Cross-border Investigations in Mexico

In summary

Mexico is subject to various treaties and conventions that support investigations into anti-corruption and compliance matters, and companies that have operations in Mexico are subject to specific rules for their development. When conducting cross-border investigations, companies should emphasise the importance of attorney–client privilege, Upjohn warnings, the use of information technologies and communications with authorities in order to reduce risks that may affect the company.

Discussion points

  • Cross-border investigations cover more than a sole jurisdiction
  • Companies with multinational jurisdictions should comply with cultural, language and legal provisions
  • When performing investigations, the companies involved should consider the applicable regulations on data privacy
  • Companies shall try to minimise risks involved during conducting an investigations
  • External counsel is usually helpful to duly perform cross-border investigations

Referenced in this article

  • United Nations Convention against Corruption
  • Mexican Constitution
  • General Law on Administrative Liabilities
  • Federal Law on the Protection of Personal Data held by Individuals
  • Mexican Federal Administrative Court
  • Ministry of Public Affairs

Investigations are essential for a company’s well-being. No company is safe from wrongdoing by its board, directors, employees or contractors, if applicable. No matter how sophisticated the compliance programme of a company is, even if it helps to prevent unlawful or unethical behaviour from third parties, companies are always at risk. Companies must be ready to perform an investigation with the help of their in-house counsel and outside counsel if needed. We live in a cross-border world, where it is rare that a big company operates in a sole jurisdiction. Therefore, companies – particularly large companies – must consider that, when performing an investigation, more than one jurisdiction will likely be part of that investigation.

Businesses with international operations must overcome a unique set of challenges when dealing with compliance issues and cross-border investigations. Consequently, companies attempting to coordinate efforts across multiple jurisdictions may encounter cultural and language barriers and differing labour, privacy and legal compliance frameworks, among other hurdles.

Cross-border investigations are on the rise and multinational businesses must be prepared to confront these and other obstacles they may encounter. From the initial trigger of an investigation to the determination and implementation of remediation efforts, understanding the process can help avoid critical mistakes. For this reason we explain significant aspects that companies and law firms need to be aware of when conducting cross-border investigations that involve operations in Mexico.[1]

Main applicable regulations (international treaties) to conduct a cross-border investigation concerning alleged corrupt activities

Mexico is a party to multiple international treaties and conventions that address anti-corruption, including

  • the Inter-American Convention Against Corruption;
  • the Organisation for Economic Co-operation and Development Convention on Combating Bribery of Foreign Public Officials in International Business Transactions;
  • the United Nations Convention Against Corruption; and
  • the recent United States–Mexico–Canada Agreement.

Mexico has also included in its Constitution general principles applicable to the fight against corrupt activities at the national level. When carrying out a cross-border investigation, it is crucial to understand and consider the various aspects of the above international treaties and conventions to, among other things, ensure international cooperation between the relevant countries of the investigation, if needed. International cooperation allows cross-border investigations to carry out more effectively and efficiently.

Topics to consider during a cross-border investigation

A cross-border investigation may be a difficult task. Companies must consider that each jurisdiction has specific rules to follow, as well as different cultural views and language that may change from place to place. One of the most critical components of conducting a cross-border investigation is to build a team of professionals capable of understanding the nuances of every investigation. Typically, the best way to achieve this purpose is by gathering local counsel in each of the jurisdictions where the investigation takes place.

We explain some of the most sensitive matters of an investigation.

Start of a cross-border investigation

Compliance claims may involve parties or events from different jurisdictions that may trigger a cross-border investigation. Effective intake procedures should have a global outlook and consider cultural sensitivities, and an initial assessment of the facts, which may require an analysis of criminal, civil, privacy, labour and regulatory concerns in all jurisdictions involved.

As set forth above, the next step in undertaking a cross-border investigation is to consider whether the relevant company needs local counsel for support and advice specific to that jurisdiction. Under some circumstances, a well-structured in-house legal department may suffice. However, outside counsel or other external resources may be necessary depending on the scope of the investigation and the matters in question. Once a team of professionals has been assembled, strategies to address data privacy concerns, whistleblower protection, preservation of evidence and disclosure to local law enforcement and regulatory authorities, among others, can be devised.

When legally permitted, companies may inquire into related misconduct accusations in the review and assessment of personal data during an investigation process. How a company conducts itself at the initial stages can set the tone for the remainder of the investigation and minimise risks and liability for the company.

Scope of an interview (including Upjohn warning)

In some countries, employers do not need to provide written instructions before conducting an interview. However, if written instructions were to be handed out, these instructions should be consistent with the scope and purpose of the investigation.

Each country has specific rules to follow. However, as a general rule, it may be essential to inform the interviewee that the attorney who conducts the interviews represents the company and not the employee – this is called an Upjohn warning. When performing a cross-border investigation with a particular interest in unlawful behaviour that may affect a company with presence in the United States, an Upjohn warning is highly recommended, even though, under the specific applicable legislation, an Upjohn warning may not be necessary. However, it is customary to make that statement during the interviews. An employee may have an attorney present during the interview.

When conducting an interview, the interviewer should inform the employee that the answers provided during the interviews may be shared with third parties, if deemed necessary at the company’s discretion.

In workplaces where there is a union, employees may have the right to have a representative from the labour union (or any other representative bodies) to be present during the interview. Accordingly, we suggest that collective bargaining agreements are reviewed for any obligations applicable to unionised workers, if appropriate.

Before collecting personal data, under various regulations, employers must obtain a personal waiver from the employees. Employers should ensure that these waivers are signed for each employee who is expected to take part in the investigation or interviews.

In the specific case of Mexico, interviewers may share information obtained in the investigation to third parties. Nevertheless, the employee should consent to all information transfer to third parties, except for the following cases:

  1. to affiliates, subsidiaries, or controlling companies;
  2. for the public interest or for the administration of justice; or
  3. for the recognition, exercise or defence of rights in a judicial procedure, among others.

Depending on the circumstances, transfer to local or foreign authorities may be permissible under items (ii) or (iii), above.

During interviews, notes are typically taken and may be included in the form of minutes, which, when allowed, the employee must sign.

In general terms, there is no obligation for employees to support internal investigations. Generally, employees are expected to adhere to best practices in the workplace and inform management of any concerns that may negatively impact the business. To promote this culture of compliance, companies should have clear policies as part of employment contracts and other internal labour regulations that require employee support during investigations.

The cross-border investigation phase

Once the investigative phase begins, companies should implement a short-term action plan that ensures that any ongoing criminal or unlawful conduct is immediately stopped. The preservation of evidence or data should be a priority, especially where this is required under local law. As set forth below, an analysis of the availability of the attorney–client privilege across the jurisdictions involved should be undertaken to preserve and maximise any protections available to the entity subject to the investigation.

Privacy regulations tend to have several common elements, including requirements addressing notice, consent, processing of sensitive data, maintaining data integrity and retention. When conducting interviews, the interviewer should consider collecting evidence, reviewing private employee information and transferring data. Alerting management, investors and shareholders may also be required under local law. Moreover, providing timely notice to insurance carriers before, during, or after an investigation may be necessary to preserve coverage.

An understanding of local law is crucial throughout all phases of a cross-border investigation and the investigative stage is no exception. Failure to abide by the rules that govern these situations can lead to significant adverse consequences.

Scope of attorney–client privilege in Mexico

Effective intake procedures (including communications confidentiality) should have a global outlook and consider cultural sensitivities to conduct a cross-border investigation efficiently. Nonetheless, Mexico has no precise specific regulation applicable to the confidentiality of communications exchanged between clients and their attorneys during the process of obtaining legal advice. However, the Mexican Constitution does establish the protection of communication between attorneys and clients, mainly for criminal procedures. When starting a cross-border investigation, it is crucial to consider the following.

Each jurisdiction has specific rules. Therefore, in the case of Mexico, the applicable regulations establish that professionals (eg, attorneys) are required to maintain secrecy on matters that are entrusted to them by clients, with a few exceptions. Likewise, the applicable legislation establishes that testimony of professionals who must maintain confidentiality due to knowledge acquired as a result of their trade or profession is inadmissible in a court of law.

Under Mexican legislation, any professional who reveals secrets or confidential communications without just cause and the consent from the other party is subject to strict penalties. All employees must keep technical, commercial and manufacturing secrets directly or indirectly possessed by them as confidential, as well as any other secrets they may be know due to their work position or involvement in the processing of information. These provisions apply to all professionals working in Mexico.

Mexican federal courts have recently issued a series of legal precedents that reinforce professional secrecy. For example, there is a decision that establishes that professional secrecy refers to the right to privacy and that certain people or entities (ie, doctors, attorneys, financial institutions, accountants, priests, among others) may not disclose any of the information obtained as part of their professional activities without consent from the other party. In this regard, if an individual knows certain information as a result of their professional practice, they may not be forced to testify about it, unless the other party allows it.

In 2017, Mexico issued a decision establishing that, although attorney–client privilege is not expressly established in secondary legislation, it is guaranteed by the Mexican Constitution through the protection of the fundamental rights to

  • privacy;
  • present a defence;
  • secrecy of correspondence; and
  • practice a profession.

Mexican federal courts have also confirmed that all antitrust audit reports prepared by external counsel for their clients are protected by said privilege. Likewise, they have pointed out the relevance of making sure that the report is issued by external counsel and that the information contained in the report relates to the client’s right to a proper defence. However, this is a not binding precedent.

As a result, there is no specific regulation applicable to attorney–client privilege in Mexico. The current regulation applies to the relationship between professionals and their clients. Under Mexican law, companies are not considered as clients of in-house counsel. Therefore, all the information obtained from internal investigations is not protected under professional secrecy. Caution should be exercised when dealing with information obtained from cross-border investigations.

Data privacy matters (including use of IT servers)

Around the world, there is a broad range of approaches to data privacy matters. However, Mexican and some international privacy regulations may apply to personal data collected through the course of an investigation. Global companies and other organisations are now expected to implement various processes for processing personal data if a cross-border investigation takes place. While the details of the international data and Mexican regulations may significantly vary, they both have similar underlying provisions concerning IT servers. For example, Mexican privacy laws apply to an employee’s personal data even if said data is stored in IT servers located at any other foreign office or abroad.

On the other hand, companies are not compelled to notify data privacy authorities or their data protection officer when starting an internal investigation. Nevertheless, it is a good practice to inform the company’s officer about internal investigations to assure that compliance procedures are being met (eg, confirming if privacy notices have been delivered to employees) and that all data obtained from the investigation is correctly stored, retrieved and protected to prevent any loss or damage. When data is collected through interviews, the company’s interviewer or attorney must provide a privacy notice update before collecting said data unless it was delivered during or as part of the hiring process and the privacy waiver indicates that the employee’s personal data may be reviewed for investigation purposes.

Under Mexican law, business communications between employees are subject to be reviewed by the company without consent if said contacts are stored in corporate databases or company-owned devices. For any other kind of communication, permission is necessary. Private conversations, including emails, are protected under the Mexican Constitution and may only be reviewed if one of the participating parties provides consent or as permitted under the applicable regulations. Employee consent may be included in employment contracts, privacy notices or the company’s internal policies and consent notices should state that there is no reasonable expectation of privacy in corporate databases or corporate-owned devices.

As mentioned above, employers are required to provide a privacy notice update to collect personal data, personal information or communications from employees. Employers must secure the employees’ express consent when receiving:

  • financial records (eg, bank accounts);
  • sensitive personal data (eg, medical records or information about an employee’s religion); and
  • private communications or information (eg, text or instant messages).

If personal data or information is collected by an employer without consent, employers may incur liability, such as fines. According to the applicable law, all parties involved in the processing of personal data, such as an employer (data controller) or any data processor (eg, an external forensic team), must protect the confidentiality of personal data during the collection and review of the information that involves personal data.

There are non-binding court precedents in Mexico, which express that personal communications must be lawfully collected (ie, providing and obtaining the corresponding notices and consents).

If business databases contain personal data, the company must provide notice that said personal data might be stored and analysed for specific purposes (ie, investigation or statistics), among other reasons. A notification will not be required for undertaking a review of personal data contained in corporate files or databases that do not identify a specific individual.

Notices to authorities (local or foreigners)

Each jurisdiction has its own approach, as well as different cultural views, on whether or not to inform authorities about internal investigations. In the case of Mexico, it is unusual to notify prosecutors about internal investigations. However, if a past or ongoing crime is identified as a result of an investigation, the company must file a report with the relevant Public Prosecutor’s Office (PPO); if not, the company may be found liable of concealment.

If companies are found liable of concealment, the competent authorities will take into account voluntary reporting when determining the sanctions.

Companies should consider that they must promptly inform administrative authorities of any internal regulatory breaches to obtain all available benefits for self-reporting. Companies listed in the stock exchange may report the banking authority about any investigation in terms of the applicable legislation.

The Mexican Constitution forbids authorities on disturbing any person and their domicile, papers or possessions without a prior written order clearly stating the legal grounds and reasoning for the disturbance. The competent authority must issue this document.

If the PPO has reason to believe that there is information that may be relevant to an investigation and requires the inspection of private property or possessions, the PPO must first request a search warrant from a control judge. The search warrant must contain at least the:

  • name and position of the control judge;
  • place to be inspected, the items to be sought or the individuals to be arrested;
  • purpose of the inspection;
  • date and time the inspection will take place; and
  • names of the authorised public officials that will carry out the inspection.

Mexican administrative authorities may carry out verification visits to confirm compliance with the applicable law. Similarly, the relevant legislation authorises competition authorities to conduct raids at the premises of companies for searches related to ongoing investigations. The investigative authority (without judicial intervention) must issue an inspection order that contains the:

  • purpose, scope and duration of the dawn raid;
  • name and address of the individual or companies to be inspected;
  • name of the public officers that shall carry out the dawn raid; and
  • enforcement measures that shall be imposed during the inspection.

Of course, at the appropriate time, professionals who are in charge of the investigation should analyse if authorities may conduct raids at the company’s premises for searches related to ongoing investigations.

If financial entities believe that their employees or clients are involved in criminal activity, according to Mexican regulations, the entity must submit a report to the authorities requesting the commencement of an investigation of the suspicious activity. If a company suffers from a security breach on data privacy (eg, money laundering), an internal investigation will take place to be able to identify the origin and causes, as well as the implementation of actions to improve its security measures. The company also has to inform the data subjects of any breaches to databases containing financial or sensitive personal data. Therefore, caution should be exercised when carrying out cross-border investigations.

End of the investigation

Once the relevant company’s employees or attorneys complete the fact-finding stage of a cross-border investigation, a company will likely need to create a long term action plan that includes remediation. The next steps may also include, but are not limited to, sanctioning employees, addressing oversight weaknesses, evaluating internal investigation protocols, and updating company records. The company must strictly observe deadlines to avoid losing the right to impose disciplinary actions.

After completing the investigative phase, companies, with the assistance of attorneys, should decide whether a detailed investigation report should be prepared or not. This is linked to the question of privilege, as set forth above.

Companies may undertake recovery efforts as the last step. Once the parties liable for misconduct have been identified and disciplined, sanctioned, or prosecuted, an opportunity to recover some of the company’s losses may become available under some circumstances.

Investigative powers by agencies and possible penalties in case of breach of anti-corruption regulations in Mexico

If a company becomes aware that a crime was committed and did not inform criminal authorities, the company may be prosecuted for concealment of a criminal offence, as this implies that the company covered up the criminal acts of the responsible parties or hid the effects of illegal activity. As a result, the company may be penalised with a fine, confiscation of goods acquired from the criminal conduct, the publication of the judgment and dissolution of the company. If a company violates the obligation to inform employee representative bodies about internal investigations, non-compliance could lead to conflicts with the union.

To be able to determine a company’s liability, the applicable legislation establishes that in some cases, including bribery and influence peddling and collusion, the competent authority will take into account the existence of a compliance policy on the mitigation of sanctions. This compliance policy shall at least include an internal control system and periodic audit procedures.

According to the applicable legislation, companies are liable for the misconduct of others when the individuals committed the activity and acted on behalf, or in the representation of the company, to obtain an illegal benefit for said entity.

Companies liable for the criminal activity of others are subject to:

  • fines up to double the amount of any financial benefits obtained from the illegal conduct and, if no financial benefit was obtained, of up to approximately US$6 million;
  • disbarment from bidding for public contracts for up to 10 years;
  • suspension of business activities from three months up to three years;
  • dissolution of the company; and
  • compensation for damages caused to the government.

Additionally, companies may be held criminally liable for crimes committed by their representatives, managers, partners or employees when the violation was carried out:

  • on behalf or in benefit of the company;
  • through means provided by the company; and
  • the criminal authority determines that the company was neglectful in supervising the unlawful conduct.

The company’s criminal liability is assessed separately from that of the party who committed the crime.

If the criminal conduct involved bribery, fines imposed may be up to US$4,000 and may also result in the suspension of activities or dissolution of the company. If the criminal conduct involves money laundering, fines imposed may be up to US$20,000. They may also include suspension of activities, dissolution of the company and disbarment from participation in public procurement. These sanctions may increase when committed by a counsel, administrator, officer, employee, attorney or service provider. Companies that have knowledge of any administrative liabilities and voluntarily report or cooperate during the investigation may be subject to a reduction of penalty from the authorities.

Individual directors, officers or employees may be subject to disciplinary measures for the misconduct of others if those individuals authorised or instructed another employee to conduct illegal activities, including money laundering or bribery activities.


Cross-border investigations are complex endeavours that cover a web of interrelated legal areas. Many issues and concerns may arise at different stages of a cross-border investigation, and resolving them quickly and effectively is key to a successful resolution. Of course, companies are not required to know all the answers from the onset. At the very least, it is essential to understand that merely tweaking or retooling a company’s internal investigation process for a cross-border investigation is likely not appropriate or sufficient to achieve a complete, successful result.

Minimising risks in a cross-border investigation requires a purposeful, targeted approach that takes into account the fundamental cultural, legal and business differences of each local jurisdiction.


[1] This article is not intended to provide legal advice nor should it replace the advice of counsel.

Unlock unlimited access to all Global Investigations Review content