A compliance officer’s certification that her organization was compliant with applicable laws and regulations as part of its false claims settlement with the Department of Justice (DOJ) has come back to bite her. The organization is considering a self-disclosure that implicates the certification, a cautionary tale for other compliance officers now that DOJ is expected to require chief compliance officers to sign certifications that their organization’s compliance program is “reasonably designed and implemented to detect and prevent violations of the law” and functioning effectively in the resolution of corporate criminal cases. That language has already made an appearance in Glencore International A.G.’s May guilty plea to Foreign Corrupt Practices Act violations and in speeches by top DOJ officials.[1]
The new DOJ compliance certification “compounds the risk profile of a compliance officer,” said former prosecutor Robert Trusiak, who represents the compliance officer involved in the possible self-disclosure. The conundrum for compliance officers is they are “one step removed” from settlement negotiations with DOJ but could face criminal penalties for failures in their compliance program because of their signature on that certification, he said.
“A hard job just got harder,” said Trusiak, a former compliance officer. “It’s time you undertake your own due diligence checklist to address your concerns.” He said it should include having the board of directors sign off on the minutes of compliance committee meetings, keeping “mirror” documentation of higher-risk transactions, and determining where they stand under the company’s directors & officers (D&O) liability insurance policy.
The new DOJ policy also would require companies that resolve criminal cases to submit annual self-reports on the state of their compliance programs, and may extend to the CEO and chief compliance officer certifying “that all compliance reports submitted during the term of the resolution are true, accurate and complete,” Assistant Attorney General Kenneth Polite said in a March speech.[2]
He said it’s not meant to be “punitive.” Certifications are designed to “empower” compliance officers and ensure they have “true independence, authority and stature within the company.”
In fact, they may “elevate the importance of the compliance function,” said Mark Pastin, president of the Health Ethics Trust in Alexandria, Virginia. “It’s sending a signal to organizations that compliance is serious.” And compliance officers who are expected to sign certifications should be in upper management, a reminder of the influence the compliance role should have. “An attestation to the federal government is a weighty matter,” he noted.
The consequences for signing a certification and not delivering on it can be severe: charges under 18 U.S.C. § 1001 (making false statements). “Martha Stewart and thousands of others went to jail for violating it,” Trusiak said. And he warns against “omnibus” certifications, such as attesting to compliance with all applicable laws and regulations, in any context. “No provider is in compliance at any one time with all applicable rules, regulations, laws and statutes. That is a recognition of the density and complexity of operating in the health care environment.”
‘You Have a Voice in Negotiating That Language’
Because the stakes are high, compliance officers shouldn’t sign the DOJ certification or any compliance attestation until they’re confident about what they’re attesting to. Over time, the language may change as U.S. attorneys negotiate pleas and deferred prosecution agreements and go back and forth with defense attorneys, said Trusiak. “If you’re uncomfortable with that language, you need to address it then and there. You can’t accept some statement [from leadership] of, ‘We understand you have resource concerns and they might impede your ability to certify. We will address it in next year’s budget,’” he said. “You need to recognize you have a voice in negotiating that language because it is your certification.”
It’s also a good idea for compliance officers to think broadly about their exposure, beyond the certification in potential criminal cases. In addition to the compliance officer caught up in the potential self-disclosure, Trusiak has taken on another compliance officer client in the past two months in connection with the discharge of their compliance responsibilities. This compliance officer is named in a lawsuit, along with their former employee, over a failed acquisition. Because he had participated in due diligence in preparation for the merger, the compliance officer was drawn into the lawsuit. “When you are involved in a matter that falls within ‘duties that are otherwise assigned,’ such as mergers, delineate what you are doing and not doing and also look at [your employer’s] D&O insurance and see if you’re a covered official and whether an event is covered as a claim if it goes south.” The compliance officer is paying out of pocket for legal expenses because the former employer’s D&O insurance didn’t cover him.
The Role of Compliance Committee Minutes
It's important for compliance officers to “recognize material risks as they come along,” he said. “These are significant risks that are not set forth in the specific details of your job description.” When their job takes them beyond core compliance responsibilities (e.g., auditing the work plan, exclusion screening, ensuring contracts are signed), he suggested compliance officers “memorialize what you are being asked to do” (e.g., help manage a corporate integrity agreement, due diligence for mergers and physician practice acquisitions). “Be transparent. Share with all relevant people what you did and didn’t do and maintain a mirror file of important communications.” If there’s an enforcement action or regulatory concern years later and the compliance officer has left the organization, they won’t be able to go back and get the files.
Trusiak also suggested having the minutes of the compliance committee reviewed and accepted by the board. “Boards often review and accept minutes of the finance committee because it’s critically important to the organization,” Trusiak said. The same should apply to the compliance committee. “If everything goes south, you can say, ‘The minutes were reviewed by the board, and the board was invested in what I recommended.’” He also thinks a board member should serve on the compliance committee, which ideally hears about both the positive aspects of what compliance officers have accomplished in the previous quarter as well as resource constraints that handcuff them. Make sure you’re “frank in the compliance committee relative to discharging material risk events,” Trusiak said.
Compliance officers also may want to explore whether and how their employer’s D&O insurance protects them, Trusiak said, mentioning a blog on the topic.[3] “Detail is important,” he noted. “Do not inquire and be satisfied with a statement along the lines of, ‘You are covered.’” Compliance officers should ask questions about whether they are an insured person, how a claim is defined, how legal fees are paid, whether protection extends after they leave the organization and whether there’s a cap on legal fees.
Language Is Part of ‘Settlement Terms Anyway’
The DOJ certification is also another reason to ensure, “well before being in the crosshairs of DOJ,” that companies have a process to assess their compliance programs, said Matthew Krueger, former U.S. Attorney for the Eastern District of Wisconsin. “It’s best to periodically review and test the compliance program against objective standards so if you are in the compliance officer role you have a basis to give certifications,” said Krueger, with Foley & Lardner LLP. DOJ has provided a road map of sorts in its Evaluation of Corporate Compliance Programs, which was updated in June 2020.[4]
Certifying they have an effective compliance program can be helped by use of “subcertifications” that companies have in place, Krueger said. Larger entities with multiple compliance professionals may want to use subcertifications according to the area they’re responsible for (e.g., auditing and monitoring, training and education) so the chief compliance officer can rely on their subordinates’ certifications, he said.
The language in DOJ’s new certification “seems like a fairly broad and reasonable request,” said Kirk Ogrosky, former deputy chief of DOJ’s fraud section. “This type of language is part of the general settlement terms anyway—the government wouldn’t be resolving prior criminal conduct if they thought it was still ongoing.”
“The trick here is the compliance officer will be signing a document that may give rise to a Sec. 1001 false statement charge if it is, in fact, false,” Ogrosky said. “The ask for a formal sign-off by the CEO and chief compliance officer may trigger some anxiety about what the executives may or may not know. And in large, multinational corporations with thousands of employees, it is really hard for the CEO and chief compliance officer to be certain. But these types of certifications are based on what the CEO and chief compliance officer know at the time of execution and whether they have made diligent and reasonable efforts to assure compliance. All in all, it should not be a big deal or extra burden for a well-run company.”
Contact Trusiak at robert@trusiaklaw.com, Krueger at mkrueger@foley.com, Pastin at mpastin@corporateethics.com and Ogrosky at kogrosky@goodwinlaw.com.