“Compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.”
When evaluating the success and effectiveness of their compliance programs, companies tend to focus on their policies and procedures, their whistleblower hotline statistics, and the number of compliance-related trainings offered to employees in a year. While all of these features help form the basis of an effective compliance program, often overlooked in this evaluation is the role of the board of directors in ensuring that these and other components of the compliance program work effectively and are periodically enhanced to mitigate risk. This is not a voluntary role that boards can ignore or delegate to legal and compliance personnel. Indeed, to satisfy their duty of loyalty as fiduciaries, board members must “make a good faith effort to implement an oversight system and then monitor it.” A board’s failure to adequately exercise this oversight function may expose a company to regulatory scrutiny and severe financial penalties when problems emerge and can also create personal liability for directors.
In a 2019 KPMG survey of 220 chief ethics and compliance officers (CECOs) from various industries, only 39% responded that they “strongly agree” that their board’s engagement in ethics and compliance oversight and supervision was strong. While the extent of a board’s engagement in its company’s compliance function can be affected by a number of factors (e.g., the size of the company and the nature of its business operations), these findings represent a need and an opportunity for CECOs to develop a more proactive approach to engaging their boards in compliance matters.
In a more recent survey from a report published by the Compliance & Ethics Forum for Life Insurers (CEFLI), nearly 50% of all respondents indicated that the chief compliance officers at their companies have a dotted reporting line (i.e., a nondirect reporting line/relationship) to the company’s board or to a board committee. The survey further found that 35% of all companies polled indicated that their CECOs have no dotted reporting line to their boards. Although this survey was limited to input received from 35 CEFLI member and nonmember life insurance companies, it too reveals (at least in the insurance industry) minimal direct engagement between corporate compliance functions and corporate boards.
Fortunately, CECOs (and other corporate officers) now have access to more practical guidance addressing board engagement with compliance than in prior years. For example, the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) have issued board-specific guidance that companies can leverage to enhance their compliance programs and thereby mitigate the risk of wrongdoing. This chapter examines the current and primary legal standards (including applicable case law and regulatory guidance) that inform the board’s compliance oversight obligations. It also offers some practical tips for boards to consider when exercising their compliance oversight duties. A common theme that emerges from this practical guidance is that, to be effective in their oversight duties, boards must be proactive, remain engaged in and knowledgeable about their company’s compliance and ethics program, and be responsive to compliance-related issues that are escalated for their review.
The Legal Framework for Board Oversight Duties
Delaware Case Law Decisions
In Re Caremark and Stone v. Ritter
To understand the origin of a board’s fiduciary duty to oversee corporate compliance activities, it is important to briefly review the seminal case of In Re Caremark Int’l Derivative Litigation and its progeny. In Caremark, the Delaware Court of Chancery found that a director must make a “good faith effort to be informed,” and to ensure that a “corporate information and reporting system” exists. Failure to exercise this good faith effort could render a director personally liable for losses caused by noncompliance with applicable laws. However, the Caremark court did not elaborate on what constitutes “good faith” in this context.
Ten years later, in Stone v. Ritter, the Delaware Supreme Court expanded upon Caremark by addressing the extent of a board’s duty to ensure the existence of a monitoring and reporting system specifically and its oversight of corporate compliance more generally. In Stone, shareholders of a financial institution brought a derivative action against present and former directors for their alleged failure to ensure the bank had a reasonable compliance and reporting system in place to detect money laundering and violations of the federal Bank Secrecy Act (BSA). According to the plaintiff-shareholders, this oversight failure of the directors led to violations of law, regulatory investigations, and civil penalties amounting to $50 million. Drawing from the conclusions in Caremark, the Stone court explained that director oversight liability can arise if: (1) “the directors utterly failed to implement any reporting or information system or controls;” or (2) “having implemented such a system or controls, consciously failed to monitor or oversee its operations[,] thus disabling themselves from being informed of risks or problems requiring their attention.” If plaintiffs are able to make this showing, then directors will have breached their duty of loyalty by “failing to discharge that fiduciary obligation in good faith.”
This high standard for director oversight is difficult to satisfy for at least two reasons. First, most companies today have some type of reporting or information system in place to identify violations of company policy or applicable laws. Plaintiffs will therefore have a difficult time showing that directors “utterly failed to implement any reporting or information system or controls.” Second, to satisfy the second oversight prong articulated in Stone, plaintiffs must show that the directors knew they were not discharging their fiduciary obligations. As acknowledged by the Caremark court, “a claim that directors are subject to personal liability for employee failures is ‘possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.’”
The Stone court concluded that there was no basis to hold the directors liable for the identified compliance deficiencies because they “dedicated considerable resources to the BSA/AML [anti-money-laundering] compliance program and put into place numerous procedures and systems to attempt to ensure compliance,” such as:
Appointing a BSA officer responsible for all BSA/AML-related matters, including, but not limited to, employee training;
Establishing a BSA/AML compliance department headed by the BSA officer and made up of 19 professionals;
Establishing a corporate security department responsible for detecting and reporting suspicious and fraudulent activity; and
Creating a suspicious activity oversight committee with a mission to “oversee the policy, procedure, and process issues affecting the Corporate Security and BSA/AML Compliance Programs,” and to ensure that an effective program exists at the bank to “deter, detect, and report money laundering, suspicious activity and other fraudulent activity.”
The Stone decision is important because it established the two-pronged test courts will apply when assessing whether directors have failed to discharge their corporate oversight duty articulated in Caremark. It also provides insight into the types of compliance controls and systems a court will likely deem adequate to withstand challenges from plaintiff-shareholders.
Marchand v. Barnhill
In recent years, plaintiff-shareholders have experienced greater success in their Caremark claims against directors, including those at privately held companies. For example, in the 2019 case Marchand v. Barnhill, the Delaware Supreme Court allowed a Caremark claim to proceed against the directors of an ice cream manufacturer after the company was forced to shut down its operations due to a listeria outbreak that led to the deaths of three customers and caused a liquidity crisis that diluted the interests of shareholders. According to the court, the complaint adequately pleaded the following:
The company had no board committee that addressed food safety;
The company had no regular process or protocols in place that “required management to keep the board apprised of food safety compliance practices, risks, or reports;”
The company had no schedule for the board to consider any key food safety risks on a regular basis;
During a key period leading up to the customer deaths, management received reports that contained “what could be considered red, or at least yellow, flags,” yet the board meeting minutes revealed no evidence that these flags were disclosed to the board;
The board was given favorable information about food safety by management but was not given “important reports that presented a much different picture;” and
The board meeting minutes were “devoid of any suggestion that there was any regular discussion of food safety issues.”
Considering these facts, the court concluded that the plaintiffs’ complaint supported an inference that “no system of board-level compliance monitoring and reporting” existed at the company. The court explained that while the two-pronged Caremark standard is challenging for plaintiffs to meet, it was met here because the plaintiffs demonstrated that the board had taken “no efforts to make sure it [was] informed of a compliance issue intrinsically critical to the company’s business operation”—food safety. This case settled in early 2020, with the company agreeing to pay $60 million shortly before the trial was scheduled to begin.
Clovis Oncology and Hughes v. Hu
Following Marchand, the Delaware Court of Chancery found that plaintiff-shareholders of Clovis Oncology adequately pleaded a Caremark claim against the company’s nine board members. Clovis Oncology was developing a drug designed to treat a previously untreatable type of lung cancer. The company expected the drug to generate large profits if Clovis could secure market approval from the U.S. Food and Drug Administration (FDA). Unlike the ice cream manufacturer in Marchand, which had no committee in place to address food safety, the plaintiffs in Clovis acknowledged that the company had established at least one board committee that was specifically charged with providing general compliance oversight of federal healthcare program requirements and FDA requirements. Thus, because the company had some system of controls already in place, the central issue in Clovis was whether the board properly exercised its monitoring/oversight responsibilities (the second prong of the two-pronged test articulated in Stone).
The plaintiffs alleged that while later stages of the clinical trial revealed the drug would not get approved for market by the FDA, and while the board was advised that the drug had “serious, undisclosed side effects,” the board ignored these red flags and allowed the company to mislead the market regarding the drug’s efficacy—fiduciary breaches that caused the company to experience a significant decline in market capitalization. Relying on the court’s position in Marchand that boards must be attuned to “compliance issues intrinsically critical to the company,” the Clovis court found that the plaintiffs adequately pleaded that the board “consciously ignored red flags that revealed a mission critical failure” to comply with applicable guidelines and regulations, and failed to correct the company’s inaccurate reporting. Whether the allegations raised by the plaintiffs will be successful in later phases of the litigation remains to be seen, but the Clovis decision serves as an instructive reminder to boards that their oversight duties encompass both a requirement to implement a reporting system or controls and a process to monitor and oversee that system or controls.
Finally, in the 2020 case of Hughes v. Xiaoming Hu, the Delaware Court of Chancery allowed a Caremark claim to proceed against the directors of a China-based technology company. After the company disclosed material weaknesses in its financial controls and had to restate three years of financial statements, the plaintiffs filed a shareholder derivative suit alleging that the defendants “consciously failed to establish a board-level system of oversight…choosing instead to rely blindly on management while devoting patently inadequate time to the necessary tasks.” In allowing the plaintiffs’ action to proceed, the court pointed to allegations in the complaint that the company’s audit committee “met sporadically, devoted inadequate time to its work, had clear notice of irregularities, and consciously turned a blind eye to their continuation.” The court also considered the allegation that the company lacked personnel with sufficient expertise on US generally accepted accounting principles (GAAP) and SEC disclosure requirements as they relate to equity investment transactions. This case is currently pending.
Oversight Expectations of Regulators and Government Enforcement Agencies
The board’s compliance oversight duty is reinforced by various US regulators that have issued guidance on their expectations around board oversight. For example, in its recently updated guidance titled Evaluation of Corporate Compliance Programs, DOJ makes specific references to the oversight role of the board, including the requirement articulated in the U.S. Sentencing Guidelines that a company’s “governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight” of it. The guidance also directs prosecutors to consider the following factors when evaluating the effectiveness of a company’s compliance program: (1) whether compliance expertise has been made available to the board, (2) whether the board has held executive or private sessions with the compliance and control functions, and (3) the types of information the board has examined in its exercise of oversight in the area in which the misconduct occurred.
Similarly, the U.S. Justice Manual instructs federal prosecutors to evaluate whether the “corporation has established corporate governance mechanisms that can effectively detect and prevent misconduct.” This type of mechanism would include an information and reporting system that is “reasonably designed to provide management and directors with timely and accurate information sufficient to allow them to reach an informed decision regarding the organization’s compliance with the law.” The manual also instructs prosecutors to consider whether the board exercises independent review over proposed corporate actions rather than blindly and unquestioningly ratifying officers’ recommendations, one of the issues that was specifically addressed in the Hughes decision.
In addition to the expectations set by regulators, public companies that trade on US national exchanges are subject to federal securities laws that require boards to discharge their oversight duties by implementing certain financial controls. For example, Rule 10A-3 of the Exchange Act directs NYSE, NASDAQ, and other national exchanges to require their listed issuers to establish an independent audit committee that is responsible for appointing an independent external auditor and establishing procedures for the receipt and processing of accounting complaints. The SEC also requires issuers to disclose whether at least one member of the audit committee is a “financial expert” and, if so, the name of the expert and whether they are independent of management. The SEC defines a financial expert as someone whom the board has determined possesses all of the following attributes:
An understanding of financial statements and GAAP;
An ability to assess the general application of GAAP in connection with accounting for estimates, accruals, and reserves;
Experience in preparing, auditing, analyzing, or evaluating financial statements that present a breadth and level of complexity of accounting issues generally comparable to what can reasonably be expected to be raised by the company’s financial statements, or experience actively supervising those engaged in such activities;
An understanding of internal controls over financial reporting; and
An understanding of the audit committee’s functions.
Lessons from Recent Settlements
In August 2020, Herbalife Nutrition Ltd. (Herbalife)—a publicly traded global nutrition company based in the US—agreed to pay a combined total of more than $123 million in criminal and civil penalties to resolve the government’s investigation into violations of the U.S. Foreign Corrupt Practices Act (FCPA). The resolution arises out of an alleged decade-long scheme in which Herbalife approved the “extensive and systematic” payment of bribes and other benefits to Chinese government officials for the purpose of obtaining, retaining, and increasing the company’s business in China. Moreover, Herbalife was accused of creating false accounting records that mischaracterized the corrupt payments and benefits as legitimate expenses. Herbalife entered into a deferred prosecution agreement (DPA) with the U.S. Attorney’s Office for the Southern District of New York in connection with a criminal information that charged the company with one count of conspiracy to violate the books and records provision of the FCPA. Pursuant to the DPA, Herbalife agreed to pay a criminal penalty of almost $56 million to the DOJ, and in a parallel action with the SEC, the company agreed to pay more than $67 million in civil penalties. Notably, the SEC in its cease-and-desist order noted that Herbalife executives received internal audit reports that showed high spending in China and violations of internal policies related to FCPA compliance. Upon receiving one such audit report in 2016, a member of Herbalife’s board emailed the audit committee and internal audit director, asking whether the high spending in China was reasonable.
Another board member responded, “Please note I have questioned this every year I have been on the board, and the company has defended its position that these are reasonable within FCPA guidelines.” The internal audit director then added that the “findings are the typical issues in these audits” and are within “tolerance.” Herbalife’s settlement with the DOJ and SEC highlights two key takeaways for boards and their oversight duties. First, written policies and procedures, standing alone, are ineffective for enforcing adequate compliance. Herbalife had an internal policy that limited dinners with any Chinese government official to six dinners per year, as well as internal compliance policies designed to prevent violations of the FCPA. But these controls apparently were ignored, even when issues were brought to the board’s attention. Second, adequate board oversight includes questioning potentially problematic activity and following up on red flags. While the Herbalife board questioned the reasonableness of certain expenses that were identified by its internal audit department, the board dismissed these expenses as “tolerable” and appears to have deferred to the high-level executives’ opinions and views that the expenses were within applicable guidelines. Such a response arguably enabled and perpetuated the corrupt activity that led to significant criminal and civil penalties.
Board governance issues can arise in a variety of contexts and can be scrutinized by a variety of federal regulators. Consider, for example, the Federal Trade Commission’s (FTC) 2019 order related to Facebook Inc. In July 2019, the FTC ordered Facebook to pay a $5 billion penalty for violating consumer privacy. The order stems from allegations that the company shared users’ personal information with third-party applications that were downloaded by users’ Facebook friends. According to the FTC, many users were unaware that their personal information was being shared and therefore did not take the steps needed to opt out of information sharing. The FTC’s 20-year settlement order requires Facebook to overhaul various aspects of its compliance program by creating greater accountability and independence at the board level (among other things). For example, the order requires Facebook to (1) establish an independent privacy committee that must hold at least four regularly scheduled meetings each year; (2) receive an annual briefing on management’s review of Facebook’s privacy program, and the steps the company has taken or plans to take to monitor or mitigate any identified privacy risks; and (3) meet with an independent, third-party assessor at least quarterly and at the end of each biennial assessment in order to receive updates on the assessor’s review of Facebook’s privacy programs and any actual or potential risks related thereto. Implicit in the FTC’s order is the recognition that boards must play a role in corporate compliance. This role is not a minor one, but rather requires oversight and monitoring of the key business practices that pose legal risk to the company. The FTC order also recognizes the importance of board independence in carrying out its oversight duties.