First compliance officer of US company sent to prison
To the casual news observer, it may seem as if corporate executives have traded in their Rolex wristwatches for stainless-steel handcuffs. The parade of top-tier corporate leaders who are departing in the wake of scandal continues to grow in ever-increasing numbers.
Many of these executives are obscure players, but some have achieved legendary, one-name status usually observed for rock stars (Lay and Skilling, for instance). And new players continue to be added to the list.
Recently, UnitedHealth Group executives and directors, along with those at more than 100 other companies, have been dealing with whiffs of a stock-option backdating scandal. Some executives have stepped down; the resignations of others are being demanded. Several top executives at Broadcom were recently indicted in California on similar charges.
Most of these scandals involve corporate finances, but then along comes Hewlett-Packard with a plot straight from Mission Impossible. Unfortunately for those at HP, they replaced the famous self-destructing tapes with all-too-incriminating e-mails.
Certainly there are thousands of hard-working, honest executives who take their positions seriously, treat employees fairly and act in the best interest of the company and its stockholders. But just as bad apples can spoil the barrel, those with questionable ethics cause the hot spotlight to fall on others. And in their wake, many are wondering whether the risks of guiding a corporation outweigh the benefits.
For compliance officers, having your name mentioned in the same breath as corporate scandal can be the death of a career. Meanwhile, the blending of corporate and personal reputation and liability is making the industry very nervous. That anxiety was only heightened when word came of the first compliance officer sentenced to jail time for his role in a company fraud.
The company, AbTox, was a manufacturer of medical sterilizers for ophthalmic equipment. As a maker of medical devices, AbTox was required to obtain FDA approval on its products. But in an old-fashioned bait-and-switch scheme, the company sold a more expensive, non-approved product in place of the approved version. But side effects allegedly caused numerous patients to lose their sight.
The CEO and compliance officer were found to have engaged in reputed and blatant fraud to the tune of more than $17 million. In June, Judge Ruben Castillo of the US District Court for the Northern District of Illinois and co-chairman of the US Sentencing Commission levied stiff fines and criminal sentences on both. The CEO received ten years, while the compliance officer got six years.
Keeping awake at night
It’s a disturbing development for in-house compliance officers, but one that compliance case-watchers feel might be over-reaching. The compliance officer involved was an individual with a sales background, no compliance training and little understanding of the industry.
‘This isn’t a case of a compliance officer going to jail for being a bad compliance officer,’ says Jeffrey Kaplan, an attorney with Kaplan & Walker and a frequent lecturer on compliance issues. ‘He was involved in the actual criminal events. That’s a big distinction.’
But the fear of increasing liability for the inappropriate or unethical conduct of corporations still leaves many compliance officers sleep-deprived – and those fears may be well-founded. ‘Legal liability under US law is far greater than often understood,’ says Kaplan. ‘It casts a very wide net, so it doesn’t take much to be found culpable for colleagues, or even third parties who work for the company.’
He points to the current situation at HP, where the company’s woes are partially due to actions taken by an independent agent. ‘If you are aware of wrongdoing and in any way assist or seem to encourage it, it takes very little to meet those standards.’
Executives often get inundated with information and e-mails during the course of a day, and it’s easy to overlook or forget small details. But the small details are frequently offered as evidence of wrongdoing.
And the higher paid the executive, the harsher the critics. Faced with an executive earning millions, jurors may have difficulty accepting ignorance as a defense.
Lawyers not gatekeepers
Creating an effective compliance program is the first line of defense. Effectively operating the program is the next important step. Corporations can put themselves in risky situations simply by structuring the compliance program ineffectively. One common mistake is assigning corporate compliance responsibilities to the legal counsel’s office.
Because of the regulatory origin of compliance, executives assume that the duties are legal in nature. But the two functions are often at odds. The compliance officer should play a much different role, says Roy Snell, CEO of the Society for Corporate Compliance and Ethics (SCCE). ‘The compliance officer is the conscience of the organization defending the stakeholders,’ he explains. ‘Their job is to interpret the gray areas when contemplating corporate decisions.’
Snell says the distinction is easy to see in HP’s situation. Even if legal opinion stated that the leak investigation wasn’t breaking the law, a good compliance officer would have been ‘coming out of his shoes’ at the investigation tactics.
Job separation is key
Asking general counsel to play multiple roles – corporate secretary, compliance officer, human resources investigator – puts them in an untenable position of meeting different standards, and the risks rise accordingly.
‘The job of in-house lawyers is to provide straight, uncut legal advice to the corporation,’ explains Todd Jones, an attorney in the Minneapolis office of Robins, Kaplan, Miller & Ciresi. ‘But the compliance officer has additional duties to examine the effects of the corporation’s actions. Combining the two can dilute the effectiveness.’
The correct structure for a compliance program is critical. It needs to have some ‘teeth,’ Jones says. ‘Government regulators are really hammering people who just do paper compliance. You can’t get away with a compliance strategy that sits on the shelf gathering dust.’
Jones chaired an advisory group for the US Sentencing Commission on corporate criminal sentencing. One of their concerns was what exactly created an effective compliance program. Delineated duties were a clear part of the answer. Granted, not every company has the resources for an independent compliance division. It’s important to analyze the company’s available resources, industry risk and potential exposure when assigning compliance duties.
‘If you are a small-cap private company with 500 employees, you may not need a stand-alone compliance department.’ Jones says. ‘But a Fortune 500 company, pharmaceutical company or any other heavily regulated business should certainly consider creating a separate division.’
Asking the right question
A compliance officer needs keen observational skills to keep corporate compliance on the straight and narrow. Stay ahead of risks by modifying the company’s compliance methods as needed. For example, regularly adding new training methods or alerting management to new laws or regulations can greatly assist in keeping missteps from occurring.
But having someone to act as the corporate conscience is only as good as the ability of that individual to raise concerns. When red flags are waving and no one is listening, the compliance officer needs to act.
Ideally, the compliance officer should have direct access to the CEO or an active board of directors who are plugged into the compliance practices of the company. Wading through layers of corporate bureaucracy only bogs down the process and waters down the effectiveness. ‘When you discover something amiss, it’s crucial to take immediate steps to relay the information and to start fixing what’s wrong,’ says Jones. ‘In these cases, ignorance is not bliss.’
When it comes to ferreting out problems, it doesn’t always take a sixth sense. Sometimes the warning signs are clear. In a recent memo to his company executives, Warren Buffet succinctly summed up what should be a clear emergency bell. ‘The five most dangerous words are everybody else is doing it,’ he wrote.
‘We call it the EDI – everybody does it – reasoning,’ says Kaplan. ‘It’s probably the most universal excuse. If you look at a lot of the recent scandals involving insurance, stock or mutual funds, you’ll find that people legitimated their actions on the EDI excuse.’
Snell suggests a simple test to determine what’s out of line: ‘How would it look on the front page of the papers?’ he asks. That straightforward question could have saved many an executive from a very public chastising.
Some worry about voicing concern too soon, but a review of history doesn’t really warrant those fears. As Snell points out, ‘How many companies have been damaged by false internal accusations? Then look at how many have been damaged by warnings that weren’t heeded.’
Snell recently asked a Department of Justice agent for advice to offer compliance officers. ‘He said if you have a clear track record of making an effort to do the right thing and there’s no personal gain involved, it’s unlikely the compliance officer would be targeted,’ Snell says.
Judge Castillo explained that a main consideration when he sentenced AbTox vice president Robert Riley to jail was the fact that he ‘completely failed to ask the right questions of his CEO.’ Simply getting on record that you have brought forward potential problems to the CEO or board may keep a compliance officer out of prison.
But in compliance, as in life, there are no guarantees. Developing a strong compliance program and reacting quickly to any violation is a compliance officer’s simplest and best way to avoid problems – and get a good night’s rest.