Imagine any of the following items landing on your desk on a Monday morning:
- You are forwarded an email from a Chinese software distributor asking to push out a bug fix to an end user in Iran.
- In the course of selling your company, the buyer asks about sales to Huawei, and you realize certain products have been sent to Huawei by a foreign subsidiary.
- Your bank reaches out to tell you that a recent payment to a supplier has been blocked because of a connection to a sanctioned party.
You generally know that these activities could expose the company to liability, but how should you proceed?
U.S. economic sanctions and export controls compliance issues arise in many different ways. At a high level, sanctions prohibit dealings with certain countries and persons, whereas export controls restrict the provision of goods, software, technology, and certain services to countries or persons without appropriate licenses. Both regulatory regimes are highly complex, and how a company responds to red flags is critical to mitigating the impacts of identified issues. Depending on the circumstances, this response may include the initiation of an internal investigation.
While there is no “one size fits all” approach to conducting an investigation, below are some dos and don’ts to keep in mind.
What You Should Do
Gather facts for an initial analysis. The initial analysis of a potential problem is critical to framing the work plan going forward and deciding on the immediate remedial responses. You should use the initial fact gathering to help determine if the company is facing a one-off mistake or a more systemic issue. Background interviews with those who have information on a potential issue are essential to an initial assessment, as are broad data scrapes to identify the possible scope of problematic dealings, such as by reviewing sales-by-country data. Speaking to specialist international trade counsel early in the process can also ensure identification of key issues and protection of the process under the attorney-client privilege.
Stop the bleeding. If you identify ongoing violations, such as ongoing services to a sanctioned person or country, you should immediately take steps to stop the activity. You may need to temporarily suspend customer accounts, place holds on particular shipments, or place certain payments into escrow pending review. In addition, you should consider interim measures to prevent access by sanctioned persons or sanctioned countries, such as through IP blocking and manually screening new counterparties against restricted party lists. The relevant regulators are likely to view less favorably any new violations that occur after a company identifies a particular compliance concern, so “stop the bleeding” measures can help mitigate potential enforcement action.
Preserve relevant information. You should also quickly act to preserve information that could be relevant to the investigation, and avoid losing such information to ordinary course data deletion policies. Employees with potentially relevant information should receive hold notices that outline retention procedures, and the company should separately stop automatic data deletion, particularly of emails and files, through changes to the backend systems. As part of issuing hold notices and requiring data retention, it is important to analyze relevant data privacy laws, such as the European Union’s General Data Protection Regulation (GDPR), to ensure data can be collected and potentially shared with third parties as part of the investigation.
Create an investigation work plan. A work plan that defines the scope and timing for the investigation can help ensure timely review of potential compliance concerns in a structured manner. The work plan should outline broad steps, such as reviewing underlying transactional documentation, conducting interviews with key employees, implementing remedial measures, and submitting a voluntary self-disclosure as warranted. While you should revise and adapt the work plan throughout an investigation, setting markers and goals at the outset helps keep an investigation on track.
Consider making a voluntary self-disclosure. As part of the initial assessment, you should consider whether voluntary self-disclosure to the relevant regulatory authorities is warranted. Disclosures are a key tool to help mitigate potential penalties by reducing the applicable base penalty by half. However, preparing a voluntary self-disclosure and interfacing with the government can take significant time and resources. The scope of the potential issue and possible penalty amounts guide the decision whether to disclose. In addition, disclosure may be warranted if a company is seeking to be “exit ready” or if other third parties, such as lenders, request such a disclosure as part of contractual obligations.
Implement remediation. An important component of an internal investigation is identifying gaps in a company’s compliance program that may have allowed a violation to occur, and addressing those gaps through remedial measures. Such remedial measures often include implementing written compliance policies, adopting restricted party screening procedures, and training key employees. Many companies also develop third-party diligence procedures and revise third-party agreement terms to address risks under sanctions and export controls. For export controls violations in particular, you might seek formal classification of products from the Department of Commerce Bureau of Industry and Security (BIS), and may need to apply for export licenses depending on the classification. The appropriate remedial response will depend on the nature of identified violations and the company profile.
What You Should Not Do
Acting before analyzing. While it is important to quickly address potential compliance issues, you should avoid acting before analyzing. For example, once you file an initial voluntary self-disclosure, you commit to conducting an extensive investigation and providing the government with a detailed final report. Before making such a commitment, it is important to conduct sufficient initial review to confirm that there is a compliance concern that warrants a disclosure. Similarly, you should ensure that any suspension or termination of dealings with third parties is supported by initial findings, to minimize breach of contract and reputational risks.
Waiting too long to act. On the flip side, you can unintentionally increase risks by moving too slowly. In particular, if third parties, such as financial institutions, hold potentially damaging information about a compliance concern, they may report such information to the authorities, taking away your option to file a voluntary self-disclosure. In addition, new violations that occur after you identify an open compliance issue can heighten risk of enforcement action for failure to quickly stop known violations of law. To strike the balance between acting too slowly and acting without sufficient factual basis, you and your outside counsel as warranted should gather and analyze available information as soon as possible after identifying a concern.
Failing to consider privilege. Companies should involve in-house and/or external counsel early to ensure that relevant communications and legal analysis are properly protected by privilege. You should also exercise caution in discussing the status of the internal investigation and the legal analysis of the fact-findings with third parties, such as lenders and buyers, as such discussions could waive privilege. Waiver of privilege could significantly impact a company’s right to shield privileged materials from regulators as part of a disclosure process.
Ignoring competing legal regimes. Non-U.S. legal regimes can be implicated when investigating and responding to a sanctions or export-related compliance matter. Importantly, as noted above, collecting and reviewing underlying data can implicate data privacy regimes, such as GDPR. Additionally, certain other countries, including EU member states, the UK, Canada, and China, have certain “blocking statutes” that prevent companies from taking steps to comply with certain U.S. sanctions. A company that is subject to U.S. sanctions and located in one of these jurisdictions will need to ensure any remedial measures, such as terminating particular dealings, account for local blocking statutes. Also as described above, terminating specific dealings as part of remediation can create breach of contract risks.
Taking a piecemeal approach. Acting too quickly before conducting sufficient review can lead to a poorly tailored scope of investigation and remediation. Starting with too narrow a review sometimes results in finding new problems at the last minute, which you will have to backtrack to resolve. Similarly, if you collect insufficient data at the outset, you may have to redo data collection later in the investigation at higher expense. An overly narrow review can also lead to inadequate remedial responses in the first instance, and the need to revise and potentially start over in crafting the remedial response down the line. To avoid duplicating work, you are better served to think strategically and holistically about the investigation approach in the early stages before moving forward with a work plan.
An internal investigation does not need to be daunting or overwhelming. Following the best practices outlined above and avoiding common pitfalls can help you address compliance concerns in a systematic and efficient manner.