As compliance officers enter 2023, they need to learn how to handle a double-edged sword: the Justice Department’s new requirement that as part of corporate misconduct resolutions, CCOs must certify the effectiveness of their compliance programs.
If you wield that sword correctly, certification requirements could be quite useful. They will force compliance officers and CEOs to think seriously about what an effective compliance program for their corporation should be able to do; and then to marshal the necessary resources to bring that plan about.
Mishandle the sword, however, and you might end up skewered. What happens if you and the CEO disagree about the state of your compliance program? What data will you need to collect (from across the enterprise and your third parties) to satisfy the expectations of the Justice Department? Could CCOs face personal liability if their certifications don’t hold up?
That’s the challenge now facing compliance officers. You’ll need deft moves and skill to prevail.
The logic behind CCO certifications
First, we should step back and remember precisely what the Justice Department has done, and why.
The requirement is that chief compliance officers and their CEOs will both need to certify at the end of a deferred- or non-prosecution agreement that the company’s program “is reasonably designed and implemented to detect and prevent violations of the law … and is functioning effectively.” So said assistant attorney general Kenneth Polite when he announced the requirement last May.
The intentions behind program certification are laudable, at least. Forcing the chief executive and the CCO to certify the effectiveness of the compliance program assigns accountability to those executives. It drives the importance of a culture of compliance up the company’s priority list, ideally to the top.
Compliance program certification also helps the Justice Department’s broader effort to crack down on recidivist corporate misconduct and nurture a greater appreciation of corporate compliance. Those CEOs who might need to certify their program also tend to sit on the boards of other companies; that helps to spread the message in corporate boardrooms that strong compliance programs matter. Moreover, when the CEO and CCO have to sign their names to a certification under penalty of perjury, that does tend to focus the mind. Compliance officers and chief executives alike will want to convey the importance of effective compliance throughout the whole enterprise, and build the systems, policies, and controls necessary to meet that standard.
So, one can see why, from the Justice Department’s perspective, compliance program certification is a compelling idea.
From the compliance officer’s perspective, of course, things look quite different.
Facing new problems and perils
The primary question for compliance officers is obvious: What happens if you certify that your program is “reasonably designed and functioning effectively,” and the company subsequently suffers a compliance failure anyway?
Right now, we don’t know. The Justice Department only began imposing certification requirements in 2022. It might be years before an erroneous certification comes to light – and when it does, the Justice Department will evaluate that case based on the specific facts at hand. Compliance officers won’t have that luxury. You’ll need to certify your program without knowing what future scenarios might prove you wrong.
Meanwhile, compliance officers will face other, more practical headaches along the way. If you and the CEO disagree over the health of the compliance program, who settles that dispute? If you join a company in the middle of a DPA or NPA, can you review – or even redesign – the pre-existing compliance program, if you believe it isn’t up to standard? Can you ask for directors and officers’ insurance to protect you from possible legal costs? What if the company declines? When do you quit, rather than oversee a compliance program you believe to be substandard?
It will be years before compliance officers have answers to all those questions, but even now, at the start of 2023, we can start to answer some of them.
Get better data, run better programs
The immediate answer is that compliance officers need to work on building an effective compliance program in the first place, and then documenting why your program is indeed effective. That’s what the Justice Department will want to see if your company ever faces a government investigation: evidence that the program was designed thoughtfully and works as intended.
In that case, several specific capabilities become even more important:
- Risk assessments. You’ll need to be able to identify new regulatory requirements and changes to your own company’s operations, and do so swiftly. You’ll also need the ability to test compliance controls.
- Key performance indicators for the compliance program. You’ll need relevant KPIs, and an ability to track changes in those KPIs over time.
- Data analytics. This isn’t simply about collecting data (from multiple parties, in multiple formats). You’ll also need some way to turn that data into meaningful insights – about program weaknesses, problematic transactions, risk exposure, and the like.
- Third-party due diligence and monitoring. Third-party risk became an even more pressing issue in 2022, after Russia invaded Ukraine and the West responded with sweeping, fast-moving sanctions against Russian persons. More broadly, as third parties play ever larger roles for corporate organizations, your ability to manage their compliance risks will become even more crucial.
- Internal accounting controls. Weak accounting controls are a perennial source of FCPA risk. Companies need to assess whether documentation and approval controls for high-risk payments are sufficiently strong, and for each transaction they need to confirm that employees follow the rules.
Aside from those program-specific needs, there’s a larger issue here. Compliance officers will also need to forge stronger relationships with the CEO and the board. After all, the CEO’s signature will be next to yours on the certification forms, and the board is the ultimate source of authority for the organization. In a roundabout way, certification requirements could help to propel your compliance program up the maturity curve, since CCOs should (ideally) have more influence with senior management. You can then reorient corporate priorities toward that stronger culture of compliance.
The good news is that most CEOs and boards already value a strong culture of compliance, at least in theory; and most other senior executives do too. In 2023 and beyond, chief compliance officers will need to leverage that abstract enthusiasm into demonstrable, vocal, tangible support for the compliance program.
Then, with luck, we won’t need to worry about what happens to a CCO who signs a certification form that later proves invalid, because you’ll have that reasonably designed and effective compliance program in place.
We won’t see a lot of chief compliance officers certifying the effectiveness of their compliance programs in 2023, but only because the Justice Department settles only a relative handful of cases in any given year. Compliance officers will, however, need to have more frank conversations with their boards and senior management teams about investing in their compliance programs – because CCOs’ unease about personal liability for program failures won’t be going away. Compliance officers will need to think long and hard about how to assess risk and measure the effectiveness of their programs; and what their red lines will be for when they leave a job rather than participate in burying a compliance failure.