The proliferation of internal investigations: a new challenge for Compliance Officers
Several trends are leading companies to increase the frequency of their internal investigations. Soon, internal investigations will no longer be the exception, but the rule.
The Compliance Officer must be prepared for this development which has three important consequences on: i) the confidential status of any information collected, ii) the protection of staff and iii) the credibility of the CCO and his or her compliance program.
More internal investigations
Four trends point to a sustained increase in internal investigations.
In the first instance, there is a marked growth in legal requirements for controls. American authorities have always believed that an anti-corruption compliance program should be designed for both the prevention AND detection of corruption. Following their example, many other jurisdictions have followed suit and consider that anti-corruption compliance programs must detect corruption: Spain (July 2015 law), Brazil (law of September 2015), France (Sapin II law of December 2016), Mexico (law of June 2017).
Secondly, this legal obligation has been reinforced in several countries by the adoption of policies which encourage corporates to self-report acts of corruption. Since the first official adoption of deferred prosecution agreements by the US (DoJ in 2008 and SEC in 2010), a number of countries has encouraged companies to cooperate with authorities by offering either reductions in sanctions or even exemptions from prosecution: United Kingdom (2014), France (2016), Japan (2018), Canada (2018), and a deferred prosecution agreement scheme was proposed in Australia in March 2017. By extending and reinforcing the FCPA Pilot program in 2018 the US DoJ has demonstrated its political will to continue this strategy of corporate voluntary disclosure.
Thirdly, the proliferation of corporate alert or whistleblowing systems has resulted in an increase in internal investigations as every suspicion of corruption raised through these processes must be addressed. The need for a formalized alert system is a significant development for companies who must ensure its design and implementation in order to respect both an increasing number of national legal obligations on the subject as well as the demands of a civil society which is expects more and more transparency in business practices.
Finally, the development of more user-friendly data mining tools to facilitate companies’ ability to execute in-depth controls at a reasonable cost constitutes the fourth reason for which there has been and will continue to be a rise in internal investigations.
Preparing a company for an increase in internal investigations
An increase in the number of internal investigations brings with it a challenge for the company, one which must be anticipated by the Compliance Officer in order to benefit from the law while minimizing any adverse effects on the company. A well-managed internal investigation can result in a reduction in fines for the company or, at the very least, demonstrate the company’s commitment to corruption prevention in countries where the national legislation does not include the possibility of fine reduction. That said, an internal investigation is always a difficult moment for the company. Moreover, a poorly executed internal investigation can have heavy consequences.
In my view there are three elements to consider when organizing an internal investigation: the confidentiality of data, the rights of employees, and the efficiency of the anti-corruption compliance program.
The first challenge involves the confidentiality of data collected during an internal investigation
In 2018, there was a decision on the issue of legal privilege in the United Kingdom which is of interest. Specifically, a company in the process of self-reporting to British authorities saw the request by prosecutors to seize documents internal to the investigation confirmed by a court. It was argued that staff interviewed by an outside law firm were not considered clients of the firm, but witnesses. Thus, reports or accounts of the staff interviews were not considered confidential.
Fortunately, in September 2018, the Court of Appeal of England and Wales overruled the first court’s decision and made three recommendations. For documents generated during an internal investigation to be covered by legal privilege it is necessary to:
⁃ Identify clearly in the letter of engagement with any outside law firm who is considered the firm’s client and include employees and, in some cases, even third parties who work for the company;
⁃ Ensure that investigators including outside consulting investigators or forensic specialists work under the legal responsibility of a lawyer;
⁃ Identify explicitly all documents which will be considered covered by legal privilege.
These recommendations are relevant beyond British borders and should be considered by any company launching an internal investigation.
The second challenge involves protecting staff involved in the internal investigation
The issue of employee protection is not new to corporate America as there is a long history of conducting these kinds of investigations. It is, however, relatively new for most other jurisdictions.
When corporate investigations are carried out by external law firms it is not always clear to employees that the lawyers are there to defend the company’s interests and not necessarily those of the employee. Therefore, it is important for employees to understand that anything they say can be held against them later. The subject was treated by the US Supreme Court in 1981 when it overturned a Court of Appeals decision that attorney-client privilege did not apply to communication between a company’s middle management officials and the company’s attorneys. The case concerning the Upjohn company gave rise to a procedure called an "Upjohn warning," in which a company's lawyer explains that he represents the company and not the individual employee with whom he or she is dealing.
Explaining and applying the Upjohn warning procedure facilitates employee acceptance of the internal investigation procedure and brings me to the third challenge of internal investigations.
The third challenge is linked to a potential loss of credibility for the Compliance Officer involved in the investigation
Anti-corruption compliance programs are often designed to both prevent AND detect corruption. Detection is of course important – it is often neglected – but its importance is secondary. The first goal of an anti-corruption compliance program is to prevent corruption to ensure that the company is never faced with an allegation of bribery. The issue of control or detection is secondary as its primary goal is to reinforce the preventative capabilities of the program.
An effective anti-corruption compliance program is one which creates confidence between employees and the compliance team. I have often said that the imagination of one who is intent on corrupting will always be stronger than even the best corruption prevention program. It is by demonstrating that he is there to support sales staff in their transactions that the Compliance Officer will gain the ear and respect of the commercial teams. In addition, the commercial teams will not hesitate to reach out to the Compliance Officer when confronted with complex situations requiring a positive and compliant solution.
If – later – the Compliance Officer conducts an internal investigation, he will be viewed as having betrayed the confidence bestowed on him by staff. The Compliance Officer can assist in the definition of the parameters of an internal investigation, including data protection and employee rights; however, he should in no way be involved directly. The actual investigation should be assigned to a department separate from compliance: the legal department if Compliance is not part of it or audit, internal control, inspectorate general…... To involve the Compliance Officer in the investigation is to ruin his credibility and the credibility of the anti-corruption compliance program.
This said, it is the responsibility of the Compliance Officer to make clear that there will be systematic internal investigations when and where warranted. He can reassure employees by explaining that appropriate measures are in place to protect both the company and its staff. In this way he will be able to maintain the relationship of confidence with staff so necessary for a successful anti-corruption compliance system.