Christopher David and Lloyd Firth, Wilmer Cutler Pickering Hale and Dorr LLP

This is an extract from the third edition of GIR's The Practitioner’s Guide to Global Investigations. The whole publication is available here

5.2 Determining the terms of reference/scope of the investigation

In the rush to get to the bottom of what has happened, it is all too easy for those conducting investigations to become slaves to a pre-determined process and to lose sight of what they set out to achieve. Setting and communicating clear objectives, as well as defining and continuously reviewing the scope and terms of the inquiry, are critical first steps towards achieving an appropriate and proportionate outcome.

As soon as an issue comes to the fore, one of the first steps a company should take is to identify all relevant stakeholders and determine responsibility for the investigation. This is important not only for creating a legally privileged environment but also for ensuring the efficient running of the investigation.

It is advisable to have in place a template investigation plan long before any incident arises, which maps out internal responsibility and reporting lines for different types of hypothetical investigations. An investigation into a suspected low-level theft by an employee is less likely to require engagement at senior management level than one concerning a widespread, systematic fraud, and these distinctions should be reflected in the plan. The plan should be embedded into the company’s written processes, along with its protocols for dawn raids and other events requiring rapid responses.

While an investigation plan will assist in assembling a team at short notice, it should nevertheless contain sufficient flexibility so as to allow responsibility for an investigation to be dictated by the particular circumstances. In particular, it is important to be alive to the possibility that some or all of the individuals tasked with carrying out investigations may in fact be part of the problem that requires investigation. Any potentially implicated individuals should be excluded from the investigation team from the outset, to avoid any risk – whether real or perceived – that the integrity of the investigation be compromised. The constitution of the team should be reviewed regularly as the matter progresses: what starts out looking like a low-level infraction may turn out to be a far more significant problem, requiring the engagement of more senior personnel.

In many cases, responsibility for initiating an internal investigation will fall to the company’s general counsel or his or her representative. Depending on the scale of the investigation and the seniority of any implicated individuals, it may sometimes be necessary to set up a special investigation subcommittee of the board to oversee the investigation, or to devolve responsibility for the investigation to the audit committee. In certain circumstances, often owing to the scale or potential implications of the matter, it will be necessary to instruct external lawyers. The involvement of external lawyers can bolster the independence and credibility of the investigation process, which may be helpful when engaging with the authorities over the findings of the investigation. Appointing external counsel can also strengthen any claim to privilege over the investigation.

Whoever is conducting the internal investigation should establish and document its scope carefully and clearly at an early stage. The scope should cover the overall objective of the investigation, the issues being investigated, the date range, the jurisdictions and whether any overseas legal advice may be required, the relevant corporate entities involved (for example, subsidiary companies) and any other relevant issues.

It is important to document the reasons for any determinations as to scope. If an issue subsequently becomes the subject of a criminal or regulatory investigation that was not identified by the company’s own investigation because it fell out of scope, it may become necessary for the company to demonstrate that the issue fell out of scope for legitimate and carefully considered reasons.

The advantages of investing time in detailed planning at this stage are many. Perhaps most importantly, focusing minds on what needs to be achieved can help to limit the company’s potential exposure to a wide-ranging, unfocused investigation. An internal investigation is not intended to be a fishing expedition, but rather a considered response to a specific problem that has been identified. That is not to say that unanticipated issues that come to light during the course of the investigation should be ignored; simply that a tightly focused investigation will undoubtedly be more conducive to resolving issues in the most time- and cost-effective manner. The planning process will also put the company in a position to demonstrate to any government authorities and interested third parties that it has taken the issue seriously from the outset.

An important part of the scope-setting exercise is to assess the nature of the potential risks that the company is exposed to. This should be reviewed continuously as the investigation progresses. A problem that appears, on its face, to be regulatory may in fact have a criminal angle that only becomes apparent part-way through, or at the conclusion of the investigation. Whether a company is facing criminal or regulatory risk can have a significant impact on how investigations should be approached.

The scope and terms of reference of the investigation should be communicated to relevant personnel, and agreement sought from key stakeholders.

It may also at this stage be necessary to agree the scope of the investigation with government agencies before proceeding further. By way of example, the FCA expects regulated firms to engage in early communication regarding proposed investigations and not to take any steps that may prejudice or obstruct its own investigations. It may even seek to impose limits on the internal investigation process. The Serious Fraud Office (SFO) is also increasingly likely to seek to restrict the internal investigation process in this way, particularly for witness interviews.

This differs markedly from the position in the United States, where the Department of Justice (DOJ) arguably expects companies to leave no stone unturned in identifying individuals involved in misconduct. Companies and their advisers can therefore often face a difficult task in attempting to balance the competing demands of multiple government agencies when determining how to approach internal investigations.

Once the scope is agreed, a detailed work plan should be produced setting out how and by whom the evidence is to be preserved, collected, reviewed and analysed. This should include identifying relevant custodians from whom evidence will be collected; who, if anyone, will need to be interviewed and in what order; and what, if any, external expertise is needed (such as forensic accountants or industry experts) and what implications this may have for privilege. It may also be necessary to seek legal advice on how any issues of data protection or banking confidentiality should be dealt with.

At this stage it should be possible to estimate a likely time frame for the investigation and the anticipated resources and costs that will be involved (at least for the initial stages of the investigation), although these will need to be kept under review and updated as the scale of the review task becomes clearer.

The work plan will need to be flexible enough to adapt to changing circumstances. While the initial plan may represent the investigation the company would carry out in an ideal world, in practice, obstacles are likely to arise that should be balanced against the need to conduct a full investigation. These may include issues such as cost, external time pressures, regulatory requirements and the ongoing needs of the business.

Whoever is overseeing the investigation should send regular feedback on progress up the reporting chain, the structure of which should have been mapped out at the scoping stage to ensure that relevant personnel are kept informed and that sensitive reports are not circulated more widely than is strictly necessary. Depending on the level of engagement with the authorities at this stage, updates may also need to be provided externally.

It is important to consider early on how the investigation’s findings and conclusions will be presented and to whom they will be disclosed, both internally and externally. While a written report can be effective in demonstrating that a thorough investigation has been conducted and the steps taken to remediate problems, any ambiguity over the existence of privilege may lead to those reports being disclosable in future proceedings. Again, the FCA has made clear that it expects to be consulted on these issues early on.

In matters that are potentially cross-jurisdictional, it should be assumed that anything provided to one interested regulator will be forwarded to others. It can nevertheless be advantageous for a company to produce material to relevant agencies proactively rather than relying on cross-border information sharing, as there is often more scope for negotiation over the level of confidentiality with which that material will be treated. For instance, while the FCA will not accept restrictions on the use to which any investigation material can be put, it will normally invite and consider any representations the company wishes to make before it discloses the material to any third party.

5.3 Document preservation, collection and review

One of the most important aspects of any internal investigation is the underlying evidence and contemporaneous documentation. The issue of document preservation, collection and review should be considered at the earliest possible opportunity once a decision has been made to commence an internal investigation. How potential evidential material is preserved and collected is likely to be critically important if it becomes necessary to engage with government agencies. At best, the credibility of any investigation would be damaged by a failure to secure all potentially relevant material at the outset. At worst, an ineffective document preservation and collection process may be viewed by a prosecutor as obstruction or an attempt to pervert the course of justice. A prosecutor or regulator might also view such a failure as unco-operative. This could put a strain on the company’s relationship with any external investigators and, potentially, become an aggravating factor in any settlement.

5.3.1 Preservation

Ordinarily the first step that should be taken is the issuance of a ‘document retention notice’ (DRN) or ‘hold’ notice, but care must be taken not to inadvertently tip off data custodians who may also be suspects. In some cases, issuing a DRN is not appropriate, for example where the company is investigating something outside the public domain and where document collection needs to be carried out covertly (at least at the outset). The company will need to make a careful judgement call in these circumstances and ought to record the reasons for its decisions. This should assist the company to avoid subsequent criticism from any government agency. Ideally a company should have a documented process in place as part of its compliance policies and procedures. In any event, careful consideration should be given by the investigation team as to whom the hold notice should be sent to and what it should say. If the investigation has been triggered by the receipt of a subpoena or other official request for documents, the hold notice should be sent to all employees who are, or may be, in possession of potentially relevant material. The hold notice should also be sent to any third parties who perform services on behalf of the company and may hold relevant material. Any hold notice must clearly require the recipient to refrain from altering, discarding, destroying or concealing any documents that may be responsive to the subpoena or document request. It is best practice to err on the side of caution and interpret the applicability of any subpoena widely. Even in the absence of a formal document request, the hold notice should broadly provide details of the documents requiring preservation with a similar instruction not to alter, discard, destroy or conceal.

It is good practice to specify the types of material to be preserved. This should include all electronic data such as emails, documents and calendar invitations as well as hard-copy documents including notes, drafts and duplicates. The request should also make clear that it applies equally to any relevant material located outside the office or place of work, such as at home or within personal email accounts, mobile telephone text messages (including WhatsApp and other instant messaging applications) and social media accounts.

A clear record should be kept of those to whom the hold notice was sent. Ideally recipients should acknowledge safe receipt, evidence of which can easily be obtained through the use of an email read receipt. Prior to sending a hold notice, routine data destruction practices must be suspended and a complete backup obtained of all electronic data held. As well as being good practice, this allows investigators to establish whether any recipients have attempted to delete evidence following receipt of a hold notice.

5.3.2 Collection

The collection process presents a number of challenges and can have significant implications later in the investigation process if errors are made. For this reason it is advisable to carefully document all decisions as to what material is being collected and why, as this can be useful later in the process if external government agencies become involved.

Depending on the size of the investigation, it may be necessary to instruct external, expert forensic IT and data collection vendors. While there are inevitable cost implications in using third parties, it can be essential if the necessary expertise is not available in-house. The use of a third-party expert may also assist in retaining credibility with any interested government agencies. This is because the ‘forensic’ collection of data is highly specialised and a failure to follow the correct processes can have a significant impact on any subsequent legal proceedings. The improper collection of electronic data could interfere with, and ultimately compromise, the integrity of the underlying data.

A digital image of all relevant electronic data sources and devices (such as mobile telephones, tablets and personal computers) should be taken. When electronic devices are collected, they must be switched off by the owner. Under no circumstances should the devices be switched on again by anyone, including the company’s IT department, until they have been made available to third-party experts with the necessary expertise and equipment to collect the data without inadvertently compromising it.

It is important to think broadly when collecting electronic evidence. In addition to the more obvious sources of evidence such as network drives, hard drives, mobile telephones and tablets, consideration should be given to both landline and mobile telephone records (including numbers dialled and received), recorded telephone lines, building security logs and CCTV footage.

Collection of hard-copy material should be undertaken following a documented assessment as to where relevant material may be kept. In many cases it will be perfectly proper and proportionate to request that custodians collect the relevant material themselves and provide it either to the investigation team or to external lawyers. In some circumstances – for example, where there is a risk that evidence may be destroyed – it may be necessary to ensure that all relevant evidence is secured by conducting an unannounced collection. When doing this, it is crucial that a company’s internal policies and any local employment law considerations are taken into account. Thought should also be given to data protection issues, particularly where data from shared, as opposed to individual, drives has been collected.

It is good practice to conduct a document collection interview with each custodian, covering the location of all potential sources of material, what software the individual uses, where they save material on the network, the use of personal portable devices such as mobile phones and tablets, the use of chat and instant message systems, the use of personal email accounts, social media sites, recorded phone lines and external hard drives. The interview should also cover the location of all hard-copy documents and the custodian’s typical document destruction practices. The custodian should be asked who else, such as a secretary, personal assistant, colleague or family member, has access to his or her emails, other electronic data and hard-copy documents.

Once hard-copy material has been collected, it should be held in a secure room or locked cabinet, access to which should be monitored and restricted to members of the investigation team. To ensure a clear chain of custody, a log should be kept of any movement of material outside this locked environment and originals should not be removed.

5.3.3 Review

Given the significant volume of electronic data collected in most investigations, any subsequent review can be daunting, not least in terms of time and cost. In all but the smallest investigations it is normally advisable to upload the collected material to a document review platform. The function of the platform is to collect all of the data in a central online database that has search and tagging functionality, allowing the investigation team to review and produce documents efficiently. A wide range of platforms are available, each offering broadly similar functions, though consideration should be given to data protection and jurisdictional issues. All the material collected should be uploaded to the review platform, including any hard-copy documents that can be processed using optical character recognition technology to allow the text to be searched in the same way as electronic data.

Once the data is uploaded it can be processed to confine the review set to the relevant parameters. These can include date ranges, document types and custodians, and will usually involve the removal of duplicate documents. It is crucial for both the investigation and its credibility that documents be carefully tracked throughout. To allow for this, each document will be assigned a unique identifying number when it is uploaded to the review platform. The review platform will also provide for any linked parent-and-child documents (such as emails and attachments) to be easily identified.

At this stage of the review process, consideration should be given to creating a list of search terms to narrow the data set further. Traditionally, this process has simply consisted of listing relevant search terms, such as names, case-specific keywords, telephone numbers or any other words or phrases that could help in identifying relevant documents. While this remains a helpful method of identifying relevant documents, many vendors now provide more sophisticated search and document review technologies that can accurately detect and relate unique phrases among unstructured data sets to refine the data set to the most relevant information.

These review technologies are broadly classified under the name ‘predicative coding’ and provide for the building of an intuitive automated learning process and case-specific algorithms into the platform itself. Put simply, once the review is begun, the platform is able to learn what the reviewers are looking for and move the most relevant documents to the top of the review list. This can dramatically speed up the identification of the most relevant documents. Other tools include concept searches, context searches, metadata searches, relevance ranking, clustering and early case assessment. To varying degrees, all of these processes allow review teams to focus quickly on relevant documents and potentially identify relevant witnesses.

Once the collected material has been processed and searched (irrespective of whether any predictive coding technologies have been used), it will be necessary to begin a human review of the data set. A standard linear review, namely a review of all the material responsive to search terms, should be conducted by a first-level review team. The size of the team will depend on when the review needs to be completed and how many documents form the review set.

To assist in this process, a senior member of the investigation team should draft a review memorandum, which should include the necessary background to allow the review team to identify the relevant documents and should be accompanied by training for each member of the review team. A document coding protocol should also be prepared, detailing the tags that are available to the review team. The appropriate number of available tags is a matter of preference and will depend on the complexity of the investigation, but it is recommended in order to try to future-proof the investigation so that the document set can be easily cut down to the relevant subsets of material as required. Reviewers will usually tag documents as ‘relevant’ or ‘not relevant’, with other issue tags being used as appropriate.

A list of potential interviewees to allow reviewers to identify documents relevant to each interviewee is often helpful at this stage. However a document review is structured, it is important that ‘hot documents’ are identified and quickly escalated to the relevant people within the investigation team. Establishing a daily call or meeting allows the review team to provide feedback on the type of material they are seeing in their review and to receive guidance from the investigation team. It may also be helpful for reviewers to be tasked with creating event chronologies. The source of each event identified in the chronology should be clearly identified.

It is best practice for reviewers to identify potentially privileged material, broadly defined to include material that may be subject to bank examiners’ privilege (in the United States), bank secrecy (in the United Kingdom), data protection or other jurisdiction-specific issues. Regulators and third-party litigators will often request a privilege log, and a considerable amount of time can be saved if this is created at the outset.

5.3.4 Considerations when documents are located in multiple jurisdictions

A range of complicating factors can arise when material located in multiple jurisdictions is being reviewed. Local legal advice should be sought if there are any concerns about reviewing material or moving it from one jurisdiction to another. Bank secrecy and data privacy requirements often mean that reviews have to be carried out in the territory where the data is held. In these circumstances data should not be uploaded to a server located outside the territory. It may be helpful to arrange for a mobile server to be deployed, so that the data does not have to leave the company’s premises.

Data protection issues are often a concern and expert advice should be sought in cases of doubt, especially following the Data Protection Act 2018’s entry into force and the contingent requirement to comply with the EU’s General Data Protection Regulation.

Subscribe here for related content, breaking news and market analysis from Global Investigations Review.

Global Investigations Review provides exclusive news and analysis and other thought-provoking content for those who specialise in investigating and resolving suspected corporate wrongdoing.