Despite an industry uproar, the sky is NOT falling with the U.S. Department of Justice (“DoJ”) requirement that chief executive officers (“CEOs”) and chief compliance officers (“CCOs”) certify that their compliance programs are effective.
Instead, a warm productive sunlight will shine upon CCOs and companies. That’s because these CEO / CCO certifications – if done well with independent validation – will empower the CCO while holding the CEO, C-suite, and their business executives more accountable for their conduct and compliance.
The certifications uproar may be misguided
Some in the legal and compliance community shortsightedly warn that the DoJ certifications by corporate CEOs and CCOs are counter-productive, despite the DoJ’s stated rationale for certifications. As background, the DoJ goal is that at the end of a corporate resolution agreement with the DoJ (e.g., a guilty plea, deferred prosecution, or non-prosecution agreement), CEO / CCO certifications will assert that:
- “… the company’s compliance program is reasonably designed and implemented to detect and prevent violations of the law … and (that it) is functioning effectively.”
- “… In instances where a monitor is not imposed (to report independently) on the state of (the) compliance program, we will consider requiring that the CEO and the CCO … certify that all compliance (self-) reports submitted during the term of the resolution are true, accurate, and complete.”
The DoJ’s view is that “… by taking this step, we are ensuring that Chief Compliance Officers receive all relevant compliance-related information and can voice any concerns they may have prior to certification.”[1] (edits / emphasis added).
This rationale for CEO / CCO certifications, in our view, is sound.
The usual outcry against certifying – liability and cost
Prognosticators erroneously warn that certifications will expose CCOs to criminal prosecution and will therefore demoralize them if they sign – or refuse to sign – them. Other critics typically invoke the “regulatory burden and cost” argument.
1. Alarmingly, they are overreacting. Just as we’ve seen premature panic over certifications before.
Despite even greater criticism, the sky did not fall when the Sarbanes-Oxley Act (“SOX”) of 2002 required regular financial statement and internal control certifications by the CEO and Chief Financial Officer.
- In fact, more companies have realized that the certifications compel greater accountability from those required to sub-certify their financial controls, and SOX has helped companies standardize, streamline, and reduce redundancies over their financial reporting processes to produce accurate financial statements and a stronger system of internal controls.
2. Nor did the world end, when in 2014 the “Volcker Rule” certifications over prohibited proprietary trading was imposed.
3. Similarly, CCOs and CEOs have not been imprisoned since 2017 when the New York State Department of Financial Services (“DFS”) required “Rule 504” certifications with criminal consequences over the integrity and robustness of anti-money laundering (“AML”) and sanctions surveillance systems and processes.
- Like SOX, financial institutions subject to DFS Rule 504 have benefited from the discipline of: identifying and mapping their compliance processes and accountable control owners; and verifying the integrity of their surveillance and sanctions technology. AML and Sanctions compliance programs have improved because DFS Rule 504 certifications compel individual accountability, clarity of roles and processes, and independent validation with a written audit trail of compliance.
The benefit of certifying
A thoughtful consideration of certifications is that they have been and will continue to be a path to greater executive and individual accountability and corporate transparency. Certifications work when executed well, because they place personal accountability squarely on the signatories and on those that sub-certify before reaching the CEO, CFO (in the case of SOX), and the CCO.
Suddenly, each of these individuals care quite a bit more about personally complying. And most importantly, certifications enable a clear map of internal control processes and owners, and a more effective compliance program.
The DoJ’s corporate compliance certification requirement is no exception.
And just as independent monitors can be “allies to compliance officers”[2] and to the company, CEO and CCO certifications can benefit the company for the long run in a continuously compliant and profitable manner in a safe and responsible manner resulting from “lasting, sustainable change in corporate culture”[3].
More prosecutions ahead
Criminal prosecution and a corporate resolution are often the fallout of a tone-at-the-top culture of misconduct, noncompliance, and recidivism. That culture is fueled by profit maximization over safety and culminates in an ineffective compliance program. Worse, emboldened companies take the “business risk” of recidivism because they can easily afford to pay the monetary penalties and cost of remediation, simply by writing a check funded by one quarter’s net profit.
The root cause of these criminal violations and ineffective compliance programs is that the CCO is too often insufficiently empowered, not independent, suppressed from reporting to the board, and poorly budgeted. Multiple Foreign Corrupt Practices Act (“FCPA”) enforcement actions are continuous reminders of these compliance weaknesses. Recidivist trading and sales misconduct, fraudulent acts against consumers, and white-collar crime have not abated.
With the DoJ pronouncing that “sanctions are the new FCPA” and that serial, recidivist violators are primary DoJ targets, the intensity and number of criminal prosecutions for sanctions violations and major enforcement actions will grow followed by significant monetary penalties, reputational damage, and the likely imposition of independent monitors and CEO / CCO certifications.
“Proactively effective” compliance avoids prosecution – and certification
Remember, CEO and CCO certifications is one of the last steps of a criminal prosecution resulting in a corporate resolution with the DoJ. A company never should have gotten itself into a circumstance of criminal prosecution and settlement in the first place.
Corporate compliance programs are supposed to be well designed, adequately resourced in skills, headcount, and technological tools, which enable compliance to be “working in practice.”[4] Too often they’re not.
An empowered and independent CCO can lead a “proactively effective” compliance program visibly supported by the CEO and board of directors, with clearly identifiable processes and accountable control owners across 1st line businesses, finance, HR, operations, and IT. “Proactively effective” compliance programs have the means to “detect and prevent” misconduct and violations because their regulatory change management process is robust; fluid risk assessments properly identify, anticipate, and act upon higher compliance risks, with independent compliance testing which can promptly flag, escalate, and remediate exceptions to changing laws and policies, and longstanding ethical codes.
Connected at the hip
And an effective compliance program means that the CEO and the CCO work together regularly, continuously weaving the right fabric and culture of ethics and compliance across the company. The CEO and CCO should be visibly “connected at the hip.” Together they can hold all staff accountable for their conduct and record of compliance so that books and records and financial statements are accurate, timely and complete; that the company knows their customers, employees, vendors, and third-party agents; and in particular, that their sanctions, anti-bribery & corruption, and overall corporate compliance programs comply with hundreds of other laws and regulations in a prioritized, “working in practice” manner.
Proactive steps the board, CEO and CCOs can take together
Just as a child needs continuous nourishment to grow into a healthy and mature adult, all companies (big or small, public- or private, or for-profit or non-profit) must nourish their compliance programs to mature profitably in a safe and responsible manner. Here are some steps companies can take:
1. Benchmark and act. An empowered CCO and supportive CEO partner can lead your company to diagnostically benchmark and execute the seven elements of the U.S. Organizational Sentencing Guidelines, the 2020 DoJ Evaluation of Corporate Compliance Programs, and Federal Reserve Supervision and Regulation (“SR”) Letter 2008-08[5].
- This proactive, annual diagnostic will produce actionable steps overseen by an active board of directors and CEO to achieve and sustain a well-designed, adequately resourced, and working-in-practice compliance program.
2. Map your controls and self-certify. Map and self-assess your internal control and compliance processes to prevent and detect violations from occurring. And compel your control owners identified in your process maps to self-certify at least annually, rolling up to the CEO and CCO for their certifications.
- Personally self-certifying compels personal knowledge and a thorough understanding of the controls they own. This accountability and ownership will help shape behavior and prevent and detect misconduct and recidivist violations from occurring. Proactive self-diagnostic process mapping with certifications work.
3. Self-report. If control and compliance weaknesses or violations are self-identified through your diagnostic risk assessments, compliance testing, process mapping with certifications, then escalate these weaknesses to your board of directors in a prioritized, thematic manner with remedial action plans to be executed, with timelines and owners.
- Most importantly, self-report them to your primary regulator and where criminal matters arise, to the DoJ.
- As Deputy Attorney General Lisa Monaco recently stated, “pick up the phone and call us. Do not wait for us to call you.”[6]
Independent monitors and certifications benefit the company
Sometimes, criminal violations occur despite having an effective and proactive compliance program. The DoJ will reduce the severity of enforcement and reduce the likelihood of an independent monitor if it concludes that your company and CEO have embraced a culture of compliance and enable your CCO to have a well-designed, working-in-practice compliance program. The previously mentioned self-diagnostics with independently validated certifications will tremendously benefit during you this DoJ consideration.
However, if prosecution and enforcement results in a corporate resolution, the following steps are essential:
- Don’t’ resist. Cooperate. If the DoJ knocks on your door, you are well past resisting and / or arguing that prosecution is over-reaching. The legal fees alone to attempt resistance would be futile, possibly fatal, and quite expensive.
- Embrace an independent monitor. They can be your “allies,” as previously noted. Monitors can and should independently validate for you and your company that your remedial actions are effective, and sustainable to achieve compliance health and responsible profitability. Compliance, profit, and safety are not mutually exclusive.
- Be open to certifications. Open-mindedness reflects the right corporate culture because it demonstrates that an ethical and compliant CEO will support an empowered CCO, to sustain a proactively effective compliance program which works in practice… something the company should have had in the first place.
[1] Assistant Attorney General Kenneth A. Polite Jr. Delivers Remarks at NYU Law’s Program on Corporate Compliance and Enforcement (PCCE), March 25, 2022 – Assistant Attorney General Kenneth A. Polite Jr. Delivers Remarks at NYU Law’s Program on Corporate Compliance and Enforcement (PCCE) | OPA | Department of Justice
[2] Ibid.
[3] Ibid.
[4] DoJ Evaluation of Corporate Compliance Programs (June 2020) – https://www.justice.gov/criminal-fraud/page/file/937501/download
[5] Although applicable to US and foreign banking organizations, all companies can embrace the Fed’s principles. Federal Reserve Board – “Compliance Risk Management Programs and Oversight at Large Banking Organizations with Complex Compliance Profiles”, Revised February 26, 2021 – https://www.federalreserve.gov/boarddocs/srletters/2008/sr0808.htm
[6] Deputy Attorney General Lisa O. Monaco Delivers Keynote Remarks at 2022 GIR Live: Women in Investigations | OPA | Department of Justice