The global Covid-19 pandemic has created a multitude of challenges for companies and has forced the vast majority of us to work in ways which, even a few years ago, would not have been possible or practical. With this global uncertainty comes an increased compliance and financial crime risk. David Savage, a partner in our Financial Crime team, looks at some of the key considerations when conducting an internal investigation remotely.
As organisations respond to the Covid-19 pandemic by adapting to new working practices, restructuring their business and consolidating their operations, the scope for fraud and misconduct increases. Obvious potential exposure includes increased scope for insider dealing, invoice fraud and money laundering. Therefore, it hardly comes as a surprise that internal investigations continue at pace, and regulators are focusing their efforts on Covid-19 linked issues.
Internal investigations have, over recent years, become part of the DNA of organisations. Throughout the world, regulators now expect companies to conduct such investigations efficaciously and with haste, focusing on the key issues and reporting where required or desirable. Indeed, since the pandemic gripped the world, the majority of regulators (with some notable exceptions) and government prosecutors have continued to investigate corporate wrongdoing, often working in collaboration with corporates and their instructed legal representatives.
The acceleration of home-working practices as a result of the pandemic has required in-house counsel and those in private practice to adapt promptly to agile working. Increasing numbers of organisations are hoping to utilise agile working to their advantage, meaning that for most legal practitioners part of their working week will now be spent at home. This means the way in which we operate needs to adapt, particularly in the case of the conduct of internal investigations. To add to the uncertainty, there is an almost constant stream of updated guidance from regulators.
We set out below our key observations and guidance in relation to conducting internal investigations remotely.
Investigation planning
As a result of the pandemic, additional consideration and care must be taken at the investigation planning stage. While traditional considerations will still apply (including the constitution of the investigation committee, reporting lines, engagement of external counsel, identifying both potential regulatory and jurisdictional exposure and the objective of the investigation), it is now imperative to consider additional requirements and nuances. The conduct of interviews, document retention, collection and review, and the presentation of findings, whether to a board or a regulator, will all need to be considered with caution.
The scope of the investigation, which should not be unnecessarily broad and must be articulated with sufficient clarity to minimise potential investigatory slippage, will necessarily be informed by the trigger event, whether that be, for example, a whistleblowing report or a response to an enquiry from a regulatory authority. Whatever the trigger, a properly scoped investigation will respond to that trigger event and, depending on initial findings, adapt as required.
One of the main considerations will be whether to proceed with the investigation or postpone it. Regulators, including the Financial Conduct Authority and Serious Fraud Office, have recognised the impact of the pandemic on the operation of businesses, including financial crime systems and controls; expectations have been recalibrated accordingly. If a matter is of critical importance or is mandated by a regulator, then the investigation should proceed without delay. Investigation time frames should be pragmatic and take into account the global situation.
Document imaging and retention
Data collection (or imaging) can, for the most part, be undertaken as normal, because the majority of businesses now store data in the cloud. Collection will normally involve forensic experts securing access to systems remotely or by remote supervision (screen sharing) or, in certain cases, ‘DIY’ collection, where the data custodian is sent a remote collection kit.
That said, remote working can present certain challenges for data preservation where there are devices that need to be imaged but are spread out geographically. Where it is considered necessary to image such custodian devices, this must be done safely and securely. Considerations include whether the device can be couriered, ensuring the chain of custody documentation is satisfied, and minimising the scope for data deletion or destruction by the custodian. Local employment and data privacy laws must also be factored into the equation, as should the possibility of an intransigent employee refusing to provide the relevant device.
When it comes to ‘bring your own device’ arrangements, companies and their legal counsel will need to consider the policies and procedures in place to govern the right to access not only the device but its various communication applications, including WhatsApp, WeChat, Skype, Zoom, Microsoft Teams, Google Chat, Facebook Messenger, etc. If such policies are not already in place, companies are advised to give this urgent consideration.
However data is captured, extra time will need to be factored into the process, and care must be taken, particularly if there are criminal or regulatory concerns, to ensure the data is forensically sound.
Hard copy documents must not be forgotten. If collecting these documents cannot be done in a Covid-19 compliant manner, consideration must be given as to how to secure the locations of the documents to prevent loss or destruction.
From the outset of the investigation, companies should be advised to issue document preservation notices to all relevant employees, contractors and third parties and suspend data deletion protocols in order to minimise the scope for inadvertent loss of data.
Document review
When working remotely, it is of paramount importance that the document review team, whatever the size, is fully apprised of the requirements of the task and that regular team meetings are held to discuss progress, concerns and observations, as well as consider revisions to the review methodology. Guidance documents should be drafted and updated, where appropriate, and circulated to the review team in a secure manner.
Where a review team is located in other (potentially multiple) jurisdictions, data privacy must be considered carefully. This is particularly important where review is undertaken using local servers, as this may be considered to be an export of data which could bring the documentation within the purview of foreign regulators.
Interviews
While Zoom, Skype and Microsoft Teams have been key in ensuring business continuity and maintaining team morale during the pandemic, legal counsel should give careful consideration as to whether to conduct interviews remotely (whether by video call or phone). While most video calling programs allow the interviewer to share documents online and ‘interact’ with the interviewee, it may be more difficult to ‘read’ an interviewee and assess their reactions and credibility by reference to body language and soft cues. Therefore, more attention should be paid to observing and noting physical and verbal reactions. It is also advisable to note whenever the interviewee turns from the camera, mutes their microphone, turns off their video or disconnects from the call, and to record the context of those actions to minimise potential arguments further down the line.
Often, the requirement for conducting interviews remotely will depend on the nature of the interview. If an interview is expected to be contentious, it may be advisable to defer holding it until the ability to control the environment, pace and access to material is a little easier. Conversely, if the interview is of a ‘fact-finding’ style and you do not consider that the interviewee is central to the issues under investigation, a video interview may well be appropriate.
Where interviews are conducted by video or phone, practicalities including security (‘Zoom bombing’ has become a significant concern during this pandemic) and clarity of the connection must be considered. Depending on the interview, interviewers should check that the interviewee is not unexpectedly accompanied in order to ensure that the interview is covered by legal privilege or professional secrecy rules. At present, this is best achieved by asking the interviewee to rotate their camera around the room, but even that is not infallible. Therefore, it is important either to ask the interviewee to confirm that they are alone or to have each attendee confirm their attendance verbally. Interviewers should also ask the interviewee to confirm that they are not recording the interview. Recording of interviews by the interviewer is also discouraged by regulators and should not be undertaken as a matter of course.
Internal reporting
When drafting any internal reports that may be required, careful planning is needed to ensure that team members in different locations are cognisant of their roles. All such documents should be marked as draft and privileged where appropriate, and security settings implemented to prevent distribution to those who should not see the document in question.
External reporting
When considering reporting to regulators or prosecutors, thought will need to be given to a method of providing both the report and the supporting documentation that minimises the potential for leakage. One solution may be secure file transfer protocol (“FTP”) sites, but consideration will need to be given to any relevant file size restrictions, as well as the ability of the receiving party to access the FTP site. As with data collection, regulators and prosecutors will be particularly interested to ensure that all metadata is correct.
Remediation
In the current environment, and depending on the nature of the investigation, it is important to consider the logistics of implementing systems and controls remediation. To that end, thought must be given to what requires immediate attention (for example, disciplinary action and the filing of suspicious activity reports to the local Financial Intelligence Unit) and what can be effected a little further down the line (for example, a review of procurement processes or third party relationships).
Conclusion
The ability to conduct investigations remotely presents an opportunity to significantly expedite the process, as well as minimise costs incurred in a ‘normal’ investigation by, for example, cutting down travel costs. The move to agile working will require significant focus on internal controls designed to ensure that investigations are undertaken correctly and efficiently. Technology will have a significant role to play in managing such requirements.