World Bank Group Investigations Unit expands: Steps companies can take to mitigate sanctions risks

Introduction

Companies receiving WBG financing, especially those operating at or near the investigative hubs and across the developing world, should prepare for and train their employees on crisis response and rapid investigation plans to mitigate the risk of a World Bank sanction¹, particularly when investigators arrive unannounced at remote field offices. We outline hallmarks of such plans following the recently published Sanctions System Annual Report for Fiscal Year 2024 (FY24).²

FY24 Metrics

The Integrity Vice Presidency (INT) opened 56 new and completed 61 existing external investigations, resulting in the submission of 13 sanctions cases and 14 settlements to the Office of Suspension and Debarment (OSD) (up from only six settlements in FY23). INT’s FY24 performance is largely consistent with its performance during the previous fiscal year. 

OSD reviewed 14 cases and 13 settlements, with 11 companies and two individuals temporarily suspended and 17 respondents sanctioned via uncontested determinations. 

The Sanctions Board (SB) issued two final decisions resolving two contested sanctions cases against three respondents. Whereas in FY20, SB issued six final decisions.

The Integrity Compliance Office (ICO) engaged with 91 sanctioned parties to ensure compliance with their conditions for release and determined that 14 sanctioned parties had satisfied their conditions.

The aforementioned figures demonstrate a reduction in pace of approximately 50 to 60 percent of the enforcement levels across INT, OSD, and SB compared to FY20 statistics. Conversely, ICO has largely maintained pace with its FY20 performance.

New Regional Hubs

Potentially in response to the protracted pace of investigations, which constrains the workload of the remaining sanctions units, INT is restructuring its organization. This transition involves maintaining the core team in Washington, D.C., while also establishing satellite investigative hubs in various regions. Based on recruitment data, new hubs appear to be in: 

• Bangkok, Thailand
• Nairobi, Kenya
• Dakar, Senegal
• Brussels, Belgium

INT’s D.C.-based Latin America (LATAM) team has historically operated as a “quasi-hub” given the ease of travel to LATAM and the regional dominance of the Spanish and Portuguese languages, which have paved the way for streamlined investigations. 

In parallel, the D.C.-based team has been supplemented with digital forensic specialists, fraud specialists, integrity risk specialists, and investigators for the complaints development team and focused on Europe and Central Asia.

These developments are likely to increase enforcement risk for companies receiving WBG financing. We expect INT staff to be more connected to country-level operations and develop tighter and direct relationships with local Bank staff and national enforcement partners. These touchpoints can result in faster case development and evidence gathering. A decentralized investigation workflow can also shorten the timeline and minimize travel time and cost. 

The Playbook

Unannounced INT audits at local and field offices may increase as a result of the proximity of the regional hubs. Companies would be well-advised to develop crisis response and investigation plans and train local personnel to respond constructively to the arrival of INT. These measures reduce the risk that INT will perceive the company as obstructive and can foster good will with the investigators. 

The Crisis Management Plan

A company can designate a Crisis Response Team (CRT) and adopt a governance protocol to guide the response to an INT audit and other visits by enforcement authorities. The typical CRT composition includes a team lead and senior leadership from the company’s primary business sectors, as well as cross-functional representation from legal, compliance, human resources, and other functions. The CRT serves as a rapid response unit both for decision-making and for internal and external communication. Many companies have established these measures to address dawn raids and other proactive investigative measures by enforcement authorities. 

The governance protocol guides the response process so local staff understands how to alert the CRT of an external investigative contact such as an INT audit, the appropriate communication channels, and the role of the onsite team in responding to an INT audit. The protocol should include key points of contact and clearly identify decision-makers both onsite and globally, as well as flag any potentially privileged materials that INT should not review. 

Depending on a company’s risk tolerance, the initial reaction to an INT audit can be to:

• Immediately grant the investigators access to the premises. 
• Politely asking that company counsel escort INT into the premises, including asking INT to return on a different day. 
• Initially ask INT to return on a different day when company counsel is present, but grant INT access to the premises upon the investigators’ insistence. 

In any scenario, local personnel should immediately contact the CRT and a designated legal contact should be instructed to be onsite during the INT audit. The legal contact should review the scope of the audit letter and accompany the investigators to ensure the scope of the audit is not expanded. If legal personnel is present, they should liaise with INT and seek to gather additional information about the scope and objectives of the investigation.

If legal personnel cannot be onsite at a specific facility, the governance protocol should identify local personnel charged with obtaining a copy of INT’s audit letter, shadowing INT’s audit, notifying the local and global legal team of INT’s arrival, and sharing the audit letter as soon as practicable. The designated personnel should remain in contact with the CRT throughout the audit process.

Local personnel should create a list of copies of physical documents or electronic information and hardware that INT reviews on site or collects for further review. If INT wishes to interview local personnel, local personnel should politely explain that they are willing to be interviewed at a later time with the presence of company counsel. 

Within the first day of INT’s audit, the company should engage external counsel with experience representing clients before multilateral development bank (MDB) sanctions proceedings. Company and counsel should begin developing a preliminary legal strategy and an investigation plan based on the audit letter and any information gathered from the investigators. A back-end litigation hold should also be implemented to ensure that preservation measures are in place. The company should address employees of the audited location by formally disclosing the audit, requesting that it should be kept confidential, and providing in-house and external counsel contact information for employees to submit questions or concerns. If necessary, this communication can also incorporate a front-end litigation hold, as described in further detail below. 

By the third day, counsel should present the company with a complete investigation plan and obtain buy-in from global and local stakeholders. Implementation of the plan should begin promptly. Counsel should also inform INT of the representation and hold a preliminary meeting or call to gauge INT’s objectives. A reporting cadence from counsel to the company and, if necessary, to INT should be established. 

The Investigation Plan

The plan should describe the scope of the investigation, which generally will track the requests in INT’s audit letter. The plan should outline investigative tasks, which typically include engaging forensic and e-discovery vendors, preserving, collecting, and analyzing documents, and interviewing witnesses. 

Document Preservation, Collection, and Review

The investigation plan should outline the required steps for the preservation, collection, and review of documents. For example, the following measures can be included in the plan: 

• Taking stock of the materials that INT’s investigators took or copied from the audited office. 
• Identifying the relevant custodians and sources of data in-country or abroad. Note that a small set of initial scoping interviews to identify custodians and data sources may be helpful. The list of custodians may be expanded or reduced at later stages. 
• Considering personal and company mobile device collection and preservation steps for ephemeral messaging.
• Instituting a front and back-end litigation hold. The front-end hold should describe the types of documents to be preserved, the subject matter of those documents, and a relevant time period, which should generally reflect INT’s audit letter or the duration of the Bank-financed project, included the bid preparation period. 
• Collecting and processing the materials in accordance with applicable data protection laws and other restrictions on data transfer, such as state secret laws. 
• Running search terms through the collected materials and using Technology Assisted Review (TAR) and Artificial Intelligence (AI) to find relevant and significant materials. This is an iterative process and the search parameters should periodically be revisited. 
• Reviewing materials for attorney client privilege and/or other applicable protections. INT generally respects such protections, per the World Bank’s Sanctions Procedures.³
• Drafting a document review protocol before reviewing documents to ensure consistency. The protocol should outline the background, the types of documents considered relevant or not relevant, the key issues, the types of documents considered significant, and the approach to legal privilege.
• Maintaining a log of significant materials with summaries and individuals involved to facilitate reporting to management and potentially to INT, and streamlining the interview process. 
• Considering which sanctionable practices INT may be investigating and how those may intersect with domestic and cross-border enforcement exposure. 
• Strategizing about how to mitigate collateral impacts, such suspension from public procurement processes and breaches of commercial contract provisions.

Vendors

Depending on the scope of INT’s audit, the investigation plan should also identify specialist vendors to support the investigation:

• An e-discovery specialist can assist with the collection and hosting of the document review platform if a significant amount of electronic data needs to be collected. 
• A language expert can provide extra headcount or specific language expertise if the document review is expected to be significant, or the materials that are likely to be in a foreign language.
• A forensic accountant can provide valuable insights if INT’s allegations relate to accounting improprieties, complex financial transactions, or asset misappropriation. 
• A due diligence provider can unearth critical information about third parties involved in INT’s allegations and inform the cooperation strategy. 

Interviews

From the start of the investigation the plan should outline interview strategy, logistics, and tasks. The investigation plan should address logistical questions, such as virtual or in-person interviews, if in-house counsel will be present, who will communicate the interview request to the witness and how the meeting will be messaged, how will the interviews be sequenced (typically from the lower-ranking individuals to the key personnel, but strategic reasons may dictate otherwise), and if interpreters should be present.

The investigation plan should include a preliminary list of expected interviewees, which may be refined and expanded as documents are reviewed. The significant document log mentioned above can incorporate pertinent questions per document. This can later evolve into interview outlines. Comprehensive outlines for each interviewee should be drafted even if the actual interviews deviate. 

The plan should address whether interview memoranda should be drafted. They are a helpful tool for retaining and organizing information but can be a costly exercise. Formal memoranda in narrative format can be replaced by bulleted notes, especially considering that INT typically records and transcribes its interviews and respondents may be able to access them. Memoranda and bulleted points should bear all appropriate markings and introductions to ensure that they are not discoverable, according to applicable privilege and confidentiality rules.

Risk Mitigation in developing countries

Special compliance solutions are often necessary. The implementation of integrity compliance measures in the developing world, often in remote areas, can be challenging. In FY24, the ICO – in partnership with the Republic of Korea’s Ministry of Justice – launched a new guide designed to equip small and medium-sized enterprises (SMEs) with practical tips based on integrity compliance best practices.⁴ Although the guide is geared toward SMEs, multinational companies (MNCs) can draw inspiration from the ICO’s practical tips to any operations undertaken in more challenging jurisdictions. 

For example, investing in local leadership with verified integrity credentials and regional oversight can provide a flatter reporting structure, with a high degree of interaction among managers and employees. This in turn will allow for informal communication of business integrity standards. Frequent, short, small-group discussions led by local teams instead of lengthy training sessions delivered by external consultants can also organically foster an integrity culture. Experiential training, contests and games, and pictorial descriptions or graphics instead of text-based training materials may be more effective communication platforms in this setting. 

In cash-based markets like many in the developing world, cash transactions should be carefully controlled. While the risk of cash misuse for inappropriate practices remains high in any market, in the developing world cash cannot always be replaced. Use limitations, written justifications, physical controls, verification of underlying transactions, special audits, special cash replenishment procedures are additional measures to be implemented. The fundamental principles of segregation of duties and multiple approvals should underlie any such measure. 

MNCs can also consider undertaking collaborative initiatives with other companies and organizations under a “collective action” model – as coined by the World Bank. Such collaboration has proven effective in facilitating the promotion of integrity compliance more broadly, even when executed in collaboration with competitors. 

Into the Future

Looking ahead, frontline employees will continue to play an integral role in ensuring that companies are living up to their business integrity standards. Frontline employees know their market, the risks, and the good and bad actors. Companies should ensure that they are consulted. In parallel, MNCs can leverage existing compliance training and awareness-raising initiatives, with appropriate adjustments, to educate their frontline employees about the risk of enforcement by the World Bank and other MDBs. 

This proactive approach can ensure that frontline employees have the skillset to not only avoid integrity pitfalls but also identify INT investigators, if they come knocking, and promptly escalate the audit to the CRT and corporate leadership.  

Authored by Peter Spivack, Ann Kim, Alessandra Carozza, Nikolaos Doukellis, and Wintana Yohannes.