Internal Investigations: How Financial Institutions Can Preserve Privilege

Takeaways

• Privilege is critical to managing legal and regulatory risk in internal investigations in the financial services industry and must be actively protected.
• Financial institutions should involve counsel early and clearly document the purpose of obtaining legal advice and assessing potential legal exposure.
• Emerging technologies, including AI tools and increasing multiregulator coordination, present new and evolving risks to privilege that require proactive management to avoid inadvertent disclosure.

Related link

• AI Notetaking Tools Under Fire: Lessons from the Otter.ai Class Action Complaint

Article

Financial institutions’ investigations of internal complaints frequently begin as routine compliance or examination-related matters but quickly evolve into enforcement-sensitive or litigation-focused legal investigations where privilege is most at risk. These investigations often unfold under the scrutiny of multiple federal or state regulators.

In this context, attorney-client privilege is more than a procedural safeguard. It is a key component of regulatory risk management. A misstep can lead to the inadvertent waiver of the attorney-client privilege and expose sensitive communications in later litigation or examinations.

What Makes a Communication Privileged?

Regulators often expect transparency, while business teams may assume exam response materials are privileged. Particularly where materials were created primarily for compliance rather than legal advice, judicial opinions are unclear. Attorney-client privilege protects confidential communication between a lawyer and client made for obtaining or providing legal advice.

In the corporate investigation setting, attorney-client privilege applies when:

1. The communication is between an attorney (in-house or outside counsel) and an employee acting on behalf of the organization;
2. The communication’s primary or dominant purpose is to seek or provide legal advice; and
3. The communication is intended to remain confidential.

Privilege risks are heightened where compliance and audit functions are heavily documented and counsel is only tangentially involved. Counsel’s mere review alone does not create privilege, which can become a concern in common scenarios like monitoring, surveillance, and sales practice reviews.

Determining who qualifies as “the client” within an organization is critical. Privilege generally extends to employees empowered to act on counsel’s advice such as compliance officers, risk executives, and senior managers. Interviews with other employees may also be privileged if they are:

1. Conducted by counsel or at counsel’s direction; 
2. For the purpose of obtaining legal advice; and 
3. Conducted only after the employee has received appropriate Upjohn warnings clarifying that counsel represents the organization, not the individual being interviewed.

Confusion in these investigations over whom counsel represents can be great. This is especially the case where employees may reasonably assume counsel represents them individually due to licensing obligations, regulatory exposure, or prior interactions. Because employees in the financial services industry often are licensed or face individual exposure, consistent, clear, and repeated Upjohn warnings are particularly important.

Work-Product Doctrine: Legal Preparation vs. Routine Compliance

Separate from the attorney-client privilege, the work-product doctrine protects materials an attorney, or others at the attorney’s direction, prepared in anticipation of litigation.

For financial institutions, this distinction often turns on whether the investigation is part of routine compliance or conducted in response to a specific and articulable threat of litigation or enforcement.

There are two types of work product:

1. Opinion work product (counsel’s mental impressions, conclusions, and legal theories), which receives near-absolute protection; and
2. Fact work product (factual summaries or interview notes), which may be discoverable in litigation if an opposing party demonstrates substantial need.

To preserve the work-product protections, institutions should clearly document that counsel was engaged to provide legal advice regarding potential legal exposure, not merely to satisfy a regulatory or compliance requirement.

Common Privilege Challenges for Financial Institutions

1. Regulator coordination and waiver risks – Voluntarily providing investigation summaries to a regulator (even under a confidentiality agreement) can waive privilege for the documents disclosed. Benefits to entering into these agreements are not the solution for this concern. Although strategic reasons exist for entering into such agreements, those reasons do not eliminate waiver risk. Pressure to cooperate with requests from regulators (such as FINRA requests, SEC cooperation credit consideration, and CFPB civil investigative demands) heighten the need for financial services organizations to make early, strategic decisions about sharing investigative findings. Institutions should consult with counsel before and throughout any investigation to address the organization’s specific risk profile.
    
2. Multi-agency and cross-border operations – Financial institutions often operate under overlapping regulatory regimes or across national borders. Although U.S. law recognizes corporate privilege broadly, foreign jurisdictions (particularly within the European Union) apply more restrictive or different standards. Early coordination with counsel experienced in cross-border investigations is important in these situations. 
    
3. Intersection of legal, compliance, and audit functions – Internal audit and compliance reviews, while essential (and often legally required), are not inherently privileged. Privilege attaches only if these functions act at counsel’s direction to support legal advice, rather than routine business or regulatory objectives.
    

Avoiding Common Pitfalls

Emerging Consideration: AI, Privilege

The financial services industry has relatively higher regulatory expectations around data governance, vendor management, and cybersecurity than other industries.

Generative artificial intelligence (AI) tools can streamline investigations by summarizing interviews, drafting reports, or organizing evidence, but they also can introduce significant new privilege and confidentiality risks. Many AI platforms store user data or use it to train models, potentially disclosing confidential and privileged information to third parties.

Before incorporating AI into any investigation process:

1. Enter into written agreements with vendors that explain exactly how uploaded data is used and stored in any AI tool.
2. Avoid entering confidential, privileged, or identifying information into tools not controlled by the organization or its counsel.
3. Establish internal protocols for how AI tools are used and reviewed in legal or compliance functions.

Even inadvertent disclosure through AI can undermine privilege and create additional cybersecurity and regulatory exposures.

Practical Steps to Safeguard Privilege

1. Engage counsel early
2. Define the investigation’s purpose
3. Control investigative report distribution
4. Label legal questions and advice appropriately
5. Train internal teams
6. Coordinate globally

* * *

For financial institutions, privilege is both a shield and a strategic tool. Preserving privilege requires thoughtful planning and disciplined execution.

By engaging counsel early, clearly documenting purpose, and managing regulator and technology interactions with care, financial institutions can protect the integrity of their investigations — and their most sensitive communications.

Attorneys in Jackson Lewis’ Financial Services Industry Group and Corporate Governance and Investigations Group advise financial institutions on privilege, work product, and internal investigation strategy. For guidance on all phases of your next investigation, please contact a member of our team.