[Editor’s Note: EDRM is pleased to share our partner’s educational articles]
It’s no secret that corporations are already subject to oversight by an alphabet soup of regulators, from the U.S. Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) to the Equal Employment Opportunity Commission (EEOC) and state attorneys general.
On top of that, according to Gartner, “the COVID-19 pandemic has thrown an already chaotic regulatory landscape into even greater disarray.” So, how to keep the regulatory wolves at bay? Build a standard response plan, and iterate each time you go through the process.
Anticipating a Regulatory Investigation
These regulatory authorities could, at any time, suspect that someone at your organization has violated a regulation or committed wrongdoing. Initial inquiries range from an informal phone call seeking limited information (which is scary enough) to a full-blown regulatory investigation with subpoenas demanding answers (good luck sleeping tonight!).
The goal isn’t to try to completely avoid regulatory inquiries–it’s simply unrealistic that any corporation would be able to do so. Instead, the legal team can implement a standard Regulatory Response Plan in order to be prepared to respond quickly and defensibly every time.
Fortunately, if you’ve already built, or are in the process of building, your ediscovery process for litigation response, you’re in a solid position to respond to a regulatory inquiry.
Regulatory Response Challenges
There are two main factors that may complicate your response: unclear objectives on the part of the regulatory agency, and incredibly tight timelines.
The regulatory agency may be intentionally vague; they could still be formulating charges, trying to keep sources confidential, or simply choosing to keep the overall objective hidden for the sake of the investigation.
Tight timelines are the norm, and can often be so restrictive that they’re frankly impossible to meet without a plan that kicks in as soon as you hang up the phone.
And it goes without saying that the consequences of non-compliance are severe, as are the consequences of a finding of misconduct. You could be at risk of fines, criminal charges, litigation, and reputational damage.
Your Goals During a Regulatory Response
Regulatory investigations differ from litigation in that full compliance in good faith is generally the best strategy. The following goals can serve as your team’s “good faith” north star when making decisions.
Get to the bottom of the allegation, whether that means determining that it’s unfounded or rooting out offenders and implementing solutions to prevent a recurrence.
Minimize the damage to your organization from either outcome by preventing an unfounded accusation from unnecessarily harming your reputation or ensuring the public and the regulatory agency that you resolved the situation effectively.
Balance business objectives by controlling the costs of any investigation and minimizing the disruption to your staff and offices. That generally means resolving the inquiry as quickly as possible.
Don’t Lose Your Head
Look, responding to a regulatory investigation is likely going to be stressful. As such, your response plan should include tips for the “response mindset” – activities and characteristics that will help things along
First, be calm and remain as objective as possible. The bad news is that there may be misconduct somewhere in your organization. But the bad news here is the misconduct, not your discovery of it. The good news is that finding out now means that you can take action to correct the problem and prevent its recurrence.
Second, maintain a track record of clear and accurate communication with the regulatory agency. Say what you are going to do, and then do it. Don’t be afraid to negotiate the terms of an information request – by communicating clearly and openly about the information you have and your ability to collect and produce it, you’ll underscore the good faith of your response.
Third, the same rules of communication apply to your internal stakeholders. Keep your stakeholders in the loop in case you have to plan for corporate disclosure, or a strategic communication to keep your customers, investors, and the public apprised of the progress of any investigation.
Finally, simply take the inquiry seriously. Even an informal request today could blow up into a disaster if not handled in good faith and settled as soon as possible.
Seven Steps to Begin a Successful Regulatory Response
For a deeper dive into each of these steps, download the full guide.
Step 1: Review all the information you have.
Carefully review the entirety of the request. If the inquiry doesn’t specify the suspected violation, consider what information is being sought and reflect on what it might indicate. As you review the request and your obligations, start to strategize about the information you will need to gather and where you will find it.
Tip: Re-read the underlying regulations that govern your organization’s conduct with reference to the investigating agency.
Step 2: Start preserving information immediately.
Promptly launch your preservation effort. Identify any information that the agency has requested or that may be relevant to its inquiry and determine which custodians have control over that information.
As in your ediscovery litigation response, you’ll want to issue a prompt hold notice that advises potential custodians of their obligation to preserve data.
Tip: Use automated legal hold software and previously drafted hold templates to expedite and simplify this notice.
Step 3: Gather information and objectively assess your situation.
Collect and examine whatever information you can find, whether it’s in the form of emails and text messages, details of accounts, an employee’s transactions, or all of the above.
Tip: Use search terms to narrow your fact investigation down and evaluate, as neutrally as possible, the potential conclusions from that information.
Step 4: Try to negotiate the terms of the information request with the agency.
Now that you have some insight into the basis for the regulatory investigation, open wide the doors of communication with the agency. Don’t start this step too soon; you need to have enough information to represent your position effectively.
Tip: To continue our ediscovery analogy, this stage could be considered the Rule 26(f) conference — and the better prepared you are, the better the outcomes you can achieve.
Step 5: Review production for privilege and create a privilege log.
As you review and evaluate information for production to the investigating agency, remain mindful of attorney-client and attorney work product privileges. You can easily waive privilege in the early stages of response if you throw caution to the wind in a rush to demonstrate good faith.
Tip: Create a detailed privilege log documenting the basis for any assertions of privilege.
Step 6: Continue to communicate with the investigator or agency.
Not too much to add here, just continue to invest in your good faith cooperation and open communication efforts with the regulatory agency.
Tip: If you’ve agreed on a rolling production schedule, be sure to keep everyone apprised of upcoming delivery dates or any potential delays.
Step 7: Respond appropriately as you gain information.
The individual facts of your case will dictate what you should do in response to a regulatory investigation. If no one uncovered any wrongdoing and you felt confident and in control throughout the process, you can probably pat yourself on the back and return to business as usual.
On the other hand, what if you discovered that a trusted employee was engaging in insider trading, cooking the books, or misappropriating funds? Talk with your legal counsel and HR department about appropriate responses, and discuss next steps with the regulatory agency.
Tip: Set aside time to plan for how you might prevent similar problems in the future and how you can detect wrongdoing earlier.
