Conducting internal investigations: what are the risks to the organisation and the individual
Watch to learn essential strategies for navigating these challenges effectively
Triage
If conducted correctly, internal investigations can be valuable corporate governance tools, demonstrating an effective compliance framework to regulators and other key stakeholders. To ensure the investigation identifies, assesses, escalates, and remediates risk issues effectively, it must be built on solid foundations. This begins with a clear triage involving swift assessment of the issues, preliminary reviews of available evidence, determining the potential seriousness for the company and identifying who is best-placed to run the investigation.
Independence and integrity
We have recently seen several high-profile corporate investigations being publicly criticised for a perceived lack of independence and rigour (see, e.g., "From bribes to sex scandals, lawyer investigations scrutinised over ‘whitewash’ claims", ft.com). Retention of external legal counsel can be a powerful way to demonstrate the independence and integrity of a company's investigation. In that context, companies would be well-advised to consider whether their regular legal advisers provide the necessary degree of independence. Certainly in cases where the "business as usual" advisers have been involved in establishing or advising on compliance systems and controls that may be the subject of review, conflict issues can quickly emerge.
Legal privilege
With the narrow ambit of legal advice privilege in the context of corporate clients, and litigation privilege requiring adversarial litigation to be in reasonable contemplation, claiming legal privilege over internal investigations often presents significant challenges, not least in respect of witness interviews. Whilst each case must be considered on its own facts, it is critical in all investigations that the "client" group is identified at the outset and that legal advice is confined to that group. Broader investigation teams subject to confidentiality protocols should also be established, but the "client" group should remain sacrosanct.
Protections for individuals
Companies must also be mindful of the impact internal investigations can have on individuals, whether suspects, complainants, or witnesses. Early consideration should be given to whether any individuals require independent legal advice, ensuring a fair process that generates admissible evidence. Subject matter sensitivities should also be borne in mind, considering the potential harm to, for example, whistle-blowers and other complainants. Appropriate sequencing of interviews is critical to mitigate the risk of evidence contamination and destruction. It will, for example, generally be wise to secure all electronic evidence before speaking with anyone. Finally, consider individuals' data protection rights. There are numerous exemptions under UK GDPR to obtain and review data in an investigation context, but have those been worked through and recorded in an Impact Assessment?
Engaging with regulators
Due to broad-ranging reporting obligations, there will be little latitude as to whether financial services firms should notify serious breaches to the FCA/PRA. The questions are when and how. As a guiding principle, companies need to have done sufficient work to establish that there is in fact a problem, the nature of the problem, and the steps required to investigate further. Regulators want firms to be open and transparent, but not simply to disclose problems; they also want firms to bring proposed solutions or at least an indication of further work to be done. A precautionary holding report may therefore be prudent, although the FCA's proposed amendments to its policy on publicising enforcement actions (the so-called 'naming and shaming' proposal) may give companies pause to consider whether and when it would be sensible to raise their heads above the parapet. Again, it's very much a case-specific assessment.
Managing auditors and insurers
Although auditors are under a regulatory obligation to investigate matters indicating fraud within a company as well as matters that impinge on the company's accounts, this does not necessarily mean the company has to hand all investigation materials over. Auditor queries may be handled by way of Q&A, enabling companies and their advisors to identify precisely what the auditors require and to tailor responses accordingly. This will need to be negotiated on a case-by-case basis.
The position with insurers will largely be governed by the terms of the policy, although the overriding principle is that companies must disclose and fairly present risks and make timely claims to mitigate the risk of insurers declining claims or avoiding policies entirely. This is ultimately a point of negotiation, but appropriate measures will be needed to protect any disclosures made (including confidentiality protocols, hold harmless provisions, and read-only access).
At the summit, David also held a fireside chat with Keith Richards, CEO, Consumer Duty Alliance, focusing on retail conduct: recent enforcement action and the impact of the consumer duty, customer communications and vulnerable customers.