Production of Information to the Authorities

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight

11.1       Introduction

There are many situations in which a company may face a choice, or a demand, to disclose documents and information to a law enforcement authority or regulator, ranging from responding to a raid on corporate and individual premises, to compliance with a subpoena or other compulsory process, to the voluntary provision of information during a self-disclosure. The types of information and the circumstances in which a company is obliged – or even able – to produce relevant documents is circumscribed by various laws. For example, a company must address concerns regarding confidentiality, employee privacy, data protection and legal privilege (and, in certain jurisdictions, bank secrecy restrictions or blocking statutes). This becomes additionally complicated in cross-border cases where multiple legal regimes may apply and may conflict with one another. Add to this the not uncommon scenario of authorities from different countries seeking the same (or slightly different) information and it becomes a legal and practical minefield. This chapter cannot hope to cover the immense number of variables that a company may face in these circumstances, but it does seek to provide practical guidance on some of the most important points.

11.2       Production of documents to the authorities

11.2.1    Formal requests for disclosure (and related document hold issues)  Commonly used powers (UK)

Most regulatory and enforcement authorities have formal powers to compel individuals and companies to produce documents and provide information.

In the area of financial crime and corruption involving the United Kingdom, the most likely authority to be seeking to investigate and prosecute will be the Serious Fraud Office (SFO). It has powers to seek the production of documents and information at both a pre-investigation stage in relation to corruption cases under section 2A of the Criminal Justice Act 1987, and, once it opens a formal investigation, under section 2 of the same Act. These powers can be exercised against companies and individuals to produce documents and information, including by way of compelled interview where there is no right to silence (although the individual cannot be later prosecuted regarding matters arising from the interview, unless the information is found to be false). A failure to provide the documents and information within the time specified in the production notice is a criminal offence, unless the recipient can show that it had a reasonable excuse not to comply (such as an injunction preventing production).

In the field of financial markets regulation, the Financial Conduct Authority (FCA) has powers to compel the production of documents, contained in Part 11 of the Financial Services and Markets Act 2000 (FSMA). The key provision is section 165, which is set out here as an example of how information-gathering powers are conferred:

165  Authority’s power to require information: authorised persons etc.

(1)  The Authority may, by notice in writing given to an authorised person, require him–

        (a) to provide specified information or information of a specified description; or

        (b) to produce specified documents or documents of a specified description.

(2)   The information or documents must be provided or produced–

        (a) before the end of such reasonable period as may be specified; and

        (b) at such place as may be specified.

(3)  An officer who has written authorisation from the Authority to do so may require an authorised person without delay–

        (a) to provide the officer with specified information or information of a specified description; or

        (b) to produce to him specified documents or documents of a specified description.

(4)  This section applies only to information and documents reasonably required in connection with the exercise by the Authority of functions conferred on it by or under this Act.

(5)  The Authority may require any information provided under this section to be provided in such form as it may reasonably require.

(6)   The Authority may require–

        (a) any information provided, whether in a document or otherwise, to be verified in such manner, or

        (b) any document produced to be authenticated in such manner, as it may reasonably require.

‘Authorised person’ is defined in section 31 of FSMA and means, very broadly, a person providing a regulated financial service.

The FCA has set out its policy in relation to its exercise of enforcement powers under the FSMA (and other legislation) in its Enforcement Guide.1 The Enforcement Guide is useful as it not only sets out the FCA’s approach to its task as the United Kingdom’s financial markets regulator, but also it reflects the general approach of UK regulators to their document production powers.

In paragraphs 4.8 and 4.9 of the Enforcement Guide, the FCA states that its standard practice is to use its statutory powers to require the production of documents, the provision of information or the answering of questions in interview. The FCA suggests that this is for reasons of fairness, transparency and efficiency. The Enforcement Guide goes on to suggest, however, that it will sometimes be appropriate to depart from this standard practice, as it relates to document production, in cases:

  • involving third parties with no professional connection with the financial services industry, such as the victims of an alleged fraud or misconduct, in which case, the FCA will usually seek information voluntarily;
  • where the FCA has been asked by an overseas or EEA regulator to obtain documents on their behalf, in which case the FCA will discuss with the overseas regulator the most appropriate approach.

In the second scenario, it is important to consider the effect of regimes and jurisdictional protections colliding. For example, how might the US right to silence mesh with the UK compelled disclosure regime? The Enforcement Guide states that the FCA will make it clear to the company or individual concerned whether it requires him, her or it to produce information or answer questions under FSMA or whether the provision of information is voluntary.

Similar (but unique) powers also lie in the hands of the Competition and Markets Authority, the National Crime Agency, police, Her Majesty’s Revenue and Customs, and the Health and Safety Executive. Many of these authorities may also apply for and obtain search warrants and use these powers more often than their US counterparts do (see Section 11.3).  Commonly used powers (US)

In the United States, most federal agencies, including the United States Department of Justice (DOJ), the Commodity Futures Trading Commission (CFTC) and the Securities and Exchange Commission (SEC), may issue subpoenas (or administrative orders) and compel individuals and companies to produce documents and testimony.2 In the case of the DOJ, a subpoena may compel the production of documents in connection with either a civil or criminal investigation.3 The CFTC’s regulations provide that:

The Commission or any member of the Commission or of its staff who, by order of the Commission, has been authorized to issue subpoenas in the course of a particular investigation may issue a subpoena directing the person named therein to appear before a designated person at a specified time and place to testify or to produce documentary evidence, or both, relating to any matter under investigation.4

Additionally, state agencies and each state’s attorney general can compel the production of documents and testimony. As an example, Section 352 of the New York General Business Law permits the attorney general to commence an investigation of an individual or corporation and to seek documents and testimony in connection with that investigation. The Securities Act, the Securities Exchange Act, the Investment Advisers Act, and the Investment Company Act all permit the SEC to issue subpoenas in connection with an ongoing investigation of misconduct.5 Before a subpoena can be issued, the staff of the SEC must obtain a formal order of investigation.6

Criminal offences for refusing to comply with a request, providing false or misleading statements, or concealing documents, generally supplement such powers.7  Scope and timing

In practice, a company can do little to resist complying with a formal request for disclosure without resorting to court proceedings to challenge the validity or scope of the request. However, it can likely negotiate with the relevant authority regarding the scope of documents responsive to the request and the production date to limit the scope of the request to what is proportionate and reasonable.

Broadly drawn requests are unfortunately not uncommon, as investigators seek to ensure the requests will capture all relevant information. Early engagement with the relevant authority will typically ensure that both parties can agree on scope and a timetable for production: a request looking back over a long period, or even without any time limit, could involve a time- and resource-intensive review and expensive production exercise. This may not be in the interests of the prosecuting agency or the company if a more targeted request could produce the information. Whether an agreement to narrow the scope of the request is possible is likely to depend, in large part, on factors outside the company’s control – such as the nature and scope of the authority’s investigation (which the authority may be unwilling to share and is likely to base on information and evidence outside the company’s knowledge). However, the company and its legal advisers should nonetheless seek a reasonable, proportionate and practically achievable production: for example, by seeking to agree to produce documents relating to X project, between Y–Z dates and if necessary to produce the documents in tranches.

It becomes increasingly difficult to manage the response to multiple authorities particularly if they are in different countries and have different areas of focus. We explore this in more detail in Section 11.2.3. Similarly, a company must consider whether the production notice extends to materials held overseas. This is explored further in Section 11.2.4.  Practical steps on receipt

Upon receipt of a document request, a company should immediately issue a document retention (or hold) notice (DRN) (if one is not already in place). The issuing of a DRN will assist the company to demonstrate that it has taken steps to preserve all potentially relevant documents in existence at the date of the request. The DRN should track the terms of the production notice, and be sent to all personnel who may have responsive documents, including the IT department and records department. The term ‘document’ should be widely drawn to include any paper or electronic records present on any media belonging to the company or its employees, including corporate information located off-site. The company may also need to manage complicated issues around data privacy and personal media. This book discusses these issues further in Chapters 12 and 13 on employee rights.

The DRN should confirm that employees must not delete, alter, conceal or otherwise destroy company documents. Simultaneously, the company should take steps to secure and preserve all relevant information held on the company’s servers and back-up tapes, including through external providers. It should also immediately suspend routine document and data destruction processes.

Most authorities will have their own technical standards, which the collection and production of electronically stored information must meet. It is therefore likely that a company seeking to respond to a subpoena or production notice will want to consider instructing a forensic IT specialist company to assist with the collection and production efforts. This will have the added benefit of ensuring that a company can demonstrate the independence of this analysis, that it is taking clear co-operative steps, and protects employees, as far as possible, from having to give evidence in any subsequent proceedings.

11.2.2    Informal requests for disclosure: voluntary production and co-operation

A company may wish to consider voluntarily providing documents to an authority as part of a self-report or to demonstrate its co-operation with an investigation. Government investigators and investigating authorities regularly hold out the possibility of co-operation credit to companies to encourage them to provide information about their own misconduct.

From February 2014, deferred prosecution agreements (DPAs) have been available in the United Kingdom to the SFO and Crown Prosecution Service (CPS) for disposing of corporate criminal conduct relating broadly to economic crime (including, in particular, fraud, corruption and money laundering).8 The current Director of the SFO, David Green QC, and the English courts have emphasised that one of the most important factors for a DPA is early reporting and co-operation by the company. Co-operation should be ‘genuinely proactive’.9 This will likely include the voluntary production of relevant documents.

In the United States, too, the authorities have routinely emphasised that they will consider self-reporting and co-operation with government investigations as a key factor when determining whether to charge a corporation.10 Under the DOJ’s recently introduced FCPA Pilot Program, ‘for a company to receive credit for voluntary self-disclosure of wrongdoing’ the disclosure will have to be made ‘prior to an imminent threat of disclosure or government investigations’ and ‘within a reasonably prompt time after becoming aware of the offense’. Moreover, the company will have to disclose ‘all relevant facts known to it, including all relevant facts about the individuals involved in any FCPA violation.’11 Voluntarily producing documents to an investigating authority, without the need for a formal request, helps demonstrate a truly proactive approach by the company. There may also be more room to negotiate the scope of the voluntary disclosure than where a company receives a formal request.

Timing is important, both for a potential DPA and in relation to anti-cartel regimes, which often provide an amnesty only to the first discloser.12

As has been noted above, the FCA’s standard practice is to rely on its statutory powers to require the production of documents. While there is merit in adopting this policy, and it does avoid the risks to companies of voluntarily disclosing documents to the FCA set out below, nothing prevents the FCA from seeking voluntary production. Principle 11 of the FCA’s Principles for Businesses states that: ‘A firm must deal with its regulators in an open and co-operative way, and must disclose to the appropriate regulator appropriately anything relating to the firm of which that regulator would reasonably expect notice.’ A materially identical provision is included in the Prudential Regulation Authority’s (PRA) Rulebook as Fundamental Rule 7. While this chapter focuses on the approach of the FCA, it is worth remembering that the PRA has similar enforcement powers (and is using them with increasing frequency). Both regulators interpret these obligations to proactively bring matters to their attention widely, and are prepared to take enforcement action against firms and individuals for failures to discharge these obligations (even in the absence of other underlying failings). Prudential Group (fined £30 million for failing to inform the FSA of its proposed acquisition of AIA until after it had been leaked to the media), Goldman Sachs (fined £17.5 million for not disclosing an SEC investigation into its staff and members of Goldman Group), and the Co-operative Bank (issued a final notice for failing to notify the PRA without delay of two intended personnel changes in senior positions) are recent examples. This places regulated firms in a different position from other corporates: it reduces the scope for the decision whether to self-report or not.

Principle 11 is mainly intended as a supervision tool and sets out a broad duty of co-operation that the FCA often relies on to oblige the production of documents prior to formal investigations being commenced (sometimes, but not always, for the purpose of deciding whether an investigation should be commenced and, if so, in respect of which firms and individuals). The FCA’s view of what is meant by being open and co-operative within Principle 11 is set out in the FCA Handbook, in the ‘Supervision’ section (referred to as SUP). SUP 2.3 provides that ‘open and co-operative’ includes a regulated entity making itself readily available for meetings with the FCA, giving the FCA reasonable access to records, producing documents as requested, and answering questions truthfully, fully and promptly. Where a formal investigation has been commenced, the FCA would not seek to rely on Principle 11 obligations as requiring production where it is not compelling information using its statutory powers. While it would be a clear breach of Principle 11 to fail to comply with a statutory request for the production of documents, a failure to comply with a voluntary request for the production of documents would not, of itself, result in disciplinary proceedings. The Enforcement Guide does state, in the context of co-operation, that:

The FCA will not bring disciplinary proceedings against a person for failing to be open and co-operative with the FCA simply because, during an investigation, they choose not to attend or answer questions at a purely voluntary interview. However, there may be circumstances in which an adverse inference may be drawn from the reluctance of a person (whether or not they are a firm or individual) to participate in a voluntary interview. If a person provides the FCA with misleading or untrue information, the FCA may consider taking action against them.13

The Enforcement Guide further provides that if a person does not comply with a requirement imposed by the exercise of statutory powers, he or she may be held to be in contempt of court. The FCA may also choose to bring proceedings for breach of Principle 11.14 Therefore, while there is no guidance indicating that a failure to produce documents voluntarily (as opposed to attending a voluntary interview) would result in an adverse inference being drawn, a decision by a company not to produce documents voluntarily in any particular case should not be made without careful forethought and proper advice on the potential consequences.

As this suggests, the Enforcement Guide recognises the importance of an open and co-operative relationship with the firms it regulates to the effective regulation of the UK financial system. When deciding whether to exercise its enforcement powers, the FCA considers, among a number of factors, the level of co-operation demonstrated by a firm. When weighing the level of co-operation, the FCA considers whether the firm has been open and communicative with it.

Voluntarily disclosing documents carries a risk that the authority may not give any meaningful credit and may nonetheless decide to prosecute or expand an investigation already under way. Therefore, the company should weigh the likelihood of the authority being able to serve a formal request for disclosure in the relevant jurisdiction.

In some instances, a formal notice for disclosure will be preferred: for example, where a company has obligations of confidentiality, preventing voluntary disclosure. The most common examples being lawyers15 and financial institutions who could both face an action for breach of confidence for supplying documents or information without a formal regulatory request. In some self-reporting circumstances, it may be appropriate for a company to seek such a notice from the relevant authority to ensure that it does not open itself up to civil action. The notice should be narrowly drawn, in consultation with the regulator, and should not affect the company’s co-operation credit. Likewise, in some situations, the company may prefer to ask to be provided with a formal document request to demonstrate that they have been compelled to produce the documents to the authorities and have not done so voluntarily.

11.2.3    Production of information to multiple authorities

The increasingly complex and multi-jurisdictional nature of investigations means that a company may face requests for formal disclosure from more than one authority. This could be authorities with different mandates within the same jurisdiction, or authorities with similar mandates from different jurisdictions. In either case, multi-authority investigations demand holistic strategies and systems to allow a company to keep track of evidence disclosed to (or seized by) different authorities. A company may also want to consider if there is any strategic advantage to disclosing to one authority before another. However, recent large-scale global investigations into the manipulation of LIBOR and foreign exchange rates demonstrate the ever increasing levels of intra- and international co-operation between regulators.16 Practical steps a company can take when faced with multiple requests for formal disclosure include:

  • early engagement with each authority, to communicate expectations and practical difficulties of responding to multiple requests;
  • identifying and prioritising information that is commonly responsive to the requests rather than focusing on responding to each individual request in isolation;
  • maintaining clear production schedules; and
  • ensuring a system for Bates numbering17 for each authority.

11.2.4    Documents and data outside the jurisdiction  Voluntary production

In cross-border fraud or corruption cases, not all of a company’s documents will be located or even accessible in the same jurisdiction as the investigating authority. A company should consider what documents are stored overseas, and which of these it should provide to investigators. A company in receipt of a formal production notice will need to assess whether the notice extends to documents outside the jurisdiction, and, if so, the extent to which the company has ‘custody or control’ over documents held by subsidiaries or overseas branches.18 The board of a parent company will not necessarily control the management of a subsidiary.19 Where production is voluntary, a company may take a more holistic view of the investigation and production (subject to local law restrictions). The extent to which it may want to voluntarily disclose information may depend on the ability of the investigating authority to obtain that information itself. However, given the increasing co-operation between authorities on the international stage, careful voluntary production of material is likely to be preferable, and vital if the company seeks co-operation credit.  Mutual legal assistance

In the United Kingdom, sections 7–9 of the Crime (International Co-operation) Act 2003 (CICA) govern requests to obtain evidence from abroad in relation to a prosecution or investigation taking place in the United Kingdom, shaping the mutual legal assistance (MLA) powers of UK authorities. Under CICA, an MLA request can only be made if it appears to the investigating authority that an offence has been committed or there are reasonable grounds for suspecting that an offence has been committed, and either proceedings in respect of that offence have been instituted or the offence is being investigated.20 The request must relate to the obtaining of evidence ‘for use in the proceedings or investigation’.21 But, it could allow an investigating agency to have foreign law enforcement officers launch raids, arrest suspects or conduct interviews on its behalf.22 If the implementation of an MLA request in the requested state requires a court order, then the court in the requested state is likely to apply the relevant principles in its own jurisdiction to satisfy itself that the requested order is justified.

The MLA process can be cumbersome, but is a very real threat in the event a company does not co-operate. A company should also not overlook the significant scope for informal direct investigator-to-investigator co-operation. Agencies such as Interpol have dedicated programmes to share information between, and support investigations by, investigating agencies in different countries. Communications between the SFO and DOJ are frequent. The FCA, specifically, has a broad discretion to assist foreign regulators. This discretion is set out in section 169 of FSMA. The statutory power is supplemented by relevant FCA policy. Subsection 169(4) sets out the considerations in the FCA’s decision as to whether to assist a foreign regulator. It provides:

(4) In deciding whether or not to exercise its investigative power, the regulator may take into account in particular:

      (a) whether in the country or territory of the overseas regulator concerned, corresponding assistance would be given to a United Kingdom regulatory authority;

      (b) whether the case concerns the breach of a law, or other requirement, which has no close parallel in the United Kingdom or involves the assertion of a jurisdiction not recognised by the United Kingdom;

      (c) the seriousness of the case and its importance to persons in the United Kingdom;

      (d) whether it is otherwise appropriate in the public interest to give the assistance sought.

In an early decision on this section, Financial Services Authority v. Amro International,23 the Court of Appeal held that there was nothing in section 169 that required the FCA’s predecessor body to satisfy itself of the correctness of what it was being asked to investigate or gather by way of information. At the SEC’s behest, the FCA could seek any document that it reasonably considered relevant to the investigation the SEC was conducting. The Court of Appeal made clear that the only requirements the FCA must meet were contained in the statute. The Court of Appeal also noted that in exercising these powers, the stricter rules attaching to the drafting of a subpoena did not apply and the description of the documents sought would be acceptable provided the recipient could identify the documents he or she was required to produce.

In addition to the FCA’s statutory powers, a number of memoranda of understanding are in place between UK regulators and their overseas counterparts (most notably the SEC and other US regulators) concerning co-operation and information sharing. Recent years have seen significant co-operation between the SEC and the FCA and its cognate agencies (as noted in Section 11.2.3).

Similarly, the United States has entered into mutual legal assistance treaties (MLATs) with various countries, which can be used for the sharing of information and taking of evidence abroad.24 Some US authorities also have memoranda of understanding in place with sister agencies outside the United States, which can allow for inter-agency sharing of documents.  Data protection

Responding to an investigation (and conducting an internal investigation) will require data about individuals to be processed. Such an exercise will engage a number of data protection considerations. A company cannot assume that complying with the data protection requirements in the investigated jurisdiction will mean compliance with overseas data protection laws. European jurisdictions such as France and Germany, for example, have demanding standards for informed consent to a given process. Data protection laws may also prevent the transfer of personal information outside the country of origin: under the UK’s Data Protection Act 1998, a company cannot transfer data to countries outside the European Economic Area unless that country ensures an adequate level of protection for the rights of data subjects in relation to the processing of personal data. In Europe, the European Union’s General Data Protection Regulation (GDPR) is scheduled to come into force on 25 May 2018. Whatever the implications of Brexit for the United Kingdom, the GDPR applies to data controllers and processers outside the EU who offer goods and services to EU consumers. The GDPR introduces a limited derogation to its principles based on ‘legitimate interests’, which could cover transfers to foreign regulators, but does require prior notification to the relevant data protection authority. Transfers from Europe to the United States will also need to consider the EU–US privacy shield, designed to replace the safe-harbour framework that governs the processing and storing of EU citizens’ data in the United States.  Blocking statutes

Blocking statutes prevent the disclosure of certain documents for the purpose of legal proceedings in a foreign jurisdiction, except pursuant to procedures set out in an international treaty or agreement. Article 1bis of the French Blocking Statute provides:

It is prohibited for any person to request, to investigate or to communicate in writing, orally or by any other means, documents or information relating to economic, commercial, industrial, financial or technical matters leading to the establishment of proof with a view to foreign administrative or judicial proceedings or as a part of such proceedings.

There has historically been very little enforcement of the French Blocking Statute – with some companies choosing to ignore it completely. However, as a consequence of the Sapin 2 law, a new French national anti-corruption agency will be given specific responsibility for the enforcement of the Blocking Statute, signalling that the French authorities are looking to actively enforce this legislation. Similarly, Article 271 of the Swiss Criminal Code prohibits a person performing an ‘official act’ on behalf of a foreign authority on Swiss soil. This can block the collection of evidence located in Switzerland intended for use in proceedings outside the country.

A decision to refuse to disclose documents or information due to a blocking statute may not be respected by the requesting authority25 and could affect any co-operation credit available – leaving the company between a rock and a hard place. This demands early and detailed dialogue with the relevant authority alongside expert local counsel advice who can educate the regulators about the relevant laws and any potential workarounds for production of information.  Bank secrecy

Bank secrecy laws prohibit banking officials from releasing confidential information about a customer to third parties outside of financial institutions, unless compelled by law. Sometimes, such a disclosure is criminalised.26 A bank under investigation may seek to rely on this secrecy. It should also be cautious not to infringe this secrecy inadvertently in providing information to a regulator. Note, though, that a historic deference to the banking secrecy rules of foreign jurisdictions, premised on comity or respect for the acts of foreign governments, may slowly be eroding. Even Switzerland, in recent times, has stripped away a number of its many layers of secrecy through international agreements,27 and, in our experience, has become, in practice, more willing to co-operate with requests for information.  State secrets

Sending data outside a jurisdiction may be contrary to state secrecy laws. Some jurisdictions, such as China, have wide definitions of what amounts to a state secret. The Law of the People’s Republic of China on Guarding State Secrets, at Article 8, defines state secrets to include ‘secrets in national economic and social development’ and ‘secrets concerning science and technology’. Similarly, Kazakhstan treats some geological data as a state secret. The consequences of violation can be serious. Article 111 of the Chinese Criminal Law makes violating state secrets a capital crime. In countries such as China, where many companies are state-owned, this is not straightforward. Again, locating expert local counsel is a must.

State secrecy laws may also restrict certain categories of documents to authorised eyes only. This is particularly pertinent for defence companies. Withholding production of such documents will require careful negotiation. Remember that the investigating agency is likely to have authorised persons of its own, who can review the documents. Finding a practical way for these to be produced by external lawyers (where prior authorisation is unlikely) will likely be more difficult and undoubtedly will increase the time it will take to respond to a request for documents and may require the review of documents ‘in country’ instead of producing the documents to the US authorities. Another potential workaround is production of information through MLATs and MOUs that allow a company to first produce documents to a local authority and thereby comply with the relevant regulations.  Whose rules of privilege apply?

It may not be clear whose rules of privilege apply when a company discloses in one jurisdiction documents created in another. English courts will generally apply English law to the question: theoretically, an unprivileged document in its country of origin could be privileged in England and vice versa. In the United States, there is no general rule, although government agencies will generally apply privilege principles broadly, although subject to certain procedural requirements, such as the production of privilege logs.

Companies should also be aware that some countries do not have developed principles of legal privilege and special care is required in creating or sending otherwise-privileged documents to such jurisdictions. Likewise, in some jurisdictions privilege does not extend to communications with in house counsel and the role of internal counsel may be held by someone who is not an attorney, and therefore privilege may not be recognised in connection with their communications.

Further complications come when dealing with international regulatory bodies. In Akzo Nobel, for example, the European Court of Justice held that the law of the European Union superseded that of the relevant national jurisdictions; therefore, in competition cases internal counsel’s advice will not be privileged – nor will that of external legal advisers who are not EU-qualified lawyers be.28

11.3       Documents obtained through dawn raids, arrest and search

During a raid (or execution of a search warrant) on corporate premises, it is important to seek to obtain and understand the terms of the warrant. Check simple facts such as the premises’ address, date and relevant powers and authorisations. If appropriate, a company may challenge the scope of the warrant (if it is unduly wide or based on erroneous facts or information). Importantly, the company and its advisers should ensure during the raid that documents outside the terms of the warrant are not seized (unless taken under relevant search and sift powers,29 or as can be justified under ancillary legislation30) and take care both during the raid and afterwards to protect legally privileged materials. In the United States, it is nearly impossible to challenge the scope of a warrant that calls for the immediate search of a specific location. More likely, a company would have to seek to suppress evidence obtained pursuant to a warrant in a later proceeding. There may, however, be opportunities to challenge the scope of a warrant seeking electronically stored information before the data is actually collected and produced.31 As an example, where a company is asked to execute a warrant on behalf of the government, such as when a service provider is asked to collect electronic information of a third party, there may be additional opportunities for a company to challenge the scope of a subpoena. Recently, Microsoft was successful in challenging the scope of a warrant issued pursuant to the Stored Communications Act.32 Specifically, Microsoft was served with a warrant seeking data held on servers in Ireland. It challenged the collection of the relevant information, arguing that it was not permitted to make the collection based on data privacy laws in the jurisdiction where the data was held. A US Court of Appeals agreed, finding that the Stored Communications Act (the law pursuant to which the warrant was issued) could not be used to compel collection of data outside the United States. Notably, the court distinguished between the obligations of an entity receiving a warrant issued pursuant to the SCA and a subpoena that would seek documents and information from the target of an investigation.33

It is likely that the vast majority of documents obtained during a search will be electronic. It is important to agree to a process with the authorities for dealing with any electronic media that is privileged. In the United Kingdom, most investigative agencies have developed sophisticated procedures in this area. The SFO’s policy and system for dealing with material covered by legal professional privilege (LPP) is explained in its Operational Handbook:34

When the SFO requires the production of material, or seizes material pursuant to its statutory powers, all material which is potentially protected by LPP must be treated with great care to:

  • Minimise the risk that LPP material is seen or seized by an SFO investigator or a lawyer involved in the investigation.
  • Ensure that any LPP material which is seized is properly isolated and promptly returned to the owner without having been seen by an SFO investigator or a lawyer involved in the investigation.
  • Ensure that any dispute relating to LPP is resolved in advance of the material being seen by an SFO investigator or a lawyer involved in the investigation.
  • Ensure that where an SFO investigator or a lawyer involved in the investigation inadvertently sees LPP material, measures are in place to ensure that the investigation and any subsequent prosecution is not adversely affected as a result. Care must always be taken that LPP material is not viewed by the SFO staff involved in the investigation. Original emphasis.

The Operational Handbook then sets out a procedure for dealing specifically with electronic material that may be privileged. Under this procedure, the SFO will first notify the company’s lawyers if it believes that IT assets it has seized might contain privileged material (in practice, it is prudent for the company’s lawyers to advise the SFO of the potential existence of privileged material at an early stage). A list of search terms should be agreed (including names of lawyers, relevant firms, etc.) to enable the identification and isolation of the material for review by independent counsel. Independent counsel will review the material using search software and return only non-privileged material to the SFO investigative team to examine. It is normally possible to have productive discussions with investigators to determine the relevant search terms that might identify privileged material. It is then possible to make representations on the client’s behalf to independent counsel about the extent of privilege. This procedure updates and works alongside the well-established ‘blue-bagging’ approach used for hard-copy materials that may be privileged, by which authorities will send seized documents that may be potentially privileged, sealed in an opaque bag, to the custody of an independent legal adviser (usually a barrister) for review.

The DOJ has utilised three different procedures for reviewing potentially privileged information, each of which requires a ‘neutral’ third-party to first review potentially privileged data.35 In certain instances the court may review the data on its own. A court may also appoint a ‘special master’ to handle the review of privileged information. In other instances, a team of individuals referred to as a ‘taint team’ may be used to review the files. When a taint team is used, an ethical wall will be placed between the individuals who review the documents and those who are actually participating in the investigation. Importantly, courts have had differing reactions to the use of taint teams and may not always conclude that the procedures implemented to screen materials were sufficient.

11.4       Disclosure of results of internal investigation

In most instances, a company will have to make expansive disclosures regarding its internal investigations to get full co-operation credit. The DOJ recently issued guidance through the Yates Memorandum36 and the FCPA Pilot Program37 that explicitly state that companies will have to self-report on both the results of internal investigations and on individual misconduct to receive any co-operation credit. Whether such thorough disclosures are in the best interest of the company is something that will need to be determined in a timely manner.

11.4.1    Self-reporting of misconduct not yet known to regulators

A company’s decision as to whether to self-report is often complicated. There may be opportunities for a company to internally address misconduct without it coming to light. However, it can be very difficult for a company to keep its misdeeds from being disclosed to the relevant authorities. Whistleblower rewards provide incentives for employees to report misconduct. Disgruntled employees can report corporate misconduct as retaliation, to attempt to prevent prosecution of themselves or simply because they do not feel that the corporate is handling the issue appropriately via its internal process. In the United Kingdom, broadly speaking, those working in the field of financial services are subject to suspicious activity reporting obligations. This means that banks, accountants and transactional lawyers must make reports to the authorities of suspicions of money laundering (including acquiring assets which may be tainted by fraud or corruption). A failure to make a report is a criminal offence – as is tipping off the subject of the report (which in some instances may be the individual’s own client). Investigative journalism and NGOs also continue to be an important source of information for regulators – as the recent ‘Panama Papers’ scandal has shown.38

A failure to self-report misconduct before it becomes otherwise known to the authorities can have a significant impact on the resolution of the corporate investigation. The US Attorneys’ Manual (which governs the conduct of assistant US Attorneys during the course of civil and criminal investigations, including FCPA investigations) (USAM) has recently been revised to provide that:39

Even in the absence of a formal program, prosecutors may consider a corporation’s timely and voluntary disclosure, both as an independent factor and in evaluating the company’s overall cooperation and the adequacy of the corporation’s compliance program and its management’s commitment to the compliance program. However, prosecution may be appropriate notwithstanding a corporation’s voluntary disclosure. Such a determination should be based on a consideration of all the factors set forth in these Principles.

As we have already noted at Section 11.2.2, under the FCPA Pilot Program, ‘for a company to receive credit for voluntary self-disclosure of wrongdoing’, the disclosure will have to be made ‘prior to an imminent threat of disclosure or government investigations’ and ‘within a reasonably prompt time after becoming aware of the offense’. Moreover, the company will have to disclose ‘all relevant facts known to it, including all relevant facts about the individuals involved in any FCPA violation.’

The Deferred Prosecution Agreements Code of Practice (DPA Code) issued by the SFO and CPS40 indicates that to be eligible for a DPA, a company will likely have to voluntarily report any misconduct within a reasonable time of becoming aware of it – and prior to it becoming known to the authorities.

11.4.2    Production of reports of investigation

To obtain co-operation credit, prosecuting and government agencies require that companies provide the complete factual findings of an internal investigation, including relevant source documents. The USAM recognises ‘the sort of co­operation that is most valuable to resolving allegations of misconduct by a corporation and its officers, directors, employees, or agents is disclosure of the relevant facts concerning such misconduct.’41 The Yates Memorandum notes that

To be eligible for any credit for cooperation, the company must identify all individuals involved in or responsible for the misconduct at issue, regardless of their positions, status or seniority, and provide to the Department all facts relating to that misconduct. Emphasis added.

The FCPA Pilot Program requires that to receive credit for voluntary self-disclosure, a company must disclose all relevant facts. Similarly, the DPA Code provides that co-operation will include ‘providing a report in respect of any internal investigation including source documents.’42

Careful consideration should be given to the manner of disclosure of information. In the United States, the consideration for credit is that the relevant facts are disclosed. The format of the disclosure is irrelevant. The USAM makes clear that a company does not have to waive privilege to receive co-operation credit.43 If a company chooses not to waive relevant privileges, it is unlikely to be able to share the investigative reports prepared by counsel conducting the investigation. Instead, it will have to carefully craft presentations that disclose only non-privileged facts. Preparation of such reports can be time-consuming and costly. Further, in preparing any written presentation materials the company will have to ensure that neither the mental impressions nor advice of counsel are included. Because there can be no claim that the materials are privileged, a company should also expect that they will have to produce presentation materials in any related civil litigation.

In the United Kingdom, there is currently much debate over the production of the first accounts of witnesses, which may have been taken by investigating attorneys. The SFO’s preference is that these are taken so that legal privilege does not apply. It also indicates that it does not consider all privilege claims over interview materials to be made out under English law and is actively challenging such assertions. Where a valid claim for privilege exists, co-operation credit will be given for the disclosure of interview memoranda. A failure to disclose will be considered co-operation neutral. As Alun Milford, SFO General Counsel, has recently said, ‘if a company’s assertion of privilege is well-made out, then we will not hold that against the company: to do otherwise would be inconsistent with the substantive protection privilege offers.’44 In the two UK cases in which the court has approved DPAs, the company made oral disclosure only of the content of witness interviews.45

11.4.3    Identification of witnesses to authorities

In connection with its initial assessments of whether to co-operate with authorities, companies will have to consider the implications of disclosing information about key employees. As noted above, US and UK authorities have indicated that co-operation will require disclosure of facts relevant to the misconduct of individual employees.

In the United States, authorities have recently made clear that obtaining facts relevant to individual prosecutions is a top priority. In the Yates Memorandum, the DOJ stated that ‘one of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing.’ It went on to identify and discuss in detail six key steps to strengthen the DOJ’s pursuit of individual wrongdoing including:

1. To be eligible for any co-operation credit, corporations must provide to the Department all relevant facts relating to the individuals responsible for the misconduct.’ [Original emphasis.]
. . .
2. Both criminal and civil corporate investigations should focus on individuals from the inception of the investigation.

These principles have been incorporated into the USAM and into the FCPA Pilot Program. Additionally, the ‘unequivocal co-operation’ necessary to be eligible for a DPA in the United Kingdom includes identifying relevant witnesses, disclosing their accounts of the alleged misconduct and any documents shown to them and, where practicable, making those witnesses available for interviews by investigators46 – together with ongoing co-operation with the authorities.

Once the individuals have been identified to the government or prosecuting authorities it may be difficult, if not impossible, for those individuals to continue working for the company. A company may feel pressure to terminate the employee or place that individual on leave, which could have a significant impact on the operations of a business unit. Even if the company does not terminate an employee under investigation, targets of a government investigation are likely to engage their own counsel who may advise the employee to stop co-operating with its employer – leading to a ‘walk or talk’ decision. Depending on the nature of any employment agreement, a company may have to advance the individual the fees and costs associated with individual representation. Also, since 2004, the United Kingdom has imposed an extensive Code of Practice for Disciplinary and Grievance Procedures on employers, which sets out standards of procedural fairness that a UK employer should comply with if it takes action that will detrimentally affect an employee’s employment.47 (See also Chapters 12 and 13 on employee rights.)

11.5       Privilege considerations

In the United States, certain portions of internal investigations are protected by the attorney–client privilege and the work-product doctrine, and courts routinely uphold those privileges.48 This can be true even where the purpose of an investigation is to ensure regulatory compliance, or where non-lawyers are involved in key parts of the investigation.49

Generally, the attorney–client privilege entitles a party to withhold from production (1) communications, (2) with an attorney, his or her subordinate or agent, (3) made in confidence, (4) for the primary purpose of securing an opinion of law, legal services or assistance in a legal proceeding. It applies to corporations as well as individuals, and therefore protects communications between corporate employees and a corporation’s in-house and outside legal counsel on matters within the scope of the employees’ corporate responsibilities. Communications between non-legal corporate employees can also be privileged where an attorney neither authors nor receives the communication, if the communication contains or refers to previously-transmitted legal advice or identifies specific legal advice that the non-attorneys will seek from attorneys in the near future. Additionally, the work-product doctrine protects documents and tangible things, otherwise discoverable, prepared in anticipation of litigation and in connection with a threatened or pending government investigation. The doctrine can apply to documents prepared by both attorneys and non-attorneys. Attorney notes, research, and compilations of background materials, memoranda, investigative reports, witness statements; and materials prepared by non-legal personnel such as investigators are examples of the types of documents that may be protected. Work-product containing an attorney’s mental impressions is referred to as ‘opinion’ work-product and is afforded greater protection than other ‘ordinary’ work-product.

In the United Kingdom, privilege attaches to (1) confidential communications between a lawyer and his or her client for the purpose of seeking and receiving legal advice in a relevant legal context, including factual reporting (legal professional privilege), and (2) confidential communications between a lawyer and his or her client and/or a third party or between a client and a third party, provided that such communications have been created for the dominant purpose of obtaining legal advice, evidence or information in preparation for actual litigation, or litigation that is ‘reasonably in prospect’ (litigation privilege). English case law has long called into question the availability of litigation privilege for documents created during a regulatory investigation. In Rawlinson and Hunter Trustees SA v. Akers,50 the Court of Appeal upheld a High Court decision that:

The mere fact that a document is produced for the purpose of obtaining information or advice in connection with pending or contemplated litigation, or of conducting or aiding in the conduct of such litigation, is not sufficient to found a claim for litigation privilege. It is only if such purpose is one which can properly be characterised as the dominant purpose that such claim for litigation privilege can properly be sustained.

In the recent decision of Property Alliance Group Limited v. The Royal Bank of Scotland,51 the High Court confirmed that the test remained an objective assessment of the dominant purpose of collecting the information. In that case, where one party sought to obtain evidence for litigation, and misled the other parties to a meeting to do so, the Court performed the objective assessment from the misled parties’ point of view.

A key consideration is therefore the reason for the creation of the document. The Court of Appeal in Rawlinson and Hunter Trustees confirmed that where documents are created for multiple purposes, those purposes will not necessarily be independent of each other. However, the burden is on the party claiming privilege to demonstrate that the purposes are related and that the dominant purpose was for use in the conduct of litigation. This will protect communications with third parties outside the narrowly defined concept of the ‘client’ under English law. Even though this was not the context of the Rawlinson and Hunter Trustees case, some UK white-collar crime experts consider it as authority for the proposition that employee accounts provided during an internal investigation with a view to making a self-report may not be privileged.52 Whether such a challenge to privilege in employee accounts is successful will depend on the case.

Authorities in both the United States and the United Kingdom have made clear that a company does not need to waive any applicable privileges to receive co-operation credit. However, it may be difficult for attorneys to find ways to present all facts discovered during an internal investigation in a manner that does not disclose privileged information.

In presenting the underlying facts of an internal investigation, a company must be mindful of the inherent risk that such a presentation will be deemed a privilege waiver in any subsequent proceedings. If a disclosure of privileged information to a federal office or agency is deemed intentional, the privilege will be waived in any federal or state proceeding.53 However, if a disclosure of privileged information is unintentional, it will not create a broad waiver so long as the holder of the privilege took steps to prevent the disclosure and then promptly took reasonable steps to seek return of any inadvertently disclosed information.54 Accordingly, if a company decides that it does not intend to waive privilege, it should devise reasonable steps that highlight the company’s decision not to waive privilege, including providing written notice of the intention not to produce privileged materials in any letter or other correspondence that accompanies a document production. Courts in England and Wales have held that a company can share the contents of a privileged communication with a regulator or other third party, keeping the privilege intact, so long as this desire is made clear, the disclosure is confidential, and the communication is not proliferated widely.55 For a more detailed discussion of privilege issues that can arise in global investigations, see Chapters 31 and 32.

11.6       Concluding remarks

Business organisations have an incentive to obtain credit for co-operating with a government investigation, which is likely to require self-reporting before the government or prosecuting authority knows of the misconduct and providing relevant materials on a voluntary basis. The advantages around control of the investigation process, orderly production of materials and managing press intrusion are likely to be great when weighed against the disruption and publicity of formal actions including raids, arrests and prosecutions. However, careful consideration should be given to ensure due process safeguards to protect the rights of individuals are followed and local law requirements are respected in cross-border investigations. Ensuring local law specialists are instructed to work as part of a multidisciplinary team will be key.


  1. Financial Conduct Authority, Enforcement Guide (January 2016).
  2. Other federal agencies such as the Consumer Financial Protection Bureau and the Federal Trade Commission are authorised to issue subpoenas. Other agencies are required to seek the assistance of the United States Attorney’s Office in seeking documents and testimony. For a discussion of the use of administrative subpoenas, see
  3. For information regarding criminal matters, see Section 9-13 of the U.S. Attorneys’ Manual (USAM). The Civil Division is authorised to issue subpoenas by a number of statutes.
  4. 17 C.F.R. § 11.4(a).
  5. Section 19(c) of the Securities Act of 1933, 15 U.S.C. § 77s(c); Section 21(b) of the Securities Exchange Act of 1934, 15 U.S.C. § 78u(b); Section 209(b) of the Investment Advisers Act of 1940, 15 U.S.C. § 80b–9(b); and Section 42(b) of the Investment Company Act of 1940, 15 U.S.C. § 80a–41(b).
  6. For information regarding procedures for obtaining a formal order of investigation, see sections 2.2.3-2.3.4 of the Enforcement Manual of the Securities and Exchange Commission Division of Enforcement, available at (4 June 2015).
  7. 18 U.S.C. §§ 401, 1001; see also 7 U.S.C. §§ 9, 13(a)(3). Rule 17 of the Federal Rules of Criminal Procedures, governs subpoenas, including grand jury subpoenas and Rule 17(g) authorises federal courts to exercise its contempt powers for non-compliance (‘The court (other than a magistrate judge) may hold in contempt a witness who, without adequate excuse, disobeys a subpoena issued by a federal court in that district.’).
  8. DPAs were introduced by s.45 and Sch. 17 of the Crime and Courts Act 2013.
  9. Crown Prosecution Service and Serious Fraud Office, Deferred Prosecution Agreements Code of Practice – Crime and Courts Act 2013, 11 February 2014, at para. 2.8.2(i).
  10. See e.g. memorandum dated 5 July 2007 from Paul J. McNulty re Principles of Federal Prosecution of Business Organizations available at mcnulty_memo.pdf
  11. US Department of Justice, The Fraud Section’s Foreign Corrupt Practices Act Enforcement Plan and Guidance, 5 April 2016, at p. 4.
  12. See e.g. European Commission Notice on Immunity from Fines and Reduction of Fines in Cartel Cases, Official Journal C 298, 8 December 2006, p. 17.
  13. See Enforcement Guide, at para. 4.7.3.
  14. Ibid. at para. 4.7.4.
  15. For a more detailed discussion of privilege issues that can arise in global investigations, including how requests by authorities for privileged documents are treated, see Section, below, and Chapters 31 and 32 on privilege.
  16. In 2015, Deutsche Bank AG entered into a DPA with the DOJ and settlements with the US Commodity Futures Trading Commission, the Department of Financial Services and the FCA, in connection with its role in manipulating LIBOR rates. DB Group, a subsidiary of Deutsche Bank, also pleaded guilty to wire fraud for its role. Together, Deutsche Bank and its subsidiary agreed to pay over US$2 billion in penalties to US authorities and US$344 million to the FCA – then the second-largest fine in the FCA’s history.
  17. Bates numbering is a method of indexing legal documents for easy identification and retrieval.
  18. Production notices seeking documents held outside the jurisdiction of the investigating authority are complicated. For example, the authors take the view that a request made under s.165 of FSMA captures documents in a company’s custody or control outside the United Kingdom, while a request under s.2 of the Criminal Justice Act does not.
  19. For the United Kingdom see Lonrho v. Shell Petroleum [1980] 1 WLR 627.
  20. Crime (International Co-operation) Act 2003, s.7(5).
  21. Ibid., s.7(2).
  22. See e.g. Reuters, ‘Monaco raids Unaoil offices over global oil corruption probe’, available at
  23. Financial Services Authority v. Amro International [2010] EWCA Civ 123.
  25. For a recent English case dealing with the French blocking statute, see Secretary of State for Health v. Servier Laboratories; National Grid Electricity Transmission v. ABB [2014] WLR 4383.
  26. See most famously Article 47 of the Swiss Federal Act on Banks and Savings Banks (1934).
  27. See e.g. Switzerland’s entrance, in October 2013, to the Multilateral Convention on Mutual Administrative Assistance on Tax Matters, and agreement to increase transparency and exchange financial information with approximately 60 other countries.
  28. Akzo Nobel Chemicals v. European Commission (Case C-550/07, European Court of Justice, 14 September 2010). Here, the Court held that internal company communications with in-house lawyers subject to a European Commission investigation were not covered by legal professional privilege, as, for the purposes of such an investigation, an in-house lawyer was not sufficiently independent.
  29. For the United Kingdom, see s.50 of the Criminal Justice and Police Act 2001.
  30. See s.19(5) of the Police and Criminal Evidence Act 1984.
  31. See In re Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., F/ 3d (2016), 2016 WL 3770056 (2d Cir. 14 July 2016) (finding that the government could not compel Microsoft to collect data held outside of the United States that was requested in a warrant issued pursuant to the Stored Communications Act).
  32. Id.
  33. See id. at 12 (rejecting argument that a warrant should be treated as being equivalent to a subpoena).
  34. See the unsuccessful challenge to this procedure in R (McKenzie) v. Director of the Serious Fraud Office [2016] EWHC 102 in which the essential question was whether, as a matter of law, the process for isolating files that may contain LPP material into an electronic folder for review by an independent lawyer must itself be carried out by individuals who are independent of the seizing body. The court held that the procedure set out in the SFO’s Handbook for isolating material potentially subject to LPP, for the purpose of making it available to an independent lawyer for review, was lawful.
  35. See Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations available at
  36. Memorandum dated 9 September 2015 from Sally Quillian Yates re Individual Accountability for Corporate Wrongdoing available at
  37. Memorandum dated 5 April 2016 re The Fraud Section’s Foreign Corrupt Practices Act Enforcement Plan and Guidance available at
  38. The Panama Papers are available through the ICIJ’s (The International Consortium of Investigative Journalists) dedicated website:
  39. USAM 9-28.900 (internal citations omitted).
  40. Para. 2.8.2(i) DPA Code.
  41. See USAM 9-28.720 (‘Cooperation: Disclosing the Relevant Facts’).
  42. Para. 2.8.2(i) DPA Code.
  43. See USAM 9-28.720.
  44. Alun Milford, SFO General Counsel, ‘Speech to compliance professionals’ (Speech given to the European Compliance and Ethics Institute, Prague, 29 March 2016).
  45. See e.g. SFO v. XYZ (Preliminary Judgment) Crown Court, Southwark, U20150856 (20 April 2016): ‘[C]o-operation includes identifying relevant witnesses, disclosing their accounts and the documents shown to them: see para. 2.8.2(i) of the DPA Code of Practice. Where practicable it will involve making witnesses available for interview when requested. In that regard, XYZ provided oral summaries of first accounts of interviewees, facilitated the interview of current employees, and provided timely and complete responses to requests for information and material, save for those subject to a proper claim of legal professional privilege.’
  46. DPA Code, para. 2.8.2(i)
  47. ACAS ‘Code of Practice on Disciplinary and Grievance Procedures’ (2015) available at
  48. See In re Kellogg Brown & Root, Inc., 756 F.3d 754 (D.C. Cir. 2014).
  49. Id. at 760 (‘In the context of an organization’s internal investigation, if one of the significant purposes of the internal investigation was to obtain or provide legal advice, the privilege will apply. That is true regardless of whether an internal investigation was conducted pursuant to a company compliance programme required by statute or regulation, or was otherwise conducted pursuant to company policy.’) (citation omitted).
  50. [2014] EWCA Civ 136.
  51. Property Alliance Group Limited v. The Royal Bank of Scotland [2016] 4 WLR 3 at [41]–[42].
  52. See e.g. S Balber, J O’Donnell and E Head, ‘Cross-border overview: maximising privilege protection under US and English law’ in The Investigations Review of the Americas 2016 (Global Investigations Review, 2015).
  53. See Fed. R. Evid. 502(a).
  54. See Fed. R. Evid. 502(b).
  55. See Gotha City v. Sotheby’s [1998] 1 WLR 114 (CA).

Unlock unlimited access to all Global Investigations Review content