1 The Decision to Conduct an Internal Investigation

1.1 What statutory or regulatory obligations should an entity consider when deciding whether to conduct an internal investigation in your jurisdiction? Are there any consequences for failing to comply with these statutory or regulatory regulations? Are there any regulatory or legal benefits for conducting an investigation?

Although there are no explicit statutory or regulatory obligations pertaining to commencing internal investigations in England and Wales, it is often in an entity's best interests to conduct an internal investigation when wrongdoing is suspected, whether this be criminal or regulatory. This will enable an entity to identify if any criminal offences or regulatory breaches may have been committed at an early stage and to make informed decisions. An obvious benefit of an internal investigation is that it allows the entity to satisfy itself that it has isolated and dealt with the wrongdoing. Additionally, conducting an internal investigation may help an entity decide whether or not to approach a relevant authority with a view to securing a more favourable outcome than would likely be the case having been approached by the authorities in the first instance.

1.2 How should an entity assess the credibility of a whistleblower's complaint and determine whether an internal investigation is necessary? Are there any legal implications for dealing with whistleblowers?

Consideration should be given to whether there is likely to be any other evidence capable of supporting the whistleblower's assertions, such as documentary evidence and the extent to which the whistleblower can personally verify the allegation made. An entity should also consider the context and circumstances in which the whistleblower makes their disclosure; for example, even if they are a disgruntled employee, is the disclosure capable of belief? How much time has passed since the events occurred and what is the explanation for any delay? Is the whistleblower raising the matter for their own personal gain or motive?

A statutory framework exists to protect workers if they blow the whistle on their employer; a whistleblower who makes a qualifying disclosure has the right not to be subjected to any detriment by any act or deliberate failure to act by their employer on the ground that the worker has made a protected disclosure.

1.3 How does outside counsel determine who "the client" is for the purposes of conducting an internal investigation and reporting findings (e.g. the Legal Department, the Chief Compliance Officer, the Board of Directors, the Audit Committee, a special committee, etc.)? What steps must outside counsel take to ensure that the reporting relationship is free of any internal conflicts? When is it appropriate to exclude an in-house attorney, senior executive, or major shareholder who might have an interest in influencing the direction of the investigation?

"The client" will often be determined by who has retained the services of outside lawyers and who has control of the internal investigation. The client should be suitably qualified and hold sufficient seniority within the entity to be in a position to provide instruction, direction and make critical tactical decisions about the course and scope of the investigation and any reporting that may occur. The wider the reporting relationship is, the more difficult it is likely to be for the corporate to assert and maintain privilege, and also to preserve confidentiality. Entities are best advised to set up an investigation team comprising a limited number of individuals. For more complex investigations, it is often advisable to set up a management or steering committee as these create very clear reporting lines.

External counsel should make enquiries of the client to satisfy itself that those to whom they are to report are not conflicted – this can be done through, for instance, considering the nature of the allegations to be investigated and who is likely to hold relevant information, and asking those who conceivably have been involved in the matter under investigation to declare any interests. These steps are intended to have the effect of maintaining the credibility of any investigation results with the regulator.

2 Self-Disclosure to Enforcement Authorities

2.1 When considering whether to impose civil or criminal penalties, do law enforcement authorities in your jurisdiction consider an entity's willingness to voluntarily disclose the results of a properly conducted internal investigation? What factors do they consider?

Voluntary disclosure of the results of an internal investigation is an important factor considered by authorities in determining whether a prosecution is in the public interest, or whether a Deferred Prosecution Agreement (DPA) or civil settlement (or other alternative to prosecution) is appropriate. However, it provides no guarantee that a prosecution will not follow. Instead, it will form part of a case-by-case analysis looking at a range of factors, including the seriousness of the offence, the harm to victims and any history of similar misconduct by the entity.

2.2 When, during an internal investigation, should a disclosure be made to enforcement authorities? What are the steps that should be followed for making a disclosure?

There are a number of scenarios when entities must notify regulators of incidents/misconduct. For example, the General Data Protection Regulation (GDPR) requires that breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data must be reported to the Information Commissioner's Office (ICO) not later than 72 hours after the controller of the data becomes aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. Similarly, the Financial Conduct Authority (FCA) requires its regulated firms to be open and cooperative, and, for example, to notify the regulator of anything about which it would reasonably expect notice. The Health and Safety Executive (HSE) must be notified of reportable safety incidents under the RIDDOR requirements and entities can be required to notify the Environment Agency of pollution incidents, etc.

Generally, details of any wrongdoing discovered during an internal investigation do not automatically need to be disclosed to enforcement authorities. Prior to any self-report, an entity should carefully consider the desirability and potential consequences (e.g. civil and criminal sanctions). Voluntary disclosure before enforcement authorities are involved may be desirable if the entity is considering cooperating with the authorities in an attempt to achieve a more favourable outcome. It is clear from the Rolls-Royce case that failure to self-report is not a barrier to a DPA as long as there are counterbalancing factors, notably complete cooperation and disclosure of materials without pre-conditions (including assertions of legal professional privilege) thereafter. If this is a strategy an entity wants to pursue, wrongdoing should be reported to enforcement authorities within a reasonable time of the offending coming to light. However, when an investigation report is being prepared, there is an incentive to ensure that a detailed investigation has been undertaken before disclosure of the facts. It is an unattractive proposition to provide details of an internal investigation in haste and without a proper understanding of the conduct, not least because the nature of the wrongdoing may not be apparent until the latter stages of an investigation.

2.3 How, and in what format, should the findings of an internal investigation be reported? Must the findings of an internal investigation be reported in writing? What risks, if any, arise from providing reports in writing?

There is no requirement to provide voluntary disclosure of investigation findings in a specific format, such as in writing, rather than an oral briefing. It is a matter for the entity to decide on the extent and format of any disclosure made. A written report will undoubtedly be viewed more favourably in the context of any enforcement action given it demonstrates cooperation and is likely to contain a more complete examination of the relevant issues and underlying facts with evidential value.

However, there are risks associated with written reports. A report may contain findings or information that are potentially damaging. By disclosing a written report to law enforcement authorities, an entity runs the risk that the information contained in it will be used to open an investigation into the company. Moreover, a written report is open to misinterpretation or misuse, which may be avoided if the results of an internal investigation are presented orally instead. Ultimately, however, any investigating authorities to whom matters are to be reported will expect materials in writing to be retained and may serve statutory production orders to compel its provision. Any oral report provided will likely be swiftly followed for a request from the enforcement agency for a written report of the same.

3 Cooperation with Law Enforcement Authorities

3.1 If an entity is aware that it is the subject or target of a government investigation, is it required to liaise with local authorities before starting an internal investigation? Should it liaise with local authorities even if it is not required to do so?

Entities are not required to liaise with law enforcement authorities before starting an internal investigation but there are benefits to such early engagement and it is viewed favourably and encouraged by them. For instance, if an agency is given the opportunity to comment on the proposed scope and purpose of an investigation then the entity can ensure its report is appropriate. Early engagement may also avoid risks associated with tipping off and "trampling on the crime scene". However, an entity should remain cautious about disclosing information about wrongdoing without first having a proper understanding of the nature or extent of the alleged misconduct. To do so may result in an inappropriate or inaccurate self-report which is not in the interests of any party involved.

3.2 If regulatory or law enforcement authorities are investigating an entity's conduct, does the entity have the ability to help define or limit the scope of a government investigation? If so, how is it best achieved?

Regulators have extensive statutory powers to gather evidence as part of their investigation; for example, to compel entities to answer questions or produce documents. Engagement with a regulator may help to define or limit the scope of its investigation; guidance can be given regarding the relevance of material and the proportionality of requests for information and documentation.

3.3 Do law enforcement authorities in your jurisdiction tend to coordinate with authorities in other jurisdictions? What strategies can entities adopt if they face investigations in multiple jurisdictions?

The global nature of today's businesses, combined with the increasing availability of extraterritorial statutory powers to obtain evidence and extraterritorial offences, means that jurisdictional issues are becoming more prevalent. Law enforcement authorities in the UK frequently share information with authorities in other jurisdictions through mutual legal assistance agreements or via organisations such as Eurojust, and there are increasing numbers of truly joint investigations by agencies from different states.

To view the full article, please click here

Originally published in ICLG

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.