New Certification Requirements on the Horizon for CCOs: Certifying the Efficacy of Compliance Programs at the Conclusion of Criminal Settlements


On Tuesday, March 22, 2022, Assistant Attorney General Kenneth Polite of the Department of Justice (DOJ) told an audience of compliance professionals that DOJ will direct prosecutors to "consider requiring" chief compliance officers (CCOs) and CEOs to certify at the end of a settlement term that "the company's compliance program is reasonably designed and implemented to detect and prevent violations of the law and is functioning effectively." This announcement, made at the ACAMS AML and Financial Crime Conference, is the latest in a years-long trend of increasing expectations of compliance officers and their departments and will be a significant area of focus in corporate resolutions in years to come.

CCOs have myriad responsibilities within their organizations for compliance with state, federal, and international laws that impact their companies' operations. While in recent years corporations have elevated and recognized the importance of CCOs and the compliance function, the DOJ's requirement for a CCO to certify the efficacy of a compliance program at the end of a DOJ settlement period raises numerous concerns for both the CCO and the corporation.

First, the new directive applies a standard whose contours could be subject to reasonable debate – CCOs are directed to certify that the corporation's compliance policies are "reasonably designed and implemented." Presumably CCOs and corporations can look to the DOJ Manual, Section 9-28.000 on the principles of prosecution of business organizations, and DOJ's Evaluation of Corporate Compliance Programs (ECCP) for guidance on what would constitute a policy that is "reasonably designed and implemented." However, what is deemed "reasonable" will be very fact-specific to each institution, and what may appear "reasonable" to the institution and its CCO may not necessarily be seen as "reasonable" by DOJ and regulators. We have previously written on the ECCP and its update in 2020. Furthermore, the certification will be required only in settlements in which guilty pleas or deferred prosecution or non-prosecution agreements (DPAs and NPAs) have been entered, conclusions the DOJ generally reaches only in situations where the wrongdoing was pervasive or systemic or involved senior-level management, or in cases of recidivists. It is the rare case in which the DOJ requires a DPA, NPA, or guilty plea where the corporate compliance program was already "functioning effectively."

Second, the 2021 Monaco Memo directs DOJ attorneys to consider a company's "entire criminal history" when entering into future corporate settlements, not just the specific type of wrongdoing at the heart of the enforcement action. This of course creates an added layer of complexity for CCOs tasked with making the certification. CCOs should be mindful of the compliance function as it relates to all business units or geographic regions, especially those businesses that are subject to the DOJ settlement, as well as those that may have had prior entanglements with regulators, regardless of whether such prior cases involved conduct similar to the allegations that are the subject of the DOJ settlement at hand.

Another question to be answered will be what repercussions CCOs who sign such a certification face if the company then commits a subsequent violation. While the DOJ has previously said that "reasonably designed and implemented" does not require a perfect record, defending a corporate compliance program after a violation has occurred is an uphill battle. Doing so as a recidivist is even harder. Polite recently said at the ABA Institute on White Collar Crime that when misconduct does occur, he expects a compliance program that "immediately detects, remediates, disciplines, and then adapts to ensure that others do not follow suit." A CCO signing a certification will need to carefully consider future liability imposed in making such a certification – not only for the company, but personally.

We have previously discussed the focus on CCOs in SEC, FinCEN and FINRA enforcement actions where the government believes the compliance function was complicit or even merely negligent in connection with wrongdoing. CCOs have been charged with violations of the Investment Advisers Act for failure to ensure that their firms had compliance policies and procedures in place to assess and monitor the outside activities of employees and disclose conflicts of interest. It remains to be seen whether the DOJ or SEC will utilize a CCO's settlement certification against the CCO if subsequent violations occur, but such a certification is almost certain to have significant ramifications for them personally, professionally, and potentially legally.

CCOs will not be alone in facing potential repercussions when the organization commits subsequent civil or criminal violations – the company and its management are also likely to come under additional scrutiny from the government and by private litigants. Polite's speech also included potentially requiring CEOs to sign the certification, adding personal risk to the chief executive, as well as to management as a whole. Furthermore, shareholder suits based upon material misrepresentations made regarding the efficacy of a company's compliance program are another potential risk of this certification requirement, especially if subsequent DOJ enforcement actions find that the company's compliance program was in fact not sufficient.

Companies should proactively review their compliance programs and the roles of their CCOs to ensure they are adequately able to defend them if a criminal violation is detected. Venable has a deep bench of attorneys experienced in responding to DOJ inquiries, entering into settlements with the government, and advising CCOs, CEOs, and boards of directors on compliance program implementation.