Categories
Compliance Tip of the Day

Compliance Tip of the Day: TD Bank Lessons Learned: The Board and It’s Duty of Oversight

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements.

Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game.

Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law.

Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Under the Caremark Doctrine, the Board of Directors has clear duties not to put their head in the sand and engage in conscious indifference.

Categories
All Things Investigations

All Things Investigations – Huneke and Carlson on Directors’ Accountability for Compliance and Risk Management

Welcome to the Hughes Hubbard Anti-Corruption & Internal Investigations Practice Group’s podcast, All Things Investigation. In this podcast, I was joined by HughesHubbardReed partner Mike Huneke and Brent Carlson, Director at BRG, to discuss the concepts around their recent paper, Boards of Directors Lovin’ It after McDonald’s? A Fresh Look at Directors’ Duty of Oversight in the New Era of Sanctions & Export Control Corporate Enforcement.

Mike Huneke and Brent Carlson are seasoned professionals specializing in fraud compliance, corruption issues, sanctions, and export control enforcement. Huneke’s perspective on the duties of directors in sanctions and export controls is that boards need to be proactive and engaged in understanding and addressing these risks, emphasizing the importance of caution, skepticism, and diligence in overseeing these critical areas of compliance. His views are shaped by his experience in investigating, litigating, remediating, and preventing fraud, as well as his belief in the importance of good corporate governance and risk management. Carlson emphasizes the significance of understanding geopolitics in the context of company operations and advocates for a return to fundamental principles amidst rapid regulatory changes. His perspective is shaped by his experience in assisting companies navigate the complexities of sanctions and export controls, and his belief in the importance of boards actively engaging with management, asking questions, and ensuring thorough investigations are conducted.

Key Highlights:

  • Directors’ Role in Export Control Compliance
  • McDonald’s Case: Duty of Oversight Emphasis
  • Dynamic Compliance Monitoring for Export Controls
  • Directors’ Accountability for Compliance and Risk Management
  • Proactive Board Oversight for Compliance Excellence

Resources:

Hughes Hubbard & Reed website

Brent Carlson on Linkedin

This podcast is based on: 

Brent & Mike’s blog post on directors’ duty of oversight can be found here: Boards of Directors Lovin’ It after McDonald’s? A Fresh Look at Directors’ Duty of Oversight in the New Era of Sanctions & Export Control Corporate Enforcement (Jan. 12, 2024).

For more on sanctions and export control compliance in the new era of FCPA-like corporate enforcement, see Brent’s and Mike’s prior posts here:

— Brent’s piece that launched the seriesWhen Loopholes Create Liability Pitfalls: A Fresh Look at Export Controls (Aug. 25, 2023).

— How can you assess your risk of sanctions violations?  Know Your Customer, But Also Yourself: A Fresh Look at Sanctions & Export Controls Risk Assessments in the Era of the “New FCPA” (Sept. 28, 2023).

— If you discover a sanctions problem, how can you efficiently investigate and remediate it?  Slow is Smooth, Smooth is Fast: A Fresh Look at Planning and Executing Internal Investigations into Allegations of Sanctions or Export Controls Evasion (Oct. 30, 2023).

— What does that mean for future fines and penalties for export control evasion?  From Peanuts to Prison Time – A Fresh Look at the Evolution of Export Controls Penalties (Nov. 14, 2023).

— Why is an FCPA “mindset” required for sanctions and export control compliance, and how to apply one?  The Blind Men and the Elephant (Dec. 18, 2023).

Categories
2 Gurus Talk Compliance

2 Gurus Talk Compliance – Episode 21 — Big Trouble in China Edition

What happens when two top compliance commentators get together? They talk about compliance, of course. Join Tom Fox and Kristy Grant-Hart in 2 Gurus Talk Compliance as they discuss the latest compliance issues in this week’s episode! In this episode, Tom and Kristy take on a wide variety of topics, including the self-improvement of the Florida Man gone astray.

In the ever-evolving world of regulatory compliance and risk management, challenges are constant, and strategies must be dynamic. Tom highlights corruption in China, data privacy, the duty of oversight for officers and export control sanctions. Kristy highlights the ESG & DEI, Supply Chains and China, SAP, frequent flyer mile fraud and checks in on Florida Man. Join Tom Fox and Kristy Grant-Hart as they delve deeper into these issues in this episode of the 2 Gurus Talk Compliance podcast.

Highlights Include:

  1. First Shots Fired in 2024 Proxy Battle Over ESG, DEI: (Law.com)
  2. Enforcement of China’s Forced Import Ban Needs to Be Much Tougher, Say U.S. Lawmakers (WSJ)
  3. Lessons Learned from the SAP Enforcement Action: DOJ Changes Tack on FCPA Enforcement While SEC Digs into Third-Party Controls (Part III of III) (Corruption, Crime & Compliance)
  4. Frequent flyer miles helped authorities crack down on a $127 million money laundering scheme (The Street): HERE
  5. Analysis of failure to exercise duty of oversight by a corporate officer. (FCPA Compliance & Ethics Blog)
  6. McDonald’s Duty of Officer oversight. (Compliance and Enforcement)
  7. China and its fight against corruption.  (Reuters)
  8. Big penalties are coming for export control and sanctions enforcement. (WSJ)
  9. A federal data privacy law in 2024? (CCI)
  10. Florida man uses phone he found in Walmart bathroom to call in fake bomb threat, cites TikTok trend: deputies (FOX Orlando)

Resources:

Kristy Grant-Hart on LinkedIn

Spark Consulting

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
FCPA Compliance Report

Eric Young on the Evolution of the CCO

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this special episode, I am joined by Eric Young from Guidepost Solutions. Young has worked at prestigious institutions like JPMorgan, General Electric, S&P Global Ratings, and BNP Paribas. He shares his expertise to empower employees looking to move ahead with processes, find solutions, and navigate compliance issues.

Tom and Eric talk about the highlights of the Monaco Memo, updates on the Corporate Enforcement Policy, a case study from ABB to showcase the role of the CCO, and how firms should interpret Department of Justice speeches. He further dives into the corporate culture, accountability, and role of the CCO within an organization. Finally, Eric sheds light on a case from McDonald’s involving the former CEO and their decision to claw back compensation. The discussion concluded with acknowledging the Delaware court’s holding that elevates the CCO’s corporate duties.

Key Topics:

[00:04:24] Process Improvement to Avoid Violations and Effect Positive Change in Company Culture

[00:09:19] The Effects of the Monaco Memorandum on Corporate Compliance Practice

[00:14:35] ABB’s Impressive Performance During an Investigation and Remediation Period

[00:18:42] The C-suite’s Responsibility in Organizations

[00:23:21] The Impact of Experiences on Assessing Business Decisions

[00:28:05] The SEC Inquiry on McDonald’s precipitated by Steve Easterbrook’s Removal

[00:32:24] The Significance of Delaware Courts in Regards to Corporate Law

[00:37:13] The Functions of Corporate Boards During Times of Crisis.

Tune in and listen to Eric as he educates us about the need to report extraordinary circumstances to the Department of Justice

 Resources:

Connect with Tom Fox

●      LinkedIn

Connect with Eric Young

●      Guidepost Solutions

●      LinkedIn

Categories
Everything Compliance

Episode 111 – The Duty of Oversight Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. Everything Compliance has been honored by W3 as the top talk show in podcasting. In this episode, we have the quintet of Jay Rosen, Karen Woody, Jonathan Marks, Tom Fox, and Matt Kelly, who review the recent Delaware Court of Chancery decision creating a duty of oversight for corporate officers. We conclude with our fan-fav Shout Outs and Rants section.

1. Matt Kelly sets the stage for our discussion and poses a question about what it all means for CCOs going forward. He rants to the State of Texas Legislature for creating a ‘Gold Card’ for physicians who have over 90% of all requested procedures covered by insurance. (1:30)

2. Jonathan Marks looks at the case from the internal audit and corporate governance perspectives. He rants about the Pentagon’s failure to shoot down a Chinese spy balloon.

3. Tom Fox shouts out to Hindenburg Research and all other short sellers who help uncover fraud, waste, and abuse.

4. Karen Woody looks at the case from a legal perspective and unpacks the court’s legal reasoning. Woody shouts to Amtrak and asks us to ‘ride the train more often.’ (11:08)

5. Jay Rosen reviews the changes wrought for CCOs over the past year, from CCO certification to the Delaware court decision. He shouts out to his twin daughters on their 15th birthday. (41:13)

The members of Everything Compliance are:

•       Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com

•       Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu

•       Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com

•       Jonathan Armstrong –is our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com

•       Jonathan Marks is Partner, Firm Practice Leader – Global Forensic, Compliance & Integrity Services at Baker Tilly. Marks can be reached at jonathan.marks@bakertilly.com

The host and producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Categories
Compliance Into the Weeds

Activision Blizzard Settlement with SEC

The award winning, Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. In this episode, Matt and I take a deep dive into the recent Activision Blizzard settlement with the SEC for the company’s failings around internal controls regarding the detection and prevention of sexual harassment and its whistleblower protection laws.

Some of the highlights include:

·      The background facts.

·      The toxic culture which led to the claims.

·      The denials by company officers that anything was wrong or to the validity of the claims.

·      How does this ruling tie into the Delaware court decision on the duty of oversight?

·      Must there be a material risk for the creation of an information system?

·      What about CCO certification?

·      What does it all mean for CCOs going forward?

 Resources

SEC Order

Matt Kelly in Radical Compliance

Categories
Blog

The World Has Changed: McDonald’s and the Oversight Duty of Officers-Part 4

Over the past year, the role of the Chief Compliance Officer (CCO) has shifted in some very dramatic ways. The shifts have been from disparate groups and for a variety of reasons. Yet when put together, one can see a clear and bright line expanding and elevating the role of the CCO in the corporate world. From the announcement of the requirement for CCO Certification last year up to the announcement of the Delaware Court of Chancery’s decision in the case of In re McDonald’s Corporation Stockholder Derivative Litigation, it is now clear that the CCO has as wide a remit and responsibility as any corporate officer, other than the Chief Executive Officer (CEO) of a company.

I think the following announcements, changes in DOJ and SEC focus on Foreign Corrupt Practices Act (FCPA) enforcement and now a court case out of Delaware will change the role of the CCO forever.

CCO Certification

This shift began with the speech by Kenneth Polite, Assistant Attorney General for the Criminal Division speech on May 17, 2022, at Compliance Week 2022; announcing the new requirement for CCO Certification of compliance programs for companies going through a Deferred Prosecution Agreement (DPA). This CCO Certification required the Glencore CCO to certify Glencore compliance program “is reasonably designed to detect and prevent violations of the FCPA and other anti-corruption laws” at the conclusion of the DPA.  Who is the only other person required to make a similar certification at the conclusion of a DPA? The CEO of the company.

This means the CCO (and CEO) are certifying the entire compliance program meets the standards of not simply best practices but also all the enhanced requirements set out in Attachment C of any DPA. While many have focused on the question of whether this would bring criminal liability to a long-gone (or even current) CCO; this question now seems to miss the mark. Recall what Polite said when announcing the new requirement “It is the type of resource that compliance officials, including myself, have wanted for some time, because it makes it clear that you should and must have appropriate stature in corporate decision-making. It is intended to empower our compliance professionals to have the data, access, and voice within the organization to ensure you, and us, that your company has an ethical and compliance focused environment.”

Monaco Memo and Changes in the Corporate Enforcement Policy

The 2022 Monaco Memo and 2023 announced changes in the DOJ’s Corporate Enforcement Policy (CEP) are bookends of a series of changes which began as far back as October 2021 when Deputy Attorney General Lisa Monaco first announced the revisions which would eventually be incorporated into the Monaco Memo and CEP. In many ways the Monaco Memo laid out the sticks while the CEP provided the carrots for current FCPA and other white-collar enforcements.

The Monaco Memo directed prosecutors to evaluate a corporation’s compliance program as a factor in determining the appropriate terms for a corporate resolution; as prosecutors should now assess the adequacy and effectiveness of the corporation’s compliance program at two points in time: (1) the time of the offense; and (2) the time of a charging decision.  Kenneth Polite further defined the effectiveness of a compliance program at the time of the offense as “At the time of the misconduct and the disclosure, the company had an effective compliance program and system of internal accounting controls that allowed the identification of the misconduct and led to the company’s self-disclosure.” This is the first time the DOJ has said that it is the detection of wrongdoing which defines the effectiveness of a compliance program. This means a company’s investment in a compliance program, CCO and corporate compliance team are all elevated in importance. This prong does not simply get you a discount, but it can put you on the road to the default position of the DOJ for a FCPA violation, a declination.

Moreover, when you couple the ABB FCPA resolution to the Monaco Memo, you see the carrots which appeared in the new CEP. ABB was the first, three-time FCPA recidivist yet was able to get an excellent resolution with the government and a fine of only $315 million despite clear aggravating factors including corruption up to and in the corporate office. From the ABB resolution, you begin to see how the role of the CCO increases dramatically.

Duty of Oversight

These trends were brought together in the Delaware Court of Chancery’s decision in the case of McDonald’s Corporation and its former Executive Vice President and Global Chief People Officer of McDonald’s Corporation, David Fairhurst in the case In re McDonald’s Corporation Stockholder Derivative Litigation, where for the first time, a Delaware court formally recognized the oversight duties of officers of Delaware corporations.

As I have previously noted, one of the most interesting parts of the court’s opinion is that it draws from the US Sentencing Guidelines and their creation of the Chief Compliance Officer position as both reasons for the decision and as a guide to how the CCO position will be impacted by this ruling. The judge pointed to the US Sentencing Guidelines as a key basis for the creation of the original Caremark Doctrine. The court stated that a prime reason for “recognizing the board’s duty of oversight was the importance of having compliance systems in place so the corporation could receive credit under the federal Organizational Sentencing Guidelines.” However, the Guidelines did not stop at the board level. The US Sentencing Guidelines mandated the creation of the CCO position.

The court noted that the CCO has a broad scope within an organization. The court stated “Although the CEO and Chief Compliance Officer likely will have company-wide oversight portfolios, other officers generally have a more constrained area of authority.” The responsibilities of the CCO are wide and sometimes varied. Here the court stated, ““[s]pecific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program.” But the Delaware court also provided CCOs with some additional ammunition in their quest for true influence in a corporation by stating that “to carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.”

What Does It Mean?

This is the part where it gets interesting. Under the CCO Certification and the Delaware court’s ruling, it is the CCO who is 1B to the CEO’s 1A. The first step every company must make it to put the CCO in position to report up directly to the Board of Directors. It also means that the days of a CCO reporting to a Chief Legal Officer (CLO) or General Counsel (GC) are certainly numbered. The Delaware Court drove this point home by specifically naming  a CLO/GC as a person “responsible for legal oversight and for making a good faith effort to establish reasonable information systems to cover that area.” In other words, not responsible for the company wide remit such as the CCO.

The next area would come from the Hallmarks of an Effective Compliance Program as laid out in the FCPA Resource Guide, 2nd edition. In that document it states “In appraising a compliance program, DOJ and SEC also consider whether a company has assigned responsibility for the oversight and implementation of a company’s compliance program to one or more specific senior executives within an organization. Those individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively.” That means financial resources and head count.

I would add, a level of professionalism and expertise in compliance means more than simply ‘being a lawyer’. Under Chapter 9, Section 47 of the US Attorney’s Manual, the DOJ is mandated to evaluate “The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk.”  Finally, the DOJ will also evaluate other factors such as CCO compensataion as commiserate with the position of being second in importance to the CEO.

The Delaware Court decision creating the Duty of Oversight was not designed to increase the scope, reach and importance of a CCO but the more I look at the case I believe that will be its most lasting legacy. When you look back over the past 12 months, you see that the CCO has more stature and responsibility than it has ever had before.

With a converse nod to Uncle Ben from Spiderman, with great responsibility must come great power.

Categories
Blog

The World Has Changed: McDonald’s and the Oversight Duty of Officers-Part 3

This week, we are exploring a shift in the duties of care owed by corporate officers to the corporation. This shift is coming through the Chancery Court of Delaware in the case of McDonald’s Corporation and its former Executive Vice President and Global Chief People Officer of McDonald’s Corporation, David Fairhurst and his part in the creation of an absolute toxic atmosphere of sexual harassment at the very highest levels of the organization. The case is styled In re McDonald’s Corporation Stockholder Derivative Litigation, and in it, the court formally recognizes the oversight duties of officers of Delaware corporations. Today we discuss the role of the Chief Compliance Officer (CCO) in both the reasoning for the decision and what it means for CCOs going forward.

Perhaps one of the most interesting parts of the court’s opinion is that it draws from the US Sentencing Guidelines and their creation of the Chief Compliance Officer position as both reasons for the decision and as a guide to how the CCO position will be impacted by this ruling. The judge pointed to the US Sentencing Guidelines as a key basis for the creation of the original Caremark Doctrine. The court stated that a key reason for “recognizing the board’s duty of oversight was the importance of having compliance systems in place so the corporation could receive credit under the federal Organizational Sentencing Guidelines.” However, the Guidelines did not stop at the board level. The US Sentencing Guidelines mandated the creation of the CCO position.

Specifically, the “Guidelines state that “[h]igh- level personnel of the organization shall ensure that the organization has an effective compliance and ethics program” and such senior person(s) “be assigned overall responsibility for the compliance and ethics program.” The Guidelines went on to define an organization’s “high-level personnel” as “individuals who have substantial control over the organization or who have a substantial role in the making of policy within the organization,” which includes “a director; an executive officer; an individual in charge of a major business or functional unit of the organization, such as sales, administration, or finance; and an individual with a substantial ownership interest.”

The court somewhat dryly concluded “It would seem hard to argue that, simply by virtue of being an officer, the Chief Compliance Officer could not owe a duty of oversight. That, however, is the logical implication of Fairhurst’s position that only directors can owe a duty of oversight.”

The responsibilities of the CCO are wide and sometimes varied. Here the court stated, ““[s]pecific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program.” But the Delaware court also provided CCOs with some additional ammunition in their quest for true influence in a corporation by stating that “to carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.”

Finally, the CCO has a broad scope within an organization. Indeed the court noted, that only the Chief Executive Officer (CEO) has as broad a remit, stating “Although the CEO and Chief Compliance Officer likely will have company-wide oversight portfolios, other officers generally have a more constrained area of authority. With a constrained area of responsibility comes a constrained version of the duty that supports an Information-Systems Claim.”

Yet the breadth of this portfolio does not mean a CCO can be liable for every corporate failure, even those directly in culture or compliance. Here the standard of liability for the CCO is critical and standard is breach of the duty of loyalty through bad faith. The court noted, that in the decision of Stone v. Ritter, upholding the original Caremark decision, “the Delaware Supreme Court adopted the Guttman formulation and stated that a breach of the duty of loyalty, such as acting in bad faith, was a “necessary condition to liability.” After Stone, then-Vice Chancellor Strine acknowledged that Caremark duties carried overtones of care, but explained that “to hold directors liable for a failure in monitoring, the directors have to have acted with a state of mind consistent with a conscious decision to breach their duty of care.”

Rarely, if ever do you see a CCO engage in bad faith. There have been some instances but I can think or only one or two that rise to the level of bad faith. The good news for CCOs is that while there may be a new cause of action against them for a duty of oversight; if there is a compliance program in place and if that compliance program detects wrongdoing which is reported up to the Board; a CCO has most probably met their duty under this decision.

Please join me tomorrow as I explore how this court decision, together with the CCO certification mandate by the Department of Justice, the Monaco Memo and the new Corporate Enforcement Policy will all change the relationships and dynamics of Chief Compliance Officers in the corporate world.

Categories
Compliance Into the Weeds

McDonald’s and Duty of Corporate Officer Oversight

The award-winning, Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. In this episode, Matt and I dive deep into a recent decision by the Delaware Court of Chancery in the McDonald’s case, creating a duty of oversight for corporate officers.

Some of the highlights include:

·      Why can bad facts make bad laws?

·      The sordid facts of David Fairhurst during his tenure at McDonald’s.

·      The legal rationale.

·      What is Caremark, and how did it influence this decision?

·      What does it mean for CCOs?

·      How does this decision intertwine with the Monaco Doctrine, CCO certification, and the new Corporate Enforcement Policy?

 Resources

Tom with a multipart series on the FCPA Compliance and Ethics Blog

Matt Kelly with two posts in Radical Compliance

Categories
Daily Compliance News

January 26, 2023 – The Offices Search Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories we are following in today’s edition of Daily Compliance News:

  • PwC, Boston Consulting Group offices search in Dos Santos corruption investigation. (ICIJ)
  • Corp execs now have a duty of oversight in Delaware. (Reuters)
  • 4 top pods on women and working. (FT)
  • British gambler fined for AML failures. (WSJ)