The question of where a compliance department should reside within the corporate configuration is getting significant attention by companies and commentators alike. Indeed, news reports over the past year have underscored the trend of elevating Chief Compliance Officers (“CCOs”) in the company hierarchy, creating separation between compliance and legal within the corporate infrastructure, and boosting spending on compliance resources. Moreover, because the aptitude of companies in detecting, preventing, and deterring unethical and/or criminal conduct through effective compliance is increasingly scrutinized by enforcement authorities worldwide, the need for a trained, dedicated, and independent corporate compliance function may be more important than ever. This idea of an empowered CCO working collaboratively with a dedicated compliance department has fostered a robust public discussion about where exactly a compliance group should be housed in the corporate configuration, and whether it should be operated and maintained separately from the legal department. Many companies are opting for separation and independence, furthering a trend that has gained considerable support from relevant law enforcement and regulatory bodies. This article explores this trend and discusses the pertinent regulatory and practical considerations for companies seeking to make an informed decision on how best to structure and resource their compliance groups.
History and Evidence of the Trend
The dialogue over best practices with respect to a company’s compliance structure took on increased significance when, in 2010, the U.S. Sentencing Commission revised the definition of an “effective compliance program” in the U.S. Sentencing Guidelines (“Guidelines”) to require that the individual with operational responsibility for the program have direct reporting obligations to the organization’s governing authority (e.g., board of directors).[1] The Guidelines explain that this individual must have authority to communicate personally and promptly to the governing authority on any matter involving criminal conduct (or potential criminal conduct) and at least annually on the implementation and effectiveness of the program.[2] Similarly, in 2012, in A Resource Guide to the U.S. Foreign Corrupt Practices Act, the U.S. Department of Justice (“DOJ”) and Securities and Exchange Commission (“SEC”) emphasized that the individual responsible for oversight and implementation of a company’s compliance program “must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively.”[3] And outside of the United States, Brazil’s Clean Company Act, the new criminal code requirements in Spain, and the U.K. Bribery Act all incorporate the expectation that an effective compliance program will include a lead compliance officer with a certain level of seniority, autonomy, and independence vis-à-vis other corporate groups, such as legal. Moreover, a joint Society of Corporate Compliance and Ethics (“SCCE”) and NYSE Governance Services survey released in September 2014 found that only 8% of the 249 organizations surveyed placed overall responsibility for the ethics and compliance program with the general counsel or chief legal officer, while 56% placed it with a compliance and/or ethics officer.[4] Among the entities surveyed, only 18% of the individuals responsible for compliance reported to the general counsel, while 38% reported to the CEO, and 19% to the board of directors. Accordingly, well over half of the entities surveyed maintain compliance departments separate from, and certainly not under the direct control of, the general counsel. An annual benchmarking survey conducted by Deloitte and Compliance Week reveals a similar trend. Of the 364 respondents participating in their 2015 Compliance Trends Survey, 59% reported having a stand-alone CCO, representing a 9% increase from the survey’s 2014 findings and a 22% increase from the 2013 findings. Additionally, in 57% of the participant companies, the CCO reports directly to the CEO or board of directors. Also, importantly, the CCO sits on the executive management committee in 51% of the respondent entities. Contrast these findings with those reflecting the CCO’s relationship with the legal function – only 15% of CCOs in the companies surveyed function as both CCO and general counsel and only 21% report directly to their company’s general counsel. Another high-profile example of this trend was captured in the recent responses by companies in the banking and financial services sectors to anti-money laundering regulatory and enforcement obligations. Over the past year, for instance, several global banks publicly announced plans to separate their compliance and legal functions, while other major financial institutions publicized a substantial expansion and/or enhanced expenditures for their compliance staffing and resource budgets. Based on statements from relevant authorities, such changes to infrastructure, as well as increased compliance spending, appear to be warranted. In an October 2014 speech, for example, a high-ranking official at the DOJ stated that, while the decision about whether to separate compliance and legal should be made on a case-by-case basis, and tailored to a company’s specific circumstances, ultimately, compliance departments should act independently and with autonomy. The official further emphasized that those overseeing the compliance function (e.g., the CCO) should be able to demonstrate they have a direct line of communication to the board of directors. Last month, the Assistant Attorney General for the DOJ’s Criminal Division stressed the importance of an adequately funded compliance department that has sufficient independent stature within a company. Such comments cast some uncertainty about whether a compliance function housed within or as part of the legal group would be perceived by U.S. authorities in 2015 as sufficiently influential to be viewed as effective.
Divergence of Objectives
One of the primary goals of a corporate legal department is to identify and manage legal risk presented by the corporation’s specific business profile. The legal group is, therefore, often tasked with, among other things, supporting the business function and assisting in the development of the company’s business intentions. It must also, of course, defend the company against the threat of litigation and otherwise protect the legal interests of the company around the world. The main objective of a compliance department, on the other hand, is to develop and manage the means through which a company conforms the conduct of its employees to fit within applicable ethical, legal, and regulatory obligations. A company’s efforts in this regard are independently addressed in both the Guidelines, as noted above, and the Principles of Federal Prosecution of Business Organizations set forth in the U.S. Attorneys’ Manual (“Principles”). The Principles direct U.S. prosecutors to consider the strength and effectiveness of a compliance program as proof of a company’s good faith attempt to ensure that its employees and/or others acting for or on its behalf do not engage in criminal conduct. These differing objectives can sometimes result in a type of conflict of interest between legal and compliance. The legal group’s role as an advocate for the company may, for instance, conflict with the notion of independence in making difficult decisions about high-risk business opportunities. Indeed, one recent corporate Foreign Corrupt Practices Act (“FCPA”) enforcement action is illustrative of how the divergent aims of the legal and compliance functions can result in problems. According to the government in that matter, members of the company’s legal team had knowledge of ongoing misconduct at a foreign subsidiary, but acquiesced to the efforts of foreign business executives to cover up the misconduct — and also took no steps to improve internal controls designed to prevent future misconduct. Citing, among other things, the lack of a dedicated compliance officer and experienced compliance personnel, the DOJ labeled the company’s program as “inadequate” and spotlighted the absence of certain compliance-related activities typically performed by devoted compliance departments, such as training on policies, implementation and management of a due diligence program, approval for the retention of third parties, periodic risk assessments, and oversight of gifts, travel, and entertainment expenses.
Practical Considerations for Companies
The design, implementation, and oversight of an effective compliance program should be tailored to each company’s industry, business model, global footprint, and overall risk profile. The key is to carefully consider what structure will put the company in the best position to prevent, detect, and deter improper conduct. Given the substantial benefits that can inure to companies that take time to invest properly and proportionately in compliance, the failure to design, implement, and maintain an effective and independent program can result in unnecessary costs and unwelcome attention from relevant authorities. In light of the above, companies should evaluate the current structure of their legal and compliance departments and determine whether the compliance function is sufficiently independent, autonomous, resourced, and empowered (with open lines of communication to the board of directors). Below are some best-practice considerations for entities evaluating their compliance departments in this respect.
- Highly-Regulated Industry — As noted above with financial institutions in the area of anti-money laundering compliance, the requirements of certain regulated industries are such that compliance should be carved out from legal and sufficiently independent to ensure that the compliance function has the influence and resources necessary to avert unethical and illegal conduct.
- Significant Operations in Emerging Markets and/or Higher-Risk Countries – Certain industries and business models require substantial operations in emerging markets or countries known for a higher risk of corruption and other criminal activity. Such companies may sometimes find the roles of the legal department and the compliance group at odds making, as noted above, the independence of compliance a critical factor in the detection and prevention of improper conduct.
- Corporate Growth and Development – Companies entering a stage of significant growth through mergers and acquisitions or joint ventures, for example, face increased compliance risks by absorbing new employees from different compliance cultures and entering new regulatory markets. In such circumstances, an empowered and independent compliance department will help ensure that business leaders promptly address red flags associated with these transactions, and, when necessary, elevate such concerns to senior management. In addition, assigning personnel dedicated to oversight of post-transaction compliance integration is key to ensuring that the compliance program is effectively implemented in new corporate arrangements.
- Decentralized Corporate Structure – For similar reasons, a compliance department that is independent from the business and the legal team is vital for companies with a decentralized operational structure wherein authority is largely delegated to employees in the field.
- Recent Compliance-Related Incidents – Companies that have recently experienced compliance-related issues should evaluate their compliance structure and program effectiveness. Such entities should also assess whether the compliance group is sufficiently senior within the company’s management structure and whether it has adequate autonomy and independence to effectively communicate the importance of compliance to the company’s overall success. Even where companies have a well-designed compliance program, it is vital that employees at all levels of the company view the CCO, CEO, board, and other senior leaders as equal members of one team, all of whom are fully committed to compliance. Sometimes, the misperception that compliance is not imperative to the corporate mission can be at the root of related employee misconduct.
- Heavy Reliance on Third Parties – Companies active in certain regions or industries may heavily depend on distributors, consultants, agents, and other third-party intermediaries. Global enforcement authorities expect companies, big and small, to have a means of tracking or identifying their third parties, whether they are lower-risk vendors and suppliers or higher-risk intermediaries such as business development agents. Such authorities likewise expect that companies will conduct a centralized, objective, and independent risk evaluation on their third parties prior to engagement and retention. For example, any company that must appear before the DOJ or SEC in an FCPA matter without such processes in place runs the risk of its compliance program being viewed as inadequate. Thus, companies that regularly engage third parties should sufficiently staff and resource their compliance departments to ensure that they are equipped and capable of providing the oversight and monitoring enforcement authorities now expect.
- Privately Held Companies – Business organizations that are not subject to the SEC’s governance and filing requirements may sometimes, understandably, be more complacent in their risk management efforts. Accordingly, their boards may have an even greater need for an independent perspective on the nature and extent of their compliance risks. Regular and direct interaction with the CCO will help such boards remain appropriately sensitive to such risks.
[1] U.S. Sentencing Guidelines § 8B2.1(b)(2)(C). [2] Id. § 8C2.5 (Application Note 11). [3] Dep’t of Justice & Sec. & Exch. Comm., A Resource Guide to the U.S. Foreign Corrupt Practices Act at 58 (2012) (emphasis added). [4] Another 23% placed it with a Director or an Executive/Senior/Vice President, 4% placed it with a manager or Chief Human Resources Officer, and 9% placed it with some “other” individual.
