Managing complex global investigations presents significant challenges. Regulatory probes in multijurisdictional investigations are likely to be complex and overlapping. This article sets out practical steps that a company can take to manage those competing demands in order to manage an investigation efficiently and effectively.
01 | Set up an investigation team and a steering committee
First, put in place an investigation team consisting of internal and (where appropriate) external advisers with relevant skills and expertise.
In a multi-jurisdictional investigation, this team may need to include individuals in each jurisdiction. Make sure that there is an overall investigation lead.
If it is a significant, complex investigation, set up an internal steering committee.
Decide what level of representation is required on the committee from legal, compliance, audit, finance, human resources, IT, media/PR and other business areas. The more serious the investigation, the more senior the representatives required.
Include on the committee an accountable executive to whom the investigation team ultimately reports. Use steering committee meetings to agree the scope of the investigation and to put forward practical recommendations to management and senior stakeholders for approval.
02 | Establish multiple but linked workstreams Decide whether and how
investigation into workstreams. This will help to manage the investigation team and avoid duplication.
Decide whether to delineate the workstreams by jurisdiction, regulator or issue as appropriate. For example, project A1 could relate to all DOJ matters, project A2 to all CFTC matters, project A3 to all FCA matters, and so on.
It is crucial that each workstream feeds into the main investigation.
A practical way to do this is to ensure that each workstream communicates its actions and findings to the wider team at regular intervals and inputs the results into key investigation documents.
03 | Preserve all relevant data
At the outset of any investigation, act immediately to secure and preserve all data that may be relevant.
Take a proportionate, accurate and methodically sound approach.
This may include imaging electronic data, issuing document preservation notices and ceasing automatic deletion policies. Remember to assess what hard copy documents may exist in the form of notebooks, diaries and files.
It is vital to document data collection and processing.
Record the methodology accurately and comprehensively, and note all reasons for decisions on custodians, jurisdictions and data types. It is far easier to justify decisions around proportionality where the reasons for those decisions are recorded at the time.
Data will have to be collected, processed and presented in different ways for different regulators. Make sure that the investigation team is aware of this.
If dialogue has been established with regulators, decide whether to explain to the various regulators what you are doing and why. There may be more flexibility than is at first apparent if you can demonstrate that your data exercise is methodologically sound; equally, by raising the issue ahead of time, you may have some influence over the methodological parameters.
04 | Strategically manage data protection risk
You must have a robust data protection strategy and this must be in place before any investigation occurs. You will need this in order to navigate the relevant jurisdictions’ data protection laws.
Take steps to mitigate potential issues and exposure. This may include securing consent in advance in employee contracts; putting in place appropriate data-sharing agreements among subsidiaries; relaying instructions for personal emails to be marked as private or personal.
Assess the data privacy protections of relevant custodians where these apply to the export, collection and/or use of data.
05 | Consider the variation of legal privilege between jurisdictions and try for a ‘blended’ approach
At the outset of any investigation, check the legal position on privilege in relevant jurisdictions and the objectives of the investigation in order, as appropriate, to protect legal advice and potentially other investigation material from onward disclosure, e.g. to regulators and third parties.
The operation of privilege can differ significantly from jurisdiction to jurisdiction. This can entail multiple privilege reviews applying different tests to the same documentation – which can be both time-consuming and costly. Try instead to agree with your external lawyers and/or with regulators (where appropriate) a single set of privilege principles that will be applied.
If you wish to pass privileged material to a regulator, check first whether the regulator preserves confidentiality. While UK regulators have been prepared to receive privileged documents on the basis that privilege is not waived against third parties and confidentiality is preserved, in other jurisdictions, such as the US, such documents may be more vulnerable to an order for disclosure in third party litigation.
If a UK regulator wants to share information with, for example, a US regulator, decide whether to seek an express agreement from the UK regulator that there will be no onward disclosure to overseas regulators.
06 | Plan engagement with regulators initially and throughout the investigation
Early engagement with regulators can be extremely beneficial, but must be assessed on a case by case basis, depending on the type of investigation, jurisdictions and regulators involved, as well as the potential litigation and commercial risks.
This is especially important in the case of concurrent investigations by different regulators, with multiple and overlapping document requests. Early engagement may result in a coordinated approach to information requests. On the other hand, different regulators may have different approaches to how you should progress the investigation internally which may conflict with each other or with the company’s objectives or indeed legal requirements in certain jurisdictions, which may mean that the company wishes to progress its own internal investigation to a certain level first. Further, there may be advantages in the investigation moving at a more measured pace, enabling you to explore the issues fully.
If you do not engage with regulators at an early stage, make sure that you check regulatory expectations around the conduct of investigations. The UK’s Serious Fraud Office, for example, has been vocal in criticising companies for ‘churning’ the crime scene by interviewing key witnesses and disturbing documents before the SFO has become involved. It has also criticised companies for continuing with their own internal investigations once an SFO investigation has commenced.
07 | Understand internal processes
Be clear on your internal processes for gathering information and approving the release of data.
Large financial institutions may, for example, have a discrete IT board process before any IT-related information can be released.
Factor in all relevant approvals and adopt an organised, logical approach to make sure that everything is documented – creating, for example, an approval or sign-off matrix to operate throughout the investigation. This will avoid last-minute blockages, as when, for example, the legal team is ready to send out a regulatory response but then has to wait for an internal approval to come through.
Keep employment law obligations and any whistleblowing policy requirements under review.
In-house teams will also have significant pressure in terms of budgeting, particularly in an external resource-intensive investigation. Prepare budgets on the basis of workstreams and forecasts on a monthby- month basis.
Remember to factor in internal processes for external reporting, such as insurance notification, public announcements, reporting to auditors and reporting obligations to other third parties such as joint venture partners.
08 | Keep management fully informed
The accountable executive and steering committee should be kept fully informed throughout the investigation. This equips them to manage internal and external concerns.
Keep track of key statistics such as the volume of documents retrieved, the number of witnesses involved, which jurisdictions are affected, what information is in the public domain, and so on. This information gives senior management an overview which they can use to explain the position to stakeholders and/or regulators to help them understand the scale of the issues and therefore the amount of work and oversight needed.
09 | Ask to see early drafts of information requests or subpoenas for comment before issue
Try to obtain drafts of information requests or subpoenas (witness summons) for comment before they are finalised. At best, this gives you the ability to narrow the scope of the requests and to influence the timetable that the regulator is proposing. At worst, it will provide extra time in which to prepare any documents.
Once you know what is or is not achievable in terms of the draft request, you will be in a better position to negotiate with the regulator. If it is going to be impossible to provide certain information or documents within the timetable set out, explain this to the regulator, giving clear reasons. You may be able to agree a sensible compromise.
10 | Plan for remediation
At the outset of any investigation, consider potential remediation outcomes. This will help you to set the scope and process of the investigation.
In all but the most simple investigations, it will not be enough for remediation to focus purely on individuals. Systems and controls need to be examined and refined.
You must be able to demonstrate that you have taken tangible steps in response to the findings of an investigation. Lessons need to be learned and seen to be learned.