Tag: McDonald’s

Categories
Blog

TD Bank, Part 7 – Caremark Claims – Officers

Next, I explore the TD Bank AML/BSA enforcement action by looking at the expansion of the Caremark Doctrine. In the McDonald’s case, the Delaware Court of Chancery took the Caremark Doctrine further by applying the Duty of Loyalty to officers and Directors. In that case, styled In re McDonald’s Corporation Stockholder Derivative Litigation (McDonald’s herein), the Delaware Court of Chancery for the first time extended the Caremark Duty to officers, in addition to Directors. Here, the Court stated, “Diverse authorities indicate that officers owe a fiduciary duty of oversight as to matters within their areas of responsibility. Those authorities include the reasoning of the original Caremark opinion, the Delaware Supreme Court’s holding that the duties of officers are the same as those of directors, decisions from other jurisdictions and academic commentary, and the additional duties that officers owe as agents. This decision confirms that officers owe a duty of oversight.”

Expansion of Caremark to Officers

Caremark created an affirmative duty for the Board to engage in oversight. The Caremark court formulated a “more functional terminology that species of claim can be called an “Information- Systems Theory” of Board liability, also known as “Prong-One” Board liability. In this case, a plaintiff typically pleads a ‘Red Flag Theory’ or Prong-Two Caremark claim by alleging that the board’s information systems generated red flags indicating wrongdoing and that the directors failed to respond. In McDonald’s, the Court expanded both Prong-One and Prong-Two liability to officers.

The Court of Chancery listed three key sources for expanding this duty from Boards to officers.

  1. Management runs a company. While the Board oversees management, “most corporations are managed ‘under the direction of’ the board.” However, “the officers are charged with, and responsible for, running the corporation’s business.” Therefore, “Because of this reality, “[m]onitoring and strategy are not exclusively the dominion of the board. Nondirector officers may be more capable of making oversight and strategic decisions daily.”
  2. Boards depend on information from management. Here, the court noted that “For relevant and timely information to reach the board, the officers who serve as the day-to-day managers of the entity must make a good faith effort to ensure that information systems are in place so that the officers receive relevant and timely information that they can provide to the directors.” From this, “it follows that officers must have a duty to make a good faith effort to establish an information system as a predicate to fulfilling their obligation to provide information to the board.”
  3. Compliance systems are required under the USSG. The US Sentencing Guidelines (USSG) mandate that “high-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline.” This requirement includes, “Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.” The USSG goes on to define an organization’s “high-level personnel as “individuals who have substantial control over the organization or who have a substantial role in the making of policy within the organization, which includes “a director; an executive officer, an individual in charge of a major business or functional unit of the organization, such as sales, administration, or finance; and an individual with a substantial ownership interest. This has the added benefit of putting compliance professionals directly in the path of liability created by this decision.

Interestingly, even as the Delaware courts had not explicitly expanded the duty of oversight to officers, the court found some support in bankruptcy court decisions. The Delaware court found that Prong-One Information Systems and Prong-Two Red Flag claims were available against officers under certain circumstances. The Delaware court concluded this section: “All preceding authorities start from the premise that officers owe the same duties as directors. Because directors owe a duty of oversight, these authorities reason that officers owe a duty of oversight. That logic is sound.”

The Delaware court also noted that officers have fiduciary duties to the corporation akin to those duties that agents owe their principals. The court pointed to a prior Delaware decision in Hampshire, which “recognized a standard of conduct at the officer level that included a duty to act carefully, loyally, and in good faith to gather and provide information, with the standard of liability for the care dimension of the duty measured by gross negligence. By recognizing the duty to provide information, Hampshire lays the foundation for an officer-level duty consistent with an Information-Systems Theory. The Court also found there is officer accountability to the Board, which supports this extension of the duty of oversight to officers.

Officer Actions

From the Information in the TD Bank matter, we have the following, “During the relevant period, Defendants willfully failed to maintain an adequate AML program at the Bank. At various times, high-level executives including those in Global AML Operations, in senior executive management, and on the TDBUSH Audit Committee—specifically including an individual who became Defendants’ Chief Anti-Money Laundering Officer (“Chief AML Officer”) during the relevant period (Individual-1) and the Bank’s BSA Officer (Individual-2)—knew there were long-term, pervasive, and systemic deficiencies in the Defendants’ U.S. AML policies, procedures, and controls.

 The Defendants did not substantively update the Bank’s automated transaction monitoring system from at least 2014 through 2022— including addressing known gaps and vulnerabilities in the TDBNA’s transaction monitoring program—despite increases in the volume and risk of its business and significant changes in the nature and risk of transactional activity. In addition, during the relevant period, TDBNA monitored only approximately 8% of the volume of transactions because it omitted all domestic automated clearinghouse (“ACH”) transactions, most check activity, and numerous other transaction types from its automated transaction monitoring system.

 Due to this failure, the Bank did not monitor approximately $18.3 trillion in activity between January 1, 2018, and April 12, 2024. At the same time, Bank senior executives repeatedly prioritized the “customer experience over AML compliance. They enforced a budget mandate, referred to internally as a “flat cost paradigm, that set expectations that all budgets, including the AML budget, would not increase year over year.

Is all of this enough to invoke Caremark liability for officers? Perhaps when you consider the additional facts as reported in the Information Bank, senior executives repeatedly prioritized the “customer experience over AML compliance and enforced a budget mandate, referred to internally as a “flat cost paradigm, that set expectations that all budgets, including the AML budget, would not increase year-over-year. The Defendants’ failures to appropriately fund the Bank’s AML program and to adapt its transaction monitoring program resulted in a willfully deficient AML program that allowed three money laundering networks to exploit the Bank and collectively transfer over $670 million through TDBNA accounts. At least one scheme had the assistance of five store insiders at TDBNA.

 At one point, the Information reported that the AML compliance program budget was reduced by 2021 to an amount lower than budgeted for the program in 2018. Further, both the Chief Anti-Money Laundering Officer (“Chief AML Officer”) and the Bank’s BSA Officer (Individual-2) touted their ability to stay within the budgetary constraints in their self-assessments as positive. Finally, Individual-1 referred to the Bank’s “historical underspend on compliance in an email to the Group senior executive responsible for the enterprise AML budget, yet the US-AML budget essentially stayed flat. GAML and US-AML employees explained to the Offices that budgetary restrictions led to systemic deficiencies in the Bank’s transaction monitoring program and exposed the Bank to potential legal and regulatory consequences. In other words, the Bank’s AML officers were well aware of the shortcomings in the Bank’s AML program yet did nothing to remediate or ameliorate these deficiencies.

 The bottom line is that if there is ever going to be a case to validate the expansion of the Caremark Doctrine to include officers, this is likely the case.

Categories
Blog

Boards of Directors in the Era of Sanctions Enforcement

In a recent episode of the podcast ‘All Things Investigations, the discussion centered around directors’ critical role in ensuring legal compliance, particularly in sanctions and export controls. I was joined in this exploration by Mike Huneke, partner at HughesHubbardReed, and Brent Carlson, Director at BRG. Our discussion was based on their blog post on directors’ duty of oversight, which can be found here:  Boards of Directors Lovin’ It after McDonald’s? A Fresh Look at Directors’ Duty of Oversight in the New Era of Sanctions & Export Control Corporate Enforcement.

Our discussion highlighted McDonald’s case from the Delaware Court of Chancery, where the company officers faced lawsuits for neglecting their duties, emphasizing the importance of a dynamic approach from boards and compliance officers to evaluate and enhance compliance programs in response to the evolving geopolitical landscape and increased regulatory enforcement.

While many compliance professionals reviewed McDonald’s for the new duty of oversight created for corporate officers, including Chief Compliance Officers, Huneke and Carlson focused on the duties owed by Directors. For companies engaged in international trade, these actions engage directors’ fiduciary duties. Looking to bellwether Delaware corporate law, Delaware’s Chancery Court recently reiterated in the McDonald’s shareholder litigation that directors’ Caremark duty of oversight is a function of their duty of loyalty.

According to Huneke and Carlson’s article, this case “reinforced the limits of the protections directors would otherwise have if it were instead a function of the duty of care—under both the business judgment rule and “exculpation,” which is the option corporations have to excuse in their articles of incorporation directors’ liability for breaches of their duty of care (but not of loyalty).” Directors’ duty of oversight further requires ensuring that they receive information regarding any “central compliance risks,” not just “mission critical” risks, and that there is an appropriate response to red flags.”

The decision in McDonald’s case underscored the significance of information systems and controls for compliance. It stressed the need for companies to adopt a broader, qualitative view in monitoring export control compliance, with the Department of Justice’s heightened involvement signaling a shift towards a more proactive approach. Key aspects such as oversight, duty of care, and the business judgment rule were highlighted as essential components of board responsibilities and liability.

Board directors were urged to engage with compliance issues actively, ask critical questions, and conduct thorough investigations to fulfill their fiduciary duties. It was emphasized that boards should exercise caution when relying on management reports, proactively address risks, and take necessary actions to prevent potential legal and reputational damage.

From the Board’s perspective, we emphasized the importance of being cautiously skeptical of management’s information, seeking external advice, and taking preventive measures to avoid compliance issues. We also discussed the significance of the duty of oversight, which stems from the duty of loyalty and requires directors to ensure the presence of information systems and controls for informed decision-making and an effective response to red flags.

There is a clear need for board directors, corporate officers, and compliance professionals to stay abreast of the changing landscape of sanctions and export controls. With the Department of Justice’s increased focus on enforcement in this area, organizations must prioritize compliance efforts, seek external guidance, and take proactive steps to mitigate risks and ensure legal adherence.

Huneke and Carlson noted that the court ultimately dismissed plaintiffs’ claims against the directors because, after learning of the red flags, the directors:

  • Obtained detailed oral and written reports from management throughout several meetings dedicated to the red flag identified;
  • Made enhancements to the compliance program, including training and communication;
  • Retained external advisors;
  • Ensured that affiliates (here, franchisees) were included in the enhancements made;
  • Assessed and improved corporate culture and
  • Management involved in the conduct was eventually terminated.

These serve as a road map for the sanctions and export control boards.

Huneke and Carlson concluded their article with the following suggestions:

1) Understand how the world is changing and how those changes impact your business 

Geopolitical risks impact companies in different ways. Analyze potential impact scenarios to arrive at effective oversight approaches. Seek input from a variety of experts. Challenge commonly held assumptions, especially concerning the sufficiency of traditional screening.

2) Continuously ensure that the compliance program identifies and addresses evolving risks

Effective compliance programs evolve as risks change. Make sure management considers the changed enforcement environment when assessing risk. Do not just ask questions—ensure you receive good answers. Avoid solutions that are too clever by half, which can ultimately expose the company to greater risks.

3) Don’t sit on any red flags, and don’t let the management team sit on them either

All kinds of red flags can indeed come out of the blue. Our prior posts provide suggestions for responding to potential evasion effectively and efficiently. Politics (global and domestic) drive regulatory enforcement, and 2024 will be no exception. Now is the time to get ahead of what’s coming. An ounce of prevention is worth a pound of cure.

We concluded the podcast by noting that directors’ duties in sanctions and export controls are paramount in today’s regulatory environment. The pressure will only increase. Boards must be vigilant, proactive, and thorough in their oversight of compliance programs to uphold their fiduciary responsibilities and safeguard their organizations from potential legal and reputational harm. By staying informed, engaging with compliance issues, and taking decisive actions, directors can navigate the complexities of sanctions and export controls effectively.

Categories
FCPA Compliance Report

FCPA Compliance Report – Karen Woody on Officers Duty of Oversight

Welcome to the award-winning FCPA Compliance Report, the longest running podcast in compliance. In this episode, Tom Fox welcomes Professor Karen Woody and they take a deep dive into the Segway case from Delaware.

The bottom line is that proving bad faith and breaching the duty of oversight remains a challenging task. The conversation delved into the fiduciary duties of directors and officers, specifically the duty of care and the duty of loyalty. The duty of care requires fiduciaries to be well-informed about material information and exercise prudence in decision-making. On the other hand, the duty of loyalty necessitates undivided interests towards the corporation, with no conflicts of interest or self-dealing.

The duty of oversight, derived from the landmark Caremark case in 1996, is an extension of the duty of loyalty. It requires the establishment of information reporting systems and compliance programs to inform senior management and the board about potential issues. There are two prongs to bring a duty of oversight claim: the systems or information prong and the red flag prong. The former focuses on the absence or ineffectiveness of systems, while the latter deals with the conscious disregard of red flags.

However, proving bad faith and breaching the duty of oversight is a high bar to clear. The Caremark standard is challenging to meet, and most cases are dismissed on a motion to dismiss. The recent Segway case, following the McDonald’s case, indicated a pushback against lowering the bar for officers compared to directors. The interpretation of the duty of oversight remains stringent, emphasizing the need for strong evidence of bad faith.

The conversation concluded by acknowledging the importance of context and the specific facts of each case. While there has been a slow march of weakening the Caremark standard in some cases, the facts in those instances were particularly egregious. The recent cases discussed in the episode did not exhibit the same level of egregiousness, leading to a retraction and a reaffirmation of the high bar set by the Caremark standard.

Resources:

Karen Woody on LinkedIn

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Daily Compliance News

Daily Compliance News: November 15, 2023 – The Two Per Week Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance brings to you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All, from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories we are following in today’s edition:

  • Ukraine legislator tied to Giuliani arrested for treason.  (WaPo)
  • 2 sexual harassment claims per week at McDonalds UK (TT)
  • Can Barclay’s move beyond scandal (and Jes Staley)? (FT)
  • US drops antitrust claims over hospital hiring. (Reuters)
Categories
Blog

The World Has Changed: McDonald’s and the Oversight Duty of Officers-Part 3

This week, we are exploring a shift in the duties of care owed by corporate officers to the corporation. This shift is coming through the Chancery Court of Delaware in the case of McDonald’s Corporation and its former Executive Vice President and Global Chief People Officer of McDonald’s Corporation, David Fairhurst and his part in the creation of an absolute toxic atmosphere of sexual harassment at the very highest levels of the organization. The case is styled In re McDonald’s Corporation Stockholder Derivative Litigation, and in it, the court formally recognizes the oversight duties of officers of Delaware corporations. Today we discuss the role of the Chief Compliance Officer (CCO) in both the reasoning for the decision and what it means for CCOs going forward.

Perhaps one of the most interesting parts of the court’s opinion is that it draws from the US Sentencing Guidelines and their creation of the Chief Compliance Officer position as both reasons for the decision and as a guide to how the CCO position will be impacted by this ruling. The judge pointed to the US Sentencing Guidelines as a key basis for the creation of the original Caremark Doctrine. The court stated that a key reason for “recognizing the board’s duty of oversight was the importance of having compliance systems in place so the corporation could receive credit under the federal Organizational Sentencing Guidelines.” However, the Guidelines did not stop at the board level. The US Sentencing Guidelines mandated the creation of the CCO position.

Specifically, the “Guidelines state that “[h]igh- level personnel of the organization shall ensure that the organization has an effective compliance and ethics program” and such senior person(s) “be assigned overall responsibility for the compliance and ethics program.” The Guidelines went on to define an organization’s “high-level personnel” as “individuals who have substantial control over the organization or who have a substantial role in the making of policy within the organization,” which includes “a director; an executive officer; an individual in charge of a major business or functional unit of the organization, such as sales, administration, or finance; and an individual with a substantial ownership interest.”

The court somewhat dryly concluded “It would seem hard to argue that, simply by virtue of being an officer, the Chief Compliance Officer could not owe a duty of oversight. That, however, is the logical implication of Fairhurst’s position that only directors can owe a duty of oversight.”

The responsibilities of the CCO are wide and sometimes varied. Here the court stated, ““[s]pecific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program.” But the Delaware court also provided CCOs with some additional ammunition in their quest for true influence in a corporation by stating that “to carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.”

Finally, the CCO has a broad scope within an organization. Indeed the court noted, that only the Chief Executive Officer (CEO) has as broad a remit, stating “Although the CEO and Chief Compliance Officer likely will have company-wide oversight portfolios, other officers generally have a more constrained area of authority. With a constrained area of responsibility comes a constrained version of the duty that supports an Information-Systems Claim.”

Yet the breadth of this portfolio does not mean a CCO can be liable for every corporate failure, even those directly in culture or compliance. Here the standard of liability for the CCO is critical and standard is breach of the duty of loyalty through bad faith. The court noted, that in the decision of Stone v. Ritter, upholding the original Caremark decision, “the Delaware Supreme Court adopted the Guttman formulation and stated that a breach of the duty of loyalty, such as acting in bad faith, was a “necessary condition to liability.” After Stone, then-Vice Chancellor Strine acknowledged that Caremark duties carried overtones of care, but explained that “to hold directors liable for a failure in monitoring, the directors have to have acted with a state of mind consistent with a conscious decision to breach their duty of care.”

Rarely, if ever do you see a CCO engage in bad faith. There have been some instances but I can think or only one or two that rise to the level of bad faith. The good news for CCOs is that while there may be a new cause of action against them for a duty of oversight; if there is a compliance program in place and if that compliance program detects wrongdoing which is reported up to the Board; a CCO has most probably met their duty under this decision.

Please join me tomorrow as I explore how this court decision, together with the CCO certification mandate by the Department of Justice, the Monaco Memo and the new Corporate Enforcement Policy will all change the relationships and dynamics of Chief Compliance Officers in the corporate world.

Categories
Compliance Into the Weeds

McDonald’s and Duty of Corporate Officer Oversight

The award-winning, Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. In this episode, Matt and I dive deep into a recent decision by the Delaware Court of Chancery in the McDonald’s case, creating a duty of oversight for corporate officers.

Some of the highlights include:

·      Why can bad facts make bad laws?

·      The sordid facts of David Fairhurst during his tenure at McDonald’s.

·      The legal rationale.

·      What is Caremark, and how did it influence this decision?

·      What does it mean for CCOs?

·      How does this decision intertwine with the Monaco Doctrine, CCO certification, and the new Corporate Enforcement Policy?

 Resources

Tom with a multipart series on the FCPA Compliance and Ethics Blog

Matt Kelly with two posts in Radical Compliance

Categories
Blog

The World Has Changed: McDonald’s and the Oversight Duty of Officers-Part 1

There is a reason that lawyer truisms are just that: because they are based in fact. One of those truisms is that bad facts make bad laws. I saw that in the first year I started practicing law in  case in Texas which forever changed the definition of gross negligence: Burke Royalty. In that case, a company allowed a rough neck to burn to death while hanging on a chain off an oil rig. The company, Burke Royalty claimed they had subcontracted their safety function to another company. The Texas Supreme Court decreed that safety was a non-delegable duty and failure to provide a safe workplace could form the basis of claim for gross negligence.

We now see this same truism playing out in the Chancery Court of Delaware in the case of McDonald’s Corporation and its former Executive Vice President and Global Chief People Officer of McDonald’s Corporation, David Fairhurst and the creation of an absolute toxic atmosphere of sexual harassment at the very highest levels of the organization. It included the now disgraced former Chief Executive Officer (CEO) Steven Easterbrook but he was dismissed from this litigation.

I will not go into the sordid facts of this matter as they are well-known from other litigation. Suffice it to say that Fairhurst and Easterbrook engaged in multiple instances of sexual harassment and inappropriate behavior with other McDonald’s employees and such conduct was not only well-known within the organization but also known by the McDonald’s Board. But this case dealt not Easterbrook or the Board but with Fairhurst. As you might guess from his corporate title, Fairhurst had a human resources role which he apparently took as license to get drunk at company events and grope, fondle and generally harass as many women as possible. It appears that the rest of McDonald’s senior management and Board stood by while he engaged in all of this.

Fairhurst’s attitude towards sexual harassment seemed to have permeated the entire corporate culture at McDonald’s. One employee class action lawsuit by employees claimed that 75% of all female employees had been sexually harassed while working at the company. Another allegation said that “over 70% of those who reported sexual harassment they witnessed or experienced faced some form of retaliation, with 42% reporting loss of income as a result.” A class action lawsuit by employees of McDonald’s franchisees claimed that “almost two-thirds of restaurant employees worked at locations that did not provide any sexual harassment training.”

As I started out this post, bad facts make bad law.

What the Court of Chancery found was there has long been a duty of oversight in Delaware law, not only for Board’s since at least the 1960s but for officers as well. On the Board side of the equation, there is of course the Caremark  decision from 1996 but which established an affirmative duty of Board oversight, with its progeny up to this day. However in 1963, the Delaware Supreme Court established a Board duty when red flags are brought to its attention in the case of Graham v. Allis-Chalmers Manufacturing Co., which held that directors have an obligation to respond if information reached them, but created no affirmative duty to set up an information system to learn about issues within the company. A limited duty of oversight arose only if the directors had already learned enough to suspect that there were issues that needed overseeing. Caremark created that affirmative duty.  

Taking a deep dive into the legalese, in this case the court noted, “Using more functional terminology, that species of claim can be called an “Information-Systems Claim” or an “Information- Systems Theory.” A plaintiff typically pleads a prong-two Caremark claim by alleging that the board’s information systems generated red flags indicating wrongdoing and that the directors failed to respond. From a functional perspective, the second type of claim can be called a “Red-Flags Claim” or a “Red-Flags Theory.”

But Board’s do not govern in a vacuum. They depend on senior management. Here the court said, “Indeed, from that perspective, the Caremark oversight role “is more suited to corporate officers who are responsible for managing the day-to-day affairs of the corporate enterprise.” This “first reason for recognizing oversight duties for directors—the seriousness with which the law takes the role—thus applies equally to officers.”

Indeed, “relevant and timely information is an essential predicate for satisfaction of the board’s supervisory and monitoring role under Section 141.” Finally, “board’s need for information leads ineluctably to an imperative for officers to generate and provide that information: Whereas a corporate board meets periodically—roughly six to ten times a year—senior officer engagement with the corporation is continuous. From a practical perspective, a board’s ability to effectively monitor is contingent upon adequate information flow, usually from senior officers functioning in a non-directorial capacity.”

Join me tomorrow where I take a dive into the Court’s legal reasoning.

Categories
Daily Compliance News

January 10, 2023 – The James Bond Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

  • Why did Phoenix police detain a WSJ reporter? (NYT)
  • A former head of Eskom was poisoned with Cyanide. (BusinessInsider)
  • Former McDonald’s CEO settles with SEC for lying. (WSJ)
  • Germany is looking into corruption by Finance Minister. (FT)
Categories
Daily Compliance News

August 24, 2022 the 1MDB Verdict Upheld Edition

In today’s edition of Daily Compliance News:

  • Najib’s verdict was upheld in Malaysia. (Reuters)
  • Ex Twitter Security Chief files whistleblower suit. (WSJ)
  • McDonald’s shakes up BOD. (NYT)
  • Musk’s Twitter bot claims thin air? (BBC)
Categories
Daily Compliance News

December 17, 2021 McDonalds Claws Back Edition


In today’s edition of Daily Compliance News:

  • HSBC fined for AML violations. (WSJ)
  • Sackler bankruptcy settlement tossed. (NYT)
  • McDonalds claws back $105MM from former CEO? (WSJ)
  • Bayer faces more grief from Monsanto acquisition. (Reuters)