Chapter 4. Board of Directors and Management Responsibilities

• Author: Robert W. Tarun
• Pages: 1-32

CHAPTER 4

Board of Directors and

Management Responsibilities

I. BOARD OF DIRECTORS RESPONSIBILITIES

A board of directors has a duty of care to the company that requires it to be

informed of developments in the company’s business and of possible liabilities.

Certain categories of Securities and Exchange Commission (SEC) investigations

(including those raising issues of improper payments, false books and records, and

circumvention of internal controls) may require directors to inform themselves of

the underlying facts and risks. This is especially true where senior management is

alleged to have personally engaged in improper conduct.1 A responsible multina-

tional board of directors must today focus on anti-bribery risks, issues, policies,

and compliance.

II. IN RE CAREMARK, ITS PROGENY, AND DIRECTOR

CORPORATE GOVERNANCE RESPONSIBILITIES

In 1996 the Delaware Chancery Court in In re Caremark International Inc. Derivative

Litigation issued a landmark opinion holding that the failure of a board of directors

to ensure that its company has adequate corporate compliance information and

reporting systems in place could “render a director liable for losses caused by non-

compliance with the applicable standards.”2 The Caremark decision clearly struck

fear in directors as it warned that, in the wake of misconduct, they could be held

personally liable for corporate control system failures. Since this seminal corpo-

rate governance decision almost two decades ago, three other Delaware cases have

addressed fiduciary duties. In 2010 the Delaware Chancery Court addressed direc-

tors’ duties in an FCPA or foreign bribery allegation context in In re Dow Chemical

Company Derivative Litigation.3

A. In re Caremark

In holding that directors may be personally liable for failing to ensure that ade-

quate corporate compliance information and reporting systems are in place, the

1

tar89866_04_ch04_000-000.indd 1tar89866_04_ch04_000-000.indd 1 5/6/13 2:25 PM5/6/13 2:25 PM

2 CHAPTER 4

Delaware Chancery Court stated that elements of an adequate compliance pro-

gram include

1. the appointment of the company’s chief financial officer as “compliance

officer”;

2. a periodically updated code of business conduct for employees;

3. an ongoing ethics and compliance training program for employees;

4. an internal audit system designed to ensure compliance with ethics and

compliance policies; and

5. the formation of a board audit and ethics committee that is regularly advised

of the company’s “efforts to assure compliance with the law.”

Additional steps approved by the court included

1. establishment of a board committee to meet at least quarterly to monitor

compliance and to report to the full board on compliance issues;

2. appointment of compliance officers at each of the company’s business units

to report regularly to the board committee on compliance issues;

3. consideration by the full board of the impact of significant changes in appli-

cable legal and regulatory standards on the company’s business and compli-

ance responsibilities; and

4. modification of the company policies and procedures that led to the likeli-

hood of violations.

This guidance led many companies to adopt these measures.

In Caremark, Chancellor Allen discussed the need for companies to have adequate

corporate compliance programs in order to avoid potential liability for directors.

Commenting on the 1991 enactment of the Organization Sentencing guidelines,

he emphasized: “Any rational person attempting in good faith to meet an organiza-

tional governance responsibility would be bound to take into account this develop-

ment and the enhanced penalties and the opportunities for reduced sanctions that

it offers.”4 The court also noted that “[t]he Guidelines offer powerful incentives

for corporations today to have in place compliance programs to detect violations

of law, promptly to report violations to appropriate public officials when discov-

ered, and to take prompt, voluntary remedial efforts.”5 A company’s compliance

program should be “reasonably designed to provide to senior management and to

the board itself timely, accurate information sufficient to allow management and

the board, each within its scope, to reach informed judgments concerning both the

corporation’s compliance with the law and its business performance.”6

The Caremark decision concluded that “a director’s obligation includes a duty

to attempt in good faith to assure that a corporate information and reporting sys-

tem, which the board concludes is adequate, exists, and that the failure to do so

under some circumstances may, in theory at least, render a director liable for losses

caused by noncompliance with applicable legal standards.”7 More than seven years

later, two major Delaware cases would revisit Caremark and give directors comfort

that they would not simply be held liable whenever substantial losses occurred at

companies for which they had director oversight roles.

tar89866_04_ch04_000-000.indd 2tar89866_04_ch04_000-000.indd 2 5/6/13 2:25 PM5/6/13 2:25 PM

Board of Directors and Management Responsibilities 3

B. Stone v. Ritter Derivative Litigation

In 2006, the Delaware Chancery Court reviewed a derivative complaint against

present and former directors of AmSouth Bancorporation (AmSouth) arising

out of the failure of bank employees to file “suspicious activity reports” (SARs)

as required by the Bank Secrecy Act (BSA) and various anti-money laundering

(AML) regulations.8 Two years earlier, AmSouth and its subsidiary AmSouth

Bank had paid $40 million in fines and $10 million in civil penalties to resolve

related government and regulatory investigations. The government investi-

gations arose originally from an unlawful Ponzi scheme operated by a regis-

tered investment advisor and a licensed attorney who arranged for custodial

trust accounts to be created for “investors” in the construction of medical clin-

ics overseas. After convicting the registered representative on money launder-

ing charges, authorities examined AmSouth’s compliance with BSA reporting

obligations.

In 2005 AmSouth entered into a deferred prosecution agreement (DPA) with

the U.S. Department of Justice (DOJ). The supporting statement of facts asserted

that AmSouth failed to file SARs in a timely manner but it did not ascribe any

blame to the board or to any individual director. The Financial Crimes Enforce-

ment Network, a bureau of the U.S. Department of the Treasury known as FinCen,

determined that “AmSouth’s [AML compliance] program lacked adequate board

and management oversight,” which determination AmSouth neither admitted nor

denied.9

In upholding the lower court’s dismissal of a derivative complaint, the Delaware

Supreme Court cited the Caremark standard of care for assessing the liability of

directors where directors are unaware of employee misconduct that results in the

corporation being held liable:

Generally where a claim of directorial liability for corporate loss is

predicated upon ignorance of liability creating activities within the

corporation, as in Graham or in this case, . . . only a sustained or

systematic failure of the board to exercise oversight—such as an utter

failure to attempt to assure a reasonable information and reporting

system exists—will establish the lack of good faith that is a necessary

condition to liability.10

In connection with a Federal Reserve Bank cease-and-desist order, KPMG Foren-

sic Services was retained as an independent consultant to AmSouth, and it issued

a report that reflected that AmSouth’s board had dedicated considerable resources

to the BSA/AML compliance program and put into place numerous procedures

and systems to attempt to ensure compliance.

The plaintiff’s complaint expressly incorporated by reference the KPMG report,

repeating the assertion that the directors “never took the necessary steps to ensure

that a reasonable BSA compliance and reporting system existed.” The Delaware

Supreme Court rejected the pleading, finding that the KPMG report established

that the directors had in fact performed their fiduciary duty, and added:

tar89866_04_ch04_000-000.indd 3tar89866_04_ch04_000-000.indd 3 5/6/13 2:25 PM5/6/13 2:25 PM