In the midst of ongoing sanctions investigations and enforcement actions, companies are faced with yet another challenge: interested third-party stakeholders. Companies must decide who to share information with, what levels and types of information to share, how to share information, and how to mitigate the risks of loss of legal privilege, leaks, and triggering disclosure/reporting obligations by others.
In this blog post, the Global Sanctions Investigations Group focuses on three critical third party stakeholders – auditors, shareholders, and customers – in the context of sanctions investigations.
Auditors
Engaging with auditors during an investigation requires careful timing and strategy. Auditors should normally be notified early in the process, especially if the sign-off of financials is imminent, to avoid any delays in filing. However, jurisdictional differences may necessitate a more nuanced approach on what, when, and how to report issues to auditors, including whether such disclosures may prematurely trigger the auditors’ own reporting obligations, such as potential money laundering reporting. For example, as India has empowered auditors to report instances of fraud more vigorously, disclosures made to auditors could become public information and may raise the risk of parallel enforcement by other global regulators such as the US Treasury Department’s Office of Foreign Assets Control.
When sharing information, it is crucial to preserve legal privilege. This means providing enough detail to anticipate reasonable questions or prevent delays, but not so much detail that privilege is lost. We have seen companies focus on sharing facts rather than impressions, and in our experience oral presentations rather than written disclosure should generally be sufficient, especially at the early stages of an investigation. Additionally, as noted in our previous blog post, privilege protections are not the same across jurisdictions and will require a careful approach in managing auditors’ expectations.
It is also important to understand the auditors’ role and focus, which typically revolves around material financial risk and information relevant to reasonable investors. This differs from the company’s focus on legal risk exposure under relevant laws and affects the type of information that can and should be shared with auditors.
Shareholders
When companies need to address sanctions investigations in their public filings, it is important to balance the need to comply with securities law obligations to disclose certain information relevant to a reasonable investor while carefully managing legal and regulatory risks. Companies normally provide high-level disclosures outlining just the material information related to the sanctions investigation, such as the nature of the investigation, the potential impact on the company’s operations, and any significant developments. In addition, companies could consider highlighting the steps being taken to manage and mitigate risks associated with the investigation. Forward-looking statements could be used to outline the potential outcomes of the investigation and their possible impact on the company’s future performance. These statements will need to be carefully crafted to meet securities law requirements and avoid creating undue concerns while providing a realistic assessment of the situation.
When a shareholder demands more information, this can create several risks for a company, particularly concerning the loss of attorney-client privilege and potential lawsuits. As discussed in the context of auditors, sharing detailed information with shareholders can inadvertently waive the attorney-client privilege. In addition, once information is shared with shareholders, there is a risk that it could be further disseminated, either intentionally or unintentionally. This can lead to broader exposure of sensitive information, increasing the risk of regulatory scrutiny and competitive disadvantage.
Disclosing information to shareholders can also increase the risk of lawsuits. Shareholders may use the disclosed information to file derivative suits against the company or its directors, alleging mismanagement or breach of fiduciary duty. This can lead to costly and time-consuming litigation.
To mitigate these risks, we have seen companies focus on providing high-level factual summaries rather than detailed legal analyses or opinions. This approach helps maintain the confidentiality of sensitive information while still addressing shareholders’ concerns. Implementing non-disclosure agreements with shareholders can provide an additional layer of protection, but they are not foolproof and cannot fully eliminate the risk of privilege waiver or further leakage.
Customers
When responding to customer queries about reported sanctions violations, companies should aim to be transparent, reassuring, and of course compliant with legal requirements. It may be beneficial for companies to start by acknowledging the customer’s concern, demonstrating that the company values transparency and customer feedback. Companies may offer a high-level overview of the situation without disclosing sensitive or privileged information, and explain that the company is aware of the reported sanctions violations and is taking the matter seriously. Companies could also take steps to reassure customers that they are committed to complying with all applicable laws and regulations, and provide a point of contact for further questions or concerns (if appropriate). These steps can help to maintain trust.
If the customer is involved or implicated in reported sanctions violations, handling their queries requires extra caution to avoid “tipping off” and other legal complications. Tipping off refers to the act of alerting someone that they are under investigation, which can interfere with ongoing investigations and allow individuals to take steps to cover up or destroy evidence. In some countries, tipping off is a criminal offense (e.g., under anti-money laundering rules and regulations). Critically, companies should avoid disclosing any information that could make the customer aware of the investigation, and be mindful of adhering to any instructions from law enforcement or regulatory authorities as to what information can be shared with the customer and how to handle ongoing dealings during the investigation.
When a regulator requests information about dealings with customers, companies will need to strike a careful balance between compliance with legal obligations, cooperating with authorities, and protecting customer confidentiality. In some cases, we have seen companies request that a regulator issue a subpoena to compel the company to produce the requested information. This provides a legal mandate for disclosure and can help protect the company from potential litigation by customers. Regardless of whether information is provided voluntarily or under subpoena, it is important for companies to maintain confidentiality and protect legal privilege.
Takeaways
Engaging with auditors, shareholders, and customers during an investigation requires a strategic approach to ensure compliance, transparency, and effective communications. This is particularly crucial in a multi-jurisdictional sanctions investigation. By carefully managing the information shared with third parties, companies can better protect their legal interests and minimize the risks associated with demands for additional information. Our Global Sanctions Investigation Group is prepared to offer guidance on managing these complex third-party challenges while minimizing legal risks.
View all posts in the “Navigating the Impending Global Sanctions Enforcement Storm” series.
