Swiss Law Aspects of Internal Investigations
Internal investigations have become an increasingly important and integral part of prudent corporate governance in Switzerland. This article provides a brief overview of the key considerations that will allow a Swiss-domiciled company to conduct an effective internal investigation. The topics addressed in this article include typical triggers of an internal investigation, specific questions that must be addressed by the company if an investigation is about to be launched, the impact of secrecy obligations on data collection in Switzerland, the use of specific findings with regard to pending or anticipated court or other official proceedings and questions on cross-border data transfer from Switzerland. We conclude this article by highlighting certain practical recommendations for Swiss companies to prepare for potential future internal investigations.
- Set-up of an internal investigations (governance, scope and work product)
- Conduct of an internal investigation (data collection and review process, e-discovery and employment aspects)
- Particular aspects to be considered with regard to cross-border aspects of investigations (data protection, secrecy obligations and blocking statutes)
Referenced in this article
- Swiss Financial Markets Supervisory Authority
- Penal Code of 21 December 1937 (Status as of 3 March 2020), SR 311.0
- Federal Data Protection Act of 19 June 1992 (Status as of 1 March 2019) SR 235.1
- Federal Data Protection and Information Commissioner
- Code of Obligations of 30 March 1922 (Status as of 1 January 2020), SR 220
Over the past decade, internal investigations have become an increasingly important and integral part of prudent corporate governance in Switzerland. While this is particularly true for regulated financial institutions, catalysed especially by investigations by the US Department of Justice, internal investigations have also become market practice good governance tools for non-regulated entities.
In the wake of tightened national and foreign anti-bribery and corruption laws, law enforcement with draconian penalties (and disgorgements of profits) against corporations and convictions of individuals, internal investigations are regularly initiated in connection with bribery, fraud and other compliance matters.
Triggers for internal investigations
An internal investigation should be initiated in the event of (plausible and sufficient) indication of criminal activities affecting, or in connection with, an entity’s business. According to recent studies by PwC (2020), 47 per cent of the respondent companies on a global level experienced fraud in the past 24 months, and on average six frauds were reported per company.
In Switzerland (based on a 2018 PwC study), 39 per cent of the respondents (listed and non-listed enterprises) experienced fraud within the past 24 months, with more than 12 per cent stating they did not know whether their organisation had been a victim of fraud in this period.
If criminal activities primarily affect the enterprise internally (eg, in the case of internal fraud, mobbing or sexual harassment allegations), the company is often not interested in initiating a public prosecution. Even if the criminals are outside the company that suffers the damage, the company often does not involve public authorities as it may feel threatened by risks to its reputation.
Companies must also consider initiating an internal investigation in the event of (alleged) material non-compliance with internal or external rules and policies. For regulated financial institutions, the threshold for initiating an internal investigation is generally lower than for non-regulated entities. The Swiss Financial Markets Supervisory Authority (FINMA) generally expects financial institutions to investigate significant incidents in appropriate detail and to assess the robustness of internal processes and policies.
FINMA may also formally request a financial institution to conduct an internal investigation and produce a report to FINMA as part of its ongoing supervision to ensure that the institution meets its licensing requirements at all times. FINMA may also directly mandate an investigation. In this event, it would typically instruct an independent third party (normally a law firm or an audit firm) to conduct the investigation and to prepare a report to the regulator. The costs of such internal investigation (which can be considerable) must generally be borne by the investigated entity.
Internal investigations may also be triggered by investigations or enquiries of other government or regulatory authorities (such as tax or competition authorities) to determine the risks for and the defence strategy of the company investigated.
Finally, internal investigations can be a useful tool in a post-M&A situation, in particular to assess potential warranty claims.
Set-up of an internal investigation
If an internal investigation is about to be launched, a company must address various questions to make the investigation as efficient and legally robust as possible. The success and robustness of an internal investigation largely depend on the decisions taken at the very beginning of the investigation.
Naturally, the initial questions to be resolved differ if an investigation is not conducted on a voluntary basis but is imposed by a regulator. The topics discussed here focus on conducting a voluntary investigation. If an investigation is imposed by a regulator, the latter will, to a large extent, dictate the details of the conduct.
The project governance structure must be determined at the very beginning of an internal investigation. It is key for the success of a voluntary internal investigation that, at the top, a steering committee composed of persons with the necessary influence in the company supports and supervises the project. The steering committee should establish and supervise the project management team comprising both internal and, depending on the individual circumstances, external personnel with adequate knowledge, expertise and independence who closely manage the project on a day-to-day basis. A project office may provide administrative support both to the steering committee and to the project management.
The governance structure must also be carefully formalised to provide best protection for Swiss and foreign legal and work product privilege.
Mandate and scope
Before launching an internal investigation, the project management must be given a clear and unambiguous mandate and task. The mandate should be based on an initial analysis of the issue. The board of directors of the company, as the ultimate supervisory body, is often best-placed to determine the mandate, except in case of matters with low substantive risks, small scope and those that do not involve top management.
The mandate should formalise the topic and the goal of the investigation. Accordingly, at the outset of the investigation, the company should prepare a formal document (eg, a resolution of the board of directors, an engagement letter or a memorandum) authorising the investigation and outlining its specific scope. Furthermore, resources (personnel and IT) and a budget must be allocated, and the mandate should also state what the incident triggering the investigation was.
During an investigation, a company regularly obtains sensitive information about employees, competitors and other third parties. When defining the scope of the mandate, it is, therefore, paramount that the company is aware of the obligations and risks associated with obtaining certain information (eg, ad hoc publicity obligations) and creating certain work products (eg, production requests by third parties in civil litigation proceedings and criminal investigations).
With regard to the latter, the company must assess to what extent the results and work products of the internal investigation (eg, a final written report or interview records) may have to be disclosed to third parties and how the risk may be mitigated.
Reporting and communication
Clear reporting lines must be established, and a comprehensive reporting system implemented. As a rule, the steering committee should formalise in writing who reports what to whom at what point and in what format. Periodic reporting is advantageous (eg, in the case of ad hoc publicity obligations of the investigated entity).
The reporting concept should also determine when and how matters must be escalated internally, and a plan for any external communication (media aspect), including the respective competences, should be set-up. Communication is a necessary part of the immediate measures to be taken after the initiation of an internal investigation as external communication can have a significant influence on public opinion about the company. Proper dealing with the media may help maintain or re-establish public (and particularly investor) confidence in the company.
How the final product of the investigation will be presented should already have been considered at the outset of the investigation, . This is often a written report setting out:
- the methodology and process, as well as available data and information;
- the facts established; and
- conclusions, including proposals to improve, for example, control mechanisms and compliance in general.
However, a written report may not always be recommendable, in particular with regard to the risk that the work product is (involuntarily) disclosed to a regulator, in civil proceedings or in the course of a criminal investigation. This holds true even if the investigation is conducted by Swiss outside legal counsel, as the applicability of Swiss legal privilege to investigation work products has been limited by recent decisions of the Swiss Federal Supreme Court.
In respect of investigations conducted in-house, there is no in-house legal privilege under Swiss law. Against this background, we see an increasing tendency to request verbal reporting in a board of directors meeting, possibly combined with a key findings presentation.
Confidential or disclosed investigation
A decision must be made at the outset of an internal investigation about whether the investigation will be disclosed to employees or whether it should be conducted on a confidential basis. In Switzerland, it is not necessary to obtain approval from employee representatives or similar bodies to conduct an internal investigation. It is also not necessary to inform employees about whom an investigation will be conducted.
In our experience, there is no general rule on whether an internal investigation should be conducted confidentially or be disclosed to employees (in addition to employees involved). Rather, the best set-up must be determined on a case-by-case basis and also in light of the scope of the internal investigation and the number of employees involved. In the case of post-M&A investigations, information from employees may provide the most useful results.
In-house versus external counsel
Internal investigations may either be conducted in-house (eg, by using internal business people, in-house lawyers or internal audit employees) or by independent external investigators.
In our experience, the advantages of having the investigation conducted by external investigators (with substantial support by the investigated company’s internal staff) are: the absence of conflicts of interest; broader market expertise; experienced, specifically trained staff; and well-established collaboration with related service providers (eg, forensic e-discovery service providers). In addition, the independence of external investigators is often a key factor for third parties (such as shareholders, but also regulators and authorities) to add credibility and reliance to the internal investigation.
When choosing an external investigator, a company must carefully consider whether to task its long-time legal counsel or another outside legal firm. While a long-time corporate counsel will be very familiar with the company and could get swiftly up to speed with an internal investigation, which may save time and costs, there is also a risk that a company’s long-time counsel (and even more so the company’s auditors) lack independence and may become subject to ethical conflicts and divergent incentives.
Conduct of an investigation
Secrecy obligations provided by various Swiss laws and regulations can have an impact on or may hinder internal investigations in Switzerland. Strong secrecy obligations apply to banks, securities firms and certain other financial institutions. There are also general secrecy provisions regarding business secrets and economic espionage, as well as contractual confidentiality obligations that may oblige a company to secrecy. The respective provisions are set forth in various laws and regulations. .
The investigator must ascertain that the data established in the frame of a specific investigation can be used as evidence in court proceedings, if necessary, and must avoid any breach of the prohibitions set forth in the Penal Code (PC) to gather evidence in Switzerland in connection with foreign proceedings (article 271 of the PC).
The company may review its own files and may interview employees if the employees consent. In cases of severe misconduct, it can prove advantageous to mandate external experts familiar with interview techniques and tactics.
For a review of e-mail correspondence, the rules applicable to electronic discovery must be observed. Those rules also apply for a review of, for example, letters addressed to an employee in the files of the company. Further measures include the collection of audio and video material, GPS data analysis or observations by private investigator firms.
All such measures are only permitted as long as the personal rights and the health of the employee are not infringed. For further measures, such as the tapping or recording of telephone conversations, it may be necessary to involve state prosecutors as the company is prohibited from using such far-reaching and delicate measures. The company should be careful not to unnecessarily escalate the data retrieval as, for example, the use of espionage software may render other instruments (such as a termination of the employee) void.
In respect of data collection, contrary to other countries, the current Swiss data protection act also protects the data of legal entities – not only individuals; however, a new data protection act was passed in Parliament in September 2020. Under the new act, which is expected to enter into force in 2022, only the data of individuals will be protected.
As in other jurisdictions, a key part of any internal investigation in Switzerland is the electronic discovery of data. Electronic discovery is mainly governed by guidelines issued by the Federal Data Protection and Information Commissioner (FDPIC) in respect of internet and email supervision by employees (latest version: September 2013) and the processing of personal data in employment (latest version: October 2014). In prudentially supervised companies such as banks and insurers, legal obligations may serve as justification for the supervision of secondary data in e-mails, such as recipients or the time of sending.
If the company has implemented internal regulation on the supervision of email and message traffic (which we recommend), such internal regulation may justify the retrieval of information from emails and messaging services – in particular, if the employee has consented to such internal regulation beforehand, for example, as part of his or her employment agreement.
However, the company, in each case, must meticulously observe the principle of proportionality in actions taken against employees. Unless there is a strong suspicion of employee misconduct, the company must not supervise the entirety of the behaviour of the employees in question (eg, by installing a video camera supervising the employee all day).
If the company has a clear and present suspicion of abuse, it may review emails specifically concerning a certain employee; however, this does not include emails labelled as private or archived in an electronic folder. If emails are unlabelled or labelled other than ‘private’, the company may generally assume that they are business-related and may review them.
While a company generally has the right to request and review all business-related data (including emails and text messages), particular issues arise in connection with the use of web-based services such as WhatsApp, where it is generally not practically possible to gather related data stored on non-Swiss servers.
As a rule, internal investigations in Switzerland do not require the approval of employee representatives or workers’ councils. It is also not necessary to inform employees about pending investigations, in particular, if the company’s interests in keeping the investigation confidential outweigh the employees’ interests. In our experience, however, it is advisable in many cases to inform employees beforehand. They often learn about the investigation themselves anyway and usually consent to it, for example, by granting access to emails and documents.
Under Swiss employment law, employees must participate in interviews and provide truthful and complete information. If an employee becomes subject to criminal prosecution, certain limitations to the employee’s duty to cooperate may apply; however, there is no uniform opinion in Switzerland on whether the employee can refuse to cooperate (specifically based on the privilege against self-incrimination) or whether self-incriminating statements by the employee made during internal investigations are inadmissible evidence in a (subsequent) criminal governmental investigation. The Swiss Federal Supreme Court has yet to rule on this question.
If an employee participates in an interview, the company may, as a rule, assume that the employee also implicitly consents to the investigation. It is not entirely clear under Swiss law whether the employee has the right to request attendance of his or her own attorney. Under certain circumstances, however, legal representation can be encouraged to facilitate the conduct of the interview, and for the employee to feel more protected and, thus, more likely to cooperate.
The company generally does not need to provide an attorney for the employee at the company’s cost; however, in view of their duty of care towards employees, companies in our experience often do provide access to an attorney at the company’s cost in the event of investigations triggered by regulators or authorities. In practice, companies regularly pay those fees as a result of directors’ and officers’ liability insurance coverage.
It is disputed under Swiss law whether the employer must inform the employee about its suspicions prior to holding the interview. Pursuant to the Code of Obligations, the employer may only retrieve data about a specific employee to the extent that the data retrieval is required for the proper performance of employment or to determine the suitability of the employee. The interpretation of this rule is, however, highly disputed in Switzerland.
The company must, furthermore, determine if and to what extent employee interviews should be recorded. If detailed minutes are taken, a court may subsequently find that the employee’s value as a witness in court is diminished.
Use of findings
The use of the findings of an investigation in the context of court or other official proceedings depends on the type of proceedings in question. As a general rule, the ‘fruit of the poisonous tree’ doctrine is not applicable under Swiss law.
In criminal investigations, a court will usually ask whether the evidence could have been obtained legally by the state authorities and whether a balancing of interest (severity of the crime or infringement of personal rights by the obtaining of the evidence) weighs in favour of using the evidence (which is typically the case). In civil proceedings, evidence obtained by illegal means will only be taken into consideration if the interest in finding the truth clearly prevails. In administrative proceedings, the rules for criminal proceedings are usually applied.
Consequently, a company conducting an investigation has a strong interest to obtain evidence through legal means, especially as gathering evidence by other means may expose the company itself to criminal actions.
Data transfer abroad
To the extent that data gathered is transferred abroad, the rules of article 273 of the PC (and other similar secrecy rules), which effectively prohibit the disclosure abroad of non-public third-party information with a sufficient nexus to Switzerland, must be complied with, in particular by appropriately redacting relevant third-party information. However, documents may be transmitted in unredacted form if the third party has consented to the disclosure of its details and if no state interests are involved.
The Federal Data Protection Act prohibits any transfer if, in the country of the recipient, there is no data protection comparable to Swiss data protection. Furthermore, US data protection regulation is deemed insufficient from the point of view of Swiss data protection law (even in the case of Privacy Shield certification). However, a transfer may be permitted without consent if it is necessary to enforce claims in court or in the event of overarching public interests (pure private interests are not sufficient).
Furthermore, there is a group privilege to transfer data within a group of companies (subject to robust group internal data protection rules and subject to prior notification of the FDPIC). If cross-border transfer is an issue, the storage and analysis of the data is typically done in Switzerland, and the results are only transmitted abroad in an anonymous manner. As a consequence, the servers used in the investigation should be located on Swiss territory and be accessed from and reviewed in Switzerland.
For investigations initiated by a foreign authority or proceedings in a foreign court, article 271 of the PC must be observed. Acts undertaken in Switzerland for and on behalf of (or for the benefit of) a foreign state that, in Switzerland, would be acts reserved to a public authority are prohibited unless expressly authorised by the federal government, to avoid circumvention of mutual judicial and administrative assistance procedures.
In this regard, the collection of evidence, even in civil law court proceedings, is considered as an act reserved to state officials under Swiss law (as Switzerland has no concept equivalent to that of US pretrial discovery) and, accordingly, is subject to the limitations of article 271 of the PC.
As the article protects Swiss public authorities, it has no extraterritorial application. Accordingly, it does not come into play in circumstances where evidence is collected and reviewed outside Switzerland, including, for example, if interviews with Swiss employees are conducted abroad. Even consent by the involved persons does not prevent the actions taken in Switzerland from being illegal, and even acts prior to the initiation of court proceedings may sometimes be considered illegal.
As a rule, a party in foreign court proceedings may (with certain, specific limitations) submit its own documents to support its position in the foreign proceedings. However, it may not file documents compelled by a court order (similar rules apply to third parties being called as witnesses). A third party may only respond to general enquiries.
In connection with internal investigations conducted in Switzerland, article 271 of the PC may become an issue if the investigation is conducted with a view to later providing the work product or documents collected to foreign authorities or courts.
Articles 271 and 273 of the PC do not apply to the company in cases where information is provided through administrative or judicial assistance channels. In particular, in connection with foreign proceedings and investigations, the company should, to the extent possible, request foreign authorities and courts to seek information through administrative or judicial assistance.
Early preparation highly recommendable
A Swiss-domiciled company is well advised to prepare early for possible internal investigations. In summary, we strongly recommend taking the following steps.
- Allocation of competence: the company should establish whether the compliance, legal or risk departments are competent to analyse trigger incidents and determine who should lead an investigation.
- Allocation mechanism for investigation budget: the company needs a mechanism to allocate a budget quickly to the investigation team (costs of internal investigations can be very considerable, in particular, if non-Swiss lawyers have to be involved).
- Employee training: ideally, a company should build up certain competences (including training) in the relevant departments (which are typically compliance, legal or internal audit). As part of this training, standard proceedings and standard documents, such as interview forms, among other things, can be prepared. Larger companies may consider obtaining forensic software and reviewing their document management systems in the context of their suitability for investigations.
- Employment contracts and regulations: these may be reviewed and adapted to permit the company to send employees on garden leave and to review their emails. The entity’s email policy will ideally state that the email may not be used for private purposes.
- Regulation on email supervision: the company should issue a regulation on email supervision. Among the further documents that can be prepared are regulations concerning document retention and application for Sunday and night work for the project team.
The company should also consider establishing a whistle-blowing policy, which should provide a clear reaction mechanism and prevent disadvantages to the whistle-blower.