Cross-jurisdictional communication: how to handle challenges posed by enforcement authorities’ different approaches
Global authorities are adopting an increasingly collaborative approach to their investigations into corporate wrongdoing. This presents both challenges and opportunities for companies under investigation, and a comprehensive cooperation and disclosure strategy will be key. In the second of three articles examining the cross-jurisdictional approach to corporate accountability, we examine how to best handle the different approaches to investigations practised by enforcement authorities in key jurisdictions.
Self-reporting – yes or no?
Outside of any mandatory reporting obligations, a key question for firms is whether voluntarily to report the relevant conduct to the enforcement agencies. Any decision to self-report will require a careful assessment of the risks and benefits in light of the relevant facts and best interests of the company.
The primary benefit of self-reporting is the possibility of avoiding criminal charges or regulatory enforcement proceedings or, at a minimum, achieving a reduction in the penalties/fines that may otherwise have been imposed. In this context, many enforcement agencies have created policies that encourage self-disclosure. In the United States, the Department of Justice (“DOJ”) operates a self-disclosure policy under which the DOJ will generally decline to prosecute entities that self-report and cooperate with the DOJ’s investigation, provided the company has implemented remedial measures and there are no aggravating factors. Equally, in the UK, the Serious Fraud Office (“SFO”) has published policies relating to self-reporting and the cooperation it will expect, for example, in the context of achieving a DPA. In Singapore, conversely, a failure to report offences may even constitute a criminal offence. However, like the UK and US, Singapore authorities often place significant weight on self-reporting and cooperation during the course of an investigation when deciding whether to prosecute entities. The Consumer and Competition Commission of Singapore, for example, has published guidelines under which companies that self-report stand to benefit from total or partial immunity from financial penalties.
Self-reporting – where and when?
Where the relevant misconduct crosses jurisdictions, companies considering potential reports to multiple enforcement agencies may benefit from determining which of them is likely to enjoy primacy and inviting the other regulators to coordinate their own investigations with that of the lead authority, to reduce time and expense.
Determining the timing of any self-reporting can be a challenge. Prematurely self-reporting could harm the company; if it self-reports when further investigation would have revealed that the issue is narrower or less problematic than initially understood, this could subject the company to unnecessary scrutiny from enforcement authorities. However, if the company is the first to report the misconduct, the information may be more valuable and therefore more highly appreciated by the authority than if revealed later.
Cooperation with authorities
There is generally a recognition that firms will have to undertake preliminary enquiries to establish the nature and extent of a problem and those accountable, before they self-report. In the UK, the current director of the SFO, Lisa Osofsky, has made it clear that organisations will want, and need, to take some investigative steps to establish what has happened before self-reporting. The SFO’s recent “Corporate Cooperation Guidance” appears to reflect this approach, stating that organisations should “report within a reasonable time of the suspicions coming to light” while “preserving available evidence and providing it promptly in an evidentially sound format”, suggesting that companies can launch an internal investigation before self-reporting.
On the other hand, some regulators will prefer firms to investigate everything thoroughly and hand the results to them. Ultimately, there is no right answer; the assessment will vary from case to case and depend on the regulator involved.
The nature and extent of the cooperation may also affect the likelihood of any reduction in penalties according to the policies of the regulatory bodies involved. For example, in the US, there is a presumption that the government will decline to prosecute companies that meet the DOJ’s standard of “voluntary self-disclosure,” “full cooperation,” and “timely and appropriate remediation.” To receive cooperation credit, the DOJ’s current guidance requires companies to provide information about the “individuals substantially involved in or responsible for the misconduct”, make available for interviews company officers and employees who possess relevant information and disclose all relevant facts gathered during a company’s independent investigation, even when not specifically asked to do so.
Other enforcement agencies have also issued guidance on this issue. The SFO’s Corporate Co-operation Guidance sets out what it considers to be appropriate cooperation, focussing on the steps companies need to take to assist the SFO with its investigation and including the timing and extent of self-reporting. Similarly, the Hong Kong Monetary Authority and the Securities and Futures Commission have released guidance notes setting out what would be considered to be cooperation – including early and voluntary self-reporting and taking a proactive approach to assist investigations.
Preserving claims to legal privilege is an essential consideration when conducting a cross-border investigation. Privilege will usually apply to confidential documents that were made for the purpose of giving or obtaining legal advice and it belongs to the person to whom the legal advice was given. However, privilege can be lost if the document is no longer confidential or if the privilege is waived by the person to whom it belongs.
The rules relating to privilege, disclosure and waiver can vary widely from one jurisdiction to another – disclosure of privileged material in one jurisdiction may amount to a waiver of privilege over that material in another. It is important, therefore, to consider preserving privilege over sensitive documents or information throughout the investigation, to prevent them being disclosed to authorities or other third parties. In the context of cross-border investigations, it will be critical to ensure that local advice is sought and a coordinated approach is taken to preserving privilege as far as possible, taking into account the various jurisdictional rules.
The fact-finding process is inevitably more difficult in cross-border investigations. Adopting a comprehensive, systematic and logical approach is critical and care must be taken to ensure that applicable data protection regulations are not breached. This particularly relates to the collation, review and disclosure of personal information and the transfer of personal data to regulators or enforcement agencies outside the jurisdiction.
Data privacy issues have recently been a hot topic in many jurisdictions. In the United States, for example, the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act) was recently enacted to make explicit that U.S. enforcement agencies could subpoena data stored on overseas servers by companies that are subject to the jurisdiction of the United States. The CLOUD Act also included provisions permitting the United States to enter into agreements with other countries regarding the production of information stored overseas.
Pursuant to the Cloud Act, on 3 October 2019, the UK and US entered into a bilateral data access agreement which, in essence, allows law enforcement, when armed with appropriate court authorisation, to go directly to tech companies or communication service providers based in the other country to access electronic data. Additional bilateral agreements are anticipated, including between the US and Australia, who recently announced that they have begun negotiations on such an agreement.
Coordinated settlement approach
A key concern for a company faced with investigations in multiple jurisdictions will be to achieve finality by reaching one global settlement with all potential enforcers at the same time. When negotiating settlement in a cross-border case, it is therefore desirable to coordinate discussions with the “competing” authorities in the different jurisdictions. This way a company can also try to ensure, as far as possible, that the risk of double disgorgement and/or punitive measures is minimized.
The different approaches to investigations demonstrated by authorities across the globe can give rise to significant challenges for any organisation facing enforcement action in more than one jurisdiction. When external and unexpected developments are added to the mix, a comprehensive strategy for responding will be key. In our third and last article in this series, we will examine the impact of recent developments, including the global pandemic and US elections, on the international enforcement arena.
This article first appeared in Thomson Reuters Regulatory Intelligence here.