Production of Information to the Authorities

11.1 Introduction

There are many situations in which a company may face a choice, or a demand, to disclose documents and information to a law enforcement authority or regulator. These range from responding to a raid on corporate and individual premises, to compliance with a subpoena or other compulsory process, to the voluntary provision of information during a self-disclosure. The types of information and the circumstances in which a company is obliged – or even able – to produce relevant documents is circumscribed by various laws. For example, a company must address concerns regarding confidentiality, employee privacy, data protection and legal privilege (and, in certain jurisdictions, bank secrecy restrictions or blocking statutes). This becomes additionally complicated in cross-border cases where multiple legal regimes may apply and may conflict with one another. Add to this the not uncommon scenario of authorities from different countries seeking the same (or slightly different) information and it becomes a legal and practical minefield. This chapter cannot hope to cover the immense number of variables that a company may face in these circumstances, but it does seek to provide practical guidance on some of the most important points.

11.2 Production of documents to the authorities

11.2.1 Formal requests for disclosure (and related document hold issues)

11.2.1.1 Commonly used powers (UK)

Most regulatory and enforcement authorities have formal powers to compel individuals and companies to produce documents and provide information.

In the area of financial crime and corruption involving the United Kingdom, the most likely authority to be seeking to investigate and prosecute will be the Serious Fraud Office (SFO). It has powers to seek the production of documents and information at both a pre-investigation stage in relation to bribery and corruption cases under section 2A of the Criminal Justice Act 1987, and, once it opens a formal investigation, under section 2 of the same Act. These powers can be exercised against companies and individuals to produce documents and information, including by way of compelled interview where there is no right to silence (although the individual cannot be later prosecuted regarding matters arising from the interview, unless the information is found to be false). A failure to provide the documents and information within the time specified in the production notice is a criminal offence, unless the recipient can show that it had a reasonable excuse not to comply (such as an injunction preventing production).

In the field of financial markets regulation, the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) have powers to compel the production of documents, contained in Part 11 of the Financial Services and Markets Act 2000 (FSMA). The key provision is section 165, subsections 1 to 6 of which are set out below as an example of how information-gathering powers are conferred:

165 Regulators’ power to require information: authorised persons etc.

(1) Either regulator may, by notice in writing given to an authorised person, require him–

(a) to provide specified information or information of a specified description; or

(b) to produce specified documents or documents of a specified description.

(2) The information or documents must be provided or produced–

(a) before the end of such reasonable period as may be specified; and

(b) at such place as may be specified.

(3) An officer who has written authorisation from the regulator to do so may require an authorised person without delay–

(a) to provide the officer with specified information or information of a specified description; or

(b) to produce to him specified documents or documents of a specified description.

(4) This section applies only to–

(a) information and documents reasonably required in connection with the exercise by either regulator of functions conferred on it by or under this Act; and

(b) in relation to the exercise by the PRA of the powers conferred by subsections (1) and (3), information and documents reasonably required by the Bank of England in connection with the exercise by the Bank of its functions in pursuance of its financial stability objective.

(5) The regulator in question may require any information provided under this section to be provided in such form as it may reasonably require.

(6) The regulator in question may require–

(a) any information provided, whether in a document or otherwise, to be verified in such manner, or

(b) any document produced to be authenticated in such manner,

as it may reasonably require.

‘Authorised person’ is defined in section 31 of FSMA and means, very broadly, a person providing a regulated financial service.

The FCA has set out its policy in relation to its exercise of enforcement powers under the FSMA (and other legislation) in its Enforcement Guide.^[2] The Enforcement Guide is useful as it not only sets out the FCA’s approach to its task as the United Kingdom’s financial markets regulator, but also it reflects the general approach of UK regulators to their document production powers.

In paragraphs 4.8 and 4.9 of the Enforcement Guide, the FCA states that its standard practice is to use its statutory powers to require the production of documents, the provision of information or the answering of questions in interview. The FCA suggests that this is for reasons of fairness, transparency and efficiency. The Enforcement Guide goes on to suggest, however, that it will sometimes be appropriate to depart from this standard practice, as it relates to document production, in cases:

• involving third parties with no professional connection with the financial services industry, such as the victims of an alleged fraud or misconduct, in which case, the FCA will usually seek information voluntarily;
• where the FCA has been asked by an overseas or EEA regulator to obtain documents on their behalf, in which case the FCA will discuss with the overseas regulator the most appropriate approach.

In the second scenario, it is important to consider the effect of regimes and jurisdictional protections colliding. For example, how might the US right to silence mesh with the UK compelled disclosure regime? The Enforcement Guide states that the FCA will make it clear to the company or individual concerned whether it requires him, her or it to produce information or answer questions under FSMA or whether the provision of information is voluntary.^[3]

Similar (but unique) powers also lie in the hands of the Competition and Markets Authority, the National Crime Agency, the police, Her Majesty’s Revenue and Customs, and the Health and Safety Executive. Many of these authorities may also apply for and obtain search warrants and use these powers more often than their US counterparts do.

11.2.1.2 Commonly used powers (US)

In the United States, most federal agencies, including the United States Department of Justice (DOJ), the Commodity Futures Trading Commission (CFTC) and the Securities and Exchange Commission (SEC), may issue subpoenas (or administrative orders) and compel individuals and companies to produce documents and testimony.^[4] In the case of the DOJ, a subpoena may compel the production of documents in connection with either a civil or criminal investigation.^[5] The CFTC’s regulations provide that:

The Commission or any member of the Commission or of its staff who, by order of the Commission, has been authorized to issue subpoenas in the course of a particular investigation may issue a subpoena directing the person named therein to appear before a designated person at a specified time and place to testify or to produce documentary evidence, or both, relating to any matter under investigation.^[6]

Additionally, state agencies and each state’s attorney general can compel the production of documents and testimony. As an example, Section 352 of the New York General Business Law permits the Attorney General to commence an investigation of an individual or corporation and to seek documents and testimony in connection with that investigation. The Securities Act, the Securities Exchange Act, the Investment Advisers Act and the Investment Company Act all permit the SEC to issue subpoenas in connection with an ongoing investigation of misconduct.^[7] Before a subpoena can be issued, the staff of the SEC must obtain a formal order of investigation.^[8]

Criminal offences for refusing to comply with a request, providing false or misleading statements, or concealing documents, generally supplement such powers.^[9]

11.2.1.3 Scope and timing

In practice, a company can do little to resist complying with a formal request for disclosure without resorting to court proceedings to challenge the validity or scope of the request. However, it can likely negotiate with the relevant authority regarding the scope of documents responsive to the request and the production date to limit the scope of the request to what is proportionate and reasonable.

Broadly drawn requests are unfortunately not uncommon, as investigators seek to ensure the requests will capture all relevant information. Early engagement with the relevant authority will typically ensure that both parties can agree on scope and a timetable for production: a request looking back over a long period, or even without any time limit, could involve a time- and resource-intensive review and expensive production exercise. This may not be in the interests of the prosecuting agency or the company if a more targeted request could produce the information. Whether an agreement to narrow the scope of the request is possible is likely to depend, in large part, on factors outside the company’s control – such as the nature and scope of the authority’s investigation (which the authority may be unwilling to share and is likely to base on information and evidence outside the company’s knowledge). However, the company and its legal advisers should nonetheless seek a reasonable, proportionate and practically achievable production: for example, by seeking to agree to produce documents relating to X project, between Y–Z dates and if necessary to produce the documents in tranches.

It becomes increasingly difficult to manage the response to multiple authorities, particularly if they are in different countries and have different areas of focus. Similarly, a company must consider whether the production notice extends to materials held overseas.

11.2.1.4 Practical steps on receipt

Upon receipt of a document request, a company should – in most cases –immediately issue a document retention (or hold) notice (DRN) (if one is not already in place). A company should take care not inadvertently to tip off data custodians, who may also be suspects. In some cases, issuing a DRN is not appropriate; for example, where the company is investigating matters outside the public domain and needs to collect documents covertly at the outset. The issuing of a DRN will assist the company to demonstrate that it has taken steps to preserve all potentially relevant documents in existence at the date of the request. The DRN should track the terms of the production notice, and be sent to all personnel who may have responsive documents, including the IT department and records department. The term ‘document’ should be widely drawn to include any paper or electronic records present on any media belonging to the company or its employees, including corporate information located off-site. The company may also need to manage complicated issues around data privacy and personal media.

The DRN should confirm that employees must not delete, alter, conceal or otherwise destroy company documents. Simultaneously, the company should take steps to secure and preserve all relevant information held on the company’s servers and backup tapes, including through external providers. It should also immediately suspend routine document and data destruction processes.

Most authorities will have their own technical standards, which the collection and production of electronically stored information must meet. It is therefore likely that a company seeking to respond to a subpoena or production notice will want to consider instructing a forensic IT specialist company to assist with the collection and production efforts. This will have the added benefit of ensuring that a company can demonstrate the independence of this analysis, that it is taking clear co-operative steps, and protects employees, as far as possible, from having to give evidence in any subsequent proceedings.

11.2.2 Informal requests for disclosure: voluntary production and co-operation

A company may wish to consider voluntarily providing documents to an authority as part of a self-report or to demonstrate its co-operation with an investigation. Government investigators and investigating authorities regularly hold out the possibility of co-operation credit to companies to encourage them to provide information about their own misconduct.

From February 2014, deferred prosecution agreements (DPAs) have been available in the United Kingdom to the SFO and Crown Prosecution Service (CPS) for disposing of corporate criminal conduct relating broadly to economic crime (including, in particular, fraud, corruption and money laundering).^[10] The SFO and the English courts have emphasised that one of the most important factors for a DPA is early reporting and co-operation by the company. Co-operation should be ‘genuinely proactive’.^[11] This includes the voluntary production of relevant documents, the importance of which has been demonstrated in one of the early DPA cases of SFO v. Rolls-Royce PLC,^[12] discussed later in this chapter.

In the United States, too, the authorities have routinely emphasised that they will consider self-reporting and co-operation with government investigations as a key factor when determining whether to charge a corporation.^[13] Under the DOJ’s Foreign Corrupt Practices Act (FCPA) Corporate Enforcement Policy,^[14] ‘when a company satisfies the standards of voluntary self-disclosure, full cooperation, and timely and appropriate remediation, there will be a presumption’ that the DOJ will resolve the matter by declining to prosecute the company.^[15] The new policy, which has been incorporated into the DOJ’s Justice Manual, defines ‘Full Cooperation in FCPA Matters’ to include, among other things:

Timely preservation, collection, and disclosure of relevant documents and information relating to their provenance, including (a) disclosure of overseas documents, the locations in which such documents were found, and who found the documents, (b) facilitation of third-party production of documents, and (c) where requested and appropriate, provision of translations of relevant documents in foreign languages … .^[16]

Importantly, the Corporate Enforcement Policy does provide benefits to a company that does not voluntarily self-disclose misconduct but does fully co-operate with an investigation and implement timely and appropriate remediation.^[17]

Timing is important, both for a potential DPA and in relation to anti-cartel regimes, which often provide an amnesty only to the first discloser.^[18]

As has been noted above, the FCA’s standard practice is to rely on its statutory powers to require the production of documents. While there is merit in adopting this policy, and it does avoid the risks to companies of voluntarily disclosing documents to the FCA set out below, nothing prevents the FCA from seeking voluntary production. Principle 11 of the FCA’s Principles for Businesses states that: ‘A firm must deal with its regulators in an open and co-operative way, and must disclose to the appropriate regulator appropriately anything relating to the firm of which that regulator would reasonably expect notice.’ A materially identical provision is included in the PRA’s Rulebook as Fundamental Rule 7. While this chapter focuses on the approach of the FCA, it is worth remembering that the PRA has similar enforcement powers (and is using them with increasing frequency). Both regulators interpret these obligations to proactively bring matters to their attention widely, and are prepared to take enforcement action against firms and individuals for failures to discharge these obligations (even in the absence of other underlying failings). Prudential Group (fined £30 million for failing to inform the FSA of its proposed acquisition of AIA until after it had been leaked to the media), Goldman Sachs (fined £17.5 million for not disclosing an SEC investigation into its staff and members of The Goldman Sachs Group), and the Co-operative Bank (issued a final notice for failing to notify the PRA without delay of two intended personnel changes in senior positions) are recent examples. This places regulated firms in a different position from other corporates: it reduces the scope for the decision whether to self-report or not.

Principle 11 is mainly intended as a supervision tool and sets out a broad duty of co-operation that the FCA often relies on to oblige the production of documents prior to formal investigations being commenced (sometimes, but not always, for the purpose of deciding whether an investigation should be commenced and, if so, in respect of which firms and individuals). The FCA’s view of what is meant by being open and co-operative within Principle 11 is set out in the FCA Handbook, in the ‘Supervision’ section (referred to as SUP). SUP 2.3 provides that ‘open and co-operative’ includes a regulated entity making itself readily available for meetings with the FCA, giving the FCA reasonable access to records, producing documents as requested, and answering questions truthfully, fully and promptly. Where a formal investigation has been commenced, the FCA would not seek to rely on Principle 11 as a substitute for its other statutory powers that compel production. While it would be a clear breach of Principle 11 to fail to comply with a statutory request for the production of documents, a failure to comply with a voluntary request for the production of documents would not, of itself, result in disciplinary proceedings. The Enforcement Guide does state, in the context of co-operation, that:

The FCA will not bring disciplinary proceedings against a person for failing to be open and co-operative with the FCA simply because, during an investigation, they choose not to attend or answer questions at a purely voluntary interview. However, there may be circumstances in which an adverse inference may be drawn from the reluctance of a person (whether or not they are a firm or individual) to participate in a voluntary interview. If a person provides the FCA with misleading or untrue information, the FCA may consider taking action against them.^[19]

The Enforcement Guide further provides that if a person does not comply with a requirement imposed by the exercise of statutory powers, he or she may be held to be in contempt of court. The FCA may also choose to bring proceedings for breach of Principle 11.^[20] Therefore, while there is no guidance indicating that a failure to produce documents voluntarily (as opposed to attending a voluntary interview) would result in an adverse inference being drawn, a decision by a company not to produce documents voluntarily in any particular case should not be made without careful forethought and proper advice on the potential consequences.

As this suggests, the Enforcement Guide recognises the importance of an open and co-operative relationship with the firms it regulates to the effective regulation of the UK financial system. When deciding whether to exercise its enforcement powers, the FCA considers, among a number of factors, the level of co-operation demonstrated by a firm. When weighing the level of co-operation, the FCA considers whether the firm has been open and communicative with it.

Voluntarily disclosing documents carries a risk that the authority may not give any meaningful credit and may nonetheless decide to prosecute or expand an investigation already under way. Therefore, the company should weigh the likelihood of the authority being able to serve a formal request for disclosure in the relevant jurisdiction.

In some instances, a formal notice for disclosure will be preferred: for example, where a company has obligations of confidentiality, preventing voluntary disclosure. The most common examples are lawyers and financial institutions, who could both face an action for breach of confidence for supplying documents or information without a formal regulatory request. In some self-reporting circumstances, it may be appropriate for a company to seek such a notice from the relevant authority to ensure that it does not open itself up to civil action. The notice should be narrowly drawn, in consultation with the regulator, and should not affect the company’s co-operation credit. Likewise, in some situations, the company may prefer to ask to be provided with a formal document request to demonstrate that they have been compelled to produce the documents to the authorities and have not done so voluntarily.

11.2.3 Production of information to multiple authorities

The increasingly complex and multi-jurisdictional nature of investigations means that a company may face requests for formal disclosure from more than one authority. This could be authorities with different mandates within the same jurisdiction, or authorities with similar mandates from different jurisdictions. In either case, multi-authority investigations demand holistic strategies and systems to allow a company to keep track of evidence disclosed to (or seized by) different authorities. A company may also want to consider if there is any strategic advantage to disclosing to one authority before another. However, recent large-scale global investigations into the manipulation of LIBOR and foreign exchange rates demonstrate the ever increasing levels of intra- and international co-operation between regulators.^[21] Practical steps a company can take when faced with multiple requests for formal disclosure include:

• early engagement with each authority, to communicate expectations and practical difficulties of responding to multiple requests;
• identifying and prioritising information that is commonly responsive to the requests rather than focusing on responding to each individual request in isolation;
• maintaining clear production schedules; and
• ensuring a system for Bates numbering^[22] for each authority.

11.2.4 Documents and data outside the jurisdiction

11.2.4.1 Voluntary production

In cross-border fraud or corruption cases, not all of a company’s documents will be located or even accessible in the same jurisdiction as the investigating authority. A company should consider what documents are stored overseas, and which of these it should provide to investigators. A company in receipt of a formal production notice will need to assess whether the notice extends to documents outside the jurisdiction, and, if so, the extent to which the company has ‘custody or control’ over documents held by subsidiaries or overseas branches.^[23] The board of a parent company will not necessarily control the management of a subsidiary.^[24] Where production is voluntary, a company may take a more holistic view of the investigation and production (subject to local law restrictions). The extent to which it may want to voluntarily disclose information may depend on the ability of the investigating authority to obtain that information itself. However, given the increasing co-operation between authorities on the international stage, careful voluntary production of material is likely to be preferable, and vital if the company seeks co-operation credit. Importantly, to receive ‘full cooperation’ under the FCPA Corporate Enforcement Policy where disclosure of data held overseas may be prohibited due to a statute, rule or regulation, ‘the company bears the burden of establishing the prohibition. Moreover, a company should work diligently to identify all available legal bases to provide such documents.’^[25]

11.2.4.2 Mutual legal assistance

In the United Kingdom, sections 7 to 9 of the Crime (International Co-operation) Act 2003 (CICA) govern requests to obtain evidence from abroad in relation to a prosecution or investigation taking place in the United Kingdom, shaping the mutual legal assistance (MLA) powers of UK authorities. Under CICA, an MLA request can only be made if it appears to the investigating authority that an offence has been committed or there are reasonable grounds for suspecting that an offence has been committed, and either proceedings in respect of that offence have been instituted or the offence is being investigated.^[26] The request must relate to the obtaining of evidence ‘for use in the proceedings or investigation’.^[27] But, it could allow an investigating agency to have foreign law enforcement officers launch raids, arrest suspects or conduct interviews on its behalf.^[28] If the implementation of an MLA request in the requested state requires a court order, then the court in the requested state is likely to apply the relevant principles in its own jurisdiction to satisfy itself that the requested order is justified.

Note that among the vast majority of EU Member States, European investigation orders (EIOs) now allow streamlined access to evidence and information in criminal investigations. EIOs work on the basis of mutual recognition, and judicial authorities can use them to request assistance with ‘any investigative measure’ (although the EIO itself will identify a number of investigative activities that it does not permit). More specifically, the EIO:

• replaces the previous fragmented legal framework for obtaining evidence within Europe by providing a single instrument;
• imposes a strict 30-day deadline for the Member State to accept the request, and 90 days to comply;
• limits the reasons for which the Member State can refuse the request;
• introduces a standard form; and
• prioritises the necessity and proportionality of the measure as part of the rights of the defence.

EIOs were created by EU Directive 2014/41/EU, which came into force in the United Kingdom on 31 July 2017 (transposed through the Criminal Justice (European Investigation Order) Regulations 2017). The United Kingdom has opted into the EIO regime even though it has chosen to exit the European Union. In April 2018, the European Commission issued a proposal for a Regulation on European Production and Preservation Orders for electronic evidence in criminal matters.^[29] The proposal aims to reform cross-border access to electronic evidence and make mutual legal assistance across Member States more efficient. It would allow Member States to request electronic evidence directly from service providers established or represented in a Member State that provide services in the European Union (regardless of the location of the data requested). The regulation would require the service provider to respond within 10 days, or, in cases of emergency, six hours.

There is currently no timeline for the intended enactment of the regulation, but, most likely, any enactment will follow Brexit; the United Kingdom is therefore unlikely to be part of the new regime unless it opts in.

The MLA process can be cumbersome, but is a very real threat in the event a company does not co-operate. A company should also not overlook the significant scope for informal direct investigator-to-investigator co-operation. Agencies such as Interpol have dedicated programmes to share information between, and support investigations by, investigating agencies in different countries. Communications between the SFO and DOJ are frequent. The FCA, specifically, has a broad discretion to assist foreign regulators. This discretion is set out in section 169 of FSMA. The statutory power is supplemented by relevant FCA policy. Subsection 169(4) sets out the considerations in the FCA’s decision as to whether to assist a foreign regulator. It provides:

(4) In deciding whether or not to exercise its investigative power, the regulator may take into account in particular:

(a) whether in the country or territory of the overseas regulator concerned, corresponding assistance would be given to a United Kingdom regulatory authority;

(b) whether the case concerns the breach of a law, or other requirement, which has no close parallel in the United Kingdom or involves the assertion of a jurisdiction not recognised by the United Kingdom;

(c) the seriousness of the case and its importance to persons in the United Kingdom;

(d) whether it is otherwise appropriate in the public interest to give the assistance sought.

In an early decision on this section, Financial Services Authority v. Amro International,^[30] the Court of Appeal held that there was nothing in section 169 that required the FCA’s predecessor body to satisfy itself of the correctness of what it was being asked to investigate or gather by way of information. At the SEC’s behest, the FCA could seek any document that it reasonably considered relevant to the investigation the SEC was conducting. The Court of Appeal made clear that the only requirements the FCA must meet were contained in the statute. The Court of Appeal also noted that in exercising these powers, the stricter rules attaching to the drafting of a subpoena did not apply and the description of the documents sought would be acceptable provided the recipient could identify the documents he or she was required to produce.

In addition to the FCA’s statutory powers, a number of memoranda of understanding are in place between UK regulators and their overseas counterparts (most notably the SEC and other US regulators) concerning co-operation and information sharing. Recent years have seen significant co-operation between the SEC and the FCA and its cognate agencies.

Similarly, the United States has entered into mutual legal assistance treaties (MLATs) with various countries, which can be used for the sharing of information and taking of evidence abroad.^[31] Some US authorities also have memoranda of understanding in place with sister agencies outside the United States, which can allow for inter-agency sharing of documents.

11.2.4.3 Data protection

Responding to an investigation (and conducting an internal investigation) will require data about individuals to be processed. Such an exercise will engage a number of data protection considerations.^[32] A company cannot assume that complying with the data protection requirements in the investigated jurisdiction will mean compliance with overseas data protection laws. And local law may restrict a company’s ability to transfer individual data overseas. The European Union’s General Data Protection Regulation (GDPR) came into force on 25 May 2018 and applies within the EU and to those data controllers and processors outside the EU who offer goods and services to EU consumers. Chapter 5 of the GDPR deals with transfers of data to third countries (and international organisations) and re-enacts existing restrictions on transferring data to countries that do not have adequate privacy protections in circumstances where other ‘appropriate safeguards’ are not in place. The GDPR introduces a limited derogation to its principles based on ‘compelling legitimate interests’, which could cover non-repetitive transfers to foreign regulators, but would require prior notification to the relevant data protection authority.

11.2.4.4 Blocking statutes

Blocking statutes prevent the disclosure of certain documents for the purpose of legal proceedings in a foreign jurisdiction, except pursuant to procedures set out in an international treaty or agreement. Article 1bis of the French Blocking Statute provides:

[I]t is prohibited for any person to request, to investigate or to communicate in writing, orally or by any other means, documents or information relating to economic, commercial, industrial, financial or technical matters leading to the establishment of proof with a view to foreign administrative or judicial proceedings or as a part of such proceedings.

There has historically been very little enforcement of the French Blocking Statute – with some companies choosing to ignore it completely.^[33] However, as a consequence of the Sapin II law, which was implemented in June 2017, the Parquet National Financier has begun to lead cases involving the enforcement of the Blocking Statute, signalling that the French authorities are considering the issues raised by the Blocking Statute in more depth. The French authorities have traditionally taken any derogation from the letter of the law seriously and insist on the use of mutual legal assistance requests and inter-agency communications. This can leave companies in the unenviable position of being caught between authorities (if the US authorities, for example, expect production direct from the corporate). In such circumstances, agency-to-agency communications should be encouraged. Similarly, Article 271 of the Swiss Criminal Code prohibits a person performing an ‘official act’ on behalf of a foreign authority on Swiss soil. This can block the collection of evidence located in Switzerland intended for use in proceedings outside the country.

A decision to refuse to disclose documents or information due to a blocking statute may not be respected by the requesting authority^[34] and could affect any co-operation credit available – leaving the company between a rock and a hard place. This demands early and detailed dialogue with the relevant authority alongside expert local counsel advice who can educate the regulators about the relevant laws and any potential workarounds for production of information.

11.2.4.5 Bank secrecy

Bank secrecy laws prohibit banking officials from releasing confidential information about a customer to third parties outside of financial institutions, unless compelled by law. Sometimes, such a disclosure is criminalised.^[35] A bank under investigation may seek to rely on this secrecy. It should also be cautious not to infringe this secrecy inadvertently in providing information to a regulator. Note, though, that a historic deference to the banking secrecy rules of foreign jurisdictions, premised on comity or respect for the acts of foreign governments, may slowly be eroding. Even Switzerland, in recent times, has stripped away a number of its many layers of secrecy through international agreements,^[36] and, in our experience, has become, in practice, more willing to co-operate with requests for information.

11.2.4.6 State secrets

Sending data outside a jurisdiction may be contrary to state secrecy laws. Some jurisdictions, such as China, have wide definitions of what amounts to a state secret. The Law of the People’s Republic of China on Guarding State Secrets, at Article 8, defines state secrets to include ‘secrets in national economic and social development’ and ‘secrets concerning science and technology’. Similarly, Kazakhstan treats some geological data as a state secret. The consequences of violation can be serious. Article 111 of the Chinese Criminal Law makes violating state secrets a capital crime. In countries such as China, where many companies are state-owned, this is not straightforward. Again, locating expert local counsel is a must.

State secrecy laws may also restrict certain categories of documents to authorised eyes only. This is particularly pertinent for defence companies. Withholding production of such documents will require careful negotiation. Remember that the investigating agency is likely to have authorised persons of its own, who can review the documents. Finding a practical way for these to be produced by external lawyers (where prior authorisation is unlikely) will likely be more difficult and undoubtedly will increase the time it will take to respond to a request for documents and may require the review of documents ‘in country’ instead of producing the documents to the US authorities. Another potential workaround is production of information through MLATs and MOUs that allow a company to first produce documents to a local authority and thereby comply with the relevant regulations.

11.2.4.7 Whose rules of privilege apply?

It may not be clear whose rules of privilege apply when a company discloses in one jurisdiction documents created in another. English courts will generally apply English law to the question: theoretically, an unprivileged document in its country of origin could be privileged in England and vice versa. In the United States, there is no general rule, although government agencies will generally apply privilege principles broadly, although subject to certain procedural requirements, such as the production of privilege logs.

Companies should also be aware that some countries do not have developed principles of legal privilege and special care is required in creating or sending otherwise-privileged documents to such jurisdictions. Likewise, in some juris­dictions privilege does not extend to communications with in-house counsel and the role of internal counsel may be held by someone who is not an attorney, and therefore privilege may not be recognised in connection with their communications.

Further complications come when dealing with international regulatory bodies. In Akzo Nobel, for example, the European Court of Justice held that the law of the European Union superseded that of the relevant national jurisdictions; therefore, in competition cases internal counsel’s advice will not be privileged – nor will that of external legal advisers who are not EU-qualified lawyers.^[37]

11.3 Documents obtained through dawn raids, arrest and search

During a raid (or execution of a search warrant) on corporate premises, it is important to seek to obtain and understand the terms of the warrant. Check simple facts such as the premises’ address, the date and relevant powers and authorisations. If appropriate, a company may challenge the scope of the warrant (if it is unduly wide or based on erroneous facts or information). Importantly, the company and its advisers should ensure during the raid that documents outside the terms of the warrant are not seized (unless taken under relevant search and sift powers,^[38] or as can be justified under ancillary legislation^[39]) and take care both during the raid and afterwards to protect legally privileged materials. In the United States, it is nearly impossible to challenge the scope of a warrant that calls for the immediate search of a specific location. More likely, a company would have to seek to suppress evidence obtained pursuant to a warrant in a later proceeding. There may, however, be opportunities to challenge the scope of a warrant seeking electronically stored information before the data is actually collected and produced.^[40] As an example, where a company is asked to execute a warrant on behalf of the government, such as when a service provider is asked to collect electronic information of a third party, there may be additional opportunities for a company to challenge the scope of a subpoena. It is likely that the vast majority of documents obtained during a search will be electronic. It is important to agree to a process with the authorities for dealing with any electronic media that is privileged. In the United Kingdom, most investigative agencies have developed sophisticated procedures in this area. The SFO’s policy and system for dealing with material covered by legal professional privilege (LPP) is explained in its Operational Handbook:

When the SFO requires the production of material, or seizes material pursuant to its statutory powers, all material which is potentially protected by LPP must be treated with great care to:

Minimise the risk that LPP material is seen or seized by an SFO investigator or a lawyer involved in the investigation.

Ensure that any LPP material which is seized is properly isolated and promptly returned to the owner without having been seen by an SFO investigator or a lawyer involved in the investigation.

Ensure that any dispute relating to LPP is resolved in advance of the material being seen by an SFO investigator or a lawyer involved in the investigation.

Ensure that where an SFO investigator or a lawyer involved in the investigation inadvertently sees LPP material, measures are in place to ensure that the investigation and any subsequent prosecution is not adversely affected as a result. Care must always be taken that LPP material is not viewed by the SFO staff involved in the investigation.^[41]

The Operational Handbook then sets out a procedure for dealing specifically with electronic material that may be privileged. Under this procedure, the SFO will first notify the company’s lawyers if it believes that IT assets it has seized might contain privileged material (in practice, it is prudent for the company’s lawyers to advise the SFO of the potential existence of privileged material at an early stage). A list of search terms should be agreed (including names of lawyers, relevant firms, etc.) to enable the identification and isolation of the material for review by independent counsel. Independent counsel will review the material using search software and return only non-privileged material to the SFO investigative team to examine. It is normally possible to have productive discussions with investigators to determine the relevant search terms that might identify privileged material. It is then possible to make representations on the client’s behalf to independent counsel about the extent of privilege. This procedure updates and works alongside the well-established ‘blue-bagging’ approach used for hard-copy materials that may be privileged, by which authorities will send seized documents that may be potentially privileged, sealed in an opaque bag, to the custody of an independent legal adviser (usually a barrister) for review.

The DOJ has utilised three different procedures for reviewing potentially privileged information, each of which requires a ‘neutral’ third party to first review potentially privileged data.^[42] In certain instances the court may review the data on its own. A court may also appoint a ‘special master’ to handle the review of privileged information. In other instances, a team of individuals referred to as a ‘taint team’ may be used to review the files. When a taint team is used, an ethical wall will be placed between the individuals who review the documents and those who are actually participating in the investigation. Importantly, courts have had differing reactions to the use of taint teams and may not always conclude that the procedures implemented to screen materials were sufficient.

11.4 Disclosure of results of internal investigation

In most instances, a company will have to make expansive disclosures regarding its internal investigations to get full co-operation credit. The DOJ has issued guidance in the Justice Manual^[43] that explicitly states that companies will have to self-report on both the results of internal investigations and on individual misconduct to receive any co-operation credit. Whether such thorough disclosures are in the best interest of the company is something that will need to be determined in a timely manner.

11.4.1 Self-reporting of misconduct not yet known to regulators

A company’s decision as to whether to self-report is often complicated. There may be opportunities for a company to internally address misconduct without it coming to light. However, it can be very difficult for a company to keep its misdeeds from being disclosed to the relevant authorities. Whistleblower rewards provide incentives for employees to report misconduct. Federal statute provides protections for whistleblowers,^[44] and in 2017 the SEC imposed financial penalties on financial institutions that attempt to prohibit employees from seeking those bounties.^[45] Disgruntled employees can report corporate misconduct as retaliation, to attempt to prevent prosecution of themselves or simply because they do not feel that the corporate is handling the issue appropriately via its internal process. In the United Kingdom, broadly speaking, those working in the field of financial services are subject to suspicious activity reporting obligations. This means that banks, accountants and transactional lawyers must make reports to the authorities of suspicions of money laundering (including acquiring assets which may be tainted by fraud or corruption). A failure to make a report is a criminal offence – as is tipping off the subject of the report (which in some instances may be the individual’s own client). Investigative journalism and NGOs also continue to be important sources of information for regulators – as the recent ‘Panama Papers’ scandal has shown.^[46]

A failure to self-report misconduct before it becomes otherwise known to the authorities can have a significant impact on the resolution of the corporate investigation. The Justice Manual (which governs the conduct of assistant US Attorneys during the course of civil and criminal investigations, including FCPA investigations) provides that:

Even in the absence of a formal program, prosecutors may consider a corporation’s timely and voluntary disclosure, both as an independent factor and in evaluating the company’s overall cooperation and the adequacy of the corporation’s compliance program and its management’s commitment to the compliance program. However, prosecution may be appropriate notwithstanding a corporation’s voluntary disclosure. Such a determination should be based on a consideration of all the factors set forth in these Principles.^[47]

As we have already noted, under the FCPA Corporate Enforcement Policy (which has been incorporated into the Justice Manual), full co-operation requires, among other things, prompt disclosure of ‘all facts related to involvement in the criminal activity by the company’s officers, employees, or agents; and all facts known or that become known to the company regarding potential criminal conduct by all third-party companies (including their officers, employees, or agents’.^[48] Moreover, the company will have to disclose ‘on a timely basis of all facts relevant to the wrongdoing at issue, including: all relevant facts gathered during a company’s independent investigation; attribution of facts to specific sources where such attribution does not violate the attorney–client privilege, rather than a general narrative of the facts; timely updates on a company’s internal investigation, including but not limited to rolling disclosures of information’.^[49]

The Deferred Prosecution Agreements Code of Practice (DPA Code) issued by the SFO and CPS^[50] indicates that, to be eligible for a DPA, a company will likely have to report voluntarily any misconduct within a reasonable time of becoming aware of it – and prior to it becoming known to the authorities. In fact, in both of the previous DPA cases,^[51] the companies self-reported their misconduct to the SFO in circumstances where the SFO had no prior knowledge of the misconduct and, in all likelihood, would not have learnt about the misconduct if the company had not self-reported.

But, in the Rolls-Royce case, which was concluded by a DPA in January 2017, the company did not self-report to the SFO the conduct that led to the SFO’s investigation. Instead, the SFO became aware of the need for an investigation through internet postings by a whistleblower. The fact that Rolls-Royce did not self-report weighed against the SFO offering a DPA; yet, Rolls-Royce chose to co-operate fully with the investigation after the SFO approached the company, and undertook its own internal investigation (in close consultation with the SFO). In total, Rolls-Royce collected over 30 million documents and subjected them to electronic document review as part of this investigation. One of the main features of Rolls-Royce’s co-operation was that it provided all materials requested by the SFO voluntarily, without the SFO having to compel it to provide information. Rolls-Royce also chose not to perform any legal professional privilege review over the documents (instead allowing independent counsel to resolve issues of privilege) and worked with the SFO as the SFO used sophisticated artificial intelligence searches to interrogate the data. This process led to the SFO uncovering information that may not have otherwise come to its attention. Ultimately, SFO counsel described the extent of Rolls-Royce’s co-operation with the investigation as ‘extraordinary’.

While the decision to provide documents voluntarily to the SFO was one of a number of measures taken by Rolls-Royce to demonstrate its co-operation with the investigation, this decision was of fundamental importance to the court when deciding to approve the DPA. Rolls-Royce’s voluntary disclosure of investigation documents therefore mitigated its failure to voluntarily disclose misconduct.

11.4.2 Production of reports of investigation

To obtain co-operation credit, prosecuting and government agencies require that companies provide the complete factual findings of an internal investigation, including relevant source documents. The Justice Manual recognises ‘the sort of co­operation that is most valuable to resolving allegations of misconduct by a corporation and its officers, directors, employees, or agents is disclosure of the relevant facts concerning such misconduct.’^[52]

Similarly, the DPA Code provides that co-operation will include ‘providing a report in respect of any internal investigation including source documents.’^[53]

Careful consideration should be given to the manner of disclosure of information. In the United States, the consideration for credit is that the relevant facts are disclosed. The format of the disclosure is irrelevant. The Justice Manual makes clear that a company does not have to waive privilege to receive co-operation credit.^[54] If a company chooses not to waive relevant privileges, it is unlikely to be able to share the investigative reports prepared by counsel conducting the investigation. Instead, it will have to carefully craft presentations that disclose only non-privileged facts. Preparation of such reports can be time-consuming and costly. Further, in preparing any written presentation materials the company will have to ensure that neither the mental impressions nor advice of counsel are included. Because there can be no claim that the materials are privileged, a company should also expect that they will have to produce presentation materials in any related civil litigation.

In the United Kingdom, there is currently much debate over the production of the first accounts of witnesses, which may have been taken by investigating attorneys. The SFO’s preference is that these are taken so that legal privilege does not apply. It also indicates that it does not consider all privilege claims over interview materials to be made out under English law and until the Court of Appeal’s decision in The Director of the Serious Fraud Office v. Eurasian Natural Resources Corporation (ENRC),^[55] was actively challenging such assertions. Where a valid claim for privilege exists, co-operation credit will be given for the disclosure of interview memoranda. A failure to disclose will be considered co-operation neutral. As Alun Milford, then SFO General Counsel, has previously said, ‘[i]f a company’s assertion of privilege is well-made out, then we will not hold that against the company: to do otherwise would be inconsistent with the substantive protection privilege offers.’^[56] In two of the UK cases in which the court has approved DPAs, the company made oral disclosure only of the content of witness interviews.^[57] However, Rolls-Royce chose to provide the interview memoranda to the SFO – even though it considered the memoranda to be privileged – on the basis of a limited waiver of privilege. This was another way Rolls-Royce used the voluntary disclosure of documents to counterbalance its failure to voluntarily disclose the misconduct. Other materials voluntarily provided to the SFO by Rolls-Royce included regular reports on the findings of the internal investigations; unfiltered access to the ‘digital repositories or email containers’ for over 100 past and present employees; general access to hard-copy documents at Rolls-Royce; and key documents identified by the internal investigations. Finally, Rolls-Royce held off interviewing potential witnesses until the SFO had the chance to do so. How a company makes its employees available to investigating authorities is important, and this chapter will now turn to this issue.

11.4.3 Identification of witnesses to authorities

In connection with its initial assessments of whether to co-operate with authorities, companies will have to consider the implications of disclosing information about key employees. As noted above, US and UK authorities have indicated that co-operation will require disclosure of facts relevant to the misconduct of individual employees.

In the United States, authorities have made clear that obtaining facts relevant to individual prosecutions is a top priority. The Justice Manual provides that ‘[i]n order for a company to receive any consideration for cooperation under this section, the company must identify all individuals involved in or responsible for the misconduct at issue, regardless of their position, status or seniority, and provide to the Department all facts relating to that misconduct.’^[58]

These principles have been incorporated into the FCPA Corporate Enforcement Policy. Additionally, the ‘unequivocal co-operation’ necessary to be eligible for a DPA in the United Kingdom includes identifying relevant witnesses, disclosing their accounts of the alleged misconduct and any documents shown to them and, where practicable, making those witnesses available for interviews by investigators^[59] – together with ongoing co-operation with the authorities.

When seeking a DPA, a corporate should consider liaising closely with the SFO, which may wish to undertake witness, or interviews, under caution,^[60] with individuals prior to corporate counsel doing so. Once the individuals have been identified to the government or prosecuting authorities it may be difficult, if not impossible, for those individuals to continue working for the company. A company may feel pressure to terminate the employee or place that individual on leave, which could have a significant impact on the operations of a business unit. Even if the company does not terminate an employee under investigation, targets of a government investigation are likely to engage their own counsel who may advise the employee to stop co-operating with its employer – leading to a ‘walk or talk’ decision. Depending on the nature of any employment agreement, a company may have to advance the individual the fees and costs associated with individual representation. Also, since 2004, the United Kingdom has imposed an extensive Code of Practice for Disciplinary and Grievance Procedures on employers, which sets out standards of procedural fairness that a UK employer should comply with if it takes action that will detrimentally affect an employee’s employment.^[61]

11.5 Privilege considerations

In the United States, certain portions of internal investigations are protected by the attorney–client privilege and the work-product doctrine, and courts routinely uphold those privileges.^[62] This can be true even where the purpose of an investigation is to ensure regulatory compliance, or where non-lawyers are involved in key parts of the investigation.^[63]

Generally, the attorney–client privilege entitles a party to withhold from production (1) communications, (2) with an attorney, his or her subordinate or agent, (3) made in confidence, (4) for the primary purpose of securing an opinion of law, legal services or assistance in a legal proceeding. It applies to corporations as well as individuals, and therefore protects communications between corporate employees and a corporation’s in-house and external legal counsel on matters within the scope of the employees’ corporate responsibilities. Communications between non-legal corporate employees can also be privileged where an attorney neither authors nor receives the communication, if the communication contains or refers to previously transmitted legal advice or identifies specific legal advice that the non-attorneys will seek from attorneys in the near future. Additionally, the work-product doctrine protects documents and tangible things, otherwise discoverable, prepared in anticipation of litigation and in connection with a threatened or pending government investigation. The doctrine can apply to documents prepared by both attorneys and non-attorneys. Attorney notes, research, and compilations of background materials, memoranda, investigative reports, witness statements; and materials prepared by non-legal personnel such as investigators are examples of the types of documents that may be protected. Work-product containing an attorney’s mental impressions is referred to as ‘opinion’ work-product and is afforded greater protection than other ‘ordinary’ work-product.

In the United Kingdom, privilege attaches to (1) confidential communications between a lawyer and his or her client for the purpose of seeking and receiving legal advice in a relevant legal context, including factual reporting (legal advice privilege), and (2) confidential communications between a lawyer and his or her client and/or a third party or between a client and a third party, provided that such communications have been created for the dominant purpose of obtaining legal advice, evidence or information in preparation for actual litigation, or litigation that is ‘reasonably in prospect’ (litigation privilege). English case law has traditionally called into question the availability of litigation privilege for documents created during a regulatory investigation, as an investigation alone lacks the adversarial character of litigation. In the recent ENRC^[64] decision, the Court of Appeal looked at the issue of when a corporate might reasonably contemplate prosecution (and therefore the necessary ‘litigation’) in the context of a self-reporting process, commenting as follows:

[W]e are not sure that every SFO manifestation of concern would properly be regarded as adversarial litigation, but when the SFO specifically makes clear to the company the prospect of its criminal prosecution … and legal advisers are engaged to deal with that situation, as in the present case, there is a clear ground for contending that criminal prosecution is in reasonable contemplation.^[65]

But, the Court went on to say that no particular action in the course of engagement with a regulator will allow a company to say that at a particular date it contemplated a criminal prosecution and privilege crystallised. Every case will turn on its own facts, and the evidence will be assessed in the round.

The corporate must also have created the documents for the dominant purpose of the contemplated litigation. In ENRC, even where ENRC might have created documents for the dominant purpose of merely investigating ‘the facts to see what had happened and deal with compliance and governance’,^[66] the Court said this:

Although a reputable company will wish to ensure high ethical standards in the conduct of its business for its own sake, it is undeniable that the ‘stick’ used to enforce appropriate standards is the criminal law and, in some measure, the civil law also. Thus, where there is a clear threat of a criminal investigation, even at one remove from the specific risks posed by the SFO should it start an investigation, the reason for the investigation of whistle-blower allegations must be brought into the zone where the dominant purpose may be to prevent or deal with litigation.^[67]

So, litigation privilege may well cover a significant proportion of documents created in the course of an internal investigation into possible criminal activity after the regulator has made clear there is a prospect of prosecution. Again, though, why the corporate created particular documents is important. If a corporate creates documents specifically to disclose to the regulator, then it seems unlikely that a claim to litigation privilege against that same regulator will succeed: at least in relation to the final versions of these documents.

The Court of Appeal also discussed the policy behind applying litigation privilege in this area:

It is, however, obviously in the public interest that companies should be prepared to investigate allegations from whistle blowers or investigative journalists, prior to going to a prosecutor such as the SFO, without losing the benefit of legal professional privilege for the work product and consequences of their investigation. . . . The remedy for the SFO is not to allow prevarication and delay . . . to prevent a timeous investigation, when it becomes clear that the company is not wholeheartedly reporting its own conduct and making appropriate waivers of privilege.^[68]

It went on to make clear that determining the extent of co-operation by a company (in an analysis of whether a DPA was in the public interest) included determining ‘whether the company was willing to waive any privilege attaching to documents produced during internal investigations, so that it could share those documents with the SFO’.^[69] But, as noted above, past practice in both the United Kingdom and the United States suggests that a corporate does not need to waive privilege over all its investigation documents to receive co-operation credit.

On 2 October 2018, the SFO announced that it would not appeal the ENRC decision further to the Supreme Court.^[70]

In presenting the underlying facts of an internal investigation, a company must be mindful of the inherent risk that such a presentation will be deemed a privilege waiver in any subsequent proceedings. If a disclosure of privileged information to a federal office or agency is deemed intentional, the privilege will be waived in any federal or state proceeding.^[71] However, if a disclosure of privileged information is unintentional, it will not create a broad waiver so long as the holder of the privilege took steps to prevent the disclosure and then promptly took reasonable steps to seek return of any inadvertently disclosed information.^[72] Accordingly, if a company decides that it does not intend to waive privilege, it should devise reasonable steps that highlight the company’s decision not to waive privilege, including providing written notice of the intention not to produce privileged materials in any letter or other correspondence that accompanies a document production. Courts in England and Wales have held that a company can share the contents of a privileged communication with a regulator or other third party, keeping the privilege intact, so long as this desire is made clear, the disclosure is confidential, and the communication is not proliferated widely.^[73]

11.6 Protecting confidential information

Companies producing information to the government should take steps to protect the confidentiality of that information. Although information produced in response to a grand jury subpoena must be kept confidential,^[74] in the absence of a formal request, documents and testimony provided to the DOJ, SEC or other government authority can be shared with others. In many instances, documents under the control of a government agency can be subject to requests made pursuant to the Freedom of Information Act (FOIA).^[75] Further, documents typically shielded from disclosure by the FOIA and other regulations are not exempt from production to the United States Congress, which can, in turn, make the information public.

The procedures necessary to shield confidential information from disclosure can be quite complex. Each regulatory body has its own procedures for seeking confidential treatment of information. The SEC, for example, requires that each page of a document containing confidential information be stamped with a specific legend and that a request for confidential treatment go to the individual receiving the documents and the Office of Freedom of Information and Privacy Act Operations.^[76] Many states have their own versions of the FOIA governing the treatment of information provided to, among others, state attorneys general.^[77] Further, while some congressional committees may implement their own procedures for seeking confidential treatment of information, an entity producing documents will have to consider what regulations apply to the information sought and whether the specific regulations prohibit disclosure in response to the request.

In the United Kingdom, the High Court confronted these issues in Standard Life Assurance v. Topland Col.^[78] The SFO had disclosed information it had obtained through its section 2 powers to a Standard Life employee that it wished to interview. The SFO later discontinued the related investigation. Standard Life then used some of this information as part of civil proceedings against Topland. The court noted that the SFO was not entitled to disclose any material obtained by it during an investigation except for the purpose of its investigation (which was the original purpose of the disclosure in this case). A person who wished to prevent disclosure of genuinely confidential information, either by the SFO or by a person it had disclosed documents to, would need to rely on judicial review proceedings or seek an injunction to prevent a breach of confidence. This suggests that, to avoid relying on these indirect remedies, a company should agree with the SFO before disclosure how the SFO might control the further dissemination of confidential or sensitive documents. Safeguards may include the SFO returning the documents following a short time or notifying a disclosing party before the SFO intended to disseminate documents further. On the other hand, a company may also wish to construct potential safeguards around material produced to it during DPA negotiations and that may otherwise be discoverable in subsequent civil proceedings against it.

11.7 Concluding remarks

Companies have an incentive to co-operate with a government investigation, especially if co-operation credit does not necessarily require self-reporting of the misconduct. But self-reporting will assist companies alongside the voluntary provision of relevant materials. The additional advantages of co-operation – control of the investigation process, orderly production of materials and managing press intrusion – are likely to be great when weighed against the disruption and publicity of formal actions including raids, arrests and prosecutions. In cross-border investigations, companies will need to devise due process safeguards to protect the rights of individuals and respect local law requirements. Ensuring local law specialists are instructed to work as part of a multidisciplinary team will be key.

Footnotes