This certification requirement highlights the DOJ’s recent focus on compliance and enforcement as part of its strategy to tackle corporate crime. Indeed, the DOJ’s Corporate Enforcement Compliance and Policy unit – previously known as the Strategy, Policy and Training Unit – has recently been reformulated to better reflect its focus on compliance, including by hiring more people with in-house compliance experience. Speaking at the Association of Certified Anti-Money Laundering Specialists’ 26th Annual International Conference in March 2022, Assistant Attorney General of the DOJ’s Criminal Division Kenneth A. Polite, Jr. (who himself has in-house experience as a compliance officer) called on prosecutors to consider requiring CCOs to certify, in all DOJ corporate resolutions, that their companies’ compliance programs are “reasonably designed and implemented to detect and prevent violations of the law” and are “functioning effectively.” In addition, Polite said that in certain resolutions where companies are required to provide annual self-reports to the DOJ on the state of their compliance programs (as opposed to monitorships, where the monitor is the one submitting such reports), the DOJ will consider requiring CCOs to certify that all compliance reports submitted during the term of the resolution are true, accurate, and complete. Polite assured CCOs that these new certification requirements are not intended to be “punitive,” but rather are meant to “empower” CCOs and ensure that CCOs receive all relevant compliance-related information and can more freely voice and effectively vet their concerns with the companies’ compliance programs prior to certification. He also expressed his hope that the additional requirements will “help companies cultivate cultures that promote compliance, including such that employees feel empowered to raise issues to management, and management prioritizes ethics over profit.”
In May 2022, following months of uncertainty over how and when this new policy might be implemented, the CCO certification requirement first appeared in a billion-dollar Foreign Corrupt Practices Act (FCPA) settlement entered into between the DOJ and a large mining company. The agreement required both the CEO and CCO to make various certifications under penalty of perjury (18 U.S.C. § 1001) and a criminal obstruction statute (18 U.S.C. § 1519), including certifying that (1) “the undersigned are aware of the Company’s compliance obligations under ... the Agreement”; (2) “the Company has implemented a compliance program that meets the requirements set forth in ... the Agreement”; and (3) “such compliance program is reasonably designed to detect and prevent violations of the [applicable law] (as defined in the Agreement) throughout the company’s operations.”
Speaking at a Securities Industry and Financial Markets Association event shortly following the announcement of this settlement, Deputy Attorney General Lisa Monaco reaffirmed the DOJ’s view that requiring CCOs to sign off on these agreements would help ensure that the CCOs are “in the room” and reporting to the board directly about “what has or has not gone on in the course of fulfilling the company’s obligations.” Monaco also repeated that this policy is not meant to be a “punitive measure.” And, most recently, on June 22, 2022, Assistant Chief of the DOJ’s Fraud Section Lauren Kootman confirmed that companies can expect the CCO certification requirement to be included in every corporate resolution going forward. She also reassured CCOs that the certification requirement was not intended to increase CCO liability, but rather to ensure that CCOs have “adequate visibility and access to information” regarding the company’s business decisions and potential violations before certifying at the end of a required monitorship that the compliance program has been “reasonably designed” to detect and prevent future violations. Despite repeated reassurance from the DOJ regarding the intended scope and purpose of the CCO certification requirement – i.e., that the DOJ’s focus is on serious misconduct or intentional CCO (or CEO) malfeasance as opposed to good faith mistakes – many have criticized the “reasonably designed” language as highly subjective.
What does this mean for companies going forward?
The certification requirement will necessarily give CCOs greater oversight, control, and visibility into compliance programs because CCOs will be required to fully understand their functionality and drive the implementation and ongoing effectiveness of company policies. However, being “empowered” with additional oversight comes with its own risks, and it may expose CCOs to additional liability, which could discourage qualified CCOs from taking job opportunities with companies that are or may be under investigation or entering into agreements with the DOJ. Given that CCOs will need to take on significantly greater oversight responsibility in connection with government investigations of corporations, CCOs may seek additional indemnification or remuneration from the companies whose compliance they will oversee. The new requirement also necessitates that companies be prepared to regularly review their internal auditing, reporting, and testing procedures, as well as compliance programs more generally, to ensure that these internal controls are strengthened to meet the company’s risk profile. This regular audit to strengthen the compliance program and related procedures is even more important given the DOJ’s broad interpretation of the new standards. While the certification requirements we have seen thus far have been attached specifically to FCPA cases, this may foreshadow future action by the DOJ to require similar certifications in other cases where a company’s compliance policies are at the heart of a resolution, including matters involving the enforcement of sanctions, export controls, and foreign investment reviews, among others. In those matters, it is not uncommon for the DOJ and other agencies to scrutinize and place demands on companies’ existing internal policies. Enforcement agencies in such cases may view certification requirements similar to the above as a natural extension of their approach to settlement and resolution of violations.
In light of this new certification requirement, companies should be prepared for the possibility that any interaction with the DOJ could result in a probe of the company’s compliance programs and related internal controls generally. Should the DOJ contact the company, whether through a subpoena or an informal inquiry, it is imperative that the company engage outside counsel to mitigate any potential exposure to the company. Although the certification requirement suggests a shift in how the DOJ may want to resolve investigations with corporate entities, this should not rule out the prospect that experienced outside counsel could negotiate a resolution without the execution of a CCO certification. Given the DOJ’s increased focus on corporate governance, large organizations in heavily regulated industries should also consider retaining outside counsel to lead a privileged enterprise risk assessment intended to analyze the company’s risk profile against the company’s existing compliance program. Conducting a proactive assessment in this manner would allow the company to protect any conclusions from disclosure to the government or other third parties and, most importantly, ensure that the company implements any necessary improvements such that, if necessary, the company’s CCO could attest that the company’s compliance program is “reasonably designed to detect and prevent violations of the [applicable law].”
Client Alert 2022-180