Counsel dealing with regulatory requests must manage the risk of further investigations being triggered. eDiscovery methods and tools can assist with managing this risk.
Requests for information from regulators have increased significantly in both the US and Europe since the 2008 financial crisis. The Economist has reported that the number of words such as “shall” or “must” appearing in the Code of Federal Regulations expanded from 403,000 to nearly 963,000 between 1970 and 2008 – therefore predating the financial crisis.
Following the 2008 credit crunch, the UK overhauled its financial regulatory system, abolishing the FSA and creating not one, but three bodies to oversee the industry, namely the Financial Policy Committee (FPC), Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA). The construction, design, and property investment industry is currently bracing for major reform following the Hackett Report into the Grenfell Tower tragedy. And AI and machine learning will undoubtedly lead to regulatory increase, as is already being seen in the fintech sector with the European Commission releasing an action plan in March 2018.
This trend is putting an enormous strain on in-house counsel, IT departments, and external law firms instructed to deal with unearthing the information required by the regulator, whilst mitigating the risk of a full-blown inquiry being launched. Not to mention CFOs whose well-planned budgets can be left in disarray following the costs of responding to a regulatory request for information.
Regulatory requests can come in the form of innocent surveys and invitations to comment on an organisation’s experience with new compliance requirements. However, if they are not handled carefully, regulatory action can quickly follow.
eDiscovery provides a vehicle for identifying, collecting, analysing, and producing the information required to satisfy a regulatory request, whilst separating out privileged data/documents and ensuring data protection regulations such as the GDPR and the California Consumer Privacy Act of 2018 are complied with.
eDiscovery and Risk Management in regulatory requests
Organisations, regardless of their size, are now drowning in data. Employees walk around with the equivalent of a 1990s supercomputer in their pocket (or bag), without much thought as to the consequences of the communications they send on various apps such as Messenger and WhatsApp.
Simply using ad-hoc methods to identify and collect information to fulfil a regulatory request exposes a business to the very real risk of opening the door to a full-blown investigation. The time and money spent on manually checking data and documents will also quickly escalate. And regardless of how meticulous the work, the chances are vital information will be missed and a proper research trail will not be created.
To deal with regulatory requests in a manner which mitigates the risk of further action from the authority, the Electronic Discovery Reference Model (EDRM) should be utilised. By doing so, information can be identified, collected, analysed, and presented in a legally defensible manner – which will be vital should a formal investigation be launched. To further protect the organisation’s interest, consideration should be given to placing a legal hold notice to ensure the preservation of documents until the threat of investigation has passed.
Identifying data which can be kept from presentation
When it comes to responding to regulatory requests, what a company withholds is as critical as what it presents. There is no duty to supply information which is subject to legal privilege. In addition, if sensitive company information is involved, it is prudent to either redact such data before presentation, or, if this is not possible, request the regulator does not share it with third parties.
The GDPR has created a situation where permission may need to be sought before delivering data which contains personal information. And it is crucial to remember that in cross-border matters various data privacy rules may apply.
eDiscovery tools help lawyers dealing with regulatory requests to obtain the information they need, and to redact that which isn’t required to be disclosed, in a short period. And this is the key – it is seldom a regulator will grant the luxury of much time to present the information requested. To ensure the Board and shareholders are confident that regulatory requests will not progress to further investigation or lead to an unwitting breach of the GDPR or other data protection laws, the safest way to handle matters is by utilising eDiscovery methods and tools from the outset.
Lineal is a global leader in providing flexible eDiscovery and litigation support. To find out more about eDiscovery and regulatory requests and our other services, please call us on +44 (0)20 7940 4799 or fill in our contact form.