by Aaron Lewis, Donald Ridings, Jennifer Saperstein, Adam Studner, and Ishita Kala

Overview

An official in the Fraud Section of DOJ’s Criminal Division confirmed that, going forward, DOJ will “most likely” require a certification from executives in all corporate resolutions that the company’s compliance program is reasonably designed to prevent and detect violations of law. This announcement follows several statements from other senior DOJ officials suggesting that the Department might require CEOs and CCOs to provide such certifications, and one recent enforcement action imposing such a requirement.

DOJ officials have said that this requirement is not part of a “gotcha game” to hold executives liable for compliance failures. At the same time, this announcement follows many others signaling DOJ’s intent to prioritize its evaluation of compliance programs pre- and post resolution and to more proactively police compliance with obligations imposed in enforcement actions. Thus, companies and their CCOs should prioritize building robust compliance programs and testing their effectiveness proactively, and companies should focus intently on compliance early during any government investigations and post-resolution.

Background

Last week, an official in the Fraud Section of DOJ’s Criminal Division stated that all corporate resolutions will “most likely” require a certification from executives that the company’s compliance program is reasonably designed to prevent and detect violations of law. This official reinforced previously expressed DOJ views that “[t]he intention is not to put a target on the back of a chief compliance officer,” but rather to incentivize companies to prioritize compliance and to ensure that CCO’s “have a seat at the table” and are involved in “high-risk transactions [and] important decisions.” The official positioned the certification requirement as consistent with Department policy and practice, noting that “[e]very corporate resolution we have includes compliance obligations,” and pointing specifically to the resolution requirement “that the CEO and the CFO certify that they have met their disclosure obligations.”

This new requirement, even though materially broader than previous certifications required by DOJ in enforcement actions, is in line with recent DOJ positioning on the importance of compliance programs. Over several years, DOJ has released numerous policies signaling an increased focus on compliance program effectiveness and empowerment of compliance professionals, which we covered in a previous alert. And DOJ has imposed, and has stated that it will continue to impose, harsher resolutions, including compliance monitorships, on companies that are not able to demonstrate that their compliance programs are “tested, effective, adequately resourced, and fully implemented,” which we also covered previously.

Before last week’s announcement, DOJ’s Assistant Attorney General for the Criminal Division, Kenneth Polite, previewed in March 2022 that DOJ was considering imposing two certification obligations on CEOs and CCOs. First, at the end of the term imposed by a resolution agreement, a certification that a company’s compliance program is “functioning effectively” and “is reasonably designed and implemented to detect and prevent violations of law (based on the nature of the legal violation that gave rise to the resolution, as relevant).” And second, for resolutions requiring companies to provide annual self-reports on the state of their compliance programs, a certification that all compliance reports are true, accurate, and complete.

Consistent with last week’s announcement, AAG Polite, who previously served as CCO for a public company, framed DOJ’s goal as ensuring that CCOs “have true independence, authority, and stature within the company,” and said that certification requirements are not meant to be “punitive in nature.” Similarly, following concerns expressed by practitioners about new certification requirements, DOJ’s FCPA Unit Chief stated earlier this month that the corporate certifications are “not meant to be a gotcha game” and are instead intended as a mechanism to empower CCOs and to ensure “that the company is taking compliance seriously.”

DOJ’s May 2022 $1.1 billion resolutions with Glencore International A.G. (“Glencore”) and Glencore Ltd., for alleged violations of the Foreign Corrupt Practices Act and market manipulation, offer a first look at the compliance certification obligations that DOJ may impose going forward. Both resolutions require an independent compliance monitor for three years and include a “Certification” attachment to be signed by the CEO and CCO 30 days before the expiration of the term of the plea agreement.

The Glencore certification requires the CEO and CCO to certify that: (i) the company has implemented an anti-corruption compliance program that meets the requirements set forth in the plea agreement; (ii) the “compliance program is reasonably designed to detect and prevent violations of the Foreign Corrupt Practices Act and other applicable anti-corruption laws throughout the Company’s operations”; and (iii) “based on a review of the Company’s reports submitted to [DOJ], the reports were true, accurate, and complete as of the date they were submitted.” The Glencore Ltd. certification includes the first two requirements, with the second requirement focused on the commodities-related alleged violations that were the subject of Glencore Ltd.’s resolution. Consistent with AAG Polite’s remarks, this suggests that executive compliance certifications may be limited to the subject of the alleged legal violation at issue. 

Key Takeaways

The steady stream of remarks from DOJ senior officials on the topic of compliance certifications, and the certification requirements in the Glencore and Glencore Ltd. resolutions, reflect a growing focus on compliance program design and effectiveness pre- and post-resolution. Here are our key takeaways:

Compliance, Compliance, Compliance.

• DOJ could not be any clearer in its messaging—companies must take compliance seriously, empowering compliance professionals and devoting significant resources to creating an effective program. DOJ’s Evaluation of Corporate Compliance Programs guidance should be the starting point for any company in structuring and evaluating the effectiveness of its compliance program and any company that has not conducted a compliance program assessment should prioritize such an exercise to meet the Department’s expectations. As practitioners know well, designing, implementing, and testing compliance program enhancements to ensure effectiveness takes time, so companies—and the CEOs and CCOs who may need to provide certifications—would be well advised to undertake these efforts proactively, well before the government comes calling.
• Beyond proactive work to shore up compliance programs, companies caught in the government’s crosshairs should expect, as we covered in a prior alert, that independent compliance monitors are likely to be imposed when a compliance program is “untested, ineffective, inadequately resourced, or not fully implemented at the time of a resolution.” And, as covered in the same alert, DOJ has stated that it will be more actively policing compliance with the terms of resolution agreements—a commitment with which the Department is following through, as we covered in another alert. In light of these developments, and in particular the recent certification announcement, companies should prioritize compliance program evaluation, enhancement, and effectiveness testing as early as possible during a government investigation in order to avoid imposition of a monitor and to support certification requirements.
• CEOs and CCOs Should Tread Cautiously.  Despite statements from DOJ  officials that the compliance certification is not intended to be a “gotcha game,” whereby the Department would disagree with and enforce against, for instance, a CCO’s certification that a compliance program is reasonably designed to prevent violations of law, the certification still must be treated quite seriously. Notably, in the Glencore resolutions, the certifications constitute “a material statement and representation . . . for purposes of 18 U.S.C. § 1001.” This means that a false certification to DOJ potentially could expose corporate officers to a criminal false statements prosecution. Perhaps this reflects DOJ’s view that CEOs and CCOs should feel pressure to devote resources to compliance enhancements. As building compliance program enhancements and testing their effectiveness can take significant time, companies should begin these efforts proactively, before they are under Department scrutiny, and should continue these efforts early and in earnest during a government investigation and thereafter. Proactive compliance steps are not only consistent with the Department’s expectations, but also can considerably support executives’ certifications down the road.
•  Growing Department Expertise in Compliance. The Department is putting new resources and experience behind its enhanced focus on compliance. Both AAG Polite and DOJ’s recently announced Chief of the Fraud Section have experience as corporate CCOs. In addition, in recent years, DOJ’s Corporate Enforcement, Compliance, and Policy Unit has gained a greater role in the compliance aspects of corporate resolutions. The senior official from that Unit who announced that compliance certifications will “most likely” be required in all corporate resolutions also promised last week that additional compliance professionals will be joining the Unit shortly. These developments suggest that companies and their advisors will sit across the table from DOJ prosecutors who have a deeper understanding of the compliance space and how companies can achieve results, notwithstanding the ever-present reality of limited resources and time.

The bottom line is that DOJ is going further and further to signal just how much it is prioritizing compliance. Of course, as with any new DOJ policy initiative, there are open questions. For instance, how will the certification process function in practice in cases in which both an independent compliance monitor and executives must certify regarding the design of a
compliance program? What if their views are in tension with one another? What might be the effect of a CEO and CCO certification in the case of an enforcement action against a recidivist, a key DOJ focus as we covered in a previous alert? And will DOJ’s CEO and CCO certifications tread into the area of effectiveness, as opposed to compliance program design, as was signaled
by AAG Polite but which is not incorporated into the Glencore certifications? We will be keeping an eye on how these issues play out in practice. But for the time being, the message is clear: Companies and their executives should significantly prioritize their compliance efforts before, during, and after a DOJ investigation and enforcement action.

Aaron Lewis, Donald Ridings, and Jennifer Saperstein are Partners, Adam Studner is Of Counsel, and Ishita Kala is an Associate at Covington & Burling LLP.

The views, opinions and positions expressed within all posts are those of the authors alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law.  The accuracy, completeness and validity of any statements made within this article are not guaranteed.  We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the authors and any liability with regards to infringement of intellectual property rights remains with them.