Managing Complaints and Inquiries: Navigating the Investigations Process

Picture this: You are meeting with a junior employee who tells you that she is concerned that a group within the organization is failing to comply with certain banking regulations. Or imagine this: You are sitting at your desk and you receive an email from a regulator asking questions and for documents related to a specific transaction or customer. What should you do in either scenario?

Entities of all sizes may find themselves facing a government or regulatory inquiry, a subpoena, a whistleblower complaint, a complaint from a customer or competitor, an adverse media report, or an internal escalation from their Compliance, Legal, Audit, or Risk teams. When such issues arise, entities must quickly assess the credibility and severity of the matter through internal fact-finding and, if the concerns are deemed credible and serious, the entity could benefit from engaging an independent professional firm to investigate the issue(s) and recommend next steps. Independent investigations can be performed by law firms, financial consulting firms, forensic accounting firms, or similar professional firms—or a combination of these specialties depending on the nature and scope of the investigation.

Whomever conducts the investigation, it is paramount that the investigation be:

• Well-defined. The purpose and scope of the investigation must be clearly identified and memorialized from the beginning, keeping in mind that the scope may expand or contract based on facts learned during the investigation. Any change in scope should also be memorialized.
• Independent. Whether conducted by internal or external professionals, an investigation must be independent from units of the entity potentially involved in the issue(s), and the investigator must be allowed to proceed without outside pressure. When independence cannot be maintained internally, an outside party may be required.
• Objective. An investigation should approach the matter from a neutral position and not from the perspective of defending the entity or any individual.
• Timely. Investigations must be initiated as quickly as possible to stop potential wrongdoing, mitigate damages, and ensure that witness recollections and documentary evidence remain intact.
• Verifiable. Conclusions must be documented and independently verifiable. The final report should “speak for itself.”

While an entity can conduct its own internal investigation, an investigation led by experienced professionals can provide:

• Credibility. Findings carry more weight when conducted by a neutral third party, particularly with government inquiries, litigation, or Board reporting.
• Attorney-Client Privilege. If led by a law firm, privilege can attach to working papers and findings.
• Objectivity. Internal investigations risk compromise if personal or professional ties exist or if investigators feel management pressure.
• Thoroughness. Experienced investigators ensure a comprehensive, well-documented process with actionable recommendations.

How Does an Investigation Proceed?

While investigations differ in size and scope, several core steps generally apply.

Scoping
The entity and investigator should create a “work plan” that defines the scope and procedures in detail. This includes identifying the subject matter, relevant custodians, and the potential audience for the final report (Board, regulator, etc.). Scope is likely to evolve and should be updated accordingly.

Preserving and Collecting Documents
Next, documents must be identified and preserved—including emails, texts, IMs, and other electronic data. Investigators typically work with in-house counsel, IT, HR, and business units to determine the appropriate custodians and then extract relevant documents while ensuring preservation of active and archival data.

Reviewing and Analyzing the Documents
Once collected, documents are processed (often with help from an external vendor). A review protocol is developed to understand the issues, identify relevant materials, and flag “hot documents” or privileged communications. This analysis informs the factual timeline and any required regulatory productions.

Interviewing Witnesses
After understanding the documentary record, investigators determine which individuals should be interviewed. In-person interviews are preferred to better assess credibility. If conducted by counsel, interviews may be privileged. Witnesses must be told that the attorney represents the entity and that privilege belongs to the entity—not the employee. All interviews should be memorialized in written memoranda.

If an investigation concludes that improper conduct occurred, an entity—working with counsel—should:

• Halt any improper conduct.
• Consider disciplinary action for wrongdoers.
• Draft a remediation plan with timelines and milestones.
• Implement remedial measures, such as training or enhanced controls, and document those efforts.

Whether to Self-Report

Once an investigation is complete, an entity must decide whether to self-report potential violations. Regulated entities—banks, broker-dealers, investment advisers, etc.—often require counsel to help determine whether self-reporting is advisable and how best to present the findings.

Financial regulators strongly encourage voluntary self-reporting, often treating it as the most important factor in determining cooperation credit and potential penalties.

Factors to consider include:

• The likelihood that a regulator may learn about the issue independently (via whistleblower, competitor, or otherwise) versus the risk that disclosure triggers further inquiry.
• The severity of the conduct and the extent of remediation.
• Whether self-reporting could lead to reduced penalties or a non-prosecution decision, versus the risk of prompting related civil litigation.
• Positive reputational benefits with the regulator versus potential negative publicity.

Conclusion

All entities are likely to experience suspected or actual violations of laws, regulations, or internal policies that may lead to criminal, regulatory, or civil exposure and reputational harm. When such risks arise, entities must investigate promptly and thoroughly, guided by an objective and reliable process. To ensure legitimacy, that process must be free from internal or external influence and must swiftly address the root causes of the issue.

About the Authors

Mark D. Shaffer, Partner
Mark D. Shaffer has over 20 years of experience advising U.S. and foreign financial institutions, broker-dealers, investment advisers, cryptocurrency businesses, and fintech companies on a broad range of regulatory and compliance matters involving SEC and FINRA rules, Federal Reserve and banking regulations, and BSA/AML laws. He frequently helps clients understand how regulations apply to new technologies and innovative products.

He represents institutions and their employees, officers, and directors in government and internal investigations and regulatory proceedings, involving issues such as alleged bribery, unregistered securities, market manipulation, collusion, insider trading, money laundering, OFAC sanctions, false statements, and accounting fraud.

Mark also assists financial institutions in developing and implementing compliance programs and remediation plans, staying current on regulatory changes, and drafting policies, procedures, controls, manuals, and training programs.

Prior to joining the firm, Mark practiced at a top-rated commercial law firm in New York and several major firms in Washington, D.C., and served as in-house counsel and compliance officer at global financial institutions.

Matthew Faranda-Diedrich, Partner
Matthew Faranda-Diedrich is a partner in the Litigation and Corporate & Business Groups. Known for helping clients turn challenges into opportunities, he provides strategic counsel to boards, publicly traded companies, CEOs, and privately held founders.

His ability to build trust and lasting relationships enables him to function as an extension of each client’s leadership team. By deeply understanding their business operations and both near- and long-term goals, Matthew delivers strategies aligned with their objectives—offering solutions that support success and foster long-term partnerships.