27 January 2021 - Deloitte

1© 2021

27 January 2021

Dawn raids: responding to regulatory investigations

2© 2021

Deloitte Forensic and Yang Chan & Jamison LLPIntroduction

YL Cheung‏

Partner

Deloitte Forensic‏

William Tam‏

Partner


Valarie Fung‏

Partner

Yang Chan & Jamison LLP‏

Michael Mo‏

‏

Director

Deloitte Forensic

Catherine Leung‏

Senior associate


3© 2021

XXXXXXXXXXXXXXXXX

Imagine that…

• It is 9 o'clock in the morning and you are sipping a coffee in the office, when the receptionist informs you that over 10 officers from a regulatory authority have arrived and asked to enter the office to conduct a search.

• What should you do?

Photo credit: South China Morning Post

4© 2021

IntroductionDawn raids

• “Dawn raid” refers to an unexpected and unannounced inspection of premises by regulators.

• The literal meaning of the word “dawn” infers that the visit would usually take place in the early hours of the day.

• The raid is unannounced – so that the subject of investigation cannot do anything to impair the seizure of evidence by the regulatory authority.

5© 2021

Some examplesPower to search and enter pursuant to a warrant

Police Force Ordinance (Cap. 232) ("PFO")

Securities and Futures Ordinance

(Cap. 571) ("SFO")

Prevention of Bribery Ordinance

(Cap. 201) ("POBO")

Independent Commission Against Corruption Ordinance

(Cap. 204) ("ICACO")

“Whenever it appears to a magistrate… that there is a reasonable cause to

suspect that there is in any building… any… document… which is likely to be of

value… to the investigation… such magistrate may by warrant directed to any police officer empower him… to

enter and if necessary to break into or forcibly enter such building…” (section

50(7))

“If a magistrate is satisfied… that there are reasonable grounds to suspect that there is or is likely to be on premises…

any… document which may be required to be produced under [the SFO], the

magistrate may issue a warrant authorizing a… police officer… to enter

the premises…” (section 191)

“Where… the court is satisfied that there is reasonable cause to believe that in any

premises…there is anything which is or contains evidence of an offence under [the POBO], the court may by warrant directed to an investigating officer…

empower such officer… to enter such premises…” (section 17)

“If a magistrate is satisfied that… there is a reason to believe that there is in any

premises… anything which is or contains evidence of the commission of any of the offences referred to in this section 10, he

may by warrant directed to any officer authorize such officer… to enter… such

premises…” (section 10B)

6© 2021

Practical tips to handle a raid

Instruct legal advisors

It is not ideal for any company or person to handle a regulatory investigation in the absence of legal advice. In particular, lawyers

can advise the company or person subject to investigation on their rights and obligations throughout the dawn raid and the

whole investigation process, including the right to claim legal professional privilege.

01

Practical Tips

7© 2021


Practical Tips

Check the search warrant

You should have your lawyers to check the search warrant to ensure that:-

• It is issued no more than 7 days prior to the search;

• There is proper description of the nature of the alleged offence;

• The location stipulated in the search warrant is correct; and

• The persons entering into the premises and undertaking the search are those authorized persons under the warrant.

02

8© 2021


Practical Tips

Claim of legal professional privilege ("LPP")

Regulators cannot compel disclosure of documents which are subject to the claim of LPP. In some circumstances you may want to

disclose privileged documents to regulators on a "limited waiver" basis, which means that the documents are provided to the

regulators solely for the purpose of their investigation and the regulators cannot transfer or disclose the documents to other

third parties for any other derivative purposes.

03

9© 2021


Agreement on protocol for the search

Before the regulators start the search in the premises, your lawyers should agree on a "search protocol" with the regulators.

Under the protocol, the regulators may be willing to disclose the classes of documents they are specifically looking for, and you

can then indicate the location of those relevant documents to facilitate the search which will also help minimise any intervention

in the normal operation of the company's business.

04

Practical Tips

10© 2021


Practical Tips

Think twice before voluntarily answering questions or giving statements

During the search, it is rather common that the regulators may ask the staff members of the company some questions. If the

questions are solely for the purpose of furthering the proper and effective conduct of the search, it is advisable that the

questions should be answered.

On the other hand, if the regulators ask substantive questions about the content of the investigation, you should seek legal

advice as to whether those questions should be answered. For example, if the raid is conducted by the SFC, they should have

issued the requisite notice under s.183 of the SFO.

05

11© 2021


Practical Tips

No right to silence

If the SFC issues a notice under s.183 of the SFO to require a person who is subject to investigation or assisting in an investigation

to answer any questions or produce any relevant documents, the person cannot refuse to answer or produce the relevant

documents or otherwise he/she may be found guilty of a criminal offence.

06

12© 2021


Declaration of rights against self-incrimination

Although there is no right to silence under the SFO, there is statutory protection for any person who makes a claim to the

privilege against self-incrimination when providing answers and/or documents. Through claiming the rights against self-

incrimination, the answers and/or documents produced by a person will not be admissible in evidence against the person in

criminal proceedings.

07

Practical Tips

13© 2021

Cheung Ka Ho Cyril v SFC [2020] HKCFI 270Case study

Facts

This case is a judicial review application of a number of search warrants issued by the Magistrates authorising the SFC to search the Applicants' premises and the related decisions made by the SFC arising out of the execution of the search warrants. Specifically, during the course of the SFC operation:

1. Digital devices (including mobile phones, tablets and/or computers) belonging to the Applicants were found;

2. Where no password was required to access such devices, the SFC conducted keyword searches to check for relevant materials. Alternatively, where the Applicants unlocked the digital devices voluntarily, the SFC looked for relevant materials by using keyword searches or by scrolling through the contents to look for relevant materials;

3. Based on the searches mentioned above, the SFC was able to identify materials contained in emails, contact lists and messaging applications that were relevant, or believed to be relevant, to the SFC’s investigations;

4. The SFC requested the Applicants to provide print-outs of the relevant materials or login names/passwords to the email accounts or digital devices to enable the SFC to access the same, to which they either declined outright (in some instances by asserting legal professional privilege), or used various excuses not to provide the same;

5. In the case of the Applicant who asserted legal professional privilege, the SFC suggested that the relevant emails and attachments thereto could be printed out and kept under seal for the time being pending the resolution of the legal professional privilege claim. This suggestion was rejected by the Applicant;

6. In the circumstances, the SFC decided to seize various digital devices belonging to the Applicants; and

7. The SFC issued notices under s 183(1) requiring the Applicants to provide the login names and/or passwords to various email accounts or digital devices (including mobile phone, tablet and computer).

14© 2021


Issues

1) Whether the SFC decisions to seize various digital devices belonging to the Applicants in the course of execution of the search warrants and thereafter to retain them were ultra vires the SFO / the search warrants, unlawful and/or unconstitutional;

2) Whether the SFC decisions to issue notices pursuant to s183(1) to the Applicants requiring them to provide the SFC the passwords to their e-mail accounts or digital devices were ultra vires the SFO / the search warrants, unlawful and/or unconstitutional; and

3) Whether the search warrants were unlawful and invalid for want of specificity.

15© 2021


Challenge to notices requiring disclosure of passwords

The Applicants' arguments

The s183(1) notices issued were ultra vires the SFO provisions because:

1. They required them to produce vast amounts of materials which were irrelevant to the SFC’s investigations, thus falling outside the remit of any record or document which "is, or may be, relevant to the investigation" under s183(1)(a);

2. To construe s 183(1)(a) as permitting the SFC to require the production of large amounts of irrelevant materials for the purpose of sifting would violate BL 30 and/or BORO 14, because that would give rise to a disproportionate restriction of the right to privacy; and

3. The SFC has no power to access the email accounts of the Applicants under the corresponding warrants.

16© 2021



Held

Chow J rejected all of the Applicants' arguments:

• The judge referred to several case authorities (Reynolds v Commissioner of Police of the Metropolis [1985] 1 QB 881 at §§890A-B; Apple Daily Ltd v ICAC (No 2) [2000] 1 HKLRD 647 at §§19-20; R (on the application of Paul Da Costa & Co) v Thames Magistrates Court [2002] EWHC 40 (Admin), at §§19-20; R (on the application of H) v Commissioners of Inland Revenue [2002] EWHC 2164 (Admin), at §§37 and 39-40; R (Faisaltex Ltd) v Crown Court at Preston [2009] 1 WLR 1687, at §§73-79) deciding that where a warrant authorises the seizure of a particular document, the officer empowered by the warrant is lawfully entitled to seize the whole file containing the document or the whole computer hard disk without having to separate the individual sheets or computer files;

• The judge also considered the practical reality that information, documents and records are nowadays mostly kept in digital or electronic forms and stored in email accounts and digital devices which (i) would almost inevitably contain large amounts of personal or private, but irrelevant, materials, and (ii) are often also protected by specific login names/IDs and passwords;

17© 2021



Held (Continue)

• The judge arrived at the conclusion that the SFC is empowered, under s 183(1), to require the Applicants to provide means of access to email accounts and digital devices which contain, or are likely to contain, information relevant to its investigations even though the email accounts and digital devices would likely also contain other personal or private materials which are not relevant to the SFC’s investigations.

• However, the SFC has offered safeguards to protect the privacy of the Applicants by agreeing to use keyword searches to identify relevant materials contained in or accessible through the digital devices and/or viewing the contents together with the Applicants so as to minimize the chance of their personal or other information which is irrelevant to the SFC’s investigations being viewed by its officers. Any dispute on relevance can be brought to the court for determination, with the disputed materials being sealed pending the court’s decision.

18© 2021

What will investigators do, and why?

Reasons for investigation

• Investigators will only conduct a dawn raid if they have grounds

to believe wrongdoing has occurred. Common reasons include:

• Whistleblower allegations

• Tip-offs from other agencies or tax authorities

• Findings from their own monitoring or analysis

• The business is linked to another investigation

Structure of investigation

• The approach will vary depending on the circumstances

but typically investigators will have an initial hypothesis

of what has occurred and seek to confirm or disprove

that theory. An investigation will usually consist of:

• Initiation – identifying relevant parties/data

• Planning – obtaining warrants, planning raid

• Gathering information – likely to include interviews, seizure

of documents/electronic data, review of emails on servers

• Analysis & interpretation – detailed review of data seized,

forensic accounting, triangulation of data points

• Reporting and closure –prosecution, report to authorities.

!Investigators’ methodologies

are constantly evolving

Methodology

There is no “one-size-fits-all” approach but investigations will likely

include some or all of the following:

• Review of paper/electronic documents, including emails, content

saved to laptops/shared drives, mobile phone call records/data,

and any paper documents.

• Transaction testing – attempts to understand

transactions by mapping fund flows/checking substance

of trading, comparing records against external sources

• Corporate intelligence – search corporate

filings/databases and conduct network analysis to

identify undeclared conflicts and business

interests/relationships

A dawn raid is just one step

in a broader investigation

• Interviews –with key personnel, typicallyincluding management, finance staff, sales/ procurement and

potentially external parties (i.e. bankers, auditors, trading partners)

Aims of a dawn raid

19© 2021

Introducing the role of technology in investigationsWhat comes next?

Humans can only do so much!

It’s no secret that regulators worldwide are hard-pressed

for resources and Hong Kong is no exception. According to

the most recent figures:

• The SFC has 736 professional staff

• The ICAC has around 1,400 staff

Despite these constraints the SFC commenced

197 investigations in 2019/20 and made 8,767

requests for trading and account records – as well

all alongside its day-to-day regulatory and oversight

activities.

The ICAC received 995 separate corruption allegations

in the first six months of 2020 alone.

How do they fit it all in…?

Technology and data to the fore

Faced with urgent deadlines and limited resources investigators

are leveraging new technology and data analytics.

Investigations are increasingly likely to

involve the seizure of electronic evidence.

Police have faced scrutiny over how they

access and use data from suspects’

phones.

Regulators too will consider electronic data in

their work. Emails, documents and –

increasingly – mobile messenger conversations

will be a key plank of their evidence.

In the following slides we

introduce some of the

techniques and challenges you

are likely to encounter.

20© 2021

Computer forensic data workflow

Dawn raid

Regulator visits premise with search warrant

ESI Data Identification

Data Collection

Data Processing

Data Publishing

Legal Review

Data size after each process/segment reduces

Concept Searching

Services provided by Deloitte

Data Handover

Note: Please note that ESI Data Identification and Legal review will be co-sourced by the Client and Deloitte team as requested.

Handover of non-privileged data to relevant partyReview, identify, and

tag privileged documents on the eDiscovery platform

Publish searchresults on eDiscovery platform

Extraction, indexing, DeNISTing, deduplication, date filtering (optional) and keyword searching (optional) of data.

Collect data from source medias (i.e. PC, servers, mobiles) and make 3 copies, for:

• Regulator (sealed)• Client’s Legal team (sealed)• Deloitte as working copy

Identify scope, custodians, and data type (i.e. Email, user files)

21© 2021

Challenges for data collection, preservation and analysis

• Various Computer Operation Systems (e.g. macOS, Windows and Linux)

• Different Data Storage Sources (e.g. Desktops, laptops, servers, network-attached storages and Cloud storage)

• Different interfaces• Different hard disk types

Operating Systems

Data Storage Sources

Decryption, Wiping & Decoding

Computers / Servers Mobile devices

OS and Manufacturers

Connection Issues

• Right Cable

• Right Driver

• Customized Data Encoding in App level

• A large number of Apps

• MDM device control and encryption

Decryption and Decoding

• Various Mobile device Operating system and manufacturers(e.g. Apple, Windows, BlackBerry, Samsung, Lenovo and Huawei)

• Decryption (e.g. DiskCryptor, TrueCrypt, BitLocker and VeraCrypt)

• Wiping software (e.g. Eraser and CCleaner)

22© 2021

Text Mining, Visual Analytics & Machine Learning

Technology-enhanced workflow

Conceptual Analytics

• Process collected data from multiple device and server sources into the analytics platform. Conduct text mining, entity extraction and conceptual analysis.

• Run keywords on dataset. In addition to results, the platform will identify, categorise and organize thematically and semantically similar content.

• This will allow us to refine understanding of the document population based on its actual content, uncover related themes, and refine our search parameters.

Communications Analysis

• Focus search and assessment based on communication parameters.

• Visualisation allows analysis to identify outlier communications: external communications on topics or documentation of concern.

• Focus specifically on communications between known entities, then apply additional filtering (such as the search term) to remove “noise.”

Technology Assisted Document Review

• The above steps will determine a potentially relevant population for review.

• Using identified documentation from Conceptual and Communications Analysis, we will program an instance of Machine Learning to categorise the population by proximity to the issue.

• Documents scored most likely relevant are reviewed first; review decision by the subject expert are fed back to the machine to continuously update the machine learning algorithm.

23© 2021

Dealing with investigators during a raid

• Immediately seek legal advice and have internal/external counsel

attend onsite when investigators arrive.

• Cooperate fully with investigators – provide a separate

room and IT support when they are onsite.

• Accompany them during the raid to understand what

they are seizing and where it came from. This will

help you piece together what they might be doing.

• If they want original documents, ask if you can make

copies to avoid business disruption. Keep a log of data

and documents that they take.

• If they seize laptops/mobile devices, ask via your lawyers

if a forensic consultant can image the devices so you have

details of the information available to investigators.

• Remember they are human! Offer tea and coffee, show them

where the bathrooms are, exchange name cards (this will also

help you identify the officers involved). Order breakfast or lunch

– a hungry investigator is a grumpy investigator.

Shadow investigation

You may conduct your own internal investigation parallel to

regulators. This is a "shadow investigation“. The aim is to understand

what investigators are likely to find so you can prepare for the

outcome.

Preparation is essential. Have key phone numbers on hand and circulate a

written protocol to relevant staff so they know in advance how to respondi

•External investigators and lawyers can help, and would

typically support your own legal counsel and possibly an

A shadow investigation may uncover the failures in internal controls that led to

problems, and form the basis for remediation. Remediation will help avoid future

problems and may aid your defence in any regulatory or legal proceedings.

How to minimise disruption and recover quicklyResponding to a dawn raid

independent investigation committee formed of non-

executive directors/audit committee.

•You may identify issues that warrant internal

disciplinary action, even if external regulators decide to

take no formal steps against the company/employees.

•If the allegations/investigation are public, results of

your shadow investigation could inform your responseto shareholders, media and other stakeholders (though be

careful not to comment about live ICAC/SFC investigations –

take legal advice on any statement issued).

24© 2021

Understanding Hong Kong authoritiesRecap – who will investigate and why?

There are several agencies in Hong Kong with the power to launch investigations into businesses and individuals. They have

varying degrees of power and separate (though sometimes overlapping) remits. This slide recaps some of the main authorities

you are likely to encounter in an investigation or dawn raid and the range of powers they have.

Agency Remit Requires search warrants? Can make arrests?

Independent Commission Against Corruption (“ICAC”)

Fight corruption through law enforcement, prevention and community education.

No, has the power to search without a warrant (Section 10C of the ICAC Ordinance).

Yes , can arrest a person suspected of breaching an offence under the three anti-corruption ordinances it enforces.

Securities and Futures Commission (“SFC”)

Strengthen and protect the integrity and soundness of HK's securities and futures markets.

Yes, for forcible entry, search/seizure of documents, prohibition of document destruction. Has power to interview and demand “reasonable assistance” without a warrant.

No. The SFC typically refers cases to the Commercial Crime Bureau of the Hong Kong Police Force if an arrest is required.

Competition Commission(“CC”)

To prohibit conduct that prevents, restricts or distorts competition, and to prohibit mergers that substantially lessen competition in Hong Kong.

Yes, to enter and search premises. Has power to require people to answer questions and produce documents.

No. May refer cases to Hong Kong Police Force if it considers that a crime has been committed.

Hong Kong Police Force (“police”)

Law enforcement and investigation of criminal matters.

Generally yes but not if cases can be related to national security or are extremely urgent.

Yes.

25© 2021

Disclaimer

Disclaimer

Any material or explanation (including but not limited to presentation slides or verbal explanation) (collectively “Material”) provided hereunder serves as a general guide instead of a basis for decision making and shall not be construed as any advice, opinion or recommendation given by Yang Chan & Jamison LLP (“YCJ”) or Deloitte Advisory (Hong Kong) Limited (“DAHK”) on the presentation. In addition, the Material will be limited by the time available and by the information made available to YCJ/DAHK and you should not consider the Material as being comprehensive as YCJ/DAHK may not become aware of all facts or information. Accordingly, YCJ/DAHK will not be in a position to make a representation, and will not make a representation as to the accuracy, completeness and sufficiency of the Material. You will rely on the contents of the Material at your own risk. This Material shall be kept confidential and any person other than YCJ/DAHK’s authorized personnel shall not, in any way, retain, use or disseminate this Material without YCJ/DAHK’s prior written consent. All duties and liabilities (including without limitation, those arising from negligence or otherwise) to all parties, including you are specifically disclaimed. All copyrights and other intellectual property rights contained in the Material are reserved by YCJ/DAHK. For the avoidance of doubt, the Material contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of the Material, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on the Material.

The speakers’ views, comments and speech are personal and do not constitute any position or opinion of YCJ/DAHK or otherwise represent YCJ/DAHK, or partners,principals, members, owners, directors, employees thereof. YCJ/DAHK does not endorse and is not responsible for any such personal expression in whatever form.Please take the view as the speaker's own only.

26© 2021

Any questions?

YL Cheung‏

Partner


T: +852 28526775‏

E: [email protected]‏

William Tam‏

Partner


T: +86 755 33538308‏


Valarie Fung‏

Partner


T: +852 28525829‏


Michael Mo‏‏

Director

Deloitte Forensic

T: +852 22387227‏


Catherine Leung‏

Senior associate


T: +852 28521984‏


mailto:[email protected]





27 January 2021 - Deloitte

Documents

Transcript of 27 January 2021 - Deloitte