Internal investigations: inside jobs

UK and US businesses have spread their tentacles to the remotest parts of the world. But if globalisation creates economic benefits, it also poses new challenges for regulators.

It is not just financial services that have come under greater scrutiny, particularly after the crisis of 2008-09. The Serious Fraud Office, for example, is investigating a host of household-name multinationals in other sectors. Regulators are not simply relying on the long arm of their national laws – be it the UK’s Bribery Act or the US Foreign Corrupt Practices Act (FCPA). Like the companies they investigate, they have gone global.

‘Regulators pass information to each other,’ Freshfields Bruckhaus Deringer partner Raj Parker notes. ‘Because of the digital age, the speed at which [they do] is amazing.’

With few places to hide and regulators expecting greater co-operation, managing internal investigations properly could save companies millions. So what, typically, prompts an internal investigation?

In recent years, whistleblowing has been the most significant trigger.

‘In my last SFO trial and two [current] cartel investigations by the Competition and Markets Authority (CMA) whistleblowers all feature,’ says Anthony Barnfather, formerly head of Pannone’s regulatory investigations group.

Barnfather, who now leads a niche practice advising senior directors and officers, adds: ‘Although [it was] rejected by the UK government, I believe a properly regulated regime where whistleblowers may be rewarded would ultimately boost serious fraud detection.’

Last September, Wall Street watchdog the Securities and Exchange Commission (SEC) announced a record-breaking award of more than $30m to an anonymous whistleblower living abroad for providing crucial, original information that led to a successful fraud enforcement action.

Under the 2010 Dodd-Frank legislation, the SEC has powers to offer reward for ‘high-quality, original information’ that leads to an SEC enforcement action with sanctions exceeding $1m. The agency can award a whistleblower anywhere between 10%-30% of the money it collects in a case.

Frauds also come to light when internal audit teams uncover ‘unusual trends’ – for example, by running specialist forensic software which uses algorithms they can spot ‘unlikely invoicing patterns’, says Barnfather. He adds: ‘Perhaps surprisingly, external statutory audits do not often uncover frauds.’

Competitor complaints are on the rise too, notes Washington DC-based Eric Bruce, a trial lawyer and investigator at US litigation boutique Kobre & Kim and formerly a federal prosecutor with the US Department of Justice (DoJ). These arise when a company believes a competitor is getting ‘an unfair advantage’ through, say, FCPA violations – and it decides to ‘drop the dime’ by lodging a complaint with the DoJ (typically anonymously).

The internet is also expected to grow in relevance, says Alex Parker, English-qualified international counsel at US firm Debevoise & Plimpton. For example cybercrime, even by non-commercially related third parties, can lead to issues being exposed of which the company’s management was unaware.

‘There is a much closer and continuous look at financial institutions now than there was pre-2008,’ Freshfields’ Parker says. ‘In the regulated financial sector, the Financial Conduct Authority [FCA] is now so closely involved in reviewing and supervising the various business lines of banks, brokers, hedge funds and insurers that they will usually find something that they will then perhaps think should be enforced against. This then triggers an investigation.’

There is also greater scrutiny from parliamentary bodies such as the Parliamentary Commission on Banking Standards and the Treasury Select Committee, which recently launched an inquiry into allegations that HSBC’s Swiss private bank helped clients evade tax. This came after the media published HSBC files supplied by a whistleblower: ‘They start inquiring into things earlier, usually as the result of the media,’ Freshfields’ Parker says.

Inertia is not an option, then. ‘It is a risk to ignore things until they become a real problem,’ says Debevoise & Plimpton’s international counsel Matthew Getz, who has represented large multinationals in anti-corruption internal investigations. ‘Consider the trigger, consider the allegation and work out how plausible it is. Then see what the potential repercussions are if the allegation turns out to be true.’

‘These investigations are extremely disruptive to the business,’ says Freshfields’ Parker, who believes a small group of ‘credible’ people should run them. The team would typically include a non-executive director, a member of the internal audit or audit committee and an in-house lawyer. ‘You need one single point of control and management with authority for this strategy and the day-to-day operations,’ he says.

For Peters & Peters partner Jasvinder Nakhwal, the group must ‘not be tainted by anything that might or might not have happened. They should be people who are not potential witnesses in the proceedings’.

Once the team is in place, a company must decide whether to outsource legal help. ‘The most important and perhaps most difficult stage of an internal investigation is when the corporate thinks the issue is so serious that the only sensible way to deal with it is to start getting independent legal advice,’ says Andrew Oldland QC, head of Michelmores’ financial services and regulatory teams.  

Debevoise’s Parker says: ‘Consider whether to use existing counsel who advise on corporate issues and day-to-day commercial deals, or whether to have someone entirely independent of the company’s day-to-day dealings. I think by and large the latter would be more appropriate.’

Freshfields’ Parker advises: ‘Always ask whether you need an external law firm, because they are very expensive and can come and live with you for a long time. But they know the regulators and the system very well. They are independent and objective, and they can co-ordinate your strategy and protect you on tricky issues in real time.’

An external firm specialising in such work will generally be better at drafting in specialists such as forensic accountants, data recovery experts and private investigators. Ultimately, hiring external counsel also sends a message to employees and regulators that the company is taking the allegations very seriously.

Sometimes there is no alternative, says Bruce. ‘If there is a high likelihood that the DoJ or SEC are going to find out about it, or if they already know, usually it is worth bringing in external counsel right away. Chances are you are going to bring them in eventually, so why not have them shape the investigation from the start?’

A specialist external team may also help circumvent certain legal risks. ‘A company might not get around to reporting to regulators until well after regulators would expect it,’ London-based Getz says. Furthermore, they will ensure that any electronic and hard copy evidence is retrieved and secured, for example by issuing data preservation notices. ‘It is important to do that at an early stage. Deletions of data, either maliciously or due to regular company processes, can have very bad consequences. On the one hand, this can prevent the company from learning what has happened, and on the other, worst-case scenario, it can lead to accusations from prosecutors or regulators that the company has engaged in perverting the course of justice,’ he adds.

In 2002, a US district court jury found ‘big five’ accounting firm Arthur Andersen guilty of obstructing justice by shredding accounting documents relating to its client Enron, the disgraced US energy giant. The conviction was overturned by the US Supreme Court in 2005 although, by then, Andersen had failed.

Confidentiality must be maintained too. So, when interrogating witnesses, it is important not to tell them what other witnesses have said and to tell individuals not to talk to each other about what they have been asked or told, Nakhwal says.

This ‘minimises the reputational fallout’ and ‘ensures a subsequent investigation by the authorities is not scuppered or tarnished. Those protections can be put in place if the lawyers know what they are doing and have got the appropriate experience and expertise.’

An external legal adviser may also assist in circumventing the challenges of protecting legal professional privilege.

Legal advice privilege (one of two types of privilege) protects the confidentiality of client-lawyer communications created with the aim of giving or receiving legal advice; it requires that lawyers act in their legal capacity, but if in-house counsel also have executive functions it may be difficult to establish in which capacity they act. ‘With external lawyers there isn’t this hazy line and ambiguity about what is privilege and whether privilege can be rightly claimed,’ Nakhwal says.

‘The client is then the company and readily identified,’ observes Barnfather. The identity of the client is very important because legal advice privilege only attaches to communications between the client and the lawyer.

With internal investigations often spanning several jurisdictions, Roger Burlingame, a London-based trial lawyer and investigator at Kobre & Kim, notes: ‘Where legal professional privilege can become challenging is in cross-border investigations where you have different rules of privilege affecting different countries.’

‘If you have a purely DoJ problem, you may handle your investigations one way and feel more comfortable keeping certain sorts of records of what you are doing,’ Burlingame, a former US federal prosecutor, says. ‘If you are simultaneously going to end up in front of the SFO, you might conduct things quite differently as far as creating those sorts of materials, because you might not want to be forced to turn them over at the end of the day.’

 When deciding whether to self-report, the answer is: it depends. Financial services firms must disclose to the FCA ‘anything relating to the firm of which [the FCA] would reasonably expect to notice’. Freshfields’ Parker explains: ‘You have to tell the regulator even if there is no actual crime, just the risk of financial crime.’

Financial and credit businesses, among other regulated sectors, must also disclose knowledge or suspicion of money laundering by submitting a suspicious activity report to the National Crime Agency (NCA). ‘When the NCA gets a suspicious activity report, which has something to do with corruption or large-scale fraud, they pass it on to the SFO,’ Getz says. Under the fourth EU money laundering directive, expected to come into force in late 2015, there will be ‘a very strong obligation on each regulator in each country whenever they get a report which affects another country in the EU to pass the information on’, Getz adds.

Otherwise the picture is more ambiguous. ‘If it’s an internal inquiry that the DoJ or the SFO don’t know about [corporates] can decide what to do about it,’ Oldland says, but he adds that corporates on both sides of the Atlantic are becoming more risk-averse.

Regulators emphasise that corporates should ‘do the right thing’, says Barnfather. But he notes: ‘The reality in this country is that if you don’t do the morally right thing, you are far less likely to get caught because of the SFO’s restricted resources. A lawyer’s duty is not to be a whistleblower on his clients, so it is not set in stone that you should always co-operate.’

The UK agency, which is tasked with investigating and prosecuting serious fraud and corruption, is yet to bring a case against a company under the Bribery Act, in force since July 2011.

It is not just a question of financial means. As Burlingame explains, it is hard to prosecute a corporate in the UK. ‘In the US, if you have one employee doing something illegal you can prosecute the entire company. In England it is a much tougher standard,’ he says. To establish corporate criminal liability, prosecutors must prove that the ‘controlling mind’ of the company had the necessary criminal knowledge or intent.

Bruce’s advice is: ‘Do a fact-based analysis for each situation. If you think the DoJ [or other regulators] are going to find out about it anyway, you might as well self-report.’

When deciding whether to disclose, companies with robust compliance programmes should take note that Morgan Stanley escaped prosecution under the FCPA in 2012 with praise from the DoJ for its pre-existing compliance programme, as well as for its disclosure and co-operation.

‘Good compliance departments are worth their weight in gold because they often catch issues before they turn into something more nefarious and problematic,’ says Bruce.

Nakhwal points to other circumstances where there may be benefits in self-reporting immediately. Under the leniency policy of the CMA, which took over the Office of Fair Trading’s responsibilities for cartel enforcement last April, the first cartel member to report and provide evidence of a cartel will be granted total immunity, provided certain conditions are satisfied.

When assessing the pros and cons of coming clean, Freshfields’ Parker warns: ‘There is a heightened risk of detection today. If it comes out that you have not been proactive and gone to see the regulator, that doesn’t look good.’ But he warns of the disadvantages, including an immediate reputational impact: ‘There is also a question, always, as to when it’s the right time [to self-report] because if you do so too early you may not have established the full extent of the issue.’

Once companies cross the line, prosecuting agencies and regulators will expect them to be fully co-operative and transparent.

‘If you are in for a penny you have got to be in for a pound,’ Burlingame says. ‘There is no percentage in fighting back against the US government; they are effectively holding a nuclear bomb,’ he says, pointing to France’s Alstom, which was fined a record $772m in December for FCPA violations. The DoJ said in a statement that the plea agreement considered many factors, including ‘Alstom’s failure to voluntarily disclose the misconduct’; and ‘Alstom’s refusal to fully co-operate with the department’s investigation for several years’.

Freshfields’ Parker says: ‘The instincts, particularly of in-house litigation counsel, can be to protect the company too much and in an investigation sometimes it is better to be open and co-operative and do more than you might otherwise want to do.’

Each regulator defines co-operation slightly differently and the definition keeps changing.

But Freshfields’ Parker adds: ‘There is quite a bit of convergence towards the US model. US authorities wish the companies being investigated to be much more cards-on-the-table co-operative.’

Whatever you do, consistency is key. ‘You shouldn’t be treating one regulator differently from another because they are all joined up,’ he concludes.

Marialuisa Taddia is a freelance journalist