Legal and Regulatory Basis for Compliance Programs
Alan S. Gutterman
_______________
§1 Legal environment for business activities
In today’s business world, all companies, regardless of their size, business model and
scope of activities, are required to understand and comply with a plethora of laws and
regulations, including:
• Common law legal relationships with employees, creditors, and landlords;
• Various licensing requirements imposed by federal, state, and local governments;
• Intellectual property rights;
• Employment laws (e.g., harassment, discrimination and immigration laws) and
applicable human resources policies;
• Federal and state tax laws and regulations, including the reporting obligations
imposed under such laws;
• Domestic and foreign laws regulating technology transfers and the form and content
of many common commercial relationships;
• Federal and state statutes relating to antitrust and unfair competition;
• Federal and state laws regulating commercial and consumer transactions;
• Federal and state environmental laws and regulations;
• Federal and state health and safety laws;
• Federal and state laws relating to privacy and data security;
• Federal and state securities laws and governance rules and regulations and
requirements of national securities exchanges in the case of public companies;
• Domestic and foreign laws relating to cross-border business activities (e.g., laws and
regulations pertaining to exports, imports, bribery and compliance with foreign
boycotts);
• Laws and regulations relating to conducting business with the federal government and
acting as a “government contractor”;
• Federal and state laws relating to conflicts of interest, working with government
officials, lobbying and political activities (e.g., contributions);
• Internal accounting and financial controls to reduce theft and facilitate accurate
disclosures and financial reporting; and
• Federal and state statutes relating to consumer protection and other matters.
These requirements apply regardless of whether the business is operated as a
proprietorship, a partnership, a limited liability company, or a corporation and also apply
to non-profit organizations. Moreover, each form of legal entity available for use by an
organization has its own set of rules regarding formation and internal operations that
must be followed in order to gain the legal benefits from the use of the entity. For
example, in order for the shareholders of a corporation to take advantage of the limited
liability offered through the use of the corporate form, they must observe certain
governance procedures and operational formalities.
Most case law and practical guidance regarding compliance and governance has been developed with respect to corporations, particularly corporations with securities traded in the public markets (i.e., “public companies”); however, compliance is relevant to every type of legal entity, and it can be expected that specific rules will emerge that take into account the legal principles that apply to general and limited partnerships, limited liability companies, non-profit organizations and other types of entities recognized by statute or under common law. Since the corporation has long been the dominant form of legal entity for organizations involved in business activities, the discussion in this chapter often refers to the board of directors and its committees formed to oversee audit and compliance issues as well as to the shareholders who are the owners of a corporation. However, the principles in this chapter can and should be adapted to other forms of legal entity (e.g., the board of managers of a manager-managed limited liability company has duties and responsibilities similar to those of the board of directors of a corporation). Similarly, well-known principles of “corporate governance” are also applicable to non-corporate entities.[1]
While it is impossible to generalize, it is commonplace for growth-oriented companies to
have compliance programs covering employment law matters (e.g., sexual harassment,
employee discrimination and immigration laws), antitrust, securities laws, intellectual
property and government contracting. With respect to international compliance areas, the
scope of the programs to be implemented by a specific company will generally be
determined by the particular international laws that are most relevant in its industry as
well as the specific foreign countries in which the company has material business
activities. For most companies this means that formal global compliance should begin
with programs covering Export Administration Regulations, including export controls
and licenses and anti-boycott regulations; the Foreign Corrupt Practices Act; sanctions
programs approved by Congressional action and resolutions of the United Nations and
administered by the Office of Foreign Assets Control; and import laws under Customs
statutes and regulations.
§2 Legal needs of technology-based companies
While the list of legal categories above is helpful and illustrative, the specific legal
environment for a particular company, which determines the areas that are most
important in designing a framework for complying with applicable laws and regulations,
will depend on the activities of the company and the resources that the company relies
upon in order to execute its strategy. For example, a list of the major categories of legal
needs for larger technology-based companies (i.e., companies that rely heavily on
proprietary technology for creating innovative products and processes that afford them a
competitive advantage) would include the following:
[1] For further discussion of the corporate governance responsibilities of corporate directors and officers, see “Governance: A Library of Resources for Sustainable Entrepreneurs” prepared and distributed by the Sustainable Entrepreneurship Project (www.seproject.org).
• Management of existing intellectual property assets and establishment of strategies
and procedures for creating and protecting new assets;
• Compliance with environmental, product testing, health, and safety regulations,
including new “green” initiatives;
• Employment-related issues including compliance with applicable federal and state
employment laws;
• Federal securities laws including laws such as the Sarbanes-Oxley Act of 2002 which
specifically address compliance issues for public companies;
• International operations including compliance with export/import law requirements;
• Privacy and data security laws and industry guidelines;
• Accounting and financial reporting requirements;
• Regulations pertaining to e-commerce; and
• Litigation and e-discovery.
§3 Challenges of changing legal environments
In the past several years increased emphasis has been placed on international operations,
as more companies are pushed into global business activities, and e-discovery. The
application of so-called “corporate governance” principles has also expanded to cover
many private companies (i.e., companies other than companies with publicly-traded
securities) including organizations in the non-profit sector. E-discovery and privacy and
data security laws are generally quite a mystery and surprise to executives, and each
expansion into new foreign markets typically leads to unforeseen challenges that are not
always planned for in advance. For example, the lack of speed and expected costs
associated with obtaining business licenses in new foreign markets often upsets even the
best strategic plan for launching new activities in those markets. Another problem is
attempting to enforce legal rights in foreign courts. The scope, complexity, and costs of
litigation continue to rise even as the economy remains flat, and litigation generally takes
up a larger percentage of the resources allocated to the legal needs of many companies.
Another complicating factor is that the legal environment for a company is not fixed and laws
are continually changing along with the risk profile associated with the evolving business
activities of the company. In addition to the compliance programs discussed in this
chapter, companies must establish and continuously maintain risk assessment programs
that facilitate identification and management of the material business risks faced by the
company. Any such assessment must address all of the threats to management’s ability
to achieve the organizational objectives, including threats in the areas of operations,
financial reporting, and compliance with laws and regulations. The process of risk
assessment includes identifying the risks, estimating the significance of the risks, and
then selecting methods to manage them. Auditors and others have identified a number of
factors that they consider strong indications of increased financial risk. Therefore,
management should be aware of their existence and increase its control mechanisms
when the following factors exist: changes in the company’s regulatory or operating
environment; changes in personnel; new or revamped information systems; rapid growth
of the company; changes in technology affecting production processes or information
systems; new business models, products, or activities; restructurings; expansion or acquisition of foreign operations; and adoption of new accounting principles or changing accounting principles.[2]
§4 Processes for tracking new legal developments
An important element of any compliance program is establishing processes for keeping
track of new developments in those areas of law and regulation that are specifically
applicable to activities of the company. Information on new cases and statutes can be
obtained in online publications from leading law firms. In addition, national, state and
local bar associations regularly put on programs and distribute publications. For
example, attorneys and others involved in compliance activities can attend live and online
presentations covering all aspects of intellectual property rights, licensing arrangements,
strategic technology alliances and creation and maintenance of compliance programs.
Another source of information is industry-specific publications and programs that are
made available by non-legal sources that specialize in providing content to executives.
Courses are offered by major universities as part of their executive education programs
and for-profit firms publish magazines and create and manage extensive curriculum for
working professionals. For example, CIO magazine serves chief information officers and
other information technology professionals and provides them with programs, research
reports and newsletters.
§5 Advantages and challenges of compliance programs
The penalties for failing to comply with laws and regulations can be significant and often
can ruin a company and the careers of the persons involved in the misconduct. For
example, criminal sanctions may include fines, probation, and remedial action, including
restitution, community service, and notice to victims. Civil penalties can also be
substantial and may include treble damages and the additional costs of litigation. Added
to all of this is the damage to the company’s reputation and employee morale, and
additional scrutiny from government investigators. Finally, companies that have been
found to have violated laws in government investigations may be exposed to shareholder
lawsuits, loss of business partners, and debarment from government contracting.
In order to fulfill their obligations and avoid the costs associated with violations, all
companies should be admonished to adopt and aggressively implement compliance
programs in a wide range of areas. Compliance programs are important even for
companies that honestly believe they are acting in a lawful fashion, since these programs
are probably the best way to establish formal policies and procedures that can guide the
actions of employees and institutionalize regular assessment of actual practices.
Moreover, the existence of a formal compliance program that is actually followed can be
an important factor in reducing the liability of the company in the event that a problem
arises in spite of the controls that have been put in place.
[2] For further discussion of risk assessment procedures, see “Risk Assessments” in “Compliance: A Library of Resources for Sustainable Entrepreneurs” prepared and distributed by the Sustainable Entrepreneurship Project (www.seproject.org).
§6 --Legal and business advantages of compliance programs
While establishing and maintaining a compliance program is a time-consuming and often
expensive project, there are clearly significant legal and business advantages to the
company. Compliance programs can be used to educate employees and set standards for
acceptable conduct in all the company’s operations around the world. There also seems
to be a direct link between companies that score high on integrity factors and those that
perform well financially. According to one study, five companies generally perceived as
having strong integrity (i.e., General Electric, IBM, Microsoft, Toyota and Wal-Mart)
were the same ones that topped the list of companies that created the most value for their
shareholders. Other studies focusing generally on corporate governance, of which
compliance is an important element, have verified that companies with the best
governance practices tend to be relatively more profitable, more valuable and offer their
shareholders a higher return on their investment.
The costs of failing to establish and maintain adequate compliance programs and
procedures can be substantial. For example, violations of United States export controls
can lead to criminal prosecution, arrest, extradition and severe monetary penalties. The
failure to follow United States customs laws and regulations can result in significant
adverse consequences, including seizure of merchandise under various circumstances,
assessment of civil penalties in an amount up to the domestic value of the imported
merchandise for any material misstatements or omissions or actions in connection with
the importation of merchandise into the United States, and even criminal sanctions for
certain violations. It has been estimated that there are more than 300,000 federal
regulations subjecting companies to criminal liability, and that, on average, 400
companies have annually been subjected to federal indictments since 1990, including
10% of the Fortune 500 companies. This is a tenfold increase from the 1980s. Moreover,
criminal fines have increased dramatically in recent years from an average of $50,000 in
the 1980s to millions of dollars.
In light of these monetary risks, compliance programs can have substantial value because
they substantially reduce the risk that companies will engage in unlawful activities.
Moreover, several federal agencies have declared that adoption of formal company-wide
compliance programs can be useful evidence of the good-faith attempts by management
of those companies to educate employees and establish the desired “compliance culture.”
Companies that have created and followed compliance programs are better able to defend
against enforcement actions by federal prosecutors by arguing that the company did in
fact use reasonable care in complying with the law and that the actions of the company
did not reach the level of "willfulness" required to be proven for certain criminal
convictions. For example, the United States Department of Commerce and the United
States Customs and Border Protection both recognize the existence of a compliance
program as a factor to be taken into account with respect to mitigation of penalties. Also,
the federal Sentencing Guidelines, described below, endorse reduction of criminal
sentences in cases where an effective compliance program is in place. Compliance
programs are also an important part of settlements with federal agencies, and
corporations that have run into problems as a result of a government investigation have
been able to resolve them by agreeing to bolster their compliance function and allow
outside experts to audit existing controls and make recommendations to the board of
directors and its audit committee with respect to improvements.
Confirming the importance of compliance, the Conference Board, an international
organization that periodically reports on management and markets, found that companies
are increasing their supervision of compliance, including ethics. Since 1987, when it first
looked at corporate ethics programs and the involvement of the board of directors in their
design, implementation and monitoring, the percentage of boards and the extent of their
involvement have steadily increased, both domestically and internationally. They have
also gone beyond “narrow, reactive” programs to pro-active programs with deep
institutional roots. The driving forces behind this increasing emphasis on compliance
programs are the recent corporate scandals, as well as the new standards adopted by
regulatory agencies such as the Securities and Exchange Commission, which are
described below. More specifically, the Conference Board found that, between 1987 and
1998, the percentage of survey participants indicating their directors participated in
drafting a corporate code of ethics has increased from 21% to 78%. Also during this
period, the make-up of the participants changed dramatically—most respondents in 1987
were United States companies, but fewer than half were in 1998. This underscores that
the issue is not just one for companies in the United States, but applies to all companies
wherever they are operating. In addition, in the United States it is not just publicly traded
companies with compliance programs, but even those not listed (97% of those traded
versus 93% of those not publicly traded).
§7 --Risks and challenges of compliance programs
While the advantages of adopting a compliance program outweigh the costs associated
therewith, there are nonetheless some real risks and challenges that must be recognized
and addressed before moving forward. One practical problem is making sure that
employees take the program seriously since adopting a program that is not followed can
be worse than not having any rules at all. Employees may feel that, having adopted the
program, they can put it behind them, move on and forget it. Ongoing education and
monitoring will be critical to avoiding this problem. A second risk, known as the
“litigation dilemma,” is less easily avoided. This refers to the danger that the company
may discover illegal activities while creating the compliance program, and that any
materials referring to or describing such activities may be subject to discovery. Even if
such materials are collected through attorneys and possibly covered by the attorney-client
privilege, government agencies are likely to insist on a waiver of such privileges and
demand cooperation with government investigations as part of any settlement
negotiations. In light of these difficult issues, it is not surprising that compliance and
corporate governance has emerged as a new and rapidly growing specialty within the
legal community.[3]
[3] For further discussion of governance issues and related programs and procedures, see “Governance: A Library of Resources for Sustainable Entrepreneurs” prepared and distributed by the Sustainable Entrepreneurship Project (www.seproject.org).
Despite the mounting evidence in favor of implementing compliance systems, senior
executives must still examine the tradeoff between investing resources on prevention and
the expected value of liability to the company in the event that something actually goes
wrong. This is particularly true when a company is just starting up and financial resources
are tight. There are executives who are unwilling to support a large legal budget to cover
a wide range of compliance issues and micromanage every contract because they believe
that the chances of an issue coming up are small, and they will simply address the
problem at that time. On the other hand, executives of public companies have learned the
hard way in recent years that money must be spent on internal controls and compliance.
Notable examples include accounting issues that have caused companies to restate
earnings and endure strong criticism in the financial markets and scandals relating to
backdating of stock options and illegal payments to agents of foreign governments.
§8 Judicial and regulatory guidance on effective compliance programs
Compliance programs are generally discussed, and adopted, in the context of the
fiduciary duties in the corporate context which flow from the directors and officers to the
shareholders. Thus, it is not surprising that commentators and courts have turned to
principles of duty and care in analyzing legal compliance programs. Courts have also
begun to recognize the importance of guidance from governmental agencies, such as the
Federal Sentencing Guidelines for Organizational Defendants, and the opportunity that
compliance with such guidelines offers with respect to reducing potential liability for
companies and their managers. Therefore, one can expect to see courts examining
whether compliance procedures, programs and other techniques have been implemented
to determine if those serving in fiduciary capacities have acted diligently. When
evaluating the compliance procedures for a particular company courts can now also refer
to very specific guidelines that have been announced by regulatory agencies as well as to
commentaries prepared and disseminated by professional organizations such as the
American Law Institute. Finally, information that may be relevant to establishing a
compliance program can be gleaned from federal laws such as the Sarbanes-Oxley Act of
2002 and the listing requirements of the major securities exchanges.
§9 --ALI principles of corporate governance
The Principles of Corporate Governance promulgated by the American Law Institute ("ALI") in 1994 (“ALI Principles”) represent a comprehensive effort to evaluate and summarize some of the major legal standards applicable to corporate governance. Under the ALI Principles, a corporation "[i]s obligated, to the same extent as a natural person, to act within the boundaries set by law."[4] The managers of the corporation are obligated to direct the activities of the corporation within these boundaries.[5] In addition to an obligation not to knowingly cause employees of the corporation to violate the law, directors and officers have duties to establish effective legal compliance systems to ensure that activities of the corporation are generally conducted lawfully and that illegal aberrations in corporate operations are detected and stopped.[6] While legal compliance in day-to-day corporate operations need not be overseen directly by corporate directors and officers, they must act responsibly in delegating monitoring duties concerning legal compliance and must react affirmatively once they receive evidence that compliance programs are not operating properly.[7] Actions and decisions by directors and officers with respect to determining the need for, and the appropriate scope of, a legal compliance system will be judged under the "business judgment rule," which will protect such individuals if they have undertaken reasonable fact gathering and evaluation prior to making a decision about the adequacy of legal compliance systems.[8]
[4] ALI Principles § 2.01(b)(1).
[5] ALI Principles § 4.01(a) (Comment d to § 4.01(a), first paragraph).
§10 --Judicial trends: Caremark case
In re Caremark International, Inc. Derivative Litigation[9] involved a shareholder action brought against the directors of Caremark International Incorporated to recover fines paid by Caremark for illegal activities that occurred while the directors were in office. Federal prosecutors had charged Caremark, a health care provider, with violating federal laws by paying doctors and hospitals to refer Medicare and Medicaid patients. The company subsequently pleaded guilty to mail fraud and paid $250 million in fines and restitution. Indignant shareholders immediately began filing lawsuits to recover the corporation's losses.[10] They did not claim that the directors were themselves involved in any wrongdoing; however, they argued that the directors should be liable for what amounted to a breach of their fiduciary duty of care by failing to properly supervise employees of the corporation and implement legal compliance programs which, if present, would have prevented the activities that resulted in the fines.[11] The Delaware Chancery Court was called upon to review proposed settlement terms for fairness. Technically, Caremark is not a “holding” and the case does not, as a matter of law, establish standards that must be followed by the board of directors in order to avoid liability. However, it is certainly illustrative of the direction that the law seems to be taking with regard to good corporate practice.
In the Caremark case, the chancellor explained that directors of Delaware corporations may, in fact, be subject to personal liability for losses suffered by the corporation arising out of employee misconduct if the directors fail “to attempt in good faith to assure that a corporate information and reporting system [aimed at detecting misconduct] … exists” and is adequate for this purpose.[12] The information and reporting system must be “reasonably designed to provide [senior managers and board members with] timely, accurate information sufficient to allow management and the board … to reach informed judgments concerning both the corporation's compliance with law and its business performance.”[13]
[6] ALI Principles § 4.01 (Comment c to § 4.01(a)(1)-(2)).
[7] ALI Principles § 4.01 (Comment b to § 4.01(b)).
[8] ALI Principles § 4.01(c).
[9] In re Caremark Intern. Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996).
[10] Id. at 960–65.
[11] Id. at 966.
[12] Id. at 970.
[13] Id.
In order for a plaintiff to prevail against directors, it must be shown that there has been a “sustained or systematic failure … to exercise reasonable oversight.”[14] Directors might be vulnerable where there has been “an utter failure to attempt to assure a reasonable information and reporting system exists”[15] or where, after a violation or weakness in the legal compliance program has been discovered, the directors fail to investigate the situation and determine in good faith that the “information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner as a matter of ordinary operations.”[16]
In the Caremark case, the chancellor's review of the proposed settlement included a comparison of the proposed terms to the likely result had the case proceeded to trial. He found that, based on the particular facts of the case, the plaintiffs' case was “extremely weak.”[17] He based this conclusion on findings that the directors had given some attention to legal compliance programs before the fraudulent activities occurred and had also reacted quickly to improve the company's compliance procedures once the employees' misconduct was discovered. In Caremark, the chancellor approved a settlement which included no monetary liability for the defendant directors, but Caremark was required to pay the attorney fees of the plaintiffs and make further specified changes in its compliance procedures.[18]
The standard established in the Caremark case regarding the compliance oversight duties and potential liability of directors has generally been upheld in subsequent cases. For example, in the In Re Citigroup litigation, the Delaware Chancery Court made it clear that in order for the plaintiffs to establish a claim against the directors for breach of their compliance oversight duties, a demonstration must be made “that the directors knew they were not discharging their fiduciary obligations or that the directors demonstrated a conscious disregard for their responsibilities, such as by failing to act in the face of a known duty to act”.[19] The use of the words “conscious disregard” implies intentional conduct and the need for a showing of “bad faith” on the part of the directors, and this means that the plaintiffs must prove that “(a) the directors utterly fail to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously fail to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention”.[20] As an aside, the decision in the In Re Citigroup litigation is interesting in that the Delaware Chancery Court not only affirmed the Caremark case holding but also refused to extend the possibility of personal liability for directors to situations where the directors failed to predict the future and properly evaluate business risks such as the meltdown of financial markets that wiped out Citigroup’s investment portfolio.[21]
[14] Id. at 971.
[15] Id.
[16] Id. at 970.
[17] Id. at 971.
[18] Id. at 972.
[19] In re Citigroup Inc. Shareholder Derivative Litig., 964 A.2d 106 (Del. Ch. 2009).
[20] Id.
[21] Id.
§11 --Government agency guidelines and policies
Either as a matter of internal policy or in response to specific requirements included in
legislative actions, many government agencies have issued compliance guidelines.
Among the most detailed rules issued by any regulatory agency are those issued from
time-to-time by the Department of Justice, including the policy statements regarding the
factors that federal prosecutors should consider in deciding whether to pursue criminal
charges against a corporation. These policy statements, prepared in the form of a
memorandum, are generally given names based on the names of their authors, with the
most recent being the Holder Memo issued in 1999
22
, the Thompson Memo issued in
2003
23
, the McNulty Memo issued in 2006
24
, and the Filip Memo issued in 2008
25
. Each
new Memo supersedes the previous policy statement and includes elements of prior
statements and new guidance intended to address particular issues. For example, the
Thompson Memo's advice to prosecutors to consider waiver of privilege, and whether or
not the corporation advanced counsel fees to its employees, generated a substantial
amount of controversy and the changes in both the McNulty Memo and Filip Memo were
intended to address concerns regarding those issues and update policy in other areas.
26
The Filip Memo, which was announced on August 28, 2008 and officially entitled
“Principles for Federal Prosecution of Business Organizations”, was similar in many
ways to previous policy statements. The Filip Memo was noteworthy for the approach it
took regarding several controversial issues including whether or not waiver of the
attorney-client or work product privilege is a condition to cooperation credit for a
corporate target. In addition, while not discussed in detail in this chapter, the Filip Memo
also addressed other concerns about Department of Justice policies that had been
festering for some period of time including clarification that prosecutors would not
consider the following in evaluating cooperation: whether a corporation has advanced
attorney's fees to its employees (or provided counsel to employees at the expense of the
corporation); or whether a corporation has entered into a joint defense, common interest
or similar agreement.[27]

[22] See Memorandum, Bringing Criminal Charges Against Corporations (June 16, 1999), available at
http://www.usdoj.gov/criminal/fraud/policy/Chargingcorps.html.
[23] See Memorandum, Principles of Federal Prosecution of Business Companies (Jan. 20, 2003), available at
http://www.usdoj.gov/dag/cftf/corporate_guidelines.html.
[24] See Memorandum, Principles of Federal Prosecution of Business Organizations (Dec. 12, 2006),
available at http://www.usdoj.gov/dag/cftf/corporate_guidelines.html.
[25] See www.usdoj.gov/opa/documents/corp-charging-guidelines.pdf. See also the Justice Department's
press release at www.usdoj.gov/opa/pr/2008/August/08-odag-757.html. The Guidelines can also be found
at Title 9, Chapter 9-28.000: Principles of Federal Prosecution of Business Organizations.
[26] For further discussion of the issues and concerns relating to waiver of attorney-client and work product
privileges in the context of a government investigation, see “Internal Investigations” in “Compliance: A
Library of Resources for Sustainable Entrepreneurs” prepared and distributed by the Sustainable
Entrepreneurship Project (www.seproject.org).
[27] For discussion of the impact of the Filip Memo on internal investigations, see “Internal Investigations” in
“Compliance: A Library of Resources for Sustainable Entrepreneurs” prepared and distributed by the
Sustainable Entrepreneurship Project (www.seproject.org).
The Filip Memo listed nine factors that prosecutors would be expected to take into
account in reaching a decision as to the proper treatment of a corporate target[28]:
(1) The nature and seriousness of the offense, including the risk of harm to the public,
and applicable policies and priorities, if any, governing the prosecution of
corporations for particular categories of crime;
(2) The pervasiveness of wrongdoing within the corporation, including the complicity
in, or the condoning of, the wrongdoing by corporate management;
(3) The corporation's history of similar misconduct, including prior criminal, civil,
and regulatory enforcement actions against it;
(4) The corporation's timely and voluntary disclosure of wrongdoing and its
willingness to cooperate in the investigation of its agents;
(5) The existence and effectiveness of the corporation's pre-existing compliance
program;
(6) The corporation's remedial actions, including any efforts to implement an
effective corporate compliance program or to improve an existing one, to replace
responsible management, to discipline or terminate wrongdoers, to pay restitution,
and to cooperate with the relevant government agencies;
(7) Collateral consequences, including whether there is disproportionate harm to
shareholders, pension holders, employees, and others not proven personally culpable,
as well as impact on the public arising from the prosecution;
(8) The adequacy of the prosecution of individuals responsible for the corporation's
malfeasance; and
(9) The adequacy of remedies such as civil or regulatory enforcement actions.
The Filip Memo noted that compliance programs are established by corporate
management to prevent and detect misconduct and to ensure that corporate activities are
conducted in accordance with applicable criminal and civil laws, regulations, and rules.
While the Department of Justice encourages such corporate self-policing, including
voluntary disclosures to the government of any problems that a corporation discovers on
its own, the Filip Memo noted that the existence of a compliance program is not
sufficient, in and of itself, to justify not charging a corporation for criminal misconduct
undertaken by its officers, directors, employees, or agents.[29] A compliance program must
be “effective”, and while this does not mean that the program must prevent all criminal
activity by a corporation's employees, it must be adequately designed for maximum
effectiveness in preventing and detecting wrongdoing by employees, and corporate
management must be enforcing the program rather than tacitly encouraging or pressuring
employees to engage in misconduct to achieve business objectives.
The Filip Memo noted that while the Department of Justice has no formulaic
requirements regarding corporate compliance programs it should be expected that
prosecutors will ask the following fundamental questions: “Is the corporation's
compliance program well designed? Is the program being applied earnestly and in good
faith? Does the corporation's compliance program work?” In answering these questions,
the prosecutors must consider the comprehensiveness of the compliance program; the
extent and pervasiveness of the criminal misconduct; the number and level of the
corporate employees involved; the seriousness, duration, and frequency of the
misconduct; and any remedial actions taken by the corporation, including, for example,
disciplinary action against past violators uncovered by the prior compliance program, and
revisions to corporate compliance programs in light of lessons learned. Prosecutors are
also urged to consider the promptness of any disclosure of wrongdoing to the government
and whether the corporation has established corporate governance mechanisms that can
effectively detect and prevent misconduct. For example, indicators of an effective
program include evidence that the corporation's directors exercise independent review
over proposed corporate actions rather than unquestioningly ratifying officers'
recommendations; that internal audit functions are conducted at a level sufficient to
ensure their independence and accuracy; and that directors have established an
information and reporting system in the organization reasonably designed to provide
management and directors with timely and accurate information sufficient to allow them
to reach an informed decision regarding the corporation's compliance with the law.[30]

[28] Title 9, Chapter 9-28.300.
[29] Title 9, Chapter 9-28.800.
Finally, a compliance program that is merely a “paper program” will not mitigate the
culpability of a corporation and credit will only be given to programs that are designed,
implemented, reviewed, and revised, as appropriate, in an effective manner. In
determining whether this standard has been achieved prosecutors should take into
account whether the corporation has provided for a staff sufficient to audit, document,
analyze, and utilize the results of the corporation's compliance efforts and whether the
corporation's employees are adequately informed about the compliance program and are
convinced of the corporation's commitment to it.
In September 2015, Deputy Attorney General Sally Quillian Yates announced a policy
that appeared to signal that the Department of Justice would proceed more aggressively
in targeting individuals involved in corporate wrongdoing. The announcement, referred
to as the “Yates Memo”[31], is seen as an extension of the previous memos and, in fact, the
Principles and other sections of the U.S. Attorney’s Manual were to be revised and
updated to include the following “six key steps” from the Yates Memo:
• In order to qualify for any cooperation credit, corporations must provide to the DOJ
all relevant facts relating to the individuals responsible for the misconduct;
• Criminal and civil corporate investigations should focus on individuals from the
inception of the investigation;
• Criminal and civil attorneys handling corporate investigations should be in routine
communication with one another;
• Absent extraordinary circumstances or approved departmental policy, the DOJ will
not release culpable individuals from civil or criminal liability when resolving a
matter with a corporation;
• DOJ attorneys should not resolve matters with a corporation without a clear plan to
resolve related individual cases, and should memorialize any declinations as to
individuals in such cases; and
• Civil attorneys should consistently focus on individuals as well as the company and
evaluate whether to bring suit against an individual based on considerations beyond
that individual's ability to pay.

[30] The Filip Memo draws upon, and includes citations to, both USSG § 8B2.1 and In re Caremark Intern.
Inc. Derivative Litigation, 698 A.2d 959, 968–70 (Del. Ch. 1996). For further discussion of the role of
directors in establishing and administering corporate governance mechanisms, including effective
compliance programs, see “Governance: A Library of Resources for Sustainable Entrepreneurs” prepared
and distributed by the Sustainable Entrepreneurship Project (www.seproject.org).
[31] http://www.justice.gov/dag/file/769036/download
While the increased focus on individual culpability has been long-awaited, it remains
unclear what the actual impact of the Yates Memo will be on internal investigations.
There are concerns that lower-level personnel may feel pressured to provide government
investigators with what they want as opposed to facts that might be less helpful to
investigators and that higher-level officials will be less cooperative due to fears of
potential individual liability. There are also worries about how the Department of Justice
may go about its stated goal to “fully leverage its resources”. However, the Yates Memo
does make it more important than ever for corporations and their agents (i.e., executives
and all other personnel involved with compliance activities) to implement procedures that
ensure that the corporation responds proactively to inquiries from the Department and is
able to develop a thorough presentation of the relevant facts. Among other things,
corporations are advised to update their ethics and compliance programs, particularly
training activities and the procedures for reporting actual and potential violations;
reiterate and reinforce support of the executives for compliance activities, including an
assessment of the current adequacy of compliance resources; ensure that there is a rapid
response by executives to problems that are brought to their attention; and require that all
activities relating to a response to a compliance issue are well documented in order to
demonstrate to the Department that the corporation has acted in good faith to behave ethically
and to comply with its obligations to respond fully to the Department’s inquiries.
Other federal agencies that have promulgated guidelines and policies touching on
compliance programs include the Department of Defense, the Department of Health and
Human Services, and the Securities and Exchange Commission. For example, Defense
Federal Acquisition Regulations System (“DFARS”) Subpart 3.10 establishes policies
and procedures for the establishment of contractor codes of business ethics and conduct,
and display of agency Office of Inspector General (OIG) fraud hotline posters. In
general, contractors will be required to conduct themselves with the highest degree of
integrity and honesty.[32] In order to be sure that a contractor will achieve these objectives,
it should have a written code of business ethics and conduct. In addition, to promote
compliance with such code of business ethics and conduct, contractors should have an
employee business ethics and compliance training program and an internal control system
that are suitable to the size of the company and the extent of their involvement in
Government contracting; facilitate the timely discovery and disclosure of improper
conduct in connection with Government contracts; and ensure corrective measures are
promptly instituted and carried out.[33]

[32] DFARS Subpart 3.1002(a).
The Office of Inspector General of the Department of Health and Human Services issued
a “model compliance plan for clinical laboratories” which includes the following
elements[34]:
• Written standards of conduct for employees;
• The development and distribution of written policies that promote the laboratory's
commitment to compliance and that address specific areas of potential fraud, such as
billing, marketing and claims processing;
• The designation of a chief compliance officer or other appropriate high-level
corporate structure or official who is charged with the responsibility of operating the
compliance program;
• The development and offering of education and training programs to all employees;
• The use of audits and/or other evaluation techniques to monitor compliance and
ensure a reduction in identified problem areas;
• The development of a code of improper/illegal activities and the use of disciplinary
action against employees who have violated internal compliance policies or
applicable laws or who have engaged in wrongdoing;
• The investigation and remediation of identified systemic and personnel problems;
• The promotion of and adherence to compliance as an element in evaluating
supervisors and managers;
• The development of policies addressing the non-employment or retention of
sanctioned individuals;
• The maintenance of a hot line to receive complaints and the adoption of procedures to
protect the anonymity of complainants; and
• The adoption of requirements applicable to record creation and retention.
Not surprisingly, given the recent flood of civil and criminal actions against senior
executives of public companies for violations of law, the Securities and Exchange
Commission (“SEC”) has been very active in drafting and circulating pronouncements
that strongly recommend compliance programs and procedures. For example, the SEC
has opined on the oversight duties of directors in the context of proceedings relating to
alleged deficiencies in disclosures made by publicly traded companies, noting that
directors have an affirmative duty and obligation to keep the shareholders informed, on a
timely basis, of material facts concerning the basic operations of the company, and to
assure that the public is provided with accurate and full disclosures about the company's
operation; directors have an affirmative duty to keep themselves informed of
developments within the company and to seek out the nature of corporate disclosures to
determine if adequate disclosures are being made; directors may not rely on management
to make required disclosures and on company counsel to advise when disclosures are
required; and directors have a need for adequate, regularized procedures under the overall
supervision of the board to ensure that proper disclosures are being made. Such
procedures could include a functioning audit committee with authority over disclosure
matters or any other procedure that involves the board of directors in a meaningful way in
the disclosure process.[35] This opinion has been substantially enhanced by the enactment
of the Sarbanes-Oxley Act of 2002 and the related rules and regulations from the SEC
and the NASDAQ and the New York Stock Exchange, which are described below.[36]

[33] DFARS Subpart 3.1002(b).
[34] See Publication of OIG Compliance Program Guidance for Clinical Laboratories, 63 Fed. Reg. 45076-03
(Aug. 24, 1998).
§12 --Sarbanes-Oxley Act of 2002 and exchange listing requirements
The federal Sarbanes-Oxley Act of 2002 (“SOX”) contains many provisions that are
relevant to the design, implementation and enforcement of a compliance program. For
example, SOX § 406 and SEC implementing regulations require public companies to
disclose whether they have adopted written codes of ethics applicable to principal
executive officers, principal financial officers, principal accounting officers or
controllers, or persons performing similar functions.[37] Companies that have not adopted
such codes of ethics must disclose the reason for not doing so. The disclosures must
appear in the company’s annual report. Companies changing or waiving any portion of
their codes must disclose the action within five business days of the event on Form 8-K,
which is filed with the SEC.[38] The practical effect of these rules since SOX became
effective has been to force most public companies to adopt and publish written codes of
ethics and detailed statements of conduct standards for their executives, managers,
employees and agents.
SOX also contains three sections concerning whistleblowers. First, under SOX § 301 and
Securities Exchange Act Rule 10A-3, the audit committee must establish procedures for
the receipt and handling of any complaints about accounting, internal controls or auditing
matters.[39] The procedures must allow employees to submit anonymous complaints.
Second, SOX § 806 prohibits companies from taking adverse employment action against
employees who provide information to a supervisor, federal agency or Congress
regarding violations of SOX, any SEC rule, or federal law regarding shareholder fraud.[40]
Finally, according to SOX § 1107, employers can be assessed criminal sanctions for
intentionally retaliating against employees who provide truthful information to law
enforcement officers regarding possible commission of federal offenses.[41] All of these
provisions must be taken into account in creating and implementing a compliance
program.

[35] See Report of Investigation in the Matter of National Telephone Co., Inc. Relating to Activities of the
Outside Directors of National Telephone Co., Inc., SEC Release No. 34-14380 (Jan. 16, 1978).
[36] The SEC released an enforcement manual, thereby providing securities lawyers with a valuable tool in
representing their clients in SEC investigatory proceedings. See SEC Division of Enforcement,
Enforcement Manual (2008), www.sec.gov/divisions/enforce/encorcementmanual.pdf. For further
discussion see J. Masella III and R. Cronin, “The SEC Enforcement Manual—An aid to combat SEC
investigations”, Business Law Today (March/April 2009), 51.
[37] Final Rule: Disclosure Required by Sections 406 and 407 of the Sarbanes-Oxley Act of 2002, available at
http://www.sec.gov/rules/final/33-8177.htm.
[38] The NYSE and Nasdaq rules, adopted by the SEC in 2003, also require listed companies to adopt and
disclose codes of business conduct. See NASD and NYSE Rulemaking: Relating to Corporate
Governance, SEC Release No. 34-48745 (Nov. 4, 2003).
[39] 15 U.S.C.A. § 78j-1(m)(4).
[40] 18 U.S.C.A. § 1514A.
[41] 18 U.S.C.A. § 1513.
§13 --Federal sentencing guidelines
One of the motivating forces behind the adoption of a legal compliance program is the
Federal Sentencing Guidelines for Organizational Defendants (“Sentencing Guidelines”)
established by the United States Sentencing Commission.[42] The Sentencing Guidelines
have several objectives, including just punishment for, and adequate deterrence of,
violations of federal statutes by corporations and other companies. In addition, it is
hoped that the existence of the Sentencing Guidelines will provide a greater incentive for
companies to establish compliance programs that will prevent illegal conduct by their
employees.[43] Among other things, the Sentencing Guidelines provide incentives for
corporations to police their own activities for violations of law by setting fines at
extremely high levels, often in excess of the net worth of many companies, and then
providing for mitigation of the penalties if a corporation has an "effective compliance
program" and/or "self-reports" crimes that may be committed by employees.[44] For
example, in the case of violations of environmental laws, the United States Department of
Justice (“DOJ”) considers several factors in determining whether or how to prosecute.[45]
These factors include whether there has been voluntary, timely and complete disclosure
of the matter under investigation; the degree and timeliness of cooperation; the existence
and scope of any regularized, intensive, and comprehensive environmental compliance
program; the pervasiveness of noncompliance; whether there has been internal
disciplinary action; and the nature and effectiveness of subsequent compliance efforts.
The rewards available under the Sentencing Guidelines for an effective compliance
program can be substantial, since the fines established under the Sentencing Guidelines
are computed by balancing the seriousness of the particular offense against the efforts of
the company to prevent the violation and remedy the problem once it comes to the
attention of the managers or the company. If the company does not have a compliance
program in place at the time a case is settled, the government will require that such a
program be established as a condition of closing the particular matter. When a company
does not have a compliance program, it is likely that the court will place the company on
probation for some period of time. This means that government agencies would have the
right to inspect the books and records of the company, attend management meetings,
conduct internal audits and investigations and manage internal discipline programs. In
extreme cases, important management and financial decisions will need prior approval by
the court. Therefore, implementation of a compliance program can be an important
safeguard against unwanted government intrusion into the affairs of the business.

[42] USSG §§ 8A1.1 et seq.
[43] See Compliance Programs & the Corp Sentencing Guidelines §§ 2:1, 4:1.
[44] See Compliance Programs & the Corp Sentencing Guidelines §§ 3:26, 4:1 et seq.
[45] See Compliance Programs & Corp Sentencing Guidelines App. 2.

The elements of an effective legal compliance program under the Sentencing Guidelines
include the following:
(1) The company should develop legal compliance standards and specific compliance
procedures that can be followed by employees and other agents as they go through their
day-to-day activities on behalf of the company.[46] In order for the legal compliance
program to be adequate, it must ensure that line managers, including the executive and
operating officers at all levels, direct their attention to legal compliance matters as a
regular part of their oversight of the operations of the company and that legal compliance
is fully integrated into other day-to-day operating practices and procedures.[47]
(2) A specific official at a high level within the company should be assigned primary
oversight responsibility for ensuring that legal compliance procedures and standards are
adhered to within the company.[48] “High-level personnel” means an individual who has
substantial control over the company or who has a substantial role in the making of
policy within the company. The term includes a director, executive officer, individual in
charge of a major business or functional unit of the company, such as sales,
administration, or finance, and an individual with a substantial ownership interest.[49] In
addition, specific individual(s) within the company must be delegated day-to-day
operational responsibility for the program.
(3) Managers must act responsibly when delegating authority within the company.
This means that managers must not delegate substantial discretionary authority to
individuals whom the managers know, or should have known through the exercise of due
diligence, to have a propensity for illegal activities.[50] In the hiring and promotion of such
individuals, the company must consider the relatedness of the individual's illegal
activities or other misconduct (i.e., conduct inconsistent with an effective ethics and
compliance program) to the specific responsibilities anticipated to be assigned as well as
other factors, including the recency of the misconduct and whether the individual
engaged in other illegal activities or misconduct.[51]
(4) Compliance standards will only be effective if they are adequately and clearly
communicated to all employees in the company.[52] Therefore, it is important for the
compliance team to develop communication tools that include training sessions;
meetings; written materials; and posted notices.
(5) It is not enough for a company to simply promulgate and communicate
compliance standards. The company must also take reasonable steps to detect illegal
activities by employees.[53] This includes reporting and auditing systems which are
reasonably designed to detect criminal activity by employees and other agents of the
company.[54] The company should also periodically evaluate the effectiveness of the
program and have and publicize a system whereby employees and agents can report or
seek guidance regarding potential or actual criminal conduct without fear of retaliation.[55]

[46] USSG § 8B2.1(b)(1).
[47] See, e.g., Proposed Environmental Guidelines §§ 9D1.1(a)(1), 9D1.1(a)(2).
[48] USSG § 8B2.1(b)(2)(B).
[49] See USSG § 8B2.1(b)(2)(B) (Application Note 1).
[50] USSG § 8B2.1(b)(3).
[51] USSG § 8B2.1(b)(3) (Application Note 4(B)).
[52] USSG § 8B2.1(b)(4).
[53] See USSG § 8B2.1(b)(5).
(6) A legal compliance program will not be effective unless it also includes
procedures for disciplining and penalizing individuals who violate applicable conduct
codes and procedures.[56] It is essential that the company consistently enforce penalties for
even minor violations of the compliance standards or run the risk that employees come to
believe that management is not truly concerned about compliance. Discipline should
extend beyond actual wrongdoers to include persons who fail to perform their monitoring
and reporting duties within the program.
(7) After a violation of law has been uncovered, the company must be prepared to
take reasonable steps to respond to the specific violation and to prevent further similar
violations, including making modifications to the ethics and compliance program where
necessary.[57] Once changes have been made, follow-up reviews should be conducted on a
regular basis to make sure that the changes remain in effect and are having the desired
preventive effect.
(8) Companies must periodically assess the risk of criminal conduct and take
appropriate steps to modify the above requirements as necessary.[58]
In 2003, the Report of the Ad Hoc Advisory Group on the Organizational Sentencing
Guidelines[59] was issued and final amendments were submitted to Congress in May
2004.[60]
In light of then-recent business scandals and the adoption by various federal
agencies of their own compliance program standards, the Report proposed that the
Sentencing Guidelines be changed to “give greater guidance regarding the factors that are
likely to result in truly effective programs.”[61] More specifically, the Report identified
“emerging standards” reflecting “three major departures from the organizational
sentencing guidelines compliance paradigm in that they extended conduct codes and
compliance efforts beyond mere legal compliance to the development of an
organizational culture that encourages more effective compliance with the law, including
ethics-based standards, recognize responsibilities and accountability of company
leadership for compliance efforts, and require companies to conduct risk assessments of
probable types and sources of misconduct and to target compliance efforts on them.”[62]

[54] See, e.g., Defense Contractor Internal Controls, 48 C.F.R. § 203.7000 (1988); Defense Industry
Initiatives on Business Ethics and Conduct in President's Blue Ribbon Commission on Defense
Management, Final Report Appendix 249, 252 (1986) (describing corporate obligations to monitor internal
compliance with federal procurement laws).
[55] See USSG § 8B2.1(b)(5)(B), (C).
[56] USSG § 8B2.1(b)(6).
[57] USSG § 8B2.1(b)(7). The relevant application notes emphasize that there are two aspects to the
aforementioned advice. First, the company should respond appropriately to the criminal conduct including
taking reasonable steps, as warranted under the circumstances, to remedy the harm resulting from the
criminal conduct such as, where appropriate, providing restitution and other forms of remediation to
identifiable victims, self-reporting and cooperating with authorities. Second, the company should assess its
compliance and ethics program and make such changes as are necessary to ensure the program is effective.
Use of an outside professional advisor to ensure adequate assessment and implementation of changes is
encouraged.
[58] See USSG § 8B2.1(c).
[59] Report of the Ad Hoc Advisory Group on the Organizational Sentencing Guidelines (Oct. 7, 2003),
available at http://www.ussc.gov/corp/advgrprpt/advgrprpt.htm.
[60] Notice, U.S. Sentencing Commission, 69 Fed. Reg. 28994-01 (May 19, 2004).
[61] Report of the Ad Hoc Advisory Group on the Organizational Sentencing Guidelines p. 48 (Oct. 7, 2003).
Role of Directors in Developing and Overseeing Compliance Programs
When companies run afoul of laws and regulations the publicity can be intense and the adverse reputational
and financial consequences to the company are generally quite significant. The post-mortem brings the
board of directors to “center stage” and judges, regulators, investors and pundits in the financial press will
all be asking whether the directors were paying attention, asking the right questions, adopting and enforcing
appropriate policies and procedures, and making it clear that “compliance matters” when setting goals and
allocating rewards. Simply put, while directors are not expected to fend off every act of misconduct by
executives, employees and agents of their companies, they are responsible for effectively discharging their
own duties and responsibilities relating to compliance and ethics programs.
The core elements of directors’ compliance-related duties and responsibilities come from several sources:
• The Federal Sentencing Guidelines for Organizations require that the governing authority of the
organization (e.g., the board of directors of a corporation) be knowledgeable about the content and
operation of the compliance and ethics program; exercise reasonable oversight with respect to the
implementation and effectiveness of the program; exercise due diligence to prevent and detect criminal
conduct, and promote an organizational culture which encourages compliance with the law.
• Courts have recognized that directors have a fiduciary obligation to make a good faith effort to assure
that an adequate compliance program exists and to take affirmative steps to ensure that appropriate
information regarding compliance with applicable laws reaches the board in a regular and timely
manner.
• The listing requirements of the major securities exchanges include compliance-related elements such
as mandating implementation of reporting procedures, adoption of codes of conduct and business
ethics and independence of board and audit committee members.
• Regulators focusing on a range of industries have articulated their preferences regarding the role of the
board of directors in compliance activities by conditioning settlement agreements on undertakings by
the company that its board will retain independent individuals or entities with compliance expertise
and regulatory guidelines consistently mention that directors must be knowledgeable about, and
involved with, the compliance programs of their companies.
While attention to compliance problems is generally most intense for larger publicly-owned companies,
directors of firms of all sizes, including privately-owned companies, should consider “compliance” to be a
significant part of their jobs. All directors owe a fiduciary duty to their corporations and to the
stockholders who are the actual owners of the corporation, and that duty will almost certainly be breached if
directors fail to act with care in developing and implementing compliance and ethics programs and, as a
result, the corporation and/or its agents are found to be culpable of misconduct and/or unlawful activity. In
order to be sure that the board and its members understand their role in developing and overseeing an
effective compliance and ethics program, the following questions should be carefully considered:
• Is each prospective member of the board advised prior to appointment that he or she will be expected
to achieve and maintain an adequate level of knowledge and skills relating to their duties with respect
to overseeing the company’s compliance and ethics program and is prior compliance experience a
factor in vetting new board members?
• Has each new member of the board completed an orientation program that includes information on the
sources of a director’s duties and obligations with respect to oversight of the company’s compliance
and ethics program and illustrative case studies of how courts and regulators have interpreted and
enforced such duties and obligations?
62 Id. at 38.
• Are the members of the board sufficiently knowledgeable about the operations and structure of the
company to understand internal reporting procedures and lines of authority and identify the activities
that present the highest level of compliance risk?
• Are the members of the board sufficiently knowledgeable about the legal environment for the
company’s specific business activities so that they can readily understand the statutes and regulatory
guidelines that are most relevant to decisions about how to design the compliance and ethics program?
• Has the board ensured the compliance and ethics program is appropriate for the specific activities of
the company by undertaking a detailed risk assessment that identifies and ranks risk areas and issues
that have raised compliance problems in the past and must be specifically addressed in the program?
• Has the board conducted a “cost-benefit” analysis regarding the scope of the company’s compliance
and ethics program to ensure that the company’s limited resources for compliance infrastructure have
been efficiently allocated to the areas that present the most significant potential risks and liabilities for
the company?
• Has the board fulfilled its overriding obligation to be knowledgeable about the content and operation
of the company’s compliance and ethics program by overseeing the development of the program and
formally reviewing and approving the overall program and specific policies and procedures within the
program (e.g., code of conduct, policies regarding conflicts of interest, “hot line” or other policies for
reporting misconduct and policies that address the company’s highest risk areas such as employment
laws, antitrust laws and/or products liability laws) before implementation?
• Has the board formally approved the creation of an independent team with compliance expertise within
the company’s organizational structure that includes (1) a chief compliance officer (“CCO”) who
reports directly to the board (or audit or compliance committee of the board), (2) a compliance
department overseen by the CCO, (3) a corporate compliance committee (“CCC”) with members from
all the company’s functional departments charged with implementing compliance policies and
procedures, and (4) an internal controls/security department charged with implementing internal
controls and detecting and reporting actual misconduct and suspicious activities?
• Has the board formally given the CCO and the compliance department the authority to audit the
activities of the company’s legal department and provide direct guidance and assistance to members of
the board regarding fulfillment of their oversight responsibilities relating to compliance activities?
• Has the board formally reviewed and approved the charter of the CCC to ensure that it addresses key
activities such as the development and implementation of codes of conduct and other compliance
policies and procedures, development and administration of compliance and ethics training programs,
risk assessments, annual audits of compliance and internal controls programs and remedial actions and
employee discipline in the case of compliance issues or other misconduct?
• Does the board (or the audit or compliance committee of the board) receive regular reports from the
CCO regarding the involvement of managerial leaders from other departments (e.g., human resources,
legal, finance, business development etc.) in the activities of the CCC and the actions they have taken
to implement relevant aspects of the compliance and ethics program within their departments?
• Has the board required that the CCO develop objective performance metrics for the compliance and
ethics program that have been formally approved by the board and set aside time at each meeting of the
board (or audit or compliance committee of the board) to receive reports on the operations of the
compliance department and progress toward satisfying the program’s goals and objectives and ask
compliance-related questions of the CCO and members of the senior management team?
• Has the board allocated sufficient human, financial and technological resources to the compliance and
ethics program (including funding for the CCC and retention of outside advisors (e.g., lawyers,
accountants and consultants)) and invested the board’s own time in continuously considering
compliance-related issues?
• Has the board provided for the “express authority” and “direct reporting obligation” for those persons
with day-to-day responsibility for compliance activities (e.g., the CCO) to have direct access to
members of the board and/or the committee of the board to which compliance matters have been
delegated (i.e., audit or compliance committee) without having to report to the CEO, other members of
the senior management team or the legal department?
• Has the board acted in a manner that sets the appropriate “tone at the top” with respect to promotion of
an organizational culture of ethical conduct throughout the company and encouraging compliance
through the use of appropriate incentives and disciplinary measures and proactive involvement in the
development and approval of the compliance and ethics program in the manner described above?
• Has the board properly aligned the incentives for members of the management team and employees by
ensuring that the company’s performance evaluation and incentive compensation processes take into
account not only traditional financial metrics but also compliance and ethics-related objectives such as
product/services quality, safety and customer satisfaction?
• Have all of the members of the board, as well as officers and employees of the company, completed
adequate training to ensure that they are aware of the content and purposes of the company’s
compliance and ethics program and how issues are identified and remediated?
• Has the board provided for continuous training of board members and senior management on the
impact of changes in the legal and regulatory environment of the company that will impact the
company’s compliance requirements?
• Have all of the members of the board been provided with suggestions on how they can educate
themselves about how to carry out their compliance oversight activities such as by accessing
information, guidelines and educational programs available through government websites (e.g., Office
of Inspector General)?
• Does the board oversee regular reviews of the compliance and ethics program, no less than annually, to
determine if changes are necessary in light of objective metrics of the efficacy of the procedures
included in the program and changes in applicable laws and regulatory enforcement initiatives?
• Does the board oversee regular reviews of the company’s internal controls and risk management
policies and procedures, no less than annually?
• Does the board ensure that reports or findings of compliance problems or other acts of misconduct are
promptly reviewed and that responses are made in a timely fashion?
____________________
About the Author
This Work was written by Alan S. Gutterman, whose prolific output of practical guidance and tools for
legal and financial professionals, managers, entrepreneurs and investors has made him one of the best-
selling individual authors in the global legal publishing marketplace. His cornerstone work, Business
Transactions Solution, is an online-only product available and featured on Thomson Reuters’ Westlaw, the
world’s largest legal content platform, which includes almost 200 book-length modules covering the entire
lifecycle of a business. Alan has also authored or edited over 100 books on sustainable entrepreneurship,
leadership and management, business law and transactions, international law and business and technology
management for a number of publishers including Thomson Reuters, Practical Law, Kluwer, Aspatore,
Oxford, Quorum, ABA Press, Aspen, Sweet & Maxwell, Euromoney, Business Expert Press, Harvard
Business Publishing, CCH and BNA. Alan has extensive experience as a partner and senior counsel with
internationally recognized law firms counseling small and large business enterprises in the areas of general
corporate and securities matters, venture capital, mergers and acquisitions, international law and
transactions, strategic business alliances, technology transfers and intellectual property, and has also held
senior management positions with several technology-based businesses including service as the chief legal
officer of a leading international distributor of IT products headquartered in Silicon Valley and as the chief
operating officer of an emerging broadband media company. He has been an adjunct faculty member at
several colleges and universities, including Berkeley Law, Golden Gate University, Hastings College of
Law, Santa Clara University and the University of San Francisco, teaching classes on corporate finance,
venture capital, corporate governance, Japanese business law and law and economic development. He has
also launched and oversees projects relating to promoting the civil and human rights of older persons and a
human rights-based approach to entrepreneurship. He received his A.B., M.B.A., and J.D. from the
University of California at Berkeley, a D.B.A. from Golden Gate University, and a Ph.D. from the
University of Cambridge. For more information about Alan and his activities, please contact him directly
at alangutterman@gmail.com, follow him on LinkedIn, subscribe to his newsletters (Older Persons’ Rights
Project and Entrepreneurship | Human Rights) and visit his personal website. Many of Alan’s research
papers and other publications are also available through SSRN and Google Scholar.
Copyright Matters, Permitted Uses, Disclaimers and Suggested Citation
Copyright © 2023 by Alan S. Gutterman. All the rights of a copyright owner in this Work are reserved and
retained by Alan S. Gutterman; however, the copyright owner grants the public the non-exclusive right to
copy, distribute, or display the Work under a Creative Commons Attribution-NonCommercial-ShareAlike
(CC BY-NC-SA) 4.0 License. The author, Alan S. Gutterman, declares that there is no conflict of interest,
and no financial support was received for the research, authorship and/or publication of this Work.
061223