One of my last posts on Internal Investigations (here, in German) ended with the following remark:
“Before commissioning [investigators], […] the objective of the investigation and the tactics of the approach should be defined and a suitable project team should be appointed to ensure that the objective is achieved in a cost-efficient manner.”
In the following post I will take up this remark again and – also against the background of the current Wirecard scandal – give some thoughts on the initial situation, the potential aims and the tactics of internal investigations. The knowledge of these (criminalistic) basics is not only helpful for the consulting lawyer, but also for the client of lawyers and investigators, in order to sufficiently understand the interfaces between the three aforementioned professional groups and to be able to act accordingly.
1. Initial situation
a) “Suspicion management” and “threshold of attack”
In the initial situation, management becomes aware of a suspicion of – possibly unspecified – “misconduct”. Now, management does not have to investigate every suspicion of misconduct. In a first step, it is sufficient to check the allegations for plausibility and possible minor violations; the latter do not require further investigations. If the suspicion turns out to be plausible and if the violation would not be considered trivial either, only then is the management obliged to pursue the potential violation (so-called “suspicion management”).
One benchmark for this examination can be the regulation on initial suspicion, § 152 (2) StPO (German Code of Criminal Procedure), which obliges the public prosecutor’s office to start investigations “if there are sufficient factual indications”. On the other hand, the relevant case law on § 248a StGB (German Criminal Code) on the theft and misappropriation of low-value items can be used to define the de minimis limit (so-called “attack threshold”). When defining these standards, one must of course consider an adjustment to the economic sector, as not every offence requiring investigation from a compliance point of view constitutes a criminal offence.
If the management comes to the conclusion that a “misconduct” (“non-compliance”, criminal offence) above the de minimis threshold is present that requires investigation- i.e. the “attack threshold” has been exceeded – the management is (probably) also legally obliged to investigate this suspicion and to clarify the facts of the case (for the supervisory board of a stock corporation, this obligation was expressly specified e.g. by the so-called “ARAG/Garmenbeck” decision of the German Federal Court of Justice (see for further details here, in German).
b) Usage of “on-board resources” or the use of external consultants?
While the use of external advisors (“forensic services”) to investigate such cases has been common practice in Anglo-American law for years, it has only slowly become “fashionable” – especially among German SMEs – since the “VW-diesel scandal” (cf for an interesting decision on that subject, here). However, in the course of the introduction of a criminal law for enterprises into German law (see here for more details), it is likely to become the rule, regardless of its usefulness. In the case of public limited companies, this rule-exception relationship may already have been reversed in the course of the so-called “Ision” case law. According to this judgement, “the representative of a company’s governing body, who does not himself have the necessary expertise, can only meet the strict requirements for an examination of the legal situation incumbent upon him and for compliance with the law and case law if he obtains advice from an independent professional who is technically qualified for the question to be clarified, giving a comprehensive account of the company’s circumstances and disclosing the necessary documents, and if he subjects the legal advice given to a careful plausibility check.” As is so often the case, this ruling is likely to have a “radiating effect” at least on larger GmbHs.
Accordingly, it can only be assumed in simple cases (i.e. cases which are easy to investigate) with a low damage potential that the management will be able to reliably avoid personal liability without consulting external experts (for my criticism of this excessive obligation of managers, see again here).
The question remains as to whom exactly the management should turn for investigation. In concrete terms, of course, the formation of the appropriate team depends on the (in the following more detailed discussed) objective of the investigation. The simple instruction of a suitably experienced lawyer will rarely be sufficient, as lawyers are usually not sufficiently well versed in the “criminalistic” investigation of suspected cases (which is explained in more detail below). For this reason, the division of work as already known between the public prosecutor and the police, may be adopted in the civil sector by involving lawyers and investigators in parallel.
When putting together the appropriate team and upon the coordination of the investigation by the management, secrecy must be observed, not only in order not to obstruct or prevent the investigation, but also to prevent the suspects from being subject to “character assassination”. Information should therefore be passed on on a “need-to-know” basis, which requires a certain amount of tact and sensitivity, especially when it comes to the necessary involvement of a possible supervisory board.
2. (Strategic) objective
If the “attack threshold” is exceeded, the team sets the objective of the investigation. From the objective then follow the premises for the investigation’s tactical procedure of the suspected case, which is explained in more detail below.
The starting point is always the clarification of the suspected case, but already at this stage it can also be determined, for example, that the relevant results of the investigation are made available to law enforcement or regulatory authorities. This is, for example, legally binding in the case of violations of § 43 GWG (German Money Laundering Act) or the severe crimes contained in § 138 StGB, but may also possibly become necessary under the upcoming criminal law for enterprises. In addition, the company may also have an interest in filing a criminal complaint on its own initiative and/or seek compensation for financial losses, e.g. by locating and exploiting seized assets (so-called “asset recovery”).
3. (Tactical) procedure
The tactical approach to the investigation of the facts in question should, starting from the suspicion, be oriented towards the so-called “criminalistic cycle” – originally developed by Hans Walder from the so-called “Intelligence Cycle” used in the Intelligence community.
The first step of this criminalistic cycle is already completed when the “attack threshold” is exceeded. Subsequently, the data situation is analysed together with the investigative team in order to form hypotheses about the “crime” and the “perpetrator”. In the following step. The term “programme definition” for the third step, on the other hand, is rather misleading in the first (sub-)step. This step is not concerned with the question of the “technique” to solve the crime, but rather with the normative regulation that was violated by the act, i.e. a criminal law norm. In the corporate sector, however, such acts can also consist of (simple) compliance violations without any criminal law reference. In the second sub-step – based on the hypothetical breach of the rules considered to be decisive – the investigation plan is then drawn up, together with the definition of the subjects of the evidence (what must be proven) and evidence (what serves as evidence). The next step is to obtain the necessary evidence. Very often this will require interviews with the parties involved. Other means, such as obtaining information from third parties, for example bank information, are regularly not available to the company or private investigators without the consent of the persons concerned. At the end of the cycle there will either be a result in the form of evidence to be used in criminal proceedings or the need to adapt the suspicion to the knowledge gained from the processing of the cycle. In the former case, the investigation phase ends, in the latter it begins anew.
As is so often the case, the first steps are the most important – and often the most error-prone – for Internal Inestigations. The steps from “suspicion management” to “threshold of attack” should be taken very consciously and documented accordingly, also to avoid overreactions “in the heat of the moment”, for example due to emotionally excessive employee behaviour.
In addition to the composition of the team (not discussed in detail here), it is necessary in the initial phase to define the objective of the investigation as precisely as possible, which then leads to the (repeated) processing of the criminalistic cycle.