The Changing Landscape of Dawn Raids: Preparing for Hybrid Inspections
The pandemic accelerated widespread digitisation in almost every industry. Moving from hard copy to digital documentation influences many business and legal processes, including the way authorities around the world conduct dawn raids. A dawn raid is an unannounced inspection by regulatory or criminal investigatory authorities into matters such as competition law, financial markets regulation, data protection, and financial crime. Such raids typically occur in the morning and have generally been carried out onsite. However, the rise in remote work has altered investigatory approaches and there has been a notable increase in hybrid raids. Teams can simultaneously raid physical offices and private residences to ensure they collect data on remote worker devices – sometimes in multiple countries. This will likely increase the presence of “order up” requests mandating that organisations provide more of their data held remotely or that staff appear in person for device inspections.
Although dawn raids are not frequent, they occur without warning and can put an organisation at significant risk of noncompliance if it is not prepared. It is important to know who can conduct dawn raids and how investigations are shifting with the remote work culture. This knowledge better positions organisations to proactively create plans that limit risk.
Dawn raids are very prevalent in both the U.K. and mainland Europe. The Competition and Markets Authority (CMA) has the power to investigate anti-competitive behaviours that affect U.K. trade in both civil and criminal contexts. The CMA needs reasonable grounds of suspected infringement to enter premises and exercise statutory information gathering powers. This can come to light through agency intelligence or outside sources such as a whistleblower. A search warrant is not always required; however, it is necessary when entering domestic premises. Raids are appropriate for suspected cartel offences – collusion around price fixing, market sharing, bid rigging, and limiting output all raise red flags. Some other U.K. regulatory bodies that can perform dawn raids include Ofgem, Ofcom, the Civil Aviation Authority, the Financial Conduct Authority, and the Serious Fraud Office.
Starting in the middle of 2021, dawn raids in mainland Europe surged after a dip resulting from the pandemic. An emerging trend is that investigations will not be limited to cartel offences. The European Commission has statutory powers to investigate anti-competitive practices affecting trade between EU member states such as restrictive agreements and abuse of dominance. Other national competition authorities that can perform dawn raids include the French Autorité de la Concurrence, Netherlands Authority for Consumers and Markets, Hellenic Competition Commission, and Romanian Consiliul Concurenţei. This list is not exhaustive but highlights key regulatory bodies that have recently initiated more investigations.
Penalties include fines and imprisonment for criminal matters. Organisations can also receive fines for noncompliance with procedural mandates such as failure to turn over requested documentation or concealing evidence.
Considerations and Preparation
If organisations handle a dawn raid incorrectly, significant liability may result. The trend of increased hybrid raids can be daunting, as many organisations do not have a solid plan that accounts for custodians working remotely. To reduce the shock factor and remain compliant, it is crucial to plan ahead and leverage partnerships that will limit exposure and foster preparedness.
Here are four ways to enhance dawn raid preparedness:
Understanding risk factors: Knowledge of the type of data an organisation maintains will uncover which information is at risk and the regulatory bodies that would control potential investigations. Certain business activities increase dawn raid vulnerability, such as communications between organisations that could appear as collusion or collecting sensitive consumer information invoking data protection legislation. A proactive risk assessment allows for earlier custodian identification, notification, and training opportunities.
Mapping data: Many organisations already utilise data mapping as an information governance tool. After determining that an organisation could be subject to a dawn raid, specific mapping for high-risk data will aid with investigatory compliance. Mapping should entail identifying, understanding, and plotting what information an organisation has, how the data flows through the organisation, who has physical or remote access to the data, and where the information is stored. Mapping can also uncover improper data handling by remote workers that organisations need to address. Establishing control and accessibility allows for easier retrieval and assessment of privilege during a sudden investigation.
Having a documented response plan: When establishing response protocols, it is crucial to create a living document that lists roles and responsibilities so key actors know what is expected. This also eliminates gaps as personnel and team members change. The core team should include onsite reception, IT staff, legal counsel, management, human resources, and any outside partner overseeing forensic collection or compliance efforts. Also account for key custodians who could be subject to at-home investigations.
Provide proper notice and training on what can happen during a raid – including an active search of the premises, interviews, inquiries about storage locations for relevant documents, and seizure of evidence for review off-premises. Regarding electronic data, investigators can seal off premises to prevent interference with data sources, request passwords, copy drives, remove devices, and more. Also, anticipate challenges that could arise and confirm what constitutes acceptable behaviour. Some actions to avoid during a raid include hostile reception, evidence destruction or concealment, providing false or misleading information, and access obstruction.
Enable your organisation by formulating a written plan accounting for the variables listed above that also considers evolving processes or teams. Absence of a plan could lead to leakage of privileged information, so make sure the team has knowledge of what they can withhold.
Performing readiness assessments and mock exercises: Evaluating and testing policies and procedures will identify gaps. Consider partnering with a provider with experienced experts offering a combination of regulatory knowledge and forensic IT skills to guide assessments. Having an initial workshop can be beneficial to discuss procedures, common challenges, overcoming obstacles, and best practices for dawn raid preparedness. This also provides opportunities to voice anticipated concerns and uncover risk factors.
A readiness assessment can be a valuable tool to create a risk matrix, map data, establish a tailored response framework accounting for hybrid inspections, and determine whether to hold a mock dawn raid. All of this will strengthen the foundation of an organisation’s dawn raid readiness program. Providers can also work in tandem with the team to improve programs and implement best practices leading up to and during a raid. This includes:
- Understanding how to image or copy data on devices
- Creating a memorandum for regulators outlining information management, storage, and retention policies that is regularly updated
- Circulating an internal dawn raid procedure memorandum for both onsite and remote employees
- Copying data seized and imaged by regulators to assess potential exposure
- Observing and noting the entire investigatory process
These are just a few key components of a robust dawn raid readiness program. Regular assessments and audits will highlight specific processes that reduce exposure and streamline compliance in the event of a dawn raid, while also accounting for the likelihood of hybrid raids based on the organisation’s remote work policies.