Global financial organisations face requests for information from both local and overseas courts and regulators. Supervision and enforcement teams within national regulators are collaborating and the overlap between regulatory investigations and litigation is growing. Increasingly, multiple prosecutions of the same wrongdoing by different government agencies, foreign regulators and private plaintiffs are occurring.When responding to this potential wave of requests, there are number of practical and legal challenges that exist. Businesses under investigation, or conducting  internal investigations, need to be able to access and examine information, assess culpability and respond to regulators or self-report quickly and accurately, often within weeks of the initial request.

Data mapping

To resolve these challenges, companies need to ensure that a multi-faceted strategy is in place, which is regularly updated and reviewed. The first step towards an effective approach is a data map which comprehensively illustrates where and how data is stored. This is made all the more important by the prevalence of mobile devices used by an increasingly mobile workforce for business and personal communication, and the difficulties of locating and managing data generated by those devices. The potential importance of information which may be generated when such tools are used must be appreciated.
Moreover, the establishment of a growing number of social media sites upon which individuals may conduct communication that becomes relevant to an investigation or litigation, adds to the already complex web of data which must be reviewed.

Review strategies

Several steps need to be taken to ensure that data is collected and reviewed in the most time and cost effective manner.

• Prior to review, companies need to collect and de-duplicate their data. This is particularly relevant for electronically stored information (ESI) which is easily and frequently duplicated. De-duplication strategies are important to prevent the same information being reviewed by outside counsel more than once.
• Conversely, organisations need to consider whether a duplicate of a document which is stored in a foreign jurisdiction forr example, the US might actually assist the disclosure of documents to a regulator based outside of the EU by enabling the organisation to respond to a request without breaching stringent EU data protection legislation.
• Businesses need to implement strategies to deal with the review of foreign language and multi-language documents. Software which is able to quickly identify languages and group documents containing particular languages together will be invaluable to this exercise

Technology

As the nature of data used by businesses continues to evolve, so too do the technologies created to review it. Companies should keep abreast of and, where appropriate, apply cutting edge technologies to accelerate review. For example, audio evidence can be critical to legal proceedings and the review of speech requires technology which is able to decipher, and facilitate the search of, local dialects, accents, languages and the peculiarities of pronunciation and abbreviation. This is a challenging and developing area but one which financial institutions will have no option but to embrace.   

Data protection

Data protection legislation is a trap for the unwary. Tension exists as organisations:

(1) are encouraged to self report early and cooperate with regulators for fear of damage to reputation and massive fines, and yet

(2) must ensure compliance with local data protection/privacy requirements, which may require that personal information remains private and is not transferred across borders under any circumstances
For example, a European business may be asked to produce evidence to defend against litigation or regulatory investigation initiated in the U.S. While it is not possible to resist these demands for information, organisations need to be mindful of the risks involved in transferring data across borders, and implement strategies to minimise the risk of breaching local data protection regulations. 

An option which can assist here is to process and review data in-country, on the business site, in order to remove extraneous personal information from the document population and to minimise the risk of transferring anything other than that which is relevant to the request. However, this must be undertaken in consultation with local lawyers who are able to advise upon the idiosyncrasies of local data privacy legislation.

Multiple regulators

The trend for multiple regulators to become involved in investigations has increased. For example, the on-going Libor investigation has involved several authorities including the U.S. Department of Justice and Commodities Futures Trading Commission, the Canadian Competition Bureau, the European Commission and Japan’s Financial Services Agency.

Each regulatory authority is able to request categories of evidence to satisfy its particular requirements and may seek information at any time either during or at some time after the initial investigation or enforcement action has taken place. The extensive preparation undertaken when responding to an initial regulatory or internal investigation may uncover information which will also be useful for future litigation and investigation. To save time and costs, it is therefore imperative for businesses to establish an efficient system of archiving that enables them to retain this information.

Conclusion

There has been a dramatic increase in the collaborative level of cross border enforcement by government regulators and the courts. Waiting for a dawn raid or service of a writ before considering response strategies is not an option. It will lead to organisations giving inadequate responses and potentially receiving increased fines and penalties, causing damage to the corporate reputation.Proactivity, engagement with technology and vigilance in monitoring the organisation’s information will aid an effective response.

Deborah Blaxell is Legal Consultant at Epiq Systems