DOJ announces compliance certifications to be considered as part of corporate criminal resolutions
In a pair of speeches last week, the Assistant Attorney General of DOJ’s Criminal Division emphasized its focus on compliance and announced that he has instructed his prosecutors to consider requiring chief executive officers and chief compliance officers to certify to (1) the accuracy of annual reports submitted pursuant to corporate resolutions, and (2) the effectiveness of their company’s compliance program prior to releasing the company from its obligations under a resolution agreement.
Assistant Attorney General (AAG) Kenneth Polite – who oversees many of the Department of Justice’s (DOJ) most significant corporate criminal cases relating to the Foreign Corrupt Practices Act (FCPA), financial fraud, anti-money laundering (AML), the Bank Secrecy Act, computer crimes, and health care fraud violations – gave the speeches at the ACAMS AML and Financial Crime Conference in Hollywood, Florida, on March 22 and the NYU Program for Corporate Compliance and Enforcement Conference on Assessing Effective Compliance on March 24.
In particular, he has asked his prosecutors to consider requiring the chief executive officer (CEO) and chief compliance officer (CCO) of the relevant corporate entity to certify that their compliance program is reasonably designed and implemented as part of the close-out of a company’s resolution agreement with DOJ. In addition, where the company is required to self-report on its compliance program during the term of the agreement (as opposed to where an independent compliance monitor is imposed), the CEO and CCO may also be required to certify that the annual reports submitted by the company during the term are true, accurate, and complete.
That such certifications may be mandated highlights DOJ’s recent emphasis on compliance. Indeed, AAG Polite stated that it was his view that requiring these certifications would help to empower CCOs and ensure that they get the support and resources they need to fully remediate and enhance their companies’ compliance programs in the wake of discovering misconduct. Still, it remains unclear whether the AAG’s announcement signals a sweeping policy change to be implemented across all resolution agreements, or if his instruction to “consider” requiring such certifications is intended to be done on a case-by-case basis.
To be sure, under standard agreements with the Criminal Division, CEOs and CFOs are currently required to certify that the company has met its disclosure obligations at the conclusion of the agreement’s term. However, the new requirements proposed by AAG Polite would necessarily inject a heightened level of scrutiny into the certification process and would undoubtedly result in more robust discussions between companies and DOJ to ensure that CEOs and CCOs are not making certifications that DOJ would view as false. Moreover, depending on the language that DOJ ultimately rolls out as part of the certification process, and the type of diligence CEOs and CCOs might be required to undertake in order to meet their compliance obligations, these corporate officers may have an increased risk of personal liability. Accordingly, CEOs and CCOs who submit such certifications would be well served by ensuring that there is sufficient supporting documentation before doing so.
In addition to the announcement on compliance certifications, AAG Polite also provided guidance concerning what is expected of companies presenting to DOJ on their compliance program, as well as DOJ’s commitment to adding compliance resources to its own ranks.
Potentially new certification requirement
In his speech, AAG Polite stated that he has asked his prosecutors “to consider requiring both the chief executive officer and the chief compliance officer to certify at the end of the term of an agreement that the company’s compliance program is reasonably designed and implemented to detect and prevent violations of the law and is functioning effectively.”
In addition, AAG Polite said that in certain resolutions where companies are required to provide annual self-reports to DOJ on the state of their compliance programs (as opposed to monitorships, where the monitor is the one submitting annual reports about the company’s compliance program), DOJ “will consider requiring the CEO and the CCO to certify that all compliance reports submitted during the term of the resolution are true, that they are accurate, that they are complete.”
AAG Polite drew upon his experience as a CCO, stating that he knows the challenges that compliance officers face with resources, relationships, accessing data, and siloing of the compliance function. This is a theme that AAG Polite has emphasized throughout his tenure, and of note, he is the first former CCO to serve as a senior official in the Department.
According to AAG Polite, the purpose of these new conditions is to “empower” CCOs and compliance programs and to ensure “that chief compliance officers receive all relevant compliance-related info and can voice any concerns they may have prior to certification.” He also noted his hope that such additional requirements would result in “our chief compliance officers hav[ing] true independence, true authority and true stature within [their] companies.”
Although AAG Polite’s announcement proposes consideration of a new type of certification by corporate officers at the end of the term of a resolution agreement, DOJ’s Criminal Division already requires the CEO and CFO to certify that the company has satisfied its obligation to disclose allegations and evidence of new misconduct. That certification includes an attestation that the CEO and CFO are duly authorized by the company to sign the certification, and that the certification constitutes “a material statement and representation by the undersigned and by, on behalf of, and for the benefit of, the Company to the executive branch of the United States for purposes of 18 U.S.C. § 1001.” In other words, the certification exposes the corporate officers and the company to a false statements prosecution if it turns out that the company did not disclose certain allegations or evidence of misconduct. The newly proposed certifications have the potential of requiring far more work and scrutiny by CEOs and CCOs, specifically as it relates to the state of their compliance programs.
Additional compliance focus
In addition to discussing the newly proposed compliance certifications, which was by far the most ground-breaking aspect of his speeches, the AAG also provided insight into what DOJ expects of companies when they present on their compliance programs and highlighted that DOJ’s Fraud Section will be adding new compliance expertise and resources.
Although DOJ’s Evaluation of Corporate Compliance Programs provides a sampling of questions that DOJ asks companies to evaluate compliance program effectiveness, AAG Polite provided additional examples, particularly revolving around culture. For example, “[d]o employees feel empowered to bring issues and questions to the management’s attention? Are managers and compliance officers providing ethical advice to salespeople even though such advice may mean loss of business?”
He also emphasized the importance of coming armed with compliance “success stories,” including the discipline of poor behavior, the rewarding of positive behavior, the transactions that were rejected due to compliance risk, positive trends in whistleblower reporting, and the partnerships that have developed between compliance officers and the business. Beating a similar drum, the AAG noted the benefit of using data analytics tools to monitor compliance with laws and policies within company operations to ferret out wrongdoing when it occurs.
AAG Polite also addressed expectations around who should be providing compliance presentations to DOJ, and stressed that DOJ would “like to see the Chief Compliance Officer leading compliance presentation[s] and demonstrating knowledge and ownership of the compliance program” instead of a “check-the-box presentation from outside counsel.” In fact, he noted that “[o]ther senior management should also participate, taking ownership of their role in the compliance program and demonstrating commitment to compliance.”
To aid with this heightened focus on compliance, the AAG announced that DOJ has “prioritized . . . dedicating resources to strengthen [its] abilities to assess the effectiveness of compliance programs” beyond those already embedded in the DOJ Fraud Section’s Corporate Enforcement, Compliance, and Policy Unit.
Finally, the AAG reiterated a common theme hit by other DOJ officials over the past few months – that DOJ will hold to account companies that breach existing resolution agreements, but that compliance can mitigate bad outcomes. According to AAG Polite, “companies that make a serious investment in improving their compliance programs and internal controls will be viewed in a better light by the Department. Support your compliance team now or pay later.”
Emphasizing compliance: These speeches are consistent with recent messaging by DOJ about the importance of compliance. In recent speeches by the Deputy Attorney General and other DOJ officials, there has been consistent messaging concerning their intent to pursue harsher treatment of corporate wrongdoers, but also a standard refrain about the importance of compliance as a mitigating factor. Sending a similar message, DOJ’s Fraud Section, which handles all FCPA matters among other significant financial fraud and healthcare fraud cases, continues to hire additional compliance attorneys who are devoted to evaluating companies’ compliance programs, a point that AAG Polite reiterated last week. These messages underscore the importance of companies continuing to enhance their compliance programs prior to, and during, any government investigation in order for companies to achieve the best outcome possible with DOJ (as well as the SEC).
Open questions: There remain a number of open questions related to AAG Polite’s remarks. Given that he stated he was directing his prosecutors to “consider” requiring this new certification, under what circumstances and in what types of cases will such certifications be required? Will individual prosecutors be given the discretion to decide, or will there be leadership team directives concerning when to apply such requirements? Will mandated certifications contain a similar “penalty of perjury” clause that would subject CEOs and CCOs to personal liability if DOJ disagrees with their conclusion that the program is “reasonably designed and implemented to detect and prevent violations of the law and is functioning effectively”? What type of diligence would be required of CEOs and CCOs to meet their certification obligations, and what type of guidance would DOJ provide to companies and corporate officers about its view concerning the state of the compliance program? The answers to these questions will be critical in assessing the feasibility of such certifications and whether CEOs and CCOs will be willing to sign them.
An ambiguous concept likely to lead to a robust discussion with DOJ: Unlike the current disclosure certification (which requires the CEO and CFO to certify that the company has disclosed misconduct raised to its attention), the concept of a “reasonably designed and implemented” compliance program that is “functioning effectively” is not at all clear. Indeed, given the wide range of compliance failings that could exist in a company’s compliance program, the specific contours of this concept would be largely subjective absent further clarification from DOJ. To avoid being stuck in a “gotcha” moment where CEOs and CCOs risk being prosecuted for false certifications, detailed and clear communications between DOJ and company counsel concerning the nature and extent of the compliance requirements will be necessary prior to a resolution. Moreover, there is a concern that such new requirements would put senior corporate officials in the very difficult position of certifying to something that, in most cases, they do not have direct knowledge of. DOJ could help to address this concern by having a robust discussion with the company at the end of the resolution agreement term, wherein the company provides a detailed download of its compliance program and DOJ, in turn, provides feedback in real time concerning whether they are skeptical of the ability of the CEO and CCO to sign the certification under the circumstances. If the purpose of the certification is, as AAG Polite stated, to ensure that compliance programs are properly resourced and enhanced, this is exactly the type of discussion that DOJ should welcome.