The New DOJ Compliance Guidelines and the Board’s Caremark Duties

Michael W. Peregrine is a partner at McDermott Will & Emery LLP. This post is based on his McDermott Will & Emery memorandum. This post is part of the Delaware law series.

Much has been written of late about the significance of the Department of Justice’s new “Evaluation of Corporate Compliance Plan Programs” [1] guidance (“New Guidance”) and its likely impact on the “nuts and bolts” of compliance program design and operation. But the Guidance may have more far-reaching implications to the extent that it serves to revitalize the authority and engagement of the governing board’s “Caremark” compliance oversight function. For at its core, the New Guidance is a strong reminder of the critical role that corporate governance plays in assuring a compliant corporate culture.

The New Guidance

The New Guidance is the latest effort by the Department of Justice to provide clarity and direction on the government’s perspective for measuring compliance program effectiveness. Released on April 30, it updates a prior version issued by the Criminal Division’s Fraud Section in February 2017. It discusses in detail topics the Criminal Division has frequently found relevant in evaluating corporate compliance programs, and organizes the detail around three main questions that prosecutors raise when evaluating such programs: 1) whether the program is well-designed; 2) whether the program has been applied earnestly and in good faith (in other words, effectively implemented); and 3) whether the program actually works in practice. [2]

Notably, it is ten (10) pages longer than the 2017 version, with many of the revisions providing additional transparency on how the Department of Justice expects prosecutors to analyze a company’s compliance program, while also harmonizing the guidance with other Department guidance and standards. [3] In this way, the New Guidance stresses the adequacy, rather than the simple existence, of a corporation’s compliance program.

Caremark Background

Delaware law has since 1996 been interpreted as obligating corporate directors to take affirmative steps to implement internal corporate compliance measures, most typically within the larger context of an enterprise risk management activity. Specifically, “[A] director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.” [4] The level of detail that is appropriate for such an information system is a matter of the board’s business judgment.

This is the so-called Caremark standard, and it has historically been applied to establish a very high burden for plaintiffs to satisfy in bringing breach of duty claims; e.g., “only a sustained or systematic failure of the Board to exercise oversight—such as an utter failure to attempt to ensure a reasonable information and reporting system exists”. [5] However, Caremark neither enumerated a specific methodology for establishing such a system, nor did it address how boards should address compliance-related warning signs.

Caremark is often read together with the provisions of the Federal Sentencing Guidelines (“FSG”) [6] that set forth seven elements of an effective compliance plan (to be considered in connection with the appropriate penalties and probation terms for the organization if it is convicted and sentenced for a criminal offense). Indeed, the FSG builds upon Caremark by making clear the board’s related responsibility (i.e., “…shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program”).

Over the years numerous industry sector publications and “best practices” statements have attempted to fill the methodology void with suggested elements of an effective compliance program. The Department of Justice has been particularly active in this area, not only with its “Principles of Federal Prosecution of Business Organizations” in the Justice Manual, but also with its February, 2017 and now April 30 versions of the Guidance.

At the same time, practitioners and scholars alike have recognized that the mere existence of a compliance program—even one that tracks the basic FSG effectiveness elements—may not be sufficient to satisfy judicial and regulatory expectations of director oversight of legal compliance. [7] It is in this context that the New Guidance is particularly relevant to governing boards (and their audit & compliance committees).

The Fiduciary Relevance of the Guidance

The traditional Caremark-consistent approach for updating the organizational compliance program rests with senior management; i.e., the chief legal officer and the chief compliance officer teaming to propose recommendations, based on their analysis, first to the audit & compliance committee and ultimately to the full board. However, several elements of the New Guidance merit more pro-active committee/board involvement in any such update:

A Material Change in Format. The change in format from the 2017 to the 2019 version of the Guidance serves to provide substantially more information from which a meaningful upgrade of the compliance program and other compliance related policies can be made. This is achieved by the shift from the ‘principal questions to ask’ format of the 2017 document’s structure, to a discussion of how these principal questions can be applied to elicit information demonstrating whether the compliance program is, indeed, effective.

The Guidance topics and questions are neither a checklist nor a formula. Yet, the change in format, and the additional detail provided on application of the principal questions, project a sense of greater DOJ attention on compliance effectiveness, which the board may wish to consider in evaluating what constitutes “reasonable” oversight.

Specific References to Board’s Role. The New Guidance contains several specific references to the role of the governing board, which should be brought to the board’s attention and understanding (i.e., if DOJ is establishing certain expectations about the board’s oversight role, the board should be so advised).

From a broad perspective, questions in the New Guidance as to whether employees are “convinced” of the corporation’s commitment to compliance would seem to impact the Board’s overall oversight duties. More to that point, the New Guidance specifically incorporates the FSG references (see above) to the board being “knowledgeable” about, and exercising reasonable oversight of, the company’s compliance and ethics program.

The New Guidance also factors in matters of board composition (whether compliance expertise is available on the board of directors); compliance related information flow to the board relating to areas of identified misconduct; the autonomy of the compliance officer (e.g., direct access to the full board or its audit committee), and the frequency and format of meetings between compliance/control functions and the board/its audit committee. Other factors relating to the authority and stature of the compliance officer are consistent with traditional corporate responsibility principles relating to board oversight of the office of general counsel.

Also included is the FSG reference to the establishment of an “information and reporting system…reasonably designed to provide management and the directors with timely information…” on legal compliance matters (which of course is part of the Caremark standard). This relates to the ability of the board to make prompt, informed decisions on compliance concerns.

Important New Perspectives. The New Guidance also sets forth several new DOJ perspectives and evaluation themes of such significance that the board, in its oversight, may wish to be made aware of them. These include the significant emphasis on corporate risk assessment (especially with respect to high-risk areas); the ongoing vitality of compliance policies and procedures; the scope of employee compliance training; and the continuing value attributed to well-functioning whistleblower programs.

The New Guidance’s emphasis on effective and transparent internal discipline is relevant to the board’s oversight of the activities of senior management. The board, through its executive compensation committee, may also be called upon to consider the use of executive financial incentives and rewards that apply compliance goals. The value of applying risk based diligence to third party contracting may be of relevance to board committees that monitor vendor relationships. Board committees formed to monitor and negotiate transactions may be interested in the New Guidance’s focus on comprehensive due diligence of acquisition targets.

These three (above) factors are particularly important to the exercise of the board’s Caremark obligations, because they relate to matters on which board oversight can be particularly responsive: the magnitude of the changes in the New Guidance; specific references to expectations of board conduct; and areas of particular compliance program emphasis.

Why the Board Should Care

The board and its audit committee must be able to rely on management to advise it on whether specific changes are required to the compliance program based on the New Guidance. Yet an assertive Board effort to understand the substantive changes contained in the New Guidance will better position the board to evaluate changes, if any, recommended as necessary to assure an “effective” compliance program. In addition, it will better position governance to exercise the appropriate compliance-based “tone at the top” very clearly referenced by both the New Guidance, and the FSG.

And the value of the New Guidance goes beyond matters of government investigation and prosecutorial evaluation. To be sure, the Delaware courts have given no recent indication of a willingness to abandon the high bar they have established to prove a Caremark violation (“sustained or systemic failure of the board to exercise oversight”). Yet as a prominent observer has noted, there is an increasing risk that litigation grounded in potentially egregious fact patterns, and allegations of material shareholder or consumer harm, may face more uncertain resolution, especially in jurisdictions outside of Delaware. [8] This, as prominently demonstrated in a derivative action arising from the Wells Fargo sales program controversy. [9]

A reasonable response to this risk would be to enhance the substance of corporate legal compliance programs, consistent with the themes presented in the New Guidance. A board-directed effort to compare the company’s existing compliance program against the New Guidance, and to enhance directors’ ability to recognize compliance “red flags”, may be perceived as a reasonable exercise of business judgment because it would be informed by current regulatory developments. This, as opposed to a willingness to rely on a more minimally structured program.

Indeed, the mere existence of a compliance program—even one structured consistent with the FSG elements—may be insufficient to (a) convince federal prosecutors that the company’s program is effective; and (b) defend against allegations of breach of Caremark obligations in a legal environment 23 years removed from the Delaware court’s initial decision. [10]

Calls for greater corporate resources to be allocated to compliance may not be well received by some executives, who feel that the compliance function has received substantial attention and support over the years. The board may wish to respond forcefully to such opposition, given its ultimate responsibility for assuring the effectiveness of the program and DOJ’s preference for a well-supported and constantly upgraded program.

As noted above, the Caremark court simply required that the board assure the existence of some form of compliance program; it provided no direction of what steps might constitute such assurance. [11] By emphasizing the adequacy, as opposed to the simple existence of a corporation’s compliance plan, the New Guidance contributes significantly to the board’s interpretation of Caremark in the current compliance-focused business environment. It also confirms the critical role of the board in assuring a culture of compliance within the organization, and the important role the board can play in supervising the risk and compliance focus of senior executives.


Endnotes

[1] U.S. Department of Justice Criminal Division, Evaluation of Corporate Compliance Programs.

[2] Criminal Division Announces Publication of Guidance on Evaluating Corporate Compliance Programs.

[3] Id.

[4] In re Caremark International, Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996).

[5] Id.

[6] United States Sentencing Commission Guidelines Manual, Chapter 8, Sec. 8B2.1 (Effective Compliance and Ethics Program).

[7] Donald C. Langevoort (Georgetown University), Caremark and Compliance: A Twenty Year Lookback, Harvard Law School Forum on Corporate Governance and Financial Regulation, March 29, 2018.

[8] Martin Lipton, Risk Management and the Board of Directors, Harvard Law School Forum on Corporate Governance and Financial Regulation, September 5, 2018.

[9] In re Wells Fargo & Company Shareholder Derivative Litigation, No. 16-cv-05541-JST (N.D. Cal. Oct. 4, 2017); see also Brad S. Karp, Analysis of Wells Fargo Shareholder Litigation, Harvard Law School Forum on Corporate Governance and Financial Regulation, December 15, 2017.

[10] See, e.g., Langevoort, supra endnote 7.

[11] Id.
