CCOs, by definition, are careful and deliberate. It comes with the profession. As risk managers, CCOs are skilled in identifying, assessing and acting in a risk environment.
The impact of the new CCO certification requirement, however, presents serious risks that cannot be brushed off or ignored in the face of assurances that prosecutorial discretion will protect CCOs from misguided prosecutions. Frankly, CCOs recognize that there is too much at stake, including their careers and their liberty interest.
DOJ’s new requirement was designed and rolled out in good faith, in an attempt to bolster the standing of CCOs in the corporate governance landscape. To address the potential negative reaction to the certification requirement, DOJ included an important provision in its Glencore FCPA plea agreement.
As set out by DOJ, a CEO and CCO would be required to execute the form Certification thirty (30) days prior to the end of the Independent Compliance Monitor’s Term, which in the case of Glencore is a three-year term. Paragraph 10 of the Plea Agreement sets out the following important language:
Where necessary and appropriate, the Defendant will adopt new or modify existing internal controls, compliance policies, and procedures in order to ensure that the Defendant maintains: (a) an effective system of internal accounting controls designed to ensure the making and keeping of fair and accurate books, records, and accounts; and (b) a rigorous anti-corruption compliance program that incorporates relevant internal accounting controls, as well as policies and procedures designed to effectively detect and deter violations of the FCPA and other applicable anti-corruption laws. The compliance program, including the internal accounting controls system, will include, but not be limited to, the minimum elements set forth in Attachment C. The Office[r]s, in their sole discretion, may consider the Monitor’s certification decision in assessing the Defendant’s compliance program and the state of its internal accounting controls.
DOJ’s last sentence in Paragraph 10 contemplates that the CEO and CCO may, in their discretion, may consider the Independent Compliance Monitor’s certification, in reaching their own determination as to the state of the Company’s compliance program.
Another significant consideration is the language of the CEO and CCO certification itself — which states that “such anti-corruption compliance program is reasonably designed (emphasis added) to detect and prevent violations of the [FCPA] and other anti-corruption laws throughout the company’s operations.”
In effect, CEOs and CCOs can rely on the Independent Compliance Monitor’s certification and the limitation on its certification that the compliance program is “reasonably designed” to detect and prevent violations of the FCPA.
Even with these positive factors, however, CEOs and CCOs will need to design and implement an appropriate procedure to document their respective due diligence and analysis of the Company’s compliance program. This consideration, at first glance, appears to be straight-forward but could quickly unravel into difficult issues.
A CCO should be able to rely on and document any internal and external reports, assessments, and reviews of the Company’s compliance program conducted as part of the remediation effort. DOJ clearly contemplates that a Company’s compliance program over a three-year monitorship period will undergo significant change and improvement. By definition, a CCO will be intimately involved in this process.
The CCO’s ability to rely on these reports, assessments and reviews may require a personal review and evaluation to justify such reliance. CCOs need to evaluate when a further examination of a specific report may be warranted. In this situation, a CCO may have to devote and document follow-ups to specific issues flagged in the report, assessment and review. CCO will inevitablye face difficult situations where reliance on a report may not be completely justifiable.
A further complication may arise when a Company subjects its compliance program to a robust testing and evaluation by an outside party. in these circumstances, an independent test of an enhanced compliance program may require a CCO to review the test results carefully with a questioning eye. This process may, in turn, delay the CCO’s certification or even raise further issues requiring analysis and review.
The risks presented by even these obvious situations are even more troublesome given the legal risks posed by acknowledgement that a “false” certification would constitute a violation of the False Statements and Obstruction of Justice criminal statutes, 18 U.S.C. §§1001, and 1519, respectively. By conceding the issues of “materiality” under 18 U.S.C. §1001, and “tangible record” under 18 U.S.C. §1519, a CCO may be setting him or herself up for a criminal prosecution where the issue may not rise to a criminal violation.
CCOs have enough problems in the corporate governance world. On balance, it is difficult to maintain that the CEO and CCO certification requirement is a net plus for CCO stature in the corporate governance landscape.
Given the controversy surrounding this issue, I fully expect there will be more discussion between the CCO community and DOJ. After all, DOJ’s most important ally in the corporate world is the CCO — and DOJ should avoid any negative impact on such a critical ally.