- As DOJ senior leadership signaled it would do since March, DOJ has now officially required as part of resolving a corporate enforcement action, that a Chief Compliance Officer (CCO) and Chief Executive Officer (CEO) certify under penalty of perjury and pursuant to a powerful obstruction statute, that their company’s compliance program has been “reasonably designed” to prevent future violations of law.
- These certifications parallel those already required by the Sarbanes-Oxley Act from Chief Financial Officers and CEOs with regard to the accuracy of periodic financial statements.
- Though intended to empower CCOs, these certifications could instead place them in the middle of disputes between management and the DOJ over the sufficiency of compliance programs or even subject them to personal criminal liability for perjury or obstruction of justice. They could also create conflicts of interest between CCOs and their companies.
- DOJ has tried to assuage fears about these certifications by reiterating that, in exercising its prosecutorial discretion, its focus is on serious or intentional CCO misconduct, not good faith mistakes.
- With this latest development, C-Suite management should expect these compliance certifications in future resolutions with DOJ, whether pursuant to plea agreements or pre-trial diversion agreements, such as deferred prosecution agreements or non-prosecution agreements, and should work to mitigate the risks associated with these new compliance certifications.
At a June conference sponsored by the Women’s White Collar Defense Association, Lauren Kootman, the Assistant Chief of DOJ’s Fraud Section’s Corporate Enforcement, Compliance and Policy Unit, signaled the likely expansion of DOJ’s prior statements that Chief Compliance Officers and potentially even Chief Executive Officers will be required to certify that compliance programs required by DOJ resolution agreements have been “reasonably designed” to prevent future violations of law. Under such a new requirement, C-Suite executives who sign the certification could face individual criminal liability for knowingly and willfully certifying the reasonable design of a deficient compliance program. Assuming DOJ begins imposing this requirement more broadly, CCOs and other C-Suite management will want to fastidiously document their companies’ efforts to institute compliance measures that are well designed to reduce the likelihood of future violations.
Background – The Origin of DOJ’s New Compliance Certifications
DOJ’s anticipated certification requirement stems from a recent enforcement action where Glencore International A.G. (Glencore) and Glencore Ltd. each entered guilty pleas and agreed to pay more than US$1.1 billion combined to resolve the government’s investigations into violations of the Foreign Corrupt Practices Act (“FCPA”) and a commodity price manipulation scheme.1 Under the plea agreement, Glencore agreed to “implement a compliance and ethics program that meets, at a minimum, the elements of a regularly-used resolution document that outlines the minimum requirement for an acceptable ethics and compliance program. Specifically, the plea agreement requires minimum compliance directives involving: (1) commitment to compliance; (2) policies, procedures, and systems; (3) periodic risk-based review; (4) proper oversight and independence; (5) training and guidance; (6) internal reporting and investigation; (7) enforcement and discipline; (8) third-party relationships; (9) mergers and acquisitions; and (10) monitoring, testing and remediation.2
The Specifics of the New DOJ Compliance Certifications
Additionally—and significantly— the plea agreement also required both the CEO and CCO to make various certifications under penalty of perjury (18 U.S.C. § 1001) as well as a criminal obstruction statute (18 U.S.C. § 1519), namely, that
- “the undersigned are aware of the Company’s compliance obligations under . . . the Agreement;”
- “based on the undersigned’s review and understanding of the Company’s compliance program, the Company has implemented a compliance program that meets the requirements set forth the Agreement; and
- “such compliance program is reasonably designed to detect and prevent violations of the [applicable law] (as defined in the Agreement) throughout the company’s operations.”3
A Page from SOX’s Section 302 and 906 Certifications
Many of our readers will notice parallels between the new DOJ certifications and the certifications governing public companies under Sections 302 and 906 of the Sarbanes-Oxley Act (“SOX”). Section 906 of SOX, for example, requires the CEO and Chief Financial Officer to certify that the periodic report containing the financial statements fully complies with the applicable requirements of the Securities Exchange Act of 1934 and that information contained in the periodic report fairly presents, in all material respects, the financial condition and results of operations of the issuer.4 SOX’s Section 302 contains additional certifications to periodic reports. For example, § 302(a)(4)(B) requires the CEO and CFO to certify that they “have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared.”5
But, unlike Sections 302 and 906, which apply to all public companies and require regular periodic certifications, DOJ’s new compliance certifications apply only to those companies that resolve DOJ enforcement actions through corporate plea agreements or pre-trial diversion agreements, such as deferred prosecution agreements or non-prosecution agreements. Even then, DOJ’s certifications only speak to a company’s compliance program as opposed to its financial reports and various other disclosure obligations.
The Purpose and Impact of DOJ’s Certification Requirements
DOJ has stated that its new certifications ought to empower CCOs to be involved in critical compliance-related decision-making and to make them more than just a cost-center. As AAG Kootman explained, the “intention is not to put a target on the back of a chief compliance officer,” and it is not meant “as a punitive measure.” Instead, DOJ envisions that its certifications requirements will help ensure that CCOs are “reporting to the board directly about ‘what has or has not gone on in the course of fulfilling the company’s obligations.’”6
Understandable Corporate Concerns
Despite DOJ’s framing of the issue, some CCOs have raised concerns that although seemingly well-intentioned, DOJ’s new certifications actually may be counterproductive. For example, some have expressed concern that the policy might result in the undercutting of a CCO’s authority by subjecting them to senior management pressure to certify the compliance programs despite some concerns of insufficient compliance. Even more, the certifications are being made under penalty of perjury and pursuant to a powerful criminal obstruction statute. Those stark realities put the CCO (and CEO) in the crosshairs of a DOJ dispute with the company over the sufficiency of the company’s compliance program.
Also, DOJ’s certifications create the potential for the CCO (or even CEO) becoming the “fall person” if a dispute emerges between the company and DOJ over the sufficiency of a compliance program. It potentially—and some might say, unnecessarily—exposes the CCO and CEO to personal liability in the event of a future corporate violation, especially when such violations are viewed through the prism of DOJ hindsight bias.
Also, the certifications have a burden-shifting nature to them: They seem to require the certifier to prove his/her innocence as opposed to DOJ proving the CCO’s or CEO’s guilt. Furthermore, the certifications create a trap for the development of a potential conflict of interest between (or among) the company and the certifier(s) in the event of dispute about the efficacy of a compliance program. As the DOJ’s certification are made pursuant to criminal laws and as part of a resolution of a criminal matter, CEOs and CFOs might well feel that they need to retain their own individual counsel to advise them on the certifications before executing them. In addition, the certification requirements also incentivize the CEO or CCO to spend outsized time, energy, and limited resources creating a paper trail of their efforts and the basis for the certification as opposed to actually working to best design and improve an organization’s compliance program and internal controls. All this is to say that there may well be many unintended consequences that are counterproductive to DOJ’s stated purpose of “empowering” CCOs in their compliance role.
To assuage some of these concerns, DOJ has sought to state that although it maintains its full panoply of prosecutorial discretion, its focus is on serious misconduct or intentional CCO (or CEO) malfeasance as opposed to good faith mistakes. For example, AAG Kootman identified specific steps DOJ deems useful in ensuring that compliance programs are sufficiently “resourced and empowered,” including: (1) asking whether the CCO has a meaningful role in the evaluation of compliance; (2) implementing surveys of employees and follow-up analyses; (3) connecting compensation to compliance incentives; and (4) ensuring proper reporting and preservation of employee communications on company and personal devices.
Regardless of the wisdom or necessity of DOJ’s new compliance certifications, all indications are they appear here to stay, at least for the time being. As such, CEOs, CCOs, and others involved in the certification process (such as sub-certifiers) would do well to take these new certifications seriously and to take steps to ensure that the certifications are complied with to the best extent possible, using the “reasonably designed” standard.