
Compliance Officers' Personal Liability for Compliance Violations

Richard P. Kusserow | February 2024
  • 17 Actions Compliance Officers can take to protect against personal liability
  • DOJ has been holding Compliance Officers personally liable for wrongdoing
  • Court ruling increases executive and compliance officer oversight accountability

Over the last few years, Compliance Officers have increasingly faced potential personal liability for corporate wrongdoing and regulatory violations. Any evidence found by the DOJ that the Compliance Officer was complicit in, aware of, or neglectful in addressing identified wrongful activity may create potential personal liability in an enforcement action. Most cases to date against Compliance Officers have involved publicly traded companies, with enforcement actions involving the SEC. However, there are also cases in the healthcare sector where actions of this type have taken place.

It is important to appreciate how this trend has been developing. The Caremark case in Delaware made clear that boards have an obligation to exercise reasonable care in overseeing their organization’s compliance efforts and responding when signs of potential violations are found. Recently, in In re McDonald’s Corp. Stockholder Derivative Litigation, the Delaware Court of Chancery extended liability to corporate officers, including compliance officers, for ignoring “red flags” within their “areas of responsibility.” The court noted that an officer’s duties include the obligation to report upward credible information that the company may be violating the law and to make “good faith” efforts to establish information systems to effectuate this reporting.

This ruling significantly raises the level of potential exposure for executives, especially the CEO and Compliance Officer, when it comes to ensuring the organization operates in a compliant manner. Failure to meet these standards means they may be subject to criminal or civil actions, especially if they were directly involved in the activity that resulted in the enforcement action.

As a result of this decision, executives, including Compliance Officers, are more likely to be named in cases where they failed to report “sufficiently prominent” “red flags” of potential misconduct, regardless of whether it falls within the officers’ specific areas of responsibility.

The following are tips and suggestions for Compliance Officers to manage personal exposure to enforcement actions:

  1. Alert the CEO, executive leadership, and board of the implications of the In re McDonald’s Corp. ruling, stressing the importance of evidencing support for the compliance program.
  2. Determine if your Directors and Officers (D&O) insurance protection against regulatory investigations and proceedings includes the Compliance Officer and, if not, ask to be added to the list.
  3. Ensure Compliance Officer duties and oversight responsibilities have been clearly defined in the position description and compliance charters.
  4. Ensure the Compliance Officer does not assume operational responsibilities beyond the compliance program.
  5. Conduct a review and periodically update compliance-related policies to ensure they are easily accessible and understandable for employees and address compliance risks.
  6. Ensure program managers are monitoring areas of high risk within their purview of responsibility, reporting weaknesses identified, taking timely corrective actions, and reporting results.
  7. Ensure active and ongoing compliance auditing in high-risk areas, including verifying that program managers are meeting their monitoring responsibilities and that corrective action measures taken effectively address identified compliance risks.
  8. Develop and implement policies for reporting overpayments and disclosing potential violations of law/regulation to outside enforcement authorities.
  9. Verify that reporting systems are functioning effectively with tracking logs to properly address potential regulatory and legal wrongdoing.
  10. Implement an appropriate reporting structure and response protocol to address any “red flags” of non-compliance with laws and regulations.
  11. Provide executive leadership and the board with regular reports on managing compliance complaints and allegations, and have that evidenced in meeting minutes.
  12. Verify that compliance investigations function effectively and follow standardized procedures, using well-trained investigators, and that the process and results are well documented.
  13. Verify that substantiated allegations result in appropriate, consistent discipline and corrective actions.
  14. Ensure that any procedural or operational weaknesses identified result in appropriate and timely corrective actions.
  15. Verify that compliance training is delivered to all levels of the organization with evidence that it effectively delivers the key compliance messages.
  16. Ensure specialized training is delivered to program managers and those involved in high-risk areas.
  17. Have an independent evaluation of the compliance program effectiveness that documents and evidences the progress of the program to date, opportunities for improvement, and steps to take to improve and enhance program effectiveness.


About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 2,000 health care organizations and entities in developing, implementing and assessing compliance programs.
