Key Boards Issues for 2026: What Compliance and Governance Leaders Must See Coming

Boards entering 2026 are doing so in an environment defined not by stability, but by volatility. Regulatory priorities are shifting rapidly, geopolitical risk is reshaping markets, technology is accelerating faster than governance frameworks can keep pace, and long-standing assumptions about shareholder engagement and corporate oversight are being tested. In this environment, the role of compliance is no longer reactive or advisory at the margins. It is structural.

The Thoughts for Boards: Key Issues for 2026 memorandum from the law firm of Wachtell, Lipton, Rosen & Katz, which appeared in the Harvard Law School Forum on Corporate Governance, provides a valuable roadmap for boards navigating this uncertainty. For compliance professionals, however, the document does something more important: it reveals where governance risk is quietly migrating. The challenge for compliance leaders is not simply to track these developments, but to translate them into oversight, controls, and strategic guidance that boards can use going forward.

A More Permissive SEC Does Not Mean Less Risk

One of the most striking developments outlined in the memorandum is the SEC’s recalibration of its role. From easing reporting burdens to stepping back from adjudication of shareholder proposals under Rule 14a-8, the Commission is signaling greater deference to companies in deciding how and when to engage with shareholders. At first glance, this appears to reduce regulatory pressure. In reality, it shifts risk inward.

When regulators retreat, discretion moves to boards and management. Predictable SEC processes no longer mediate decisions about disclosure cadence, shareholder engagement, and proposal exclusion. These are now governance judgments that will be evaluated ex post by investors, courts, activists, and the media. For compliance professionals, this means fewer bright lines and more gray zones.

The potential move toward semi-annual reporting is a prime example. While it may reduce short-termism, it also alters internal disclosure controls, forecasting discipline, and market expectations. Compliance must ensure that reduced frequency does not translate into reduced rigor. Less reporting does not mean less accountability.

DEI and ESG: From Public Messaging to Quiet Risk Management

The memorandum describes sustained political and regulatory pushback against DEI and ESG initiatives, including executive orders, revised SEC guidance, and heightened scrutiny of shareholder proposals. Yet it also notes an important countervailing force: institutional investors have not abandoned interest in these areas. They have become quieter. This creates a compliance paradox.

On one hand, public signaling around DEI and ESG may expose companies to political and regulatory risk. On the other hand, abandoning these initiatives entirely risks alienating long-term shareholders, employees, and business partners. The compliance function sits at the center of this tension. In 2026, DEI and ESG will increasingly be treated less as branding exercises and more as internal governance risks. Compliance leaders should focus on process integrity, consistency, and documentation rather than rhetoric. The question is no longer whether a company “supports” DEI or ESG, but whether its practices align with its stated values and risk disclosures.

Tone at the top matters here more than ever. Boards must understand that silence does not equal neutrality. How a company governs these issues internally will determine its exposure externally.

Government as Shareholder: A New Governance Reality

Perhaps the most underappreciated development highlighted in the memorandum is the Trump Administration’s growing role as an equity holder in public companies deemed critical to national security. These investments vary widely in form, from passive economic stakes to golden shares with veto rights over strategic decisions. For compliance and governance professionals, this raises novel questions.

Government ownership blurs traditional distinctions between regulator and shareholder. It introduces new stakeholders with potentially divergent objectives, including national security, industrial policy, and geopolitical strategy. Even when governance rights are limited, the mere presence of the government on the cap table can alter decision-making dynamics and investor perceptions.

Compliance must be prepared to advise boards on conflicts of interest, disclosure obligations, and fiduciary duties in this new context. The risk is not simply regulatory; it is structural. Companies operating in sensitive sectors must assume that government involvement is no longer exceptional but potentially recurring.

AI Oversight Moves from Optional to Mandatory

Artificial intelligence dominated board agendas in 2025, and there is no indication that attention will diminish in 2026. The memorandum correctly emphasizes that AI is no longer confined to technology companies. It is embedded in products, operations, compliance monitoring, and decision-making across industries. For boards, the oversight challenge is acute. AI introduces opacity, speed, and scale that traditional governance frameworks were not designed to manage. For compliance officers, this creates both opportunity and risk.

AI is increasingly used within compliance itself, from transaction monitoring to proxy voting analytics. But the use of AI does not eliminate accountability. Boards will still be expected to understand how AI systems function, what risks they create, and how those risks are mitigated.

This is why board-level AI literacy is becoming a governance imperative. Compliance leaders should be proactive in helping boards understand AI not as a technical novelty, but as a risk multiplier. Data governance, model bias, explainability, and third-party reliance must all be incorporated into enterprise risk management frameworks.

Crypto and Digital Assets: Strategy First, Compliance Always

The memorandum highlights a friendlier regulatory environment for crypto-assets, alongside growing corporate interest in crypto treasury strategies and asset tokenization. This combination is dangerous if misunderstood. Regulatory friendliness is not regulatory clarity. Crypto engagement introduces risks related to custody, valuation, sanctions, AML, cybersecurity, and financial reporting. Boards that view crypto as a strategic opportunity without fully appreciating these risks are exposing the company to significant downside.

Compliance must insist on strategic discipline. Why is the company engaging with crypto? What problem is it solving? How does it align with the business model? Without clear answers, crypto becomes speculation rather than strategy. In 2026, compliance officers should expect to spend more time explaining why not to move quickly than how to move fast.

Shareholder Engagement Is Becoming More Fragmented, Not Less Important

The memorandum’s discussion of shareholder engagement reflects a fundamental shift. Institutional investors are splintering their stewardship approaches. Retail investors are more organized and more volatile. Proxy advisors are under regulatory and political attack. The result is unpredictability.

Boards can no longer rely on a small set of proxy advisor recommendations or institutional voting norms. Engagement must become more targeted, more frequent, and more informed. Compliance plays a critical role here by ensuring that engagement practices remain consistent with disclosure rules, insider trading controls, and governance policies.

The rise of retail activism and meme-stock dynamics also creates reputational risk that traditional governance tools were not designed to address. Social media is now a governance arena. Compliance must help boards understand that investor relations, communications, and risk management are increasingly inseparable.

Delaware Still Matters, Even as Alternatives Emerge

Finally, the memorandum addresses trends toward reincorporation in Texas and Nevada, as well as Delaware’s legislative response. While high-profile moves grab headlines, the underlying message is continuity rather than disruption. For most public companies, Delaware remains the default for a reason: predictability. Reincorporation carries costs, risks, and uncertainty that often outweigh perceived benefits. Compliance professionals should ensure that boards approach these decisions with discipline rather than reaction to political or cultural trends. Governance arbitrage is rarely a substitute for governance quality.

Conclusion: Compliance as Governance Infrastructure

The overarching lesson from the Key Issues for 2026 memorandum is that governance risk is becoming more diffuse, not less. Regulatory pullbacks, technological acceleration, geopolitical intervention, and fragmented shareholder bases all point to one conclusion: boards will be expected to exercise more judgment with fewer guardrails. As with all things under this Trump Administration, another key concept is volatility. That places compliance at the center of corporate governance.

In 2026, effective compliance will not be measured solely by the absence of enforcement actions. It will be measured by whether boards can navigate volatility and ambiguity without losing coherence, integrity, or trust. Compliance professionals who understand this shift will be indispensable partners in long-term value creation.

Brewer v. Turner: When Board Delay Becomes Bad Faith

In corporate governance, timing is everything. A board’s oversight failure does not always come from what it does not see; often, it comes from how long it waits to act once the warning lights flash red. This cautionary tale originates from the shareholder action in the case of Brewer v. Turner, a Delaware Court of Chancery decision that permitted a Caremark claim against the directors of Regions Financial Corporation to proceed. The opinion marks another milestone in the court’s expanding interpretation of fiduciary “bad faith.” It offers an unmistakable message to compliance professionals: delay can be fatal, and now it can also lead to exposure.

A New Chapter in Caremark

In the article in the Harvard Law School Forum on Corporate Governance, titled Caremark Claim Survives Board’s Delay in Ending Illegal Practices, lawyers from Fried Frank considered the case. At issue was the board’s handling of a whistleblower complaint from its former Deputy General Counsel, Jeffrey A. Lee, who alleged that Regions’ overdraft-fee practices violated CFPB regulations. Eighteen months after receiving his detailed complaint, the bank finally ended those practices. By then, the Consumer Financial Protection Bureau had investigated and levied $191 million in penalties and restitution.

The court concluded that the board’s delay could itself amount to bad faith. Hiring outside counsel and forming committees did not shield the directors from liability. As Chancellor Kathaleen McCormick wrote, “Everyone knows that delay can be intentional and a tactic to avoid the consequences of acting appropriately.” For compliance officers, this ruling signals that boards can no longer hide behind process if the substance and speed of oversight fall short of expectations.

Today, we examine the lessons compliance leaders should take from the case.

1. Red Flags Require Immediate, Documented Response

Historically, Delaware courts were reluctant to treat whistleblower complaints as “red flags.” They often viewed such claims as speculative unless corroborated by concrete evidence of wrongdoing. But in Regions, the whistleblower’s position mattered: he was a lawyer responsible for assessing legal risk. His complaint was detailed, specific, and sent to the Audit Committee, a combination that the court found impossible to ignore. That shift widens the compliance risk perimeter. A whistleblower who possesses subject-matter authority, particularly someone in compliance, legal, risk, or audit, can now trigger a board-level duty to act.

For the CCO:

Implement a rapid-response framework for any internal report that raises concerns about legal or regulatory violations. Require escalation to the board or relevant committee within days, not weeks. Then document every step: receipt, investigation, deliberation, and resolution. When courts review the record, speed and transparency become your strongest defenses.

2. Delay Can Be the New Bad Faith

Perhaps the most groundbreaking element of this case is the court’s recognition that delay itself can constitute bad faith. The board did not ignore the red flag; it simply took 18 months to address the illegal conduct while seeking to offset the lost revenue. That conscious hesitation, prioritizing profits over compliance, transformed a mere oversight lapse into a potential breach of fiduciary duty. This is a paradigm shift. Previously, a board’s response, no matter how sluggish or ineffective, was often enough to defeat Caremark liability. No longer. The court has now drawn a line between discretionary pacing and strategic stalling.

For the CCO:

Build timelines into remediation plans. When an investigation confirms illegality, establish a clear corrective-action schedule, present it to the board, and insist on documented follow-through. If management requests “time to replace lost revenue,” remind them and the board that regulatory risk compounds with every day of delay.

3. Law Firm Engagement Is Not Absolution

The Regions board tried to defend its actions by noting that it had hired a law firm to review the overdraft program. But the court found that “merely hiring an attorney” does not immunize directors from bad faith findings. What mattered was not the hiring, but what the board did with the firm’s advice, and the minutes didn’t say.

For compliance professionals, this point should feel familiar. Retaining outside counsel is prudent, but outsourcing judgment is perilous. A board that commissions a report yet fails to discuss or implement its recommendations appears, in the eyes of Delaware law, to be checking boxes rather than managing risk.

For the CCO:

Whenever outside counsel is engaged, insist on:

  1. The written scope of work aligned with the suspected violation.
  2. Formal delivery of findings to the full board or its committee.
  3. Recorded deliberations on next steps.
  4. Follow-up updates tracking implementation of counsel’s recommendations.

Compliance is not a spectator sport. Documenting action, not merely delegation, demonstrates good faith.

4. Central Compliance Risks Deserve Central Oversight

The court emphasized that overdraft-fee compliance was a “central risk” for a retail bank and thus a board-level responsibility. This reasoning expands the range of risks boards must personally monitor, rather than delegate entirely to management. Each industry has its equivalents: drug safety in the pharmaceutical industry, anti-bribery in global operations, and data security in the tech sector. When violations occur within these core domains, the argument that “management had it under control” will no longer be a sufficient defense for directors.

For the CCO:

Regularly update your board on the organization’s central compliance risks. Tie each risk to explicit board-level monitoring responsibilities. Provide metrics, internal audit findings, incident counts, and regulatory inquiries that show oversight in action. In the post-Brewer v. Turner environment, silence equals exposure.

5. Meeting Minutes Are Compliance Evidence

A striking aspect of the case was the court’s observation that the board minutes were “largely redacted” and recorded only cursory discussions. This absence of detail undermined the directors’ defense that they had acted responsibly. The court essentially inferred neglect from the lack of written proof. Compliance officers should view board minutes as the audit trail of integrity. If your minutes merely note that “the issue was discussed,” you may have built a weak defense for a strong case.

For the CCO:

Work with your corporate secretary to ensure that minutes:

  • Record substantive deliberation, not boilerplate.
  • Reference specific documents reviewed, such as legal opinions or risk assessments.
  • Capture decisions, follow-ups, and accountability for each item.

When regulators or plaintiffs seek evidence of good-faith oversight, well-crafted minutes speak louder than affidavits.

Broader Compliance Takeaways

The Brewer decision reflects a judiciary that is increasingly willing to look beyond formality and assess intent. In the compliance world, this mirrors what the DOJ’s 2024 Evaluation of Corporate Compliance Programs emphasized: that outcomes matter, but so do the timeliness and sincerity of response. A compliance program that detects misconduct yet allows it to persist for months or years cannot claim to be effective.

The ruling also underscores why Caremark risk is a personal matter. Because these claims rest on findings of bad faith, neither the DGCL Section 102(b)(7) exculpation clauses nor most D&O insurance policies will shield directors or officers from liability. The best protection remains proactive compliance, not post-hoc coverage. Finally, note the procedural context: new DGCL amendments restrict shareholder access to corporate books and records, potentially reducing frivolous oversight suits. Yet for legitimate claims supported by detailed facts, as in Brewer, the bar has been lowered. Courts are signaling that they will continue to allow well-pled Caremark cases to proceed when evidence shows a conscious disregard.

What It Means for the Chief Compliance Officer

For the CCO, Brewer v. Turner is both a warning and a roadmap. It is a warning that oversight delay equals liability. You can no longer rely on the board’s procedural comfort—hiring counsel, forming committees, or debating endlessly—to prove good faith. Results and responsiveness now define the legal standard.

But it is also a roadmap for strengthening your partnership with the board. You can help directors stay ahead of Caremark exposure by:

  1. Defining red flags. Work with Audit and Risk Committees to set escalation thresholds for legal-risk incidents.
  2. Accelerating action. Create escalation SLAs with responses within 24 hours for high-severity issues.
  3. Documenting diligence. Ensure every board discussion about misconduct is supported by complete, unredacted minutes.
  4. Tracking remediation. Maintain a dashboard showing when each issue was raised, investigated, and resolved.
  5. Aligning incentives. Reinforce that executive bonuses and promotions depend on compliance performance, not just profitability.

At its heart, Caremark is not about punishing hindsight; rather, it is about enforcing foresight. The compliance professional’s role is to make foresight possible by ensuring that red flags are identified quickly, decisions are properly documented, and illegal conduct is corrected before it metastasizes into corporate trauma.

Final Thoughts

The Brewer case stands as a modern parable of fiduciary patience gone wrong. A board that meant to deliberate found itself accused of delay; a company that tried to plan found itself punished for profit-driven hesitation. For compliance leaders, the moral is clear: you cannot strategize your way out of illegality. When a red flag rises, the clock starts, and every tick is a test of integrity. The essence of compliance is not preventing failure. It is ensuring you act decisively when failure appears. In the wake of Brewer, that truth has never been more legally or morally binding.

The SolarWinds Decision

Welcome to The Woody Report, where Washington & Lee School of Law Associate Professor Karen Woody and host Tom Fox discuss white-collar crime, compliance, international corruption, securities and accounting fraud, and internal corporate investigations. From current events to topical issues to academic research and thought leadership, Karen Woody helps lead the discussion of these issues on the new and exciting podcast. In this episode, Tom and Karen explore the recently announced decision in the SolarWinds shareholder claim based upon the Caremark Doctrine. Some of the issues we explore include:

  1. Background facts and court rationale.
  2. What is ‘positive law’?
  3. Can any cyberbreach claim be the basis of a Caremark Claim?
  4. Why is victim v. perpetrator status critical in a Caremark Claim?
  5. What is the bad faith standard in Caremark Claims?
  6. What does this decision portend for Caremark Claims going forward?

Resources

Karen Woody on LinkedIn

Karen Woody at Washington & Lee, School of Law

A Caremark Retrospective: Part I – Background

It is often instructive to look back at old cases which have become so well known for a doctrine that the underlying facts are often forgotten. I did so recently in reading the original Caremark and Stone v. Ritter decisions. The former decision was released in 1996 and the latter, some ten years later in 2006. They both made interesting reading and the underlying facts could well be drawn from the headlines of anti-corruption and anti-money laundering (AML) enforcement actions today. The original Caremark decision laid the foundation for the modern obligations of Boards of Directors in oversight of compliance in general and a company’s risk management profile in particular. Stone v. Ritter confirmed the ongoing vitality of the original Caremark decision. Today, in Part I, we review the underlying facts of the Caremark decision and in Part II, the legal reasoning.

Underlying Facts

In Caremark, the decision involved a company which provided patient care and managed care services and a substantial part of the revenues generated by the company was derived through third party payments, insurers, and Medicare and Medicaid reimbursement programs. Medicare and Medicaid payments were governed under the Anti-Referral Payments Law (“ARPL”) which prohibited health care providers (HCPs) from paying any form of remuneration (i.e., kickbacks) to physicians to induce them to refer Medicare or Medicaid patients to Caremark products or services.

To try and get around this proscription, Caremark entered various contracts for services (e.g., consultation agreements and research grants) with physicians, at least some of whom prescribed or recommended services or products that Caremark provided to Medicare recipients and other patients. Moreover, Caremark had a decentralized governance and operational structure which allowed wide latitude to the business units to enter into such agreements without corporate or any centralized compliance or legal oversight. The results were about what you would expect.

Multiple federal investigations found that from the mid-1980s until the early 1990s, Caremark paid out millions to doctors in forms disguised to evade ARPL liability. Caremark claimed that its payments for consultation, teaching, research grants and other similar evasions did not violate the law. Further, it relied on an audit by Price Waterhouse (PwC) which concluded that there were no material weaknesses in Caremark’s control structure.

In 1993, Caremark formally changed its compliance manual to prohibit such payments, announced this change internally and put on training for this new set of policies. However, there were no attendant controls, monitoring or follow up noted. Indeed, it is not clear if much if anything changed at Caremark, given the decentralized nature of its business model.

Criminal and Civil Charges

In August 1994, Caremark was hit with a 47-page indictment alleging criminal violations of ARPL, specifically including making payments to induce physicians to refer patients to Caremark services and products. The indictment alleged that payments were “in the guise of research grants and others were consulting agreements.” Moreover, the indictment went on to allege that such payments were made where no consulting services or research were performed. (Very 2022 FCPA-ish.) One doctor was alleged to have received direct payments from Caremark for staff and office expenses. Multiple shareholder suits were filed against the Board in Delaware and another federal indictment was handled in Ohio. In addition to the claims in Ohio, new allegations of overbilling and inappropriate referral payments were made in Georgia, and it was “reported that federal investigators were expanding their inquiry to look at Caremark’s referral practices in Michigan as well as allegations of fraudulent billing of insurers.” Rather amazingly, the company management, when reporting the indictment to the Board of Directors, maintained the company had done nothing wrong.

Settlements

Of course, the Caremark senior management was not correct, and Caremark was required to pay millions to resolve enforcement actions. An agreement with the Department of Justice (DOJ), Office of Inspector General (OIG), US Veterans Administration, US Federal Employee Health Benefits Program, federal Civilian Health and Medical Program of the Uniformed Services, and related state agencies in all fifty states and the District of Columbia required a Caremark subsidiary to enter a guilty plea to two counts of mail fraud, and required Caremark to pay $29 million in criminal fines, $129.9 million relating to civil claims concerning payment practices, $3.5 million for alleged violations of the Controlled Substances Act, and $2 million, in the form of a donation, to a grant program set up by the Ryan White Comprehensive AIDS Resources Emergency Act. Caremark also agreed to enter into a compliance agreement with the Department of Health and Human Services (HHS).

In addition to all these entities, Caremark was also sued by several private insurance company payors (“Private Payors”), who alleged that Caremark was liable for damages to them for allegedly improper business practices related to those at issue in the OIG investigation. As a result of negotiations with the Private Payors the Caremark Board of Directors approved a $98.5 million settlement agreement with the Private Payors in 1996.

In addition to the financial penalties, Caremark finally agreed to institute a full compliance program. It created the position of Chief Compliance Officer (CCO) and a Board-level Compliance and Ethics Committee which, with the assistance of outside counsel, was tasked with reviewing existing contracts and approving in advance any new contract forms.

Join us for our next piece where we consider the court holdings and rationales in Caremark and Stone v. Ritter.