General counsel aren’t the focus of the new Department of Justice policy requiring a company’s CEO and chief compliance officer (CCO) to certify to the reasonableness of their Foreign Corrupt Practices Act (FCPA) controls, but the top legal officer is central to mitigating risk stemming from the policy, FCPA specialists say.
DOJ’s policy has raised C-suite concerns because it extends personal criminal liability to CEOs and CCOs if they certify to controls they know aren’t adequate. What’s more, DOJ could extend the same type of liability to other areas for which controls are needed, like money laundering, health care fraud and defense contractor fraud.
Is this “a harbinger for other such certifications?” Mark Rush and Nadia Brooks of K&L Gates say in their analysis of the policy.
There’s a concern the liability risk could put a chill on companies’ ability to hire CCOs. Rush and Brooks question what CCO will want to take a job at a company that could be subject to an FCPA agreement with DOJ.
Assistant Attorney General Kenneth Polite in remarks he gave in March made it clear it wasn’t DOJ’s intent to go after CEOs and CCOs, but that doesn’t mean it won’t happen.
“If there is a knowing misrepresentation on the part of the CEO or CCO, then that could certainly result in some form of personal liability,” Polite said, but the intent is only to “memorialize the company’s commitment to take its compliance obligations seriously.”
The policy was first enforced earlier this year when DOJ entered into a $1 billion FCPA settlement with global commodities trader Glencore.
Based on the way the policy was expressed in that settlement, the CEO and CCO are to certify the company’s compliance program is “reasonably designed” to prevent anti-corruption violations. The certifications are to be signed 30 days before the expiration of the deferred prosecution agreement and should be based on the executives’ review and understanding that the controls are reasonably designed.
For executives whose company operates through multiple subsidiaries in multiple countries, certifying to controls with confidence, with criminal liability hanging over one’s head, requires a daunting level of due diligence.
Is it “realistic to expect a CCO or CEO to keep tabs on compliance across their company with that level of specificity?” Rush and Gates say.
This is where the general counsel plays a role, says Michael Huneke of Hughes Hubbard & Reed.
As is common with financial reporting certifications, the general counsel should anticipate being asked to make a sub-certification that the CEO and CCO can point to as part of the basis for saying the controls are reasonably designed. That would effectively extend due diligence responsibility to the GC.
“The general counsel would then have to consider on what basis to make the sub-certification,” Huneke says in his analysis.
The general counsel should also ensure that records related to the certifications are maintained. That way, if the DOJ ends up pursuing litigation, the company can say why the controls were believed to be reasonable.
“In any prosecution, the factual record (and legal advice received) will be critical both to the prosecution and the defending officer(s), potentially leading to discovery litigation or even exposing the company to liability,” he says.
In short, even though the GC isn’t the target of the policy, the GC, for all intents and purposes, has to be engaged.
“The policy’s practical implications engage the role and responsibilities of the general counsel in critical respects, reaffirming the importance of the general counsel in compliance matters,” he says.