Is the Compliance Function an “Essential Critical Infrastructure” for COVID-19 purposes? (Answer: Yes, Absolutely)
This article is written in the midst of the COVID-19 pandemic and is meant to be fully respectful of the hundreds of thousands of positive cases and the incredibly sad losses suffered by families, loved ones and individuals across the globe. My thoughts and prayers are with these families and loved ones.
This article considers how Essential Critical Infrastructures must be preserved, not only to address the immediate threat of further loss of life and to enable critical functions to continue operating, but also to protect the longer-term viability, health, welfare and economic recovery of individuals as humans, as employees and as members of a corporate body, including its board of directors.
Is Compliance an “Essential Critical Infrastructure”?
I read an excellent LinkedIn posting yesterday by Mr. Richard L. Cassin, Founder & Editor-at-Large of the FCPA Blog (Foreign Corrupt Practices Act), which asked the question whether “Compliance is Muscle or Fat” (in the context of COVID-19).
It’s a timely and absolutely appropriate question, as companies across the globe face unprecedented pressure to triage their human, infrastructure, supply chain, cost and liquidity priorities, pressure intensified exponentially by the ravaging COVID-19 pandemic. (See the April 2, 2020 FCPA Blog post, “At Large: Is the Compliance Department Muscle or Fat?”) https://fcpablog.com/2020/04/02/at-large-is-the-compliance-department-muscle-or-fat/
Mr Cassin’s answer, and mine, is that Compliance is muscle.
A sidebar for corporate boards of directors: Compliance can help protect board members from personal liability, given the greater oversight and accountability expectations of the Board of Directors. See, for example, the Delaware Supreme Court opinion on Board of Director oversight (Marchand v Barnhill, June 2019).
I believe Compliance is muscle and is therefore essential for a corporate body to sustain itself effectively.
This is not because I have been a Chief Compliance Officer for many years, but more importantly because Compliance can arguably be viewed as an “Essential Critical Infrastructure” as defined in the U.S. Department of Homeland Security Cybersecurity & Infrastructure Security Agency’s (“CISA”) March 28, 2020 memorandum, “Guidance on the Essential Critical Infrastructure Workforce” (Version 2.0). See “CISA Memo” link:
The CISA Memo lists and illustrates sixteen (16) essential activities, businesses and operations whose continued operation ensures the “continuity of functions critical to public health and safety, as well as economic and national security.” See CISA List, below.
Companies Operate as a Corporate Body, Similar to the Human Body
Companies, in particular large, complex corporations, are living corporate bodies with multiple moving parts (divisions, subsidiaries, functions), which require effective and sustainable “immune systems” in the form of controls such as: 1) policies; 2) training for awareness; 3) an effective mechanism to report wrongdoing anonymously; 4) a methodology to assess, prioritize and manage external and internal risks; 5) a means to monitor and report to the Board on the effectiveness of operating compliantly; 6) a program to enforce consequences and prevent recidivist wrongdoing; and 7) most importantly, a senior-level Chief Compliance Officer with adequate authority and stature to oversee an Effective Compliance Program on a day-to-day basis.
These are common elements across multiple enterprise-wide compliance expectations, including: 1) the US Sentencing Commission’s Organizational Sentencing Guidelines and the US Department of Justice’s guidance on evaluating corporate compliance programs; 2) the US Foreign Corrupt Practices Act; 3) the Wolfsberg Group principles covering multiple types of financial crime; 4) regulatory enforcement actions over the misconduct of retail and wholesale sales and other staff; 5) accounting and control guidance, including that of the Committee of Sponsoring Organizations of the Treadway Commission (COSO); and 6) bank regulatory guidance on compliance, including that of the US Federal Reserve Board of Governors and the international Basel Committee on Banking Supervision.
In view of the above, Compliance is not fat but essential muscle. It operates and coordinates the heart, soul, vital organs and glands, and circulatory system of the corporate body, and in doing so: 1) enables, nourishes and protects the corporate body so that it remains strong; 2) provides controls which, like antibodies and white blood cells, combat external threats and internal misconduct; and 3) like red blood cells, carries essential oxygen (knowledge) to critical parts of the corporate body so that they function knowingly, properly and effectively.
In effect, Compliance is the heart, soul and conscience of the corporate body, which must not become “immuno-compromised” against fraud, cybercrime, conflicts of interest, bribery and corruption (especially along critical supply chains), money laundering and illegal wire transfers to unknown beneficial owners and enemy states, or against the simpler temptation to sell products at the expense of clients, customers and taxpayers.
This is especially true now, when triage is shifting focus away from these fundamental controls.
Cutting Fat versus Muscle
Chief Financial Officers (CFOs) and Chief Executive Officers (CEOs) rightly must operate today in triage mode, deciding which expenses and investments can or cannot be cut in order to remain liquid and viable and to continue meeting customers’ needs. But these CFOs and CEOs must also not forget the longer-term viability and sustainability of our healthcare, energy and financial services infrastructures, especially since these infrastructures are systemically important and, as the COVID-19 pandemic has shown, are not mutually exclusive industries.
Indeed, Corporate Boards of Directors, who oversee and govern a company’s executive decisions, should be very thoughtful about management’s actions, particularly now that boards are operating remotely and in a socially distant manner via Zoom or other video and audio media, since it is the individual directors who are accountable, and liable, for their actions or inactions during this time of crisis management. This applies equally to corporations or corporate bodies in each of the sixteen CISA-listed activities, businesses and operations.
Why isn’t Compliance explicitly listed as an “essential function critical to public health and safety, as well as economic and national security”?
In effect, Compliance already is. Although not explicitly mentioned or listed as an “essential function”, the role of Compliance is transversal across these sixteen businesses, activities and operations, and therefore is absolutely essential.
Why so? Because a close reading of the CISA Memo shows that each of the sixteen listed activities, businesses and operations is heavily regulated, requiring close supervision by management, quality control mechanisms and, for some industries such as financial services, three lines of defense and controls, including an independent compliance function and a Chief Compliance Officer with the stature and authority to independently measure, monitor and report on how effectively the revenue-generating businesses comply.
Most if not all of the sixteen CISA activities, businesses and operations are also inherently vulnerable, across sectors, to risks such as bribery and corruption, vendor risk, cybercrime, external and insider fraud, money laundering, and wire transfers to enemy states or designated individuals.
Furthermore, each must have an effective system of internal accounting controls and a broader system of effective internal controls, pursuant to multiple laws and international principles including the US Foreign Corrupt Practices Act, the UK Bribery Act and comparable laws and regulations, as well as financial safety and soundness laws and criminal prosecution guidelines that set minimum compliance elements.
Enterprise Compliance Risk Management is indeed, an Essential and Critical Function
Like the human body, the corporate body requires its many moving parts to operate efficiently and effectively so that: 1) its controls are synchronized to self-regulate its “body temperature”; 2) it can define, measure, absorb and digest its risks appropriately (so that it does not excessively exceed its risk “appetite”); and 3) it behaves, that is, conducts itself, in ways that promote appropriate values and principles and that do not break the law, create conflicts of interest, or abuse others in its society or ecosystem, including customers and taxpayers.
Corporate bodies must also operate compliantly within an ecosystem, meeting not only the letter but also the spirit of laws and regulations, whether in financial services, energy, healthcare or other industries, in a global yet incredibly shrinking world. This is because of the embedded, complex, structural and other critical interdependencies that exist today.
These interdependencies and many moving parts must operate so that the “right hand” and “left hand”, as well as the heart, brain, soul (or ethical conscience) and muscle of the corporate body, are not immuno-compromised. These controls must remain healthy and compliant if they are to continue assuring public health and safety, as well as economic and national security. Environmental, occupational safety and hazard laws and regulations are also ones that companies and their employees must, especially today, follow.
The Essential Role of the Board and Chief Compliance Officer
As noted earlier, in Marchand v Barnhill (June 2019) the Delaware Supreme Court considered Blue Bell, the ice cream manufacturer, which had for years suffered food safety problems and alleged compliance weaknesses. The case reached the Court on a motion to dismiss, and the Court held that the complaint adequately alleged not only that the CEO and other senior management had breached their fiduciary duties by knowingly disregarding contamination and food safety risks, but also that Blue Bell’s directors could not be absent from, or disregard, the fundamental matters of the corporation. While the Caremark standard for director oversight liability remains demanding, the Court made clear that the expectation of directors is high: absence or disregard of fundamental duties creates a risk of significant liability, and an “utter failure to attempt to assure a reasonable information and reporting system exists” is an act of bad faith in breach of the duty of loyalty.
The Chief Compliance Officer is essential and critical to oversee the enterprise-wide activities and risks of the corporate body to inform the Board of Directors, independently, whether Management including its revenue generating businesses, the CFO, and the CEO are fulfilling their compliance responsibilities.
The CCO must also inform the Board that employees’ reports of integrity or compliance issues are escalated, investigated, measured, benchmarked, analyzed and reported in a way that allows the Board to understand the company’s risks easily and comprehensively.
Otherwise, not only will the company be exposed to civil and possibly criminal violations and enforcement actions, but its Board of Directors will also be exposed to personal liability and potential criminal prosecution.
By remaining calm, confident, credible and clear in articulation, and especially by being courageous enough to escalate integrity, budget, technology and other compliance, conduct and control concerns, the Chief Compliance Officer will enable the company to remain healthy and its Board of Directors to govern the Company’s management effectively.
Accordingly, considering the CISA Memo’s list of essential functions critical to public health and safety and to economic and national security, it is fundamentally important that CEOs, CFOs and Board members recognize that Compliance is essential and critical, and therefore that it is not appropriate to cut the muscle of Compliance to the point of compromising the corporate body’s immune system against wrongdoing and misconduct.
*Eric Young is Founder and CEO of Young Enterprises LLC, and a former regulator and Chief Compliance Officer with many years leading enterprise compliance programs, including with the Federal Reserve, JP Morgan Chase, General Electric, S&P Global Ratings, and four international banks including UBS and BNP Paribas. This article is an excerpt of his upcoming Book, tentatively entitled, “Please be Socially Distant from the Chief Compliance Officer – Coronaviral Lessons Learned for Accountable and Liable Boards of Directors”. I would like to thank those with whom I’ve discussed the framework of this Book, which is the basis of this article.