Beginning an Internal Investigation: The UK Perspective
This is an Insight article, written by a selected partner as part of GIR's co-published content.
The potential trigger points for a company’s decision whether to undertake an internal investigation are wide ranging. They can include internal allegations of wrongdoing, adverse press reports, whistleblowing reports, an auditor’s discovery of apparent accounting irregularities, complaints made by a supplier or customer, a third-party litigation action being launched, or the commencement of an investigation into the company’s affairs by a government authority.
The decision whether to launch an internal investigation is of critical importance. Once begun, the internal investigation process can be difficult to halt and impossible to reverse. Whatever decision a company reaches, it ought to do so promptly to limit further damage to the company, but not before a great deal of careful consideration has been given to the potential upsides as well as downsides.
There are clear incentives on offer to a company (and its senior management) that chooses to commence an internal investigation promptly. A properly focused investigation should allow the company to discover the full facts of, and be in the best position to put an effective stop to, any wrongdoing. Armed with the underlying facts, a company and its advisers will be able to determine what potential defences are available to it to gain control of the situation (in the face of potential external investigations) with the aim of restricting the exposure of the company and its senior management to any potential shareholder, third-party, regulatory or criminal actions.
Of course, a full internal investigation will not always be the appropriate response and to some extent this decision will be informed by the nature of the alleged misconduct. Isolated instances of minor employee misbehaviour, for example, are likely to be satisfactorily dealt with by one or a combination of a company’s human resources function, its in-house counsel and its internal audit function. Conversely, an allegation of pervasive criminal conduct or a risk of the behaviour becoming more widespread is more likely to warrant a full-scale internal investigation.
Allegations of anticompetitive behaviour are also likely to weigh in favour of an expedited internal investigation, in light of the immunity and leniency programme operated by the Competition and Markets Authority (CMA). Where the company is the first undertaking to provide the CMA with evidence of cartel activity, in circumstances where the CMA has not already started an investigation and does not already have sufficient evidence of the alleged activity, the company will automatically qualify for full immunity in respect of any civil fines. Likewise, all implicated current and former employees and directors who co-operate with the process will be granted criminal immunity.
Used properly, an internal investigation may be successfully employed as a defensive tool by a company faced with a parallel regulatory or prosecutorial investigation. The decision to initiate a thorough and credible investigation can help to create a corporate culture where compliance is taken seriously and set the tone for any discussions with the relevant government authorities. Being in possession of the full facts can also allow both the company and its professional advisers to anticipate likely developments and stay one step ahead of the regulatory or criminal process.
For those companies looking to avoid a criminal prosecution and potentially benefit from a deferred prosecution agreement (DPA) or an alternative civil resolution, it is made expressly clear in the Joint Prosecution Guidance on Corporate Prosecutions that factors tending against the prosecution of a company include ‘[a] genuinely proactive approach adopted by the corporate management team when the offending is brought to their notice, involving self-reporting and remedial actions’ and ‘the existence of a genuinely proactive and effective corporate compliance programme.’
The Deferred Prosecution Agreements Code of Practice also confirms the potential benefits of the prompt commencement of an internal investigation, stating that ‘a genuinely proactive approach adopted by [the company’s] management team when the offending is brought to their notice’ will be regarded as a factor weighing against a criminal prosecution and in favour of a DPA.
While neither a company faced with allegations of impropriety nor its directors are expressly obliged under English law to undertake an internal investigation, the combined effect of a director’s fiduciary duties, a company’s internal corporate governance codes and its regulatory obligations (for those companies that fall within the UK’s regulated sector) can effectively compel them to do so.
All company directors owe fiduciary duties to their company, including a duty to promote the success of the company for the benefit of its members and a duty to exercise reasonable skill, care and diligence. Although the duties are owed to, and enforced by, the company itself, in certain circumstances shareholders may instigate a derivative action based upon a breach.
A company’s own corporate governance policies and procedures may also mandate that allegations of serious wrongdoing are responded to in a particular manner, including by means of internal investigation.
Companies regulated by the UK Financial Conduct Authority (FCA) have much less discretion as to whether to commence an internal investigation in response to allegations of wrongdoing, given that they: (1) have a positive duty to disclose to the FCA anything relating to the firm of which the regulator would reasonably expect notice; (2) must adhere to the FCA’s Principles for Businesses, notably to conduct their business with integrity, due skill, care and diligence and take reasonable care to organise their affairs responsibly; and (3) must establish and maintain effective systems and controls to prevent the risk of the firm being used to further financial crime.
It is vital that a company clarifies, in writing and at the outset of any investigation, why it is undertaking the investigation and what its objectives are – not least so that the company can strengthen any claim it may have to legal professional privilege. It is impossible to be definitive about the availability of legal professional privilege in this context, with a recent Court of Appeal decision confirming that this will turn on the facts and the contemporaneous evidence of the parties in the case at hand. It therefore remains sound advice that companies should seek to limit, insofar as is possible, the creation of any non-essential documents that address the underlying facts of the investigation. In particular, those conducting the investigation should refrain from drawing any conclusions, in writing, as to the nature of the underlying conduct, on the assumption that the documents may ultimately be disclosable.
There are significant potential downsides to a full-scale internal investigation, and while they can be mitigated, they cannot be eliminated. All investigations can be extremely costly – placing a huge burden on a company’s resources and proving disruptive to its day-to-day functioning. They may also result in the creation of a potentially discoverable, written factual matrix, or route map, of alleged wrongdoing, which would be of great assistance to any regulatory or prosecutorial investigators or civil claimants. This is of particular concern given that all investigations, however restrictively scoped, have the potential to uncover misconduct beyond the scope of the initial allegation.
Such downsides, while real, ought not to dissuade companies from commencing an internal investigation where the circumstances warrant one. Provided it is carefully planned and managed, an investigation frequently offers a company the best chance to mitigate loss, remediate wrongdoing and defend itself.
5.2 Determining the terms of reference/scope of the investigation
In the rush to get to the bottom of what has happened, it is all too easy for those conducting investigations to become slaves to a pre-determined process and to lose sight of what they set out to achieve. Setting and communicating clear objectives, as well as defining and continuously reviewing the scope and terms of the inquiry, are critical first steps towards achieving an appropriate and proportionate outcome.
As soon as an issue comes to the fore, one of the first steps a company should take is to identify all relevant stakeholders and determine responsibility for the investigation. This is important not only for creating a legally privileged environment but also for ensuring the efficient running of the investigation.
It is advisable to have in place a template investigation plan long before any incident arises, which maps out internal responsibility and reporting lines for different types of hypothetical investigations. An investigation into a suspected low-level theft by an employee is less likely to require engagement at senior management level than one concerning a widespread, systematic fraud, and these distinctions should be reflected in the plan. The plan should be embedded into the company’s written processes, along with its protocols for dawn raids and other events requiring rapid responses.
While an investigation plan will assist in assembling a team at short notice, it should nevertheless contain sufficient flexibility so as to allow responsibility for an investigation to be dictated by the particular circumstances. In particular, it is important to be alive to the possibility that some or all of the individuals tasked with carrying out investigations may in fact be part of the problem that requires investigation. Any potentially implicated individuals should be excluded from the investigation team from the outset, to avoid any risk – whether real or perceived – that the integrity of the investigation be compromised. The constitution of the team should be reviewed regularly as the matter progresses: what starts out looking like a low-level infraction may turn out to be a far more significant problem, requiring the engagement of more senior personnel.
In many cases, responsibility for initiating an internal investigation will fall to the company’s general counsel or his or her representative. Depending on the scale of the investigation and the seniority of any implicated individuals, it may sometimes be necessary to set up a special investigation subcommittee of the board to oversee the investigation, or to devolve responsibility for the investigation to the audit committee. In certain circumstances, often owing to the scale or potential implications of the matter, it will be necessary to instruct external lawyers. The involvement of external lawyers can bolster the independence and credibility of the investigation process, which may be helpful when engaging with the authorities over the findings of the investigation. Appointing external counsel can also strengthen any claim to privilege over the investigation.
Whoever is conducting the internal investigation should establish and document its scope carefully and clearly at an early stage. The scope should cover the overall objective of the investigation, the issues being investigated, the date range, the jurisdictions and whether any overseas legal advice may be required, the relevant corporate entities involved (for example, subsidiary companies) and any other relevant issues.
It is important to document the reasons for any determinations as to scope. If an issue subsequently becomes the subject of a criminal or regulatory investigation that was not identified by the company’s own investigation because it fell out of scope, it may become necessary for the company to demonstrate that the issue fell out of scope for legitimate and carefully considered reasons.
The advantages of investing time in detailed planning at this stage are many. Perhaps most importantly, focusing minds on what needs to be achieved can help to limit the company’s potential exposure to a wide-ranging, unfocused investigation. An internal investigation is not intended to be a fishing expedition, but rather a considered response to a specific problem that has been identified. That is not to say that unanticipated issues that come to light during the course of the investigation should be ignored; simply that a tightly focused investigation will undoubtedly be more conducive to resolving issues in the most time- and cost-effective manner. The planning process will also put the company in a position to demonstrate to any government authorities and interested third parties that it has taken the issue seriously from the outset.
An important part of the scope-setting exercise is to assess the nature of the potential risks that the company is exposed to. This should be reviewed continuously as the investigation progresses. A problem that appears, on its face, to be regulatory may in fact have a criminal angle that only becomes apparent part-way through, or at the conclusion of the investigation. Whether a company is facing criminal or regulatory risk can have a significant impact on how investigations should be approached.
The scope and terms of reference of the investigation should be communicated to relevant personnel, and agreement sought from key stakeholders.
It may also at this stage be necessary to agree the scope of the investigation with government agencies before proceeding further. By way of example, the FCA expects regulated firms to engage in early communication regarding proposed investigations and not to take any steps that may prejudice or obstruct its own investigations. It may even seek to impose limits on the internal investigation process. The Serious Fraud Office (SFO) is also increasingly likely to seek to restrict the internal investigation process in this way, particularly for witness interviews.
This differs markedly from the position in the United States, where the Department of Justice (DOJ) arguably expects companies to leave no stone unturned in identifying individuals involved in misconduct. Companies and their advisers can therefore often face a difficult task in attempting to balance the competing demands of multiple government agencies when determining how to approach internal investigations.
Once the scope is agreed, a detailed work plan should be produced setting out how and by whom the evidence is to be preserved, collected, reviewed and analysed. This should include identifying relevant custodians from whom evidence will be collected; who, if anyone, will need to be interviewed and in what order; and what, if any, external expertise is needed (such as forensic accountants or industry experts) and what implications this may have for privilege. It may also be necessary to seek legal advice on how any issues of data protection or banking confidentiality should be dealt with.
At this stage it should be possible to estimate a likely time frame for the investigation and the anticipated resources and costs that will be involved (at least for the initial stages of the investigation), although these will need to be kept under review and updated as the scale of the review task becomes clearer.
The work plan will need to be flexible enough to adapt to changing circumstances. While the initial plan may represent the investigation the company would carry out in an ideal world, in practice, obstacles are likely to arise that should be balanced against the need to conduct a full investigation. These may include issues such as cost, external time pressures, regulatory requirements and the ongoing needs of the business.
Whoever is overseeing the investigation should send regular feedback on progress up the reporting chain, the structure of which should have been mapped out at the scoping stage to ensure that relevant personnel are kept informed and that sensitive reports are not circulated more widely than is strictly necessary. Depending on the level of engagement with the authorities at this stage, updates may also need to be provided externally.
It is important to consider early on how the investigation’s findings and conclusions will be presented and to whom they will be disclosed, both internally and externally. While a written report can be effective in demonstrating that a thorough investigation has been conducted and the steps taken to remediate problems, any ambiguity over the existence of privilege may lead to those reports being disclosable in future proceedings. Again, the FCA has made clear that it expects to be consulted on these issues early on.
In matters that are potentially cross-jurisdictional, it should be assumed that anything provided to one interested regulator will be forwarded to others. It can nevertheless be advantageous for a company to produce material to relevant agencies proactively rather than relying on cross-border information sharing, as there is often more scope for negotiation over the level of confidentiality with which that material will be treated. For instance, while the FCA will not accept restrictions on the use to which any investigation material can be put, it will normally invite and consider any representations the company wishes to make before it discloses the material to any third party.
5.3 Document preservation, collection and review
One of the most important aspects of any internal investigation is the underlying evidence and contemporaneous documentation. The issue of document preservation, collection and review should be considered at the earliest possible opportunity once a decision has been made to commence an internal investigation. How potential evidential material is preserved and collected is likely to be critically important if it becomes necessary to engage with government agencies. At best, the credibility of any investigation would be damaged by a failure to secure all potentially relevant material at the outset. At worst, an ineffective document preservation and collection process may be viewed by a prosecutor as obstruction or an attempt to pervert the course of justice. A prosecutor or regulator might also view such a failure as unco-operative. This could put a strain on the company’s relationship with any external investigators and, potentially, become an aggravating factor in any settlement.
Ordinarily the first step that should be taken is the issuance of a ‘document retention notice’ (DRN) or ‘hold’ notice, but care must be taken not to inadvertently tip off data custodians who may also be suspects. In some cases, issuing a DRN is not appropriate, for example where the company is investigating something outside the public domain and where document collection needs to be carried out covertly (at least at the outset). The company will need to make a careful judgement call in these circumstances and ought to record the reasons for its decisions. This should assist the company to avoid subsequent criticism from any government agency. Ideally a company should have a documented process in place as part of its compliance policies and procedures. In any event, careful consideration should be given by the investigation team as to whom the hold notice should be sent to and what it should say. If the investigation has been triggered by the receipt of a subpoena or other official request for documents, the hold notice should be sent to all employees who are, or may be, in possession of potentially relevant material. The hold notice should also be sent to any third parties who perform services on behalf of the company and may hold relevant material. Any hold notice must clearly require the recipient to refrain from altering, discarding, destroying or concealing any documents that may be responsive to the subpoena or document request. It is best practice to err on the side of caution and interpret the applicability of any subpoena widely. Even in the absence of a formal document request, the hold notice should broadly provide details of the documents requiring preservation with a similar instruction not to alter, discard, destroy or conceal.
It is good practice to specify the types of material to be preserved. This should include all electronic data such as emails, documents and calendar invitations as well as hard-copy documents including notes, drafts and duplicates. The request should also make clear that it applies equally to any relevant material located outside the office or place of work, such as at home or within personal email accounts, mobile telephone text messages (including WhatsApp and other instant messaging applications) and social media accounts.
A clear record should be kept of those to whom the hold notice was sent. Ideally recipients should acknowledge safe receipt, evidence of which can easily be obtained through the use of an email read receipt. Prior to sending a hold notice, routine data destruction practices must be suspended and a complete backup obtained of all electronic data held. As well as being good practice, this allows investigators to establish whether any recipients have attempted to delete evidence following receipt of a hold notice.
The collection process presents a number of challenges and can have significant implications later in the investigation process if errors are made. For this reason it is advisable to carefully document all decisions as to what material is being collected and why, as this can be useful later in the process if external government agencies become involved.
Depending on the size of the investigation, it may be necessary to instruct external, expert forensic IT and data collection vendors. While there are inevitable cost implications in using third parties, it can be essential if the necessary expertise is not available in-house. The use of a third-party expert may also assist in retaining credibility with any interested government agencies. This is because the ‘forensic’ collection of data is highly specialised and a failure to follow the correct processes can have a significant impact on any subsequent legal proceedings. The improper collection of electronic data could interfere with, and ultimately compromise, the integrity of the underlying data.
A digital image of all relevant electronic data sources and devices (such as mobile telephones, tablets and personal computers) should be taken. When electronic devices are collected, they must be switched off by the owner. Under no circumstances should the devices be switched on again by anyone, including the company’s IT department, until they have been made available to third-party experts with the necessary expertise and equipment to collect the data without inadvertently compromising it.
It is important to think broadly when collecting electronic evidence. In addition to the more obvious sources of evidence such as network drives, hard drives, mobile telephones and tablets, consideration should be given to both landline and mobile telephone records (including numbers dialled and received), recorded telephone lines, building security logs and CCTV footage.
Collection of hard-copy material should be undertaken following a documented assessment as to where relevant material may be kept. In many cases it will be perfectly proper and proportionate to request that custodians collect the relevant material themselves and provide it either to the investigation team or to external lawyers. In some circumstances – for example, where there is a risk that evidence may be destroyed – it may be necessary to ensure that all relevant evidence is secured by conducting an unannounced collection. When doing this, it is crucial that a company’s internal policies and any local employment law considerations are taken into account. Thought should also be given to data protection issues, particularly where data from shared, as opposed to individual, drives has been collected.
It is good practice to conduct a document collection interview with each custodian, covering the location of all potential sources of material, what software the individual uses, where they save material on the network, the use of personal portable devices such as mobile phones and tablets, the use of chat and instant message systems, the use of personal email accounts, social media sites, recorded phone lines and external hard drives. The interview should also cover the location of all hard-copy documents and the custodian’s typical document destruction practices. The custodian should be asked who else, such as a secretary, personal assistant, colleague or family member, has access to his or her emails, other electronic data and hard-copy documents.
Once hard-copy material has been collected, it should be held in a secure room or locked cabinet, access to which should be monitored and restricted to members of the investigation team. To ensure a clear chain of custody, a log should be kept of any movement of material outside this locked environment and originals should not be removed.
Given the significant volume of electronic data collected in most investigations, any subsequent review can be daunting, not least in terms of time and cost. In all but the smallest investigations it is normally advisable to upload the collected material to a document review platform. The function of the platform is to collect all of the data in a central online database that has search and tagging functionality, allowing the investigation team to review and produce documents efficiently. A wide range of platforms are available, each offering broadly similar functions, though consideration should be given to data protection and jurisdictional issues. All the material collected should be uploaded to the review platform, including any hard-copy documents that can be processed using optical character recognition technology to allow the text to be searched in the same way as electronic data.
Once the data is uploaded it can be processed to confine the review set to the relevant parameters. These can include date ranges, document types and custodians, and will usually involve the removal of duplicate documents. It is crucial for both the investigation and its credibility that documents be carefully tracked throughout. To allow for this, each document will be assigned a unique identifying number when it is uploaded to the review platform. The review platform will also provide for any linked parent-and-child documents (such as emails and attachments) to be easily identified.
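The processing step described above, as an added example that is not part of the original article and not taken from any review platform: it filters by date range, document type and custodian, removes duplicate email families, assigns each document a unique number and records parent-and-child links. Deduplication by SHA-256 hash, the `DOC-` numbering scheme and all names and sample data are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Item:
    custodian: str
    dated: date
    doc_type: str                                  # "email", "document", "attachment"
    content: bytes
    children: list = field(default_factory=list)   # attachments of a parent email


def family_digest(item: Item) -> str:
    """Hash a parent together with its attachments, so that a family is
    deduplicated as a unit and attachments are never separated from emails."""
    h = hashlib.sha256()
    for part in [item] + item.children:
        h.update(hashlib.sha256(part.content).digest())
    return h.hexdigest()


def build_review_set(items, start, end, custodians, doc_types, prefix="DOC"):
    """Return (review_set, audit). The audit trail records every item that was
    filtered out or suppressed as a duplicate, so each document stays traceable."""
    review_set, audit, seen = [], [], {}
    counter = 0

    def next_id():
        nonlocal counter
        counter += 1
        return f"{prefix}-{counter:06d}"

    for item in items:
        in_scope = (item.custodian in custodians
                    and start <= item.dated <= end
                    and item.doc_type in doc_types)
        if not in_scope:
            audit.append({"action": "out_of_scope",
                          "custodian": item.custodian, "ref": None})
            continue
        digest = family_digest(item)
        if digest in seen:
            # Keep a record of which custodian also held the suppressed copy.
            audit.append({"action": "duplicate",
                          "custodian": item.custodian, "ref": seen[digest]})
            continue
        parent_id = next_id()
        seen[digest] = parent_id
        review_set.append({"id": parent_id, "parent": None,
                           "custodian": item.custodian,
                           "sha256": hashlib.sha256(item.content).hexdigest()})
        for child in item.children:
            review_set.append({"id": next_id(), "parent": parent_id,
                               "custodian": item.custodian,
                               "sha256": hashlib.sha256(child.content).hexdigest()})
    return review_set, audit


def demo():
    """Constructed sample data: two custodians hold the same email family,
    one document falls outside the date range, and one email shares a body
    with the first but carries a different attachment."""
    body = b"Please see the attached invoice."
    items = [
        Item("alice", date(2017, 3, 1), "email", body,
             [Item("alice", date(2017, 3, 1), "attachment", b"invoice-v1")]),
        Item("bob", date(2017, 3, 1), "email", body,
             [Item("bob", date(2017, 3, 1), "attachment", b"invoice-v1")]),
        Item("carol", date(2015, 6, 30), "document", b"old board minutes"),
        Item("alice", date(2017, 4, 1), "email", body,
             [Item("alice", date(2017, 4, 1), "attachment", b"invoice-v2")]),
    ]
    return build_review_set(items,
                            start=date(2016, 1, 1), end=date(2017, 12, 31),
                            custodians={"alice", "bob", "carol"},
                            doc_types={"email", "document"})


if __name__ == "__main__":
    review_set, audit = demo()
    for row in review_set:
        print(row["id"], "parent:", row["parent"], row["custodian"])
    for entry in audit:
        print(entry)
```

Hashing the whole family means the second email, which has the same body but a different attachment, is kept as a separate document rather than being suppressed as a duplicate.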
At this stage of the review process, consideration should be given to creating a list of search terms to narrow the data set further. Traditionally, this process has simply consisted of listing relevant search terms, such as names, case-specific keywords, telephone numbers or any other words or phrases that could help in identifying relevant documents. While this remains a helpful method of identifying relevant documents, many vendors now provide more sophisticated search and document review technologies that can accurately detect and relate unique phrases among unstructured data sets to refine the data set to the most relevant information.
These review technologies are broadly classified under the name ‘predictive coding’ and provide for the building of an intuitive automated learning process and case-specific algorithms into the platform itself. Put simply, once the review is begun, the platform is able to learn what the reviewers are looking for and move the most relevant documents to the top of the review list. This can dramatically speed up the identification of the most relevant documents. Other tools include concept searches, context searches, metadata searches, relevance ranking, clustering and early case assessment. To varying degrees, all of these processes allow review teams to focus quickly on relevant documents and potentially identify relevant witnesses.
Once the collected material has been processed and searched (irrespective of whether any predictive coding technologies have been used), it will be necessary to begin a human review of the data set. A standard linear review, namely a review of all the material responsive to search terms, should be conducted by a first-level review team. The size of the team will depend on when the review needs to be completed and how many documents form the review set.
To assist in this process, a senior member of the investigation team should draft a review memorandum, which should include the necessary background to allow the review team to identify the relevant documents and should be accompanied by training for each member of the review team. A document coding protocol should also be prepared, detailing the tags that are available to the review team. The appropriate number of available tags is a matter of preference and will depend on the complexity of the investigation, but it is recommended to try to future-proof the investigation so that the document set can easily be cut down to the relevant subsets of material as required. Reviewers will usually tag documents as ‘relevant’ or ‘not relevant’, with other issue tags being used as appropriate.
A list of potential interviewees to allow reviewers to identify documents relevant to each interviewee is often helpful at this stage. However a document review is structured, it is important that ‘hot documents’ are identified and quickly escalated to the relevant people within the investigation team. Establishing a daily call or meeting allows the review team to provide feedback on the type of material they are seeing in their review and to receive guidance from the investigation team. It may also be helpful for reviewers to be tasked with creating event chronologies. The source of each event identified in the chronology should be clearly identified.
It is best practice for reviewers to identify potentially privileged material, broadly defined to include material that may be subject to bank examiners’ privilege (in the United States), bank secrecy (in the United Kingdom), data protection or other jurisdiction-specific issues. Regulators and third-party litigators will often request a privilege log, and a considerable amount of time can be saved if this is created at the outset.
5.3.4 Considerations when documents are located in multiple jurisdictions
A range of complicating factors can arise when material located in multiple jurisdictions is being reviewed. Local legal advice should be sought if there are any concerns about reviewing material or moving it from one jurisdiction to another. Bank secrecy and data privacy requirements often mean that reviews have to be carried out in the territory where the data is held. In these circumstances data should not be uploaded to a server located outside the territory. It may be helpful to arrange for a mobile server to be deployed, so that the data does not have to leave the company’s premises.
Data protection issues are often a concern and expert advice should be sought in cases of doubt, especially following the Data Protection Act 2018’s entry into force and the contingent requirement to comply with the EU’s General Data Protection Regulation.
1 Christopher David is counsel and Lloyd Firth is a senior associate at Wilmer Cutler Pickering Hale and Dorr LLP.
2 Guidance on Corporate Prosecutions issued by the Director of Public Prosecutions, the Director of the Serious Fraud Office and the Director of the Revenue and Customs Prosecutions Office, page 8, paragraphs a. and c. (original emphasis), available at: https://www.sfo.gov.uk/publications/guidance-policy-and-protocols/corporate-self-reporting/.
3 The Deferred Prosecution Agreements Code of Practice, page 5, paragraph 2.8.2i., available at https://www.cps.gov.uk/publications/directors_guidance/dpa_cop.pdf.
4 Companies Act 2006, section 172.
5 Companies Act 2006, section 174.
6 Companies Act 2006, sections 260 to 264.
7 The position for companies in the United States is more onerous. The Sarbanes-Oxley Act of 2002 imposes a positive obligation on each relevant company to establish an audit committee with specific responsibility for investigating complaints of financial fraud involving auditing, accounting or internal controls issues. Similarly, under the Whistleblower Programme established by the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, the Securities and Exchange Commission takes into account a company’s response to its receipt of an internal tip in determining whether to bring an enforcement action against the company.
8 FCA Handbook, PRIN2.1.1R, Principle 11.
9 Since August 2015, regulated firms have also had a positive duty to notify the FCA as soon as they become aware, or have information which reasonably suggests, that a significant infringement of any applicable competition law has, or may have, occurred (FCA Handbook, SUP 15.3.32).
10 FCA Handbook, PRIN2.1.1R, Principle 1.
11 FCA Handbook, PRIN2.1.1R, Principle 2.
12 FCA Handbook, PRIN2.1.1R, Principle 3.
13 FCA Handbook, SYSC3.2.6R and SYSC6.1.1R.
14 Director of the Serious Fraud Office v. Eurasian Natural Resources Corporation Ltd  EWCA Civ 2006.