For forward-thinking advisory firms, internal investigations via big data monitoring are part of their regulatory compliance program, rather than tasks resulting from alleged misconduct. Making such proactive investigations possible, however, increasingly requires proper planning.
The battle is only half won when firms detect data that indicates possible risk of violations, such as misleading enrollment tactics, and deceptive advertising, loan servicing and debt collection. To avoid (or at least mitigate) criminal charges, financial penalties and reputational damage, firms must dig deeper to find and rectify the root of the problem. This can lead to costly, overly broad work if they don’t have an understanding of the unique issues that arise in cross-border investigations.
Due to globalization, proactive investigations are more likely than ever to venture into non-U.S. jurisdictions that bring a host of additional IT and e-discovery restrictions. While methods for internal investigations within U.S. jurisdictions are generally well understood, investigations in international jurisdictions can be more complex and time-intensive, especially when data reveals risk of serious charges and millions of dollars in fines.
Below are five best practices that can help firms achieve their objectives in an effective manner.
Identify Data Located in Foreign Jurisdictions
Companies frequently store their data in a single location that could be in a different country from where the data is produced. Thus, a crucial step is identifying key documents and where they are located, and analyzing the impact of the relevant data privacy laws.
Data privacy laws broadly vary from jurisdiction to jurisdiction. Some broadly apply to any circumstance in which personal data could be obtained, while others are targeted to a specific industry such as financial services.
With so many limits placed on data in these jurisdictions, organizations have a number of tactical options to comply with the bevy of data privacy requirements.
Define Data Processing Strategies
Collecting personal data in foreign jurisdictions is often unavoidable. There are, however, practical ways to process data locally and limit the need for transferring it across borders.
An increasingly popular option is the mobile “backpack” model in which e-discovery technology is temporarily deployed and managed by experts at the site where the information is stored. It can be a cost-effective processing and review solution for discreet matters such as internal investigations, as it requires no hardware or software investments and permits all data collection, processing and review to occur on site. Other firms opt to use review technology that is hosted in an e-discovery service provider’s local data center.
Regardless of how technology is deployed to be compliant with data privacy requirements, it should be able to identify sensitive information and automatically filter out or redact this information. Methods to support these functions can be as simple as use of keywords, or more sophisticated, advanced data detection tools that automatically identify numerical or other data patterns indicative of sensitive information, such as employee identification numbers or account numbers. Alternatively, anonymization techniques can remove all personal identifiers, and pseudonymization techniques can obscure the person’s identity while still linking multiple records to the same person.
Know Your Partners’ Data Security Measures
When determining how to protect data subjects’ privacy, firms simultaneously need to address data security issues — especially when sharing data with outside counsel, cloud providers and other vendors. Thus, it is important to understand the data security practices of outside companies.
For example, if hosting sensitive data in a local provider’s data center, firms should look for essential data security standards to secure sensitive information. These include certifications such as ISO 27001 and Tier 3+ uptime; security measures that limit physical access to the data, including firewalls, data encryption protocols, monitoring, and strict policies governing mobile devices and removable hardware; extensive disaster recovery plans; and audit procedures.
Predetermine Foreign Languages
When conducting international, internal investigations, firms should anticipate which languages will exist in the documents collected. This will allow them to better decide how to allocate their review resources and time, and identify the right set of review tools.
Document review is already the costliest and most time-consuming part of any matter. Translating and reviewing every document is unrealistic. As in any review, the most effective way to keep costs in control is to limit the amount of human review time. Thus, up-front planning for translation is often necessary to avoid investing time and money in classifying documents based on keyword search, only to later identify documents written in other languages that will likely require restarting the review process.
At the inception of a project, most e-discovery review platforms can detect foreign languages, including languages that do not use the Roman alphabet such as Chinese, Japanese and Korean. Machine translation can expedite first-pass review and exclude obviously irrelevant documents. However, machine learning is not precise, and often necessitates the use of advanced analytical tools capable of comparing concepts and relationships across documents regardless of language. For example, analytics tools can further remove system files (i.e., deNISTing – removing file types rated by the National Institute of Standards and Technology as unlikely to hold relevant information) and duplicate documents (i.e., deduplication and near-duplicate identification) to expedite review.
Sophisticated keyword analysis, when informed by linguists with expertise in local dialects and colloquial speech, can capture language nuances, especially for informal data sources increasingly used by advisors for business communication, such as chat, social media and text messaging. More powerful tools, such as predictive analytics, can parse language at the sentence level (rather than at the document level) to identify which languages a document collection contains. Finally, predictive coding analytics can cull irrelevant documents while prioritizing ones likely to be most relevant for early review.
Enforce Vendor Compliance
Finally, many investment services firms with oversees operations or employees outside of the U.S. now require that their law firms and legal service providers have expertise in managing cross-border investigation issues.
For example, some firms now require that their law firms establish methods for flagging and alerting the organization of legal matters that arise before a U.S. regulatory body or government agency and could implicate the data of non-U.S.-based custodians. Similarly, firms are requiring that e-discovery service providers adhere closely to these protocols and route any action considered to be data “processing” through the organization’s cross-border team.
With these approaches, organizations can conduct thorough internal investigations on a worldwide basis that uncover the pertinent facts economically, expeditiously and lawfully.
— Read How to Answer When FINRA Knocks on Your Door on ThinkAdvisor’s TechCenter.