Chief Compliance Officers (CCOs) routinely take point on reaching resolution with state and federal regulators when addressing and settling cases related to regulatory or compliance violations. However, in 2022, the US Department of Justice has formally required that in the case of enforcement actions against health care organizations, CCOs will now be front and center on certifying as to their organizations’ compliance program effectiveness.
The March 2022 comments by the US DOJ Assistant AG Kenneth Polite Jr. clearly set forth the expectation that compliance officers have the authority, independence and accountability to both drive compliance and to certify their organization’s program effectiveness:
Chief Compliance Officers and their functions should have true independence, authority, and stature within the company. In order to further empower Chief Compliance Officers, for all of our corporate resolutions (including guilty pleas, deferred prosecution agreements, and non-prosecution agreements), I have asked my team to consider requiring both the Chief Executive Officer and the Chief Compliance Officer to certify at the end of the term of the agreement that the company’s compliance program is reasonably designed and implemented to detect and prevent violations of the law (based on the nature of the legal violation that gave rise to the resolution, as relevant), and is functioning effectively. In certain resolutions, we will require additional certification language.
In certain resolutions, we will also require additional certification language. When a company is required to provide annual self-reports on the state of their compliance programs, we will consider requiring the CEO and the CCO to certify that all compliance reports submitted during the term of the resolution are true, accurate, and complete.
On May 26, 2022 Deputy Attorney General Lisa Monaco presented a new policy at a Securities Industry and Financial Markets Association event, requiring CCOs to sign off on certain agreements with the DOJ, stating that the policy is meant to “empower” the CCO, to ensure that the CCOs are “in the room” and reporting to the board directly about “what has or has not gone on in the course of fulfilling the company’s obligations,” and to promote the concept that “the business is taking ownership of its role in the compliance program and the Head of Compliance receives all relevant compliance-related information and can voice any concerns prior to certification.” According to Monaco, this new policy is meant to ensure that CCOs stay in the loop on potential company violations and have the necessary resources to prevent financial crime.
Notwithstanding the stated intent, the requirement of CCO certification can create significant challenges and has been met with some concern within the compliance community for a number of reasons:
- A CCO could face individual criminal liability under federal fraud statutes for false certification statements if the CCO is knowingly misrepresented their organization’s compliance program or the status of corrective actions.
- A CCO could be exposed to individual liability even when the CCO was diligent in assessment of compliance program status but the certification is later found to include a significant or material omission or misstatement.
- Compliance officials worry that this policy transfers corporate liability into potential individual liability for the CCO.
- Trying to hire a CCO into an organization that is under a federal settlement agreement where certifications are required will be more difficult due to the potential new liability.
- The DOJ’s Certification form asks the CEO and CCO to certify that the compliance program has been “reasonably designed” to prevent future anti-corruption violations. In the Certification Attachment H of the 2022 Glencore case, the certification language is fairly broad, particularly the language stating the compliance program be ‘reasonably designed and implemented to detect and prevent violations…throughout the company’s operations.’ Asking any one individual to certify the effectiveness of an organization’s compliance program is a practically infeasible due to the complexity of multi-tiered and matrixed corporate structure where compliance must be assessed and monitored.
From a practical standpoint, in most cases where a settlement with the DOJ is under discussion, compliance deficiencies have been defined and disclosed, the compliance program has undergone intense scrutiny and a corrective action plan to address deficiencies has been developed. These extensive discussions with the DOJ and clear reporting obligations give the CCO an opportunity to assure that organizational leaders are in the room when operational and leadership accountabilities are being determined so that they understand how a “reasonably designed” compliance program aligns with the government’s interpretation and expectations.
There are other steps that CCOs can take to bolster documentation of compliance program effectiveness:
- Each compliance program component requires a clear and accurate policy and procedure and that it has been implemented. However, the CCO should also be able to demonstrate that the implemented policy has tangibly resulted in detecting, monitoring and/or preventing non-compliant activities.
- CCOs, with the support of the CEO, should mandate a sub-attestation process whereby each organizational leader responsible for particular compliance requirements must certify and attest to the accuracy of the information provided to the CEO and CCO prior to their certification under penalty of perjury to the DOJ. Using this compliance control structure, operational and business units are accountable for organizational compliance as a whole. To be effective, these internal attestations must include serious consequences in the event they prove to be knowingly or recklessly false, misleading or incomplete.
The DOJ has repeatedly stated the new requirement should not be considered punitive but instead “is intended to empower our compliance professionals to have the data, access, and voice within the organization to ensure the CCO and the DOJ that a company has an ethical and compliance focused environment.” The potential liability for CCOs who are diligently working in good faith and who accurately represent their knowledge of a compliance program effectiveness seems fairly low. However, this new requirement can put increased pressure particularly on CCOs working for organizations where compliance involvement in limited or dismissed when business decisions are being made. Also, when CCO certification will free a company from DOJ supervision, the pressure on a CCO to certify a less than stellar compliance program can be significant.
The frequency with which CCO certifications will be required is not yet clear, nor are the circumstances for using the certification well defined but recent remarks by the DOJ would seem to indicate that organizations should expect to see more of these in the future.