Internal investigations under Swiss law
This is an Insight article, written by a selected partner as part of GIR's co-published content.
In summary
Internal investigations have become an increasingly important and integral part of prudent corporate governance in Switzerland. This article provides a brief overview of the key considerations that will allow a Swiss-domiciled company to conduct an effective internal investigation. The topics addressed in this article include typical triggers of an internal investigation, specific questions that must be addressed by the company if an investigation is about to be launched, the impact of secrecy obligations on data collection in Switzerland, the use of specific findings with regard to pending or anticipated court or other official proceedings and questions on cross-border data transfer from Switzerland. We conclude this article by highlighting certain practical recommendations for Swiss companies to prepare for potential future internal investigations.
Discussion points
- Set-up of an internal investigation (governance, scope and work product)
- Conduct of an internal investigation (data collection and review process, e-discovery and employment aspects)
- Particular aspects to be considered with regard to cross-border aspects of investigations (data protection, secrecy obligations and blocking statutes)
Referenced in this article
- Federal Data Protection Act of 19 June 1992 (status as at 1 March 2019), SR 235.1
- Federal Data Protection Act, Referendum Proposal of 26 September 2020 (BBI 2020 7639)
- Federal Data Protection and Information Commissioner
- Code of Obligations of 30 March 1922 (status as at 9 February 2023), SR 220
- Financial Markets Supervisory Authority
- Penal Code of 21 December 1937 (status as at 23 January 2023), SR 311.0
- Criminal Procedure Code of 5 October 2007, SR 312.0
Introduction
Over the past decade, internal investigations have become an increasingly important and integral part of prudent corporate governance in Switzerland. While this is particularly true for regulated financial institutions, catalysed especially by US Department of Justice investigations, internal investigations have also become a market-practice good governance tool for non-regulated entities.
In the wake of tightened national and foreign anti-bribery and corruption laws, law enforcement with draconian penalties (and disgorgements of profits) against corporations and convictions of individuals, internal investigations are regularly initiated in connection with bribery, fraud and other compliance matters.
Triggers for internal investigations
An internal investigation should be initiated if there is a plausible and sufficient indication of a criminal activity affecting, or relating to, an entity’s business. According to recent studies by PwC (2022), 46 per cent of the respondent companies on a global level experienced fraud in the past 24 months.[1]
In Switzerland (based on a 2018 PwC study), 39 per cent of the respondents (listed and non-listed enterprises) experienced fraud within the past 24 months, with more than 12 per cent stating that they did not know whether their organisation had been a victim of fraud in this period.[2]
If criminal activities primarily affect the enterprise internally (eg, internal fraud, mobbing or sexual harassment allegations), the company is often not interested in initiating a public prosecution. Even if the criminals are outside the company that suffers the damage, the company often does not involve public authorities as it may feel threatened by risks to its reputation.
Companies should consider initiating internal investigations in cases of (alleged) material non-compliance with internal or external rules and policies.
For regulated financial institutions, the threshold for initiating an internal investigation is generally lower than for non-regulated entities. The Swiss Financial Markets Supervisory Authority (FINMA) generally expects financial institutions to investigate significant incidents in appropriate detail and to assess the robustness of internal processes and policies.
FINMA may formally request a financial institution to conduct an internal investigation and produce a report to FINMA as part of its ongoing supervision to ensure that the institution continues to meet its licensing requirements at all times. FINMA may also directly mandate an investigation, in which case it would typically instruct an independent third party (usually a law firm or an audit firm) to conduct the investigation and to prepare a report to the regulator. The costs of the internal investigation (which can be considerable) must generally be borne by the investigated entity.
Internal investigations may also be triggered by investigations or inquiries of other government or regulatory authorities (eg, tax or competition authorities) to determine the risks for and the defence strategy of the company investigated.
Finally, internal investigations can be a useful tool in a post-M&A situation, in particular to assess potential warranty claims.
Set-up of an internal investigation
Introduction
If an internal investigation is about to be launched, a company must address various questions to make the investigation as efficient and legally robust as possible. The success and robustness of an internal investigation largely depend on the decisions taken at the very beginning of the investigation.
The initial questions to be resolved differ if an investigation is not conducted on a voluntary basis but is imposed by a regulator. The topics discussed here focus on conducting a voluntary investigation. If an investigation is imposed by a regulator, the latter will dictate to a large extent the details of the conduct.
Governance structure
The project governance structure is determined at the very beginning of an internal investigation. It is key for the success of a voluntary internal investigation that, at the top, a steering committee comprising persons with the necessary influence in the company supports and supervises the project.
The steering committee should establish and supervise the project management team, which comprises internal – and, depending on the individual circumstances, external – personnel with adequate knowledge, expertise and independence who closely manage the project on a day-to-day basis. A project office may provide administrative support both to the steering committee and to the project management.
The governance structure must be carefully formalised to provide the best protection for Swiss and foreign legal and work product privilege.
Mandate and scope
Before launching an internal investigation, the project management should be given a clear and unambiguous mandate and task. The mandate should be based on an initial analysis of the issue. The board of directors of the company, as the ultimate supervisory body, is often best-placed to determine the mandate, except in the case of matters with low substantive risks and a small scope and those that do not involve top management.
The mandate should formalise the topic and the goal of the investigation. Accordingly, at the outset of the investigation, the company should prepare a formal document (eg, a resolution of the board of directors, an engagement letter or a memorandum) authorising the investigation and outlining the specific scope of the investigation. Furthermore, resources (personnel and IT) and a budget must be allocated. The mandate should state what the incident triggering the investigation was.
Risk assessment
During an investigation, a company regularly obtains sensitive information about employees, competitors and other third parties. When defining the scope of the mandate, it is paramount that the company is aware of the obligations and risks associated with obtaining certain information (eg, ad hoc publicity obligations) and creating certain work products (eg, production requests by third parties in civil litigation proceedings and criminal investigations).
With regard to the latter, the company must assess to what extent the results and work products of the internal investigation (eg, a final written report or interview records) may have to be disclosed to third parties and how those risks may be mitigated.
Reporting and communication
Clear reporting lines must be established, and a comprehensive reporting system implemented. As a rule, the steering committee should formalise in writing who reports what to whom at what point and in what format.
Periodic reporting is advantageous (eg, in the case of ad hoc publicity obligations of the investigated entity). The reporting concept should also determine when and how matters are escalated internally, and a plan for any external communication (the media aspect), including the respective competences, should be set up.
Communication is a necessary part of the immediate measures to be taken after the initiation of an internal investigation as external communication can have a significant influence on public opinion about the company. Proper dealing with the media may help maintain or re-establish public (and particularly investor) confidence in the company.
Work product
At the outset of the investigation, consideration must be given to how the final product of the investigation will be presented. This is often a written report setting out:
- the methodology, process and the available data and information;
- the facts established; and
- conclusions, including proposals to improve, for example, control mechanisms and compliance in general.
A written report may not always be recommendable, in particular with regard to the risk that the work product is (involuntarily) disclosed to a regulator, in civil proceedings or in the course of a criminal investigation. This holds true even if the investigation is conducted by Swiss outside legal counsel as the applicability of Swiss legal privilege to investigation work products has been limited by decisions of the Swiss Federal Supreme Court in recent years.
If the investigation is conducted in-house, there is no in-house legal privilege under Swiss law. Against this background, there is an increasing tendency to request verbal reporting in a board of directors’ meeting, possibly combined with a key findings presentation.
Confidential or disclosed investigation
A decision must be made at the outset of an internal investigation about whether the investigation will be disclosed to employees or whether it should be conducted on a confidential basis. In Switzerland, it is not necessary to obtain approval from employee representatives or similar bodies to conduct an internal investigation. It is also not necessary to inform employees about whom an investigation will be conducted against.
There is no general rule regarding whether an internal investigation should be conducted confidentially or be disclosed to employees (in addition to the employees involved); rather, the best set-up is determined on a case-by-case basis, as well as in light of the scope of the internal investigation and the number of employees involved.
In the case of post-M&A investigations, information from employees may provide the most useful results.
In-house versus external counsel
Internal investigations may either be conducted in-house (eg, by using internal business people, in-house lawyers or internal audit employees) or by independent external investigators. The advantages of having the investigation conducted by external investigators (with substantial support by the investigated company’s internal staff) are:
- the absence of conflicts of interest;
- broader market expertise;
- experienced, specifically trained staff; and
- well-established collaboration with related service providers (eg, forensic e-discovery service providers).
In addition, the independence of external investigators is often a key factor for third parties (eg, shareholders, regulators and authorities) to add credibility and reliance to the internal investigation.
When choosing an external investigator, a company should carefully consider whether to task its long-time legal counsel or another outside legal firm. While long-time corporate counsel will be very familiar with the company and may swiftly get up to speed with an internal investigation, which may save time and costs, there is also a risk that a company’s long-time counsel (and even more so the company’s auditors) lack independence and may become subject to ethical conflicts and divergent incentives.
Conduct of an investigation
Secrecy obligations provided by various Swiss laws and regulations can have an impact on or may hinder internal investigations in Switzerland. Strong secrecy obligations apply to banks, securities firms and certain other financial institutions.
There are also general secrecy provisions regarding business secrets and economic espionage, as well as contractual confidentiality obligations that may oblige a company to secrecy. The respective provisions are set forth in various laws and regulations.
The investigator must ascertain that the data established in the course of a specific investigation can be used as evidence in court proceedings, if necessary, and must avoid any breach of the prohibitions set forth in the Penal Code (PC) on gathering evidence in Switzerland in connection with foreign proceedings (PC, article 271).
Data collection
The company may review its own files and may interview employees if they consent. In cases of severe misconduct, it can prove advantageous to mandate external experts familiar with interview techniques and tactics.
When reviewing email correspondence, the rules applicable to electronic discovery must be observed. These rules also apply for reviews of, for example, letters addressed to an employee in the files of the company. Further measures include the collection of audio and video material, GPS data analysis and observations by private investigator firms. Those measures are only permitted if the personal rights and the health of the employee are not infringed.
For further measures, such as the taping or recording of telephone conversations, it may be necessary to involve state prosecutors as the company is prohibited from using such far-reaching and delicate measures. The company should be careful not to unnecessarily escalate the data retrieval as, for example, the use of espionage software may render other instruments (eg, termination of the employee) void.
Regarding data collection, unlike in other countries, the current Data Protection Act (DPA) also protects the data of legal entities, not only individuals; however, a new DPA will enter into force on 1 September 2023.
Under the new DPA, only the data of individuals is protected. It also provides for stricter obligations regarding the documentation of data processing and information when personal data is obtained and processed by the employer. In particular, the employer must inform the employees of the identity and the contact details of the person responsible for the processing, the exact purposes of the processing of their personal data and the recipients of their personal data. The employer must keep a register of the processing activities.
The new DPA could necessitate revisions of the data protection declarations that are currently in place. It, therefore, is important that data protection declarations are phrased sufficiently broadly with regard to the different purposes of the processing and state the possible use of personal data for an investigation.
Electronic discovery
As in other jurisdictions, a key part of any internal investigation in Switzerland is the electronic discovery of data. Electronic discovery is mainly governed by guidelines issued by the Federal Data Protection and Information Commissioner (FDPIC)[3] on internet and email supervision by employees[4] and personal data processing in employment.[5] In prudentially supervised companies such as banks and insurers, legal obligations may serve as justification for the supervision of secondary data in emails, such as recipients or the time of sending.
If the company has implemented internal regulation on the supervision of email and message traffic (which is recommended), the regulation may justify the retrieval of information from emails and messaging services – in particular if the employee has consented to internal regulation beforehand, for example, as part of his or her employment agreement.
In each case the company must meticulously observe the principle of proportionality in actions taken against employees. Unless there is a strong suspicion of employee misconduct, the company must not supervise the entirety of the behaviour of the employees in question (eg, by installing video cameras supervising the employee all day).
If the company has a clear and present suspicion of abuse, it may review emails specifically concerning a certain employee; however, this does not include emails labelled as private or archived in an electronic folder. If emails are unlabelled or labelled other than private, the company may generally assume that they are business-related and may review them.
While a company generally has the right to request and review all business-related data (including emails and text messages), particular issues arise in connection with the use of web-based services, such as WhatsApp, where it is generally not practically possible to gather related data stored on non-Swiss servers.
Employee interviews
As a rule, internal investigations in Switzerland do not require the approval of employee representatives or workers’ councils. It is also not necessary to inform employees about pending investigations, in particular if the company’s interests in keeping the investigation confidential outweigh the employees’ interests; however, it is often advisable to inform employees beforehand – they often learn about the investigation themselves anyway and usually consent to it, for example, by granting access to emails and documents.
Under Swiss employment law, employees must participate in interviews and provide truthful and complete information. If an employee becomes subject to criminal prosecution, certain limitations to the employee’s duty to cooperate may apply; however, there is no uniform opinion in Switzerland on whether the employee can refuse to cooperate (specifically based on the privilege against self-incrimination) or whether self-incriminating statements by the employee made during internal investigations are inadmissible evidence in a (subsequent) government criminal investigation.
The Federal Supreme Court has yet to rule on this question. If an employee participates in an interview, the company may, as a rule, assume that the employee also implicitly consents to the investigation. The Federal Supreme Court has, however, decided that the employer is not obliged to provide the criminal procedural notices under article 158 of the Criminal Procedure Code at the first interrogation as the employer cannot take the place of the criminal law enforcement authorities in an internal investigation.
It is not entirely clear under Swiss law whether the employee has the right to request the attendance of his or her own attorney. Under certain circumstances, however, legal representation can be encouraged to facilitate the conduct of the interview and for the employee to feel more protected and, therefore, more likely to cooperate.
The company generally does not need to provide an attorney for the employee at the company’s cost; however, in view of their duty of care towards employees, companies often do provide access to an attorney at their cost in the case of investigations triggered by regulators or authorities. In practice, companies regularly pay those fees as a result of directors’ and officers’ liability insurance coverage.
It is disputed under Swiss law whether the employer must inform the employee about its suspicions prior to holding the interview. Pursuant to the Code of Obligations, the employer may only retrieve data about a specific employee to the extent that the data retrieval is required for proper performance of the employment or to determine the suitability of the employee; however, the interpretation of this rule is highly disputed in Switzerland.
The company must, furthermore, determine whether, and if so to what extent, employee interviews should be recorded. If detailed minutes are taken, a court may subsequently find that the employee’s value as a witness in court is diminished.
Use of findings
The use of the findings of an investigation in the context of court or other official proceedings depends on the type of proceedings in question. As a general rule, the ‘fruit of the poisonous tree’ doctrine is not applicable under Swiss law.
In criminal investigations, a court will usually ask whether the evidence could have been obtained legally by the state authorities and whether a balance of interest (severity of the crime or infringement of personal rights by the obtainment of the evidence) weighs in favour of using the evidence (which is typically the case).
In civil proceedings, evidence obtained by illegal means will only be taken into consideration if the interest in finding the truth clearly prevails. In administrative proceedings, the rules for criminal proceedings are usually applied.
A company conducting an investigation has a strong interest in obtaining evidence through legal means, especially as gathering evidence by other means may expose the company itself to criminal actions.
Data transfer abroad
To the extent that data gathered is transferred abroad, the rules of article 273 of the PC (and other similar secrecy rules), which effectively prohibit the disclosure abroad of non-public third-party information with a sufficient nexus to Switzerland, must be complied with, in particular by appropriately redacting relevant third-party information; however, documents may be transmitted in unredacted form if the third party has consented to the disclosure of its details and if no state interests are involved.
The DPA prohibits any transfer if, in the country of the recipient, the data protection is inadequate compared to Swiss data protection. The US data protection regulations are deemed inadequate from the perspective of Swiss data protection law (even in the case of a Privacy Shield certification); however, a transfer may be permitted without consent if it is necessary to enforce claims in court or if there are overarching public interests (pure private interests are not sufficient).
Furthermore, there is a group privilege to transfer data within a group of companies (subject to robust group internal data protection rules and subject to prior notification of the FDPIC). If a cross-border transfer is an issue, the storage and analysis of the data is typically done in Switzerland, and the results are only transmitted abroad in an anonymous manner. As a consequence, the servers used in the investigation should be located on Swiss territory and be accessed from and reviewed in Switzerland.
For investigations initiated by a foreign authority or proceedings in a foreign court, article 271 of the PC must be observed. Acts undertaken in Switzerland for and on behalf of (or for the benefit of) a foreign state that, in Switzerland, would be acts reserved to a public authority are prohibited, unless expressly authorised by the federal government, to avoid circumvention of mutual judicial and administrative assistance procedures.
In this regard, the collection of evidence, even in civil law court proceedings, is considered an act reserved to state officials under Swiss law (as Switzerland has no concept equivalent to that of US pretrial discovery) and, therefore, is subject to the limitations of article 271 of the PC. As article 271 protects Swiss public authorities, it has no extraterritorial application.
Accordingly, article 271 does not come into play in circumstances where evidence is collected and reviewed outside Switzerland, including if interviews with Swiss employees are conducted abroad. Consent by the involved persons does not prevent the actions taken in Switzerland from being illegal, and acts prior to the initiation of court proceedings may sometimes be considered illegal.
As a rule, a party in foreign court proceedings may, with some limitations, submit its own documents to support its position in the foreign proceedings; however, it may not file documents compelled by a court order. Similar rules apply to third parties being called as witnesses. Third parties may only respond to general enquiries.
Regarding internal investigations conducted in Switzerland, article 271 of the PC may become an issue if the investigation is conducted with a view to later providing the work product or documents collected to foreign authorities or courts.
Articles 271 and 273 of the PC do not apply to the company in cases where information is provided through administrative or judicial assistance channels. In particular, in connection with foreign proceedings and investigations, the company should, to the extent possible, request foreign authorities and courts to seek information through administrative or judicial assistance.
Early preparation highly recommended
In light of the issues summarised in this article, a Swiss-domiciled company is well advised to prepare early for possible internal investigations. In summary, the following steps are strongly recommended:
- Allocation of competence: the company should establish whether the compliance, legal or risk departments are competent to analyse trigger incidents and determine who should lead an investigation.
- Allocation mechanism for investigation budget: the company must have a mechanism to allocate a budget quickly to the investigation team (costs of internal investigations can be considerable, especially if non-Swiss lawyers are involved).
- Employee training: ideally a company should build up certain competences (including training) in the relevant departments (typically compliance, legal or internal audit). As part of this training, standard proceedings and standard documents (eg, interview forms) can be prepared. Larger companies may consider obtaining forensic software and reviewing their document management systems in the context of their suitability for investigations.
- Employment contracts and regulations: these may be reviewed and adapted to permit the company to send employees on garden leave and to review their emails. The entity’s email policy will ideally state that the email account may not be used for private purposes.
- Regulation on email supervision: the company should issue a regulation on email supervision. Among the further documents that can be prepared are regulations concerning document retention and application for Sunday and night work for the project team.
The company should also consider establishing a whistle-blowing policy, which should provide a clear reaction mechanism and protect the whistle-blower.
Notes
[3] Federal Data Protection and Information Commissioner (FDPIC), www.edoeb.admin.ch (accessed 13 April 2023).