Navigating the pitfalls of cross-border investigations
July 2014 | SPECIAL REPORT: WHITE-COLLAR CRIME
Financier Worldwide Magazine
Conducting cross-border investigations is one of the biggest challenges facing global corporations today. There are obstacles at every step of a cross-border investigation, including initially receiving a claim or allegation; complying with foreign data privacy laws; using the appropriate staff and resources; respecting diverse employee rights; and remediating across borders. Understanding the pitfalls can help companies avoid critical missteps.
Cross-border investigations can be triggered from a multitude of foreign countries, in a variety of languages, and through different reporting channels. It is critical, therefore, when designing procedures for handling allegations, to consider social and geographical differences, and to have effective processes that enable managers to respond to allegations with the appropriate level of care and attention. Unfortunately, many companies that receive complaints of wrongdoing do not have a plan to deal with them.
Understanding the ways in which a cross-border investigation may arise and how to respond can ensure that it starts out on the right track. The most common trigger of a cross-border investigation is a lead or an allegation made by an employee of the company. Around the globe, employees have become empowered to raise concerns through a variety of reporting channels. For this reason, a company needs to be prepared to act efficiently when responding to allegations by developing case management and investigative procedures that align with the company’s standards and that take into account country-specific requirements.
The steps companies should take in handling cross-border investigations include the development of a thorough and well-designed plan to help the investigation team focus on the objectives and measure progress. There needs to be a detailed protocol that outlines which department or individuals will bear responsibility for overseeing the investigation, which could be the board of directors, the audit committee or senior management. In addition, before a company launches an investigation, it should consult with in-house or external counsel familiar with the law of the relevant jurisdiction as to whether the investigation can be privileged or protected. Local law may also limit the scope of the investigation.
Being sensitive to data privacy and regulations in individual countries is important in cross-border investigations. Companies are advised to not, for example, conduct an investigation in the European Union or in China, without first understanding what legal limits are placed on collecting and exporting data. For example, China has strict laws that prohibit the collection, review, and transfer of ‘state secrets’ and other information that is in China’s national interest. However, China’s laws do not define what are state secrets or national interests.
The data privacy laws of some countries may prohibit a company from reviewing certain data in a company’s own files unless the data was originally obtained to pursue the investigation, which is often not the case. One of the biggest hurdles is complying with restrictions on collecting and reviewing data in a company’s readily accessible files, such as emails on the company’s server, internet use records, documents on an employee’s hard drive, and even documents in an employee’s office.
Obtaining relevant data, however, is only the first step. Many foreign data privacy laws, including those in Europe and parts of Latin America and Asia, prohibit the transfer of data out of the local jurisdiction without first establishing data export channels. Another important difference between domestic and foreign data privacy laws relates to the confidentiality of investigation materials. Many countries require that, if requested, investigators disclose personal data included in investigation materials to the individuals who are targets of the investigation.
Interviewing employees who are located in a foreign country raises unique legal and cultural issues that are often fraught with pitfalls. In many countries, employees have the right to refuse to cooperate with an employer-led investigation, even if they are not its target. For example, in some jurisdictions, including parts of Europe, rules prohibit employers from requiring their employees to report incriminatory information about co-workers. Labour laws in many countries mandate that an employee representative or union committee be consulted before an employer may interview its own employees in an investigation.
Careful attention should be paid to the form and content of a report in a cross-border investigation. Some countries have data privacy laws that allow a target or a witness to have access to certain investigatory material, including a written investigation report. Being compelled to disclose data in this way could affect the applicability of domestic and foreign legal privileges and could expose the company to data privacy and defamation claims.
A company needs to keep in mind that an investigation report may contain data that is restricted from being transferred out of a jurisdiction, such as names of individuals, financial information or personal data. Therefore, the proper data export channels need to be established before providing a report to executives outside of the country.
Once the fact-finding stage of a cross-border investigation is complete, a company may need to remediate any issues identified, which could include correcting books and records, fixing control weaknesses, and disciplining employees. Taking remedial action can be an important determinant by regulators, both domestic and foreign, in deciding to charge a company with a violation of a law or to reduce the size of a criminal fine or penalty that might be assessed.
One consideration is how to handle employees found to have engaged in wrongdoing. It is critical that companies punish employees proportionately to their role in the misconduct, but it also is important to follow local regulations when doing so. For instance, certain countries require employers to notify an employee if he or she is going to be terminated for cause. Another key area of remediation is to address the deficient, insufficient or ineffective controls or procedures that allowed the misconduct to occur or to avoid being detected.
Given the challenges created by cross-border investigations and the increase in global regulations and enforcement actions, companies with well-designed cross-border investigation protocols will be positioned for more positive outcomes than those that are not prepared. At each stage of a cross-border investigation, there are unique challenges that require careful planning to manage the risks and to respond swiftly and appropriately. Companies must customise their procedures and resources to comply with different local laws and to respect diverse cultures and customs. Since allegations can arise from almost anywhere around the world, at any time, and in virtually any language, each company should consider the question: Are we prepared for the challenge of a cross-border investigation?
Phil Ostwalt is a partner at KPMG. He can be contacted on +1 (404) 222 3327 or by email: firstname.lastname@example.org.
© Financier Worldwide