
Pablo Fautsch

Mexico
  

Best practices in internal investigations in Mexico

October 28, 2025

Von Wobeser y Sierra | Within the framework of the National Anti-Corruption System and the strengthening of the regulatory framework in key sectors such as finance, energy, and health, organizations operating in Mexico face an increasingly rigorous compliance environment. The regulatory evolution—driven by laws such as the General Law of Administrative Responsibilities (LGRA), the Federal Law for the Protection of Personal Data Held by Private Parties (LFPDPPP), and increased scrutiny from authorities like the CNBV, COFECE, and UIF—has resulted in a clear expectation: companies must have effective mechanisms to prevent, detect, and remedy misconduct within their organizations.

In this context, internal investigations are not just a good practice, but an essential component of a corporate culture of integrity. When conducted with rigor, they not only allow organizations to act diligently in response to specific events but also demonstrate a preventative commitment against potential regulatory investigations or litigation. In relevant international investigations, such as the Walmart Mexico case related to improper payments, the existence of well-documented and executed internal processes was key to the defense strategy under the FCPA.

In this brief article, we analyze aspects that must be considered when conducting an internal investigation.

Scope and Planning

An effective internal investigation begins with a structured planning phase. The first step is to define the scope, which involves precisely identifying:

  • The facts to be investigated.
  • The individuals potentially involved.
  • The internal rules or policies that may have been violated.
  • The specific objectives of the investigation (e.g., determining responsibility, validating controls, proposing corrective measures).


This stage must also determine:

  • The reasonable time to conclude the investigation.
  • Whether external advisors are required (legal, forensic, technological).
  • The need to preserve digital evidence.
  • The applicable legal or contractual framework (internal statutes, code of ethics, collective agreements, etc.).


A clear definition of these elements prevents the investigation from becoming excessively broad, costly, or unfocused, and minimizes the risk of the investigation or its results being challenged by third parties or the authorities themselves.

Collection and Custody of Evidence: Preserving Integrity

Preserving evidence securely and with its integrity intact is a cornerstone of any investigation. Evidence may include documents, emails, messages, recordings, physical files, access logs, collaborative platforms, or even mobile devices.

A good practice is to issue a "hold notice" to individuals who may have relevant evidence under their control. This notice must state the obligation not to delete, alter, or share such information. It must be documented and form part of the investigation file.

It is essential to maintain a clear chain of custody: recording who collects each item of evidence, when and how it was stored, who accessed it, and under what conditions. This principle is critical when the findings may have implications before regulatory or criminal authorities or in judicial proceedings.

Access to personal devices or private communications should only occur with informed consent from the owner, supported by previously accepted internal policies. Otherwise, there is a risk of violating the LFPDPPP or the labor rights provided for in the Federal Labor Law.

Document Review and Interviews

The analysis phase of the investigation includes reviewing documents and interviewing key individuals. Interviews should be conducted based on the principles of:

  • Confidentiality.
  • Procedural respect.
  • Warning of Representation (Upjohn Warning): Informing the interviewee that the person interviewing them represents the company, that the information will be kept confidential but belongs to the organization and may be used in its interest, even before authorities.


It is recommended not to record interviews, except for well-founded legal reasons and explicit consent. It is preferable to document them through detailed minutes, signed by the investigator or person responsible for the process.

The identity of the whistleblower must be protected at all times, retaliation must be avoided, and internal protection mechanisms must be in place. The company must have an effective and monitored non-retaliation policy.

Interviews should take place in neutral spaces, without coercion, and in a way that ensures the interviewee can request legal support if they wish.

Report and Corrective Measures

Upon conclusion of the investigation, a structured executive report must be prepared, containing:

  • Facts investigated.
  • Evidence collected and analyzed.
  • Legal conclusions (whether internal or external rules were infringed).
  • Specific recommendations.


This report must not include value judgments or unsupported statements. It can adopt a narrative, structured, or sectional format, and must be reviewed by the legal and compliance areas. In relevant cases, it should also be validated with governing bodies (such as the Audit Committee or the Board).

Corrective actions must be proportional to the severity of the findings. Some options include:

  • Disciplinary sanctions or justified termination of employment.
  • Relocations or internal precautionary measures.
  • Review or termination of contractual relationships with third parties.
  • Operational or technological adjustments.
  • Reinforcement of the internal controls system.

Institutional remediation measures should also be considered, such as training, updated protocols, process redesign, or new audits.

When the conclusions imply the possible imposition of labor sanctions, it is crucial to consider the applicable legal deadlines. In particular, the Federal Labor Law establishes that the employer has 30 calendar days to take disciplinary action from the moment it becomes aware of the fact and the responsible party.

In scenarios with broader regulatory implications, voluntary disclosure to authorities such as the CNBV, UIF, COFECE or, internationally, to the DOJ or the SEC, may also be evaluated. This decision must be made strategically, assessing its impact in terms of cooperation, reduction of sanctions, and reputational protection.

Conclusion

Internal investigations should not be viewed as a mere legal formality. When conducted with method, objectivity, and regulatory adherence, they allow organizations to protect themselves, learn, and improve.

A robust and properly documented internal investigation can be the difference between a multi-million-dollar penalty and a favorable resolution. Beyond resolving specific incidents, it demonstrates ethical leadership, reinforces institutional credibility, and builds trust with employees, clients, investors, and authorities.

In an environment of increasing demand, having a solid internal investigation process is one of the most valuable assets of the corporate compliance system.

vonwobeser.com
 
