Department of Justice Announces Chief Compliance Officer Certifications as Part of Corporate Resolutions
Over the past few months, the U.S. Department of Justice (DOJ) has repeatedly signaled its intention to include chief compliance officer (CCO) certifications as part of corporate criminal resolutions going forward. DOJ’s recent resolution with global mining giant Glencore appears to be the first to include a CCO certification as to the effectiveness of the company’s compliance program. This is a clear sign that DOJ is placing added scrutiny on whether compliance professionals are being given enough authority, stature, access, and resources within the company. It also raises the possibility that compliance professionals of companies that are subject to enforcement actions may face individual liability.
DOJ Announces CCO Certifications
In March 2022, Assistant Attorney General Kenneth A. Polite Jr. delivered remarks announcing initiatives regarding corporate compliance programs. In those remarks, he stated that, for all corporate resolutions, prosecutors have been instructed to consider requiring the chief executive officer (CEO) and CCO of a relevant corporate entity to certify, at the end of the term of an agreement, that the company’s compliance program is reasonably designed and implemented to detect and prevent violations of the relevant law and is functioning effectively, before releasing a company from its obligations under a resolution agreement. In addition, where a company self-reports on its compliance program during the term of the agreement, the CEO and CCO may be required to certify that all compliance reports submitted during the term of the resolution are true, accurate, and complete. The Assistant Attorney General noted that the measure is “not punitive in nature,” and instead is intended “to empower our compliance professionals to have the data, access, and voice within the organization to ensure you, and us, that your company has an ethical and compliance focused environment.” He drew on his own experience as a compliance officer, and stated that he knew the resource challenges, challenges accessing data, relationship challenges, and “silo-ing” of compliance officer functions. He claimed that the certifications are intended to ensure CCOs “have true independence, authority, and stature within the company.” See Assistant Attorney General Kenneth A. Polite Jr. Delivers Remarks at NYU Law’s Program on Corporate Compliance and Enforcement (PCCE) (Updated March 31, 2022), available at https://www.justice.gov/opa/speech/assistant-attorney-general-kenneth-polite-jr-delivers-remarks-nyu-law-s-program-corporate.
In May 2022, Deputy Attorney General Lisa Monaco announced a new policy requiring chief compliance officers to sign off on certain agreements with DOJ, formalizing the initiatives referenced in the Assistant Attorney General’s March remarks. See Al Barbarino, DOJ Defends New CCO Certifications Amid Industry Worry, Law360 (May 26, 2022) available at https://www.law360.com/articles/1496108/doj-defends-new-cco-certifications-amid-industry-worry. The Deputy Attorney General noted that this is to “empower” CCOs and ensure they have resources and are in the loop, and noted that a recent settlement with Glencore was the first that will require CCO certification “as part of the compliance process engagement by the company.” See id.
CCO Certifications in Practice: The Glencore Resolution
On May 24, 2022, Glencore, an international commodity trading and mining company, pled guilty to U.S. bribery and market manipulation charges and admitted to conspiring to violate foreign corruption laws, agreeing to pay over $1.1 billion in criminal and civil penalties. As part of the plea agreement, Glencore agreed that it would implement a compliance and ethics program that meets, at a minimum, the elements set forth in an “Attachment C” to the agreement, such as: (a) a high-level commitment by the company’s directors and senior management to compliance policies; (b) development and promulgation of a clearly articulated and visible corporate policy against violations of the relevant laws; (c) development of compliance policies and procedures on the basis of a periodic risk assessment addressing the individual circumstances of the company; (d) assignment of responsibility to one or more senior corporate executives of the company to implement and oversee compliance policies; (e) implementation of mechanisms and trainings to ensure compliance policies are effectively communicated to all directors, officers, employees, and relevant persons; (f) establishment and maintenance of an effective internal reporting system; (g) implementation of effective enforcement and discipline practices; (h) institution of risk-based due diligence and compliance requirements pertaining to the oversight of third parties such as agents and business partners; (i) development and implementation of policies for mergers and acquisitions; and (j) conducting of periodic reviews and testing of its compliance policies designed to evaluate and improve their effectiveness. See U.S. DOJ Evaluation of Corporate Compliance Programs (Updated June 2020) located at https://www.justice.gov/criminal-fraud/page/file/937501/download.
The plea agreement also requires that, prior to the expiration of the agreed term (i.e., three years in Glencore’s case), the CEO and CCO must certify that (a) they are aware of the company’s compliance obligations; (b) based on their review and understanding of the company’s compliance program, the company has implemented a compliance program that meets the requirements set forth in Attachment C; and (c) that the compliance program “is reasonably designed to detect and prevent” future violations of the relevant law throughout the company’s operations. The specific required certification is set forth in a new “Attachment H,” and is required to be executed by the CEO and CCO thirty days prior to the expiration of the plea agreement’s term. Attachment H also makes clear that it shall “constitute a material statement and representation by the undersigned” and by the company, to the executive branch of the United States.
These new certification requirements raise concerns that they could expose CCOs to individual liability for a compliance deficiency even in instances where the CCO was diligent in their performance, but their certification is determined (at the time or subsequently) to include a material omission or misstatement. This, in turn, could discourage qualified candidates from accepting such positions. Indeed, some within the compliance industry have already expressed unease at the requirements that would make an already-difficult job more difficult and risky. Further, depending on the size of the company, certifying the effectiveness of a compliance program could be a time-intensive and incredibly complicated (if not practically infeasible) task.
In its remarks, DOJ has tried to emphasized that its focus is on CCO empowerment and that the new guidance is not intended to be “punitive,” but rather to encourage companies to devote more resources to CCO functions and take the role of CCOs more seriously. DOJ has indicated that it views the role of compliance officers within the company as key to ensuring prevention of future violations. The new policy may reflect a desire to encourage companies to make more permanent changes in company culture, following the execution of agreements, and even prior to situations arising if there is a need for the compliance function to be bolstered. Indeed, DOJ’s remarks suggest that the focus is on the importance of compliance programs and independent, resourced, and empowered compliance leadership.
How prevalent CCO certifications will now become, as well as the precise circumstances in which they will be required, remains to be seen. However, it seems clear that this will be an area of keen focus for DOJ for the foreseeable future.