Brewer v. Turner: When Board Delay Becomes Bad Faith

In corporate governance, timing is everything. A board’s oversight failure does not always come from what it does not see; often, it comes from how long it waits to act once the warning lights flash red. This cautionary tale originates from the shareholder action in the case of Brewer v. Turner, a Delaware Court of Chancery decision that permitted a Caremark claim against the directors of Regions Financial Corporation to proceed. The opinion marks another milestone in the court’s expanding interpretation of fiduciary “bad faith.” It offers an unmistakable message to compliance professionals: delay can be fatal, and now it can also lead to exposure.

A New Chapter in Caremark

In the article in the Harvard Law School Forum on Corporate Governance, titled Caremark Claim Survives Board’s Delay in Ending Illegal Practices, lawyers from Fried Frank considered the case. At issue was the board’s handling of a whistleblower complaint from its former Deputy General Counsel, Jeffrey A. Lee, who alleged that Regions’ overdraft-fee practices violated CFPB regulations. Eighteen months after receiving his detailed complaint, the bank finally ended those practices. By then, the Consumer Financial Protection Bureau had investigated and levied $191 million in penalties and restitution.

The court concluded that the board’s delay could itself amount to bad faith. Hiring outside counsel and forming committees did not shield the directors from liability. As Chancellor Kathaleen McCormick wrote, “Everyone knows that delay can be intentional and a tactic to avoid the consequences of acting appropriately.” For compliance officers, this ruling signals that boards can no longer hide behind process if the substance and speed of oversight fall short of expectations.

Today, we examine the lessons compliance leaders should take from the case.

1. Red Flags Require Immediate, Documented Response

Historically, Delaware courts were reluctant to treat whistleblower complaints as “red flags.” They often viewed such claims as speculative unless corroborated by concrete evidence of wrongdoing. But in Regions, the whistleblower’s position mattered: he was a lawyer responsible for assessing legal risk. His complaint was detailed, specific, and sent to the Audit Committee, a combination that the court found impossible to ignore. That shift widens the compliance risk perimeter. A whistleblower who possesses subject-matter authority, particularly someone in compliance, legal, risk, or audit, can now trigger a board-level duty to act.

For the CCO:

Implement a rapid-response framework for any internal report that raises concerns about legal or regulatory violations. Require escalation to the board or relevant committee within days, not weeks. Then document every step: receipt, investigation, deliberation, and resolution. When courts review the record, speed and transparency become your strongest defenses.

2. Delay Can Be the New Bad Faith

Perhaps the most groundbreaking element of this case is the court’s recognition that delay itself can constitute bad faith. The board did not ignore the red flag; it simply took 18 months to address the illegal conduct while seeking to offset the lost revenue. That conscious hesitation, prioritizing profits over compliance, transformed a mere oversight lapse into a potential breach of fiduciary duty. This is a paradigm shift. Previously, a board’s response, no matter how sluggish or ineffective, was often enough to defeat Caremark liability. No longer. The court has now drawn a line between discretionary pacing and strategic stalling.

For the CCO:

Build timelines into remediation plans. When an investigation confirms illegality, establish a clear corrective-action schedule, present it to the board, and insist on documented follow-through. If management requests “time to replace lost revenue,” remind them and the board that regulatory risk compounds with every day of delay.

3. Law Firm Engagement Is Not Absolution

The Regions board tried to defend its actions by noting that it had hired a law firm to review the overdraft program. But the court found that “merely hiring an attorney” does not immunize directors from bad faith findings. What mattered was not the hiring, but what the board did with the firm’s advice, and the minutes didn’t say.

For compliance professionals, this point should feel familiar. Retaining outside counsel is prudent, but outsourcing judgment is perilous. A board that commissions a report yet fails to discuss or implement its recommendations appears, in the eyes of Delaware law, to be checking boxes rather than managing risk.

For the CCO:

Whenever outside counsel is engaged, insist on:

  1. The written scope of work aligned with the suspected violation.
  2. Formal delivery of findings to the full board or its committee.
  3. Recorded deliberations on next steps.
  4. Follow-up updates tracking implementation of counsel’s recommendations.

Compliance is not a spectator sport. Documenting action, not merely delegation, demonstrates good faith.

4. Central Compliance Risks Deserve Central Oversight

The court emphasized that overdraft-fee compliance was a “central risk” for a retail bank and thus a board-level responsibility. This reasoning expands the range of risks boards must personally monitor, rather than delegate entirely to management. Each industry has its equivalents: drug safety in the pharmaceutical industry, anti-bribery in global operations, and data security in the tech sector. When violations occur within these core domains, the argument that “management had it under control” will no longer be a sufficient defense for directors.

For the CCO:

Regularly update your board on the organization’s central compliance risks. Tie each risk to explicit board-level monitoring responsibilities. Provide metrics, internal audit findings, incident counts, and regulatory inquiries that show oversight in action. In the post-Brewer v. Turner environment, silence equals exposure.

5. Meeting Minutes Are Compliance Evidence

A striking aspect of the case was the court’s observation that the board minutes were “largely redacted” and recorded only cursory discussions. This absence of detail undermined the directors’ defense that they had acted responsibly. The court essentially inferred neglect from the lack of written proof. Compliance officers should view board minutes as the audit trail of integrity. If your minutes merely note that “the issue was discussed,” you may have built a weak defense for a strong case.

For the CCO:

Work with your corporate secretary to ensure that minutes:

  • Record substantive deliberation, not boilerplate.
  • Reference specific documents reviewed, such as legal opinions or risk assessments.
  • Capture decisions, follow-ups, and accountability for each item.

When regulators or plaintiffs seek evidence of good-faith oversight, well-crafted minutes speak louder than affidavits.

Broader Compliance Takeaways

The Brewer decision reflects a judiciary that is increasingly willing to look beyond formality and assess intent. In the compliance world, this mirrors what the DOJ’s 2024 Evaluation of Corporate Compliance Programs emphasized: that outcomes matter, but so do the timeliness and sincerity of response. A compliance program that detects misconduct yet allows it to persist for months or years cannot claim to be effective.

The ruling also underscores why Caremark risk is a personal matter. Because these claims rest on findings of bad faith, neither the DGCL Section 102(b)(7) exculpation clauses nor most D&O insurance policies will shield directors or officers from liability. The best protection remains proactive compliance, not post-hoc coverage. Finally, note the procedural context: new DGCL amendments restrict shareholder access to corporate books and records, potentially reducing frivolous oversight suits. Yet for legitimate claims supported by detailed facts, as in Brewer, the bar has been lowered. Courts are signaling that they will continue to allow well-pled Caremark cases to proceed when evidence shows a conscious disregard.

What It Means for the Chief Compliance Officer

For the CCO, Brewer v. Turner is both a warning and a roadmap. It is a warning that oversight delay equals liability. You can no longer rely on the board’s procedural comfort—hiring counsel, forming committees, or debating endlessly—to prove good faith. Results and responsiveness now define the legal standard.

But it is also a roadmap for strengthening your partnership with the board. You can help directors stay ahead of Caremark exposure by:

  1. Defining red flags. Work with Audit and Risk Committees to set escalation thresholds for legal-risk incidents.
  2. Accelerating action. Create escalation SLAs with responses within 24 hours for high-severity issues.
  3. Documenting diligence. Ensure every board discussion about misconduct is supported by complete, unredacted minutes.
  4. Tracking remediation. Maintain a dashboard showing when each issue was raised, investigated, and resolved.
  5. Aligning incentives. Reinforce that executive bonuses and promotions depend on compliance performance, not just profitability.

At its heart, Caremark is not about punishing hindsight; rather, it is about enforcing foresight. The compliance professional’s role is to make foresight possible by ensuring that red flags are identified quickly, decisions are properly documented, and illegal conduct is corrected before it metastasizes into corporate trauma.

Final Thoughts

The Brewer case stands as a modern parable of fiduciary patience gone wrong. A board that meant to deliberate found itself accused of delay; a company that tried to plan found itself punished for profit-driven hesitation. For compliance leaders, the moral is clear: you cannot strategize your way out of illegality. When a red flag rises, the clock starts, and every tick is a test of integrity. The essence of compliance is not preventing failure. It is ensuring you act decisively when failure appears. In the wake of Brewer, that truth has never been more legally or morally binding.

Board Week, Part 3: The CCO’s Role in Preparing a Board for the Next Crisis

Crisis is no longer a rare event. From ransomware attacks and regulatory shocks to activist investors and CEO departures, boards today operate in an environment defined by volatility and disruption. PwC’s recent memorandum, “Being Prepared for the Next Crisis,” highlights the importance of boards adopting a proactive approach to resilience and oversight. However, while directors bear the primary responsibility for governance, a Chief Compliance Officer (CCO) plays a distinct role: ensuring that the board is informed, equipped, and prepared to respond effectively.

The CCO is often the organization’s “early warning system,” translating risks from the operating level into insights for the board. In a crisis, this role becomes magnified. The CCO must help the board anticipate threats, stress-test plans, and avoid the common pitfalls that derail effective responses. Today, we will explore how CCOs can adapt the PwC framework into a playbook to guide the board through the crisis preparedness lifecycle.

1. Before the Crisis: Embedding Compliance into Resilience Planning

The best crisis plans are living documents that are constantly updated, tested, and integrated across all functions. For CCOs, the challenge is to ensure compliance and ethics considerations are built into those plans from the start.

The CCO’s Role:

  • Cross-functional integration. Ensure that the compliance function sits at the crisis planning table alongside risk, legal, and operations. Issues such as bribery, data privacy breaches, or third-party misconduct can escalate into crises if left unaddressed.
  • Scenario planning. Push for tabletop exercises that include compliance scenarios—not just cyber breaches. A dawn raid by regulators, whistleblower allegations, or sanctions violations should all be tested with the board. Most boards are fixated on cyber exercises (81%) while under-testing activist campaigns, fraud investigations, and geopolitical risks. The CCO can broaden that scope.
  • Defining escalation triggers. Collaborate with management and the board to define when compliance issues rise to the level of a board crisis. For example, a government subpoena, a major third-party red flag, or media exposure of misconduct should be predefined as triggers for immediate notification to the board.

By embedding compliance into resilience planning, the CCO ensures that ethical and regulatory risks are not afterthoughts but central to the crisis playbook.

2. During the Crisis: Supporting the Board’s Oversight and Communications

Once a crisis hits, speed and clarity are critical. Work to avoid pitfalls such as “leaping before looking,” minimizing the problem, or losing credibility with stakeholders. Here, the CCO becomes the board’s translator and truth-teller.

The CCO’s Role:

  • Facts over speculation. Ensure that communications to the board are grounded in verified information. If facts are incomplete, emphasize transparency about what is known and what remains to be investigated.
  • Maintaining authenticity. Compliance leaders are custodians of corporate values. During crisis communications, the CCO should challenge management if the messaging strays from the organization’s ethical commitments. As PwC notes, stakeholder trust depends on alignment with company values.
  • Stakeholder inclusivity. Understand the importance of addressing all stakeholders, not just the loudest. The CCO should ensure employees are included in the communication strategy. In many crises, employees are both victims and messengers. If left uninformed, they can become sources of rumor or disengagement.

The CCO also helps the board resist the temptation to downplay severity. Regulators and investors are unforgiving of minimization. Credibility, once lost, is difficult to recover.

3. After the Crisis: Driving Root Cause Analysis and Continuous Improvement

The PwC framework underscores the importance of post-event reviews, root cause analysis, and continuous improvement. For CCOs, this is where compliance expertise shines.

The CCO’s Role:

  • Independent assessment. If misconduct or governance failures triggered the crisis, the CCO should advocate for independent investigations to determine the cause. This not only ensures credibility but also demonstrates the board’s seriousness in remediating gaps.
  • Root cause focus. Compliance officers are trained to ask “how and why.” A surface-level review, examining what happened and the actions taken, overlooks the deeper cultural or control weaknesses that enabled the crisis to occur. Without addressing these, organizations remain vulnerable.
  • Policy and training updates. Post-crisis reviews should feed directly into compliance programs. If a whistleblower report was ignored, revise reporting protocols. If a sanctions violation occurred, strengthen third-party screening.
  • Board education. Provide directors with debriefs on regulatory trends that emerged during the crisis. For example, if a DOJ enforcement action shaped the company’s response, explain the broader implications for future oversight.

By institutionalizing lessons learned, the CCO helps the board convert a painful episode into a competitive advantage.

4. The CCO as the Board’s Crisis Sherpa

PwC notes that boards must balance guiding management while not being overwhelmed themselves. In practice, this requires a trusted advisor who can translate complexity, cut through the noise, and flag issues that rise to governance levels. That advisor is often the CCO.

The CCO’s Role:

  • Regular briefings. Establish quarterly “crisis readiness” updates for the board, led by compliance. These sessions review recent regulatory developments, whistleblower trends, and geopolitical risks.
  • Committee alignment. Work closely with the audit or risk committee to ensure that crisis oversight responsibilities are clearly defined and understood. In some cases, a compliance liaison may be designated to report directly to the board during a crisis.
  • Tone from the top. Model ethical courage in board communications. If executives resist disclosure or push spin, the CCO must be willing to articulate the risks of opacity. The board relies on the unvarnished truth, even when it is uncomfortable to hear.

The CCO, in essence, becomes the board’s crisis sherpa: guiding directors through treacherous terrain with foresight, facts, and fidelity to values.

5. A CCO’s Checklist for Board Crisis Preparedness

To translate this into action, here’s a compliance-focused checklist adapted from PwC’s recommendations:

  1. Ensure crisis plans are compliance-inclusive. Integrate regulatory, ethical, and third-party risks into enterprise crisis planning.
  2. Broaden board exercises. Advocate for tabletop simulations that extend beyond cyber—encompassing fraud, sanctions, whistleblower events, and activist campaigns.
  3. Define escalation triggers. Codify the process for escalating compliance issues to the board.
  4. Champion transparent communication. Push for fact-based, values-aligned messaging during crises.
  5. Include employees. Make internal communications as robust as external messaging.
  6. Drive post-crisis reviews. Lead root cause analysis and ensure findings inform compliance program updates.
  7. Educate directors. Keep the board informed about current regulatory expectations and cultural red flags.

Preparing the Board for the Crisis That Hasn’t Happened Yet

As PwC observes, a crisis is no longer hypothetical; it is cyclical. Boards that prepare systematically will emerge stronger. But preparation is not solely the task of directors or management. The Chief Compliance Officer must bridge the gap by embedding compliance into resilience plans, guiding directors during responses, and ensuring that lessons are institutionalized after the fact.

The next crisis will come. We don’t know whether it will be a cyber, regulatory, or reputational issue. But we do know this: the boards that succeed will have a compliance leader at their side, someone who combines regulatory expertise with cultural insight, and who can guide directors through the storm with clarity and integrity.

That is the CCO’s role. And it may be the most important contribution compliance makes to long-term corporate resilience.

Creativity and Compliance – Bringing Joy to Compliance: A Conversation with Virginia MacSuibhne

Where does creativity fit into compliance? In more places than you think. Problem-solving, accountability, communication, and connection – they all take creativity. Join Tom Fox and Ronnie Feldman on Creativity and Compliance, part of the award-winning Compliance Podcast Network.

Ronnie’s company, Learnings & Entertainments, takes the entertainment devices people use to consume information in their everyday, non-work lives and applies them to important topics around compliance and ethics. It is not only about being funny. It is about changing the tone of your compliance communications and messaging to make your compliance program, policies, and resources more accessible. In this episode of Creativity and Compliance, Tom Fox and Ronnie Feldman are joined by Virginia MacSuibhne, former Chief Compliance Officer for Roche and Agilent Technologies.

Virginia shares her unique approach to making compliance accessible, engaging, and fun. Emphasizing the importance of a personal brand, she discusses her philosophy of authenticity and how it translates into creating clear, actionable, and enjoyable guidance. Her unconventional methods, including using infographics, breaking down complex policies, and injecting humor and personal interests, have significantly impacted employee engagement and compliance culture.

Virginia highlights the critical role of user experience (UX) in compliance, urging practitioners to rethink their policies and communication strategies. She shares anecdotes of her creative initiatives, such as wearing a unicorn costume to training sessions, integrating compliance messages into existing training programs, and making hotline experiences as user-friendly as possible. Her mantra, ‘What makes you weird makes you wonderful,’ encourages compliance professionals to bring their unique selves to their work to foster a more approachable and effective compliance environment.

Key highlights:

  • Virginia’s Philosophy on Compliance
  • Creating an Engaging Compliance Program
  • Simplifying Policies and Procedures
  • Innovative Training and Communication Techniques
  • Overcoming Pushback and Building a Business Case

Resources:

Virginia MacSuibhne on LinkedIn

Ronnie:

  • Learnings & Entertainments (Website)
  • Compliance Confessions – inspired by “Mean Tweets,” these 90-second commercials address misconceptions and excuses to promote speak-up culture and the E&C team as positive and helpful.
  • E&C Training Jams – a soulful singer banters with ethics & compliance, explaining policies, sharing examples, and debunking excuses. 
  • Tales from the Hotline – Real speak up-themed stories about workplace behavior gone wrong.
  • Workplace Tonight Show! – E&C meets SNL Weekend Update, explaining corporate risk topics and why employees should care.
  • 60-Second Communication & Awareness Shorts – A variety of short, customizable, music and multimedia, quick-hitter “commercials” promoting integrity, compliance, speaking up, and the E&C team as helpful advisors and coaches.
  • Custom Live & Digital Programing – Custom creative programming that balances the seriousness of the subject matter with a more engaging delivery. After all, you can’t bore people into learning.

Creativity and Compliance was recently honored as one of the Top 35 Podcasts on Creativity by Feedspot.

Compliance into the Weeds: Securing Compliance: How CCOs Can Combat Internal Sabotage

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom Fox and Matt Kelly take a deep dive into some of the nettlesome internal challenges faced by many Chief Compliance Officers (CCOs) in today’s corporate environment.

On Compliance into the Weeds, Tom and Matt discuss the various challenges that CCOs face within organizations. They delve into stories of how senior management, particularly General Counsels (GCs) and Chief Financial Officers (CFOs), can sometimes undermine compliance efforts. The conversation explores issues such as budget cuts, restrictive vendor usage, structural impediments, passive-aggressive behaviors, and direct interference in investigations. They also consider potential solutions and strategies for CCOs to better navigate these struggles and ensure the effectiveness of compliance programs.

Key Highlights:

  • Budgetary Constraints and Sabotage
  • Interference in Investigations
  • Structural Impediments to Compliance
  • Undermining by Engagement and Assignment
  • Advice Going Forward

Resources:

Matt in Radical Compliance

CCO Resources, Authority and Expertise Lessons from Star Trek: The Galileo Seven

Last month, I wrote a blog post on the tone at the top, exemplified in Star Trek’s Original Series episode, Devil in the Dark. Based on the response, some passionate Star Trek fans are out there. I decided to write a series of blog posts exploring Star Trek: The Original Series episodes as guides to the Hallmarks of an Effective Compliance program set out in the FCPA Resources Guide, 2nd edition. The Department of Justice (DOJ) and Securities and Exchange Commission (SEC) outlined 10 characteristics of an effective compliance program in the FCPA Resources Guide, 2nd edition. Today, I’ll continue my two-week series by examining them.

Today, I am looking at the episode The Galileo Seven, which offers valuable lessons for Chief Compliance Officers (CCOs) regarding resources, authority, and expertise. Here’s why this episode stands out and the lessons it provides: In The Galileo Seven, Spock, McCoy, Scott, and four other crew members are on a shuttlecraft mission to study a quasar-like phenomenon when they crash-land on a hostile planet. As they struggle to repair Galileo and survive the planet’s dangers, Spock, as the highest-ranking officer, must lead the group despite internal conflict and limited resources. Meanwhile, Captain Kirk faces pressure to abandon the search for the crew to deliver vital medical supplies on time.

Lesson 1 – Resource Allocation

The crashed crew has limited resources, such as a dwindling fuel supply and basic equipment, to repair the shuttle and defend against hostile creatures. Spock’s logical approach emphasizes the importance of maximizing the use of available resources to ensure survival. The lesson for a CCO is that efficient resource allocation is crucial in compliance. CCOs must prioritize and allocate resources wisely to ensure compliance programs are effective, especially when operating under budget constraints. This involves assessing the most critical areas that require attention and allocating resources to mitigate the highest risks.

Many Star Trek aficionados have long believed the Galileo Seven’s mission was doomed from the start due to insufficient resources. The crew needed to be equipped for the harsh environment with proper survival gear and communication systems. Prioritize resource allocation for critical functions. The CCO must ensure compliance resources are directed toward high-risk areas and essential functions. This includes adequate staffing, training, and technology. Finally, you must develop contingency plans for resource shortages. The crew lacked a backup plan when their primary systems failed. CCOs should anticipate potential resource constraints and develop contingency plans to mitigate risks.

Lesson 2 – Authority

As the ranking officer, Spock must assert his authority and lead the crew despite skepticism and resistance from others. His team’s emotional and survival-driven needs put his leadership style, based on logic and reason, to the test. The lesson for a CCO is that authority and leadership are vital for implementing and enforcing compliance policies effectively. CCOs must assert their authority to influence and guide the organization toward ethical practices. Balancing logical decision-making with emotional intelligence can help gain buy-in from employees and management.

Regarding authority, this episode highlights the need for clearly defined roles and responsibilities and a transparent chain of command. The crew’s lack of clear leadership contributed to their downfall. Your CCO should be able to make independent decisions and take necessary actions to ensure compliance. Finally, there must be accountability, as the crew’s failure to hold each other accountable for their actions led to a cascade of errors. CCOs should cultivate a culture where everyone understands their responsibilities and the consequences of non-compliance.

Lesson 3 – Expertise

The crew relies on Spock’s science and engineering expertise to solve technical problems, such as repairing the shuttle and navigating off the planet. Spock’s analytical approach enables them to overcome obstacles, even as unexpected challenges arise. The lesson for a CCO is that expertise in compliance with regulations and industry standards is essential. A strong foundation in compliance knowledge enables CCOs to identify risks, develop effective policies, and respond to challenges efficiently. Continuous learning and staying updated on regulatory changes enhance a CCO’s ability to solve complex compliance issues.

This episode emphasized the value of diverse expertise. The crew needed to gain the necessary knowledge in survival, navigation, and alien biology. CCOs should assemble a team with diverse expertise to address various compliance challenges. There must be an investment in ongoing training and development. The crew’s lack of training in survival techniques proved fatal. CCOs should prioritize continuing training and development so that their team stays current with evolving regulations and best practices. There are times when a CCO must go outside and seek external expertise. The crew could have benefited from consulting with experts in alien environments. CCOs should not hesitate to seek external expertise when facing complex compliance issues.

The Galileo Seven reminds CCOs that insufficient resources, unclear authority, and inadequate expertise can lead to disastrous consequences. By learning from the crew’s mistakes, CCOs can build robust compliance programs that mitigate risks and ensure long-term success. It also highlights key aspects of resource management, authority, expertise, decision-making, and communication that directly apply to the Chief Compliance Officer role. By drawing lessons from Spock’s leadership under challenging circumstances, CCOs can better navigate their complex responsibilities, ensuring their organizations uphold the highest standards of compliance and integrity.

Join us tomorrow as we consider the lessons on risk assessments from the Star Trek episode Balance of Terror.

Into The Chair, Tales from Chief Compliance Officers: The Journey of Maria D’Avanzo

Welcome to the latest edition of the Compliance Podcast Network: Into the Chair: Tales from Chief Compliance Officers, which details the journey to and in the role of a Chief Compliance Officer. How does one come to sit in the CCO chair? What skills does a CCO need to navigate the compliance waters in any company successfully? What are some of the top challenges CCOs have faced and how did they meet them? These questions and many others will be explored in this new podcast series. Into the Chair: Tales from Chief Compliance Officers is a COMPLY podcast hosted by Tom Fox and is a production of the Compliance Podcast Network. In this inaugural episode, I visit with Maria D’Avanzo.

Maria D’Avanzo is a seasoned professional in the legal and compliance field, with a career that has spanned from litigation to estate work to compliance. Maria’s perspective on adaptability and continuous learning in legal and compliance roles is rooted in her own career trajectory, which has seen her successfully transition from being a litigator to opening her own law practice, and eventually becoming a compliance officer. She believes the key to success in these roles is the willingness to learn new skills and take on new challenges, even outside one’s comfort zone.

Maria also underscores the importance of transferable skills such as analytical and research abilities, critical thinking, and the capacity for advocacy and persuasion, which she honed as a trial lawyer and have been instrumental in her compliance career. Join Tom Fox and Maria D’Avanzo in this episode of the Into the Chair podcast as they delve deeper into the importance of adaptability and continuous learning in legal and compliance roles.

Key Highlights:

  • Maria’s transformation into a compliance officer
  • Navigating the Legal Field: Learning and Advocacy
  • Advocacy skills and the value of compliance
  • Navigating Compliance Challenges in Regulated and Non-Regulated Corporate Sectors

Resources:

Maria D’Avanzo on LinkedIn

COMPLY

Tom Fox


Categories
Blog

The World Has Changed: McDonald’s and the Oversight Duty of Officers-Part 4

Over the past year, the role of the Chief Compliance Officer (CCO) has shifted in some very dramatic ways. The shifts have been from disparate groups and for a variety of reasons. Yet when put together, one can see a clear and bright line expanding and elevating the role of the CCO in the corporate world. From the announcement of the requirement for CCO Certification last year up to the announcement of the Delaware Court of Chancery’s decision in the case of In re McDonald’s Corporation Stockholder Derivative Litigation, it is now clear that the CCO has as wide a remit and responsibility as any corporate officer, other than the Chief Executive Officer (CEO) of a company.

I think the following announcements, the changes in DOJ and SEC focus on Foreign Corrupt Practices Act (FCPA) enforcement, and now a court case out of Delaware will change the role of the CCO forever.

CCO Certification

This shift began with the speech by Kenneth Polite, Assistant Attorney General for the Criminal Division, on May 17, 2022, at Compliance Week 2022, announcing the new requirement for CCO Certification of compliance programs for companies going through a Deferred Prosecution Agreement (DPA). This CCO Certification required the Glencore CCO to certify that Glencore’s compliance program “is reasonably designed to detect and prevent violations of the FCPA and other anti-corruption laws” at the conclusion of the DPA. Who is the only other person required to make a similar certification at the conclusion of a DPA? The CEO of the company.

This means the CCO (and CEO) are certifying that the entire compliance program meets the standards of not simply best practices but also all the enhanced requirements set out in Attachment C of any DPA. While many have focused on the question of whether this would bring criminal liability to a long-gone (or even current) CCO, this question now seems to miss the mark. Recall what Polite said when announcing the new requirement: “It is the type of resource that compliance officials, including myself, have wanted for some time, because it makes it clear that you should and must have appropriate stature in corporate decision-making. It is intended to empower our compliance professionals to have the data, access, and voice within the organization to ensure you, and us, that your company has an ethical and compliance focused environment.”

Monaco Memo and Changes in the Corporate Enforcement Policy

The 2022 Monaco Memo and the changes to the DOJ’s Corporate Enforcement Policy (CEP) announced in 2023 are bookends of a series of changes which began as far back as October 2021, when Deputy Attorney General Lisa Monaco first announced the revisions which would eventually be incorporated into the Monaco Memo and CEP. In many ways, the Monaco Memo laid out the sticks while the CEP provided the carrots for current FCPA and other white-collar enforcements.

The Monaco Memo directed prosecutors to evaluate a corporation’s compliance program as a factor in determining the appropriate terms for a corporate resolution. Prosecutors should now assess the adequacy and effectiveness of the corporation’s compliance program at two points in time: (1) the time of the offense; and (2) the time of a charging decision. Kenneth Polite further defined the effectiveness of a compliance program at the time of the offense as follows: “At the time of the misconduct and the disclosure, the company had an effective compliance program and system of internal accounting controls that allowed the identification of the misconduct and led to the company’s self-disclosure.” This is the first time the DOJ has said that it is the detection of wrongdoing which defines the effectiveness of a compliance program. This means a company’s investment in a compliance program, CCO and corporate compliance team are all elevated in importance. This prong does not simply get you a discount, but it can put you on the road to the default position of the DOJ for an FCPA violation: a declination.

Moreover, when you couple the ABB FCPA resolution to the Monaco Memo, you see the carrots which appeared in the new CEP. ABB was the first three-time FCPA recidivist, yet it was able to get an excellent resolution with the government and a fine of only $315 million despite clear aggravating factors, including corruption up to and in the corporate office. From the ABB resolution, you begin to see how the role of the CCO increases dramatically.

Duty of Oversight

These trends were brought together in the Delaware Court of Chancery’s decision in In re McDonald’s Corporation Stockholder Derivative Litigation, a case involving McDonald’s Corporation and its former Executive Vice President and Global Chief People Officer, David Fairhurst, where for the first time a Delaware court formally recognized the oversight duties of officers of Delaware corporations.

As I have previously noted, one of the most interesting parts of the court’s opinion is that it draws from the US Sentencing Guidelines and their creation of the Chief Compliance Officer position as both reasons for the decision and as a guide to how the CCO position will be impacted by this ruling. The judge pointed to the US Sentencing Guidelines as a key basis for the creation of the original Caremark Doctrine. The court stated that a prime reason for “recognizing the board’s duty of oversight was the importance of having compliance systems in place so the corporation could receive credit under the federal Organizational Sentencing Guidelines.” However, the Guidelines did not stop at the board level. The US Sentencing Guidelines mandated the creation of the CCO position.

The court noted that the CCO has a broad scope within an organization. The court stated: “Although the CEO and Chief Compliance Officer likely will have company-wide oversight portfolios, other officers generally have a more constrained area of authority.” The responsibilities of the CCO are wide and sometimes varied. Here the court stated, “[s]pecific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program.” But the Delaware court also provided CCOs with some additional ammunition in their quest for true influence in a corporation by stating that “to carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.”

What Does It Mean?

This is the part where it gets interesting. Under the CCO Certification and the Delaware court’s ruling, it is the CCO who is 1B to the CEO’s 1A. The first step every company must take is to put the CCO in a position to report directly to the Board of Directors. It also means that the days of a CCO reporting to a Chief Legal Officer (CLO) or General Counsel (GC) are certainly numbered. The Delaware Court drove this point home by specifically naming a CLO/GC as a person “responsible for legal oversight and for making a good faith effort to establish reasonable information systems to cover that area.” In other words, the CLO/GC is not responsible for a company-wide remit, as the CCO is.

The next area would come from the Hallmarks of an Effective Compliance Program as laid out in the FCPA Resource Guide, 2nd edition. That document states: “In appraising a compliance program, DOJ and SEC also consider whether a company has assigned responsibility for the oversight and implementation of a company’s compliance program to one or more specific senior executives within an organization. Those individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively.” That means financial resources and head count.

I would add that a level of professionalism and expertise in compliance means more than simply ‘being a lawyer’. Under Chapter 9, Section 47 of the US Attorney’s Manual, the DOJ is mandated to evaluate “The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk.” Finally, the DOJ will also evaluate other factors, such as whether CCO compensation is commensurate with the position of being second in importance to the CEO.

The Delaware Court decision creating the Duty of Oversight was not designed to increase the scope, reach and importance of a CCO, but the more I look at the case, the more I believe that will be its most lasting legacy. When you look back over the past 12 months, you see that the CCO has more stature and responsibility than it has ever had before.

With a converse nod to Uncle Ben from Spider-Man, with great responsibility must come great power.

Categories
Everything Compliance

Episode 88, the CCO Edition


Welcome to the only roundtable podcast in compliance. Today, our newest panelist, Karen Woody, joins us as a permanent panelist. The entire gang was also thrilled to be honored by W3 as a top talk show in podcasting. In the context of several different stories, the full gang takes a deep dive into the role, status and potential liability of the CCO. We end with a veritable mélange of shout-outs and rants.

  1. Karen Woody talks about a 2018 SEC enforcement action which held a CCO personally liable and its implications going forward. Karen has a shout-out to WeWork going public via a SPAC.
  2. Jay Rosen discusses how monitors evaluate corporate whistleblowing programs. Rosen has a melancholy rant about shooting victims on movie sets.
  3. Matt Kelly discusses the enforcement action involving Credit Suisse and tuna bonds. Kelly has an extended rant about the ongoing debt crisis.
  4. Jonathan Armstrong looks at the recent CMA fine in the UK against Facebook for changing CCOs twice without informing the CMA. He shouts out to the graduating class of 2021 and all they went through during Covid-19 to obtain their degrees.
  5. Jonathan Marks talks about the role of internal audit, the Board and whether the termination of a CCO should be an 8K event. He rants about hotels charging full prices while cutting back on their services.
  6. Tom Fox shouts out to the Houston Astros, who are in the World Series for the 3rd time in 5 years.

The members of Everything Compliance are:

  • Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu
  • Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com
  • Jonathan Marks – Partner, Firm Practice Leader – Global Forensic, Compliance & Integrity Services at Baker Tilly. Marks can be reached at marks@bakertilly.com

The host and producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Categories
Coffee and Regs

Digital Assets: Trading & Compliance for Cryptocurrency

Categories
Coffee and Regs

Preparing Private Funds for the Marketing Rule