CSj highlights the latest additions to the Institute’s guidance note series, updating members on how to conduct internal investigations into malpractice and on inside information disclosure requirements for A+H share companies.

The Hong Kong Institute of Chartered Secretaries (the Institute) set up seven Interest Groups under its Technical Consultation Panel in June 2016 to issue guidance notes in their areas of expertise. This project has subsequently added a substantial body of guidance to the Institute’s website for the benefit of the Institute’s members and the wider profession and community. This article highlights the latest additions to this series.

Internal investigations

The Institute’s Ethics, Bribery and Corruption Interest Group (EB&C) issued its fourth guidance note in August this year. The three previous guidance notes addressed legal and regulatory compliance issues, as well as investigation readiness. The latest EB&C guidance note covers best practice when conducting internal investigations.

The guidance note stresses that ensuring internal investigations are robust and objective is not only a part of good corporate governance, but will also potentially mitigate litigation, reputational, criminal and regulatory risk further down the line. In this context, the guidance note outlines how companies should structure and conduct an internal investigation into alleged bribery, fraud or other wrongdoing, looking at relevant factors in Hong Kong and the Mainland.

The need for an early warning system

Many internal investigations are launched following a request from a regulator or other external authority for information regarding an alleged breach of law or regulation. Ideally, however, companies will have a functioning early warning system that will trigger an investigation long before regulatory bodies become involved. Issues may be uncovered, for example, during internal discussions, training or audit processes by internal auditors or external auditors of the company. These may reveal ‘red flags’ that indicate a particularly high risk that corrupt behaviour may have occurred.

Another form of early warning system, is a whistleblower channel enabling employees and/or stakeholders such as suppliers or vendors to reveal suspected misconduct. Every company, and especially listed companies, should set up whistleblowing policy and adopt a detailed complaint reporting procedure as described in C.3.7 and C.3.8 of Appendix 14 of the listing rules (see ‘Whistleblowing – comply or explain’).

The guidance note has useful suggestions  on the best way to set up a specific channel within the company to receive whistleblowing information. The channel should have independent status and would preferably be attached to internal auditors or the company secretary who are accountable to the company’s audit committee. Other departments in the company, such as human resources, can be used to receive whistleblowing complaints or concerns as long as they have independent status to handle whistleblowing cases.

The company should also strictly follow a whistleblower protection policy under which any retaliation or ill-treatment against genuine whistleblowers is subject to disciplinary action. In addition, the identity of the whistleblower and the information provided should be kept confidential – only being shared on a strict ‘need to know’ basis during the investigation process.

Determining scope and assembling the investigation team

The guidance note stresses that a good internal investigation should not only focus on the underlying allegations and possible compliance failings, but also address potential systemic issues – for example, whether the problem is more widespread or symptomatic of another issue. Nevertheless the investigation team should avoid starting the investigation with a very broad scope in order to avoid loss of focus.

The guidance note points out that, for obvious reasons, the investigation team should exclude anyone allegedly implicated, either as a witness or wrongdoer, in the malpractice. The investigation team should ultimately account and report to the board of directors of the company. If a board member or member of senior management is implicated in the alleged misconduct, the chairman of the audit committee may escalate the case to the chairman of the board of directors who may set up a separate ad hoc committee of the board with enough internal and external resources and support to oversee the investigation.

For more serious events, the guidance note also recommends engaging outside counsel to direct the investigation.

Document collection and review

A key priority at the outset of any internal investigation is to preserve all potentially relevant information. This will typically include information from a very wide variety of sources – including hard copy documents and data stored electronically. The guidance note acknowledges that, given the wide variety of devices such data might be stored on, identifying what the company can collect and review has become complex. It also points out that, regardless of the form in which the information exists, data privacy laws must be observed.

Once relevant data is preserved, the next step is to review the data. Issues can arise where the company wants to transfer the data across borders to be reviewed by people located elsewhere. Local data privacy and state secrecy laws may impose restrictions. As a matter of good practice, the company should keep a record of all steps taken to collect and review data. Further, data should be kept in an orderly and secure manner in case they are required for litigation or an external investigation.

Digital forensic tools exist to help the investigation team identify potentially relevant documents. Software programmes using artificial intelligence and algorithms can conduct first round reviews of documents for relevance and legal privilege. In particular, the use of search terms (for example, key words, individuals’ names or date ranges) helps to hone the pool of documents to be reviewed. ‘String searching’, whereby data in a specific text string or pattern is grouped together for review, is also popular. Analytical tools can also help pinpoint suspicious patterns of activity, for example high levels of email traffic between individuals, emails sent at unusual times and so on.

In conjunction with document collection and review, the investigation team should identify who they wish to interview (typically employees) and how these interviews should be conducted.

Preparing a report

It is important for the investigation team to consider how best to report findings of the investigation internally. The guidance note offers a number of considerations here. For example, law enforcement agencies/regulators may want to see a copy of any written report so the manner and timing of reporting requires careful consideration.

In the case of serious matters, the guidance note recommends that the outcome of the investigation should be reported to the chairman of the board who will determine whether a full board meeting is necessary to discuss the matter. In particularly urgent cases, the board chairman may directly refer the case to the relevant regulator or law enforcement without discussion in a full board of directors’ meeting.

The guidance note also points out that external reporting obligations to regulators and/or criminal authorities may apply to any internal investigation reports. If the company is listed, for example, there may be obligations to report to the Stock Exchange and the market. If there are proceeds of crime, there may be obligations to report under relevant money laundering provisions. For example, in Hong Kong, there is an obligation to report to an ‘authorised officer’ (usually the Joint Financial Intelligence Unit) upon becoming aware of, or suspecting, proceeds of crime.

Moreover, reporting obligations are not limited to the jurisdiction(s) where the relevant conduct took place. For instance, any obligations to regulators in the company’s home jurisdiction should be considered, as well as any jurisdictions where the business may be impacted by the relevant conduct. It may be prudent to voluntarily self-report in relevant jurisdictions concurrently while satisfying mandatory reporting obligations in others.

In many jurisdictions the involvement of any regulator will be accompanied by secrecy obligations. Hong Kong is one such jurisdiction, where secrecy obligations often attach to criminal and regulatory investigations. This can place companies in a difficult situation, although it may be possible to get relevant regulators’ approval for disclosure of an investigation to other regulators.

In the absence of a positive obligation, in certain jurisdictions there may be some advantages to voluntarily self-reporting. Self-reporting and cooperation with investigations by both law enforcement and regulators will be influential to obtaining leniency, particularly when representing a corporate entity.

If the company decides not to report, it is important to ensure that the decision-making process that resulted in that conclusion is documented. That way, if the question is later raised as to why the company did not make a report, then the relevant information will be available (even if the employees involved have moved on).

Remedial actions

A key value of internal investigations is the opportunity they provide for companies to enhance their policies, procedures, systems and controls to minimise the likelihood of similar incidents recurring.

Consideration should be given, for example, to whether those suspected of wrongdoing should be suspended or put on leave pending the completion of the investigation. Consideration should also be given as to whether any weaknesses need to be strengthened in other parts of the business. The response will depend on the misconduct and how it arose, but work may be needed to strengthen relevant policies – both setting up the policies and making sure that there are appropriate checks and balances in place. It will also be important that staff get appropriate training; it will not be enough to simply update policies and procedures, and there will likely be some ‘lessons learned’ updates that should be shared.

Inside information disclosure for A+H share companies

The Institute’s Mainland Technical Consultation Panel has published the second edition of Guidelines on Practices of Inside Information Disclosure of A+H Companies (the Guidelines). The first edition of the Guidelines, which was published in 2014, was the first of its kind in the Hong Kong and Mainland markets, offering practitioners, directors, senior managers and regulators a valuable guide to the different requirements on inside information disclosure for companies listed both in Hong Kong and the Mainland from a practical governance perspective.

The Institute commenced work on revising and updating the Guidelines more than a year ago in response to the changing needs of governance professionals working in Hong Kong and the Mainland. The second edition has undergone a rigorous stakeholder-led upgrade based on five rounds of written consultations, eight revisions and three series of meetings that spans more than 12 months.

The Guidelines cover three broad topics:

1. a summary of the inside information disclosure law in Hong Kong and comparisons of the key differences and similarities of the inside information disclosure law and regulations in Hong Kong and the Mainland.
2. suggestions and recommendations on internal control systems in inside information disclosure, and
3. specific guidelines on inside information disclosures.

The second edition updates the applicable rules and regulations to 31 December 2018, and expands the scope of the comparisons of the rules relevant to A+H share companies to include:

1. suspension of trading
2. disclosure of shareholder’s information, and
3. unusual share trading movement.

The second edition also introduces two appendices. Appendix 1 contains a collection of the five case summaries (three Hong Kong court/Market Misconduct Tribunal decided cases and two pending proceedings against two listed issuers) regarding breaches of the Hong Kong inside information disclosure law. Appendix 2 is a collection of Mainland insider dealing case summaries demonstrating the interpretations of the Mainland courts and the China Securities Regulatory Commission when the duty to disclose ‘inside information’ arises under the relevant Mainland law and regulations.

The guidance notes mentioned in this article are available from the Publications section of The Hong Kong Institute of Chartered Secretaries website: www.hkics.org.hk.

SIDEBAR: Whistleblowing – comply or explain

The need for effective whistleblowing arrangements among listed companies in Hong Kong is addressed by the Corporate Governance Code (Appendix 14 of the listing rules).

Code Provision

C.3.7 The terms of reference of the audit committee should also require it:

(a) to review arrangements employees of the issuer can use, in confidence, to raise concerns about possible improprieties in financial reporting, internal control or other matters. The audit committee should ensure that proper arrangements are in place for fair and independent investigation of these matters and for appropriate follow-up action; and

(b) to act as the key representative body for overseeing the issuer’s relations with the external auditor.

Recommended Best Practice

C.3.8 The audit committee should establish a whistleblowing policy and system for employees and those who deal with the issuer (for example customers and suppliers) to raise concerns, in confidence, with the audit committee about possible improprieties in any matter related to the issuer.