Categories
Blog

Caremark as a Strategic Framework: Compliance Strategy for Business Executives

In a surprise to no one who has been watching, a group of institutional investors has filed suit against Boeing for another set of Caremark violations. I wrote about this eventuality back last summer around the court case the (then) Department of Justice (DOJ) brought against Boeing for violating its DPA around the 737Max crashes. I was therefore intrigued to see a new article looking at the Caremark Doctrine, entitled Caremark’s Fractured State by Itai Fiegenbaum.

The Caremark Doctrine has long been the bedrock of board-level oversight in corporate compliance, yet its application remains a subject of intense debate. Originally framed as a duty of care, Caremark obligations have since developed into a duty of loyalty, placing an increased burden on directors to monitor corporate compliance proactively. Through the 2018 ruling in Marchand v. Barnhill, the Delaware courts have reinforced that directors can be liable for failures in “mission-critical” areas. However, as this Fiegenbaum explores, the Caremark standard is far from universally applied across U.S. jurisdictions, leaving compliance officers and business executives with an uneven playing field.

Understanding the Caremark framework and its implications for corporate oversight is critical for compliance professionals. This article unpacked the evolution of Caremark, its inconsistent application outside Delaware, and how compliance strategies must adapt to varying levels of director accountability.

I. The Strategic Compliance Takeaways from Caremark’s Evolution

1. Compliance as a Board-Level Obligation

At its core, Caremark establishes that directors must ensure robust compliance systems are in place and actively monitored. This proactive duty means that corporate compliance is not just a legal safeguard but a strategic necessity. Boards that fail to implement adequate monitoring systems—or ignore known compliance risks—face potential liability. In today’s regulatory climate, companies cannot afford a passive approach to compliance oversight.

2. The Expanding Definition of Oversight Risk

Delaware courts have broadened their view of what constitutes a director’s duty under Caremark. The March decision, for example, held that directors overseeing “mission-critical” aspects of a business (such as food safety for an ice cream manufacturer) are presumed to have higher oversight obligations. This shift suggests that compliance programs must be tailored to each company’s core risks. Compliance officers should prioritize risk assessments that align with the company’s industry and regulatory landscape, ensuring that high-risk areas receive enhanced scrutiny.

3. Lessons from the Jurisdictional Divide

While Delaware leads in developing oversight liability, nearly half of U.S. jurisdictions provide directors with broader legal protection, making Caremark-based claims difficult to sustain. In many states, exculpation provisions shield directors from oversight liability unless they act intentionally. This discrepancy underscores the need for compliance teams to be well-versed in jurisdiction-specific director liability standards. Companies incorporated outside of Delaware should not assume they are insulated from oversight risk—regulators and investors are increasingly scrutinizing board-level compliance failures, regardless of legal precedent.

II. Strengthening Compliance Programs in Light of Caremark

1. Building a Proactive Compliance Framework.

Given the heightened expectations of board oversight, companies must establish rigorous compliance frameworks that extend beyond minimum regulatory requirements. A robust compliance strategy should include:

Board-Level Training. Directors must be educated on their Caremark duties and understand their personal liability risks. Compliance officers should facilitate ongoing training on emerging regulatory risks and enforcement trends.

Risk-Based Monitoring. Compliance should not be a one-size-fits-all approach. Companies must identify mission-critical areas and allocate resources accordingly.

Whistleblower and Incident Reporting Systems. Companies must ensure that directors receive timely, credible information on compliance failures. This means strengthening internal reporting mechanisms and providing whistleblower protections are in place.

2. Data-Driven Compliance Monitoring.

The Caremark Doctrine has also emphasized the importance of data-driven oversight. Boards cannot exercise proper oversight without access to meaningful compliance data. Companies must:

  • Leverage analytics to detect anomalies in high-risk areas, such as supply chain transactions, financial reporting, and regulatory disclosures.
  • Implement dashboards that provide directors with real-time compliance insights.
  • Internal audits should be conducted to assess compliance program effectiveness and identify gaps before they escalate into enforcement actions.

III. The Compliance-Board Partnership: Closing the Oversight Gap 

1. Integrating Compliance into Corporate Strategy

One of the most significant lessons from Caremark is that compliance must be embedded into overall business strategy. Boards and executives should move beyond viewing compliance as a reactive function and instead treat it as a key driver of business sustainability. Compliance teams should work closely with legal and operational leadership to ensure that:

  • Compliance is integrated into strategic decision-making, particularly in areas with heightened regulatory risk.
  • Board members actively engage in compliance discussions rather than relying solely on quarterly reports.
  • Directors have direct access to compliance officers and internal audit teams to stay informed about emerging risks.

IV. Mitigating Personal and Corporate Risk

For boards, compliance failures are not just a corporate risk but a personal liability risk. Directors and executives should take steps to protect both the company and themselves by:

  • Ensuring robust documentation of compliance efforts. Regulators and courts expect clear evidence of proactive compliance oversight.
  • Regularly reviewing and updating governance policies. Compliance obligations evolve with regulatory shifts, and boards must stay ahead of these changes.
  • Engaging external compliance experts when necessary. Outside counsel or compliance specialists can provide critical insights, particularly in highly regulated industries.

V. The Future of Caremark: Compliance in an Evolving Legal Landscape 

The Caremark standard will continue to evolve as courts and regulators refine expectations for board oversight. Companies should prepare for:

Stronger enforcement actions against directors for compliance failures in mission-critical areas. This trend is relevant to the healthcare, finance, and technology industries, where regulatory expectations are intensifying.

More aggressive shareholder litigation. Investors increasingly use Caremark claims to hold directors accountable for compliance missteps, particularly in ESG-related areas.

Greater emphasis on cybersecurity and data governance. As regulators focus on data privacy and cybersecurity breaches, boards must ensure they are actively monitoring these risks.

VI. Turning Compliance into a Strategic Asset

For business executives, Caremark should not be viewed solely as a legal doctrine but as a strategic framework for strengthening corporate oversight and resilience. Companies that proactively embrace compliance as a board-level priority will reduce regulatory risk and enhance investor confidence, corporate reputation, and long-term business sustainability.

The key takeaway? Compliance is no longer optional. It is a fundamental component of responsible corporate governance, and boards that fail to adapt face increasing legal, financial, and reputational consequences. Compliance professionals must take the lead in bridging the oversight gap, ensuring that directors are equipped to meet their evolving fiduciary responsibilities in a complex regulatory landscape.

Categories
Blog

Caremark Claims: A Compliance Professional’s Guide to the Shifting Landscape

For decades, Delaware courts famously described Caremark claims alleging breaches of the duty of oversight as “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.” Yet recent legal developments have shown that while Caremark claims remain challenging, they are no longer insurmountable. Cases like Marchand v. Barnhill) and the Boeing 737 Max shareholder derivative lawsuit have demonstrated that boards of directors are not immune from liability when they fail to fulfill their oversight responsibilities.

As we head into 2025, compliance professionals must stay attuned to the evolving dynamics of oversight duty claims. Today, we consider the current state of Caremark litigation, the implications of recent case law, and emerging areas such as cybersecurity, ESG, and AI that could generate oversight liability in the future.

A Historical Shift: From Rare Wins to Increased Viability

Historically, Caremark claims were long shots for plaintiffs. Courts typically set an extremely high bar, requiring claimants to demonstrate that directors acted in bad faith by consciously ignoring red flags or failing to implement compliance systems. However, recent decisions have opened the door for such claims, particularly in cases involving egregious governance failures.

The Boeing case was one of the most striking examples of a Caremark claim. It involved the two Boeing 737 Max plane crashes, which were catastrophic crashes tied to governance and oversight failures. The case survived a motion to dismiss and eventually settled for $237.5 million, funded entirely by D&O insurance. Next was Walmart’s Opioid case, which was also resolved in 2024. In this matter, Walmart’s Board of Directors faced a shareholder derivative claim, alleging breaches of the duty of oversight about the opioid crisis. The case settled for $123 million, showing that courts will entertain Caremark claims when systemic failures result in significant harm. These high-profile cases have emboldened plaintiffs and raised alarms in Delaware courts, leading to a noticeable backlash in recent decisions.

A Backlash Emerges: Delaware Courts Reassert a High Bar 

The Delaware Chancery Court, which has long been a guardian of corporate governance law, has recently pushed back against what it views as an overextension of Caremark claims. Since 2023, we have seen three notable cases that highlight this skepticism. The first was the Segway case from 2023. In this decision, the Court dismissed claims against the board, emphasizing that liability requires a “red line” of bad faith—an extremely high standard that most claims fail to meet.

Next was the Walgreens Boots Alliance matter from 2024. In this decision, the Court criticized the “proliferation” of oversight lawsuits, warning that every time a company experiences an adverse event, reflexive filings could do more harm than good. Finally, there was the Centene matter, also from 2024: In Bricklayers Pension Fund v. Brinkley, Vice Chancellor Morgan Zurn dismissed oversight claims, finding no evidence that the board consciously disregarded compliance risks. Zurn underscored that “a bad outcome, without more, does not equate to bad faith.” These decisions signal a clear message from Delaware courts: that Caremark claims must meet an exacting standard and that not every adverse outcome shows a breach of oversight duties.

The Federal Courts Enter the Fray  

While Delaware courts tighten their standards, federal courts applying Delaware law have shown a greater willingness to let Caremark claims proceed. Two notable cases from 2024 illustrated this trend. The first was a piece of the long-running Wells Fargo litigation for various actions. In this matter, a federal district court in California allowed claims against Wells Fargo’s board to move forward, citing allegations that directors failed to address discriminatory lending practices. Similarly, a federal court in Illinois sustained claims against Abbott Labs’ Board of Directors for failing to oversee the safety of its infant formula products.

These rulings suggest federal courts may be more receptive to Caremark claims, particularly in cases involving systemic misconduct or significant public harm. While these cases do not have precedential value in Delaware, they can be seen as a roadmap for successful Caremark claims outside the jurisdiction of these two district courts.

The Compliance Implications of Recent Trends

What do all these decisions mean for compliance professionals? In the ever-evolving landscape of oversight liability, the compliance professional has challenges and opportunities. Compliance professionals should proactively identify and address these risks at the board level. There are five areas compliance professionals should focus on.

  1. Active Oversight. The common thread in successful Caremark claims is the board’s failure to actively monitor compliance risks. Compliance officers should ensure that boards are regularly informed about key risks through detailed reports and actively engaged in oversight of high-risk areas, such as product safety, regulatory compliance, and ethical conduct.
  2. Document Document Document. Your Board’s efforts to oversee compliance systems and address red flags that rise to the Board level. Boeing shows that the absence of documented board actions can be devastating in litigation. Compliance teams should work with corporate secretaries to: a.) Ensure board minutes reflect meaningful discussions about compliance risks. b.) Record follow-ups on identified issues to demonstrate a proactive approach.
  3. Emerging Risks. There are a variety of areas that are ripe for future Caremark claims. These areas include cybersecurity, as Boards that fail to oversee cyber risk management could face liability after a data breach. ESG is still a business imperative, even if the incoming Administration is antithetical to it. Environmental and social failures, such as ignoring climate risks or fostering discriminatory practices, may trigger oversight claims. Finally, AI governance will be at the forefront of many compliance professionals’ minds. As AI adoption accelerates, Boards must ensure compliance with developing regulations and ethical standards.
  4. Federal Courts. The divergence between Delaware and federal courts applying Delaware law complicates the oversight liability landscape. Compliance teams should monitor cases in both jurisdictions and adapt their strategies accordingly.
  5. Insurance and Indemnification. Given the financial stakes in Caremark litigation, robust Directors and Officers (D&O) insurance is essential. Compliance teams should work on reviewing D&O policies to ensure they provide adequate coverage for oversight claims. You should also collaborate with legal and risk management teams to understand policy exclusions and coverage limits.

A Call to Action for Compliance Professionals  

The shifting dynamics of Caremark claims underscore the critical role compliance professionals play in supporting board oversight. To strengthen your organization’s oversight framework:

  1. Educate the Board by providing regular training on directors’ fiduciary duties, focusing on their oversight obligations.
  2. Enhance reporting by developing dashboards and reports that give the board a clear view of compliance risks and mitigation efforts.
  3. Promote a culture of accountability by working with senior leadership to embed compliance into the organization’s culture and ensure that issues are addressed at every level.

While recent Delaware decisions have reaffirmed the difficulty prevailing in Caremark cases, high-profile settlements and federal court rulings indicate that oversight liability remains a growing risk. Compliance professionals must stay vigilant, ensuring their boards are well-equipped to meet their oversight responsibilities.

By focusing on proactive risk management, thorough documentation, and emerging risks like cybersecurity and AI, compliance teams can help their organizations navigate the complex oversight landscape. The stakes are high, but so are the opportunities to build stronger, more resilient governance frameworks.

As Kevin LaCroix has noted, “The bottom line is that notwithstanding recent Delaware Chancery Court skepticism toward a breach of the duty of oversight claims, there is life for these kinds of suits, at least in some cases—including in cases filed outside of the Delaware state courts.”

Categories
Blog

TD Bank, Part 7 – Caremark Claims – Officers

Next, I explore the TD Bank AML/BSA enforcement action by looking at the expansion of the Caremark Doctrine. In the McDonald’s case, the Delaware Court of Chancery took the Caremark Doctrine further by applying the Duty of Loyalty to officers and Directors. In that case, styled In re McDonald’s Corporation Stockholder Derivative Litigation (McDonald’s herein), the Delaware Court of Chancery for the first time extended the Caremark Duty to officers, in addition to Directors. Here, the Court stated, “Diverse authorities indicate that officers owe a fiduciary duty of oversight as to matters within their areas of responsibility. Those authorities include the reasoning of the original Caremark opinion, the Delaware Supreme Court’s holding that the duties of officers are the same as those of directors, decisions from other jurisdictions and academic commentary, and the additional duties that officers owe as agents. This decision confirms that officers owe a duty of oversight.”

Expansion of Caremark to Officers

Caremark created an affirmative duty for the Board to engage in oversight. The Caremark court formulated a “more functional terminology that species of claim can be called an “Information- Systems Theory” of Board liability, also known as “Prong-One” Board liability. In this case, a plaintiff typically pleads a ‘Red Flag Theory’ or Prong-Two Caremark claim by alleging that the board’s information systems generated red flags indicating wrongdoing and that the directors failed to respond. In McDonald’s, the Court expanded both Prong-One and Prong-Two liability to officers.

The Court of Chancery listed three key sources for expanding this duty from Boards to officers.

  1. Management runs a company. While the Board oversees management, “most corporations are managed ‘under the direction of’ the board.” However, “the officers are charged with, and responsible for, running the corporation’s business.” Therefore, “Because of this reality, “[m]onitoring and strategy are not exclusively the dominion of the board. Nondirector officers may be more capable of making oversight and strategic decisions daily.”
  2. Boards depend on information from management. Here, the court noted that “For relevant and timely information to reach the board, the officers who serve as the day-to-day managers of the entity must make a good faith effort to ensure that information systems are in place so that the officers receive relevant and timely information that they can provide to the directors.” From this, “it follows that officers must have a duty to make a good faith effort to establish an information system as a predicate to fulfilling their obligation to provide information to the board.”
  3. Compliance systems are required under the USSG. The US Sentencing Guidelines (USSG) mandate that “high-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline.” This requirement includes, “Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.” The USSG goes on to define an organization’s “high-level personnel as “individuals who have substantial control over the organization or who have a substantial role in the making of policy within the organization, which includes “a director; an executive officer, an individual in charge of a major business or functional unit of the organization, such as sales, administration, or finance; and an individual with a substantial ownership interest. This has the added benefit of putting compliance professionals directly in the path of liability created by this decision.

Interestingly, even as the Delaware courts had not explicitly expanded the duty of oversight to officers, the court found some support in bankruptcy court decisions. The Delaware court found that Prong-One Information Systems and Prong-Two Red Flag claims were available against officers under certain circumstances. The Delaware court concluded this section: “All preceding authorities start from the premise that officers owe the same duties as directors. Because directors owe a duty of oversight, these authorities reason that officers owe a duty of oversight. That logic is sound.”

The Delaware court also noted that officers have fiduciary duties to the corporation akin to those duties that agents owe their principals. The court pointed to a prior Delaware decision in Hampshire, which “recognized a standard of conduct at the officer level that included a duty to act carefully, loyally, and in good faith to gather and provide information, with the standard of liability for the care dimension of the duty measured by gross negligence. By recognizing the duty to provide information, Hampshire lays the foundation for an officer-level duty consistent with an Information-Systems Theory. The Court also found there is officer accountability to the Board, which supports this extension of the duty of oversight to officers.

Officer Actions

From the Information in the TD Bank matter, we have the following, “During the relevant period, Defendants willfully failed to maintain an adequate AML program at the Bank. At various times, high-level executives including those in Global AML Operations, in senior executive management, and on the TDBUSH Audit Committee—specifically including an individual who became Defendants’ Chief Anti-Money Laundering Officer (“Chief AML Officer”) during the relevant period (Individual-1) and the Bank’s BSA Officer (Individual-2)—knew there were long-term, pervasive, and systemic deficiencies in the Defendants’ U.S. AML policies, procedures, and controls.

 The Defendants did not substantively update the Bank’s automated transaction monitoring system from at least 2014 through 2022— including addressing known gaps and vulnerabilities in the TDBNA’s transaction monitoring program—despite increases in the volume and risk of its business and significant changes in the nature and risk of transactional activity. In addition, during the relevant period, TDBNA monitored only approximately 8% of the volume of transactions because it omitted all domestic automated clearinghouse (“ACH”) transactions, most check activity, and numerous other transaction types from its automated transaction monitoring system.

 Due to this failure, the Bank did not monitor approximately $18.3 trillion in activity between January 1, 2018, and April 12, 2024. At the same time, Bank senior executives repeatedly prioritized the “customer experience over AML compliance. They enforced a budget mandate, referred to internally as a “flat cost paradigm, that set expectations that all budgets, including the AML budget, would not increase year over year.

Is all of this enough to invoke Caremark liability for officers? Perhaps when you consider the additional facts as reported in the Information Bank, senior executives repeatedly prioritized the “customer experience over AML compliance and enforced a budget mandate, referred to internally as a “flat cost paradigm, that set expectations that all budgets, including the AML budget, would not increase year-over-year. The Defendants’ failures to appropriately fund the Bank’s AML program and to adapt its transaction monitoring program resulted in a willfully deficient AML program that allowed three money laundering networks to exploit the Bank and collectively transfer over $670 million through TDBNA accounts. At least one scheme had the assistance of five store insiders at TDBNA.

 At one point, the Information reported that the AML compliance program budget was reduced by 2021 to an amount lower than budgeted for the program in 2018. Further, both the Chief Anti-Money Laundering Officer (“Chief AML Officer”) and the Bank’s BSA Officer (Individual-2) touted their ability to stay within the budgetary constraints in their self-assessments as positive. Finally, Individual-1 referred to the Bank’s “historical underspend on compliance in an email to the Group senior executive responsible for the enterprise AML budget, yet the US-AML budget essentially stayed flat. GAML and US-AML employees explained to the Offices that budgetary restrictions led to systemic deficiencies in the Bank’s transaction monitoring program and exposed the Bank to potential legal and regulatory consequences. In other words, the Bank’s AML officers were well aware of the shortcomings in the Bank’s AML program yet did nothing to remediate or ameliorate these deficiencies.

 The bottom line is that if there is ever going to be a case to validate the expansion of the Caremark Doctrine to include officers, this is likely the case.

Categories
Blog

TD Bank, Part 6 – Caremark Claims – The Board of Directors

Today, I continue my exploration of the TD Bank AML/BSA enforcement action through two of the most significant cases regarding Boards of Directors and corporate compliance: the Caremark and Stone v. Ritter decisions. The former decision was released in 1996, and the latter, some ten years later, in 2006. The original Caremark decision laid the foundation for the modern obligations of Boards of Directors in oversight of compliance in general and a company’s risk management profile in particular. Stone v. Ritter confirmed the ongoing vitality of the original Caremark decision.

Caremark

In Caremark, the Court noted that director liability for a breach of the duty to exercise appropriate attention can come up in two distinct contexts. The first, liability can occur from a board decision that results “in a loss because that decision was ill-advised or “negligent.” In the second, board liability for a loss “may be said to arise from an unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss.”

However, there is a second type of liability that boards can run afoul of under Caremark, and it is the one that seems to be the liability under which most boards are found wanting in successful Caremark claims. It is when “director liability for inattention is theoretically possible to entail  circumstances in which a loss eventuates not from a decision but from unconsidered inaction.” Board obligations had changed, and the Caremark court noted the following: the “obligation to be reasonably informed concerning the corporation, without assuring themselves that information and reporting systems exist in the organization that is reasonably designed to provide to senior management and to the board itself timely, accurate information sufficient to allow management and the board, each within its scope, to reach informed judgments concerning both the corporation’s compliance with the law and its business performance.”

Stone v. Ritter

This case involved money laundering and a bank’s failure to report suspicious activity, which led to an employee running a Ponzi scheme. The bank in question was fined over $40 million. Once again, the plaintiffs needed to be more successful in their claims. The Stone v. Ritter court approved the Caremark Doctrine and further specified that Caremark required a “lack of good faith as a “necessary condition to liability.” It is because the Court was not focusing simply on the results but on the board’s overall conduct “of the fundamental duty of loyalty. It follows that because a showing of bad faith conduct “is essential to establish director oversight liability, the fiduciary duty violated by that conduct is the duty of loyalty.”

The Stone v. Ritter court ended by refining the Caremark Doctrine to define the necessary conditions for director liability under Caremark.

They are:

  1. Directors utterly failed to implement any reporting or information system or controls. This is called a Prong 1 claim or the ‘Information-Systems Theory and
  2. If they have implemented such a system or controls, they have consciously failed to monitor or oversee its operations, thus disabling themselves from being informed of risks or problems requiring their attention. This is called a Prong 2 claim or the ‘Red Flag Theory.’

In either situation, imposition of liability requires a showing that the directors knew they were not discharging their fiduciary obligations. Where directors fail to act in the face of a known duty to act, thereby demonstrating a conscious disregard for their responsibilities, they breach their duty of loyalty by failing to discharge that fiduciary obligation in good faith.

Board AML Obligations

TD Bank’s Board of Directors had a variety of obligations regarding compliance and the bank’s AML program. According to the Information, these duties included:

  1. Supervision and Strategy. The Board oversaw the Group’s overall operations to ensure the effective execution of major strategies and enterprise risk management.
  2. Executive Oversight. The Board is responsible for executive hiring and management and provides leadership across the Group’s subsidiaries.
  3. Internal Controls and Compliance. The Board was mandated to ensure that internal controls were effective and that the Group complied with applicable regulations. It was also mandated to set the tone for corporate integrity and culture and promote a compliance-oriented environment throughout the organization.
  4. Subsidiary Oversight. For TD Bank’s U.S. operations, the Board of TDBUSH was to oversee and monitor the BSA/AML program. They appointed the BSA Officer, were mandated to ensure the program’s effectiveness, and allegedly received regular updates on its performance. (More on this in a later blog.) The board also challenges information and actively participates in risk briefings to understand the program’s risks and controls adequately.

Overall, the Board was accountable for maintaining a strong compliance culture, particularly around AML policies, and ensuring a top-down commitment to these principles. Which, if any, of the above did the TD Bank actually fulfill?

Board Knowledge of AML and Compliance Deficiencies

Over at least eleven years, the Board of Directors at TD Bank Group and its subsidiaries was repeatedly made aware of failures in the Banks’ AML program through several channels. These channels included:

  1. Regulatory Actions. In 2013, enforcement actions by the OCC and FinCEN resulted in a $37.5 million penalty, with the board of TDBNA signing the agreement. The failure to identify $900 million in suspicious activity highlighted concerns about inadequate AML training.
  • Ongoing Audits. Between 2017 and 2020, internal audits identified multiple unresolved AML deficiencies, such as outdated transaction monitoring scenarios and governance issues. The Board was informed of these audit findings and the associated remediation plans.
  1. Third-Party Consultants. Between 2018 and 2021, external consultants flagged key weaknesses, including delays in AML technology upgrades, outdated parameters, and inefficiencies in testing transaction monitoring scenarios. The Board was informed of these reports.
  2. Direct Board Briefings. In 2021, the Boards of TD Bank Group, TDGUS, and TDBUSH were directly briefed on the need for a more adaptive AML framework to address evolving risks, which had yet to be adequately implemented over time.

Despite multiple alerts from regulators, auditors, and consultants, the Board of Directors needed to take sufficient action to resolve the identified deficiencies in the AML program, which led to significant unmonitored customer activity.

The Board and Caremark

As previously noted, the standard for violation of the Caremark Doctrine is one of two potential claims:

  1. Directors utterly failed to implement any reporting or information system or controls. This is called a Prong 1 claim or the ‘Information-Systems Theory and
  2. If they have implemented such a system or controls, they have consciously failed to monitor or oversee its operations, thus disabling themselves from being informed of risks or problems requiring their attention. This is called a Prong 2 claim or the ‘Red Flag Theory.’

It appears that the Board of Directors was well aware of its obligations regarding AML reporting and oversight. Yet, for some reason, the Board failed to act on any of the information presented to it.

Categories
Daily Compliance News

Daily Compliance News: September 25, 2024 – The $11bn Forfeiture Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network.

Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

  • Carolyn Ellison is sentenced to 2 years in prison and forfeits $11 billion. (NYT)
  • Wagner Group used HSBC and JPMorgan for payments. (FT)
  • China probes PVH. (Reuters)
  • Wells Fargo must face a Caremark claim. (Reuters)

Categories
All Things Investigations

All Things Investigations: Episode 38 – CCO Certification – A Better Approach with Kevin Abikoff

In this episode of All Things Investigation, Tom Fox and guest Kevin Abikoff discuss the Department of Justice’s introduction of a CCO certification in the wake of FCPA violations. Kevin offers his unique perspective on this issue; their conversation also explores broader issues of corporate governance and the role of the Board of Directors.

Kevin Abikoff is a Partner and Deputy Chair at Hughes Hubbard & Reed. He is a recognized authority in corporate governance and compliance. 

You’ll hear Tom and Kevin discuss:

  • Kevin questions the necessity of the CCO certification, suggesting it addresses a problem that doesn’t exist, given the absence of complaints from the Department of Justice about dishonesty during monitorships.
  • A more practical approach, Kevin posits, is a certification 12 to 24 months after a monitorship ends to empower CCOs during periods of vulnerability truly.
  • Measuring compliance effectiveness is subjective and may be void of vagueness in a legal context.
  • In the broader realm of corporate governance, the board has a pivotal role in overseeing compliance. Parallels to the Caremark duty and Delaware law are drawn.
  • Kevin raises concerns about the burden on CCOs to assess program effectiveness retrospectively, especially considering the dynamic nature of compliance programs over time.
  • Boards should take responsibility for compliance certifications and should sign off on these certifications, mirroring similar practices in financial reporting.
  • Innovation within compliance may be stymied if CCOs fear that enhancing a program might be used against them in the future, Kevin points out.

KEY QUOTES:

“I’ve just never heard, especially from the context of Chief Compliance Officer, that the DOJ feels like they’re being lied to. If that’s not the problem they’re trying to solve, I think the solution they have paved is, again, a solution in search of a problem that doesn’t exist…” – Kevin Abikoff

“If you’re going to have a certification and you want to empower the chief compliance officer, have the certification twelve months, 24 months after the conclusion of the monitorship and have the CCO certify that they continue to believe that the policies, procedures, things that have been put in place, continue to be in place.” – Kevin Abikoff

“Now what you fail to investigate can kill you.” – Kevin Abikoff

Resources:

Hughes Hubbard & Reed website 

Kevin Abikoff on LinkedIn

Categories
Innovation in Compliance

Building a Stronger Culture of Compliance Through Targeted and Effective Training: Part 5 – The Role of the Board

Welcome to a special 5 part podcast series on building a stronger culture of compliance through targeted and effective training, sponsored by Diligent. Over this series, I will visit with Kunal Agrawal, Director of Customer Success at Diligent; Kevin McCoy, Customer Success Manager at Diligent; Jessica Czeczuga, Director, Compliance and Ethics at Diligent; Andrew Rincón, Client Director at Diligent; and David Greenberg, former CEO and Special Advisor at LRN and Director at International Seaways. Over this series, we will consider the importance of ongoing communications, the value of targeted training, training third parties, and the role of the Board of Directors. In this concluding Part 5, we consider the role of the Board of Directors in a compliance program with David Greenberg.

In this episode, Greenberg discusses the board’s legal obligations, emphasizing their duty to exercise reasonable oversight over potential misconduct and failures of compliance with law and policy. The podcast also delves into the importance of integrating compliance programs into a company’s overall strategy and developing strong relationships with senior management, such as the chief legal officer or chief compliance officer. Listeners will learn the importance of finding the right committee to oversee compliance obligations and utilizing outside experts for insight and guidance. This conversation is essential for board members and executives who want to ensure accountability, initiate change, and drive organizational success. Don’t miss out on this informative and engaging episode of “The Role of the Board” episode.

Key Highlights:

  • Legal obligations and oversight for corporate boards
  • Importance of integrating compliance into the company culture
  • Board Oversight and Relationship Building with CCO
  • The Significance of Outside Perspectives for Boards

Notable Quotes:

“There is a strong obligation on boards to exercise reasonable oversight over all potential misconduct and failures of compliance law and policy should a reasonable board has known and taken steps…should that body have known and should it have done more than it did.”

“Boards principally should be asking tough questions and following up on those questions.”

“Anything that is not integrated into the real levers and machinery of the business will not be successful.”

“That chief compliance officer who knows the head of the audit committee or compliance committee or governance committee is much more able and comfortable picking up the phone and saying to the chair, Houston, we’ve got a problem.”

For more information go to Diligent.com

Categories
Everything Compliance

Episode 111 – The Duty of Oversight Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. Everything Compliance has been honored by W3 as the top talk show in podcasting. In this episode, we have the quintet of Jay Rosen, Karen Woody, Jonathan Marks, Tom Fox, and Matt Kelly, who review the recent Delaware Court of Chancery decision creating a duty of oversight for corporate officers. We conclude with our fan-fav Shout Outs and Rants section.

1. Matt Kelly sets the stage for our discussion and poses a question about what it all means for CCOs going forward. He rants to the State of Texas Legislature for creating a ‘Gold Card’ for physicians who have over 90% of all requested procedures covered by insurance. (1:30)

2. Jonathan Marks looks at the case from the internal audit and corporate governance perspectives. He rants about the Pentagon’s failure to shoot down a Chinese spy balloon.

3. Tom Fox shouts out to Hindenburg Research and all other short sellers who help uncover fraud, waste, and abuse.

4. Karen Woody looks at the case from a legal perspective and unpacks the court’s legal reasoning. Woody shouts to Amtrak and asks us to ‘ride the train more often.’ (11:08)

5. Jay Rosen reviews the changes wrought for CCOs over the past year, from CCO certification to the Delaware court decision. He shouts out to his twin daughters on their 15th birthday. (41:13)

The members of Everything Compliance are:

•       Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com

•       Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu

•       Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com

•       Jonathan Armstrong –is our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com

•       Jonathan Marks is Partner, Firm Practice Leader – Global Forensic, Compliance & Integrity Services at Baker Tilly. Marks can be reached at jonathan.marks@bakertilly.com

The host and producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Categories
Blog

The World Has Changed: McDonald’s and the Oversight Duty of Officers-Part 4

Over the past year, the role of the Chief Compliance Officer (CCO) has shifted in some very dramatic ways. The shifts have been from disparate groups and for a variety of reasons. Yet when put together, one can see a clear and bright line expanding and elevating the role of the CCO in the corporate world. From the announcement of the requirement for CCO Certification last year up to the announcement of the Delaware Court of Chancery’s decision in the case of In re McDonald’s Corporation Stockholder Derivative Litigation, it is now clear that the CCO has as wide a remit and responsibility as any corporate officer, other than the Chief Executive Officer (CEO) of a company.

I think the following announcements, changes in DOJ and SEC focus on Foreign Corrupt Practices Act (FCPA) enforcement and now a court case out of Delaware will change the role of the CCO forever.

CCO Certification

This shift began with the speech by Kenneth Polite, Assistant Attorney General for the Criminal Division speech on May 17, 2022, at Compliance Week 2022; announcing the new requirement for CCO Certification of compliance programs for companies going through a Deferred Prosecution Agreement (DPA). This CCO Certification required the Glencore CCO to certify Glencore compliance program “is reasonably designed to detect and prevent violations of the FCPA and other anti-corruption laws” at the conclusion of the DPA.  Who is the only other person required to make a similar certification at the conclusion of a DPA? The CEO of the company.

This means the CCO (and CEO) are certifying the entire compliance program meets the standards of not simply best practices but also all the enhanced requirements set out in Attachment C of any DPA. While many have focused on the question of whether this would bring criminal liability to a long-gone (or even current) CCO; this question now seems to miss the mark. Recall what Polite said when announcing the new requirement “It is the type of resource that compliance officials, including myself, have wanted for some time, because it makes it clear that you should and must have appropriate stature in corporate decision-making. It is intended to empower our compliance professionals to have the data, access, and voice within the organization to ensure you, and us, that your company has an ethical and compliance focused environment.”

Monaco Memo and Changes in the Corporate Enforcement Policy

The 2022 Monaco Memo and 2023 announced changes in the DOJ’s Corporate Enforcement Policy (CEP) are bookends of a series of changes which began as far back as October 2021 when Deputy Attorney General Lisa Monaco first announced the revisions which would eventually be incorporated into the Monaco Memo and CEP. In many ways the Monaco Memo laid out the sticks while the CEP provided the carrots for current FCPA and other white-collar enforcements.

The Monaco Memo directed prosecutors to evaluate a corporation’s compliance program as a factor in determining the appropriate terms for a corporate resolution; as prosecutors should now assess the adequacy and effectiveness of the corporation’s compliance program at two points in time: (1) the time of the offense; and (2) the time of a charging decision.  Kenneth Polite further defined the effectiveness of a compliance program at the time of the offense as “At the time of the misconduct and the disclosure, the company had an effective compliance program and system of internal accounting controls that allowed the identification of the misconduct and led to the company’s self-disclosure.” This is the first time the DOJ has said that it is the detection of wrongdoing which defines the effectiveness of a compliance program. This means a company’s investment in a compliance program, CCO and corporate compliance team are all elevated in importance. This prong does not simply get you a discount, but it can put you on the road to the default position of the DOJ for a FCPA violation, a declination.

Moreover, when you couple the ABB FCPA resolution to the Monaco Memo, you see the carrots which appeared in the new CEP. ABB was the first, three-time FCPA recidivist yet was able to get an excellent resolution with the government and a fine of only $315 million despite clear aggravating factors including corruption up to and in the corporate office. From the ABB resolution, you begin to see how the role of the CCO increases dramatically.

Duty of Oversight

These trends were brought together in the Delaware Court of Chancery’s decision in the case of McDonald’s Corporation and its former Executive Vice President and Global Chief People Officer of McDonald’s Corporation, David Fairhurst in the case In re McDonald’s Corporation Stockholder Derivative Litigation, where for the first time, a Delaware court formally recognized the oversight duties of officers of Delaware corporations.

As I have previously noted, one of the most interesting parts of the court’s opinion is that it draws from the US Sentencing Guidelines and their creation of the Chief Compliance Officer position as both reasons for the decision and as a guide to how the CCO position will be impacted by this ruling. The judge pointed to the US Sentencing Guidelines as a key basis for the creation of the original Caremark Doctrine. The court stated that a prime reason for “recognizing the board’s duty of oversight was the importance of having compliance systems in place so the corporation could receive credit under the federal Organizational Sentencing Guidelines.” However, the Guidelines did not stop at the board level. The US Sentencing Guidelines mandated the creation of the CCO position.

The court noted that the CCO has a broad scope within an organization. The court stated “Although the CEO and Chief Compliance Officer likely will have company-wide oversight portfolios, other officers generally have a more constrained area of authority.” The responsibilities of the CCO are wide and sometimes varied. Here the court stated, ““[s]pecific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program.” But the Delaware court also provided CCOs with some additional ammunition in their quest for true influence in a corporation by stating that “to carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.”

What Does It Mean?

This is the part where it gets interesting. Under the CCO Certification and the Delaware court’s ruling, it is the CCO who is 1B to the CEO’s 1A. The first step every company must make it to put the CCO in position to report up directly to the Board of Directors. It also means that the days of a CCO reporting to a Chief Legal Officer (CLO) or General Counsel (GC) are certainly numbered. The Delaware Court drove this point home by specifically naming  a CLO/GC as a person “responsible for legal oversight and for making a good faith effort to establish reasonable information systems to cover that area.” In other words, not responsible for the company wide remit such as the CCO.

The next area would come from the Hallmarks of an Effective Compliance Program as laid out in the FCPA Resource Guide, 2nd edition. In that document it states “In appraising a compliance program, DOJ and SEC also consider whether a company has assigned responsibility for the oversight and implementation of a company’s compliance program to one or more specific senior executives within an organization. Those individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively.” That means financial resources and head count.

I would add, a level of professionalism and expertise in compliance means more than simply ‘being a lawyer’. Under Chapter 9, Section 47 of the US Attorney’s Manual, the DOJ is mandated to evaluate “The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk.”  Finally, the DOJ will also evaluate other factors such as CCO compensataion as commiserate with the position of being second in importance to the CEO.

The Delaware Court decision creating the Duty of Oversight was not designed to increase the scope, reach and importance of a CCO but the more I look at the case I believe that will be its most lasting legacy. When you look back over the past 12 months, you see that the CCO has more stature and responsibility than it has ever had before.

With a converse nod to Uncle Ben from Spiderman, with great responsibility must come great power.

Categories
Blog

The World Has Changed: McDonald’s and the Oversight Duty of Officers-Part 2

This week, we are exploring a shift in the duties of care owed by corporate officers to the corporation. It is coming through the Chancery Court of Delaware in the case of McDonald’s Corporation and its former Executive Vice President and Global Chief People Officer of McDonald’s Corporation, David Fairhurst and his part in the creation of an absolute toxic atmosphere of sexual harassment at the very highest levels of the organization. It is styled In re McDonald’s Corporation Stockholder Derivative Litigation, and the court formally recognizes the oversight duties of officers of Delaware corporations. Today we consider the legal reasoning in the opinion.

Yesterday we began a discussion on the legal reasoning. Most compliance practitioners point to the 1996 Caremark decision as the one which set a Board’s duty around compliance. However, there has long been a duty of oversight in Delaware law, for Boards of Directors since at least the 1960s but for officers as well. In 1963, the Delaware Supreme Court established a Board duty when red flags are brought to its attention in the case of Graham v. Allis-Chalmers Manufacturing Co., which held that directors have an obligation to respond if information reached them, but created no affirmative duty to set up an information system to learn about issues within the company. A limited duty of oversight arose only if the directors had already learned enough to suspect that there were issues that needed overseeing. This was termed a “Red-Flags Claim” or a “Red-Flags Theory” of liability. This is also known as “Prong-One” Board liability.

Caremark created that affirmative duty for Board’s to engage in oversight. The Caremark court formulated a “more functional terminology, that species of claim can be called an “Information-Systems Claim” or an “Information- Systems Theory” of Board liability, also known as “Prong-Two” Board liability. In this type of case, a plaintiff typically pleads a prong-two Caremark claim by alleging that the board’s information systems generated red flags indicating wrongdoing and that the directors failed to respond. In McDonald’s Corp we now see both Prong-One and Prong-Two liability expanded to officers.

The Court of Chancery listed three key sources for expanding this duty from Boards to officers.

  1. Management runs a company. While Board’s oversee management, “most corporations are managed ‘under the direction of’ the board.” Moreover, “In the typical corporation, it is the officers who are charged with, and responsible for, running the business of the corporation.” Finally, “Because of this reality, “[m]onitoring and strategy are not exclusively the dominion of the board. Actually, nondirector officers may have a greater capacity to make oversight and strategic decisions on a day-to-day basis.”
  2. Boards depend on information from management. Here the court noted that “For relevant and timely information to reach the board, the officers who serve as the day-to-day managers of the entity must make a good faith effort to ensure that information systems are in place so that the officers receive relevant and timely information that they can provide to the directors.” From this, “it follows that officers must have a duty to make a good faith effort to establish an information system as a predicate to fulfilling their obligation to provide information to the board.”
  3. Compliance systems required under the USSG. The US Sentencing Guidelines (USSG) mandate that “[h]igh- level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline.” This requirement includes that “Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.” The USSG goes on to define an organization’s “high-level personnel” as “individuals who have substantial control over the organization or who have a substantial role in the making of policy within the organization,” which includes “a director; an executive officer; an individual in charge of a major business or functional unit of the organization, such as sales, administration, or finance; and an individual with a substantial ownership interest.” This has the added benefit of putting compliance professionals directly in the path of liability created in this decision.

Interestingly since the Delaware courts had not explicitly expanded the duty of oversight to offices, the court looked at some bankruptcy court decisions for guidance. Here the Delaware court found, there were both Prong-One Red Flag claims and Prong-Two Information Systems claims available against officers under certain circumstances. The Delaware court concluded this section with the following “All of the foregoing authorities start from the premise that officers owe the same duties as directors. Because directors owe a duty of oversight, these authorities reason that officers owe a duty of oversight. That logic is sound.”

In a section I found very interesting, the Delaware court noted that officers have fiduciary duties to the corporation akin to those duties agents owe their principals. Here the court pointed to a prior Delaware decision, which “recognized a standard of conduct at the officer level that included a duty to act carefully, loyally, and in good faith to gather and provide information, with the standard of liability for the care dimension of the duty measured by gross negligence. By recognizing the duty to provide information, Hampshire lays the foundation for an officer-level duty consistent with an Information-Systems Theory.” The Court also found there is officer accountability to the Board which supports this extension of the duty of oversight to officer.

With this legal underpinning in place, please join me tomorrow to explore how this decision will impact Chief Compliance Officers.