In the sometimes complex arrangements between financial institutions and their hired compliance advisors, one ambiguity consistently eludes the legalese of contracts: what can be said in e-mails without landing the firms in hot water? A string of enforcement actions by the New York State Department of Financial Services (NYSDFS) and a recent circuit court decision have underscored the question, which remains unresolved by case law in large part because companies historically have opted to waive attorney-client and work-product protections in the face of investigatory or regulatory scrutiny. The question of when federal agencies have the authority to penetrate attorney-client privilege...