A Chief Compliance Officer considers the DOJ's new CCO Certification Requirement

DOJ’s CCO Certification Requirement: raising the stakes for CCO liability

Last year, the U.S. DOJ introduced a new CCO Certification Requirement, placing even greater liability at the feet of senior compliance officers. Does the new rule empower, or just add more weight to CCO shoulders?

13 January 2023 6 mins read
By Jennie Clarke

It’s not easy being a Chief Compliance Officer (CCO). There are few roles where, if something goes wrong, your legacy could be plastered over regulatory websites and the wider media. Even where the wrongdoing wasn’t the fault of the CCO – as is so often the case – eyes will turn to where the buck should have stopped.

In remarks made at NYU Law’s Program on Corporate Compliance and Enforcement in March 2022, Assistant Attorney General Kenneth Polite Jr., said:

“I have been fortunate in my career to have served as a prosecutor, as a defense attorney, and to work as a chief compliance officer of a Fortune 500 company… Perhaps the most challenging of the three roles has been serving in compliance.”

This level of pressure and scrutiny cannot be understated, and is perhaps the reason why the industry finds it hard to recruit a good compliance team. The stakes are high and it’s not always seen as the most scintillating role (of course, those of us who work within compliance know this is entirely untrue).

Despite this, regulators across the globe are set on introducing increased accountability measures for compliance officers, with one such example being the U.S. Department of Justice’s (DOJ)’s CCO Certification Requirement, which requires organizations that are subject to enforcement action to have the CCO sign a certification of compliance as part of a settlement agreement. With the CCO Certification Requirement, the stakes just got higher.

What is the CCO Certification Requirement?

The CCO Certification Requirement was first introduced in Kenneth Polite Jr.’s March 2022 speech and essentially places a burden on CCOs and Chief Executive Officers (CEOs) to certify the capability of a company’s compliance program when looking to resolve enforcement action. Within his speech, Polite Jr. said:

“In order to further empower Chief Compliance Officers, for all of our corporate resolutions, I have asked my team to consider requiring both the Chief Executive Officer and the Chief Compliance Officer to certify at the end of the term of the agreement that the company’s compliance program is reasonably designed and implemented to detect and prevent violations of the law.”

In instances where a company is required to provide annual self-reports, this certification requirement would endure so that “the CEO and CCO will also have to certify that all compliance reports submitted during the term of the resolution are true, accurate, and complete.”

Under current DOJ expectations, CEOs and Chief Financial Officers (CFO) must certify that the company disclosed allegations and evidence of new misconduct at the end of a resolution agreement. The new CCO Certification Requirement adds another layer of certification, which holds the compliance team to account, too.

In response to the Assistant Attorney General’s speech, questions were asked about whether this new CCO Certification Requirement would indeed “empower”, or whether it would further add to the already weighty burden of individual accountability faced by CCOs.

Regardless of industry criticism, the CCO Certification Requirement was introduced within a global resolution and plea agreement with Glencore, which was pursued by U.K., U.S., and Brazilian enforcement authorities for foreign bribery and market manipulation schemes. Within Glencore’s plea agreement, “Attachment H” appeared – this was the compliance certification AAG Polite had alluded to.

Attachment H, as it was labelled, required Glencore’s CCO and CEO to sign a certification that the company’s anti-corruption program was now “reasonably designed to detect and prevent violations of the Foreign Corrupt Practices Act and other applicable anti-corruption laws through the company’s operations”. As well as appointing the CCO and CEO as signatories, an independent compliance monitor was also appointed. Naturally, that independent monitor was not to be held to the same level of accountability as the C-suite members.

And so, while we are yet to see “Attachment H” in other enforcements to date, it would appear that a new CCO Certification Requirement is now in force – at least, it is for foreign corrupt practices.

What does it mean for CCOs?

In the same NYU Law speech that is referenced above, the Assistant Attorney General was keen to set out that he understood the challenges of being a compliance officer, noting:

“I know the resource challenges. The challenges you have accessing data. The relationship challenges. The silo-ing of your function. You are called upon to be a resource for information, an enforcer of law and policy, and somehow the primary architect of your company’s ethical culture.”

Many have argued, however, that the new CCO Certification Requirement runs in contravention of the idea that the DOJ understands CCO challenges. Instead, it has introduced a new requirement which could serve to see CCOs face criminal liability in the event that a false statement is made when signing the certification. That being said, it is unlikely that a CCO would face such action unless they knowingly misrepresented the state of their firm’s compliance program. Regardless, the CCO Certification Requirement may serve as a barrier to hire-ability to the CCO role and, further, could see CCOs leaving their posts in instances where DOJ settlements look likely.

It is worth noting that, so far, the requirement has only been implemented with regard to foreign corrupt practices, though questions have been asked about how far the scope may extend. Moreover, the requirement will only apply to those that are facing enforcement action as it is only applicable to CCOs where it is in connection with a resolution.

The key takeaway for any CCO here is that the margin for error is reducing, with regulators and governments closing in. It isn’t only the DOJ that is looking at increased individual liability, the U.K.’s Law Commission and the New York City Bar have both issued similar proposals.

Where a CCO knows there are gaps in their compliance system, they should look to close them before regulators come knocking. That the CEO and CFO are also to be held to account should act as a key leverage when angling for senior leadership buy-in for new compliance tools and technology. Gaps in your compliance programs are no longer just a business issue, whether we like it or not. Proactivity will be key.

If you’re unsure whether your communication channels would withstand regulatory scrutiny, Global Relay can give you the assurance you need. With almost 25 years in compliant communications, we know what ‘good’ looks like, and we can help you get there.