The Growing Importance of Corporate Compliance Programs: A Look at Caremark
by Frode Jensen, III and John E. Davis
Good faith implementation and oversight of a workable corporate compliance program may
shield directors and officers from personal liability for the acts of employees that cause
the corporation to violate criminal statutes. Such programs are receiving increased
attention in the wake of an opinion by Chancellor William T. Allen of the Delaware
Chancery Court.[1] In addition, corporate compliance programs are growing in importance as
a factor taken into consideration by courts and regulators in exercising their enforcement
and sentencing discretion.
In Caremark, Chancellor Allen rejects the permissive oversight standards
previously applied to directors and officers and imposes, at least in some instances, a
mandatory duty to institute and maintain compliance and information systems. Given the
importance of Delaware corporate law in general and decisions of the Chancery Court in
particular, Chancellor Allen's opinion will be influential in defining the duty of care
owed by corporate directors nationwide.
Indictments Led To Suits For Inadequate Oversight
Caremark International, Inc. (Caremark) was a Delaware corporation in the health care
business that provided, among other things, patient care and managed care services. In
1994, Caremark and several of its employees were indicted for making illegal payments to
doctors who referred Medicare and Medicaid patients to Caremark. Caremark settled with
federal authorities by pleading guilty to a single count of felony mail fraud and paying
civil and criminal fines. The fines, along with reimbursements to various private and
public parties, totaled approximately $250,000,000.
Shareholders filed derivative suits against Caremark's directors, alleging that they
had breached their fiduciary duty of care by failing to oversee employee activities or
implement measures to avert criminal conduct. The parties negotiated a settlement under
which the directors agreed, among other things, to strengthen the company's compliance
system. The parties then sought to obtain Chancery Court approval of the settlement's
fairness.
Compliance System Helps Fulfill Oversight Duties
In approving the settlement, Chancellor Allen discussed at length the nature of
directors' oversight duties and the way organized compliance programs might fulfill them.
First, the Chancellor noted that directors owe shareholders a fiduciary duty of
due care or attention, which includes the obligation to oversee activities of the
corporation's employees. The Board's oversight obligations include "a duty to attempt
in good faith to assure that a corporate information and reporting system, which the board
concludes is adequate, exists."[2] Failure to institute such a system "under
some circumstances may, in theory at least, render a director liable for losses caused by
noncompliance with applicable legal standards."[3]
Second, the Board's information and reporting system need only be adequate, not
perfect. "It could never be assumed that an adequate information system would be a
system that would prevent all losses."[4] The level of detail appropriate for a
compliance program is a question of business judgment. Because courts are highly
deferential to Board decisions in matters of business judgment, "only a sustained or
systematic failure of the board to exercise oversight—such as an utter failure to attempt
to assure a reasonable information and reporting system exists—will establish the lack of
good faith that is a necessary condition to liability."[5]
Directors Cannot Rely Solely on Employees' Honesty
In Chancellor Allen's view, the law has moved beyond the Delaware Supreme Court's 1963
pronouncement that directors, absent cause for suspicion, are not required to install and
operate "a system of espionage to ferret out wrongdoing."[6] In Caremark,
the Chancellor read Graham "more narrowly" as holding that, absent grounds to
suspect deception, directors and officers cannot be held liable merely for assuming that
employees are honest in their activities on the corporation's behalf.[7] Chancellor Allen
opined that the present Delaware Supreme Court would recognize a higher standard for
directors; while directors need not conduct internal espionage, some sort of compliance
program is required to satisfy the duty of attention.
Sentencing Guidelines Highlight Need For Compliance Programs
Chancellor Allen pointed to the 1991 federal Organizational Sentencing Guidelines (the
Guidelines), which provide for penalties that "equal or often massively exceed those
previously imposed on corporations," as offering "powerful incentives for
corporations today to have in place compliance programs to detect violations of law,
promptly to report violations to appropriate public officials when discovered, and to take
prompt, voluntary remedial efforts."[8] The Guidelines create such strong incentives
for corporations to establish compliance programs that, in the Chancellor's view,
"any rational person attempting in good faith to meet an organizational governance
responsibility would be bound to take into account this development ... and the
opportunities for reduced sanctions that it offers."[9]
Good Faith Compliance Should Preclude Liability
At relevant times, Caremark had "a functioning committee charged with overseeing
corporate compliance," and the company's information systems "appear to have
represented a good faith attempt to be informed of relevant facts."[10] Thus, the
Chancellor noted, the directors could not be faulted if they lacked knowledge of the
employees' criminal activities and could not be held personally liable for their
employees' misdeeds.[11]
Guidelines Provide Blueprint For Meeting Duty Of Care
Recent high-profile fines levied under the Guidelines, including those against Daiwa
Bank for $340,000,000 and Archer-Daniels-Midland Co. for $100,000,000, reinforce the
importance of policing from within. An effective crime detection and prevention program,
coupled with prompt reporting to appropriate government authorities, can substantially
reduce the fine a corporate defendant must pay. To qualify for the reduction a duly
diligent organization must at least take the following steps:
- establish standards and procedures for employees and other agents to follow that are
reasonably capable of reducing the prospect of criminal conduct;
- assign to specific high-level individuals overall responsibility for overseeing
compliance;
- exercise due care by not delegating substantial discretionary authority to persons whom
the organization knows or should know possess "a propensity to engage in illegal
activities";
- take steps to effectively communicate its standards and procedures to all employees and
other agents, for example, by requiring mandatory training programs and disseminating
publications that explain requirements in a practical manner;
- take reasonable steps to achieve compliance with its standards, for example, by
monitoring and auditing compliance and implementing and publicizing a confidential
reporting system;
- consistently enforce its standards through appropriate disciplinary mechanisms,
including disciplining the individuals responsible for failing to detect an offense; and
- after detection, take all reasonable steps to respond appropriately to and prevent
further similar offenses.
Organizations that are bigger, involved in a field that poses special compliance
problems, or those exhibiting a history of noncompliance will be held to more formal and
comprehensive compliance policy standards.
Securities Laws Punish Corporations For Employee Wrongdoing
Incentives to oversight exist in addition to those noted in Caremark. Provisions
of the Securities Exchange Act (Exchange Act)[14] also strongly encourage organizations
to maintain workable compliance programs. Corporations have been subject to penalty since
1977 under the Foreign Corrupt Practices Act[15] for not maintaining adequate accounting
controls. Public companies must "devise and maintain a system of internal accounting
controls sufficient to provide reasonable assurances" that no one has access to
corporate funds without management authorization.
Similarly, the Private Securities Litigation Reform Act of 1995[16] requires outside
auditors to use procedures designed to detect clients' "illegal acts" directly
and materially affecting financial statements. The auditor has the responsibility to then
report any such acts to the corporation's board of directors, and, should the board fail
to take appropriate remedial action, directly to the Securities and Exchange Commission.
Finally, section 20(a) of the Exchange Act,[17] which imposes liability on those who
directly or indirectly control violators of the Exchange Act, provides an exception if the
controlling person acted in good faith and did not induce the violation. Courts
determining the applicability of this exception will inquire into the efforts made by the
controlling person to implement and enforce an acceptable compliance system.
Government Also Encourages Environmental Compliance
Government environmental policy provides further incentive for directors to implement
compliance programs. In a manner similar to that exhibited in the Guidelines, the
Environmental Protection Agency (EPA) has announced a policy that promises to reward
companies for exercising due diligence and maintaining effective programs to discover and
report their own violations of environmental law.[18] The EPA will not levy punitive
sanctions and will usually forgo prosecution given prompt reporting and correction of the
violation. Department of Justice factors for addressing environmental violations also
provide for leniency where companies have developed such programs.
A company's environmental compliance will also be a factor in whether it is certified
under ISO 14001, the environmental management-system specification developed by the
International Organization for Standardization (ISO), as part of its ISO 14000 series of
international environmental standards. If the EPA follows through on plans to link
ISO-based regulatory incentives to environmental compliance, organizations certified under
these standards will enjoy regulatory advantages at home and abroad in addition to the
arguable competitive benefits of discovering and correcting trouble spots from within.
Boards Should Review Compliance Programs
Caremark underscores the necessity for directors to make good-faith efforts to
police from within. Directors may avoid personal liability for employee wrongdoing by
taking reasonable steps to satisfy themselves that they are receiving adequate information
to fulfill their oversight obligations. The Guidelines and EPA standards provide helpful
guidance in setting up acceptable compliance programs, although the unique characteristics
and needs of each company mandate individualized attention to ensure suitability.
In light of Caremark, Boards should review their existing compliance programs
for adequacy, or should establish workable compliance systems if they have not done so.
These programs should be run by executives who are given the power to enforce compliance,
and who report regularly to the Board. Directors cannot, however, simply order the
implementation of compliance and information systems and pay no further attention.
Directors should ensure the proper implementation and maintenance of such programs and
insist on reviews of training efforts, discipline, audit and financial information, as
well as notice of any problems with compliance or ways to make the program more effective.
The duty outlined in Caremark need not be onerous. Directors may still rely for
information upon management and committees reporting to the Board. Moreover, so long as
they have considered the options, directors may rely on their business judgment in
deciding the extent and characteristics of a workable compliance program suitable to their
company's individual circumstances. Still, Caremark drives home the point that it is not
only the corporation that stands to lose from employee wrongdoing. Directors and officers
that fail to take steps to prevent and uncover crime in their own organizations may
violate their duty of care to the corporation and become personally liable for its losses.
Notes
[1] In re Caremark International Inc. Derivative Litigation, No.
CIV.A. 13670, 1996 Del. Ch. LEXIS 125 (Del. Ch. Sept. 25, 1996).
[2] Caremark at *38.
[3] Id.
[4] Id. at *38, n.27.
[5] Id. at *42.
[6] Graham v. Allis-Chalmers Manufacturing Co., 188 A.2d 125, 130 (Del. 1963).
[7] Caremark at *35.
[8] Caremark at *32-33.
[9] Id. at *36.
[10] Id. at *39, 42-43.
[11] Id. at *43.
[12] U.S. Sentencing Commission, Guidelines Manual (USSG), §8A1.2 cmt. 3(k)(1-7)
(1996).
[13] USSG §8A1.2 cmt. 3(k)(i-iii).
[14] 15 U.S.C. §§78a-11 (1994 & Supp. 1996).
[15] 15 U.S.C. §§78a, 78m, 78dd-1, 78dd-2, 78ff (1988).
[16] 15 U.S.C. §§77k, 771, 77z-1, 77z-2, 78j-1, 78u-4, 78u-5, and 18 U.S.C. §1964.
[17] 15 U.S.C. §78t(a).
[18] EPA, "Incentives for Self-Policing: Discovery, Disclosure, Correction and
Prevention of Violations," 60 Fed. Reg. 66706 (1995).
Frode Jensen, III is a Partner resident in
the Stamford, Connecticut office of the international law firm of Winthrop, Stimson,
Putnam & Roberts. He is a corporate lawyer, one of whose fields of concentration is
corporate governance. John E. Davis is a
Litigation Associate resident in the New York City office of Winthrop, Stimson, Putnam
& Roberts.
Reprinted with permission from In-House Practice & Management