On Compliance Officers Certifying Their Programs
Folks, we need to talk about the Justice Department’s new idea to have chief compliance officers certify at the end of a deferred-prosecution agreement that their company’s compliance program is reasonably designed and effective. I am a fan of the Justice Department and strong compliance programs — but can something like this really work in practice?
Assistant attorney general Kenneth Polite floated the idea while speaking at a compliance conference last week. Since then I’ve been scouring the Internet for a copy of his full remarks, which the New York University Law School posted online the other day. They deserve a close read, because even the suggestion of requiring compliance officers to certify the effectiveness of their programs raises knotty issues that could send more than a few executives breathing into a paper bag.
What exactly did Polite propose? Let’s quote straight from his speech:
Chief compliance officers and their functions should have true independence, authority, and stature within the company. To further empower chief compliance officers, for all of our corporate resolutions (including guilty pleas, deferred prosecution agreements, and non-prosecution agreements), I have asked my team to consider requiring both the chief executive officer and the chief compliance officer to certify at the end of the term of the agreement that the company’s compliance program is reasonably designed and implemented to detect and prevent violations of the law … and is functioning effectively.
Moreover, in resolutions where an outside compliance monitor is not imposed, but the company is required to provide annual reports on the state of its compliance programs, “we will consider requiring that the CEO and the CCO will also have to certify that all compliance reports submitted during the term of the resolution are true, accurate, and complete.”
Polite framed this idea as doing compliance officers a favor. By requiring such certifications, he said, “we are ensuring that chief compliance officers receive all relevant compliance-related information and can voice any concerns they may have prior to certification.”
Everyone take a deep breath, and then repeat after me: hmmmmm.
Putting Compliance Officers on the Spot
One obvious question here is what happens when a compliance violation does come to light, after you’ve certified the effectiveness of your program? Could the compliance officer face any legal jeopardy or liability for the program failure? Because if so, compliance officers won’t like this idea at all — but if not, then why bother with certifications in the first place? Polite didn’t address those questions in his remarks last week.
The implicit point in certification is that you, the signatory, assume some responsibility for the promise you’re making. Except, compliance programs have a multitude of moving parts, many of them well beyond the compliance officer’s control: the design of IT and data governance systems, the quality of personnel in First Line operating units, decisions about entering high-risk markets, and so forth.
So if the Justice Department insists on compliance officers certifying the effectiveness of their programs, one of two outcomes is likely to happen. Either:
- The CCO will make those promises he or she might not be able to keep; or
- The CCO will gain much more influence over those forces we mentioned above, so that he or she can live up to the responsibility that comes with certifying the program.
Obviously the first outcome is untenable; compliance officers worry all the time about liability for program failures beyond their control, and this scenario would directly play into those fears.
That said, I’m not sure the second outcome is much better for chief compliance officers. Haven’t we said since time immemorial that the business unit owns the risk? Because if you do gain much more influence over the organization, where you can make final calls about IT systems for better data analytics, or disciplinary action for errant employees, or decisions to enter emerging markets — that’s you owning the risk. Business units would see those actions as the compliance function telling them what to do, and would lull themselves into the mistaken belief that ethics and compliance is something the compliance function handles, not them.
I’m not opposed to Polite’s other suggestion that CEOs certify the effectiveness of the compliance program, because the CEO is responsible for the whole enterprise. The compliance officer isn’t. If we want to say everyone in the company plays a role in effective ethics and compliance, then the only person who can be held accountable for everyone in the company is the CEO.
Another Way to Look at It
It might be instructive here to consider the only corner of compliance and regulatory enforcement that has talked about compliance officer liability at length: the broker-dealer industry. FINRA, the industry’s primary regulator, just published updated guidance on when it might hold compliance officers liable for program failures.
In that guidance, FINRA stressed that bringing enforcement actions against compliance officers is pretty much the last thing it wants to do, unless the CCO is directly involved in misconduct or grossly negligent. The key point under FINRA rules is that only executives in “supervisory” roles should be held liable for compliance failures — and that does not include the chief compliance officer, FINRA said in its guidance.
Rather, FINRA assumes that the chief compliance officer acts in an advisory role, helping those supervisory executives (typically the firm’s CEO, president, or general manager) to administer an effective compliance program. But responsibility for the program rests with the supervisory executives, not the CCO.
There’s a lot of sense in that distinction between supervisory and advisory roles, and we would do well to apply it to other branches of regulatory enforcement. My fear is that instead, Polite’s idea for compliance officer certification blurs those two roles.
To be clear, I do believe Polite wants to support and work with corporate compliance officers; he pulled a stint as chief compliance officer at Entergy in the late 2010s, and has a sense of the challenges you face. We just need much more detail (like, a formal policy statement posted to the Justice Department’s website) on how these certifications would work in practice. Otherwise compliance officers wouldn’t be wrong to start breathing into those paper bags.