As regulations evolve and enforcement intensifies, effective documentation of sanctions investigation results has never been more critical. Proper documentation is crucial not only for maintaining legal privileges and the confidentiality of sensitive information, but also for supporting legal defenses in potential regulatory enforcement in the future. Additionally, companies may have an obligation to disclose investigation results to their external auditors, shareholders, and other stakeholders (e.g., transaction counterparties), underscoring the importance of appropriate documentation to ensure different expectations are met.
In this blog, the Global Sanctions Investigation Group explores some of the key trends and considerations that shape how sanctions investigation results are documented in the current legal landscape.
- Attorney-Client Privilege: Based on our experience, the consideration of attorney-client privilege is critical in sanctions investigations. This privilege fosters an environment where employees and other stakeholders can freely share information without fear of external exposure, leading to more thorough and candid conversations and documentation of findings. Interview memos, legal assessments/analyses (e.g., export controls or sanctions jurisdictional analyses), investigation reports, and remedial plans (e.g., termination of relationships with customers implicated in product diversions in violation of export controls) that are privileged may be withheld from disclosures to third parties (e.g., regulators, prosecutors, competitors, adverse litigants). This allows companies to manage the dissemination of sensitive information and protect their legal and business interests. Attorney-client privilege becomes even more important if the company decides not to make a voluntary disclosure of an investigation’s findings to government regulators.
However, the application of attorney-client privilege varies across jurisdictions. A communication privileged in one jurisdiction might not be protected in another. In the United States, attorney-client privilege and work product immunity protections are broad, covering confidential communications intended to further the provision of legal services and generally applying to both in-house and external counsel. In contrast, in the EU, the privilege is generally more limited and does not in every member state extend to in-house counsel, who are not considered to possess the same level of independence as external lawyers admitted to a bar association. In Mainland China, the analogous concept of attorney-client privilege does not exist, although laws and regulations provide for the confidentiality of documents and communications between lawyers and their clients. Global regulators have been known to take the position that privilege claims made by lawyers admitted in jurisdictions without privilege protections will not be recognized. This divergence among jurisdictions necessitates a careful approach to documentation in multi-jurisdictional investigation contexts.
- Style and Formatting of Documentation: For several years now, we have seen companies usually opt for high-level reports (e.g., reports in PowerPoint format) when documenting investigation results. This approach minimizes the impact of inadvertent disclosure of the investigation report and potential waiver of attorney-client privilege, as reports are increasingly shared with a larger number of stakeholders given how much attention a sanctions investigation can receive, whether internally or externally. This high-level documentation generally focuses on presenting the essential background (e.g., methodology, scope), material findings, conclusions, and recommendations without delving into granular details, to balance the risk of sensitive information (such as the existence/extent of certain specifically named customer or counterparty relationships, e.g., “5-year relationship with two SDNs under the Russian sanctions, with revenues totaling USD 20 million” versus “5-year relationship with [specific company names ABC and XYZ], with revenues totaling USD 20 million”) and personal data being disclosed.
Another consideration in documenting investigation results is the choice between oral and written presentations. We have seen companies making the strategic decision to deliver the findings orally only, such as when making a presentation to external auditors. In our experience, oral presentations allow for a more controlled flow of information, in that presenters can manage the level of detail shared and adjust the discussion dynamically based on the audience’s questions and interests. Oral presentations also do not leave a written record for recipients, thereby reducing the risk of unauthorized access or distribution of the report, inadvertent disclosures, and exposures during regulatory investigations.
- Documenting Results for Various Stakeholders: When documenting sanctions investigation results, consider tailoring the documentation to the specific needs of the various stakeholders. Each group – whether internal stakeholders (e.g., senior management, board of directors, human resources) or external stakeholders (e.g., regulators such as BIS and OFAC, prosecutors, external auditors, transaction counterparties) – has different concerns and expectations.
For instance, when making a voluntary disclosure of investigation findings to regulators, it may be more beneficial to clearly explain the scope of the investigation and the rationale behind it, the methodology and relevant limitations, the decisions to escalate or dismiss certain findings, and any remedial actions taken and plans to address compliance gaps. When disclosing to transaction counterparties, a company may also want to carefully balance transparency with the need to protect the company’s interest.
- Legal and Regulatory Compliance: It is important that a company ensures its documentation practices comply with applicable legal and regulatory requirements. This includes navigating complex frameworks such as blocking statutes (e.g., the EU Blocking Statute on Cuba and Iran, Mainland China’s Anti-Foreign Sanctions Law), data protection laws, and other applicable regulations such as state secrets and national security laws (e.g., Mainland China’s recently amended Law on Guarding State Secrets). Companies should be aware of which jurisdictions have blocking statutes that may apply to their operations and how information related to the sanctions investigation should be documented and disclosed without violating these statutes.
Further, data protection and privacy laws (e.g., the GDPR in the EU, Mainland China’s Personal Information Protection Law) may impose requirements on the handling of personal data during investigations and documentation, such as restrictions on cross-border data transfers and data localization requirements. For more information, please see our previous blog post in this series here.
Beyond the basics of ensuring all documentation of sanctions investigation results is timely, complete, and reflective of the actual investigation process, documenting sanctions investigation results requires careful balancing of legal, regulatory, and business considerations. This is further complicated in multi-jurisdictional investigation contexts, where companies must navigate the complex interplay of different legal standards around legal privilege and the cross-border transfers of certain types of information. With presence and experience in sanctions investigations in key jurisdictions globally, our Global Sanctions Investigation Group stands ready to support clients in navigating these complexities.