Compliance programmes and the protection of legal privilege

In recent years, financial crime prosecutors have sought to encourage companies to establish compliance programmes designed to avoid – or at least detect – illegal conduct, by including the requirement as a precondition to their securing a reduced penalty, or other form of leniency, following a compliance incident. In responding to those incentives by implementing robust compliance programmes, companies risk uncovering potentially problematic issues, which necessitate in-house counsel giving careful thought to the role the protection of legal privilege should play in the design and functioning of corporate compliance programmes.

In the paragraphs that follow, we take a look at some of the potential legal privilege pitfalls associated with compliance programmes and suggest some practical tips to assist in-house counsel when assessing whether their company’s compliance programme maximises the company’s ability to claim legal privilege in appropriate circumstances.

This article focuses on the laws and practices relating to legal privilege that have developed in England and Wales. Because of jurisdictional variations that exist relating to legal privilege, the steps to be considered by in-house counsel to protect the company’s ability to assert legal privilege may – and often will – vary by country.

Compliance programmes and legal privilege

While it is impractical to attempt to cloak the routine, non-incident driven, functioning of a compliance programme in legal privilege (even if such privilege ever exists), there are certain situations in which in-house counsel and compliance professionals need to be mindful of the importance of the company’s ability to assert legal privilege.

Compliance reviews, risk assessments and internal investigations into alleged misconduct can uncover potentially problematic issues involving past – or ongoing – conduct that can result in legal liability for companies and should be conducted in a way that preserves legal privilege to the extent possible.

The foregoing activities routinely generate a substantial number of hard copy and electronic communications, including documents containing subjective assertions. Unless appropriately protected from disclosure, such materials can serve as a blueprint for prosecutors engaged in criminal investigations, disgruntled counterparties or even stakeholders pursuing civil litigation against the company.

Integrating privilege protections into the design of a company’s compliance function, policies and procedures can maximise a company’s ability to identify, analyse and remedy compliance issues in a privileged manner should it elect to do so.

Compliance programmes and privilege protections

The steps in-house counsel can and need to take to build privilege protections into their company’s compliance programme depend in significant part on the countries in which the company operates and – when defending an enforcement action – will be determined by the jurisdiction of the pertinent enforcement agency. Therefore, companies should seek advice from local counsel in relevant jurisdictions and incorporate that advice into the company’s overall privilege protection strategy.

In common law jurisdictions such as the UK and United States of America, legal professional privilege (LPP) generally enables companies to instruct their lawyers and receive legal advice without having to disclose that advice to a third party (eg a regulator, prosecutor or claimant in litigation). Although the pertinent nomenclature varies somewhat from country to country, LPP generally is comprised of two components – legal advice privilege (LAP) and litigation privilege (LP).

While the precise contours can vary slightly from one country to another, LAP typically applies to communications, made in confidence, between a client and lawyer for the purpose of giving or obtaining legal advice. LP, by contrast, generally applies to confidential communications between a client and lawyer (or a client/lawyer and a third party) for the dominant purpose of defending or otherwise protecting the client’s interest in legal proceedings that are pending or reasonably contemplated when the particular communication occurs.

Because of the requirements that have been imposed with respect to LP, LP seldom applies to routine compliance activities, including internal investigations. That is particularly so in England and Wales, which has adopted a narrow view of LP. As a consequence, companies operating in the UK are well advised to rely on LAP.

Structuring compliance projects and teams in a manner maximising the company’s ability to claim LAP is critically important. While there is little difference from a privilege perspective in the UK in undertaking projects using external or in-house legal counsel acting in a legal capacity, there can be a considerable difference when non-lawyers are used. For example, in R (Prudential Plc) v Special Commissioner of Income Tax & anor [2013], the UK Supreme Court held that LAP protects legal advice given by lawyers but not advice given by other non-lawyer professionals such as tax advisers.

In addition, in-house counsel resident in and practicing from most countries in continental Europe cannot serve as the predicate for their company’s assertion of LAP, thus depriving their company of the ability to assert LAP over the compliance activities they have undertaken or supervised.

The starting point for ensuring that the design and functioning of a company’s compliance programme adequately maximises the company’s ability to claim legal privilege is a thorough evaluation of the responsibilities of the various functions tasked with implementing the company’s programme as well as their reporting lines. That process can and should be used to gather information enabling the company to make decisions about how best to manage the company’s compliance risks in a manner that protects its legal privilege rights.

At the vast majority of companies, the compliance function is responsible for developing compliance policies and procedures, implementing those policies and procedures on a day-to-day basis and developing and delivering compliance training materials. The compliance function frequently also conducts compliance risk assessments and periodically assesses the efficacy of the compliance programme. Many companies also have separate in-house teams that are responsible for conducting investigations, operating and overseeing the company’s whistleblower system. The employees within those teams typically are a mix of lawyers and non-lawyer professionals.

Compliance officers can – and should – co-ordinate with in-house or external legal counsel whenever issues arise in the day-to-day functioning of a compliance programme over which the company may wish to claim LAP. For example, a company’s compliance officer, who may or may not be a qualified lawyer, may need to seek legal advice in relation to how certain compliance policies and procedures should be developed in response to the requirements of laws and regulations applicable to the company’s operations. Legal advice also may be required for a compliance officer to respond to compliance questions raised by employees or enforce the company’s compliance policies and procedures.

A more structured approach to the protection of legal privilege is warranted, however, when dealing with compliance activities with the potential to create corporate legal liability. Those activities include conducting compliance programme reviews and risk assessments as well as responding to whistleblower reports or the discovery of documents suggesting misconduct.

Since LAP applies in the UK only to communications created for the purpose of seeking or giving legal advice, it does not apply to communications that precede the involvement or engagement of a lawyer. It is therefore best practice to limit responsibility for initiating, conducting or supervising activities with the potential to create liability to a company’s external or in-house legal counsel so as to preserve the possibility of maintaining LAP over documents created in the course of such activities. In most counties in continental Europe, a much larger role needs to be considered for external counsel than is needed for the UK to maximise the company’s ability to assert legal privilege.

The establishment of organisational structures that give a company’s senior in-house lawyers day-to-day knowledge of the issues being considered by functions responsible for implementing the company’s compliance programme – and an ability to control how the issues that have arisen are being handled – facilitate the early identification of issues that should be addressed in a manner that preserves privilege. Compliance activities that have not been structured from the outset to maximise the company’s ability to assert legal privilege generally cannot be brought within a privilege umbrella on a retroactive basis.

Practical tips for maximising legal privilege protections

Advanced planning is key to the effective use of LAP to protect a broad range of documents created in connection with, or arising out of, the functioning of a company’s compliance programme.

To ensure the timely flow of information and protect the company’s privilege interests, a direct reporting line should be created between the general counsel and the heads of each function responsible for implementing the compliance programme. Companies with an in-house investigation function responsible for internal and/or regulator facing investigations should be headed by a qualified lawyer to maximise the company’s ability to claim legal privilege over such investigations.

The policies and procedures governing compliance reviews, risk assessments (including transactional due diligence) and internal investigations should be tailored to address the associated legal privilege issues. In particular, consideration should be given to:

  • Identifying the client. The objective of the exercise is to specify and record the officers and employees within the company qualifying as the ‘client’ at the outset of the project and communicate that information to relevant company employees. It is important regularly to revisit and update the list if individuals are to be named. A list of individuals will be the first port of call for any aggressive prosecutor seeking to determine the identity of the client and an omission will strengthen the prosecutor’s argument that legal privilege has been lost.
  • Making sure the client group that is identified is appropriate. The entity employing those authorising the compliance activity should be the entity in which the particular inquiry is focused rather than another entity within the corporate group, including the parent company if it was not directly responsible for any misconduct that ultimately is found to have occurred.
  • Channelling project communications. Notifying employees of the need to channel through the client group any information provided to in-house or external legal counsel regarding the particular project.
  • Carefully allocating tasks between and supervision of lawyers and non-lawyer service providers. Because of the limited scope of LAP in the UK, certain communications between a lawyer and an external service provider, including accountancy firms and compliance consultants, fall outside the lawyer-client relationship even if a lawyer engages or receives reports from the service provider. Pertinent policies and procedures should include appropriate protections such as a requirement that non-lawyer service providers refrain from posing questions during interviews focusing on potential misconduct – other than questions seeking to identify the location of pertinent documents, information or understand the company’s IT system – or including language in reports assessing the company’s potential liability.
  • Conducting and memorialising interviews focusing on potential misconduct. It generally is advisable to have in-house or external lawyers present in – and responsible for – memorialising interviews addressing issues that can have legal implications for the company. While there is some uncertainty over the extent to which interview notes can be covered by LAP in the UK (assuming that LP does not apply), LAP is more likely to apply if the notes, rather than being a verbatim transcript, incorporate a lawyer’s impressions or legal analysis.
  • Conducting and memorialising the results of routine programmatic inquiries. A risk-based approach may be appropriate when conducting compliance reviews or risk assessments not focused on discrete allegations or other evidence of possible wrongdoing. In such cases, the presence of lawyers may be needed only when the discussion of sensitive issues is reasonably contemplated. It is good practice, however, to instruct any non-lawyer interviewer to terminate immediately any interview he/she is conducting if a sensitive issue is raised unexpectedly so that a lawyer can advise on structuring the residual inquiry.
  • Allocating a lead role to lawyers in the production of any written reports. While non-lawyer professionals and service providers often make valuable contributions to such projects, any reports they produce are unlikely to be privileged unless it can be said that a claim to LP has by that time arisen.
  • Marking pertinent documents clearly as being ‘privileged and confidential’ and maintaining their confidentiality. Advice also should be sought from a lawyer before privileged documents, or the information that they contain, are shared with anyone not within the client group.
  • Securely storing privileged documents. Hard copy documents should be kept in locked cabinets. It also may be prudent in sensitive cases to create numbered copies of documents along with a register that tracks who possesses each copy. Particular care should be taken not to store electronic documents in locations that can be accessed by those who are not within the client group. The access of IT staff or others with administrator rights vis-à-vis the company’s IT systems also may need to be limited and monitored. If such documents require electronic transmission, consideration should be given to the use of encryption.