What Is Board Responsibility For Compliance?

more+
less-

Originally Published in FCPA Professor -  June 19, 2013.

The nightmare of every corporate director is to wake up to find out that the company of the Board he or she sits on is on the front page of the New York Times (NYT) for alleged illegal conduct. This nightmare came true for the Directors of Wal-Mart when the New York Times, in an article entitled “Vast Mexico Bribery Case Hushed Up by Wal-Mart After Top-Level Struggle”, alleged that Wal-Mart’s Mexican subsidiary had engaged in bribery of Mexican governmental officials and that the corporate headquarters in Bentonville, Arkansas, had covered up any investigations into these allegations.

Recently the NYT reported that shareholders were asking questions of the Wal-Mart Board regarding its response these allegations. In a story, entitled “More Dissent in a Store Over Wal-Mart Bribery Scandal”, Stephanie Clifford reported Wal-Mart shareholders are still asking questions of the Board regarding its role in the ongoing scandal. Some of these questions include “whether the company is holding current and former executives financially responsible for breaching company policies” and concerns about the company’s supply chain vendors. This shareholder dissatisfaction held several groups of large shareholders to indicate that they would vote against the company’s current Board of Directors at its annual shareholder meeting.

Clifford quoted from a report by Institutional Shareholder Services (ISS), a proxy advising firm, which said that investors have also complained about “being in the dark about the nature and extent of the alleged violations (and knowledge of them within the company)” and the company’s “timetable for completion of its investigation and disclosure of its results”. There were also questions raised about the remediation efforts of Wal-Mart. The ISS report went on to add that “Shareholders should vote against these directors to send a clear message to the board that such poor oversight does not come without repercussions.”

The publicity and costs to Wal-Mart have been well documented. The FCPA Professor has consistently stated that he views this scandal as largely a failure of corporate governance. In a post entitled, “Wal-Mart One Year Later” he said, “Corporate governance, or lack thereof, is what made the NY Times April 2012 remarkable.  This is the reason why Wal-Mart generated all the buzz it did a year ago this week and I’ve consistently held the view that the Wal-Mart story is a corporate governance sandwich with the FCPA as a mere condiment.” I thought about the Professor’s observations on this failure in light of Clifford’s article and wondered what the Board’s legal obligations might be.

I.                   Some Case Law

As to the specific role of ‘Best Practices’ in the area of general compliance and ethics, one can look to Delaware corporate law for guidance. The case of In Re Caremark International Inc. Derivative Litigation 698 A.2d 959 (Del.1996) was the first case to hold that a Board’s obligation “includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.” The Corporate Compliance Blog, in a post entitled “Caremark 101”, said that the Caremark case “addressed the board’s duty to oversee a corporation’s legal compliance efforts. As part of its duty to monitor, the Board must make good faith efforts to ensure that a corporation has adequate reporting and information systems. The opinion described this claim as “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment,” with liability attaching only for “a sustained or systematic failure to exercise oversight” or “[a]n utter failure to attempt to ensure a reporting and information system.”

In the case of Stone v. Ritter 911 A.2d 362, 370 (Del. 2006), the Supreme Court of Delaware expanded on the Caremark decision by establishing two important principles. First, the Court held that the Caremark standard is the appropriate standard for director duties with respect to corporate compliance issues. Second, the Court found that there is no duty of good faith that forms a basis, independent of the duties of care and loyalty, for director liability. Rather, Stone v. Ritter holds that the question of director liability turns on whether there is a “sustained or systematic failure of the board to exercise oversight – such as an utter failure to attempt to assure a reasonable information and reporting system exists.”

Andrew J. Demetriou and Jessica T. Olmon, writing in the ABA Health Esource blog, said that “This standard aims to protect shareholders by ensuring that corporations will adopt reasonable programs to deter, detect and address violations of law and corporate policy, while absolving the Board from liability for corporate conduct so long as it has exercised reasonable responsibility with respect to the adoption and maintenance of a compliance and reporting system. Although the standard protects the Board, consistent with most jurisprudence under the business judgment rule, it also requires that the Board follow through to address problems of which it has notice and this may include adopting modifications to its compliance program to address emerging risks.”

Lastly, I recently heard Jeff Kaplan discuss the oversight obligations of the Board regarding the compliance function. In addition to the above cases, he discussed the case of Louisiana Municipal Police Employees’ Retirement System et al. v. David Pyott, et al., 2012 WL 2087205 (Del. Ch. June 11, 2012) (rev’d on other grounds, No. 380, 2012, 2013 WL 1364695 (Del. Apr. 4, 2013), which was a shareholder action that went forward against a Board based upon a claim that the Board knew of compliance risk based on the company’s business plan. The Delaware Court pointed out the possibility that “The appearance of formal compliance cloaked the reality of noncompliance, and directors who understood the difference between legal off-label sales and illegal off-label marketing continued to approve and oversee business plans that depended on illegal activity.” Kaplan believes that this case more generally, supports the need for risk-based oversight by board.

II.                FCPA Guidance and US Sentencing Guidelines

A Board’s duty under the Foreign Corrupt Practices Act (FCPA) is well known. In the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) FCPA Guidance, under the Ten Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board. The first in Hallmark No. 1, entitled “Commitment from Senior Management and a Clearly Articulated Policy Against Corruption”, states “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3 entitled “Oversight, Autonomy and Resources”, where it discusses that the Chief Compliance Officer (CCO) should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The DOJ’s Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment?

Board failure to head this warning can lead to serious consequences. David Stuart, a senior attorney with Cravath, Swaine & Moore LLP, noted that FCPA compliance issues can lead to personal liability for directors, as both the SEC and DOJ have been “very vocal about their interest in identifying the highest-level individuals within the organization who are responsible for the tone, culture, or weak internal controls that may contribute to, or at least fail to prevent, bribery and corruption”. He added that based upon the SEC’s enforcement action against two senior executives at Nature’s Sunshine Products, “Under certain circumstances, I could see the SEC invoking the same provisions against audit committee members—for instance, for failing to oversee implementation of a compliance program to mitigate risk of bribery”. I would not be a far next step for the SEC to invoke the same provisions against audit committee members who do not actively exercise oversight of an ongoing compliance program.

There is one other issue regarding the Board and risk management, including FCPA risk management, which should be noted. It appears that the SEC desires Boards to take a more active role in overseeing the management of risk within a company. The SEC has promulgated Regulation SK 407 under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” If this disclosure is not made, it could be a securities law violation and subject the company, which fails to make it, to fines, penalties or profit disgorgement.

From the Delaware cases, I believe that a Board must not only have a corporate compliance program in place but actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. The specific obligations set out regarding the FCPA drive home these general legal obligations down to the specific level of the statute.

The Wal-Mart case has driven home the need for focused Board of Directors oversight of a company’s compliance program.  But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward. If the Wal-Mart Board had fulfilled its legal obligations regarding compliance, the company might not have found itself on the front page of the New York Times.