ARTICLE
11 July 2025

Representing Financial Institutions In Multi-jurisdictional Anti-money Laundering Investigations

Herbert Smith Freehills Kramer LLP

Worldwide Criminal Law

Introduction

Multi-jurisdictional investigations present numerous challenges and require careful management of the risks that arise. This chapter provides an overview of the issues that may occur throughout the duration of multi-jurisdictional anti-money laundering (AML) investigations into financial institutions, from breach reporting to responding to investigatory requests to the settlement of an action.

The nature of money laundering systems and controls failures is such that, in some jurisdictions, investigations can be pursued on either a criminal or a regulatory basis, or proceed on a 'dual track' basis at the outset. Criminal money laundering or failure to report offences by an institution may be investigated by law enforcement agencies, or the focus may be on AML systems and controls (on either a criminal or regulatory basis). In this chapter, we focus primarily on multi-jurisdictional regulatory investigations, including internal investigations carried out in parallel with such investigations.

Managing multi-jurisdictional investigative demands against data privacy and other requirements

Self-reporting of breaches and reporting of suspicious transactions

An investigation by a regulator may be triggered by various events; for example, a potential issue may be uncovered during a regulatory inspection, by a complaint directly to the regulator, by a financial crime incident involving a customer of the financial institution or via breach reporting by the financial institution itself.

Licensed financial institutions in many jurisdictions will often have self-reporting obligations (i.e., obligations to report their own breaches). These may include the requirement to self-report to their regulator any suspected material breach of specified laws or regulations that they (or their staff) have committed and, in certain jurisdictions, more onerous requirements, such as the following:

  • In Hong Kong, the obligation on licensed financial institutions to self-report breaches to the Securities and Futures Commission (SFC) is broad and covers breaches that they (or persons they employ or appoint) have committed, including suspected material breaches of 'law, rules, regulations, and codes administered or issued by the [SFC], the rules of any exchange or clearing house of which [they are] a member or participant, and the requirements of any regulatory authority which apply to [them]'.1 In the AML context, this includes breaches of all relevant requirements, whether in legislation or regulatory codes, such as those relating to customer due diligence and record-keeping.
  • The Financial Conduct Authority (FCA) in the United Kingdom requires regulated firms to report 'anything relating to the firm of which the regulator would reasonably expect notice'.2 This is a broad and non-exhaustive obligation that includes (but is not limited to) significant breaches of AML systems and controls requirements.3

In other jurisdictions, such as France, licensed financial institutions are not required to self-report suspected breaches as and when they occur. Rather, financial institutions are required to submit periodic reports to their regulators in relation to their compliance with laws and regulations, in which breaches or shortcomings may be identified.

Breach reporting is fact-sensitive and all potentially relevant jurisdictions should be considered; for example, there may be reporting obligations in the financial institution's home jurisdiction as well as one or more other jurisdictions in which the business may be affected by the relevant conduct. The analysis of which regulators to notify is nuanced and should be kept under continuous review.

Reporting obligations must be considered at an early stage and be revisited as more information comes to light. This is because the obligations may be triggered by a mere suspicion, and, once triggered, there may be a relatively short window within which reporting is required.

Regulators are increasingly expecting to be given early notification of potential issues. Hong Kong's SFC, for example, has disciplined financial institutions for late reporting and has emphasised that reporting should be made 'as soon as practicable upon identification' and 'not after the [institution] has already completed its investigation, obtained legal advice or taken remedial actions'.4

Even where there is no formal self-reporting requirement, the financial institution may want to consider whether it would be appropriate to report a suspected breach voluntarily to its regulator. In the United States, for example, regulatory authorities such as the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) seek to encourage corporate organisations to report misconduct. Under the Trump administration, it is expected that US regulators, including the DOJ and SEC, will continue to encourage cooperation and voluntary self-reporting of misconduct. As has long been the case, prosecutors and regulatory attorneys will consider whether companies have voluntarily self-reported misconduct, cooperated with the regulatory investigation and remediated the issues that caused the problems in determining appropriate resolutions and sanctions. As the DOJ has previously noted, self-reporting can 'result in a virtuous cycle' in rewarding companies 'trying to do the right thing' and allowing the DOJ to prosecute those that are not.5

Similarly, in the United Kingdom, the joint executive director of enforcement and market oversight at the FCA has emphasised the importance of firms 'doing the right thing', noting that the FCA '[appreciates] and [rewards] transparency and cooperation'.6

In any event, if a matter is reported in one jurisdiction – whether as required by regulation or voluntarily – it is usually the preferable course of action to notify other relevant jurisdictions. This is likely to be the case when an issue has been identified in a jurisdiction where the financial institution has a branch operation, in which case it may be prudent to notify both the regulator in the branch jurisdiction and the regulator responsible in the jurisdiction in which the financial institution is headquartered. Since AML systems and controls often operate on a group-wide basis, and breaches can have reputational implications and attract significant penalties, it is also not uncommon for material AML issues or investigations in one jurisdiction to be of interest to, or require reporting to, regulators in another jurisdiction, even outside head office and branch scenarios. Jurisdictions may also have agreements in place to exchange information.7 Nonetheless, caution should be exercised in framing the report. The potential for reports to contain damaging admissions that are later used in actions against the financial institution should be kept in mind.

Separately, many jurisdictions require persons who know or suspect that any property represents proceeds of criminal offences (i.e., that money laundering may have occurred) to disclose that knowledge or suspicion to their local financial intelligence unit.8 Unlike the self-reporting obligation, under which financial institutions are required to report to regulators their own breaches (or breaches by their staff), this obligation often applies to all regulated persons or even unregulated persons (individuals and entities) and is for the purpose of identifying criminal money laundering offences committed by others (and potentially by the firm). Disclosure is usually by way of what may be described as a suspicious transaction report (STR) or suspicious activity report (SAR) to the local financial intelligence unit, and is typically required to be submitted as soon as practicable.

For example, financial institutions in the United Arab Emirates (UAE), including those in the free zones, have an obligation to report to the UAE Financial Intelligence Unit (part of the Central Bank of the UAE) where they suspect or have reasonable grounds to suspect that a transaction or funds fully or partially constitute funds generated from the perpetration of any felony or misdemeanour, or that the transaction or funds relate to money laundering or that they will be used therein.9 This is to be done by submitting a report setting out the details of the transaction, relevant parties and any additional information, including confidential information, required by the unit. This obligation is in addition to the UAE Penal Code's general duty on all persons who have knowledge of a crime to report it to the competent authorities, with failure to do so being a punishable offence.

In both cases of reporting, when an event has been assessed but is determined not to be reportable, financial institutions should document this decision-making process in case it is subsequently called into question by a regulator or in litigation.

Preserving documents and information

Once a potential breach is identified, the financial institution should take steps to preserve all relevant documents and information for the purposes of investigating the breach internally as well as responding to any investigatory requests by regulators.

The information technology department should be notified promptly and directed to secure all relevant documents and information located on the financial institution's servers. Subject to considerations regarding confidentiality, further specific document retention instructions should be sent promptly to all employees who may have possession of or access to relevant documents and information. Routine destruction processes for the relevant documents and information should be halted.

The financial institution should identify the types of data that are relevant (e.g., communications data such as email, instant messaging logs and voice recordings, and non-communications data such as financial records, transaction records, system logs and AML compliance systems, including records documenting customer due diligence and transaction monitoring), as well as the locations in which data is stored.

In addition to information held centrally by the financial institution (e.g., on its servers), consideration should be given to the information stored locally on devices used by employees, such as desktops, laptops, smartphones, tablets and portable hard drives, to the extent that these are not backed up in the financial institution's system. The financial institution will need to consider its rights to access these devices, whether they need to be secured immediately to preserve evidence and how best to undertake this process. The extent to which a financial institution may be able to access these devices will depend on the type of device (e.g., bring-your-own devices and wholly personal devices are more problematic than firm-issued devices), the financial institution's internal policies and the protection offered to employees under the laws of the jurisdiction in question (including data privacy laws).

The rise in the use of off-channel communications for business purposes is a global phenomenon, prompted by the increased availability of instant messaging platforms, as well as the overall rise in remote or flexible working. Recent cases in the United States have illustrated the perils associated with data that is stored on an employee's personal device and the need for financial institutions to put in place policies and measures to limit off-channel business communications and to ensure that proper records are kept of all business communications.

In December 2021 and September 2022,10 the SEC charged 17 large financial institutions with violations of the provisions of federal securities laws that require registered broker-dealers and investment advisers to keep records of customer accounts, transactions and relevant communications. It found that employees at all the institutions at multiple levels of seniority were communicating with customers and internally via text messages, encrypted messaging applications (e.g., WhatsApp) and personal email accounts, and the institutions were not able to produce the off-channel communications to the SEC when required to do so by request or subpoena. The financial institutions admitted that they had violated the relevant record-keeping requirements in question and agreed to pay combined penalties of more than US$1.2 billion and be subject to other orders. The US Commodity Futures Trading Commission (CFTC) also announced settlements with the same financial institutions for essentially the same conduct.11

On 9 February 2024, the SEC announced charges against another 16 financial institutions – including five broker-dealers, seven dually registered broker-dealers and investment advisers and four affiliated investment advisers – for 'widespread and longstanding failures by the firms and their employees to maintain and preserve electronic communications'.12 The SEC continued this trend, announcing more charges in early 2025 against nine investment advisers and three broker-dealers 'for failures by the firms and their personnel to maintain and preserve electronic communications', ordering the firms to pay more than US$63 million combined.13 Under the Trump administration, however, 'off-channel' communication sweeps will likely be deprioritised: both Republican-appointed Commissioners who currently sit on the SEC have expressed criticism of the off-channel sweeps because it 'does not appear that firms have an achievable path to compliance'.14 It is expected that the newly appointed chair, Paul Atkins, will have a similar sentiment, and there are likely to be fewer off-channel communication investigations moving forward.

In the United Kingdom, the Prudential Regulation Authority took action in April 2023 against a bank for, among other things, failing to put in place effective documentation and record-keeping policies or procedures that took into account technological advances such as those relating to instant messaging platforms, after an investigation identified that senior executives and external parties had regularly exchanged messages in respect of the firm's actual and potential transactions, its business and its strategy through WhatsApp on both firm-issued and personal mobile devices.15

Reviewing documents and information

Once the relevant documents and information are preserved, the next step is typically to review them.

Where the documents and information are located in different jurisdictions, it may be ideal from a logistical perspective to review them centrally in one location; however, this is not always possible owing to the restrictions on cross-border data transfer that may be imposed under data protection laws, state secrecy laws or blocking statutes in the jurisdictions in question, and, in some cases, it may not be desirable to bring documents into particular jurisdictions. In addition, information may be in multiple languages and may require review by different teams.

For example, the People's Republic of China (PRC) Law on Protecting State Secrets 2024 (the 2024 State Secrets Law), which took effect on 1 May 2024, restricts transfer of a broad list of items that may be state secrets and includes a catch-all provision for 'other matters that are classified as state secrets by the National State Secrets Bureau'.16 The 2024 State Secrets Law may also be seen as creating a new category of state secrets: 'work secrets', which were already regulated before the promulgation of the 2024 State Secrets Law and have now been brought within the ambit of the Law to strengthen their protection.

The 2024 State Secrets Law provides that items that are obtained or generated by party and government bodies in the course of conducting their work will be subject to work secret restrictions if the leakage of those items may cause certain adverse effects. The PRC Anti-Espionage Law prohibits any activity that amounts to stealing, spying for, purchasing or illegally providing state secrets, intelligence and any 'other documents, data, materials, articles relating to national security and interests'.17

The Penal Code of the UAE also restricts the disclosure and transfer overseas of national secrets of the state and state secrets of defence, which cover a broad range of information.18

The European Union's General Data Protection Regulation19 casts a wide net in terms of what constitutes personal data (any information relating to an identified or identifiable natural person) and prohibits the transfer of personal data to jurisdictions outside the European Union that have not been recognised as providing adequate protection, unless an exemption applies: the exemptions include law enforcement and the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions. The European Union has so far recognised around a dozen jurisdictions, including the United Kingdom and Switzerland, Canada (commercial organisations) and the United States (commercial organisations participating in the EU-US Data Privacy Framework), as providing adequate protection, but even when documents are to be transferred to a recognised jurisdiction, an applicable data protection gateway would still need to be identified to provide a basis for the data processing, and it would still be necessary to comply with any applicable obligations relating to the processing of the data.

In addition to state secrecy and data protection laws, several Chinese laws contain provisions that may further restrict the provision or transfer of information outside China. For instance, the International Criminal Judicial Assistance Law provides that organisations and individuals within the territory of China shall not provide assistance, including any evidence materials, in criminal proceedings outside the jurisdiction without the approval of competent authorities. An investigation initiated by an organisation within China in response to an inquiry or investigation by a foreign enforcement agency, or the self-reporting of misconduct (identified through an internal investigation by such organisation) to a foreign enforcement agency, may be deemed as part of a foreign criminal proceeding. Similar provisions can be found in China's Data Security Law and Personal Information Protection Law, which prohibit the provision of data and personal information to foreign judicial and law enforcement bodies (including regulators) without the approval of competent authorities.

In France, Law No. 68-678 of 26 July 1969 (known as the blocking statute) prohibits any French company from communicating to a foreign public authority any information of an economic, commercial, industrial, financial or technical nature, where the information is intended to constitute evidence for the purposes of judicial or administrative proceedings (subject to agreements between France and some jurisdictions that allow documents to be provided through specific channels and under certain circumstances).

Financial institutions should consider whether these laws may apply and, if so, whether an exemption (e.g., customer consent via terms and conditions of a service agreement, or an exemption relating to cross-border data transfer for the purpose of responding to investigations) can be relied on. If data cannot be transferred to the desired review location, a satellite review team may need to be established to review data locally with appropriate controls in place to ensure compliance with local laws.

Producing documents and information to regulators

Regulators can typically require production only of documents and information that are relevant to the matter under investigation; however, in practice, the scope of investigations tends to be broad and regulators have a wide discretion.

Regulators may ask for specific information, such as applicable AML risk assessments, AML policies and procedures, internal or third-party reviews of the AML programme, details of particular aspects of the framework (such as the operation of the AML transaction monitoring system) or details about particular crystallised financial crime risk incidents. They may also ask about the institution's governance framework (e.g., the composition, terms of reference and reporting lines of relevant committees), for minutes of board or committee meetings, and for details about the individuals in relevant roles who were employed by the financial institution during the period of the suspected breach. These types of information may appear relatively easy to locate, but locating them can be challenging, particularly over a long period during which governance arrangements have changed multiple times (as is common).

Regulators typically also request evidence to demonstrate that certain steps have been taken (or not taken and why that was the case) and for documents that evidence consideration of particular aspects of (or problems with) the institution's financial crime programme. This may require going through a substantial amount of information, including electronic communications. The review team will need to identify the search criteria (e.g., a combination of time frame, search terms and custodians). In appropriate cases, two or more phases of review may be undertaken, using less expensive resources for a first pass review.

Tools are available to make the review process more efficient. Predictive coding and other artificial intelligence (AI) tools are becoming increasingly popular, with ever-increasing accuracy and ever-expanding use cases. Regulators are therefore generally more receptive to the use of such tools than before; however, it is likely that regulators will expect financial institutions to be transparent about which tools are used and how they are used. In practice, regulators may agree to such use only where they consider it appropriate, such as where the volume of documents and data makes other review methods disproportionate or inadequate because they would entail undue delay. Other means of addressing large data sets may be considered first, such as narrowing down the time frame, custodians or the subject matter.

In the same way that institutions will often discuss search terms and date ranges with the relevant regulator or enforcement agency, it will also be important for the institution to provide the necessary information about its proposed use of AI and to agree parameters around the use of these tools (e.g., sample populations used to train the tool, thresholds below which documents will not be subject to human review).

It is important in any event to keep an audit trail and record judgement calls in relation to the production of documents to regulators. It is also important to have a globally coordinated approach to managing communications with regulators (as well as other external parties, such as clients and the media), to ensure the accuracy of what is being said and to avoid inconsistencies.

In jurisdictions where the concept of legal professional privilege (LPP) exists (e.g., Hong Kong, the United Kingdom and the United States), the general principle is that it is not mandatory for documents and information that are subject to LPP to be provided to regulators; however, care should be taken to maintain confidentiality of privileged documents and information. If confidentiality is lost, LPP will also be lost.

Financial institutions should note that the scope of LPP protection may vary among jurisdictions that recognise the concept; for example, in the United Kingdom, where litigation is not in reasonable prospect, in general, only solicitor–client communications are privileged, and the definition of 'client' within an organisation is narrow. The client is considered to be a core team within the organisation tasked with giving instructions to, and receiving advice from, the legal team. As a result, reports commissioned from third parties, such as consulting firms, even if instructed by lawyers, may not be privileged, and if a fact-finding internal investigation has been conducted (even by lawyers), the interview notes may not be privileged. These issues require careful consideration, and the regulator will typically be sensitive to overly broad privilege claims. Hong Kong, on the other hand, has adopted a broader approach, defining 'client' as simply the organisation; therefore, LPP will protect, for example, all confidential documents within the organisation that are produced for the dominant purpose of being used to obtain legal advice.

Where part of a document is subject to LPP, the financial institution may redact or obscure the privileged parts before submitting the document to the regulator.

Although regulators in jurisdictions where LPP is recognised generally respect the fundamental right to LPP,20 it is now common for financial institutions to consider waiving their right to LPP over certain documents and disclosing them to one or more regulators as an act of cooperation, in the hope that this cooperation will be recognised in the investigation outcome. Disclosure will normally be made under a limited waiver of LPP (if recognised by the jurisdiction and permitted by the regulator). This involves waiving LPP only as against the regulator, which has agreed to maintain the confidentiality of the documents, while preserving LPP as against the rest of the world.

Although the concept of limited waiver is recognised in some jurisdictions (e.g., Hong Kong and the United Kingdom),21 the consequences of a limited waiver remain unpredictable, particularly in a multi-jurisdictional investigation. For example, the United States does not generally recognise the concept of a limited waiver – once produced to the regulator, the document loses its privileged status. Financial institutions must therefore carefully assess the benefits and risks before voluntarily disclosing any privileged document to a regulator. In jurisdictions that recognise limited waivers, it may be possible to seek an explicit confidentiality agreement with the regulator in question when considering making a disclosure of privileged information, and, in any event, it is usually recommended to be clear as to the basis on which any documents are being produced. Depending on the circumstances, it is possible that a regulator may not agree to confidentiality terms that undermine its obligations to share information with other regulators.

Although civil law jurisdictions (e.g., France and the UAE (other than in the common law free zones)) tend not to recognise the concept of LPP, communications between financial institutions and their external lawyers are usually protected by a duty of confidentiality or professional secrecy on the part of the lawyers, subject to limited exceptions (e.g., in France, if communication documents are proven to have been used for the purposes of committing or facilitating the commission of money laundering and certain other criminal offences, and are seized as part of an investigation into such offences, or in the UAE, which allows disclosure of such confidential information to prevent the commission of a crime threatening life or safety, or material damage to property, or if such disclosure is mandated by applicable laws);22 however, the same communications are not protected in the hands of financial institutions.

Similar issues arising from any state secrecy, data protection and other laws as discussed above will need to be considered by financial institutions when responding to regulators' investigatory requests. Financial institutions should also take note of any bank secrecy provisions that may be applicable, which usually limit the disclosure of customer information subject to specified exemptions.23

When addressing a request from an out-of-jurisdiction regulator, the financial institution should carefully consider the nature of the request and whether it is being compelled to produce the information. In some circumstances, voluntary production of information to a regulator can result in the institution committing breaches of client or counterparty confidentiality obligations, data privacy or banking secrecy, or losing LPP protections.

Another point to note is the increased regulation of the outsourcing of data by financial institutions in recent years, as illustrated, for example, by the International Organization of Securities Commissions (IOSCO) updating its Principles on Outsourcing in October 2021.24 One of the Principles relevant to regulatory investigations is Principle 6, which provides, among other things, that '[r]egulated entities should ensure that their regulator has prompt and comprehensive access to information concerning outsourced tasks, to enable the regulator to carry out its inspection, investigation and monitoring powers over the activities for which they are regulated'.25

An example of regulatory guidance that has been issued with these IOSCO Principles in mind is the Hong Kong SFC's requirements on regulatory records that are kept in cloud storage.26 If such records are kept exclusively with an external electronic data storage provider, licensed firms must ensure that the records are fully accessible upon demand by the SFC without undue delay. The Central Bank of the UAE's Outsourcing Regulation for Banks and accompanying standards provide that outsourcing agreements must include an explicit provision giving the Central Bank (or any agent appointed by it) access to the outsourcing service provider, including the right to conduct on-site visits and access to data or information stored at the provider that is required for supervisory purposes.27 Within the European Union, the European Banking Authority has also required, in its guidelines on outsourcing published in 2019,28 that financial institutions that decide to outsource some of their activities ensure that the regulator can carry out its supervisory mission by having a right of access to any data stored by the provider.

Secrecy obligations and prohibition against tipping off

In many jurisdictions, the involvement of any regulator will be accompanied by secrecy obligations, and breach of these obligations will attract criminal consequences in some jurisdictions. Secrecy obligations will restrict the extent to which a financial institution can disclose the existence and details of regulatory inquiries or investigations.

That said, in the United Kingdom, the FCA has recently consulted on its approach to enforcement investigations,29 including on proposals to communicate more about investigations at an early stage. Currently, the FCA publishes information about its enforcement investigations only when these lead to outcomes (i.e., when the FCA decides to issue statutory notices imposing sanctions, prohibitions or requirements). It has been only in exceptional circumstances that the FCA has commented on the fact of – or progress of – an investigation. While the FCA initially proposed publicly announcing that it has opened an enforcement investigation and publishing updates on the investigation if it considers that it is in the public interest to do so, this was met with significant opposition within the industry. The FCA ultimately confirmed that it would not be proceeding with this change but that it would be taking forward proposals to reactively confirm investigations already in the public domain, publish greater detail of issues under investigation on an anonymous basis and make public notifications focusing on the potentially unlawful activities of unregulated firms and regulated firms operating outside the regulatory perimeter.30 At the time of writing, the FCA has not yet published its final policy; therefore, any impact on the conduct of future investigations remains uncertain.

In the context of multi-jurisdictional investigations, where secrecy obligations exist, they also restrict the extent to which financial institutions can share the fact of involvement of one regulator with other regulators. This potentially places them in a difficult position if they are asked by a regulator which other regulators are aware of or have made enquiries about the relevant conduct. It will normally be possible to get the relevant regulators' approval for disclosure of an investigation to other regulators, but the discussions seeking such consent should be undertaken with great care. The financial institution should explain the difficulties it is facing and seek the regulator's agreement as to what the other regulator can be informed about.

In many jurisdictions, including the United Kingdom, France, Hong Kong and the UAE, the requirement to file an STR or SAR (to report suspected money laundering) is accompanied by the prohibition against tipping off, such as disclosing that an STR or SAR has been or is about to be filed, the contents of the report, or any matter that is likely to prejudice any investigation that might be conducted following the filing of a report.

Managing outcomes of multi-jurisdictional investigations

Cooperation with regulators

Regulators will often have a policy (whether formal or informal) that incentivises cooperation by providing more favourable outcomes and reduced penalties in return. As a general rule, cooperation does not mean simply complying with lawful requests from a regulator.

The following are some examples of actions that may be considered by regulators as cooperation (these will vary between jurisdictions,31 and some of the actions will be required in certain jurisdictions in any event):

  • voluntarily and promptly reporting breaches or failings to the regulator;32
  • taking the initiative to undertake a credible investigation to examine the nature, extent, origins and consequences of the misconduct, opening a frank dialogue with the regulator, and providing regular and meaningful updates on the progress of the investigation;
  • providing true and complete information regarding breaches or failings, such as taking early and proactive steps to preserve and collect important evidence and providing it to the regulator, providing information and evidence of which the regulator is otherwise unaware (including sharing the results of an internal investigation), and providing useful intelligence to the regulator;
  • waiving LPP over a document (including on a limited basis);
  • accepting liability, including taking responsibility for breaches or failings, addressing the regulator's concerns and accepting the regulator's findings or proposed sanctions;
  • adopting rectification measures, such as taking early and active steps to contain breaches or failings, making full and prompt compensation to affected customers, and instituting necessary enhancements to internal controls and procedures;
  • conducting a credible internal investigation that is led by independent outside counsel and is independent of the management involved in the relevant conduct, and providing the results of the internal investigation to the regulator;
  • appointing a third-party reviewer jointly with the regulator to conduct a fact-finding review in respect of the breaches or failings, or a prospective internal control review to identify appropriate remedial actions;33 and
  • having the board of directors of the financial institution give undertakings collectively and individually to address the regulator's concerns, such as undertakings to remedy deficiencies identified in a third-party review within a specified amount of time and to ensure that the same failings would not reoccur.

An overarching strategy should be developed when a financial institution is seeking to cooperate with multiple regulators across different jurisdictions. Cooperation will be viewed favourably in settlement discussions with all regulators; however, the formal framework for recognition of cooperation and each regulator's history of rewarding cooperation should be taken into account when considering how best to approach the issue of cooperation. The incentives to cooperate and the benefit available to the financial institution must be balanced against the need to preserve privilege and defences. If multiple regulators are involved, there may be varying degrees of certainty around the benefits of cooperation that need to be considered in devising the overall strategy. The financial institution should strive, where possible, to take a consistent approach to cooperation.

Settlement with multiple regulators

When financial institutions are dealing with a single regulator, there is an opportunity to influence the enforcement narrative. This process can facilitate a resolution of the matter by settlement, where the financial institution and the regulator find common ground on what the important facts and issues are. Although this is still possible with multiple regulators, it can be more difficult. Regulators will have different enforcement or regulatory cultures, as well as varying focus areas and agendas, which complicates the settlement process.

It may also be difficult to settle with all regulators concurrently, even though there is increasing coordination and cooperation among regulators. The worst-case scenario may be the involvement of a regulator that wants to make a name for itself by adopting a different approach from that of the other regulators.

Preventing piling on

To address concerns about 'piling on' (i.e., receiving multiple, overlapping penalties in relation to the same misconduct from various civil, criminal and regulatory authorities, including overseas authorities), the US DOJ has instructed federal prosecutors to avoid seeking excessive or duplicative fines, penalties or forfeitures against a company, while nevertheless recognising the importance of coordinating parallel proceedings. According to its Justice Manual, the DOJ should also endeavour to coordinate with and consider the amount of fines, penalties or forfeiture paid to other federal, state, local or foreign enforcement authorities that are seeking to resolve a case with the company for the same misconduct.34

All relevant factors should be considered in determining whether coordination and apportionment between DOJ components and with other enforcement authorities allows the interests of justice to be fully vindicated, such as the egregiousness of a company's misconduct, statutory mandates regarding penalties, fines and forfeitures, and the adequacy and timeliness of a company's disclosures and its cooperation with the DOJ.35 It is common for the DOJ to work closely with other authorities (such as the SEC and the CFTC), as well as their foreign counterparts, and there are many instances when a company will obtain a credit against its US fine for fines paid in other jurisdictions. The DOJ will also assess any impact on innocent third parties (e.g., employees and shareholders) in considering appropriate action. For example, if the consequences have a significant impact on innocent third parties, the DOJ instructs 'it may be appropriate to consider a non-prosecution or deferred prosecution agreement with conditions designed, among other things, to promote compliance with applicable law and to prevent recidivism'.36

The rules setting out the process for calculating penalties in FCA enforcement actions in the United Kingdom expressly include, as a potential mitigating factor, consideration of action taken against the firm by other domestic or international regulatory authorities that is relevant to the breach in question.37 Similarly, in its disciplinary fining guidelines, the Hong Kong SFC states that it will consider all circumstances of a case in deciding the level of fine, including any punishment imposed or regulatory action taken (or likely to be taken) by other competent authorities, and the result or likely result of any civil action taken (or likely to be taken) by third parties (successful civil claims, or those likely to be successful, may reduce the part of a fine, if any, that is intended to stop a firm benefiting from its conduct).38

Information sharing and coordination between regulators, such as through memoranda of understanding, may also help reduce instances of piling on. The UAE's National Strategy for Anti-Money Laundering, Countering the Financing of Terrorism and Proliferation Financing for 2024-27 focuses on enhancing national and international coordination to improve information exchange and partnerships. In February 2025, the Central Bank of the UAE and the Economic Security Centre of Dubai signed a memorandum of understanding to strengthen cooperation and information sharing in combating financial crime within the country.39

Conclusion

The following are some of the questions that need to be asked at the outset of and throughout an investigation:

  • Does the potential breach trigger a self-reporting obligation? Which regulator, or regulators, should be notified? What should be included in the report? Should a voluntary notification be made in the absence of a mandatory obligation to do so? The position needs to be revisited as more information comes to light.
  • Is the issue localised or systemic? If the latter, the financial institution should review the position in other areas of the business and other jurisdictions that may be affected.
  • Who in the financial institution should be involved in investigating the issue, responding to the regulator (or regulators) and reporting to management?
  • What types of documents and information are relevant to the issue at hand? Where are they stored? How should they be secured? Does the financial institution have the right to access its employees' personal devices in light of its internal policies and data privacy or other laws?
  • How should the documents and information be gathered for review? Are there laws restricting cross-border transfer of information (and, if so, can any exemptions be utilised)? Where should the document review team (or teams) be based?
  • How should the document review be conducted (e.g., what are the appropriate search criteria)? What document review platforms or software (such as predictive coding) should be used?
  • Which documents can be withheld from the regulator on the basis of LPP or lawyer's duty of confidentiality? What is the scope of the privilege or lawyer confidentiality in the jurisdictions in question? Should LPP be waived in relation to certain documents for any specific regulator to obtain credit for cooperation?
  • Do any state secrecy, data protection and bank secrecy laws, or blocking statutes apply (and can any exemptions be utilised)?
  • Have audit trails been maintained in relation to judgement calls made during document review?
  • Have measures been put in place to ensure that any obligation to maintain confidentiality of investigations is complied with, and any prohibition against tipping off money laundering investigations is not breached?
  • Do the regulators in the jurisdictions in question recognise cooperation by financial institutions and reward cooperation by providing more favourable outcomes? If so, how should the financial institution make use of this benefit, balanced against the need to preserve any privilege or defences?

Acknowledgement

The authors wish to thank their colleagues Pamela Kiesselbach, Valerie Tao, Elizabeth Head, Elizabeth Kaminski, Martin Le Touzé, César Michel, Ariel Axler, Rémi Jouaneton, Janine Mallis, Tania Forichon, David Chen and Edward Lin for their contributions to this chapter.

Footnotes

1 Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission, Hong Kong Securities and Futures Commission (SFC), Paragraph 12.5(a).

2 Handbook, 'Principles for Businesses', Financial Conduct Authority (FCA), Principle 11 under Section 2.1.1.

3 See FCA Handbook, Regulatory Processes, SUP 15.3, which sets out supplementary rules regarding notification.

4 Circular to intermediaries, 'Compliance with notification requirement', SFC (14 Sept 2018).

5 Speech by Deputy Attorney General Lisa O Monaco, 'Deputy Attorney General Lisa O. Monaco Announces New Safe Harbor Policy for Voluntary Self-Disclosures Made in Connection with Mergers and Acquisitions' (4 Oct 2023).

6 Speech by Therese Chambers, Joint Executive Director of Enforcement and Market Oversight, 'Do the right thing', FCA (1 June 2023).

7 For example, under the Multilateral Memorandum of Understanding Concerning Consultation and Cooperation and the Exchange of Information of the International Organization of Securities Commissions (IOSCO), the Enhanced Multilateral Memorandum of Understanding Concerning Consultation and Cooperation and the Exchange of Information or bilateral agreements.

8 Such as the Joint Financial Intelligence Unit in Hong Kong, the Traitement du renseignement et action contre les circuits financiers clandestins (TRACFIN) in France and the Financial Intelligence Unit in the United Arab Emirates.

9 Federal Law No. 20 of 2018, Article 15 (as amended).

10 Press release 2021-262, 'JPMorgan Admits to Widespread Recordkeeping Failures and Agrees to Pay $125 Million Penalty to Resolve SEC Charges', US Securities and Exchange Commission (SEC) (17 Dec 2021); press release 2022-174, 'SEC Charges 16 Wall Street Firms with Widespread Recordkeeping Failures', SEC (27 Sept 2022).

11 Press release 8470-21, 'CFTC Orders JPMorgan to Pay $75 Million for Widespread Use by Employees of Unapproved Communication Methods and Related Recordkeeping and Supervision Failures', US Commodity Futures Trading Commission (CFTC) (17 Dec 2021); press release 8599-2022, 'CFTC Orders 11 Financial Institutions to Pay Over $710 Million for Recordkeeping and Supervision Failures for Widespread Use of Unapproved Communication Methods', CFTC (27 Sept 2022).

12 Press release 2024-18, 'Sixteen Firms to Pay More Than $81 Million Combined to Settle Charges for Widespread Recordkeeping Failures', SEC (9 Feb 2024).

13 Press release 2025-6, 'Twelve Firms to Pay More Than $63 Million Combined to Settle SEC's Charges for Recordkeeping Failures', SEC (13 Jan 2025).

14 Statement by Commissioner Hester M Peirce and Commissioner Mark T Uyeda, 'A Catalyst: Statement on Qatalyst Partners LP', SEC (24 Sept 2024).

15 Final Notice to Wyelands Bank Plc (FRN 139209), Bank of England Final Notice (4 Apr 2023).

16 Law of the People's Republic of China on Protecting State Secrets, Article 13.

17 Anti-Espionage Law, Article 4(3).

18 Federal Decree-Law No. 31/2021 on the Issuance of the Crimes and Penalties Law, Article 166.

19 Regulation (EU) No. 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which took effect on 25 May 2018.

20 See, e.g., 'Corporate Enforcement and Voluntary Self-Disclosure Policy', US Department of Justice (DOJ), Criminal Division, Part 6; 'Guidance Note on Cooperation with the SFC', SFC (1 June 2023), Paragraph 5.

21 Nevertheless, the FCA has issued guidance on the scope of waiver expected where the institution produces a firm-commissioned report to it.

22 Federal Decree-Law No. 34/2022 Regulating the Advocacy and Legal Consultancy Professions, Article 45.

23 See, e.g., Singapore Banking Act 1970, Section 47 and Third Schedule.

24 Press release, 'IOSCO updates its outsourcing principles to ensure operational resilience', IOSCO (27 Oct 2021); 'Principles on Outsourcing: Final Report', IOSCO (Oct 2021).

25 'Principles on Outsourcing: Final Report' (see footnote 24), p. 30.

26 Circular to Licensed Corporations, 'Use of external electronic data storage', SFC (31 Oct 2019); 'FAQs: Use of External Electronic Data Storage', SFC.

27 Outsourcing Regulation for Banks, Central Bank of the UAE; Outsourcing Standards for Banks, Central Bank of the UAE.

28 'Final report on EBA Guidelines on outsourcing arrangements', European Banking Authority (25 Feb 2019), Sections 85 to 86.

29 Consultation paper CP24/2, 'Our Enforcement Guide and publicising enforcement investigations - a new approach', FCA (updated 4 Dec 2024); consultation paper CP24/2, 'Part 2: Greater transparency of our enforcement investigations', FCA (updated 20 Feb 2025).

30 Statement, 'Update on the FCA's enforcement transparency proposals', FCA (12 Mar 2025).

31 See, e.g., 'Guidance Note on Cooperation with the SFC' (see footnote 20).

32 For example, it is expected that the SEC and DOJ will have a continued emphasis on voluntary self-reporting.

33 However, financial institutions should be aware that in several recent FCA anti-money laundering enforcement actions, the findings of third-party reviews have then been used as evidence of breaches in a subsequent final notice, particularly if any identified issues have not been appropriately remedied.

34 Justice Manual, Paragraph 1-12.100.

35 Id.

36 Id., Paragraph 9-28.1100 (Collateral Consequences).

37 FCA Handbook, DEPP 6.5A.3.

38 SFC Disciplinary Fining Guidelines: Anti-Money Laundering and Counter-Terrorist Financing Ordinance – Considerations relevant to the level of a disciplinary fine, SFC.

39 Press release, 'The Economic Security Centre of Dubai and CBUAE, sign MoU to enhance partnership in combating financial crime', Government of Dubai (6 Feb 2025).

Originally published by Global Investigations Review, 27 May 2025
