Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.
Stories we are following in today’s edition of Daily Compliance News:
Over this short blog post series I have been exploring the original Caremark and Stone v. Ritter decisions from the Delaware Supreme Court. The former decision was released in 1996 and the latter, some ten years later in 2006. The original Caremark decision laid the foundation for the modern obligations of Boards of Directors in oversight of compliance in general and a company’s risk management profile in particular. Stone v. Ritter confirmed the ongoing vitality of the original Caremark decision. In Part 1, we reviewed the underlying facts of the Caremark decision and in Part II, we considered the court holdings and rationales in Caremark and Stone v. Ritter. Today, I want to review what those decisions mean for today’s Board of Directors, Chief Compliance Officer (CCO) and compliance professional.
Bribery, Fraud and Corruption
One of the things that struck me about both decisions was how timely the underlying facts were. In Caremark, a 1996 decision with the corruption going back into the 1980s, the case involved a company which provided patient care and managed care services and a substantial part of the revenues generated by the company was derived through third party payments, insurers, and Medicare and Medicaid reimbursement programs. Medicare and Medicaid payments were governed under the Anti-Referral Payments Law (“ARPL”) which prohibited health care providers (HCPs) from paying any form of remuneration (i.e., kickbacks) to physicians to induce them to refer Medicare or Medicaid patients to Caremark products or services.
To get around this prescription, Caremark entered various contracts for services (e.g., consultation agreements and research grants) with physicians at least some of whom prescribed or recommended services or products that Caremark provided to Medicare recipients and other patients. Moreover, Caremark had a decentralized governance and operational structure which allowed wide latitude to the business units to enter into such agreements without corporate or any centralized compliance or legal oversight. The results were about what you would expect.
In Stone v. Ritter, the AmSouth bank was induced to open a custodial account for two investment advisers who induced some 40 investors into a fraudulent investment, involving the construction of medical clinics overseas, by misrepresenting the nature and the risk of that investment. The bank provided custodial accounts for the investors and to distribute monthly interest payments to each account upon receipt of a check from the investment advisors. The scheme went on for about two years before the sapped investors stopped getting paid and began to contact the bank.
Federal bank examiners examined AmSouth’s compliance with its reporting and other obligations under the Bank Secrecy Act (BSA). AmSouth “entered into a Deferred Prosecution Agreement (“DPA”) in which AmSouth agreed: first, to the filing by USAO of a one-count Information in the United States District Court for the Southern District of Mississippi, charging AmSouth with failing to file SARs; and second, to pay a $40 million fine. In conjunction with the DPA, the USAO issued a “Statement of Facts,” which noted that although in 2000 “at least one” AmSouth employee suspected that Hamric was involved in a possibly illegal scheme, AmSouth failed to file SARs in a timely manner.” From my reading of these facts, it appears that there was ample evidence an illegal scheme was ongoing, and a Suspicious Activity Report (SAR) should have been filed. As with the underlying facts of Caremark, the underlying facts of Stone v. Ritter are still the basis for enforcement actions today.
Caremark – The Evolution of Board Duties
To create the modern Caremark Doctrine the Delaware Supreme Court had to overcome prior existing Delaware law regarding the board’s obligations. That decision from 1963, is known as Allis-Chalmers, addressed the question of potential liability of board members for losses experienced by the corporation as a result of the corporation having violated US antitrust laws. There was no claim in that case that the directors knew about the behavior of subordinate employees of the corporation that had resulted in the liability.
Rather, the claim asserted was that the directors ought to have known of it and if they had known they would have been under a duty to bring the corporation into compliance with the law and save the corporation from the loss. In Allis-Chalmers the Court found “absent cause for suspicion there is no duty upon the directors to install and operate a corporate system of espionage to ferret out wrongdoing which they have no reason to suspect exists.” As there were no grounds for suspicion in by the board, the directors were blamelessly unaware of the conduct leading to the corporate liability.
The Court found that the obligations for a board had evolved significantly from 1963, most notably in three areas. First, in the area of corporate takeovers, the court viewed “the seriousness with which the corporation law views the role of the corporate board.” The second area was the recognition as an “essential predicate for satisfaction of the board’s supervisory and monitoring role under Section 141 of the Delaware General Corporation Law.” The third and final change was the 1992 US Sentencing Guides and the “potential impact of the federal organizational sentencing guidelines on any business organization. Any rational person attempting in good faith to meet an organizational governance responsibility would be bound to take into account this development and the enhanced penalties and the opportunities for reduced sanctions that it offers.”
To effectuate this change, the court stated “I am of the view that a director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.” Moreover, “it is important that the board exercise a good faith judgment that the corporation’s information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner as a matter of ordinary operations, so that it may satisfy its responsibility.”
Conclusion
It is this final language which forms the basis of the modern Caremark Doctrine. There has been expansion of the Doctrine from this basic language over the past 25 years. Hopefully every board is aware of their obligations and are actually meeting them. However, every CCO and compliance professional needs to make the board aware of its Caremark obligations and then educate them on how to fulfill those obligations.
The next case on the Board’s obligations regarding compliance oversight is Hughes v. Hu. In this case, the plaintiffs’ claimed that the director defendants consciously failed to establish a system of oversight for financial statements and related-party transactions, “choosing instead to rely blindly on management while devoting patently inadequate time to the necessary tasks.” According to the plaintiffs’ assertions the defendants “breached their fiduciary duties by willfully failing to maintain an adequate system of oversight, disclosure controls and procedures, and internal controls over financial reporting.” Additionally, “The board of a Delaware corporation has a fiduciary obligation to adopt internal information and reporting systems that are ‘reasonably designed to provide to senior management and to the board itself timely, accurate information sufficient to allow management and the board, each within its scope, to reach informed judgments concerning both the corporation’s compliance with law and its business performance’.”
The audit committee failed to meet often as required and when they met, the meetings were short and failed to devote adequate time and attention to the issues, especially in light of the known internal control issues. In addition, the audit committee frequently acted through written consent as opposed to addressing issues during in-person meetings. The outside auditor failed to report on key issues and when it did so, the audit committee failed to respond or follow up.
The court noted, “directors face a substantial threat of liability under Caremark if “(a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.” For both potential sources, “a showing of bad faith conduct . . . is essential to establish director oversight liability.” A plaintiff establishes bad faith by “showing that the directors knew that they were not discharging their fiduciary obligations. Generally where a claim of directorial liability for corporate loss is predicated upon ignorance of liability creating activities within the corporation . . . only a sustained or systemic failure of the board to exercise oversight . . . will establish the lack of good faith that is a necessary condition to liability.” [citations omitted]
Moreover, “a director may be held liable if she acts in bad faith in the sense that she made no good faith effort to ensure that the company had in place any ‘system of controls.’” Significantly directors must “design context- and industry-specific approaches tailored to their companies’ businesses and resources.” Caremark also mandates “a bottom-line requirement that is important: the board must make a good faith effort—i.e., try—to put in place a reasonable board-level system of monitoring and reporting.” Finally, a Caremark claim can be stated by alleging that “an audit committee that met only sporadically and devoted patently inadequate time to its work, or that the audit committee had clear notice of serious accounting irregularities and simply chose to ignore them or, even worse, to encourage their continuation.”
What the court found was that the Company’s Audit Committee met sporadically, devoted inadequate time to its work, “had clear notice of irregularities, and consciously turned a blind eye to their continuation. As detailed in the Factual Background, the Company suffered from pervasive problems with its internal controls, which the Company acknowledged in March 2014 and pledged to correct. Yet after making that commitment, the Audit Committee continued to meet only when prompted by the requirements of the federal securities laws. When it did meet, its meetings were short and regularly overlooked important issues.”
For example, in May 2014, the Audit Committee convened for the first time after disclosing two months earlier that its “disclosure controls and procedures were not effective as of December 31, 2013, due to a material weakness.” The meeting lasted just forty-five minutes. During that time, the Audit Committee purportedly reviewed new agreements governing the Company’s related-party transactions with Kandi USA. Neither the agreements nor the review procedures were produced in response to the plaintiff’s demand for books and records, supporting a reasonable inference that they either did not exist or did not impose meaningful restrictions on the Company’s insiders. Three weeks later, the Audit Committee purportedly reviewed and approved a new policy that management had prepared governing related-party transactions. The Company also did not produce this policy in response to the plaintiff’s demand for books and records, supporting a reasonable inference that it too either did not exist or did not impose meaningful restrictions on the Company’s insiders.
After 2014, the Audit Committee did not meet again for almost an entire year. The committee next convened in March 2015, “spurred by the need to review the Company’s financial results for purposes of the 2014 10-K. The meeting lasted only fifty minutes. During this time, the Audit Committee ostensibly discussed the financial results and purportedly approved a new policy that management had prepared to govern related-party transactions involving the Joint Venture. It is reasonable to infer that the policy did not place meaningful restrictions on management and that the Audit Committee failed to establish its own monitoring system for related-party transactions. It is also reasonable to infer that during this fifty-minute meeting, the Audit Committee could not have fulfilled its responsibilities under the Audit Committee Charter for purposes of nearly a year’s worth of transactions.” The Audit Committee again did not meet for almost an entire year, not meeting until March 2016, again spurred by the need to review the Company’s financial results for purposes of the 2015 10-K. This meeting lasted just thirty minutes.
These chronic deficiencies support a reasonable inference that the Company’s Board of Directors, acting through its Audit Committee, failed to provide meaningful oversight over the Company’s financial statements and system of financial controls. Despite identifying Yu and Lewin as Audit Committee Financial Experts in 2015, the Company later disclosed in the 2016 10-K that it lacked personnel with sufficient expertise on US GAAP and SEC disclosure requirements for equity investments and related-party transactions. The directors charged with implementing a system to oversee the Company’s financial reporting thus lacked the expertise necessary to do so all along. Instead, the Audit Committee deferred to management, which dictated the policies and procedures for reviewing related-party transactions and hired and fired the Company’s auditor, even though management’s actions suggested that it was either incapable of accurately reporting on related-party transactions or actively evading board-level oversight.
The defendants alleged that the Company had the trappings of oversight, “including an Audit Committee, a Chief Financial Officer, an internal audit department, a code of ethics, and an independent auditor.” A plaintiff cannot meet its Caremark burden by pleading that board-level monitoring systems existed but that they should have been more effective. The Court found the plaintiffs’ allegations supported inferences that the Board members did not make a good faith effort to do their jobs. The Court stated, “The Audit Committee only met when spurred by the requirements of the federal securities laws. Their abbreviated meetings suggest that they devoted patently inadequate time to their work. Their pattern of behavior indicates that they followed management blindly, even after management had demonstrated an inability to report accurately.”
An Audit Committee can rely in good faith upon reports by management and other experts. In doing its job, the members of an Audit Committee will necessarily rely on management. But Caremark envisions some degree of board-level monitoring system, not blind deference to and complete dependence on management. The board is obligated to establish information and reporting systems that “allow management and the board, each within its own scope, to reach informed judgments concerning both the corporation’s compliance with law and its business performance.”
Finally, the Board never established its own reasonable system of monitoring and reporting, choosing instead to rely entirely on management. There were no Board meeting minutes to support the company’s rebuttals. As the Court noted, “The absence of those documents is telling because “[i]t is more reasonable to infer that exculpatory documents would be provided than to believe the opposite: that such documents existed and yet were inexplicably withheld.”” The documents that the Company produced indicated that the Audit Committee never met for longer than one hour and typically only once per year. Each time they purported to cover multiple agenda items that included a review of the Company’s financial performance in addition to reviewing its related-party transactions. On at least two occasions, they missed important issues that they then had to address through action by written consent. Clearly, the Board was not fulfilling its oversight duties.
The Hughes Court further delineated a Board’s obligations under Caremark. It cannot simply have the trappings of oversight, it must do the serious work required and have evidence of that work (Document, Document, and Document). Marchand required Boards to manage the risks their organizations face. Clovis Oncology requires ongoing monitoring by the Board. Hughes stands for the proposition that have the structures, policies and procedures in place is not enough. The Board must fully engage in oversight of a compliance program.
