Compliance Officers have long been preoccupied with their potential exposure to legal liability, a worry seemingly justified by recent cases of prosecutions – and convictions – of compliance officers.
Several experts on the subject have addressed the issue in the Experts’ Corner section of the ETHIC Intelligence website: Hans-Hermann Aldenhoff, partner and Country Head at Simmons & Simmons (Germany), Judy Krieg, Partner at Shepherd and Wedderburn (London) and Patrick J. O’Malley, a US-UK lawyer who published a dissertation on “The Parameter of Duties of Boards of Directors Concerning Corporate Corruption”.
I had many discussions on the subject with the ETHIC Intelligence Certification Committee’s lawyers and would like to highlight two of the most important aspects addressed during these, aspects that any compliance officer should keep in mind when considering the issue of his personal criminal liability.
The Compliance Officer shall be independent of operations to avoid conflicts of interest
I have stressed how important it is for compliance officers to be thoroughly aware of business operations and revenue acquisition, as well as to enjoy the confidence of sales executives and managing directors. While emphasizing this necessity, I maintained that, at the same time, compliance officers must remain independent from operations.
If compliance is not a full-time job, for the sake of the Compliance Officer’s independence, his “second job” cannot be operational. The second job could however be related to support functions: legal, administrative, financial, human resources… Maintaining the Compliance Officer’s independence also means that, at the subsidiary level, the Compliance Officer can’t be the managing director, even if the local managing director has a responsibility to ensure that compliance is truly embedded in business processes.
If compliance is a full-time job, then the Compliance Officer’s independence will be guaranteed by the reporting hierarchy. The Compliance Officer should not report to anyone in business management, but rather to the General Counsel, the Legal Director, or to the Head of Administrative Affairs. A strong sign of the Compliance Officer’s independence would be direct access to the CEO and to the audit committee, if any.
It should be clear that the Compliance Officer’s mission of ensuring that business is compliant with laws and regulations will not be obscured by any form of conflict of interest with business operations.
The Compliance Officer shall demonstrate that compliance is not window dressing
The very first and most important duty of a compliance officer is to carry out – regularly – an in-depth corruption risk assessment, which should be brought to the attention of Top Management.
This risk assessment is imperative, not only because it is required by many regulations and is essential to the tailoring of a risk-based compliance policy, but also because it will help determine the resources needed to mitigate corruption risks appropriately and to structure the compliance system.
Like any budget allocated to a support function, the budget for compliance is always under pressure. It should, however, be adequate to the needs ascertained through the risk assessment exercise presented to Top Management. If, following the risk assessment’s presentation to the board, the resources allocated to a compliance program are insufficient, it will be Top Management’s responsibility and not that of the Compliance Officer.
I have often heard that a compliance officer should resign if he considers that he hasn’t been provided with the appropriate resources necessary to complete his mission. I know of a few Chief Compliance Officers who did resign on these grounds, but it should be acknowledged that it is easier said than done. This is why I believe that one of the Compliance Officer’s duties is to ensure that Top Management carefully examine the corruption risk assessment he has executed (either alone or with external guidance).
Before accepting this responsibility, I encourage future compliance officers to make sure that the presentation of the corruption risk assessment to Top Management is part of the job description.
Compliance Officers will not be prosecuted for mistakes or accidents
To conclude, I would like to recall the statement Assistant Attorney General Leslie R. Caldwell made in New York on November 2, 2015, when addressing the SIFMA Compliance and Legal Society: “The vast majority of compliance violations do not result in criminal prosecution. Rather, the Criminal Division pursues charges when the offending conduct is intentional and particularly egregious or pervasive. We’re not interested in prosecuting mistakes or accidents, or bad business judgments. And we are not looking to prosecute compliance professionals. To the contrary, we view you as the good guys and as our allies.”
If the Compliance Officer is independent of business operations, he cannot be charged for an “… offending conduct (which) is intentional…”. If the Compliance Officer demonstrates that his program is more than just a window dressing exercise, he will not be the accomplice of an “… offending conduct (which) is …particularly egregious or pervasive”.
Like accidents in the workplace, corruption is a risk that can’t be avoided 100% in any company’s operations. But, if it occurs, it should be clear that it was an accident.
The settlements within the FCPA pilot program demonstrate clearly that the DoJ is not interested in prosecuting “accidents”, but rather in encouraging companies to genuinely prevent and detect corruption. It also means that the act of purposely creating a complex bribery scheme will be sanctioned more and more severely.
Given my experience and contacts with prosecutors from a wide variety of countries, I believe this approach, as described by the US Assistant Attorney General, is becoming more common amongst enforcement authorities.