Pressure on business or individual? CCOs torn on DOJ certifications

Compliance professionals responding to Compliance Week’s fourth annual “Inside the Mind of the CCO” survey were asked their opinion regarding the DOJ’s new requirement CCOs certify, along with the chief executive officer, a company’s compliance program is reasonably designed and implemented to help detect and prevent violations of the law at the end of the term of an agreement with the agency. A total of 254 respondents were also asked to weigh in on the SEC’s unwillingness to implement a CCO liability framework.

Of the compliance professionals who answered the survey question, 59 percent said the DOJ’s new CCO certification requirement is a positive development for the profession. The remainder said it was not.

“I’m a little surprised at how many people said no,” said Justin Ross, CCO at FedEx, when asked for his reaction. “I think the DOJ’s new certification requirements are a positive development. The CEO must sign the document as well, which forges a partnership between the CEO and CCO.”

Earlier this year, DOJ officials including Kenneth Polite Jr., head of the agency’s Criminal Division and a former CCO himself, first announced the CCO certification requirement. The certification would be signed at the conclusion of any regulatory agreement, in many cases a deferred prosecution agreement (DPA).

In May, a CEO/CCO certification was part of Glencore International’s plea agreement with the DOJ settling violations of the Foreign Corrupt Practices Act (FCPA). In September, after Brazilian airline Gol agreed to settle FCPA violations, Polite said the DOJ would require Gol’s CCO to sign a certification at the end of the company’s DPA.

“I think the DOJ’s new certification requirements are a positive development. The CEO must sign the document as well, which forges a partnership between the CEO and CCO.”

Justin Ross, Chief Compliance Officer, FedEx

Ross noted by the time a CEO and CCO certify at the end of a corporate resolution a penalized company’s programs are reasonably designed, the document is mostly a formality.

“The process is designed to identify and work through the issues so the CEO and CCO have confidence in signing off for a corporate resolution,” he said.

Survey respondents who thought the certification was a positive development said it might elevate the profile of compliance within an organization, in terms of funding and respect.

“At smaller companies, [the certification] will help to raise the criticality and resourcing of compliance programs, the emphasis on the core functions being resourced, and reinforce the ‘seat at the table’ at larger companies where the compliance voice needs to be heard at scale with others,” said a director of compliance from the insurance industry.

The certification “puts increasing pressure on senior leadership and the board to recognize the importance of the CCO position and place it at the right level of management,” said a CCO from the healthcare industry.

Another respondent, a chief ethics and compliance officer (CECO) in the agriculture space, said, “[T]he positive development here is that compliance is being elevated in importance on par with financial statement accuracy/certification.”

Other respondents in favor of the certification had suggestions for improving the policy.

“It raises the profile and importance of compliance—we can’t just be ignored—(but) it would be better if it was mandated as part of annual reporting rather than just in response to an investigation,” said a senior compliance officer from the communications industry.

“[T]he DOJ should determine whether the CCO truly has the power to develop the appropriate compliance program to mitigate risks before punishing the CCO if there are failures,” said a government compliance officer.

Respondents who said the certification was a negative for compliance believe it is another example of “government overreach”; something that might set “unreasonable costs, standards, and liabilities”; and “a waste of time.”

“Just puts more pressure on a job with too much pressure already,” said a CCO from the healthcare space.

“As a CCO currently managing under a DPA, I already submit reports and present to the DOJ on the state of our compliance program and any disclosures that we are obligated to inform of,” one respondent from pharmaceuticals said. “Those statements are already required to be complete, accurate, and truthful. … Therefore, in my opinion, the certification requirement is meant to simply act as a scare tactic.”

Funding and compliance’s status within a company were listed as problems not solved by the policy.

“I think they should have made it a CEO certification,” said a banking CCO. “By creating it a CCO certification, in organizations where there are issues, you will find that good compliance people will not want to be CCOs.”

“The rules get more and more stringent, yet there is no additional funding for technology or staffing provided to organizations like mine,” said a CCO from a nonprofit.

“Extra requirements and extra personal responsibilities make for a frightening situation in unpredictable times,” said a compliance manager from the manufacturing industry.

“We do not have control but all risk will be on us,” feared an electronics senior compliance officer.

Multiple compliance officers representing healthcare organizations said they are already required to certify their programs as part of their contracts. Other respondents said they would have preferred a third answer option, something like yes and no.

“I’m of two minds. In one sense, more scrutiny and regulation will provide CCOs with the support they require from boards and CEOs,” said a general counsel from the banking space. “On the other side of the coin, it puts even more pressure and personal liability on CCOs when they personally have little power/control in their organizations over resource allocation and policy drivers.”

Asked whether the SEC should publish a CCO liability framework, 74 percent of respondents said yes.

“Compliance officers like certainty,” said Ross, who agreed the SEC should provide a liability framework. “We like guidelines; we like regulators telling us what they’d like us to do. Give us a standard, and we will act accordingly.”

The New York City Bar Association last year proposed a CCO liability framework for the SEC, which homed in on charging decisions made for actions that do not result from fraud or obstruction on the part of the CCO. Another proposed framework from the National Society of Compliance Professionals urged regulators to consider CCO liability more holistically, in the context of the compliance culture within a CCO’s firm.

Despite support for a CCO liability framework from individual commissioners, the SEC has not accepted either proposed framework or issued its own, frustrating the compliance community.

Survey respondents said a liability framework would help CCOs understand where the red lines are.

“CCO(s) should know to what extent they would be personally liable in case breach is discovered post-certification,” said a CECO from the construction space. “Personal liability should define the extent of both civil and criminal liability.”

“The SEC should establish its requirements so individuals know what is expected of them, instead of the SEC ruling through enforcement actions after the fact,” said a CCO working in securities.

Guidelines are always helpful, others said.

“Frameworks for various industries provide blueprints for what ‘minimum compliance’ looks like that helps to set the bar for organizational investment and program requirement validation,” said a director of compliance in insurance.