Financial Fraud Law Report
Financial Fraud Law Report An A.S. Pratt & Sons Publication
February 2013
Headnote: Guidance Steven A. Meyerowitz The FCPA Guidance Road Map Mara V.J. Senn, Drew A. Harker, Arthur Luk, and Philippe A. Oudinot Anti-Corruption Enforcement in China Bruce E. Yannett, Sean Hecker, Paul R. Berger, Philip Rohlik, and Fengian Ao SEC Focuses on Fair Valuation in Recent Enforcement Cases Jane A. Kanter and Robert G. Zack Conducting an Effective FCPA Internal Investigation Zack Harmon and Laura Greig The Role of Financial Information in Fraud Investigations Colleen Vallen Domestic and Foreign Money Transmitters Face Complex Hazardous Web of Federal and State Laws and Regulations Jennifer R. Taylor and Emre N. Ilter Government’s Burden in Insider Trading Cases Clarified Michael S. Schachter and Alison R. Levine Second Circuit Decision Clarifies the Standard for Claims of Aiding and Abetting Securities Fraud Michael S. Schachter Going it Alone: Recent Federal Court Decision Demonstrates Risks of Losing Privilege When Conducting Internal Investigations Without Counsel Nooree Lee and Samantha S. Lee Recent Federal False Claims Act Decision Undermines Attorney-Client Privilege over Certain In-House Counsel Emails Marvin G. Pickholz and Mary C. Pennisi U.K. Serious Fraud Office Issues New Bribery Act Policies Lord Goldsmith QC, Karolos Seeger, and Matthew H. Getz
Conducting an Effective FCPA Internal Investigation Zack Harmon and Laura Greig
The authors suggest that although a thoughtful preliminary work plan is essential at the outset of any FCPA investigation, a willingness to modify the structure of the investigation, and remain fluid as it progresses, is integral to reaching key investigative objectives in an effective manner.
A
s is so often the case, “one size” most definitely does not “fit all” when conducting an effective FCPA internal investigation. Any investigative strategy premised on the notion that there is one correct path to conducting an effective investigation will inescapably result in unnecessary work in many situations, and critical loose ends in others. Internal investigations are and should be fluid undertakings, continually tweaked and reoriented to maximize efficiency while achieving the defined objectives. This may appear self-evident, but preliminary conversations about internal investigations all too frequently begin with a request for a comprehensive work plan plotting the detailed work steps and attendant timing from points A to Z. While it is obviously sensible to formulate a thoughtful, disciplined, and appropriately detailed work plan at the outset of any investigation, everyone involved in the project should expect that there will be significant modifications to the work plan as the investigation progresses. Any other approach will be neither efficient nor, ultimately, effective. There are, however, a number of overarching objectives that should guide
Zack Harmon is a partner and Laura Greig is an associate in King & Spalding’s Washington, D.C. office. Both are members of the firm’s Special Matters & Government Investigations Practice Group.
Published by A.S. Pratt in the February 2013 issue of the Financial Fraud Law Report. Copyright © 2013 THOMPSON MEDIA GROUP LLC. 1-800-572-2797.
141
Financial Fraud Law Report
how the basic investigative work steps — the elemental building blocks of any investigation — are prioritized, scoped, sequenced, and retooled for maximum impact. Among these overarching objectives, by far the most critical is to get to the bottom of the issues of concern. Internal investigations skewed by design to avoid the hard issues or result in favorable findings will not be credible or useful to anyone. By contrast, if all decisions made during the design and course of an internal investigation are guided by this preeminent objective, judgments made along the way are easy to explain, and the investigation typically will satisfy the expectations of all parties involved.
Determining the Scope of the Investigation and the Preliminary Work Plan A threshold question in any internal investigation is whether the findings are likely to be shared at some point, and in some appropriate manner, outside the company. The answer to this question — often difficult to answer definitively during the early stages — will inform many decisions about how the investigation should be conducted (e.g., staffing, timeframe, etc.). As to scope, however, assuming that the overarching objective is to fully probe the concerns giving rise to the investigation, the initial focus of an investigation typically does not vary whether the investigative findings are expected to be shared outside the company or not. As we will discuss, subsequent decisions regarding how deeply or broadly to probe may turn on how the findings are to be used, but the initial scope typically varies only on the margins. Turning to another general principle, because the FCPA enforcement authorities are quite clear in many respects about their expectations for internal investigations, the approach when structuring an FCPA investigation should be to anticipate the authorities’ questions and expectations about scope, and be prepared to demonstrate a mastery of these issues. To be clear, this recommendation does not mean that an investigation necessarily should be scoped broadly enough to address every potential question or concern that the FCPA authorities may raise; rather, these questions and concerns must be anticipated in advance so that scoping decisions are made with a realistic understanding of where the authorities may (later) believe that the investigative scope should have been broader, or perhaps differently focused in some way. 142
Conducting an Effective FCPA Internal Investigation
Ultimately, the key is to be prepared to explain all decisions about scope and work steps so that the FCPA authorities are confident that the investigators were cognizant of all of their concerns and questions, even if there is some reasoned disagreement about what should have been done to address them.
Scope Determining the scope of an investigation depends in large part on the specificity and credibility of the allegations or concerns giving rise to the investigation. The more specific the allegations or concerns, the easier it is to frame an investigation so as to avoid both unnecessary work and loose ends. For example, the more information there is regarding employees’ names, dates, business units, payment amounts and the like, the clearer the initial scope required to adequately investigate the issues. Even when confronting specific allegations, however, it is important to revisit throughout the investigation the pros and cons of “testing” issues beyond the carefully-circumscribed initial focus areas of the investigation. If the allegations are not specific and no greater detail is available from the source, the company should devise a strategy for surgically sampling business processes, transactions and other conduct that is as relevant to the nonspecific allegations as possible. A thorough understanding of the implicated business processes and control structures is essential to determining scope in the face of more general allegations. Moreover, the company should study carefully all of the situations in which other companies have encountered FCPA issues similar to those generally alleged. Drawing from other FCPA investigations as a baseline for the company’s own investigation is important because the concerns and expectations of the FCPA enforcement authorities are clearly shaped by their experiences in other, similar matters. Finally, the credibility of the source also informs the scope of the investigation. If the source appears credible at the outset, or is deemed increasingly credible as the investigation progresses, then there is a greater premium on fully investigating all of the allegations. By contrast, if the allegations appear less credible, then it may be reasonable for the company to take a more incremental approach to confirming or debunking the allegations.
143
Financial Fraud Law Report
Work Plan After the company determines the initial scope of its FCPA investigation, it must formulate a preliminary work plan to begin meeting these investigative objectives. However, before the company can turn to the more obvious components of the investigation (e.g., reviewing key documents, interviewing employees), it first must take a number of critical steps and make several key decisions. Most importantly, it must take immediate steps to reasonably preserve the relevant records (e.g., important hard copy documents, key network data, etc.). Obviously, the more specific the allegations, the easier it is to define the universe of relevant records requiring preservation. Many companies have protocols in place to preserve records, although these protocols often are geared towards civil litigation discovery and the like — situations in which preservation obligations as defined by the companies can differ somewhat from preservation obligations in the face of potential criminal exposure and government investigations. The FCPA authorities’ expectations concerning preservation are quite specific, and data preservation is an area in which they can be unforgiving. Preservation is an iterative process, and often involves adding records, custodians, and additional forms of data as the investigation progresses. Once initial preservation of documents is complete — and under some circumstances, contemporaneously with this preservation — the company may begin compiling and reviewing relevant records. In doing so, the company should determine whether any non-U.S. data privacy obligations, blocking statutes, or other logistical issues might arise based on non-U.S. laws, regulations, and rules. In addition, the company should develop an initial list of potential interviewees and identify any obligations that exist or could arise in connection with these interviews, recognizing the possibility that interviewees found to have engaged in misconduct may face potential legal exposure. Because FCPA investigations typically focus on conduct and personnel outside the United States, the relevant interview considerations are often complicated and vary from country to country. Each company, investigation, and individual interview will present unique substantive and logistical issues that must be anticipated and addressed before conducting (or even scheduling) the interviews. For example, before scheduling an interview with an employee, the company must know whether there are relevant local laws, rules, or practices governing the manner in which employee interviews should be 144
Conducting an Effective FCPA Internal Investigation
conducted; it should have considered the need for an interpreter; it must be prepared for a request by the employee (potentially during the interview) for representation by counsel; and it must have a plan in place should the employee begin incriminating himself or herself during the interview. The company also should recognize that issues identified during the course of the investigation may warrant or require employee disciplinary action, and, therefore, certain interviews should be staffed and conducted with follow-on litigation in mind. Moreover, the timing of disciplinary actions should be carefully considered because certain information may only be available from employees while they remain employed by the company. The company must also make an initial determination as to whether there is any obligation or other reason to disclose the investigation to the investing public, outside auditors, insurance carriers, government authorities, or any other stakeholders. The merits of self-disclosing an FCPA issue to the enforcement authorities is a particularly complicated and nuanced issue, which we touch upon later. The bottom line is that it is essential to devise a thoughtful strategy for assessing when disclosure obligations or benefits from disclosure may arise during the course of the investigation, and to remain mindful of this strategy throughout the investigation. Additionally, the company should determine whether and how issues identified during the course of the investigation should be communicated to stakeholders, recognizing that these issues typically arise as time-sensitive considerations. If warranted under the circumstances, the company should devise a strategy to manage media exposure if or when the investigation or allegations become public. If the situation requires, the company should also devise a strategy for responding to search warrants, subpoenas, and other outside inquiries. Depending on the circumstances, it may also become necessary during the course of the investigation to modify and enhance relevant compliance programs, internal controls, and other company policies that reflect lessons learned from the investigation. Finally, if outside counsel or other outside professional firms (e.g., forensic accountants) are involved, the company should determine a clear reporting chain between the company and the professional advisors. It is important to identify the company personnel who will be assisting with the investigation, and to remain mindful of attorney-client privilege issues that might arise.
145
Financial Fraud Law Report
Measures to Ensure that Attorney-Client Privilege is Protected If one objective of the FCPA investigation is to conduct it in a privileged and confidential manner, then the company should involve in-house counsel or outside counsel from the outset. The decision whether to employ in-house counsel, outside counsel, or some combination of the two may turn on a number of considerations. For example: • availability and experience of in-house legal resources (including experience in dealing with both the FCPA authorities, as well as other outside professional firms whose expertise may be required, e.g., forensic accountants); • comparative legal protections that may attach to the work of in-house counsel and outside attorneys, which vary widely from country-tocountry; • importance of the comparative independence attaching to work of inhouse versus outside counsel; and • in-house counsel’s role, if any, in the conduct at issue, or in designing, overseeing or previously reviewing the controls or business processes surrounding the conduct at issue in the investigation, and whether an outside party might consider any such role as actively or tacitly enabling or allowing the conduct at issue. Should the company elect to have in-house counsel conduct the investigation, most companies have protocols in place that maximize the protections afforded to such in-house investigative work. Similarly, if the company elects to involve outside counsel in some capacity, then it is prudent to impose a simple, but clear, structure to ensure that the investigative work benefits fully from the additional protections. For example: • determine and clarify which persons within the company constitute the “client,” and have the client authorize and direct the work of outside counsel;
146
Conducting an Effective FCPA Internal Investigation
• communicate to relevant company personnel that the investigation has been duly authorized; • establish appropriate reporting chains between counsel and client; and • make certain that no actions are taken to undermine the protections of attorney-client privilege and attorney work product. Counsel should also evaluate the steps that must be taken and the requisite formalities that must be observed inside and outside the U.S. to protect attorney-client privilege, attorney work product assertions, and similar protections in relevant foreign jurisdictions. Should the company engage other counsel or third parties (e.g., to represent individual employees, conduct an accounting review, translate documents, etc.), additional considerations must be addressed to ensure there is no unintentional waiver of applicable legal privileges and protections under U.S. and non-U.S. laws, rules, and regulations.
Knowing When the Investigation Has Been Exhausted In some investigations, it is relatively easy to determine when the work is essentially complete. For example, if the allegation is both specific and narrow, and the investigation reveals a compelling and benign explanation for the conduct alleged, then the investigation typically is complete. However, even when confronted with specific, discrete allegations, the decision of when to close the investigation grows harder if the allegations of FCPA violations prove to be true. In such a scenario, one key question is whether there is a basis for concluding that the established violations were clearly isolated. To illustrate this common scenario, take the situation in which the investigation has confirmed — as was specifically alleged — that improper payments were made to named government contracting officials by a particular business unit in Country A during timeframe [X]. Having confirmed the specific allegations, the company must decide whether to close the investigation at this point, or instead sample conduct around the perimeter of these payments to evaluate whether they were isolated. So, for example, should the company choose to sample payments: (1) made by this business unit in connection with other government interactions, e.g., payments to customs?; (2) made by this business unit to government contracting officials in Country B?; (3) 147
Financial Fraud Law Report
made by this business unit to the same government contracting officials in Country A, but during timeframe [Y]?; (4) made by other business units to the named government contracting officials in Country A during timeframe [X]? The answers to these and similar questions will turn on a variety of factors, but they obviously complicate the decision to close the investigation. And, of course, the greatest challenges to closing an investigation arise when the investigation becomes an exercise in “proving a negative.” In this very common situation, the decision of when to close the investigation will turn on a number of factors such as the credibility of the allegations. If the investigation establishes that many of the facts or premises underpinning the allegations are incorrect, then that may militate in favor of ending the investigation. For example, if the allegation is that payments were made by a named employee to a particular government official during a specified timeframe, and the investigation reveals that the named employee worked in some other geography during the specified timeframe, or that the particular government official left his position ten years prior to the period of the alleged misconduct, then those findings are relevant in deciding what to do next. Similarly, the closure decision should be informed by the quality of the evidence compiled to date. For example, it is more difficult to close an investigation based solely on the denials of the person accused of wrongdoing than it would be based on a thorough email review, or a determination — based on significant pressure-testing — that internal controls almost certainly would have prevented the alleged misconduct. Finally, the decision whether to continue an investigation also depends on the company’s risk tolerance, and the likelihood that the FCPA authorities or other outside parties will learn of (and be interested in) the allegations. If a company does not plan to disclose the issue, there are no reporting obligations to stakeholders, the issue is entirely historical, and it is unlikely that the issue will otherwise become the subject of a government inquiry, then the company may feel that it has gleaned enough information to implement productive compliance changes and thereby learn from its mistakes. In such a situation, the company might not elect to determine with certainty whether the historical misconduct occurred five times versus ten. However, if there is likely to be an outside disclosure of the issues, the company may elect to take additional investigative steps, or conduct additional sampling, with the objective of preempting
148
Conducting an Effective FCPA Internal Investigation
more extreme investigative measures taken by, or at the insistence of, an outside party (e.g., FCPA authorities, outside auditors, etc.) at a later date.
What to Do When a Violation is Discovered When an internal investigation reveals that an FCPA violation has (or appears to have) occurred, the company must make sure that the conduct has been terminated, implement any reasonable and necessary changes to its compliance program, consider necessary disciplinary action against involved personnel, and revisit whether to self-report the violations — or apparent violations — to the FCPA authorities. As to the last of these considerations, the decision to voluntarily disclose FCPA violations has always been a hotly-debated topic within the FCPA bar, and is one that cannot be addressed adequately in this short article. Generally speaking, there is no easy rule of thumb to guide this analysis; each decision to self-disclose should be based on a wide variety of factual circumstances specific to the individual situation. We share the view of many FCPA practitioners that there are compelling reasons to self-disclose under certain circumstances. However, there are practitioners, academics, media commentators, and others who see little benefit in doing so. While the recently-released FCPA guidance states that the Department of Justice and Securities Exchange Commission consider voluntary disclosure as a mitigating factor when assessing FCPA outcomes,1 a 2012 study found that the presence of mitigating factors, including voluntary disclosure, did not result in reduced sanctions in FCPA cases.2 However, the study could not rule out that self-disclosure did not result in some form of less-visible leniency.3 Moreover, the new whistleblower rules arising from Dodd-Frank may create additional incentives for companies to self-disclose FCPA violations since employees are now powerfully (financially) motivated to report FCPA violations. In short, while the issue of self-disclosure is complicated, a company must have a strategy for evaluating the merits of self-disclosure at the outset of its investigation, and as certain events transpire over the course of the investigation.
149
Financial Fraud Law Report
Conclusion Put simply, each FCPA internal investigation is unique, and you can be certain of only one thing going in: if you are unprepared or unwilling to modify your work plan along the way, you will end up doing either too much work or too little. While this approach may seem undisciplined, the reality is that a constant focus on the project objectives and work steps results in a much more effective and efficient investigation. At the outset of the investigation, the trick is to design a thoughtful preliminary work plan that anticipates the likely—if not unavoidable—twists and turns in the investigation. Identify critical decision points and anticipate that the investigation could change course at those points. Lay markers down at the outset of the planning process for likely developments, and thereby minimize surprises or rushed decisions by evaluating the options in advance. The purpose of this article is not to identify all of these considerations, but rather to emphasize the fluidity of an effective FCPA internal investigation and touch upon some of the key objectives and ingredients of any sound investigation.
Notes U.S. Department of Justice & U.S. Securities Exchange Commission, A Resource Guide to the U.S. Foreign Corrupt Practices Act (2012). 2 Stephen J. Choi & Kevin E. Davis, Foreign Affairs and Enforcement of the Foreign Corrupt Practices Act 21 (NYU Law and Econ. Research Paper No. 12-15; NYU School of Law, Public Law Research Paper No. 12-35, 2012). In an email responding to this study, a Justice Department spokesperson stated that “the department regularly rewards companies that voluntarily disclose wrongdoing through the use of declinations, deferred prosecution agreements and nonprosecution agreements, as well as significantly reduced monetary penalties.” Samuel Rubenfeld, Study Says Voluntary Disclosure Doesn’t Change FCPA Penalties, Wall St. J., Sept. 6, 2012. 3 Samuel Rubenfeld, supra note 2. 1
150
February 2013
Headnote: Guidance Steven A. Meyerowitz The FCPA Guidance Road Map Mara V.J. Senn, Drew A. Harker, Arthur Luk, and Philippe A. Oudinot Anti-Corruption Enforcement in China Bruce E. Yannett, Sean Hecker, Paul R. Berger, Philip Rohlik, and Fengian Ao SEC Focuses on Fair Valuation in Recent Enforcement Cases Jane A. Kanter and Robert G. Zack Conducting an Effective FCPA Internal Investigation Zack Harmon and Laura Greig The Role of Financial Information in Fraud Investigations Colleen Vallen Domestic and Foreign Money Transmitters Face Complex Hazardous Web of Federal and State Laws and Regulations Jennifer R. Taylor and Emre N. Ilter Government’s Burden in Insider Trading Cases Clarified Michael S. Schachter and Alison R. Levine Second Circuit Decision Clarifies the Standard for Claims of Aiding and Abetting Securities Fraud Michael S. Schachter Going it Alone: Recent Federal Court Decision Demonstrates Risks of Losing Privilege When Conducting Internal Investigations Without Counsel Nooree Lee and Samantha S. Lee Recent Federal False Claims Act Decision Undermines Attorney-Client Privilege over Certain In-House Counsel Emails Marvin G. Pickholz and Mary C. Pennisi U.K. Serious Fraud Office Issues New Bribery Act Policies Lord Goldsmith QC, Karolos Seeger, and Matthew H. Getz
Conducting an Effective FCPA Internal Investigation Zack Harmon and Laura Greig
The authors suggest that although a thoughtful preliminary work plan is essential at the outset of any FCPA investigation, a willingness to modify the structure of the investigation, and remain fluid as it progresses, is integral to reaching key investigative objectives in an effective manner.
A
s is so often the case, “one size” most definitely does not “fit all” when conducting an effective FCPA internal investigation. Any investigative strategy premised on the notion that there is one correct path to conducting an effective investigation will inescapably result in unnecessary work in many situations, and critical loose ends in others. Internal investigations are and should be fluid undertakings, continually tweaked and reoriented to maximize efficiency while achieving the defined objectives. This may appear self-evident, but preliminary conversations about internal investigations all too frequently begin with a request for a comprehensive work plan plotting the detailed work steps and attendant timing from points A to Z. While it is obviously sensible to formulate a thoughtful, disciplined, and appropriately detailed work plan at the outset of any investigation, everyone involved in the project should expect that there will be significant modifications to the work plan as the investigation progresses. Any other approach will be neither efficient nor, ultimately, effective. There are, however, a number of overarching objectives that should guide
Zack Harmon is a partner and Laura Greig is an associate in King & Spalding’s Washington, D.C. office. Both are members of the firm’s Special Matters & Government Investigations Practice Group.
Published by A.S. Pratt in the February 2013 issue of the Financial Fraud Law Report. Copyright © 2013 THOMPSON MEDIA GROUP LLC. 1-800-572-2797.
141
Financial Fraud Law Report
how the basic investigative work steps — the elemental building blocks of any investigation — are prioritized, scoped, sequenced, and retooled for maximum impact. Among these overarching objectives, by far the most critical is to get to the bottom of the issues of concern. Internal investigations skewed by design to avoid the hard issues or result in favorable findings will not be credible or useful to anyone. By contrast, if all decisions made during the design and course of an internal investigation are guided by this preeminent objective, judgments made along the way are easy to explain, and the investigation typically will satisfy the expectations of all parties involved.
Determining the Scope of the Investigation and the Preliminary Work Plan A threshold question in any internal investigation is whether the findings are likely to be shared at some point, and in some appropriate manner, outside the company. The answer to this question — often difficult to answer definitively during the early stages — will inform many decisions about how the investigation should be conducted (e.g., staffing, timeframe, etc.). As to scope, however, assuming that the overarching objective is to fully probe the concerns giving rise to the investigation, the initial focus of an investigation typically does not vary whether the investigative findings are expected to be shared outside the company or not. As we will discuss, subsequent decisions regarding how deeply or broadly to probe may turn on how the findings are to be used, but the initial scope typically varies only on the margins. Turning to another general principle, because the FCPA enforcement authorities are quite clear in many respects about their expectations for internal investigations, the approach when structuring an FCPA investigation should be to anticipate the authorities’ questions and expectations about scope, and be prepared to demonstrate a mastery of these issues. To be clear, this recommendation does not mean that an investigation necessarily should be scoped broadly enough to address every potential question or concern that the FCPA authorities may raise; rather, these questions and concerns must be anticipated in advance so that scoping decisions are made with a realistic understanding of where the authorities may (later) believe that the investigative scope should have been broader, or perhaps differently focused in some way. 142
Conducting an Effective FCPA Internal Investigation
Ultimately, the key is to be prepared to explain all decisions about scope and work steps so that the FCPA authorities are confident that the investigators were cognizant of all of their concerns and questions, even if there is some reasoned disagreement about what should have been done to address them.
Scope Determining the scope of an investigation depends in large part on the specificity and credibility of the allegations or concerns giving rise to the investigation. The more specific the allegations or concerns, the easier it is to frame an investigation so as to avoid both unnecessary work and loose ends. For example, the more information there is regarding employees’ names, dates, business units, payment amounts and the like, the clearer the initial scope required to adequately investigate the issues. Even when confronting specific allegations, however, it is important to revisit throughout the investigation the pros and cons of “testing” issues beyond the carefully-circumscribed initial focus areas of the investigation. If the allegations are not specific and no greater detail is available from the source, the company should devise a strategy for surgically sampling business processes, transactions and other conduct that is as relevant to the nonspecific allegations as possible. A thorough understanding of the implicated business processes and control structures is essential to determining scope in the face of more general allegations. Moreover, the company should study carefully all of the situations in which other companies have encountered FCPA issues similar to those generally alleged. Drawing from other FCPA investigations as a baseline for the company’s own investigation is important because the concerns and expectations of the FCPA enforcement authorities are clearly shaped by their experiences in other, similar matters. Finally, the credibility of the source also informs the scope of the investigation. If the source appears credible at the outset, or is deemed increasingly credible as the investigation progresses, then there is a greater premium on fully investigating all of the allegations. By contrast, if the allegations appear less credible, then it may be reasonable for the company to take a more incremental approach to confirming or debunking the allegations.
143
Financial Fraud Law Report
Work Plan After the company determines the initial scope of its FCPA investigation, it must formulate a preliminary work plan to begin meeting these investigative objectives. However, before the company can turn to the more obvious components of the investigation (e.g., reviewing key documents, interviewing employees), it first must take a number of critical steps and make several key decisions. Most importantly, it must take immediate steps to reasonably preserve the relevant records (e.g., important hard copy documents, key network data, etc.). Obviously, the more specific the allegations, the easier it is to define the universe of relevant records requiring preservation. Many companies have protocols in place to preserve records, although these protocols often are geared towards civil litigation discovery and the like — situations in which preservation obligations as defined by the companies can differ somewhat from preservation obligations in the face of potential criminal exposure and government investigations. The FCPA authorities’ expectations concerning preservation are quite specific, and data preservation is an area in which they can be unforgiving. Preservation is an iterative process, and often involves adding records, custodians, and additional forms of data as the investigation progresses. Once initial preservation of documents is complete — and under some circumstances, contemporaneously with this preservation — the company may begin compiling and reviewing relevant records. In doing so, the company should determine whether any non-U.S. data privacy obligations, blocking statutes, or other logistical issues might arise based on non-U.S. laws, regulations, and rules. In addition, the company should develop an initial list of potential interviewees and identify any obligations that exist or could arise in connection with these interviews, recognizing the possibility that interviewees found to have engaged in misconduct may face potential legal exposure. Because FCPA investigations typically focus on conduct and personnel outside the United States, the relevant interview considerations are often complicated and vary from country to country. Each company, investigation, and individual interview will present unique substantive and logistical issues that must be anticipated and addressed before conducting (or even scheduling) the interviews. For example, before scheduling an interview with an employee, the company must know whether there are relevant local laws, rules, or practices governing the manner in which employee interviews should be 144
Conducting an Effective FCPA Internal Investigation
conducted; it should have considered the need for an interpreter; it must be prepared for a request by the employee (potentially during the interview) for representation by counsel; and it must have a plan in place should the employee begin incriminating himself or herself during the interview. The company also should recognize that issues identified during the course of the investigation may warrant or require employee disciplinary action, and, therefore, certain interviews should be staffed and conducted with follow-on litigation in mind. Moreover, the timing of disciplinary actions should be carefully considered because certain information may only be available from employees while they remain employed by the company. The company must also make an initial determination as to whether there is any obligation or other reason to disclose the investigation to the investing public, outside auditors, insurance carriers, government authorities, or any other stakeholders. The merits of self-disclosing an FCPA issue to the enforcement authorities is a particularly complicated and nuanced issue, which we touch upon later. The bottom line is that it is essential to devise a thoughtful strategy for assessing when disclosure obligations or benefits from disclosure may arise during the course of the investigation, and to remain mindful of this strategy throughout the investigation. Additionally, the company should determine whether and how issues identified during the course of the investigation should be communicated to stakeholders, recognizing that these issues typically arise as time-sensitive considerations. If warranted under the circumstances, the company should devise a strategy to manage media exposure if or when the investigation or allegations become public. If the situation requires, the company should also devise a strategy for responding to search warrants, subpoenas, and other outside inquiries. Depending on the circumstances, it may also become necessary during the course of the investigation to modify and enhance relevant compliance programs, internal controls, and other company policies that reflect lessons learned from the investigation. Finally, if outside counsel or other outside professional firms (e.g., forensic accountants) are involved, the company should determine a clear reporting chain between the company and the professional advisors. It is important to identify the company personnel who will be assisting with the investigation, and to remain mindful of attorney-client privilege issues that might arise.
145
Financial Fraud Law Report
Measures to Ensure that Attorney-Client Privilege is Protected If one objective of the FCPA investigation is to conduct it in a privileged and confidential manner, then the company should involve in-house counsel or outside counsel from the outset. The decision whether to employ in-house counsel, outside counsel, or some combination of the two may turn on a number of considerations. For example: • availability and experience of in-house legal resources (including experience in dealing with both the FCPA authorities, as well as other outside professional firms whose expertise may be required, e.g., forensic accountants); • comparative legal protections that may attach to the work of in-house counsel and outside attorneys, which vary widely from country-tocountry; • importance of the comparative independence attaching to work of inhouse versus outside counsel; and • in-house counsel’s role, if any, in the conduct at issue, or in designing, overseeing or previously reviewing the controls or business processes surrounding the conduct at issue in the investigation, and whether an outside party might consider any such role as actively or tacitly enabling or allowing the conduct at issue. Should the company elect to have in-house counsel conduct the investigation, most companies have protocols in place that maximize the protections afforded to such in-house investigative work. Similarly, if the company elects to involve outside counsel in some capacity, then it is prudent to impose a simple, but clear, structure to ensure that the investigative work benefits fully from the additional protections. For example: • determine and clarify which persons within the company constitute the “client,” and have the client authorize and direct the work of outside counsel;
146
Conducting an Effective FCPA Internal Investigation
• communicate to relevant company personnel that the investigation has been duly authorized; • establish appropriate reporting chains between counsel and client; and • make certain that no actions are taken to undermine the protections of attorney-client privilege and attorney work product. Counsel should also evaluate the steps that must be taken and the requisite formalities that must be observed inside and outside the U.S. to protect attorney-client privilege, attorney work product assertions, and similar protections in relevant foreign jurisdictions. Should the company engage other counsel or third parties (e.g., to represent individual employees, conduct an accounting review, translate documents, etc.), additional considerations must be addressed to ensure there is no unintentional waiver of applicable legal privileges and protections under U.S. and non-U.S. laws, rules, and regulations.
Knowing When the Investigation Has Been Exhausted In some investigations, it is relatively easy to determine when the work is essentially complete. For example, if the allegation is both specific and narrow, and the investigation reveals a compelling and benign explanation for the conduct alleged, then the investigation typically is complete. However, even when confronted with specific, discrete allegations, the decision of when to close the investigation grows harder if the allegations of FCPA violations prove to be true. In such a scenario, one key question is whether there is a basis for concluding that the established violations were clearly isolated. To illustrate this common scenario, take the situation in which the investigation has confirmed — as was specifically alleged — that improper payments were made to named government contracting officials by a particular business unit in Country A during timeframe [X]. Having confirmed the specific allegations, the company must decide whether to close the investigation at this point, or instead sample conduct around the perimeter of these payments to evaluate whether they were isolated. So, for example, should the company choose to sample payments: (1) made by this business unit in connection with other government interactions, e.g., payments to customs?; (2) made by this business unit to government contracting officials in Country B?; (3) 147
Financial Fraud Law Report
made by this business unit to the same government contracting officials in Country A, but during timeframe [Y]?; (4) made by other business units to the named government contracting officials in Country A during timeframe [X]? The answers to these and similar questions will turn on a variety of factors, but they obviously complicate the decision to close the investigation. And, of course, the greatest challenges to closing an investigation arise when the investigation becomes an exercise in “proving a negative.” In this very common situation, the decision of when to close the investigation will turn on a number of factors such as the credibility of the allegations. If the investigation establishes that many of the facts or premises underpinning the allegations are incorrect, then that may militate in favor of ending the investigation. For example, if the allegation is that payments were made by a named employee to a particular government official during a specified timeframe, and the investigation reveals that the named employee worked in some other geography during the specified timeframe, or that the particular government official left his position ten years prior to the period of the alleged misconduct, then those findings are relevant in deciding what to do next. Similarly, the closure decision should be informed by the quality of the evidence compiled to date. For example, it is more difficult to close an investigation based solely on the denials of the person accused of wrongdoing than it would be based on a thorough email review, or a determination — based on significant pressure-testing — that internal controls almost certainly would have prevented the alleged misconduct. Finally, the decision whether to continue an investigation also depends on the company’s risk tolerance, and the likelihood that the FCPA authorities or other outside parties will learn of (and be interested in) the allegations. If a company does not plan to disclose the issue, there are no reporting obligations to stakeholders, the issue is entirely historical, and it is unlikely that the issue will otherwise become the subject of a government inquiry, then the company may feel that it has gleaned enough information to implement productive compliance changes and thereby learn from its mistakes. In such a situation, the company might not elect to determine with certainty whether the historical misconduct occurred five times versus ten. However, if there is likely to be an outside disclosure of the issues, the company may elect to take additional investigative steps, or conduct additional sampling, with the objective of preempting
148
Conducting an Effective FCPA Internal Investigation
more extreme investigative measures taken by, or at the insistence of, an outside party (e.g., FCPA authorities, outside auditors, etc.) at a later date.
What to Do When a Violation is Discovered When an internal investigation reveals that an FCPA violation has (or appears to have) occurred, the company must make sure that the conduct has been terminated, implement any reasonable and necessary changes to its compliance program, consider necessary disciplinary action against involved personnel, and revisit whether to self-report the violations — or apparent violations — to the FCPA authorities. As to the last of these considerations, the decision to voluntarily disclose FCPA violations has always been a hotly-debated topic within the FCPA bar, and is one that cannot be addressed adequately in this short article. Generally speaking, there is no easy rule of thumb to guide this analysis; each decision to self-disclose should be based on a wide variety of factual circumstances specific to the individual situation. We share the view of many FCPA practitioners that there are compelling reasons to self-disclose under certain circumstances. However, there are practitioners, academics, media commentators, and others who see little benefit in doing so. While the recently-released FCPA guidance states that the Department of Justice and Securities Exchange Commission consider voluntary disclosure as a mitigating factor when assessing FCPA outcomes,1 a 2012 study found that the presence of mitigating factors, including voluntary disclosure, did not result in reduced sanctions in FCPA cases.2 However, the study could not rule out that self-disclosure did not result in some form of less-visible leniency.3 Moreover, the new whistleblower rules arising from Dodd-Frank may create additional incentives for companies to self-disclose FCPA violations since employees are now powerfully (financially) motivated to report FCPA violations. In short, while the issue of self-disclosure is complicated, a company must have a strategy for evaluating the merits of self-disclosure at the outset of its investigation, and as certain events transpire over the course of the investigation.
149
Financial Fraud Law Report
Conclusion Put simply, each FCPA internal investigation is unique, and you can be certain of only one thing going in: if you are unprepared or unwilling to modify your work plan along the way, you will end up doing either too much work or too little. While this approach may seem undisciplined, the reality is that a constant focus on the project objectives and work steps results in a much more effective and efficient investigation. At the outset of the investigation, the trick is to design a thoughtful preliminary work plan that anticipates the likely—if not unavoidable—twists and turns in the investigation. Identify critical decision points and anticipate that the investigation could change course at those points. Lay markers down at the outset of the planning process for likely developments, and thereby minimize surprises or rushed decisions by evaluating the options in advance. The purpose of this article is not to identify all of these considerations, but rather to emphasize the fluidity of an effective FCPA internal investigation and touch upon some of the key objectives and ingredients of any sound investigation.
Notes U.S. Department of Justice & U.S. Securities Exchange Commission, A Resource Guide to the U.S. Foreign Corrupt Practices Act (2012). 2 Stephen J. Choi & Kevin E. Davis, Foreign Affairs and Enforcement of the Foreign Corrupt Practices Act 21 (NYU Law and Econ. Research Paper No. 12-15; NYU School of Law, Public Law Research Paper No. 12-35, 2012). In an email responding to this study, a Justice Department spokesperson stated that “the department regularly rewards companies that voluntarily disclose wrongdoing through the use of declinations, deferred prosecution agreements and nonprosecution agreements, as well as significantly reduced monetary penalties.” Samuel Rubenfeld, Study Says Voluntary Disclosure Doesn’t Change FCPA Penalties, Wall St. J., Sept. 6, 2012. 3 Samuel Rubenfeld, supra note 2. 1
150
