Home Affairs Committee

Supplementary written evidence submitted by The Risk Advisory Group [PI14]

Do you think of yourselves as private investigations companies?

The Risk Advisory Group (Holdings) plc is a global risk management consultancy. We have offices in London, Moscow, Dubai, Dammam, Washington DC and Hong Kong and serve governments, government departments, multilateral organisations and multinational corporations.

Our services fall into a number of different categories:

political risk and security analysis, consultancy, training and operational support;

employee CV verification—predominately for the financial services industry;

regulatory compliance due diligence for companies that are subject to anti-bribery legislation, money laundering and export control restrictions;

merger and acquisition, private equity funding and corporate finance support; and

litigation support—this aspect of our work involves significant internal investigations, evidence gathering exercises and providing expert evidence. This area is substantially covered by the Security Industry Authority (SIA) competence requirements, issued in draft form in 2007, and most closely resembles what people may consider as “private investigations”. We, however, call such investigations “corporate investigations” because they are exclusively conducted for and on behalf of corporations either directly or through external legal advisors.

Within the above categories we also offer bespoke consultancy services. For example:

When the Directorate of Counter Fraud Services was set up within the National Health Service, Risk Advisory was engaged to help recruit and train staff and to provide support on investigations.

We have provided advice to governments and to corporations on such issues as anti-corruption.

We have provided pro bono training to the Serious Fraud Office (SFO) and many industry and trade groups on due diligence and anti-corruption controls in the context of both the Foreign Corrupt Practices Act and the Bribery Act 2010.

To provide granularity around what is involved in litigation support, some examples are set out below:

We might be involved in internal fraud or breach of fiduciary duty cases—for example, we worked on a £250 million property valuation fraud case in conjunction with external lawyers, the police and the SFO.

We might be asked to help trace witnesses—we were instructed to try and identify the whereabouts of witnesses for and on behalf of the Bloody Sunday Inquiry.

Again for the Directorate of Counter Fraud Services, Risk Advisory investigated a number of “National Health Service tourists” and assisted in providing evidence which allowed the Directorate to issue proceedings and recover money.

We have worked with corporations to conduct investigations which could then be handed over to the relevant prosecutorial authority.

Our work is often conducted in conjunction with law firms which use our services to inform litigation strategy and as evidence.

In one such case, we undertook a significant analysis of an individual who was claiming legal aid to promote a civil claim for many millions of pounds. We were able to demonstrate, predominately through public records analysis, that he had deliberately and over a course of years disposed of assets and lied about the value of real property assets he held in a different jurisdiction. This led to a discharge of his legal aid certificate and a substantial recovery from him by the legal aid board.

In another case, we undertook a detailed analysis of the circumstances of the death of a journalist. He was killed by US forces and there was a US military investigation. Our client’s objective was to try and identify the true circumstances behind the death and in so doing, to try and influence the engagement rules applied by the US military.

Who works for you?

Our staff reflect our businesses and I thought it might be helpful for you to see the educational and professional qualifications of some of our people (annex 1).

You will note that we currently have no former police officers working within our company, although this has not always been the case. The longest serving former police officer who worked for Risk Advisory was, until he retired from the police, the head of the Public Sector Corruption Squad at New Scotland Yard. He retired from Risk Advisory in approximately 2004 and since that date we have not had a former police officer as an employee. We do, though, sometimes use retired police officers for specific tasks. For example, we recently used a retired Chief Superintendent to review a “cold case” to determine whether correct police procedures were adopted at the time of the original investigation and to identify whether any new procedures might be deployed to help solve the murder.

You will note that we do have a number of qualified lawyers who are employees. These individuals are generally engaged in cases which fall within our category of litigation support, which can involve corporate investigations.

Are you in favour of statutory regulation of private investigation companies?

Within our international businesses we are subject to local regulation which includes statutory regulation. Those of us who hold professional qualifications are also regulated—I for example, am regulated by the Bar Standards Board and a number of my staff are similarly regulated because they are solicitors, barristers or accountants. We are also, of course, subject to the general criminal law.

More widely we support the objectives of the Private Security Industry Act 2001 (annex 2).

Specifically, in areas where the public is at risk, which is the criterion that the statute is expressly intended to address, we would support statutory regulation.

In 2006 and 2007 we, together with the SIA and others, did some work on identifying risk areas. As a result of this a number of core skills or competencies were identified as being essential for private investigators to mitigate risks to the public.

Five competency requirements were set out in the paper “Private Investigation and Precognition Agents Draft Core Competency Specification”, in July 2007 (annex 3). These were:

conduct investigations;

conduct (formal) interviews;

search for information and preservation of evidence;

conduct surveillance; and

understand and work to the relevant laws and standards (annex 3, page 9).

From the outset we were of the view that these investigative techniques should be properly regulated because they can be invasive; they have the potential for causing personal distress and emotional harm as well as financial loss.

In short, if conducted without legitimate justification or inappropriately, they put the public at risk.

We were then, and still remain, at one with the SIA in this regard.

Our difficulty lies with the current wording of the Act, which arguably goes far beyond these types of investigations and potentially has the diametrically opposite effect.

That is, that the imposition of a regulatory regime around some of our activities is both unnecessary—because there is no prospect of the public being put at risk—and potentially damaging because what we do for our clients is intended, in a number of areas, to protect the public and the wider integrity of the global financial markets.

The Statute

The relevant provisions are contained within Section 3, Schedule 2 of the Act (annex 2). As you know, Section 3 creates the concept of licensable conduct and designated activities. It also provides the criminal penalty.

The operation of Section 3, Schedule 2, 4., (1) (a) makes it unlawful, unless one holds a licence, to undertake “…surveillance, inquiries or investigations that are carried out for the purpose of:

(a) obtaining information about a particular person or about the activities or whereabouts of a particular person;…”

This sub-section and the Schedule are drafted very widely.

Professional headhunters for example “undertake …inquiries…for the purpose of obtaining information about a particular person or about the activities or whereabouts of a particular person”.

They will do preliminary research to identify potential candidates who fulfil their mandate; this always involves speaking to people in the market about potential appointees. Questions will involve the location of those individuals, their key competencies, their strengths and their weaknesses. All of this activity will be done without the knowledge or consent of the candidate. Post the selection of a shortlist, more detailed questions may be asked about specific issues or incidents in which the candidate may have been involved, including questions which may relate to the candidate’s ability to operate in stressful environments, and their honesty and integrity.

We very much doubt that Parliament intended to encompass the activities of professional headhunters when enacting the Act, but because the requirement to obtain a licence is defined by conduct it is, we suggest, highly likely that this is the effect of the statute.

Similarly, we doubt that Parliament also intended to cover investigations conducted to ensure that our clients comply with the regulatory burdens imposed on them by statute.

Parliament has chosen to shift the responsibility of ensuring the integrity of the financial markets and ensuring that money is not laundered through business structures to the gatekeepers of those markets—the Regulated Sector (annex 4, paragraph 7).

Fundamentally, participants in the Regulated Sector are required to know who they are doing business with. Failure to comply with the regulations can result in fines, loss of licences, debarment and, for some, imprisonment (annex 5).

Financial institutions, law firms and accountancy practices are faced by a “diverse and dynamic” criminal and terrorist threat (annex 4, point 7.5).

Our task is to assist our clients in managing this threat.

We are instructed to investigate corporate shells, nominee structures, non-disclosed intermediaries and other such structures and devices to help our clients ensure they are not dealing with terrorists, criminals, politically exposed persons, foreign governments or foreign government officials.

Most clients, because they do not have the skills or resources, cannot undertake this type of investigative research themselves; those who do generally conduct low-level database-led due diligence. In more difficult cases or in geographies where there are language issues or a lack of readily available or reliable public records, they instruct firms like ours.

Obtaining consent to investigate, which would be a gateway (annex 2, Schedule 2, 4., (8)), is often not possible because we are asked initially to investigate corporations. The owners of those corporations are unknown, which is why we are asked to investigate.

Once identified, if the owners of a company that has been the subject of due diligence are, or may be, criminals or terrorists, it may then be a criminal offence for our clients to deal with the company in question or to notify the subject of the outcome of the investigation and to ask for retrospective consent to investigate the individual concerned.

Indeed, if criminal conduct is suspected, there is an obligation to file a Suspicious Activity Report. Disclosing to the “prospective client” that an investigation has been conducted to obtain retrospective consent from that client to investigate them, may involve the commission of a further offence of tipping off that individual (annex 6, Proceeds of Crime Act 2002, Section 333A).

There is a substantial list of statutes and regulations that require businesses to conduct due diligence (annex 7).

The most recent example is the Bribery Act 2010 (annex 8) which creates strict liability for companies where they, or any associated persons who perform services on their behalf, pay a bribe as a result of which the corporation derives a commercial benefit.

Here again Parliament has expressly shifted responsibility to corporations to try and preserve the integrity of the free market and to prevent bribery from occurring.

The only defence under the Bribery Act—which could have startling consequences including corporations being subject to unlimited fines and debarment under EU procurement rules—is for the company to establish that it has “adequate procedures” (annex 8, point 7) in place to prevent it and its associated persons from paying bribes. The burden is on the company to establish this defence.

The Ministry of Justice has issued guidance on what may constitute adequate procedures and Principle 4 of that guidance emphasises the need to conduct risk-based due diligence (annex 9, page 27):

“The commercial organisation applies due diligence procedures, taking a proportionate and risk-based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.”

Having shifted the burden in the manner in which the Bribery Act has, we do not believe that Parliament would have considered the impact of Schedule 2, 4., and had it done so, we would suggest an exemption would have been made under the Private Security Industry Act in this regard.

Furthermore, we do not believe there is any risk to the public in us conducting regulatory investigative due diligence. It does not involve conducting formal interviews, surveillance, or the search for and seizure of evidence, but it can involve “inquiries or investigations that are carried out for the purpose of obtaining information about a particular person or about the activities or whereabouts of a particular person”.

We raised this issue in 2007 with the then Chief Executive of the SIA, Mike Wilson. In his response (annex 10) to our letter he stated that some of the exceptions in Schedule 2 might apply (annex 2, Schedule 2 (2), (9) and (10)).

Unfortunately he did not specify which exemption might apply. In our respectful view, it is an unacceptable position that we may be exposing ourselves to criminal sanction (annex 8), if this part of the Act comes into force, without any clarity being provided by either the SIA or Parliament as to what exemptions do in fact apply, if any.

We do not believe that, while these investigations may fall within a strict interpretation of Schedule 2, 4. of the Act, there is any good reason for regulating this conduct. Furthermore, we would suggest that the SIA is not a body or entity which has the required knowledge, skills or capacity to be an effective regulator in these areas.

Finally, we would assert that the relevant provisions of the Data Protection Act provide sufficient controls over this type of activity without the need for additional regulation.

In short, we would suggest there should be express exemption under Schedule 2 in respect of these activities.

Parliament clearly knew that there might be a need for clarification of the scope of Schedule 2 of the Act because it inserted a power under the Act for the SIA to recommend modifications to it.

We would therefore respectfully suggest that the Select Committee make such a recommendation (annex 2, Section 1(4), a).

Merger and Acquisition, Private Equity Funding and Corporate Finance Support

There are similar arguments in relation to merger and acquisition activity, private equity funding and other general corporate finance support.

The Bribery Act does not exclude successor liability. Therefore, if you acquire a business without conducting effective due diligence you may be liable, as a corporation, for the historical acts of the acquired corporation.

Guidance from the Department of Justice in the United States in respect to similar legislation requires companies to carry out effective due diligence before they buy corporations or enter into joint ventures, or in circumstances where due diligence cannot be conducted before acquisition, requires due diligence to be conducted immediately thereafter (annex 11).

This can, and often does, involve looking at the manner in which individuals within corporations actually conduct their business relationships and would therefore involve obtaining information about a particular person or the activities of a particular person.

Such inquiries are undertaken in the first instance without conducting formal interviews, searches or surveillance.

If prima facie evidence of corruption is identified our clients are notified. At that point they may withdraw from the transaction completely or proceed with the transaction and after the acquisition initiate their own internal investigation.

Outside the Bribery Act, private equity and corporate finance firms often conduct rigorous due diligence on both individuals and firms to ensure that they understand what they are buying. In some instances this is done openly and transparently. In others, it is not. That may be because there is an insolvency process, an auction with limited disclosure through a document room or because timelines are tight.

In some circumstances a business may be considering strategic acquisitions and want to know details about a business in which it has an interest before entering into a more open process. In most circumstances, which are regular features of business in the UK and elsewhere, obtaining an individual’s consent to investigate may not be commercially viable, but it is critical to good business, proper corporate governance and the preservation of shareholder value that such investigative due diligence is undertaken.

Again, such investigations do not involve formal interviews, surveillance or the gathering and preservation of evidence. There is no identified risk to the public and thus one would seriously question, in these circumstances, whether the intent behind the Private Security Industry Act is met and therefore why such activity should be regulated.

We would once again suggest that in these circumstances the Data Protection Act provides sufficient protection to individuals.

Had Parliament considered this issue we suggest it would have excluded such activity from the ambit of the Act.

We would therefore respectfully suggest that such investigations are excluded from Schedule 2, 4. of the Act.

Statutory Regulation Anomalies

The information contained in the Information Commissioner’s 2005 report “What Price Privacy?” published in May 2006, together with the evidence the Information Commissioner gave at this Select Committee, does not support the contention that lawyers should be exempt from a licensing requirement if they conduct or instruct others to conduct formal interviews, surveillance or search and seizure in the context of an investigation.

In fact, that evidence suggests that there is a far greater risk to the public from lawyers’ activities than from the activities of private investigators in respect of whom, the Information Commissioner said in his evidence to this Select Committee, he had received very few complaints.

In his conclusions to the May 2006 report the Information Commissioner wrote:

“The press are not the only drivers of this market of course. This report highlights many other businesses which regularly turn to private investigative firms and through them to the shadier end of the tracing market, requesting personal information they must know or suspect has been unlawfully obtained.

It may only be exceptions on the fringes, but it is clear that insurance companies, solicitors, local authorities, finance companies and other lenders are implicated in this trade…”, (annex 12, point 7.3).

The evidence provided to Lord Leveson’s inquiry also demonstrates serious issues about the conduct of external and internal legal advisors.

The Act also currently exempts from its provisions individuals working as employees of companies which are not otherwise security companies. Again, given the nature of concerns raised by the Information Commissioner, particularly with reference to local authorities, finance companies and other lenders, one questions whether their staff at least should be subject to the same licensing requirements and/or competence tests.

Accountants are similarly excluded from the provisions of the Act.

In this regard we would point to the recent arrest of a PKF partner and at least one other member of staff in January 2012 (annex 13).

Moreover, if the purpose behind the statute is to mitigate risk to the public, it makes little or no sense that if a qualified lawyer or accountant works in a legal or accountancy practice and provides services which fall within Schedule 2, 4. they do not need to be licensed, but if the same individual works in a risk management consultancy they do (annex 2, Schedule 2, 4., (4) and (5)).

The impact of these sections simply serves to create an anti-competitive environment without any evidential basis for that position.

For the avoidance of doubt, our view is that any company, or individual, which conducts formal interviews, surveillance or search and seizure should be licensed whether they are a law firm, an accountancy firm, a risk management consultancy or a private investigator (or a journalist). Nor do we believe that there is any evidential basis for reaching the conclusion that the risk to the public is less from an in-house investigator than from an external investigator. In fact the Information Commissioner’s report would support the opposite conclusion.

Did you contribute to the consultation process in 2007?

We have contributed in a number of areas. When the SIA was first established we were on the stakeholder advisory panel which was subsequently disbanded.

Before that we took part in a Confederation of British Industry (CBI) initiative in conjunction with the City of London Police and the Metropolitan Police that was designed to permit “accredited investigators” to work with the police more closely and in some circumstances, to share intelligence and evidence.

The objective behind this initiative was, in circumstances where clients had suffered fraud, to allow investigators to conduct investigations in conjunction with the police, thereby freeing up significant police resources, and through the police to exercise police powers to obtain and secure evidence.

In 2007 we contributed to the debate about competences (annex 3).

We have also, at various times, contributed to the debate by either writing to or meeting with the SIA.

If there was a system of licensing should it be individuals or companies?

Again, we shared our thoughts on this in 2003, 2006 and 2007. We believe only companies should be licensed and that there should be an obligation on them to ensure that those within their organisation who provide the type of professional investigative support we have described above should be both “fit and proper” and have the necessary competences to do so.

In addition to corporate licensing, we believe both in transparency, to allow clients to make informed decisions, and in the ability of clients and those affected by breaches of their rights, to obtain recourse.

Therefore we would recommend that companies be required:

to ensure that directors are fit and proper—with no criminal convictions;

to file full audited accounts;

to have paid all relevant taxes;

to be registered pursuant to the Data Protection Act;

to provide professional indemnity insurance to cover their activities;

to screen staff to FSA levels;

to establish that staff undertaking private investigations have the necessary skills or are in the process of acquiring those skills;

to have an established training programme;

to demonstrate appropriate information security policies and procedures around their treatment of personal data and sensitive personal data;

to have such other policies and procedures as are required to protect their clients’ confidential and proprietary information; and

to the extent that third parties or subcontractors are used, to have appropriate controls around the instruction of those individuals or companies.

If individuals wish to provide investigative services they should be personally registered and, in order to obtain such registration, be able to demonstrate that they comply with the same criteria.

We believe our views correspond with those expressed in the SIA Fact Sheet issued in January 2012 (annex 14).

It has been suggested that there should be a form of co-regulation, part by statute and part by industry—would that work?

We are firmly of the view that such a mechanism would not be appropriate. The weight of the debate is away from self-regulation or partial self-regulation.

Moreover, there is no industry body in the UK that is capable of discharging such an obligation. In our view, to establish one, given the breadth of the sector, is not something which could easily be done. Aside from competence issues there are equally significant funding issues.

Whatever follows the SIA should be the statutory regulator.

Supplemental Questions Asked by the Select Committee at the Hearing on 13 March 2012

Do you buy information from third parties?

We buy a significant amount of information from third parties. These include:

Commercial database providers

We subscribe to over thirty different commercial providers of information in order to access media records, company information, credit and litigation data and international watch list information, for example:

Factiva—media database;

Dun & Bradstreet—company credit information;

Creditreform—personal and company credit information;

Lexis Nexis—media, company and litigation information; and

Complinet—international PEP and watch list information.

Official information sources

Typically these are company registries, many of which are departments of the state and we access such sources all over the world. In the UK these include:

Companies House—UK company information;

Jersey Financial Services Commission—Jersey company information; and

Land Registry—UK land ownership information.

Many of these databases collate publicly available information but that is not always the case.

For example, credit information is often protected and a company seeking to access such information is required to demonstrate a need or reason to access such information. These include:

Experian—UK consumer and corporate credit information; and

Equifax—also UK consumer and corporate credit information.

Other commercial providers require the user to provide a reason for searching. In the case of Zyklop Inkasso, a German consumer credit provider, a drop-down list of acceptable reasons for conducting a search must be completed.

In some circumstances the database relies on information which is public, having been derived from registers, but is not “publicly available” and therefore would not fall within the provisions of Schedule 2, 4., (7) (a) of the Act. An example of this is a private news clippings agency that we have used in the past in Cyprus.

Law firms and accountancy firms

In some jurisdictions corporate records and other filings have to be obtained through law firms or accountancy firms. For example, in many African countries company records may only be accessed by a registered lawyer or accountant (eg Nigeria). In such cases, we would use a law firm to access this information.

Licensed private investigators

In some countries, Italy for example, access to some court records is restricted in that they can only be obtained by, amongst others, licensed investigators. In these circumstances a formal application to the court is made. Where that is the case we would use such investigators to obtain such data.

We also use licensed investigators, where the local regulatory regime requires it, to conduct investigative activity in support of wider international investigations we may be undertaking. This is done in conjunction with local lawyers to ensure compliance with local law.

Unlicensed investigators

In some jurisdictions, such as the UK, there is no requirement for investigators to be licensed but from time to time we may instruct them to conduct specific tasks, such as physical surveillance.

In the case of our company the decision to undertake such a step is only taken in conjunction with the client and their legal advisors and when both they and we independently form the view that such a step is both necessary and proportionate to the issues which have to be addressed. In other words, we apply the relevant test created by the Regulation of Investigatory Powers Act 2000 (annex 15). The example cited above was such a case.

Regional or sector experts

We often seek local views on political or security risk, or business related issues in markets where there is no, or very limited, publicly available information.

This might be specific—in respect, for example, of local intelligence on a terrorist incident, we may speak to third parties to try and determine where a bomb was, what its impact was and who may have been responsible.

It may be more general such as taking an expert regional view on the competences or capabilities of a local terrorist group.

In the context of anti-corruption due diligence we similarly might take a local expert view on whether an individual is or is not a politically exposed person, a foreign government official, related to a foreign government official or a known nominee for a foreign government official. We may also, for example, take regional experts’ views on the openness and transparency of a particular tender process, the key competences of the directors of a business which won a tender or their access to capital to finance the exploitation of licences they have been awarded. Answering those questions may provide tangible data from which our clients can determine whether they are risking contravening the Bribery Act, for example.

Media consolidators

In some environments historical media coverage is not online and is manually consolidated by an individual or a company. We may buy information from such a consolidator. The information which they provide, whilst once public, is no longer “public” and may therefore not fall within Schedule 2, 4., (7) (c), (annex 2). Again the Cyprus example is relevant.

How many people do you buy information from?

There is no simple answer to this question because we offer a number of different services which relate to the provision of information to our clients. These services require different types of sources of information as indicated above.

However, as we have already indicated, we have operated in more than 150 jurisdictions, therefore the number and types of information sources are significant.

Information brokers

For the avoidance of doubt we would wish to make it plain that we do not use “information brokers” in the sense of the term identified in the 2006 report, nor, in so far as we understand it, in the sense given by other parties who have provided evidence to this Select Committee.

2 April 2012

Prepared 5th July 2012