Sign on the Dotted Line: Compliance Certifications by CEOs and CCOs A Likely Requirement
As it continues its focus not just on enforcement, but on compliance, members of the U.S. Department of Justice have foreshadowed a sea change for Chief Executive Officers and Chief Compliance Officers in corporate resolutions: namely, individual certifications as to the design and efficacy of a company’s corporate compliance program.
In late March, Assistant Attorney General Kenneth A. Polite Jr. announced, “[i]n order to further empower Chief Compliance Officers, for all of our corporate resolutions (including guilty pleas, deferred prosecution agreements, and non-prosecution agreements), I have asked my team to consider requiring both the Chief Executive Officer and the Chief Compliance Officer to certify at the end of the term of the agreement that the company’s compliance program is reasonably designed and implemented to detect and prevent violations of the law (based on the nature of the legal violation that gave rise to the resolution, as relevant), and is functioning effectively.”
Doubling down on this impending requirement, in a June 22 panel discussion, the Fraud Section’s Assistant Chief and compliance expert, Lauren Kootman, explained “[w]e have for a long time required that the CEO and CFO certify that they have met their disclosure obligations . . . [w]e are now expanding [certifications] to chief compliance officers. . . . The intention,” Kootman explained, “is not to put a target on the back of a chief compliance officer, but rather to incentivize companies to consider whether their compliance programs are appropriately resourced and well-designed.” Similarly, Polite explained that this additional certification is not intended to be punitive, but rather “it is a new tool in your arsenal to help combat those challenges . . . It’s the type of resource compliance officials, including myself, have wanted for some time because it makes clear you should have and must have appropriate stature in corporate decision-making. It is intended to empower our compliance professionals to have the data, access, and voice within those organizations to ensure them and the Department that the company has an ethical and compliance-focused program.”
Making good on these announcements, on May 24 of this year, Swiss-based mining giant Glencore entered a $1.1 billion settlement for bribery and manipulation charges. In the resulting plea agreement, both the CEO and the compliance head are required to certify at the conclusion of the reporting period, which is typically three years and is three years in this case, that the compliance program is “designed to prevent and detect violations of the FCPA and other applicable anti-corruption laws throughout its operations, including those of its affiliates, agents, and joint ventures, and those of its contractors and subcontractors whose responsibilities include interacting with foreign officials or other activities carrying a high risk of corruption.”
These announcements, raising fears among many CEOs and CCOs of the potential for increased personal liability, have triggered concerns among many that – contrary to their stated purpose of empowering the cause of compliance – these certification requirements may actually undermine the desirability of a top compliance seat. Regardless, these statements and the policy they appear to embody emphasize anew the significant compliance expectations of federal prosecutors – corporate resolution or no – for both a company and its most senior executives.
Putting teeth into these expectations, the DOJ has continued to broaden both its focus and its expertise in compliance. Indicative of these efforts, the Fraud Section has reorganized its prior internal strategy and policy team into the current “Corporate Enforcement, Compliance, and Policy Unit,” or CECP, a group focused on providing compliance expertise across the Section and participating actively in the assessment of corporate compliance programs in resolution negotiations and throughout post-resolution obligations. Similarly, the DOJ continues to significantly expand its compliance resources. As Kootman warned, “[a]dditional people will be joining us very shortly with more experience,” including people with in-house compliance experience. More compliance-focused prosecutors will necessarily mean that companies, and the executives now required to personally certify programs, will face increased and more exacting compliance scrutiny.
The certification game is not new. The DOJ appears to be following in the footsteps of HHS-OIG (“OIG”), which has long deployed these types of CCO certifications in Corporate Integrity Agreements (“CIAs”) and other corporate resolutions, efforts that suggest a potential roadmap for compliance professionals navigating DOJ obligations. The OIG negotiates CIAs with health care providers, manufacturers and other entities as part of the settlements of federal health care program investigations. For more than a decade, CIAs have commonly featured requirements that both CEOs and CCOs provide specific, compliance-related certifications. For example, in the September 29, 2010, Novartis CIA, the CCO and CEO were required to submit certifications to seven specific stipulations, including that “to the best of his or her knowledge, except as otherwise described in the report, Novartis has implemented and is in compliance with all requirements of this CIA, [. . .] has reviewed the report[,] has made reasonable inquiry regarding its content and believes that the information in the report is accurate and truthful.”
Like the DOJ most recently, the OIG has explicitly stated that its CIA requirements are not meant to be punitive. Rather, they are “designed to put the entity at the frontline of promoting compliance . . . and hopefully put in the culture of compliance that comes from the top of the company.”
As with many acts of management and strategy, compliance programs and efforts are not an exact science, and courts and regulators alike rightly recognize that even the most well-intended, well-designed, and well-resourced program cannot prevent all wrongdoing. Given this reality, anyone sitting in the chief compliance officer seat would understandably have concerns about the DOJ’s new certification requirements. Compliance executives can and should seize this moment as an opportunity for ownership and empowerment of their functions and compliance programs. Several key steps can be taken to build the organizational maturity and personal comfort needed to drive program effectiveness and – if needed – provide executive compliance certifications:
- Formally and Systematically Assess Risk and Program Efficacy – Believing is Not Enough
Robust and formal structures for assessing evolving risk and testing program efficacy are critical to drive the needed evolution in compliance programs and internal controls and – where needed – support executive certifications. While understanding industry trends or having extensive experience in the sector are helpful, all too often companies rely on these experiences presuming this company is like the last; or that the program is well-designed or effective because it is within perceived norms; or that no formal assessment is needed because “our people are all over it” or “know everything around here.”
Risk and program assessment must certainly be tailored to the company, accounting for key factors such as size, commercialization status, product portfolio, business strategy, and geographic footprint. But – as made clear by the OIG and DOJ – all companies should have a right-sized, risk-based process for understanding their evolving risk and assessing their program. While there are many ways to structure risk and program assessment, both the OIG and DOJ make clear that only these kinds of structured efforts go beyond conjecture and provide the foundation on which a company can answer – and now an executive can certify – that a program is well-designed, implemented, and effective.
- Get an Independent View – Bolster Internal Assessment with External Validation
Even where a program is built on a rigorous risk assessment and subjected to programmatic testing, those internal efforts will be necessarily constrained to the company’s perspective of itself – a perspective that may be called into question particularly in the enforcement context. An independent, external review of a compliance program by subject matter experts serves two key purposes: first, where conducted by those deeply steeped in the industry, these efforts provide valuable benchmarking and insights on how a company’s effort measures up – a perspective that will provide validation of current efforts, identify considerations for enhancement, or both. Whether answering to a board, enforcement authorities, or the public, external validation provides a critical foundation to craft program strategy and answer key questions: “How did you get comfort with current strategy and efforts?” and “How do you know it’s working?”
Second, independent assessment can serve as key evidence of the commitment and good faith efforts of the company and its executives. In addition to serving as a foundation for any required executive certifications, these efforts can materially mitigate individual exposure given that most often the standard for executive liability turns not on delivering a perfect outcome, but rather on good faith, unconflicted management.
In an industry experiencing rapid change and emerging from a global pandemic, external review by those experienced in the industry and regularly before regulators brings informed independence, serving to both drive the program and protect the company and its gatekeepers.
- Establish the Structures Needed to Drive Efficacy, Accountability, and Confidence
Even before facing a certification requirement, companies should ensure that governance structures are positioning the program – and thus the company – for success. This begins with, as the DOJ’s guidance puts it, the “autonomy and resources” of the compliance function. In the context of executive compliance certifications, Polite further explained the DOJ’s position:
[W]hen we are evaluating whether a compliance program is adequately resourced and empowered to function effectively, we want to know more than dollars, headcount, and reporting lines. We will review the qualifications and expertise of key compliance personnel and other gatekeeper roles. We want to know if compliance officers have adequate access to and engagement with the business, management, and the board of directors. We seek to understand whether and how a company has taken steps to ensure that compliance has adequate stature within the company and is promoted as a resource.
Empowered by a now-looming certification requirement, compliance executives should take this moment to encourage their company to undertake efforts such as benchmarking and evaluation to carefully consider the structure, qualifications, funding, integration, and empowerment of the compliance team through the lens of regulator expectations, prior enforcement, and industry norms.
Relatedly, the certification requirements serve to underscore the long-standing expectation of regulators that those leading a company personally understand and have comfort in corporate compliance efforts. The potential for personal certification commands those at the top to design and implement formal structures that ensure every level of the business and each member of the compliance team truly owns and is accountable for its remit. Executives should actively avoid the all-too-often-heard mantras of “we have great people” or “my team knows where to find me.” Instead, reminiscent of the sub-certification structures in place relating to SOX, executives should develop mechanisms to formally account for and escalate the understanding of risk, validation of the implementation of the compliance program, and identification of concerns and enhancements. While these efforts may take many forms and can and should be tailored to the particular company and program, formal structures for accountability and escalation will drive program effectiveness, which is likely to fend off or avoid enforcement, and serve as a critical foundation for executive certifications should they be required.
Assistant Attorney General Kenneth A. Polite Jr. Delivers Remarks at NYU Law’s Program on Corporate Compliance and Enforcement (PCCE), (March 31, 2022), https://www.justice.gov/opa/speech/assistant-attorney-general-kenneth-polite-jr-delivers-remarks-nyu-law-s-program-corporate.
See id.
United States v. Glencore International A.G., Plea Agreement, May 24, 2022, DOCKET NO: 22-CR-297.
Transcript for audio podcast: OIG Outlook 2013: Chief Counsel to the IG, Gregory E. Demske, https://oig.hhs.gov/newsroom/podcasts/2012/outlook/demske-trans.asp.
The OIG regularly requires a centralized risk assessment and internal review process to take place at least annually to: (1) identify and prioritize risks, (2) develop internal audit work plans related to the identified risk areas, (3) implement the internal audit work plans, (4) develop corrective action plans in response to the results of any internal audits performed, and (5) track the implementation of the corrective action plans in order to assess the effectiveness of such plans. See [cite].
 See, for example, the latest iteration of the DOJ’s Evaluation of Corporate Compliance Programs, at , noting that “[quote on necessity of risk / program assessment].” [rework as needed – but just want a cite to the section and some quote on it.