cooperate. A company should also not overlook the significant scope for informal direct investigator-to-investigator cooperation. Agencies such as Interpol have dedicated programmes to share information between, and support investigations by, investigating agencies in different countries.
Communications between the SFO and the DOJ are frequent. The FCA, specifically, has a broad discretion to assist foreign regulators. This discretion is set out in section 169 of the FSMA. The statutory power is supplemented by FCA policy. Subsection 169(4) sets out the considerations in the FCA’s decision as to whether to assist a foreign regulator:
- (4) In deciding whether or not to exercise its investigative power, the regulator may take into account in particular:
  - (a) whether in the country or territory of the overseas regulator concerned, corresponding assistance would be given to a United Kingdom regulatory authority;
  - (b) whether the case concerns the breach of a law, or other requirement, which has no close parallel in the United Kingdom or involves the assertion of a jurisdiction not recognised by the United Kingdom;
  - (c) the seriousness of the case and its importance to persons in the United Kingdom;
  - (d) whether it is otherwise appropriate in the public interest to give the assistance sought.
In an early decision on the application of this section, Financial Services Authority v. Amro International, the Court of Appeal held that there was nothing in section 169 that required the FCA’s predecessor body – the Financial Services Authority (FSA) – to satisfy itself of the correctness of what it was being asked to investigate or gather by way of information. At the SEC’s behest, the FSA could seek any document that it reasonably considered relevant to the investigation the SEC was conducting. The Court of Appeal made clear that the only requirements the FSA must meet were contained in the statute. It also noted that in exercising these powers, the stricter rules attaching to the drafting of a subpoena did not apply and the description of the documents sought would be acceptable provided the recipient could identify the documents he or she was required to produce.
In addition to the FCA’s statutory powers, a number of memoranda of understanding (MOUs) are in place between UK regulators and their overseas counterparts (most notably the SEC and other US regulators) concerning cooperation and information sharing. Recent years have seen significant cooperation between the SEC and the FCA.
We are certainly in an era of increased international cooperation between enforcers, as evidenced by the recent global settlements involving Airbus (United States, United Kingdom and France), Amec Foster Wheeler (United Kingdom, United States and Brazil) and Glencore (United Kingdom, United States and Brazil), demonstrating the potential of increased inter-agency collaboration and information sharing in securing successful resolutions. Public policy statements made by UK and US prosecuting authorities demonstrate how important they consider international cooperation to be. The SFO’s Business Plan for 2023–2024 states that one of its four key objectives is to ‘collaborate with partners in the UK and overseas to ensure there is no safe haven for those who commit serious financial crime’.
Further, former SFO Director Lisa Osofsky repeatedly publicly affirmed her intention to leverage international contacts she made through her previous roles as a federal prosecutor for the DOJ and Deputy Counsel at the Federal Bureau of Investigation to strengthen the SFO’s investigational capacities. The new SFO Director Nick Ephgrave, a former senior Metropolitan Police officer, will not have the same network immediately available to him as Ms Osofsky; it is yet to be seen whether this will be reflected in the degree of focus on international cooperation in future SFO investigations.
Following the United Kingdom’s exit from the European Union, the SFO lost access to some European intelligence-sharing programmes such as Europol and Eurojust. International agencies have, however, continued to collaborate with the SFO to find workable solutions owing to the shared benefit of cooperation and intelligence sharing. The TCA expressly provides for joint investigation teams (JITs) between UK and EU Member State investigating authorities. The TCA is largely silent on the detail, except to stipulate that where a JIT involving more than one Member State is set up, the relationship between them will be governed by European law, regardless of the law stipulated in the JIT agreement.
JITs have historically proven to be an invaluable tool in cross-border general criminal and money laundering investigations, with the Airbus JIT demonstrating their utility in financial and white-collar crime investigations. In this case, the JIT structure permitted the SFO to navigate the French blocking statute, including attending interviews and taking investigative steps in France. JITs do, however, require agencies to compromise their interests in favour of the overall interests and goals of the JIT; therefore, shifting relations between agencies will determine their effectiveness in the future.
Mechanisms for legal assistance (US)
In the United States, prosecutors have access to MOUs and MLA treaties (MLATs) to facilitate the discovery of evidence overseas, as do foreign prosecutors looking to obtain evidence in the United States. The United States has entered into MLATs with more than 70 foreign jurisdictions, which can be used for the sharing of information and taking of evidence abroad. Some US authorities also have MOUs in place with sister agencies outside the United States, which can allow for inter-agency sharing of documents.
The process triggered on receipt of a foreign MLAT request is codified in the Foreign Evidence Efficiency Act. The decision whether to grant a request is at the federal district courts’ discretion. US and foreign prosecutors and investigators may also use financial intelligence units (FIUs) to collect information about potential crimes. In the United States, the Financial Crimes Enforcement Network of the US Treasury (FinCEN) is a member of the Egmont Group, a network of FIUs to share information and improve support among member governments in the fight against financial crimes. In the absence of a relevant MOU or MLAT, or recourse to FinCEN, federal courts may issue letters rogatory to foreign courts at the request of a litigant. Letters rogatory may only be used in ongoing legal proceedings, however, and are of limited value during an investigation or internal agency proceeding.
The DOJ’s authority with respect to cross-border investigations was recently expanded with the passage of the Anti-Money Laundering Act of 2020 in January 2021. Specifically, under the Act, the ‘Secretary of the Treasury or the Attorney General may issue a subpoena to any foreign bank that maintains a correspondent account in the United States and request any records relating to the correspondent account at that foreign bank, including records maintained outside the United States’ that are subject to an investigation or civil forfeiture action; therefore, federal prosecutors can obtain a significant amount of financial information from foreign banks without needing to use a cumbersome MLAT process.
The DOJ has also adopted a ‘no piling on’ policy regarding penalties. This policy explicitly includes cooperation with foreign agencies. Former Deputy Attorney General Rod Rosenstein explained in remarks in May 2018 that the policy discourages ‘disproportionate enforcement of laws by multiple authorities’ by ‘instructing Department components to appropriately coordinate with one another and with other enforcement agencies in imposing multiple penalties on a company in relation to investigations of the same misconduct’. This policy was applied in the Airbus, Glencore and Odebrecht resolutions where the DOJ credited part of the fine against payments made or due to other national authorities. Notably, the current administration has not changed this no-piling-on policy.
Finally, there are MLA tools authorised by international or multinational treaties that are particularly relevant in cross-border investigations and that would apply to investigations by both UK and US regulators or law enforcement. The UN Convention Against Corruption covers fraud, money laundering, bribery, embezzlement and other crimes. Article 46, addressing MLA, provides that ‘State Parties shall afford one another the widest measure of MLA in investigations, prosecutions and judicial proceedings in relation to the offences covered by this Convention’. Such assistance may include:
- taking of evidence;
- effecting service of judicial documents;
- executing searches, seizures, and freezing;
- examining objects and sites;
- providing evidence and expert evaluations;
- providing relevant documents and records, ‘including government, bank, financial, corporate or business records’;
- ‘[i]dentifying or tracing proceeds of crime, property, instrumentalities or other things for evidentiary purpose’;
- facilitating voluntary appearance of persons;
- ‘[a]ny other type of assistance that is not contrary to the domestic laws of the requested State Party’;
- identifying, freezing, and tracing proceeds of crime; and
- recovery of assets.
Importantly, the Convention does not permit a state to ‘decline to render mutual legal assistance pursuant to this article on the ground of bank secrecy’.
Data protection
Responding to an investigation (and conducting an internal investigation) requires processing data about individuals. This engages a number of data protection considerations. A company cannot assume that complying with the data protection requirements in the investigated jurisdiction will mean compliance with overseas data protection laws. Local law may also restrict a company’s ability to transfer individuals’ personal data overseas. The European Union’s General Data Protection Regulation (EU GDPR) applies within the European Union and to data controllers and processors outside the European Union that offer goods and services to EU consumers. In the United Kingdom, data processing is covered by the General Data Protection Regulation (UK GDPR) (which effectively retains the EU GDPR in UK law), and the UK Data Protection Act 2018. Sanctions for breaches under the GDPR are the higher of £17.5 million or €20 million or up to 4 per cent of annual worldwide turnover, meaning that data privacy in relation to individuals needs to be afforded a high degree of consideration in internal investigations.
The UK GDPR and the EU GDPR are extraterritorial in their effect – they catch overseas companies without a presence in the United Kingdom or European Union that actively offer goods and services to, or monitor the behaviour of, individuals within the United Kingdom or European Union, even if the data is stored overseas. Multinational organisations subject to cross-border investigations may therefore need to comply with both the EU GDPR and the UK GDPR in cross-border investigations.
In the United States, the FTC, under Section 5 of the Federal Trade Commission Act, prohibits ‘unfair or deceptive acts or practices in or affecting commerce’. The FTC further requires companies to be transparent about personal information they collect and how it is used, shared and maintained – for both online and offline data practices. The FTC has also used its ‘unfairness’ authority under Section 5 against companies whose information security practices were alleged to have caused ‘substantial injury to individual consumers’, including initiation of enforcement actions based on alleged failures to take ‘reasonable’ steps to protect consumer data. In addition, state attorneys general exercise consumer protection authority under state laws that protect personal privacy, including personal information. The SEC’s Regulation S-P has similar protections, requiring registered broker-dealers, investment companies and investment advisers to ‘adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information’.
In July 2023, the United States and the European Union launched an EU–US Data Privacy Framework (DPF) that is designed to provide ‘a streamlined and affordable mechanism to transfer data between [both] jurisdictions’. The DPF includes the fulfilment of certain data privacy protection commitments on the US end and ‘a basis in EU law for the transfer of personal data from EU countries to the United States by businesses in both America and Europe’, to ensure that EU data receives the protections afforded under EU legislation. The US Department of Commerce is also part of a UK extension to the EU–US DPF and Swiss–US DPF in furtherance of the same data privacy protection goals.
Blocking statutes
Blocking statutes prevent the disclosure of certain documents for the purpose of legal proceedings in a foreign jurisdiction, except pursuant to procedures set out in an international treaty or agreement. Articles 1 and 1bis of the French Blocking Statute provide:
Subject to international treaties or agreements, it is forbidden for any French national or for individuals usually residing in France and for any director, representative, agent or employee of a legal person having its head offices or establishment in France to communicate by writing, orally or in any other form, in any place whatsoever, to foreign public authorities, documents or information of an economic, commercial, industrial, financial or technical nature, the communication of which is likely to undermine the sovereignty, security, essential economic interests of France or its public order. . . . Subject to [similar conditions], it is prohibited for any person to request, to investigate or to communicate in writing, orally or by any other means, documents or information relating to economic, commercial, industrial, financial or technical matters leading to the establishment of proof with a view to foreign administrative or judicial proceedings or as a part of such proceedings.
There has historically been very little enforcement of the French Blocking Statute – with some companies choosing to ignore it completely. However, as a consequence of the Sapin II law, which was implemented in June 2017, France’s financial crime agency (Parquet National Financier (PNF)) has begun to lead cases involving the enforcement of the Blocking Statute, signalling that the French authorities are considering the issues raised by the Blocking Statute in more depth. Counsel advising on cases where foreign authorities are involved must be particularly sensitive to this question and handle any productions abroad accordingly.
The French anti-corruption regulator (Agence Française Anticorruption (AFA)) is responsible for ensuring compliance with the Blocking Statute in cases where a French company has to execute a foreign authority decision concerning the strengthening of its corruption prevention or detection policies.
The joint guidelines on the French equivalent of the DPA (convention judiciaire d’intérêt public (CJIP)) issued by the PNF and AFA in 2019 indicate the French authorities’ willingness to enter into coordinated settlement discussions with foreign enforcement authorities in cases involving multi-jurisdictional misconduct. The guidelines do not set out any differences in complying with the Blocking Statute when cooperating with foreign enforcement authorities; therefore, adherence to the Blocking Statute is expected. However, the guidelines suggest that when the PNF negotiates a joint settlement with other authorities, it may propose that the AFA act as a monitor to prevent a violation.
On 16 January 2023, the PNF issued new CJIP guidelines as an ‘update’ to the 2019 document (the 2023 PNF Guidelines). First, there is a stated obligation for the AFA to ensure compliance with the Blocking Statute when French companies, in the context of a post-CJIP remediation programme, are subject to foreign authorities’ decisions concerning the amendment of their anti-corruption procedures. Second, when the monitorship of a post-CJIP remediation programme on a multi-jurisdictional case is entrusted to the AFA, the PNF can provide updates to foreign authorities but has to fully respect French law, specifically the Blocking Statute.
Another recent development in France is that in March 2023, the AFA and the PNF published a practical guide on internal anti-corruption investigations (the March 2023 Guide), which is aimed at assisting businesses in carrying out such exercises and at making them aware of the public authorities’ expectations in this area. The March 2023 Guide warns companies that if they receive production requests from foreign authorities, they should ‘quickly get in touch with the Strategic Information and Economic Security Service (SISSE), in its capacity of a one-stop shop’ for the implementation of the Blocking Statute. The SISSE will offer support and guidance. It also emphasises that only the French judicial or administrative authorities are likely to be the interlocutor of a foreign authority within the framework of the execution of requests for international assistance, therefore further discouraging the direct communication of documents by French companies to foreign authorities.
The French authorities have traditionally taken any derogation from the letter of the law seriously and insist on the use of MLA requests and inter-agency communications. This can leave companies in the unenviable position of being caught between authorities (if the US authorities, for example, expect production directly from the corporate). In such circumstances, agency-to-agency communications should be encouraged. Similarly, Article 271 of the Swiss Criminal Code prohibits a person performing an ‘official act’ on behalf of a foreign authority on Swiss soil. This can block the collection of evidence located in Switzerland intended for use in proceedings outside the country.
China is another jurisdiction to have enacted laws to block the transfer of information to foreign government authorities in criminal proceedings. In October 2018, China enacted the International Criminal Judicial Assistance (ICJA) law, prohibiting institutions, organisations and individuals within China from providing evidentiary materials and assistance to foreign countries in criminal proceedings (e.g., before seeking to comply with a subpoena from a foreign government authority in a criminal investigation) without approval from the competent Chinese authorities. In accordance with the ICJA law, this legislation is to be applied in a manner that does not harm national sovereignty, security or public interests, giving the Chinese government broad discretion to refuse or block foreign governments’ requests for assistance. The ICJA law governs all requests for ‘judicial assistance’ between China and foreign jurisdictions in relation to international criminal proceedings, including the service of documents, evidence collection, witness testimony, seizure and confiscation of illegal assets, and the transfer of convicted persons.
A decision to refuse to disclose documents or information due to a blocking statute may not be respected by the requesting authority and could affect any cooperation credit available – leaving the company between a rock and a hard place. This demands early and detailed dialogue with the relevant authority alongside expert local counsel who can educate the regulators about the relevant laws and any potential workarounds for production of information.
Banking secrecy
Banking secrecy laws prohibit banking officials from releasing confidential information about a customer or confidential supervisory information to third parties outside financial institutions, unless compelled by law. Sometimes, such a disclosure is criminalised. A bank under investigation may seek to rely on this secrecy. It should also be cautious not to infringe this secrecy inadvertently in providing information to a regulator.
However, the historical deference to the banking secrecy rules of foreign jurisdictions, premised on comity or respect for the acts of foreign governments, may slowly be eroding. Even Switzerland, in recent times, has stripped away a number of its many layers of secrecy through international agreements and, in our experience, has become, in practice, more willing to cooperate with requests for information.
Conversely, bank secrecy or anti-money laundering (AML) laws have more recently been used as an enforcement tool. These laws impose requirements on financial institutions to report suspicious activity, which has become more pressing in the burgeoning world of cryptocurrencies and digital assets. In the United States, the Bank Secrecy Act has AML and countering the financing of terrorism requirements that govern financial institutions and ‘require covered financial institutions to collect and retain records about certain fund transfers or transmittals and to pass on particular information to other financial institutions involved in the transfer or transmittal’. FinCEN guidance and recent proposed amendments to the Bank Secrecy Act’s Travel Rule make clear that these requirements equally apply to virtual currencies. Specifically, FinCEN has proposed revising definitions to ensure the Travel Rule applies to domestic and cross-border virtual currency transactions, and revising the definition of ‘money’ to ensure that the Travel Rule extends to digital assets with legal tender status.
The Bank Secrecy Act is administered by FinCEN, which partnered with the CFTC in 2021 to bring enforcement actions against Bitcoin Mercantile Exchange (BitMEX) – parallel to a DOJ criminal prosecution of four company executives – related to its illegal offering of derivative-like digital assets and failure to comply with the Bank Secrecy Act, among other things. By 2022, the investigation and enforcement actions concluded with CFTC and FinCEN civil settlements and criminal guilty pleas and fines. Further, the main federal criminal AML statute has been utilised as one of the counts against FTX chief executive officer Sam Bankman-Fried. The superseding indictment filed by the DOJ in August 2023 brought money laundering charges against Bankman-Fried for the misappropriation of customer deposit funds from his cryptocurrency exchange. This enforcement activity signals heightened focus on the activities of the cryptocurrency industry, suggesting crypto companies may benefit from strengthening internal policies to address Bank Secrecy Act compliance.
State secrets
Sending data outside a jurisdiction may be contrary to state secrecy laws. Some jurisdictions, such as China, have wide definitions of what amounts to a state secret. Article 8 of the Chinese Law on Guarding State Secrets defines state secrets to include ‘secrets in national economic and social development’ and ‘secrets concerning science and technology’. Similarly, Kazakhstan treats some geological data as a state secret. The consequences of violation can be serious. Article 111 of the Chinese Criminal Law makes violating state secrets a capital crime. In countries such as China, where many companies are state-owned, this is not straightforward. Again, finding expert local counsel is a must.
State secrecy laws may also restrict certain categories of documents to authorised eyes only. In the United Kingdom and the United States, there is a common law doctrine designed to prevent the disclosure of sensitive state secrets or information of national security significance. The definition of ‘state secret’ is construed more narrowly than in countries such as China. The common law doctrine is invoked by the state or executive branch to ensure that state secrets are not intentionally or inadvertently disclosed.
In the United Kingdom, the state secrets privilege is known as ‘public interest immunity’. This doctrine ‘may prevent the case from being heard if it is not possible to rely on other evidence; however, over the years it has been interpreted as leaving a more substantial role for courts in evaluating the grounds for the claim of privilege’. In UK criminal trials, public interest immunity ‘is governed by statute, which imposes duties of disclosure on the prosecution’, namely the UK Criminal Procedure and Investigations Act of 1996 and the Criminal Justice Act of 2003, but in civil trials, public interest immunity is governed by the common law. This issue has impacted the investigation and prosecutions of companies in the defence industry such as BAE Systems and GPT Special Project Management Ltd.
In the United States, the state secrets doctrine ‘may prevent the disclosure of information in a judicial proceeding if “there is a reasonable danger” that such disclosure “will expose military matters which, in the interest of national security, or [foreign affairs] should not be divulged”’. Specifically, it is invoked through ‘formal claim of privilege, lodged by the head of the department which has control over the matter, after actual personal consideration by that officer’. In practice, the state secrets doctrine may bar an entire case or preclude the production of certain evidence.
As in the United Kingdom, this is particularly pertinent for defence companies. Withholding production of such documents will require careful negotiation. Finding a practical way for these to be produced by external lawyers (where prior authorisation is unlikely) will likely be more difficult and undoubtedly will increase the time it will take to respond to a request for documents and may require the review of documents ‘in country’ instead of producing the documents to the US authorities.
Another potential solution is production of information through MLATs and MOUs that allow a company to first produce documents to a local authority and thereby comply with the relevant regulations.
17.3 Documents obtained through dawn raids, arrest and search
During a raid (or execution of a search warrant) on corporate premises, it is important to obtain, and understand the terms of, the warrant. Simple facts such as the premises’ address, the date and relevant powers and authorisations must be checked. If appropriate, a company may challenge the scope of the warrant (if it is unduly wide or based on erroneous facts or information). Importantly, the company and its advisers should ensure during the raid that documents outside the terms of the warrant are not seized (unless taken under relevant search-and-sift powers, or as can be justified under ancillary legislation) and take care both during and after the raid to protect legally privileged materials.
In the United States, it is nearly impossible to challenge the scope of a warrant that calls for the immediate search of a specific location. More likely, a company would have to seek an order returning such property or seek to suppress evidence obtained pursuant to a warrant in a later proceeding. There may, however, be opportunities to challenge the scope of a warrant seeking electronically stored information before the data is actually collected and produced. As an example, where a company is asked to execute a warrant on behalf of the government, such as when a service provider is asked to collect electronic information of a third party, there may be additional opportunities for a company to challenge the scope of a subpoena.
It is likely that the vast majority of documents obtained during a search will be electronic. It is important to agree to a process with the authorities for dealing with any electronic media that is privileged. In the United Kingdom, most investigative agencies have developed sophisticated procedures in this area. The SFO’s policy and system for dealing with material covered by legal professional privilege (LPP) is explained in its Operational Handbook:
When the SFO requires the production of material, or seizes material pursuant to its statutory powers, all material which is potentially protected by LPP must be treated with great care to:
• Minimise the risk that LPP material is seen or seized by an SFO investigator or a lawyer involved in the investigation.
• Ensure that any LPP material which is seized is properly isolated and promptly returned to the owner without having been seen by an SFO investigator or a lawyer involved in the investigation.
• Ensure that any dispute relating to LPP is resolved in advance of the material being seen by an SFO investigator or a lawyer involved in the investigation.
• Ensure that where an SFO investigator or a lawyer involved in the investigation inadvertently sees LPP material, measures are in place to ensure that the investigation and any subsequent prosecution is not adversely affected as a result. Care must always be taken that LPP material is not viewed by the SFO staff involved in the investigation.
The Operational Handbook then sets out a procedure for dealing specifically with electronic material that may be privileged. Under this procedure, the SFO will first notify the company’s lawyers if it believes that IT assets it has seized might contain privileged material (in practice, it is prudent for the company’s lawyers to inform the SFO of the potential existence of privileged material at an early stage). A list of search terms should be agreed (including names of lawyers, relevant firms, etc.) to enable the identification and isolation of the material for review by independent counsel. Independent counsel will review the material using search software and return only non-privileged material to the SFO investigative team to examine.
It is normally possible to have productive discussions with investigators to determine the relevant search terms that might identify privileged material. It is then possible to make representations on the client’s behalf to independent counsel about the extent of privilege. This procedure updates and works alongside the well-established ‘blue-bagging’ approach used for hard-copy materials that may be privileged, by which authorities will send seized documents that may be potentially privileged, sealed in an opaque bag, to the custody of an independent legal adviser (usually a barrister) for review.
The DOJ has used three different procedures for reviewing potentially privileged information, each of which requires a ‘neutral’ third party to first review potentially privileged data. In certain instances, the court may review the data on its own. A court may also appoint a ‘special master’ to handle the review of privileged information. In other instances, a ‘privilege team’ or taint team – ‘consisting of agents and lawyers not involved in the underlying investigation’ – may be used to review the files. When a privilege or taint team is used, an ethical wall will be placed between the individuals who review the documents and those who are actually participating in the investigation. Importantly, courts have had differing reactions to the use of taint teams and may not always conclude that the procedures implemented to screen materials were sufficient.
17.4 Informal disclosure requests: voluntary production and cooperation
A company may wish to consider voluntarily providing documents to an authority as part of a self-report or to demonstrate its cooperation with an investigation. Government investigators and investigating authorities regularly hold out the possibility of cooperation credit to companies to encourage them to provide information about their own misconduct.
From February 2014, DPAs have been available in the United Kingdom to the SFO and the Crown Prosecution Service for disposing of corporate criminal conduct relating broadly to economic crime (including, in particular, fraud, corruption and money laundering). The SFO and the English courts have emphasised that one of the most important factors for a DPA is early reporting and cooperation by the company. Cooperation should be ‘genuinely proactive’. This includes the voluntary production of relevant documents, the importance of which has been demonstrated in a number of DPA cases, including Rolls-Royce, Airbus, G4S and Amec Foster Wheeler.
The former Director of the SFO, Lisa Osofsky, described corporate cooperation as ‘making the path to a case easier’ for the prosecutor. This means that companies will be expected to provide the SFO with evidence it does not already have and to help focus the SFO’s investigation on the most relevant lines of enquiry, including in respect of assistance with future prosecutions of individuals.
The SFO has published guidance on corporate cooperation (Corporate Co-operation Guidance), confirming a non-exhaustive list of good practices that SFO prosecutors will consider when assessing whether to charge and prosecute a company or pursue a DPA. The Corporate Co-operation Guidance sets forth detailed provisions on the SFO’s expectations regarding the preservation and provision of materials relating to digital and hard-copy evidence, financial records and analysis, industry and background information; dealing with individuals connected to the investigation; and more contentious issues such as witness accounts and waivers of privilege. It confirms that ‘co-operation means providing assistance to the SFO that goes above and beyond what the law requires’ and that this includes identifying individuals involved in the misconduct. Timing is important, both for a potential DPA and in relation to anti-cartel regimes, which often provide an amnesty only to the first discloser.
The FCA’s standard practice is to rely on its statutory powers to require the production of documents. While there is merit in adopting this policy, and it does avoid the risks to companies of voluntarily disclosing documents to the FCA, nothing prevents the FCA from requesting voluntary production in appropriate circumstances. Principle 11 of the FCA’s Principles for Businesses states: ‘A firm must deal with its regulators in an open and co-operative way, and must disclose to the appropriate regulator appropriately anything relating to the firm of which that regulator would reasonably expect notice.’ A materially identical provision is included in the PRA’s Rulebook as Fundamental Rule 7.
While this chapter focuses on the approach of the FCA, it is worth remembering that the PRA has similar enforcement powers (and is using them with increasing frequency). Both regulators widely interpret these obligations to proactively bring matters to their attention and are prepared to take enforcement action against firms and individuals for failures to discharge these obligations (even in the absence of other underlying failings). Examples from the past few years include Prudential Group (fined £30 million for failing to inform the FSA of its proposed acquisition of AIA until after it had been leaked to the media), Goldman Sachs (fined £17.5 million for not disclosing an SEC investigation into its staff and members of The Goldman Sachs Group), the Co-operative Bank (issued a final notice for failing to notify the PRA without delay of two intended personnel changes in senior positions) and Bank of Scotland plc (fined £45.5 million for failure to inform the FSA about its suspicions that fraud may have occurred at the Reading-based impaired-assets team of Halifax Bank of Scotland). This places regulated firms in a different position from others: it reduces the scope for the decision whether to self-report.
Principle 11 of the FCA Principles for Business is mainly intended as a supervision tool and sets out a broad duty of cooperation that the FCA often relies on to oblige the production of documents before formal investigations begin (sometimes, but not always, to decide whether an investigation should be commenced and in respect of which firms and individuals). Being ‘open and cooperative’ involves, among other things, a regulated entity making itself readily available for meetings with the FCA, giving the FCA reasonable access to records, producing documents as requested, and answering questions truthfully, fully and promptly.
Where a formal investigation has commenced, the FCA would not seek to rely on Principle 11 as a substitute for its other statutory powers that compel production. While it would be a clear breach of Principle 11 to fail to comply with a statutory request for the production of documents, a failure to comply with a voluntary request would not, of itself, result in disciplinary proceedings:
The FCA will not bring disciplinary proceedings against a person for failing to be open and co-operative with the FCA simply because, during an investigation, they choose not to attend or answer questions at a purely voluntary interview. However, there may be circumstances in which an adverse inference may be drawn from the reluctance of a person (whether or not they are a firm or individual) to participate in a voluntary interview. If a person provides the FCA with misleading or untrue information, the FCA may consider taking action against them.
The Enforcement Guide further provides that if a person does not comply with a requirement imposed by the exercise of statutory powers, he or she may be held in contempt of court. The FCA may also choose to bring proceedings for breach of Principle 11; therefore, while there is no guidance indicating that a failure to produce documents voluntarily (as opposed to attending a voluntary interview) would result in an adverse inference being drawn, a decision by a company not to produce documents voluntarily in any particular case should not be made without careful forethought and proper advice on the potential consequences.
As this suggests, the Enforcement Guide recognises the importance of an open and cooperative relationship with the firms it regulates to the effective regulation of the UK financial system. When deciding whether to exercise its enforcement powers, the FCA considers, among a number of factors, the level of cooperation demonstrated by a firm. When weighing the level of cooperation, the FCA considers whether the firm has been open and communicative.
In the United States, too, the authorities have routinely emphasised that they will consider self-reporting and cooperation with government investigations as a key factor when determining whether to charge a corporation. The DOJ considers cooperation ‘a mitigating factor, by which a corporation – just like any other subject of a criminal investigation – can gain credit in a case that otherwise is appropriate for indictment and prosecution’.
The DOJ’s Justice Manual (which governs the conduct of Assistant US Attorneys during the course of civil and criminal investigations, including Foreign Corrupt Practices Act (FCPA) investigations) therefore encourages corporations, typically through their compliance programmes, to conduct internal investigations and voluntarily self-report misconduct. Importantly, it states that prosecutors may also consider voluntary disclosure when determining whether to bring charges for criminal misconduct. However, ‘willingness to cooperate, including as to potential wrongdoing by its agents’ and ‘timely and voluntary disclosure of wrongdoing’ are just two of 11 illustrative factors that prosecutors should consider in determining whether to bring an action against the corporation.
Likewise, under the DOJ’s FCPA Corporate Enforcement Policy, which has been incorporated into the Justice Manual:
When a company has voluntarily self-disclosed misconduct in an FCPA matter, fully cooperated, and timely and appropriately remediated, all in accordance with the standards set forth below, there will be a presumption that the company will receive a declination absent aggravating circumstances involving the seriousness of the offense or the nature of the offender.
In some instances, a formal notice for disclosure will be preferred, such as where a company has obligations of confidentiality, preventing voluntary disclosure. The most common examples are lawyers and financial institutions, who could both face an action for breach of confidence for supplying documents or information without a formal regulatory request.
In some self-reporting circumstances, it may be appropriate for a company to seek such a notice from the relevant authority to ensure that it does not open itself up to civil action. The notice should be narrowly drawn, in consultation with the regulator, and should not affect the company’s cooperation credit. Likewise, in some situations, the company may prefer to ask to be provided with a formal document request to demonstrate that it has been compelled to produce the documents to the authorities and has not done so voluntarily.
17.4.2 Disclosure of results of internal investigation
In most instances, a company will have to make expansive disclosures regarding its internal investigations to get full cooperation credit. The DOJ has issued guidance in the Justice Manual that explicitly states that companies will have to self-report both the results of internal investigations and individual misconduct to receive any cooperation credit. Whether such thorough disclosures are in the best interests of the company is something that will need to be determined in a timely manner.
17.4.3 Self-reporting of misconduct not yet known to regulators
A company’s decision as to whether to self-report is often complicated. There may be opportunities for a company to internally address misconduct before it becomes public knowledge or authorities are involved. However, even during the pendency of an internal investigation, sources outside the company’s leadership may consider reporting misconduct. Indeed, whistleblower awards provide incentives for employees to report misconduct, and these awards are significant. In May 2023, the SEC issued its largest-ever award of ‘nearly $279 million, to a whistleblower whose information and assistance led to the successful enforcement of SEC and related actions’.
Federal statute provides protections for whistleblowers, and the SEC has imposed penalties on financial institutions attempting to prohibit employees from seeking those bounties. Disgruntled employees can report corporate misconduct as retaliation, to attempt to avoid prosecution themselves or simply because they do not feel that the corporate is handling the issue appropriately via its internal process. In the United Kingdom, broadly speaking, those working in the field of financial services are subject to suspicious activity reporting obligations. This means that banks, accountants and transactional lawyers must make reports to the authorities of suspicions of money laundering (including acquiring assets that may be tainted by fraud or corruption). A failure to make a report is a criminal offence – as is tipping off the subject of the report (which in some instances may be the individual’s own client). Investigative journalism and non-governmental organisations also continue to be important sources of information for regulators – as the Panama Papers scandal illustrated.
The Deferred Prosecution Agreements Code of Practice (the DPA Code) issued by the SFO and the Crown Prosecution Service indicates that, to be eligible for a DPA, a company will likely have to report voluntarily any misconduct within a reasonable time of becoming aware of it – and prior to it becoming known to the authorities. In a number of the 13 DPA cases, the companies self-reported their misconduct to the SFO in circumstances where the SFO had no prior knowledge of the misconduct and, in all likelihood, would not have learnt about the misconduct if the company had not self-reported.
In the Rolls-Royce case, which was concluded by a DPA in January 2017, the company did not self-report the conduct that led to the SFO’s investigation: the SFO became aware of the need for an investigation through internet postings by a whistleblower. That Rolls-Royce did not self-report weighed against the SFO offering a DPA; however, Rolls-Royce chose to cooperate fully with the investigation after the SFO approached the company and undertook its own internal investigation (in close consultation with the SFO).
In total, Rolls-Royce collected over 30 million documents and subjected them to electronic document review as part of this investigation. One of the main features of Rolls-Royce’s cooperation was that it provided all materials requested by the SFO voluntarily, without the SFO having to compel it to provide any. It also chose not to perform any legal professional privilege review over the documents (instead allowing independent counsel to resolve issues of privilege) and worked with the SFO as it used sophisticated AI searches to interrogate the data. This process led to the SFO uncovering information that may not have otherwise come to its attention. Ultimately, SFO counsel described the extent of Rolls-Royce’s cooperation with the investigation as ‘extraordinary’.
The Amec Foster Wheeler DPA is another example of a company failing to self-report; however, once Brazilian authorities opened an investigation, the company cooperated ‘extensively’ with the subsequent SFO and foreign investigations, resulting in the provision of previously unseen documents to the SFO both voluntarily and in answer to statutory notices, leading to the discovery of further offending. Amec Foster Wheeler further agreed to a limited waiver of legal professional privilege for the purposes of the SFO investigation over advice received by the company during the period of the alleged offending.
While the decision to provide documents voluntarily to the SFO was one of a number of measures taken by Rolls-Royce and Amec Foster Wheeler to demonstrate their cooperation with the investigation, this decision was of fundamental importance to the court when deciding to approve the DPAs. The companies’ voluntary disclosure of investigation documents therefore mitigated their failure to voluntarily disclose misconduct. This is particularly evident in the Amec Foster Wheeler DPA, where the company still obtained 50 per cent credit on the fine imposed despite its lack of self-reporting.
From the US perspective, failure to self-report misconduct before it becomes otherwise known to the authorities can have a significant impact on the resolution of the corporate investigation. Although there is no bright-line rule for timing, disclosures should occur prior to the imminent threat of investigation and in a timely manner. Further, representing another shift in government policies, the DOJ has returned to a prior investigative and prosecutorial focus, requiring that companies adhere to more fulsome disclosure standards.
In furtherance of this policy shift, on 15 September 2022, Deputy Attorney General Monaco issued a formal DOJ memorandum entitled ‘Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group’. Among other things, the memorandum emphasises that: ‘The Department’s first priority in corporate criminal matters is to hold accountable individuals who commit and profit from corporate crime.’ Accordingly, the DOJ will require cooperating companies to prioritise prompt and comprehensive disclosures regarding executives and other individual actors. Should prosecutors identify any ‘undue or intentional delay’ in a cooperator’s production of information or documents, particularly where the information impacts the assessment of individual culpability, the company’s cooperation credit will be reduced or eliminated.
Pursuant to these policies, prosecutors must adhere to two core principles regarding voluntary self-disclosure aiming to incentivise corporate cooperation. First, absent aggravating factors, the DOJ will not seek a guilty plea from a corporation if the corporation has voluntarily self-disclosed, fully cooperated and timely and appropriately remediated the criminal conduct. Second, the DOJ will not require an independent compliance monitor for cooperating self-disclosers if, at the time of resolution, the cooperating company can demonstrate that an effective compliance programme has been implemented and tested.
In January 2023, then Assistant Attorney General Kenneth Polite, Jr emphasised the administration’s policies in favour of voluntary disclosure during his remarks on revisions to the DOJ Criminal Division’s Corporate Enforcement Policy: ‘When a company has uncovered criminal misconduct in its operations, the clearest path to avoiding a guilty plea or an indictment is voluntary self-disclosure. It is also the clearest path to the greatest incentives that we offer, such as a declination with disgorgement of profits’. On the other hand, as Polite warned, ‘a corporation that falls short of our expectations does so at its own risk. Make no mistake – failing to self-report, failing to fully cooperate, failing to remediate, can lead to dire consequences’.
These revisions to the Corporate Enforcement Policy reveal a heightened focus on self-reporting that is immediate and complete and demonstrates extraordinary effort. As Polite explained, even where there are aggravating factors present, the DOJ can issue a declination of prosecution if three factors are met:
- The voluntary self-disclosure was made immediately upon the company becoming aware of the allegation of misconduct;
- At the time of the misconduct and the disclosure, the company had an effective compliance program and system of internal accounting controls that enabled the identification of the misconduct and led to the company’s voluntary self-disclosure; and
- The company provided extraordinary cooperation with the Department’s investigation and undertook extraordinary remediation.
The revised policy includes other incentives for self-reporting, including recommending a reduction in the criminal sentence where prosecution is ultimately necessary and pursued. Accordingly, voluntary disclosure carries a risk that the authority may not give any meaningful credit and may nonetheless decide to prosecute or expand an investigation already under way. The decision to voluntarily self-disclose is one that requires careful balancing of risks and benefits. In deciding whether to self-disclose, a company should also consider whether the relevant government authority could serve or enforce a formal request for disclosure on the company.
Organisations should be cognisant that individuals at various levels of the organisation may bear greater liability, and when making voluntary disclosures in investigations, all relevant individuals should be considered.
17.4.4 Production of investigation reports
To obtain cooperation credit, prosecuting and government agencies require that companies provide the complete factual findings of an internal investigation, including relevant source documents. The Justice Manual recognises ‘the sort of cooperation that is most valuable to resolving allegations of misconduct by a corporation and its officers, directors, employees, or agents is timely disclosure of the relevant facts concerning such misconduct’. Similarly, the UK DPA Code provides that cooperation will include ‘providing a report in respect of any internal investigation including source documents’.
Careful consideration should be given to the manner of disclosure of information. In the United States, the consideration for credit is that the relevant facts are disclosed, regardless of format and without need to waive privilege. A company bears the burden, however, of disclosing the facts necessary to qualify for cooperation credit, and if a company chooses not to waive relevant privileges, it is unlikely to be able to share the investigative reports prepared by counsel conducting the investigation; instead, it will have to carefully craft presentations that disclose only non-privileged facts. Oral presentations and high-level overview summaries relying on primary source evidence may reduce the risk to a company, although even these methods of disclosure can face judicial resistance with respect to maintaining privilege; therefore, companies and their legal counsel can face challenging strategic decisions when weighing cooperation with the government against maintaining privilege. Because there can be no claim that the materials are privileged, a company should also expect that it will have to produce presentation materials in any related civil litigation.
In the United Kingdom, there is much debate over the production of the first accounts of witnesses, which may have been taken by investigating attorneys. The SFO’s preference is that these are taken so that legal privilege does not apply. It also indicates that it does not consider all privilege claims over interview materials to be made out under English law and, until the Court of Appeal’s decision in ENRC, was actively challenging such assertions. Where a valid claim for privilege exists, cooperation credit will be given for the disclosure of interview memoranda. A failure to disclose will be considered cooperation neutral. As Alun Milford, then SFO General Counsel, has previously said: ‘If a company’s assertion of privilege is well-made out, then we will not hold that against the company: to do otherwise would be inconsistent with the substantive protection privilege offers.’
In two of the UK cases in which the court has approved DPAs, the company made oral disclosure only of the content of witness interviews. However, Rolls-Royce, Airbus and G4S all chose to provide the interview memoranda or transcripts to the SFO on the basis of a limited waiver of privilege. This was another way Rolls-Royce in particular used the voluntary disclosure of documents to counterbalance any actual or perceived failure to voluntarily disclose the misconduct. Other materials voluntarily provided to the SFO by companies subject to executed DPAs have included regular reports and presentations on the findings of the internal investigations, unfiltered access to the ‘digital repositories or email containers’ for past and present employees, and key documents identified by the internal investigations.
The SFO has affirmed its position on witness accounts and privilege as part of the Corporate Co-operation Guidance, which confirms that a company’s failure to waive privilege means that it will not attain the corresponding factor against prosecution in the DPA Code, but that the SFO will not penalise the company in this regard. The Corporate Co-operation Guidance suggests that while an organisation will not get the full cooperation credit potentially available in these circumstances, the SFO will not automatically refuse a DPA if it can demonstrate other cooperative factors pointing against a public interest in prosecuting the company, in accordance with the DPA Code.
17.4.5 Identification of witnesses to authorities
In its initial assessments of whether to cooperate with authorities, a company will have to consider the implications of disclosing information about key employees. As noted above, US and UK authorities have indicated that cooperation will require disclosure of facts relevant to the misconduct of individual employees.
While the DOJ’s current policies require companies to make fulsome disclosures of any and all individuals who may have been involved in alleged misconduct, the unequivocal cooperation necessary to be eligible for a DPA in the United Kingdom additionally includes identifying relevant witnesses, disclosing their accounts of the alleged misconduct and any documents shown to them and, where practicable, making those witnesses available for interviews by investigators – together with ongoing cooperation with the authorities.
When seeking a DPA, a corporate should consider liaising closely with the SFO, which may wish to undertake witness interviews, or interviews under caution, with individuals before corporate counsel does so. The Corporate Co-operation Guidance confirms that the SFO will expect organisations to identify individuals responsible for the suspected wrongdoing (and support the SFO’s disclosure obligations in its prosecution of individuals) and potential witnesses, and that cooperating companies should consult with the SFO before interviewing potential witnesses or suspects, or taking human resources actions or other overt steps.
Once the individuals have been identified to the government or prosecuting authorities, it may be difficult, if not impossible, for them to continue working for the company. A company may feel pressure to terminate the employee or place that individual on leave, which could have a significant impact on the operations of a business unit. Even if the company does not terminate an employee under investigation, targets of a government investigation are likely to engage their own counsel who may advise the employee to stop cooperating with the employer – leading to a ‘walk or talk’ decision. Depending on the nature of any employment agreement, a company may have to advance fees and costs of an individual’s representation. Also, since 2004, the United Kingdom has imposed an extensive Code of Practice for Disciplinary and Grievance Procedures on employers, which sets out standards of procedural fairness that a UK employer should comply with if it takes action that will detrimentally affect an individual’s employment.
17.5 Privilege considerations
In the United States, generally the attorney–client privilege entitles a party to withhold from production communications, with an attorney, his or her subordinate or agent, made in confidence, for the primary purpose of securing an opinion of law, legal services or assistance in a legal proceeding. It applies to corporations as well as individuals and therefore protects communications between corporate employees and a corporation’s in-house and external legal counsel on matters within the scope of the employees’ corporate responsibilities. Communications between non-legal corporate employees can also be privileged where an attorney neither authors nor receives the communication, if the communication contains or refers to previously transmitted legal advice or identifies specific legal advice that the non-attorneys will seek from attorneys in the near future.
Additionally, the work-product doctrine protects documents and tangible things, otherwise discoverable, prepared in anticipation of litigation and in connection with a threatened or pending government investigation. It can apply to documents prepared by both attorneys and non-attorneys. Attorney notes, research and compilations of background materials, memoranda, investigative reports, witness statements and materials prepared by non-legal personnel such as investigators are examples of the types of documents that may be protected. Work-product containing an attorney’s mental impressions is referred to as ‘opinion’ work-product and is afforded greater protection than other ‘ordinary’ work-product.
In the United Kingdom, privilege attaches to (1) confidential communications between a lawyer and his or her client for the purpose of seeking and receiving legal advice in a relevant legal context, including factual reporting (legal advice privilege), and (2) confidential communications between a lawyer and his or her client or a third party (or both), or between a client and a third party, provided that the communications have been created for the dominant purpose of obtaining legal advice, evidence or information in preparation for actual litigation, or litigation that is reasonably in prospect (litigation privilege).
English case law has traditionally called into question the availability of litigation privilege for documents created during a regulatory investigation, as an investigation alone lacks the adversarial character of litigation. In the ENRC decision, the Court of Appeal looked at the issue of when a corporate might reasonably contemplate prosecution (and therefore the necessary ‘litigation’) in the context of a self-reporting process, commenting as follows:
[W]e are not sure that every SFO manifestation of concern would properly be regarded as adversarial litigation, but when the SFO specifically makes clear to the company the prospect of its criminal prosecution . . . and legal advisers are engaged to deal with that situation, as in the present case, there is a clear ground for contending that criminal prosecution is in reasonable contemplation.
But the Court went on to say that no particular action in the course of engagement with a regulator will allow a company to say that at a particular date it contemplated a criminal prosecution and privilege crystallised. Every case will turn on its own facts, and the evidence will be assessed in the round.
The corporate must also have created the documents for the dominant purpose of the contemplated litigation. In ENRC, even where ENRC might have created documents for the dominant purpose of merely investigating ‘the facts to see what had happened and deal with compliance and governance’, the Court held:
Although a reputable company will wish to ensure high ethical standards in the conduct of its business for its own sake, it is undeniable that the ‘stick’ used to enforce appropriate standards is the criminal law and, in some measure, the civil law also. Thus, where there is a clear threat of a criminal investigation, even at one remove from the specific risks posed by the SFO should it start an investigation, the reason for the investigation of whistle-blower allegations must be brought into the zone where the dominant purpose may be to prevent or deal with litigation.
So, litigation privilege may well cover a significant proportion of documents created during an internal investigation into possible criminal activity after the regulator has made clear there is a prospect of prosecution. Again, though, the reasons why the corporate created particular documents are important. If a corporate creates documents specifically to disclose to the regulator, then it seems unlikely that a claim to litigation privilege against that same regulator will succeed, at least in relation to the final versions of these documents.
The Court of Appeal also discussed the policy behind applying litigation privilege in this area:
It is, however, obviously in the public interest that companies should be prepared to investigate allegations from whistle blowers or investigative journalists, prior to going to a prosecutor such as the SFO, without losing the benefit of legal professional privilege for the work product and consequences of their investigation. . . . The remedy for the SFO is not to allow prevarication and delay . . . to prevent a timeous investigation, when it becomes clear that the company is not wholeheartedly reporting its own conduct and making appropriate waivers of privilege.
It went on to make clear that determining the extent of cooperation by a company (in an analysis of whether a DPA was in the public interest) included determining ‘whether the company was willing to waive any privilege attaching to documents produced during internal investigations, so that it could share those documents with the SFO’. But past practice in both the United Kingdom and the United States suggests that a corporate does not need to waive privilege over all its investigation documents to receive cooperation credit.
In presenting the underlying facts of an internal investigation, a company must be mindful of the inherent risk that this will be deemed a privilege waiver in any subsequent proceedings. In the United States, if a disclosure of privileged information to a federal office or agency is deemed intentional, the privilege will be waived in any federal or state proceeding. However, if a disclosure of privileged information is unintentional, it will not create a broad waiver so long as the holder of the privilege took steps to prevent the disclosure and then promptly took reasonable steps to seek return of any inadvertently disclosed information. Accordingly, if a company decides that it does not intend to waive privilege, it should devise reasonable steps that highlight the company’s decision not to waive privilege, including providing written notice of the intention not to produce privileged materials in any letter or other correspondence that accompanies a document production.
Courts in England and Wales have held that a company can share the contents of a privileged communication with a regulator or other specific third party under a limited waiver, keeping the privilege intact for other purposes and against others, so long as this desire is made clear, the disclosure is confidential and the communication is not proliferated widely.
The SFO has clarified its position on privilege considerations as part of the Corporate Co-operation Guidance, confirming that if an organisation asserts legal privilege over relevant materials (such as first accounts, internal investigation interviews or other documents), the SFO may challenge the privilege assertion where it considers it necessary or appropriate to do so. The Corporate Co-operation Guidance also includes an additional step for companies, requiring organisations to provide certification by independent counsel that the material is privileged.
In the United States, certain portions of internal investigations are protected by the attorney–client privilege and the work-product doctrine, and courts routinely uphold those privileges. This can be true even where the purpose of an investigation is to ensure regulatory compliance or where non-lawyers are involved in key parts of the investigation. However, the DOJ can take a more aggressive stance challenging claims of the attorney–client privilege in certain instances, including if it believes that in-house legal counsel is copied on communications simply to shield those communications from investigation by regulators or if it believes that a company has document hold policies that permit the spoliation of potential evidence. For example, for nearly a year, the DOJ pursued motions for sanctions related to privilege assertions on these bases in an antitrust action. Organisations should take care in their internal approach to privileged communications and the assertion of privilege for general business or public relations matters that do not actually solicit or require professional legal advice.
17.5.2 Privilege in cross-border contexts
It may not be clear which privilege rules apply when a company discloses in one jurisdiction documents created in another. Companies should be aware that some countries do not have developed principles of legal privilege, and special care is required in creating or sending otherwise privileged documents to such jurisdictions. Likewise, in some jurisdictions, privilege does not extend to communications with in-house counsel, and the role of internal counsel may be held by someone who is not an attorney, and therefore privilege may not be recognised in connection with their communications.
Further complications come when dealing with international regulatory bodies. In Akzo Nobel, for example, the Court of Justice of the European Union held that the law of the European Union superseded that of the relevant national jurisdictions; therefore, in competition cases, internal counsel’s advice will not be privileged – nor will that of external legal advisers who are not EU-qualified lawyers.
17.6 Protecting confidential information
Companies producing information to the government should take steps to protect its confidentiality. In the United Kingdom, the High Court confronted these issues in Standard Life. The SFO had disclosed information it had obtained through its compulsory powers under section 2 of the CJA to a Standard Life employee it wished to interview. It later discontinued the related investigation. Standard Life then used some of this information as part of civil proceedings against Topland.
The Court noted that the SFO was not entitled to disclose any material obtained by it during an investigation except for the purpose of its investigation (which was the original purpose of the disclosure in this case). A person who wished to prevent disclosure of genuinely confidential information, either by the SFO or by a person to whom it had disclosed documents, would need to rely on judicial review proceedings or seek an injunction to prevent a breach of confidence. This suggests that, to avoid relying on these indirect remedies, a company should agree with the SFO before disclosure how the SFO might control the further dissemination of confidential or sensitive documents. Safeguards may include notifying a disclosing party before the SFO intends to disseminate documents further, or applying explicit restrictions on the use of documents disclosed to suspects or interviewees.
On the other hand, a company may also wish to construct potential safeguards around material produced to it during DPA negotiations and that may otherwise be discoverable in subsequent civil proceedings against it. This point was particularly relevant in Omers, where the SFO had provided Tesco with a number of confidential documents during DPA negotiations that it had obtained from third parties using its section 2 CJA investigation powers. These documents subsequently became subject to the standard disclosure test under Part 31 of the Civil Procedure Rules when two groups of shareholders brought civil proceedings against Tesco. The High Court considered the conflict between Part 31 and Tesco’s confidentiality obligations to the SFO and found that the key question to be considered was whether the overriding objective of dealing with a case justly and at a proportionate cost could be solved with the production of relevant documents. Applying the facts of the case, the High Court ordered disclosure as the documents were likely to contain material ‘necessary for the fair disposal of the action’, and the public interest in confidentiality (even though this held particular weight when documents were originally obtained by compulsion under the SFO’s powers) was overridden by the public interest in ensuring ‘the courts try civil claims on the basis of all relevant material’.
In the United States, the government must keep information produced in response to a grand jury subpoena confidential, although a court may authorise disclosure subject to any conditions it directs (such as disclosure to a defendant post-indictment during discovery). Additionally, documents under the control of a government agency can be subject to requests made pursuant to the Freedom of Information Act (FOIA), although exemptions to FOIA may allow an agency to withhold certain documents from disclosure.
The procedures necessary to shield confidential information from disclosure can be quite complex. Each regulatory body has its own procedures for seeking confidential treatment of information. The SEC, for example, has Rule 83, which provides a procedure for requesting that information submitted to the SEC be withheld from FOIA requests. The SEC requires that each page of a document containing confidential information be stamped with a specific legend and that a request for confidential treatment go to the individual receiving the documents and the Office of Freedom of Information and Privacy Act Operations. However, organisations should take care because documents typically shielded from disclosure by FOIA and other regulations are not exempt from production to the US Congress, which can, in turn, make the information public.
Many states have their own versions of FOIA governing the treatment of information provided to, among others, state attorneys general. At the federal level, the Privacy Act and Trade Secrets Act also protect a company’s information that has been disclosed to investigators and forbid those investigators from further disclosing information.
There are multiple strategies that regulators and authorities, both on a national and international level, can deploy to elicit the production of documents from companies or individuals. Where cross-border investigations arise, companies should ensure that local law specialists are instructed to work as part of a multidisciplinary team.
Cooperating expeditiously with authorities upon receipt of a document production request is often advisable, and companies should consider the advantages of voluntary production of materials and self-reporting (in particular gaining maximum cooperation credit and increased flexibility over the timing and parameters of a production), as opposed to the internal disruption and damning publicity of dawn raids and arrests.
 Tim Bowden and Clare Putnam Pozos are partners, and Chloe Binding and Carla Graff are associates, at Dechert LLP. The authors would like to thank the Hon Hector Gonzalez and Caroline Black, who co-authored earlier versions of this chapter.
 Economic Crime and Corporate Transparency Act, s.211.
 Criminal Justice Act 1987, ss.2(8) and 2(14).
 Financial Conduct Authority (FCA), Enforcement Guide (Aug. 2023), www.handbook.fca.org.uk/handbook/EG; and FCA Mission: Approach to Enforcement (Apr. 2019), www.fca.org.uk/publication/corporate/our-approach-enforcement-final-report-feedback-statement.pdf.
 JP Morgan Chase Bank National Association & Ors v. Director of the Serious Fraud Office  EWHC 1674 (Admin).
 R (Sutton) v. Financial Conduct Authority  EWHC 2497 (Admin). The basic policy rationale that can be taken from this case is the FCA should not have to second guess the powers of foreign regulators under their own national laws when an overseas authority makes a mutual assistance request.
 Whether the FCA compels testimony from an individual can have an impact on whether that information can be used in connection with a criminal proceeding in the United States. The Second Circuit Court of Appeals has held that testimony compelled by the FCA cannot be used against a defendant in a criminal prosecution. See United States v. Allen, 864 F.3d 63 (2d Cir. 2017).
 Other federal agencies, such as the Consumer Financial Protection Bureau and the Federal Trade Commission, may issue subpoenas. Other agencies must seek the assistance of the United States Attorney’s Office in seeking documents and testimony. For a discussion of the use of administrative subpoenas, see www.justice.gov/archive/olp/rpt_to_congress.htm.
 For information regarding criminal matters, see Justice Manual § 9-13. The Civil Division is authorised to issue subpoenas by a number of statutes.
 17 C.F.R. § 11.4(a).
 Section 19(c) of the Securities Act of 1933, 15 U.S.C. § 77s(c); Section 21(b) of the Securities Exchange Act of 1934, 15 U.S.C. § 78u(b); Section 209(b) of the Investment Advisers Act of 1940, 15 U.S.C. § 80b–9(b); and Section 42(b) of the Investment Company Act of 1940, 15 U.S.C. § 80a–41(b).
 For information regarding procedures for obtaining a formal order of investigation, see Sections 2.2.3 to 2.3.4 of the Enforcement Manual of the Securities and Exchange Commission Division of Enforcement, www.sec.gov/divisions/enforce/enforcementmanual.pdf (28 Nov. 2017).
 Endicott Johnson Corp. v. Perkins, 317 U.S. 501, 509 (1943); CFTC v. Zepeda, No. 22-18, 2022 WL 20163249, at *4 (C.D. Cal. 12 May 2022), report and recommendation adopted, 2022 WL 2392025 (C.D. Cal. 30 June 2022); SEC v. Kimmel, No. 19-00113, 2020 WL 280813, at *2 (D. Colo. 28 May 2020).
 SEC v. Marin, 982 F.3d 1341, 1352 (11th Cir. 2020).
 18 U.S.C. §§ 401, 1001; see also 7 U.S.C. §§ 9, 13(a)(3). Rule 17 of the Federal Rules of Criminal Procedure governs subpoenas, including grand jury subpoenas, and Rule 17(g) authorises federal courts to exercise their contempt powers for non-compliance. (‘The court (other than a magistrate judge) may hold in contempt a witness who, without adequate excuse, disobeys a subpoena issued by a federal court in that district.’)
 Trump v. Thompson, 20 F.4th 10, 24 (D.C. Cir. 2021); www.justice.gov/usao-dc/pr/stephen-k-bannon-found-guilty-jury-two-counts-contempt-congress.
 www.nbcnews.com/politics/congress/house-judiciary-plans-contempt-proceedings-mark-zuckerberg-rcna96297; www.cnbc.com/2023/05/08/jordan-threatens-action-against-google-for-not-complying-with-subpoena.html.
 SFO v. Rolls-Royce PLC and Rolls-Royce Energy Systems Inc (Case No. U20170036)  Lloyd’s Rep FC 249.
 SFO v. Airbus SE (Case No. U20200108)  1 WLU 435;  Lloyd’s Rep FC 159.
 For example, employees’ use of disappearing messaging services, such as WhatsApp, raises issues. In March 2019, the Department of Justice (DOJ) relaxed its prior guidance to companies regarding employees’ use of those services, removing from the Foreign Corrupt Practices Act (FCPA) Corporate Enforcement Policy a requirement that employees be prohibited from using those services. Instead, the revised policy requires each company seeking timely and appropriate remediation credit put in place ‘appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations’. Justice Manual § 9-47.120.
 Bates numbering is a method of indexing legal documents for easy identification and retrieval.
 Justice Manual § 9-47.120(3)(b).
 Justice Manual § 9-47.120(3)(b).
 R (on the application of KBR, Inc) v. Director of the Serious Fraud Office  UKSC 2.
 Bayerische Motoren Werke Ag and The King Volkswagen Aktiengesellschaft v. Competition and Markets Authority  CAT 7, 2023 WL 02500791.
 For the United Kingdom, see Lonrho v. Shell Petroleum  1 WLR 627.
 Justice Manual § 9-47.120(3)(b).
 Crime (International Co-operation) Act 2003, s.7(5).
 Crime (International Co-operation) Act 2003, s.7(2).
 Financial Services Authority v. Amro International  EWCA Civ 123.
 SFO v. Airbus SE (Case No. U20200108)  1 WLU 435;  Lloyd’s Rep FC 159; SFO v. Amec Foster Wheeler Energy Ltd  6 WLUK 664;  Lloyd’s Rep FC 353;  2 C.L. 46; SFO v. Glencore Energy UK (Ltd) (2022).
 See www.state.gov/j/inl/rls/nrcrpt/2012/vol2/184110.htm; www.justice.gov/criminal-oia/file/1498806/download; see also In re Premises Located at 840 140th Ave. NE, Bellevue, Wash., 634 F.3d 557, 563–64 (9th Cir. 2011) (‘In recent decades, the United States has ratified an increasing number of bilateral treaties with other nations to facilitate legal proceedings, known as mutual legal assistance treaties or MLATs . . . As their names suggest, these treaties provide for bilateral, mutual assistance in the gathering of legal evidence for use by the requesting state in criminal investigations and proceedings. Viewed through the lens of reciprocity, MLATs represent a direct approach to achieving reciprocity with other nations, in addition to the indirect approach taken by congressional expansion of the scope of § 1782. The ratification of MLATs in recent decades can be seen as yet another step towards the goal of greater legal assistance by, and for, other nations, at least with respect to requests by foreign governments for use in underlying criminal investigations and proceedings.’) (citation omitted).
 18 U.S.C. § 3512.
 See 18 U.S.C. § 3512(a)(1) (‘Upon application, duly authorized by an appropriate official of the Department of Justice, of an attorney for the Government, a Federal judge may issue such orders as may be necessary to execute a request from a foreign authority for assistance in the investigation or prosecution of criminal offenses, or in proceedings related to the prosecution of criminal offenses, including proceedings regarding forfeiture, sentencing, and restitution.’); Hon Virginia M Kendall and T Markus Funk, The Role of Mutual Legal Assistance Treaties in Obtaining Foreign Evidence at 2, Global Litigator (Winter 2014), www.perkinscoie.com/images/content/3/1/v2/31795/2014-winter-litigation.pdf (‘U.S. District courts, for their part, have considerable discretion concerning whether to authorize a foreign request.’).
 28 U.S.C. § 1781(b).
 Anti-Money Laundering Act 2020, § 6308 (31 U.S.C. § 5318(k)(3)(A)(i)).
 UN Convention Against Corruption (31 Oct. 2003), https://treaties.un.org/doc/Treaties/2003/12/20031209%2002-50%20PM/Ch_XVIII_14p.pdf.
 The United States does not have a comprehensive, federal data protection law. However, numerous state and federal laws govern the treatment of personal data. There are federal protections for, among other things, data collected from children, data collected from financial institutions and data that includes medical information. See, e.g., Federal Trade Commission Act, 15 U.S.C. §§ 41 to 58; Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501 to 6506; Financial Services Modernization Act (Gramm-Leach-Bliley Act), 15 U.S.C. §§ 6801 to 6827; Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. § 1301 et seq. (and the rules and regulations promulgated thereunder); Fair Credit Reporting Act, 15 U.S.C. § 1681.
 15 U.S.C. § 45.
 See, e.g., CafePress, FTC Matter No. 1923209 (15 Mar. 2022) (settling allegations that the company failed to take reasonable security measures to protect sensitive information, including the failure to encrypt sensitive information and holding data longer than necessary); DealerBuilt, FTC Matter No. 1723051 (6 Sept. 2019) (settling allegations that the company failed to take reasonable steps to protect consumer data, including by failing to implement access controls or authentication procedures to protect against unauthorised access to or acquisition of data); FTC v. D-Link Sys., Inc., No. 3:17-cv-00039-JD (N.D. Cal. 2 July 2019) (complaint alleging that D-Link, a computer networking equipment manufacturer, failed to take reasonable steps to secure its routers and internet cameras, leaving products ‘vulnerable to hackers’ and putting consumers’ privacy at risk).
 17 C.F.R. § 248.30(a).
 Law No. 68-678 of 26 July 1968 relating to the communication of documents and information of an economic, commercial, industrial, financial or technical nature to foreign natural or legal persons.
 Despite its very protective wording, the French Blocking Statute has received a very limited application – only one criminal conviction (under Article 1bis) has ever been recorded (Cass. Crim, 12 Dec. 2007, No. 07-83.228).
 For English case law dealing with the French Blocking Statute, see Secretary of State for Health v. Servier Laboratories; National Grid Electricity Transmission v. ABB  WLR 4383.
 As defined by 12 C.F.R. § 261.2(b)(1).
 See, most famously, Swiss Federal Act on Banks and Savings Banks (1934), Article 47.
 See, e.g., Switzerland’s entrance, in October 2013, to the Multilateral Convention on Mutual Administrative Assistance on Tax Matters, and agreement to increase transparency and exchange financial information with approximately 60 other countries.
 www.washingtonpost.com/technology/2023/01/07/binance-subpoenas-crypto-trading. Various sources suggest that the nature of cryptocurrency makes these issues more pressing given that many regulatory schemes do not entirely or do not yet encompass cryptocurrency businesses or exchanges. See www.wsj.com/articles/u-s-targets-crypto-mixers-over-money-laundering-risks-e431def; www.reuters.com/legal/transactional/cryptocurrency-anti-money-laundering-enforcement-2022-09-26; www.europol.europa.eu/cms/sites/default/files/documents/Europol%20Spotlight%20-%20Cryptocurrencies%20-%20Tracing%20the%20evolution%20of%20criminal%20finances.pdf.
 DOJ, The Report of the Attorney General Pursuant to Section 5(b)(iii) of Executive Order 14067: The Role Of Law Enforcement In Detecting, Investigating, And Prosecuting Criminal Activity Related To Digital Assets, www.justice.gov/ag/page/file/1535236/download.
 Superseding Indictment ¶¶ 34–37, United States v. Bankman-Fried, No. 22-cr-673, Dkt. No. 202 (S.D.N.Y. 14 Aug. 2023).
 Jasminka Kalajdzic, Litigation State Secrets: A Comparative Study of National Security Privilege in Canadian, US and English Civil Cases, 41:2 Ottawa L. Rev. 289, 311 (2010).
 Arianna Vedaschi, The Dark Side of Counter-Terrorism: Arcana Imperii and Salus Rei Republicae, 66 Am. J. Comp. L. 877, 881 n.13 (2013).
 Miiko Kumar, Protecting State Secrets: Jurisdictional Differences and Current Developments, Miss. L. J. 853, 867 (2013).
 El-Masri v. United States, 479 F.3d 296, 302 (4th Cir. 2007).
 For the United Kingdom, see Criminal Justice and Police Act 2001, s.50. In the United States, prosecutors will often establish ‘taint teams’ to review potentially privileged information. Justice Manual § 9-13.420 (Searches of Premises of Subject Attorneys) provides guidance for the review of material seized not only from an attorney’s office but also from ‘searches of business organizations where such searches involve materials in the possession of individuals serving in the capacity of legal advisor to the organization’.
 Police and Criminal Evidence Act 1984, s.19(5).
 Cited in R (on the application of Colin McKenzie) v. The Director of the Serious Fraud Office  EWHC 102, at . In this unsuccessful challenge to this procedure, the essential question was whether, as a matter of law, the process for isolating files that may contain legal professional privilege (LPP) material into an electronic folder for review by an independent lawyer must itself be carried out by individuals who are independent of the seizing body. The court held that the procedure set out in the SFO’s Handbook for isolating material potentially subject to LPP, for the purpose of making it available to an independent lawyer for review, was lawful.
 See, e.g., Order Appointing Special Master, United States v. Cohen, No. 18-mj-3161, Dkt. No. 30 (S.D.N.Y. 27 Apr. 2018) (Cohen).
 Searches of Premises of Subject Attorneys, Justice Manual, § 9-13.420.
 See, e.g., Cohen; Order, United States v. Gallego, No. 4:18-cr-01537, Dkt. No. 65 (D. Ariz. 6 Sept. 2018).
 In re Grand Jury Subpoenas 04–124–03 and 04–124–05, 454 F.3d 511, 522–24 (6th Cir. 2006) (stating that ‘taint teams present inevitable, and reasonably foreseeable, risks to privilege’ because they possess both ‘an interest in preserving privilege’ and ‘a conflicting interest in pursuing the investigation,’ while favouring a ‘check in the proposed taint team review procedure against the possibility that the government’s team might make some false negative conclusions’). See also Harbor Healthcare Sys., L.P. v. United States, 5 F.4th 593, 599 (5th Cir. 2021) (‘A taint team serves no practical effect if the government refuses to destroy or return the copies of documents that the taint team has identified as privileged.’); In re Search Warrant Issued June 13, 2019, 942 F.3d 159, 176–81 (4th Cir. 2019) (criticising magistrate judge’s approval of taint team’s protocol, including review of attorney’s seized communications and work product, which included materials about unrelated clients and matters).
 Deferred prosecution agreements (DPAs) were introduced by s.45 and Sch. 17 of the Crime and Courts Act 2013.
 Crown Prosecution Service and Serious Fraud Office (SFO), Deferred Prosecution Agreements Code of Practice – Crime and Courts Act 2013 (11 Feb. 2014) (DPA Code), at para. 2.8.2(i).
 SFO v. Rolls-Royce PLC and Rolls-Royce Energy Systems Inc. (Case No. U20170036)  Lloyd’s Rep FC 249; SFO v. Airbus SE (Case No. U20200108)  1 WLU 435;  Lloyd’s Rep FC 159; SFO v. G4S Care and Justice Services (UK) Limited (Case No. U20201392)  7 WLUK 303;  Crim LR 138; SFO v. Amec Foster Wheeler Energy Ltd  6 WLUK 664;  Lloyd’s Rep FC 353;  2 C.L. 46.
 Corporate Co-operation Guidance, SFO Operational Handbook (6 Aug. 2019), www.sfo.gov.uk/publications/guidance-policy-and-protocols/guidance-for-corporates/corporate-co-operation-guidance (Corporate Co-operation Guidance).
 See, e.g., European Commission Notice on Immunity from Fines and Reduction of Fines in Cartel Cases, Official Journal C 298 (8 Dec. 2006), p. 17.
 The Financial Services Authority was the predecessor to the FCA.
 Enforcement Guide, at para. 4.7.3.
 Enforcement Guide, at para. 4.7.4.
 See, e.g., memorandum dated 5 July 2007 from Paul J McNulty regarding Principles of Federal Prosecution of Business Organizations, www.justice.gov/sites/default/files/dag/legacy/2007/07/05/mcnulty_memo.pdf.
 Justice Manual § 9-28.700.
 Justice Manual §§ 9-28.900, 9-47.120.
 Justice Manual § 9-28.900. (‘Even in the absence of a formal program, prosecutors may consider a corporation’s timely and voluntary disclosure, both as an independent factor and in evaluating the company’s overall co-operation and the adequacy of the corporation’s compliance program and its management’s commitment to the compliance program.’)
 Justice Manual §§ 9-28.300, 9-28.900, 9-47.120.
 Justice Manual § 9-47.120.
 The Value of Cooperation, Justice Manual § 9-28.700; Cooperation: Disclosing the Relevant Facts, Justice Manual § 9-28.720; FCPA Corporate Enforcement Policy, Justice Manual § 9-47.120, www.justice.gov/criminal-fraud/file/838416/download (full cooperation requires, among other things, prompt disclosure of ‘all facts related to involvement in the criminal activity by the company’s officers, employees, or agents; and all facts known or that become known to the company regarding potential criminal conduct by all third-party companies (including their officers, employees, or agents)’).
 The November 2019 amendments to the FCPA Corporate Enforcement Policy acknowledge that a company may not know all facts relevant to misconduct at the time of a voluntary self-disclosure. The revised policy emphasises that to receive cooperation credit, a company should ‘make clear that it is making its disclosure based upon a preliminary investigation or assessment of information, but it should nonetheless provide a fulsome disclosure of the relevant facts known to it at the time’. Justice Manual § 9-47.120 at note 1.
 Dodd-Frank Wall Street Reform and Consumer Protection Act, Section 922(h), 15 U.S.C.A. § 78u-6(h)(1)(A).
 www.sec.gov/news/pressrelease/2017-14.html (announcing penalty imposed on BlackRock Inc, based on its inclusion of language in separation agreements requiring former employees to waive any incentives they might be entitled to for reporting the company’s misconduct); www.sec.gov/news/pressrelease/2017-24.html (announcing penalty imposed on HomeStreet Inc for improper accounting and steps taken to impede whistleblowers).
 DPA Code, para. 2.8.2(i).
 SFO v. Standard Bank plc (Case No. U20150854)  Lloyd’s Rep FC 102 and SFO v. Sarclad Ltd (Case No. U20150856)  7 WLUK 220;  Lloyd’s Rep FC 509. In the case of SFO v. Tesco Stores Limited  Lloyd’s Rep FC 283, Tesco identified issues in its financial statements and referred itself to enforcement authorities after revealing that revenues had been incorrectly recorded as profits and made an announcement to the market. In SFO v. Serco Geografix Ltd. (Case No. U20190413)  7 WLUK 45, the company disclosed material discovered after an initial SFO investigation found no evidence of any dishonest or fraudulent activity. In SFO v. Güralp Systems Limited , the company self-reported. In SFO v. Airbus SE (Case No. U20200108)  1 WLU 435;  Lloyd’s Rep FC 159, Airbus self-reported to the SFO following notification to UK Export Finance to correct inaccurate information it had previously provided, including red flags for corruption. G4S (SFO v. G4S Care and Justice Services (UK) Limited (Case No. U20201392)  7 WLUK 303;  Crim LR 138), Amec Foster Wheeler (SFO v. Amec Foster Wheeler Energy Limited ), Airline Services (SFO v. Airline Services Ltd (Case No. U20201913)  10 WLUK 606;  Lloyd’s Rep FC 42;  CLY 584), and the parent company of Tetris Projects Limited and Bluu Solutions Limited (SFO v. Bluu Solutions Limited and Tetris Projects Limited (Case No. U20210959) ) also self-reported.
 SFO v. Rolls Royce Plc (Case No. U20170036) .
 Justice Manual § 9-28.900.
 See, e.g., Justice Manual § 9-47.120(3)(a).
 DOJ, Office of the Deputy Attorney General, Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group (15 Sept. 2022), www.justice.gov/opa/speech/file/1535301/download.
 Justice Manual § 9-28.720 (emphasis in original).
 DPA Code, para. 2.8.2(i).
 Justice Manual § 9-28.720. The FCPA Corporate Enforcement Policy refers to Justice Manual § 9-28.720 and states that a company will not have to waive privilege to receive full cooperation credit.
 See, e.g., United States v. Coburn, No. 2:19-cr-00120 (KM), 2022 WL 357217, at *7 (D.N.J. 1 Feb. 2022) (finding waiver with respect to ‘documents and communications that were reviewed and formed any part of the basis of any presentation, oral or written, to the DOJ in connection with the investigation’); see also SEC v. Herrera, 324 F.R.D. 258, 264 (S.D. Fl. 5 Dec. 2017) (finding waiver of privilege as to oral summaries of interview materials provided to the SEC because they were the ‘functional equivalent’ of privileged material).
 The Director of the Serious Fraud Office v. Eurasian Natural Resources Corporation  EWCA Civ 2006 (ENRC).
 Alun Milford, then SFO General Counsel, ‘Speech to compliance professionals’ (given to the European Compliance and Ethics Institute, Prague, 29 Mar. 2016).
 See, e.g., SFO v. XYZ (Preliminary Judgment) Crown Court, Southwark, U20150856 (20 Apr. 2016): ‘[C]o-operation includes identifying relevant witnesses, disclosing their accounts and the documents shown to them: see DPA Code, para. 2.8.2(i). Where practicable it will involve making witnesses available for interview when requested. In that regard, XYZ (now identified as Sarclad) provided oral summaries of first accounts of interviewees, facilitated the interview of current employees, and provided timely and complete responses to requests for information and material, save for those subject to a proper claim of legal professional privilege.’
 In Airbus, these transcripts and memoranda included Airbus employees and third-party business partners.
 Corporate Co-operation Guidance, p. 5.
 DPA Code, para. 2.8.2(i).
 Where a defendant in the United Kingdom is suspected of committing a criminal offence, and is questioned in relation to it (whether while under arrest or voluntarily), the questioner must administer a ‘caution’ for any evidence provided in the interview to be admissible in subsequent proceedings. The caution sets out interviewees’ rights and how any evidence they provide at interview may be used against them in a trial. An organisation or company can be interviewed under caution through a nominated spokesperson, who will attend the interview to answer questions on its behalf.
 Advisory, Conciliation and Arbitration Service Code of Practice on disciplinary and grievance procedures (2015), www.acas.org.uk/acas-code-of-practice-for-disciplinary-and-grievance-procedures/html.
 Id., at .
 Id., at .
 Id., at .
 Id., at [116].
 Id., at .
 Fed. R. Evid. 502(a).
 Fed. R. Evid. 502(b).
 Gotha City v. Sotheby’s  1 WLR 114 CA.
 In re Kellogg Brown & Root, Inc., 756 F.3d 754 (D.C. Cir. 2014); Cicel (Beijing) Sci. & Tech. Co. v. Misonix, Inc., No. 17CV1642, 2019 WL 1574806 (E.D.N.Y. 11 Apr. 2019); In re Gen. Motors LLC Ignition Switch Litig., 80 F. Supp. 3d 521, 530 (S.D.N.Y. 2015).
 In re Kellogg Brown & Root, Inc., 756 F.3d 754, 760 (D.C. Cir. 2014) (‘In the context of an organization’s internal investigation, if one of the significant purposes of the internal investigation was to obtain or provide legal advice, the privilege will apply. That is true regardless of whether an internal investigation was conducted pursuant to a company compliance programme required by statute or regulation, or was otherwise conducted pursuant to company policy.’) (citation omitted).
 Plaintiffs’ Reply in Support of Plaintiffs’ Motion to Sanction Google and Compel Disclosure of Documents Unjustifiably Claimed by Google as Attorney-Client Privileged, United States v. Google LLC, No. 1:20-cv-03010-APM, Dkt. No. 335 (D.D.C. 7 Apr. 2022); Mem. in Support of the United States’ Motion for Sanctions Against Google, LLC and an Evidentiary Hearing to Determine the Appropriate Relief, No. 1:20-cv-03010-APM, Dkt. No. 512 (D.D.C. 23 Feb. 2023).
 Akzo Nobel Chemicals v. European Commission (Case C-550/07, Court of Justice of the European Union, 14 Sept. 2010). Here, the Court held that internal company communications with in-house lawyers subject to a European Commission investigation were not covered by legal professional privilege, as, for the purposes of such an investigation, an in-house lawyer was not sufficiently independent.
 Standard Life Assurance Ltd v. Topland Col (Rev 1)  1 WLR 2162.
 Omers Administration Corp & Ors v. Tesco Plc  EWHC 109 (Ch).
 Fed. R. Crim. Pro. 6(e).
 5 U.S.C. § 552.
 17 C.F.R. § 200.83; 5 U.S.C. § 552a(b); www.justice.gov/opcl/overview-privacy-act-1974-2020-edition/disclosures-third-parties.
 See, e.g., New York Freedom of Information Law, Public Officers Law §§ 84 to 90.