Representing Financial Institutions in Global Multi-Agency AML Investigations


Multi-jurisdictional investigations present numerous challenges and require careful management of the risks that arise. This chapter provides an overview of the issues that may occur throughout the duration of multi-jurisdictional anti-money laundering (AML) investigations into financial institutions, from breach reporting, to responding to investigatory requests, to the settlement of an action.

The nature of money laundering systems and controls failures is such that, in some jurisdictions, investigations can be pursued on either a criminal or regulatory basis, or proceed on a ‘dual track’ basis at the outset, and criminal money laundering or failure to report offences by an institution may be investigated by law enforcement agencies rather than on a regulatory basis. In this chapter, we focus primarily on multi-jurisdictional regulatory investigations, including internal investigations carried out in parallel with such investigations.

Managing multi-jurisdictional investigative demands against data privacy and other requirements

Self-reporting of breaches and reporting of suspicious transactions

An investigation by a regulator may be triggered by various events; for example, a potential issue may be uncovered during a regulatory inspection, by a complaint directly to the regulator, by a financial crime incident involving a customer of the financial institution, or via breach reporting by the financial institution itself.

Licensed financial institutions in many jurisdictions will often have self-reporting obligations (that is, obligations to report their own breaches). These may include the requirement to self-report to their regulator any suspected material breach of specified laws or regulations that they (or their staff) have committed and, in certain jurisdictions, more onerous requirements, such as the following:

  • In Hong Kong, the obligation on licensed financial institutions to self-report breaches to the Securities and Futures Commission (SFC) is broad, and covers breaches that they (or persons they employ or appoint) have committed, including (among other things) suspected material breaches of ‘law, rules, regulations, and codes administered or issued by the [SFC], the rules of any exchange or clearing house of which [they are] a member or participant, and the requirements of any regulatory authority which apply to [them]’. In the AML context, this will include breaches of all relevant requirements, whether in legislation or regulatory codes, such as those relating to customer due diligence and record-keeping.
  • The Financial Conduct Authority (FCA) in the United Kingdom requires regulated financial institutions to report ‘anything relating to the firm of which the regulator would reasonably expect notice’. This is a broad and non-exhaustive obligation that includes (but is not limited to) significant breaches of AML systems and controls requirements.

In other jurisdictions, such as France, licensed financial institutions are not required to self-report suspected breaches as and when they occur. Rather, financial institutions are required to submit periodic reports to their regulators in relation to their compliance with laws and regulations, in which breaches or shortcomings may be identified.

Breach reporting is fact-sensitive and all potentially relevant jurisdictions should be considered; for example, there may be reporting obligations in the financial institution’s home jurisdiction as well as one or more other jurisdictions in which the business may be affected by the relevant conduct. The analysis of which regulators to notify is nuanced and should be kept under continuous review.

Reporting obligations need to be considered at an early stage and revisited as more information comes to light. This is because the obligations may be triggered by a mere suspicion and, once triggered, there may be a relatively short window within which reporting is required.

Regulators are increasingly expecting to be given early notification of potential issues. Hong Kong’s SFC, for example, has disciplined financial institutions for late reporting and has emphasised that reporting should be made ‘as soon as practicable upon identification’ and ‘not after the [institution] has already completed its investigation, obtained legal advice or taken remedial actions’.

Even where there is no formal self-reporting requirement, the financial institution may want to consider whether it would be appropriate to report a suspected breach voluntarily to its regulator. In the United States, for example, regulatory authorities such as the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) seek to encourage corporate organisations to report misconduct. In recent months, senior DOJ officials have reinforced and expanded their department’s policy that institutions that voluntarily self-report potential misconduct can receive more lenient treatment in resolving any subsequent investigations; for example, in January 2023, the DOJ expanded the scope of its Corporate Enforcement and Voluntary Self-Disclosure Policy from Foreign Corrupt Practices Act cases to all corporate criminal matters, including money laundering. Similarly, in the United Kingdom, the joint executive director of enforcement and market oversight at the FCA has emphasised the importance of firms ‘doing the right thing’, noting that the FCA ‘[appreciates] and [rewards] transparency and cooperation’.

In any event, if a matter is reported in one jurisdiction – whether by regulation or voluntarily – it is usually the preferable course of action to notify other relevant jurisdictions. This is likely to be the case when an issue has been identified in a jurisdiction where the financial institution has a branch operation, in which case it may be prudent to notify both the regulator in the branch jurisdiction and the regulator responsible in the jurisdiction in which the financial institution is headquartered. Reporting in multiple jurisdictions would be especially advisable if the two jurisdictions have agreements in place to exchange information. Nonetheless, caution should be exercised in framing the report. The potential for reports to contain damaging admissions and then to be used in actions against the financial institution should be kept in mind.

Separately, many jurisdictions require persons who know or suspect that any property represents proceeds of criminal offences (i.e., that money laundering may have occurred) to disclose that knowledge or suspicion to their local financial intelligence unit. Unlike the self-reporting obligation discussed above, under which financial institutions are required to report to regulators their own breaches (or breaches by their staff), this obligation often applies to all persons (individuals and entities) and is for the purpose of identifying criminal money laundering offences committed by others (and potentially by the firm). Disclosure is usually by way of what may be described as a suspicious transaction report (STR) or suspicious activity report (SAR) to the local financial intelligence unit, and is typically required to be submitted as soon as practicable.

In both cases of reporting, when an event has been assessed but is determined not to be reportable, financial institutions should document this decision-making process in case it is subsequently called into question by a regulator or in litigation.

Preserving documents and information

Once a potential breach is identified, the financial institution should take steps to preserve all relevant documents and information for the purposes of investigating the breach internally as well as responding to any investigatory requests by regulators.

The information technology department should be notified promptly and directed to secure all relevant documents and information located on the financial institution’s servers. Subject to considerations regarding confidentiality, further specific document retention instructions should be sent promptly to all employees who may have possession of or access to relevant documents and information. Routine destruction processes for the relevant documents and information should be halted.

The financial institution should identify the types of data that are relevant (for example, communications data such as email, instant messaging logs and voice recordings, and non-communications data such as financial records, transaction records, system logs and AML compliance systems, including records documenting customer due diligence and transaction monitoring), as well as the locations in which data is stored.

In addition to information held centrally by the financial institution (e.g., on its servers), consideration should be given to the information stored locally on devices used by employees, such as desktops, laptops, smartphones, tablets and portable hard drives, to the extent that these are not backed up in the financial institution’s system. The financial institution will need to consider its rights to access these, whether they need to be secured immediately to preserve evidence and how best to undertake this process. The extent to which a financial institution may be able to access these devices will depend on the type of device (for example, bring-your-own devices and wholly personal devices are more problematic than firm-issued devices), the financial institution’s internal policies and the protection offered to employees under the laws of the jurisdiction in question (including data privacy laws).

The rise in the use of off-channel communications for business purposes is a global phenomenon, prompted by the increased availability of instant messaging platforms as well as pandemic-induced remote working. Recent cases in the United States have illustrated the perils associated with data that is stored on an employee’s personal device and the need for financial institutions to put in place policies and measures to limit off-channel business communications and to ensure proper records are kept of all business communications.

In December 2021 and September 2022, the US SEC charged 17 large financial institutions with violations of the provisions of federal securities laws that require registered broker-dealers and investment advisers to keep records of customer accounts, transactions and relevant communications. The SEC found that employees at all of the institutions (at multiple levels of seniority) were communicating with customers and internally via text messages, encrypted messaging applications (such as WhatsApp) and personal email accounts, and the institutions were not able to produce the off-channel communications to the SEC when required to do so by request or subpoena. The financial institutions admitted that they had violated the relevant record-keeping requirements in question and agreed to pay combined penalties of more than US$1.2 billion and be subject to other orders. The US Commodity Futures Trading Commission (CFTC) also announced settlements with the same financial institutions for essentially the same conduct. Investigations against other firms are continuing.

Reviewing documents and information

Once the relevant documents and information are preserved, the next step is to review them.

Where the documents and information are located in different jurisdictions, it may be ideal from a logistical perspective to review them centrally in one location. However, this is not always possible owing to the restrictions on cross-border data transfer that may be imposed under data protection laws, state secrecy laws or blocking statutes in the jurisdictions in question, and in some cases, it may not be desirable to bring documents into particular jurisdictions. In addition, information may be in multiple languages and may require review by different teams.

For example, China’s state secrecy laws restrict transfer of a broad list of items that may be state secrets and include a catch-all provision for ‘other matters that are classified as state secrets by the National State Secrets Bureau’. The Anti-Espionage Law prohibits any activity that amounts to stealing, spying for, purchasing or illegally providing certain information, and recent amendments to the Law (which took effect on 1 July 2023) have expanded the scope of protected information to ‘other documents, data, materials, articles relating to national security and interests’, in addition to ‘state secrets and intelligence’ as stated in the earlier version, which causes additional ambiguity around the scope of protected information. The Penal Code of the United Arab Emirates (UAE) also restricts the disclosure and transfer overseas of national secrets of the state and state secrets of defence, which cover a broad range of information.

The European Union’s General Data Protection Regulation casts a wide net in terms of what constitutes personal data (any information relating to an identified or identifiable natural person) and prohibits the transfer of personal data to jurisdictions outside the European Union that have not been recognised as providing adequate protection, unless an exemption applies: the exemptions include law enforcement and the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions. The European Union has so far recognised around a dozen jurisdictions, including the United Kingdom and Switzerland, as providing adequate protection, but even when documents are to be transferred to a recognised jurisdiction, an applicable data protection gateway would still need to be identified to provide a basis for the data processing, and it would still be necessary to comply with any applicable obligations relating to the processing of the data.

In addition to state secrecy and data protection laws, a number of Chinese laws contain provisions that may further restrict the provision or transfer of information outside China. For instance, the International Criminal Judicial Assistance Law provides that organisations and individuals within the territory of China shall not provide assistance in criminal proceedings outside the jurisdiction without the approval of competent authorities. Similar provisions can be found in China’s Data Security Law and Personal Information Protection Law, which prohibit the provision of data and personal information to foreign judicial and law enforcement bodies (including regulators) without the approval of competent authorities. In France, Law No. 68-678 of 26 July 1969 (known as the blocking statute) prohibits any French company from communicating to a foreign public authority any information of an economic, commercial, industrial, financial or technical nature, where the information is intended to constitute evidence for the purposes of judicial or administrative proceedings (subject to agreements between France and some jurisdictions that allow documents to be provided through specific channels and under certain circumstances).

Financial institutions should consider whether these laws may apply and, if so, whether an exemption (for example, customer consent via terms and conditions of a service agreement, or an exemption relating to cross-border data transfer for the purpose of responding to investigations) can be relied on. If data cannot be transferred to the desired review location, a satellite review team may need to be established to review data locally with appropriate controls in place to ensure compliance with local laws.

Producing documents and information to regulators

Regulators can typically only require production of documents and information that are relevant to the matter under investigation; however, in practice, the scope of investigations tends to be broad and regulators have a wide discretion.

Regulators may ask for specific information, such as applicable AML risk assessments, AML policies and procedures, internal or third-party reviews of the AML programme, details of particular aspects of the framework (such as the operation of the AML transaction monitoring system), or details about particular crystallised financial crime risk incidents. They may also ask about the institution’s governance framework (such as the composition, terms of reference and reporting lines of relevant committees), for minutes of board or committee meetings, and for details about the individuals in relevant roles who were employed by the financial institution during the period of the suspected breach. These types of information may appear relatively easy to locate, but locating them can be challenging, particularly over a long period during which governance arrangements have changed multiple times (as is common).

Regulators typically also request evidence to demonstrate that certain steps have been taken (or not, and why that was the case) and for documents that evidence consideration of particular aspects of (or problems with) the institution’s financial crime programme. This may require going through a substantial amount of information, including electronic communications. The review team will need to identify the search criteria (for example, a combination of time frame, search terms and custodians). In appropriate cases, two or more phases of review may be undertaken, using less expensive resources for a first pass review.

There are tools available to make the review process more efficient. Predictive coding is becoming increasingly popular; however, in our experience, the reliability of the results has been mixed, and there is a risk that a regulator would take the view that a predictive coding-assisted review lacks credibility.

It is important in any event to keep an audit trail and record judgement calls in relation to the production of documents to regulators. It is also important to have a globally coordinated approach to managing communications with regulators (as well as other external parties, such as clients and the media), to ensure the accuracy of what is being said and to avoid inconsistencies.

In jurisdictions where the concept of legal professional privilege (LPP) exists (such as Hong Kong, the United Kingdom and the United States), the general principle is that it is not mandatory for documents and information that are subject to LPP to be provided to regulators; however, care should be taken to maintain confidentiality of privileged documents and information. If confidentiality is lost, LPP will also be lost.

Financial institutions should also note that the scope of LPP protection may vary among jurisdictions that recognise the concept; for example, in the United Kingdom, where litigation is not in reasonable prospect, in general only solicitor–client communications are privileged, and the definition of ‘client’ within an organisation is narrow. The client is considered to be a core team within the organisation tasked with giving instructions to, and receiving advice from, the legal team. As a result, reports commissioned from third parties, such as consulting firms, even if instructed by lawyers, may not be privileged; and if a fact-finding internal investigation has been conducted (even by lawyers), the interview notes may not be privileged. These issues require careful consideration, and the regulator will typically be sensitive to overly broad privilege claims. Hong Kong, on the other hand, has adopted a broader approach, defining ‘client’ as simply the organisation. Hence, for example, LPP will protect all confidential documents within the organisation that are produced for the dominant purpose that they or their contents be used to obtain legal advice.

Where part of a document is subject to LPP, the financial institution may redact or obscure the privileged parts before submitting the document to the regulator.

Although regulators in jurisdictions where LPP is recognised generally respect the fundamental right to LPP, it is now common for financial institutions to consider waiving their right to LPP over certain documents and disclosing them to one or more regulators as an act of cooperation, in the hope that this cooperation will be recognised in the investigation outcome. Disclosure will normally be made under a limited waiver of LPP (if recognised by the jurisdiction and permitted by the regulator). This involves waiving LPP as against the regulator, which has agreed to maintain the confidentiality of the documents, but not as against the rest of the world.

Although the concept of limited waiver is recognised in some jurisdictions (such as Hong Kong and the United Kingdom), the consequences of a limited waiver remain unpredictable, particularly in a multi-jurisdictional investigation. For example, the United States does not generally recognise the concept of a limited waiver – once produced to the regulator, the document loses its privileged status. Financial institutions must therefore carefully assess the benefits and risks before voluntarily disclosing any privileged document to a regulator. In jurisdictions that recognise limited waivers, it may be possible to seek an explicit confidentiality agreement with the regulator in question when considering making a disclosure of privileged information, and in any event, it is usually recommended to be clear as to the basis on which any documents are being produced. Depending on the circumstances, it is possible that a regulator may not agree to confidentiality terms that undermine its obligations to share information with other regulators.

Although civil law jurisdictions (such as France and the UAE (other than in the common law free zones)) tend not to recognise the concept of LPP, communications between financial institutions and their external lawyers are usually protected by a duty of confidentiality or professional secrecy on the part of the lawyers, subject to limited exceptions (for example, in France, if communication documents are proven to have been used for the purposes of committing or facilitating the commission of money laundering and certain other criminal offences, and are seized as part of an investigation into such offences). However, the same communications are not protected in the hands of the financial institutions.

Similar issues arising from any state secrecy, data protection and other laws as discussed above will need to be considered by financial institutions when responding to regulators’ investigatory requests. Financial institutions should also take note of any bank secrecy provisions that may be applicable, which usually limit the disclosure of customer information subject to specified exemptions.

When addressing a request from an out-of-jurisdiction regulator, the financial institution should carefully consider the nature of the request and whether it is being compelled to produce the information. In some circumstances, voluntary production of information to a regulator can result in the institution committing breaches of client or counterparty confidentiality obligations, data privacy or banking secrecy, or losing LPP protections.

Another point to note is the increased regulation of the outsourcing of data by financial institutions in recent years, as shown, for example, by the update by the International Organisation of Securities Commissions (IOSCO) of its Principles on Outsourcing in October 2021. One of the principles that are relevant to regulatory investigations is Principle 6, which provides (among other things) that: ‘Regulated entities should ensure that their regulator has prompt and comprehensive access to information concerning outsourced tasks, to enable the regulator to carry out its inspection, investigation and monitoring powers over the activities for which they are regulated.’ One example of regulatory guidance that has been issued with these IOSCO principles in mind is the Hong Kong SFC’s requirements on regulatory records that are kept in cloud storage. If such records are kept exclusively with an external electronic data storage provider, licensed firms must ensure that the records are fully accessible upon demand by the SFC without undue delay. The Central Bank of the UAE’s ‘Outsourcing Regulation for Banks’ and accompanying standards provide that outsourcing agreements must include an explicit provision giving the Central Bank (or any agent appointed by it) access to the outsourcing service provider, including the right to conduct on-site visits, and access to data or information stored at the provider that is required for supervisory purposes.

Secrecy obligations and prohibition against tipping off

In many jurisdictions, the involvement of any regulator will be accompanied by secrecy obligations, and breach of these obligations will attract criminal consequences in some jurisdictions. Secrecy obligations will restrict the extent to which a financial institution can disclose the existence and details of regulatory inquiries or investigations.

In the context of multi-jurisdictional investigations, these obligations also restrict the extent to which financial institutions can disclose the involvement of one regulator to other regulators. This potentially places them in a difficult position if they are asked by a regulator which other regulators are aware of or have made enquiries about the relevant conduct. It will normally be possible to get the relevant regulators’ approval for disclosure of an investigation to other regulators, but the discussions seeking such consent should be undertaken with great care. The financial institution should explain the difficulties it is facing and seek the regulator’s agreement as to what the other regulator can be informed about.

In many jurisdictions, including the United Kingdom, France, Hong Kong and the UAE, the requirement to file an STR or SAR (to report suspected money laundering) is accompanied by the prohibition against tipping off, such as disclosing that an STR or SAR has been filed, the contents of the report, or any matter that is likely to prejudice any investigation that might be conducted following the filing of a report.

Managing outcomes of multi-jurisdictional investigations

Cooperation with regulators

Regulators will often have a policy (whether formal or informal) that incentivises cooperation by providing more favourable outcomes and reduced penalties in return. As a general rule, cooperation does not mean simply complying with lawful requests from a regulator.

The following are some examples of actions that may be considered by regulators as cooperation (these will vary between jurisdictions, and some of the actions will be required in certain jurisdictions in any event):

  • voluntarily and promptly reporting breaches or failings to the regulator;
  • taking the initiative to undertake a credible investigation to examine the nature, extent, origins and consequences of the misconduct, opening a frank dialogue with the regulator, and providing regular and meaningful updates on the progress of the investigation;
  • providing true and complete information regarding breaches or failings, such as taking early and proactive steps to preserve and collect important evidence, and providing it to the regulator, providing information and evidence of which the regulator is otherwise unaware (including sharing the results of an internal investigation), and providing useful intelligence to the regulator;
  • waiving LPP over a document (including on a limited basis);
  • accepting liability, including taking responsibility for breaches or failings, addressing the regulator’s concerns and accepting the regulator’s findings or proposed sanctions;
  • adopting rectification measures, such as taking early and active steps to contain breaches or failings, making full and prompt compensation to affected customers, and instituting necessary enhancements to internal controls and procedures;
  • conducting a credible internal investigation that is led by independent outside counsel and is independent of the management involved in the relevant conduct, and providing the results of the internal investigation to the regulator;
  • appointing a third-party reviewer jointly with the regulator to conduct a fact-finding review in respect of the breaches or failings, or a prospective internal control review to identify appropriate remedial actions; and
  • having the board of directors of the financial institution give undertakings collectively and individually to address the regulator’s concerns, such as undertakings to remedy deficiencies identified in a third-party review within a specified amount of time and to ensure that the same failings would not reoccur.

An overarching strategy should be developed when a financial institution is seeking to cooperate with multiple regulators across different jurisdictions. Cooperation will be viewed favourably in settlement discussions with all regulators. However, the formal framework for recognition of cooperation and each regulator’s history of rewarding cooperation should be taken into account when considering how best to approach the issue of cooperation. The incentives to cooperate and the benefit available to the financial institution must be balanced against the need to preserve privilege and defences. If multiple regulators are involved, there may be varying degrees of certainty around the benefits of cooperation that need to be considered in devising the overall strategy. The financial institution should strive, where possible, to take a consistent approach to cooperation.

Settlement with multiple regulators

When financial institutions are dealing with a single regulator, there is an opportunity to influence the enforcement narrative. This process can facilitate a resolution of the matter by settlement, where the financial institution and the regulator find common ground on what the important facts and issues are. Although this is still possible with multiple regulators, it can be more difficult. Regulators will have different enforcement or regulatory cultures, as well as varying focus areas and agendas, which complicates the settlement process.

It may also be difficult to settle with all regulators concurrently, even though there is increasing coordination and cooperation among regulators. The worst-case scenario may be the involvement of a regulator that wants to make a name for itself by adopting a different approach from the other regulators.

Preventing ‘piling on’

To address concerns about ‘piling on’ (i.e., receiving multiple, overlapping penalties in relation to the same misconduct from various civil, criminal and regulatory authorities – including overseas authorities), the US DOJ has instructed federal prosecutors to avoid seeking excessive or duplicative fines, penalties or forfeitures against a company, while nevertheless recognising the importance of coordinating parallel proceedings. According to its Justice Manual, the DOJ should also endeavour to coordinate with and consider the amount of fines, penalties or forfeiture paid to other federal, state, local or foreign enforcement authorities that are seeking to resolve a case with the company for the same misconduct.

All relevant factors should be considered in determining whether coordination and apportionment between DOJ components and with other enforcement authorities allows the interests of justice to be fully vindicated, such as the egregiousness of a company’s misconduct, statutory mandates regarding penalties, fines and forfeitures, and the adequacy and timeliness of a company’s disclosures and its cooperation with the DOJ. It is common for the DOJ to work closely with other authorities (such as the SEC and the CFTC), as well as their foreign counterparts, and there are many instances when a company will obtain a credit against its US fine for fines paid in other jurisdictions.

The rules setting out the process for calculating penalties in FCA enforcement actions in the United Kingdom expressly include, as a potential mitigating factor, consideration of action taken against the firm by other domestic or international regulatory authorities that is relevant to the breach in question. Similarly, in its disciplinary fining guidelines, the Hong Kong SFC states that it will consider all circumstances of a case in deciding the level of fine, including any punishment imposed or regulatory action taken, or likely to be taken, by other competent authorities, and the result, or likely result, of any civil action taken, or likely to be taken, by third parties (successful civil claims, or those likely to be successful, may reduce the part of a fine, if any, that is intended to stop a firm benefiting from its conduct).

Under the UAE Criminal Procedures Code, any civil claim that is brought in parallel with criminal proceedings will be stayed until a decision is made in the criminal proceedings (the findings of the criminal court can then be referred to in the civil court, which will proceed directly to assessing the quantum of damages). UAE regulators are becoming increasingly adept at information sharing as well as coordinating with foreign bodies, including via memoranda of understanding.


To sum up, the following are some of the questions that need to be asked at the outset of and throughout an investigation:

  • Does the potential breach trigger a self-reporting obligation? Which regulator, or regulators, should be notified? What should be included in the report? Should a voluntary notification be made in the absence of a mandatory obligation to do so? The position needs to be revisited as more information comes to light.
  • Is the issue localised or systemic? If the latter, the financial institution should review the position in other areas of the business and other jurisdictions that may be affected.
  • Who in the financial institution should be involved in investigating the issue, responding to the regulator (or regulators) and reporting to management?
  • What types of documents and information are relevant to the issue at hand? Where are they stored? How should they be secured? Does the financial institution have the right to access its employees’ personal devices in light of its internal policies and data privacy or other laws?
  • How should the documents and information be gathered for review? Are there laws restricting cross-border transfer of information (and if so, can any exemptions be utilised)? Where should the document review team (or teams) be based?
  • How should the document review be conducted (for instance, what are the appropriate search criteria)? What document review platforms or software (such as predictive coding) should be used?
  • Which documents can be withheld from the regulator on the basis of LPP or lawyer’s duty of confidentiality? What is the scope of the privilege or lawyer confidentiality in the jurisdictions in question? Should LPP be waived in relation to certain documents for any specific regulator to obtain credit for cooperation?
  • Do any state secrecy, data protection and bank secrecy laws, or blocking statutes apply (and can any exemptions be utilised)?
  • Have audit trails been maintained in relation to judgement calls made during document review?
  • Have measures been put in place to ensure that any obligation to maintain confidentiality of investigations is complied with, and any prohibition against tipping off money laundering investigations is not breached?
  • Do the regulators in the jurisdictions in question recognise cooperation by financial institutions and reward cooperation by providing more favourable outcomes? If so, how should the financial institution make use of this benefit, balanced against the need to preserve any privilege or defences?


