The new edition of Global Investigations Review’s Guide to Sanctions includes the latest information and expert commentary on sanctions and export control regimes around the world, compliance programmes, and sanctions in practice. David Savage has once again written the EU Sanctions Enforcement chapter of the guide.

In this second part, David explains investigations of suspected breaches, requirements for reporting and legal professional privilege. The full GIR Guide to Sanctions is available here.


Investigating suspected breaches

In-house counsel, senior compliance officers, C-suite executives and directors are expected to understand their business to the best of their ability, including any potential exposure to sanctions. For those working in multinational organisations, this can be a particular challenge. It is imperative, therefore, for senior directors and officers to understand the business areas that are more explicitly exposed to the risk of sanctions breaches. This can only be fully recognised following the implementation of a robust risk assessment framework, including mediation of identified issues.

However, even the strongest systems and controls framework will invariably have weaknesses. Potential breaches of sanctions can arise in a myriad of ways. Transaction monitoring systems within financial institutions may identify potential matches with specially designated nationals, sectoral sanctions identifications, and entities and individuals designated by the EU, that require investigation by monitoring teams. These investigations may be straightforward or complicated, depending on the nature of the ‘hit’. More complicated will be investigations when it is not the system that has identified the potential issue, but rather identification is by way of a whistle-blower or as part of ‘business as usual’ continuing monitoring, thereby indicating potentially active deception and obfuscation by clients and, in some cases, employees.

What is required in terms of an investigation will vary depending on the initial issues identified and the manner in which the investigation unfolds. However, key considerations at the outset of an investigation may include the following:

  • investigation committee: well-run investigations will normally be directed by a central investigation committee, separate from the board, that can control the focus and progress of investigatory work. Depending on the nature of the investigation, the committee may require input from various departments, including legal, financial crime, compliance, information technology, risk, human resources (HR) and operations, as well as a representative of the board;
  • scoping: the scope of the investigation should be ascertained from the outset. The size and scale of any investigation will depend on a number of factors, including the potential severity of any suspected breaches of sanctions and the efficacy of the systems and controls framework within which those potential breaches occurred. Investigations that are flexible in terms of scale tend to be the most effective;
  • regulatory exposure: it is important to identify which regulators in which jurisdictions would expect to be notified of the potential or actual issue. By considering this from the outset, the terms of reference for the investigation will take cognisance of regulatory expectations, which may be gleaned from guidance, judgments or enforcement actions publicised by the relevant competent authority. When considering the regulator to which a report may need to be made, corporates should consider, inter alia, their place of registration, jurisdictions with a corporate presence, the place or places where the misconduct occurred, and the nationality and location of members of staff and clients linked to the conduct;
  • potential penalties: the nature of the potential exposure to the company and any implicated individuals is obviously key. This exposure may include civil and criminal penalties, the imposition of monitors on the business, reputational impact, potential for additional scrutiny from other regulators, and costly systems and controls remediation;
  • internal and external communications: communications, both internal and external, should be drafted and implemented from a central point and all external communications should be reviewed by legal counsel;
  • independent legal advisers (ILAs): for larger-scale investigations, consideration will need to be given to the provision of ILAs for those in the spotlight or those whose interests will not necessarily align with those of the company;
  • document preservation: document preservation protocols should be implemented and, where applicable, automatic deletion of documentation protocols suspended to ensure key evidence is not destroyed. Staff being investigated should be notified of document preservation requirements;
  • HR issues: consideration of employee suspension and, potentially, termination may be required; and
  • regulatory reporting: at the appropriate time, it will be important to consider whether there is an obligation to report to regulators, or whether it would be in the company’s interests to voluntarily self-report. In the former case, there may be agreements, statutes, regulations or other legal requirements that mandate some form of disclosure by the company. In the latter, providing a voluntary self-disclosure may result in a reduced penalty. In either event, it is important to note that many regulators now have open lines of communication with their foreign counterparts. It should be assumed, therefore, that disclosure to one regulator will result in information being passed to other regulators throughout the world. Reporting is considered further in the next section.


Reporting, professional secrecy and legal professional privilege

Regulatory reporting

There are two distinct reporting requirements in respect of EU sanctions. The first is a general obligation that applies to everyone and requires that natural and legal persons supply their competent authority as soon as practicable with information that would facilitate compliance with the regulations. The second is a more targeted obligation that applies to specified businesses and professions. Those businesses will vary in each jurisdiction, as will the penalties for failing to comply with the reporting expectations. The manner of reporting varies from jurisdiction to jurisdiction.

Examples of information that might be reported from the perspective of a financial institution include:

  • the reason for the report;
  • full details regarding the customer, including name, account name, account numbers and sort codes, bank details, residential or company address, date of birth and nationality, where known;
  • full details of the remitter or beneficiary (or both), which may be available from, for example, the SWIFT These details may include account names, account numbers and sort codes, bank details, nationalities of payers, and dates of birth, where known;
  • any other information that may be available from the transfer message, which may include references, dates, goods involved, amounts and currencies;
  • intermediary information, which may include the intermediary’s role in the transfer, names, date of birth, company registration information, country of operation or nationality, address or location, account name, account number and sort code, and bank details, where known;
  • ultimate beneficiary information, which may include name, account name, account number and sort code, bank details, residential or company address, date of birth and nationality, where known;
  • the amount of funds in question;
  • the quantity of any funds or economic resources held on behalf of the customer;
  • a breakdown of the prior transactions on the account;
  • the nature of the investigation undertaken and any relevant findings and remedial action;
  • if reporting a breach, details of the breach; and
  • the sanctions regimes to which the report relates.

Certain EU regulations, including, for example, Council Regulation (EU) 2017/1509, which addresses the destabilising conduct of the Democratic People’s Republic of Korea (DPRK), require that credit and financial institutions ‘promptly report any suspicious transaction, including attempted transactions’ and notify their local financial intelligence unit ‘where there are reasonable grounds to suspect that funds could contribute to the DPRK’s nuclear-related, ballistic-missile-related or other weapons of mass destruction-related programmes or activities (“proliferation financing”)’. EU corporates must have a thorough understanding of their reporting requirements, therefore, both under the relevant regulations and pursuant to domestic requirements.


Professional secrecy and legal professional privilege

Notwithstanding the existence of reporting requirements, organisations are not required to provide any information to which professional secrecy or legal professional privilege attaches.

In common law systems, legal professional privilege and confidentiality are a fundamental feature of the rule of law. Documents are normally considered to be privileged if they contain confidential information supplied by a client to his or her lawyer, or advice supplied by the lawyer to the client. When litigation is reasonably in contemplation, the scope of privilege may be extended to third-party communications.

In civil law systems, professional secrecy requirements can vary. For example, in France, a relatively new rule, Article 226-13, in the Criminal Code concerning professional secrecy no longer mentions a specific profession: ‘The disclosure of secret information by a person entrusted with such a secret, either because of his position or profession, or because of a temporary function or mission, is punished by one year’s imprisonment and a fine of €15,000.’ In Germany, however, the obligations of professional secrecy stem from both the German Criminal Code and the law regulating the legal profession. Section 43a of the Federal Lawyers’ Act provides:

‘A Rechtsanwalt has a duty to observe professional secrecy. This duty relates to everything that has become known to the Rechtsanwalt in professional practice. This does not apply to facts that are obvious or which do not need to be kept secret from the point of view of their significance.’

It should be noted that certain jurisdictions do not consider that in-house counsel are able to assert professional secrecy over documents. This is something that should be considered by in-house counsel (or externally instructed lawyers) during any sanctions investigation.

Whenever sanctions issues are identified, and it is considered either necessary or appropriate to report to regulators, issues of professional secrecy and legal professional privilege will need to be considered, both in respect of historical documentation and documentation created as part of any investigation that is undertaken. Key considerations may include the following.

  • In respect of historical documentation, for what purpose the document was created. Were legal counsel involved in the creation of the documentation? Was litigation reasonably in contemplation at the time the documentation was created?
  • In respect of investigation-related documentation, whether lawyers are involved in providing advice or receiving information designed to inform any advice they give. Are lawyers providing legal advice or are they, in fact, providing commercial advice? A single document can include both. If third parties are involved (e.g., forensic accountants), is litigation reasonably in contemplation? If so, communications with, and documents created by, the third parties may also be covered by professional secrecy or privilege. When interviewing employees, does your jurisdiction consider the work-product to be covered by professional secrecy rules or privilege?

The decision as to whether to claim privilege or rely on professional secrecy when dealing with regulators is of the utmost importance. In general, regulators will expect companies to be entirely frank with them regarding the conduct in question, and the steps undertaken to investigate the issue. Asserting professional secrecy or legal privilege when communicating with regulators may raise doubt as to the scope of the investigation undertaken and the conclusions reached. In certain cases, this could affect any potential discount that may be applied to penalties issued by the regulator.


