Practical Steps for Conducting a Corporate Internal Investigation (UK)

As companies face more scrutiny than ever before from a number of stakeholders—including regulators, shareholders, investors, and market participants generally—the circumstances in which it may be necessary for a company to conduct an internal investigation has exponentially grown. It therefore has become increasingly important for companies to implement appropriate practices so that they are able to adequately and swiftly address those myriad of potential circumstances.

There are a wide range of events that may trigger the commencement of an internal investigation by a company. For example, an issue may arise following an internal or external audit, unforeseen enforcement action or regulatory interest, or information that has come to the attention of a company via a whistleblower. Issues will cover limitless types of conduct. A company may receive allegations of bribery, uncover a financial accounting black hole, or be the subject of newspaper allegations of modern slavery. Equally, an employee may complain of a culture of bullying and/or discrimination. Each situation will call for a different approach to the way in which an internal investigation is conducted.

This article discusses three crucial questions meriting consideration by companies in connection with corporate internal investigations:

1. When should a corporate internal investigation be launched?
2. Who should conduct a corporate internal investigation?
3. How should a corporate internal investigation be conducted?

These questions will rarely be sequential despite the structure of this article. Rather, there is a significant degree of overlap between them, and companies should consider the various issues raised in tandem. For example, the decision as to whether a company should embark on an internal investigation (question one) is contingent on what a possible investigation may look like (question three).

When Should a Corporate Internal Investigation Be Launched?

Intrinsically linked to the question of when a corporate internal investigation should be conducted is the rationale for doing so. There is an obvious case for an internal investigation when there have been allegations of misconduct and other criminality, or when enforcement action may result in regulatory or criminal fines and sanctions. However, as discussed at the outset of the article, the trigger for conducting an internal investigation may be much wider than that.

An internal investigation, when undertaken properly, can be of considerable benefit to a company. It may expose gaps in a company’s corporate governance, policies, procedures and controls, and therefore allow a company the opportunity to not only address the conduct that triggered the investigation but take remedial steps to improve essential areas of its business and prevent misconduct from occurring in the future. A timely internal investigation also can allow a company to be well placed to prevent or respond to adverse publicity.

Internal investigations can require significant resources, such as management time and cost, and may be disruptive to the day-to-day running of a company’s business. A company therefore should consider whether a formal internal investigation is the most feasible way to address the issue. In doing so, companies may consider factors such as:

• The nature and source of a complaint, including whether it is internal or external and whether it is specific or anonymous;
• How serious the issue appears to be;
• Whether the issue has the potential to attract regulatory or enforcement action or media interest, or could otherwise damage the company’s reputation;
• Whether the company is under any regulatory obligation to investigate or report the issue;
• Whether it is likely to be an isolated incident that does not suggest wider issues concerning the company’s culture, systems, and controls;
• Whether an internal investigation would be a proportionate response; and
• The threat of litigation.

Regardless of whether a company ultimately decides to embark on an internal investigation, it still will need to consider taking steps to better understand the issues that have been raised. These include:

• A company should take immediate steps to cease any ongoing criminal activity or regulatory breach, including any temporary measures such as placing individuals on garden leave while the matter is investigated.
• A company should consider whether, and if so, when, there is an obligation to report to or cooperate with relevant enforcement authorities. Firms regulated by the Financial Conduct Authority (FCA) have a duty to disclose anything of which the FCA would reasonably expect notice, including a decision to conduct an internal investigation. Certain companies also may have an obligation to report suspicions or knowledge of money laundering or terrorist financing to the National Crime Agency (NCA).
• Even if there is no obligation, a company should consider whether there are other good reasons to report to or cooperate with authorities. For example, reporting the intention to deal with proceeds of crime to the NCA may provide a company with a defense to principal money laundering offenses. Self-reporting and cooperation with authorities also can make a Deferred Prosecution Agreement or leniency from enforcement authorities more possible.
• A company should consider whether there is an obligation to take steps to preserve and retain documents. Where there is such an obligation, companies should not overlook auto-deletion of electronic records and should enlist assistance from IT professionals. Companies also should consider issuing a preservation order to relevant individuals.
• A company should consider whether notifications need to be made in respect of any relevant insurance policies and the requisite time periods for doing so.
• A company should consider whether communications are required at this initial stage, including to external stakeholders such as clients, suppliers, and/or shareholders.
• A company should consider a media/communications strategy and whether external public relations expertise should be engaged.

Who Should Conduct the Corporate InternalInvestigation?

If a company decides to commence an internal investigation, careful thought should be given to who is best placed to undertake the investigation (for example, in-house legal personnel, compliance, internal audit, and/or outside counsel) as well as who may be required to work alongside such individuals during the investigation (for example, forensic accountants). Companies may consider a number of factors when determining the most appropriate individuals to conduct an investigation, including:

• Experience dealing with internal investigations and the subject matter involved;
• Sensitivity and urgency of the issues;
• Seriousness of the issues and potential liability;
• Contemplation of any litigation;
• Actual or perceived independence of the individual; and
• Any specific regulatory or legislative requirements.

Legal Professional Privilege

The choice of investigator (internal lawyers, external lawyers, or nonlawyers) will have important implications for privilege and the confidentiality of documents created in connection with an investigation. Therefore, this will also be a relevant factor when determining who should conduct an internal investigation.

As a general rule, there is little difference in the privilege position between outside counsel and in-house counsel acting in a legal capacity. However, in-house counsel of many companies will perform a role that encompasses the provision of legal, commercial, and administrative advice, and only advice given in the context of the first category (legal) will attract privilege.

The position is less generous for communications with nonlawyers such as forensic accountants and accountants, who, in appropriate cases, may benefit from litigation privilege (where a communication was made or created for the dominant purpose of preparing for or dealing with reasonably contemplated or existing adversarial proceedings) but are not covered by legal advice privilege. This may weigh in favor of using outside counsel, at least at the outset of an investigation where it is not clear if litigation is likely.

Whatever the choice of investigator, companies will need to ensure that appropriate safeguards and protocols are put in place to protect privilege and the confidentiality of documents pertaining to an investigation.

Identification of the Client

Where an investigation is to be undertaken by outside counsel, a second question arises as to who the “client” will be for the specific purpose of conducting the investigation.

This question of who should formally be identified as the client and included in the client group merits careful consideration given the potential impact on the overall integrity and success of the investigation, as well as the privileged nature of communications created in connection with the investigation.

English courts have tended to adopt a restrictive interpretation of “client” for the purpose of legal advice privilege, extending it only to “a narrow group of individuals employed by [a legal] entity who are charged with seeking and receiving legal advice on its behalf” (Three Rivers Dist. Council v Bank of England [2003] EWCA Civ 474). While litigation privilege is interpreted slightly more widely, it can be difficult for companies to identify the type of privilege that is likely to be applicable, particularly during the initial stages of an investigation. Companies therefore may be best advised to err on the side of caution and constitute focused client groups (outside of which privileged documents and advice should not be circulated) to limit the risk of the company losing its right to privilege over those communications.

The client group should have the necessary authority to make decisions in relation to the investigation, seek legal advice on behalf of the company, and secure the cooperation of employees in relation to gathering and/or providing information to the investigation. Certainly, care should be taken to ensure that no one with any involvement in the matter under investigation should be included in the client group (or investigating team), as failure to do so could result in the company inadvertently participating in further criminality and additional regulatory and/or legislative breaches.

Where a company is part of a corporate group, consideration will need to be given to which entity (or entities) should engage outside counsel. For example, where a subsidiary company engages outside counsel, the privilege will belong to that subsidiary company and only communications with that entity will be covered by legal advice privilege, thereby creating potential issues relating to the loss of privilege if that subsidiary is required to update its parent company about the progress and findings of the investigation. In such cases, parties involved may need to consider a joint retainer or common interest agreement.

How Should a Corporate Internal Investigation Be Conducted?

A corporate internal investigation is only as successful as it is set up to be. When undertaken effectively, it can maximize outcomes for a company while minimizing any disruption that it may cause, time spent on the investigation, and cost incurred by the investigation. Key to ensuring such effectiveness is having a clearly defined scope for the investigation from the outset and a comprehensive investigation work plan.

The investigation plan is a crucial document that sets out how an investigation will be conducted; it provides an audit trail of all actions to be undertaken, clearly stipulating the mandate and terms by which the investigation will proceed. A good investigation plan will therefore seek to comprehensively document:

• The aims and risks (for example, regulatory, criminal, and litigation) of the investigation;
• The issues that the investigation seeks to examine;
• The parameters of the investigation (for example, estimated time period during which the investigation will be completed and estimated time period for each stage of the investigation, relevant conduct that will be reviewed, jurisdictions that will be relevant to the investigation, and business areas/teams that will be relevant to the investigation);
• Procedures by which relevant evidence (documentary, expert, and witness) will be gathered and reviewed and the persons from whom relevant data or documents will be collected and/or with whom interviews may be conducted;
• Resources and arrangements required for each stage of the investigation (internally by the company and from third parties);
• Key persons who will be involved in the investigation (including the investigating team, witnesses, and stakeholders); and
• The reporting mechanisms and timescales that are contemplated.

The investigation plan can therefore be useful for setting clear expectations with the client and investigating team. It can comprise a framework for measuring and reporting progress during the investigation and for setting a timetable for reporting or progress updates. It also acts as a useful record if the investigation itself comes under scrutiny, for example, through cooperation with an authority or examination by auditors, the judiciary, or other stakeholders. A well-defined scope for an internal investigation and investigation plan, if followed, also can help to control costs and avoid digression from the aim(s) of the internal investigation.

While care should be taken to ensure that the scope of the internal investigation is proportionate and focused, it should not be so narrow as to attract criticism of it comprising a whitewash or being crafted to avoid relevant issues. Similarly, while an investigation plan should thoroughly address the issues requiring attention in the investigation, it should remain flexible to accommodate any new or unexpected facts that may emerge during the investigation.

Although the scope and nature of any particular investigation will be fact dependent, the steps taken when setting up and launching the investigation will be broadly similar. Most investigations will involve a document review phase, the planning and conducting of witness interviews, and the preparation of a findings report. In some cases, where technical issues are involved or a forensic assessment of liability is required, it also may be necessary to seek expert advice.

Document Collection and Review

Although the scope of a document review will differ for each investigation, it often will be the most time- and cost-intensive phase. There are a number of best practices that can assist in streamlining this phase, including in relation to data collection, which is the precursor to any document review exercise. These include:

• Carefully select relevant custodians for data collection (as captured in the investigation plan) and employing imaging technology to gather data.
• When selecting relevant custodians, consideration should be given to any factors that would make data collection from that custodian (or subsequent use of collected data) difficult—for example, whether there are any blocking statutes that prevent the cross-border transfer of data, and, if so, whether there are alternative custodians from whom similar data can be obtained [there are no relevant blocking statutes under United Kingdom (UK) law], or whether there is a risk that certain documentation may be altered or destroyed and should therefore be preserved as soon as possible.
• Set priorities to determine which documents are most critical to the investigation.
• Perform detailed documentation of the process, which would typically include identifying and applying search terms or keywords against collected data to retrieve documents for review, and producing a log of documents that have been collated and includes their underlying detail and any agreed methodology followed during the review; for example, to determine relevance and privilege status.
• Consider using technology-assisted review (TAR) and other artificial intelligence (AI) or machine learning–based technology where appropriate; for example, in investigations involving a large dataset.
• Ensure the document review adapts and evolves with any changes to the scope of the investigation—for example, due to new facts coming to light or a regulatory authority becoming involved. This, in some cases, may require the addition or removal of custodians in relation to whom data have been collected and the collection of further data.
• Ensure compliance with applicable data protection law, including, in the UK, the Data Protection Act 2018 and the European Union (Withdrawal) Act 2018, which incorporates the General Data Protection Regulation (Regulation (EU) 2016/679) into UK domestic law (UK GDPR). Companies should ensure appropriate safeguards are put in place to protect the privacy of data subjects.

Witnesses

The other significant phase in an internal investigation is the gathering of witness evidence. Witness interviews can take place at a preliminary stage for scoping purposes, and subsequently, more substantively, before and/or after the review of relevant documentation.

Scoping interviews are conducted early in the investigation process in order to attempt to discover basic facts and the extent of a witness’ knowledge of relevant information. Whether these goals have been achieved will partially be a judgment as to the witness’s credibility.

More substantive witness interviews will typically take place after completion of any document review stage, or following the review of a significant proportion of relevant documentation. The purpose of these interviews is not only to obtain all relevant information and clarifications, but also to assess the credibility of a witness. This is possible through meticulous preparation to identify gaps in knowledge prior to the interview, well-crafted questions (open- and close-ended as appropriate), and careful observation of nonverbal indicators during the interview.

Similar to the process of identifying documentary evidence to review, companies should carefully consider the most appropriate individuals to interview. Companies can be less selective when it comes to scoping interviews given that their nature is to discover basic facts and identify suitable witnesses for the more substantive interviews. Interviewing multiple witnesses at a scoping stage allows the company to assess each witness’s relative credibility and the investigation team to corroborate facts and identify discrepancies. For the same reason, it also may be helpful to interview personnel with knowledge of the matters under investigation but who are not suspected of wrongdoing before interviewing those who are suspected of such conduct.

Companies also should give consideration to how and where witness interviews should be conducted, including their format and any formalities that need to be observed. There are no formal rules for conducting witness interviews in internal investigations in the UK; nonetheless, companies should follow generally accepted interview practices in line with appropriate codes of conduct. Doing so not only facilitates robust information-gathering, but it also bolsters the credibility of an investigation (thereby potentially rendering further investigation by authorities unnecessary) as well as the witness evidence (thereby making it more suitable for use in any future litigation). Some best practices to keep in mind in relation to conducting interviews include:

• Consider the size of the interviewing team. It is typical to have at least two interviewers. Indeed, large interview teams should be avoided so as to ensure efficiency, preserve privilege, and avoid any impression of undue pressure.
• Consider whether any adjustments need to be made for interviewees, including whether an aide or interpreter is required.
• Advise witnesses at the outset of the interview that (i) the discussions are confidential and cannot be discussed with anyone else (other than the lawyers conducting the investigation) without the consent of the company; (ii) any legal privilege belongs to the company and not the witness and the company may waive that privilege at any point (similarly to an Upjohn warning); and (iii) information provided could inform a decision as to whether to instigate disciplinary action.
• Consider what information should be provided to a witness before, during, and after an interview, including whether, and, if so, when, documentation should be provided. Providing documents to a witness can help refresh their memory and ensure complete and direct responses.
• Ensure that the conduct of interviews does not violate relevant employment rights and rights of whistleblowers (see the “Treatment of Whistleblowers” section below). Employees usually cannot be compelled to attend an interview absent an express requirement in their employment contract; however, a failure to do so may be in breach of implied duties arising out of the relationship of trust and confidence between the employee and their employer as well as a failure to follow reasonable instructions.

Companies also should consider whether authorities should be notified about witness interviews in advance. There are no general UK legal requirements for a company to notify or seek consent from authorities to conduct witness interviews; however, self-reporting and cooperation with authorities by a company can impact a company’s ultimate treatment by authorities. Consultation with authorities in certain cases also may help to avoid unintended adverse inferences being drawn in any parallel regulatory investigations.

Treatment of Whistleblowers

Whistleblowers are protected from detrimental treatment or dismissal by the Employment Rights Act 1996 (ERA) (as amended by the Public Interest Disclosure Act 1998 and the Enterprise and Regulatory Reform Act 2013) where they have made a “protected disclosure” as defined in the ERA. Any dismissal of a whistleblower will be automatically deemed unfair. The whistleblower also will have protection from any detrimental treatment such as disciplinary action.

The identity of a whistleblower, or of any information that would likely identify them, should be kept confidential and only disclosed to those who need to know it. Attempts or perceived attempts by a company to identify an anonymous whistleblower may be considered detrimental to the whistleblower and should be avoided. Overall, companies should consider adopting strong policies and internal procedures for reporting concerns and whistleblowing.

Companies also should consider providing a whistleblower with limited updates periodically about the progress of an investigation so that the whistleblower is reassured that their concern is being taken seriously and appropriate action is being taken, such that a further report to a regulator, enforcement agency, or the media is not necessary.

Reports and the Closing of an Investigation

The conduct and conclusion(s) of an investigation should be recorded in a final investigation report. Such findings may be followed by a number of recommendations for the company.

Consideration should be given to the best format for and intended audience of an investigation report. In the event that outside counsel has been engaged to conduct the internal investigation and draft a corresponding report, the hardcopy report will be addressed to the client group and its provision to the client may coincide with an in-person presentation that addresses the report’s findings and recommendations.

Following its review of the report, a company will need to consider whether any (further) reporting is required, either to regulators or enforcement authorities. The disclosure of any findings to third parties should be carefully considered by a company in order to bear in mind the impact that any such disclosure may have on a company’s legal professional privilege.

Key Takeaways

1. Client: Identify the client from whom instructions are to be provided/received as well as the investigation team, including external counsel and other experts, as soon as possible and ensure that information is confined to that group.
2. Investigation plan: Draft a detailed investigation plan including the scope, purpose, and method of the investigation. It should contain defined targets and goals, sometimes limited by time and budget and adjusted as the investigation progresses.
3. Data: Preserve data at the outset of the investigation, including issuing data preservation orders and maintaining records of when such orders were circulated and to whom they were circulated. When collecting information, adhere to relevant data privacy laws including legal restrictions on transferring data out of the country. Where there is a voluminous amount of data, TAR and other AI- or machine learning–based technology should be considered.
4. Privilege: Careful consideration should be given as to what documents, advice, and records attract privilege. Care should be taken to ensure disclosure to any third parties is limited to circumstances where it is required, including the way in which any findings are communicated to regulators.
5. Employee interviews: These should adhere to local labor laws and follow any additional processes and procedures detailed in company literature, such as employee handbooks. Additionally, employees should be made to feel as comfortable as possible by conducting the interview in their language and taking into account any cultural nuances. Interviewers must be transparent regarding the status of the interview and to whom any privilege belongs. A US-style Upjohn warning is now commonplace.
6. Reporting: Consider whether reporting any misconduct is a legal requirement; where voluntary reporting is possible, weigh the risks and benefits of doing so as soon as possible and on a continuing basis. This will allow the company to determine the proper course of action to ensure that the minimal penalty or maximum credit is applicable. If the company operates in multiple jurisdictions, consideration should be given to cooperation between authorities both domestically and internationally, and whether disclosure will be required or advantageous in other jurisdictions.
7. Finally, use investigations as an opportunity to review existing compliance and governance measures and inform remedial measures the company might put in place to strengthen its systems and controls.

The article is based on the UK chapter of the second edition of the forthcoming ABA publication An International Guide to Corporate Internal Investigations, which is authored by Christine Braamskamp and Robert Dalling of Jenner & Block, Tom Epps and Benjamin Sharrock-Mason of Cooley (UK) LLP, and Charlotte Glaser of Goodwin Procter (UK) LLP. The publication is edited by Mark Beardsworth of Goodwin Procter (UK) LLP and others.