Opinion: DoJ puts CCOs in enforcement firing line
For companies subject to federal criminal enforcement actions in the US, the responsibilities of the CEO and chief compliance officer (CCO) to lead and manage corporate compliance reform apparently were not substantial enough for the US Department of Justice (DoJ). These leaders must now put their personal stamps of approval on the company’s remediation efforts and expose themselves to the risk of prosecution for doing so.
Under the DoJ’s new compliance certification requirement, CEOs and CCOs must certify at the end of the term of any enforcement agreement that the company’s compliance program is 'reasonably designed to detect and prevent violations of the [relevant criminal law or laws at issue] throughout the company's operations.'
In resolutions where a monitor is not imposed, the DoJ may also require CEOs and CCOs to further certify that any compliance progress reports submitted to the department during the pendency of the enforcement agreement were ‘true, accurate and complete as of the day they were submitted’.
In so certifying, the CEO and CCO must each agree in writing that their statements are material for purposes of a prosecution for false statements or falsification of records in a federal investigation.
The DoJ introduced the concept of imposing a compliance certification requirement in March 2022 when Kenneth Polite, assistant attorney general of the criminal division, announced publicly that his team was considering requiring both CEOs and CCOs to certify, at the conclusion of all corporate resolutions, that the company’s compliance program ‘is reasonably designed and implemented to detect and prevent violations of the law’ and ‘is functioning effectively’.
Polite reasoned that the measure would ‘empower’ CCOs and allow them to enjoy ‘true independence, authority and stature within the company, ensuring that [CCOs] receive all relevant compliance-related information and can voice any concerns they may have prior to certification.’ He assured that the measure was not meant to be ‘punitive in nature’.
Since then, a range of DoJ officials, including Deputy Attorney General Lisa Monaco, have expressed similar sentiments about the compliance certification requirement, emphasizing that the new requirement is intended to ensure that CCOs are ‘in the room’ and reporting to the board directly about ‘what has or has not gone on in the course of fulfilling the company’s obligations.’
The certification requirement progressed from the conceptual to the actual in May 2022 when the DoJ reached a resolution with Glencore, the multinational commodities trading and mining firm, that both imposed a monitor and included the company’s agreement that both the CEO and head of compliance would execute compliance certifications at the conclusion of the three-year term of the resolution.
Specifically, the CEO and head of compliance will have to certify that ‘the company has implemented a compliance program that meets the requirements’ set out in the agreement and that the ‘compliance program is reasonably designed to detect and prevent violations’ of the relevant criminal laws.
Notwithstanding the imposition of a monitor, the resolution left open the possibility that the CEO and head of compliance would certify as to the truthfulness, accuracy and completeness of any reports that might be submitted to the DoJ as part of the resolution.
INDIVIDUALS SINGLED OUT
The certification requirement is clearly intended to pressure companies responsible for significant transgressions to prioritize both effective compliance remediation and accurate and complete communications with the DoJ about the remediation. These are worthy goals, no doubt, but the DoJ seeks to achieve them by unfairly singling out the very individuals who typically lead such reform efforts and making them feel the heat from exposure to personal criminal liability.
In the case of a CCO, the requirement puts in the crosshairs a company leader who in most cases has dedicated an entire career to advancing corporate compliance. The unfairness is even more palpable when one considers that the DoJ provides no guidance to help CEOs and CCOs determine when a compliance program is ‘reasonably designed’, a standard that could easily have different interpretations and thus ensures a degree of risk in any certification.
The requirement also seemingly ignores the challenges that will be faced by the CEOs and CCOs of large, multinational companies who will have to marshal the facts necessary to personally certify that their company’s compliance program has been reasonably designed throughout the company’s operations.
For companies that operate across the globe, such certifications will be impossible to predicate on personal knowledge, so the CEOs and CCOs will have to rely on representations of company employees in key positions, which likely will give rise to a cascading sub-certification protocol similar to that arising under the Sarbanes-Oxley Act. This is a cumbersome process that is often used by US public companies to support mandatory CEO and CFO certifications of financial statements and controls.
The uncertainties in the certification requirement have led critics to contemplate whether the requirement will discourage the most qualified CCO candidates from seeking to work for the companies that need their services most – those that are facing criminal enforcement actions – a consequence that could seriously undermine the purpose and any benefit of the requirement.
Assurances from DoJ officials that the certifications are ‘not punitive’ literally don’t make sense and will provide little comfort to the CEOs and CCOs who are made to personally bear their company’s responsibilities to remediate compliance deficiencies and to communicate honestly with the DoJ. Indeed, the point of any certification requirement is to establish a low bar to prosecution as a guarantee that certified facts are true.
Deliberately subjecting the CEOs and CCOs to that low prosecution bar will undoubtedly make them feel they have been selected for adverse treatment simply for taking on a lead role in addressing their company’s compliance challenges.
But the assurances of the DoJ officials raise an even more fundamental question. To the extent that such assurances are meant to suggest the certifications will not be used against CEOs and CCOs, why even have the requirement? This move to create criminal exposure without the intention of using it risks unintended consequences, particularly since the current intentions of DoJ officials may have little bearing on how the department acts years later when the certifications must be executed and the potential exposure to criminal prosecution is formed.
NEED FOR COMPLIANCE CERTIFICATION?
In truth, there is little to suggest the need for the compliance certifications. There has been no indication that the DoJ faces a problem with companies deceiving it regarding the state of their compliance programs when they are discharged from criminal resolutions. Such deception would be unlikely given the thoroughness with which the DoJ manages corporate discharges.
Indeed, the requirement seems totally superfluous in cases where a monitor is imposed, since in such cases the DoJ has the benefit of receiving an independent assessment from a sophisticated third party that has access to all relevant information and employees. But even in cases where there is no monitor, a dedicated and experienced DoJ team typically engages in a rigorous process to fully assess the state of corporate compliance, thus ensuring the existence of effective controls.
Although in recent years there have been some examples of corporate criminal recidivism that could be considered to imply that the companies involved did not have effective compliance programs at the conclusion of their previous resolutions, the more likely explanation is that these companies regressed after the conclusion of the initial criminal resolution – not that they provided false or incomplete information.
Compliance program regression post-resolution is simply not a problem that would be addressed effectively through compliance certifications related to the accuracy or completeness of earlier progress reports or related to the effectiveness of the program at the time of the resolution’s conclusion. In the absence of independent merits for the measure, the fact that other federal agencies such as the SEC require compliance certifications in connection with civil enforcement resolutions provides no additional support for a DoJ requirement.
At this stage, it is unknown whether the DoJ will ever use these compliance certifications to pursue criminal liability against CEOs or CCOs. Nevertheless, any company seeking to resolve federal criminal charges should expect, as part of any resolution, to commit its CEO and CCO to certifying at the end of the resolution that the compliance program is ‘reasonably designed’ to detect and prevent relevant criminal violations and that the compliance reports submitted along the way were true, accurate and complete when they were submitted.
CEOs and CCOs should also understand that, in connection with such certifications, they will be expected to expose themselves personally to the risk of prosecution for false representations. In addition, companies facing DoJ enforcement actions should – to support their CEOs and CCOs – consider adopting a protocol that establishes a waterfall of sub-certifications in order to establish a solid factual foundation for the certifications the DoJ will require.
Karma Farra is an associate and Michael Mann and Timothy Treanor are partners with Sidley Austin