At Large: How chief compliance officers became today’s ‘super executives’

The DOJ released the first version of its Evaluation of Corporate Compliance Programs in 2017. That document (with its 2019 and 2020 updates) completed the chief compliance officer’s amazing transformation from part-time generalist to today’s highly specialized “super executive.” How did it happen, and why?

A bit of background. The U.S. Sentencing Commission arguably created the modern compliance function with the 1991 release of the Organizational Guidelines. The DOJ’s Evaluation of Corporate Compliance Programs paid homage to the Organizational Guidelines. But the DOJ’s document “personalized” compliance in the new way that started after 9/11, and it elevated the CCO to a special level within the C-suite.

Here’s what I mean.

The Organizational Guidelines famously set out the elements of an “effective compliance program.” One of those elements required companies to place responsibility for the compliance function on “high-level personnel of the organization.” The U.S. Sentencing Commission defined high-level personnel as “individuals who have substantial control over the organization or who have a substantial role in the making of policy within the organization.” They could be “a director; an executive officer; an individual in charge of a major business or functional unit of the organization, such as sales, administration, or finance; and an individual with a substantial ownership interest.”

Responsibility for the compliance function was left vague. It could fall somewhat randomly among any of several layers of governance and management, from a board member to anyone already in management. In other words, the compliance function, as the Organizational Guidelines conceived it, was a part-time role added onto someone’s existing full-time job.

Change came after September 11, 2001. In the decade after 9/11, the federal government came to see graft as a national and global threat. Attorney General Eric Holder said in 2012, “[A]s we’ve learned, corruption often is a ‘gateway crime’ — one that allows money laundering, gang violence, terrorism and other crimes to thrive.”

Holder’s words were an early signal that combating corruption had become too important to be left with random “high-level corporate personnel.” Instead, companies would be expected to place more responsibility (and accountability) on specific individuals. In 2014, SEC Chair Mary Jo White picked up that theme. She talked about corporate gatekeepers — “auditors, lawyers, and others who have professional obligations to spot and prevent potential misconduct.”

SEC enforcement chief Andrew Ceresney went further. He put the spotlight on compliance officers. In 2015, he said the SEC would make some corporate charging decisions after asking:

• Are compliance personnel included in critical meetings?
• Are their views typically sought and followed?
• Do compliance officers report to the CEO and have significant visibility with the board?
• Is the compliance department viewed as an important partner in the business and not simply as a support function or a cost center?
• Is compliance given the personnel and resources necessary to fully cover the entity’s needs?

The SEC also began charging compliance officers themselves, including CCOs who “exhibited a wholesale failure to carry out his or her responsibilities.”

Then the DOJ released its Evaluation of Corporate Compliance Programs. That document (originally just eight pages in 2017, but now 20 pages after updates in 2019 and 2020) isn’t law. It’s internal guidance for DOJ prosecutors, but made public. Very likely, few board members will ever take the time to read it. But every lawyer and risk-management professional advising the board of a global company will read it, study it, and craft advice based on it. So the influence of the Evaluation of Corporate Compliance Programs is now everywhere.

What does the DOJ want to know? Questions from the Evaluation of Corporate Compliance Programs include:

• How does the compliance function compare with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers?
• What has been the turnover rate for compliance and relevant control function personnel? What role has compliance played in the company’s strategic and operational decisions?
• How has the company responded to specific instances where compliance raised concerns?
• Have there been transactions or deals that were stopped, modified, or further scrutinized as a result of compliance concerns?

Beyond that, the DOJ said in the document that prosecutors should also ask whether compliance personnel are well qualified, adequately funded, autonomous from the rest of management, and directly reporting to and informing the board? And, do compliance officers have access to enough internal data “to allow for timely and effective monitoring and/or testing of policies, controls, and transactions?”

The DOJ has conferred a special status on the compliance function and compliance personnel by asking those questions (and giving companies credit for the “right” answers). That special status — and above all, being autonomous from the rest of management — has completed the transformation of CCOs into today’s “super executives.”