“Compliance begins with the board of directors and senior executives setting the
proper tone for the rest of the company.”
When evaluating the success and effectiveness of their compliance programs, companies tend to focus on their policies and procedures, their whistleblower hotline statistics, and the number of compliance-related trainings offered to employees over a certain period of time. While all of these features help form the basis of an effective compliance program, often overlooked in this evaluation is the role of the board of directors in ensuring that these and other components of the compliance program work effectively and are periodically enhanced to mitigate risk. This is not a voluntary role that boards can ignore or delegate to legal and compliance personnel. Indeed, to satisfy their duty of loyalty as fiduciaries, board members must “make a good faith effort to implement an oversight system and then monitor it.” A board’s failure to adequately exercise this oversight function may expose a company to regulatory scrutiny and severe financial penalties when problems emerge, and also create personal liability for directors.
Fortunately, chief ethics and compliance officers (CECOs), as well as other corporate officers, now have access to more practical guidance addressing board engagement with compliance than in prior years. For example, the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) have issued board-specific guidance that companies can leverage to enhance their compliance programs and thereby mitigate the risk of wrongdoing. This chapter examines the current and primary legal standards (including applicable case law and regulatory guidance) that inform the board’s compliance oversight obligations. It also offers some practical tips for boards to consider when exercising their compliance oversight duties. A common theme that emerges from this practical guidance is that, to be effective in their oversight duties, boards must be proactive, remain engaged in and knowledgeable about their company’s compliance and ethics program, and be responsive to compliance- related issues that are escalated for their review.
The Legal Framework for Board Oversight Duties
Delaware Case Law Decisions
In Re Caremark and Stone v. Ritter
To understand the origin of a board’s fiduciary duty to oversee corporate compliance activities, it is important to briefly review the seminal case of In Re Caremark Int’l Derivative Litigation and its progeny. In Caremark, the Delaware Court of Chancery found that a director must make a “good faith effort to be informed,” and to ensure that a “corporate information and reporting system” exists. Failure to exercise this good faith effort could render a director personally liable for losses caused by noncompliance with applicable laws. However, the Caremark court did not elaborate on what constitutes “good faith” in this context.
Ten years later, in Stone v. Ritter, the Delaware Supreme Court expanded upon Caremark by addressing the extent of a board’s duty to ensure the existence of a monitoring and reporting system specifically, and its oversight of corporate compliance more generally. In Stone, shareholders of a financial institution brought a derivative action against present and former directors for their alleged failure to ensure the bank had a reasonable compliance and reporting system in place to detect money laundering and violations of the federal Bank Secrecy Act (BSA). According to the plaintiff-shareholders, this oversight failure of the directors led to violations of law, regulatory investigations, and civil penalties amounting to $50 million. Drawing from the conclusions in Caremark, the Stone court explained that director oversight liability can arise if: (1) “the directors utterly failed to implement any reporting or information system or controls;” or (2) “having implemented such a system or controls, consciously failed to monitor or oversee its operations [,] thus disabling themselves from being informed of risks or problems requiring their attention.” If plaintiffs are able to make this showing, then directors will have breached their duty of loyalty by “failing to discharge that fiduciary obligation in good faith.”
This high standard for director oversight is difficult to satisfy for at least two reasons. First, most companies today have some type of reporting or information system in place to identify violations of company policy or applicable laws. Plaintiffs will therefore have a difficult time showing that directors “utterly failed to implement any reporting or information system or controls.” Second, to satisfy the second oversight prong articulated in Stone, plaintiffs must show that the directors knew they were not discharging their fiduciary obligations. As acknowledged by the Caremark court, “a claim that directors are subject to personal liability for employee failures is ‘possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.”
The Stone court concluded that there was no basis to hold the directors liable for the identified compliance deficiencies because they “dedicated considerable resources to the BSA/AML [anti-money-laundering] compliance program and put into place numerous procedures and systems to attempt to ensure compliance,” such as:
Appointing a BSA officer responsible for all BSA/AML-related matters, including, but not limited to, employee training;
Establishing a BSA/AML compliance department headed by the BSA officer and made up of 19 professionals;
Establishing a corporate security department responsible for detecting and reporting suspicious and fraudulent activity; and
Creating a suspicious activity oversight committee with a mission to “oversee the policy, procedure, and process issues affecting the Corporate Security and BSA/AML Compliance Programs,” and to ensure that an effective program exists at the bank to “deter, detect, and report money laundering, suspicious activity and other fraudulent activity.”
The Stone decision is important because it established the two-pronged test courts will apply when assessing whether directors have failed to discharge their corporate oversight duty articulated in Caremark. It also provides insight into the types of compliance controls and systems a court will likely deem adequate to withstand challenges from plaintiff-shareholders.
Marchand v. Barnhill
In recent years, plaintiff-shareholders have experienced greater success in their Caremark claims against directors, including those at privately held companies. For example, in the 2019 case Marchand v. Barnhill, the Delaware Supreme Court allowed a Caremark claim to proceed against the directors of an ice cream manufacturer after the company was forced to shut down its operations due to a listeria outbreak that led to the deaths of three customers and caused a liquidity crisis that diluted the interests of shareholders. According to the court, the complaint adequately pleaded the following:
The company had no board committee that addressed food safety;
The company had no regular process or protocols in place that “required management to keep the board apprised of food safety compliance practices, risks, or reports;”
The company had no schedule for the board to consider any key food safety risks on a regular basis;
During a key period leading up to the customer deaths, management received reports that contained “what could be considered red, or at least yellow, flags,” yet the board meeting minutes revealed no evidence that these flags were disclosed to the board;
The board was given favorable information about food safety by management but was not given “important reports that presented a much different picture;” and
The board meeting minutes were “devoid of any suggestion that there was any regular discussion of food safety issues.”
Considering these facts, the court concluded that the plaintiffs’ complaint supported an inference that “no system of board-level compliance monitoring and reporting” existed at the company. The court explained that while the two-pronged Caremark standard is challenging for plaintiffs to meet, it was met here because the plaintiffs demonstrated that the board had taken “no efforts to make sure it [was] informed of a compliance issue intrinsically critical to the company’s business operation”—food safety. This case settled in early 2020, with the company agreeing to pay $60 million shortly before the trial was scheduled to begin.
Clovis Oncology, Hughes v. Hu, and Delaware Courts Today
Following Marchand, the Delaware Court of Chancery found that plaintiff-shareholders of Clovis Oncology Inc. (Clovis) adequately pleaded a Caremark claim against the company’s nine board members. Clovis was developing a drug designed to treat a previously untreatable type of lung cancer. The company expected the drug to generate large profits if Clovis could secure market approval from the U.S. Food and Drug Administration (FDA). Unlike the ice cream manufacturer in Marchand, which had no committee in place to address food safety, the plaintiffs in Clovis acknowledged that the company had established at least one board committee that was specifically charged with providing general compliance oversight of federal healthcare program requirements and FDA requirements. Thus, because the company had some system of controls already in place, the central issue in Clovis was whether the board properly exercised its monitoring/oversight responsibilities (the second prong of the two-pronged test articulated in Stone).
The plaintiffs alleged that while later stages of the clinical trial revealed the drug would not get approved for market by the FDA, and while the board was advised that the drug had “serious, undisclosed side effects,” the board ignored these red flags and allowed the company to mislead the market regarding the drug’s efficacy— fiduciary breaches that caused the company to experience a significant decline in market capitalization. Relying on the court’s position in Marchand that boards must be attuned to “compliance issues intrinsically critical to the company,” the Clovis court found that the plaintiffs adequately plead that the board “consciously ignored red flags that revealed a mission critical failure” to comply with applicable guidelines and regulations, and failed to correct the company’s inaccurate reporting. In March 2020, Clovis settled this lawsuit and agreed to pay $2.3 million in attorney fees. Clovis also agreed to adopt certain corporate governance reforms, including: (1) establishing a management-level committee to oversee disclosures; (2) adding an independent director to the board; and (3) implementing improvements to the company’s whistleblower program. The Clovis decision and settlement serve as an instructive reminder to boards that their oversight duties encompass a requirement to implement a reporting system or controls, as well as a process to monitor and oversee that system and controls.
In Hughes v. Xiaoming Hu, the Delaware Court of Chancery allowed a Caremark claim to proceed against the directors of a China-based technology company. After the company disclosed material weaknesses in its financial controls and had to restate three years of financial statements, the plaintiffs filed a shareholder derivative suit alleging that the defendants “consciously failed to establish a board-level system of oversight…choosing instead to rely blindly on management while devoting patently inadequate time to the necessary tasks.” In allowing the plaintiffs’ action to proceed, the court pointed to allegations in the complaint that the company’s audit committee “met sporadically, devoted inadequate time to its work, had clear notice of irregularities, and consciously turned a blind eye to their continuation.” The court also considered the allegation that the company lacked personnel with sufficient expertise on US generally accepted accounting principles (GAAP) and SEC disclosure requirements as they relate to equity investment transactions. This case is currently pending.
Notably, Delaware courts have signaled a potential shift in Caremark litigation by allowing duty of care claims to proceed beyond the motion to dismiss phase. For example, in Inter-Marketing Group USA, Inc. v. Armstrong, the Court of Chancery permitted plaintiffs’ Caremark claim against an oil pipeline operator for an oil spill. 2020 Del. Ch. LEXIS 391, at *35 (Del. Ch. Jan. 31, 2020). Even though the board received reports on general pipeline activity, the Court of Chancery held that those reports lacked substance and the board “never reviewed pipeline integrity policy [or] procedure.” Id. at *34. In In re Boeing Co. Derivative Litig., a derivative action brought by shareholders following the crash of two Boeing 737 MAX airplanes, the Court of Chancery held that plaintiffs sufficiently pled that the board of directors “turn[ed] a blind eye to a red flag representing airplane safety problems” and failed to implement a reporting system for airplane safety. 2021 Del. Ch. LEXIS 197, at *3 (Del. Ch. Sept. 7, 2021).
While few in number, these decisions show that Delaware courts are more willing to hear Caremark claims than in previous years. Boards should therefore establish systems and controls that will allow them to adequately monitor activities that are “mission critical” to their company’s business operations (e.g., airplane safety for airplane manufacturers, drug safety for pharmaceutical companies), and, importantly, take proactive steps to oversee those systems and controls in order to ensure they work in practice.