tashatuvango - Fotolia

Five key steps where there is a risk of fraud investigation

When fraud investigators come knocking, there are some important ways in which management and senior IT professionals can make sure their company is best protected.

It’s no secret that the UK is facing a huge fraud problem. Economic crime is thought to cost the UK as a whole up to £350bn per year and fraud accounts for 40% of all reported crime. The national Action Fraud reporting service dealt with around one million contacts last year, representing reported losses of more than £2.3bn.

Recent months have seen two important government documents published: the second Economic Crime Plan, which allocates £400m of funding to this area over the next three years, and a new Fraud Strategy which details how fraud will be tackled by way of more resourcing for law enforcement and the criminal justice system, better reporting and tracking of fraud, new technology, and enhanced cooperation with the private sector. Targeting scammers, holding tech platforms to account and ensuring the tech sector is not an enabler of fraud will all receive particular government attention.  

Although there are valid questions being asked about the resourcing of the UK’s enforcement agencies, those bodies (which include the Serious Fraud Office, National Crime Agency and Financial Conduct Authority as well as the police) have been invested with considerable powers to investigate fraud and economic crime.

For any business and its staff, the impact of a law enforcement fraud investigation can be significant and may include reputational damage, employment law issues and the risk of civil litigation, as well as financial repercussions. This can be the case even where the investigation does not ultimately result in a criminal charge or regulatory finding.

Read more about fraud

So how can those within a business ensure that their company is best protected in this scenario? There are a number of key points to bear in mind:

1. Get a lawyer: From the moment an investigation first lands, there are many vital decisions to be made, all with important legal consequences. Obtaining robust, pragmatic legal advice from an experienced specialist lawyer at an early stage will inevitably save time, money and heartache later down the line. A lawyer will act as an important professional go-between – enabling smoother communications with the investigator – and helps to ensure “equality of arms” where your company may otherwise feel daunted in dealing with an agent of the state.

By using a lawyer, your company can also ensure that all relevant communications concerning the provision of legal advice are shielded by legal professional privilege (LPP), one of the most important protections of English law. Where LPP applies to a document it can legally be withheld from an enforcement agency (or an opponent to litigation).

2. Make confidentiality a priority: In order to make sure that LPP is preserved as well as to limit any collateral damage (both internal and external to a company) from information leaks, communications relating to an investigation should be kept strictly confidential. Taking steps such as using a project codename, keeping the ‘circle of knowledge’ as small as possible and using secure methods of communication will all help. Due to the expertise they possess, senior IT professionals are often part of the inner circle of an investigation and all IT staff should be well trained to understand their confidentiality obligations.

3. Consider evidence retention: Where relevant material is amended or destroyed before the investigator is able to retrieve it, this could prejudice a law enforcement investigation – at best, this could damage your company’s relationship with the investigating agency; at worst it could lead to criminal charges. One of the important early decisions will be what material is relevant, where it is located, and how to preserve it. Steps should be taken to suspend document destruction policies and, where appropriate, issue hold notices to custodians of relevant data. Another important job, which usually falls to trusted IT staff, will be making sure that electronic material relating to investigation subjects or witnesses is preserved by imaging and backing up email accounts and file repositories.

4. Liaising with the authorities: In many cases, it will be in your company’s best interests to cooperate fully and voluntarily with the authorities where it comes to the provision of information; this may help to avoid law enforcement using some of its most disruptive powers. But the relevant considerations for companies are highly nuanced. For example, it is vital to make sure that any avenues of liability, and the related risks, for the company are fully understood. The timing, nature and manner of communications can often tip the balance, and legal representation here is crucial.

5. Don’t forget data privacy issues: Data privacy is a particularly complex area of law, with many competing interests to be balanced. At all stages of an investigation, there is a good chance that your company will be involved in handling personal, and sometimes sensitive, data. You may be asked – or required – to transfer data to an external party. Conducting a proper data privacy impact assessment is a recommended early step which allows your company to understand and assess its risks in this area and becomes part of an audit trail of the steps taken during the life cycle of the investigation.

Caroline Day is a partner and Phil Taylor a professional support lawyer in the Criminal Litigation Team at law firm Kingsley Napley LLP.

Read more on Regulatory compliance and standard requirements

Data Center
Data Management