Measure Twice, Reduce Once: New DOJ Compliance Certifications Put CEOs and CCOs at Risk of Individual Criminal Liability | Dechert LLP

certificate

Key points to remember

• As DOJ senior management has reported since March, the DOJ has now formally required, as part of the resolution of a corporate lawsuit, that a Chief Compliance Officer (CCO) and Chief Executive Officer (CEOs) certify under penalty of perjury and pursuant to powerful obstruction law, that their company’s compliance program was “reasonably designed” to prevent future violations of law.
• These certifications parallel those already required by Sarbanes-Oxley of CFOs and CEOs regarding the accuracy of periodic financial statements.
• While intended to hold CCOs accountable, these certifications could instead put them in the middle of disputes between management and the DOJ over the sufficiency of compliance programs or even expose them to personal criminal liability for perjury or obstruction of justice. They could also create conflicts of interest between CCOs and their companies.
• The DOJ has tried to allay fears about these certifications by reiterating that, in exercising its prosecutorial discretion, it focuses on serious or intentional misconduct by the CCO, not bona fide errors.
• With this latest development, C-Suite management should expect these certifications of compliance in future resolutions with the DOJ, whether under plea agreements or pretrial diversion agreements, such as prosecution agreements or non-prosecution agreements, and should endeavor to mitigate the risks. associated with these new compliance certifications.

Introduction

At a June conference sponsored by the Women’s White Collar Defense Association, Lauren Kootman, deputy chief of the Corporate Enforcement, Compliance and Policy Unit of the DOJ’s Fraud Section, pointed to the likely expansion of previous statements by the DOJ that compliance officers and potentially even chief executives be required to certify that compliance programs required by DOJ resolution agreements were “reasonably designed” to prevent future violations of the law. Under such a new requirement, C-Suite executives who sign the certification could face individual criminal liability for knowingly and willfully certifying the reasonable design of a deficient compliance program. Assuming the DOJ begins to enforce this requirement more broadly, CCOs and other C-Suite executives will want to thoroughly document their companies’ efforts to institute well-designed compliance measures to reduce the likelihood of future violations.

Background – The Origin of the New DOJ Compliance Certifications

The DOJ’s early certification requirement stems from a recent enforcement action in which Glencore International AG (Glencore) and Glencore Ltd. each pleaded guilty and agreed to pay more than US$1.1 billion combined to resolve government investigations into violations of the Foreign Corrupt Practices Act (“FCPA”) and a money-manipulating scheme. raw material prices.¹ Under the plea agreement, Glencore agreed to “implement a compliance and ethics program that meets, at a minimum, the elements of a regularly used resolution document that outlines the minimum requirement for a compliance acceptable ethics and compliance. Specifically, the plea agreement requires minimum compliance guidelines involving: (1) a commitment to comply; (2) policies, procedures and systems; (3) periodic risk-based review; (4) adequate supervision and independence; (5) training and orientation; (6) internal reports and investigations; (7) application and discipline; (8) relationships with third parties; (9) mergers and acquisitions; and (10) monitoring, testing and corrective action.²

The specifics of the new DOJ compliance certifications

Additionally – and significantly – the plea agreement also required the CEO and CCO to make various certifications under penalty of perjury (18 USC § 1001) as well as criminal obstruction law (18 USC § 1519), namely that

• “the undersigned are aware of the Company’s compliance obligations under . . . the deal;”
• “Based on the undersigned’s review and understanding of the Company’s Compliance Program, the Company established a compliance program that meets the requirements set forth in the Agreement; and
• “Such a compliance program is reasonably designed to detect and prevent violations of the [applicable law] (as defined in the Agreement) in all business activities. »³

A page of SOX Section 302 and 906 Certifications

Many of our readers will notice parallels between the new DOJ certifications and the certifications governing public companies under Sarbanes-Oxley (“SOX”) Sections 302 and 906. Section 906 of SOX, for example, requires the CEO and CFO to certify that the periodic report containing the financial statements fully complies with the applicable requirements of the Securities Exchange Act of 1934 and that the information contained in the periodic report presents fairly, in all material respects, the financial condition and results of operations of the issuer.⁴ Section 302 of SOX contains additional certifications to periodic reports. For example, Section 302(a)(4)(B) requires the CEO and CFO to certify that they “have designed these internal controls to ensure that material information about the issuer and its consolidated subsidiaries are brought to the attention of these managers by others within these entities, in particular during the period of preparation of the periodic reports.⁵

But unlike Sections 302 and 906, which apply to all public companies and require regular periodic certifications, the new DOJ compliance certifications apply only to companies that resolve DOJ enforcement actions by through corporate plea agreements or pretrial diversion agreements, such as deferred prosecution agreements. or non-prosecution agreements. Even then, DOJ certifications relate only to a company’s compliance program, as opposed to its financial reporting and various other disclosure obligations.

The Purpose and Impact of DOJ Certification Requirements

The DOJ said its new certifications should enable CCOs to participate in critical compliance-related decision-making and make it more than just a cost center. As AAG Kootman explained, “the intention is not to put a target on the back of a compliance officer”, and it does not mean “as a punitive measure”. Instead, the DOJ envisions its certification requirements will help ensure that CCOs “report directly to the board of directors on” what did or did not happen in the performance of duties. of the company “”.⁶

Understandable business concerns

Despite the DOJ’s framing of the problem, some CCOs have expressed concern that, while seemingly well-intentioned, the DOJ’s new certifications could actually be counterproductive. For example, some have expressed concern that the policy may lead to a reduction in the authority of a CCO by subjecting it to pressure from senior management to certify compliance programs despite some concerns of insufficient compliance. More so, the certifications are made under penalty of perjury and under powerful criminal obstruction law. These harsh realities place the CCO (and the CEO) in the crosshairs of a DOJ dispute with the company over the adequacy of the company’s compliance program.

Additionally, DOJ certifications create the potential for the CCO (or even the CEO) to become the “responsible person” if a dispute arises between the company and the DOJ over the sufficiency of a compliance program. This potentially – and some might say, unnecessarily – exposes the CCO and CEO to personal liability for future corporate violations, especially when those violations are viewed through the lens of the DOJ’s retrospective bias.

In addition, certifications have a burden-shifting character for them: they seem to require the certifier to prove his innocence, as opposed to the DOJ proving the guilt of the CCO or the CEO. In addition, certifications create a trap for the development of a potential conflict of interest between (or among) the company and the certifier(s) in the event of a dispute over the effectiveness of a compliance program. Since DOJ certifications are conducted pursuant to criminal laws and as part of the resolution of a criminal case, CEOs and CFOs may well find that they should retain their own attorney to advise them on certifications before performing them. Additionally, certification requirements also incentivize the CEO or CCO to spend limited time, energy and resources creating a written record of their efforts and the basis for certification, instead of actually working for it. better design and improve an organization’s compliance program and internal controls. All this to say that there may well be many unintended consequences that run counter to the DOJ’s stated goal of “empowering” CCOs in their compliance role.

DOJ Response

To allay some of these concerns, the DOJ has sought to state that while it retains its full panoply of prosecutorial discretion, it focuses on gross misconduct or willful malfeasance of the CCO (or CEO) by opposition to honest mistakes. For example, AAG Kootman has identified specific steps that the DOJ finds helpful in ensuring that compliance programs have sufficient “resources and authority,” including: (1) asking if the CCO plays a meaningful role in the conformity assessment; (2) implement employee surveys and tracking analytics; (3) link compensation to compliance incentives; and (4) ensuring the proper reporting and preservation of employee communications on company and personal devices.

Parting Thoughts

Regardless of the wisdom or necessity of the new DOJ compliance certifications, indications are that they seem here to stay, at least for now. As such, CEOs, CCOs, and others involved in the certification process (such as sub-certifiers) would do well to take these new certifications seriously and take steps to ensure that the certifications are met to the best extent possible, using the “reasonably designed” standard.

Footnotes

1. Press Release, Dep’t of Justice, US Atty’s Office, SDNY, Glencore pleaded guilty to foreign bribery and market manipulation conspiracies (May 24, 2022).
2. court agreement, United States v Glencore Ltd., no. 3:22-cr-71, at Dkt. 18, attachment C (24 May 2022).
3. Identifier. in Appendix F (emphasis added).
4. 18 USC § 1350.
5. 15 USC § 7241.
6. Al Barbarino, DOJ defends new CCO certifications amid industry concernsLAW360 (June 22, 2022, 4:54 p.m. EDT).

* The authors thank Julia Shea, Dechert’s summer associate, for her assistance in the preparation of this article.