Managing Multi-jurisdictional Investigations
This chapter examines issues companies should be aware of when navigating multi-jurisdictional investigations.
- Structuring an investigation
- Conducting an investigation
- Dealing with regulators and law enforcement
Referenced in this article
- Financial Conduct Authority (UK)
- Financial Conduct Authority Handbook (UK)
- Department of Justice (US)
- Evaluation of Corporate Compliance Programs (US)
- Principles of Federal Prosecution of Business Organizations (US)
- Australian Securities and Investments Commission (ASIC)
- Securities & Futures Commission (Hong Kong)
A credible internal investigation should be the response when things have gone wrong in any company, especially when considering potential serious misconduct. Not only do regulators and law enforcement increasingly expect a credible investigation, but a credible investigation is also recognised as a matter of good corporate governance.
Multi-jurisdictional investigations present several challenges that create risks for companies and require careful management. This article identifies a number of those risks and outlines strategies for managing them by examining three key topics:
- Structuring an investigation
- Conducting an investigation
- Dealing with regulators and law enforcement
Structuring an internal investigation
Who will conduct the investigation?
Legal privilege and independence are two key considerations when determining who should lead an investigation.
A key benefit of having the investigation led by lawyers is the legally privileged status that will often attach to the communications and work product surrounding the investigation. In many jurisdictions, the privilege will attach even when much of the primary information gathering is conducted by non-lawyers, so long as they are working under the direction of lawyers. This has been a hard-learned lesson for some corporations when the primary fact-finding was undertaken or directed by non-lawyers only to have the internal documents generated then disclosed in related private litigation. But privilege is not a universally recognised concept, and even where recognised, the privilege is not absolute. In a multi-jurisdictional investigation, the question of establishing and maintaining privilege becomes more complex and must be carefully considered and managed, taking account of each jurisdiction.
Regulators expect internal investigations to be credible, and a critical aspect in establishing that credibility is independence. As a Director of Enforcement at the UK FCA once remarked, ‘there are many cases . . . when relying on firms’ internal reports has no place.’ Consequently, regulators may expect to initiate their own investigations and may also expect that firms’ investigations are conducted by third parties to establish a sufficient degree of independence. United States law enforcement and regulators expect investigations to be ‘independent, objective, appropriately conducted, and properly documented’. Most importantly, a credible investigation marked by ‘diligence, thoroughness and speed’, together with ‘timely and voluntary disclosure of wrongdoing’, are crucial factors US prosecutors consider in deciding whether to bring charges against a corporation or, when doing so, whether to recommend a reduced sentence.
Outside counsel are generally perceived to enjoy greater independence than in-house counsel. Depending on the circumstances, some regulators will express opposition to in-house legal teams leading internal investigations. The argument underlying this objection is that in-house legal teams are more focused on ‘circling the wagons’ or ‘marking their own homework’ than ensuring a sufficiently independent investigation. In addition, some regulators and prosecutors take the view that, in order to avoid any potential conflicts of interest with respect to retaining regular external counsel, it is sometimes good practice for corporations to engage outside counsel they may not ordinarily hire.
The independence of the investigation team may also have consequences for the maintenance of privilege. Under US law, privilege is recognised for investigations led by in-house lawyers. By contrast, under EU law, legal professional privilege does not protect in-house communications, principally because in-house lawyers are not considered sufficiently independent from their employers.
It is not always necessary or proportionate to engage outside counsel. The gravity of the issues, malfeasance or conduct involved will have a significant influence on this decision. For minor conduct or risk events that do not have any potential criminal or significant regulatory consequences, it may be appropriate for a company’s legal function to lead the investigation, supported by internal audit, HR or compliance. For more serious events, for instance where the conduct involves potential corruption, fraud or insider trading, it is preferable to have outside counsel engaged to direct the investigation.
Consideration should also be given to the skill sets and geographic locations needed in selecting the appropriate internal team and external experts. From an internal perspective, a multidisciplinary team drawn from legal, compliance, internal audit and the business to assist with the investigation may be appropriate. External counsel should have the geographical reach and specialist legal knowledge to support the investigation in the key jurisdictions involved.
Any other external experts required, such as forensic accountants, should be retained by counsel. Consideration should be given to the purpose of the engagement, how this is documented and how the relationship and workflow are managed to ensure privilege is maintained. It is good practice to ensure that the purpose of the third-party adviser’s engagement is to assist counsel in providing legal advice to the company and to document that objective. This should take account of the potential variations in privilege regimes as they apply to the work product of external non-legal experts.
Having local in-house lawyers as part of the investigation team in each relevant jurisdiction will generally be of practical benefit. However, consideration should be given to whether in-house lawyers may have been involved in the circumstances of the conduct or risk event, even if they are not suspected of any wrongdoing. If in-house lawyers are potential key witnesses, they should be excluded from the investigation team.
It is important to establish a protocol for the conduct of the investigation and to ensure coordination among all parties involved. External counsel should be responsible for directing the conduct of the investigation and managing the flow of information. Establishing workflow protocols at the outset will help. This coordination should also establish the responsibility and protocol for facing relevant regulators to avoid confusion and maintain a consistent message. This is especially important where multiple regulators are involved, as is often the case in multi-jurisdictional investigations. While regulators in some countries may expect to hear from outside counsel, regulators in other countries may expect to hear from company management.
Care should be taken to maintain the confidentiality of the investigation in order to avoid inadvertent privilege waiver as well as to maintain the integrity of the investigation itself. Relevant information should be disseminated on a need-to-know basis.
Thought should be given to the potential need to manage interested business teams or local legal or compliance teams who may attempt to conduct their own investigations. Satellite investigations have the potential to compromise the ‘legitimate’ investigation as well as create unhelpful and potentially non-privileged material. This is particularly the case when satellite investigations are motivated by self-preservation, where reports generated may be biased and aim to shift blame to other parts of the business.
Who will the investigation team report to?
For the most part, this is determined by the question: who is the client? The answer will be influenced by the corporate structure as it relates to the conduct, the geographic locations the conduct touches and whether any members of senior management are potentially implicated.
Multi-jurisdictional investigations will normally only need to be carried out for multinational corporate groups. The question of which specific entity within this group should be the client will depend on how the business is structured and how this relates to the location of the relevant conduct. Although there may be a logical local epicentre of conduct, it is in most cases best to establish a regional or potentially even global-level entity and its senior management as the client. This promotes independence, allows for better management of resources and makes the process easier should more locations become involved as the investigation unfolds.
If members of senior management are potentially implicated, whether as witnesses or wrongdoers, alternatives to reporting to senior management generally need to be considered. It might be preferable for the investigating team to report to the board of directors, the audit committee or a specially constituted committee to address any potential conflict.
The location of the investigation team and any management committee may impact regulatory reporting obligations, which should be considered when establishing a reporting structure for the investigation.
Information will inevitably need to be reported to others in the organisation besides the primary report. Entities in different locations or jurisdictions will need information for the purposes of managing their businesses and to comply with relevant local regulation. The protocol for what information is shared and in what form should be considered particularly carefully in light of the implications it can have on any claim of privilege.
How will the results of the investigation be reported?
This will depend on the purpose and audience.
Where a written report is being prepared, care should be taken to maintain privilege. The distribution of the written report might need to exclude jurisdictions where privilege might be jeopardised. Fortunately, jurisdictions where privilege is not recognised or only has a less robust equivalent also tend to have a more restrictive scope for disclosure, which can mitigate to some extent the risk that the written report will be subject to a successful disclosure request.
Where a detailed written report is prepared as part of the investigation, simply sharing this among parts of the business that require some information should be avoided. Information should instead be filtered for relevance to the recipient, provided only where absolutely needed and caveated with appropriate warnings on its strict confidentiality and restrictions on further dissemination. Verbal reports should be favoured over written reports for this purpose where possible. Where extracting from or referring directly to the findings of any final report is needed, the potential implications for any claim to privilege over the detailed report should be carefully considered.
It is now common to receive requests from regulators to waive privilege and provide the report as an act of cooperation. For example, although the United States Department of Justice has expressed unambiguous support for the attorney-client privilege and clarified that ‘prosecutors should not ask for such waivers and are directed not to do so’, industry complaints on this issue persist in a country with a very wide array of state and federal regulators and law enforcement authorities that do not always share common approaches to enforcement. Such disclosure will normally be made under a limited waiver of privilege. This involves a waiver as it applies to the regulator or law enforcement body who has agreed to maintain the report’s confidentiality, but not waiving privilege as it applies to the rest of the world. Such disclosure can have benefits as an act of cooperation. Where the company’s response to a conduct risk event has been exemplary, providing the report is the most credible way of evidencing that response.
The concept of limited waiver does have judicial support in many jurisdictions, but the consequences of a limited waiver remain unpredictable, particularly in a multi-jurisdictional investigation. There will often be a real risk that submitting a report to one or more regulators under strict confidentiality will still result in a waiver as it applies, for instance, to third parties in subsequent private litigation. Therefore, companies must assess the benefits and risks before voluntarily disclosing any privileged document to a regulator. In the jurisdictions where limited waiver is recognised, best practice is generally to seek an explicit confidentiality agreement with any government entity when considering making a disclosure of privileged information to that entity.
The possibility of an investigation report being disclosed to a regulator or to a third-party litigant should be kept in mind from the beginning of any investigation. Accordingly, the purpose, content and clarity of an investigation report should be a focus for the investigation team.
Conducting an investigation
Determining the scope of the investigation
The first step is to identify the relevant events underlying the allegations. This is only possible after a preliminary investigation. In determining the scope, being proactive does not mean there is a need to ‘aimlessly boil the ocean’. While in the past, DOJ officials have stated that some companies’ overly broad investigations had even hindered the DOJ’s efforts to resolve matters in a timely fashion, more recent statements from Deputy Attorney General Lisa Monaco of the Department of Justice have clarified that it is now expected that internal investigations will identify ‘all individuals involved in or responsible for the misconduct at issue’ regardless of seniority in order to be eligible for cooperation credit. Companies must therefore balance thoroughness with the need to satisfy evolving expectations regarding the scope of an investigation.
This must further be balanced against the need to ask: if this is happening here, is it happening elsewhere? Regulators expect that consideration should be given to different business lines and to different jurisdictions. Financial institutions involved in Libor manipulation faced criticism for failing to consider whether there may have been similar or related misconduct involving other benchmarks within the bank.
Accordingly, a good internal investigation should be focused on the matter in hand and the possible compliance failings that permitted the event to occur but should also appropriately encompass possible systemic issues. This will necessarily be a balancing exercise.
More specific parameters must then be determined, such as the relevant:
- time period;
- geographic locations;
- jurisdictions; and
The relevant geographic locations and jurisdictions will not always be the same. Some laws have extraterritorial application, such as anti-corruption or financial market misconduct legislation, which may mean a jurisdiction will become relevant even though the primary misconduct occurred outside that jurisdiction’s borders.
Finally, the scope of the investigation will need to be expanded if significant new issues emerge. This is not a failing of the initial scoping exercise but a reality of conducting complex investigations.
How will information be collected and reviewed?
The investigation team should identify key data sources, establishing what type of data is required and where that data is stored. Data can include communications data such as email, instant messaging logs and voice recordings as well as non-communications data such as financial records, trading records, system logs or other business documents. Data collection and processing can represent a significant challenge in multi-jurisdictional investigations, especially in light of the introduction of data protection and other laws restricting the transfer of information across borders in recent years (discussed further below). These issues need to be addressed promptly, or they can delay commencement of a thorough investigation.
In determining the scope of documents or data collection, the investigation team needs to take into account the possibility that it may receive regulatory requests at a later time whose scope might be broader than the time period, locations and employees the company identified for its internal investigation. Similarly, opting for broader extraction criteria, even if initially there is an intention to only process and review a subset, may be more efficient in circumstances where it will be difficult or costly to undertake a second extraction if the scope of the investigation expands.
Other than extraction of information held centrally on servers, consideration should be given to key employees’ data stored locally on devices such as laptops, desktops, smartphones, tablets or portable hard drives. The investigation team will need to consider the company’s right to access these, whether these need to be secured immediately to preserve evidence and how best to undertake this process. Where devices have not been secured promptly the company may face criticism from regulators or law enforcement should the devices later be required for a criminal investigation or prosecution.
The investigation team should also examine the organisation’s document retention policies to identify when data is archived and how long it will be preserved. Processes may differ between data types and jurisdictions. Where data may be needed in future (even if it is not being extracted immediately) regular data destruction processes should be halted.
A litigation hold notice should be issued, informing all employees with access to potentially relevant data to stop the normal process of disposal of data, to not destroy any potentially relevant hard-copy or soft-copy documents and to make materials available to the investigation team. The hold notice should remind employees of the possibility of having to disclose all relevant internal documents in litigation or regulatory proceedings, which would include informal emails and chats. This can avoid the creation of unhelpful documents commenting on the conduct risk event in question. Companies should also take note that regulators are beginning to expect access to employees’ private chats through messaging apps such as WhatsApp. Companies will need to carefully consider how to balance regulatory expectations and related data privacy concerns across multiple jurisdictions.
Once relevant data is preserved, the next step is the review of that data. Transfer of information across borders is often challenging, as local data privacy and state secrecy laws, as well as other blocking statutes, may impose restrictions.
The scope of state secrecy laws can be broad and ambiguous. For instance, China’s state secrecy laws restrict transfer of a broad list of items that may be state secrets and include a catch-all provision for ‘other matters that are classified as state secrets by the National State Secrets Bureau’.
Similarly, the restrictions imposed by data privacy laws can be significant. For instance, the EU’s General Data Protection Regulation (GDPR) casts a wide net in terms of what constitutes ‘personal data’ (ie, any information relating to an identified or identifiable natural person) and imposes onerous restrictions on its processing, transfer and security with extensive extraterritorial application. Its obligations on the handling and processing of data include transparency or notification obligations, which can present challenges in the context of investigations. Data transfers to third parties or across borders can also create difficulties. Similar restrictions to those under GDPR are imposed by the PRC Personal Information Protection Law, which came into effect more recently, in November 2021.
In addition to state secrecy and data privacy laws as outlined above, a number of Chinese laws contain provisions that may further restrict the provision or transfer of information outside China. For instance, the International Criminal Judicial Assistance Law provides that organisations and individuals within the territory of China shall not provide assistance in criminal proceedings outside the jurisdiction without the approval of the competent authorities. Similar prohibitions can be found in China’s Data Security Law and the Personal Information Protection Law. Companies should consider whether these laws may apply, and if so, how the risks arising from these laws can be managed.
If, having considered the local laws and regulations for the relevant jurisdictions, data cannot be transferred to the desired review location, a satellite investigation team might need to be established to review data locally with appropriate controls to ensure the review itself and the reporting of its results also do not violate local law.
The investigation team will need to develop a document review plan, accounting for the volume of data, reviewer language or other expertise necessary and how the data population can sensibly be narrowed. This will involve identifying search criteria (eg, a combination of time frame, search terms and custodians) as well as potentially more than one phase of review (eg, using less expensive resources for a first pass review). There are tools available to make the review process more efficient. Predictive coding is becoming increasingly popular in litigation but can have application in investigations as well. Predictive coding combines human review with continuous machine learning to train document review software to recognise relevant documents. Predictive coding is increasingly being embraced by enforcement authorities. In the UK, for example, the Serious Fraud Office has adopted an AI document review system that is able to recognise patterns and group information by subject, allowing the authority to deal with the increasingly vast amounts of data involved in investigations.
Although predictive coding greatly increases the efficiency of the review process, even in jurisdictions where it has gained general judicial acceptance there is still uncertainty as to how and when it should be deployed in an investigations context and there is a risk that a regulator or law enforcement may take the view that a predictive coding assisted review lacks credibility.
What needs to be considered when interviewing employees?
The investigation team should identify the employees it wishes to interview, then determine who should conduct these interviews and how they should be conducted.
The team should be mindful of the extent to which privilege covers the notes of interviews with employees. For interview notes prepared in jurisdictions where privilege is not recognised, the company may at a later stage be compelled to disclose those notes to litigants or regulators. Even in jurisdictions where privilege is recognised, the nature of the protection can differ, which needs to be considered when structuring and documenting interviews.
Steps that can be taken to protect privilege include the following:
- Having a lawyer lead or at least co-lead the interview where non-legal staff are required to conduct substantive questioning.
- Explaining to the employee being interviewed that the lawyers represent the company, not the interviewee, and that the interview is privileged and confidential, but that such privilege belongs to the company and may be waived in the future if the company wishes to disclose the notes of the interview (known as an Upjohn warning).
- Having a designated note-taker (preferably a lawyer) who will produce the sole notes of the interview, which should be clearly marked privileged and confidential.
Where an employee is suspected to have committed an offence, depending on the law and best practice in the relevant jurisdiction, the investigation team should consider giving a specific caution to the interviewee on incriminating themselves in the interview. Aside from affording the employee procedural fairness, the failure to caution can have an impact on the admissibility of any confessions made in subsequent criminal proceedings against the individual.
In the UK, for example, guidance relating to the Police and Criminal Evidence Act states that, where a person is questioned regarding their involvement or suspected involvement in a criminal offence, then the interview must be carried out under caution and the person must be given sufficient information to enable them to understand the nature of any such offence and why they are suspected of committing it, as well as allow them to effectively exercise their rights of defence.
A related issue that companies may need to confront is an employee who does not want to cooperate with an investigation for fear of incriminating themselves. In the United States, courts have found that employers may terminate employees who refuse to cooperate with an investigation even where the company is cooperating with law enforcement.
Interviewees often ask whether they can engage independent legal representation to attend any interviews with them and whether the company will pay for this. A policy for the investigation should be considered in advance, which may differ between jurisdictions depending on local requirements or practices.
The investigation team should also consider local legal and cultural issues. For instance, it may be necessary or preferable for local lawyers to lead interviews and for interviews to be conducted in the interviewee’s first language. Cultural differences or language barriers may undermine the fact-finding purpose of the interview by making the employee feel uncomfortable or hesitant.
Advice from local lawyers on best practice in each jurisdiction should always be sought prior to conducting interviews. There may be relatively straightforward steps that can be taken to avoid significant collateral issues arising from interviews.
Similarly, the investigation team should understand any common risks regarding methods of undermining investigations or retaliation and seek advice on ways to mitigate these. Engaging a third-party security specialist may be necessary in particularly volatile situations or in unstable locations.
Engagement with one or more regulators may be necessary before conducting interviews depending on the circumstances. A variety of approaches can be taken by regulators or law enforcement, which include:
- requesting that certain employees not be spoken to until the regulator has had the opportunity to interview them;
- requesting that potential wrongdoers not be alerted to the existence of an investigation until the regulator has had the chance to conduct its own further inquiries (which obviously prevents any internal interview with those individuals from taking place); or
- requiring that the interview plan or list of questions for certain employees be provided to the regulator for their review and comment prior to the interview and that the interview notes are disclosed once prepared.
What action should be taken in response to the findings of the investigation?
The two main responses to any internal investigation will be disciplining wrongdoers and strengthening policies, procedures, systems and controls.
Even before the conclusion of the investigation, consideration should be given to whether those suspected of wrongdoing need to be suspended pending the completion of the investigation. This maintains the integrity of the investigation and minimises the risk of further issues for the company. Regulators or law enforcement may have an expectation that such action be taken or that, at the very least, increased supervision is implemented. Rights of suspension and the potential for claims of adverse action or constructive dismissal will vary between jurisdictions, so local employment law should be considered.
Similarly, although the approach to disciplining wrongdoers should ideally be consistent, employment laws and contractual variances between jurisdictions will have an impact. Regulators and law enforcement will generally expect a disciplinary outcome to be proportionate to the findings of wrongdoing. With an increasing focus on promoting an ethical and compliant culture within companies, many regulators actively discourage companies from letting wrongdoers resign quietly. However, jurisdictions with very protective employment laws may make this difficult and companies will need to carefully balance disciplinary outcomes in this respect.
The company should also strengthen any internal policies, procedures, systems or controls as soon as it is clear that they need enhancement. Although there can be a natural hesitance to do so, given that it may be interpreted as an admission that they were inadequate, it is generally better to be proactive. Furthermore, improvements should be made where needed across all relevant locations and not just where the conduct risk event occurred.
In recent years, the US DOJ and other federal regulators have taken steps to provide companies with more specific guidance around how a corporate compliance programme should impact prosecutors’ decisions around whether to prosecute. The Evaluation of Corporate Compliance Programs is an essential tool for all legal, risk and compliance teams to review in helping to benchmark their compliance programmes, particularly with respect to how federal prosecutors view the design, effectiveness, independence and function of compliance programmes. Other United States and foreign regulatory authorities, including the OECD, have also taken steps to offer detailed guidance.
Dealing with regulators and law enforcement
Are any reporting obligations triggered?
Regulatory reporting obligations should be considered once a preliminary investigation has been completed. It may seem attractive to delay consideration until the conclusion of a full investigation, when all the facts are known. However, reporting obligations need to be considered much earlier and potentially revisited throughout the investigation. This is because obligations may be triggered by a mere suspicion and, once triggered, there may be a relatively short window within which reporting is required.
This is not to say that the decision to report a matter should be taken hastily. Particularly where self-reporting a breach of laws or regulations, caution should be exercised in framing the report. The potential for reports to contain damaging admissions and be used in actions against the company should be kept in mind.
There are a number of categories of reporting obligations that tend to arise and require consideration and advice where an internal investigation identifies potentially criminal conduct. These include the following:
- Licensed financial institutions in many jurisdictions will often have broad self-reporting obligations. These may include the need to self-report any material breach of financial services law or regulation by the institution or its employees. The obligation imposed on firms regulated by the UK Financial Conduct Authority is a more extreme example, which requires firms to report any matter of which the regulator would reasonably expect to be informed. More recently in Hong Kong, the SFC has required all licensed corporations to provide it with information about whether any licensed individual who leaves the corporation was under any internal investigation within six months preceding his or her departure.
- Financial market participants may also be required to report any suspicious market activity (for instance transactions that may constitute insider trading or market manipulation) whether this involves an employee, a client or another market participant.
- Anti-money laundering legislation will often impose a reporting obligation triggered by suspicious transactions that may be linked to criminal activity or knowledge or possession of property suspected to be the proceeds or instrument of a crime. Obligations in some jurisdictions apply to a broader class of persons and institutions than banks and other financial institutions but how wide the net is cast will vary by jurisdiction.
- In some jurisdictions, there may even be an obligation to report knowledge of any serious criminal act.
- Listed companies may have market disclosure obligations in certain circumstances depending on the impact the wrongdoing has on the business. For instance, companies listed on a US exchange will be required to disclose material adverse developments. A finding that serious wrongdoing has occurred that renders the company’s publicly reported results materially inaccurate would be required to be disclosed.
Companies will need to consider carefully where they may have reporting obligations. This will not necessarily be limited to those jurisdictions in which the relevant conduct took place. For instance, any obligations to regulators in the company’s home jurisdiction should be considered as well as any jurisdictions where the business may be impacted by the relevant conduct.
An example of a very broad reporting obligation that may be unexpectedly triggered is found in Singaporean legislation. The act imposes an obligation to file a suspicious transaction report where any person or corporate located in Singapore, as a result of business activities, has knowledge or a suspicion that any property may be connected to criminal activity. Neither the property nor the crime is required to have any connection with Singapore.
Even where there is no strict reporting obligation, companies should consider the possibility of voluntary self-reporting where appropriate. For instance, where there is a reporting obligation in one relevant jurisdiction but not another, it may be prudent to voluntarily self-report in relevant jurisdictions concurrently with satisfying mandatory reporting obligations in others. Indeed, a company self-reporting to a regulator in one jurisdiction should anticipate that the report will become known to regulators in other jurisdictions. Early voluntary self-reporting may also be indicative of active cooperation. Whether voluntary self-reporting is advisable will very much depend on the facts and the regulatory climate of each jurisdiction.
For listed companies, consideration will also need to be given as to whether and when any disclosure needs to be made to the market under periodic or continuous disclosure obligations. In addition, listed entities need to be cognisant of shareholder class action risks in respect of any disclosure decisions, including where disclosure is considered but ultimately not made. The most active jurisdictions for shareholder class action claims are the US and Australia, and such claims are a nascent area in the UK. There are significant differences between the disclosure framework and statutory class action regimes in the US, Australia and the UK, and there are nuances in how the class action risks emerge and crystallise in those jurisdictions (which are beyond the scope of this article).
In circumstances where an event is assessed but is determined not to be reportable, companies should consider documenting this decision-making process in case it is ever called into question by a regulator or class action litigant.
How do secrecy obligations impact interactions with multiple regulators?
In many jurisdictions, the involvement of any regulator will be accompanied by secrecy obligations. Such secrecy obligations will restrict the extent to which the company can disclose the existence and details of regulatory inquiries or investigations. In the context of multi-jurisdictional investigations, they also restrict the extent to which the company can share the fact of involvement of one regulator with other regulators. This has the potential to place companies in a difficult situation if they are asked by a regulator which other regulators are aware of or have made enquiries about the relevant conduct. It will normally be possible to get relevant regulators’ approval for disclosure of an investigation to other regulators, but the discussions seeking this consent should be undertaken with great care.
What does cooperation look like?
Regulators will often have a formal policy that incentivises cooperation by making more favourable outcomes and reduced penalties available. As a general rule, cooperation does not mean simply complying with lawful requests from a regulator or law enforcement. Although guidance will vary between jurisdictions and between regulatory and law enforcement bodies, there are some common threads, which include the following:
- self-reporting the occurrence of misconduct at the earliest opportunity;
- taking the initiative to undertake a credible investigation to examine the nature, extent, origins and consequences of the misconduct;
- opening a frank dialogue with the regulator or law enforcement and providing regular and meaningful updates on the progress of the investigation;
- involving regulators or law enforcement in devising the terms of reference for a review by independent experts and in subsequent stages;
- taking appropriate remedial measures in respect of personnel involved in or bearing responsibility for the matter, including dismissal or other disciplinary actions;
- instituting necessary improvements or modifications of the firm’s processes, internal controls or management structure;
- appropriately identifying and assessing compensation for those adversely affected by the misconduct (eg, customers, counterparties or other third parties) and promptly paying redress;
- making available to regulators or law enforcement the complete results of (1) the investigation into the misconduct; and (2) any review work into deficiencies in the company’s processes, internal controls or management structure, including improvements made;
- voluntarily providing significant relevant material or information to the regulator or law enforcement not directly requested and of which they might otherwise not have been aware;
- waiving legal professional privilege or surmounting any data privacy concerns that attach to any of the disclosures referred to above;
- involving senior management of the company in liaison with regulators and in overseeing the implementation of remedial measures or the payment of compensation;
- quickly agreeing to the facts with the regulators or law enforcement and actively seeking to agree a basis on which appropriate enforcement action against the company could be concluded; and
- providing intelligence useful to regulators and law enforcement that contributes to successful enforcement action against other companies or individuals involved in any misconduct.
An overarching strategy should be developed when a company is looking to cooperate with multiple regulators across different jurisdictions. Cooperation will be viewed favourably in settlement discussions with all regulators. However, the formal framework for recognition of cooperation and each regulator’s history of rewarding cooperation should be taken into consideration when considering how best to approach the issue of cooperation. The incentives to cooperate and the benefit available to the company must be balanced against the need to preserve privilege and defences. Where multiple government agencies are involved, there may be varying degrees of certainty around the benefits of cooperation that need to be considered in devising the overall strategy. The different offences and available defences that a company may face in different jurisdictions also need to be accounted for. Taking into account these complexities, the overarching strategy should strive, where possible, to take a consistent approach to cooperation.
In the United States, as noted above, Deputy Attorney General Lisa Monaco announced a policy change requiring companies to disclose all responsible individuals connected with misconduct to the Department of Justice in order to be eligible for cooperation credit. Following more recent practice at the Department of Justice to avoid a proliferation of memoranda announcing major policy changes, this shift (announced in a speech) was then incorporated into the Department’s Justice Manual. The Department’s current position constitutes a return to the policy of the Obama administration, announced by former Deputy Attorney General Sally Yates in the ‘Yates Memorandum’. The requirement of providing information about all responsible individuals will no doubt require enhanced cooperation and investigations broader in scope. It also represents an abandonment of a softer approach that the Trump Administration had followed and that was announced in 2018 by Deputy Attorney General Rod Rosenstein. A second critical policy shift announced by Deputy Attorney General Monaco is that in making charging decisions prosecutors will now consider all prior misconduct, including in other countries, even conduct unrelated to the matter before the Department of Justice, and even for companies who have never been subject to Department of Justice investigation. This shift may also have a marked effect on the calculus of cooperation and planning the strategy of an investigation, due in no small part to questions around the expansive meaning of ‘prior misconduct’.
What are the challenges of settling with multiple government agencies?
When companies are dealing with a single regulator, there is an opportunity to influence the enforcement narrative. This process can facilitate a resolution of the matter by settlement, where the company and the regulator find common ground on what the important facts and issues are. While this is still possible with multiple regulators, it can be more difficult. Regulators will have different enforcement or regulatory cultures, as well as varying focus areas and agendas, which complicates the process and may make settlement more difficult.
Companies may also be unable to settle with all regulators concurrently. Obviously, global comfort is ideal, but this is not always possible. There is increasing coordination and cooperation among regulators but there will always be at least some complication in settlement discussions. At its worst, companies face the risk of regulatory competition: regulatory institutions or individuals wanting to make a name for themselves by breaking from the pack. This risks disrupting a global settlement. Differences in settlement frameworks and the tools available to individual regulators may also pose challenges for coordination.
To address concerns about ‘piling on’ and receiving multiple, overlapping fines from various civil, criminal and regulatory authorities – including overseas authorities – the US Department of Justice has instructed federal prosecutors to avoid seeking excessive or duplicative fines while nevertheless recognising the importance of coordinating parallel proceedings. While this is to be done ‘with the goal of achieving an equitable result’, the Justice Manual pointedly notes that this level of solicitude should be predicated on the consideration of several factors including, among others, the egregiousness of a company’s misconduct and ‘the adequacy and timeliness of a company’s disclosures and its cooperation with the Department’.
There are a number of general observations that can be made in conclusion.
First, the legal and regulatory regimes between jurisdictions will often be inconsistent. They will clash and a perfect solution for the company’s next steps will not be available. The approach adopted may need to be a compromise, attempting to walk a fine line of compliance with the two (or more) competing regimes or regulators.
Second, handling information and managing the flow of that information is important. The flow of information to different entities and across borders can have consequences under the various laws relating to data privacy, state or regulatory secrecy obligations, reporting obligations and legal privilege.
Third, an understanding of local law, business and culture is important in every jurisdiction. Investigation teams should be ready to tailor the approach taken to account for differences where this is necessary and appropriate.
Fourth, it is useful to regularly reflect on the investigation and consider the overall approach and priorities afresh. Does the scope still make sense? Is the investigation plan achieving what it sought to? Is regulatory engagement where it should be? Is anything being missed?
Last, coordination is critical. The geographic dispersion and multitude of internal and external stakeholders can make the conduct of multi-jurisdictional investigations particularly challenging.
* The authors wish to thank Herbert Smith Freehills associates Frederick Good, Cynthianna Yau, Christopher Hicks, Alison Cranney and Madison Ives for their contributions to this chapter.
 See, eg, Wultz v Bank of China, 2015 WL 362667 (S.D.N.Y.) (granting motion to compel disclosure of internal investigation documents that were not prepared at the direction of counsel).
 Speech by Jamie Symington, Director in Enforcement, FCA, delivered at the Pinsent Masons Regulatory Conference, 5 November 2015, available at: https://www.fca.org.uk/news/speeches/internal-investigations-firms.
 United States Department of Justice, Criminal Division, Evaluation of Corporate Compliance Programs, p. 16. Available at: https://www.justice.gov/criminal-fraud/page/file/937501/download.
 United States Department of Justice, Justice Manual §9-28.700 – The Value of Cooperation, §9-28.300 – Factors to Be Considered, available at: https://www.justice.gov/jm/jm-9-28000-principles-federal-prosecution-business-organizations.
 See, eg, In re Kellogg Brown & Root, Inc., 2014 WL 2895939, at *3 (D.C. Cir.) (holding that ‘a lawyer’s status as in-house counsel does not dilute the privilege’).
 See case C-550/07P, Akzo Nobel Chems. Ltd & Ackros Chems. Ltd v Comm’n, 2010 E.C.R. I-08301.
 United States Department of Justice, Justice Manual §9-28.710 – Attorney-client and Work Product Protections, available at: https://www.justice.gov/jm/jm-9-28000-principles-federal-prosecution-business-organizations.
 See generally Andrew Eastwood, Providing Your Legal Advice to the Regulator, 41 Austl. Bus. L. Rev. 66 (2013). In the United States, industry-specific efforts to address such concerns have resulted in actual legislation, but such efforts are not universal or comprehensive. See, eg, 12 U.S.C. § 1828(x), establishing rule that the disclosure of information to federal or foreign banking regulators ‘shall not be construed as waiving, destroying, or otherwise affecting any privilege such person may claim . . . as to any person or entity’.
 See Leslie R Caldwell, Assistant Attorney Gen., Dep’t of Justice, Remarks at New York University Law School’s Program on Corporate Compliance and Enforcement (17 April 2015) (transcript available at www.justice.gov/opa/speech/assistant-attorney-general-leslie-r-caldwell-delivers-remarks-new-york-university-law).
 See Lisa Monaco, Keynote at ABA’s 36th National Institute on White Collar Crime (28 October 2021) available at: https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-gives-keynote-address-abas-36th-national-institute.
 See eg, News, UK Financial Conduct Authority, ‘FCA fines five banks £1.1 billion for FX failings and announced industry-wide remediation programme’ (12 November 2014), www.fca.org.uk/news/fca-fines-five-banks-for-fx-failings (last visited 27 July 2015).
 See Baoshou Guojia Mimi Fa (Law on Guarding State Secrets) (promulgated by the Standing Committee of the National People’s Congress, 29 April 2010, effective 1 October 2010) section 9 LawInfoChina (last visited 27 July 2015) (PRC).
 https://www.sfo.gov.uk/2018/04/10/ai-powered-robo-lawyer-helps-step-up-the-sfos-fight-against-economic-crime/ – similarly, in an enforcement outcomes report issued in December 2015, the Australian Securities and Investments Commission (ASIC) stated that it is ‘increasingly adopting smarter strategies that use tools such as predictive coding, machine learning and computer algorithms’ in its investigations (see paragraph 29).
 The phrase is derived from the decision in Upjohn Co. v United States, 449 US 383 (1981).
 PACE Code of Practice – Code C, Section 11.1A.
 See, eg, Gilman v Marsh & McLennan Cos., 286 F.3d 69 (2d Cir. 2016) (finding that an employer subject to a criminal investigation had a right to terminate an employee who refused to participate in internal investigation where the existence of an investigation and prosecution of alleged co-conspirators provided a reasonable basis for requesting employee’s cooperation).
 United States Department of Justice, Criminal Division, Evaluation of Corporate Compliance Programs, p. 16. Available at: https://www.justice.gov/criminal-fraud/page/file/937501/download.
 See, eg, United States Department of Justice and Securities Exchange Commission, A Resource Guide to the U.S. Foreign Corrupt Practices Act, available at https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2015/01/16/guide.pdf; United States Department of Justice Antitrust Division, Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations, available at https://www.justice.gov/atr/page/file/1182001/download; OECD, Anti-Corruption Ethics and Compliance Handbook for Business, available at https://www.oecd.org/corruption/Anti-CorruptionEthicsComplianceHandbook.pdf. See also in the UK context https://www.sfo.gov.uk/publications/guidance-policy-and-protocols/guidance-for-corporates/evaluating-a-compliance-programme/.
 See UK Financial Conduct Authority, Financial Conduct Authority Handbook, Section 2.1, Principle 11 (Sweet & Maxwell), available at https://www.handbook.fca.org.uk/handbook/PRIN/2/1.html; https://www.sfc.hk/en/faqs/intermediaries/licensing/Disclosure-of-investigations-commenced-by-licensed-corporations#1F6247880B044C7D99E3B87E427121B5.
 See, eg, UK Financial Conduct Authority, Financial Conduct Authority Handbook, SUP Section 15.10, (Sweet & Maxwell), available at https://www.handbook.fca.org.uk/handbook/SUP/15/10.html; Hong Kong Securities & Futures Commission, Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission, section 12.5(f), available at https://www.sfc.hk/-/media/EN/assets/components/codes/files-current/web/codes/code-of-conduct-for-persons-licensed-by-or-registered-with-the-securities-and-futures-commission/Code_of_conduct-Dec-2020_Eng.pdf; Australian Securities & Investment Commission, Market Integrity Rules (Securities Markets) 2017, section 5.11, available at https://www.legislation.gov.au/Details/F2022C00607/Html/Text#_Toc106176610; 31 C.F.R. section 1023.320 (2015) (reporting duties for brokers and dealers).
 See, eg, Drug Trafficking (Recovery of Proceeds) Ordinance and Organized and Serious Crime Ordinance, (2002) Cap. 455, 29, section 25A, available at Cap. 405 Drug Trafficking (Recovery of Proceeds) Ordinance (elegislation.gov.hk); Proceeds of Crime Act, 2002, c. 29, 327–340, pt. 7, available at www.legislation.gov.uk/ukpga/2002/29/pdfs/ukpga_20020029_en.pdf (Eng.); Anti-Money Laundering and Counter-Terrorism Financing Act, 2006, 99, section 41, available at https://www.comlaw.gov.au/Details/C2015C00064/57449150-da9a-40b4-95b5-01c22781e2d0 (Australia); 12 C.F.R. section 21.11 (2015).
 For instance, section 316 of the Crimes Act 1900 (NSW) makes it a crime where a person knows or believes an indictable offence has been committed and has information that might be of material assistance in securing the apprehension of the offender or the prosecution or conviction of the offender to fail to report that matter to the police.
 See, eg, Hong Kong Securities & Futures Commission, Circular to Intermediaries Regarding Compliance with Notification Requirements (11 May 2015), available at www.sfc.hk/edistributionWeb/gateway/EN/circular/openFile?refNo=15EC27; ASIC regulatory Guide 176 – Foreign Financial Services Providers (March 2020) at 19(d)(iii) and 21-25, available at https://asic.gov.au/regulatory-resources/find-a-document/regulatory-guides/rg-176-foreign-financial-services-providers/; UK Financial Conduct Authority, Final Notice to Goldman Sachs International (9 September 2010), available at https://www.fca.org.uk/publication/final-notices/goldman_sachs_int.pdf.
 See Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act, (2014) Cap. 65A, 60-61, section 39(1), available at Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act 1992 - Singapore Statutes Online (agc.gov.sg).
 In the United States, the Department of Justice made permanent what had been a pilot programme directed at rewarding companies with a declination of prosecution when companies are able to meet three conditions relating to a potential violation of the Foreign Corrupt Practices Act: voluntarily disclose misconduct; fully cooperate with the government’s investigation; and remediate alleged misconduct through establishment of a robust compliance programme and remediation of any ill-gotten gains: United States Department of Justice, Justice Manual -- §9-47.120 -- FCPA Corporate Enforcement Policy, available at https://www.justice.gov/jm/jm-9-47000-foreign-corrupt-practices-act-1977.
 For example, in Hong Kong, both the Prevention of Bribery Ordinance and the Securities and Futures Ordinance prohibit the unauthorised disclosure of enquiries and investigations carried out under the Ordinances. For example, section 30 of the Prevention of Bribery Ordinance makes it an offence for any person who knows or suspects that an investigation under the Ordinance is taking place to disclose any details of the investigation without lawful authority or reasonable excuse, while section 378 of the Securities and Futures Ordinance requires any ‘specified person’ (which includes any person assisting the Securities and Futures Commission with their requests and investigations) to preserve secrecy with regard to any matter coming to his or her knowledge by virtue of his or her involvement in such requests or investigations.
 United States Department of Justice, Justice Manual §9-28.700 – The Value of Cooperation, §9-28.300 – Factors to Be Considered, available at: https://www.justice.gov/jm/jm-9-28000-principles-federal-prosecution-business-organizations.
 See Sally Quinlan Yates, Department of Justice, Office of the Deputy Attorney General, Individual Accountability for Corporate Wrongdoing (9 September 2015), available at https://www.justice.gov/archives/dag/file/769036/download.
 See Rod J Rosenstein, Remarks at the American Conference Institute’s 35th International Conference on the Foreign Corrupt Practices Act (29 November 2018), available at https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-delivers-remarks-american-conference-institute-0.
 Monaco, Keynote at ABA’s 36th National Institute on White Collar Crime (28 October 2021) available at: https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-gives-keynote-address-abas-36th-national-institute.
 See, eg, Liz Rappaport, Max Colchester & Damian Paletta, Regulators Seek Unity in UK Bank Talks, Wall Street Journal (9 August 2012), available at www.wsj.com/articles/SB10000872396390443404004577579271758685942.
 United States Department of Justice, Justice Manual §1-12.100 – Coordination of Corporate Resolution Penalties in Parallel and/or Joint Investigations and Proceedings Arising From the Same Misconduct, available at https://www.justice.gov/jm/jm-1-12000-coordination-parallel-criminal-civil-regulatory-and-administrative-proceedings.
 United States Department of Justice, Justice Manual §1-12.100.