with contributing authors Bonnie Green and David Wilson
By now, most public companies have given a senior employee the Chief Compliance Officer or some similar title, and vested in him or her responsibility for the company’s compliance and ethics programs. Not infrequently, the general counsel fills this role based on the premise that compliance is essentially a legal matter and, after all, the legal department is often the source of the recommendation to create such a position based on its awareness of the Federal Sentencing Guidelines, applicable laws and guidance from regulators who encourage companies to adopt rigorous compliance programs. In certain instances, the role of Chief Compliance Officer is mandated by statute and the appointment and compensation of that individual becomes the direct responsibility of the issuer’s board of directors.[1] Particularly in smaller companies or where resources are limited, practical considerations provide another rationale for combining these functions.
Other (usually larger) companies, many of which have a broad range of regulations with which they must comply, have separated the legal and compliance departments, in some instances appointing a non-lawyer to lead the compliance functions. In companies where these functions are separated, some have the CCO report to the general counsel, and others have him or her report elsewhere – sometimes to the CEO, COO or CFO and sometimes directly to the board or audit committee.
None of these different ways of staffing and positioning the CCO vis-à-vis the legal department is inherently right or wrong. The best arrangement is likely to depend upon the nature of the company’s business, the regulatory environment in which it operates, and the characteristics and capabilities of the individuals who occupy not only the GC and CCO positions, but other senior officer and board positions.
Both roles serve the organization’s need to comply with the law, but they have different functions in that regard. The lawyer has an ethical duty to provide advice on how to comply with the law and must represent his client’s interests zealously. The lawyer provides legal advice on, among other things, defining and establishing appropriate company standards in the context of attaining its business objectives. Meanwhile, the traditionally defined CCO role serves a management function primarily focused on devising, implementing and overseeing organizational processes to meet those standards. Her job is to educate the board of directors, senior management and other employees and prevent and root out misconduct, whether legal, ethical or otherwise. The CCO needs skills in the fields of employee training, human resources, and perhaps oversight of internal controls and investigations. In the case of an organization where the role has been expanded to include additional responsibilities, such as public disclosure oversight, the CCO must also be well versed in federal securities laws, including SEC rules and regulations.
Irrespective of the breadth of the CCO’s role, it is critical he or she be provided unfettered access, or be empowered to present candid reports, to the board or the audit committee, in each case without undue influence from senior management. Moreover, the CCO must be an executive level officer in order to possess the autonomy necessary to effectively function in the role, since history teaches that some of the matters he or she will be called upon to review or enforce may involve the company’s senior management. In addition, if the CCO is not the GC, he or she should at least have the support of the GC, which may be more likely or stronger when the CCO is a member of the legal department. On the other hand, if senior management is implicated in the conduct under review, having the CCO be independent of the legal department may be preferable in instances where a close relationship exists between the GC or a member of the legal department and senior management.
To be sure, there are some advantages to lodging the compliance and legal responsibilities in the same person and, particularly in a small organization, it is not unreasonable to do so, provided that the company is able to find a single person with a skill set that is broad enough.[2] A combined GC-CCO may save money and promote efficiency, since many compliance issues have legal overtones and ramifications. A separate CCO position may be necessary, however, where the regulations applicable to the enterprise are vast and/or diverse, or where the business demands of the organization require the GC to delegate responsibilities to another individual, such as Regulation FD advice and compliance, corporate secretary duties or enterprise risk management. In addition, at least some of the GC’s compliance work may be protectable under the attorney-client privilege, although the general view of government agencies is that compliance is a business matter, not a legal function. When the CCO has both compliance and legal duties, she must be particularly sensitive to which hat she is wearing so as to provide the greatest likelihood of supporting a privilege claim for an internal review or investigation. When these functions are combined, a company must have a contingency plan for handling matters from which the GC is walled off. Regardless of whether the roles are separate or combined, a company should put into place procedures whereby the GC can be recused if the events at issue involve the conduct or advice of the GC, or the conduct of other senior officers with whom the GC may have longstanding or close relationships. Under those circumstances, the board, the audit committee or other members of senior management must have the authority to step in and retain outside counsel or other experts to handle a review.
Similar potential conflicts are posed by a structure in which the GC and CCO titles are held by different individuals, but the CCO reports to the GC. This arrangement may have the advantage of fostering close cooperation between the compliance and legal functions. It may make particularly good sense where a company is instituting a new or significantly revamped compliance program, or where a new CCO is reporting to a seasoned GC. Nonetheless, as in the scenario where a single person fills both roles, the CCO will need the ability to report to someone in senior management other than the GC if he or she deems it necessary. The CCO should also have the autonomy to initiate compliance investigations and to report to the board or audit committee on his or her own.
Finally, dividing these positions between two people and providing them with separate reporting lines provides the greatest degree of independence in the compliance function. The risk under this scenario is a lack of coordination between the legal and compliance functions. However, the CCO must coordinate with departments and divisions throughout the organization. His work requires cooperation with administration, human resources, finance, investor relations, accounting and other groups within the company. Ideally, the GC and CCO should develop a close working relationship to enhance the effectiveness of enterprise risk assessment and management, controls testing, the handling of whistleblower complaints, conducting investigations, and devising corrective actions to address violations.
Each company will fill the CCO role and devise reporting structures based on its own particular circumstances, including budgetary constraints, the experience of the personnel involved, the nature and geographic array of the business, the scope of the regulations that must be addressed by the issuer, and its enterprise risk assessments. Whatever structure a company chooses, it must be mindful of the risks that arrangement poses, and take appropriate steps to account for those risks.
[1] Under Rule 38a-1 of the Investment Company Act of 1940, as amended (the “1940 Act”), each registered investment company and business development company must (i) adopt policies and procedures reasonably designed to prevent violations of the federal securities laws and (ii) appoint a chief compliance officer responsible for administering the fund’s policies and procedures (A) whose designation and compensation must be approved by the fund’s board of directors, including a majority of the directors who are not interested persons of the fund and (B) who may be removed from his or her responsibilities by action of (and only with the approval of) the fund’s board of directors, including a majority of the directors who are not interested persons of the fund.
[2] Aside from the 1940 Act rules and regulations, neither the Sarbanes-Oxley law nor any other statute requires the establishment of a Chief Compliance Officer, or even the establishment of a compliance and ethics program. However, the combined effect of the Sarbanes-Oxley internal controls and certification requirements, the U.S. Sentencing Guidelines, other regulatory guidance, and the recognition that compliance is simply a good business practice have led most companies to take these steps. There is no “one-size-fits-all” element to this—the 2004 amendment to the Guidelines simply speaks of a program that is “reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct.” (§ 8B2.1). That section also states that one of the minimal requirements of such a program is that “[s]pecific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.”