Conducting internal investigations in the UAE
This is an Insight article, written by a selected partner as part of GIR's co-published content.
With comprehensive financial regulation and an increased focus on corporate governance and whistle-blower protection being enshrined in UAE law, internal investigations are becoming increasingly commonplace in the region. This article examines the key elements of conducting an internal investigation in the UAE and explores how companies can best take advantage of investigations.
- Commencing and scoping an investigation
- Fact-finding and external reports
- Taking corrective measures
Referenced in this article
- Federal Decree-Law No. 47 of 2022
- DFSA Whistleblowing Regime
- Federal Decree-Law No. 31 of 2021
- Federal Decree-Law No. 45 of 2021
- Federal Decree-Law No. 34 of 2021
Investigations in the UAE
Typically arising from an allegation of wrongdoing (whether from a concerned employee or a third party), internal investigations are essentially a fact-finding exercise for a company to confirm whether laws, regulations or internal policies have been violated. Internal investigations may be related to employee conduct (eg, harassment, discrimination or wrongful termination), regulatory compliance concerns, potential litigation or allegations of fraud or other financial crimes. Investigations may arise from a range of circumstances, such as a single unexpected incident (eg, an accident), a whistle-blower report or the discovery of a regulatory breach during a routine audit. Although the circumstances that may give rise to an internal investigation are extremely wide, there are many common features and considerations to keep in mind when conducting an investigation.
In the United Arab Emirates (UAE), regulated institutions (including financial institutions, insurance firms and virtual asset providers) must report misconduct to their regulators. For these companies, an internal investigation often acts as a preliminary exercise in preparation for an external report being made to the regulator; having clarity on the facts, rather than merely reporting suspicions, allows the company to better assist the regulator and to maintain some control over the investigatory process.
For unregulated companies, internal investigations are more often commenced to comply with internal policies or employment law rather than with external reporting obligations; however, many companies in the UAE do not have sophisticated internal policies that stipulate when and how internal investigations will be conducted.
The introduction of federal corporate tax, which will come into effect on 1 June 2023, will place a number of additional obligations on companies, and tax evasion will surely follow. Federal Decree-Law No. 47 of 2022 includes general anti-abuse rules to curb tax avoidance measures, and internal and externally led investigations are likely to follow with the introduction of the new tax regime.
Key elements of an investigation
Federal law does not explicitly define ‘whistle-blowers’, nor does it explicitly protect them; however, there are a number of whistle-blower protections both at an emirate level (Dubai Law No.4 of 2016, article 19) and in free-zone jurisdictions such as the Dubai International Financial Centre (DIFC) (the Dubai Financial Services Authority (DFSA) Whistleblowing Regime (the Regime), which came into force on 7 April 2022).
The DFSA implemented the Regime to bring the DIFC closer in line with best practices in whistle-blowing globally. The Regime stipulates the availability of internal channels for reporting and procedures for giving feedback. Importantly, employees of DFSA-regulated companies operating in or from the DIFC can withhold their identities when reporting suspected misconduct, and DFSA-regulated firms must protect whistle-blowers from any detrimental impact that may arise from reporting misconduct (up to and including dismissal). It also imposes penalties for retaliation and failure to disclose reports.
The Central Bank of the UAE (the Central Bank) has also created an online whistle-blowing portal through which its employees, representatives and contractors can report anonymously.
These reforms are designed to encourage incident reporting without fear of reprisal, and we are expecting to see an increasing number of reports being made. Given that whistle-blowers can now report anonymously, the incident report may be the only time a company hears directly from the reporting party. As such, if UAE companies follow the example of the Central Bank and provide an online reporting platform, the web portal should guide the reporter into providing important information, such as who was involved, when and where the incident occurred and who else witnessed it or was involved. This should help to prevent a situation in which a significant act of misconduct is reported, but the company lacks the required information to investigate it effectively.
As whistle-blowers may typically report to their direct supervisors or to a human resources (HR) department, it is important that line managers and HR employees receive training on how to deal with reports. Not only does initial reporting provide an opportunity for the company to gather additional information, it is also a chance to demonstrate professionalism and competence. The more assured a whistle-blower is that their concern will be addressed swiftly and appropriately, the less likely they are to first reach out to an external authority or, potentially, the media, resulting in a loss of control of the matter and potentially harmful publicity.
Making the decision to commence an investigation
The UAE has no specific law that governs the requirements for commencing, and subsequently conducting, an internal investigation. The expected actions of the company, therefore, depend on the type of misconduct or matter being investigated, as UAE law contains a number of offences that can be committed by corporate organisations or their employees. For example, Federal Law No. 19 of 2016 establishes the crimes and penalties for corporate fraud, whereas Federal Law No. 20 of 2018, as amended, has listed a number of money laundering offences. Federal Decree-Law No. 31 of 2021 (the Penal Code) imposes a general duty on all persons who have knowledge of a crime to report it to the competent authorities, and failure to do so is a punishable offence.
The concept of corporate criminal liability is recognised and given wide application under article 66 of the Penal Code. While the position in other jurisdictions is that only criminal acts of a senior person representing the company’s controlling mind and will can incur liability on the company, under UAE law a company may have liability if the individual is deemed to have committed the criminal act in the company’s name or when acting on behalf of the company; therefore, failing to appropriately deal with a report of serious employee misconduct can lead to severe consequences for a UAE company and its managers.
When deciding whether to conduct an internal investigation following a report or a suspicion, companies should consider:
- the severity of the violation or the misconduct;
- whether the violation leads to infringement of any legislation at the federal or emirate level (or the applicable offshore laws if the company is incorporated in a free zone); and
- the consequences or the benefits to the organisation if an investigation were to be conducted.
Scoping the investigation
A clear strategy for conducting the investigation must be devised, in consultation with legal counsel, at an early stage. An investigation plan must be put in place that identifies the investigation team, the scope of the investigation, the plans for evidence gathering and factual review and the timeline for production of the final report. The plan should be flexible and should be updated regularly.
To ensure clarity and communication as the investigation progresses, the company should appoint an internal supervisor to whom the investigators will report. This can be in-house counsel, the audit committee, a board member or a special committee of the board that has been formed for this specific purpose. Consideration must be given to ensuring objectivity and credibility, and the supervision of the investigation should be moved away from company management, if possible, to reduce the risk of any apparent conflict of interest.
Retaining outside counsel can also lend greater credibility to an investigation. This is particularly the case when the investigation includes a review of the directors’ conduct as there is a risk that the objectivity of in-house counsel, who may normally be tasked with conducting or coordinating the investigation, could be, or at least appear to be, compromised.
Outside counsel are more likely to have extensive experience in conducting internal investigations and can ensure that best practices are followed. Further, engaging outside counsel on the investigations side will help provide a clear delineation between matters related to the investigation and the everyday legal or business support provided by in-house counsel. This will help protect communications between the company and outside counsel, as well as documents that are prepared in anticipation of litigation.
Another outside resource that should be considered is the hiring of consultants, which can include:
- e-discovery vendors – many investigations will require the retention and review of copious amounts of electronically stored documents. Technical support firms can provide simplified and secure platforms for data processing and hosting;
- forensic accountants – expert review of a company’s financial records can help identify irregularities and trace misappropriated assets; and
- subject-matter consultants – investigations in highly technical industries may require subject-matter consultants. A company may also wish to consider hiring public relations consultants if it is facing reputational risk.
Consultants should be hired and instructed by the company’s legal counsel to lend weight to an argument that the agent was hired in a legal rather than a business capacity, should the need to assert legal privilege or confidentiality arise.
Once a decision to proceed with an investigation has been made, the gathering of information and the document review process will need to be managed carefully. Given the vast amounts of electronic data that most companies hold on their systems, a ‘collect everything’ approach is rarely an option, and the scope of the data collection exercise will need to be focused and proportionate. Developing a smart strategy that focuses on selective data sets, while ensuring other data is not routinely or inadvertently deleted or lost, is imperative.
The company’s IT team must be consulted, and all data collection and preservation-related decisions must be recorded. Engaging an e-discovery vendor is recommended if a considerable number of documents need to be reviewed. The use of platforms that allow documents to be filtered, grouped and coded will aid investigators considerably.
Key data custodians should receive a litigation hold notice and have their preservation obligations explained to them to prevent the routine or accidental destruction of information. If there is reason to suspect that notifying some of or all the custodians would result in the deletion of records, companies must consider collecting documents before notifying employees of the investigation.
Confidentiality and data privacy
Regarding employees’ right to privacy, the Federal Decree-Law No. 45 of 2021 (the Data Protection Law) defines the controls for the processing of personal data and the general obligations of companies to secure personal data and maintain the confidentiality of that data. The Data Protection Law prohibits the processing of personal data without the consent of the owner, except in some cases, including if:
- the processing is necessary to protect a public interest;
- a controller or data subject needs to meet obligations or exercise employment or social protection rights; or
- the processing is necessary for claiming legal rights or as part of judicial or security procedures.
One lawful basis frequently applied in other jurisdictions, but that is absent from the Data Protection Law, is cases where processing is necessary for the purposes of a legitimate interest pursued by the controller.
The disclosure of confidential information carries criminal sanctions under UAE law. The Penal Code criminalises the disclosure of trade secrets, the publication of private information and the opening or interception of correspondence for which the individual is not the intended recipient. Under Federal Decree-Law No. 34 of 2021 (the Cybercrimes Law), the use of any electronic system to invade the privacy of another individual, without their consent or a right under law, can incur a prison sentence and a fine of up to 500,000 dirhams.
If the company is a state entity, there are stricter controls on confidentiality, and more severe penalties may apply. For example, the unauthorised disclosure of confidential government data is punishable by imprisonment of not less than 7 years and a fine of up to 3 million dirhams. The disclosure of state secrets relating to defence carries a penalty of life imprisonment.
Defamation is also an offence under both the Penal Code and the Cybercrimes Law. Unlike in most jurisdictions, there is generally no truth defence for defamation in the UAE. Article 44(3) of the Cybercrimes Law explicitly states that an offence will have been committed if information is spread to harm an individual, even if that information is true and correct. The Penal Code provides certain exemptions when a defence of truth may be raised, including when claims are made against a public official. Defamation is a pertinent issue when discussing an investigation, even with colleagues or management, and when conducting witness interviews.
Many employment contracts in the UAE already contain terms by which the employee gives consent for the processing of their personal data for reasons related to their employment or the employee’s business. As such, both the company’s employment contracts and the Data Protection Law should be consulted when deciding how information will be collected for the purposes of the investigation, and the company should record either the data subject’s consent or the legal justification under which the investigation processed employee personal data.
Investigators must identify the employees who need to be interviewed, keeping in mind proportionality and any confidentiality concerns.
When interviewing employees, particular care must be taken to preserve their rights, especially if they are personally at risk of disciplinary action. Two lawyers should typically be in attendance, one to conduct the interview and the other to transcribe it, and each witness should be informed that counsel is acting on behalf of the company and not the individual employee.
It is important not to allow witnesses to taint each other’s evidence by holding group discussions or interviews, or by relating the evidence of one witness to another during an interview. Keeping in mind the offence of defamation, witnesses should not be informed about any alleged misconduct of a fellow employee, nor should leading questions be asked from which witnesses can infer the allegations that have been made. Although maintaining absolute confidentiality is not always feasible during an investigation, indiscretion at this stage can lead to claims of damage to the reputation of the individuals who are implicated in the investigation.
During the investigation, it may be difficult to collect certain evidence and establish a clear fact pattern. Companies that have had historically poor corporate governance may have inadequate record-keeping policies, and investigators may find that relevant documents have been lost or deleted.
Allegations of fraud or the misappropriation of assets may require assets to be traced – an exercise that can prove particularly difficult in the UAE because of a number of factors. The UAE is made up of seven emirates and various free zones, all of which have their own regulations and corporate registries with varying degrees of transparency and regulatory rigour. Large trading hubs such as Jebel Ali Free Zone further complicate matters.
Jebel Ali is a port-based free zone that is home to a wide range of companies and commercial activities relating to the transportation, processing and trans-shipment of goods; US$123.8 billion of traded goods passed through it in 2021. Free zones like Jebel Ali typically afford a high level of privacy to their users such that funds that are transferred to companies within them may be very difficult to trace.
In addition, the UAE has historically had poor corporate ownership transparency requirements. Cabinet Resolution No. 58 of 2020 introduced a requirement for entities in the UAE (with certain exceptions) to maintain accurate information about their ultimate beneficial owners (UBOs). However, this information need only be disclosed to the government (not the general public); therefore, UBO and other corporate information can be very difficult to access. Business intelligence specialists can be engaged legitimately to uncover information that is not readily available, but this is often a costly endeavour.
If the investigation uncovers misconduct, the company must consider whether the law requires the discovered wrongdoing to be reported to the police, another branch of government or a regulator. Under article 323 of the Penal Code, there is a general obligation to report a crime of which one has knowledge. Article 321 imposes an obligation on employees to report, without delay, a crime of which they come to have knowledge during or by reason of their position.
Depending on the nature of the crime and the company, specific reporting obligations may also arise under UAE law. For example, financial institutions, designated non-financial businesses and virtual asset service providers are under an obligation to report to the Central Bank’s Financial Intelligence Unit (FIU) ‘without delay’ once they ‘suspect or have reasonable grounds to suspect’ that they are dealing with criminal proceeds. Similarly, reports of sanctions evasions must be submitted to the FIU as suspicious transaction reports.
UAE regulators will generally look favourably on self-reporting when considering the potential consequences for the company. If reporting the misconduct to the government or a regulator is discretionary:
- it is recommended that the matter be discussed with outside counsel. Their independence and experience in those matters will help the company demonstrate that any decision to make or refrain from making a report was an objective one; and
- the company should make a decision promptly after learning of the results of an internal investigation. The Penal Code provides that reports must be made without delay and any apparent hesitancy or avoidance on the company’s behalf may be looked at with suspicion if a report is subsequently made.
The investigation should help the company to implement a plan to remediate the behaviour and prevent recidivism, and any internal controls discovered to be lacking or absent during the investigation should be remedied.
When making a report, it is recommended that a company inform the regulator or government department of the preventative or disciplinary steps it has already taken, as this will likely factor into the latter’s decision-making when determining what action to take and what penalties, if any, to apply.
Taking corrective action
A company must consider the corrective action it needs to take following the results of an investigation. Companies should be mindful of how they are regarded by not only the regulator or government body they report to but also their employees and the public.
A review of the company’s policies will help to determine whether it is necessary to take disciplinary action against specific employees or, if the misconduct is serious, whether criminal or civil proceedings need to be commenced against particular individuals. Overlooking improper behaviour may increase the likelihood of future misconduct by sending the message that the company does not take compliance seriously.
An investigation will also reveal any gaps in the company’s policies and procedures that have been overlooked or exploited. These must be addressed while consulting the applicable law. For example, under articles 43 to 44 of DIFC Law No. 2 of 2019, employers must provide a safe working environment that is free of discrimination and put adequate systems and training in place to minimise occupational health and safety risks. Under the DFSA Rulebook, regulated firms must have in place appropriate systems and controls, which may need updating following the findings of an investigation.
Employee training sessions can incorporate practical lessons on the applicable compliance issues, promoting increased awareness of the regulations and prohibited behaviour. Emphasising the tone from the top will also encourage ethical conduct. It, therefore, is important that managers are aligned and informed on the company’s position regarding best practices moving forwards.
Government and regulatory agencies in the UAE are demonstrating increasing appetite for investigating and prosecuting financial crime. Employees and whistle-blowers are benefiting from a growing number of legal protections, and the UAE has developed an increasingly robust regulatory system, all of which has resulted in internal investigations becoming a frequently used risk management tool.
This article has identified just some of the many issues that may arise when planning and conducting an investigation, as there is no template that suits all circumstances. This is an area in which great care must be taken to ensure compliance with UAE law (which contains some pitfalls for the unwary) and to ensure that a business protects its interests, including from a risk, regulatory and reputational perspective.
 The UAE recognises attorney–client confidentiality rather than privilege per se.
 Federal Decree-Law No. 31 of 2021 (the Penal Code), articles 431 to 433.
 Federal Decree-Law No. 34 of 2021 (the Cybercrimes Law), article 44.
 Cybercrimes Law, article 7.
 Penal Code, article 167.
 Penal Code, article 425.
 Cybercrimes Law, articles 43 to 44.
 Federal Law No. 20 of 2018, article 15.