In In re McDonald's Corporation Stockholder Derivative Litigation, the Delaware Court of Chancery recently confirmed that the fiduciary duty of oversight, also known as “Caremark duties,” applies to non-director officers. While many have responded to that decision with surprise and some hand-wringing, the reality is that the decision is consistent with a legal and regulatory regime that has increasingly sought to hold corporate officers — particularly chief compliance officers (CCOs) — liable for corporate misconduct. And, as was suggested in the McDonald's opinion, the CCO's oversight responsibility extends over the entire company. As a result, when boards are considering how to structure their oversight of the corporation's risk management function, they should make sure that their CCO understands these obligations and is prepared to take them on.
The Increasing Visibility of the CCO
The McDonald's case is another example of how corporate officers, including CCOs, have become more visible targets for those seeking to assign blame for corporate compliance failures. Another example was the announcement last year by Assistant Attorney General Kenneth Polite that CCOs and CEOs must, among other things, certify “that the company's compliance program is reasonably designed and implemented to detect and prevent violations of the law … and is functioning effectively.” And where companies must provide annual reports on their compliance programs, the Department of Justice is considering requiring CEOs and CCOs to certify that the reports are “true, accurate and complete.” While the stated intent was to empower CCOs to discharge their oversight responsibilities by giving them added motivation to review all compliance-related information and voice concerns, this obligation could create additional personal liability for those CCOs who have been misled or perhaps pressured by their company to sign such a certification.
FINRA also recently addressed the liability of CCOs of broker-dealers under its supervision. Rule 3110, FINRA's supervision rule, requires member firms to “establish and maintain a system, including written procedures, to supervise the activities of each associated person that is reasonably designed to achieve compliance with applicable securities laws and regulations, and with applicable FINRA rules.” A CCO also may be exposed to personal liability under the Investment Advisers Act of 1940 if they fail to enforce written policies and procedures meant to prevent violations of the law. And under the Securities Exchange Act of 1934, the SEC is authorized to take individual action against a CCO of a broker-dealer if they fail to reasonably supervise a subordinate who violates the Exchange Act.
Key Takeaways
The McDonald's decision is the latest evidence of the increased appetite for holding corporate officers personally accountable for permitting or failing to uncover corporate malfeasance. In addition to the Chancery Court of Delaware, the Department of Justice, the SEC and FINRA have already been imposing penalties on CCOs for compliance oversight failures. After the McDonald's case, the scrutiny on CCOs is likely to increase. Boards should consider this heightened focus on the CCO's oversight responsibility when they evaluate the compliance function and hire a CCO. The CCO is no longer — if it ever was — a secondary role, but is a crucial function for the business, especially a regulated one such as a broker-dealer. Consequently, boards need to make sure that the company's compliance function, including the CCO:
- Is up to date on the current visibility of the compliance oversight function and the expectations that have been set for management's compliance function.
- Updates important policies and procedures regularly and makes sure that they are easily accessible to the employees that need to be aware of them.
- Routinely reviews applicable laws, rules and guidelines with the appropriate employees, and keeps up to date on changes to the regulatory environment.
- Does not ignore red flags. Personal liability can ensue if the CCO ignores or halfheartedly addresses problems brought to their attention. If the CCO learns of a potential issue, it should be brought to the company's lawyers for investigation sooner rather than later.
- Keeps current and enforces the company's procedures for handling and escalating issues that come to the attention of the CCO. This includes keeping the board informed. As McDonald's makes clear, the duty of oversight is shared among directors and officers, and the board is unable to exercise its own duty of oversight unless management keeps the board informed of areas of concern.
Legal and regulatory compliance is a core aspect of the overall risk management of the company, and as boards consider how best to fulfill their own oversight responsibilities, they must make sure that their CCOs are able and empowered to act robustly to eliminate any meaningful risk of noncompliance.
Jason Rauch assisted in preparing this column.