Dawn raids: responding to regulatory investigations 27 January 2021 - Deloitte
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Dawn raids: responding to regulatory investigations 27 January 2021 © 2021 1
Introduction
Deloitte Forensic and Yang Chan & Jamison LLP
YL Cheung
William Tam
Valarie Fung
Michael Mo
Catherine Leung
Partner Partner Partner Director Senior associate
Deloitte Forensic
Deloitte Forensic
Yang Chan & Jamison LLP
Deloitte Forensic Yang Chan & Jamison LLP
© 2021 2
XXXXXXXX
XXXXXXXXX
Imagine that…
• It is 9 o'clock in the morning and you are sipping a coffee in the office, when the receptionist informs you that over 10
officers from a regulatory authority have arrived and asked to enter the office to conduct a search.
• What should you do?
Photo credit: South China Morning Post
© 2021 3
Dawn raids Introduction • “Dawn raid” refers to an unexpected and unannounced inspection of premises by regulators. • The literal meaning of the word “dawn” infers that the visit would usually take place in the early hours of the day. • The raid is unannounced – so that the subject of investigation cannot do anything to impair the seizure of evidence by the regulatory authority. © 2021 4
Power to search and enter pursuant to a warrant
Some examples
Police Force Ordinance Securities and Futures Prevention of Bribery Independent Commission
(Cap. 232) ("PFO") Ordinance Ordinance Against Corruption Ordinance
(Cap. 204) ("ICACO")
(Cap. 571) ("SFO") (Cap. 201) ("POBO")
“Whenever it appears to a magistrate… “If a magistrate is satisfied… that there “Where… the court is satisfied that there “If a magistrate is satisfied that… there is
that there is a reasonable cause to are reasonable grounds to suspect that is reasonable cause to believe that in any a reason to believe that there is in any
suspect that there is in any building… there is or is likely to be on premises… premises…there is anything which is or premises… anything which is or contains
any… document… which is likely to be of any… document which may be required contains evidence of an offence under evidence of the commission of any of the
value… to the investigation… such to be produced under [the SFO], the [the POBO], the court may by warrant offences referred to in this section 10, he
magistrate may by warrant directed to magistrate may issue a warrant directed to an investigating officer… may by warrant directed to any officer
any police officer empower him… to authorizing a… police officer… to enter empower such officer… to enter such authorize such officer… to enter… such
enter and if necessary to break into or the premises…” (section 191) premises…” (section 17) premises…” (section 10B)
forcibly enter such building…” (section
50(7))
© 2021 5
Practical tips to handle a raid
Practical Tips
Instruct legal advisors
01 It is not ideal for any company or person to handle a regulatory investigation in the absence of legal advice. In particular, lawyers
can advise the company or person subject to investigation on their rights and obligations throughout the dawn raid and the
whole investigation process, including the right to claim legal professional privilege.
© 2021 6
Practical tips to handle a raid
Practical Tips
Check the search warrant
You should have your lawyers to check the search warrant to ensure that:-
02
• It is issued no more than 7 days prior to the search;
• There is proper description of the nature of the alleged offence;
• The location stipulated in the search warrant is correct; and
• The persons entering into the premises and undertaking the search are those authorized persons under the warrant.
© 2021 7Practical tips to handle a raid
Practical Tips
Claim of legal professional privilege ("LPP")
03 Regulators cannot compel disclosure of documents which are subject to the claim of LPP. In some circumstances you may want to
disclose privileged documents to regulators on a "limited waiver" basis, which means that the documents are provided to the
regulators solely for the purpose of their investigation and the regulators cannot transfer or disclose the documents to other
third parties for any other derivative purposes.
© 2021 8Practical tips to handle a raid
Practical Tips
Agreement on protocol for the search
Before the regulators start the search in the premises, your lawyers should agree on a "search protocol" with the regulators.
04 Under the protocol, the regulators may be willing to disclose the classes of documents they are specifically looking for, and you
can then indicate the location of those relevant documents to facilitate the search which will also help minimise any intervention
in the normal operation of the company's business.
© 2021 9Practical tips to handle a raid
Practical Tips
Think twice before voluntarily answering questions or giving statements
05
During the search, it is rather common that the regulators may ask the staff members of the company some questions. If the
questions are solely for the purpose of furthering the proper and effective conduct of the search, it is advisable that the
questions should be answered.
On the other hand, if the regulators ask substantive questions about the content of the investigation, you should seek legal
advice as to whether those questions should be answered. For example, if the raid is conducted by the SFC, they should have
issued the requisite notice under s.183 of the SFO.
© 2021 10Practical tips to handle a raid
Practical Tips
No right to silence
06 If the SFC issues a notice under s.183 of the SFO to require a person who is subject to investigation or assisting in an investigation
to answer any questions or produce any relevant documents, the person cannot refuse to answer or produce the relevant
documents or otherwise he/she may be found guilty of a criminal offence.
© 2021 11Practical tips to handle a raid
Practical Tips
Declaration of rights against self-incrimination
Although there is no right to silence under the SFO, there is statutory protection for any person who makes a claim to the
07
privilege against self-incrimination when providing answers and/or documents. Through claiming the rights against self-
incrimination, the answers and/or documents produced by a person will not be admissible in evidence against the person in
criminal proceedings.
© 2021 12Case study
Cheung Ka Ho Cyril v SFC [2020] HKCFI 270
Facts
This case is a judicial review application of a number of search warrants issued by the Magistrates authorising the SFC to search the Applicants' premises and
the related decisions made by the SFC arising out of the execution of the search warrants. Specifically, during the course of the SFC operation:
1. Digital devices (including mobile phones, tablets and/or computers) belonging to the Applicants were found;
2. Where no password was required to access such devices, the SFC conducted keyword searches to check for relevant materials. Alternatively, where the
Applicants unlocked the digital devices voluntarily, the SFC looked for relevant materials by using keyword searches or by scrolling through the contents
to look for relevant materials;
3. Based on the searches mentioned above, the SFC was able to identify materials contained in emails, contact lists and messaging applications that were
relevant, or believed to be relevant, to the SFC’s investigations;
4. The SFC requested the Applicants to provide print-outs of the relevant materials or login names/passwords to the email accounts or digital devices to
enable the SFC to access the same, to which they either declined outright (in some instances by asserting legal professional privilege), or used various
excuses not to provide the same;
5. In the case of the Applicant who asserted legal professional privilege, the SFC suggested that the relevant emails and attachments thereto could be
printed out and kept under seal for the time being pending the resolution of the legal professional privilege claim. This suggestion was rejected by the
Applicant;
6. In the circumstances, the SFC decided to seize various digital devices belonging to the Applicants; and
7. The SFC issued notices under s 183(1) requiring the Applicants to provide the login names and/or passwords to various email accounts or digital devices
(including mobile phone, tablet and computer).
© 2021 13Case study
Cheung Ka Ho Cyril v SFC [2020] HKCFI 270
Issues
1) Whether the SFC decisions to seize various digital devices belonging to the Applicants in the course of
execution of the search warrants and thereafter to retain them were ultra vires the SFO / the search
warrants, unlawful and/or unconstitutional;
2) Whether the SFC decisions to issue notices pursuant to s183(1) to the Applicants requiring them to provide
the SFC the passwords to their e-mail accounts or digital devices were ultra vires the SFO / the search
warrants, unlawful and/or unconstitutional; and
3) Whether the search warrants were unlawful and invalid for want of specificity.
© 2021 14Case study
Cheung Ka Ho Cyril v SFC [2020] HKCFI 270
Challenge to notices requiring disclosure of passwords
The Applicants' arguments
The s183(1) notices issued were ultra vires the SFO provisions because:
1. They required them to produce vast amounts of materials which were irrelevant to the SFC’s investigations,
thus falling outside the remit of any record or document which "is, or may be, relevant to the investigation"
under s183(1)(a);
2. To construe s 183(1)(a) as permitting the SFC to require the production of large amounts of irrelevant materials
for the purpose of sifting would violate BL 30 and/or BORO 14, because that would give rise to a
disproportionate restriction of the right to privacy; and
3. The SFC has no power to access the email accounts of the Applicants under the corresponding warrants.
© 2021 15Case study
Cheung Ka Ho Cyril v SFC [2020] HKCFI 270
Challenge to notices requiring disclosure of passwords
Held
Chow J rejected all of the Applicants' arguments:
• The judge referred to several case authorities (Reynolds v Commissioner of Police of the Metropolis [1985] 1 QB
881 at §§890A-B; Apple Daily Ltd v ICAC (No 2) [2000] 1 HKLRD 647 at §§19-20; R (on the application of
Paul Da Costa & Co) v Thames Magistrates Court [2002] EWHC 40 (Admin), at §§19-20; R (on the application
of H) v Commissioners of Inland Revenue [2002] EWHC 2164 (Admin), at §§37 and 39-40; R (Faisaltex Ltd) v
Crown Court at Preston [2009] 1 WLR 1687, at §§73-79) deciding that where a warrant authorises the seizure
of a particular document, the officer empowered by the warrant is lawfully entitled to seize the whole file
containing the document or the whole computer hard disk without having to separate the individual sheets or
computer files;
• The judge also considered the practical reality that information, documents and records are nowadays mostly
kept in digital or electronic forms and stored in email accounts and digital devices which (i) would almost
inevitably contain large amounts of personal or private, but irrelevant, materials, and (ii) are often also
protected by specific login names/IDs and passwords;
© 2021 16Case study
Cheung Ka Ho Cyril v SFC [2020] HKCFI 270
Challenge to notices requiring disclosure of passwords
Held (Continue)
• The judge arrived at the conclusion that the SFC is empowered, under s 183(1), to require the Applicants to
provide means of access to email accounts and digital devices which contain, or are likely to contain,
information relevant to its investigations even though the email accounts and digital devices would likely also
contain other personal or private materials which are not relevant to the SFC’s investigations.
• However, the SFC has offered safeguards to protect the privacy of the Applicants by agreeing to use keyword
searches to identify relevant materials contained in or accessible through the digital devices and/or viewing the
contents together with the Applicants so as to minimize the chance of their personal or other information
which is irrelevant to the SFC’s investigations being viewed by its officers. Any dispute on relevance can be
brought to the court for determination, with the disputed materials being sealed pending the court’s decision.
© 2021 17Aims of a dawn raid
What will investigators do, and why?
Reasons for investigation Methodology
• Investigators will only conduct a dawn raid if they have grounds There is no “one-size-fits-all” approach but investigations will likely
to believe wrongdoing has occurred. Common reasons include: include some or all of the following:
• Whistleblower allegations • Review of paper/electronic documents, including emails, content
• Tip-offs from other agencies or tax authorities saved to laptops/shared drives, mobile phone call records/data,
• Findings from their own monitoring or analysis and any paper documents.
• The business is linked to another investigation • Transaction testing – attempts to understand
transactions by mapping fund flows/checking substance
Structure of investigation
!
of trading, comparing records against external sources
• The approach will vary depending on the circumstances
but typically investigators will have an initial hypothesis • Corporate intelligence – search corporate
of what has occurred and seek to confirm or disprove filings/databases and conduct network analysis to
that theory. An investigation will usually consist of: identify undeclared conflicts and business
• Initiation – identifying relevant parties/data interests/relationships
• Planning – obtaining warrants, planning raid • Interviews –with key personnel, typically
• Gathering information – likely to include interviews, seizure including management, finance staff, sales/ procurement and
of documents/electronic data, review of emails on servers potentially external parties (i.e. bankers, auditors, trading partners)
• Analysis & interpretation – detailed review of data seized,
forensic accounting, triangulation of data points A dawn raid is just one step Investigators’ methodologies
• Reporting and closure –prosecution, report to authorities. in a broader investigation are constantly evolving
© 2021 18What comes next?
Introducing the role of technology in investigations
Technology and data to the fore
Humans can only do so much! Faced with urgent deadlines and limited resources investigators
are leveraging new technology and data analytics.
It’s no secret that regulators worldwide are hard-pressed
for resources and Hong Kong is no exception. According to Investigations are increasingly likely to
the most recent figures: involve the seizure of electronic evidence.
• The SFC has 736 professional staff Police have faced scrutiny over how they
• The ICAC has around 1,400 staff access and use data from suspects’
phones.
Despite these constraints the SFC commenced
Regulators too will consider electronic data in
197 investigations in 2019/20 and made 8,767
their work. Emails, documents and –
requests for trading and account records – as well
increasingly – mobile messenger conversations
all alongside its day-to-day regulatory and oversight
will be a key plank of their evidence.
activities.
The ICAC received 995 separate corruption allegations In the following slides we
in the first six months of 2020 alone. introduce some of the
techniques and challenges you
How do they fit it all in…? are likely to encounter.
© 2021 19Computer forensic data workflow
Data size after each process/segment reduces
Services provided
by Deloitte Note: Please note that ESI Data
Identification and Legal review will
Concept be co-sourced by the Client and
Searching Deloitte team as requested.
Regulator visits premise
with search warrant
ESI Data Data Data Data Legal Data
Dawn raid
Identification Collection Processing Publishing Review Handover
Identify scope, Handover of non-
custodians, and data privileged data to
Collect data from source Extraction, indexing, Publish search Review, identify, and relevant party
type
medias (i.e. PC, servers, DeNISTing, results on eDiscovery tag privileged
(i.e. Email, user files)
mobiles) and make deduplication, date platform documents on the
3 copies, for: filtering (optional) eDiscovery platform
and keyword
• Regulator (sealed) searching (optional)
• Client’s Legal team of data.
(sealed)
• Deloitte as working
copy
© 2021 20Challenges for data collection, preservation and analysis
Computers / Servers Mobile devices
Operating Systems OS and Manufacturers
• Various Mobile device Operating system and manufacturers
• Various Computer Operation Systems (e.g. macOS, Windows and Linux)
(e.g. Apple, Windows, BlackBerry, Samsung, Lenovo and Huawei)
Data Storage Sources Connection Issues
• Different Data Storage Sources • Right Cable
(e.g. Desktops, laptops, servers, network-attached storages and Cloud storage)
• Right Driver
• Different interfaces
• Different hard disk types
Decryption, Wiping & Decoding Decryption and Decoding
• Decryption (e.g. DiskCryptor, TrueCrypt, BitLocker and VeraCrypt) • Customized Data Encoding in App level
• Wiping software (e.g. Eraser and CCleaner) • A large number of Apps
• MDM device control and encryption
© 2021 21Technology-enhanced workflow
Text Mining, Visual Analytics & Machine Learning
Conceptual Analytics
• Process collected data from multiple device and server sources into the analytics platform. Conduct text mining, entity
extraction and conceptual analysis.
• Run keywords on dataset. In addition to results, the platform will identify, categorise and organize thematically and
semantically similar content.
• This will allow us to refine understanding of the document population based on its actual content, uncover related
themes, and refine our search parameters.
Communications Analysis
• Focus search and assessment based on communication parameters.
• Visualisation allows analysis to identify outlier communications: external communications on topics or documentation of
concern.
• Focus specifically on communications between known entities, then apply additional filtering (such as the search term)
to remove “noise.”
Technology Assisted Document Review
• The above steps will determine a potentially relevant population for review.
• Using identified documentation from Conceptual and Communications Analysis, we will program an instance of Machine
Learning to categorise the population by proximity to the issue.
• Documents scored most likely relevant are reviewed first; review decision by the subject expert are fed back to the
machine to continuously update the machine learning algorithm.
© 2021 22Responding to a dawn raid
How to minimise disruption and recover quickly
i Preparation is essential. Have key phone numbers on hand and circulate a
written protocol to relevant staff so they know in advance how to respond
Shadow investigation
You may conduct your own internal investigation parallel to
regulators. This is a "shadow investigation“. The aim is to understand
Dealing with investigators during a raid
what investigators are likely to find so you can prepare for the
• Immediately seek legal advice and have internal/external counsel
outcome.
attend onsite when investigators arrive.
•External investigators and lawyers can help, and would
• Cooperate fully with investigators – provide a separate
typically support your own legal counsel and possibly an
room and IT support when they are onsite.
independent investigation committee formed of non-
• Accompany them during the raid to understand what
executive directors/audit committee.
they are seizing and where it came from. This will
•You may identify issues that warrant internal
help you piece together what they might be doing.
disciplinary action, even if external regulators decide to
• If they want original documents, ask if you can make
take no formal steps against the company/employees.
copies to avoid business disruption. Keep a log of data
•If the allegations/investigation are public, results of
and documents that they take.
your shadow investigation could inform your response
• If they seize laptops/mobile devices, ask via your lawyers
to shareholders, media and other stakeholders (though be
if a forensic consultant can image the devices so you have
careful not to comment about live ICAC/SFC investigations –
details of the information available to investigators.
take legal advice on any statement issued).
• Remember they are human! Offer tea and coffee, show them
where the bathrooms are, exchange name cards (this will also A shadow investigation may uncover the failures in internal controls that led to
problems, and form the basis for remediation. Remediation will help avoid future
help you identify the officers involved). Order breakfast or lunch problems and may aid your defence in any regulatory or legal proceedings.
– a hungry investigator is a grumpy investigator.
© 2021 23Recap – who will investigate and why?
Understanding Hong Kong authorities
There are several agencies in Hong Kong with the power to launch investigations into businesses and individuals. They have
varying degrees of power and separate (though sometimes overlapping) remits. This slide recaps some of the main authorities
you are likely to encounter in an investigation or dawn raid and the range of powers they have.
Agency Remit Requires search warrants? Can make arrests?
Independent Fight corruption through law No, has the power to search without a warrant (Section Yes , can arrest a person suspected of
Commission Against enforcement, prevention and 10C of the ICAC Ordinance). breaching an offence under the three
Corruption (“ICAC”) community education. anti-corruption ordinances it enforces.
Securities and Futures Strengthen and protect the integrity Yes, for forcible entry, search/seizure of documents, No. The SFC typically refers cases to the
Commission (“SFC”) and soundness of HK's securities and prohibition of document destruction. Has power to Commercial Crime Bureau of the Hong
futures markets. interview and demand “reasonable assistance” without Kong Police Force if an arrest is
a warrant. required.
Competition Commission To prohibit conduct that prevents, Yes, to enter and search premises. Has power to require No. May refer cases to Hong Kong
(“CC”) restricts or distorts competition, and people to answer questions and produce documents. Police Force if it considers that a crime
to prohibit mergers that substantially has been committed.
lessen competition in Hong Kong.
Hong Kong Police Force Law enforcement and investigation of Generally yes but not if cases can be related to national Yes.
(“police”) criminal matters. security or are extremely urgent.
© 2021 24Disclaimer Disclaimer Any material or explanation (including but not limited to presentation slides or verbal explanation) (collectively “Material”) provided hereunder serves as a general guide instead of a basis for decision making and shall not be construed as any advice, opinion or recommendation given by Yang Chan & Jamison LLP (“YCJ”) or Deloitte Advisory (Hong Kong) Limited (“DAHK”) on the presentation. In addition, the Material will be limited by the time available and by the information made available to YCJ/DAHK and you should not consider the Material as being comprehensive as YCJ/DAHK may not become aware of all facts or information. Accordingly, YCJ/DAHK will not be in a position to make a representation, and will not make a representation as to the accuracy, completeness and sufficiency of the Material. You will rely on the contents of the Material at your own risk. This Material shall be kept confidential and any person other than YCJ/DAHK’s authorized personnel shall not, in any way, retain, use or disseminate this Material without YCJ/DAHK’s prior written consent. All duties and liabilities (including without limitation, those arising from negligence or otherwise) to all parties, including you are specifically disclaimed. All copyrights and other intellectual property rights contained in the Material are reserved by YCJ/DAHK. For the avoidance of doubt, the Material contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of the Material, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on the Material. The speakers’ views, comments and speech are personal and do not constitute any position or opinion of YCJ/DAHK or otherwise represent YCJ/DAHK, or partners, principals, members, owners, directors, employees thereof. YCJ/DAHK does not endorse and is not responsible for any such personal expression in whatever form. Please take the view as the speaker's own only. © 2021 25
Any questions?
YL Cheung
William Tam
Valarie Fung
Michael Mo
Catherine Leung
Partner Partner Partner Director Senior associate
Deloitte Forensic
Deloitte Forensic
Yang Chan & Jamison LLP
Deloitte Forensic Yang Chan & Jamison LLP
T: +852 28526775
T: +86 755 33538308
T: +852 28525829
T: +852 22387227
T: +852 28521984
E: ylcheung@deloitte.com.hk
E: witam@deloitte.com.cn
E: valariefung@deloittelegal.com.hk E: wamo@deloitte.com.hk
E: cathleung@deloittelegal.com.hk
© 2021 26You can also read
