Officials with the U.S. Department of Justice have portended a sea change in the oversight responsibilities of chief compliance officers (CCOs) as it concerns corporate resolutions going forward.
In public remarks made March 22, Assistant Attorney General Kenneth Polite announced that for all corporate resolutions going forward—including guilty pleas, deferred prosecution agreements, and non-prosecution agreements—CCOs and chief executive officers (CEOs) must “certify at the end of the term of the agreement that the company’s compliance program is reasonably designed and implemented to detect and prevent violations of the law—based on the nature of the legal violation that gave rise to the resolution, as relevant—and is functioning effectively.”
Polite added that in certain resolutions, additional certification language may be required. “When a company is required to provide annual self-reports on the state of their compliance programs, we will consider requiring the CEO and the CCO to certify that all compliance reports submitted during the term of the resolution are true, accurate, and complete,” he stated.
As a former CCO himself, Polite said the intent of the certification requirement is to empower CCOs and ensure they have “true independence, authority, and stature within the company.” He added that the certification requirement ensures CCOs “receive all relevant compliance-related information and can voice any concerns they may have prior to certification.”
Some in the compliance community have expressed skepticism, however, fearing it could increase the risk of personal liability. What is a CCO to do, for example, in circumstances when senior leadership insists on overriding the CCO and hiding compliance deficiencies or misconduct?
“When a CCO is the only person standing in the way of the company being freed from DOJ supervision, there is enormous pressure to certify, regardless of how the CCO feels about the program,” said Hui Chen, the first-ever compliance counsel expert at the Department of Justice and now a senior advisor at R&G Insights Lab. “CCOs may very well be facing the choice of ‘sign or leave.’”
Certification Case Study: Glencore
The Justice Department already has demonstrated how it intends to use the certification requirement. The $1 billion global resolution and plea agreement that mining company Glencore reached with U.S., U.K., and Brazilian enforcement authorities in May marked the first ever resolution in which the Justice Department used the certification requirement language in resolution papers with a company.
Many in the compliance profession are already quite familiar with “Attachment C,” which outlines in corporate resolution agreements the minimum requirements of a compliance program. Glencore’s plea agreement is the first, however, to include “Attachment H,” the compliance certification.
Attachment H requires that Glencore’s CEO and head of compliance certify that the company’s anti-corruption compliance program is “reasonably designed to detect and prevent violations of the Foreign Corrupt Practices Act and other applicable anti-corruption laws throughout the company’s operations.”
Said Hui, “The certification language is fairly broad, particularly the language stating the compliance program be ‘reasonably designed and implemented to detect and prevent violations…throughout the company’s operations.’ Particularly for larger companies, that would be an ambitious statement to make.”
As Glencore’s resolution further demonstrates, even resolutions that install an independent compliance monitor will require the CCO and CEO certifications. The difference, however, is “the independent monitor isn’t certifying under penalty of perjury,” said Amy Schuh, a former chief ethics and compliance officer and now a partner at Morgan Lewis. The monitor effectively is attesting to the Justice Department in the form of a report, not a certification, whether the company has met all the requirements in Attachment C.
Glencore declined comment.
In addition to gray areas surrounding the certification language itself, lack of certainty concerning the circumstances under which a CCO could face individual criminal liability is also creating a healthy amount of concern among those in the compliance profession.
Reiterating public remarks made by David Last, head of the Justice Department’s Fraud Unit, at a June 14 International Bar Association event, Schuh said prosecution presumably would be reserved for cases in which a CCO or CEO made a certification that was “knowingly untrue, that they were lying when they signed it.”
That would then constitute making a false statement in violation of 18 U.S.C. 1001. On the other hand, if the certification is made in good faith, that should put the CCO in a better position with the Justice Department, Schuh said.
A lot will depend on factual elements, particularly intent, Hui said. “Because there is no consistent standard, simply showing the CCO knew about some insufficiencies of the program might not be sufficient,” she said. “Who is to say how many problems actually constitute not ‘reasonably designed and implemented to prevent and detect violations…throughout the company’s operations?’”
Steps to mitigate personal liability
“A CCO needs, at least, measurable evidence of effectiveness on every component of the program,” Hui said. “For example, evidence that training is effective in changing behavior would entail measurements of specific behavior before and some period after training. To simply show that training took place would be insufficient. It has to show it accomplished something toward preventing and detecting corruption—and keep in mind, this certification requirement applies to a wide variety of cases beyond anti-corruption violations.”
On some level, with all the guidance documents available to CCOs, there are no secrets concerning the government’s expectations of a ‘reasonably designed’ compliance program, Schuh said. For example, in addition to Attachment C in corporate resolutions, CCOs also have as a framework the agency’s “Evaluation of Corporate Compliance Programs” and the FCPA Resource Guide.
Moreover, companies that are engaging in resolution talks with the government have already identified the misconduct at issue, presented their compliance program, and mapped out any necessary enhancements moving forward, and likely have done so in conjunction with counsel, Schuh said. All those discussions and ongoing reporting obligations present an opportunity for the CCO and the business to ensure their understanding of a “reasonably designed” compliance program aligns with the government’s interpretation and expectations of a “reasonably designed” compliance program, she said.
As with Sarbanes-Oxley (SOX)-specific compliance controls, various business units across a company—legal, finance, audit, human resources, procurement, sales operations, and management—all play a role and are accountable for maintaining a robust global corporate compliance program. With that in mind, CCOs moving forward may want to consider “setting up some kind of sub-certification process, akin to SOX certification,” Schuh said.
In practical terms, this means making those who are accountable for internal controls designed to help the company prevent and detect corrupt behavior attest that the controls have been implemented, tested, and are effective. That way, the CCO can then rely on those sub-certifications as part of the compliance program, even before being subject to a certification requirement if ever faced with one.
“That would mean you have a really robust, attested program,” Schuh said. “That’s like the Cadillac of programs, but I think that’s the reality for companies that have to sign these certifications.”