Corporate Investigations in Bangladesh (2025): A Complete Field Manual for Local & Foreign Companies
By TRW Law Firm — Investigations, Compliance & Disputes (Dhaka & Dubai)
Why this matters
Bangladesh is a high-growth market with dense supply chains (RMG, leather, light engineering), fast-rising services (fintech, logistics, e-commerce), and significant government touchpoints (permits, customs, taxation, utilities). Those touchpoints create real investigative workloads: procurement collusion, kickbacks, inventory shrink, payroll fraud, grey traffic in telecom, trade-based money laundering (TBML), workplace harassment, data leaks, and cyber incidents. If you operate here—especially as part of a multinational—you need a repeatable, defensible investigation playbook that respects local law and culture while aligning with global standards (anti-bribery, AML, sanctions, data & labour rules).
This guide gives you the end-to-end “how”: governance and privilege, scoping, evidence, interviews, digital forensics, regulator engagement, remediation, and a foreign-investor caution list tailored to Bangladesh.
Important: numbers and procedures can change via notifications and circulars. Use this as your operating blueprint and confirm specifics when you implement.
Part A — What counts as a “corporate investigation” (Bangladesh reality)
Common triggers

- Allegations via hotline or HR: harassment, discrimination, bullying, retaliation
- Procurement & sales: bid rigging, kickbacks, conflict of interest, resale price maintenance (RPM) attempts
- Finance: false invoicing, round-tripping, payroll ghosts, expense fraud, asset misappropriation
- Trade: HS code manipulation, over/under-invoicing, sham third-party freight or inspection fees, bonded-warehouse abuse
- AML/sanctions: suspicious flows via banks and mobile financial services (MFS), third-country routing, cash-to-digital conversion
- Data/cyber: account takeovers, exfiltration, malware/RAT infections, vendor breaches
- HSE/OSH: reportable accidents, falsified logs, safety equipment tampering
- Competition: competitor information exchanges through shared distributors, hub-and-spoke coordination
- Workplace conduct: substance abuse, extortion, intimidation, theft
- IP & information: leak of tech packs, patterns, BOMs, customer files
Where matters usually arise
- Factories, depots, bonded warehouses, customs yards
- Finance shared services, call centers, field sales, agent networks
- Import/export desks (LCs, BoE, B/L), C&F agents, logistics vendors
- Digital ecosystems: WhatsApp/IMO/Facebook Messenger groups, Google/Microsoft suites, local ERPs, MFS wallets (bKash, Nagad), POS, ride-along apps
Part B — The legal & enforcement backdrop (what you must internalize)
- Criminal law & corruption: Bribery and “speed money” are criminal; the Anti-Corruption Commission (ACC) investigates/prosecutes. Donor-funded projects add debarment exposure.
- Money laundering & TFS: Proceeds of corruption/fraud can trigger AML obligations; the central bank’s financial intelligence unit issues directives and freeze orders; regulated entities must file STRs/SARs.
- Corporate/securities: Listed-company governance rules expect internal control, related-party discipline, and fair disclosure; violations invite enforcement and shareholder litigation.
- Labour & domestic inquiries: Discipline must follow due process—show-cause → impartial inquiry → reasoned order—or courts can reinstate with back wages.
- Data & cyber: A formal personal data regime is emerging; cyber offenses are policed under current cyber laws. Treat PI and system logs as sensitive; implement lawful, proportionate collection.
- Dawn raids: ACC, police units, tax/VAT intelligence and other authorities can conduct searches/seizures with due process. Know your response script.
- Extraterritorial overlays: FCPA/UKBA and other foreign laws can apply to conduct within Bangladesh, especially for multinationals or USD-cleared payments.
Takeaway: Your investigation playbook must anticipate criminal exposure, labour due-process, regulatory notifications, data sensitivity, and cross-border legal risks—all at once.
Part C — Governance & privilege: build the right cockpit
- Investigation Charter
  - Board-approved document that sets scope, authority, and independence of the investigations function (Legal/Compliance with HR and Internal Audit).
  - Defines thresholds for external counsel, forensic firms, and when to brief the board/audit committee.
- Independence & conflicts
  - Segregate investigators from local management in scope. Require conflict declarations for each matter (no one investigates their own chain).
- Legal privilege & work product
  - Engage counsel early and document that the purpose is to obtain legal advice. Limit distribution, watermark drafts, and log access.
- Anti-retaliation
  - Board-backed “no retaliation” policy with Bangla-language communications. Track for reprisals after reports/interviews.
- Case lifecycle controls
  - Unique case IDs, matter triage, SOX-style evidence repository, chain-of-custody logs, investigation hypotheses, decision memos, remediation tracking.
Part D — Intake, triage & scoping (the first 72 hours)
- Stabilize
  - Preserve devices, email, chat, shared drives, ERP, CCTV, access logs, visitor registers, and—critically—phones (WhatsApp/IMO). Suspend auto-deletion.
  - Issue a legal hold to custodians in Bangla and English (plain, specific, time-bounded).
- Initial risk screen
  - Criminal exposure? Reputational risk? Safety at risk? Regulator notifications likely? If yes, escalate to counsel and the audit committee.
- Scope & hypotheses
  - Draft a scoping memo: allegations, time frame, custodians, systems, third-parties, money/goods flows, legal issues, decision-makers.
- Stakeholder map & comms
  - Identify internal stakeholders (Legal/Compliance, HR, IT, Security, Finance) and external (counsel, forensics, PR).
  - Set one communications channel; enforce need-to-know.
Part E — Evidence & forensics (Bangladesh-specific realities)
1) Digital forensics & data sources
- Messaging apps: WhatsApp, IMO, Messenger, Viber, Telegram—collect chat exports and, where lawful, forensically image devices. Expect hybrids (personal device used for work). Use consent and policy for BYOD.
- Email & cloud: Google/Microsoft tenants; preserve mailboxes, Drive/SharePoint, audit logs; collect admin logs for group changes and deletions.
- Local systems: On-prem ERPs, attendance/biometrics, access control, CCTV DVRs (short retention!), POS, weighbridges, RFID, GPS trackers.
- Financial: Bank statements, MFS ledgers (wallet transactions), LC files, invoices, BoE, B/L, packing lists, inspection certificates, customs files, tax/VAT returns, e-BIN/e-TIN records.
- Telecom: For telecom cases, CDRs, interconnect CDRs, routing tables, CLI integrity reports, spam/A2P logs.
- Physical: Delivery challans, gate passes, store ledgers, machine utilization logs, quality reports, scrap registers.
2) Chain of custody
- Use evidence bags for drives/phones; photo each hand-off; assign seals; maintain a custody log with signatures and timestamps.
3) Collection protocols
- Imaging: Prefer bit-by-bit where feasible; if not, documented logical collections with hash values.
- Keyword strategy: English and Bangla (Bangla Unicode & phonetic English), plus common slang (chai-pani, commission, adjust, manage).
- Data minimization: Collect only what’s relevant; segregate PI; apply search term audit to show proportionality.
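One way to produce the hash values and custody log described in sections 2 and 3 above, as an added example that is not part of the original guide or any TRW tooling: a SHA-256 manifest for a logical collection, plus a custody log in which each entry commits to the previous one. The hash-chaining, field names, case ID, actor names and sample files are assumptions constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large exports need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each collected file (relative path) to its SHA-256 at collection time."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(Path(root).rglob("*")) if p.is_file()}


def verify_manifest(root, manifest):
    """Return (changed, missing, unexpected) paths compared with the manifest."""
    now = build_manifest(root)
    changed = sorted(k for k in manifest if k in now and now[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in now)
    unexpected = sorted(k for k in now if k not in manifest)
    return changed, missing, unexpected


def _digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def append_custody(log, case_id, item, action, actor, timestamp, item_sha256):
    """Append a hand-off entry that commits to the previous entry's hash."""
    entry = {"case_id": case_id, "item": item, "action": action, "actor": actor,
             "timestamp": timestamp, "item_sha256": item_sha256,
             "prev": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = _digest(entry)
    log.append(entry)


def custody_log_intact(log):
    """False if any entry was edited, reordered or dropped from the middle."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or _digest(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def demo():
    """Constructed sample: two exported files, one altered after collection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "chat_export.txt").write_text("constructed sample chat export\n")
        (root / "ap_ledger.csv").write_text("invoice,amount\nINV-1,1000\n")
        manifest, log = build_manifest(root), []
        append_custody(log, "CASE-0001", "collection-01", "collected",
                       "Investigator A", "2025-01-05T10:00:00+06:00", _digest(manifest))
        append_custody(log, "CASE-0001", "collection-01", "handed to evidence room",
                       "Investigator B", "2025-01-05T16:30:00+06:00", _digest(manifest))
        (root / "ap_ledger.csv").write_text("invoice,amount\nINV-1,9000\n")
        result = (verify_manifest(root, manifest), custody_log_intact(log))
        log[0]["actor"] = "edited later"  # simulate a back-dated edit to the log
        return result + (custody_log_intact(log),)
```

The chain does not detect removal of the most recent entries, so the latest entry hash should also be recorded somewhere the custodian cannot edit, such as the signed paper custody form.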
4) Analytics
- Transaction testing: three-way match (PO–GRN–Invoice), duplicates, weekend postings, round sums, split POs under approval thresholds, Benford analysis.
- Network analysis: shared addresses/phones among vendors and employees; graph links to bKash/Nagad wallets; hub-and-spoke in distributor networks.
- Trade tests: price/quantity anomalies vs. market; HS code consistency; Incoterms mismatch; repeated LC amendments.
- Payroll: ghost identities, bank/MFS accounts linked to supervisors, overtime anomalies.
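The transaction tests listed above, sketched as an added example over a constructed AP ledger (not code from the original guide). The approval limit, seven-day window, round-sum unit and every row are hypothetical; treating Friday and Saturday as the weekend is an assumption to adjust for sites that work Saturdays.

```python
import math
import re
from collections import Counter, defaultdict
from datetime import date

APPROVAL_LIMIT = 500_000   # hypothetical single-approver limit, in BDT
WEEKEND = {4, 5}           # Friday, Saturday (date.weekday(): Monday == 0)

# Constructed sample postings: (invoice_no, vendor, po_no, posting_date, amount)
LEDGER = [
    ("INV-1001", "V001", "PO-1", date(2025, 1, 6), 184_250),
    ("inv 1001", "V001", "PO-1", date(2025, 1, 20), 184_250),  # re-keyed duplicate
    ("INV-2001", "V002", "PO-7", date(2025, 1, 7), 480_000),   # split under limit
    ("INV-2002", "V002", "PO-8", date(2025, 1, 8), 470_000),
    ("INV-3001", "V003", "PO-9", date(2025, 1, 10), 93_417),   # posted on a Friday
    ("INV-4001", "V004", "PO-10", date(2025, 1, 14), 1_250_000),
]


def duplicates(rows):
    """Same vendor and amount, invoice numbers equal once case/punctuation is stripped."""
    seen = defaultdict(list)
    for inv, vendor, _po, _day, amount in rows:
        seen[(vendor, amount, re.sub(r"[^A-Z0-9]", "", inv.upper()))].append(inv)
    return [invs for invs in seen.values() if len(invs) > 1]


def weekend_postings(rows):
    return [r[0] for r in rows if r[3].weekday() in WEEKEND]


def round_sums(rows, unit=10_000):
    return [r[0] for r in rows if r[4] % unit == 0]


def split_pos(rows, limit=APPROVAL_LIMIT, window_days=7):
    """Vendors with 2+ under-limit POs inside the window that together reach the limit."""
    totals = {}
    for _inv, vendor, po, day, amount in rows:
        first, total = totals.get((vendor, po), (day, 0))
        totals[(vendor, po)] = (min(first, day), total + amount)
    by_vendor = defaultdict(list)
    for (vendor, po), (first, total) in totals.items():
        if total < limit:
            by_vendor[vendor].append((first, po, total))
    hits = []
    for vendor, pos in by_vendor.items():
        pos.sort()
        for i, (start, _po, _total) in enumerate(pos):
            group = [p for p in pos[i:] if (p[0] - start).days <= window_days]
            if len(group) > 1 and sum(p[2] for p in group) >= limit:
                hits.append((vendor, [p[1] for p in group]))
                break
    return hits


def benford_mad(amounts):
    """Mean absolute deviation of leading-digit shares from Benford's law."""
    lead = Counter(int(str(abs(int(a)))[0]) for a in amounts if int(a) != 0)
    n = sum(lead.values())
    return sum(abs(lead[d] / n - math.log10(1 + 1 / d)) for d in range(1, 10)) / 9
```

The Benford score only means something over hundreds of postings from one population (one vendor class, one cost centre); the six sample rows exist to exercise the other tests.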
Part F — Interviews (doing them right in Bangladesh)
- Language & setting: Offer Bangla or English. Use trained interpreters; avoid managerial presence for rank-and-file.
- Notice & fairness: Explain purpose, process, and anti-retaliation. For employees facing discipline, outline rights per policy/standing orders.
- Sequencing: Start with neutral witnesses, then supporting, then subjects. Cross-verify facts; use documents to anchor.
- Style: Fact-first, neutral, no promises. Avoid leading questions or threats.
- Records: Contemporaneous notes; ask the witness to review key points. For critical interviews, audio (with consent) or two-investigator notes.
Part G — Playbooks for the most common Bangladesh cases
1) Procurement kickbacks & bid rigging
Red flags: new vendor incorporated days before award; shared contact data with staff; sequential quotes with identical typos; split POs under thresholds; “consulting” invoices post-award.
Steps
- Pull vendor master data; match NPWP/TIN/BIN, bank accounts, directors/UBOs; cross-link to staff phone numbers and addresses.
- Review tender files, price models, evaluation sheets; re-score bids independently.
- Examine rebate/marketing service invoices; look for no deliverables.
- Interview procurement, finance, and warehouse on receipt and quality checks.
- If collusion suspected, prepare a self-reporting path and supplier debarment plan.
Remediation
- Rewrite vendor policy; introduce pre-qualification, conflict declarations, audit rights. Install three-way match and duplicate invoice alerts.
2) Trade-Based Money Laundering (TBML)
Red flags: price mismatch vs. indices; odd Incoterms; repeated LC amendments; third-party payments outside contract; goods never seen at gate; frequent BoE value disputes.
Steps
- Build a trade file (contract, PI, LC, invoice, packing list, B/L/AWB, inspection, insurance, COO, port/warehouse logs).
- Check HS codes, values, and quantities; compare with market ranges.
- Map money flows: bank and MFS; identify third-country hops.
- Coordinate with bank AML teams; consider STRs and control tightening.
Remediation
- Introduce end-use/end-user statements for sensitive goods; require independent price checks; strengthen C&F agent controls.
3) Inventory shrink & scrap diversion
Red flags: negative yield variances, “rework” escalation, night dispatches, scrap sale cash.
Steps
- Reconcile BoM to production and dispatch; review CCTV and access logs; surprise stocktakes; analyze scale logs at entry/exit.
- Map truck GPS to gate passes; test vendor weights vs. your scales.
- Interview line supervisors and security.
Remediation
- Lock scrap sales into a controlled tender; add weighbridge cameras; enforce route seals; segregate duties in stores.
4) Payroll ghosts & expense fraud
Red flags: employees without photos, multiple bank/MFS accounts tied to one phone, identical addresses, unusual per diems.
Steps
- HRIS–bank/MFS reconciliation; device/phone clustering; physical headcount checks.
- Recheck overtime approvals, supervisor benefit links, and duty rosters.
Remediation
- Biometric attendance with liveness; geo-fenced field attendance; expense policy with receipt OCR and random audits.
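The phone clustering used in the procurement and payroll playbooks above (shared contact data between vendors and staff, several MFS accounts tied to one phone) depends on normalising numbers that each system stores differently. The following is an added example, not code from the original guide; the record IDs and phone numbers are constructed, and the 013 to 019 operator-prefix rule is an assumption to confirm against current numbering plans.

```python
import re
from collections import defaultdict

# Constructed sample rows: (source system, record id, phone as typed in that system)
RECORDS = [
    ("employee", "E-104", "01700-000001"),
    ("vendor", "V-220", "+880 1700 000001"),
    ("wallet", "W-9001", "8801700000001"),
    ("employee", "E-233", "01800000002"),
    ("wallet", "W-9002", "1800000002"),
    ("wallet", "W-9003", "+8801800000002"),
    ("vendor", "V-305", "02-5555555"),       # landline: not a mobile, ignored
    ("employee", "E-410", "01900000003"),    # appears once: no link
]


def normalise_bd_mobile(raw):
    """Return +8801XXXXXXXXX for a Bangladeshi mobile number, else None."""
    digits = re.sub(r"\D", "", raw or "")
    if digits.startswith("00"):
        digits = digits[2:]                  # international dialling prefix
    if digits.startswith("880"):
        digits = digits[2:]                  # "8801..." -> "01..."
    elif len(digits) == 10 and digits.startswith("1"):
        digits = "0" + digits                # leading zero dropped by a spreadsheet
    # Assumption: mobiles are 11 national digits with operator prefixes 013-019.
    return "+88" + digits if re.fullmatch(r"01[3-9]\d{8}", digits) else None


def link_parties(records):
    """Group records by normalised phone; keep phones shared by two or more records."""
    index = defaultdict(set)
    for source, rec_id, phone in records:
        key = normalise_bd_mobile(phone)
        if key:
            index[key].add((source, rec_id))
    return {k: sorted(v) for k, v in index.items() if len(v) > 1}


def red_flags(records):
    """Label each shared phone with the red flags it matches."""
    out = {}
    for phone, parties in link_parties(records).items():
        sources = [s for s, _ in parties]
        labels = []
        if "employee" in sources and "vendor" in sources:
            labels.append("employee shares contact with vendor")
        if sources.count("wallet") > 1:
            labels.append("multiple wallets on one phone")
        out[phone] = (labels, parties)
    return out
```

A shared number is a lead to corroborate with documents and interviews, since family members and shared handsets produce innocent matches.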
5) Harassment & workplace conduct
Red flags: repeated complaints about an individual, sudden exits, patterns by shift/department.
Steps
- Trigger Complaint Committee (woman-chaired, external member per court guidance).
- Protect complainant and witnesses; consider interim measures (shift changes, supervisor swap).
- Evidence: messages, CCTV near incident areas, duty rosters.
- Conclude with a reasoned order; discipline proportionate; remedial training.
6) Grey traffic & telecom fraud (for operators/ISPs)
Red flags: abnormal A-to-B ratios, CLI spoofing, international inbound spikes, SIMbox patterns, sender-ID look-alikes.
Steps
- Traffic analytics (CDR/SDR), test call programs, KYC checks on high-usage SIMs, anti-spam throttling.
- Coordinate with interconnect partners; enforce blacklists; document enforcement.
Remediation
- Strengthen RA (revenue assurance), routing tables, SIM lifecycle, and fraud desk staffing.
7) Cyber/data leakage
Red flags: unusual outbound traffic, mass file downloads, credential reuse, vendor remote access at odd hours.
Steps
- Contain (disable accounts, isolate endpoints), image devices, rotate credentials, check logs, identify exfil paths.
- If personal data is involved, trigger data incident SOP (assessment, notifications as required).
Remediation
- MFA everywhere; privileged access management; vendor access segmentation; DLP and CASB; regular phishing drills.
Part H — Working with regulators & law enforcement
- When to notify: If there’s material criminal exposure, significant customer impact, or regulatory reporting triggers (e.g., STRs for AML), brief counsel on whether and when to notify.
- Searches & seizures: Have a dawn-raid SOP: verify warrant/order, call counsel, escort the team, log everything taken/copied, assert privilege, and request sealed copies of digital images.
- Witnesses: Prepare staff; insist on counsel’s presence for formal statements; avoid speculation; correct inaccuracies in writing.
- Media: Centralize comms. No casual quotes. Internal memo first; external messaging vetted by counsel/PR.
Part I — Outcomes & remediation (what “good” looks like)
- Decision memo
  - Facts established; law applied; credibility assessment; financial impact; root causes; disciplinary outcomes; regulator actions taken; recovery actions (clawbacks, claims).
- Control fixes
  - Policy/SOP changes, system rules (e.g., duplicate invoice alerts), vendor contractual re-papering, segregation of duties, new approval matrices.
- Restitution & recovery
  - Demand letters; settlement agreements; insurance notifications (crime policies); civil claims; police complaints if appropriate.
- Training & culture
  - Targeted refreshers for procurement, logistics, finance, supervisors; Bangla-first “what to do when asked for a bribe” scripts.
- Board reporting
  - Quarterly pack: new matters, time to close, substantiation rates, controls fixed, open actions, and trendlines.
Part J — Foreign-investor caution list (Bangladesh-specific)
- “Speed money” is a bribe. There is no legal facilitation exception.
- Third-party risk: Customs brokers, C&F agents, distributors, consultants—run real due diligence (UBO, site visit, references, litigation/blacklist checks).
- Cash & MFS flows: Kickbacks route via mobile wallets; correlate phone numbers and device IDs with employees/vendors.
- Trade corridors: TBML risk around HS codes and price manipulation; insist on independent checks.
- Bonded warehouse: High diversion risk; inventory controls must be tight and audited.
- Shared distributors: High chance of hub-and-spoke info sharing—hard line on competitor data.
- Labour due-process: Don’t terminate without a domestic inquiry; courts punish shortcut discipline.
- POSH compliance: A functioning complaint committee is non-negotiable for buyers and courts.
- Data transfer & privacy: Treat PI and logs sensitively; use proportionate collection; be ready for data-authority scrutiny as rules mature.
- Books & records: No vague GLs (“market development”), no off-book cash, no “marketing services” without outputs.
- Gifts/hospitality: Public officials—extremely conservative; document approvals; pay vendors directly, not per diems.
- Distributor RPM: Don’t police retail prices; focus on quality standards and availability KPIs.
- Call centers: Use licensed routes; avoid grey VoIP.
- IP leakage: Guard tech packs and patterns; lock down supplier access; watermark files.
- Security & safety: Genuine fire drills, PPE, lock-out/tag-out—buyers audit this.
- Speak-up channels: Provide Bangla-language hotline/email/WhatsApp; protect whistleblowers in practice.
- Language & documents: Keep Bangla-English versions of contracts, handbooks, notices; staff must understand them.
- Notarization & stamping: Budget time for certified copies and stamping where needed; courts expect originals or certified dupes.
- Board oversight: Quarterly MI on investigations; audit committee timeboxed remediations.
- Exit strategies: If you must exit a distributor or employee, follow contract + law—notice, cure, inquiry, settlement.
- Dawn-raid readiness: Train reception/security; keep an evidence room; know your counsel’s number.
- Foreign law overlays: FCPA/UKBA risks—ban “success fees” with vague services; structure FMV consulting.
- Charity/CSR: Vet beneficiaries; avoid political or front charities; require reports and photos.
- M&A clean team: No competitively sensitive sharing pre-close; clean team for pricing and customer-level data.
- Travel & security: For sensitive sites or disputes, use security briefings and escorts; never carry original master records off-site without chain-of-custody.
Part K — Toolkits you can copy today
1) Investigation intake form (one page)
- Reporter details (may be anonymous)
- Allegation summary (who/what/when/where)
- Urgency/safety risks
- Systems and people implicated
- Evidence known to exist (chats, documents, CCTV, logs)
2) Legal hold (Bangla + English)
- Clear description of records and dates
- Prohibition on deletion/alteration
- How to preserve chats, phones, laptops, cloud folders
- Contact for questions; acknowledgment required
3) Digital forensics kit list
- Evidence bags and seals; Faraday bags
- Write-blockers; imaging software; hash tools
- External encrypted drives; chain-of-custody forms
- SIM/microSD adapters; device chargers/cables
- Camera and label printer
4) Interview checklist
- Case facts summary; exhibits; witness history
- Neutral opening; rights explanation; interpreter booked
- Specific, time-anchored questions; no leading
- Notes, signatures or audio (with consent)
5) Dawn-raid SOP (wallet card)
- Verify IDs and warrant/order
- Call counsel and investigations lead
- Escort officials; allocate a room; log copies/seizures
- Assert privilege; request sealed images
- No deletion, no obstruction, no speculation
6) Third-party due-diligence questionnaire (top items)
- Legal name, address, TIN/BIN; trade licence
- Directors/UBOs; PEP links; bank account in same legal name
- Litigation/blacklist/debarment checks
- References; premises photos; staff list
- Scope, deliverables, and fee basis (no success fees without outputs)
Part L — 30/60/90-day program to professionalize investigations
Days 1–30 — Stabilize
- Approve the Investigation Charter; nominate the Investigations Lead.
- Launch a Bangla-English speak-up channel and anti-retaliation notice.
- Draft legal hold templates; run a tabletop on evidence preservation.
- Create a case register with role-based access and chain-of-custody module.
- Pick external providers (forensics, translators, PR) under master terms.
Days 31–60 — Institutionalize
- Train HR, Finance, Procurement, IT, Security on intake and preservation.
- Publish interview and BYOD protocols.
- Install analytics for AP/GL (duplicates, round sums, split POs).
- Run third-party due diligence on top 50 vendors/agents by risk/spend; re-paper contracts (audit rights, ABC, AML, termination).
- Write the dawn-raid SOP; drill reception/security.
Days 61–90 — Assure
- Close two test matters end-to-end (documentation gold standard).
- Present the board dashboard: caseload, closure time, substantiation rate, recoveries, control fixes.
- Launch targeted trainings: procurement integrity, trade red flags, POSH investigator skills.
- Integrate investigations MI into enterprise risk and internal audit plans.
Part M — Board dashboard (quarterly)
- New matters opened/closed; average time to close
- Substantiation rates by category (procurement, trade, payroll, POSH, cyber)
- Financial impact and recoveries; insurance claims lodged
- Disciplinary outcomes; litigation filed/settled
- Control fixes shipped and verified; repeat-finding rate
- Third-party DD status; high-risk partner monitoring
- Dawn-raid drills; data incident tabletop results
- Speak-up volumes, anonymous %, retaliation cases (target: zero)
- Training completion for investigators and line managers
Part N — Fast FAQs
Can we copy employee WhatsApp chats on personal phones?
Only with lawful basis and in line with your policy (e.g., BYOD consent) and proportionality. Prefer targeted exports over full device images. In sensitive cases, seek employee consent or use work-managed apps.
Do we have to tell the ACC immediately about bribery allegations?
Not automatically. Assess credibility and evidence quickly under counsel. If substantiated or if there’s immediate public risk, design a regulator engagement plan. Maintain evidence integrity at all times.
Can we dismiss without inquiry if theft seems obvious?
No. Bangladesh labour law expects due process. Conduct a domestic inquiry and issue a reasoned order, or you risk reinstatement with back pay.
How do we handle vendors threatening to “expose” us if we terminate them?
Stick to contracts and facts. Document breaches, issue cure notices, and terminate per terms. Have litigation and PR plans ready; never pay hush money.
What about moving evidence out of Bangladesh for review?
Minimize personal data exports; anonymize where possible; use secure channels and logs; check contractual and regulatory duties before transfer.
Part O — The TRW advantage (how we help end-to-end)
- Rapid response: 72-hour containment, legal holds, device and cloud preservation, chain-of-custody.
- Forensics & analytics: mobile/chat/email/ERP imaging; AP/GL and trade analytics; MFS flow mapping; link analysis.
- Investigations: interviews (Bangla/English), documentary tests, reconstruction, quantification, and narrative.
- Regulator strategy: ACC/central bank/securities/tax engagement; dawn-raid defense; disclosure or settlement pathways.
- Remediation: policy/SOP rebuilds, vendor re-papering, control fixes, trainings, and board MI.
- Cross-border: FCPA/UKBA alignment, privacy-aware collections, and global reporting packs for HQ.
Contact TRW Law Firm
Phones: +8801708000660 · +8801847220062 · +8801708080817
Offices: Dhaka — House 410, Road 29, Mohakhali DOHS • Dubai — Rolex Building, L-12 Sheikh Zayed Road
Final word
Great investigations are operational systems, not heroic one-offs. In Bangladesh, that means (1) lawful evidence, (2) clean interviews, (3) forensic accounting that sees both bank and mobile money, (4) respect for labour due-process, and (5) control fixes that stop repeat incidents. Put this playbook in motion, and your investigations will be fast, fair, and defensible—at home and in front of any regulator or court.
