This article looks at the first few days of a financial services investigation and gives you a list of points to consider and action items. It draws on the author’s practical experience of investigations, prosecuting investigations and enforcement actions as Head of Enforcement for a major international exchange, running internal investigations, and defending financial services clients against investigations by the Financial Conduct Authority (FCA) and other enforcement bodies.
What has prompted the investigation?
The investigation may have arisen as a result of a notice from an external regulator, such as the FCA, or it may have arisen due to an internal issue, such as a risk, compliance or audit finding, or a whistleblower.
A first point to consider is, do I need acknowledge receipt? If internal, check the relevant internal policy (eg the whistleblowing policy). If external, respond in writing to the regulator. Suggest a sensible, achievable timeframe for a substantive response. Be careful not to overpromise here – a short, simple acknowledgement should suffice.
The first few days of an investigation can be crucial. It is vital that the investigation gets off on the right foot, and you formulate a plan to gather the necessary information. You will need to think about internal governance and confidentiality, and a number of different legal issues. Here are some action points to consider:
- Notifications – who do I need to inform about the investigation, whether internal or external? It is likely you will need to inform the CEO, the Board, other regulators (consider exchanges and CCPs under their relevant rules as well) etc. Generally regulators expect to be informed without delay. Even if not under a formal obligation, consider whether to make an informal notification. Be very careful about making statements to regulators, for example do not provide any assurances about the alleged misconduct having ceased if you are not 100% confident that is the case.
- Jurisdiction – if the investigation is external, does the regulator have the power to make the request, and are you compelled to respond? Which legal entity is involved? Is this purely a UK issue, or are overseas jurisdictions involved? Do you need to ask the regulator to use its formal information gathering powers? Sometimes this may be necessary to get around confidentiality issues (see bullet below).
- Confidentiality and data – are you restricted from producing the information by any relevant customer agreements or data protection rules? What is the interaction between any formal investigatory powers and any confidentiality obligations?
- Expectations – what is expected of you? Should you carry out your own internal investigation?
- External counsel – should you engage external counsel? Do the lawyers have the right expertise and will they carry clout with the investigating authority and with your own board? Choosing someone who has done this many times before, from both sides of the fence (ie prosecuting and defending), can be very beneficial.
- Privilege – the rules on privilege warrant their own separate article. However, consider privilege and discoverability issues around any reports generated and any correspondence, including emails, social media etc. Be very wary about anything written down, and bear in mind that social media or instant messenger correspondence may be discoverable. Identify who the client is and agree rules for preserving privilege. Consider a memo explaining the basic rules of privilege for employees not legally qualified.
- Governance – is there an existing governance process for this type of investigation? Who is responsible for leading the investigation, who will oversee it, and where do reports go? Is a special governance process required? Do any standard reporting obligations need to be suspended?
- Litigation risk – is there a risk of litigation surrounding the same subject matter as the investigation? If so, consider the interplay between the two, privilege and discoverability issues etc.
- Preservation of evidence – prepare a document hold notice and send it to all relevant custodians as soon as possible. Ensure any standard document destruction processes are suspended, including email back-ups, recorded lines, social media, instant messenger etc. Prepare a list of custodians and ensure this is regularly updated.
- Employees – who needs to know about the investigation? Do any employees need to be suspended whilst the investigation proceeds? Consider NDAs for all who have a need to know. Keep an “insider list” – ie a list of those who know about the investigation; keep the insider list updated regularly and ensure each person on it has signed the NDA.
- Insurance – consider notifications to insurers. It is highly likely that you will have an obligation to disclose material developments to insurers, and an investigation will be material. A failure or delay in doing so can risk invalidating the insurance policy.
Often it will help to draw up an investigation plan, under privilege, which will set out the scope, timeline and process for the investigation:
- Which departments / business units or legal entities will be the subject of the investigation?
- What historical timeframe will the investigation cover?
- Will interviews of witnesses be required?
- How will you preserve, sift and review evidence?
- Do you need a media strategy? Do you need to engage external media advisors? Do you need a leak strategy? This can be extremely important – leaks can occur for all sorts of reasons, such as disgruntled employees, careless talk, a misdirected email etc. Having media advisors on board early to prepare scripts and action plans can be very helpful in managing the fallout from a leak.
- If you are going to undertake an internal investigation, who will conduct it? Will this be an internal team, such as the compliance or in-house legal team, or will external counsel undertake the investigation? Having a report prepared by external counsel can assist with privilege / discoverability issues. It can also provide impartiality, which may give reassurance to the board or to your regulator.
- How often will you report on investigation progress, and to whom? It is likely that the board, the regulator and other parties will want regular updates, but you must also consider issues of confidentiality, privilege etc.
- Are there any immediate actions you can take to stop further misconduct? Are there remediating actions you can take? Consider how remediating actions will be perceived – be careful to avoid anything which might be considered an admission of liability. Are any additional controls required?
The actions taken in the first few hours and days can be crucial to the outcome of an investigation. A key point is to engage counsel and media advisors as early as possible in the process.
An investigation can be an extremely intensive and time-consuming exercise. The total cost will encompass regulator fines, management time, remediation actions, external reviews, counsel fees and many others. Often the total cost will be many multiples of any fine amount imposed by regulators.
One way of avoiding this is to conduct a pre-emptive audit of your systems and controls. This can be far more cost-effective and less invasive than an investigation. If that is something you would like to consider, please contact the author.