© 2021
27 January 2021
Dawn raids: responding to regulatory investigations
Deloitte Forensic and Yang Chan & Jamison LLP
Introduction
YL Cheung
Partner
Deloitte Forensic
William Tam
Partner
Deloitte Forensic
Valarie Fung
Partner
Yang Chan & Jamison LLP
Michael Mo
Director
Deloitte Forensic
Catherine Leung
Senior associate
Yang Chan & Jamison LLP
Imagine that…
• It is 9 o'clock in the morning and you are sipping a coffee in the office, when the receptionist informs you that over 10 officers from a regulatory authority have arrived and asked to enter the office to conduct a search.
• What should you do?
Photo credit: South China Morning Post
Introduction: Dawn raids
• “Dawn raid” refers to an unexpected and unannounced inspection of premises by regulators.
• The literal meaning of the word “dawn” implies that the visit would usually take place in the early hours of the day.
• The raid is unannounced – so that the subject of investigation cannot do anything to impair the seizure of evidence by the regulatory authority.
Some examples: Power to search and enter pursuant to a warrant
Police Force Ordinance (Cap. 232) ("PFO")
“Whenever it appears to a magistrate… that there is a reasonable cause to suspect that there is in any building… any… document… which is likely to be of value… to the investigation… such magistrate may by warrant directed to any police officer empower him… to enter and if necessary to break into or forcibly enter such building…” (section 50(7))
Securities and Futures Ordinance (Cap. 571) ("SFO")
“If a magistrate is satisfied… that there are reasonable grounds to suspect that there is or is likely to be on premises… any… document which may be required to be produced under [the SFO], the magistrate may issue a warrant authorizing a… police officer… to enter the premises…” (section 191)
Prevention of Bribery Ordinance (Cap. 201) ("POBO")
“Where… the court is satisfied that there is reasonable cause to believe that in any premises… there is anything which is or contains evidence of an offence under [the POBO], the court may by warrant directed to an investigating officer… empower such officer… to enter such premises…” (section 17)
Independent Commission Against Corruption Ordinance (Cap. 204) ("ICACO")
“If a magistrate is satisfied that… there is a reason to believe that there is in any premises… anything which is or contains evidence of the commission of any of the offences referred to in this section 10, he may by warrant directed to any officer authorize such officer… to enter… such premises…” (section 10B)
Practical tips to handle a raid
01 Instruct legal advisors
It is not ideal for any company or person to handle a regulatory investigation in the absence of legal advice. In particular, lawyers can advise the company or person subject to investigation on their rights and obligations throughout the dawn raid and the whole investigation process, including the right to claim legal professional privilege.
02 Check the search warrant
You should have your lawyers check the search warrant to ensure that:
• It is issued no more than 7 days prior to the search;
• There is a proper description of the nature of the alleged offence;
• The location stipulated in the search warrant is correct; and
• The persons entering the premises and undertaking the search are the persons authorized under the warrant.
03 Claim of legal professional privilege ("LPP")
Regulators cannot compel disclosure of documents which are subject to the claim of LPP. In some circumstances you may want to disclose privileged documents to regulators on a "limited waiver" basis, which means that the documents are provided to the regulators solely for the purpose of their investigation and the regulators cannot transfer or disclose the documents to other third parties for any other derivative purposes.
04 Agreement on protocol for the search
Before the regulators start the search in the premises, your lawyers should agree on a "search protocol" with the regulators. Under the protocol, the regulators may be willing to disclose the classes of documents they are specifically looking for, and you can then indicate the location of those relevant documents to facilitate the search, which will also help minimise any intervention in the normal operation of the company's business.
05 Think twice before voluntarily answering questions or giving statements
During the search, it is rather common that the regulators may ask the staff members of the company some questions. If the questions are solely for the purpose of furthering the proper and effective conduct of the search, it is advisable that the questions should be answered.
On the other hand, if the regulators ask substantive questions about the content of the investigation, you should seek legal advice as to whether those questions should be answered. For example, if the raid is conducted by the SFC, they should have issued the requisite notice under s.183 of the SFO.
06 No right to silence
If the SFC issues a notice under s.183 of the SFO to require a person who is subject to investigation or assisting in an investigation to answer any questions or produce any relevant documents, the person cannot refuse to answer or produce the relevant documents; otherwise he/she may be found guilty of a criminal offence.
07 Declaration of rights against self-incrimination
Although there is no right to silence under the SFO, there is statutory protection for any person who makes a claim to the privilege against self-incrimination when providing answers and/or documents. Through claiming the rights against self-incrimination, the answers and/or documents produced by a person will not be admissible in evidence against the person in criminal proceedings.
Case study: Cheung Ka Ho Cyril v SFC [2020] HKCFI 270
Facts
This case is a judicial review application of a number of search warrants issued by the Magistrates authorising the SFC to search the Applicants' premises and the related decisions made by the SFC arising out of the execution of the search warrants. Specifically, during the course of the SFC operation:
1. Digital devices (including mobile phones, tablets and/or computers) belonging to the Applicants were found;
2. Where no password was required to access such devices, the SFC conducted keyword searches to check for relevant materials. Alternatively, where the Applicants unlocked the digital devices voluntarily, the SFC looked for relevant materials by using keyword searches or by scrolling through the contents to look for relevant materials;
3. Based on the searches mentioned above, the SFC was able to identify materials contained in emails, contact lists and messaging applications that were relevant, or believed to be relevant, to the SFC’s investigations;
4. The SFC requested the Applicants to provide print-outs of the relevant materials or login names/passwords to the email accounts or digital devices to enable the SFC to access the same, to which they either declined outright (in some instances by asserting legal professional privilege), or used various excuses not to provide the same;
5. In the case of the Applicant who asserted legal professional privilege, the SFC suggested that the relevant emails and attachments thereto could be printed out and kept under seal for the time being pending the resolution of the legal professional privilege claim. This suggestion was rejected by the Applicant;
6. In the circumstances, the SFC decided to seize various digital devices belonging to the Applicants; and
7. The SFC issued notices under s 183(1) requiring the Applicants to provide the login names and/or passwords to various email accounts or digital devices (including mobile phone, tablet and computer).
Issues
1) Whether the SFC decisions to seize various digital devices belonging to the Applicants in the course of execution of the search warrants and thereafter to retain them were ultra vires the SFO / the search warrants, unlawful and/or unconstitutional;
2) Whether the SFC decisions to issue notices pursuant to s183(1) to the Applicants requiring them to provide the SFC the passwords to their e-mail accounts or digital devices were ultra vires the SFO / the search warrants, unlawful and/or unconstitutional; and
3) Whether the search warrants were unlawful and invalid for want of specificity.
Challenge to notices requiring disclosure of passwords
The Applicants' arguments
The s183(1) notices issued were ultra vires the SFO provisions because:
1. They required them to produce vast amounts of materials which were irrelevant to the SFC’s investigations, thus falling outside the remit of any record or document which "is, or may be, relevant to the investigation" under s183(1)(a);
2. To construe s 183(1)(a) as permitting the SFC to require the production of large amounts of irrelevant materials for the purpose of sifting would violate BL 30 and/or BORO 14, because that would give rise to a disproportionate restriction of the right to privacy; and
3. The SFC has no power to access the email accounts of the Applicants under the corresponding warrants.
Held
Chow J rejected all of the Applicants' arguments:
• The judge referred to several case authorities (Reynolds v Commissioner of Police of the Metropolis [1985] 1 QB 881 at §§890A-B; Apple Daily Ltd v ICAC (No 2) [2000] 1 HKLRD 647 at §§19-20; R (on the application of Paul Da Costa & Co) v Thames Magistrates Court [2002] EWHC 40 (Admin), at §§19-20; R (on the application of H) v Commissioners of Inland Revenue [2002] EWHC 2164 (Admin), at §§37 and 39-40; R (Faisaltex Ltd) v Crown Court at Preston [2009] 1 WLR 1687, at §§73-79) deciding that where a warrant authorises the seizure of a particular document, the officer empowered by the warrant is lawfully entitled to seize the whole file containing the document or the whole computer hard disk without having to separate the individual sheets or computer files;
• The judge also considered the practical reality that information, documents and records are nowadays mostly kept in digital or electronic forms and stored in email accounts and digital devices which (i) would almost inevitably contain large amounts of personal or private, but irrelevant, materials, and (ii) are often also protected by specific login names/IDs and passwords;
Held (continued)
• The judge arrived at the conclusion that the SFC is empowered, under s 183(1), to require the Applicants to provide means of access to email accounts and digital devices which contain, or are likely to contain, information relevant to its investigations even though the email accounts and digital devices would likely also contain other personal or private materials which are not relevant to the SFC’s investigations.
• However, the SFC has offered safeguards to protect the privacy of the Applicants by agreeing to use keyword searches to identify relevant materials contained in or accessible through the digital devices and/or viewing the contents together with the Applicants so as to minimize the chance of their personal or other information which is irrelevant to the SFC’s investigations being viewed by its officers. Any dispute on relevance can be brought to the court for determination, with the disputed materials being sealed pending the court’s decision.
Aims of a dawn raid: What will investigators do, and why?
Reasons for investigation
• Investigators will only conduct a dawn raid if they have grounds to believe wrongdoing has occurred. Common reasons include:
  • Whistleblower allegations
  • Tip-offs from other agencies or tax authorities
  • Findings from their own monitoring or analysis
  • The business is linked to another investigation
Structure of investigation
• The approach will vary depending on the circumstances but typically investigators will have an initial hypothesis of what has occurred and seek to confirm or disprove that theory. An investigation will usually consist of:
  • Initiation – identifying relevant parties/data
  • Planning – obtaining warrants, planning raid
  • Gathering information – likely to include interviews, seizure of documents/electronic data, review of emails on servers
  • Analysis & interpretation – detailed review of data seized, forensic accounting, triangulation of data points
  • Reporting and closure – prosecution, report to authorities.
Methodology
There is no “one-size-fits-all” approach but investigations will likely include some or all of the following:
• Review of paper/electronic documents, including emails, content saved to laptops/shared drives, mobile phone call records/data, and any paper documents.
• Transaction testing – attempts to understand transactions by mapping fund flows/checking substance of trading, comparing records against external sources
• Corporate intelligence – search corporate filings/databases and conduct network analysis to identify undeclared conflicts and business interests/relationships
• Interviews – with key personnel, typically including management, finance staff, sales/procurement and potentially external parties (i.e. bankers, auditors, trading partners)
Investigators’ methodologies are constantly evolving.
A dawn raid is just one step in a broader investigation.
Introducing the role of technology in investigations: What comes next?
Humans can only do so much!
It’s no secret that regulators worldwide are hard-pressed for resources and Hong Kong is no exception. According to the most recent figures:
• The SFC has 736 professional staff
• The ICAC has around 1,400 staff
Despite these constraints the SFC commenced 197 investigations in 2019/20 and made 8,767 requests for trading and account records – all alongside its day-to-day regulatory and oversight activities.
The ICAC received 995 separate corruption allegations in the first six months of 2020 alone.
How do they fit it all in…?
Technology and data to the fore
Faced with urgent deadlines and limited resources, investigators are leveraging new technology and data analytics.
Investigations are increasingly likely to involve the seizure of electronic evidence. Police have faced scrutiny over how they access and use data from suspects’ phones.
Regulators too will consider electronic data in their work. Emails, documents and – increasingly – mobile messenger conversations will be a key plank of their evidence.
In the following slides we introduce some of the techniques and challenges you are likely to encounter.
Computer forensic data workflow
• Dawn raid: Regulator visits premises with search warrant
• ESI Data Identification: Identify scope, custodians, and data type (i.e. email, user files)
• Data Collection: Collect data from source media (i.e. PC, servers, mobiles) and make 3 copies, for:
  • Regulator (sealed)
  • Client’s Legal team (sealed)
  • Deloitte as working copy
• Data Processing: Extraction, indexing, DeNISTing, deduplication, date filtering (optional) and keyword searching (optional) of data
• Data Publishing: Publish search results on eDiscovery platform
• Legal Review: Review, identify, and tag privileged documents on the eDiscovery platform
• Concept Searching
• Data Handover: Handover of non-privileged data to relevant party
Data size after each process/segment reduces.
Services provided by Deloitte
Note: ESI Data Identification and Legal Review will be co-sourced by the Client and Deloitte team as requested.
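The Data Processing stage of this workflow, sketched as an added example (not part of the original slides and not the presenters' tooling): each step narrows the collection, and deduplication keeps a record of every custodian who held a copy. The items, the known-file hash set standing in for the NIST NSRL list used in DeNISTing, the date range and the keyword are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Item:
    custodian: str
    path: str
    modified: date
    data: bytes

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.data).hexdigest()


# Constructed sample collection (not real case data).
COLLECTED = [
    Item("alice", "Windows/System32/notepad.exe", date(2019, 3, 1), b"stock operating system binary"),
    Item("alice", "Mail/0001.eml", date(2020, 5, 4), b"Re: Project Falcon allocation before announcement"),
    Item("bob", "Mail/0417.eml", date(2020, 5, 4), b"Re: Project Falcon allocation before announcement"),
    Item("bob", "Docs/lunch.txt", date(2020, 6, 1), b"Team lunch on Friday"),
    Item("bob", "Docs/old_memo.txt", date(2017, 1, 9), b"Falcon kickoff memo"),
    Item("carol", "Chat/export.txt", date(2020, 7, 2), b"send me the falcon sheet tonight"),
]

# Constructed stand-in for a known-file hash list (assumption: SHA-256 keyed).
KNOWN_FILE_HASHES = {hashlib.sha256(b"stock operating system binary").hexdigest()}


def denist(items, known_hashes):
    """Drop files whose hash matches a known system/application file."""
    return [i for i in items if i.sha256 not in known_hashes]


def deduplicate(items):
    """Keep the first copy of each hash; record every holder for the audit trail."""
    unique, holders = [], {}
    for i in items:
        if i.sha256 not in holders:
            unique.append(i)
        holders.setdefault(i.sha256, []).append((i.custodian, i.path))
    return unique, holders


def date_filter(items, start, end):
    return [i for i in items if start <= i.modified <= end]


def keyword_search(items, terms):
    lowered = [t.lower() for t in terms]
    return [i for i in items
            if any(t in i.data.decode("utf-8", errors="replace").lower() for t in lowered)]


def process(items, known_hashes, start, end, terms):
    """Run the stages in order and report how many items survive each one."""
    funnel = [("collected", len(items))]
    items = denist(items, known_hashes)
    funnel.append(("after DeNISTing", len(items)))
    items, holders = deduplicate(items)
    funnel.append(("after deduplication", len(items)))
    items = date_filter(items, start, end)
    funnel.append(("after date filtering", len(items)))
    items = keyword_search(items, terms)
    funnel.append(("after keyword searching", len(items)))
    return items, holders, funnel


if __name__ == "__main__":
    hits, holders, funnel = process(
        COLLECTED, KNOWN_FILE_HASHES, date(2020, 1, 1), date(2020, 12, 31), ["falcon"])
    for stage, count in funnel:
        print(f"{stage:26} {count}")
    for h in hits:
        print(h.path, "held by", holders[h.sha256])
```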
Challenges for data collection, preservation and analysis
Computers / Servers
Operating Systems
• Various computer operating systems (e.g. macOS, Windows and Linux)
Data Storage Sources
• Different data storage sources (e.g. desktops, laptops, servers, network-attached storage and cloud storage)
• Different interfaces
• Different hard disk types
Decryption, Wiping & Decoding
• Decryption (e.g. DiskCryptor, TrueCrypt, BitLocker and VeraCrypt)
• Wiping software (e.g. Eraser and CCleaner)
Mobile devices
OS and Manufacturers
• Various mobile device operating systems and manufacturers (e.g. Apple, Windows, BlackBerry, Samsung, Lenovo and Huawei)
Connection Issues
• Right Cable
• Right Driver
Decryption and Decoding
• Customized data encoding at app level
• A large number of apps
• MDM device control and encryption
Text Mining, Visual Analytics & Machine Learning
Technology-enhanced workflow
Conceptual Analytics
• Process collected data from multiple device and server sources into the analytics platform. Conduct text mining, entity extraction and conceptual analysis.
• Run keywords on dataset. In addition to results, the platform will identify, categorise and organize thematically and semantically similar content.
• This will allow us to refine understanding of the document population based on its actual content, uncover related themes, and refine our search parameters.
Communications Analysis
• Focus search and assessment based on communication parameters.
• Visualisation allows analysis to identify outlier communications: external communications on topics or documentation of concern.
• Focus specifically on communications between known entities, then apply additional filtering (such as the search term) to remove “noise.”
Technology Assisted Document Review
• The above steps will determine a potentially relevant population for review.
• Using identified documentation from Conceptual and Communications Analysis, we will program an instance of Machine Learning to categorise the population by proximity to the issue.
• Documents scored most likely relevant are reviewed first; review decisions by the subject expert are fed back to the machine to continuously update the machine learning algorithm.
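The feedback loop described above, as an added example rather than the presenters' platform: the highest-scoring unreviewed document is reviewed next, and each review decision updates the scores before the next pick. The documents, the two seed documents and the simple smoothed log-ratio term weighting are assumptions standing in for a real review population and model.

```python
import math
from collections import Counter

# Constructed documents: (text, relevant?). The boolean stands in for the
# subject expert's review decision; a real review has no such oracle.
DOCS = [
    ("falcon allocation before announcement", True),   # 0: seed from earlier analysis
    ("team lunch friday menu", False),                 # 1: seed from earlier analysis
    ("falcon allocation sheet updated", True),         # 2
    ("friday lunch booking confirmed", False),         # 3
    ("move sheet offline before announcement", True),  # 4
    ("holiday rota for august", False),                # 5
    ("offline copy of sheet sent to broker", True),    # 6
    ("august menu for canteen", False),                # 7
]


def tokens(text):
    """Unique lower-cased terms, sorted so scoring is deterministic."""
    return sorted(set(text.lower().split()))


class RelevanceModel:
    """Counts how many reviewed relevant / not-relevant documents contain each term."""

    def __init__(self):
        self.rel_df = Counter()
        self.nonrel_df = Counter()

    def learn(self, text, relevant):
        (self.rel_df if relevant else self.nonrel_df).update(tokens(text))

    def score(self, text):
        # Add-one smoothed log ratio: unseen terms contribute 0, terms seen only
        # in relevant documents push the score up, the reverse pushes it down.
        return sum(math.log((self.rel_df[t] + 1) / (self.nonrel_df[t] + 1))
                   for t in tokens(text))


def review_queue(docs, seed_ids, expert):
    """Return [(doc_id, decision)] in the order the documents are reviewed."""
    model = RelevanceModel()
    for i in seed_ids:
        model.learn(docs[i][0], expert(i))
    pending = [i for i in range(len(docs)) if i not in seed_ids]
    order = []
    while pending:
        # Highest score first; ties go to the lower document id.
        nxt = max(pending, key=lambda i: (model.score(docs[i][0]), -i))
        pending.remove(nxt)
        decision = expert(nxt)               # the expert reviews the document
        model.learn(docs[nxt][0], decision)  # the decision is fed back to the model
        order.append((nxt, decision))
    return order


def simulated_expert(doc_id):
    return DOCS[doc_id][1]


if __name__ == "__main__":
    for doc_id, decision in review_queue(DOCS, [0, 1], simulated_expert):
        print(doc_id, "relevant" if decision else "not relevant", "-", DOCS[doc_id][0])
```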
How to minimise disruption and recover quickly: Responding to a dawn raid
Dealing with investigators during a raid
• Immediately seek legal advice and have internal/external counsel attend onsite when investigators arrive.
• Cooperate fully with investigators – provide a separate room and IT support when they are onsite.
• Accompany them during the raid to understand what they are seizing and where it came from. This will help you piece together what they might be doing.
• If they want original documents, ask if you can make copies to avoid business disruption. Keep a log of data and documents that they take.
• If they seize laptops/mobile devices, ask via your lawyers if a forensic consultant can image the devices so you have details of the information available to investigators.
• Remember they are human! Offer tea and coffee, show them where the bathrooms are, exchange name cards (this will also help you identify the officers involved). Order breakfast or lunch – a hungry investigator is a grumpy investigator.
Shadow investigation
You may conduct your own internal investigation parallel to regulators. This is a "shadow investigation". The aim is to understand what investigators are likely to find so you can prepare for the outcome.
• External investigators and lawyers can help, and would typically support your own legal counsel and possibly an independent investigation committee formed of non-executive directors/audit committee.
• You may identify issues that warrant internal disciplinary action, even if external regulators decide to take no formal steps against the company/employees.
• If the allegations/investigation are public, results of your shadow investigation could inform your response to shareholders, media and other stakeholders (though be careful not to comment about live ICAC/SFC investigations – take legal advice on any statement issued).
Preparation is essential. Have key phone numbers on hand and circulate a written protocol to relevant staff so they know in advance how to respond.
A shadow investigation may uncover the failures in internal controls that led to problems, and form the basis for remediation. Remediation will help avoid future problems and may aid your defence in any regulatory or legal proceedings.
Understanding Hong Kong authorities: Recap – who will investigate and why?
There are several agencies in Hong Kong with the power to launch investigations into businesses and individuals. They have varying degrees of power and separate (though sometimes overlapping) remits. This slide recaps some of the main authorities you are likely to encounter in an investigation or dawn raid and the range of powers they have.

Agency: Independent Commission Against Corruption (“ICAC”)
Remit: Fight corruption through law enforcement, prevention and community education.
Requires search warrants? No, has the power to search without a warrant (Section 10C of the ICAC Ordinance).
Can make arrests? Yes, can arrest a person suspected of breaching an offence under the three anti-corruption ordinances it enforces.

Agency: Securities and Futures Commission (“SFC”)
Remit: Strengthen and protect the integrity and soundness of HK's securities and futures markets.
Requires search warrants? Yes, for forcible entry, search/seizure of documents, prohibition of document destruction. Has power to interview and demand “reasonable assistance” without a warrant.
Can make arrests? No. The SFC typically refers cases to the Commercial Crime Bureau of the Hong Kong Police Force if an arrest is required.

Agency: Competition Commission (“CC”)
Remit: To prohibit conduct that prevents, restricts or distorts competition, and to prohibit mergers that substantially lessen competition in Hong Kong.
Requires search warrants? Yes, to enter and search premises. Has power to require people to answer questions and produce documents.
Can make arrests? No. May refer cases to Hong Kong Police Force if it considers that a crime has been committed.

Agency: Hong Kong Police Force (“police”)
Remit: Law enforcement and investigation of criminal matters.
Requires search warrants? Generally yes but not if cases can be related to national security or are extremely urgent.
Can make arrests? Yes.
Disclaimer
Any material or explanation (including but not limited to presentation slides or verbal explanation) (collectively “Material”) provided hereunder serves as a general guide instead of a basis for decision making and shall not be construed as any advice, opinion or recommendation given by Yang Chan & Jamison LLP (“YCJ”) or Deloitte Advisory (Hong Kong) Limited (“DAHK”) on the presentation. In addition, the Material will be limited by the time available and by the information made available to YCJ/DAHK and you should not consider the Material as being comprehensive as YCJ/DAHK may not become aware of all facts or information. Accordingly, YCJ/DAHK will not be in a position to make a representation, and will not make a representation as to the accuracy, completeness and sufficiency of the Material. You will rely on the contents of the Material at your own risk. This Material shall be kept confidential and any person other than YCJ/DAHK’s authorized personnel shall not, in any way, retain, use or disseminate this Material without YCJ/DAHK’s prior written consent. All duties and liabilities (including without limitation, those arising from negligence or otherwise) to all parties, including you are specifically disclaimed. All copyrights and other intellectual property rights contained in the Material are reserved by YCJ/DAHK. For the avoidance of doubt, the Material contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of the Material, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on the Material.
The speakers’ views, comments and speech are personal and do not constitute any position or opinion of YCJ/DAHK or otherwise represent YCJ/DAHK, or partners, principals, members, owners, directors, employees thereof. YCJ/DAHK does not endorse and is not responsible for any such personal expression in whatever form. Please take the view as the speaker's own only.
Any questions?
YL Cheung
Partner
Deloitte Forensic
T: +852 28526775
E: ylcheung@deloitte.com.hk
William Tam
Partner
Deloitte Forensic
T: +86 755 33538308
E: witam@deloitte.com.cn
Valarie Fung
Partner
Yang Chan & Jamison LLP
T: +852 28525829
E: valariefung@deloittelegal.com.hk
Michael Mo
Director
Deloitte Forensic
T: +852 22387227
E: wamo@deloitte.com.hk
Catherine Leung
Senior associate
Yang Chan & Jamison LLP
T: +852 28521984
E: cathleung@deloittelegal.com.hk