Archives, 2022: CCO Certifications

Radical Compliance is taking an off-the-grid vacation for the next few days, so we are reprinting some of readers’ favorite posts from the archives. The following ran in August 2022.

Today I want to revisit the Justice Department’s plans to have chief compliance officers certify the effectiveness of their compliance programs, to unpack a question that’s been bothering me. When the department says it wants certification that your program is reasonably designed to prevent future violations, what does “reasonable” actually mean? 

Readers of Radical Compliance will already know that I’m skeptical of CCO certifications as part of corporate misconduct resolutions for numerous reasons. For example, couldn’t certification put compliance officers at odds with the general counsel or CEO, if the compliance officer doesn’t want to certify effectiveness of the program but they do? Might certification bring more personal liability to a compliance officer, if you’re given more authority to impose policies, procedures, and controls on the business units? 

Before we even reach those issues, however, there is this nagging antecedent question: nobody pushing this idea has expressly defined what “reasonable” means.

For example, when assistant attorney general Kenneth Polite first floated the idea of CCO certifications during a speech he delivered in March, he uttered the word “reasonable” one time, in the following sentence:

I have asked my team to consider requiring both the chief executive officer and the chief compliance officer to certify at the end of the term of the agreement that the company’s compliance program is reasonably designed and implemented to detect and prevent violations of the law… and is functioning effectively.

That’s not a definition. So I turned to the Justice Department’s guidelines for evaluating effective compliance programs, last updated in 2020. That document uses the words “reasonable” or “reasonably” five times, but none of those references offer any definition or standard that compliance officers could use in practice either. Instead, they only point to the U.S. Sentencing Guidelines and its declaration that compliance programs should be — you guessed it — reasonably designed to provide management and directors with information about possible compliance violations.

So then I went to the U.S. Sentencing Guidelines and its seven elements of an effective compliance program. Now “reasonable” or “reasonably” appeared 13 times, but still no definition or explanation of what the word means. Not even in the section titled “Definitions.”

I make such a point of this because there is one U.S. statute where a standard for “reasonable” is defined: the Securities Exchange Act of 1934 — and that definition is what worries me about CCO certifications. 

‘Satisfy Prudent Officials in Their Own Affairs’

The text of the Exchange Act states that companies must devise and maintain a system of internal accounting controls “sufficient to provide reasonable assurances” on four points:

  • Transactions executed according to management authorization
  • Transactions are recorded properly
  • Access to assets is permitted only according to management authorization
  • Recorded accountability for assets is reconciled with existing assets

Then the Exchange Act gives us, at long last, a precise definition of what reasonable assurances are: “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.”

This is what worries me. Because if compliance officers need to certify that their compliance programs are reasonably designed to prevent and detect violations as part of a corporate misconduct resolution, then by definition that means their company has already suffered misconduct — and that radically changes the perspective and expectations of a prudent person.

We all experience this in the conduct of our own affairs all the time. For example, I was diligent about locking the single lock on my front door every night. Then one morning, my three-year-old flipped the lock, opened the door, and went outside while everyone else was asleep. 

What did we do that afternoon? Installed a second deadbolt six feet off the ground. And what did we do every evening thereafter? Checked that both locks were sealed tight.

Or, to describe all that in abstract terms: management (me) had a control (one lock) that seemed reasonable for the risk in question (my son running away). When that control failed (he opened the lock), I needed a stronger control (two locks), and had to test it more often (nightly) because I now understood the risk was greater. 

Moreover, imagine if I hadn’t installed that second lock, and my son ran away again. What would every reasonable parent say? “Why did you allow that? You knew this could happen!” 

We could concoct any number of other examples: a teenager who wrecks the family car, a single woman tired of Tinder matches lying about their height, an elderly relative who falls for a financial scam. Once the event happens, you’re far more vigilant about the event happening again.

So how would that standard scale up to a compliance program that you’d need to certify to the Justice Department? 

Reasonable Design at the FCPA Level

In any number of prior FCPA enforcement actions, we’ve seen tales of the compliance team struggling to quell a corruption issue that the company already knew about. In some instances, those struggles unfolded over a period of years. 

But once you discover the internal control weakness that allows the corrupt act, your perception of reasonable assurance changes. Management knows the company is vulnerable to a certain type of misconduct — say, engaging with corrupt intermediaries overseas — so it should be less tolerant of future incidents, and place more emphasis on controls to quash that risk.

That seems right, but we still haven’t answered my original question: How much less tolerant? Would it be reasonable to assume zero tolerance for future incidents, since the company already has a clear understanding of the threat? 

Moreover, in many instances, the internal accounting controls that exist to prevent FCPA violations — well, they’re not poorly designed per se; they just fail because employees engage in fabrication of documents or management decides to ignore red flags the compliance team dutifully raised. (The latter is exactly what happened in Goldman Sachs’ FCPA settlement in 2020, for example.) 

In those cases, shouldn’t we have zero tolerance for future failures? Because that’s not the compliance or audit team making well-intentioned but unwise decisions about internal control design; that’s management deliberately pooping all over the control environment. If management already had prior violations on its track record and then poops on the control environment, zero tolerance strikes me as fine. But it puts a compliance officer with annual certification duties in a very, very difficult position. 

I suppose my ultimate point in all this is that we don’t know what we’re supposed to do here. The Justice Department has given no formal policy pronouncement about CCO certifications. It has not updated the compliance program evaluation guidelines. It hasn’t even offered a specific definition of what “reasonable” means here. 

The department is asking a lot of compliance officers with this certification idea. It’s not unreasonable to demand more clarity.

Leave a Comment

You must be logged in to post a comment.