ABB: CCO Certification After All!
Well this is quite the plot twist: the chief compliance officer and the CEO for Swiss industrial giant ABB will indeed need to certify the effectiveness of ABB’s compliance program as part of the company’s FCPA settlement announced last week.
That requirement was included in the company’s deferred-prosecution agreement, which the Justice Department did not publish until earlier this week — after yours truly (and several other compliance commentators) wrote about the settlement and puzzled over why the deal apparently hadn’t included any such certification requirement.
To be clear: yes it does; I misunderstood the situation. We’re all about accountability here at Radical Compliance so the blame is mine.
The good news is that the text of the DPA includes the actual certification forms that ABB’s chief executive and chief compliance officers will need to sign. If you want to read the precise language yourself, we have a copy of those specific pages that you can download.
The arrangement is as follows. ABB signed a deferred-prosecution agreement that runs until Dec. 2, 2025. During those three years, the company must “promptly report” to the Justice Department any evidence or allegation of conduct that might qualify as a violation of the Foreign Corrupt Practices Act. It also needs to implement and maintain a compliance program consisting of two parts:
- A system of internal accounting controls “designed to ensure the making and keeping of fair and accurate” books and records; and
- An anti-corruption compliance program that incorporates relevant internal accounting controls, as well as policies and procedures “designed to effectively detect and deter violations” of the FCPA and other anti-corruption laws.
At the end of the DPA’s term, two certifications happen. First, ABB’s chief executive officer and chief financial officer must certify that the company has indeed promptly reported any new evidence or allegations of FCPA violations. Second, ABB’s chief executive officer and chief compliance officer must certify that the company has built and maintained an effective compliance program.
The full details of what that effective compliance program should accomplish are spelled out in Attachment C of the deferred-prosecution agreement. Those requirements are lengthy, but in substance they are nothing that compliance professionals haven’t heard before: executive-level commitment, policies and procedures, periodic risk assessments, training, enforcement and discipline, and all the other standard elements of an effective compliance program.
‘Reasonably Designed’ Program
My concern about compliance officers (and chief executives) certifying the effectiveness of their compliance programs remains what it has been all along. The specific language in those certifications is that the program is “reasonably designed” to detect and prevent FCPA violations — and that might be a perilously high standard for an FCPA-offending company to achieve.
The problem is that most of the guidance relevant to corporate compliance programs doesn’t actually define what “reasonably designed” means. The Justice Department’s guidance for effective corporate compliance programs doesn’t define the term; neither do the U.S. Sentencing Guidelines. Both documents just use the phrase numerous times, assuming we all know what the words mean.
The only precise definition for “reasonably designed” comes in the Securities Exchange Act. It states that publicly traded companies must devise and maintain a system of internal accounting controls “sufficient to provide reasonable assurances” on four points:
- Transactions are executed according to management authorization;
- Transactions are recorded properly;
- Access to assets is permitted only according to management authorization;
- Recorded accountability for assets is reconciled with existing assets.
Then comes the precise definition of what reasonable assurances are: “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.”
Well, for a company such as ABB, which has now violated the FCPA three times in less than 20 years, wouldn’t that standard be extremely high? Wouldn’t it mean that the compliance program should catch even the faintest whiff of any FCPA violation at all?
“Satisfy prudent officials in the conduct of their own affairs” — those are the magic words. If your teenager took the car without your permission three times, how closely would you watch him or her after that? If the bank erroneously docked your savings account three times, how closely would you review your monthly statement?
To be clear, I have only heard positive things about ABB’s current chief integrity officer, Natalia Shehadeh. I don’t question her ability to run a strong compliance program, or the commitment of ABB’s senior leaders to put an end to the company’s bad habits once and for all.
Still, the Justice Department is placing high expectations on corporate compliance officers when it requires program certification. Whether companies will support CCOs in that position, or what CCOs will do if the company doesn’t, remains to be seen.