Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.
Stories we are following in today’s edition of Daily Compliance News:
Over the past year, the role of the Chief Compliance Officer (CCO) has shifted in some very dramatic ways. The shifts have been from disparate groups and for a variety of reasons. Yet when put together, one can see a clear and bright line expanding and elevating the role of the CCO in the corporate world. From the announcement of the requirement for CCO Certification last year up to the announcement of the Delaware Court of Chancery’s decision in the case of In re McDonald’s Corporation Stockholder Derivative Litigation, it is now clear that the CCO has as wide a remit and responsibility as any corporate officer, other than the Chief Executive Officer (CEO) of a company.
I think the following announcements, changes in DOJ and SEC focus on Foreign Corrupt Practices Act (FCPA) enforcement and now a court case out of Delaware will change the role of the CCO forever.
CCO Certification
This shift began with the speech by Kenneth Polite, Assistant Attorney General for the Criminal Division speech on May 17, 2022, at Compliance Week 2022; announcing the new requirement for CCO Certification of compliance programs for companies going through a Deferred Prosecution Agreement (DPA). This CCO Certification required the Glencore CCO to certify Glencore compliance program “is reasonably designed to detect and prevent violations of the FCPA and other anti-corruption laws” at the conclusion of the DPA. Who is the only other person required to make a similar certification at the conclusion of a DPA? The CEO of the company.
This means the CCO (and CEO) are certifying the entire compliance program meets the standards of not simply best practices but also all the enhanced requirements set out in Attachment C of any DPA. While many have focused on the question of whether this would bring criminal liability to a long-gone (or even current) CCO; this question now seems to miss the mark. Recall what Polite said when announcing the new requirement “It is the type of resource that compliance officials, including myself, have wanted for some time, because it makes it clear that you should and must have appropriate stature in corporate decision-making. It is intended to empower our compliance professionals to have the data, access, and voice within the organization to ensure you, and us, that your company has an ethical and compliance focused environment.”
Monaco Memo and Changes in the Corporate Enforcement Policy
The 2022 Monaco Memo and 2023 announced changes in the DOJ’s Corporate Enforcement Policy (CEP) are bookends of a series of changes which began as far back as October 2021 when Deputy Attorney General Lisa Monaco first announced the revisions which would eventually be incorporated into the Monaco Memo and CEP. In many ways the Monaco Memo laid out the sticks while the CEP provided the carrots for current FCPA and other white-collar enforcements.
The Monaco Memo directed prosecutors to evaluate a corporation’s compliance program as a factor in determining the appropriate terms for a corporate resolution; as prosecutors should now assess the adequacy and effectiveness of the corporation’s compliance program at two points in time: (1) the time of the offense; and (2) the time of a charging decision. Kenneth Polite further defined the effectiveness of a compliance program at the time of the offense as “At the time of the misconduct and the disclosure, the company had an effective compliance program and system of internal accounting controls that allowed the identification of the misconduct and led to the company’s self-disclosure.” This is the first time the DOJ has said that it is the detection of wrongdoing which defines the effectiveness of a compliance program. This means a company’s investment in a compliance program, CCO and corporate compliance team are all elevated in importance. This prong does not simply get you a discount, but it can put you on the road to the default position of the DOJ for a FCPA violation, a declination.
Moreover, when you couple the ABB FCPA resolution to the Monaco Memo, you see the carrots which appeared in the new CEP. ABB was the first, three-time FCPA recidivist yet was able to get an excellent resolution with the government and a fine of only $315 million despite clear aggravating factors including corruption up to and in the corporate office. From the ABB resolution, you begin to see how the role of the CCO increases dramatically.
Duty of Oversight
These trends were brought together in the Delaware Court of Chancery’s decision in the case of McDonald’s Corporation and its former Executive Vice President and Global Chief People Officer of McDonald’s Corporation, David Fairhurst in the case In re McDonald’s Corporation Stockholder Derivative Litigation, where for the first time, a Delaware court formally recognized the oversight duties of officers of Delaware corporations.
As I have previously noted, one of the most interesting parts of the court’s opinion is that it draws from the US Sentencing Guidelines and their creation of the Chief Compliance Officer position as both reasons for the decision and as a guide to how the CCO position will be impacted by this ruling. The judge pointed to the US Sentencing Guidelines as a key basis for the creation of the original Caremark Doctrine. The court stated that a prime reason for “recognizing the board’s duty of oversight was the importance of having compliance systems in place so the corporation could receive credit under the federal Organizational Sentencing Guidelines.” However, the Guidelines did not stop at the board level. The US Sentencing Guidelines mandated the creation of the CCO position.
The court noted that the CCO has a broad scope within an organization. The court stated “Although the CEO and Chief Compliance Officer likely will have company-wide oversight portfolios, other officers generally have a more constrained area of authority.” The responsibilities of the CCO are wide and sometimes varied. Here the court stated, ““[s]pecific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program.” But the Delaware court also provided CCOs with some additional ammunition in their quest for true influence in a corporation by stating that “to carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.”
What Does It Mean?
This is the part where it gets interesting. Under the CCO Certification and the Delaware court’s ruling, it is the CCO who is 1B to the CEO’s 1A. The first step every company must make it to put the CCO in position to report up directly to the Board of Directors. It also means that the days of a CCO reporting to a Chief Legal Officer (CLO) or General Counsel (GC) are certainly numbered. The Delaware Court drove this point home by specifically naming a CLO/GC as a person “responsible for legal oversight and for making a good faith effort to establish reasonable information systems to cover that area.” In other words, not responsible for the company wide remit such as the CCO.
The next area would come from the Hallmarks of an Effective Compliance Program as laid out in the FCPA Resource Guide, 2nd edition. In that document it states “In appraising a compliance program, DOJ and SEC also consider whether a company has assigned responsibility for the oversight and implementation of a company’s compliance program to one or more specific senior executives within an organization. Those individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively.” That means financial resources and head count.
I would add, a level of professionalism and expertise in compliance means more than simply ‘being a lawyer’. Under Chapter 9, Section 47 of the US Attorney’s Manual, the DOJ is mandated to evaluate “The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk.” Finally, the DOJ will also evaluate other factors such as CCO compensataion as commiserate with the position of being second in importance to the CEO.
The Delaware Court decision creating the Duty of Oversight was not designed to increase the scope, reach and importance of a CCO but the more I look at the case I believe that will be its most lasting legacy. When you look back over the past 12 months, you see that the CCO has more stature and responsibility than it has ever had before.
With a converse nod to Uncle Ben from Spiderman, with great responsibility must come great power.
The 2020 Update re-emphasized the need to perform a root cause analysis and, equally importantly, use it to remediate your compliance program. It stated, “a hallmark of a compliance program that works effectively in practice is the extent to which a company can conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.”
It went on to state what additional steps the company has taken “that demonstrate recognition of the seriousness of the misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risk”).”
The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach using data already in the organization. Identify current and future needs for organizational improvement. Your solution should be a repeatable, step-by-step process in which one method can confirm the results of another. Focusing on the corrective measures of root causes is more effective than simply treating the symptoms of a problem or event, and you will have a much more robust solution in place. This is because the solution(s) are more effective when accomplished through a systematic process with conclusions backed up by evidence.
When you step back and consider what the DOJ was trying to accomplish with its 2020 Update, it becomes clear what the DOJ expects from the compliance professional. Consider the structure of your compliance program and how it inter-relates to your company’s risk profile. When you have a compliance failure, use the root cause analysis to think about how each of the structural elements of your compliance program could impact how you manage and deal with that risk.
Three key takeaways:
Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.
Stories we are following in today’s edition of Daily Compliance News:
Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this special episode, I am joined by Morrison and Foerster partner James Koukios to discuss the recent Kenneth Polite speech announcing changes to the Department of Justice Corporate Enforcement Policy.
In this episode, we consider the following:
Resources
Kenneth Polite Speech
Updated CEP
The award-winning, Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more. In this episode, Matt and I deep dive into the recent Kenneth Polite speech announcing changes to the Corporate Enforcement Policy.
Some of the highlights include:
· What are the policy reasons for the change?
· Real credit is now being given for effective compliance programs.
· What about self-disclosure?
· What is the new definition of an effective compliance program?
· Is the DOJ trying to avoid 5th Amendment concerns? Will it work?
· New percentage discounts and what they mean?
· Why does Matt have more questions?
Resources
Tom cited in CCI
Matt Kelly in Radical Compliance
Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. Everything Compliance has been honored by W3 as the top talk show in podcasting. In this episode, we have the quintet of Jay Rosen, Jonathan Armstrong, Jonathan Marks, Tom Fox, and Matt Kelly with our fan-fav Shout Outs and Rants section.
1. Matt Kelly rants about the Department of Justice CCO certification requirement for Danske Bank.
2. Jonathan Marks rants about the recent FAA failure, which crippled the US airline industry.
3. Tom Fox has his first dual shout-out. His first shout-out is to US District Judge Middleton for sanctioning Donald Trump and his lawyer, jointly and severally for $938,000 and the recently deceased musician David Crosby.
4. Jonathan Armstrong rants about the Tory proposed law against publicizing small boats that would make showing or even talking about the Bayeux Tapestry illegal.
5. Jay Rosen shouts out to the NFL for the playoffs and for getting us the best four teams in the final four.
The members of Everything Compliance are:
The host and producer, ranter (and sometimes panelist) of Everything Compliance is Tom Fox the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.
The Compliance Kitchen returns with a wrap-up of the week’s top trade and economic sanction issues. In today’s episode, Silvia Surman looks at OFAC issues Russia-related sanctions licenses and allows for limited marine activities on SDN vessels; DOJ obtains a guilty plea for EAR violations due to unlicensed exports of chemicals to a Chinese SOE listed on the Entity List.
One cannot say enough about risk assessments in the context of anti-corruption programs. This is because every corporate compliance program should be based upon a risk assessment to understand your organization’s business from the commercial perspective, how your organization has identified, assessed, and defined its risk profile, and, finally, the degree to which the program devotes appropriate scrutiny and resources to this range of risks. Yet the 2020 Update added a new emphasis that Risk Assessments should not be done not less than annually but, in reality, should be done each time your risk change. Over the past couple of years, every company’s risks changed from Work From Home to Return to the Office to Hybrid Work environments. Have you assessed these new paradigms for risks from the compliance perspective?
As far back as 1999, in the Metcalf & Eddy enforcement action, the DOJ has said that risk assessments that measure the likelihood and severity of possible FCPA violations should direct your resources to manage these risks. The 2012 FCPA Guidance succinctly stated, “Assessment of risk is fundamental to developing a strong compliance program and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.”
There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, your protocol must be well thought out. If you use one, some, or all of the above as your basic inquiries for your risk analysis, it should be acceptable for your starting point.
Three key takeaways:
Just as the Department of Justice (DOJ) has long focused on financial incentives in a best practices compliance program, it has equally focused on punishing those officers and employees who fail to do business ethically and in compliance. The 2020 FCPA Resource Guide, 2nd edition, stated, “A compliance program should apply from the board room to the supply room—no one should be beyond its reach. DOJ and SEC will thus consider whether, when enforcing a compliance program, a company has appropriate and clear disciplinary procedures, whether those procedures are applied reliably and promptly, and whether they are commensurate with the violation. Many companies have found that publicizing disciplinary actions internally, where appropriate under local law, can have an important deterrent effect, demonstrating that unethical and unlawful actions have swift and sure consequences.”
The Monaco Memo drove this point home with the statement, “Corporations can best deter misconduct if they make clear that all individuals who engage in or contribute to criminal misconduct will be held personally accountable. In assessing a compliance program, prosecutors should consider whether the corporation’s compensation agreements, arrangements, and packages (the “compensation systems”) incorporate elements such as compensation clawback provisions – that enable penalties to be levied against current or former employees, executives, or directors whose direct or supervisory actions or omissions contributed to criminal conduct. Since misconduct is often discovered after it has occurred, prosecutors should examine whether compensation systems are crafted in a way that allows for retroactive discipline, including through the use of clawback measures, partial escrowing of compensation, or equivalent arrangements.”
Prior to the Monaco Memo, clawbacks had not been generally seen as a necessary part of a compliance program. However now it is clearly mandated by the DOJ. Moreover, having such a penalty in place is also seen as a part of a good corporate culture which not only penalizes those who engage in unethical behavior in violation of a company’s policies and procedures but will “promote compliant behavior and emphasize the corporation’s commitment to its compliance programs and its culture.”
This will mandate the DOJ investigating whether a corporation has included clawback provisions in its compensation agreements and whether “following the corporation’s discovery of misconduct, a corporation has, to the extent possible, taken affirmative steps to execute on such agreements and clawback compensation previously paid to current or former executives whose actions or omissions resulted in, or contributed to, the criminal conduct at issue.”
The issue for many compliance professionals is where to look for guidance in how to construct such clawback provisions. Fortunately, the Securities and Exchange Commission (SEC) has provided guidance in another area that the compliance professional can look to for guidance. In a final rule, published in 2022 and entitled “Listing Standards for Recovery of Erroneously Awarded Compensation”, the SEC directed “the national securities exchanges and associations that list securities to establish listing standards that require each issuer to develop and implement a policy providing for the recovery, in the event of a required accounting restatement, of incentive-based compensation received by current or former executive officers where that compensation is based on the erroneously reported financial information.” While this final rule related to Both Big-R and little-r restatements, the final rule does provide guidance in the anti-corruption compliance area.
According to a client alert, entitled “SEC Issues Long-Awaited Rule on Clawback of Executive Compensation”, by law firm Vinson & Elkins LLP, the final rule “requires companies to claw back incentive compensation erroneously received by current and former executives during the three-year period preceding the required restatement date.” An interesting caveat is that under this final rule, “the term “received” generally means that the applicable financial reporting measure connected to incentive compensation has been satisfied and such incentive compensation has been earned, even if such incentive compensation has not yet actually been paid.”
This means “an annual bonus award is deemed received in the fiscal year that the executive earns the award based on achievement of the underlying performance measure(s), even if the award is not actually paid until March of the following fiscal year.” Interestingly, the final rule “applies to incentive compensation received by executive officers on or after the effective date of the listing standards, incentive compensation granted prior to the effective date would still be subject to the Rule if it is not received prior to the effective date.” Finally, this means that the “recoverable amount (on a pre-tax basis) is the difference between the incentive-based compensation received by the executives and the amount that would have been received based on the required restatement.”
While the Monaco Memo directed, “to develop further guidance by the end of the year on how to reward corporations that develop and apply compensation clawback policies, including how to shift the burden of corporate financial penalties away from shareholders- who in many cases do not have a role in misconduct–onto those more directly responsible.” This clause is an effort by the DOJ to keep companies from shielding recalcitrant executives from the consequences of their own illegal and unethical conduct. Here compliance professionals can also draw assistance from the SEC final rule for guidance which bans companies from obtaining indemnity insurance to protect executives from clawbacks. The final rule stated, “The Commission proposed that listed issuers would be prohibited from indemnifying any executive officer or former executive officer against the loss of erroneously awarded compensation.” The reason is that if your clawback provision can be overcome by indemnification, it would “fundamentally undermine the purpose of the statute and effectively nullify the mandatory nature of the compensation recovery.”
Of course, all of this should be written down and reflected in the corporation’s compliance policies and procedures. The Monaco Memo stated, “a corporation’s policies and practices regarding compensation and determine whether they are followed in practice.” This is also consistent with the SEC final rule which said that a company should develop and implement a policy requiring recovery of erroneously awarded incentive-based compensation, stating, “in the event that the issuer is required to prepare an accounting restatement due to material noncompliance with any financial reporting requirement, the issuer will recover from any of its current or former executive officers who received incentive-based compensation during the preceding three-year period based on the erroneous data, any such compensation in excess of what would have been paid under the accounting restatement.”
But the Monaco Memo made clear it is not simply having a written policy and procedure in place. There must be corporate action, if warranted, under the clawback policy and procedure. The DOJ will evaluate a company’s actions, “following the corporation’s discovery of misconduct, a corporation has, to the extent possible, taken affirmative steps to execute on such agreements and clawback compensation previously paid to current or former executives whose actions or omissions resulted in, or contributed to, the criminal conduct at issue.”
