A person who has the power to initiate investigations in a corporate environment

Introduction

In this article, we discuss the factors to take into consideration in Hong Kong and the US when determining whether and how to conduct an internal investigation in light of possible subsequent or pending investigations by regulators. We also highlight potential pitfalls that may occur and provide pointers on avoiding them.

An increasingly complex global business environment, combined with changing expectations and enhanced scrutiny both in Asia and overseas, means that more companies are finding themselves subject to regulatory investigations and proceedings. In 2014, 64 per cent of large companies in the US with revenues of US$1 billion or more, and 44 per cent of companies with revenues of US$100 million to US$1 billion, retained outside counsel to assist with investigations. In recent years, in the US, approximately two-thirds of companies in the insurance, energy, financial services, and healthcare industries faced some type of regulatory or government investigation. In Hong Kong, in 2014 alone, the Securities and Futures Commission (Hong Kong SFC) conducted over 2,000 investigations and the Independent Commission against Corruption (Hong Kong ICAC) instigated 222 prosecutions.

This increasing regulatory scrutiny, along with a renewed focus on ethical behaviour and protecting (and in some cases incentivising) whistleblowing activity, has created an environment where regulatory lawyers are increasingly called upon to conduct or supervise internal investigations into suspected wrongdoing.

An effective corporate investigation may provide management or the board with the information it needs to make an informed decision on how to proceed in the face of alleged misconduct. In many cases the investigation will provide the information needed to take steps to ensure that no future violations occur. Unlike many forms of traditional litigation, however, there is often no roadmap to follow. Internal investigations may cover various topics such as suspected accounting fraud, violations of the antitrust and environmental laws, violations of the US Foreign Corrupt Practices Act, the Hong Kong Prevention of Bribery Ordinance and the Hong Kong Securities and Futures Ordinance, violations of government contracting regulations, violations of trade sanctions and export controls, insider trading, employee theft, suspected kickbacks, violations of a company’s specific policies and procedures, and so on. There are usually no mandatory procedural rules or court-imposed deadlines; there are no local rules or forms to follow. More importantly, how an investigation is conducted, and the scope of that investigation, are necessarily informed by the context and the potential impact on a particular company. As a result, there is a seemingly limitless variety of procedures and protocols to choose from.

Whether to initiate an internal investigation

Internal investigations often start with an allegation of wrongdoing, which may come from an employee, shareholder, director, the media, the company’s outside auditors, the regulators or someone else. At the outset, the company must decide whether the allegation warrants investigation and, if so, who should conduct the investigation.

In some cases in the US, the decision to commence an internal investigation is prescribed by statute. Section 10A of the US Securities Exchange Act of 1934, for example, requires a registered public accounting firm to take certain actions when, during the course of an audit, the auditor becomes aware of information that indicates that an ‘illegal act’ may have occurred (regardless of whether that illegal act is perceived to have a material effect on the issuer’s financial statements)1. In these circumstances auditors generally require the company to investigate the potential illegal act and then the auditors assess, pursuant to Section 10A, whether the company has taken ‘timely and appropriate remedial actions.’2 In Hong Kong, however, there is no statutory requirement for a company to conduct an internal investigation even when there is suspicion of wrongdoing. This means that the decision to commence an internal investigation is entirely at the discretion of the company. In reality, however, many companies choose to conduct internal investigations when they discover potential breaches so that they can assess their exposure ahead of formal investigations by the regulatory bodies, and ensure that directors and senior management discharge their fiduciary and professional duties to the companies.

Investigations can be disruptive and expensive and resources are limited. While the need to investigate in some situations is obvious, in some situations determining whether to conduct an investigation, and how that investigation should be conducted, are judgment calls. Some factors to consider in making these determinations include:

  • the seriousness of the allegations, including whether the alleged misconduct violates criminal law or company policy
  • whether the alleged misconduct involves senior management or board members
  • the company’s potential exposure if the allegations are true
  • the possibility for additional, future violations, or the possibility that the violations are continuing
  • whether the alleged misconduct implicates a potential health and safety risk to employees or others
  • whether the alleged misconduct calls into question any prior internal control or financial certifications provided by executive officers and whether the alleged misconduct prevents such officers from truthfully executing future certifications
  • the likely response of the company’s auditors to the alleged misconduct
  • whether there is a parallel government investigation or whether such an investigation is likely to occur
  • whether the company’s audit committee charter, code of conduct, or other policies mandate or encourage an investigation
  • whether the issue must be reported to regulatory officials
  • the extent to which the company may receive credit from enforcement officials for conducting its own investigation
  • the possible impact on any pending or potential civil litigation.

Consideration should also be given to whether the company has a history of similar incidents, since such history raises the likelihood of regulator intervention.3 If a complaint cannot be objectively dismissed as frivolous, the following scenarios often warrant some type of formal internal investigation:

  • a subpoena from a government agency or regulatory authority, such as the US Department of Justice (US DoJ) or the US Securities and Exchange Commission (US SEC), or a notice from the Hong Kong ICAC or the Hong Kong SFC, which suggests that the company and/or its employees are the focus or subject of an inquiry
  • a shareholder demand letter
  • issues raised by an external auditor
  • an internal report, such as through an ethics hotline, raising serious allegations involving senior management.

The likelihood of litigation or a separate regulatory investigation usually weighs in favour of initiating an internal investigation. A prompt and thorough investigation gives the company the opportunity to get ahead of a separate investigation by the regulators and gather the facts it needs to appropriately respond. In some Asian countries, such as Hong Kong, if the findings arising from the internal investigation suggest that there has been misconduct on the part of the company and/or its employees, the company will need to consider whether to self-report to the relevant regulator since failure to do so may result in severe penalties.

Determining who supervises the investigation

The decision of who should supervise the investigation, like the decision of whether to conduct an investigation, is highly contextual. Many investigations can be properly handled by a company’s own employees. Many larger companies, for example, have highly skilled legal and other staff dedicated solely to conducting such investigations.

In some situations, however, management should not be in charge of the internal investigation. If the alleged misconduct involves senior management, for example, or if the corporate entity itself is the focal point of a government investigation, the board should consider delegating the task of overseeing the investigation to an independent committee of board members who are not implicated in the alleged wrongdoing (such as the audit committee or a board committee consisting of non-executive directors formed specifically for the investigation, which very often will engage separate independent counsel for advice). If management is perceived as influencing the investigation, the investigation may not be afforded credibility by regulators. Further, if the investigation involves public company accounting or other disclosure issues, the company’s outside auditors may insist that the investigation be conducted by independent board members and independent outside counsel.

Assembling the right team

Internal investigations are often handled with the assistance of outside counsel, who may have expertise concerning the laws at issue and experience with the interested government agency or regulator.

There are, however, significant costs that come with hiring a separate outside law firm to conduct an investigation. In addition to outside counsel, consideration should be given at the outset to potential experts, such as forensic accountants, needed to assist counsel. These experts should usually be retained in such a way as to ensure legal privilege is protected, and such experts should sign retention agreements that make clear their engagement is intended to facilitate the provision of legal advice.4

Preparing an investigative plan and defining the scope of the investigation

Once the company determines who will supervise and conduct the investigation, the investigative team should prepare an investigative plan that defines the scope of the investigation. Preparing an investigative plan helps keep the investigation on schedule and on budget and may help identify potential pitfalls along the way. If a government agency or regulator is involved or is likely to become involved, a thorough plan may assist the company in showing that the company treated the allegations seriously and responded appropriately.

The scope of the investigative plan will often track the principal allegations of wrongdoing. The investigative team, however, should be mindful of related conduct that is likely to be of interest to the regulators. For example, many regulators will demand specific investigation into whether board members knew of the alleged misconduct or should have known of the alleged misconduct. One example of this often occurs in accounting investigations conducted by the relevant regulators. The relevant regulators may probe the basis for previous representations made by the company’s directors in its financial statements as to any irregularities (for example, bribery conduct or inaccurate accounting records) or adequacy of internal controls.

The investigative plan should generally include an assessment of which company operations and employees are potentially involved and what jurisdictions will be the focus of the investigation. It may also be useful to provide an overview of what documents and data will be reviewed, who will be interviewed, and which financial records will be targeted in any forensic audit component of the investigation. A plan also helps to identify data privacy law and state secrets issues in countries that prohibit the collection of certain types of data, or impose restrictions on transferring data across borders. Short preliminary interviews are often useful to identify the universe of relevant documents, reporting structures, roles and responsibilities, and IT practices and infrastructure.

If counsel retains experts, rules should be established to ensure that communications to the client will involve counsel to maintain legal advice privilege or attorney-client privilege, and if litigation is in contemplation, litigation privilege. In addition, experts should not interview any witnesses separately without counsel. Counsel should be present at witness interviews to explain who counsel represents, whether the legal advice privilege (or attorney-client privilege) applies, whether that privilege may be waived, and who has the authority to waive that privilege. Although these so-called ‘Upjohn warnings’ are well understood by most lawyers, there is always the risk that officers and employees will assume that company counsel is acting on their behalf. To counter this assumption, and to ensure that employees are properly protected, many companies will allow or even encourage employees to retain separate independent counsel and reimburse the employees for the legal costs arising from their engagement in the internal investigation. If the company is already cooperating with government authorities and there is an agreement in place that the company will share the substance of interviews, which sometimes occurs in the US, counsel should advise interviewees that waiver of the privilege is likely, probable or certain—whatever the case may be.

Privilege considerations

Following the English Court of Appeal’s decision in Three Rivers District Council v Governor and Company of the Bank of England (No 5) [2003] QB 1556 (Three Rivers (No 5)), some common law jurisdictions, in which English cases are binding or persuasive, have adopted the position that legal advice privilege only applies to communications between a limited group of employees within a company entrusted with the handling of a particular investigation (for example the legal department) and the company’s external legal advisers. In Three Rivers (No 5), it was held that any communications between employees outside that limited group (and hence, a non-client according to the English Court of Appeal) and the external legal advisers were not privileged notwithstanding that they were created for the sole or dominant purpose of obtaining legal advice. This issue was recently re-visited by the Hong Kong Court of Appeal in its decision in Citic Pacific Ltd v Secretary for Justice and another [2015] HKCA 293. In that case, the Hong Kong Court of Appeal declined the restrictive approach adopted in Three Rivers (No 5) in identifying the ‘client’ and held that for the purpose of considering whether legal advice privilege applies to a particular document, one should apply the dominant purpose test, i.e. whether the document was created with the sole or dominant purpose of obtaining legal advice, rather than focusing too much on whether or not the particular employee of the company creating/sending the document should be considered as a ‘client’.

Potential waivers of the attorney-client privilege may arise from sharing information with the individuals whose conduct is being investigated; sharing information with auditors; or sharing information with the government. Credit for cooperation with the government, however, does not require waiver of the privilege. In 2008, the US DoJ changed its Principles of Federal Prosecution of Business Organizations, which now state:

‘Eligibility for cooperation credit is not predicated upon the waiver of attorney-client privilege or work product protection. Instead, the sort of cooperation that is most valuable to resolving allegations of misconduct by a corporation and its officers, directors, employees, or agents is disclosure of the relevant facts concerning such misconduct.’5

This marks a notable change from the policies in the Thompson Memorandum issued in January 2003 which guide the US DoJ prosecutors when they make a decision as to the proper treatment of a corporate target. Pursuant to the Thompson Memorandum, in conducting an investigation, determining whether to bring charges, and negotiating plea agreements, prosecutors should consider, amongst other matters, the corporate target’s willingness to cooperate in the investigation of its agents, including, if necessary, the waiver of corporate attorney-client and work product protection. The US SEC has similarly articulated that legitimate privilege assertions should not preclude cooperation credit.6

5 US Attorney’s Manual, Principles of Federal Prosecution of Business Organizations, §9-28.720.

The investigative team may be well served to expressly inform any interviewees that one of the purposes of the interview is to obtain information to provide the company with legal advice. In United States ex rel. Barko v Halliburton Co., a company started an internal investigation based on allegations that it had overbilled the federal government for work by Iraqi subcontractors.7 After the company received allegations of the overbilling, non-lawyers in the compliance department conducted interviews and sent reports to the legal department pursuant to the company’s Code of Business Conduct.8 In subsequent civil litigation, a court held that eighty-nine documents from the investigation were not privileged because the investigation was ‘undertaken pursuant to regulatory law and corporate policy rather than for the purpose of obtaining legal advice.’9 The court noted that the interviewed employees were not notified that the purpose of the interview was to assist the business in obtaining legal advice, and concluded that this fact further supported the view that the ‘purpose of the investigation was for business rather than legal advice.’10

The Court of Appeals for the DC Circuit granted mandamus relief, holding that the documents were protected by the attorney-client privilege because a ‘substantial purpose’ of the investigation was to obtain legal advice.11 The Court found that the company’s claim of privilege was ‘materially indistinguishable’ from the claim sustained in Upjohn v United States, 449 US 383 (1981), the landmark Supreme Court case holding that the attorney-client privilege protects confidential employee communications made during a company’s internal investigation led by company lawyers. Although the company obtained relief at the appellate level, it is noteworthy that the District Court had already revealed the substance of some of the privileged documents in its earlier opinion. The decision serves as a reminder that if a company intends for its investigation to be covered by the attorney-client privilege, care should be taken to show that the investigation is being conducted under the supervision of lawyers for the purpose of providing legal advice and is not a routine compliance function.

Pointers to avoid potential missteps

Internal investigations involve a number of judgment calls, and the reactions to those judgment calls by interested parties such as government agencies, regulators, auditors, and shareholders are not always predictable. Nevertheless, the following are a few pointers to address issues that often arise during the course of internal investigations:

Identify, preserve, and collect relevant information early and document this process

Relevant information often includes data other than email and hard copy documents. It can include items such as telephone records, text messages, instant messages, shared network files, backup data, internet search histories, databases, voicemails, and other data that may only be accessible through a forensic examination of a device.

Adhere to the agreed upon investigative structure unless a formal decision is made to change it

If, for example, investigative counsel is reporting to the Audit Committee, the General Counsel should not direct the activities of investigative counsel.

Act on allegations of wrongdoing promptly

A company is usually well served by gathering the facts and determining an appropriate response quickly. For example, the company may need to take action to stop the potential wrongdoing as quickly as possible, and it may be in the company’s interests to self-report a potential violation if it is mandatory and before the relevant regulator learns about it through other means.

Set a realistic time frame for completion

While companies should move swiftly to investigate allegations of misconduct, they should also set realistic timelines for completion.

Develop a clear plan prior to embarking on a substantial data review project

Even in situations where timing is critical, the investigative team is often better served by spending time up front planning any data review. Launching into a data review without a clear plan may cause the reviewers to miss relevant information, review irrelevant information, and create more issues (and expense) in the long run.

Carefully plan the interview process

Interviews are stressful for employees and multiple interviews of multiple employees will damage employee morale. Where feasible, review all relevant information prior to conducting interviews to reduce the chance of multiple sessions. Allow or encourage employees to retain separate independent counsel. Avoid conducting interviews alone and carefully document the information provided. It is important to get answers to all relevant questions, but it is also important to be polite. Keep in mind that it is not uncommon for whistleblowers to claim that a confrontational interview itself is retaliatory conduct in violation of a whistleblower statute.

In some circumstances privilege waivers are appropriate, but such a waiver should usually be approved by the board in advance and efforts should be made to avoid unintentional waivers.

Pay attention to various interested constituencies during the investigation

It is often important to communicate with various constituencies other than the client through the course of an investigation. Outside auditors, for example, should normally be kept in the loop on procedural steps the company is taking to investigate any accounting issues since the auditors will need to be comfortable with the findings. Similarly, if the investigation starts with an internal complaint, consider communicating with the complainant. If the complainant is aware that the company is conducting a thorough and independent investigation, the complainant may forgo reporting externally.

Be sensitive to data protection and state secrets laws in other jurisdictions

Many countries often have data privacy or state secrets laws intended to protect company employees and sensitive information. Consult with a local practitioner prior to collecting or reviewing data to ensure that data privacy and state secrets laws are being complied with.

Know your regulator

Different government agencies and regulators have differing views on what constitutes an effective investigation and what constitutes appropriate remedial action. Consider which government agencies or regulators are likely to be involved and consider retaining professionals with direct experience working with these bodies.


What term refers to the individual who has the power to conduct digital forensic investigations?

A digital forensic investigator is defined as a cybersecurity professional who aids law enforcement and judicial processes in crime-solving through digital evidence and aids in cybercrime investigations.

What is the role of an authorized requester?

Authorized Requester means a person authorized in writing by a Department Head to request the purchases for City programs and projects with which the person works.

What are the steps involved in corporate high tech investigation?

  • Identify the risks.
  • Mitigate or minimize the risks.
  • Test the design.
  • Analyze and recover the digital evidence.
  • Investigate the data you recover.
  • Complete the case report.
  • Critique the case.

Which group often works as a part of a team to secure an organization's computers and networks?

A computer security incident response team, or CSIRT, is a group of IT professionals that provides an organization with services and support surrounding the assessment, management and prevention of cybersecurity-related emergencies, as well as coordination of incident response efforts.