I. Legal Requirements of the Board Regarding Compliance
A. Case Law
As to the specific role of ‘Best Practices’ in the area of general compliance and ethics, one can look to Delaware corporate law for guidance. The case of In Re Caremark International Inc. was the first case to hold that a Board’s obligation “includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.”
In the case of Stone v. Ritter, the Supreme Court of Delaware expanded on the Caremark decision by establishing two important principles. First, the Court held that the Caremark standard is the appropriate standard for director duties with respect to corporate compliance issues. Second, the Court found that there is no duty of good faith that forms a basis, independent of the duties of care and loyalty, for director liability. Rather, Stone v. Ritter holds that the question of director liability turns on whether there is a “sustained or systematic failure of the board to exercise oversight – such as an utter failure to attempt to assure a reasonable information and reporting system exists.”
According to Haynes and Boone in its publication, “Corporate Governance and the Role of the Board”, a director’s business decisions generally qualify for protection by the “business judgment rule.” Under the business judgment rule, courts presume that directors making business decisions acted on an informed basis, in good faith, and with the honest belief that the action taken was in the best interests of the corporation. In lawsuits brought against directors by shareholders, courts applying the business judgment rule will determine only whether the directors making the decision (i) were free from conflicts of interest, (ii) appropriately informed themselves before taking the action, and (iii) acted after due consideration of all relevant information that was reasonably available. Under the business judgment rule, the board’s action will not subject board members to liability if the action or decision of the directors can be attributed to any rational business purpose. Directors that meet the criteria of the business judgment rule do not have to worry about having their business decisions second-guessed by a court, even where their decisions result in corporate losses.
B. FCPA Guidance and US Sentencing Guidelines
A Board’s duty under the Foreign Corrupt Practices Act (FCPA) is well known. In the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) 2012 FCPA Guidance, under the Ten Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board. The first, in Hallmark No. 1, entitled “Commitment from Senior Management and a Clearly Articulated Policy Against Corruption”, states “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources”, which discusses that the Chief Compliance Officer (CCO) should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The DOJ’s Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment?
From the Delaware cases, a Board must not only have a corporate compliance program in place but actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. The specific obligations set out regarding the FCPA carry these general legal obligations down to the specific level of the statute.
II. Prudent Discharge of Compliance Obligations
What are the obligations of a Board member regarding the FCPA? Are the obligations of the Compliance Committee under the FCPA at odds with a director’s “prudent discharge of duties to shareholders”? Do the words prudent discharge even appear anywhere in the FCPA? In a webinar entitled “Reporting to the Board on Your Compliance Program: New Guidance and Good Practices”, Rebecca Walker and Jeffery Kaplan explored these and other issues.
As to the specific role of ‘Best Practices’ in the area of general compliance and ethics, Walker looked to Delaware corporate law for guidance. She cited to the case of Stone v. Ritter for the proposition that “a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate exists.” From the case of In re Walt Disney Company Derivative Litigation, she drew the principle that directors should follow the best practices in the area of ethics and compliance.
According to Haynes and Boone in its publication, “Corporate Governance and the Role of the Board”, a board’s role is not to actually manage the company, but instead to oversee and monitor the management of the company. In the realm of compliance, this means the Chief Compliance Officer. The board has the responsibility to fulfill the role of strategic and business advisor to management of the company. In addition, the board has the role of monitoring the performance of the compliance function, including monitoring its performance using customary economic metrics, and by overseeing compliance with applicable laws and regulations. While the board is not responsible for auditing or ferreting out compliance problems, it is responsible for determining that the company has an appropriate system of internal controls. The board should also monitor company policies and practices that address compliance and matters affecting the public perception and reputation of the company. Every company should ensure that it conducts appropriate compliance training for employees and conducts regular compliance assessments. Finally, the board must take appropriate action if and when it becomes aware of a material problem that it believes management is not properly handling.
There is no reference to prudent discharge in the FCPA itself. However, a Board member might well think more than twice about the prudent discharge of duties to the shareholders as both the DOJ and SEC now might well wish to look into a Board’s prudent discharge of duties under the FCPA.