Compliance & Ethics September 2014 Professional a publication of the society of corporate compliance and ethics www.corporatecompliance.org Compliance and Ethics at Walmart an interview with Cindy Moehring and Jay Jorgensen Senior Vice-President and Global Chief Ethics Officer at Walmart See page 14 Senior Vice-President and Global Chief Compliance Officer at Walmart 31 An inside-out look at organizational ethics Frank J. Navran 49 Ethics Bowl: Teaching ethical reasoning to students Maureen Weldon 55 Seven powerful ideas to deliver meaningful compliance messages Kathalin Carvalho 59 The global language of ethical values Simon Webley This article, published in Compliance & Ethics Professional, appears here with permission from the Society of Corporate Compliance & Ethics. Call SCCE at +1 952 933 4977 or 888 277 4977 with reprint requests.
by Janice A. Anderson, Esq. and Ryan M. McAteer, Esq. Compliance Officers Roles in Corporate Compliance Programs: Are you at Risk for Personal Liability? Compliance officers are tasked with the responsibility of operating and monitoring an organization s compliance program. Compliance officers may be held liable if the services they provide are deemed to be negligent. Accordingly, it is important that compliance officers make sure they have adequate insurance to cover liability risks. Compliance officers should request copies of their organization s D&O policy and ask if their role is specifically covered. If compliance officers are covered by a D&O policy, they should confirm the instances or acts which trigger coverage and be aware of the occurrences that are excluded from coverage. If compliance officers are not included in D&O coverage, they should check state statutes, corporate bylaws and other insurance coverages to determine the extent to which they can be insured or receive coverage. The recent trend of regulators and enforcement officials has expanded the scope of investigations to in-house compliance personnel and has, in some cases, resulted in personal liability of individuals providing compliance activities for corporate wrongdoing. Aggressive prosecution of individuals implicated in corporate fraud is certainly nothing new, but never Anderson before has there been such a distinct focus on the compliance officer s efforts to prevent civil and criminal violations. As a result, corporate compliance professionals are left scrambling to determine how much personal liability they may incur if corporate fraud is uncovered within their organization. McAteer Personal liability: The risks In November 2012, MoneyGram International Inc., a global money services business, agreed to forfeit $100 million and enter into a deferred prosecution agreement (DPA) with the U.S. Department of Justice. In the DPA, MoneyGram admitted to criminally aiding and abetting wire fraud and failing to maintain an effective anti-money laundering program. According to court documents, MoneyGram was involved in mass marketing and consumer fraud phishing schemes, perpetrated by corrupt MoneyGram agents and others, that defrauded tens of thousands of victims in the United States. MoneyGram also failed to maintain an effective anti-money laundering program in violation of the Bank Secrecy Act, a program which was largely the responsibility of MoneyGram s Compliance department. Compliance & Ethics Professional September 2014 +1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 91
Compliance & Ethics Professional September 2014 As a result of MoneyGram s ineffective anti-money laundering program, the U.S. Treasury Department s Financial Crimes Enforcement Network reportedly notified Thomas Haider its former chief compliance officer that he may be liable for a fine of up to $5 million for compliance failures that resulted in a widespread money-laundering fraud scheme. Although Haider is expected to contest the fine, it is possible he could be found personally liable for its repayment. The Treasury Department further indicates that government regulators intend to hold individuals accountable for corporate violations. Thomas Haider is not the first compliance official to get caught in the cross-fire of a government investigation. In 2007, the U.S. Department of Justice and U.S. Attorney s Office filed a lawsuit against Christi Sulzbach, former General Counsel of Tenet Healthcare, alleging violations of the False Claims Act. Neither Mr. Haider nor Ms. Sulzbach is likely to be the last individual target of a government investigation. Duties of compliance officers Compliance officers are tasked with the responsibility of operating and monitoring an organization s compliance program, which typically includes direct access to the CEO and governing body. Although a compliance officer may be given other responsibilities, the general responsibilities of a compliance officer usually include: 1. Developing and implementing the elements of an effective compliance program; 2. Revising the program in light of organizational changes and new developments in applicable laws and regulations; 3. Generating policies and programs related to compliance issues, including those that encourage managers and employees to report suspected fraud and other improprieties without fear of retaliation; 4. Developing and implementing education and training programs to ensure employed personnel and independent contractors are in compliance with state and federal requirements; 5. Conducting internal audits and compliance reviews; 6. Reporting on the progress of the compliance program to the compliance committee, CEO, and governing body; 7. Investigating areas of potential non-compliance and developing corrective actions; 8. Coordinating personnel issues with the organization s Human Resources office, including those involving physician employment and compensation; and 9. Assessing the effectiveness of the compliance program and revising it as necessary to improve its overall effectiveness. The primary purpose of an effective compliance program is helping an organization prevent, detect, and investigate misconduct. In some cases, compliance officers must challenge management if certain improprieties are not appropriately addressed. This often puts compliance officers in an undesirable position directly at odds with management. There are no current laws or regulations that directly govern their obligations, but emerging guidance emphasizes that compliance officers should not consent or passively assent to any misconduct. If challenging management fails, a compliance officer is well-advised to escalate the issue to the board of directors. Protecting compliance officers from personal liability When corporate wrongdoing is discovered or disclosed, litigation is almost certain to 92 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977
follow. Savvy compliance officers are aware of the kinds of liability coverage options that are available and how to secure them. Most organizations provide for of the board of directors and high level officers in their corporate bylaws as permitted by state law. These bylaw provisions often state that the organization will indemnify such individuals to the fullest extent permissible by state law. State statutes are intended to protect corporate directors and officers, but often permit corporations to indemnify other employees and agents if they are named in a lawsuit while they were acting on behalf of the organization or at the direction of a member of the board. Indemnification of corporate officers, employees or agents may be mandatory or permissive, and the determination of when applies can vary from state to state. In California, a corporation has the power to indemnify any person who is a party to any proceeding by reason of the fact that the person is an agent of the corporation. Such includes expenses, judgments, fines, settlements, and other amounts actually and reasonably incurred in connection with the proceeding as long as the individual acted in good faith and in a manner he/she reasonably believed to be in the best interests of the corporation. Expenses typically include attorneys fees and other fees incurred in establishing a right to When corporate wrongdoing is discovered or disclosed, litigation is almost certain to follow. Most organizations provide for of the board of directors and high level officers in their corporate bylaws as permitted by state law.. The California statute also applies to officers and other employees who act in good faith while serving at the request of the corporation. Compliance officers should therefore assess state statutes and review corporate bylaws to determine if corporate would apply to them on a mandatory or permissive basis. Further, compliance officers should endeavor to make clear with their employer that they will be included among the corporate officers covered by statutory protections, and this may need to be addressed in the corporate bylaws. Directors and officers liability insurance In addition to state statutes, compliance professionals should determine whether they are covered by the corporation s directors and officers (D&O) liability policy or if the corporation provides any other liability coverage that may apply to them. Usually a D&O policy will cover board members and other corporate officers acting in the capacity of such roles. Less certain is whether a compliance officer will be considered a corporate officer if the D&O policy does not specifically include their name or position within the organization. There is no requirement that a D&O policy specifically apply to a compliance officer and therefore a careful assessment of such policies should be undertaken. If the D&O policy is unclear, Compliance & Ethics Professional September 2014 +1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 93
Compliance & Ethics Professional September 2014 compliance officers should work with their employers to ensure that the policy extends to them. Both federal securities laws and the Federal Sentencing Guidelines identify compliance officers as playing a substantial role in the policy-making of the organization, and, therefore, compliance officers can point to federal guidelines to support that they should be covered by the corporation s D&O policy. In addition to determining if they are covered by a D&O policy, compliance officers should confirm the scope of D&O coverage. D&O policies typically offer a few coverage options, each of which is triggered under different circumstances. Some coverage is triggered when an claim is filed and the corporation is financially unable to indemnify its directors and officers due to insolvency (in such case, the D&O policy is an extension of the obligation discussed above). D&O policies also can cover certain covered persons for specified claims, such as employment claims, regardless of the corporation s financial ability to cover the claim. Varying levels of deductibles can also apply. Thus, it is important for compliance officers to know not only if they are a person covered by the policy but also the scope of coverage that is provided. Knowing when the organization s policy will be triggered is key to understanding whether or not a compliance officer s acts will be covered. Further, compliance officers should be aware of policy exclusions. All D&O policies carve out certain occurrences that will not All D&O policies carve out certain occurrences that will not be covered, including wrongful conduct, fraud, breach of contract, or discrimination and employment practices liability. be covered, including wrongful conduct, fraud, breach of contract, or discrimination and employment practices liability. However, carriers typically draft each policy differently, and definitions will vary from policy to policy. If a compliance officer is also acting as legal counsel, coverage may not be available at all under the D&O policy, because legal services are typically excluded from D&O coverage. Finally, compliance officers should confirm whether significant deductibles apply or whether the policy has an aggregate limit (e.g., a $1,000,000 policy limit) or is an unlimited policy. If the policy has a $1,000,000 deductible, the compliance officer must look to the organization to cover the deductible first. Further, if the policy has a $1,000,000 limit, and the carrier pays $500,000 defending the organization s directors and officers, only $500,000 will remain to settle the case or pay judgments levied by a court. These limitations to coverage under a D&O policy are important to recognize. Other insurance Depending on a compliance officer s role in the organization, services provided, and licenses or certifications held, other liability policies may be available that can be tailored to an individual or organization. For example, if a lawyer serves a dual role as compliance officer and in-house counsel, a D&O policy likely applies only to those services provided by an individual in their capacity as a compliance officer, and additional professional liability coverage would be necessary for 94 www.corporatecompliance.org +1 952 933 4977 or 888 277 4977
any legal services provided. Therefore, after determining when corporate and D&O coverage apply, compliance officers should consult their Insurance department to assess whether additional coverage is necessary. Conclusion Because compliance officers are becoming increasingly targeted by government regulators, it is important to be aware of the available protections if they are ever personally named in a suit against their employer. A thorough reading of the organization s bylaws, corporate documents, and D&O policies is necessary to determine how much personal risk a compliance officer has at stake. This article is drafted for informational purposes only and does not constitute, and should not be construed as, legal advice. Janice A. Anderson (JAnderson@Polsinelli.com) is a Shareholder in the Chicago office and Ryan M. McAteer (RMcAteer@Polsinelli.com) is an Associate in the Los Angeles office of Polsinelli, PC. 2014 COMPLIANCE & ETHICS INSTITUTE PREVIEW Session P1: Ethics & Compliance Risk Management 101: Program Essentials and Effective Practice SUNDAY, SEPTEMBER 14, 9:00 AM 12:00 PM Behind every great ethics and compliance program is a meaningful, effective, and ongoing risk assessment and management practice. Please join Greg Triguba and John Falcetano for this interactive and informative workshop where participants will explore the basic roles, resources, and fundamentals necessary to facilitate and manage an effective ethics and compliance risk management program. Participants will engage in simulated exercises that touch on the challenges, planning considerations, and strategic solutions for implementing and leading impactful risk assessment processes. In addition, workshop participants will consider the outcomes derived from basic risk assessment findings and explore opportunities to use this valuable information to prioritize and build strategic plans for effective management and mitigation. To hear more, attend SCCE s Annual Compliance & Ethics Institute in Chicago! Visit www.complianceethicsinstitute.org for more information. GREG TRIGUBA, Senior Practice Leader, Ethics, Compliance and Risk, Affiliated Monitors, Inc. JOHN FALCETANO, Chief Audit & Compliance Officer, Vidant Health Compliance & Ethics Professional September 2014 +1 952 933 4977 or 888 277 4977 www.corporatecompliance.org 95