Strategies for protecting Taiwanese businesses from cross-border risks

How to manage multijurisdictional compliance investigations

Taiwanese businesses operating in a global context need strong mechanisms to investigate and manage potential cross-border misconduct

As a company's business grows globally, inevitably the company will become subject to regulators in different countries for anti-corruption, antitrust and many other aspects of its business.

This makes it vital for multinational companies operating in a global context to have a mechanism in place to investigate suspected cross-border misconduct. A credible internal investigation mechanism is not only an expectation from regulators and law enforcement agencies, but also recognized as a matter of good corporate governance. However, conducting complex compliance investigations in multiple jurisdictions can be challenging and difficult.

To manage multijurisdictional compliance investigations efficiently and effectively, here are a few practical steps that Taiwanese companies can take.

Engage with regulators at an early stage to manage their expectations and coordinate your approach to requests from authorities in different jurisdictions.



It is important for Taiwanese companies to establish a protocol for the conduct of any investigation and to ensure coordination among all parties involved.

Having standard procedures at the outset of any investigation will help. At a minimum, these investigation procedures should provide guidance on:

  • How to set up an investigation team for different types of investigations.  This includes determining when external advisors—such as outside legal counsel, forensic technology vendors and forensic accounting experts—should be engaged
  • Which internal functions need to be aligned.  Usually, internal functions that need to align include audit, finance, human resources, IT, media/PR and occasionally the relevant business teams
  • How to determine the level of authority to which the investigation team should report. Usually, investigation teams should provide their reports to the company's general counsel or chief compliance officer, who, in turn, may report on the investigation to other senior executives. However, if an investigation involves senior executives, the investigation team should report to the board of directors of a company or a special committee established by the board
  • How to delineate workstreams. Standard procedures should explain how to define workstreams by jurisdiction, regulator or issue—as appropriate—and make sure that each workstream feeds into the main investigation



If a multijurisdictional investigation is in response to requests from regulators and law enforcement agencies, it is important to understand and manage the expectations and competing demands from different authorities.

For example, in a US-style internal investigation, a US regulator would expect a company to have undertaken document preservation measures and to have interviewed relevant employees.

However, if the misconduct is in mainland China and under Chinese authorities' investigation, the authorities might consider these types of measures as possible obstruction of justice and interfering with mainland Chinese authorities' investigation. The UK Serious Fraud Office (SFO), for example, has been vocal in criticizing companies for "churning" the crime scene by interviewing key witnesses and disturbing documents before the SFO has become involved. The SFO has also criticized companies for continuing with their own internal investigations once an SFO investigation has commenced.

Therefore, it is important to have a plan to engage with regulators at an early stage to manage their expectations and have a coordinated approach to requests from authorities in different jurisdictions.



At the outset of an investigation, a company should take immediate action to preserve all relevant data. This may include imaging electronic data, issuing document preservation notices and ceasing automatic deletion policies.

An investigation team should always be aware that data may need to be collected, processed and presented in different ways for different regulators.

In addition, the increasing stringent requirements of data privacy laws globally make it vital for companies to have defined a data protection strategy for navigating different jurisdictions' data protection laws. This may include securing consents in advance in employees' employment contracts and putting in place appropriate data-sharing agreements among subsidiaries.



At the outset of any investigation, a company should check the legal position on privilege in relevant jurisdictions to protect legal advice and relevant investigation materials from disclosure to regulators and third parties. The operation of privilege can differ significantly from jurisdiction to jurisdiction.



Throughout the process of an investigation, it is crucial to consider potential remediation plans.

In some cases, a company must be able to show regulatory authorities that it has taken tangible steps in response to the findings of an investigation. If an internal investigation is not initiated by government authorities, it is important for a company to assess whether any self-reporting obligations will be triggered once a preliminary investigation has been completed.

Finally, in a multijurisdictional context, a company must consider all jurisdictions where it may have reporting obligations. This will not necessarily be limited to jurisdictions in which the relevant conduct took place. For example, a company should review and comply with all obligations to regulators in its home jurisdiction as well as any jurisdictions where the relevant conduct may have impacted its business.


Strategies for protecting Taiwanese businesses from cross-border risks


This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2018 White & Case LLP