Managing Multi-Jurisdictional Investigations

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight

A credible internal investigation should be the response to any serious suspected misconduct in any company. Not only is it increasingly an expectation from regulators and law enforcement agencies, it is recognised as a matter of good corporate governance.

The number of multi-jurisdictional investigations taking place in response to cross-border misconduct is increasing. There are a number of reasons behind this increase. Globalisation brings increased cross-border business activity and with it, increased cross-border misconduct. Regulators and law enforcement authorities from different jurisdictions are cooperating in their supervision and enforcement activity and are increasingly looking at their regulated population’s extraterritorial conduct. Improved compliance frameworks in global organisations are also identifying more conduct that in the past may have gone unnoticed.

Multi-jurisdictional investigations present a number of challenges. This article addresses those challenges by examining three key topics:

•   structuring an investigation;

•   conducting an investigation; and

•   dealing with regulators and law enforcement.

Some challenges faced are identical to those in any investigation but often with a degree of added complexity. Some are unique to multi-jurisdictional investigations. These challenges create real risks for companies and need to be carefully managed.

Structuring an internal investigation

Who will conduct the investigation?

Legal privilege and independence are two key considerations when determining who should lead an investigation.

A key benefit of having the investigation led by lawyers is the legally privileged status that will often attach to the work product of the investigation. This has been a hard-learned lesson for some corporations where the primary fact-finding was undertaken by non-lawyers only to have the internal documents generated then disclosed in related private litigation.1 But privilege is not a universally recognised concept. In a multi-jurisdictional investigation, the question of establishing and maintaining privilege becomes more complex and must be carefully considered and managed, taking account of each jurisdiction.

Regulators expect internal investigations to be credible and a critical aspect in establishing that credibility is independence. Outside counsel are generally perceived to enjoy greater independence than in-house counsel. In fact, some regulators are now expressing opposition to in-house legal teams leading internal investigations. The argument underlying this objection is that in-house legal teams are more focused on ‘circling the wagons’ than ensuring a sufficiently independent investigation. In fact, some regulators take the view that outside counsel conducting an investigation should not be the company’s regular external counsel.

The independence of the investigation team may also have consequences for the maintenance of privilege. Under US law, privilege is recognised for investigations led by in-house lawyers.2 By contrast, under EU law, legal professional privilege does not protect in-house communications, principally because in-house lawyers are not considered sufficiently independent from their employers.3

It is not always necessary or proportionate to engage outside counsel. The gravity of the conduct involved will have a significant influence on this decision. For minor conduct risk events that do not have any potential criminal or significant regulatory consequences, it may be appropriate for a company’s legal function to lead the investigation, supported by internal audit or compliance. For more serious events, for instance where the conduct involves potential corruption, fraud or insider trading, it is preferable to have outside counsel engaged to direct the investigation.

Consideration should also be given to the skill sets and geographic locations needed in selecting the appropriate internal team and external experts to be engaged. From an internal perspective, a multidisciplinary team drawn from legal, compliance, internal audit and the business to assist with the investigation may be appropriate. External counsel should have the geographical reach and specialist legal knowledge to support the investigation in the key jurisdictions involved.

Any other external experts required, such as forensic accountants, should be retained by counsel. Consideration should be given to the purpose of the engagement, how this is documented and how the relationship and workflow is managed to ensure privilege is maintained. It is a good practice to ensure that the purpose of the third party adviser’s engagement is to assist counsel in providing legal advice to the company and to document that objective. This should take account of the potential variations in privilege regimes as they apply to the work product of external non-legal experts.

Having local in-house lawyers as part of the investigation team in each relevant jurisdiction will generally be of practical benefit. However, consideration should be given to whether in-house lawyers may have been involved in the circumstances of the conduct risk event, even if they are not suspected of any wrongdoing. If in-house lawyers are potential key witnesses, they should be excluded from the investigation team.

It is important to establish a protocol for the conduct of the investigation and to ensure coordination among all parties involved. External counsel should be responsible for directing the conduct of the investigation and managing the flow of information. Establishing workflow protocols at the outset will help. This coordination should also establish the responsibility and protocol for facing relevant regulators to avoid confusion and maintain a consistent message. This is especially important where multiple regulators are involved, as is often the case in multi-jurisdictional investigations.

Care should be taken to maintain the confidentiality of the investigation in order to avoid inadvertent privilege waiver. Relevant information should be disseminated on a ‘need to know’ basis.

Thought should be given to the potential need to manage interested business teams or local legal or compliance teams who may attempt to conduct their own investigations. Satellite investigations have the potential to compromise the ‘legitimate’ investigation as well as create unhelpful and potentially non-privileged material. This is particularly the case when satellite investigations are motivated by self-preservation, where reports generated may be biased and aim to shift blame to other parts of the business.

Who will the investigation team report to?

For the most part this is determined by the question: who is the client? The answer will be influenced by the corporate structure as it relates to the conduct, the geographic locations the conduct touches and whether any members of senior management are potentially implicated.

Multi-jurisdictional investigations will normally only need to be carried out for multinational corporate groups. The question of which specific entity within this group should be the client will depend on how the business is structured and how this relates to the location of the relevant conduct. Although there may be a logical local epicentre of conduct, it is in most cases best to establish a regional or potentially even global level entity and their senior management as the client. This promotes independence, allows for a better management of resources and makes the process easier should more locations become involved as the investigation unfolds.

If members of senior management are potentially implicated, whether as witnesses or wrongdoers, alternatives to reporting to senior management generally need to be considered. It might be preferable for the investigating team to report to the board of directors, the audit committee or a specially constituted committee to address any potential conflict.

The location of the investigation team and any management committee may impact regulatory reporting obligations, which should be considered when establishing a reporting structure for the investigation.

Information will inevitably need to be reported to others in the organisation besides the primary report. Entities in different locations or jurisdictions will need information for the purposes of managing their businesses and to comply with relevant local regulation. The protocol for what information is shared and in what form should be considered particularly carefully in light of the implications it can have on any claim of privilege.

How will the results of the investigation be reported?

This will depend on the purpose and audience.

Where a written report is being prepared, care should be taken to maintain privilege. The distribution of the written report might need to exclude jurisdictions where privilege might be jeopardised. Fortunately, jurisdictions where privilege is not recognised or only has a less robust equivalent also tend to have a more restrictive scope for disclosure, which can mitigate to some extent the risk that the written report will be subject to a successful disclosure request.

Where a detailed written report is prepared as part of the investigation, simply sharing this among parts of the business that require some information should be avoided. Information should instead be filtered for relevance to the recipient, provided only where absolutely needed and caveated with appropriate warnings on its strict confidentiality and restrictions on further dissemination. Verbal reports should be favoured over written reports for this purpose where possible. Where extracting from or referring directly to the findings of any final report is needed, the potential implications for any claim to privilege over the detailed report should be carefully considered.

It is now common to receive requests from regulators to waive privilege and provide the report as an act of cooperation. Such disclosure will normally be made under a limited waiver of privilege. This involves a waiver as it applies to the regulator who has agreed to maintain the report’s confidentiality, but not waiving privilege as it applies to the rest of the world. Such disclosure can have benefits as an act of cooperation. Where the company’s response to a conduct risk event has been exemplary, providing the report is the most credible way of evidencing that response.

The concept of selected waiver does have judicial support in many jurisdictions but the consequences of a limited waiver remain unpredictable, particularly in a multi-jurisdictional investigation.4There will often be a real risk that, submitting a report to one or more regulators under strict confidentiality will still result in a waiver as it applies, for instance, to third parties in subsequent private litigation. Therefore, companies must assess the benefits and risks before voluntarily disclosing any privileged document to a regulator.

The possibility of an investigation report being disclosed to a regulator or to a third-party litigant should be kept in mind from the beginning of any investigation. Accordingly, the purpose, content and clarity of an investigation report should be a focus for the investigation team.

Conducting an investigation

Determining the scope of the investigation

The first step is to identify the relevant events underlying the allegations. This is only possible after a preliminary investigation. In determining the scope, being proactive does not mean there is a need to ‘aimlessly boil the ocean’. The US Department of Justice and Securities and Exchange Commission officials have recently cautioned against unnecessarily prolonging or expanding internal corruption investigations. The assistant attorney general, Leslie Caldwell, went so far as to suggest that some companies’ overly broad investigations had even hindered the DoJ’s efforts to resolve matters in a timely fashion.5

This must be balanced against the need to ask: if this is happening here, is it happening elsewhere? Consideration should be given to different business lines and to different jurisdictions. Financial institutions involved in Libor manipulation faced criticism for failing to consider whether there may have be similar or related misconduct involving other benchmarks within the bank.6

Accordingly, a good internal investigation should be focused on the matter in hand and the possible compliance failings that permitted the event to occur, but should also appropriately encompass possible systemic issues. This will necessarily be a balancing exercise.

More specific parameters must then be determined, such as the relevant:

•   time period;

•   geographic locations;

•   jurisdictions; and

•   employees.

The relevant geographic locations and jurisdictions will not always be the same. Some laws have extraterritorial application, such as anti-corruption or financial market misconduct legislation, which may mean a jurisdiction will become relevant even though the primary misconduct occurred outside that jurisdiction’s borders.

Finally, the scope of the investigation will need to be expanded if significant new issues emerge. This is not a failing of the initial scoping exercise but a reality of conducting complex investigations.

How will information be collected and reviewed?

The investigation team should identify key data sources, establishing what type of data is required and where that data is stored. Data can include communications data such as e-mail, instant messaging logs and voice recordings as well as non-communications data such as financial records, trading records, system logs or other business documents. Data collection and processing can represent a significant challenge in multi-jurisdictional investigations and, if not attended to promptly, can delay commencement of a thorough investigation.

In determining the scope of documents or data collection, the investigation team needs to take into account the possibility that it may receive regulatory requests at a later time whose scope might be broader than the time period, locations and employees the company identified for its internal investigation. Similarly, opting for broader extraction criteria, even if initially there is an intention to only process and review a subset, may be more efficient in circumstances where it will be difficult or costly to undertake a second extraction in the event the scope of the investigation expands.

Other than extraction of information held centrally on servers, consideration should be given to key employees’ data stored locally on devices such as laptops, desktops, smartphones, tablets or portable hard drives. The investigation team will need to consider the company’s right to access these, whether these need to be secured immediately to preserve evidence and how best to undertake this process. Where devices have not been secured promptly the company may face criticism from regulators or law enforcement should the devices later be required for a criminal investigation or prosecution.

The investigation team should also examine the organisation’s document retention policies to identify when data is archived and how long it will be preserved. Processes may differ between data types and jurisdictions. Where data may be needed in future (even if it is not being extracted immediately) regular data destruction processes should be halted.

A litigation hold notice should be issued, informing all employees with access to potentially relevant data to stop the normal process of disposal of data, to not destroy any potentially relevant hard-copy or soft-copy documents and to make materials available to the investigation team. The hold notice should remind employees of the possibility of having to disclose all relevant internal documents in litigation or regulatory proceedings, which would include informal e-mails and chats. This can avoid the creation of unhelpful documents commenting on the conduct risk event in question.

Once relevant data is preserved, the next step is the review of that data. Transfer of information across borders is often challenging, as local data privacy and state secrecy laws may impose restrictions.

The scope of state secrecy laws can be broad and ambiguous. For instance, PRC state secrecy laws restrict transfer of a broad list of items that may be state secrets and include a catch-all provision for ‘other matters that are classified as state secrets by the National State Secrets Bureau’.7

Similarly, the restrictions imposed by data privacy laws can be significant. For instance, EU data privacy and protection laws casts a wide net in terms of what constitutes ‘personal data’ and imposes onerous restrictions on its processing, transfer and security.

Local regulation should be considered for each jurisdiction data is being extracted from. If data cannot be transferred to the desired review location, a satellite investigation team might need to be established to review data locally with appropriate controls to ensure the review itself and the reporting of its results also do not violate local law.

The investigation team will need to develop a document review plan, accounting for the volume of data, reviewer language or other expertise necessary and how the data population can sensibly be narrowed. This will involve identifying search criteria (eg, a combination of time frame, search terms and custodians) as well as potentially more than one phase of review (eg, using less expensive resources for a ‘first pass’ review). There are tools available to make the review process more efficient. Predictive coding is becoming increasing popular in litigation but can have application in investigations as well. Predictive coding combines human review with machine learning in order to ‘train’ document review software to recognise relevant documents.

Although predictive coding greatly increases the efficiency of the review process, it is still a relatively young technology. Even in jurisdictions where it has gained general judicial acceptance there is still uncertainty as to how and when it should be deployed. This is less of an issue outside traditional litigation where formal court processes apply, although there is a risk that a regulator may take the view that a predictive coding assisted review lacks credibility.

What needs to be considered when interviewing employees?

The investigation team should identify employees they wish to interview then determine who should conduct these interviews and how these interviews should be conducted.

The team should be mindful of the extent to which privilege covers the notes of interviews with employees. For interview notes prepared in jurisdictions where privilege is not recognised, the company may at a later stage be compelled to disclose those notes to litigants or regulators. Even in jurisdictions where privilege is recognised, the nature of the protection can differ, which needs to be considered when structuring and documenting interviews.

Steps that can be taken to protect privilege include:

•   having a lawyer lead or at least co-lead the interview where non-legal staff are required to conduct substantive questioning;

•   explaining to the interviewee employee that the lawyers represent the company not the interviewee, that the interview is privileged and confidential, but such privilege belongs to the company and may be waived in the future if the company wishes to disclose the notes of the interview (known as an Upjohn warning);8 and

•   having a designated note-taker (preferably a lawyer) who will produce the sole note of interview, which should be clearly marked privileged and confidential.

Where an employee is suspected to have committed an offence, depending on the law and best practice in the relevant jurisdiction, the investigation team should consider giving a specific caution to the interviewee on incriminating themselves in the interview. Aside from affording the employee procedural fairness, the failure to caution can have an impact on the admissibility of any confessions made in subsequent criminal proceedings against the individual, particularly where the company is actively cooperating with law enforcement.

Interviewees often ask independent legal representation about their rights. A policy for the investigation should be considered in advance, which may differ between jurisdictions depending on local requirements or practices. The approach adopted will often be to allow interviewees to bring their own lawyer.

The investigation team should also consider local legal and cultural issues. For instance, it may be necessary or preferable for local lawyers to lead interviews and for interviews to be conducted in the interviewee’s first language. Cultural differences or language barriers may undermine the fact-finding purpose of the interview by making the employee feel uncomfortable or hesitant.

Advice from local lawyers on best practice in each jurisdiction should always be sought prior to conducting interviews. There may be relatively straightforward steps that can be taken to avoid significant collateral issues arising from interviews.

Similarly, the investigation team should understand any common risks regarding methods of undermining investigations or retaliation and seek advice on ways to mitigate these. Engaging a third-party security specialist may be necessary in particularly volatile situations or in unstable locations.

Engagement with one or more regulators may be necessary before conducting interviews. A variety of approaches can be taken by regulators, which includes:

•   requesting that certain employees not be spoken to until the regulator has had the opportunity to interview them;

•   requesting that potential wrongdoers not be alerted to the existence of an investigation until the regulator has had the chance to conduct its own further inquiries (which obviously prevents any internal interview with those individuals from taking place); or

•   requiring that the interview plan or list of questions for certain employees be provided to the regulator for their review and comment prior to the interview and that the interview notes are disclosed once prepared.

What action should be taken in response to the findings of the investigation?

The two main responses to any internal investigation will be disciplining wrongdoers and strengthening policies, procedures, systems and controls.

Even before the conclusion of the investigation, consideration should be given to whether those suspected of wrongdoing need to be suspended pending the completion of the investigation. This maintains the integrity of the investigation and minimises the risk of further issues for the company. Regulators may have an expectation that such action be taken or that, at the very least, increased supervision is implemented. Rights of suspension and the potential for claims of adverse action or constructive dismissal will vary between jurisdictions, so local employment law should be considered.

Similarly, although the approach to disciplining wrongdoers should ideally be consistent, employment laws and contractual variances between jurisdictions will have an impact. Regulators will generally expect a disciplinary outcome to be proportionate with the findings of wrongdoing. With an increasing focus on promoting an ethical and compliant culture within companies, many regulators actively discourage companies from letting wrongdoers resign quietly. However, jurisdictions with very protective employment laws may make this difficult and companies will need to carefully balance disciplinary outcomes in this respect.

The company should also strengthen any internal policies, procedures, systems or controls as soon as it is clear that such procedures and controls are found to need enhancement. Although there can be a natural hesitance to do so, given that it may be interpreted as an admission that they were inadequate, it is generally better to be proactive. Furthermore, improvements should be made where needed across all relevant locations and not just where the conduct risk event occurred.

Dealing with regulators and law enforcement

Are any reporting obligations triggered?

Regulatory reporting obligations should be considered once a preliminary investigation has been completed. It may seem attractive to delay consideration until the conclusion of a full investigation, when all the facts are known. However, reporting obligations need to be considered much earlier and potentially revisited throughout the investigation. This is because obligations may be triggered by a mere suspicion and, once triggered, there may be a relatively short window within which reporting is required.

This is not to say that the decision to report a matter should be taken hastily. Particularly where self-reporting a breach of laws or regulations, caution should be exercised in framing the report. The potential for reports to contain damaging admissions and be used in actions against the company should be kept in mind.

There a number of categories of reporting obligations that tend to arise and require consideration and advice where an internal investigation identifies potentially criminal conduct. These include the following:

•   licensed financial institutions in many jurisdictions will often have broad self-reporting obligations. These may include the need to self-report any material breach of financial services law or regulation by the institution or its employees. The obligation imposed on firms regulated by the UK Financial Conduct Authority is a more extreme example, which requires firms to report any matter of which the regulator would reasonably expect to be informed;9

•   financial market participants may also be required to report any suspicious market activity (for instance transactions that may constitute insider trading or market manipulation) whether this involves an employee, a client or another market participant;10

•   anti-money laundering legislation will often impose a reporting obligation triggered by suspicious transactions that may be linked to criminal activity or knowledge or possession of property suspected to be the proceeds or instrument of a crime. Obligations in some jurisdictions apply to a broader class of persons and institutions than banks and other financial institutions but how wide the net is cast will vary by jurisdiction;11

•   in some jurisdictions, there may even be an obligation to report knowledge of any serious criminal act;12 and

•   listed companies may have market disclosure obligations in certain circumstances depending on the impact the wrong-
doing has on the business. For instance, companies listed on a US exchange will be required to disclose material adverse developments. A finding that serious wrongdoing has occurred that renders the company’s publicly reported results materially inaccurate would be required to be disclosed.

Companies will need to consider carefully where it may have reporting obligations. This will not necessarily be limited to those jurisdictions in which the relevant conduct took place. For instance, any obligations to regulators in the company’s home jurisdiction should be considered as well as any jurisdictions where the business may be impacted by the relevant conduct.13

An example of a very broad reporting obligation which may be unexpectedly triggered is found in Singaporean legislation.14 The act imposes an obligation to file a suspicious transaction report where any person or corporate located in Singapore, as a result of business activities, has knowledge or a suspicion that any property may be connected to criminal activity. Neither the property nor the crime is required to have any connection with Singapore.

Even where there is no strict reporting obligation, companies should consider the possibility of voluntary self-reporting where appropriate. For instance, where there is a reporting obligation in one relevant jurisdiction but not another, it may be prudent to voluntarily self-report in relevant jurisdictions concurrently with satisfying mandatory reporting obligations in others. Indeed, a company self-reporting to a regulator in one jurisdiction should anticipate that the report will become known to regulators in other jurisdictions. Early voluntary self-reporting may also be indicative of active cooperation. Whether voluntary self-reporting is advisable will very much depend on the facts and the regulatory climate of each jurisdiction.

For listed companies, consideration will also need to be given as to whether and when any disclosure needs to be made to the market under periodic or continuous disclosure obligations.

In circumstances where an event is assessed but is determined not to be reportable, companies should consider documenting this decision making process in case it is ever called into question by a regulator.

How do secrecy obligations impact interactions with multiple regulators?

In many jurisdictions the involvement of any regulator will be accompanied by secrecy obligations. These will restrict the extent to which the company can disclose the existence and details of regulatory inquiries or investigations. In the context of multi-jurisdictional investigations, it also restricts the extent to which the company can share the fact of involvement of one regulator with other regulators. This has the potential to place companies in a difficult situation if they are asked by a regulator which other regulators are aware of or have made enquiries about the relevant conduct. It will normally be possible to get relevant regulators’ approval for disclosure of an investigation to other regulators, but the discussions seeking this consent should be undertaken with great care.

What does cooperation look like?

Regulators will often have a formal policy that incentivises cooperation by making more favourable outcomes and reduced penalties available. As a general rule, cooperation does not mean simply complying with lawful requests from a regulator. Although guidance will vary between jurisdictions and between regulatory and law enforcement bodies, there are some common threads, which include:

•   self-reporting the occurrence of misconduct at the earliest opportunity;

•   taking the initiative to undertake a credible investigation to examine the nature, extent, origins and consequences of the misconduct;

•   opening a frank dialogue with the regulator and providing regular and meaningful updates on the progress of the investigation;

•   involving regulators in devising the terms of reference for a review by independent experts and in subsequent stages;

•   taking appropriate remedial measures in respect of personnel involved in or bearing responsibility for the matter, including dismissal or other disciplinary action;

•   instituting necessary improvements or modifications of the firm’s processes, internal controls or management structure;

•   appropriately identifying and assessing compensation for those adversely affected by the misconduct (eg, customers, counterparties or other third parties) and promptly paying redress;

•   making available to regulators the complete results of (i) the investigation into the misconduct; and (ii) any review work into deficiencies in the company’s processes, internal controls or management structure including improvements made;

•   voluntarily providing significant relevant material or information to the regulator not directly requested and of which the regulator might otherwise not have been aware;

•   waiving legal professional privilege that attaches to any of the disclosures referred to above;

•   involving senior management of the company in liaison with regulators and in overseeing the implementation of remedial measures or the payment of compensation;

•   quickly agreeing the facts with the regulators and actively seeking to agree a basis on which appropriate enforcement action against the company could be concluded; and

•   providing intelligence useful to regulators and law enforcement that contributes to successful enforcement action against other companies or individuals involved in any misconduct.

An overarching strategy should be developed when a company is looking to cooperate with multiple regulators across different jurisdictions. Cooperation will be viewed favourably in settlement discussions with all regulators. However, the formal framework for recognition of cooperation and each regulator’s history of rewarding cooperation should be taken into consideration when considering how best to approach the issue of cooperation. The incentives to cooperate and the benefit available to the company must be balanced against the need to preserve privilege and defences. Where multiple regulators are involved there may be varying degrees of certainty around the benefits of cooperation that needs to be considered in devising the overall strategy. The different offences and available defences that a company may face in different jurisdictions also need to be accounted for. Taking into account these complexities, the overarching strategy should strive, where possible, to take a consistent approach to cooperation.

What are the challenges of settling with multiple regulators?

When companies are dealing with a single regulator, there is an opportunity to influence the enforcement narrative. This process can facilitate a resolution of the matter by settlement, where the company and the regulator find common ground on what the important facts and issues are. While this is still possible with multiple regulators it can be more difficult. Regulators will have different enforcement or regulatory cultures, as well as varying focus areas and agendas, which complicates the process and may make settlement more difficult.

Companies may also be unable to settle with all regulators concurrently. Obviously global comfort is ideal but this is not always possible. There is increasing coordination and cooperation among regulators but there will always be at least some complication in settlement discussions. At its worst, companies face the risk of regulatory competition: regulatory institutions or individuals wanting to make a name for themselves by breaking from the pack.15 This risks disrupting a global settlement. Differences in settlement frameworks and the tools available to individual regulators may also pose challenges for coordination.


There are a number of general observations that can be made in conclusion.

First, the legal and regulatory regimes between jurisdictions will often be inconsistent. They will clash and a perfect solution for the company’s next steps will not be available. The approach adopted may need to be a compromise; attempting to walk a fine line of compliance with the two (or more) competing regimes or regulators.

Second, handling information and managing the flow of that information is important. The flow of information to different entities and across borders can have consequences under the various laws relating to data privacy, state or regulatory secrecy obligations, reporting obligations and legal privilege.

Third, an understanding of local law, business and culture is important in every jurisdiction. Investigation teams should be ready to tailor the approach taken to account for differences where this is necessary and appropriate.

Fourth, it is useful to regularly reflect on the investigation and consider the overall approach and priorities afresh. Does the scope still make sense? Is the investigation plan achieving what it sought to? Is regulatory engagement where it should be? Is anything being missed?

Lastly, coordination is critical. The geographic dispersion and multitude of internal and external stakeholders can make the conduct of multi-jurisdictional investigations particularly challenging.

The authors wish to acknowledge the contributions of Jeremy Birch, senior associate in Hong Kong, and Geng Li and Zhang Siyu, associates in Hong Kong, in drafting this article.


  1. See, eg, Wultz v Bank of China, 2015 WL 362667 (S.D.N.Y.) (granting motion to compel disclosure of internal investigation documents that were not prepared at the direction of counsel).
  2. See, eg, In re Kellogg Brown & Root, Inc, 2014 WL 2895939 (D.C. Cir.) (holding that ‘a lawyer’s status as in-house counsel does not dilute the privilege.’).
  3. See case C-550/07P, Akzo Nobel Chems. Ltd & Ackros Chems. Ltd v Comm’n, 2010 E.C.R. I-08301.
  4. See generally Andrew Eastwood, Providing Your Legal Advice to the Regulator, 41 Austl. Bus. L. Rev. 66 (2013).
  5. See Leslie R. Caldwell, Assistant Attorney Gen., Dep’t of Justice, Remarks at New York University Law School’s Program on Corporate Compliance and Enforcement (17 April 2015) (transcript available at
  6. See eg, News, UK Financial Conduct Authority, FCA fines five banks £1.1 billion for FX failings and announced industry-wide remediation programme (Nov. 12, 2014), (last visited 27 July 2015).
  7. See Baoshou Guojia Mimi Fa (Law on Guarding State Secrets) (promulgated by the Standing Committee of the National People’s Congress, 29 April 2010, effective 1 October 2010) section 9 LawInfoChina (last visited 27 July 2015) (PRC).
  8. The phrase is derived from the decision in Upjohn Co. v United States, 449 US 383 (1981).
  9. See UK Financial Conduct Authority, Financial Conduct Authority Handbook, Section 2.1, Principle 11 (Sweet & Maxwell), available at
  10. See, eg, UK Financial Conduct Authority, Financial Conduct Authority Handbook, SUP Section 15.10, (Sweet & Maxwell), available at; Hong Kong Securities & Futures Commission, Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission, section 12.5(f), available at; Australian Securities & Investment Commission, Market Integrity Rules (ASX Market) 2010, section 5.11, available at; 31 C.F.R. section 1023.320 (2015) (reporting duties for brokers and dealers).
  11. See, eg, Drug Trafficking (Recovery of Proceeds) Ordinance and Organized and Serious Crime Ordinance, (2002) Cap. 455, 29, section 25A, available at (H.K.); Proceeds of Crime Act, 2002, c. 29, 327 – 340, pt. 7, available at (Eng.); Anti-Money Laundering and Counter-Terrorism Financing Act, 2006, 99, section 41, available at (Australia); 12 C.F.R. section 21.11 (2015).
  12. For instance, section 316 of the Crimes Act 1900 (NSW) makes it a crime where a person knows or believes an indictable offence has been committed and has information which might be of material assistance in securing the apprehension of the offender or the prosecution or conviction of the offender to fail to report that matter to the police.
  13. See, eg, Hong Kong Securities & Futures Commission, Circular to Intermediaries Regarding Compliance with Notification Requirements (11 May 2015), available at; Australian Securities & Investment Commission, Market Supervision Update, June 2015, Investment Banks - Compliance Engagement Program, available at; UK Financial Conduct Authority, Final Notice to Goldman Sachs International (9 September 2010), available at
  14. See Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act, (2014) Cap. 65A, 60 -61, section 39(1), available at (Singapore).
  15. See, eg, Liz Rappaport, Max Colchester & Damian Paletta, Regulators Seek Unity in UK Bank Talks, Wall Street Journal, 9 August 2012, available at

Unlock unlimited access to all Global Investigations Review content