Officials from the US Department of Justice over the past three months have repeatedly referenced the Department’s intention to include chief compliance officer certifications as part of corporate resolutions going forward. This certification first appeared in the Glencore resolution papers, requiring an attestation that the company’s compliance program is “reasonably designed.” A looming question remains on how regulators will define “reasonably designed.”
Morgan Lewis members of the Women’s White Collar Defense Association (WWCDA) recently attended Part 2 of the WWCDA’s Global Enforcement & Compliance Series. This session on Effective Compliance Programs and Value in Global Resolutions consisted of a discussion among a panel of top government and in-house practitioners. During the discussion, Assistant Chief of the Department of Justice (DOJ) Fraud Section’s Corporate Enforcement, Compliance and Policy Unit (CECP) Lauren Kootman confirmed that the Department intends for chief compliance officer (CCO) certifications to be a part of every corporate resolution going forward. Echoing prior public DOJ statements, Kootman reiterated that the certifications are meant to "empower" CCOs and ensure they have a “seat at the table”—not punish them. However, industry response has been wary of what these certifications actually mean in practice for CCOs.
The idea of a CCO certification was first raised by Assistant Attorney General Kenneth Polite in remarks on March 25, in which Polite provided details regarding DOJ expectations for corporate compliance programs and how those programs will be assessed. Polite reaffirmed that companies are expected to implement compliance programs that (1) are well-designed, (2) are adequately resourced and empowered to function effectively, and (3) work in practice. Polite announced that prosecutors have been instructed to consider requiring chief executive officers and chief compliance officers to certify (1) the accuracy of annual reports submitted pursuant to corporate resolutions, and (2) that their compliance program is reasonably designed and implemented prior to releasing the company from its obligations under a resolution agreement.
On May 26, Deputy Attorney General Lisa Monaco announced a new policy requiring CCOs to sign off on certain agreements with the DOJ, stating that the policy is meant to “empower” the CCO, to ensure that the CCOs are “in the room” and reporting to the board directly about “what has or has not gone on in the course of fulfilling the company's obligations,” and to promote the concept that “the business is taking ownership of its role in the compliance program and the Head of Compliance receives all relevant compliance-related information and can voice any concerns prior to certification.”
The recent Glencore resolution is the first resolution requiring such a certification. The language of that certification—taking the form of the newly added “Attachment H” to the papers—requires the CCO and chief executive officers (CEOs) to sign under penalty of perjury and attest that the company has complied with Attachment C requirements outlining minimum components of a corporate compliance program. Attachment H also requires the CCO and CEO to certify that the company’s “compliance program is reasonably designed to detect and prevent violations” of the FCPA and other anticorruption laws.
Attachment C is not new in resolutions, and its content is very much aligned with stated regulatory expectations of what constitutes an effective compliance program. The Attachment H certification—that the compliance program is “reasonably designed”—is a new feature. A looming question remains whether there could there be differing opinions on whether a program is “reasonably designed.” CCO and CEOs can take some comfort, at least, because “reasonably designed” is less worrisome than attesting that the program is effective, which is a much more subjective analysis.
First, companies are only subject to the certification in connection with a resolution—this is not a proposed change to standard disclosure requirements. Therefore, only a small subset of companies will be affected—those facing an enforcement action. If a company is facing an enforcement action, that means there has already been an investigation and significant work to enhance the compliance program to prevent and detect the conduct at issue in the investigation.
Second, it means that the company has presented its compliance program to the government, including enhancements made since the discovery of the alleged misconduct. It also means future enhancements have likely already been planned. Those presentations help set the table for the CCO to attest the compliance program is “reasonably designed” for the company.
Third, whether there is an obligation to self-report or whether a monitor is imposed as a result of the resolution, there will be continuing obligations to report on the status of the compliance program, including newly implemented components, monitoring and auditing of those components, as well as reporting on enhancements that are a work in progress or planned for the future. These reporting obligations present real opportunities to ensure there is a meeting of the minds between the CCO and the government about what “reasonably designed” means for that company. Understanding this definition will be critical in the event of recidivism.
Like SOX controls, anticorruption controls are owned by various entities across a company—legal, finance, audit, human resources, procurement, sales operations, and management all play a role and are accountable for various elements of a strong compliance program. Therefore, perhaps like SOX, a CEO and CCO faced with signing such a certification may want to consider a quarterly SOX-like sub-certification process by those accountable for internal controls designed to help the company prevent and detect corrupt behavior. Such certifications make clear who is accountable for what and will provide both the CEO and CCO with the appropriate assurances before they ever may be faced with having to sign such a certification.
All of this presumes that the CCO has adequate stature in the company and has an open and transparent relationship with both the CEO and board of directors (or sub-committee of the board that is tasked with oversight of the compliance function).
None of this precludes the possibility that some prosecutor in the future may use hindsight as 20/20 to determine that the program that was certified to was not reasonably designed. However, when asked about the certification and whether the DOJ might wait until the certification is signed to challenge whether it is reasonably designed, David Last, head of the DOJ’s FCPA Unit, commented at a June 14 International Bar Association conference on anticorruption that the DOJ doesn’t intend to “play gotcha.” Last added that the certification is intended to “incentivize” the CEO and CCO and is not meant to “provide fodder” to prosecute, noting that prosecution would be reserved for someone who “affirmatively lies” to the Department and does so knowingly. That may provide comfort to some CCOs, but likely not enough to other, more skeptical CCOs.
Morgan Lewis develops corporate compliance and ethics programs for clients’ business needs that align with global regulator and law enforcement specifications, working lockstep with clients’ risk profiles, cultures, organizational structures, systems, and processes. For additional guidance, learn more about our corporate ethics and compliance practice.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact the authors, Amy E. Schuh or Erica A. Jaffe, or any of the following Morgan Lewis lawyers:
Sheila A. Armstrong