Reporting obligations in corporate crime investigations

Why should I read this?

Managing reporting obligations across borders isn’t just a compliance exercise: it’s a key step in reducing legal and reputational risk. When misconduct affects multiple jurisdictions, a single investigation can quickly lead to overlapping legal duties, regulator attention and public scrutiny.

Knowing how to define the scope of an investigation, manage whistleblowers, protect privilege and navigate complex reporting requirements helps businesses respond effectively and avoid costly mistakes.

How do you carry out initial team scoping?

When potential criminal conduct emerges (such as bribery, fraud or corruption), the first step is clear scoping. Define the investigation’s purpose, scope and governance early.  This includes:

• Identifying key stakeholders and assigning roles.
• Making sure investigators are independent from those implicated.
• Involving legal, HR and relevant business units promptly.
• Setting up clear communication channels. 

Time invested here in clarifying what is (and isn’t) within scope sets a strong foundation and makes it easier to handle external scrutiny.

How do whistleblowers act as a trigger for reporting obligations?

Whistleblowers can sometimes provide the first indication of misconduct. Their reports can reveal issues that trigger mandatory external reporting (e.g., suspicions of money laundering or bribery).

Manage whistleblowers carefully:

• Balance confidentiality promises with legal duties.
• Give periodic updates when required by law.
• Avoid conflicts that could lead to premature or problematic disclosures.

Handled well, whistleblower engagement strengthens the integrity of the investigation from the outset.

How to protect legal privilege and update the board?

Maintaining privilege is important but challenging in cross-border scenarios. When briefing boards:

• Share facts sparingly and mark documents appropriately.
• Use private sessions for sensitive updates.
• Frame communications around legal risk, not investigation progress.
• Draft minutes carefully to avoid unintended waiver.

Keeping the issues, outcome and advice relating to an investigation confidential is fundamental to maintaining legal privilege. Limiting disclosure to authorized members helps preserve privilege and prevent universal waiver.

What reporting obligations apply?

Reporting duties vary widely. For example:

• In Hong Kong, all entities must report any knowledge or suspicions of money laundering, unlike sector-specific rules elsewhere. Even receiving tainted benefits (e.g., dividends) can trigger duties. Failure to report is a criminal offence, punishable by fines and imprisonment.
• In the UAE, penal code requirements require reporting known crimes. First reporters may receive immunity for certain offences, but there are risks of criminal defamation or liability for false reporting.

Do an early review of where the misconduct has occurred and identify what each country’s reporting rules are. This prevents inadvertent non-compliance or committing an offence by omission.

Have you considered data handling and cross-border challenges?

Data location and transfer can complicate investigations and create disclosure issues later. Best practices include:

• Don’t rush to centralize all data in one country (it can increase exposure to foreign investigations. Instead, review data locally where possible, using local teams and secure systems).
• Consider data protection laws and blocking statutes (e.g., China, Saudi Arabia).
• Use local teams for reviews to preserve integrity and comply with data export restrictions.

Unplanned remote access can expose the company to legal and regulatory risks. Always plan how and where data will be accessed before doing so.

How to deal with external stakeholders and regulators?

Decide early on regulator engagement. Build trust through transparency but seek legal advice before disclosures to avoid privilege waiver. Key steps:

• Notify promptly if misconduct risks public exposure.
• Appoint a Single Point of Contact to be responsible for regulatory reporting.
• Align updates carefully in regulated sectors.
• Prepare media strategies with a single spokesperson and consistent messaging.
• If everyone works together and follows a clear plan, you avoid mistakes that could harm the investigation or compromise legal protections.

How to prepare in advance?

Strong governance upfront is your best protection. Steps include:

• Make sure legal advice is addressed to the correct company in the group. Privilege can be lost if advice is sent to the wrong entity.
• Consider whether the investigation is significant enough to appoint a formal investigation committee with clear terms of reference.
• Clarify whether the investigation is for fact-finding, regulatory reporting or litigation preparation. The purpose determines how you structure the process and what protections apply.
• Put rules in place to preserve legal privilege and map out which countries’ laws apply. This avoids mistakes like sharing privileged material where it isn’t protected.

Planning ahead readies you to deal with unexpected developments, such as new regulator demands or cross-border issues.