Forensic techniques to investigate emerging trends

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight


In summary

This article explores cryptocurrencies and environmental, social and governance (ESG) matters in the context of fraud and compliance investigations. FRA considers the pertinent aspects of the evolving regulatory landscape and discusses specific nuances, considerations and investigative tools practitioners should consider when conducting investigations in these areas, including examples of how they can be applied.


Discussion points

  • Regulatory guidance and enforcement trends in cryptocurrencies
  • Cryptocurrency investigation considerations and the power of leveraging blockchain intelligence tools in combination with traditional investigative techniques
  • Regulatory guidance and enforcement trends in ESG-related fraud and compliance investigations by the DOJ, the SEC and the US Customs and Border Protection (CBP) as well as European legislation updates
  • ESG investigation considerations and the increased reputational risk to companies that are held out to be acting irresponsibly

Referenced in this article

  • Foreign Corrupt Practices Act
  • SEC lawsuits against Binance and Coinbase
  • Bank Secrecy Act
  • Cryptocurrency Enforcement Framework
  • Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments
  • Uyghur Forced Labor Prevention Act
  • CBP’s Green Trade Strategy

Introduction

The ever-changing economic, commercial and regulatory landscape, along with emerging technologies, has led to an increase in the sophistication and complexity of fraud schemes.[1] It is essential for investigations practitioners to remain abreast of these evolving trends and understand how to apply existing and new investigative techniques and technology solutions when issues arise. Within the Americas, the United States continues to set new precedents in regulatory investigations and enforcement actions. In addition to historical priority areas of enforcement such as the Foreign Corrupt Practices Act (FCPA), regulatory agencies across the Americas – including the DOJ and the SEC – have indicated that they will focus investigative efforts and resources on misconduct in the emerging areas of cryptocurrencies and ESG, and sanctions violations. The DOJ announced in March 2023 significant updates to its corporate compliance programme guidance, enforcement policies and commitment of enforcement resources,[2] indicating the DOJ’s intent to hold corporates to a higher standard.

In this article, we explore cryptocurrencies and ESG in the context of fraud and compliance investigations. While not intended to be a fulsome discussion of current regulations, we briefly touch upon pertinent aspects of the evolving regulatory framework in the Americas that investigators should be aware of. We then discuss specific nuances, considerations and investigative tools that practitioners should consider when conducting investigations in these areas, including examples of how they have been applied in recent investigations.

Cryptocurrencies

Cryptocurrencies are becoming accepted as more mainstream forms of investment and finance and are attracting more attention from regulatory and law enforcement bodies. These digital assets allow for faster fund transfers across the globe and provide increased transaction transparency. The exponential growth in the use of cryptocurrencies has even led several countries to formally accept them as legitimate forms of payment. In October 2021, El Salvador became the first of many countries to adopt the cryptocurrency, Bitcoin, as legal tender,[3] followed by the Central African Republic in April 2022.[4] However, price volatilities and nascent regulatory oversight have allowed bad actors to take advantage of the investing public by leveraging cryptocurrencies as conduits for fraudulent activities. We are now seeing a wide range of schemes perpetrated through the use of cryptocurrencies, including traditional frauds and newer types of cryptocurrency-specific fraud, such as smart contract exploits[5] and rug pull scams.[6] According to a 2023 report, funds sent to illicit addresses reached US$18billion in 2022, up from US$14 billion in 2021.[7]

Regulatory guidance and enforcement trends in cryptocurrencies

Due to the decentralised nature and complexity of cryptocurrencies, regulators have been slow to provide guidance and enact specific frameworks for regulation. In recent years, the US government was still developing its stance on cryptocurrency regulation. However, in April 2023 Gensler, SEC Chairman, posted a video on Twitter where he stated that crypto-markets suffered from a lack of regulatory compliance, not regulatory clarity.[8] Shortly thereafter, in June 2023, the SEC filed lawsuits against Binance and Coinbase for operating unregulated securities exchanges. Given this changing landscape, several US regulatory agencies are now actively focused on cryptocurrencies, and the DOJ, the SEC, the OFAC and the Financial Crimes Enforcement Network (FinCEN) appear to be taking the global lead on investigations and enforcement. We highlight below recent guidance from these regulators most pertinent for investigative professionals to consider in investigations.

DOJ

The Cryptocurrency Enforcement Framework the DOJ released in October 2020 continues to be utilised for cryptocurrency-related matters. In February 2022, the DOJ further expanded its cryptocurrency investigative resources and appointed Eun Young Choi as the first director of the newly formed National Cryptocurrency Enforcement Team (NCET), with the mission of tackling complex investigations and prosecuting criminal misuses of cryptocurrency.[9] In May 2023, Choi stated that the DOJ is targeting cryptocurrency exchanges that allow criminal actors to easily profit from their crimes and cash out. Choi further added that the department’s focus is on businesses that sidestep anti-money laundering (AML) or know-your-customer (KYC) rules or do not otherwise do not have thorough compliance or risk-mitigation procedures.[10]

Since Choi’s appointment, the DOJ has executed several high-profile cryptocurrency related seizures and arrests, including the April 2023 seizure of US$112 million linked to pig-butchering scams, the March 2023 takedown of Darknet cryptocurrency mixer ChipMixer[11] and the November 2021 seizure of US$3.36 billion connected to Silk Road dark web fraud.[12],[13]

SEC

In May 2022, the SEC announced that it was nearly doubling the size of its Crypto Assets and Cyber Unit to better equip the SEC to police wrongdoing in the crypto-market and ensure investor protection.[14]

Most notably, in June 2023, the SEC filed lawsuits against Binance[15] and Coinbase,[16] the two biggest cryptocurrency exchanges in the world, for operating unregistered security exchanges. In the lawsuits against the two exchanges, the SEC also named specific tokens sold on the exchanges it considers to be securities. The lawsuit against Binance alleged that Binance misrepresented in public filings its level of oversight and trading controls of Binance US, the separate platform Binance created for US based customers. The outcomes of these two cases will have significant implications for the US crypto-market, especially if they result in the SEC issuing formal guidance on whether the SEC considers cryptoassets to be securities.

OFAC

In 2020, ransomware payments reached over a staggering US$400 million, more than four times 2019 levels. In September 2021, OFAC designated as a sanctioned entity SUEX OTC, SRO, a Russian-based cryptocurrency exchange, for facilitating transactions involving illicit proceeds from multiple ransomware variants.[17]

In its Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, OFAC advised that it may impose civil penalties for sanctions violations if a U.S. person or persons paid an OFAC sanctioned entity in a ransomware payment[18]. Further, this would be based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if such a person did not know or have reason to know that it was engaging an entity in a transaction that was prohibited under sanctions laws and regulations administered by OFAC.

Additionally, OFAC has used its authorities to sanction cryptocurrency mixers. A cryptocurrency mixer, also referred to as a tumbler, is a service that blends the cryptocurrencies of many users to obfuscate the source of the funds. In May 2022, OFAC announced its first ever sanctions on a virtual currency mixer, Blender.io, which the Democratic People’s Republic of Korea (DPRK) used to launder stolen virtual currency.[19] Following that announcement, in August 2022, OFAC sanctioned the virtual currency mixer Tornado Cash, which was used to launder more than US$7 billion worth of virtual currency since its creation in 2019. Tornado Cash laundered over US$455 million stolen by the DPRK state-sponsored Lazarus Group.[20]

OFAC’s sanctioning of Tornado Cash was significant as it was the first time a decentralised, non-custodial smart contract – code that is managed by a decentralised autonomous organisation (DAO) and functions automatically without human intervention – was targeted for sanctions.[21]

FinCEN

According to FinCEN, users who obtain cryptocurrency to purchase goods or services are not generally considered money transmitters subject to FinCEN’s authority. However, issuers, redeemers and exchangers of cryptocurrency fall within the realm of FinCEN’s regulatory authority, requiring them to adhere to applicable AML and KYC statutes.

In October 2022, FinCEN announced a US$29 million enforcement action against the cryptocurrency exchange Bittrex for violations of the Bank Secrecy Act (BSA). FinCEN stated that its investigation found that from February 2014 to December 2018, Bittrex failed to maintain an effective AML programme and address the risks associated with their offered products and services, to include anonymity enhanced cryptocurrencies or ‘privacy coins’.[22]

Cryptocurrency investigation considerations

While regulators continue to develop cryptocurrency-specific regulations, the enforcement actions to date make a clear statement that US government agencies will use its enforcement authorities, particularly pertaining to AML, on the cryptocurrency industry. That being said, the practice of using datasets to determine the ultimate source or destination of funds should be familiar to practitioners and is still the ultimate goal in most investigations.

In this section we explore nuances that practitioners should consider in cryptocurrency investigations and the power of utilising blockchain analysis tools in concert with traditional investigative techniques.

Planning for the investigation

There are several considerations that investigative teams should evaluate carefully during the planning and scoping phases of a cryptocurrency investigation. Investigative teams need to consider the varying levels of regulations, across jurisdictions, that may be applicable. For example, if a practitioner is investigating suspicious transactions that have occurred within a virtual asset service provider (VASP) as defined within US regulations, the practitioner should consult the BSA as the updated guidance indicates that VASPs are considered money transmitters and are, therefore, subject to compliance with AML requirements under the BSA. To that end, determining what fiat currencies were involved in an investigation can also help investigators determine what regulations may apply.

As cryptocurrency investigations involve analysing the flow of funds on one or multiple blockchains, the investigation team should determine any required involvement of subject matter experts. These investigations should be staffed with experts who are well versed in the elements that make up a cryptocurrency transaction, including cryptocurrency addresses, wallets, exchanges and analysing data on the blockchain.

Investigative teams also need to determine what kinds of virtual assets are involved in the investigation, as there are significant differences in the way one follows the flow of funds in an unspent transaction output-based blockchain such as Bitcoin versus an account-based blockchain such as Ethereum (ETH). While having investigators trained in Bitcoin asset tracing is a good baseline, cryptocurrency investigations increasingly involve ETH, ERC-20 tokens[23] and ERC-721 tokens[24] (non-fungible tokens (NFTs)) assets. If these types of tokens are involved, investigative teams should employ individuals trained in tracing these types of assets.

Identifying information relevant to the investigation

For cryptocurrency-related investigations, data collection and analysis will be a major component of the overall investigative procedures, with the core data points being the applicable cryptocurrency blockchains. Although anyone can trace specific transactions on the blockchain, additional data is required to identify the details of real-world actors associated with cryptocurrency addresses identified on the blockchain. Information such as emails, text messages and other structured or unstructured data stored on devices could potentially help identify the owners of cryptocurrency wallet addresses or provide information on wallet private keys or passwords associated with the addresses.

There are also identity and access management data points to consider, such as knowledge of private keys, code update permissions or access to company-controlled cryptocurrency accounts. These are key facts for investigators to consider if a party claims that they could not have authorised a transfer of funds or if an account with elevated privileges was accessed without authorisation.

Investigative procedures

Cryptocurrency investigations often involve tracing assets to identify the ultimate source or destination of funds and what parties were involved. Instead of traditionally tracing funds through the general ledger and corresponding bank statements to investigate a crime committed using fiat currency, practitioners will investigate the flow of funds by analysing activity recorded on the blockchain.

Complications can arise when cryptocurrencies maintained on different blockchains are used to facilitate the illicit activity. If multiple cryptocurrencies were used at any point in the payment process, it will likely be necessary to perform tracing across blockchains. To this end, investigators need to be aware of cryptocurrency-swapping services and cross-chain bridges. While these services are not nefarious themselves, actors seeking to obfuscate the true source or destination of their funds can utilise these swapping services for illicit purposes.

In these complex situations, blockchain analytics tools streamline the review as they collate copious amounts of blockchain data, across multiple blockchains, and provide innovative data visualisations that allow for methodical asset tracing and effective reporting of findings. By utilising blockchain analytics tools in tandem with the information collected in the data collection phase to identify owners of cryptocurrency addresses, practitioners will be able to capture and analyse blockchain and cross-chain cryptocurrency transactions in a more tactical manner.

While cryptocurrency schemes are typically complex, we present below two simplified case studies featuring fictitious companies to demonstrate how practitioners could combine cryptocurrency tracing with traditional investigative techniques to create a statement of facts from multiple datasets.

  • Company ABC (ABC) was hit by ransomware, resulting in the encryption of its entire network. The ransomware actors have provided ABC with a bitcoin wallet to send US$1 million to receive the decryption keys. After consultation with in-house counsel, ABC is considering paying the ransom. Open-source lookups of the ransomware variant revealed that the variant potentially has ties to the DPRK. Given the recent OFAC advisory on making ransom payments to sanctioned entities, ABC wants to conduct due diligence to ensure it is not paying a sanctioned wallet address. ABC first compares the wallet address provided by the ransomware actors with the bitcoin wallet addresses in OFAC’s specially designated nationals and blocked persons (SDN) list and does not find a match. Knowing that it is trivial for a ransomware actor to generate a new wallet address, ABC conducts blockchain analysis to determine whether the wallet address the ransomware actors provided has direct or indirect sending or receiving exposure to any cryptocurrency wallet addresses on the SDN list. By analysing the blockchain, ABC determined that the wallet address provided by the ransomware actors was part of a co-spending transaction[25] with a wallet address on the SDN list, and thus it was reasonably likely that wallet address was controlled by a sanctioned entity.
  • Law firm XYZ (XYZ) is investigating allegations that the CEO of BadCryptoExchange embezzled customer deposits. In the data-gathering phase of the investigation, XYZ examines the contents of the CEO’s email account and learns that the CEO has an account at a US-based cryptocurrency exchange. XYZ also gathers identifiers for the BadCryptoExchange’s hot and cold wallets. XYZ, through the legal authority of a subpoena, acquires records for the CEO’s account at the cryptocurrency exchange. Analysis of those records reveal identifiers for the CEO’s personal cryptocurrency wallet addresses as well as their fiat currency bank account. XYZ then used blockchain analysis tools to analyse the outbound transactions from BadCryptoExhchange’s hot and cold wallets and identifies that funds from a BadCryptoExhchange hot wallet were sent to several intermediary wallets and then deposited into one of the CEO’s personal cryptocurrency wallet addresses. XYZ then goes back to the subpoena results from the US-based crypto-exchange and identifies the inbound transaction from the intermediary wallet address to the CEO’s wallet address. By using blockchain analysis, XYZ has now established that customer deposits from BadCryptoExhange were transferred to the CEO’s personal cryptocurrency wallet. Further examination of the subpoena results from the US-based cryptocurrency exchange revealed that shortly after the CEO received the cryptocurrency from the intermediary wallet, the CEO then sold or cashed out their cryptocurrency and transferred the resulting US dollars to their fiat currency bank account. XYZ then serves a subpoena to the CEO’s bank to continue following the flow of funds. Analysis of the CEO’s bank records shows reveals a deposit of US dollars from the US-based cryptocurrency exchange. Furthermore, shortly after the deposit, the bank records show purchases for luxury goods and services. As a result of this analysis, XYZ has identified a flow of funds from the BadCryptoExchange hot wallets to the CEO’s personal bank account and personal usage.

ESG

ESG continues to be a topic of focus as investors, consumers, employees and activists place pressure on companies and individuals to meet growing expectations to demonstrate good corporate citizenship. Regulators worldwide have responded, placing more scrutiny and higher expectations of transparency on how companies govern these topics. As regulators enforce more ESG matters, companies may feel more incentivised to subvert regulations and investor expectations by committing fraudulent acts, delivering false, inaccurate or manipulating and misleading disclosures in ESG-related data (eg, ‘greenwashing’ information related to emissions, supply chain or activities-related sustainability).

Today, with more intensified moves to make ESG part of regulatory requirements, the expectations for companies to make ESG transparent is heightened. In 2023, at least 49 anti-ESG bills have been introduced in the United States, painting ESG ideas as detracting from financial returns and unnecessarily restrictive to corporates.[26] Some companies have raised concerns for increased efforts required, such as reporting requirements, becoming more burdensome, leading some to take a drastic approach to understate, or even hide, their sustainability efforts, caused by fear of possible public backlash for being inadequate, which is known as ‘green hushing’.

Regulatory guidance and enforcement trends in ESG

With the global prevalence of ESG issues and the broad scope across an entity’s operations (eg, engineering, manufacturing, finance and marketing), multiple regulators have jurisdiction over various aspects of ESG.

The CBP has already been active in governing the sourcing and importing practices of companies operating in the United States. Certain key US regulators, including the DOJ and the SEC, have committed resources and are in the process of issuing meaningful ESG guidance, likely for adoption in 2024. We highlight below recent enforcement activity of these regulators and key elements of the current (and expected) guidance that are most pertinent for investigative professionals to consider in fraud and compliance investigations.

DOJ

In May 2022, the DOJ announced a series of actions to advance environmental justice and strengthen the DOJ’s commitment to ensuring equal justice, including a launch of its first-ever Office of Environmental Justice (OEJ) within the Environment and Natural Resources Division. The OEJ’s first year has been marked with mission-driven enforcement aligned with its purpose of ‘protecting underserved communities from harm caused by environmental crimes, pollutions and climate change’.[27] This includes two recent matters, including settlement of an environmental justice and civil rights investigation in Houston for illegal dumping in Black and Latino neighborhoods, leading to contaminated groundwater and soil. Outside of the OEJ, the DOJ’s scope continues to include enforcement of US EPA policies, such as the Clean Air Act and Clean Water Act, and related state-level laws.

In addition, the DOJ announced on 11 May 2023 its launch of an Environmental Crimes Task Force in Puerto Rico and the US Virgin Islands in a multi-agency effort to investigate and enforce violations of laws and related waste fraud and abuse harming the environment, wildlife and human health in these jurisdictions.[28]

While not explicit to ESG, certain aspects of the Deputy Attorney General’s, Lisa O Monaco’s 2022 Memo[29] emphasise familiar topics, such as the favourable emphasis on voluntary self-disclosure and expectations that a company’s compliance programme should be considered in companies’ methodical investigation of ESG-related allegations.

SEC

The SEC’s mission is to protect investors, which has led to the SEC prioritising ESG within its agenda given heightened investor interest.[30] Recent SEC actions include establishing its Climate and ESG Task Force in the Division of Enforcement, mandated with identifying material gaps or misstatements in issuers’ climate risk disclosures in annual financial reporting under existing rules. In March 2022, the SEC proposed its climate disclosure requirements rule designed to improve and bring consistency to the climate-related disclosures of public companies. After an extended comment period, finalisation is now expected in 2023. If the SEC’s proposal is approved, public companies will need to act quickly to implement measures to meet greenhouse gas emission disclosure requirements by the fiscal year ending 2023 or 2024.[31]

The SEC remains active in issuing enforcement actions. Notably, in September 2022, the SEC charged mining company Compass Minerals International, Inc (Compass) for publicly misleading investors about costs at one of its mines in Canada. Separately, Compass failed to assess the financial risks of mercury contamination in Brazil, as required, to determine whether it must disclose the uncertainties to investors. It subsequently covered up the conduct in reports to Brazilian authorities.[32] Compass agreed to pay US$12 million to settle with the SEC.[33],[34]

In another notable development, the SEC charged Goldman Sachs Asset Management, LP (GSAM), in November 2022 for failure to have written policies and procedures governing ESG research investment products between April 2017 and June 2018. After establishing policies and procedures, GSAM then failed to follow them consistently prior to February 2020. During this period, the SEC indicated GSAM misled third parties by sharing the policies and procedures and indicating it was following them.[35] GSAM agreed to pay US$4 million to settle the charges.[36]

CBP

In December 2021, the United States enacted the Uyghur Forced Labor Prevention Act (UFLPA), introducing additional rules around imports into the US as part of a policy to ensure that goods made with forced labour in the Xinjiang Uyghur Autonomous Region (XUAR or Xinjiang) of China do not enter the US market. The UFLPA stipulates that unless importers can present clear and convincing evidence that goods, wares, articles and merchandise mined, produced or manufactured in China’s XUAR are free from forced labour, entities are prohibited from importing these products into the United States.[37] The CBP published operational guidance on 13 June 2022,[38] and this rebuttable presumption came in to effect on 21 June 2022.[39] This law impacts the second-largest cotton producer in the world along with any parties conducting business with China, sending a clear message that US regulators and enforcement agencies are taking a strict stance against the use of forced labour.

In December 2022, the US Senate Finance Committee enquired with eight major automakers about whether their supply chain of raw materials from China might be linked to forced labour in Xinjiang.[40] The Committee probed whether these automakers perform their own supply chain mapping and analysis to determine linkage of the raw materials to Xinjiang, XUAR government’s poverty alleviation or the ‘pairing-assistance’ programme outside of Xinjiang, including by way of manufacturers in third countries such as Mexico and Canada. In March 2023, after the major automakers did not provide sufficient answers to the Committee’s December 2022 inquiry, the Committee further questioned these eight manufacturers and expanded the supply chain inquiry to five Tier 1 auto parts suppliers.[41]

In June 2022, the CBP issued its Green Trade Strategy in recognition of the connection between climate change and international trade. The Green Trade Strategy ‘establishes a proactive model to combat the negative impacts of climate change on the agency’s trade mission while strengthening existing enforcement activities against environmental trade crimes, including illegal logging; wildlife trafficking; illegal, unreported, and unregulated fishing; and illegal mining’.[42] While CBP does not appear to be pursuing new rule-making directly related to the Green Trade Strategy, CBP has stated it will collaborate with other government agencies to enforce existing environmental provisions, laws and regulations that prevent importation and affect seizures of goods related to environmental crimes.[43]

European legislation

Recently, European regulators have made significant strides in their legislation. The Corporate Sustainability Reporting Directive (CSRD) by the European Parliament and the Council of the European Union, which came into effect in January 2023, requires companies to provide investors and stakeholders with access to information related to investment risks that stem from sustainability, such as climate change. Approximately 50,000 companies will now be required to report on sustainability for the year ending 2024, and to issue reports in 2025 in accordance with European Sustainability Reporting Standards (ESRS) developed by the European Financial Reporting Advisory Group.[44] EU approval of the current draft ESRS is expected in 2023 with disclosure requirements in 2024, making this a priority for companies with European operations to be prepared to comply with the CSRD reporting requirements.

ESG investigation considerations

Practitioners investigating potential ESG-related violations will need to be acutely aware of their company’s ESG risks and controls within the supply chain –particularly considering the increased reputational risk accompanying perceived indifference or recklessness in the court of public opinion. While practitioners will still rely on many standard investigation techniques, they should expect to supplement those with more nuanced approaches that will aid in navigating the new complexities that they may encounter in ESG investigations, as we explore in this section.

Planning for the investigation

When investigating ESG matters, practitioners should take additional care during the planning and scoping phases. Particularly with the evolving regulatory landscape this year, investigators should actively engage with subject-matter experts to understand applicable regulations, jurisdictions, compliance requirements and expectations of the various regulators. These individuals can be instrumental in supporting the investigation by, for example, designing nuanced testing procedures, interpreting complex regulatory requirements in different jurisdictions and evaluating highly technical manuals and procedures.

In 2015, the DOJ, the Environmental Protection Agency (EPA) and the CBP charged Volkswagen AG for lying and misleading the EPA and US customers by manipulating the diesel vehicles’ nitrogen oxide emission levels during regulatory testing to meet emissions standards, also known as ‘Dieselgate’.[45] Multiple companies have since been implicated in the Dieselgate scandal. In such an investigation, practitioners may consider employing regulatory experts specialising in the Clean Air Act, automotive engineers with a background in vehicle programming and automotive safety experts with knowledge of regulatory testing processes and requirements.

Identifying information relevant to an investigation

In an ESG investigation, the nature of the allegations may necessitate reviewing information beyond the traditional data sources relevant to many investigations (eg, financial records and general ledger data). Companies may develop home-grown systems to adapt to new needs for data in areas beyond those that have traditionally been tracked, analysed, reported on and audited. For example, this may include centrally tracking contractual requirements pertaining to business partners’ Scope 3 greenhouse gas emissions. Further, companies may not track certain data points and data may not even be accessible without involving third parties. Data analytics experts, with the ability to understand the back-end database design of non-standard systems, will be essential in assessing what data exists and extracting the relevant data to prepare for the analysis.

In the Dieselgate case, data sets of testing results from multiple vehicle models, along with data gathered from vehicles while in operation, would be critical. If automotive manufacturers performed this type of testing internally, these data sets would likely reside in a system within their emission testing or inspection facility. The data may require scrubbing, formatting and organising to a standard and optimised format before practitioners could use it for analysis. It would also be important to obtain the source code from the software, along with any audit logs and approval records for changes to the code.

We have included two additional examples of the types of data relevant to certain ESG allegations, along with the related challenges that the practitioners may need to address.

  • Human rights and labour practices abuses, or around the use of unsustainably sourced ingredients: the scope likely requires delving into a company’s complex global supply chain. Practitioners may encounter limitations in the data they can reasonably gain access to given the likelihood that multiple third parties, whose data the company has no control over, form part of this chain. Targeted analysis of unstructured datasets may turn up documents (eg, emails, attachments to emails such as invoices or shipping documents, and meeting invitations), or even structured data extracts (supplier transaction extracts, raw material pricing data, etc) can provide insight and fill gaps where information is not forthcoming from third parties.
  • Greenwashing related to investments: relevant sources will include information about the fund’s ESG rating or scorecard, the basis upon which the determination of its ESG rating was made, and the conditions that had to be met to achieve classification as an ESG fund. Further, fund prospectuses should be identified to consider whether statements made have been misstated or could potentially mislead investors.

Investigative procedures

ESG investigations necessarily require a variety of investigative techniques and procedures, given the potential breadth of scope. Investigation teams will need to take a creative approach to crafting procedures for testing and analysis, considering how to leverage available data that is not historically monitored and gathered or tested for investigative purposes. Variable factors such as the size of the data and the scope of the matter can influence the analysis and sampling techniques employed. As referenced earlier in the article, it may be helpful to seek assistance from skilled data analytics specialists in collecting and organising data for practitioners to review.

The following examples of allegation-specific procedures illustrate additional types of techniques that practitioners could employ in an ESG investigation:

  • discrimination and police brutality: analysing metrics around the number of traffic stops involving persons of colour, and the outcome of those stops, compared with the overall statistics for the police department’s traffic stops;
  • greenwashing related to investments: tracing statements made in marketing and investment materials back to working papers, analysis and raw data to assess whether environmental impact disclosures made to potential investors are appropriate and reasonable based on source information;
  • falsified emissions reporting: utilising software engineers and developers to analyse audit logs of software programming changes and to ascertain whether there are corresponding approved change orders; and
  • supply chain investigation: leveraging due diligence records with sophisticated supply chain traceability technologies to scientifically identify the source of materials included in a finished good or to assess whether the raw materials originated from a region where human rights violations (eg, child or slave labour) are known to be commonplace.

Conclusion

As cryptocurrencies and ESG continue to be top of mind for investors and regulators alike, bad actors will continue to look for opportunities and incentives to defraud and deceive stakeholders. Multiple regulators in the Americas identify these areas as priorities and practitioners should remain aware of the trends and regulatory developments. As we have described in this article, many of the necessary techniques will be familiar to experienced practitioners, although often requiring a slight nuance or incorporation of different technologies to adapt to the nature of the allegations subject to investigation.


Notes

[5] Smart contract exploits occur when a hacker exploits, or takes advantage of, a flaw in the smart contract to steal cryptocurrency assets. This is most commonly seen in decentralized finance (DeFi) protocols, which are explained in more detail in the following pages.

[6] A rug pull scam occurs when the creator of a token or non-fungible token (NFT) attracts investors with false claims about their token, namely that it will rapidly rise in value. The scammers then liquidate their holdings (pulling the rug) without warning investors, leaving them with a worthless investment. This is also commonly referred to as an exit scam.

[26] ‘ESG backlash in the US: what implications for corporations and investors?’ Financial Times, https://www.ft.com/content/3f064321-138c-4c65-bbb9-6abcc92adead.

[27] Office of Environmental Justice (https://www.justice.gov/oej).

[28] Justice Department Announces Launch of Puerto Rico and U.S. Virgin Islands Environmental Crimes Task Force, OPA, Department of Justice (https://www.justice.gov/opa/pr/justice-department-announces-launch-puerto-rico-and-us-virgin-islands-environmental-crimes).

[29] Deputy Attorney General Lisa O Monaco’s speech on 15 September 2022 announced updates to DOJ policies on investigating and prosecuting corporate crime and, in parallel, published an accompanying memo detailing the policy changes. Further Revisions to Corporate Criminal Enforcement Policies, 15 September 2022, https://www.justice.gov/opa/speech/file/1535301/download.

[31] The proposed disclosure requirements employ a phased-in approach depending on the registrant types to accommodate the newly proposed regulations: the current proposed timeline will require the filers to provide greenhouse gas (GHG) emission disclosures as of the fiscal year ending 2023 for large accelerated filers (for Scope 1 and Scope 2). Large accelerated filers will also need to disclose Scope 3 GHG emissions as of the fiscal year ending 2024 and in the same year, attestation on Scope 1 and Scope 2 GHG emission disclosure will require limited assurance; they will have two more years to obtain reasonable assurance (ie, 2026). Accelerated and non-accelerated filers will have an additional year whereby they will need to provide GHG emissions for Scope 1 and Scope 2 by the fiscal year ending 2024, and Scope 3 disclosure by the fiscal year ending 2025. https://www.sec.gov/rules/proposed/2022/33-11042.pdf.

[32] SEC.gov, SEC Charges Compass Minerals for Misleading Investors about Its Operations at World’s Largest Underground Salt Mine (https://www.sec.gov/news/press-release/2022-171).

[35] By designating certain investment products as ESG, investment advisers must establish reasonable policies and procedures to govern how it will evaluate ESG factors during the investment process – and then follow the procedures.

[36] SEC.gov, SEC Charges Goldman Sachs Asset Management for Failing to Follow its Policies and Procedures Involving ESG Investments.

[38] Uyghur Forced Labor Prevention Act: U.S. Customs and Border Protection Operational Guidance for Importers, dated 13 June 2022, https://www.cbp.gov/sites/default/files/assets/documents/2022-Jun/CBP_Guidance_for_Importers_for_UFLPA_13_June_2022.pdf.

[39] This is particularly a significant development for business entities that are importing high-risk commodities from China, such as cotton, polysilicon and tomatoes because, according to recently published CBP Operational Guidance, they are ‘presumed to be made with forced labor and are prohibited from entry’ into the US and this presumption applies to goods that are ‘made in, or shipped through [China] and other countries that include inputs made in Xinjiang’.

Unlock unlimited access to all Global Investigations Review content