What to do When the Government Gets Personal with Compliance Enforcement

By Dan A. Bailey, Bailey Cavalieri LLC

Corporate compliance efforts are no longer important just for companies. In an attempt to assure greater compliance diligence, regulators are now imposing harsh penalties on compliance officers and other individuals who fail to adopt and maintain effective compliance programs. For example, in 2014, a former MoneyGram International Inc. chief compliance officer was fined $1 million for allegedly not ensuring that the company adhered to anti-money-laundering laws. A few months earlier, FINRA fined Brown Brothers Harriman’s former global anti-money-laundering compliance officer $25,000, alleging he failed to establish an anti-money-laundering program that could reasonably detect and report potentially suspicious activity. He did not admit or deny guilt as part of the settlement.

U.S. regulators have vowed to hold more individuals responsible for compliance failures, particularly at financial institutions. And the effort may be trickling down to state regulators. Finding the enormous civil penalties levied against corporations to be inadequate deterrents, New York Superintendent of Financial Services Benjamin Lawsky proposed earlier this year that senior executives attest to the adequacy of their institutions’ anti-money-laundering and OFAC compliance systems, similar to Sarbanes-Oxley verifications about the correctness of a public company’s financial statements and the effectiveness of its internal controls. The proposal would hold individual bank executives personally responsible for their employers’ compliance system shortcomings. In the United Kingdom, the Financial Conduct Authority and Prudential Regulation Authority are working on new rules for 2016 that significantly strengthen individual accountability for compliance failures in the financial sector.

In this regulatory climate, directors and officers must be proactive and take steps to protect their organizations and themselves. An effective compliance program can reduce many of the company’s greatest risks, reduce the severity of claims and corporate and individual penalties when violations of law occur despite the program, and enhance company performance and profitability. Conversely, a deficient compliance program can result in increased liabilities, harmful management distractions and negative publicity. In short, a quality corporate compliance program is extremely valuable and important. As a result, directors should consider their oversight of compliance activities to be one of the highest priority items on their agenda.

Whistleblower Incentives
In addition to targeting personal accountability, other recent efforts by various regulators heighten even more the importance of compliance efforts within public companies. Most notably, Section 922 of the Dodd-Frank Wall Street Reform and Consumer Protection Act required the SEC to adopt rules for the implementation of a robust whistleblower program which is intended to incentivize company employees and third parties to identify and disclose to the SEC illegal conduct within the company. Those new SEC rules, which became effective in August 2011, allow a whistleblower who voluntarily provides to the SEC original information that leads to the SEC obtaining monetary sanctions exceeding $1 million to recover up to 30 percent of those sanctions. Although these new rules mildly encourage employees to utilize the company’s internal compliance programs to report wrongdoing, in reality, employees are now heavily incentivized to disclose to the SEC illegal company activity without utilizing the company’s internal compliance programs. To the extent these new rules result in the SEC learning of a legal violation before the company identifies, investigates and potentially remediates the violation, companies will likely be forced more often to defend themselves to the SEC, shareholders and the public. An obvious question in that situation will be why the company’s corporate compliance program failed to detect and prevent the illegal conduct, thereby placing even greater scrutiny and pressure on the directors to maintain an effective corporate compliance program.

The following discussion summarizes the directors’ legal duties with respect to monitoring corporate compliance, identifies practical ideas for directors to consider with respect to the various aspects of a quality compliance program and discusses important D&O litigation and insurance considerations in this context.

Director Compliance Responsibilities
A director’s duty of care requires directors to not only make informed decisions, but also to reasonably oversee the operations of the company. Encompassed within this oversight function is the responsibility to assure themselves that an effective corporate information and reporting system exists, and that this “information and reporting system is in concept and design adequate to assure the board that appropriate information [as to compliance matters] will come to its attention in a timely manner as a matter of ordinary operations.” In re Caremark International, Inc. Derivative Litigation, 698 A.2d 959, 970 (Del. Ch. 1996).

In discharging this oversight function, directors can, of course, rely in good faith on officers, employees and outside advisors with respect to designing, implementing and monitoring an appropriate compliance program for the company. However, directors should be sufficiently informed about those processes in order to allow the directors to make a reasonable assessment as to the adequacy and effectiveness of the program. At a minimum, the Board should receive reasonable assurances that employees of the company are informed and periodically reminded of corporate policies, including those pertaining to compliance with (i) codes of business conduct, (ii) anti-discrimination and employment laws, (iii) environmental and health and safety laws, (iv) anti-bribery laws, (v) antitrust and competition laws, and (vi) securities laws, particularly those addressing insider trading.

In describing an effective corporate compliance program, the U.S. Sentencing Guidelines (which greatly increase or reduce a company’s penalties for criminal violations depending on whether the company maintains an “effective” compliance program) state an effective compliance program should include the following elements: Board and management oversight and governance; proper organizational structure and accountability; an ethical culture and tone at the top; periodic risk assessments and prioritization of legal, regulatory, ethical, tax and fraud risks; policies, procedures, internal controls, training and education; monitoring and assessment of programs and processes, incident response and investigatory mechanisms; and robust corrective actions and remediation.

Importantly, the directors’ duty of reasonable inquiry does not require directors “to install and operate a corporate system of espionage to ferret out wrongdoing which they have no reason to suspect exists.” Graham v. Allis-Chalmers Mfg. Co., 188 A.2d 125 (Del. 1963). Absent a warning or “red flag,” directors satisfy their responsibilities in this context by approving and monitoring thoughtful and comprehensive compliance programs. However, directors should continually evaluate the adequacy of those programs and adopt enhancements when appropriate based upon internal experiences and peer practices.

Director Considerations
A good corporate compliance program generally includes the following five components. Some matters for directors to consider regarding each of those components are summarized below:

Establish Compliance Policies. Each company should have its own unique compliance program which reflects the specific compliance risks most prevalent in that company. Therefore, the design of an appropriate compliance program should first start with a risk assessment of the most vulnerable compliance areas within the company, and should not be limited to the company’s historical compliance issues. Directors should consider the following when evaluating the adequacy of the compliance program design:

• The program should be tailored to each separate risk factor and to the local cultures, business practices and languages of the respective business units. A one-size-fits-all program design is probably insufficient.
• The program should be supported by significant money, company resources and management support so that the program both appears to be and in fact is one of the highest priorities within the company.
• A chief compliance officer or other high-level executive should be assigned overall responsibility to oversee the compliance process and should be given broad autonomy and authority with respect to all aspects of the program.
• The program should be simple in its design and should minimize bureaucracy so that it is practical and easily understood.
• The primary Board oversight function with respect to the compliance program should be assigned to a specific Board committee, which will devote significant time on a regular basis to evaluate and monitor the program’s effectiveness.

Provide Training and Education. The best-designed compliance program is useless unless everyone involved with the company’s operations understands what is and is not acceptable conduct, the importance of full legal compliance and the role of each person in the compliance efforts. When directors evaluate the adequacy of the program’s training and education efforts, some of the factors to evaluate include the following:

• The company’s compliance standards and procedures should be effectively communicated to all employees and all outside agents who are directly involved in company business. Preferably, these communications are through onsite training programs rather than simply the dissemination of written information.
• The training program should “connect” with the participants by using creative methods such as videos, movie clips, eye-catching charts and role playing in order to gain the attention of the participants. Interactive sessions can be particularly effective.
• The training program should include a compelling explanation why compliance is critically important to the company as well as to the individual participants.
• All aspects of the compliance program should be fully explained to the participants, including not just what is proper conduct but also how to respond to inappropriate behavior by others.
• Directors should also participate in the training exercise.

Internal Reporting System. The company should establish and publicize a simple internal reporting protocol so that employees who identify inappropriate behavior can report that behavior to appropriate officials within the company. This internal reporting system should be available for use by current and former employees, as well as other third parties, should be strictly confidential, should encourage persons to make reports without fear of retribution, should ensure a thorough and independent investigation of all reports, and should accommodate complaints involving persons within the reporting structure. Although many complaints are related to personnel issues rather than legal compliance issues, these whistleblower disclosures frequently are the best source for identifying serious legal compliance issues, and therefore this internal reporting system should be a well-understood and trusted method for persons to report wrongdoing. Investigating the reports can be challenging because the most serious violations are frequently reported anonymously, but those challenging investigations are at times the most important.

The persons involved in operating the internal reporting process should have direct access to the company’s general counsel, chief compliance officer and ultimately the chair of the appropriate Board committee so that all compliance situations will be considered by disinterested persons within the company.

Audit and Monitor the Program. No compliance program is perfect or complete, and therefore constant evaluation of the program and its effectiveness is critical. Directors should seek to determine if (i) senior management is sufficiently supporting the internal compliance efforts through adequate resources, full cooperation and an appropriate tone-at-the-top, (ii) internal compliance efforts are identifying most issues before regulators do and (iii) the compliance department is identifying and correcting common causes to compliance issues when they arise. Some items for directors to consider in this regard include the following:

• Various “stress tests” should be developed to assess the compliance program’s detection capabilities and reliability. For example, an auditor could test existing controls by intentionally processing a false or fraudulent expense report which contains indicia of corruption or by attempting to improperly access confidential information.
• Employee exit interviews can include questions relating to compliance issues and risks.
• Employee cultural surveys can be used to assess attitudes, awareness and willingness to comply with various legal requirements, as well as identify emerging issues.
• Directors should meet with the respective compliance teams (rather than only with the chief compliance officer) regularly and should develop dashboard metrics which identify, for example, compliance issues which arise, trends, responses by the compliance department, results of regulatory examinations, training activities, number of issues identified by the compliance department versus whistleblowers and changes in the program.
• Directors should occasionally visit company facilities to gauge the extent of compliance sensitivity and activities.
• The program should include the investigation and monitoring of compliance by partners of the company, both before creation of the relationship and during the relationship.

Respond to Deficiencies. When compliance violations are identified, the company should react in a consistent and thorough manner. Individuals should be disciplined both for violating legal requirements as well as failing to detect or report offenses. Actions speak louder than words, and therefore how a company responds to identified violations sets an important tone within the company regarding the company’s intolerance for wrongful behavior. In addition, once an offense is identified, the compliance program should be reevaluated so that the same or similar offenses are not likely to occur again.

At every step, actions should be thoroughly documented for potential future regulator review.

Litigation and Insurance
Directors occasionally are sued by shareholders who allege that the directors failed to properly discharge their oversight duties by tolerating an ineffective corporate compliance program design, implementation and enforcement. These types of claims are typically brought in the form of a shareholder derivative lawsuit, alleging damages to the company by reason of the directors’ breaches of fiduciary duty. Several judicial and statutory defenses, including the business judgment rule, make these cases difficult to successfully prosecute, although cases involving particularly egregious conduct which results in very large losses to the company can give rise to significant settlement payments.

In most states, settlements and judgments in these types of shareholder derivative lawsuits are not indemnifiable by the company, and therefore the defendant directors’ only financial protection is through the company’s D&O insurance program. These non-indemnified losses are covered under the so-called “Side A” coverage within standard D&O policies. In order to maximize the quality and breadth of that Side A coverage, most large companies today maintain within their D&O insurance program one or more policies which only cover non-indemnified losses by directors and officers (i.e., Side A Only policies) and do not cover losses indemnified or incurred by the company. Those types of “personal asset protection” policies afford exceptionally broad coverage when compared with standard D&O policies that also cover the company. Plus, the limits of liability for those Side A Only policies are not eroded by company losses but are preserved for the personal protection of directors and officers. Directors can have even more focused personal insurance protection through an Independent Directors Liability (IDL) insurance policy, which is a Side A Only policy covering only outside directors and not officers.

Like most insurance products, though, there are major differences among the various Side A Only and IDL policies available in the market. Companies should use knowledgeable insurance brokers to identify not only the broadest Side A and IDL policy forms available, but also the Side A Only insurers that have the best claims-paying record and strongest commitment to the long-term integrity of this unique D&O insurance product.

*******

Today more than ever, corporate compliance programs are critically important to the financial and reputational success of a company. Therefore, directors should devote even greater diligence to ensuring that their compliance systems are state of the art and that their key personnel understand what’s at stake. After all, now it’s personal.