The ultimate guide to handling regulatory requests

An introduction to regulatory information requests

As electronic data sets continue to grow and regulatory pressure continues to increase, answering regulatory request is continuing to be a huge challenge for law firms and corporations.

Competition, financial oversight, privacy, consumer protection, tax, fraud, bribery, health care, environmental, are just a few of the areas that are under increasing attention of the authorities.

For quite some time, regulatory agencies use advanced AI and data science to analyze data sets they obtain through dawn raids and information requests. In responds, more and more law firms and corporations now use the same technology to be at par with these agencies.

As a result, technology has completely changed how a regulatory request can be handled. Parties not using technology are a giant leap behind, get higher fines, take much longer and spent more resources handling such requests.

What does a regulatory agency do?

According to Wikipedia, a regulatory agency is “a public authority or government agency responsible for exercising autonomous authority over some area of human activity in a regulatory or supervisory capacity. An independent regulatory agency is a regulatory agency that is independent from other branches or arms of the government.”

Regulatory agencies have two primary functions in government: they implement laws and they enforce laws. A regulatory agency implements laws enacted by the legislature, by means of regulations.

If a regulatory agency has reason to believe that a business has violate its regulations, the agency will start an investigation. This investigation may consist of interviews with relevant witnesses and investigators go through certain documents. The agency will give the business a change to respond to the allegations.

Important regulatory agencies in the US are the Federal Reserve System (the FED) who regulates banking and manages the money supply; the Environmental Protection Agency (EPA) that establishes and enforces pollution standards; the Federal Trade Commission (FTC) who ensures free and fair competition and protects consumers from unfair practices and the Food and Drug Administration (FDA) that administers federal food purity laws and drug testing and safety.

Where does a regulatory request come from?

A regulatory request can come from any of the various agencies. Traditionally, competition and anti-trust violations are a major cause of such investigations. In recent years, (new) regulators are conducting similarly disruptive requests and investigations related to financial-, bribery-, fraud-, environmental-, healthcare-, data privacy-, consumer protection-, food & drug safety-, and many other regulated fields.

Sometimes a request looks like informal questions. But even these “informal” questions, should always be handled with consideration. A poorly written or confusing response may cause a regulatory agency to make assumptions. Accidentally withholding and not providing information can lead to dawn raids and on-premises investigations.

What then started with a simple and straightforward request can ultimately lead to a complex cross-border investigation.

Information seizures can vary from mandatory information productions (collected and prepared by your organization), to complex cross-border dawn raids.

Whatever the form of the investigation, they all have one important element in common: time is of the essence. As soon as a regulator shows up, the race against the clock starts.

What is the regulator looking for?

When regulators suspect - or a whistleblower informs them of - potential wrongdoings or illegal activities, they often ask vague, open-ended questions like:

• Who performed which actions;
• Did management knew about it or was it involved;
• Did management drove the irregularities;
• Were there any early warning signals and if so, were they ignored;
• Which activities occurred during what time frames;
• Which steps were taken and the reasoning behind them;
• Who benefited from the activities;
• Did similar events ever occurred.

When regulators suspect wrongdoings, they often ask vague, open-ended questions. The open-ended nature of requests are one reason executives need to provide more information than just answers to straight forward questions. eDiscovery platforms are particularly useful in handling these challenges.

What are the challenges of answering regulatory requests?

Many organizations face several requests from multiple agencies simultaneously, particularly now that regulations are increasing in number, scope, and complexity. Agencies may be located in various jurisdictions, holding you to one set of privacy regulations for some responses and a different set for others.

Projects are complicated - even stalled entirely - by their enormity. Businesses today generate massive amounts of data. Important data is located in email and document management systems, data storage systems, and file sharing software. Social media accounts, mobile devices, and devices connected to the Internet of Things may also contain evidence. The electronically stored information (ESI) you need to collect and analyze is scattered across multiple communications and media platforms and may be contained within current and legacy operating systems. 

Agencies may be holding you to one set of privacy regulations for some responses and a different set for others

Without proper planning and tools to search for and analyze the evidence you need, it’s a madhouse when regulators come calling. Internal workflows are disrupted and costs run amuck. There’s no time to develop an effective plan when you’re deadline is NOW.

Why use eDiscovery when responding to regulatory information requests?

All companies store too much data. If you have to be certain that you have provided all relevant information, it is virtually impossible to do so manually. Even the most brilliant queries will provide too many hits and no relevance ranking scheme works perfectly all the time.

Automation dramatically simplifies the process of mining vast amounts of electronically stored information and helps you to find more relevant information, faster and using fewer resources. 

You need to be fast

Most regulative authorities want you to indicate what is responsive, non-responsive or privileged within a short time range, often around 10 days. So you need answers fast.

eDiscovery platforms manage massive amounts of data much more quickly than manual processes or technology tools. eDiscovery technology cannot only help you to achieve this, it also gets to the heart of the matter immediately by performing early case assessments (ECA) that uncovers relevant information and guides you on where to look first for the most important information.

Speed is also important for your company. The sooner you know what really happened, the sooner you can plan your own strategy, start your own investigation with your outside counsel and prepare for additional investigations from other countries and services and claims from disadvantaged parties (customers, consumers).

You need to know what to look for

It is hard to find information when you do not know exactly what you are looking for. And if people want to cover up or even hide something, it becomes even more difficult. It is a continuous game of hide & seek, with one party trying to outsmart the other. Here are some clues on where to start your search:

• Look for individual names of suspects, partners in crime, related companies, etc.
• Find “One-on-one emails” sent to personal email accounts.
• Identify communication taking place at odd times.
• Locate emotional communication; anger, cursing or threats.
• Identify code words and hidden communication methods (Snapchat, WhatsApp, …)
• Analyze expenses, phone records and other data to find out where secret meetings took place.

You need to be complete

Your answers also need to be complete. eDiscovery is specifically designed to access, review, and process all your data and find potentially responsive information regardless of original file types or location.  The sooner you get the real story hidden in the data, the sooner you can prove exactly what happened and plan how you’ll deal with any fallout. 

You need to be accurate

Your answers must be accurate. Once data is centralized, advanced search capabilities, data analytics, and artificial intelligence unearth hidden details, pinpoint truly responsive information, and show how people, places, and events are connected. 

You need to protect sensitive data

Data protection and privacy are hot issues and will become even more important in the near future., In the European Union, the General Data Protection Regulation (GDPR) since the end of May 2018 regulates all activities involving the personal data of EU citizens. Consequences are equal for European companies and non-European companies conducting business in the EU. The GDPR has brought substantial changes and compliance challenges for every organization that collects, processes, stores, and transfers personal data, anywhere in the world.

If you need to disclose data from the EU to the US, make sure your use automatic Black Lining (bulk redaction) and Pseudonymization to protect personal and privileged information.

Prevention is better

Pro-actively preventing non-compliance is preferable to preparing for investigations. The same technology you should use to answer regulatory requests can also be proactively used to search for risks, deviations, and compliance violations so you can address these risks and prevent them from happening again in the future. You can, for example, carry out a compliance run during take-overs or during an unusual economic situation. And it is good to know that (independent) audits by a lawyer (interviews and data investigations) are protected by legal privilege.