Regulatory Raids – Are you prepared?

Datuk C. Thavarajah and Geoffrey Williams, experienced investigators in local and international investigations from Malaysia and Australia respectively, spoke recently at a Lunch Talk by legal and regulatory advisers SK Chambers on Responding to Raids by Regulatory Authorities. The talk was conceived and moderated by Shanthi Kandiah of SK Chambers.

When the regulators come knocking ….unannounced, organisations should be prepared with trained staff and a clear set of procedures for them to follow.
“The reality is you won’t have time to come up with a strategy on the day,” said Geoff Williams.

He drew an analogy with a fire alarm going off in a building without established protocols and trained employees. “When people are not trained to handle a fire situation, they will be all over the place in panic. This is essentially the same for a raid. It is all about preparing yourself and managing the risk when such a situation arises,” he explained.


Key Risks associated with a Raid

A raid is the perhaps the most disruptive and intrusive form of investigation by the authorities and can do a lot of damage to an organisation’s business activities.

“Many businesses are not even aware of the risks associated with a raid, let alone whether their systems and processes can handle unannounced or unexpected visits, said Shanthi Kandiah as she set the scene for the Talk. “Potentially catastrophic damage to your business can result from speculation and misinformation surrounding a raid alone,” she added.

Risks for the un-prepared include:

  • Inability to bring together a response team that has been trained on how to act and behave, and who to call should an investigation materialise;
  • Excessive removal of documents outside the scope of a warrant, including electronic documents;
  • Claims for legal professional privilege are not made or waived;
  • Penalties (civil or criminal) for obstructing an investigation or concealing or destroying documents;
  • Inadequate communication with employees on their obligation to cooperate and maintain confidentiality. Employees should be warned against posting photographs and information about the raid as it affects corporate reputation and potentially exposes the company to liability for offences such as ‘obstruction of justice’ and ‘tipping-off others”;
  • Poor management of external communications may compromise corporate reputation with investors, customers and suppliers. Competitors may also exploit this vulnerability to ‘steal’ customers and suppliers.

“Be confident, accommodating, co-operative and do not panic”, advised Datuk Thavarajah. “Even ill-founded worries or concerns will be apparent to seasoned investigators and suggest there is information being concealed,” he cautioned.


NOT cooperating is NOT an option

“The power to conduct raids give an authority the right to search your premises without your consent,” explained Geoff Williams. “The authorities are counting on the element of surprise to retrieve as much evidence as possible and to minimise the potential for destruction of evidence”. To ensure its success they would have invested in considerable surveillance and espionage prior to the raid.

In most instances a judge would have granted to the authority the right to search premises in the form of a search warrant. But most if not all Malaysian authorities are empowered to conduct searches without warrants where there is a threat of destruction of evidence.

Resisting or obstructing a raid can only complicate your legal situation. The penalties are in most instances criminal and in some instances the law provides for personal liability for directors and senior company management. If one studies trends internationally, authorities are also becoming increasingly tough on perceived and actual failures to play by the rules during a raid, even in the case of accidental or unintentional obstruction.

Ensuring that proper procedures are in place during a raid has never been more important.


Expansive powers of search and seizure

In general authorities in Malaysia have broad powers to inspect corporate and residential premises, seize and copy documents, emails and other records, and interview employees.

Today an authority’s most important source of information is likely to be the company’s IT systems. The duty to cooperate includes giving a full explanation of a company’s organisation and IT environment.

Authorities can search a company’s entire IT environment. They can remove computers and hard drives, or image hard drives and servers, or run search words on site and limit seized documents to those that that trigger results from search words.

A raid-protocol-trained-IT assistant can be a valuable asset to an organisation – namely to give the authorities what they are looking for while minimising the removal of expensive IT equipment. Datuk Thavarajah pointed out that regulatory authorities are not keen to seize unnecessary information either.

Where data is stored off site, the question arose whether access to this data is beyond the scope of the search warrant. The view expressed by both speakers suggests that so long as access to the data is available on site, passwords should be provided to give access.


Personal effects of employees at raid site may be fair game

The authorities may search desktops and laptops, as well as, among other things, employee iPhones, mobiles, tablets, or USB keys – anything that is on the premises. In practice, an authority is likely to regard any devices on the company’s premises as fair game, even those that are owned personally by employees. Objecting to this process is tantamount to obstruction as they may have an interest in verifying whether those devices contain any business-related information. Employees should be made aware that data protection and privacy are not valid reasons or defences to refuse authorities access to certain devices or electronic files or folders.

Mistakes can prove costly – the basic message to all employees must be that it is company policy to cooperate.


Awareness of Rights

But while these powers are broad and onerous, companies should not sit back and compound a bad situation by being unprepared.

“Having a clear sense of what to expect (through scenario building and walk-throughs), what your rights are, and being alert to potential mistakes by authorities (e.g. wrong address on search warrants), are important ways in which you can protect your organisation,” said Shanthi.

Key rights include:

  • The right to ensure that officials are who they claim to be;
  • The right to study the search warrant to ensure that it states the right address and to determine its scope;
  • The right to observe what is going on and what is taken – Key staff such as IT/Legal should be there to observe and document what is being taken – What are they focusing on? What are they taking? Are they staying within the limits of the search warrant?
  • The right to a list of documents taken – The list is likely to be vague and broad. References to “computers” or only stating the file reference without listing file contents, are routinely what is provided.


Answering questions during a raid

Refusing to answer questions relating to a raid (e.g. location of files, password) may be viewed as an obstruction. However, in general you are not required to answer questions pertaining to an investigation particularly answers to questions that may incriminate you. There are notable exceptions to this right provided by the Malaysian Anti-Corruption Commission Act 2009 and the Anti-Money Laundering, Anti- Terrorism Financing and Proceeds of Unlawful Activities Act 2001. These laws appear to require answers from a person, even where it tends to incriminate him/her, failing which he/she runs the risk of having committed an offence.


Legal Professional Privilege

With regards to legally privileged documents, Geoff Williams explained that the position in Australia is that a protocol is established to deal with documents that are privileged. When there is a dispute of documents being legally privileged, those documents will be placed in a sealed envelope with its status left to be determined by an independent third party. In relation to imaged data, the authorities would not view the data until the parties have agreed to a protocol for dealing with such data.

Datuk Thavarajah felt that the practice of establishing protocols for legally privileged documents in Malaysia is not commonplace. He also highlighted the practical difficulties in separating privileged information from others. Unless privileged communication is clearly identifiable, authorities may not agree to being denied access to such information. Marking privileged documents clearly with the words “Legally Privileged” or encrypting emails containing legal advice are potential strategies to safeguard privileged information.


Raid Response Strategy

A raid is a risk like any other risk the company is exposed to. As such a Raid Response Strategy should now be part of the Risk Management Toolkit for any business. Its goal should be to minimise the disruption so organisations are able to resume business quickly, as well as to contain any fall out from the event.

A sound strategy will involve training for the following key personnel, said Shanthi Kandiah:

Senior management team – Senior management should be aware of regulatory authorities’ current strategies with regard to civil and criminal investigations, their search and arrest powers, what a raid looks like in practice (including the business recovery strategy), what the authorities can and cannot do and what a Raid Management toolkit should comprise.

Selected staff who it is envisaged might deal with a raid in practice – Training here would address in more detail at the practicalities of the raid and what it seeks to achieve. It will include an explanation and analysis of:

  • The search warrant
  • The powers of the authorities and the obligations of employees;
  • Key actions in the first hour of a raid;
  • What to do or say in response to questions and requests by the authorities;
  • The importance of preserving evidence and what to advise staff to do;
  • What to do about legally privileged material; and
  • How to deal with other document and IT issues that arise in a raid and afterwards, so that businesses can be up and running again once the authorities have left the premises
  • Proactively handling media and other external communications

Security reception and administrative staff – These staff will usually be the first people to be aware that a raid is happening. They should be advised on what to do, who to contact, how to deal with the authorities when they arrive.


Minimising the risk of being investigated

The afternoon concluded with both speakers agreeing that the ultimately the best strategy for any organisation is to minimise the risk of being investigated.

Datuk Thavarajah acknowledged that the balance of power in raids is skewed heavily in favour of the authorities, and felt it had to be so.

“They are walking into a potentially hostile environment, blind. They need these powers to do their job”.

Shanthi Kandiah summarised the key tenets of a credible compliance programme. Organisations should:

  • Know the regulatory regimes that apply to their organization.
  • Implement controls, policies and programs that ensure compliance and detect infringements – if the system does not throw up issues, then the system needs to be revisited. Do not assume that everyone is compliant!!
  • Undertake periodic inspections to identify new risks, update programs accordingly.

Regulatory authorities can sniff out a bad compliance programme a mile away, said Datuk Thavarajah. They look for incentives within the system for compliance. “If the messaging from the top, namely the board or senior management, is weak or for example if a frequent infringer is rewarded with large bonuses, these are tell-tale signs that system is not credible. It will not carry any mileage with the authorities,” he added.

Contributed by Shanthi Kandiah, Partner at

Datuk Thavarajah – Datuk C. Thavarajah started his career in the Royal Malaysian Police Force in 1956 before joining the Anti – Corruption Agency in 1967. With over 25 years of experience in anti-corruption investigations, Datuk C. Thavarajah’s was later sought to head Bank Negara Malaysia’s Special Investigation Unit in 1992. In 1998, he continued to serve as a Bank Negara Malaysia nominee and held many executive positions such as Special Assistant at RHB Bank-Credit Control Department (1998-2004), an Executive Director at Sime Securities Sdn. Bhd.(1998-2005), a Director at Sime Securities Holding (1998-2007). Besides this, he served as an Independent Investigating Officer at the Competency Assessment Panel for the Malaysian Anti-Corruption Commission (2012). Datuk C. Thavarajah brings with him more than 50 years of unparalleled investigation experience in the field of anti-corruption, criminal, white-collar crime, banking, stock broking and debt recovery litigation.

Geoff Williams is a highly regarded competition law specialist, having held the position of General Manager for Enforcement Operations NSW at the Australian Competition and Consumer Commission (ACCC). Geoff has over 25 years experience investigating enterprises from large multi-national enterprises to small enterprises. Geoff has managed investigations and litigated some of Australia’s most significant competition law cases, including ACCC v Visy Industries, which was Australia’ largest domestic cartel in the packaging industry. In 2013 he was seconded to the MyCC by ASEAN to provide competition law expertise and training. Geoff is currently engaged as a consultant to the ACCC’s serious cartels group in investigating an international cartel. He holds a Bachelor of Laws from the University of Technology Sydney, which he obtained in 1991.

Shanthi Kandiah founded SK Chambers with the goal of creating a standalone regulatory firm that services individuals and entities involved at all levels of the regulatory scheme. Her corporate practice covers the full spectrum of multimedia laws, privacy and data protection matters, anti-bribery and corruption laws, as well as capital market laws and Exchange rules. She regularly advises corporations in sectors such as media and telecommunications, FMCG, construction, pharmaceuticals and other service industries. She has assisted Malaysian multinationals on developing their global competition and regulatory law compliance policies. Formerly from the Securities Commission, Shanthi has co-authored country reports for the World Bank and OECD. She has a Masters in Law from King’s College, London and Bachelor of Laws from the University of London. She holds a Postgraduate Diploma in Competition Economics also from King’s College. She was admitted to the Malaysian Bar in 1993.

Contact Us to Understand How We Can Help You

As the first regulatory-focused practice of its kind in Malaysia, we can say that what we offer is unique. We can also say with certainty that our regulatory and legal experience provides us with the comprehensive knowledge needed to address competition law issues in a holistic manner. To learn more, or to gain the strategic advice you require, contact our regulatory law firm or call us at +60 3 2011 6800.