Switzerland: internal investigations: Swiss law aspects
The awareness of Swiss corporates of the instrument of internal investigations has increased over the past few years. This is particularly true for the Swiss-domiciled banks in that in summer 2013 the US Department of Justice (DoJ) imposed the unilateral DoJ Programme (the Programme, www.justice.gov/opa/pr/2013/August/13-tax-975.html) on basically all 300+ Swiss-domiciled banks based on the joint statement entered into with the Swiss Federal Department of Finance (www.news.admin.ch/NSBSubscriber/message/attachments/31815.pdf). The DoJ’s focus in the frame of the Programme is to investigate, prosecute and penalise US taxpayers who aimed at evading US tax obligations by (ab)using Swiss bank accounts.
All Swiss banks were ‘encouraged’ by both the DoJ and by the Swiss Financial Market Supervisory Authority (FINMA, www.finma.ch/e/pages/default.aspx) to participate in the Programme. The banks that decided to do so had to conduct substantial internal investigations to establish whether they serviced US clients in the past years and to decide in what category of the Programme they were to be included. This process is ongoing. Moreover, it may be only a question of time before other institutions as well as the Swiss banks (eg, insurance companies) are put under scrutiny by the DoJ. Also, FINMA has published its amended enforcement policy on 25 September 2014 according to which it intends to increase its enforcement activities against entities and, in particular, their representatives failing in the observance of regulations (www.finma.ch/e/sanktionen/enforcement/pages/strategie.aspx). Hence, it seems likely that (voluntary and regulator-imposed) internal investigations will continue to play a major role in Switzerland in the forthcoming years.
Triggers for internal investigations
Although a relatively new measure for the assessment of internal misconduct in Swiss corporations, the industry, in particular the financial industry, has become acquainted with the instrument of internal investigations over the past couple of years. For example, in 2013 and 2014, more than 100 of the total of approximately 300 Swiss-domiciled banks have gained experience with internal investigations under the DoJ Programme imposed on them by US authorities (see above).
An internal investigation should be initiated in case of a suspicion of criminal activities affecting or in connection with an entity’s business. According to recent studies by KPMG, at least 50 per cent of the major enterprises became victims of financial crimes in the past two years. In Switzerland and in Germany, 40 per cent of the criminals were employees of the enterprise, in one-third of the cases they acted as members of the management of the affected enterprise. However, according to a study done by PwC, only 27 per cent of the enterprises state that they are satisfied with the job done by law enforcement agencies of the state. If criminal activities have an enterprise-internal impact only, the affected company often does not prosecute the criminals. If the criminals are outside the company that suffers the damage, the company often does not involve public authorities as it may feel threatened by risks to its reputation.
Furthermore, an internal investigation may be imposed on a company by a Swiss regulator, in particular FINMA or the Federal Competition Commission, to establish control mechanisms. The regulator will in such cases usually impose an internal investigation in accordance with specific rules set forth by the regulator. In this event, the regulator would typically instruct an independent third party (normally a law or audit firm) to conduct the investigation and to prepare a report to be disclosed to the regulator. Notably, the costs of such internal investigation (which can be considerable) have to be borne by the investigated entity itself (therefore it may make sense to obtain respective insurance coverage to the extent available).
Conduct of an internal investigation
If an internal investigation is about to be launched, a variety of questions must be addressed in order to make the investigation as efficient as possible. The success and efficiency of an internal investigation to a large extent depends on the decisions taken at the very beginning of the investigation. The first decision to be taken is who shall be tasked with the investigation. Naturally, the initial questions to be resolved differ if an investigation is not made on a voluntary basis but imposed on the entity by a regulator. The topics discussed below may arise when conducting a voluntary investigation, while in the case of an investigation imposed by the regulator, the latter will dictate the details of the conduct.
Structuring, risk assessment, reporting and work product
Structure and mandate
The project structure needs to be determined at the very beginning of an internal investigation. From the outset, a project board should be established consisting of both internal and external personnel with adequate knowledge and expertise. The structure should be determined in writing and a project management suitably composed of experienced individuals should closely manage the project. The project board may supervise project management to monitor the conduct of the internal investigation. A key for the success of a voluntary internal investigation is that at the top of the line, a steering committee composed of persons with the necessary influence in the company is supporting the project. A project office may provide administrative support both to the project board and to the project management.
Before launching an internal investigation, the project team should be given a clear and unambiguous mandate and task. The mandate should be based on an initial analysis of the issue. The company must have previously determined who is competent to draft the mandate.
In connection with the scope of the mandate, the risks of the investigation need to be assessed, in particular in view of US-law style pretrial discovery, which may extend to the results of such an internal investigation. The mandate should fix the topic and the goal of the investigation. Furthermore, resources (personnel and IT) and a budget need to be allocated. Finally, the mandate should also clearly state what the incident triggering the project was.
Also at the beginning of the project, clear reporting lines need to be established and a comprehensive reporting system should be implemented. As a rule, reporting should be done periodically and the entity under investigation is well advised to fix in writing who reports what to whom at what point and in what format. Periodic reporting is advantageous (eg, in case of ad hoc publicity obligations of the investigated entity). Also to be fixed in writing is who should be informed internally, by whom and when. Furthermore, the company must determine at what point in time and in what form the board of directors will be informed and any external information (media concept), including the competences therefore. Communication is a necessary part of the immediate measures to be taken after the trigger incident for an internal investigation.
Finally, at the very beginning of the investigation it should be determined what the work product of the investigation shall be. In the cases we have assisted in over the past years this usually was a written report about the facts established and included proposals to improve, for example, control mechanisms and compliance in general. The company should determine to whom such report will be addressed and who should draft such a report (eg, a law firm due to legal privilege). In view of, for example, pretrial discovery affecting the company, the management board or the board of directors of a company may determine that the report should only be given verbally in a board of directors meeting and should not be fixed in writing. The mandate (see above) should also determine the contents and the scope of the report and whether the report should also include legal assessments.
Confidential or disclosed investigation?
In addition to the above, a decision must be made at the outset of a forthcoming internal investigation about whether such investigation is disclosed to the employees or whether it may be conducted on a confidential basis. In Switzerland, it is not necessary to obtain approval from employee representatives or similar to conduct an internal investigation. Also, it is not necessary to inform employees into whom an investigation will be conducted. Confidentiality may be a key aspect if an internal investigation is made for due diligence purposes following a merger or if the misconduct of certain employees is at stake. In our experience, there is no general rule about what sort of investigation is best. Rather, the question of a confidential versus a disclosed internal investigation has to be assessed on a case-by-case basis.
Conduct in-house or by external counsel?
As in various other jurisdictions, internal investigations in Switzerland are either conducted by external (independent) or internal investigators, the latter being employees of the investigated company. In our experience, the advantages of having the investigation conducted by external investigators (with substantial support from the investigated company’s internal staff) are the absence of conflicts of interest, expertise in the field of internal investigations, the possibility of ancillary services by related service providers (forensic information technology services, redaction teams, etc), and possible advantages for third parties (such as the DoJ) to render an ‘independence stamp’ and possibly add some credibility to the conduct and the results of the investigation.
Legal restrictions of certain investigation tools
Internal investigations in Switzerland must take into consideration Swiss secrecy and data protection regulation. The respective provisions are set forth in a variety of laws and regulations. They do not only apply to individuals but also to legal entities. Furthermore, the investigator must ascertain that the data established in the frame of a specific investigation can be used as evidence in court proceedings if necessary, and must avoid any breach of the prohibitions set forth in the Swiss Penal Code (PC) to gather evidence in Switzerland in con-nection with foreign proceedings (article 271 PC), unless previously authorised by the Swiss Finance Department.
The company may review its own files and may interview employees if the employee consents (see below). In cases of severe misconduct it can prove advantageous to mandate external experts familiar with interview techniques and tactics. For a review of e-mail correspondence, the rules applicable to electronic discovery (see below) must be observed. Such rules also apply for a review of, for example, letters addressed to an employee in the files of the company. Further measures include video observation, GPS data analysis or observations by private detectives. It must be noted that all such measures are only permitted as long as the personal rights and the health of the employee are not infringed. For further measures such as telephone supervision it may become necessary to involve the state prosecutors as the company is prohibited from using such far-reaching and delicate measures. The company should be careful not to unnecessarily escalate the data retrieving as, for example, the use of espionage software may render other instruments (such as a termination of the employee) void.
As in other jurisdictions, a key part of any internal investigation in Switzerland is the electronic discovery of data. Electronic discoveries are mainly governed by guidelines issued by the Federal Data Protection and Information Commissioner (FDPIC, www.edoeb.admin.ch/index.html?lang=en) about internet and e-mail supervision of employees (latest version September 2013). In prudentially supervised companies such as banks and insurers, legal obligations may serve as a justification for the supervision of secondary data in e-mails such as recipients or time of sending.
If the company has implemented an internal regulation about supervision of e-mail traffic (which we strongly recommend), such internal regulation may justify the retrieving of information from e-mails – in particular if the employee has consented to such internal regulation beforehand, for example, as part of his or her employment agreement. However, the company in each case has to thoroughly observe the principle of proportionality in actions taken against employees. Unless there is a strong suspicion of employee misconduct, the company must not supervise the entire behaviour of the employee(s) in question (eg, by installing a video camera supervising the employee all day long). In case the company has a clear and present suspicion of abuse, it may review e-mails specifically concerning a certain employee. However, this does not include e-mails labelled as private or archived in an electronic folder. However, if e-mails are unlabelled or labelled other than ‘private’, the company may assume that they are business-related and may review them.
Survey and interviewing of employees
As a rule, in Switzerland internal investigations do not require the approval of employee representatives or workers councils. As mentioned above, it is also not necessary to inform employees about pending investigations, in particular if the company’s interests in keeping the investigation confidential outweigh the employees’ interests. In our experience, however, it is in many cases advisable to inform employees beforehand; they often learn about the investigation themselves anyway and usually consent to it, for example, by granting access to e-mails and documents.
Under Swiss employment law, employees must participate in interviews, unless the employee would incriminate himself or herself or his or her close relatives when answering specific questions. By an employee’s participation in an interview, the company may as a rule assume that the employee also implicitly consents to the investigation. It is unclear under Swiss law whether or not the employee has the right to request attendance of his or her own attorney; the company typically does not need to provide an attorney for the employee at the company’s cost. Also disputed under Swiss law is the question of whether or not the employer must inform the employee about the suspicion prior to having the interview. Pursuant to the Swiss Code of Obligations, the employer may only retrieve data about a specific employee to the extent such data retrieval is required for the proper performance of the employment or to determine the suitability of the employee. The interpretation of this rule is highly disputed in Switzerland.
Secrecy obligations provided by various Swiss laws and regulations can have an impact or may hinder internal investigations in Switzerland. Strong secrecy obligations apply to banks, securities traders and certain companies involved in collective investment schemes. Moreover, there are also general secrecy provisions regarding business secrets, economic espionage and, finally, contractual obligations that may oblige a company to secrecy.
Use of findings
The use of the findings of an investigation in the frame of court or other official proceedings depends on the type of a given proceeding. As a general rule, the ‘fruit of the poisonous tree’ doctrine is not applicable under Swiss law. In criminal investigations, a court will usually ask whether the evidence could have been obtained legally by the state authorities and whether a balancing of interest (severity of the crime or infringement of personality by the obtaining of the evidence) weighs in favour of using the evidence (which is typically the case). In case of civil proceedings, evidence obtained by legal means will only be taken into consideration if the interest in finding the truth is clearly prevailing. In case of administrative proceedings, the rules for criminal proceedings are usually applied.
Data transfer abroad
To the extent gathered data are transferred abroad, the rules prohibiting economic espionage as per article 273 PC need to be complied with. Documents affecting third parties may only be transmitted in redacted form; documents may be transmitted in unredacted form if the third party has agreed to the disclosure of its details and if no state interests are involved.
The Federal Data Protection Act furthermore prohibits any transfer if there is, in the country of the recipient, no data protection regime comparable to the Swiss regime. As the Swiss data protection extends to legal entities the same way it does to natural persons, this is often not the case. For example, the US data protection regulation is deemed insufficient from a Swiss data protection law point of view. However, a transfer may be permitted if it is necessary to enforce claims in court. Furthermore, there is a group privilege (subject to prior notification of the FDPIC) to transfer data within a group of companies. If a cross-border transfer is a problem, the storage and analysis of the data is typically done in Switzerland and the results are only transmitted abroad in an anonymous manner. As a consequence, the servers used in the investigation should be located on Swiss territory.
In case of foreign proceedings, article 271 PC needs to be observed. Acts undertaken in Switzerland for and on behalf of a foreign state that (according to Swiss understanding) are typically done by a public authority are prohibited unless expressly authorised by the federal government. It must be noted in that regard that the collection of evidence, even in civil law court proceedings, is considered as being an activity done by state officials under Swiss law (as Switzerland has no concept such as the US pretrial discoveries). If this becomes an issue, Swiss companies sometimes conduct the interviews with their employees abroad, just across the border of Switzerland. Notably, even consent by the involved persons does not prevent the actions taken in Switzerland from being illegal. Even acts prior to the initiation of court proceedings may sometimes be considered illegal. As a rule, a party in foreign court proceedings may voluntarily submit its own documents to support its position in the foreign proceedings. However, it may not file documents compelled by a court order (similar rules apply to third parties being called as witnesses). A third party may only respond to general enquiries. The foreign court needs to obtain the evidence through judicial assistance proceedings. Therefore, whether an internal investigation infringes article 271 PC may depend on the background of the investigation, for example, on whether a foreign regulator has initiated the investigation.
Early preparation highly recommendable
Due to the issues summarised above, a Swiss-domiciled entity is well advised to prepare early for an eventual internal investigation. In summary, we strongly recommend the following steps to be taken:
- Allocation of competence: The company should establish whether the compliance, legal or risk departments are competent to analyse trigger incidents and to determine who should lead an investigation.
- Allocation mechanism for investigation budget: Furthermore, the company needs a mechanism to allocate a budget quickly to the investigation team (costs of internal investigations can be very considerable, in particular, if lawyers abroad have to be involved).
- Training of employees: Ideally a company builds up certain competences (including training) in the relevant departments (which are typically compliance, legal or internal audit).
As part of this training, standard proceedings and standard documents such as interview forms etc can be prepared. Larger companies may consider obtaining forensic software and reviewing their document management systems on their suitability for investigations.
- Employment contracts and regulations may be reviewed and adapted to permit the company to send employees on garden leave and to review their e-mails. The entity’s e-mail policy will ideally state that the e-mail may not be used for private purposes.
- Furthermore, the company should issue a regulation on e-mail supervision. Among the further documents that can be prepared are regulations concerning document retention and application for Sunday and night work for the project’s team.
- The company may also consider establishing a whistle-blowing policy, which should establish a clear reaction mechanism and prevent disadvantages to the whistle-blower.