What the C-Suite and Board Should Know About the New CCO Certification Requirement from DOJ

U.S. Department of Justice (DOJ) Deputy Attorney General Lisa Monaco presented a new policy at a Securities Industry and Financial Markets Association event that requires chief compliance officers (CCO) to certify that compliance programs have been “reasonably designed to prevent anti-corruption violations.”1 The policy is an outgrowth of a settlement involving US$1 billion in criminal and civil penalties imposed on mining giant, Glencore International AG (Glencore), after it pleaded guilty to bribery and market manipulation charges.2 According to Monaco, this new policy is meant to ensure that CCOs stay in the loop on potential company violations and have the necessary resources to prevent financial crime.3 While the expressed intention of this new policy is to empower CCOs, it has raised concerns about potential liability for CCOs.

GLENCORE SETTLEMENT

Glencore is among the largest companies that dominate global trading of oil, fuel, metals, minerals, and food.4 In 2018, Glencore was subject to a multi-year investigation by the DOJ for violations of the Foreign Corrupt Practices Act (FCPA) and a commodity price manipulation scheme.5 According to admissions and court documents filed in the Southern District of New York, Glencore, acting through its employees and agents, engaged in a scheme for over a decade to pay more than US$100 million to third-party intermediaries in order to secure improper advantages to obtain and retain business with state-owned and state-controlled entities. A significant portion of these payments were used to pay bribes to officials in Nigeria, Cameroon, Ivory Coast, Equatorial Guinea, Brazil, Venezuela, and the Democratic Republic of the Congo.6 Glencore resolved the government’s investigations by entering into a plea agreement (Plea Agreement)7According to the Plea Agreement, Glencore admitted to one count of conspiracy to violate the FCPA.8 Shaun Teichner, the general counsel for the company, told a federal judge in New York that Glencore “knowingly and willingly entered into a conspiracy to violate the Foreign Corrupt Practices Act by making payments to corrupt government officials.”9

Glencore expects to pay about US$1 billion to U.S. authorities, after accounting for credits and offsets payable to other jurisdictions and agencies, and about US$40 million to Brazil.10 A related payment by Glencore to the United Kingdom will be finalized after a hearing next month.11

The Plea Agreement requires that Glencore, among other things: (1) implement two independent compliance monitors, one in the United States and one abroad, to prevent the reoccurrence of crimes; (2) retain a compliance monitor for three years; and (3) have its chief executive officer (CEO) and CCO submit a document certifying to the DOJ’s fraud section that the company has met its compliance obligations (the CCO Certification Requirement or the Certification).12

WHY THE CCO CERTIFICATION REQUIREMENT HAS RAISED CONCERNS

The CCO Certification Requirement has raised concerns in the compliance space over potential increases in CCO liability.13 Specifically, compliance officials worry that this policy transfers corporate liability into potential individual liability for the CCO. The Certification form asks the CEO and CCO to certify that the compliance program has been “reasonably designed” to prevent future anti-corruption violations.14 Critics worry that these new certifications may discourage CCOs from taking jobs at companies that are or may be parties to agreements with the DOJ.15

The DOJ stated that liability will depend on the facts and circumstances of the case but that the new policy is not aimed at going after CEOs or CCOs.16 Assistant Attorney General Kenneth A. Polite Jr. stated, “if there is a knowing misrepresentation on the part of the CEO or CCO, then that could certainly result in some form of personal liability.”17  Depending on the circumstances, the DOJ may consider it a breach of the corporation’s obligations under the Plea Agreement if there is either a misrepresentation in one of these certifications or a failure to provide the same.18 Polite added that “the certification memorializes the company’s commitment to take its compliance obligations seriously.”19

Critics question how realistic the CCO Certification Requirement is for large, multinational companies.20 They also question the due diligence required to actually ensure that compliance programs are “reasonably designed,” especially for companies operating in over 50 countries. Would it be realistic to expect a CCO or CEO to keep tabs on compliance across their company with that level of specificity?21

WHAT THE C SUITE AND BOARD SHOULD CONSIDER MOVING FORWARD

The questions to consider are: (1) where will the expressed policy lead? And (2) how do we best prepare for the Certification?

The DOJ has specifically stated its intention to “prosecute the individuals who commit and profit from corporate malfeasance.”22 Regardless of Monaco’s comments, the Certification appears to create potential for an extension of that policy.

The fact of the policy gives rise to a number of subsidiary questions. Is the Certification, which targets foreign corrupt practices, a harbinger for other such certifications in areas such as health care fraud, defense contractor fraud, money laundering, etc.? And is DOJ gearing toward providing its prosecutors with more tools for individual culpability at the highest corporate levels consistent with its expressed policy?

Moving forward, in-house counsel should work with the CEO and CCO to consider areas of corporate business practices that are specifically subject to compliance programs. They should develop practices including auditing, tracking, training, and reviewing to ensure the programs are “reasonably designed” to prevent future wrongdoing. Further, they should be sure to document their corporate business practices. Obviously, these programs become much more complex when operations include foreign jurisdictions and foreign laws with respect to matters such as privacy and employee rights.

Although this process may not be new to protect corporations from criminal charges, the newly-announced policy will certainly focus the spotlight on CEOs and CCOs in the FCPA context and arguably beyond.


FOOTNOTES

Al Barbarino, DOJ Defends New CCO Certifications Amid Industry Worry, LAW360 (May 26, 2022), https://www.law360.com/whitecollar/articles/1496108/doj-defends-new-cco-….

Id.

3 Id.

4 Chris Strohm, Chris Dolmetsch & Jack Farchy, Glencore Pleads Guilty to Decade of Bribery and Manipulation, BLOOMBERG (May 24, 2022), https://www.bloomberg.com/news/articles/2022-05-24/glencore-to-appear-in-us-uk-courts-over-resolutions-of-probes.

5 Id.

6 News Release, U.S. Dep’t of Just., Office of Pub. Affs., Glencore Entered Guilty Pleas to Foreign Bribery and Market Manipulation Schemes, (May 24, 2022), https://www.justice.gov/opa/pr/glencore-entered-guilty-pleas-foreign-bribery-and-market-manipulation-schemes.

7 Id.

8 Id.

Strohm, supra note 4.

10 Id.

11 Id.

12 Id.

13 Barbarino, supra note 1.

14 Id.

15 Id.

16 Id.

17 Id.

18 Id.

19 Id.

20 Id.

21 Id.

22 News Release, U.S. Dep’t of Just., Attorney General Merrick B. Garland Delivers Remarks Announcing Glencore Guilty Pleas in Connection with Foreign Bribery and Market Manipulation Schemes (May 24, 2022), https://www.justice.gov/opa/speech/attorney-general-merrick-b-garland-delivers-remarks-announcing-glencore-guilty-pleas.

Copyright 2022 K & L Gates

OCIE Director Instructs Advisers to Empower Chief Compliance Officers

On November 19, 2020, Peter Driscoll, director of the Office of Compliance Inspection and Examination (“OCIE”) of the Securities and Exchange Commission (“SEC”), gave a speech urging advisory firms to empower their Chief Compliance Officers (“CCOs”).  The speech, made at the SEC’s annual compliance outreach conference, accompanied OCIE’s Risk Alert, issued the same day, identifying notable deficiencies and weaknesses regarding Registered Investment Advisors (“RIAs”) CCOs and compliance departments.  Driscoll’s speech complemented the Risk Alert by outlining the fundamental requirements for CCOs:  “empowered, senior and with authority.”

Under Rule 206(4)-7 promulgated under the Investment Advisers Act of 1940, 17 C.F.R. § 270.38a-1 (the “Compliance Rule”), an RIA must adopt and implement written policies and procedures reasonably designed to prevent violation of the Advisers Act and the rules thereunder.  According to Driscoll, this cannot be done unless the RIA’s CCO is empowered to fully administer the firm’s policies and procedures and holds a position of sufficient seniority and authority to compel others to comply with those policies and procedures.  In its Risk Alert, OCIE identified common compliance deficiencies among RIAs directly stemming from an unempowered CCO, including a lack of sufficient human resources to implement policies and procedures, failure of executive management to support the CCO, and even firing the CCO for reporting suspicious behavior.  In order to address and prevent these deficiencies, Driscoll described a set baseline expectations regulators should look for, and which firms can adopt, in assessing the power and authority of the CCO and compliance function.

  • Compliance Resources: RIAs should continually reassess their budgetary needs based on their business model, size, sophistication, adviser representative population and dispersal, and provide for sufficient resources as necessary for compliance with applicable laws.  This may mean hiring additional compliance staff and upgrading information technology infrastructure, especially if the firm has grown or taken on a new business.  Compliance staff should be trained, at a minimum, to perform annual reviews, accurately complete and file advisor registration forms (Form ADV), and timely respond to OCIE requests for required books and records.

  • Responsibility of CCOs: While CCOs may have multiple responsibilities, they must be, at a minimum, knowledgeable of the Advisers Act and its mandates in order to fulfill their responsibilities as CCO.  CCOs should not only assist firms from avoiding compliance failures, but should also provide guidance on new or amended rules.

  • Authority of CCOs: Senior management should vest CCOs with ample authority and routinely interact with them.   CCOs need to understand their firm’s business and, when necessary, be brought into the business decision-making process.  CCOs should also have access to critical operational information such as trading exception reports and investment advisory agreements with key clients.  CCOs should be consulted on all matters with potential compliance implications, such as disclosures of conflicts to clients, calculation of fees, and client asset protection.

  • Position of CCOs: At a minimum, CCOs should report directly to senior management, and preferably be a part of senior management.  CCOs should not be mid-level officers or placed under the Chief Financial Officer function.

  • Security of CCOs: CCOs should have confidence that they can raise compliance issues with the backing and support of senior management without being scapegoated or terminated.

These expectations should not be read as an exhaustive checklist but as a preliminary framework for evaluating the effectiveness of a firm’s compliance function and its CCO – key elements of a firm’s ability to comply with the mandates of the Compliance Rule.  This framework can be also be used to ensure the firm’s compliance function is appropriately tailored to its size, business model, and compliance culture.


Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.