You have just been named General Counsel of a new public company. Perhaps you got the job because you are a corporate lawyer who worked on the offering, a litigator who successfully handled a case that made the offering possible, or maybe a friend of the CEO. In any event, you probably didn’t get the job because of your experience in dealing with criminal wrongdoing within a corporation. Your lack of experience in this area can be a disaster for your company, its management and you — and your instincts alone may not be enough to steer you right.

Let’s take a case in point. After a year of steadily increasing revenues, you hear through the grapevine that some of those revenues may be tied to illegal payments made abroad in violation of the Foreign Corrupt Practices Act. You file the information away, hoping nothing comes of it. Nothing does, until federal marshals show up at your office with a subpoena or a search warrant, at which time you learn that the government received the same information you did by way of a tip, and has been secretly investigating the Company’s activities abroad ever since. The government wants to know when you first learned of the possible wrongdoing, whether you investigated it, and whether your company had a compliance program in place to detect and deter criminal activity. Your company’s board of directors now wants answers to the same questions. So do the plaintiffs in the securities fraud class action filed immediately after news of the investigation hit the newswire, causing the company’s stock to drop significantly. It’s too late now to do what you should have done then. Proper planning — including the creation of an effective corporate compliance program — could have avoided much, if not all, of the ensuing nightmare. Here’s why:

A compliance program sets forth a corporate code of conduct that defines proper business ethics within the company, and the process of creating the program forces a company to assess risk areas within its organization, minimizing the likelihood of any misconduct that could result in civil or criminal liability. Ideally then, the program would have prevented the wrongdoing or at least detected it early on. Even if the program failed to prevent the wrongdoing, however, there are additional benefits. The government places great weight on self-policing by companies and expects that companies will have a compliance program in place. It also expects that, if the company learns of any possible criminal wrongdoing, it will investigate it and, if it confirms that there was criminal activity, report the results of the investigation to the government. Since a company’s self-policing activities are regularly considered by the government in deciding whether to prosecute a company, had you taken your company’s self-policing obligations seriously, the company might have been able to avoid a criminal prosecution altogether. At the very least, your company would have faced a lighter sentence because, under the Federal Sentencing Guidelines, which apply to any "organization," public or private, creation of an effective program will permit a "reduced culpability score" (which translates to a lesser fine) should there be a criminal prosecution. For the compliance program to be viewed as "effective," it should "prevent and detect violations of law." If a company does not have a compliance program, it will not be entitled to mitigation under the Guidelines. In addition, the government will likely require the creation of a program after any finding of wrongdoing. Thus, in addition to a larger fine, the company can also expect significant government intervention in the corporation’s affairs.
For example, a recent corporate defendant stepped up its compliance efforts once it learned that it was under criminal investigation. Notwithstanding this effort, as part of its plea with the government, it had to enter into a detailed "corporate integrity agreement"— in essence a more expansive compliance program than it had originally intended.

In light of the recent case, In Re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996), there is yet another extremely important reason to tend to corporate compliance — to protect the company’s board of directors in the event of a challenge in the nature of a shareholder derivative claim or class action. The Delaware Chancery Court held that "A director’s obligation includes a duty to attempt in good faith to assure that a corporation’s information and reporting system, which the board concludes is adequate, exists, and the failure to do so . . . may . . . render a director liable for losses caused by non-compliance with applicable legal standards." Caremark left unchanged the circumstances under which a corporation may be held criminally liable for the acts of its employees: the employee must be acting within the scope of his employment with the intent to benefit the corporation. It is irrelevant that the employee might also derive a benefit from his criminal act. Thus, directors now have an affirmative duty to ensure that the corporation they serve has put in place an effective compliance program to detect and prevent fraud and criminal conduct by its employees, and the failure to do so can be used as a basis for director liability in the event the corporation is sued by its shareholders.

Indeed, a recent KPMG Peat Marwick study concluded that approximately 80% of respondents to its survey had a formal code of conduct or an ethics compliance program. However, while compliance programs are fairly standard in large corporations, far fewer respondents had an ethics or compliance officer, or were satisfied with their internal due diligence in assessing fraud. Even post-Caremark, only one third of the respondents had engaged in routine audits intended to measure the continued effectiveness of their programs.

If your board of directors wants protection from civil liability, Caremark dictates that they should be active participants in the compliance function and the compliance officer must periodically advise the board on compliance efforts and issues.

Simply put, if your company does not have a compliance program, it should.

The Seven Steps Toward An Effective Compliance Program

To create an effective compliance program, a company must follow certain steps specified in the Federal Sentencing Guidelines. See, Guidelines Chapter 8 Section 8 A1.2 Commentary 3(k). These steps set forth those criteria which, at a minimum, need to be followed for the government to consider the program to be "effective" for mitigation purposes. They are:

  1. The organization must have established compliance standards and procedures to be followed by employees and other agents that are reasonably capable of reducing the prospect of criminal conduct.
  2. High-level individual(s) within the organization must have been assigned overall responsibility to oversee compliance with standards and procedures.
  3. The organization must have used due care not to delegate substantial discretionary authority to individuals who have a propensity to engage in illegal activities.
  4. The organization must have effectively communicated its standards and procedures to all employees and other agents (i.e., trained the employees about the program).
  5. The organization must have taken reasonable steps to achieve compliance with its standards (monitored and audited the program).
  6. The standards must have been consistently enforced.
  7. After detection of offense, the organization must have taken reasonable steps to respond appropriately and to prevent further similar offenses.

If under Caremark failure to follow these compliance criteria can create potential director liability in civil suits, then demonstrating effective compliance by adherence to the seven steps might be used as a basis to shield a director from potential liability.

In interpreting the seven steps, here are some practical considerations:

Assessing The Risk Of Criminality

Don’t pull together existing corporate policies and call it a "compliance program." Your program should be created only after the company and its counsel have assessed the risks specific to the corporation and designed a program so as to deter criminal conduct in those areas. The program creators must solicit the opinions of management, as well as lower level employees, to determine those areas where the corporation may be vulnerable. If the company’s business should change in any substantial way — by virtue of a merger or otherwise — the company must reflect those changes to the business by amending its compliance program. Those creating the program should document their efforts at risk assessment, including maintaining minutes of compliance related meetings and notes of interviews of company personnel.

Management Must Make The Employees Accountable For Program Failure

Management must make clear to employees that they take the code of conduct seriously. Those in charge of each department should be held accountable for ensuring code compliance by their employees. Code compliance should be factored into incentive compensation. Where there is a lack of appreciation or inattention to the compliance function, a manager should be sanctioned, financially or otherwise.

Due Care In Delegating Authority

A company must use "due care" to not delegate substantial discretionary authority to anyone that it knows, based on its due diligence, has engaged in improper conduct. At the very least, the corporation should engage in a background check of any person it intends to bring on board that will engage in business for the corporation. Such a check should not be limited only to candidates for senior or executive positions.

Due care should not be generic. Each corporation should determine what constitutes due care in light of the nature of its particular business.

Training Employees About The Program

Employees need to understand the purpose and scope of the compliance program. To fulfill these objectives, sufficient training is required. Training is effective when done in an interactive manner that requires an action or response from the trainee. An example of interactive training is requiring employees to certify in writing that they understand and will follow the program. Compliance training, using examples specific to a company’s business, will make the program training more relevant to employees. To keep the trainees as active participants in the training process, tape the training, or give the trainees routine pop quizzes.

The compliance manual itself should be included in any employee materials given to new hires. All training that employees receive should be reflected in their personnel files, as should any refresher courses given to them.

Program trainers can come from "in-house." These individuals will probably be most knowledgeable about the company’s business. Alternatively, the company can use professional trainers who use their well honed teaching skills to educate employees. The benefit of using professional trainers is that they can properly train managers from the company’s human resource or legal departments with an eye toward having the company personnel become better teachers who can then assume the training function. The in-house instructors can revise the training program to correspond to any changes to the compliance program that are driven by changes in the company’s business. The "train the trainer" approach, therefore, can be extremely useful and cost effective.

In addition to the comprehensive training given to all employees, a company can provide targeted training, given only to those personnel whose activities create a specific legal exposure. Using our example, only those doing business abroad need to be advised about the Foreign Corrupt Practices Act.

Who Should Monitor The Compliance Process

The Sentencing Guidelines require involvement of high-level personnel in the compliance effort. The Guidelines define high-level personnel, who are to be involved in compliance, as "individuals who have substantial control over the organization or who have a substantial role in the making of policy within the organization." "The term includes a director and executive officer . . . or an individual with a substantial ownership interest." (Guidelines Chapter 8 Section 8 A1.2 Commentary 3(b).) The appointment of a high-level compliance officer sends a strong message to the employees that the company is serious about compliance and that they should be as well.

The company has various options as to who the compliance officer can be. The General Counsel, the CFO, or the chief auditor are likely candidates. The compliance officer’s responsibility is to ensure that the business practices do not violate compliance procedures and that the procedures and training in place are appropriate, and to review and investigate any compliance issues that arise. The compliance officer should report directly to the board and must have legitimate investigatory authority. He cannot be a mere figurehead.

The compliance officer needs to be independent and dedicated to the compliance function. Sufficient time, leadership skills and experience are also prerequisites. Knowledge of the company’s employees and operations, and access to resources, are also critical factors to be considered when making the selection.

The company can opt for a compliance officer new to the organization. If this is his only responsibility, he will likely develop greater familiarity with compliance issues and investigatory techniques. However, while independent, a person brought in from the outside may not have sufficient familiarity with the corporate culture. If he is viewed as an outsider, it will be harder for him to do the job.

Maintaining The Integrity Of The Program

Management must also ensure that everyone complies with the code. If the program is viewed as unfair, employees will not follow it. There should be equal punishment for a violation, regardless of who is the alleged violator.

Prevention Of Similar Offenses

Once the company is on notice of a violation, the program must be reevaluated and, if necessary, amended so as to take all reasonable steps to prevent recurrence. While it is understood that no program can be foolproof, you will undermine the legitimacy of the program if you fail to take affirmative action to improve it once it is found to be defective.

Conclusion

Now more than ever, organizations are expected to self-police to detect and deter criminal conduct. This responsibility will fall largely to you as the General Counsel. Fortunately, the creation and successful implementation of an effective compliance program will fulfill this objective. It will also provide an extremely useful mechanism to manage risk, and can shield the corporation and its directors from both criminal and civil liability. In the arsenal to protect your company and its directors and officers from liability, it is one tool you cannot do without.

© 2000 Greenberg Traurig
