Last week, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) announced a Foreign Corrupt Practices Act (FCPA) enforcement action, involving the waste management company, Stericycle, Inc. (Stericycle). According to the Information and Deferred Prosecution Agreement (DPA), Stericycle entered into a three-year DPA. The company was charged with two counts of conspiracy to violate (1) the anti-bribery provision of the FCPA, and (2) the FCPA’s books and records provision. Under the DPA, Stericycle agreed to a criminal penalty of $52.5 million of which the DOJ agreed to credit up to one-third of the criminal penalty against fines the company pays to authorities in Brazil in related proceedings. According to the SEC Cease and Desist Order (Order), Stericycle violated the anti-bribery, books and records, and internal accounting controls provisions of the FCPA and agreed to pay approximately $28.2 million in disgorgement and prejudgment interest. The SEC Order also provided for an offset of up to approximately $4.2 million of any disgorgement paid to Brazilian authorities. In today’s post we consider the fallout to the company, the comeback made during the pendency of the investigation and the monitor.
The Fallout
The fallout for Stericycle could not have been more dramatic or more disastrous. The company had to basically shut down a large part of its Latin American business. According to the DPA, Stericycle divested itself of its subsidiaries in Mexico and Argentina and is taking steps to address its risks in Brazil. Consider that for a moment: the corruption is so endemic within your business unit that you actually cannot remediate; you must divest yourself of it. According to Stericycle’s own estimates, it would lose millions of dollars in business if it was required to leave these countries, and the amounts of monies generated through bribery and corruption were equally high, according to the DPA.
The Comeback
The Stericycle enforcement action once again demonstrates how the FCPA Corporate Enforcement Policy can benefit even the most corrupt organization and allow a significant reduction of the overall fine and penalty under the US Sentencing Guidelines. According to the DPA, Stericycle received a 25% discount off the bottom of the applicable Sentencing Guidelines fine range for its cooperation during the pendency of the investigation and the extensive remediation. The former conduct was identified as “proactively disclosing certain evidence of which the United States was previously unaware; providing information obtained through its internal investigation, which allowed the government to preserve and obtain evidence as part of its own independent investigation; making detailed factual presentations to the Fraud Section; voluntarily facilitating interviews in the United States of foreign-based employees; and collecting and producing voluminous relevant documents to the Fraud Section, including documents located outside the United States, accompanied by translations of documents.”
The extensive remediation was even more revealing, as the DPA stated that although the company had not self-disclosed, it began its internal investigation prior to being contacted by the DOJ. The company amped up its game regarding corporate governance by “appointing numerous new individuals to senior management and Board of Directors positions and establishing a Safety, Operations, and Environmental Committee to enhance Board oversight.” It enhanced its “compliance organization by hiring additional compliance personnel, including an experienced new Chief Ethics and Compliance Officer who reports directly to Stericycle’s Chief Executive Officer and Chair of the Audit Committee of the Board of Directors”. It updated the backbone of its compliance program by updating its code of conduct, policies, procedures and internal controls. It enhanced (or perhaps even created) its internal reporting, investigations and risk assessment processes and improved its compliance training and communications. Discipline was levied against certain employees, “including terminating certain employees including senior managers,” in addition to the aforementioned divestitures.
I have previously estimated Stericycle saved between $25 million and $30 million from its final criminal fine. That is certainly a significant amount and one every Chief Compliance Officer (CCO) needs to have ready to submit to the CEO to demonstrate the power of committing time and resources to both internal investigations and remediation during the pendency of the investigation.
The Monitor
This is the first FCPA enforcement action to show the full impact of the change in DOJ enforcement priorities after the Lisa Monaco speech of October 2021, in a variety of ways. The first is the imposition of a monitor. It was required under both the DPA and the Order. Interestingly, even though the company was long aware of its compliance and ethical failures and even though it had been investigating this matter since at least 2016, the company could not seem to get its collective act together enough to fully implement and test the new compliance regime set out in the DPA. The DPA stated, “the Company has enhanced and has committed to continuing to enhance its compliance program and internal controls, including ensuring that its compliance program satisfies the minimum elements set forth in Attachment C to this Agreement (Corporate Compliance Program) but, despite its extensive remedial measures described above, the Company to date has not fully implemented or tested its enhanced compliance program, and thus the imposition of an independent compliance monitor for a term of two years, as described more fully below and in Attachment D, is necessary to prevent the recurrence of misconduct.” [Emphasis supplied] Clearly there was something missing from the company’s overall approach over these past six years.
According to the Order, the Monitor is mandated to review and evaluate the effectiveness of the Company’s policies, procedures, practices, internal accounting controls, recordkeeping, SOX controls, and financial reporting processes tying them to the FCPA and other applicable anti-corruption laws, and “make recommendations reasonably designed to improve the effectiveness of the Company’s Policies and Procedures and FCPA corporate compliance program (the “Mandate”). This Mandate shall include an assessment of the Board of Directors’ and Executive Leadership Team’s [ELT] commitment to, and effective implementation of, the Policies and Procedures and FCPA corporate compliance program.” Note this exacting requirement on the Board and ELT. Obviously, the SEC found their conduct wanting and needed to specifically call it out. It could also be a nod of the hat to the Delaware Supreme Court and its expansion of the Caremark Doctrine. Of additional interest was that the Monitor “should use a risk-based approach” and not necessarily “conduct a comprehensive review of all business lines, all business activities, and all markets.” Even with this anti-boil the ocean language, it is quite a bit of work for the company and the monitor.
Join us tomorrow, when we look at some lessons learned.
Welcome to the only roundtable podcast in compliance. The entire gang was also thrilled to be honored by W3 as a top talk show in podcasting. In this episode, we have the sextet of Karen Woody, Jonathan Armstrong, Matt Kelly, Jonathan Marks, and Jay Rosen, with host Tom Fox also weighing in on this episode. We also discuss our favorite story of 2021. We end with a veritable mélange of shout-outs and rants.
1. Karen Woody reviews the increase in SEC enforcement that the regulators have told us throughout the year is coming. Karen shouts out to starting early Emmy buzz for Ted Lasso.
2. Jay Rosen reviews the Activision imbroglio from the missteps of the CCO to the disseminations of the CEO. Rosen shouts out to civility.
3. Matt Kelly reviews the latest iteration of ransomware attacks and contrasts it with data privacy breaches from the past. Kelly shouts out to the NJ sandwich shop Hometown International, which had $35K in annual sales yet a $100MM market cap valuation.
4. Jonathan Armstrong goes back to consider the long-running soap opera, saga and story that is Carlos Ghosn and Nissan. Armstrong shouts out to those who show true leadership in a crisis and the Spirit of Christmas.
5. Jonathan Marks reviews the increased Caremark duties for Boards of Directors coming out of the Delaware courts. Marks expands on his rant about Hall of Fame horse trainer Bob Baffert.
6. Tom Fox reviews the year in ESG and why compliance is the most well-suited corporate function to lead a corporate ESG effort. Fox shouts out to John Lee Dumas, who as a college senior on 9/11, knew that night he was going to war, and to all the men and women who served in combat in America’s 20-year war in Iraq and Afghanistan.
The members of Everything Compliance are:
• Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
• Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu
• Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
• Jonathan Armstrong – Our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com
• Jonathan Marks – Partner, Firm Practice Leader – Global Forensic, Compliance & Integrity Services at Baker Tilly. Marks can be reached at jonathan.marks@bakertilly.com
The host and producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.
The final case on the Board’s expanding obligations regarding compliance oversight is Boeing, which was decided earlier this year. This action is yet more from the continuing fallout of the Boeing MAX 737 disaster. As Mike Volkov has noted “The Boeing 737 MAX scandal is a troublesome and disturbing case where corporate board oversight and responsibility was lacking. The implications of the board’s failure resulted in the killing of innocent passengers and the grounding of Boeing’s 737 MAX. Add to that a $2.5 billion settlement, a criminal case against a Chief Technical Pilot, and continuing safety and technical problems, and you have recipe for continuing disaster at Boeing.”
In this case, shareholders sued Boeing’s board, seeking to recover costs and economic losses associated with the crash of two 737 MAX jetliners. The allegations were that the directors failed to monitor aircraft safety before the crashes and then failed to respond to known safety risks after the first crash. The lawsuit seeks to hold the directors liable for the resulting loss of “billions of dollars in value.”
Here there were not allegations that the Board did not take compliance seriously or did not provide oversight of compliance but that the Board did not react swiftly and forcefully enough when the first MAX 737 crash occurred. The decision from the Court (the Court of Chancery not the Delaware Supreme Court) framed the question before it as follows, “The narrow question before this Court today is whether Boeing’s stockholders have alleged that a majority of the Company’s directors face a substantial likelihood of liability for Boeing’s losses. This may be based on the directors’ complete failure to establish a reporting system for airplane safety, or on their turning a blind eye to a red flag representing airplane safety problems.”
The Court noted that from 2011 until August 2019, the Board had five standing Committees to monitor and oversee specific aspects of the Company’s business: (1) Audit, (2) Finance, (3) Compensation, (4) Special Programs, and (5) Governance, Organization and Nominating. The Audit Committee was Boeing’s primary arbiter for risk and compliance. Specifically, it “evaluat[ed] overall risk assessment and risk management practices”; “perform[ed a] central oversight role with respect to financial statement, disclosure, and compliance risks”; and “receiv[ed] regular reports from [Boeing’s] Senior Vice President, Office of Internal Governance and Administration with respect to compliance with our ethics and risk management policies.” The Court went on to delineate a list of areas the Audit Committee covered, specifically including robust oversight over compliance.
However, what the Boeing Board did not do was “implement or prioritize safety oversight at the highest level of the corporate pyramid. None of Boeing’s Board committees were specifically tasked with overseeing airplane safety, and every committee charter was silent as to airplane safety. The Board recognized as much: former director John H. Briggs, who retired in 2011, observed that the “board doesn’t have any tools to oversee” safety.” [emphasis supplied] The Court rather ominously then said “This stood in contrast to many other companies in the aviation space whose business relies on the safety and flightworthiness of airplanes.”
The Court went into a detailed discussion about what the Board did and, more importantly, did not do after the first MAX 737 crash (Lion Air crash). The Board did not initiate contact with management, did not initiate any type of independent investigation or apparently do anything more than ‘Shirk Responsibility’. That final phrase comes from a section title from the Court’s opinion and reads “The Board Continues To Shirk Safety Oversight”. [bold in original opinion] (Recovering trial lawyer insight: when a court writes something like that as a section heading, it is very ‘not good’ for the defendant). The Court was equally critical about the Board’s response after the second MAX 737 crash (the Ethiopian Airlines crash). Finally, the Court found “The Board publicly lied about if and how it monitored the 737 MAX’s safety.” It really does not get any worse than that for a Board.
The Court’s opinion found that under Marchand, a Board must assess the risk profile of the company and manage the most critical risks all the way up to the Board level. At Blue Bell Ice Cream, it was food safety. At Boeing it is airline safety. At the Boeing Board, there was “no committee charged with direct responsibility to monitor airplane safety. While the Audit Committee was charged with “risk oversight,” safety does not appear in its charter. Rather, its oversight function was primarily geared toward monitoring Boeing’s financial risks.” This lack provided the basis for a Caremark claim as further refined by Marchand, et al.
Moreover, there was no Board monitoring system in place for safety. There was no mechanism to get whistleblower complaints about safety to the Board. Finally there was no independent evaluation by the Board on safety, “when safety was mentioned to the Board, it did not press for further information, but rather passively accepted management’s assurances and opinions.”
Some commentators see this as a decision based upon a new category of risk called “corporate trauma”. Herlihy and Savitt said, “The harsh decision reflects the court’s obligation to accept all the plaintiffs’ allegations as true in considering defendants’ motion to dismiss. Indeed, the court reaffirmed that failure-of-oversight claims remain “the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.” But the ruling nevertheless reconfirms the courts’ increasing willingness to subject directors to suit for corporate trauma.” Mike Volkov was more succinct noting, “At bottom, the Chancery Court is raising the stakes on board member accountability.”
The Hughes Court further delineated a Board’s obligations under Caremark. It cannot simply have the trappings of oversight; it must do the serious work required and have evidence of that work (Document, Document, and Document). Marchand required Boards to manage the risks their organizations face. Clovis Oncology requires ongoing monitoring by the Board. Hughes stands for the proposition that having the structures, policies and procedures in place is not enough. The Board must fully engage in oversight of a compliance program. The decision in Boeing is yet a further expansion of Caremark, once again through Marchand. It stands for the proposition that a company must assess its risks and then manage those risks right up through the Board level.
When the Delaware Supreme Court says a Board of Directors collectively signed a company’s Annual Statement “with hands on their ears to muffle the alarms,” you can rest assured the Board was seriously negligent in fulfilling its Caremark obligations. The Court’s decision in Clovis Oncology (Clovis or ‘the company’) laid out what a plaintiff must prove to create liability for a Board under the Caremark Doctrine. Not only must a Board have oversight of a corporate compliance function, it must also provide oversight of that function.
The facts are so egregious on the monitoring requirement, the entire opinion could have been the basis for the original Caremark Doctrine. As the opinion stated the Board “breached their fiduciary duties by failing to oversee the Roci clinical trial and then allowing the Company to mislead the market regarding the drug’s efficacy. These breaches, it is alleged, caused Roci to sustain corporate trauma in the form of a sudden and significant depression in market capitalization.”
Clovis had no products and no sales but only the hope of the creation, marketing and sale of a new cancer drug, Roci. Clovis “relied solely on investor capital for all operations.” The potential success for Clovis “rested largely on one of its three developmental drugs, Roci, a cancer drug designed to treat a previously-untreatable type of lung cancer. Because of the estimated $3 billion annual market for drugs of its type, Clovis expected Roci to generate large profits if Clovis could secure FDA approval for the drug and shepherd it to market.” To get Roci to market, the company had to first perform clinical trials and then submit those findings to the Food and Drug Administration (FDA).
To perform the clinical trials, Clovis used a standard, well-known drug testing protocol called RECIST. A key component of the RECIST protocol was differentiating on the reporting on confirmed results v. non-confirmed results. During the trial, Clovis deviated from the RECIST protocol by improperly calculating the efficacy measurement based on both confirmed and unconfirmed results without differentiating between the two. As a result, Clovis published inflated performance results, and included this information in raising capital in the private and public securities markets of over $500 million. Clovis also failed to properly disclose the drug’s side effects. Worse yet, Clovis made these same misrepresentations in its initial presentations to the FDA.
After its initial presentation to the FDA, the FDA requested additional information on the test results. It appears at that point the Board was made aware of significantly different results from the confirmed v. the non-confirmed categories. The stock dropped some 80% in a few days, wiping out over $1 billion in capitalization. The fallout of Clovis’ actions led the FDA to suspend its review of Roci, effectively ending the company’s efforts.
As noted, the Court found that the Board had made certain there was an overall compliance program. However, Caremark has a second prong which requires a Board to “monitor” its compliance program. The Court stated, “To state a claim under this prong, Plaintiffs must well-plead that a “red flag” of non-compliance waived before the Board Defendants but they chose to ignore it. In this regard, the court must remain mindful that “red flags are only useful when they are either waived in one’s face or displayed so that they are visible to the careful observer. But, as Marchand makes clear, the careful observer is one whose gaze is fixed on the company’s mission critical regulatory issues.” For the Clovis Board, the compliance oversight should have been over Roci’s trials, clinical trial protocols and related FDA regulations governing that study.
The RECIST clinical trials protocol was “the crucible in which Roci’s safety and efficacy were to be tested. Roci was Clovis’ mission critical product. And the Board knew, upon completion of the TIGER-X trial, the FDA would consider only confirmed responses when determining whether to approve Roci’s NDA per the agency’s own regulations.” Moreover, the Clovis “Board was comprised of experts and the RECIST criteria are well-known in the pharmaceutical industry. Moreover, given the degree to which Clovis relied upon it when raising capital, it is reasonable to infer the Board would have understood the concept and would have appreciated the distinction between confirmed and unconfirmed responses. The inference of Board knowledge is further enhanced by the fact the Board knew that even after FDA approval, physicians (i.e., future prescribers) would evaluate Roci based on its” clinical trials.
Mike Volkov has stated of the Clovis decision, “The Clovis Court explained that “‘Delaware Courts are more inclined to find Caremark oversight liability at the board level when the company operates in the midst of obligations imposed upon it by positive law yet fails to monitor existing compliance systems, such that a violation of law, and resulting liability, occurs.’” The Clovis Court noted that when externally imposed regulations govern a company’s mission critical operations, the board must exercise a good faith effort to implement an oversight system, which “entails a sensitivity to ‘compliance issues[s] intrinsically critical’ to the company.”
The Clovis decision is another steppingstone in the creation of duties for a Board regarding compliance. Like the Board at Blue Bell Ice Cream, the Clovis Oncology Board had but one compliance obligation. At Blue Bell Ice Cream, it was food safety. At Clovis Oncology it was compliance around the clinical trials and reporting results of its signature product, the drug Roci. While Blue Bell Ice Cream management did not even report its food safety results to the Board, senior management at Clovis made material misrepresentations to the Board about the results of the clinical trial based upon the melding of unconfirmed results with confirmed results. This case then stands for the proposition that a Board must do more than simply accept what management says about compliance; it must monitor compliance. Here the Clovis management made material misrepresentations to the Board about the results of the clinical trial based upon the melding of unconfirmed results with confirmed results.
The role of the Board of Directors has always been a key part of any best practices compliance program. The Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have consistently said that a Board’s role is active oversight of compliance. Over the past few years, the civil side of this obligation has become much more prominent, led by developments in case law under the Caremark doctrine, as modified by Stone v. Ritter by the Delaware Supreme Court. In response to demands for greater accountability and corporate accountability, the Delaware courts have been cutting back the Caremark standard and rejecting motions to dismiss filed by defendants. Recent cases are continuing down this path and raising the expectations for Board members exercising their duty of loyalty and duty of care. This week I will be exploring this expanded set of legal obligations laid down by the Delaware Supreme Court.
Mike Volkov has stated, “At the core of board member protection from liability is the well-known Caremark doctrine that requires corporate boards to make a good faith effort to implement a system for compliance program monitoring and reporting. For years, Delaware courts easily rebuffed shareholder derivative suits challenging board members’ performance after a corporate scandal occurred. The Caremark standard was reinforced in Stone v. Ritter, where the court stated director oversight liability requires a showing of either “the directors utterly failed to implement any reporting or information system or controls” or the directors, “having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.”
Under Caremark and Stone v. Ritter, a director must make a good faith effort to oversee the company’s operations. Failing to make that good faith effort breaches the duty of loyalty and can expose a director to liability. But it is more than simply not doing your job as a Board, it is doing so in bad faith. The Court states, “In other words, for a plaintiff to prevail on a Caremark claim, the plaintiff must show that a fiduciary acted in bad faith—“the state of mind traditionally used to define the mindset of a disloyal director.” Bad faith is established, under Caremark, when “the directors [completely] fail[] to implement any reporting or information system or controls[,] or … having implemented such a system or controls, consciously fail[ ] to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.” In short, to satisfy their duty of loyalty, directors must make a good faith effort to implement an oversight system and then monitor it.”
This change began in a case, Marchand v. Barnhill, and it involved that Texas institution, Blue Bell Ice Cream, the top ice cream manufacturer in the US. In this decision, the Court found that the Blue Bell Board completely abrogated its duty around the single largest safety issue it faced – food safety. That abrogation allowed a listeria outbreak, “causing the company to recall all of its products, shut down production at all of its plants, and lay off over a third of its workforce. Blue Bell’s failure to contain listeria’s spread in its manufacturing plants caused listeria to be present in its products and had sad consequences. Three people died as a result of the listeria outbreak. Less consequentially, but nonetheless important for this litigation, stockholders also suffered losses because, after the operational shutdown, Blue Bell suffered a liquidity crisis that forced it to accept a dilutive private equity investment.”
The job of every Board member is to represent the shareholders, not the incumbent Chief Executive Officer (CEO) and Chairman of the Board. To do so, the Board must oversee the risk management function of the organization. Blue Bell was and to this day is a single-product food company and that food is ice cream. This sole source of income would mandate that the highest risk the company might face is around food. But as the underlying complaint noted, “despite the critical nature of food safety for Blue Bell’s continued success, the complaint alleges that management turned a blind eye to red and yellow flags that were waved in front of it by regulators and its own tests, and the board—by failing to implement any system to monitor the company’s food safety compliance programs—was unaware of any problems until it was too late.”
The plaintiffs reviewed the Board records and made the following allegations:
- there was no Board committee that addressed food safety;
- there was no regular process or protocols that required management to keep the Board apprised of food safety compliance practices, risks, or reports which existed;
- there was no schedule for the Board to consider on a regular basis, such as quarterly or biannually, any key food safety risks which existed;
- during a key period leading up to the deaths of three customers, management received reports that contained what could be considered red, or at least yellow, flags, and the Board minutes of the relevant period revealed no evidence that these were disclosed to the Board;
- the Board was given certain favorable information about food safety by management, but was not given important reports that presented a much different picture; and
- the Board meetings are devoid of any suggestion that there was any regular discussion of food safety issues.
The Board’s response to these allegations is instrumental in understanding how Boards viewed their obligations regarding oversight of compliance. The Court stated, “the directors largely point out that by law Blue Bell had to meet FDA and state regulatory requirements for food safety, and that the company had in place certain manuals for employees regarding safety practices and commissioned audits from time to time. In the same vein, the directors emphasize that the government regularly inspected Blue Bell’s facilities, and Blue Bell management got the results.”
The Delaware Supreme Court made short shrift of this argument, stating the “fact that Blue Bell nominally complied with FDA regulations does not imply that the board implemented a system to monitor food safety at the board level. Indeed, these types of routine regulatory requirements, although important, are not typically directed at the board. At best, Blue Bell’s compliance with these requirements shows only that management was following, in a nominal way, certain standard requirements of state and federal law. It does not rationally suggest that the board implemented a reporting system to monitor food safety or Blue Bell’s operational performance.”
The Board’s next defense was even more inane and was so preposterous, the Delaware Supreme Court labeled it as “telling.” It was that because the Board had received information on the company’s operational issues and performed oversight on operational issues, it had fulfilled its Caremark obligations. This is basically the same argument made for every paper-pushing compliance program. “We have something on paper, so we have complied” is the clarion call of such practitioners. The Delaware Supreme Court also saw through the flimsiness of this argument stating, “if that were the case, then Caremark would be a chimera.” [emphasis in original] This is because operational issues are always discussed at the Board level. Finally, Caremark requires “that a board make a good faith effort to put in place a reasonable system of monitoring and reporting about the corporation’s central compliance risks. In Blue Bell’s case, food safety was essential and mission critical.”
It has long been axiomatic that bad facts can lead to large changes in how courts interpret the law. The Blue Bell case had facts on which the Court all but said the Board engaged in bad faith regarding its compliance obligations. The change was only the beginning.