In high-stakes world of FCPA internal investigations, information governance rises in importance

The US Securities and Exchange Commission and the Department of Justice have continued their escalation of enforcement of the US Foreign Corrupt Practices Act, with a large surge of corporate enforcement actions toward the end of 2014.

Increasingly, the US is not the only player in anti-corruption enforcement, with countries like Germany, the UK, China, and Poland all bringing parallel cases against companies for bribery and graft in recent months. Amid this intensifying enforcement environment, companies of all sizes and types are viewing internal investigations into corruption allegations as a key step in mitigating potential compliance failings and garnering leniency from government agencies.

Filtering through data, collecting the information necessary, and analyzing the evidence are all crucial parts of an investigation, and they cannot be done without an effective eDiscovery strategy. eDiscovery, or the electronic collection of information as evidence in a legal case, is not only useful for litigation, but as a tool for internal information governance, experts say.

Hal Marcus, an eDiscovery attorney and director of product marketing for Recommind, a San Francisco- based eDiscovery software company, is one such expert who believes that the lines between investigatory use and litigation use of eDiscovery and information governance are blurring.

“When you start an internal investigation you have to be ready to pivot into full-fledged eDiscovery very quickly,” Marcus said. Before joining Recommind, Marcus designed and launched new product lines for evidence and case management at companies like Thomson Reuters.

“You have a short time frame staying ahead of any other whistleblowers that may emerge and expose a violation externally to the SEC or the DOJ. You have to own it and explore any data you can find that can put it to rest quickly–meaning you have to prove a negative, which is never easy to do–or root out the problem and decide whether you’re going to self-report, what you’re going to present to your board, and what actions you’re going to take to remediate,” Marcus explains.

Information governance, data management intersect with FCPA compliance

With those high expectations, fact-finding and data analytics become a high priority for companies that are conducting an internal investigation. Marcus said attorneys should always care about fact-finding, whether it is reactive, in a litigation context, or proactive, in an investigatory context.

“You’ve got to get to the data that matters most. Your goal is to be confident that you’ve rooted out the problem and know the extent of the liability,” Marcus said.

Companies can use the same tools, platforms and analytics that empower fast review for litigation for an internal investigation, which requires some structural planning. Companies that are vulnerable to FCPA risks, including any US companies doing business internationally, may consider their information governance plan as a pillar of anti-corruption compliance. Marcus said businesses are beginning to become aware of the importance of data collection and eDiscovery tools.

“More and more corporations are beginning to get serious about this,” Marcus said. “There’s more attention being paid to not just litigation readiness but more broadly to information governance and how it overlaps with data privacy issues.”

Cloud-based data spread across borders creates investigative challenges

Companies that do this may be in a much stronger position if an allegation arises because they can quickly collect and analyze important data. Does this mean that larger companies with more financial resources will be at an advantage if they need to conduct an internal investigation? Not necessarily.

Although there are several factors that play into the effectiveness of an internal investigation, data processing can be effective for companies of different scales because of the broad platforms that exist to analyze the data. As smaller players are able to enter the international market, they may have less access to internal information governance systems, but they may have data in the cloud, which can be beneficial if they can access the data efficiently.

“The playing field is pretty level as far as your ability to leverage the data analytics tools. The real difference is: Where is your data and how are you going to collect it?”

Cloud-based data programs present an interesting situation for companies that exist in multiple jurisdictions – where does the data reside? In an FCPA investigation, this is particularly relevant as information about a multinational company or US company doing business abroad could be retained in several different locations, all with distinct data privacy laws.

In an internal cross-border investigation, companies must be aware of local laws so any data collection or transfer of information does not breach regulations.

Marcus said there’s no consistent best practice that addresses the challenges of a cross border investigation, but urges attorneys and investigators to be creative.

“Sometimes you have to be remote, sometimes you need to have feet on the street. Sometimes it means getting the information from the cloud, or getting the information to an intermediary country for processing and management,” Marcus said.

Working with companies with a global footprint and data centers in multiple continents allows investigators to have more options on how to creatively get data. Data privacy laws are constantly evolving, Marcus explained, and it is not uncommon for investigators to turn to local counsel who know the laws of the country where the information is physically located in order to remain compliant.

Email records, financial transactions are key data for internal investigations

In the investigatory process, companies have a short time frame to find the data necessary for self-reporting and analyze it for their own benefit. However, improving accessibility to data like electronic communications, financial records, and other information can be essential in an FCPA related case.

Tim Treanor, an anti-corruption lawyer with international law firm Sidley Austin LLP, said eDiscovery is highly important for internal investigations, especially in FCPA cases because of the communication records aspect.

“Electronic communications are created by people who are not considering the fact that they may have their communications reviewed at some point, and sometimes the communication happens contemporaneously with the events that are in question,” Treanor said.

“You’re not relying on peoples’ memories,” Treanor said. In a bribery case, emails won’t necessarily contain the word “bribe” or “corruption” or “kickback,” but they may be supporting evidence of a violation.

However, like many financial crime cases, confirming or refuting the existence of corrupt payments in internal investigations often comes down to following the money.

“Your biggest buckets of evidence include emails, text messages and then the second bucket is financial records, records of payments in particular,” Treanor said.

“Bribery is a financial transaction, so you have to look at your accounting records to see what you can learn about the movement of money.”