By Daniel Martin and Anne-Marie Ottaway
November 27, 2021
Allegations of sanctions violations can come from many sources, including regulators, banks and other counterparties, press articles, pressure groups and whistleblowers. Any allegation needs to be taken seriously, given the potential for significant fines, severe reputational damage and other commercial repercussions.
At the same time, an investigation can be hugely time-consuming and a major distraction from the day-to-day running of a business. It is important to get the balance right so that your investigation enables you to understand what went wrong, how to deal with the consequences and how to ensure it does not happen again.
This article outlines the key considerations for an effective sanctions investigation and focuses on the most common scenario – an investigation being led by the company’s global counsel or head of compliance.
There are five key stages:
- Identify the purpose and the scope of the investigation.
- Build the team and manage the process.
- Document preservation and review.
- Identify and interview the key witnesses.
- Report fully and promptly.
Stage 1 – Identify the Purpose and the Scope
While there is a natural tendency to think the purpose of the investigation is to uncover “the truth,” that is unfocused and will make it difficult to be clear about the precise scope. It will also make it difficult to control the scope, extent and timescale for the investigation, as it is easy for one avenue of inquiry to lead to others, without ever reaching a conclusion. A clear scope and specific timeframe are critical.
The purpose (and, therefore, the scope) will be driven by many factors. The first relates to the underlying violation itself: has there been intentional criminal conduct or is it more likely that there was a lack of knowledge, information or attention? Does the investigation arise because of a concern that a company has itself committed a sanctions violation, or is the investigation being carried out because the company has a particular regulatory or reporting requirement which it needs to satisfy?
The second relates to the “audience” for the final report – is it going to a regulator, or is the company primarily investigating to satisfy a shareholder or counterparty, such as its bank? Before writing a report for regulators, you need to think about their requirements.
We have seen marked differences between competent authorities in EU member states when considering potential sanctions violations. The information required varies, as does the likelihood of a penalty.
Having identified the purpose of the investigation, decisions can be made about the scope. This includes the period under review. What is the relevant period – is it defined by a change in the legal framework (with developments in the sanctions landscape creating new risks for the company), a change in corporate structure or ownership (for example, increasing ownership by US persons or by institutional investors) or a change in personnel (arrivals or departures of key individuals)?
Geography needs to be considered: does the investigation cover all of the organization’s offices or is it more targeted? Is it necessary to identify US nationals in the organization to check whether they have violated US laws? Where are the most relevant subsidiaries located?
If the organization has several divisions or business lines, it may not be necessary to investigate every unit. This will depend on the underlying transactions and processes being investigated, as well as the organizational structure of the business and the roles and responsibilities of particular individuals. It may also depend on the nature of business units’ suppliers, customers or areas of operation.
These are just some of the factors to consider when defining the scope. A clear definition enables those running the investigation to measure progress and ensure they remain on track. It is still necessary to keep a somewhat open mind, as the investigation may highlight other regulatory issues that need to be looked at. If possible, these should not distract from the main investigation, as few organizations have the resources to run two internal investigations at the same time.
Stage 2 – Build the Team and Manage the Process
Identifying those individuals who will run the investigation is critical. They need to have the necessary expertise, skills and time to ensure the process runs smoothly.
Management needs to determine proportionate resourcing and dedicate sufficient resources to ensure the available facts are investigated promptly while minimizing disruption and cost (in terms of opportunity cost and/or external expenditure). If the organization wishes to ensure the investigation is covered by legal advice privilege, external lawyers will likely need to be involved.
Some other important considerations include: will the team be entirely made up of company employees, or is there a need for external support? What are the reporting lines – does the team report directly to the board or is there a different structure? Do those leading the investigation have the necessary skills and an understanding of the likely approach and attitude of the particular regulator? Are there issues of confidentiality, data protection or personal interest, and how will the organization ensure that sensitive documents or information do not leak?
An investigation needs to be managed, just like any other project, and there should be clear interim milestones with timelines: collecting evidence, interviewing witnesses, analysis and drafting, among others.
There may be a need for an interim change of personnel or process. Certain business activities may need to be suspended pending the investigation to ensure no further breaches.
There is a need to move quickly, as the company should ordinarily report a sanctions breach promptly. Even if an investigation is underway, it may be possible to submit an interim report, with a more detailed report following once the full facts are known.
Stage 3 – Document Preservation and Review
All of the relevant documents need collecting and preserving. After becoming aware of an issue, preservation – for example, the suspension of any routine data destruction policies and a “litigation hold” on relevant email accounts – should be undertaken as soon as possible and before any individuals who may be implicated become aware of the investigation.
Relevant documents will, of course, include emails as well as instant messages on applications such as WhatsApp. It may be necessary to take possession of company-issued physical devices and to access records on a server.
Ordinarily, documents will be uploaded to a secure third-party site so that they can be reviewed using keyword searches, filters and other automated tools, and so that there is an audit trail.
Once the documents have been reviewed, witnesses should be asked about any inconsistencies between their initial evidence and the documents.
Stage 4 – Identify and Interview the Key Witnesses
Talking to the key people is, of course, critical, and they should be allowed to “have their say”. It can be valuable to start this process with an open mind as opposed to a pre-determined view of what happened, why, and who is responsible. People may say things that surprise you if you use open questions and are prepared to listen.
One important decision is the sequence in which witnesses will be interviewed. As soon as you start talking to one or more people, it may become increasingly difficult to control the process, as people will inevitably speak to each other, however much you try to stop them, and that may make it more difficult to get a true and complete version of the facts.
It is often best to have initial discussions with all of the witnesses as soon as possible, with more targeted second interviews at a later stage so that at least you can collect the initial evidence in as unfiltered a way as possible. Even so, there may still be a need for tactical decisions as to the sequence of interviews – is there a critical witness you need to talk to before anyone else and before he or she is aware that an investigation is underway?
Think also about who will carry out the interviews and how they will be conducted. Interviews would ordinarily be in person, but consider whether a remote interview, which may be more discreet, might be preferable. In either case, it is important to keep full and accurate notes of the interview.
Consider whether a regulator will expect to be provided with notes of any interviews you conduct, and whether the notes may be covered by legal professional privilege.
Stage 5 – Report Fully and Promptly
There are several facets to the report, which, depending on the audience, may be included in one document. First is the report of the full factual circumstances based on the interviews and document review.
Next will be an analysis of what, if any, sanctions violations occurred and an indication of why, such as lack of understanding, lack of due diligence, or third-party concealment of key facts.
Subsequent steps will need consideration: is it necessary to engage further with regulators and other stakeholders and, if so, how? Will a formal self-disclosure be filed, is there a need to notify third parties, or is this purely an internal matter?
Finally, there will need to be a record of your mitigation measures and, more specifically, the actions being taken to ensure that whatever went wrong will not happen again. Regulators and other stakeholders will look for evidence that the company is taking the matter seriously and that there will be no future sanctions breaches.
The company should use the report as an opportunity to persuade the regulator there is no need for formal enforcement because the necessary steps have already been taken.
Daniel Martin is Partner and Head of the Global Regulatory Practice at international law firm HFW, a member of the ACSS Editorial Taskforce, and a board member of the ACSS London Chapter. Anne-Marie Ottaway is Partner in the Global Investigations and Enforcement practice at HFW and a former Serious Fraud Office prosecutor.