
Legal and Regulatory Basis for

Compliance Programs

A Guide for Sustainable Entrepreneurs

SUSTAINABLE ENTREPRENEURSHIP PROJECT

Dr. Alan S. Gutterman

Legal and Regulatory Basis for Compliance Programs: A Guide for Sustainable Entrepreneurs

Published by the Sustainable Entrepreneurship Project (www.seproject.org) and copyrighted © 2017 by Alan S. Gutterman. All the rights of a copyright owner in this Work are reserved and retained by Alan S. Gutterman; however, the copyright owner grants the public the non-exclusive right to copy, distribute, or display the Work under a Creative Commons Attribution-NonCommercial-ShareAlike (CC BY-NC-SA) 4.0 License, as more fully described at http://creativecommons.org/licenses/by-nc-sa/4.0/legalcode.

About the Project

The Sustainable Entrepreneurship Project (www.seproject.org) engages in and promotes research, education and training activities relating to entrepreneurial ventures launched with the aspiration to create sustainable enterprises that achieve significant growth in scale and value creation through the development of innovative products or services which form the basis for a successful international business. In furtherance of its mission, the Project is involved in the preparation and distribution of Libraries of Resources for Sustainable Entrepreneurs covering Entrepreneurship, Leadership, Management, Organizational Design, Organizational Culture, Strategic Planning, Governance, Corporate Social Responsibility, Compliance and Risk Management, Finance, Human Resources, Product Development and Commercialization, Technology Management, Globalization, and Managing Growth and Change. Each of the Libraries includes various Project publications such as handbooks, guides, briefings, articles, checklists, forms, videos and audio works and other resources; management tools such as checklists and questionnaires, forms and training materials; books; chapters or articles in books; articles in journals, newspapers and magazines; theses and dissertations; papers; government and other public domain publications; online articles and databases; blogs; websites; and webinars and podcasts.

About the Author

Dr. Alan S. Gutterman is the Founding Director of the Sustainable Entrepreneurship Project and the Founding Director of the Business Counselor Institute (www.businesscounselorinstitute.org), which distributes Dr. Gutterman’s widely-recognized portfolio of timely and practical legal and business information for attorneys, other professionals and executives in the form of books, online content, webinars, videos, podcasts, newsletters and training programs. Dr. Gutterman has over three decades of experience as a partner and senior counsel with internationally recognized law firms counseling small and large business enterprises in the areas of general corporate and securities matters, venture capital, mergers and acquisitions, international law and transactions, strategic business alliances, technology transfers and intellectual property, and has also held senior management positions with several technology-based businesses including service as the chief legal officer of a leading international distributor of IT products headquartered in Silicon Valley and as the chief operating officer of an emerging broadband media company. He received his A.B., M.B.A., and J.D. from the University of California at Berkeley, a D.B.A. from Golden Gate University, and a Ph.D. from the University of Cambridge. For more information about Dr. Gutterman, his publications, the Sustainable Entrepreneurship Project or the Business Counselor Institute, please contact him directly at [email protected].

Legal and Regulatory Basis for Compliance Programs

§1 Legal environment for business activities

In today’s business world, all companies, regardless of their size, business model and scope of activities, are required to understand and comply with a plethora of laws and regulations, including:

Common law legal relationships with employees, creditors, and landlords;

Various licensing requirements imposed by federal, state, and local governments;

Intellectual property rights;

Employment laws (e.g., harassment, discrimination and immigration laws) and applicable human resources policies;

Federal and state tax laws and regulations, including the reporting obligations imposed under such laws;

Domestic and foreign laws regulating technology transfers and the form and content of many common commercial relationships;

Federal and state statutes relating to antitrust and unfair competition;

Federal and state laws regulating commercial and consumer transactions;

Federal and state environmental laws and regulations;

Federal and state health and safety laws;

Federal and state laws relating to privacy and data security;

Federal and state securities laws and governance rules and regulations and requirements of national securities exchanges in the case of public companies;

Domestic and foreign laws relating to cross-border business activities (e.g., laws and regulations pertaining to exports, imports, bribery and compliance with foreign boycotts);

Laws and regulations relating to conducting business with the federal government and acting as a “government contractor”;

Federal and state laws relating to conflicts of interest, working with government officials, lobbying and political activities (e.g., contributions);

Internal accounting and financial controls to reduce theft and facilitate accurate disclosures and financial reporting; and

Federal and state statutes relating to consumer protection and other matters.

These requirements apply regardless of whether the business is operated as a proprietorship, a partnership, a limited liability company, or a corporation and also apply to non-profit organizations. Moreover, each form of legal entity available for use by an organization has its own set of rules regarding formation and internal operations that must be followed in order to gain the legal benefits from the use of the entity. For example, in order for the shareholders of a corporation to take advantage of the limited liability offered through the use of the corporate form, they must observe certain governance procedures and operational formalities.

Most case law and practical guidance regarding compliance and governance has been developed with respect to corporations, particularly corporations with securities traded in the public markets (i.e., “public companies”); however, compliance is relevant to every type of legal entity, and it can be expected that specific rules will emerge that take into account the legal principles that apply to general and limited partnerships, limited liability companies, non-profit organizations and other types of entities recognized by statute or under common law. Since the corporation has long been the dominant form of legal entity for organizations involved in business activities, the discussion in this chapter often refers to the board of directors and its committees formed to oversee audit and compliance issues, as well as to the shareholders who are the owners of a corporation. However, the principles in this chapter can and should be adapted to other forms of legal entity (e.g., the board of managers of a manager-managed limited liability company has duties and responsibilities similar to those of the board of directors of a corporation). Similarly, well-known principles of “corporate governance” are also applicable to non-corporate entities.1

While it is impossible to generalize, it is commonplace for growth-oriented companies to have compliance programs covering employment law matters (e.g., sexual harassment, employee discrimination and immigration laws), antitrust, securities laws, intellectual property and government contracting. With respect to international compliance areas, the scope of the programs to be implemented by a specific company will generally be determined by the particular international laws that are most relevant in its industry as well as the specific foreign countries in which the company has material business activities. For most companies this means that formal global compliance should begin with programs covering the Export Administration Regulations, including export controls and licenses and anti-boycott regulations; the Foreign Corrupt Practices Act; sanctions programs approved by Congressional action and resolutions of the United Nations and administered by the Office of Foreign Assets Control; and import laws under Customs statutes and regulations.

§2 Legal needs of technology-based companies

While the list of legal categories above is helpful and illustrative, the specific legal environment for a particular company, which determines the areas that are most important in designing a framework for complying with applicable laws and regulations, will depend on the activities of the company and the resources that the company relies upon in order to execute its strategy. For example, a list of the major categories of legal needs for larger technology-based companies (i.e., companies that rely heavily on proprietary technology for creating innovative products and processes that afford them a competitive advantage) would include the following:

Management of existing intellectual property assets and establishment of strategies and procedures for creating and protecting new assets;

1 For further discussion of the corporate governance responsibilities of corporate directors and officers, see “Governance: A Library of Resources for Sustainable Entrepreneurs” prepared and distributed by the Sustainable Entrepreneurship Project (www.seproject.org).

Compliance with environmental, product testing, health, and safety regulations, including new “green” initiatives;

Employment-related issues including compliance with applicable federal and state employment laws;

Federal securities laws including laws such as the Sarbanes-Oxley Act of 2002 which specifically address compliance issues for public companies;

International operations including compliance with export/import law requirements;

Privacy and data security laws and industry guidelines;

Accounting and financial reporting requirements;

Regulations pertaining to e-commerce; and

Litigation and e-discovery.

§3 Challenges of changing legal environments

In the past several years increased emphasis has been placed on international operations, as more companies are pushed into global business activities, and on e-discovery. The application of so-called “corporate governance” principles has also expanded to cover many private companies (i.e., companies other than companies with publicly-traded securities), including organizations in the non-profit sector. E-discovery and privacy and data security laws are generally quite a mystery and surprise to executives, and each expansion into new foreign markets typically leads to unforeseen challenges that are not always planned for in advance. For example, the lack of speed and the expected costs associated with obtaining business licenses in new foreign markets often upset even the best strategic plan for launching new activities in those markets. Another problem is attempting to enforce legal rights in foreign courts. The scope, complexity, and costs of litigation continue to rise even as the economy remains flat, and litigation generally takes up a larger percentage of the resources allocated to the legal needs of many companies.

Another complicating factor is that the legal environment for a company is not fixed: laws are continually changing, along with the risk profile associated with the evolving business activities of the company. In addition to the compliance programs discussed in this chapter, companies must establish and continuously maintain risk assessment programs that facilitate identification and management of the material business risks faced by the company. Any such assessment must address all of the threats to management’s ability to achieve the organizational objectives, including threats in the areas of operations, financial reporting, and compliance with laws and regulations. The process of risk assessment includes identifying the risks, estimating the significance of the risks, and then selecting methods to manage them. Auditors and others have identified a number of factors that they consider strong indications of increased financial risk. Therefore, management should be aware of their existence and increase its control mechanisms when the following factors exist: changes in the company’s regulatory or operating environment; changes in personnel; new or revamped information systems; rapid growth of the company; changes in technology affecting production processes or information systems; new business models, products, or activities; restructurings; expansion or acquisition of foreign operations; and adoption of new accounting principles or changing accounting principles.2

§4 Processes for tracking new legal developments

An important element of any compliance program is establishing processes for keeping track of new developments in those areas of law and regulation that are specifically applicable to the activities of the company. Information on new cases and statutes can be obtained in online publications from leading law firms. In addition, national, state and local bar associations regularly put on programs and distribute publications. For example, attorneys and others involved in compliance activities can attend live and online presentations covering all aspects of intellectual property rights, licensing arrangements, strategic technology alliances and the creation and maintenance of compliance programs. Another source of information is industry-specific publications and programs that are made available by non-legal sources that specialize in providing content to executives. Courses are offered by major universities as part of their executive education programs, and for-profit firms publish magazines and create and manage extensive curricula for working professionals. For example, CIO magazine serves chief information officers and other information technology professionals and provides them with programs, research reports and newsletters.

§5 Advantages and challenges of compliance programs

The penalties for failing to comply with laws and regulations can be significant and often can ruin a company and the careers of the persons involved in the misconduct. For example, criminal sanctions may include fines, probation, and remedial action, including restitution, community service, and notice to victims. Civil penalties can also be substantial and may include treble damages and the additional costs of litigation.
Added to all of this is the damage to the company’s reputation and employee morale, and additional scrutiny from government investigators. Finally, companies that have been found to have violated laws in government investigations may be exposed to shareholder lawsuits, loss of business partners, and debarment from government contracting. In order to fulfill their obligations and avoid the costs associated with violations, all companies should be admonished to adopt and aggressively implement compliance programs in a wide range of areas. Compliance programs are important even for companies that honestly believe they are acting in a lawful fashion, since these programs are probably the best way to establish formal policies and procedures that can guide the actions of employees and institutionalize regular assessment of actual practices. Moreover, the existence of a formal compliance program that is actually followed can be an important factor in reducing the liability of the company in the event that a problem arises in spite of the controls that have been put in place.

2 For further discussion of risk assessment procedures, see “Risk Assessments” in “Compliance: A Library of Resources for Sustainable Entrepreneurs” prepared and distributed by the Sustainable Entrepreneurship Project (www.seproject.org).

§6 --Legal and business advantages of compliance programs

While establishing and maintaining a compliance program is a time-consuming and often expensive project, there are clearly significant legal and business advantages to the company. Compliance programs can be used to educate employees and set standards for acceptable conduct in all the company’s operations around the world. There also seems to be a direct link between companies that score high on integrity factors and those that perform well financially. According to one study, five companies generally perceived as having strong integrity (i.e., General Electric, IBM, Microsoft, Toyota and Wal-Mart) were the same ones that topped the list of companies that created the most value for their shareholders. Other studies focusing generally on corporate governance, of which compliance is an important element, have verified that companies with the best governance practices tend to be relatively more profitable, more valuable and offer their shareholders a higher return on their investment.

The costs of failing to establish and maintain adequate compliance programs and procedures can be substantial. For example, violations of United States export controls can lead to criminal prosecution, arrest, extradition and severe monetary penalties. The failure to follow United States customs laws and regulations can result in significant adverse consequences, including seizure of merchandise under various circumstances, assessment of civil penalties in an amount up to the domestic value of the imported merchandise for any material misstatements or omissions or actions in connection with the importation of merchandise into the United States, and even criminal sanctions for certain violations.
It has been estimated that there are more than 300,000 federal regulations subjecting companies to criminal liability, and that, on average, 400 companies have annually been subjected to federal indictments since 1990, including 10% of the Fortune 500 companies. This is a tenfold increase from the 1980s. Moreover, criminal fines have increased dramatically in recent years from an average of $50,000 in the 1980s to millions of dollars. In light of these monetary risks, compliance programs can have substantial value because they substantially reduce the risk that companies will engage in unlawful activities.

Moreover, several federal agencies have declared that adoption of formal company-wide compliance programs can be useful evidence of the good-faith attempts by management of those companies to educate employees and establish the desired “compliance culture.” Companies that have created and followed compliance programs are better able to defend against enforcement actions by federal prosecutors by arguing that the company did in fact use reasonable care in complying with the law and that the actions of the company did not reach the level of "willfulness" required to be proven for certain criminal convictions. For example, the United States Department of Commerce and the United States Customs and Border Protection both recognize the existence of a compliance program as a factor to be taken into account with respect to mitigation of penalties. Also, the federal Sentencing Guidelines, described below, endorse reduction of criminal sentences in cases where an effective compliance program is in place. Compliance programs are also an important part of settlements with federal agencies, and corporations that have run into problems as a result of a government investigation have been able to resolve them by agreeing to bolster their compliance function and allow outside experts to audit existing controls and make recommendations to the board of directors and its audit committee with respect to improvements.

Confirming the importance of compliance, the Conference Board, an international organization that periodically reports on management and markets, found that companies are increasing their supervision of compliance, including ethics. Since 1987, when it first looked at corporate ethics programs and the involvement of the board of directors in their design, implementation and monitoring, the percentage of boards and the extent of their involvement have steadily increased, both domestically and internationally. They have also gone beyond “narrow, reactive” programs to pro-active programs with deep institutional roots. The driving forces behind this increasing emphasis on compliance programs are the recent corporate scandals, as well as the new standards adopted by regulatory agencies such as the Securities and Exchange Commission, which are described below. More specifically, the Conference Board found that, between 1987 and 1998, the percentage of survey participants indicating their directors participated in drafting a corporate code of ethics increased from 21% to 78%. Also during this period, the make-up of the participants changed dramatically—most respondents in 1987 were United States companies, but fewer than half were in 1998. This underscores that the issue is not just one for companies in the United States, but applies to all companies wherever they are operating. In addition, in the United States it is not just publicly traded companies that have compliance programs, but even those not listed (97% of those traded versus 93% of those not publicly traded).
§7 --Risks and challenges of compliance programs

While the advantages of adopting a compliance program outweigh the costs associated therewith, there are nonetheless some real risks and challenges that must be recognized and addressed before moving forward. One practical problem is making sure that employees take the program seriously, since adopting a program that is not followed can be worse than not having any rules at all. Employees may feel that, having adopted the program, they can put it behind them, move on and forget it. Ongoing education and monitoring will be critical to avoiding this problem. A second risk, known as the “litigation dilemma,” is less easily avoided. This refers to the danger that the company may discover illegal activities while creating the compliance program, and that any materials referring to or describing such activities may be subject to discovery. Even if such materials are collected through attorneys and possibly covered by the attorney-client privilege, government agencies are likely to insist on a waiver of such privileges and demand cooperation with government investigations as part of any settlement negotiations. In light of these difficult issues, it is not surprising that compliance and corporate governance have emerged as a new and rapidly growing specialty within the legal community.3

3 For further discussion of governance issues and related programs and procedures, see “Governance: A Library of Resources for Sustainable Entrepreneurs” prepared and distributed by the Sustainable Entrepreneurship Project (www.seproject.org).

Despite the mounting evidence in favor of implementing compliance systems, senior executives must still examine the tradeoff between investing resources on prevention and the expected value of liability to the company in the event that something actually goes wrong. This is particularly true when a company is just starting up and financial resources are tight. There are executives who are unwilling to support a large legal budget to cover a wide range of compliance issues and micromanage every contract because they believe that the chances of an issue coming up are small, and they will simply address the problem at that time. On the other hand, executives of public companies have learned the hard way in recent years that money must be spent on internal controls and compliance. Notable examples include accounting issues that have caused companies to restate earnings and endure strong criticism in the financial markets, and scandals relating to backdating of stock options and illegal payments to agents of foreign governments.

§8 Judicial and regulatory guidance on effective compliance programs

Compliance programs are generally discussed, and adopted, in the context of the fiduciary duties in the corporate context which flow from the directors and officers to the shareholders. Thus, it is not surprising that commentators and courts have turned to principles of duty and care in analyzing legal compliance programs. Courts have also begun to recognize the importance of guidance from governmental agencies, such as the Federal Sentencing Guidelines for Organizational Defendants, and the opportunity that compliance with such guidelines offers with respect to reducing potential liability for companies and their managers. Therefore, one can expect to see courts examining whether compliance procedures, programs and other techniques have been implemented to determine if those serving in fiduciary capacities have acted diligently. When evaluating the compliance procedures for a particular company, courts can now also refer to very specific guidelines that have been announced by regulatory agencies as well as to commentaries prepared and disseminated by professional organizations such as the American Law Institute. Finally, information that may be relevant to establishing a compliance program can be gleaned from federal laws such as the Sarbanes-Oxley Act of 2002 and the listing requirements of the major securities exchanges.

§9 --ALI principles of corporate governance

The Principles of Corporate Governance promulgated by the American Law Institute ("ALI") in 1994 (“ALI Principles”) represent a comprehensive effort to evaluate and summarize some of the major legal standards applicable to corporate governance. Under the ALI Principles, a corporation "[i]s obligated, to the same extent as a natural person, to act within the boundaries set by law."4 The managers of the corporation are obligated to direct the activities of the corporation within these boundaries.5 In addition to an obligation not to knowingly cause employees of the corporation to violate the law, directors and officers have duties to establish effective legal compliance systems to ensure that activities of the corporation are generally conducted lawfully and that illegal aberrations in corporate operations are detected and stopped.6 While legal compliance in day-to-day corporate operations need not be overseen directly by corporate directors and officers, they must act responsibly in delegating monitoring duties concerning legal compliance and must react affirmatively once they receive evidence that compliance programs are not operating properly.7 Actions and decisions by directors and officers with respect to determining the need for, and the appropriate scope of, a legal compliance system will be judged under the "business judgment rule," which will protect such individuals if they have undertaken reasonable fact gathering and evaluation prior to making a decision about the adequacy of legal compliance systems.8

4 ALI Principles § 2.01(b)(1).

5 ALI Principles § 4.01(a) (Comment d to § 4.01(a), first paragraph).

§10 --Judicial trends: Caremark case

In re Caremark International, Inc. Derivative Litigation9 involved a shareholder action brought against the directors of Caremark International Incorporated to recover fines paid by Caremark for illegal activities that occurred while the directors were in office. Federal prosecutors had charged Caremark, a health care provider, with violating federal laws by paying doctors and hospitals to refer Medicare and Medicaid patients. The company subsequently pleaded guilty to mail fraud and paid $250 million in fines and restitution. Indignant shareholders immediately began filing lawsuits to recover the corporation's losses.10 They did not claim that the directors were themselves involved in any wrongdoing; however, they argued that the directors should be liable for what amounted to a breach of their fiduciary duty of care by failing to properly supervise employees of the corporation and implement legal compliance programs which, if present, would have prevented the activities that resulted in the fines.11 The Delaware Chancery Court was called upon to review proposed settlement terms for fairness. Technically, Caremark is not a “holding” and the case does not, as a matter of law, establish standards that must be followed by the board of directors in order to avoid liability. However, it is certainly illustrative of the direction that the law seems to be taking with regard to good corporate practice. 
In the Caremark case, the chancellor explained that directors of Delaware corporations may, in fact, be subject to personal liability for losses suffered by the corporation arising out of employee misconduct if the directors fail “to attempt in good faith to assure that a corporate information and reporting system [aimed at detecting misconduct] … exists” and is adequate for this purpose.12 The information and reporting system must be “reasonably designed to provide [senior managers and board members with] timely, accurate information sufficient to allow management and the board … to reach informed judgments concerning both the corporation's compliance with law and its business performance.”13

6 ALI Principles § 4.01 (Comment c to § 4.01(a)(1)-(2)).
7 ALI Principles § 4.01 (Comment b to § 4.01(b)).
8 ALI Principles § 4.01(c).
9 In re Caremark Intern. Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996).
10 Id. at 960–65.
11 Id. at 966.
12 Id. at 970.
13 Id.

In order for a plaintiff to prevail against directors, it must be shown that there has been a “sustained or systematic failure … to exercise reasonable oversight.”14 Directors might be vulnerable where there has been “an utter failure to attempt to assure a reasonable information and reporting system exists”15 or where, after a violation or weakness in the legal compliance program has been discovered, the directors fail to investigate the situation and determine in good faith that the “information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner as a matter of ordinary operations.”16 In the Caremark case, the chancellor's review of the proposed settlement included a comparison of the proposed terms to the likely result had the case proceeded to trial. He found that, based on the particular facts of the case, the plaintiffs' case was “extremely weak.”17 He based this conclusion on findings that the directors had given some attention to legal compliance programs before the fraudulent activities occurred and had also reacted quickly to improve the company's compliance procedures once the employees' misconduct was discovered. In Caremark, the chancellor approved a settlement which included no monetary liability for the defendant directors, but Caremark was required to pay the attorney fees of the plaintiffs and make further specified changes in its compliance procedures.18

The standard established in the Caremark case regarding the compliance oversight duties and potential liability of directors has generally been upheld in subsequent cases. For example, in the In Re Citigroup litigation, the Delaware Chancery Court made it clear that in order for the plaintiffs to establish a claim against the directors for breach of their compliance oversight duties, a demonstration must be made “that the directors knew they were not discharging their fiduciary obligations or that the directors demonstrated a conscious disregard for their responsibilities, such as by failing to act in the face of a known duty to act”.19 The use of the words “conscious disregard” implies intentional conduct and the need for a showing of “bad faith” on the part of the directors and this means that the plaintiffs must prove that “(a) the directors utterly fail to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously fail to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention”.20 As an aside, the decision in the In Re Citigroup litigation is interesting in that the Delaware Chancery Court not only affirmed the Caremark case holding but also refused to extend the possibility of personal liability for directors to situations where the directors failed to predict the future and properly evaluate business risks such as the meltdown of financial markets that wiped out Citigroup’s investment portfolio.21

14 Id. at 971.
15 Id.
16 Id. at 970.
17 Id. at 971.
18 Id. at 972.
19 In re Citigroup Inc. Shareholder Derivative Litig., 964 A.2d 106 (Del. Ch. 2009).
20 Id.
21 Id.

§11 --Government agency guidelines and policies

Either as a matter of internal policy or in response to specific requirements included in legislative actions, many government agencies have issued compliance guidelines. Among the most detailed rules issued by any regulatory agency are those issued from time to time by the Department of Justice, including the policy statements regarding the factors that federal prosecutors should consider in deciding whether to pursue criminal charges against a corporation. These policy statements, prepared in the form of a memorandum, are generally named after their authors, the most recent being the Holder Memo issued in 1999,22 the Thompson Memo issued in 2003,23 the McNulty Memo issued in 2006,24 and the Filip Memo issued in 2008.25 Each new Memo supersedes the previous policy statement and includes elements of prior statements as well as new guidance intended to address particular issues. For example, the Thompson Memo's advice to prosecutors to consider waiver of privilege, and whether or not the corporation advanced counsel fees to its employees, generated a substantial amount of controversy, and the changes in both the McNulty Memo and the Filip Memo were intended to address concerns regarding those issues and update policy in other areas.26 The Filip Memo, which was announced on August 28, 2008 and officially entitled “Principles for Federal Prosecution of Business Organizations”, was similar in many ways to previous policy statements. The Filip Memo was noteworthy for the approach it took regarding several controversial issues, including whether or not waiver of the attorney-client or work product privilege is a condition to cooperation credit for a corporate target.
In addition, while not discussed in detail in this chapter, the Filip Memo also addressed other concerns about Department of Justice policies that had been festering for some period of time including clarification that prosecutors would not consider the following in evaluating cooperation: whether a corporation has advanced attorney's fees to its employees (or provided counsel to employees at the expense of the corporation); or whether a corporation has entered into a joint defense, common interest or similar agreement.27

22 See Memorandum, Bringing Criminal Charges Against Corporations (June 16, 1999), available at http://www.usdoj.gov/criminal/fraud/policy/Chargingcorps.html.
23 See Memorandum, Principles of Federal Prosecution of Business Companies (Jan. 20, 2003), available at http://www.usdoj.gov/dag/cftf/corporate_guidelines.html.
24 See Memorandum, Principles of Federal Prosecution of Business Organizations (Dec. 12, 2006), available at http://www.usdoj.gov/dag/cftf/corporate_guidelines.html.
25 See www.usdoj.gov/opa/documents/corp-charging-guidelines.pdf. See also the Justice Department's press release at www.usdoj.gov/opa/pr/2008/August/08-odag-757.html. The Guidelines can also be found at Title 9, Chapter 9-28.000: Principles of Federal Prosecution of Business Organizations.
26 For further discussion of the issues and concerns relating to waiver of attorney-client and work product privileges in the context of a government investigation, see “Internal Investigations” in “Compliance: A Library of Resources for Sustainable Entrepreneurs” prepared and distributed by the Sustainable Entrepreneurship Project (www.seproject.org).
27 For discussion of the impact of the Filip Memo on internal investigations, see “Internal Investigations” in “Compliance: A Library of Resources for Sustainable Entrepreneurs” prepared and distributed by the Sustainable Entrepreneurship Project (www.seproject.org).

The Filip Memo listed nine factors that prosecutors would be expected to take into account in reaching a decision as to the proper treatment of a corporate target28:

(1) The nature and seriousness of the offense, including the risk of harm to the public, and applicable policies and priorities, if any, governing the prosecution of corporations for particular categories of crime;

(2) The pervasiveness of wrongdoing within the corporation, including the complicity in, or the condoning of, the wrongdoing by corporate management;

(3) The corporation's history of similar misconduct, including prior criminal, civil, and regulatory enforcement actions against it;

(4) The corporation's timely and voluntary disclosure of wrongdoing and its willingness to cooperate in the investigation of its agents;

(5) The existence and effectiveness of the corporation's pre-existing compliance program;

(6) The corporation's remedial actions, including any efforts to implement an effective corporate compliance program or to improve an existing one, to replace responsible management, to discipline or terminate wrongdoers, to pay restitution, and to cooperate with the relevant government agencies;

(7) Collateral consequences, including whether there is disproportionate harm to shareholders, pension holders, employees, and others not proven personally culpable, as well as impact on the public arising from the prosecution;

(8) The adequacy of the prosecution of individuals responsible for the corporation's malfeasance; and

(9) The adequacy of remedies such as civil or regulatory enforcement actions.

The Filip Memo noted that compliance programs are established by corporate management to prevent and detect misconduct and to ensure that corporate activities are conducted in accordance with applicable criminal and civil laws, regulations, and rules. While the Department of Justice encourages such corporate self-policing, including voluntary disclosures to the government of any problems that a corporation discovers on its own, the Filip Memo noted that the existence of a compliance program is not sufficient, in and of itself, to justify not charging a corporation for criminal misconduct undertaken by its officers, directors, employees, or agents.29 A compliance program must be “effective” and, while this does not mean that the program must prevent all criminal activity by a corporation's employees, it must be adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees, and corporate management must be enforcing the program rather than tacitly encouraging or pressuring employees to engage in misconduct to achieve business objectives. The Filip Memo noted that while the Department of Justice has no formulaic requirements regarding corporate compliance programs, it should be expected that prosecutors will ask the following fundamental questions: “Is the corporation's compliance program well designed? Is the program being applied earnestly and in good faith? Does the corporation's compliance program work?” In answering these questions, the prosecutors must consider the comprehensiveness of the compliance program; the extent and pervasiveness of the criminal misconduct; the number and level of the corporate employees involved; the seriousness, duration, and frequency of the misconduct; and any remedial actions taken by the corporation, including, for example, disciplinary action against past violators uncovered by the prior compliance program, and revisions to corporate compliance programs in light of lessons learned. Prosecutors are also urged to consider the promptness of any disclosure of wrongdoing to the government and whether the corporation has established corporate governance mechanisms that can effectively detect and prevent misconduct. For example, indicators of an effective program include evidence that the corporation's directors exercise independent review over proposed corporate actions rather than unquestioningly ratifying officers' recommendations; that internal audit functions are conducted at a level sufficient to ensure their independence and accuracy; and that directors have established an information and reporting system in the organization reasonably designed to provide management and directors with timely and accurate information sufficient to allow them to reach an informed decision regarding the corporation's compliance with the law.30 Finally, a compliance program that is merely a “paper program” will not mitigate the culpability of a corporation, and credit will only be given to programs that are designed, implemented, reviewed, and revised, as appropriate, in an effective manner. In determining whether this standard has been achieved, prosecutors should take into account whether the corporation has provided for a staff sufficient to audit, document, analyze, and utilize the results of the corporation's compliance efforts and whether the corporation's employees are adequately informed about the compliance program and are convinced of the corporation's commitment to it.

28 Title 9, Chapter 9-28.300.
29 Title 9, Chapter 9-28.800.
In September 2015, Deputy Attorney General Sally Quillian Yates announced a policy that appeared to signal that the Department of Justice would proceed more aggressively in targeting individuals involved in corporate wrongdoing. The announcement, referred to as the “Yates Memo”,31 is seen as an extension of the previous memos and, in fact, the Principles and other sections of the U.S. Attorney's Manual were to be revised and updated to include the following “six key steps” from the Yates Memo:

• In order to qualify for any cooperation credit, corporations must provide to the DOJ all relevant facts relating to the individuals responsible for the misconduct;

• Criminal and civil corporate investigations should focus on individuals from the inception of the investigation;

• Criminal and civil attorneys handling corporate investigations should be in routine communication with one another;

• Absent extraordinary circumstances or approved departmental policy, the DOJ will not release culpable individuals from civil or criminal liability when resolving a matter with a corporation;

• DOJ attorneys should not resolve matters with a corporation without a clear plan to resolve related individual cases, and should memorialize any declinations as to individuals in such cases; and

• Civil attorneys should consistently focus on individuals as well as the company and evaluate whether to bring suit against an individual based on considerations beyond that individual's ability to pay.

30 The Filip Memo draws upon, and includes citations to, both USSG § 8B2.1 and In re Caremark Intern. Inc. Derivative Litigation, 698 A.2d 959, 968–70 (Del. Ch. 1996). For further discussion of the role of directors in establishing and administering corporate governance mechanisms, including effective compliance programs, see “Governance: A Library of Resources for Sustainable Entrepreneurs” prepared and distributed by the Sustainable Entrepreneurship Project (www.seproject.org).
31 http://www.justice.gov/dag/file/769036/download

While the increased focus on individual culpability has been long-awaited, it remains unclear what the actual impact of the Yates Memo will be on internal investigations. There are concerns that lower-level personnel may feel pressured to provide government investigators with what they want as opposed to facts that might be less helpful to investigators, and that higher-level officials will be less cooperative due to fears of potential individual liability. There are also worries about how the Department of Justice may go about its stated goal to “fully leverage its resources”. However, the Yates Memo does make it more important than ever for corporations and their agents (i.e., executives and all other personnel involved with compliance activities) to implement procedures that ensure that the corporation responds proactively to inquiries from the Department and is able to develop a thorough presentation of the relevant facts. Among other things, corporations are advised to update their ethics and compliance programs, particularly training activities and the procedures for reporting actual and potential violations; reiterate and reinforce the support of the executives for compliance activities, including an assessment of the current adequacy of compliance resources; ensure that there is a rapid response by executives to problems that are brought to their attention; and require that all activities relating to a response to a compliance issue are well documented in order to demonstrate to the Department that the corporation has acted in good faith to behave ethically and comply with its obligations to respond fully to the Department's inquiries.

Other federal agencies that have promulgated guidelines and policies touching on compliance programs include the Department of Defense, the Department of Health and Human Services, and the Securities and Exchange Commission.
For example, Defense Federal Acquisition Regulations System (“DFARS”) Subpart 3.10 establishes policies and procedures for the establishment of contractor codes of business ethics and conduct, and display of agency Office of Inspector General (OIG) fraud hotline posters. In general, contractors will be required to conduct themselves with the highest degree of integrity and honesty.32 In order to be sure that a contractor will achieve these objectives, it should have a written code of business ethics and conduct. In addition, to promote compliance with such code of business ethics and conduct, contractors should have an employee business ethics and compliance training program and an internal control system that are suitable to the size of the company and the extent of their involvement in Government contracting; facilitate the timely discovery and disclosure of improper conduct in connection with Government contracts; and ensure corrective measures are promptly instituted and carried out.33

The Office of Inspector General of the Department of Health and Human Services issued a “model compliance plan for clinical laboratories” which includes the following elements34:

• Written standards of conduct for employees;

• The development and distribution of written policies that promote the laboratory's commitment to compliance and that address specific areas of potential fraud, such as billing, marketing and claims processing;

• The designation of a chief compliance officer or other appropriate high-level corporate structure or official who is charged with the responsibility of operating the compliance program;

• The development and offering of education and training programs to all employees;

• The use of audits and/or other evaluation techniques to monitor compliance and ensure a reduction in identified problem areas;

• The development of a code of improper/illegal activities and the use of disciplinary action against employees who have violated internal compliance policies or applicable laws or who have engaged in wrongdoing;

• The investigation and remediation of identified systemic and personnel problems;

• The promotion of and adherence to compliance as an element in evaluating supervisors and managers;

• The development of policies addressing the non-employment or retention of sanctioned individuals;

• The maintenance of a hot line to receive complaints and the adoption of procedures to protect the anonymity of complainants; and

• The adoption of requirements applicable to record creation and retention.

Not surprisingly, given the recent flood of civil and criminal actions against senior executives of public companies for violations of law, the Securities and Exchange Commission (“SEC”) has been very active in drafting and circulating pronouncements that strongly recommend compliance programs and procedures. For example, the SEC has opined on the oversight duties of directors in the context of proceedings relating to alleged deficiencies in disclosures made by publicly traded companies, noting that directors have an affirmative duty and obligation to keep the shareholders informed, on a timely basis, of material facts concerning the basic operations of the company, and to assure that the public is provided with accurate and full disclosures about the company's operation; directors have an affirmative duty to keep themselves informed of developments within the company and to seek out the nature of corporate disclosures to determine if adequate disclosures are being made; directors may not rely on management to make required disclosures and on company counsel to advise when disclosures are required; and directors have a need for adequate, regularized procedures under the overall supervision of the board to ensure that proper disclosures are being made. Such procedures could include a functioning audit committee with authority over disclosure matters or any other procedure that involves the board of directors in a meaningful way in the disclosure process.35 This opinion has been substantially enhanced by the enactment of the Sarbanes-Oxley Act of 2002 and the related rules and regulations from the SEC and the NASDAQ and the New York Stock Exchange, which are described below.36

32 DFARS Subpart 3.1002(a).
33 DFARS Subpart 3.1002(b).
34 See Publication of OIG Compliance Program Guidance for Clinical Laboratories, 63 Fed. Reg. 45076-03 (Aug. 24, 1998).

§12 --Sarbanes-Oxley Act of 2002 and exchange listing requirements

The federal Sarbanes-Oxley Act of 2002 (“SOX”) contains many provisions that are relevant to the design, implementation and enforcement of a compliance program. For example, SOX § 406 and SEC implementing regulations require public companies to disclose whether they have adopted written codes of ethics applicable to principal executive officers, principal financial officers, principal accounting officers or controllers, or persons performing similar functions.37 Companies that have not adopted such codes of ethics must disclose the reason for not doing so. The disclosures must appear in the company's annual report. Companies changing or waiving any portion of their codes must disclose the action within five business days of the event on Form 8-K, which is filed with the SEC.38 The practical effect of these rules since SOX became effective has been to force most public companies to adopt and publish written codes of ethics and detailed statements of conduct standards for their executives, managers, employees and agents. SOX also contains three sections concerning whistleblowers. First, under SOX § 301 and Securities Exchange Act Rule 10A-3, the audit committee must establish procedures for the receipt and handling of any complaints about accounting, internal controls or auditing matters.39 The procedures must allow employees to submit anonymous complaints. Second, SOX § 806 prohibits companies from taking adverse employment action against employees who provide information to a supervisor, federal agency or Congress regarding violations of SOX, any SEC rule, or federal law regarding shareholder fraud.40 Finally, according to SOX § 1107, employers can be assessed criminal sanctions for intentionally retaliating against employees who provide truthful information to law enforcement officers regarding possible commission of federal offenses.41 All of these provisions must be taken into account in creating and implementing a compliance program.

35 See Report of Investigation in the Matter of National Telephone Co., Inc. Relating to Activities of the Outside Directors of National Telephone Co., Inc., SEC Release No. 34-14380 (Jan. 16, 1978).
36 The SEC released an enforcement manual, thereby providing securities lawyers with a valuable tool in representing their clients in SEC investigatory proceedings. See SEC Division of Enforcement, Enforcement Manual (2008), www.sec.gov/divisions/enforce/encorcementmanual.pdf. For further discussion see J. Masella III and R. Cronin, “The SEC Enforcement Manual—An aid to combat SEC investigations”, Business Law Today (March/April 2009), 51.
37 Final Rule: Disclosure Required by Sections 406 and 407 of the Sarbanes-Oxley Act of 2002, available at http://www.sec.gov/rules/final/33-8177.htm.
38 The NYSE and Nasdaq rules, adopted by the SEC in 2003, also require listed companies to adopt and disclose codes of business conduct. See NASD and NYSE Rulemaking: Relating to Corporate Governance, SEC Release No. 34-48745 (Nov. 4, 2003).
39 15 U.S.C.A. § 78j-1(m)(4).
40 18 U.S.C.A. § 1514A.
41 18 U.S.C.A. § 1513.

§13 --Federal sentencing guidelines

One of the motivating forces behind the adoption of a legal compliance program is the Federal Sentencing Guidelines for Organizational Defendants (“Sentencing Guidelines”) established by the United States Sentencing Commission.42 The Sentencing Guidelines have several objectives, including just punishment for, and adequate deterrence of, violations of federal statutes by corporations and other companies. In addition, it is hoped that the existence of the Sentencing Guidelines will provide a greater incentive for companies to establish compliance programs that will prevent illegal conduct by their employees.43 Among other things, the Sentencing Guidelines provide incentives for corporations to police their own activities for violations of law by setting fines at extremely high levels, often in excess of the net worth of many companies, and then providing for mitigation of the penalties if a corporation has an "effective compliance program" and/or "self-reports" crimes that may be committed by employees.44 For example, in the case of violations of environmental laws, the United States Department of Justice (“DOJ”) considers several factors in determining whether or how to prosecute.45 These factors include whether there has been voluntary, timely and complete disclosure of the matter under investigation; the degree and timeliness of cooperation; the existence and scope of any regularized, intensive, and comprehensive environmental compliance program; the pervasiveness of noncompliance; whether there has been internal disciplinary action; and the nature and effectiveness of subsequent compliance efforts. 
The rewards available under the Sentencing Guidelines for an effective compliance program can be substantial, since the fines established under the Sentencing Guidelines are computed by balancing the seriousness of the particular offense against the efforts of the company to prevent the violation and remedy the problem once it comes to the attention of the managers or the company. If the company does not have a compliance program in place at the time a case is settled, the government will require that such a program be established as a condition of closing the particular matter. When a company does not have a compliance program, it is likely that the court will place the company on probation for some period of time. This means that government agencies would have the right to inspect the books and records of the company, attend management meetings, conduct internal audits and investigations and manage internal discipline programs. In extreme cases, important management and financial decisions will need prior approval by the court. Therefore, implementation of a compliance program can be an important safeguard against unwanted government intrusion into the affairs of the business. The elements of an effective legal compliance program under the Sentencing Guidelines include the following:

42 USSG §§ 8A1.1 et seq.
43 See Compliance Programs & the Corp Sentencing Guidelines §§ 2:1, 4:1.
44 See Compliance Programs & the Corp Sentencing Guidelines §§ 3:26, 4:1 et seq.
45 See Compliance Programs & Corp Sentencing Guidelines App. 2.

(1) The company should develop legal compliance standards and specific compliance procedures that can be followed by employees and other agents as they go through their day-to-day activities on behalf of the company.46 In order for the legal compliance program to be adequate, it must ensure that line managers, including the executive and operating officers at all levels, direct their attention to legal compliance matters as a regular part of their oversight of the operations of the company and that legal compliance is fully integrated into other day-to-day operating practices and procedures.47

(2) A specific official at a high level within the company should be assigned primary oversight responsibility for ensuring that legal compliance procedures and standards are adhered to within the company.48 “High-level personnel” means an individual who has substantial control over the company or who has a substantial role in the making of policy within the company. The term includes a director, executive officer, individual in charge of a major business or functional unit of the company, such as sales, administration, or finance, and an individual with a substantial ownership interest.49 In addition, specific individual(s) within the company must be delegated day-to-day operational responsibility for the program.

(3) Managers must act responsibly when delegating authority within the company. This means that managers must not delegate substantial discretionary authority to individuals whom the managers know, or should have known through the exercise of due diligence, to have a propensity for illegal activities.50 In the hiring and promotion of such individuals, the company must consider the relatedness of the individual's illegal activities or other misconduct (i.e., conduct inconsistent with an effective ethics and compliance program) to the specific responsibilities anticipated to be assigned as well as other factors, including the recency of the misconduct and whether the individual engaged in other illegal activities or misconduct.51

(4) Compliance standards will only be effective if they are adequately and clearly communicated to all employees in the company.52 Therefore, it is important for the compliance team to develop communication tools that include training sessions, meetings, written materials and posted notices.

(5) It is not enough for a company to simply promulgate and communicate compliance standards. The company must also take reasonable steps to detect illegal activities by employees.53 This includes reporting and auditing systems which are reasonably designed to detect criminal activity by employees and other agents of the company.54 The company should also periodically evaluate the effectiveness of the program and have and publicize a system whereby employees and agents can report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.55

(6) A legal compliance program will not be effective unless it also includes procedures for disciplining and penalizing individuals who violate applicable conduct codes and procedures.56 It is essential that the company consistently enforce penalties for even minor violations of the compliance standards or run the risk that employees come to believe that management is not truly concerned about compliance. Discipline should extend beyond actual wrongdoers to include persons who fail to perform their monitoring and reporting duties within the program.

(7) After a violation of law has been uncovered, the company must be prepared to take reasonable steps to respond to the specific violation and to prevent further similar violations, including making modifications to the ethics and compliance program where necessary.57 Once changes have been made, follow-up reviews should be conducted on a regular basis to make sure that the changes remain in effect and are having the desired preventive effect.

46 USSG § 8B2.1(b)(1).
47 See, e.g., Proposed Environmental Guidelines §§ 9D1.1(a)(1), 9D1.1(a)(2).
48 USSG § 8B2.1(b)(2)(B).
49 See USSG § 8B2.1(b)(2)(B) (Application Note 1).
50 USSG § 8B2.1(b)(3).
51 USSG § 8B2.1(b)(3) (Application Note 4(B)).
52 USSG § 8B2.1(b)(4).
53 See USSG § 8B2.1(b)(5).
(8) Companies must periodically assess the risk of criminal conduct and take appropriate steps to modify the above requirements as necessary.58

In 2003, the Report of the Ad Hoc Advisory Group on the Organizational Sentencing Guidelines59 was issued and final amendments were submitted to Congress in May 2004.60 In light of then-recent business scandals and the adoption by various federal agencies of their own compliance program standards, the Report proposed that the Sentencing Guidelines be changed to “give greater guidance regarding the factors that are likely to result in truly effective programs.”61 More specifically, the Report identified “emerging standards” reflecting “three major departures from the organizational sentencing guidelines compliance paradigm in that they extended conduct codes and compliance efforts beyond mere legal compliance to the development of an organizational culture that encourages more effective compliance with the law, including ethics-based standards, recognize responsibilities and accountability of company leadership for compliance efforts, and require companies to conduct risk assessments of probable types and sources of misconduct and to target compliance efforts on them.”62

54 See, e.g., Defense Contractor Internal Controls, 48 C.F.R. § 203.7000 (1988); Defense Industry Initiatives on Business Ethics and Conduct in President's Blue Ribbon Commission on Defense Management, Final Report Appendix 249, 252 (1986) (describing corporate obligations to monitor internal compliance with federal procurement laws).
55 See USSG § 8B2.1(b)(5)(B), (C).
56 USSG § 8B2.1(b)(6).
57 USSG § 8B2.1(b)(7). The relevant application notes emphasize that there are two aspects to the aforementioned advice. First, the company should respond appropriately to the criminal conduct including taking reasonable steps, as warranted under the circumstances, to remedy the harm resulting from the criminal conduct such as, where appropriate, providing restitution and other forms of remediation to identifiable victims, self-reporting and cooperating with authorities. Second, the company should assess its compliance and ethics program and make such changes as are necessary to ensure the program is effective. Use of an outside professional advisor to ensure adequate assessment and implementation of changes is encouraged.
58 See USSG § 8B2.1(c).
59 Report of the Ad Hoc Advisory Group on the Organizational Sentencing Guidelines (Oct. 7, 2003), available at http://www.ussc.gov/corp/advgrprpt/advgrprpt.htm.
60 Notice, U.S. Sentencing Commission, 69 Fed. Reg. 28994-01 (May 19, 2004).
61 Report of the Ad Hoc Advisory Group on the Organizational Sentencing Guidelines p. 48 (Oct. 7, 2003).

Role of Directors in Developing and Overseeing Compliance Programs

When companies run afoul of laws and regulations the publicity can be intense and the adverse reputational and financial consequences to the company are generally quite significant. The post-mortem brings the board of directors to “center stage” and judges, regulators, investors and pundits in the financial press will all be asking whether the directors were paying attention, asking the right questions, adopting and enforcing appropriate policies and procedures, and making it clear that “compliance matters” when setting goals and allocating rewards. Simply put, while directors are not expected to fend off every act of misconduct by executives, employees and agents of their companies, they are responsible for effectively discharging their own duties and responsibilities relating to compliance and ethics programs. The core elements of directors’ compliance-related duties and responsibilities come from several sources:

The Federal Sentencing Guidelines for Organizations require that the governing authority of the organization (e.g., the board of directors of a corporation) be knowledgeable about the content and operation of the compliance and ethics program; exercise reasonable oversight with respect to the implementation and effectiveness of the program; exercise due diligence to prevent and detect criminal conduct, and promote an organizational culture which encourages compliance with the law.

Courts have recognized that directors have a fiduciary obligation to make a good faith effort to assure that an adequate compliance program exists and to take affirmative steps to ensure that appropriate information regarding compliance with applicable laws reaches the board in a regular and timely manner.

The listing requirements of the major securities exchanges include compliance-related elements such as mandating implementation of reporting procedures, adoption of codes of conduct and business ethics and independence of board and audit committee members.

Regulators focusing on a range of industries have articulated their preferences regarding the role of the board of directors in compliance activities by conditioning settlement agreements on undertakings by the company that its board will retain independent individuals or entities with compliance expertise and regulatory guidelines consistently mention that directors must be knowledgeable about, and involved with, the compliance programs of their companies.

While attention to compliance problems is generally most intense for larger publicly-owned companies, directors of firms of all sizes, including privately-owned companies, should consider “compliance” to be a significant part of their jobs. All directors have a fiduciary duty to their corporations and to the stockholders who are actual owners of the corporation and that duty will almost certainly be breached if directors fail to act with care in developing and implementing compliance and ethics programs and as a result the corporation and/or its agents are found to be culpable of misconduct and/or unlawful activity. In order to be sure that the board and its members understand their role in developing and overseeing an effective compliance and ethics program the following questions should be carefully considered:

Is each prospective member of the board advised prior to appointment that he or she will be expected to achieve and maintain an adequate level of knowledge and skills relating to their duties with respect to overseeing the company’s compliance and ethics program and is prior compliance experience a factor in vetting new board members?

Has each new member of the board completed an orientation program that includes information on the sources of a director’s duties and obligations with respect to oversight of the company’s compliance and ethics program and illustrative case studies of how courts and regulators have interpreted and enforced such duties and obligations?

62 Id. at 38.

Are the members of the board sufficiently knowledgeable about the operations and structure of the company to understand internal reporting procedures and lines of authority and identify the activities that present the highest level of compliance risk?

Are the members of the board sufficiently knowledgeable about the legal environment for the company’s specific business activities so that they can readily understand the statutes and regulatory guidelines that are most relevant to decisions about how to design the compliance and ethics program?

Has the board ensured the compliance and ethics program is appropriate for the specific activities of the company by undertaking a detailed risk assessment that identifies and ranks risk areas and issues that have raised compliance problems in the past and must be specifically addressed in the program?

Has the board conducted a “cost-benefit” analysis regarding the scope of the company’s compliance and ethics program to ensure that the company’s limited resources for compliance infrastructure have been efficiently allocated to the areas that present the most significant potential risks and liabilities for the company?

Has the board fulfilled its overriding obligation to be knowledgeable about the content and operation of the company’s compliance and ethics program by overseeing the development of the program and formally reviewing and approving the overall program and specific policies and procedures within the program (e.g., code of conduct, policies regarding conflicts of interest, “hot line” or other policies for reporting misconduct and policies that address the company’s highest risk areas such as employment laws, antitrust laws and/or products liability laws) before implementation?

Has the board formally approved the creation of an independent team with compliance expertise within the company’s organizational structure that includes (1) a chief compliance officer (“CCO”) who reports directly to the board (or audit or compliance committee of the board), (2) a compliance department overseen by the CCO, (3) a corporate compliance committee (“CCC”) with members from all the company’s functional departments charged with implementing compliance policies and procedures, and (4) an internal controls/security department charged with implementing internal controls and detecting and reporting actual misconduct and suspicious activities?

Has the board formally given the CCO and the compliance department the authority to audit the activities of the company’s legal department and provide direct guidance and assistance to members of the board regarding fulfillment of their oversight responsibilities relating to compliance activities?

Has the board formally reviewed and approved the charter of the CCC to ensure that it addresses key activities such as the development and implementation of codes of conduct and other compliance policies and procedures, development and administration of compliance and ethics training programs, risk assessments, annual audits of compliance and internal controls programs and remedial actions and employee discipline in the case of compliance issues or other misconduct?

Does the board (or the audit or compliance committee of the board) receive regular reports from the CCO regarding the involvement of managerial leaders from other departments (e.g., human resources, legal, finance, business development etc.) in the activities of the CCC and the actions they have taken to implement relevant aspects of the compliance and ethics program within their departments?

Has the board required that the CCO develop objective performance metrics for the compliance and ethics program that have been formally approved by the board and set aside time at each meeting of the board (or audit or compliance committee of the board) to receive reports on the operations of the compliance department and progress toward satisfying the program’s goals and objectives and ask compliance-related questions of the CCO and members of the senior management team?

Has the board allocated sufficient human, financial and technological resources to the compliance and ethics program (including funding for the CCC and retention of outside advisors (e.g., lawyers, accountants and consultants)) and invested the board’s own time in continuously considering compliance-related issues?

Has the board provided for the “express authority” and “direct reporting obligation” for those persons with day-to-day responsibility for compliance activities (e.g., the CCO) to have direct access to members of the board and/or the committee of the board to which compliance matters have been delegated (i.e., audit or compliance committee) without having to report to the CEO, other members of the senior management team or the legal department?

Has the board acted in a manner that sets the appropriate “tone at the top” with respect to promotion of an organizational culture of ethical conduct throughout the company and encouraging compliance through the use of appropriate incentives and disciplinary measures and proactive involvement in the development and approval of the compliance and ethics program in the manner described above?

Has the board properly aligned the incentives for members of the management team and employees by ensuring that the company’s performance evaluation and incentive compensation processes take into account not only traditional financial metrics but also compliance and ethics-related objectives such as product/services quality, safety and customer satisfaction?

Have all of the members of the board, as well as officers and employees of the company, completed adequate training to ensure that they are aware of the content and purposes of the company’s compliance and ethics program and how issues are identified and remediated?

Has the board provided for continuous training of board members and senior management on the impact of changes in the legal and regulatory environment of the company that will impact the company’s compliance requirements?

Have all of the members of the board been provided with suggestions on how they can educate themselves about how to carry out their compliance oversight activities such as by accessing information, guidelines and educational programs available through government websites (e.g., Office of Inspector General)?

Does the board oversee regular reviews of the compliance and ethics program, no less than annually, to determine if changes are necessary in light of objective metrics of the efficacy of the procedures included in the program and changes in applicable laws and regulatory enforcement initiatives?

Does the board oversee regular reviews of the company’s internal controls and risk management policies and procedures, no less than annually?

Does the board ensure that reports or findings of compliance problems or other acts of misconduct are promptly reviewed and that responses are made in a timely fashion?

References and Resources

The Sustainable Entrepreneurship Project’s Library of Resources for Sustainable Entrepreneurs relating to Entrepreneurship is available at https://seproject.org/compliance/ and includes materials relating to the subject matters of this Guide including various Project publications such as handbooks, guides, briefings, articles, checklists, forms, videos and audio works and other resources; management tools such as checklists and questionnaires, forms and training materials; books; chapters or articles in books; articles in journals, newspapers and magazines; theses and dissertations; papers; government and other public domain publications; online articles and databases; blogs; websites; and webinars and podcasts. Changes to the Library are made on a continuous basis and notifications of changes, as well as new versions of this Guide, will be provided to readers that enter their names on the Project mailing list by following the procedures on the Project’s website.

08.2017