Expert legal services and solutions for your business needs.
Senior lawyers and compliance specialists for internal investigations and the risk frameworks meant to prevent them, handled with the discretion and seniority the matter calls for.
These matters tend to start with an unwelcome question. A whistleblower complaint has reached the board. A payment has surfaced that the finance team cannot explain. A senior manager’s conduct has been challenged. A near-miss has emerged in financial promotions, in AML, in a third-party arrangement. A supervisor has asked something that suggests they are about to ask more. How the firm responds in the first few weeks tends to determine whether the matter stays inside the building, whether the people accountable for it keep their reputations, and whether the business comes out the other side stronger or weaker than it went in.
When you instruct Arbor on a risk or investigations matter, you work directly with senior lawyers and compliance specialists who have handled matters like this from the inside – as GCs, compliance leads and board advisers – not only as external counsel. Kate Bennett, co-founder of Arbor, brings the GC and board seat: eight and a half years as Group General Counsel of two FTSE 250 financial services groups, and seven years of Virtual GC and regulatory advisory since. Pregeshni Maduramuthu leads our compliance team and the day-to-day running of risk and investigations work.
The arrangement is simple: you stay in control of the strategy, and we get on with the work that needs doing, fast and quietly.
What you get when you instruct Arbor on a risk or investigations matter
Kate and Pregeshni lead the practice personally. The work is run by people who have sat in the seat the firm is now sitting in, and who know what an FCA supervisor, a board, a regulator and a whistleblower each actually need to hear. You will not be handed to a junior to draft the interview notes, then to a partner to sign off the conclusions.
Ex-Magic Circle and Big Law expertise at the rate a Magic Circle associate charges. We agree the scope and the fee envelope at the start, with a scoping phase, an investigation phase and a remediation phase each priced separately so the bill cannot run away from the board. Most investigations fit a capped-fee or phased-fee structure rather than a fully open-ended retainer. Discretion does not need to be expensive to be real.
An investigation is rarely only a legal exercise. It carries commercial consequences for the people involved, governance consequences for the board, regulatory consequences for the firm and reputational consequences for the brand. We help you take the decisions that need to be made with the right information, in the right order, and at the right level of seniority. We never push an investigation past where the facts justify it.
We act for boards, audit and risk committees, GCs, SMFs and heads of compliance at investment firms, asset managers, fintechs, regulated payment businesses, corporate finance advisory boutiques and the broader population of FCA-authorised mid-market firms. We do not need a briefing on what SUP 15 expects of a notification, on how an SMF’s conduct is evidenced for the regulator, or on where a whistleblower scheme has to land procedurally.
The first read of an allegation is often wrong. Sometimes the situation is worse than the original complaint; often it is much better. We will tell you what we think the matter actually is on the first call, which of the three or four routes available is the right one to take, and what each one will cost in time, money and disclosure. Where we are not the right firm for the matter, we will tell you that too and, where we can, point you to someone who is.
We sit alongside your audit and risk committee, board, SMF and in-house team rather than around them. Where you want us to run the investigation end-to-end under privilege, with named ownership, a clear protocol and a single report at the end, we do that. Where you want to lead the investigation yourself and use us for senior oversight and a second pair of eyes on the difficult calls, we do that too. The aim is the same either way: discretion, defensibility, and a recovery the board can stand behind.
What the first phase of an investigation looks like
The shape of the engagement depends on the matter, but the first two weeks tend to follow a similar pattern across the three most common starting points.
On a whistleblower complaint or conduct allegation, the first week is about establishing the facts of the allegation, the privilege framework, the people who need to be brought into the loop and the people who must not be. We help you scope the investigation, design the interview plan, decide whether to engage external forensic or e-discovery support, and set the protocol for the report. The output of week one is an agreed investigation plan that the board, the SMF and the people running the matter can each rely on.
On a regulatory breach or near-miss, the first week is about understanding the breach and the disclosure decision. We help you map the facts against the rule, the likely regulatory consequences, the SUP 15 or equivalent notification position, and the remediation that should accompany the disclosure rather than follow it. Few things make a supervisor more uncomfortable than a firm that knows it has a problem and does not yet have a plan; we make sure you arrive at the regulator with both.
On a risk-framework engagement, the first phase is diagnostic. We map your current framework against where the rules expect it to be, where peer firms have landed, where your business model is most exposed, and where the audit and risk committee is most likely to ask hard questions. The output is a prioritised work programme: the items that need to be done now, the items that can wait, and the items that need a board-level decision rather than a compliance-level one.
Two propositions sit at the centre of our practice and bring in most of the recent work.
Preventative risk frameworks are for firms that want to build the scaffolding now rather than after the first uncomfortable supervisor letter arrives. The work covers enterprise risk management, financial crime and AML risk, ABC and sanctions, third-party and supply-chain risk, financial promotions, conduct risk and the risk-appetite frameworks that help boards understand what they are actually carrying. Kate brings the board-level GC perspective on what a working framework looks like from the inside. Pregeshni’s team turns that into something the business can use day to day rather than a binder that sits on a shelf.
Discrete internal investigations are for matters that need to be looked at properly, but quietly: whistleblower complaints, conduct allegations, payment irregularities, regulatory near-misses, the awkward overlap between an HR matter and a regulatory one. We handle these under privilege where the structure allows, with a small named team, a clear written protocol, and a brief that does not leave the room it is meant to stay in. The deliverable at the end is a report the board can act on and a remediation plan the firm can stand behind, not a document trail that creates new exposure.
Our risk and internal investigations services across the lifecycle from prevention to remediation
Structured internal investigations under privilege: scoping, protocol design, evidence gathering, interviews, document review and the final report. Discreet, defensible, and run by senior people who have done this work before.
Initial triage, privilege framework, interview design and conduct, regulatory considerations under SMCR, and the interaction between an internal investigation and any HR process that runs alongside it.
Breach analysis against the relevant rule, SUP 15 and equivalent notification decisions, remediation planning, supervisory engagement strategy, and the broader question of what to say, when, and to whom.
Risk appetite and tolerance, risk taxonomies, three-lines-of-defence design, board risk reporting, and the assurance work that confirms the framework is actually being used rather than only being documented.
Policies, training, due-diligence frameworks for third parties and acquisitions, sanctions screening and licensing, and the investigations work that follows a flagged transaction or a media allegation.
Customer due diligence, source-of-funds and source-of-wealth frameworks, transaction monitoring policy, MLRO support, suspicious activity reporting, and the response work when a regulator or correspondent bank raises a concern.
Vendor and outsourcing risk frameworks, due diligence templates, contractual protections, ongoing monitoring, and the breach-response work when a third party causes a regulatory or commercial event of its own.
The first 48 hours of a cyber incident, a data breach, a senior departure, a media allegation or a regulatory raid. We act as legal quarterback alongside the comms team, the GC and the audit and risk committee, and we keep the legal, regulatory and reputational decisions in the right order. That includes advice on engagement with the FCA and other regulators, the scope of any disclosure obligations, and how to manage the board, investor and media dimensions of a matter that is developing under pressure.
For matters that escalate to formal dispute, see Commercial Dispute Resolution.
For governance matters that sit alongside or give rise to an investigation, see Corporate Governance.
For the regulatory dimension of an investigation involving an FCA-authorised business, see Financial Services Regulatory.
For businesses that need ongoing senior legal support to manage risk and investigations as a function, see General Counsel Solutions.
The sooner the right lawyer sees the matter, the better the options tend to be. Send us a short note about what you are working on and one of us, Kate or Pregeshni, will come back to you personally to talk it through. The first conversation is on us and is always treated as confidential. If we are not the right firm for the matter we will tell you and, where we can, point you to someone who is.