Internal Investigations: Swiss Law Aspects

In summary

Internal investigations have become an increasingly important and integral part of prudent corporate governance in Switzerland. This article provides a brief overview of the key considerations that will allow a Swiss-domiciled company to conduct an effective internal investigation. The topics addressed in this article include typical triggers of an internal investigation, specific questions that must be addressed by the company if an investigation is about to be launched, the impact of secrecy obligations on data collection in Switzerland, the use of specific findings with regard to pending or anticipated court or other official proceedings and questions on cross-border data transfer from Switzerland. We conclude this article by highlighting certain practical recommendations for Swiss companies to prepare for potential future internal investigations.

Discussion points

• Set-up of an internal investigations (governance, scope and work product)
• Conduct of an internal investigation (data collection and review process, e-discovery and employment aspects)
• Particular aspects to be considered with regard to cross-border aspects of investigations (data protection, secrecy obligations and blocking statutes)

Referenced in this article

• Federal Data Protection Act of 19 June 1992 (status as at 1 March 2019) SR 235.1
• Federal Data Protection and Information Commissioner
• Code of Obligations of 30 March 1922 (status as at 1 January 2022), SR 220
• Financial Markets Supervisory Authority
• Penal Code of 21 December 1937 (status as at 1 January 2022), SR 311.0

Introduction

Over the past decade, internal investigations have become an increasingly important and integral part of prudent corporate governance in Switzerland. While this is particularly true for regulated financial institutions, catalysed especially by US Department of Justice investigations, internal investigations have also become market practice good governance tools for non-regulated entities.

In the wake of tightened national and foreign anti-bribery and corruption laws, law enforcement with draconian penalties (and disgorgements of profits) against corporations and convictions of individuals, internal investigations are regularly initiated in connection with bribery, fraud and other compliance matters.

Triggers for internal investigations

An internal investigation should be initiated in case of (plausible and sufficient) indication of criminal activities affecting, or in connection with, an entity’s business. According to recent studies by PwC (2020), 47 per cent of the respondent companies on a global level experienced fraud in the past 24 months, and on average six cases of frauds were reported per company.

In Switzerland (based on a 2018 PwC study), 39 per cent of the respondents (listed and non-listed enterprises) experienced fraud within the past 24 months, with more than 12 per cent stating that they did not know whether their organisation had been a victim of fraud in this period.

If criminal activities primarily affect the enterprise internally (eg, in case of internal fraud, mobbing or sexual harassment allegations), the company is often not interested in initiating a public prosecution. Even if the criminals are outside the company that suffers the damage, the company often does not involve public authorities as it may feel threatened by risks to its reputation.

Companies should consider initiating internal investigations in cases of (alleged) material non-compliance with internal or external rules and policies.

For regulated financial institutions, the threshold for initiating an internal investigation is generally lower than for non-regulated entities. The Swiss Financial Markets Supervisory Authority (FINMA) generally expects financial institutions to investigate significant incidents in appropriate detail and to assess the robustness of internal processes and policies.

Furthermore, FINMA may formally request a financial institution to conduct an internal investigation and produce a report to FINMA as part of its ongoing supervision to ensure that the institution continues to meet its licensing requirements at all times.

FINMA may also directly mandate an investigation, in which case it would typically instruct an independent third party (usually a law firm or an audit firm) to conduct the investigation and to prepare a report to the regulator. The costs of such internal investigation (which can be considerable) must generally be borne by the investigated entity.

Internal investigations may also be triggered by investigations or enquiries of other government or regulatory authorities (seg, tax or competition authorities) to determine the risks for and the defence strategy of the company investigated.

Finally, internal investigations can be a useful tool in a post-M&A situation, in particular to assess potential warranty claims.

Set-up of an internal investigation

Introduction

If an internal investigation is about to be launched, a company must address various questions to make the investigation as efficient and legally robust as possible. The success and robustness of an internal investigation largely depend on the decisions taken at the very beginning of the investigation.

The initial questions to be resolved differ if an investigation is not conducted on a voluntary basis but is imposed by a regulator. The topics discussed here focus on conducting a voluntary investigation. If an investigation is imposed by a regulator, the latter will to a large extent dictate the details of the conduct.

Governance structure

The project governance structure is determined at the very beginning of an internal investigation. It is key for the success of a voluntary internal investigation that, at the top, a steering committee comprising persons with the necessary influence in the company supports and supervises the project.

The steering committee should establish and supervise the project management team, which comprises internal – and, depending on the individual circumstances, external – personnel with adequate knowledge, expertise and independence who closely manage the project on a day-to-day basis. A project office may provide administrative support both to the steering committee and to the project management.

The governance structure must be carefully formalised to provide the best protection for Swiss and foreign legal and work product privilege.

Mandate and scope

Before launching an internal investigation, the project management should be given a clear and unambiguous mandate and task. The mandate should be based on an initial analysis of the issue. The board of directors of the company, as the ultimate supervisory body, is often best-placed to determine the mandate, except in the case of matters with low substantive risks and a small scope and those that do not involve top management.

The mandate should formalise the topic and the goal of the investigation. Accordingly, at the outset of the investigation, the company should prepare a formal document (eg, a resolution of the board of directors, an engagement letter or a memorandum) authorising the investigation and outlining the specific scope of the investigation. Furthermore, resources (personnel and IT) and a budget must be allocated. The mandate should state what the incident triggering the investigation was.

Risk assessment

During an investigation, a company regularly obtains sensitive information about employees, competitors and other third parties. When defining the scope of the mandate, it is therefore paramount that the company is aware of the obligations and risks associated with obtaining certain information (eg, ad hoc publicity obligations) and creating certain work products (eg, production requests by third parties in civil litigation proceedings and criminal investigations).

With regard to the latter, the company must assess to what extent the results and work products of the internal investigation (eg, a final written report or interview records) may have to be disclosed to third parties and how those risks may be mitigated.

Reporting and communication

Clear reporting lines must be established, and a comprehensive reporting system implemented. As a rule, the steering committee should formalise in writing who reports what to whom at what point and in what format.

Periodic reporting is advantageous (eg, in the case of ad hoc publicity obligations of the investigated entity). The reporting concept should also determine when and how matters are escalated internally and a plan for any external communication (the media aspect), including the respective competences, should be set up.

Communication is a necessary part of the immediate measures to be taken after the initiation of an internal investigation as external communication can have a significant influence on public opinion about the company. Proper dealing with the media may help maintain or re-establish public (and particularly investor) confidence in the company.

Work product

At the outset of the investigation, consideration must be made on how the final product of the investigation will be presented. This is often a written report setting out:

• the methodology, process and the available data and information;
• the facts established; and
• conclusions, including proposals to improve, for example, control mechanisms and compliance in general.

A written report may not always be recommendable, in particular with regard to the risk that the work product is (involuntarily) disclosed to a regulator, in civil proceedings or in the course of a criminal investigation. This holds true even if the investigation is conducted by Swiss outside legal counsel as the applicability of Swiss legal privilege to investigation work products has been limited by recent decisions of the Swiss Federal Supreme Court.

If the investigation is conducted in-house, there is no in-house legal privilege under Swiss law. Against this background, there is an increasing tendency to request verbal reporting in a board of directors’ meeting, possibly combined with a key findings presentation.

Confidential or disclosed investigation

A decision must be made at the outset of an internal investigation about whether the investigation will be disclosed to employees or whether it should be conducted on a confidential basis. In Switzerland, it is not necessary to obtain approval from employee representatives or similar bodies to conduct an internal investigation. It is also not necessary to inform employees about whom an investigation will be conducted against.

There is no general rule regarding whether an internal investigation should be conducted confidentially or be disclosed to employees (in addition to employees involved). Rather, the best set-up is determined on a case-by-case basis, as well as in light of the scope of the internal investigation and the number of employees involved.

In the case of post-M&A investigations, information from employees may provide the most useful results.

In-house versus external counsel

Internal investigations may either be conducted in-house (eg, by using internal business people, in-house lawyers or internal audit employees) or by independent external investigators. The advantages of having the investigation conducted by external investigators (with substantial support by the investigated company’s internal staff) are:

• the absence of conflicts of interest;
• broader market expertise;
• experienced, specifically trained staff; and
• well-established collaboration with related service providers (eg, forensic e-discovery service providers).

In addition, the independence of external investigators is often a key factor for third parties (eg, shareholders, regulators and authorities) to add credibility and reliance to the internal investigation.

When choosing an external investigator, a company should carefully consider whether to task its long-time legal counsel or another outside legal firm. While long-time corporate counsel will be very familiar with the company and could get swiftly up to speed with an internal investigation, which may save time and costs, there is also a risk that a company’s long-time counsel (and even more so the company’s auditors) lack independence and may become subject to ethical conflicts and divergent incentives.

Conduct of an investigation

Secrecy obligations provided by various Swiss laws and regulations can have an impact on or may hinder internal investigations in Switzerland. Strong secrecy obligations apply to banks, securities firms and certain other financial institutions.

There are also general secrecy provisions regarding business secrets and economic espionage, as well as contractual confidentiality obligations that may oblige a company to secrecy. The respective provisions are set forth in various laws and regulations.

The investigator must ascertain that the data established in the frame of a specific investigation can be used as evidence in court proceedings, if necessary, and must avoid any breach of the prohibitions set forth in the Penal Code (PC) to gather evidence in Switzerland in connection with foreign proceedings (article 271, PC).

Data collection

The company may review its own files and may interview employees if they consent. In cases of severe misconduct, it can prove advantageous to mandate external experts familiar with interview techniques and tactics.

For a review of email correspondence, the rules applicable to electronic discovery must be observed. These rules also apply for a review of, for example, letters addressed to an employee in the files of the company. Further measures include the collection of audio and video material, GPS data analysis or observations by private investigator firms. Such measures are only permitted as long as the personal rights and the health of the employee are not infringed.

For further measures, such as the tapping or recording of telephone conversations, it may be necessary to involve state prosecutors as the company is prohibited from using such far-reaching and delicate measures. The company should be careful not to unnecessarily escalate the data retrieval as, for example, the use of espionage software may render other instruments (eg, termination of the employee) void.

With regard to data collection, contrary to other countries, the current Swiss Data Protection Act also protects the data of legal entities, not only individuals; however, a new data protection act was passed in Parliament in September 2020. Under the new act, which is expected to enter into force on 1 September 2023, only the data of individuals will be protected.

Electronic discovery

As in other jurisdictions, a key part of any internal investigation in Switzerland is the electronic discovery of data. Electronic discovery is mainly governed by guidelines issued by the Federal Data Protection and Information Commissioner (FDPIC)^[1] on internet and email supervision by employees (latest version September 2013) and personal data processing in employment (latest version October 2014). In prudentially supervised companies such as banks and insurers, legal obligations may serve as justification for the supervision of secondary data in emails, such as recipients or the time of sending.

If the company has implemented an internal regulation on the supervision of email and message traffic (which is recommended), the regulation may justify the retrieval of information from emails and messaging services – in particular if the employee has consented to such internal regulation beforehand, for example, as part of his or her employment agreement.

The company in each case must meticulously observe the principle of proportionality in actions taken against employees. Unless there is a strong suspicion of employee misconduct, the company must not supervise the entirety of the behaviour of the employees in question (eg, by installing video cameras supervising the employee all day).

If the company has a clear and present suspicion of abuse, it may review emails specifically concerning a certain employee; however, this does not include emails labelled as private or archived in an electronic folder. If emails are unlabelled or labelled other than ‘private’, the company may generally assume that they are business-related and may review them.

While a company generally has the right to request and review all business-related data (including emails and text messages), particular issues arise in connection with the use of web-based services, such as WhatsApp, where it is generally not practically possible to gather related data stored on non-Swiss servers.

Employee interviews

As a rule, internal investigations in Switzerland do not require the approval of employee representatives or workers’ councils. It is also not necessary to inform employees about pending investigations, in particular if the company’s interests in keeping the investigation confidential outweigh the employees’ interests; however, it is often advisable in many cases to inform employees beforehand – they often learn about the investigation themselves anyway and usually consent to it, for example, by granting access to emails and documents.

Under Swiss employment law, employees must participate in interviews and provide truthful and complete information. If an employee becomes subject to criminal prosecution, certain limitations to the employee’s duty to cooperate may apply; however, there is no uniform opinion in Switzerland on whether the employee can refuse to cooperate (specifically based on the privilege against self-incrimination) or whether self-incriminating statements by the employee made during internal investigations are inadmissible evidence in a (subsequent) criminal governmental investigation.

The Swiss Federal Supreme Court has yet to rule on this question. If an employee participates in an interview, the company may, as a rule, assume that the employee also implicitly consents to the investigation.

It is not entirely clear under Swiss law whether the employee has the right to request attendance of his or her own attorney. Under certain circumstances, however, legal representation can be encouraged to facilitate the conduct of the interview and for the employee to feel more protected and thus more likely to cooperate.

The company generally does not need to provide an attorney for the employee at the company’s cost; however, in view of their duty of care towards employees, companies often do provide access to an attorney at the company’s cost in the case of investigations triggered by regulators or authorities. In practice, companies regularly pay those fees as a result of directors’ and officers’ liability insurance coverage.

It is disputed under Swiss law whether the employer must inform the employee about its suspicions prior to holding the interview. Pursuant to the Code of Obligations, the employer may only retrieve data about a specific employee to the extent that the data retrieval is required for proper performance of the employment or to determine the suitability of the employee. The interpretation of this rule is, however, highly disputed in Switzerland.

The company must, furthermore, determine if and to what extent employee interviews should be recorded. If detailed minutes are taken, a court may subsequently find that the employee’s value as a witness in court is diminished.

Use of findings

The use of the findings of an investigation in the context of court or other official proceedings depends on the type of proceedings in question. As a general rule, the ‘fruit of the poisonous tree’ doctrine is not applicable under Swiss law.

In criminal investigations, a court will usually ask whether the evidence could have been obtained legally by the state authorities and whether a balancing of interest (severity of the crime or infringement of personal rights by the obtaining of the evidence) weighs in favour of using the evidence (which is typically the case).

In civil proceedings, evidence obtained by illegal means will only be taken into consideration if the interest in finding the truth clearly prevails.

In administrative proceedings, the rules for criminal proceedings are usually applied.

A company conducting an investigation has a strong interest to obtain evidence through legal means, especially as gathering evidence by other means may expose the company itself to criminal actions.

Data transfer abroad

To the extent that data gathered is transferred abroad, the rules of article 273 of the PC (and other similar secrecy rules), which effectively prohibits the disclosure abroad of non-public third-party information with a sufficient nexus to Switzerland, must be complied with, in particular by appropriately redacting relevant third-party information; however, documents may be transmitted in unredacted form if the third party has consented to the disclosure of its details and if no state interests are involved.

The Federal Data Protection Act prohibits any transfer if, in the country of the recipient, there is no data protection comparable to Swiss data protection. The US data protection regulations are deemed insufficient from the perspective of Swiss data protection law (even in the case of a Privacy Shield certification); however, a transfer may be permitted without consent if it is necessary to enforce claims in court or if there are overarching public interests (pure private interests are not sufficient).

Furthermore, there is a group privilege to transfer data within a group of companies (subject to robust group internal data protection rules and subject to prior notification of the FDPIC). If a cross-border transfer is an issue, the storage and analysis of the data is typically done in Switzerland, and the results are only transmitted abroad in an anonymous manner. As a consequence, the servers used in the investigation should be located on Swiss territory and be accessed from and reviewed in Switzerland.

For investigations initiated by a foreign authority or proceedings in a foreign court, article 271 of the PC must be observed. Acts undertaken in Switzerland for and on behalf of (or for the benefit of) a foreign state that, in Switzerland, would be acts reserved to a public authority are prohibited, unless expressly authorised by the federal government, to avoid circumvention of mutual judicial and administrative assistance procedures.

In this regard, the collection of evidence, even in civil law court proceedings, is considered as an act reserved to state officials under Swiss law (as Switzerland has no concept equivalent to that of US pretrial discovery) and accordingly is subject to the limitations of article 271 of the PC. As article 271 of the PC protects Swiss public authorities, it has no extraterritorial application.

Accordingly, article 271 does not come into play in circumstances where evidence is collected and reviewed outside Switzerland, including, for example, if interviews with Swiss employees are conducted abroad. Consent by the involved persons does not prevent the actions taken in Switzerland from being illegal, and acts prior to the initiation of court proceedings may sometimes be considered illegal.

As a rule, a party in foreign court proceedings may (with certain specific limitations) submit its own documents to support its position in the foreign proceedings; however, it may not file documents compelled by a court order (similar rules apply to third parties being called as witnesses). A third party may only respond to general enquiries.

In connection with internal investigations conducted in Switzerland, article 271 of the PC may become an issue if the investigation is conducted with a view to later providing the work product or documents collected to foreign authorities or courts.

Articles 271 and 273 of the PC do not apply to the company in cases where information is provided through administrative or judicial assistance channels. In particular, in connection with foreign proceedings and investigations, the company should to the extent possible request foreign authorities and courts to seek information through the route of administrative or judicial assistance.

Early preparation highly recommendable

In light of the issues summarised in this article, a Swiss-domiciled company is well advised to prepare early for possible internal investigations. In summary, the following steps are strongly recommended:

• Allocation of competence: the company should establish whether the compliance, legal or risk departments are competent to analyse trigger incidents and determine who should lead an investigation.
• Allocation mechanism for investigation budget: the company needs a mechanism to allocate a budget quickly to the investigation team (costs of internal investigations can be very considerable, especially if non-Swiss lawyers are involved).
• Employee training: ideally a company should build up certain competences (including training) in the relevant departments (which are typically compliance, legal or internal audit). As part of this training, standard proceedings and standard documents (eg, interview forms) can be prepared. Larger companies may consider obtaining forensic software and reviewing their document management systems in the context of their suitability for investigations.
• Employment contracts and regulations: these may be reviewed and adapted to permit the company to send employees on garden leave and to review their emails. The entity’s email policy will ideally state that the email account may not be used for private purposes.
• Regulation on email supervision: the company should issue a regulation on email supervision. Among the further documents that can be prepared are regulations concerning document retention and application for Sunday and night work for the project team.

The company should also consider establishing a whistle-blowing policy, which should provide a clear reaction mechanism and protect the whistle-blower.

Notes