Episode 1, Corporate Crime and Investigations: Triggers for investigations

10 May 2023

Ruby Hamid, co-lead in Ashurst's global corporate crime team, is joined by Tom Mercer, Duncan Liddell, Ruth Buchanan and Matt Russell, partners in Ashurst's corporate, competition, employment practices and Ashurst's Risk Advisory practice.

In this episode, Ruby, Tom, Duncan, Ruth and Matt discuss the triggers they have seen in 2022 and how clients can manage investigation risk.

The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to. Listeners should take legal advice before applying it to specific issues or transactions.



Hello, and welcome to the Ashurst Corporate Crime and Investigations Podcast series, where we explore a range of aspects of investigations and bring to you some of the insights that we've gained from carrying out investigations for our clients across a wide range of areas. I'm Ruby Hamid, I co-lead Ashurst's global corporate crime team, and I am delighted to be joined by my partners, Tom Mercer, Duncan Liddell, Ruth Buchanan and Matt Russell, who respectively are partners in our corporate, our competition, our employment and our risk advisory practice.


Yeah, so what's been keeping us busy over the last year, I would say is more of a focus in terms of employment investigations in the area of non-financial misconduct. And just to explain a little bit about, I guess what I mean by non-financial misconduct, that's a term that's typically used in the financial services sector, but it's also relevant for other sectors as well. But it's basically conduct that doesn't specifically relate to the performance of somebody's role. But rather, something that could have a corrosive effect on an organization's culture or personal behaviour that might erode public confidence in a particular profession.


So where do you see non-financial misconduct coming up, Ruth? How does it manifest itself? How does it trigger an investigation?


So really the types of behaviour that tend to trigger this type of investigation really relates to kind of allegations of things like discrimination, sexual harassment, bullying, victimisation. But what we're starting to see is that those cases are increasingly looking at not just what happens during the course of a normal working day, but also what happens during an individual's personal life. And so, that might be cases where conduct arises between colleagues but outside the working environment. So for example, things that happen in the pub or after work related events. But another area is actually where the personal conduct complained of is totally separate from the individual's day job, but where the complaint comes because they feel it's relevant to a firm's reputation to the ethos of the firm or an individual's integrity.

And so, just by way of example, we've seen cases where people have complained about people's dishonesty outside of work, whether that they've been lying in applications for planning approval or for personal memberships of things. But kind of what I found particularly interesting are those cases that have arisen where people have, for example, made comments on social media entirely in their private life with a subject that they might feel strongly about. For example, something where they have a particular political or philosophical belief and that's gone against the particular ethos of an organisation. And there's been real challenges, I think, for employers and how to balance where you might have two colleagues that have totally different views on things, and where do you balance that as an employer?


And I guess, Ruth, if it's social media, then it's a visible source of content for an employer to look at and decide if they take issue with it. But how else are employers finding out about bullying or harassment or inappropriate conduct?


So I think there's kind of different ways that employers become aware. Partly it's through normal HR process, so grievances, whistleblowing rates as I mentioned. But also, I think we're starting to see employers become much more sophisticated in terms of how they monitor their employees and also, that's coming as a result of regulator pressure as well. And so, sophisticated means of monitoring will mean that employers are detecting language which indicates misconduct. And so, it may be triggered and captured through that route.


That's a really interesting read across to other areas of misconduct, my area, which is financial crime, but also, Duncan, yours as well in the competition arena. I think that we've seen in the last decades some very big competition infringement cases that have involved the language that individuals use in corporate communications.


Yeah, that's absolutely right. I mean, in fact, nearly all competition investigations turn on the conduct of individuals and the communications between individuals and their counterparts at other firms, whether that be on email, whether it be on Bloomberg chats, whether increasingly on social media or instant messaging. And similar to the issue that Ruth raised, that internal supervision and internal compliance are increasingly leading to internal investigations on conduct. In the competition space, another area where companies become subject to investigations and therefore, have to do their own investigation is where the regulator comes knocking on your door, either a dawn raid or with a request for information.

And very often, the regulator's own investigations are kicked off by other firms whistleblowing, i.e., making use of the immunity and leniency regimes that most competition authorities have. Now, in the past, those sort of immunity and leniency applications have been a huge driver of competition investigations. That has become increasingly less the case over the last few years. And that has been as a consequence of the growth in follow-on damages claims. So after the damages directive and with specific legislation in the UK allowing damages claims to be brought on the back of competition authorities' infringement decisions, the risk benefit analysis of making use of the immunity and leniency regimes has changed really fundamentally.

In the past, a company that had discovered anti-competitive conduct could effectively immunise itself from the impact of fines as a consequence of that by effectively blowing the whistle on everybody else. And ultimately, the decision was actually quite often a very straightforward one. You knew you would otherwise be fined a large sum of money, hundreds of millions in some cases. But if you went in first, you didn't. But now, with the growth of follow-on claims and in the Competition Appeal Tribunal, the specialist body in the UK, there's now, I think currently about 186 sort of follow-on damages claims.

The balance of the assessments changed because in some cases, the liability for damages to third parties arising from the conduct is significantly greater than the fines that would be imposed by a regulator. So there are some claims in front of the Competition Tribunal that are running into the billions, one relating to interchange fees, which has sort of started at 14 billion and the trucks litigation where it's in several billion being the numbers. And that means that you might well sort of avoid a fine, but that fine might be in the tens of millions.

But by effectively triggering an investigation by the regulator, you are making yourself liable for damages claims that might be in the hundreds of millions. And that means that the regulators have had their source of information about investigations drying up and they are having to find new ways of getting the information needed to commence those investigations and ensure that anti-competitive conduct isn't taking place in the market.


So absolutely huge scale in terms of value. And these cases go on for a long time, don't they?


They do. I mean, from the starting point of a regulatory investigation by a competition regulator, whether that be the European Commission or the Competition and Markets Authority in the UK through to the end of the follow-on damages claims, it can be decades literally. And that has its own consequence. It means that if you are as a company, you have identified potentially anti-competitive conduct and you're trying to evaluate what needs to be done, you have to be able to be getting a very good grip on both what is the substance of conduct, what's its scope, how far does it go? But you also need to look ahead to the future and say, well, what might my possible liability be? Have third parties been adversely affected by that?

If so, what is the quantum of the loss that they might have suffered? And what might be the quantum of any damages claims that might be brought against us? And all of that plays into your strategic and tactical decision-making when you're actually managing your investigation. Because every decision you make about who do you investigate, who do you interview, how do you interview them, how are you preserving privilege, all needs to be thought about with proceedings running into the next sort of 5, 10 years into the future.


These are very important risks to avoid. Duncan, how do our clients avoid that sort of challenge?


Well, it comes down to the archetypal focus on good compliance and ensuring that the risks are identified, that you've got proper compliance processes in place, that people understand that the training's regular. All the usual stuff that is central to any kind of risk management. And it's just becoming increasingly important in the competition space. But it's not just the competition space, of course, it's across all conduct risk areas.


Matt, I'm going to bring you in here because your practice is about helping clients reduce conduct and investigation risk by looking at compliance programmes. How would you bring in compliance in the areas that Ruth and Duncan have talked about as well as others?


I suppose building on what sort of Duncan was saying there, I think it is having that more holistic view of compliance and a more holistic view of the risks themselves. Because if you reflect on what both Ruth and Duncan have just talked about, the underlying theme is personal conduct. Whether that's the appropriate conduct with staff or how you are interacting with competitors. And I think by looking at those risks more holistic, you can start to avoid those pitfalls that come with those organisations that perhaps look at some of those risks through the lens of the respective silos. And I think the benefits of doing so I think are at least threefold. So firstly, I think it minimises duplication of effort. And I know we've talked about cost in the context of some of these investigations, but the actual cost of the compliance programmes and the systems themselves I think are expensive for organisations and difficult to maintain.

So by looking at holistically or trying to minimise that duplication of effort, so trying to use systems and the controls perhaps more broadly and broader applicability. And I think related to that, it also reduces some of the inconsistency that it might be around how you address each of those risks. And those inconsistencies are often where the regulator will focus on, if there is any investigation. I think secondly, it also reduces the possibility that you have some regulatory gaps within those controls and having some of the activities fall between those gaps because each of the programme owners think that perhaps somebody else was dealing with an aspect of either the risk or the corresponding control. So it reduces that possibility.

But I think thirdly, it also ensures that the organisation is able to really understand the risks, the relationship between them and those corresponding controls. And I think it's that ability for the organisation to demonstrate that they've understood the risk, which is where I think the regulator is increasingly focused on. And if I look at my area of financial crime compliance, that's been an area where the regulator, the FCA, has been calling out those organisations that perhaps don't have that understanding of what risk they have. But more particularly, how the particular controls mitigate those risks. So I think looking at it holistically, hopefully, ensures that we're able to do so.


And Matt, while I've got you, can you give us a short insight into what trends you've been seeing in investigations in your area, in financial crime this year?


I think the primary trigger Ruby has been around the economic downturn, and I think that's having two clear impacts. The first one is that whenever you've got an organisation that's got those financial pressures, the expectation is that the risk is at least more sort of misconduct. Particularly, where sort of management is under pressure, whether that's from a forecasting perspective or in the space of having to recognise revenues, for example, for longer term contracts. So there's a risk, there's pressure to manipulate those figures at this time. I think the second element though that now needs to be considered is the role of the auditor and how they're undertaking sort of their audit responsibilities.

Because there's an increasing focus and pressure on them to ensure that they're challenging and having suitably robust challenge of management in relation to particularly any sort of management representations. Or just any areas where there might be an area of judgement. And we're seeing them actually often turn to more sort of specialist investigations where they need to be able to demonstrate again, to external parties that sufficient scrutiny is being applied in relation to those areas. And all that does is sort of echoing what Duncan was saying, it just impacts on management's ability to be able to do the day job. And obviously, it impacts on the time required for them to be able to service those sorts of investigations.


Well, that's really interesting, Matt. Tom, you think about things from a large company and often listed company perspective. How are your clients managing the investigation risk in these areas? What are the consequences as you see them?


Yeah, it's interesting. I mean, if we look at public companies for a minute, public companies have the overriding disclosure obligations of the Market Abuse Regulation imposed upon them. Which really goes to a lot of the points that we've talked about on this podcast around the multifaceted nature of investigations. By which I mean this, if you went back 10, 20 years, companies were subject to the same rules they are now, around having to make disclosures if they had publicly traded securities. But the sorts of things that companies had to disclose tended to be a little bit easier to digest. It was demonstrably material things like a takeover approach or a significant dip in profitability that hadn't previously been publicised - a profit warning.

As the world gets more complex and other regulators take a greater interest in companies with listed securities, so too have been the heads under which disclosure obligations are engaged and therefore, the areas where care needs to be taken if a listed share is who doesn't want to find themselves on the wrong end of an FCA investigation. And that's partly because in a way, from an FCA perspective, the smoking gun that they need to commence an investigation into whether a company has complied with its MAR obligations can be as simple as a very abrupt share price movement. That's it, and we've certainly seen the FCA take a much more interventionist approach in the last few years to investigating companies' compliance with MAR.

So these days, the best advice I can give a busy company secretary or general counsel is always to ask the question when encountered with any problem in the business, is it also a MAR problem? Because if it's material enough, it may well engage the company's disclosure obligations. And if those disclosure obligations aren't discharged, the company may be on the wrong end of an FCA investigation as well as an investigation into whatever the subject matter of the issue is. It also works in reverse. It's interesting hearing Ruth talk about personal conduct issues in relation to employees, private and public enterprises.

In the public company context, it wouldn't be at all unusual, particularly these days where whistleblowing is more widespread, for there to be a scenario where there is a whistle blown potentially around personal conduct and for that conduct potentially to relate to the financial affairs of the company, if it's a person whose role is financial in nature. The question that the company must ask when considering its internal investigation into that is not just, is there a problem in relation to this individual and their employment relationship with the business and their relationship with other people. But is that problem sufficiently grave to potentially lead us into a disclosure obligation?

And if it does, the key advice is to ensure that the internal investigation recognises the possibility, but whatever the outputs to that investigation are, they themselves may need to be announced. And if they're not, there could be a separate FCA investigation into the first internal investigation. So it all gets quite complex, but I would always encourage listed public companies to have that MAR consideration up front of mind. Because the FCA, as I said, are really showing a propensity to review this sort of thing after the event.

The second point I'd make is that most of that linked quite neatly into what Matt was talking about. Because as it's hard avoiding investigations into MAR compliance and general compliance with listed company obligations is directly linked to governance and to systems and controls. Not that I would necessarily recommend it for a rainy afternoon, but if you go back and read some of the FCA's most recent decisions where they sanctioned companies and individuals for breaching the rules, usually MAR, but often other listing rules or AIM rules, they often at the same time censure the relevant company for not having systems and controls, the regulatory perspective seemingly being that if companies do have good systems and controls, which are bespoke to the company and its sphere of operations, with relevant stakeholders, understanding not just the rules but the risks the company faces, there is less likely to be an instance of non-compliance with those requirements.

But the third thing I would just conclude with in terms of offering a little bit of hope here to companies is that certainly the FCA in its most recent decision in relation to company called ConvaTec and its chairman, Sir Christopher Gent, did suggest to me that the FCA is focusing on personal conduct. Which in a way is comforting because what the FCA in that case wasn't focused on was whether the company had reached the right conclusion on whether it needed to disclose a particular piece of information to the market. In that case, the individual was sanctioned for their own conduct in relation to the handling and dissemination of inside information.

And a number of observers, myself included, wondered why it was that the FCA hadn't actually gone after the company in that case, but seemingly for not concluding that the information the chairman had was inside in the first place. And that's a real area of anxiety for most companies who handle information like this. But what it says to me is that companies may get a little bit more tolerance from the FCA as a regulator if they come to the wrong conclusion in relation to decisions around disclosure but they followed appropriate systems, appropriate governance, and although it didn't happen in this case, individuals conduct themselves properly. And a particular area of focus, I think that listed companies or other companies with publicly traded securities must focus on is record keeping.

Because what we've seen time and time again, both in relation to financial services investigations, and of course, I've listened over the years to Duncan talking to clients about competition law well enough to know the same is true for competition regulators is that records are critical. And my advice simply is if companies don't create proper records of deliberations in relation to regulatory obligations or investigations internally, the records that do exist will speak for themselves. And if those records are email correspondence or instant messages or some other form of non-formal communication between people, that can be where danger creeps in, because those will very rarely correctly record the right process in relation to these investigations, the right governance and will often create significant hostages to fortune.


Tom, thank you. That's a really interesting way of pulling everything together and as you say, giving our clients some hope about ways to manage and reduce investigation risk. We are at time, so I'm going to just stop for a minute to thank Tom, Duncan, Ruth and Matt for joining us on this episode. If any of our listeners want to get in touch with us, then you'll find our details on the Ashurst website. And if you'd like to learn more, then look out for the next podcast in this series. We'll be looking in later podcasts at how we deal with the aftermath of an investigation, outcomes, remediation, follow-on risks, and how we learn lessons, so do please join us. If you don't want to miss future episodes, do subscribe now on your favourite podcast platform. And if you'd like to keep the conversation going, leave us a review or a rating and let us know if there are any topics you'd like us to cover. Until then, thank you for listening.
