We consider below how advancement of legal fees, indemnification, and insurance operate when officers and directors become involved in regulatory investigations and proceedings. Part I addresses the enhanced risk officers and directors face today in an Age of Accountability. Part II addresses advancement of legal fees, which may be discretionary or mandatory depending on a company’s by-laws. Part III covers indemnification, which generally requires at least a conclusion that the officers and directors acted in good faith and reasonably believed that their conduct was in, or at least not contrary to, the best interests of the corporation. Part IV examines insurance coverage, which varies from carrier to carrier and may or may not provide meaningful protection. Finally, Part V summarizes the principal lessons from the analysis. Although there is significant overlap with similar principles that apply to private litigation, we limit our discussion here to advancement, indemnification, and insurance for regulatory investigations and proceedings.
I. The Age of Individual Accountability
Criticizing regulators for not prosecuting senior executives has become one of the great American sports. Whether it’s Judge Jed Rakoff writing in The New York Review of Books,or Gretchen Morgenson and Louise Story writing in The New York Times, or Pro Publica reporter Jesse Eisinger writing in The New York Times Magazine, or countless others making similar arguments in other publications, they sound a consistent theme: executives should have been prosecuted more aggressively for their roles in the financial crisis.
However misguided, this is not surprising. John Kenneth Galbraith observed in his history of financial bubbles going back to “Tulipmania” in the 1600s, “The final and common feature of the speculative episode—in stock markets, real estate, art, or junk bonds—is what happens after the inevitable crash. This, invariably, will be a time of anger and recrimination and also of profoundly unsubtle introspection.” The anger “will fix upon the individuals who were previously most admired for their financial imagination and acuity.” He could have added: it will also fix upon the regulators who failed to prevent the crisis.
There are compelling reasons senior executives have not been charged in greater numbers. For example, Roger Lowenstein, whose books and articles have often been critical of financial institutions and their executives, nevertheless rejected the notion that the financial crisis was caused by fraud. The assumption that the crisis was caused by fraud, he wrote, “hinder[s] our understanding of the crisis” and “do[es] violence to our system of justice.”  The crash “was the result of a tendency in our financial culture, especially after a period of buoyancy, to push leverage and risk-taking to the extreme.” But that is not fraud, and is not a basis for either criminal or civil actions against CEOs and CFOs. “We should all be thankful,” Lowenstein writes, that “people who contribute to a financial collapse aren’t guilty of a crime absent specific violations that make them so.”
Unfortunately for CEOs, CFOs, and other senior executives, the drumbeat of criticism has stung the regulators and caused them to place targets on the backs of senior executives. No matter what regulators do, armchair prosecutors will perceive it as too little, and for that reason enforcement regulators are under great pressure to be as aggressive as possible. That is why the SEC highlights the fact that as of the end of 2013, it had brought actions against 70 CEOs, CFOs and other senior officers in connection with its financial crisis enforcement actions. SEC Chair Mary Jo White has made targeting individuals a “core principle” of the SEC’s enforcement program on the theory that “when people fear for their own reputations, careers or pocketbooks, they tend to stay in line.”  Most SEC cases now name individuals.
Other agencies are focused on individual accountability as well. In imposing a $10 million fine on a bank executive and a $7.5 million fine on a CFO for a bank’s alleged disclosure violations, New York Attorney General Eric Schneiderman said, “This settlement is one more step in our effort to hold top financial executives accountable for their actions.” The Federal Energy Regulatory Commission imposed a $30 million fine on an individual trader for violating the Commission’s anti-manipulation rules. In a March 2014 speech, Benjamin Lawsky, New York State’s Superintendent of Financial Services, focused almost exclusively on his intent to punish Wall Street executives.  In testimony before Congress, David S. Cohen, the U.S. Treasury Department’s Undersecretary for Terrorism and Financial Intelligence, stated that the agency was focused on “employing all the tools at the agency’s disposal to hold accountable those institutions and individuals who allow our financial institutions to be vulnerable to terrorist financing, money laundering, proliferation finance, and other illicit financial activity.” (emphasis added). In a May 9, 2014 speech, CFPB Director Richard Cordray stated that issues of individual liability should be based on the “concept of accountability,” and that the CFPB has taken action ranging from requiring individuals to finance restitution to consumers to referring them to the Justice Department for criminal prosecution.
A recent survey by the American Association of Bank Directors found that over the prior five years 24.5% of banks had directors or prospective directors resign, refuse to serve on a committee, or refuse an offer to become a director because of fear of personal liability. Needless to say, it is even more important in the Age of Accountability for officers and directors to understand what protection they have, and do not have, against having to pay large fines out of their own pockets for conduct they undertake on behalf of their companies.
II. Mounting a Defense: Who Pays?
Regulatory investigations and proceedings often take years to bring to conclusion and may involve millions of dollars, and occasionally tens of millions of dollars, in legal fees. The first question for officers and directors is whether they are entitled to advancement of legal fees incurred in defending against a regulatory investigation.
A. Upon Receipt of an Undertaking, Delaware Law Permits but Does Not Require Advancement of Legal Fees
We turn to Delaware law first because so many companies are incorporated in Delaware and because other states often follow Delaware law and Delaware decisions on corporate governance issues. Delaware law permits, but does not require, a company to advance legal fees incurred in defending a civil, criminal, administrative, or investigative suit or proceeding. Of course, the difference between permitting and requiring is potentially the difference between fees being advanced or not advanced.
If a company chooses to advance, Delaware law requires the company first to obtain “an undertaking by or on behalf of such director or officer to repay such amount if it shall ultimately be determined that such person is not entitled to be indemnified….” A typical undertaking provides that the officer or director undertakes to repay any amounts advanced by the company to the extent it is ultimately determined that the officer or director is not entitled to indemnification. With regard to former officers and directors, as well as employees who are not officers or directors, Delaware law appears to permit but not require an undertaking.
Delaware law also allows the company to impose such “terms and conditions” as it deems appropriate. For example, a company might require collateral, retain the right to select counsel, determine the reasonableness of the fees, or demand to be kept informed regarding developments in the investigation.
Because Delaware makes advancement permissive but not mandatory, it actually provides very little protection to an executive. For example, what will happen if there is a change in management, or if regulators pressure a company not to advance legal fees, or if a matter has received publicity that makes directors uncomfortable in making a discretionary decision to advance fees, or if the board becomes unsympathetic to the executive being investigated, or if the executive has left and gone to a competitor at the time the investigation is commenced? Unless executives have a high degree of confidence that they can predict the future in a very challenging and often hostile environment, they should take virtually no comfort from the fact that a company may advance legal fees. A company that maychoose to advance legal fees may also choose nottoadvance legal fees.
B. Many Company By-Laws Require Advancement to the Maximum Extent Permitted by Delaware Law
Many companies protect officers and directors by adopting by-laws that require the company to provide advancement and indemnification to the maximum extent permitted by Delaware law. The Delaware Supreme Court itself has observed, “[M]andatory advancement provisions are set forth in a great many corporate charters, bylaws and indemnification agreements.” For example, many companies have by-laws that provide that the company “shall” advance legal fees “to the maximum extent permitted by Delaware law” upon receipt of an undertaking to repay the amount advanced if it shall ultimately be determined that the officer, director or employee is not entitled to indemnification. The by-laws may further provide that the advancement is not intended to be a personal loan, that the fees will be paid within a specific period of time (for example, 30 days), and that the officer or director may seek mandatory injunctive relief if the company fails to pay the fees. The by-laws may also provide that the officer, director, or employee will be entitled to advancement without regard to their ability to repay or ultimate entitlement to indemnification, until the final determination of the proceeding. Of course, the added protection to the executives may come at an unwelcome cost to the company of advancing fees to an unsympathetic individual who will not be in a position to reimburse the company at the end of the proceeding.  This irritation may be most acute when the same by-law provisions that apply to third-party claims against an officer or director also apply to claims by the company itself, as few things irritate companies more than having to advance legal fees for an individual that the company itself has accused of wrongdoing.
When companies make the permissive advancement provisions of Delaware law mandatory for the company, Delaware courts almost uniformly enforce the mandatory advancement provisions – even when it appears that the officer or director may have engaged in misconduct and the company resists advancement. They do so on the ground that the issue of advancement is distinct from the issue of the ultimate merits, and that advancement is required until the ultimate merits are determined, which may not be until appeals have been exhausted. The proper remedy when a corporate executive has engaged in misconduct is usually not to deny advancement before the matter is concluded but to seek recovery of any funds advanced once the matter is concluded.
The first practice pointer here is simply that officers and directors (and employees) need to know whether they work for a company that has made the Delaware advancement provisions mandatory, or whether, instead, they work for a company that has preserved its discretion to advance or not advance on any terms it sees fit. In the case of the former, the officers, directors, and employees have a strong right to advancement; in the case of the latter, their protection is entirely dependent on the company’s exercise of its discretion, which may turn out to be no protection at all. The second point is that advancement is not unconditional – it comes with an obligation to re-pay if it is ultimately determined that the officer or director is not entitled to indemnification. We turn to that issue below.
III. Ready to Settle—Now Who Bears The Cost?
Delaware Vice Chancellor Sam Glasscock, III, recently explained the rationale for broad indemnification as follows:
No corporation can be a success unless led by competent and energetic officers and directors. Such individuals would be unwilling to serve if exposed to the broad range of potential liability and legal costs inherent in such service despite the most scrupulous regard for the interests of stockholders. This is the rationale behind the indemnification and advancement provisions of Delaware corporate law.
While there are compelling reasons to protect officers and directors through broad indemnification, there are also countervailing considerations. In particular, regulators often disfavor indemnification because they believe it detracts from individual accountability and reduces the incentives against misconduct. Since corporations act through individuals, the argument goes, individuals should also be accountable when a company engages in misconduct. Regulators also tend to believe that when an individual settles a regulatory proceeding, the individual is guilty of the conduct the regulators have alleged whereas the individual and corporation may believe the settlement was made for other reasons, such as getting closure and avoiding the cost, distraction, and uncertainty associated with litigation. Beginning with the financial crisis, the individual accountability side of the argument has received more attention than in the past.
Indemnification is more limited, and more complicated to analyze, than advancement. Officers and directors seeking to understand their right to indemnification need to understand state law restrictions on indemnification, their company’s indemnification policies, regulators’ restrictions on indemnification, and public policy limitations on indemnification.
A. Delaware Law Permits, but Does Not Require, Broad Indemnification for Defendants Who Act in Good Faith
Delaware law broadly permits, but does not require, indemnification of persons who “acted in good faith and in a manner the person reasonably believed to be in or not opposed to the best interest of the corporation….” In other words, as far as Delaware law is concerned, in most cases a corporation can choose to indemnify, or not indemnify, officers, directors (and others) who acted in good faith and reasonably believed that their conduct was in or not opposed to the best interests of the company. As we noted with respect to advancement, there is a huge distinction between merely being permitted to indemnify and being required to indemnify.
Delaware law allows a corporation to make the good-faith determination without regard to whether the suit was terminated by settlement, judgment, or conviction. There is certainly no presumption under Delaware law that a settlement implies guilt. It provides that the manner in which the suit was terminated “shall not, of itself, create a presumption that the person did not act in good faith and in a manner which the person reasonably believed to be in or not opposed to the best interests of the corporation.” This makes sense because in many cases the alleged violations do not require proof of bad faith and, further, the vast majority of cases and regulatory proceedings are ultimately resolved through settlements in which there is no final adjudication of the merits of the claims. Unless a court has made the indemnification decision, Delaware law requires that it be made by 1) a majority vote of the directors who are not themselves parties to such proceeding, or 2) a committee of such directors designated by a majority vote, or 3) by independent legal counsel directed to make such a determination by the directors, or 4) by the stockholders.
With regard to indemnification that is required as opposed to permitted, Delaware law mandates indemnification in only one situation – when a present or former director or officer of the corporation “has been successful on the merits or otherwise in defense of any action, suit or proceeding,” and then for “expenses (including attorneys’ fees) actually and reasonably incurred by such person in connection” with the successful defense. What constitutes “success” is not always clear in a regulatory proceeding. For example, the Delaware Chancery Court recently rejected a CEO’s argument that his guilty plea to two strict liability misdemeanors constituted “success” because he convinced the U.S. Attorney not to charge him with more serious offenses. The court said, “The proper analysis instead considers the outcome achieved by the indemnitee in light of the formal charges or claims against him” and that it would not judge the outcome “against the universe of crimes with which the indemnitee could have been charged.” From a “success” perspective, the CEO would have been better off if he had been charged with both the more serious and the strict liability offenses, and then the more serious charges had been dropped. For similar reasons, the court also rejected the argument that he had been successful in a regulatory settlement that prohibited him from participating in federal healthcare programs because he had avoided a regulatory monetary penalty. On the other hand, it found that the CEO was successful in connection with an FDA consent decree, but only because it did not impose a fine or place any restrictions on him.
As with permissive advancement, it can quickly be seen that Delaware law itself provides little protection to officers, directors, and other employees because it only permits, but does not require, a corporation to indemnify employees who acted in good faith and with a reasonable belief that their conduct was in the best interests of the corporation. A company could condition indemnification on virtually anything–for example, the absence of negligence, the absence of gross negligence, or the absence of any violation of a statute or regulation. Moreover, absent a by-law or other provision making indemnification mandatory, officers and directors would be subject to the same risks discussed above with regard to advancement—what will happen if there is a change in management, or if regulators pressure a company not to indemnify, or if a matter has received publicity that makes directors uncomfortable in making a discretionary decision to indemnify, or if the board becomes unsympathetic to the executive being investigated, or if the executive has left and gone to a competitor at the time the investigation is commenced?
B. Many Companies Adopt By-Laws that Mandate Indemnification to the Maximum Extent Permitted by Delaware Law
As with advancement, many companies adopt by-laws that require companies to indemnify to the maximum extent permitted by Delaware law. For example, a company might indemnify persons for “all expenses and liabilities of any type whatsoever (including, but not limited to, losses, damages, judgments, fines, excise taxes and penalties, and amounts paid in settlement) actually and reasonably incurred by the individual in connection with the investigation, defense, settlement or appeal of such proceeding, provided the individual acted in good faith and in a manner reasonably believed to be in or not opposed to the best interests of the company.” It might provide that the company “shall” indemnify “to the fullest extent permitted by law and that no determination shall be required in connection with such indemnification unless specifically required by applicable law which cannot be waived.” An agreement might further provide that if the indemnitee is deceased, the company will indemnify the indemnitee’s spouse, heirs, executors, and administrators. It might further provide that the termination of any proceeding by settlement or judgment shall not create a presumption that the indemnitee did not act in good faith and in a manner in which the indemnitee believed to be in or not opposed to the best interest of the company. It may also provide that the agreement shall continue for as long as the indemnitee may be subject to any possible claim, and that the company shall require any successor to the company to assume and agree to perform the obligations to indemnify to the same extent as the company would be required to perform if no such succession had taken place.
C. Bad News: Regulators May Prohibit Indemnification that a Company is Otherwise Obligated to Pay
Unfortunately for directors and officers, there are circumstances in which indemnification of regulatory fines may be prohibited even if permitted by state law and mandated by the company’s by-laws.
For example, FDIC rules provide that no insured depository institution or depository institution holding company shall make any “prohibited indemnification payment.” The FDIC defines a “prohibited indemnification payment” to mean
any payment (or any agreement or arrangement to make any payment)… to pay or reimburse such person for any civil money penalty or judgment resulting from any administrative or civil action instituted by any federal banking agency, or any other liability or legal expense with regard to any administrative proceeding or civil action instituted by any federal banking agency which results in a final order or settlement pursuant to which such person i) is assessed a civil money penalty, ii) is removed from office or prohibited from participating in the conduct of the affairs of the insured institution, or iii) is required to cease and desist from or take any affirmative action described in section 8(b) of the Act with respect to such institution.
The only exception is for partial reimbursement of expenses incurred in connection with charges in which there is a specific adjudication or finding that the officer or director did not violate banking laws or engage in unsafe or unsound banking practices or breaches of fiduciary duty. In other words, officers or directors of an insured depository institution or holding company will likely have to bear the cost of any penalty imposed by a federal banking agency unless they prevail on the merits of the claims. Because they will not be entitled to indemnification, they may also have to reimburse the corporation for any fees advanced to defend against claims by a federal banking regulator. On the other hand, the principal risk of significant penalties usually comes from the SEC, the Department of Justice, and state attorneys general rather than federal banking regulators.
The Federal Reserve, in its Guidance Regarding Indemnification Agreements and Payments, reminds bank holding companies and state member banks that these restrictions apply to them and reinforce “the Federal Reserve’s longstanding policy that an institution-affiliated party who engaged in misconduct should not be insulated from the consequences of his or her misconduct.” Of course, the flaw in that reasoning is that it assumes that a party who settles has necessarily engaged in misconduct. The Guidance states, “Although state corporate laws may allow a company to adopt by-laws indemnifying its institution-affiliated parties, any indemnification provisions or agreements adopted by a state member bank or bank holding company must comply with federal law and the FDIC’s regulations concerning indemnification.”
Federal savings associations have broader permissive indemnification authority but are required to give the OCC at least 60 days’ notice of their intention to make an indemnification payment. “No such indemnification shall be made if the OCC advises the association in writing, within such notice period, the OCC’s objection thereto.” Moreover, if directors of a federal savings association simply decline to provide permissive indemnification, the officer or director may be without a remedy.
SEC settlement orders sometimes include bars against seeking indemnification,  but often they do not. In SEC v. Conaway, 697 F. Supp. 2d 733 (E.D. Mich. 2010), a litigated case in which the SEC prevailed, the court stated that the SEC had provided no authority for its request that the court’s order prohibit the defendant from seeking reimbursement. Nevertheless, the court went on to state, “I find that the remedial purpose of any such fine would be highly diluted if it were borne by any third party,” and it ordered that the penalty be doubled if the defendant received reimbursement from any third party.
Whether or not the SEC includes a waiver provision in a settlement agreement, companies and executives should be aware that the SEC has codified its position in item 512 of Regulation S-K, 17 C.F.R. §229.512, that a prospectus include the following language: “Insofar as indemnification for liabilities arising under the Securities Act of 1933 may be permitted to directors, officers, or persons controlling the registrant, the registrants has been informed that in the opinion of the SEC such indemnification is against public policy as expressed in the Act and is therefore unenforceable.” 
CFPB settlement orders often state that respondents “shall not… seek or accept, directly or indirectly, reimbursement or indemnification from any source… with regard to any civil money penalty that the Respondents pay under this Order.” To date, however, the CFPB has not sought to impose penalties against executives of public companies.
One point of negotiation that officers and directors should carefully consider is that in some cases an order in an enforcement action will impose joint liability on an individual defendant and a company defendant. Joint liability means that each party can be required to make the payment, but a payment of the entire amount by one party satisfies the obligation that the other party has to pay. Thus, when a company and an individual are jointly liable to pay a fine, the company may pay the entire fine. For that reason, in cases in which the company is willing and able to pay the entire penalty, it may be in the interests of the individual defendant that any penalty assessed against him or her be a joint obligation of the company as well. On the other hand, in many settlements there may be no company defendant, or the order will specify a separate penalty for the company and the individual, or the company may be unwilling or unable to pay the entire amount.
The key practice pointers are the following: 1) permissive indemnification provides little protection; 2) companies that make permissive indemnification mandatory provide a far higher level of protection; 3) banks and bank holding companies will generally not be able to indemnify individuals for fines and other sanctions assessed by federal banking regulators; 4) federal savings associations are not permitted to indemnify if, after notice, the OCC objects to indemnification; and 5) other agencies sometimes restrict indemnification by conditioning settlement on agreements not to seek indemnification.
IV. D&O Insurance: Protection or Minefield?
The limits on indemnification for regulatory penalties mean that officers and directors need to carefully consider a corporation’s insurance policies. So-called “Side A” coverage potentially protects officers and directors for economic loss arising from claims for wrongful acts made against the individual insured when the corporation refuses or is unable to provide indemnification. In contrast, Side B coverage is for claims by the entity for amounts paid to indemnify an insured person, and Side C coverage is for claims by an entity for loss arising from a claim against the entity itself.
For example, Side A coverage might provide:
This policy shall pay the Loss of each and every Director or Officer of the Company arising from a Claim first made against the Directors or Officers during the Policy Period… for any actual or alleged Wrongful Act occurring on or prior to the Effective Time in their respective capacities as Directors or Officers of the Company, except when and to the extent that the Company… has indemnifed the Directors or Officers. The Insurer shall… advance Defense Costs of such Claim prior to its final disposition.
A. Ten Questions You Should Ask about Your Company’s D&O Coverage
D&O policies differ, sometimes significantly, from carrier to carrier and may themselves be limited when it comes to regulatory penalties. Officers and directors may wish to consider the following (in addition to whether their company even has Side A coverage):
First, does the policy cover regulatory investigations and proceedings? Not all policies purport to cover regulatory investigations and proceedings. Some cover investigations, some cover regulatory proceedings, and a few may cover neither. In many cases, insurers and policyholders have litigated the availability of coverage for regulatory investigations.
Second, does the policy cover fines? Many D&O insurance policies exclude fines and penalties. Other policies do cover at least certain fines and penalties and the nature of the fine, and the underlying basis, may be important.
Third, what conduct does the policy exclude? D&O policies also contain conduct exclusions. For example, an exclusion might provide:
The Policy shall not apply to any Claims made against the Insureds… based upon or arising out of any deliberate, dishonest, fraudulent or criminal act or omission by such Insureds. 
Often such exclusions come with a proviso like the following, which requires a final adjudication:
Provided, however, such Insureds shall be protected under the terms of this policy with respect to any Claims made against them in which it is alleged that such Insureds committed any deliberate, dishonest, fraudulent or criminal act or omission, unless judgment or other final adjudication thereof adverse to such Insureds shall establish that such Insureds were guilty of any deliberate, dishonest, fraudulent or criminal act or omission.
Fourth, does the policy exclude coverage for receipt of personal benefits? D&O policies also typically exclude coverage for claims arising from an insured’s receipt of any personal profit or advantage to which the insured was not legally entitled. These policies typically include some sort of trigger, such as a requirement for a “final adjudication.”
Fifth, is the carrier likely to assert a public policy defense to coverage? In addition to relying on specific policy exclusions related to fraud or improper profits, insurers often attempt to deny coverage on public policy grounds that are not set forth in the policy itself, such as arguments that policyholders should not be entitled to coverage for any type of disgorgement. The non-contractual public policy defense is a frequent source of litigation.
Sixth, does the policy exclude liability for money laundering violations? Some D&O policies specifically exclude coverage for money laundering violations.
Seventh, under what circumstances does the policy require re-payment of defense costs that have been advanced? Some insurers may seek repayment of previously advanced defense costs if a settlement contains sufficiently specific allegations that, if true, would trigger exclusions from coverage.
Eighth, what happens in bankruptcy? Depending on the nature of the policy (e.g., is it a Side A only policy), it may become an asset of the bankruptcy estate, rather than of the director or officer, if the company files for bankruptcy. Some policies, however, include a bankruptcy provision that generally provides that the primary purpose of the policy is to protect the insured person; that in the event of bankruptcy the insurer shall first pay the claims of insured persons for non-indemnified loss; and that no insured shall oppose a request for an insured person’s request in the bankruptcy court for approval of the insurer’s advancement of defense costs. Case law, as well as policy language, may be important.
Ninth, under what other circumstances may the carrier avoid coverage? Carriers sometimes seek to avoid coverage because 1) the company’s financials, which typically form part of the application it submits to the carrier, were misstated; 2) the company did not advise the carrier of facts indicative of a claim at the time the policy holder applied for coverage; or 3) even that other insureds engaged in conduct excluded by the policy. Officers and directors have enhanced protection if the policy, for example, provides that no statements or knowledge possessed by any insured person shall be imputed to another insured person for the purpose of determining if coverage is available.
Tenth, is the amount of the coverage adequate? Officers and directors need to be aware that D&O policies are typically single-limit policies. That means that every dollar spent on defense costs for one insured reduces the amount of insurance dollars available for another insured. In addition, Side A coverage may be combined by the company with Side B and Side C coverage, and the company and individuals may assert competing claims on the pool of insurance. Some policies include priority provisions that state that the insurer must first pay the Side A claims of individual insureds.
B. Insurance Coverage Litigation
Although not involving D&O coverage, the type of litigation that can arise in the context of settlements of regulatory proceedings is seen in decisions involving a settlement between the SEC and Bear Stearns, which resulted in findings of violations, an order to disgorge $160 million, and an order to pay a $90 million penalty. The order made findings that Bear Stearns knowingly facilitated market timing by its clients.
In litigation against the carrier to recover the $160 million in disgorgement and $40 million in defense costs (the policyholder did not seek coverage for the $90 million penalty), the carrier sought to avoid coverage on various grounds, including that 1) public policy prohibits an insured from obtaining coverage for “disgorgement” of an ill-gotten gain, and 2) the D&O policy’s profit exclusion was triggered by the SEC’s findings of wrongful conduct. SEC administrative settlements, unlike settlements of SEC injunction actions, contain findings rather than allegations.
On the public policy issue, the New York Court of Appeals acknowledged that other courts have held that the risk of being ordered to return ill-gotten gains—disgorgement—is not insurable because the wrongdoer would retain the proceeds of his illegal acts by shifting his loss to an insurer. Bear Stearns did not dispute that general principle, but argued that the principle should not be applied to disgorgement of profits made by its clients, rather than obtained by Bear Stearns itself. The Court of Appeals agreed with Bear Stearns on this issue, reversed the intermediate Court of Appeals, and reinstated the coverage action.
On remand, the carrier renewed its argument that coverage was also barred because the SEC administrative order contained detailed findings of misconduct. The trial court concluded, however, that the SEC’s order, even though it contained detailed findings of violations, did not constitute a “final adjudication or judgment” required by the policy language because it was the product of a settlement rather than a contested proceeding. In reaching that conclusion, it noted that the firm’s consent to the settlement was “solely for purpose of these proceedings,” and that the factual findings were neither admitted nor denied (except as to jurisdiction). Eight years after the SEC settlement, the litigation over the carriers’ defenses to coverage is ongoing.
C. Regulatory Restrictions on Insurance Coverage
On October 10, 2013, the FDIC issued an advisory bulletin, titled “Director and Officer Liability Insurance—Policies, Exclusions, and Indemnification for Civil Money Penalties.” While the advisory bulletin appears designed in part to encourage policyholders to purchase broad protection (which may assist the FDIC when, as receiver for a failed bank, it sues officers and directors), the advisory also states, “FDIC regulations prohibit an insured depository institution or depository institution holding company from purchasing insurance that would be used to pay or reimburse an [officer or director] for the cost of any [civil money penalty] assessed against such person in an administrative proceeding or civil action commenced by any federal banking agency.” In other words, the FDIC’s position appears to be that officers and directors cannot be insured for civil money penalties assessed by a federal banking regulator. On the other hand, the advisory: 1) does not prohibit insurance coverage of legal expenses incurred in connection with such a proceeding, and 2) does not prohibit insurance for penalties assessed by state and federal agencies other than federal banking agencies. That is where most of the risk is.
The SEC does not usually address insurance of individuals in its consent decrees, but there are exceptions. In the consent decree in SEC v. Falcone, et al., which involved admissions of wrongdoing, the consent provided:
The Harbinger Defendants agree that they shall not seek or accept, directly or indirectly, reimbursement or indemnification from any source, including but limited to, payment made pursuant to any insurance policy, with regard to any civil penalty amounts that each Harbinger Defendant pays….
The CFPB often includes in its settlement orders a requirement that defendants “shall not seek or accept, directly or indirectly, reimbursement or indemnification from any source, including but not limited to payment made pursuant to any insurance policy, with regard to any civil penalty amounts that Defendants pay pursuant to this Order,” although sometimes the prohibition is limited to civil money penalties that “the company” pays under the order.
The reader who has managed to get this far will have absorbed the following lessons.
Regulators are highly focused on individual accountability, and for that reason there is greater risk than in the past that CEOs, CFOs and other executives will be targeted.
State law advancement and indemnification provisions, at least under Delaware law, are largely permissive rather than mandatory and thus, by themselves, provide little protection to officers and directors unless they actually prevail on the claims.
Officers and directors enjoy significantly greater protection when their companies adopt by-laws requiring the companies to advance fees and provide indemnification to the maximum extent permitted by law. Many companies do exactly that. Other companies, however, provide far less protection by retaining discretion at the company level to provide, or not provide, advancement and indemnification as the company deems appropriate.
Even when they have indemnification to the maximum extent permitted by law, officers and directors need to understand the following limitations:
At least for current officers and directors, advancement of legal fees comes with an undertaking to re-pay if it is ultimately determined that the officer or director is not entitled to indemnification. The fact that legal fees are advanced does not mean they will ultimately be indemnified, which means they may have to be re-paid.
The FDIC prohibits insured depository institutions and their holding companies from indemnifying officers and directors for civil money penalties imposed by federal bank regulators. The FDIC takes the position that this trumps more liberal state indemnification laws. Fortunately, most of the risk to officers and directors of solvent institutions does not usually come from federal bank regulators.
The OCC requires federal savings associations to provide 60 days notice before providing indemnification to an officer or director, and requires the federal savings association not to indemnify if the OCC objects.
SEC settlement orders sometimes prohibit indemnification and sometimes are silent on the issue. The SEC takes the position, however, that indemnification for liabilities arising under the Securities Act is against public policy and unenforceable. There is no definitive authority on what that means in the context of a settlement.
CFPB settlement orders often state that respondents may not seek indemnification from any source with regard to a civil money penalty
Because indemnification is often restricted, officers and directors also need to understand their coverage under insurance policies—so-called Side A D&O insurance. Insurance may provide coverage when indemnification does not. Among the questions officers and directors should ask are:
Are regulatory investigations and proceedings covered by the policy?
Are regulatory fines covered by the policy?
What conduct exclusions are there?
Do the conduct exclusions apply only if there is a final adjudication of misconduct or do they potentially apply to settlements as well?
What is required to obtain advancement and in what circumstances do the policies require re-payment of advanced defense costs?
What happens to the policy proceeds in the event of bankruptcy?
Are misstatements or knowledge of another insured in an application for insurance imputed to the officer or director?
Does misconduct by one insured trigger an exclusion for all insureds?
Is the amount of coverage adequate considering it may be depleted by other insureds?
Does the policy include a priority provision that gives priority to claims by an individual insured over a company insured
As with indemnification, regulators may prohibit a director or officer from transferring the loss to the carrier. In particular,
The FDIC prohibits insured banking institutions and their holding companies from insuring officers and directors for civil money penalties assessed by a federal banking agency.
The SEC sometimes prohibits a settling defendant from seeking recovery from an insurance carrier.
The CFPB often prohibits a settling defendant from seeking recovery from an insurance carrier.
Carriers may argue that public policy prohibits coverage of regulatory penalties on the facts of a particular case.
 Jed S. Rakoff, “The Financial Crisis: Why Have No High-Level Executives Been Prosecuted?” The New York Review of Books (Jan. 9, 2014).
 Gretchen Morgenson and Louise Story, “In Financial Crisis, No Prosecutions of Top Figures,” The New York Times (Apr. 14, 2011).
 Jesse Eisenger, “Why Only One Top Banker Went to Jail for the Financial Crisis,” The New York Times Magazine (Apr. 30, 2014).
 E.g., Robert Schmidt, “SEC Goldman Lawyer Says Agency Too Timid on Wall Street Misdeeds,” Bloomberg (Apr. 8, 2014); Neil Irwin, “This is a Complete List of Wall Street CEOs Prosecuted for Their Role in the Financial Crisis,” The Washington Post (Sept. 12, 2013); Glenn Greenwald, “The Real Story of How ‘Untouchable’ Wall Street Execs Avoided Prosecution,” Business Insider (Jan. 23, 2013); Ted Kaufman, “Why DOJ Deemed Bank Execs Too Big To Jail,” Forbes (Jul. 29, 2013); Alison Frankel, “Sarbanes-Oxley’s Lost Promise: Why CEOs Haven’t Been Prosecuted,” Reuters (July 27, 2012).
 John Kenneth Galbraith, A Short History of Financial Euphoria at 27 (Viking Penguin 1990).
 Id. at 29.
 Roger Lowenstein, “Wall Street: Not Guilty,” BloombergBusinessweek Magazine (May 12, 2011).
 Preet Bharara, the U.S. Attorney for the Southern District of New York, has aggressively prosecuted high-level executives in the course of bringing 80 criminal insider trading prosecutions. Explaining why he hasn’t charged executives in connection with the financial crisis, he said, “You bring the cases you can based on the evidence you have.” Quoted in Nate Raymond, “Judge Criticizes Lack of Prosecution Against Wall Street Executives for Fraud,” Reuters (Nov. 12, 2013).
 “SEC Enforcement Actions – Assessing Misconduct That Led to or Arose From the Financial Crisis,” avail. at http://www.sec.gov/spotlight/enf-actions-fc.shtml.
 Mary Jo White, “Deploying the Full Enforcement Arsenal,” (Sept. 26, 2013), avail. at http://www.isidewith.com/poll/317926575. Andrew Ceresney, “Keynote Address at the International Conference on the Foreign Corrupt Practices Act,” (Nov. 19, 2013), avail. at http://www.sec.gov/News/Speech/Detail/Speech/1370540392284#.U1_OGihXHFl.
 A.G. Schneiderman Announces Former Bank of America CFO Joe L. Price Barred for 18 Months from Serving as Officer or Director of Any Public Company,” (Apr. 25, 2014), avail. at http://www.ag.ny.gov/press-release/ag-schneiderman-announces-former-bank-america-cfo-joe-l-price-barred-18-months-serving. .
 “FERC Orders $30 Million Fine Against Former Amaranth Trader,” FERC News Release (Apr. 21, 2011), avail. at http://www.ferc.gov/media/news-releases/2011/2011-2/04-21-11-G-1.asp
 “Remarks of Superintendent Lawsky on Financial Regulatory Enforcement at the Exchequer Club,” (Mar. 19, 2014), avail. at http://www.dfs.ny.gov/about/speeches_testimony/sp140319.pdf.
 Testimony of David S. Cohen before the Senate Committee on Banking, Housing, and Urban Affairs at 5 (Mar. 7, 2013), avail. at http://www.dfs.ny.gov/about/speeches_testimony/sp140319.pdf
 Prepared Remarks of CFPB Director Richard Cordray at the Federal Reserve Bank of Chicago (May 9, 2014), avail. at http://www.consumerfinance.gov/newsroom/prepared-remarks-of-cfpb-director-richard-cordray-at-the-federal-reserve-bank-of-chicago-2/
 The American Association of Bank Directors, “AABD Survey Results on Measuring Bank Director Fear of Personal Liability Are Not Good News,” (Apr. 9, 2014), avail. at http://aabd.org/aabd-survey-results-measuring-bank-director-fear-personal-liability-good-news/.
 Executives whose companies are incorporated in other states need to look to the law of those states.
 Delaware Code, §145(e).
 For a sample form of undertaking, see Undertaking to Repay Advancement of Expenses, avail. at http://us.practicallaw.com/7-520-5639.
 Delaware Code, §145(e).
 Until a court declared the practice unconstitutional, the Department of Justice often pressured companies not to advance expenses to individuals under investigation. United States v. Stein, 435 F. Supp. 2d 330 (S.D.N.Y. 2006).
 In Miller v. Palladium Industries, Inc., C.A. No. 7475 (Del. Ch. Dec. 31, 2012), aff’d, No. 36,2013 (Del. Sup. Jul. 19, 2013), the company’s by-laws made advancement mandatory “unless otherwise determined by the Board of Directors in the specific case….” The Board rejected the CEO’s request for advancement based on, among other factors, the company’s own financial needs, its belief that the CEO had engaged in misconduct, and its conclusion that the CEO would not be able to repay the amounts advanced. The Delaware Court of Chancery and the Delaware Supreme Court rejected the CEO’s claim that the company’s by-laws made advancement mandatory.
 Homestores, Inc. v. Tafeen, 888 A.2d 204, 212 (Del. 2005).
 Section 402 of the Sarbanes-Oxley Act prohibits public companies from extending, arranging, or renewing personal loans to or for their directors and executive officers.
 See Fillip v. Centerstone Linen Services, LLC, Civil Action No. 8712-ML (Del. Ch. Feb. 27, 2014) (“It is far from uncommon that an entity finds it useful to offer broad advancement rights when encouraging an employee to enter a contract, and then finds it financially unpalatable, even morally repugnant, to perform that contract once it alleges wrongdoing against the employee.”). See also, e.g., Peter Lattman, “Goldman Stuck With a Defense Tab, and Awaiting a Payback,” Dealbook (Jun. 18, 2012), avail. at http://us.practicallaw.com/7-520-5639.
 E.g., Kaung v. Cole Nat’l Corp., 884 A.2d 500 (Del. 2005) (“[T]he scope of an advancement proceeding under Section 145(k) of the DGCL is limited to determining ‘the issue of entitlement according to the corporation’s advancement provisions and not to issues regarding the movant’s alleged conduct in the underlying litigation”)”; Sergey Aleynikov v. The Goldman Sachs Group, Inc., Civ. No. 12-5994 (D.N.J. Oct. 16, 2013) (granting summary judgment to former vice president on claim for advancement of legal fees and on claim for fees in seeking the advancement of legal fees).
 E.g., Ridder v. CityFed Fin. Corp., 47 F.3d 85, 87 (3d Cir. 1995) (“Under Delaware law, appellants’ right to receive the costs of defense in advance does not depend upon the merits of the claims asserted against them, and is separate and distinct from any right of indemnification they may later be able to establish.”)
 Sun-Times Media Group, Inc. v. Black, 954 A.2d 380, 397 (Del. Ch. 2008).
 Herman v. K-V Pharmaceutical Co., 54 A.3d 1093, 1094 (Del. 2012). See also, e.g., Stifel Financial Corp. v. Cochran, 809 A.2d 555, 561 (Del. 2002) (“The invariant policy of Delaware legislation on indemnification is to ‘promote the desirable end that corporate officials will resist that they consider unjustified suits and claims, secure in the knowledge that their reasonable expenses will be borne by the corporation they have served if they are vindicated”)”.
 In particular, Section 145(a) of the Delaware Code provides:
A corporation shall have power to indemnify any person who was or is a party or is threatened to be made a party to any threatened, pending or completed action, suit or proceeding, whether civil, criminal, administrative or investigative (other than an action by or in the right of the corporation) by reason of the fact that the person is or was a director, officer, employee or agent of the corporation, or is or was serving at the request of the corporation as a director, officer, employee or agent of another corporation, partnership, joint venture, trust or other enterprise, against expenses (including attorneys' fees), judgments, fines and amounts paid in settlement actually and reasonably incurred by the person in connection with such action, suit or proceeding if the person acted in good faith and in a manner the person reasonably believed to be in or not opposed to the best interests of the corporation, and, with respect to any criminal action or proceeding, had no reasonable cause to believe the person's conduct was unlawful.
 Delaware Code §145(a).
 Delaware Code §145(c).
 Hermelin v. K-V Pharmaceutical Co., 54 A.3d 1093 (Del. Ch. 2012).
 Id. at 1109.
 See Merritt-Chapman & Scott Corp. v. Wolfson, 321 A.2d 138 (Del. Super. 1974).
 For companies incorporated in New York, the law is more favorable on this point. Section 724 of the New York Code largely mandates indemnification in circumstances in which Delaware law only makes it permissive and provides a specific procedure for an individual to go to court when a corporation fails to provide indemnification.
 12 C.F.R. §359.1(l).
 12 C.F.R. §359.1(2).
 Board of Governors of the Federal Reserve, “Guidance Regarding Indemnification Agreements and Payments,” SR 02-17 (Jul. 8, 2002), avail. at http://www.federalreserve.gov/boarddocs/srletters/2002/sr0217.htm
 12 C.F.R. §545.121(c)(2).
 In Bender v. Jordan, 623 F.3d 1128 (2010), the D.C. Circuit held that 12 C.F.R. §545.121 “does not require a board of directors to indemnify directors and officers in any circumstances in which the officers or directors have not received final judgment on the merits in their favor” and that the regulation “creates no general entitlement to indemnification… where the board of directors does not consider the determinations necessary to create a permissive entitlement.” In that case, the company had not adopted by-laws addressing indemnification and the company’s new board declined to provide it.
 See, e.g., Consent Order in SEC v. Philip A. Falcone, et al., 12 Civ 5027 (S.D.N.Y. August 2013) (“The Harbinger Defendants agree that they shall not seek or accept, directly or indirectly, reimbursement or indemnification from any source, including, but not limited to, payment made pursuant to any insurance policy, with regard to any civil penalty amounts that each Harbinger Defendant pays pursuant to the Final Consent Judgment….”); In the Matter of Stephen A. Odland, Securities Exchange Act Rel. No. 63153 (Oct. 21, 2010) (“Respondent agrees that he shall not seek or accept, directly or indirectly, reimbursement or indemnification from any source… with regard to any amounts that Respondent shall pay pursuant to this Order”); SEC v. Richard M. Scrushy, SEC Lit. Rel. No. 20084 (Apr. 23, 2007) (Defendant has “agreed to refrain from seeking indemnification or reimbursement from any third-party for any part of the $81 million required by the Final Judgment”); Press Release 2003-56, “The SEC, NASD, and the NYSE Permanently Bar Henry Blodget from the Securities Industry and Require $4 Million Payment,” (Apr. 28, 2003) (Respondent “has agreed that he will not seek reimbursement or indemnification for the penalties he pays.”).
 Globus v. Law Research Service, Inc., 418 F.2d 1276 (2d Cir. 1969), cert. denied, 397 U.S. 913 (1970) held, in the context of a finding of Securities Act violations based on alleged knowledge of material misrepresentations, that indemnification against securities law liabilities was void as a matter of public policy. Exactly how far Globus extends is not entirely clear. Courts have held that a wrongdoer cannot enforce a contractual right to indemnification under the federal securities laws. E.g., Eichenholtz v. Brennan, 52 F.3d 478, 483-85 (3d Cir. 1995); Franklin v. Kaypro Corp., 884 F.2d 1222, 1232 (9th Cir. 1989); Baker, Watts & Co. v. Miles & Stockbridge, 876 F.2d 1101, 1108 (4th Cir. 1989). On the other hand, courts have held that “one who is not at fault may enforce a contractual agreement for the indemnification of expenses incurred in the successful defense of securities laws claims.” Credit Suisse First Boston, LLC v. Intershop Communications AG, 407 F. Supp.2d 541, 548 (S.D.N.Y. 2006). It is not clear how a particular court would come out on a request for indemnification by an officer or director who settled an SEC case without any adjudication of liability but was found by a committee of disinterested directors or by independent counsel not to have engaged in conduct that violated the securities laws or to have acted in good faith with a reasonable belief that his or her conduct was in the best interests of the corporation.
 E.g., In the Matter of Fidelity Mortgage Corp. and Mark Figert, CFPB File No. 2014-CFPB-0001 (Consent Order).
 E.g., Consent Order in SEC v. Philip A. Falcone, et al., 12 Civ. 5027 (S.D.N.Y. Aug. 16, 2013); Consent Order, In the Matter of Fidelity Mortgage Corp. and Mark Figert, CFPB Admin Proceeding File No. 2014-CFPB-0001 (Jan. 16, 2014); Stipulated Final Judgment and Order, CFPB v. Castle & Cooke Mortgage, LLC, et al., Case No. 2:13CV684DAK (Nov. 7, 2013); Stipulated Final Judgment and Consent Order in CFPB v. Meracord LLC and Linda Remsberg, Case No. 3:13-cv-05871 (W.D. Wash. Oct. 4, 2013).
 For a more detailed discussion of issues that arise in connection with directors and officers liability insurance, including issues related to coverage of regulatory investigations and proceedings, see Section 6.01, “Directors and Officers Liability Insurance,” in Eisenberg (editor), Litigating Securities Class Actions (Matthew Bender 2013). The publication is available online on Lexis/Nexis.
 See, e.g., In re Allied Digital Technologies Corp., 306 B.R. 505, 510 (Del. 2004).
 See J.P. Morgan Sec. Inc. v. Vigilant Ins. Co., 2014 NY Slip Op. 50284(U) (N.Y. Sup., New York County Feb. 28, 2014).
 See In re HealthSouth Corp. Ins. Litigation, 308 F. Supp.2d 1253, 1261 (N.D. Ala. 2004).
 In the Matter of Bear, Stearns & Co., Inc., Securities Act Rel. No. 8668 (Mar. 16, 2006).
 J.P. Morgan Securities Inc. v. Vigilant Ins. Co., 21 N.Y.3d 324, 336, 992 N.E.2d 1076 (N.Y. 2013).
 J.P. Morgan Sec. Inc. v. Vigilant Ins. Co., supra fn 49.
 FDIC, FIL-47-2013, “Director and Officer Liability Insurance Policies, Exclusions, and Indemnification for Civil Money Penalties,” (Oct. 10, 2013), avail. at http://www.fdic.gov/news/news/financial/2013/fil13047.pdf.
 Consent Order in SEC v. Falcone, et al., at§3, avail. at http://www.sec.gov/litigation/litreleases/2013/consent-pr2013-159.pdf.
 E.g., Stipulated Final Judgment and Order in CFPB v. American Debt Settlement Solutions, Inc. and Michael Dipanni, Case No. 9:13-cv-80548 (S.D. Fla. June 7, 2013).
 E.g., Stipulated Final Judgment and order in CFPB v. Castle & Cooke Mortgage, LLC., et al., No. 2:13CV684DAK (D. Utah. Nov. 7, 2013).