Tag: Caremark

Categories
Compliance Into the Weeds

McDonald’s and Duty of Corporate Officer Oversight

The award-winning, Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. In this episode, Matt and I dive deep into a recent decision by the Delaware Court of Chancery in the McDonald’s case, creating a duty of oversight for corporate officers.

Some of the highlights include:

·      Why can bad facts make bad laws?

·      The sordid facts of David Fairhurst during his tenure at McDonald’s.

·      The legal rationale.

·      What is Caremark, and how did it influence this decision?

·      What does it mean for CCOs?

·      How does this decision intertwine with the Monaco Doctrine, CCO certification, and the new Corporate Enforcement Policy?

 Resources

Tom with a multipart series on the FCPA Compliance and Ethics Blog

Matt Kelly with two posts in Radical Compliance

Categories
Blog

The World Has Changed: McDonald’s and the Oversight Duty of Officers-Part 2

This week, we are exploring a shift in the duties of care owed by corporate officers to the corporation. It is coming through the Chancery Court of Delaware in the case of McDonald’s Corporation and its former Executive Vice President and Global Chief People Officer of McDonald’s Corporation, David Fairhurst and his part in the creation of an absolute toxic atmosphere of sexual harassment at the very highest levels of the organization. It is styled In re McDonald’s Corporation Stockholder Derivative Litigation, and the court formally recognizes the oversight duties of officers of Delaware corporations. Today we consider the legal reasoning in the opinion.

Yesterday we began a discussion on the legal reasoning. Most compliance practitioners point to the 1996 Caremark decision as the one which set a Board’s duty around compliance. However, there has long been a duty of oversight in Delaware law, for Boards of Directors since at least the 1960s but for officers as well. In 1963, the Delaware Supreme Court established a Board duty when red flags are brought to its attention in the case of Graham v. Allis-Chalmers Manufacturing Co., which held that directors have an obligation to respond if information reached them, but created no affirmative duty to set up an information system to learn about issues within the company. A limited duty of oversight arose only if the directors had already learned enough to suspect that there were issues that needed overseeing. This was termed a “Red-Flags Claim” or a “Red-Flags Theory” of liability. This is also known as “Prong-One” Board liability.

Caremark created that affirmative duty for Board’s to engage in oversight. The Caremark court formulated a “more functional terminology, that species of claim can be called an “Information-Systems Claim” or an “Information- Systems Theory” of Board liability, also known as “Prong-Two” Board liability. In this type of case, a plaintiff typically pleads a prong-two Caremark claim by alleging that the board’s information systems generated red flags indicating wrongdoing and that the directors failed to respond. In McDonald’s Corp we now see both Prong-One and Prong-Two liability expanded to officers.

The Court of Chancery listed three key sources for expanding this duty from Boards to officers.

  1. Management runs a company. While Board’s oversee management, “most corporations are managed ‘under the direction of’ the board.” Moreover, “In the typical corporation, it is the officers who are charged with, and responsible for, running the business of the corporation.” Finally, “Because of this reality, “[m]onitoring and strategy are not exclusively the dominion of the board. Actually, nondirector officers may have a greater capacity to make oversight and strategic decisions on a day-to-day basis.”
  2. Boards depend on information from management. Here the court noted that “For relevant and timely information to reach the board, the officers who serve as the day-to-day managers of the entity must make a good faith effort to ensure that information systems are in place so that the officers receive relevant and timely information that they can provide to the directors.” From this, “it follows that officers must have a duty to make a good faith effort to establish an information system as a predicate to fulfilling their obligation to provide information to the board.”
  3. Compliance systems required under the USSG. The US Sentencing Guidelines (USSG) mandate that “[h]igh- level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline.” This requirement includes that “Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.” The USSG goes on to define an organization’s “high-level personnel” as “individuals who have substantial control over the organization or who have a substantial role in the making of policy within the organization,” which includes “a director; an executive officer; an individual in charge of a major business or functional unit of the organization, such as sales, administration, or finance; and an individual with a substantial ownership interest.” This has the added benefit of putting compliance professionals directly in the path of liability created in this decision.

Interestingly since the Delaware courts had not explicitly expanded the duty of oversight to offices, the court looked at some bankruptcy court decisions for guidance. Here the Delaware court found, there were both Prong-One Red Flag claims and Prong-Two Information Systems claims available against officers under certain circumstances. The Delaware court concluded this section with the following “All of the foregoing authorities start from the premise that officers owe the same duties as directors. Because directors owe a duty of oversight, these authorities reason that officers owe a duty of oversight. That logic is sound.”

In a section I found very interesting, the Delaware court noted that officers have fiduciary duties to the corporation akin to those duties agents owe their principals. Here the court pointed to a prior Delaware decision, which “recognized a standard of conduct at the officer level that included a duty to act carefully, loyally, and in good faith to gather and provide information, with the standard of liability for the care dimension of the duty measured by gross negligence. By recognizing the duty to provide information, Hampshire lays the foundation for an officer-level duty consistent with an Information-Systems Theory.” The Court also found there is officer accountability to the Board which supports this extension of the duty of oversight to officer.

With this legal underpinning in place, please join me tomorrow to explore how this decision will impact Chief Compliance Officers.

Categories
31 Days to More Effective Compliance Programs

Day 5 – The Board and Operationalizing Compliance

The most significant development for Boards and compliance continues to come from the Delaware courts, which have been expanding the civil law obligations of Boards through a series of court decisions involving the expansion of the Caremark Doctrine for the past several years. These developments began with the Marchand (Blue Bell Ice Cream) decision which required Boards to manage the risks their organizations face. Next was Clovis Oncology which required ongoing monitoring by the Board. Finally, the Boeing case stands for the continuing proposition that a Board cannot simply have the trappings of oversight, it must do the serious work required and have evidence of that work (Document, Document, and Document).


The decision in Boeing is yet a further expansion of the Caremark Doctrine, once again beginning with MarchandBoeing also states that a company must assess its risks and then manage them right up through the Board level. Finally, a Board must be aggressive in their approach and not passively take in what management has presented to them.
The DOJ has also made clear its thoughts on the role of the Board of Directors. The role of the Board is different than that of senior management. The 2020 Update and DOJ Antitrust Division’s 2019 Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations were even more explicit in announcing their expectation for robust Board oversight of a corporate compliance function.

Name any of the most recent corporate scandals; Wells Fargo, Theranos, Volkswagen, Boeing, FTX, etc., and there was no compliance expertise on the Board. It is now enshrined as a best practice for companies to have a seasoned compliance professional on the Board. I would also add that the DOJ may soon expect a Compliance Committee separate from the Audit Committee.
The DOJ continually speaks about the need for companies to operationalize their compliance programs. Businesses must work to integrate compliance into the DNA of their organization. Having a Board member with specific compliance expertise or heading a Compliance Committee can provide a level of oversight and commitment to achieving this goal. The DOJ enshrined this requirement in the FCPA Corporate Enforcement Policy. This means that when your company is evaluated by the DOJ, under the factors set out in the 2020 Update and FCPA Corporate Enforcement Policy, to retrospectively determine if your company had a best practices compliance program in place at the time of any violation, you need to have not only the structure of the Board-level Compliance Committee but also the specific subject matter expertise on the Board and on that committee.

This means that every Board of Directors needs a true compliance expert. Almost every Board has a former Chief Financial Officer, former head of Internal Audit, or persons with a similar background. Often, these are also the Audit Committee members of the Board. Such a background brings a level of sophistication, training, and SME that can help all companies with their financial reporting and other finance-based issues. So why is there no such SME at the Board level from the compliance profession?

Three key takeaways:

1. The 2020 Update required active Board of Director engagement and oversight around compliance.
2. Board communication on compliance is two-way, both inbound and outbound.
3. The Delaware courts have been expanding Board’s roles through the expansion of the Caremark Doctrine.

Categories
Role of the Board of Compliance

Caremark

Tom Fox and Jonathan T. Marks kick off the series with a deep dive into the 1996 Caremark decision, the 2006 Stone v. Ritter resolution, and the compliance lessons companies and board members can learn from the facts and patterns of these fundamental cases.

▶️ Caremark with Tom Fox and Jonathan T. Marks

Key points discussed in the episode:

  1. Tom Fox gives a brief background on the Caremark case.
  2. Jonathan T. Marks describes how ethical behavior is the backbone of an organization and how this case defined the importance of having proper oversight monitoring.
  3. Tom Fox lays out Caremark’s penalties. He describes the Stone v. Ritter facts, how the bank was sued for failure to perform due diligence on fraudulent investors and violating the Bank Secrecy Act. These schemes follow a pattern that has been seen repeatedly. It has also defined the duties of board members: avoiding negligence and arising from failures.
  4. Jonathan T. Marks explains how fundamentals made their way into compliance laws in other countries, how guidelines are warning shots for companies to clean up, and urging companies to step up.
  5. The Caremark doctrine later refined two conditions for director liability and emphasized why boards must actively engage in oversight.
  6. Board members must get down to the nitty-gritty of what is truly happening in their organizations, ask tough questions, do a deeper self-assessment, and stop refusing to avoid problems and the ugly truth.

—————————————————————————-

Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.

Categories
The Woody Report

The Solar Winds Decision

Welcome to The Woody Report, where Washington & Lee School of Law Associate Professor Karen Woody and host Tom Fox discuss issues on white-collar crime, compliance issues, international corruption, securities, and accounting fraud, and internal corporate investigations. From current events to topical issues to academic research and thought leadership, Karen Woody helps lead the discussion of these issues on the new and exciting podcast. In this episode, Tom and Karen explore the recently announced decision in the Solar Winds shareholder claim based upon the Caremark Doctrine. Some of the issues we explore include:

  1. Background facts and court rationale.
  2. What is ‘positive law’?
  3. Can any cyberbreach claim be the basis of a Caremark Claim?
  4. Why is victim v. perpetrator status critical in a Caremark Claim?
  5. What is the bad faith standard in Caremark Claims?
  6. What does this decision portend for Caremark Claims going forward?

Resources

Karen Woody on LinkedIn

Karen Woody at Washington & Lee, School of Law

Categories
Compliance Into the Weeds

Cyber Security Failures Alleged in Mudge Whistleblower Compliant

Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. In this episode, we mine the whistleblower allegations by Peiter Zatko, AKA “Mudge,” made against Twitter for lessons for the cyber-security professional and wide compliance discipline. Highlights and questions posed include:

·      The allegations made by Mudge.

·      Why does an organization need a CISO (or CCO or CECO)?

·      How did Twitter get hacked, its employees duped, and its controls bypassed?

·      What is pedestrian yet telling in this saga?

·      Why is data mapping mandatory if not critical?

·      Where were the external auditors?

·      Is there a Caremark claim here?

Resources

Matt in Radical Compliance

Categories
Blog

Impact of the Federal Sentencing Guidelines at 30

The Federal Sentencing Guidelines for Organizations (FSGO) by the US Sentencing Commission (USSC) turn 30 this year. For compliance officers, this was perhaps the most significant government release. It did not create the compliance profession, but it certainly put compliance professionals in the forefront of the design, creation and implementation of corporate compliance programs. The FSGO also laid out for the first time, the government’s expectations of what a well-designed compliance program should look like in practice. This led to a dramatic increase in compliance professionals. Earnie Broughton, writing in the ECI blog, said, “In many ways the promulgation of the guidelines was a defining moment in our collective journey in understanding and realizing the benefits of good corporate character.”

In 2021, the Bureau of Labor Statistics reported 291,000 compliance officers in the US. But more than driving the compliance profession and a concomitant increase in compliance professionals the FSGO has in many ways shaped the structure of the 21st century corporation and dramatically improved corporate governance. In these ways, it laid the environmental, social and governance (ESG) foundations. Last month the US Sentencing Commission (USSC) released a summary of the FSGO and how it helped drives these changes, “The Organizational Sentencing Guidelines: Thirty Years of Innovation(the History).

Regarding the FSGO themselves, they take a “carrot and stick” approach to the sentencing scheme that bases the fine range on the culpability of the organization. The guidelines instruct courts to determine culpability by considering six factors. The four aggravating factors, “that increase the ultimate punishment of an organization are: (i) the involvement in or tolerance of criminal activity; (ii) the prior history of the organization; (iii) the violation of an order; and (iv) the obstruction of justice.” The two mitigating factors are: “(i) the existence of an effective compliance and ethics program; and (ii) self-reporting, cooperation, or acceptance of responsibility.” Rather amazingly, the History reported that only 1.5% overall of all organizations sentenced “received the five-point culpability score reduction for disclosing the offense to appropriate authorities prior to a government investigation in addition to their  full cooperation and acceptance of responsibility.” Obviously, there is still room for improvement.

Rather unsurprisingly, the Department of Justice (DOJ) drew heavily on the FSGO for two key documents which laid out the foundations of an effective compliance program. The first was the 2012 FCPA Resource Guide (developed and released jointly with the Securities and Exchange Commission (SEC)) and its update, the 2021 FCPA Resource Guide, 2nd edition. The second was the Evaluation of Corporate Compliance Programs, initially released in 2019, and the 2020 Update to the Evaluation of Corporate Compliance Programs. The History noted that the Evaluation and its update, “was first developed in 2017 under the leadership of the DOJ’s first “corporate compliance expert”” and “provides greater clarity on some key issues prosecutors consider when assessing the adequacy of corporate compliance programs during charging and settlement decisions, by laying out “fundamental questions” that prosecutors should ask about compliance programs:

  • Is the corporation’s compliance program well designed. There were three key questions for consideration:
  • Is the program being applied earnestly and in good faith?
  • In other words, is the program being implemented effectively?
  • Does the corporation’s compliance program work in practice?

The Evaluation and its Update then proceed to describe “in detail the topics that prosecutors should consider when answering those questions.”Demonstrating its influence far beyond the DOJ, SEC and other government agencies, the Delaware court decision in Caremark demonstrates a key effect in the transformation of compliance programs, policies and procedures in the corporate world. The Caremark decision was a departure from prior Delaware case law which said that a board did not have to look for wrongdoing but only had to investigate if informed about it. That was from an old 1963 decision and the Court relied on the 1992 US Sentencing Guidelines to note how such views were no longer accepted. Board obligations had changed by 1996 with the following, “obligation to be reasonably informed concerning the corporation, without assuring themselves that information and reporting systems exist in the organization that are reasonably designed to provide to senior management and to the board itself timely, accurate information sufficient to allow management and the board, each within its scope, to reach informed judgments concerning both the corporation’s compliance with law and its business performance.”

Caremark considered the proposed settlement of a derivative suit seeking to impose personal liability on members of the board of directors. The History noted, “the court considered whether director liability could stem from unconsidered action by the board. After observing that “[t]he Guidelines offer powerful incentives for corporations today to have in place compliance programs to detect violations of law, promptly to report violations to appropriate public officials when discovered, and to take prompt, voluntary remedial efforts,” the court concluded that “[a]ny rational person attempting in good faith to meet an organizational governance responsibility would be bound to take into account [the organizational guidelines].”

This meant that a director has a good faith duty to see that the organization establishes adequate information and reporting systems. i.e., a compliance program. No doubt due to the significance of the Delaware courts, “following the Caremark decision, federal and state courts recognized the importance of compliance programs in the context of shareholder derivative suits.” Caremark  and its progeny are now the law of the land regarding corporate governance and compliance across most states in the US.

All of these changes and much more point to the far- and wide-ranging impact of the FSGO.  “What began as an “experiment” to encourage legal compliance and foster more ethical business practices is now widely accepted as a success.” Moreover, “evidence suggests that compliance and ethics programs implemented using the guideline criteria produce positive effects on an organization’s behavior” and that the FSGO has had a significant impact on public and private sector actors.” Finally, the History concludes that the influence of FSGO “is now spreading around the globe, suggesting that the hallmarks of an effective compliance and ethics program have universal appeal.”

Categories
Blog

A Caremark Retrospective: Part III – Lessons for Today

Over this short blog post series I have been exploring the original Caremark and Stone v. Ritter decisions from the Delaware Supreme Court. The former decision was released in 1996 and the latter, some ten years later in 2006. The original Caremark decision laid the foundation for the modern obligations of Boards of Directors in oversight of compliance in general and a company’s risk management profile in particular. Stone v. Ritter confirmed the ongoing vitality of the original Caremark decision. In Part 1, we reviewed the underlying facts of the Caremark decision and in Part II, we considered the court holdings and rationales in Caremark and Stone v. Ritter. Today, I want to review what those decisions mean for today’s Board of Directors, Chief Compliance Officer (CCO) and compliance professional.

Bribery, Fraud and Corruption

One of the things that struck me about both decisions was how timely the underlying facts were. In Caremark, a 1996 decision with the corruption going back into the 1980s, the case involved a company which provided patient care and managed care services and a substantial part of the revenues generated by the company was derived through third party payments, insurers, and Medicare and Medicaid reimbursement programs. Medicare and Medicaid payments were governed under the Anti-Referral Payments Law (“ARPL”) which prohibited health care providers (HCPs) from paying any form of remuneration (i.e., kickbacks) to physicians to induce them to refer Medicare or Medicaid patients to Caremark products or services.

To get around this prescription, Caremark entered various contracts for services (e.g., consultation agreements and research grants) with physicians at least some of whom prescribed or recommended services or products that Caremark provided to Medicare recipients and other patients. Moreover, Caremark had a decentralized governance and operational structure which allowed wide latitude to the business units to enter into such agreements without corporate or any centralized compliance or legal oversight. The results were about what you would expect.

In Stone v. Ritter, the AmSouth bank was induced to open a custodial account for two investment advisers who induced some 40 investors into a fraudulent investment, involving the construction of medical clinics overseas, by misrepresenting the nature and the risk of that investment. The bank provided custodial accounts for the investors and to distribute monthly interest payments to each account upon receipt of a check from the investment advisors. The scheme went on for about two years before the sapped investors stopped getting paid and began to contact the bank.

Federal bank examiners examined AmSouth’s compliance with its reporting and other obligations under the Bank Secrecy Act (BSA). AmSouth “entered into a Deferred Prosecution Agreement (“DPA”) in which AmSouth agreed: first, to the filing by USAO of a one-count Information in the United States District Court for the Southern District of Mississippi, charging AmSouth with failing to file SARs; and second, to pay a $40 million fine. In conjunction with the DPA, the USAO issued a “Statement of Facts,” which noted that although in 2000 “at least one” AmSouth employee suspected that Hamric was involved in a possibly illegal scheme, AmSouth failed to file SARs in a timely manner.” From my reading of these facts, it appears that there was ample evidence an illegal scheme was ongoing, and a Suspicious Activity Report (SAR) should have been filed. As with the underlying facts of Caremark, the underlying facts of Stone v. Ritter are still the basis for enforcement actions today.

Caremark – The Evolution of Board Duties

To create the modern Caremark Doctrine the Delaware Supreme Court had to overcome prior existing Delaware law regarding the board’s obligations. That decision from 1963, is known as  Allis-Chalmers, addressed the question of potential liability of board members for losses experienced by the corporation as a result of the corporation having violated US antitrust laws. There was no claim in that case that the directors knew about the behavior of subordinate employees of the corporation that had resulted in the liability.

Rather,  the claim asserted was that the directors ought to have known of it and if they had known they would have been under a duty to bring the corporation into compliance with the law and save the corporation from the loss. In Allis-Chalmers the Court found “absent cause for suspicion there is no duty upon the directors to install and operate a corporate system of espionage to ferret out wrongdoing which they have no reason to suspect exists.” As there were no grounds for suspicion in by the board, the directors were blamelessly unaware of the conduct leading to the corporate liability.

The Court found that the obligations for a board had evolved significantly from 1963, most notably in three areas. First, in the area of corporate takeovers, the court viewed “the seriousness with which the corporation law views the role of the corporate board.” The second area was the recognition as an “essential predicate for satisfaction of the board’s supervisory and monitoring role under Section 141 of the Delaware General Corporation Law.” The third and final change was the 1992 US Sentencing Guides and the “potential impact of the federal organizational sentencing guidelines on any business organization. Any rational person attempting in good faith to meet an organizational governance responsibility would be bound to take into account this development and the enhanced penalties and the opportunities for reduced sanctions that it offers.”

To effectuate this change, the court stated “I am of the view that a director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.” Moreover, “it is important that the board exercise a good faith judgment that the corporation’s information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner as a matter of ordinary operations, so that it may satisfy its responsibility.”

Conclusion

It is this final language which forms the basis of the modern Caremark Doctrine. There has been expansion of the Doctrine from this basic language over the past 25 years. Hopefully every board is aware of their obligations and are actually meeting them. However, every CCO and compliance professional needs to make the board aware of its Caremark obligations and then educate them on how to fulfill those obligations.

Categories
Blog

A Caremark Retrospective: Part II – Holdings and Rationale

Today, I continue my exploration of two of the most significant cases regarding Boards of Directors and corporate compliance; the Caremark and Stone v. Ritter decisions. The former decision was released in 1996 and the latter, some ten years later in 2006. The original Caremark decision laid the foundation for the modern obligations of Boards of Directors in oversight of compliance in general and a company’s risk management profile in particular. Stone v. Ritter confirmed the ongoing vitality of the original Caremark decision. Yesterday, in Part 1, we reviewed the underlying facts of the Caremark decision. Today, in Part II, we consider the holdings and the legal reasoning. Perhaps the most interesting thing about both cases is that even though the Court in Caremark delineated the doctrine and in Stone v. Ritter confirmed it, both Courts ruled against the moving parties and for the defendant corporate Boards.

Caremark

In Caremark, the Court began by noting that director liability for a breach of the duty to exercise appropriate attention can come up in two distinct contexts. In the first, liability can occur from a board decision that results “in a loss because that decision was ill advised or “negligent””. In the second, board liability for a loss “may be said to arise from an unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss.”

However, any decision is tempered by the following, what “may not widely be understood by courts or commentators who are not often required to face such questions, is that compliance with a director’s duty of care can never appropriately be judicially determined by reference to the content of the board decision that leads to a corporate loss, apart from consideration of the good faith or rationality of the process employed.” In other words, if there is a process or protocol in place a board cannot be said to have violated its duty, even with “degrees of wrong extending through “stupid” to “egregious” or “irrational”.” To do so would abrogate the Business Judgment Rule.

The Caremark court went so far as to cite Learned Hand for the following, “They are the general advisors of the business and if they faithfully give such ability as they have to their charge, it would not be lawful to hold them liable. Must a director guarantee that his judgment is good? Can a shareholder call him to account for deficiencies that their votes assured him did not disqualify him for his office? While he may not have been the Cromwell for that Civil War, Andrews did not engage to play any such role.”

However, there is a second type of liability which boards can run afoul of under Caremark, and it is the one which seems to the liability under which most boards are found wanting in successful Caremark claims. It is when “director liability for inattention is theoretically possible entail  circumstances in which a loss eventuates not from a decision but, from unconsidered inaction.” This was a departure from prior Delaware case law which said that a board did not have to look for wrongdoing but only had to investigate if informed about it. That was from an old 1963 decision and the Court relied on the 1992 US Sentencing Guidelines to note how such views were no longer accepted. Board obligations had changed by 1996 with the following, “obligation to be reasonably informed concerning the corporation, without assuring themselves that information and reporting systems exist in the organization that are reasonably designed to provide to senior management and to the board itself timely, accurate information sufficient to allow management and the board, each within its scope, to reach informed judgments concerning both the corporation’s compliance with law and its business performance.”

Stone v. Ritter

This case involved money laundering and a bank’s failure to report suspicious activity which led to an employee running a Ponzi scheme. The bank in question was fined over $40 million. Once again, the plaintiffs were not successful in their claims. The Stone v. Ritter court approved the Caremark Doctrine and went on to further specify thatCaremark required a “lack of good faith as a “necessary condition to liability”.” It is because the Court was not focusing simply on the results but in the board’s overall conduct “of the fundamental duty of loyalty.” It follows that because a showing of bad faith conduct, “is essential to establish director oversight liability, the fiduciary duty violated by that conduct is the duty of loyalty.”

Interestingly, the Court added what it termed as “two additional doctrinal consequences.” First, although good faith is a “part of a “triad” of fiduciary duties that includes the duties of care and loyalty, the obligation to act in good faith does not establish an independent fiduciary duty that stands on the same footing as the duties of care and loyalty.” Violations of the duties of care and loyalty may result in direct liability, whereas a failure to act in good faith may do so, but it would only result in indirect liability. The second consequence is that the “duty of loyalty is not limited to cases involving a financial or other cognizable fiduciary conflict of interest. It also encompasses cases where the fiduciary fails to act in good faith. As the Court of Chancery aptly put it in Guttman, “[a] director cannot act loyally towards the corporation unless she acts in the good faith belief that her actions are in the corporation’s best interest.””

The Stone v. Ritter court ended by further refining the Caremark Doctrine to define the necessary conditions for director liability under Caremark. They are:

  1. Directors utterly failed to implement any reporting or information system or controls;
  2. If they have implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.

In either situation, imposition of liability requires a showing that the directors knew that they were not discharging their fiduciary obligations. Where directors fail to act in the face of a known duty to act, thereby demonstrating a conscious disregard for their responsibilities, they breach their duty of loyalty by failing to discharge that fiduciary obligation in good faith.

As usual, once I get started, I often cannot stop so in my next blog post (or two) I will consider how this has evolved.

Categories
Blog

A Caremark Retrospective: Part I – Background

It is often instructive to look back at old cases which have become so well known for a doctrine that the underlying facts are often forgotten. I did so recently in reading the original Caremark and Stone v. Ritterdecisions. The former decision was released in 1996 and the latter, some ten years later in 2006. They both made interesting reading and the underlying facts could well be drawn from the headlines of anti-corruption and anti-money laundering (AML) enforcement actions today. The original Caremark decision laid the foundation for the modern obligations of Boards of Directors in oversight of compliance in general and a company’s risk management profile in particular. Stone v. Ritter confirmed the ongoing vitality of the originalCaremark decision. Today, in Part 1, we review the underlying facts of the Caremark decision and in Part II, the legal reasoning.

Underlying Facts

In Caremark, the decision involved a company which provided patient care and managed care services and a substantial part of the revenues generated by the company was derived through third party payments, insurers, and Medicare and Medicaid reimbursement programs. Medicare and Medicaid payments were governed under the Anti-Referral Payments Law (“ARPL”) which prohibited health care providers (HCPs) from paying any form of remuneration (i.e., kickbacks) to physicians to induce them to refer Medicare or Medicaid patients to Caremark products or services.

To try and get around this prescription, Caremark entered various contracts for services (e.g., consultation agreements and research grants) with physicians at least some of whom prescribed or recommended services or products that Caremark provided to Medicare recipients and other patients. Moreover, Caremark had a decentralized governance and operational structure which allowed wide latitude to the business units to enter into such agreements without corporate or any centralized compliance or legal oversight. The results were about what you would expect.

Multiple federal investigations found that from the mid-1980s until the early 1990s, Caremark paid out millions to doctors in forms disguised to evade ARPL liability. Caremark claimed that its payments for consultation, teaching, research grants and other similar evasions did not violate the law. Further, it relied on an audit by Price Waterhouse (PwC) which concluded that there were no material weaknesses in Caremark’s control structure.

In 1993, Caremark formally changed its compliance manual to prohibit such payments, announced this change internally and put on training for this new set of policies. However, there were no attendant controls, monitoring or follow up noted. Indeed, it is not clear if much if anything changed at Caremark, given the decentralized nature of its business model.

Criminal and Civil Charges

In August 1994, Caremark was hit with a 47-page indictment alleging criminal violations of ARPL, specifically including making payments to induce physicians to refer patients to Caremark services and products. The indictment alleged that payments were “in the guise of research grants and others were consulting agreements.” Moreover, the Indictment went on to allege that such payments were made where no consulting services or research performed. (Very 2022 FCPA-ish) One doctor was alleged to have direct payments from Caremark for staff and offices expenses. Multiple shareholder suits were filed against the Board in Delaware and another federal Indictment was handled in Ohio. In addition to the claims in Ohio, new allegations of over billing and inappropriate referral payments made in Georgia and “reported that federal investigators were expanding their inquiry to look at Caremark’s referral practices in Michigan as well as allegations of fraudulent billing of insurers.” Rather amazingly, the company management, when reporting the Indictment to the Board of Directors, maintained the company had done nothing wrong.

Settlements

Of course, the Caremark senior management was not correct, and Caremark was required to pay millions to resolve enforcement actions. An agreement, with the Department of Justice (DOJ), Office of Inspector General (OIG), US Veterans Administration, US Federal Employee Health Benefits Program, federal Civilian Health and Medical Program of the Uniformed Services, and related state agencies in all fifty states and the District of Columbia required a Caremark subsidiary to enter a guilty plea to two counts of mail fraud, and required Caremark to pay $29 million in criminal fines, $129.9 million relating to civil claims concerning payment practices, $3.5 million for alleged violations of the Controlled Substances Act, and $2 million, in the form of a donation, to a grant program set up by the Ryan White Comprehensive AIDS Resources Emergency Act. Caremark also agreed to enter into a compliance agreement with the Department of Health and Human Services (HHS).

In addition to all these entities, Caremark was also sued by several private insurance company payors (“Private Payors”), who alleged that Caremark was liable for damages to them for allegedly improper business practices related to those at issue in the OIG investigation. As a result of negotiations with the Private Payors the Caremark Board of Directors approved a $98.5 million settlement agreement with the Private Payors in 1996.

In addition to the financial penalties, Caremark finally agreed to institute a full compliance program. It created the position of Chief Compliance Officer (CCO) and created a Board level Compliance and Ethics Committee who, with the assistance of outside counsel, was tasked with reviewing existing contracts and advanced approval of any new contract forms.

Join us for our next piece where we consider the court holdings and rationales in Caremark and Stone v. Ritter.