Internal investigations by firms

Published: 05/11/2015     Last Modified: 05/11/2015 / Author: Jamie Symington
Speech by Jamie Symington, Director in Enforcement (Wholesale, Unauthorised Business and Intelligence), FCA, delivered at the Pinsent Masons Regulatory Conference 2015 on 5 November 2015. This is the text of the speech as drafted, which may differ from the delivered version.

It's a pleasure to join you today.

I want to talk to you today about a subject which may on the face of it seem quite narrow. But I believe it to be of sufficient importance and wide application to anyone whose business is potentially touched by regulatory or law enforcement investigations to deserve a some focus.

The subject is firms’ internal investigations: i.e. investigations undertaken by firms of their own affairs when things have gone wrong, either at their own initiative or through agreement with the FCA.

This is a long-established practice. Often such investigations and reports are prepared by firms where there is not a likelihood of enforcement action, i.e. they are prepared for internal purposes and/or may be shared with FCA supervisors. This is relatively uncontroversial. It is often the right and the best thing to do. 

Where things become more problematic is if firms want to conduct internal investigations of matters where there is also a possibility or enforcement action by the regulator. Great care needs to be taken not to prejudice any such action.

It is also a practice that requires a better understanding externally if there is to be public confidence in how we carry out our enforcement responsibilities. For example, I noticed media commentary on one of our recent cases where the practice was characterised as firms being allowed to 'mark their own homework'. 

And that indeed is one of the dangers that we need to be alive to. If internal investigations are to play a useful role, clearly the regulator cannot – and cannot be seen – naively to accept firms’ reports and conclusions. Let me be clear: that is not how we work.

It is worth saying at the outset, that there are many cases – perhaps the majority of investigations in my area of responsibility – when relying on firms' internal reports has no place. For example, we carry out criminal investigations of sophisticated insider-dealing rings and of organised boiler-room frauds, among many other things. It gets very gritty at times. Investigations need to be built piece by piece for enforcement to be successful. And I believe we have a world-class capability in terms of intelligence, investigative, subject and legal expertise to do this. The FCA’s track record tells the story. 

My point is not simply to blow the FCA’s own trumpet. But to illustrate that there are a range of different approaches to investigation strategy. Whether or not an internal investigation can play any part in this is something to be considered carefully on the facts of each case.

If internal investigations are to play a useful role, clearly the regulator cannot – and cannot be seen – naively to accept firms’ reports and conclusions. Let me be clear: that is not how we work

As a regulator, we recognise and indeed encourage the role played by firms themselves in the regulatory process more widely. Firms understand their own businesses, and should be best placed to examine what has happened when problems arise. Firms may need to establish the facts quickly and put measures in place to remediate an immediate crisis.

Firms are also the front line in terms of achieving good standards of conduct in industry and markets. Firms’ systems and controls should prevent things from going wrong. But if things do go wrong, then clearly firms bear the primary responsibility for putting them right. Firms need to establish the nature and extent of the problem, its root causes, where accountability lies etc for their own purposes.

In short, we recognise, and indeed encourage, firms to investigate proactively when there are concerns. 

So far so good. But where there are conduct concerns that also meets the threshold where the FCA may wish to investigate with a view to taking enforcement action, the alarm bells should ring. It is imperative that the FCA’s ability to take enforcement action is not prejudiced. Whether and how a firm investigates internally must now be looked at from the point of view of whether doing so will assist or inhibit the FCA’s investigation.

So what is the reality? What do we expect of firms? How much might we rely on, or influence a firm's internal investigation? What are the advantages, and the pitfalls? 

As with most things in life, there is a delicate balance to be struck between several different factors. I'll discuss some of those factors today, and try to do a bit of 'myth busting' along the way. 

Starting point: self reporting

The starting point is that where a firm has decided to investigate conduct concerns we expect them to consider whether it is appropriate to notify us, at the earliest possible opportunity. 

One of our high-level principles for businesses is that regulated firms must be open and cooperative with us, and inform us of anything about which we would reasonably expect notice. In our FCA Handbook we list circumstances where we definitely expect this, but of course the list is non exhaustive, and firms need to use their judgment. 

It is imperative that the FCA’s ability to take enforcement action is not prejudiced. Whether and how a firm investigates internally must now be looked at from the point of view of whether doing so will assist or inhibit the FCA’s investigation.

There is a balance to be struck – we would not encourage defensive reporting, a laundry list of every single issue emailed across on a daily basis. We expect firms to be able to judge how serious a problem is and where it falls on a continuum between urgent notification and potentially no need to tell us at all.

Self reporting, however, is the bare minimum that is required. Indeed, we have fined firms in the tens of millions for breaching our high-level principle of openness, by failing to tell us, promptly, something they should have.

Having said that, we are inclined to give credit to those who assist us in unravelling potential misconduct and help us conduct our enquiries quickly and efficiently. This is often where the firm's own investigation can be immensely helpful.

The benefits – efficiency and speed of outcome

That brings me to the most obvious mutual benefits when a firm chooses to promptly and fully deliver up to us the fruits of their own investigation: efficiency and speed of outcome. 

We sometimes hear feedback about how long our investigations take. In fact, the firm is very well placed to help us speed the process up. Fully transparent and expedient cooperation throughout an enforcement investigation can help bring matters to a concluded outcome much more quickly. 

A good example of all these benefits to firms in action is our recent FX settlements with five major investment banks. It's fair to say that we leveraged off investigations carried out by firms in a significant way throughout that case. 

That doesn't mean we just accepted their version of events. What it meant in practice is that they provided us the evidence they were uncovering without delay, and we reviewed it ourselves. We conducted our own investigation of some aspects in tandem, or subsequently if we thought matters were not addressed to our satisfaction. Until we reached the point where we understood the misconduct well enough to articulate the breaches that had occurred.

Our goal in an enforcement investigation is to reach an understanding of the evidence and the conduct, which is sufficient for us to form a view on whether there have been breaches or offences, and how serious they are. 

A firm will generally have readier access to the evidence. It knows its people, their roles and responsibilities, and how those might interact with the issues under investigation. It has direct access to its systems containing all manner of relevant data and communications. 

Independence

For this reason, it can be more efficient if a firm initiates or commissions its own investigation, before – and in some cases simultaneously with – investigating directly ourselves. Whether we do this will depend on all the circumstances of the case – often it will not be.

An important factor is whether we are satisfied that the firm's investigation has an adequate degree of independence. Sometimes this is achieved by the firm instructing a third party to conduct its investigation.

The benefits of this can be huge. But critically, the usefulness depends entirely on whether the firm is willing to share the output openly, fully and promptly. I will come back to this later.

Increasingly we find that senior management at firms are genuinely invested in working to understand root causes of problems at their firms and finding common ground between us as to the nature of the problems.

Early engagement with the FCA

So how can we seek to ensure a firm's investigation becomes a helpful tool to speed up a good outcome for the firm and for the regulator?

First, if it is a matter that would trigger notice to the FCA, or if the firm knows we have related concerns, then the firm must discuss the scope of its investigation with us as early as possible – I cannot stress enough how vital this is. 

At the FCA, where we carry out both supervisory and enforcement functions, the conversation will often be with Supervisors in the first instance. 

We don't necessarily need to input into every case. But generally we can only properly maximise the utility of the report to us if we have had the chance to comment on its proposed scope and purpose. 

Firms might balk at this as a one-way benefit. But in fact it is important to the firm as well, if it wants to get the best out of the exercise. If we have had no say in scoping, you might spend unnecessary time later trying to convince us why the scope you chose and the methods you employed hold up to scrutiny. Or worse, we will conclude that we cannot rely on the report you have produced and have to redo the investigation.

There will also be important risks to be managed. As I mentioned, there may be situations where we see the risks of prejudice to an FCA investigation as insurmountable. This is especially acute in a case of potential criminal offences. For example, tipping-off risks might mean it is not possible for the firm to conduct its own investigation without alerting individuals who the FCA prefers to monitor covertly for the time being.

Other risks are more manageable if approached with care. A key area of risk is firm interviews of employees. The circumstances in which a person is asked to give an account of events, or their own actions, can be critically important to the reliability and indeed the admissibility of that evidence in proceedings later. 

Firms will naturally have their own interests in mind, and these might not align completely with the aims of an FCA investigation, making a firm interview potentially inappropriate. 

The bottom line is that we encourage firms to be alive to the possibility that their own investigation could prejudice or hinder a subsequent FCA investigation. It's crucial that the firm discusses this with the FCA before taking action.

The ground rules

Some typical points we would seek to establish with a firm which is conducting an internal investigation include:

  • To what extent will we be able to rely on the report in any subsequent enforcement proceedings?
  • To what extent will we have access to the underlying evidence or information that was relied upon in producing the report?
  • To what extent, and on what basis, is the firm willing to disclose material over which they claim legal privilege, and how can we use it? This is a major area that I'll come back to later.
  • How will evidence be recorded and retained? This is another major area which I'll focus on later.
  • Have any conflicts of interest been identified? What are the proposals to manage them appropriately?
  • Will the report describe the roles and responsibilities of identified individuals?
  • Will the investigation be limited to ascertaining facts, or will it also include advice or opinions about breaches of FCA rules or requirements?
  • How does the firm intend to inform the FCA of progress and communicate the results of the investigation?
  • What is the expected timescale for completion?

Transparency is the key

But if there is one core value that I would stress and encourage above all, it is transparency.   

There are high-level boundaries, like the binding principle of openness I spoke about earlier. But when it gets down to the details of whether, how and when you choose to share specific documents, there are many obstacles you can unwisely choose to put in our path.

The bottom line is that we encourage firms to be alive to the possibility that their own investigation could prejudice or hinder a subsequent FCA investigation. It's crucial that the firm discusses this with the FCA before taking action.

We don’t typically encounter issues with firms sharing historic evidence gathered in the course of an investigation. For example, client files in mis-selling cases or order-book data on market conduct cases.

More problematic are documents that are created during the firm's investigation. We tend to have the most differences with firms around their attempts to withhold materials generated in an internal investigation, often based on a claim of legal professional privilege.

We fully understand and respect the needs and the rights of firms to claim and protect their rights to legal privilege where appropriate. But at the same time, firms need to take care when conducting internal investigations not to let legal privilege become an unnecessary barrier to sharing the output with the FCA. With care, it should be possible to strike the right balance.

How an investigation is carried out and recorded can impact on whether the output, or parts of it, are amenable to claims of privileged. If the output of a report and supporting evidence are not available to the FCA, it devalues the usefulness the whole exercise. This might require the FCA to undertake additional enquiries. So, we expect to agree in early discussions what will be provided to us. If not, firms are missing an opportunity to gain the full benefits.

For example, one of the most common areas of dispute is in relation to firm interviews of employees. 

A practice we sometimes see is for the investigation to produce only lawyers' notes of such interviews. No recordings, no notes by others including the interviewee. Then firms will sometimes argue that the notes of the interview are privileged. This sort of approach looks to us like a 'gaming' of the process in order to shroud the output of an investigation in privilege. We find it particularly unhelpful and unwelcome.

Similarly, it has sometimes been suggested to us that – in order to avoid waiving privilege –  firms would like to read aloud the output from investigations to us in a meeting, rather than to commit material into document form. 

It seems to me that this is an absurd way to suggest a that public authority should operate. If a regulated firm wishes to share information with its regulator, there should be no question but that it must be done properly, in a transparent manner, with a proper record. 

Most of the public would probably find it absolutely extraordinary that a firm would offer to read aloud something but not provide it in writing, or show us something but then yank it back afterward. It just doesn't pass the smell test.

Let me be clear: where firms propose to carry out or commission an internal investigation themselves – the starting point is that we expect them to share the core product of their investigation – i.e. the evidence  with us.  

If firms wish to get the benefits of carrying out their own investigation, they need to accept that as a regulator we will not accept terms where we will not get access to the product in a sensible and practicable manner.

It's important to bear in mind that information provided to the FCA does not suddenly lose all protections from onward disclosure. We may use and disclose information in furtherance of our own functions or to assist other regulators. But there are otherwise strict statutory restrictions on the onward disclosure of confidential information.  

Reports and underlying materials provided voluntarily to the FCA by a firm, whether covered by legal privilege or not, are confidential for these purposes and benefit from the statutory protections.

Even in circumstances where disclosure of information would be permitted under relevant legal 'gateways', we consider carefully whether it's appropriate to disclose material provided voluntarily by a firm.  

We appreciate that firms feel strongly about the importance of maintaining confidentiality. We know firms are more likely to volunteer information to us when they know that we're mindful of this sensitivity, and the impact of potential disclosure.

If we are considering disclosing materials voluntarily provided by a firm, the firm will normally be notified and given an opportunity to make representations.

Of course, there are exceptions, for example where notification to the firm might prejudice an investigation. But we certainly have no interest in deliberately undermining confidentiality or legal privilege.

Concluding remarks

Let me say in conclusion:

As a regulator, we have a job to do. We must look after our statutory objectives: protecting consumers, guarding market integrity, promoting competition. Those things come first. We are willing to be creative and work with the regulated community on how we achieve those goals.

But we have to operate with certain core values. And in an enforcement investigation, we need to get at the facts and the evidence. We want to do that in the most efficient way possible without compromising rigour, fairness and justice to all parties. 

Contrary to some commentary, we never 'subcontract out' our investigative responsibility to the firms themselves. I have explained how we work with firms in cases where we are happy to accommodate a degree of internal investigation. We will never do this without testing the evidence ourselves. Often investigating further in parallel or in follow up. Crucially, we always reach our own conclusions on the evidence.

We are encouraged to find that where the tone from the top at a firm is a genuine search for root causes, firms are more willing to live up to working in a joined-up way with us.   

So what are the most important points I would like you to take away from this talk, in relation to the FCA's expectations of internal investigations by firms?

First, where there are conduct concerns that you expect the FCA might want to investigate, you should engage with us at an early stage. That way we can discuss and agree some ground rules if you are considering doing or commissioning an internal investigation.

Secondly, is the importance of transparency. The methodology of the investigation is critical. If we can't gain proper access to and records of your investigation, then then it is of little use to us and indeed ultimately of little use to you. We may have to reinvestigate the matter ourselves. The process takes longer, and you can't expect credit for that.

As with many aspects of regulation, communication, trust and transparency between the regulator and the industry are what make for success. That is what we encourage. That is what we reward.

Back to top >