Tag: Caremark Doctrine

Categories
All Things Investigations

All Things Investigations: Episode 38 – CCO Certification – A Better Approach with Kevin Abikoff

In this episode of All Things Investigation, Tom Fox and guest Kevin Abikoff discuss the Department of Justice’s introduction of a CCO certification in the wake of FCPA violations. Kevin offers his unique perspective on this issue; their conversation also explores broader issues of corporate governance and the role of the Board of Directors.

Kevin Abikoff is a Partner and Deputy Chair at Hughes Hubbard & Reed. He is a recognized authority in corporate governance and compliance. 

You’ll hear Tom and Kevin discuss:

  • Kevin questions the necessity of the CCO certification, suggesting it addresses a problem that doesn’t exist, given the absence of complaints from the Department of Justice about dishonesty during monitorships.
  • A more practical approach, Kevin posits, is a certification 12 to 24 months after a monitorship ends to empower CCOs during periods of vulnerability truly.
  • Measuring compliance effectiveness is subjective and may be void of vagueness in a legal context.
  • In the broader realm of corporate governance, the board has a pivotal role in overseeing compliance. Parallels to the Caremark duty and Delaware law are drawn.
  • Kevin raises concerns about the burden on CCOs to assess program effectiveness retrospectively, especially considering the dynamic nature of compliance programs over time.
  • Boards should take responsibility for compliance certifications and should sign off on these certifications, mirroring similar practices in financial reporting.
  • Innovation within compliance may be stymied if CCOs fear that enhancing a program might be used against them in the future, Kevin points out.

KEY QUOTES:

“I’ve just never heard, especially from the context of Chief Compliance Officer, that the DOJ feels like they’re being lied to. If that’s not the problem they’re trying to solve, I think the solution they have paved is, again, a solution in search of a problem that doesn’t exist…” – Kevin Abikoff

“If you’re going to have a certification and you want to empower the chief compliance officer, have the certification twelve months, 24 months after the conclusion of the monitorship and have the CCO certify that they continue to believe that the policies, procedures, things that have been put in place, continue to be in place.” – Kevin Abikoff

“Now what you fail to investigate can kill you.” – Kevin Abikoff

Resources:

Hughes Hubbard & Reed website 

Kevin Abikoff on LinkedIn

Categories
Innovation in Compliance

Building a Stronger Culture of Compliance Through Targeted and Effective Training: Part 5 – The Role of the Board

Welcome to a special 5 part podcast series on building a stronger culture of compliance through targeted and effective training, sponsored by Diligent. Over this series, I will visit with Kunal Agrawal, Director of Customer Success at Diligent; Kevin McCoy, Customer Success Manager at Diligent; Jessica Czeczuga, Director, Compliance and Ethics at Diligent; Andrew Rincón, Client Director at Diligent; and David Greenberg, former CEO and Special Advisor at LRN and Director at International Seaways. Over this series, we will consider the importance of ongoing communications, the value of targeted training, training third parties, and the role of the Board of Directors. In this concluding Part 5, we consider the role of the Board of Directors in a compliance program with David Greenberg.

In this episode, Greenberg discusses the board’s legal obligations, emphasizing their duty to exercise reasonable oversight over potential misconduct and failures of compliance with law and policy. The podcast also delves into the importance of integrating compliance programs into a company’s overall strategy and developing strong relationships with senior management, such as the chief legal officer or chief compliance officer. Listeners will learn the importance of finding the right committee to oversee compliance obligations and utilizing outside experts for insight and guidance. This conversation is essential for board members and executives who want to ensure accountability, initiate change, and drive organizational success. Don’t miss out on this informative and engaging episode of “The Role of the Board” episode.

Key Highlights:

  • Legal obligations and oversight for corporate boards
  • Importance of integrating compliance into the company culture
  • Board Oversight and Relationship Building with CCO
  • The Significance of Outside Perspectives for Boards

Notable Quotes:

“There is a strong obligation on boards to exercise reasonable oversight over all potential misconduct and failures of compliance law and policy should a reasonable board has known and taken steps…should that body have known and should it have done more than it did.”

“Boards principally should be asking tough questions and following up on those questions.”

“Anything that is not integrated into the real levers and machinery of the business will not be successful.”

“That chief compliance officer who knows the head of the audit committee or compliance committee or governance committee is much more able and comfortable picking up the phone and saying to the chair, Houston, we’ve got a problem.”

For more information go to Diligent.com

Categories
Everything Compliance

Episode 111 – The Duty of Oversight Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. Everything Compliance has been honored by W3 as the top talk show in podcasting. In this episode, we have the quintet of Jay Rosen, Karen Woody, Jonathan Marks, Tom Fox, and Matt Kelly, who review the recent Delaware Court of Chancery decision creating a duty of oversight for corporate officers. We conclude with our fan-fav Shout Outs and Rants section.

1. Matt Kelly sets the stage for our discussion and poses a question about what it all means for CCOs going forward. He rants to the State of Texas Legislature for creating a ‘Gold Card’ for physicians who have over 90% of all requested procedures covered by insurance. (1:30)

2. Jonathan Marks looks at the case from the internal audit and corporate governance perspectives. He rants about the Pentagon’s failure to shoot down a Chinese spy balloon.

3. Tom Fox shouts out to Hindenburg Research and all other short sellers who help uncover fraud, waste, and abuse.

4. Karen Woody looks at the case from a legal perspective and unpacks the court’s legal reasoning. Woody shouts to Amtrak and asks us to ‘ride the train more often.’ (11:08)

5. Jay Rosen reviews the changes wrought for CCOs over the past year, from CCO certification to the Delaware court decision. He shouts out to his twin daughters on their 15th birthday. (41:13)

The members of Everything Compliance are:

•       Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com

•       Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu

•       Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com

•       Jonathan Armstrong –is our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com

•       Jonathan Marks is Partner, Firm Practice Leader – Global Forensic, Compliance & Integrity Services at Baker Tilly. Marks can be reached at jonathan.marks@bakertilly.com

The host and producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Categories
Blog

The World Has Changed: McDonald’s and the Oversight Duty of Officers-Part 4

Over the past year, the role of the Chief Compliance Officer (CCO) has shifted in some very dramatic ways. The shifts have been from disparate groups and for a variety of reasons. Yet when put together, one can see a clear and bright line expanding and elevating the role of the CCO in the corporate world. From the announcement of the requirement for CCO Certification last year up to the announcement of the Delaware Court of Chancery’s decision in the case of In re McDonald’s Corporation Stockholder Derivative Litigation, it is now clear that the CCO has as wide a remit and responsibility as any corporate officer, other than the Chief Executive Officer (CEO) of a company.

I think the following announcements, changes in DOJ and SEC focus on Foreign Corrupt Practices Act (FCPA) enforcement and now a court case out of Delaware will change the role of the CCO forever.

CCO Certification

This shift began with the speech by Kenneth Polite, Assistant Attorney General for the Criminal Division speech on May 17, 2022, at Compliance Week 2022; announcing the new requirement for CCO Certification of compliance programs for companies going through a Deferred Prosecution Agreement (DPA). This CCO Certification required the Glencore CCO to certify Glencore compliance program “is reasonably designed to detect and prevent violations of the FCPA and other anti-corruption laws” at the conclusion of the DPA.  Who is the only other person required to make a similar certification at the conclusion of a DPA? The CEO of the company.

This means the CCO (and CEO) are certifying the entire compliance program meets the standards of not simply best practices but also all the enhanced requirements set out in Attachment C of any DPA. While many have focused on the question of whether this would bring criminal liability to a long-gone (or even current) CCO; this question now seems to miss the mark. Recall what Polite said when announcing the new requirement “It is the type of resource that compliance officials, including myself, have wanted for some time, because it makes it clear that you should and must have appropriate stature in corporate decision-making. It is intended to empower our compliance professionals to have the data, access, and voice within the organization to ensure you, and us, that your company has an ethical and compliance focused environment.”

Monaco Memo and Changes in the Corporate Enforcement Policy

The 2022 Monaco Memo and 2023 announced changes in the DOJ’s Corporate Enforcement Policy (CEP) are bookends of a series of changes which began as far back as October 2021 when Deputy Attorney General Lisa Monaco first announced the revisions which would eventually be incorporated into the Monaco Memo and CEP. In many ways the Monaco Memo laid out the sticks while the CEP provided the carrots for current FCPA and other white-collar enforcements.

The Monaco Memo directed prosecutors to evaluate a corporation’s compliance program as a factor in determining the appropriate terms for a corporate resolution; as prosecutors should now assess the adequacy and effectiveness of the corporation’s compliance program at two points in time: (1) the time of the offense; and (2) the time of a charging decision.  Kenneth Polite further defined the effectiveness of a compliance program at the time of the offense as “At the time of the misconduct and the disclosure, the company had an effective compliance program and system of internal accounting controls that allowed the identification of the misconduct and led to the company’s self-disclosure.” This is the first time the DOJ has said that it is the detection of wrongdoing which defines the effectiveness of a compliance program. This means a company’s investment in a compliance program, CCO and corporate compliance team are all elevated in importance. This prong does not simply get you a discount, but it can put you on the road to the default position of the DOJ for a FCPA violation, a declination.

Moreover, when you couple the ABB FCPA resolution to the Monaco Memo, you see the carrots which appeared in the new CEP. ABB was the first, three-time FCPA recidivist yet was able to get an excellent resolution with the government and a fine of only $315 million despite clear aggravating factors including corruption up to and in the corporate office. From the ABB resolution, you begin to see how the role of the CCO increases dramatically.

Duty of Oversight

These trends were brought together in the Delaware Court of Chancery’s decision in the case of McDonald’s Corporation and its former Executive Vice President and Global Chief People Officer of McDonald’s Corporation, David Fairhurst in the case In re McDonald’s Corporation Stockholder Derivative Litigation, where for the first time, a Delaware court formally recognized the oversight duties of officers of Delaware corporations.

As I have previously noted, one of the most interesting parts of the court’s opinion is that it draws from the US Sentencing Guidelines and their creation of the Chief Compliance Officer position as both reasons for the decision and as a guide to how the CCO position will be impacted by this ruling. The judge pointed to the US Sentencing Guidelines as a key basis for the creation of the original Caremark Doctrine. The court stated that a prime reason for “recognizing the board’s duty of oversight was the importance of having compliance systems in place so the corporation could receive credit under the federal Organizational Sentencing Guidelines.” However, the Guidelines did not stop at the board level. The US Sentencing Guidelines mandated the creation of the CCO position.

The court noted that the CCO has a broad scope within an organization. The court stated “Although the CEO and Chief Compliance Officer likely will have company-wide oversight portfolios, other officers generally have a more constrained area of authority.” The responsibilities of the CCO are wide and sometimes varied. Here the court stated, ““[s]pecific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program.” But the Delaware court also provided CCOs with some additional ammunition in their quest for true influence in a corporation by stating that “to carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.”

What Does It Mean?

This is the part where it gets interesting. Under the CCO Certification and the Delaware court’s ruling, it is the CCO who is 1B to the CEO’s 1A. The first step every company must make it to put the CCO in position to report up directly to the Board of Directors. It also means that the days of a CCO reporting to a Chief Legal Officer (CLO) or General Counsel (GC) are certainly numbered. The Delaware Court drove this point home by specifically naming  a CLO/GC as a person “responsible for legal oversight and for making a good faith effort to establish reasonable information systems to cover that area.” In other words, not responsible for the company wide remit such as the CCO.

The next area would come from the Hallmarks of an Effective Compliance Program as laid out in the FCPA Resource Guide, 2nd edition. In that document it states “In appraising a compliance program, DOJ and SEC also consider whether a company has assigned responsibility for the oversight and implementation of a company’s compliance program to one or more specific senior executives within an organization. Those individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively.” That means financial resources and head count.

I would add, a level of professionalism and expertise in compliance means more than simply ‘being a lawyer’. Under Chapter 9, Section 47 of the US Attorney’s Manual, the DOJ is mandated to evaluate “The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk.”  Finally, the DOJ will also evaluate other factors such as CCO compensataion as commiserate with the position of being second in importance to the CEO.

The Delaware Court decision creating the Duty of Oversight was not designed to increase the scope, reach and importance of a CCO but the more I look at the case I believe that will be its most lasting legacy. When you look back over the past 12 months, you see that the CCO has more stature and responsibility than it has ever had before.

With a converse nod to Uncle Ben from Spiderman, with great responsibility must come great power.

Categories
Blog

The World Has Changed: McDonald’s and the Oversight Duty of Officers-Part 2

This week, we are exploring a shift in the duties of care owed by corporate officers to the corporation. It is coming through the Chancery Court of Delaware in the case of McDonald’s Corporation and its former Executive Vice President and Global Chief People Officer of McDonald’s Corporation, David Fairhurst and his part in the creation of an absolute toxic atmosphere of sexual harassment at the very highest levels of the organization. It is styled In re McDonald’s Corporation Stockholder Derivative Litigation, and the court formally recognizes the oversight duties of officers of Delaware corporations. Today we consider the legal reasoning in the opinion.

Yesterday we began a discussion on the legal reasoning. Most compliance practitioners point to the 1996 Caremark decision as the one which set a Board’s duty around compliance. However, there has long been a duty of oversight in Delaware law, for Boards of Directors since at least the 1960s but for officers as well. In 1963, the Delaware Supreme Court established a Board duty when red flags are brought to its attention in the case of Graham v. Allis-Chalmers Manufacturing Co., which held that directors have an obligation to respond if information reached them, but created no affirmative duty to set up an information system to learn about issues within the company. A limited duty of oversight arose only if the directors had already learned enough to suspect that there were issues that needed overseeing. This was termed a “Red-Flags Claim” or a “Red-Flags Theory” of liability. This is also known as “Prong-One” Board liability.

Caremark created that affirmative duty for Board’s to engage in oversight. The Caremark court formulated a “more functional terminology, that species of claim can be called an “Information-Systems Claim” or an “Information- Systems Theory” of Board liability, also known as “Prong-Two” Board liability. In this type of case, a plaintiff typically pleads a prong-two Caremark claim by alleging that the board’s information systems generated red flags indicating wrongdoing and that the directors failed to respond. In McDonald’s Corp we now see both Prong-One and Prong-Two liability expanded to officers.

The Court of Chancery listed three key sources for expanding this duty from Boards to officers.

  1. Management runs a company. While Board’s oversee management, “most corporations are managed ‘under the direction of’ the board.” Moreover, “In the typical corporation, it is the officers who are charged with, and responsible for, running the business of the corporation.” Finally, “Because of this reality, “[m]onitoring and strategy are not exclusively the dominion of the board. Actually, nondirector officers may have a greater capacity to make oversight and strategic decisions on a day-to-day basis.”
  2. Boards depend on information from management. Here the court noted that “For relevant and timely information to reach the board, the officers who serve as the day-to-day managers of the entity must make a good faith effort to ensure that information systems are in place so that the officers receive relevant and timely information that they can provide to the directors.” From this, “it follows that officers must have a duty to make a good faith effort to establish an information system as a predicate to fulfilling their obligation to provide information to the board.”
  3. Compliance systems required under the USSG. The US Sentencing Guidelines (USSG) mandate that “[h]igh- level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline.” This requirement includes that “Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.” The USSG goes on to define an organization’s “high-level personnel” as “individuals who have substantial control over the organization or who have a substantial role in the making of policy within the organization,” which includes “a director; an executive officer; an individual in charge of a major business or functional unit of the organization, such as sales, administration, or finance; and an individual with a substantial ownership interest.” This has the added benefit of putting compliance professionals directly in the path of liability created in this decision.

Interestingly since the Delaware courts had not explicitly expanded the duty of oversight to offices, the court looked at some bankruptcy court decisions for guidance. Here the Delaware court found, there were both Prong-One Red Flag claims and Prong-Two Information Systems claims available against officers under certain circumstances. The Delaware court concluded this section with the following “All of the foregoing authorities start from the premise that officers owe the same duties as directors. Because directors owe a duty of oversight, these authorities reason that officers owe a duty of oversight. That logic is sound.”

In a section I found very interesting, the Delaware court noted that officers have fiduciary duties to the corporation akin to those duties agents owe their principals. Here the court pointed to a prior Delaware decision, which “recognized a standard of conduct at the officer level that included a duty to act carefully, loyally, and in good faith to gather and provide information, with the standard of liability for the care dimension of the duty measured by gross negligence. By recognizing the duty to provide information, Hampshire lays the foundation for an officer-level duty consistent with an Information-Systems Theory.” The Court also found there is officer accountability to the Board which supports this extension of the duty of oversight to officer.

With this legal underpinning in place, please join me tomorrow to explore how this decision will impact Chief Compliance Officers.

Categories
FCPA Compliance Report

The EC Gang on the Monaco Doctrine

In this special 5 part podcast series, I am deeply diving into the Monaco Memo and analyzing it from various angles. In this episode of the FCPA Compliance Report, we have the Award-Winning Everything Compliance quartet of Jonathan Marks, Jonathan Armstrong, Karen Woody, and Tom Fox on the Monaco Memo.

1. Tom Fox looks at the Monaco Memo through the monitorship language and answers a listener’s questions about compliance programs under the Monaco Memo.

2. Karen Woody reviews the Monaco Memo, the self-disclosure angle, and investigatory considerations and ponders the role of defense counsel going forward.

3. Jonathan Marks also looks at investigatory issues under the Monaco Memo, the role of the Board of Directors, and the role of the forensic auditor under the Monaco Memo.

4. Jonathan Armstrong’s self-disclosure from a UK angle joins Karen Woody in questioning how defense counsel should move forward.

Resources

Tom 5-Part blog post series in the FCPA Compliance and Ethics Blog

1.     A Jolt for Compliance

2.     Timely Self-Disclosure

3.     Corporate Compliance Programs

4.     Monitors

5.     The Heat is On

Monaco Memo

Categories
The Woody Report

The Solar Winds Decision

Welcome to The Woody Report, where Washington & Lee School of Law Associate Professor Karen Woody and host Tom Fox discuss issues on white-collar crime, compliance issues, international corruption, securities, and accounting fraud, and internal corporate investigations. From current events to topical issues to academic research and thought leadership, Karen Woody helps lead the discussion of these issues on the new and exciting podcast. In this episode, Tom and Karen explore the recently announced decision in the Solar Winds shareholder claim based upon the Caremark Doctrine. Some of the issues we explore include:

  1. Background facts and court rationale.
  2. What is ‘positive law’?
  3. Can any cyberbreach claim be the basis of a Caremark Claim?
  4. Why is victim v. perpetrator status critical in a Caremark Claim?
  5. What is the bad faith standard in Caremark Claims?
  6. What does this decision portend for Caremark Claims going forward?

Resources

Karen Woody on LinkedIn

Karen Woody at Washington & Lee, School of Law

Categories
Blog

Impact of the Federal Sentencing Guidelines at 30

The Federal Sentencing Guidelines for Organizations (FSGO) by the US Sentencing Commission (USSC) turn 30 this year. For compliance officers, this was perhaps the most significant government release. It did not create the compliance profession, but it certainly put compliance professionals in the forefront of the design, creation and implementation of corporate compliance programs. The FSGO also laid out for the first time, the government’s expectations of what a well-designed compliance program should look like in practice. This led to a dramatic increase in compliance professionals. Earnie Broughton, writing in the ECI blog, said, “In many ways the promulgation of the guidelines was a defining moment in our collective journey in understanding and realizing the benefits of good corporate character.”

In 2021, the Bureau of Labor Statistics reported 291,000 compliance officers in the US. But more than driving the compliance profession and a concomitant increase in compliance professionals the FSGO has in many ways shaped the structure of the 21st century corporation and dramatically improved corporate governance. In these ways, it laid the environmental, social and governance (ESG) foundations. Last month the US Sentencing Commission (USSC) released a summary of the FSGO and how it helped drives these changes, “The Organizational Sentencing Guidelines: Thirty Years of Innovation(the History).

Regarding the FSGO themselves, they take a “carrot and stick” approach to the sentencing scheme that bases the fine range on the culpability of the organization. The guidelines instruct courts to determine culpability by considering six factors. The four aggravating factors, “that increase the ultimate punishment of an organization are: (i) the involvement in or tolerance of criminal activity; (ii) the prior history of the organization; (iii) the violation of an order; and (iv) the obstruction of justice.” The two mitigating factors are: “(i) the existence of an effective compliance and ethics program; and (ii) self-reporting, cooperation, or acceptance of responsibility.” Rather amazingly, the History reported that only 1.5% overall of all organizations sentenced “received the five-point culpability score reduction for disclosing the offense to appropriate authorities prior to a government investigation in addition to their  full cooperation and acceptance of responsibility.” Obviously, there is still room for improvement.

Rather unsurprisingly, the Department of Justice (DOJ) drew heavily on the FSGO for two key documents which laid out the foundations of an effective compliance program. The first was the 2012 FCPA Resource Guide (developed and released jointly with the Securities and Exchange Commission (SEC)) and its update, the 2021 FCPA Resource Guide, 2nd edition. The second was the Evaluation of Corporate Compliance Programs, initially released in 2019, and the 2020 Update to the Evaluation of Corporate Compliance Programs. The History noted that the Evaluation and its update, “was first developed in 2017 under the leadership of the DOJ’s first “corporate compliance expert”” and “provides greater clarity on some key issues prosecutors consider when assessing the adequacy of corporate compliance programs during charging and settlement decisions, by laying out “fundamental questions” that prosecutors should ask about compliance programs:

  • Is the corporation’s compliance program well designed. There were three key questions for consideration:
  • Is the program being applied earnestly and in good faith?
  • In other words, is the program being implemented effectively?
  • Does the corporation’s compliance program work in practice?

The Evaluation and its Update then proceed to describe “in detail the topics that prosecutors should consider when answering those questions.”Demonstrating its influence far beyond the DOJ, SEC and other government agencies, the Delaware court decision in Caremark demonstrates a key effect in the transformation of compliance programs, policies and procedures in the corporate world. The Caremark decision was a departure from prior Delaware case law which said that a board did not have to look for wrongdoing but only had to investigate if informed about it. That was from an old 1963 decision and the Court relied on the 1992 US Sentencing Guidelines to note how such views were no longer accepted. Board obligations had changed by 1996 with the following, “obligation to be reasonably informed concerning the corporation, without assuring themselves that information and reporting systems exist in the organization that are reasonably designed to provide to senior management and to the board itself timely, accurate information sufficient to allow management and the board, each within its scope, to reach informed judgments concerning both the corporation’s compliance with law and its business performance.”

Caremark considered the proposed settlement of a derivative suit seeking to impose personal liability on members of the board of directors. The History noted, “the court considered whether director liability could stem from unconsidered action by the board. After observing that “[t]he Guidelines offer powerful incentives for corporations today to have in place compliance programs to detect violations of law, promptly to report violations to appropriate public officials when discovered, and to take prompt, voluntary remedial efforts,” the court concluded that “[a]ny rational person attempting in good faith to meet an organizational governance responsibility would be bound to take into account [the organizational guidelines].”

This meant that a director has a good faith duty to see that the organization establishes adequate information and reporting systems. i.e., a compliance program. No doubt due to the significance of the Delaware courts, “following the Caremark decision, federal and state courts recognized the importance of compliance programs in the context of shareholder derivative suits.” Caremark  and its progeny are now the law of the land regarding corporate governance and compliance across most states in the US.

All of these changes and much more point to the far- and wide-ranging impact of the FSGO.  “What began as an “experiment” to encourage legal compliance and foster more ethical business practices is now widely accepted as a success.” Moreover, “evidence suggests that compliance and ethics programs implemented using the guideline criteria produce positive effects on an organization’s behavior” and that the FSGO has had a significant impact on public and private sector actors.” Finally, the History concludes that the influence of FSGO “is now spreading around the globe, suggesting that the hallmarks of an effective compliance and ethics program have universal appeal.”

Categories
Blog

A Caremark Retrospective: Part III – Lessons for Today

Over this short blog post series I have been exploring the original Caremark and Stone v. Ritter decisions from the Delaware Supreme Court. The former decision was released in 1996 and the latter, some ten years later in 2006. The original Caremark decision laid the foundation for the modern obligations of Boards of Directors in oversight of compliance in general and a company’s risk management profile in particular. Stone v. Ritter confirmed the ongoing vitality of the original Caremark decision. In Part 1, we reviewed the underlying facts of the Caremark decision and in Part II, we considered the court holdings and rationales in Caremark and Stone v. Ritter. Today, I want to review what those decisions mean for today’s Board of Directors, Chief Compliance Officer (CCO) and compliance professional.

Bribery, Fraud and Corruption

One of the things that struck me about both decisions was how timely the underlying facts were. In Caremark, a 1996 decision with the corruption going back into the 1980s, the case involved a company which provided patient care and managed care services and a substantial part of the revenues generated by the company was derived through third party payments, insurers, and Medicare and Medicaid reimbursement programs. Medicare and Medicaid payments were governed under the Anti-Referral Payments Law (“ARPL”) which prohibited health care providers (HCPs) from paying any form of remuneration (i.e., kickbacks) to physicians to induce them to refer Medicare or Medicaid patients to Caremark products or services.

To get around this prescription, Caremark entered various contracts for services (e.g., consultation agreements and research grants) with physicians at least some of whom prescribed or recommended services or products that Caremark provided to Medicare recipients and other patients. Moreover, Caremark had a decentralized governance and operational structure which allowed wide latitude to the business units to enter into such agreements without corporate or any centralized compliance or legal oversight. The results were about what you would expect.

In Stone v. Ritter, the AmSouth bank was induced to open a custodial account for two investment advisers who induced some 40 investors into a fraudulent investment, involving the construction of medical clinics overseas, by misrepresenting the nature and the risk of that investment. The bank provided custodial accounts for the investors and to distribute monthly interest payments to each account upon receipt of a check from the investment advisors. The scheme went on for about two years before the sapped investors stopped getting paid and began to contact the bank.

Federal bank examiners examined AmSouth’s compliance with its reporting and other obligations under the Bank Secrecy Act (BSA). AmSouth “entered into a Deferred Prosecution Agreement (“DPA”) in which AmSouth agreed: first, to the filing by USAO of a one-count Information in the United States District Court for the Southern District of Mississippi, charging AmSouth with failing to file SARs; and second, to pay a $40 million fine. In conjunction with the DPA, the USAO issued a “Statement of Facts,” which noted that although in 2000 “at least one” AmSouth employee suspected that Hamric was involved in a possibly illegal scheme, AmSouth failed to file SARs in a timely manner.” From my reading of these facts, it appears that there was ample evidence an illegal scheme was ongoing, and a Suspicious Activity Report (SAR) should have been filed. As with the underlying facts of Caremark, the underlying facts of Stone v. Ritter are still the basis for enforcement actions today.

Caremark – The Evolution of Board Duties

To create the modern Caremark Doctrine the Delaware Supreme Court had to overcome prior existing Delaware law regarding the board’s obligations. That decision from 1963, is known as  Allis-Chalmers, addressed the question of potential liability of board members for losses experienced by the corporation as a result of the corporation having violated US antitrust laws. There was no claim in that case that the directors knew about the behavior of subordinate employees of the corporation that had resulted in the liability.

Rather,  the claim asserted was that the directors ought to have known of it and if they had known they would have been under a duty to bring the corporation into compliance with the law and save the corporation from the loss. In Allis-Chalmers the Court found “absent cause for suspicion there is no duty upon the directors to install and operate a corporate system of espionage to ferret out wrongdoing which they have no reason to suspect exists.” As there were no grounds for suspicion in by the board, the directors were blamelessly unaware of the conduct leading to the corporate liability.

The Court found that the obligations for a board had evolved significantly from 1963, most notably in three areas. First, in the area of corporate takeovers, the court viewed “the seriousness with which the corporation law views the role of the corporate board.” The second area was the recognition as an “essential predicate for satisfaction of the board’s supervisory and monitoring role under Section 141 of the Delaware General Corporation Law.” The third and final change was the 1992 US Sentencing Guides and the “potential impact of the federal organizational sentencing guidelines on any business organization. Any rational person attempting in good faith to meet an organizational governance responsibility would be bound to take into account this development and the enhanced penalties and the opportunities for reduced sanctions that it offers.”

To effectuate this change, the court stated “I am of the view that a director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.” Moreover, “it is important that the board exercise a good faith judgment that the corporation’s information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner as a matter of ordinary operations, so that it may satisfy its responsibility.”

Conclusion

It is this final language which forms the basis of the modern Caremark Doctrine. There has been expansion of the Doctrine from this basic language over the past 25 years. Hopefully every board is aware of their obligations and are actually meeting them. However, every CCO and compliance professional needs to make the board aware of its Caremark obligations and then educate them on how to fulfill those obligations.

Categories
Blog

A Caremark Retrospective: Part II – Holdings and Rationale

Today, I continue my exploration of two of the most significant cases regarding Boards of Directors and corporate compliance; the Caremark and Stone v. Ritter decisions. The former decision was released in 1996 and the latter, some ten years later in 2006. The original Caremark decision laid the foundation for the modern obligations of Boards of Directors in oversight of compliance in general and a company’s risk management profile in particular. Stone v. Ritter confirmed the ongoing vitality of the original Caremark decision. Yesterday, in Part 1, we reviewed the underlying facts of the Caremark decision. Today, in Part II, we consider the holdings and the legal reasoning. Perhaps the most interesting thing about both cases is that even though the Court in Caremark delineated the doctrine and in Stone v. Ritter confirmed it, both Courts ruled against the moving parties and for the defendant corporate Boards.

Caremark

In Caremark, the Court began by noting that director liability for a breach of the duty to exercise appropriate attention can come up in two distinct contexts. In the first, liability can occur from a board decision that results “in a loss because that decision was ill advised or “negligent””. In the second, board liability for a loss “may be said to arise from an unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss.”

However, any decision is tempered by the following, what “may not widely be understood by courts or commentators who are not often required to face such questions, is that compliance with a director’s duty of care can never appropriately be judicially determined by reference to the content of the board decision that leads to a corporate loss, apart from consideration of the good faith or rationality of the process employed.” In other words, if there is a process or protocol in place a board cannot be said to have violated its duty, even with “degrees of wrong extending through “stupid” to “egregious” or “irrational”.” To do so would abrogate the Business Judgment Rule.

The Caremark court went so far as to cite Learned Hand for the following, “They are the general advisors of the business and if they faithfully give such ability as they have to their charge, it would not be lawful to hold them liable. Must a director guarantee that his judgment is good? Can a shareholder call him to account for deficiencies that their votes assured him did not disqualify him for his office? While he may not have been the Cromwell for that Civil War, Andrews did not engage to play any such role.”

However, there is a second type of liability which boards can run afoul of under Caremark, and it is the one which seems to the liability under which most boards are found wanting in successful Caremark claims. It is when “director liability for inattention is theoretically possible entail  circumstances in which a loss eventuates not from a decision but, from unconsidered inaction.” This was a departure from prior Delaware case law which said that a board did not have to look for wrongdoing but only had to investigate if informed about it. That was from an old 1963 decision and the Court relied on the 1992 US Sentencing Guidelines to note how such views were no longer accepted. Board obligations had changed by 1996 with the following, “obligation to be reasonably informed concerning the corporation, without assuring themselves that information and reporting systems exist in the organization that are reasonably designed to provide to senior management and to the board itself timely, accurate information sufficient to allow management and the board, each within its scope, to reach informed judgments concerning both the corporation’s compliance with law and its business performance.”

Stone v. Ritter

This case involved money laundering and a bank’s failure to report suspicious activity which led to an employee running a Ponzi scheme. The bank in question was fined over $40 million. Once again, the plaintiffs were not successful in their claims. The Stone v. Ritter court approved the Caremark Doctrine and went on to further specify thatCaremark required a “lack of good faith as a “necessary condition to liability”.” It is because the Court was not focusing simply on the results but in the board’s overall conduct “of the fundamental duty of loyalty.” It follows that because a showing of bad faith conduct, “is essential to establish director oversight liability, the fiduciary duty violated by that conduct is the duty of loyalty.”

Interestingly, the Court added what it termed as “two additional doctrinal consequences.” First, although good faith is a “part of a “triad” of fiduciary duties that includes the duties of care and loyalty, the obligation to act in good faith does not establish an independent fiduciary duty that stands on the same footing as the duties of care and loyalty.” Violations of the duties of care and loyalty may result in direct liability, whereas a failure to act in good faith may do so, but it would only result in indirect liability. The second consequence is that the “duty of loyalty is not limited to cases involving a financial or other cognizable fiduciary conflict of interest. It also encompasses cases where the fiduciary fails to act in good faith. As the Court of Chancery aptly put it in Guttman, “[a] director cannot act loyally towards the corporation unless she acts in the good faith belief that her actions are in the corporation’s best interest.””

The Stone v. Ritter court ended by further refining the Caremark Doctrine to define the necessary conditions for director liability under Caremark. They are:

  1. Directors utterly failed to implement any reporting or information system or controls;
  2. If they have implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.

In either situation, imposition of liability requires a showing that the directors knew that they were not discharging their fiduciary obligations. Where directors fail to act in the face of a known duty to act, thereby demonstrating a conscious disregard for their responsibilities, they breach their duty of loyalty by failing to discharge that fiduciary obligation in good faith.

As usual, once I get started, I often cannot stop so in my next blog post (or two) I will consider how this has evolved.