Both the chief compliance officer (CCO) and the general counsel (GC) or chief legal officer perform crucial and related functions in ensuring that their organization complies with the law, but their roles in that regard differ. The lawyer has an ethical duty to provide advice on how to comply with the law and must represent his client’s interests zealously whether it is a public, private, or not-for-profit entity. There are still a fair number of companies where the GC also serves as the compliance officer and/or where the CCO reports to the GC. While this dual function is generally more prevalent in smaller companies, it is not uncommon in larger organizations.[1]

Is there a real distinction between the two roles? Can an individual serve effectively as both general counsel and compliance officer simultaneously? What safeguards, if any, are needed if one does serve in a dual role? And if the two positions can co-exist, how can they work together to help achieve the goals of the compliance program?

Both officers face challenges and tensions between the functions of the CCO and those of the GC. Both have some compliance responsibilities, but they each have distinctive roles that can result in potentially conflicting professional obligations. Various reporting models and relationships exist between the two, and some considerations and approaches can be used to ensure that appropriate checks and balances are in place. The discussion in this paper will refer to developments from various sectors.

The role of the CCO is a relatively new creation in the corporate world, especially compared with the GC, who has a long history of serving a company as its consigliere or chief legal advisor. The dual role held by a single individual appears to be less common in many organizations, including healthcare organizations[2]. The Office of Inspector General (OIG) compliance guidance and the U.S. Sentencing Guidelines for Organizations (the “Federal Sentencing Guidelines”) make clear the role of the CCO in operating the compliance program and reporting to the board. When the OIG Compliance Program Guidance (CPG) first came out in 1998, it became apparent that corporate management were of the view that a CCO should not be subordinate to a GC or a chief financial officer (CFO), because:

Free standing compliance functions help to ensure independent and objective legal reviews and financial analyses of the institute’s compliance efforts and activities. By separating the compliance function from the key management positions of general counsel or chief financial officer (where the size and structure of the corporation makes this a feasible option), a system of checks and balances is established to more effectively achieve the goals of the compliance program.[3]

This OIG point of view was followed in subsequent CPGs issued for the various corporate management and health care as well as pharmaceutical industry sectors. There was a reaffirmation in a 2005 Supplemental Guidance for Hospitals, where (in discussing the need to perform a regular review of the compliance program) the OIG noted, among other things, the following factor to consider:

Is the relationship between the compliance function and the general counsel function appropriate to achieve the purpose of each?[4]

The concern by the government with how the GC should oversee and interface with the compliance function was also made abundantly clear following a now infamous quote by U.S. Senator Charles Grassley in a letter to Tenet Healthcare Corporation:

Apparently, neither Tenet (nor its General Counsel) saw any conflict in her wearing two hats as Tenet’s General Counsel and Chief Compliance Officer…It doesn’t take a pig farmer from Iowa to smell the stench of conflict in that arrangement.[5]

This sharp delineation between the compliance and legal roles, however, is not universal. For instance, the American Bar Association Task Force on Corporate Responsibility (ABA Task Force) focused solely on the role of the chief legal officer in an organization’s corporate governance program and did not address the separate role and responsibilities of the compliance officer.[6]

In response to Enron and other corporate scandals, the ABA appointed the Task Force to “examine systemic issues relating to corporate responsibility arising out of the unexpected and traumatic bankruptcy of Enron and other Enron-like situations which have shaken confidence in the effectiveness of the governance and disclosure systems applicable to public companies in the United States.”[7] The work of the Task Force overlapped with Sarbanes-Oxley and was done with consideration of its provisions. The work thus addressed the importance of engaging internal and external counsel in corporate governance and legal compliance matters that were raised by Section 307 of Sarbanes-Oxley. As noted by the OIG and the American Health Lawyers Association (AHLA) in a joint publication, the ABA Task Force recommended that: “The general counsel of a public corporation should have primary responsibility for assuring the implementation of an effective legal compliance system under the oversight of the board of directors”.

So, on the one hand, the Federal Sentencing Guidelines, the OIG, and Senator Grassley state that the CCO has a distinct compliance role that should be separate and independent from the legal function, while on the other, as set forth in Sarbanes-Oxley and by the ABA, it is the GC who is responsible for “legal” compliance.

Can these different perspectives be reconciled?[8] Conceptual issues can be explored surrounding the role of a compliance program, its administration by the CCO, and the interface with the GC, along with the potential barriers and conflicts imposed by recent updates to the professional standards and duties of each respective position. To appreciate the organizational dynamics, it is helpful to first understand how the role of the compliance officer differs from that of the GC.

Definition of Compliance Role

A useful starting point is clarity on how an organization itself defines the role and scope of the compliance program, and thereby, the duties of the CCO who is tasked with the day-to-day operations of the program. In many respects, the position is unique and relatively new to the modern organization. Most people can articulate what a lawyer or auditor does for a living, but the average employee may have difficulty defining “compliance.”

Strictly speaking, both the compliance officer and GC have responsibility for the organization’s compliance with laws, regulations, and other applicable rules and standards. The divergence is how they function to achieve this objective and the corresponding impact on their respective professional duties.

The GC generally provides legal advice on how the organization can comply with applicable laws while attaining its business objectives.[9] It is this “legal advice” that is subject to licensure, regulation, and professional standards.

By contrast, the CCO role is a management function that incorporates legal considerations while influencing processes and practices of the organization.[10] One well-known commentator describes the distinction as follows:

Being general counsel and being CCO are very different things. A lawyer, ethically, has a duty to give sound legal advice and to represent the client’s interests “zealously.” The compliance officer’s mission is substantially different: it is to do whatever it takes to prevent and detect misconduct…While the lawyer may give legal advice, the compliance professional translates that advice into management action. While the lawyer must focus on what will result in success in legal battles, the compliance professional wants to prevent the very mistakes that result in legal battles…Given this description, it is clear the functions are complementary, but not the same. Compliance is a management, not a legal function.[11]

Another way to view the distinction is that legal assists in defining and establishing the appropriate company standards, while compliance supports in implementing and monitoring those processes that ensure the established standards are being met.

A compliance program can be viewed as a management tool relied upon by the Board to manage the operations of the company in a manner consistent with relevant rules and the organization’s own values and goals. Compliance relies heavily on legal expertise (and vice versa) but also involves management know-how in training, human resource matters, communications, auditing, and internal controls.

By creating and implementing the compliance program composed of the elements detailed in the Federal Sentencing Guidelines, the compliance officer is responsible for coordinating applicable policies and procedures, the code of conduct, employee training on ethics and compliance, oversight of internal reporting mechanisms (e.g., the helpline/hotline), coordinating compliance audits, investigations, and corrective action plans.

The compliance officer may also have an internal audit role. If resources are shared with the internal audit function, both the CCO and the chief audit executive (CAE) may report directly to the Board and deal with allegations of misconduct of very high senior officials. As observed by a noted authority, “the most powerful people in the corporation — CEO’s, CFO’s and even general counsels — may perpetrate the most dangerous business offenses…you cannot expect someone to ‘police up.’ In other words, you cannot expect a human being to tell a direct boss that she is wrong, when the boss is fully committed to a course of action (and ready to fire anyone who gets in the way).”[12]

As a result, the trend is for the CCO to be a senior level position with commensurate access to senior management and the Board, with sufficient budget and critical protections (e.g., termination of the compliance officer requires approval by the Board). Ultimately, the role of CCO involves more than just support for following the rules. Laws and standards have always existed, but given the volume of legal mandates and the regulatory incentives to comply, what has evolved is a distinct cross-disciplinary systems approach with considerable rigor in application, implementation, and management of a program. Apart from internal investigations and the addressing of misconduct, these compliance program processes are generally not within the purview of in-house counsel.

Moreover, the tendency to view compliance as another legal topic sometimes results in the underestimation of the management skills and organizational change required to effectuate a compliance program. This is often seen in the early stages of the program where there may be overemphasis on rule analysis and legalistic policy development.[13] Consider the advice to compliance professionals from a leading authority in Australia:

To reach its full potential, the profession’s value must stem not from its role as a valuable, but resented policeman, but to an indispensable aid to running good businesses well. It will require both education of the market — employers and regulators — and personal growth. For individuals, my advice is look at your personal skill bank. You should own the room. You should have courage of your conviction. You should have great communication skills — particularly active listening. You should be able to change language, tone, and pitch to suit the audience. You should be able to read people. These skills and attributes will differentiate you from those who just know the rules and how to apply them. Lastly, you really know the business — its drivers for cost, income and growth; its systems, processes, as well as culture. If you can say yes to all of these, you will inexorably move, if you have not already, from policeman to strategic ally.15

Only in recent history have organizations learned by trial-and-error to go beyond the advisory model of compliance as influenced by its legal heritage, to one that is about checks and balances, and of driving and influencing change on a wide spectrum of regulatory and ethical issues.

An effective compliance program enables objective sources of monitoring and advice through information, analyses, and recommendations that are free from undue influence and constraints. Having appropriate checks and balances in compliance reporting to ensure proper oversight is necessary regardless of who has formal responsibility for the program. The potential for disagreement between the compliance and corporate counsel is a real risk that an organization needs to address.

Reporting Model

The board committee overseeing the compliance function, and the entire board itself, should understand how these two roles interface as they both support the directors by ensuring that they receive accurate and candid advice. Ultimately “[i]t is the Board’s responsibility to reconcile these potentially conflicting views into a complementary set of responsibilities and reporting relationships.”[14]

Essentially there are three models for structuring the relationship between the compliance and legal functions in an organization:

The CCO and the GC are one and the same;

The CCO reports to the GC; and

The CCO does not report to and is independent from the GC.[15]

There are pros and cons for each reporting structure and each presents different considerations on how to manage compliance issues.

Dualist: One Person, Two Hats

The recently amended Federal Sentencing Guidelines provide more exacting requirements for the staffing of a compliance and ethics program, but they also recognize that small and mid-size organizations often do not have the resources to create an entirely new officer-level position to manage the program. The Federal Sentencing Guidelines recognize this practicality by offering an endorsement for utilizing existing officers rather than creating a new CCO position.[16] And when a new role is not created, often the compliance responsibility is assigned to the GC. The dualist role is not limited to smaller companies. As noted earlier, a fair percentage of surveyed organizations have a GC who has the additional role of CCO.[17]

The obvious advantage of the dualist is for a resource-strapped organization. Most compliance (and ethical) issues have legal ramifications and combining the positions can promote operational efficiency. Attorneys provide guidance on how laws impact business operations, and compliance personnel incorporate that advice into the ethical practices of the organization. Arguably, the compliance role is an inherently legal one. Additionally, the legal privileges and discovery protections readily apply and can be more easily managed when the CCO is also the GC. Further, there can be the advantage of authority and influence with the perception that, if the GC is involved, the matter must be significant.

Conversely, government regulators are concerned that the professional role of the GC can serve as a shield to limit government access to information. However, the government clearly takes the view that unification of the positions creates an untenable conflict of interest. I concur even though it is not universally accepted and others have commented that an individual can serve both roles, although care must be exercised to ensure that an individual “clearly differentiates his or her actions as general counsel from those as compliance officer.”[18] The difficulty here, as with other situations involving multiple hats, is that the degree of care applied to keep the roles distinct is dependent, to an extent, on the individual wearing the hats. Moreover, there is often the hurdle of finding the two complementary skill sets in a single person. The resolution recommended by the OIG to help ensure that the objectives of the compliance program (and not just the legal department) are met includes the following:

- Adopting a process where the GC may recuse himself or herself from a compliance investigation, as well as other alternative processes if the matter involves the conduct or judgment of the GC;

- Periodic board-initiated third-party audits or assessments of the compliance program; and

- Authorizing the Board and Audit Committee to retain outside counsel or other experts with respect to selected matters under Board-approved criteria.[19]

Another consideration to ensure a compliance system with appropriate checks and balances is to have substantial involvement by a management-level compliance committee.

In some organizations, compliance is functionally operated by committee — multiple individuals sharing a single hat — with the GC receiving support and coordination from managers, such as the chief financial officer, human resource leader, chief audit executive, and key business unit leaders.

But with small nonprofits whose legal department may consist of the GC as the sole in-house attorney, there may be no better alternative. For many smaller companies, it may make the most sense if the compliance officer is also the GC, because there is sufficient overlap in their roles.

Keep in mind that no matter what the tone is at the top, the risk remains that a particular individual in a dual role will have a limited perspective. In other words, when one is acting in the primary capacity as counsel for the organization, there may be an inherent bias to filter or censor (consciously or unconsciously) critical information that should be reported to the Board. An active compliance committee and the measures noted above can mitigate such risk while providing added credibility and buy-in support for compliance program activities.

Two Functions: Separate but Unequal

Where the CCO is a separate individual but reports to the GC, additional challenges emerge. Again, the OIG has expressed concern about compliance programs where the CCO is subordinate to the GC. Having one function report to the other can solve some checks-and-balances problems, and commentators point to the operational efficiencies attendant to such a structure, especially when the GC is senior to and more experienced than the CCO. Overall, the GC and the CCO must work closely together and a direct reporting relation can make operational sense. Additionally, the added resource enables the CCO to focus on compliance operational responsibilities, which can be a relief to an overburdened GC.

As with the dualist role, the downside of this reporting structure is that it can be overly dependent on the individuals in the two positions. CCOs who report to more seasoned and higher-level GCs can face undue pressure if they disagree with their bosses. The tension is obvious and more pronounced when one is not on equal footing and is dependent on another for their livelihood.

As observed previously, “the most powerful people in a corporation…may perpetrate the most dangerous business offenses…”[20] Structuring the compliance program in a way that makes the primary compliance monitor beholden to another superior in the C-suite can be a risky proposition, especially if it is a particular GC who has undeniable clout and when the CCO is viewed as ineffectual. The OIG has the following recommendations that can attenuate this risk:

- Provide alternative reporting mechanisms that formally provide the CCO direct reporting to another member of senior management as deemed necessary by the CCO;

- Establish procedures to have someone other than the GC authorize the CCO to conduct compliance investigations, including the right to hire outside counsel; and

- Require periodic direct reports from the CCO to the Board, balanced by the GC’s consultation, so that both may report to and advise the Board, consistent with their responsibilities.[21]

For a new compliance function, it may be appropriate for the compliance officer to initially be part of the legal department and administratively report to the GC. At this stage, the newly minted CCO can benefit from the experience, resources, influence, and exposure that the GC can provide to support the compliance program. With additional reporting considerations that provide a level of independence for the CCO, this subordinate structure may work very well for some organizations.

As an additional safeguard, the company can protect the compliance officer from an unusually powerful GC (or other senior executive), by requiring Board approval before a CCO can be terminated.[22] This is in line with protections afforded to CAEs who face similar challenges of maintaining independence and objectivity when dealing with the highest levels in the organization.

As the compliance function evolves and develops its own resources, an assessment of this initial reporting structure should be undertaken. Depending on the size and complexity of the organization, it may ultimately be advantageous for the compliance function to be wholly independent and separate from legal.[23]

Two Separate Complementary Functions

If an organization has sufficient resources to establish a comprehensive compliance program, this is the best scenario to avoid complicated conflicting professional obligations. The clear trend, especially in health care, is for the compliance officer to occupy a senior-level position with commensurate protections, budget, support, and access. If the CCO and GC are essentially given equal stature, there can be enhanced oversight by the Board, because it is more likely to receive balanced and unvarnished information.

When a compliance officer has such senior-appropriate protections, the likelihood is improved for the appropriate reporting up (or out) that may be more difficult for in-house counsel. It is ironic that the term “oversight” is a suitable double entendre in this situation, meaning either to oversee or to have overlooked or missed something important. A Board, in ensuring appropriate oversight, should assure itself that its CCO is able to provide objective information, analyses, and recommendations. Having a compliance officer who is independent from the GC provides the surest checks and balances in the compliance reporting process.

Considerations still need to be kept in mind when the CCO is independent from the GC. Even the role of the compliance officer needs to be counterbalanced against unchecked zeal in rooting out noncompliance and unethical conduct. Recommendations from the OIG[24] include the following:

- Have the GC involved in an advisory capacity in core compliance processes such as: 1) program risk assessments; 2) policies; 3) help-lines and investigations; 4) corrective action to address violations; and 5) reports on compliance processes;

- Include the GC in routine reviews of compliance matters being reported by the CCO — of course, excluding matters in which the GC is the subject of the report; and

- Require notice and consultation with the GC when the CCO has independent authority to retain outside counsel and consultants.

An effective CCO will be expected to have the experience and judgment to exercise authority and discretion in an appropriate fashion. A CCO will need to know when an issue needs the direct involvement of the GC and/or outside counsel, for instance, when the application of legal privileges needs careful consideration. Further, when handling compliance audits, help-line calls, and internal investigations, the CCO will undoubtedly need the full support and close coordination of the legal function.

Professional Conflicting Obligation

Relationship tensions are likely to arise in the handling of a potential legal violation. If a compliance officer has a reputation for integrity within the organization, employees may be more willing to raise and divulge sensitive issues to the compliance department. Company attorneys may not benefit from the same degree of openness, because they are typically viewed as representing the subjective interest of the board and not the objective view of the organization. The CCO is sometimes perceived as more of an ombudsman to the employee.

However, corporate counsel are well situated to become aware of instances involving “material violations,” because they are often involved in directing internal investigations (to preserve legal privileges) or providing advice on legal consequences. For publicly traded U.S. companies, attorneys who appear before the SEC (whether in-house or external counsel) are now required to escalate certain types of violations. Under Sarbanes Oxley § 307 and SEC Rule 205, material violations of law should be directed to the chief legal officer, who is then responsible for developing an appropriate response. This is the genesis of the duty of in-house counsel to report evidence of a material violation committed by a corporate officer “up the ladder.”[25] If the GC or CEO’s response is inappropriate, then the counsel must report the evidence to the board of directors.[26] Similarly, the ABA report provides recommendations for attorneys to report potential problems of legal non-compliance.[27]

Therefore, more explicitly than before, a major compliance function of the GC and the in-house attorneys is to bring issues of wrongdoing to the attention of appropriate authorities within the organization. Yet the new professional standards raise difficult questions about the extent to which counsel must disclose information and risk breaching the attorney-client privilege.

Conceivably, in-house counsel may find themselves at odds and in conflict with the company’s CCO. As noted, the CCO as ombudsman typically has sensitive information that may require him or her to report at the Board level without executive knowledge. Ideally, the CCO and GC should work closely and trust each other on complicated matters that require difficult judgment calls. But if there is an outright disagreement, it is useful to evaluate the dilemma in the context of the applicable professional obligations and standards of professional conduct. A licensed attorney may be disbarred, whereas the compliance officer lacks a similar professional and disciplinary body that could restrict his or her livelihood.[28]

Recently, however, the government has increasingly used another weapon against banks and other financial institutions, and their directors and officers — criminal charges for willfully failing to maintain an adequate compliance program as required by the BSA. While the government has used this statute against several financial institutions over the last ten years, it was the formation of the Bank Integrity Unit at the U.S. Department of Justice — announced by the Assistant Attorney General in charge of the Criminal Division, Lanny Breuer, in an October 2010 speech — that signaled the government’s new willingness to turn this powerful prosecutorial weapon on financial institutions themselves, especially those which have “abdicated their roles as responsible gatekeepers to the American banking system.”[29]

The mission of the Bank Integrity Unit has focused not only on financial institutions themselves, but also their directors and officers, to the extent that they ignored their obligations to implement and maintain BSA/AML compliance and allowed their institutions to be used for criminal purposes. A willful violation of this or any other requirement of the BSA could result in criminal penalties for the financial institution and its directors and officers, including enhanced penalties where the violation occurs in connection with another violation of law or as part of a pattern of illegal activity.[30] On May 4, 2017, Joon H. Kim, the acting United States Attorney for the Southern District of New York, and Jamal El-Hindi, the acting director of the Financial Crimes Enforcement Network, jointly announced that the Treasury Department settled its claims under the Bank Secrecy Act against Thomas E. Haider, the former chief compliance officer of MoneyGram International Inc. The DOJ and FinCEN said that, as part of the settlement, Haider “admitted, acknowledged, and accepted responsibility for” the following actions (detailed more fully in the press release):

“(1) failing to terminate specific MoneyGram outlets after being presented with information that strongly indicated the outlets were complicit in consumer fraud schemes, (2) failing to implement a policy for terminating outlets that presented a high risk of fraud, and (3) structuring MoneyGram’s AML [anti-money laundering] program such that information that MoneyGram’s Fraud Department had aggregated about outlets, including the number of reports of consumer fraud that particular outlets had accumulated over specific time periods, was not generally provided to the MoneyGram analysts who were responsible for filing SARs [suspicious activity reports].”[31]

In the settlement, Haider agreed to a $250,000 civil penalty and to a three-year injunction “barring him from performing a compliance function for any money transmitter.” The settlement was approved by District of Minnesota Judge David S. Doty, who, as we reported in our February 2016 newsletter under “Eye on the Courts — Recent Opinions and Rulings of Note,” ruled in early proceedings in the case of U.S. Department of Treasury v. Haider that, contrary to Haider’s argument, individuals can be held personally responsible for AML control failures under the Bank Secrecy Act, stating that “the plain language of the [Bank Secrecy Act] statute provides that a civil penalty may be imposed on corporate officers and employees like Haider.”[32]

The quotes from the DOJ and FinCEN in the press release reflect the high standards to which compliance officers are held by those agencies. Acting U.S. Attorney Kim said that “[c]ompliance officers perform an essential function, serving as the first line of defense in the fight against fraud and money laundering. Unfortunately, as today’s settlement shows, Thomas Haider violated his obligations as MoneyGram’s chief compliance officer. By failing to terminate MoneyGram outlets that presented a high risk for fraud and to take other actions clearly required of him, Haider allowed criminals to use MoneyGram to defraud innocent consumers. We are committed to working with FinCEN to enforce the requirements of the Bank Secrecy Act and to hold individuals like Haider accountable.”[33]

Added Acting Director of FinCEN Jamal El-Hindi, “FinCEN relies on compliance professionals from every corner of the financial industry. FinCEN and our law enforcement partners need their judgment and their skills to effectively fight money laundering, fraud, and terrorist financing. Compliance professionals occupy unique positions of trust in our financial system. When that trust is broken, it is important that we take action so that the reputations of thousands of talented compliance officers are not diminished by any one individual’s outlying egregious actions. Holding [Haider] personally accountable strengthens the compliance profession by demonstrating that behavior like this is not tolerated within the ranks of compliance professionals.”[34]

On March 24, 2017, the SEC announced a settlement with William Quigley, the former chief compliance officer of Long Island, New York-based Trident Partners Ltd. By way of background, Quigley had been indicted[35] by the DOJ in May 2015 for conspiracy to commit wire fraud and money laundering conspiracy in connection with a fraudulent investment scheme in which Quigley and his co-conspirator brothers would, among other things, tell overseas investors that their funds would be invested in blue chip companies/funds such as Dell and Berkshire Hathaway, when in reality the money was transferred to accounts in the Philippines for personal use. Quigley pleaded guilty to the charges in March 2016 and was sentenced in November 2016 to six months in jail (plus three years of supervised release and one year of home confinement) and forfeiture of almost $357,000.[36]

In its administrative order, the SEC said that Quigley served as chief compliance officer and AML officer of Trident for two periods of time between 2004 and 2014. While serving in this capacity, Quigley reportedly, among other things, “opened three brokerage accounts that he and his brothers used to misappropriate investor funds, including one account at Trident; kept Trident from learning about the account that was located there; funneled money from the accounts to his brothers; and even, on at least one occasion, gave his brother Michael Quigley an idea for a phony sales pitch to investors.” Moreover, the SEC said that when Quigley “became aware of investor concerns, he falsely claimed to have no knowledge of the relevant accounts or the subject of the investor’s complaints.”

The SEC said that Quigley’s actions were particularly egregious because he had certain obligations to Trident stemming from his role as the chief compliance officer:

“[a]s Director of Compliance, it was William Quigley’s obligation to report violations and suspected violations of the securities laws, rules and regulations. This included reporting a transaction if he knew or suspected that it involved funds derived from illegal activity, or was intended or conducted to hide or disguise funds derived from illegal activity or has no business or apparent lawful purpose. Despite this obligation and his knowledge of the relevant facts, William Quigley failed to report or file required reports regarding, inter alia, wire transfers of the stolen investor funds, his improper diversion and deposits of the commission checks, his inappropriate designation of an account as a house account, or the diversion of investors’ stolen funds through various accounts. … It was also William Quigley’s obligation to help ensure that all the books and records of Trident were accurate and not to engage in conduct that would render them inaccurate. Despite this obligation and his responsibilities as Director of Compliance, William Quigley failed to, among other things, preserve receipts and disbursements of cash and all other debits and credits in connection with his theft of firm checks, to keep proper records regarding the beneficial owners of accounts, and to preserve originals of all communications received and sent relating to the business of Trident.”[37]

The SEC ordered Quigley to pay disgorgement of approximately $357,000 (which payment was deemed satisfied by Quigley’s forfeiture payment in the parallel criminal case). Because Quigley had been sentenced to serve jail time in the parallel criminal case, the SEC waived any civil penalty but barred Quigley from all aspects of the securities business going forward.

If there is a disagreement between the CCO, GC, and/or management on a specific compliance matter, a conflict ensues due to differing reporting obligations, especially when the compliance officer feels compelled to “go public.” The imposition of reporting obligations on in-house counsel raises some challenging issues. Practical steps for the GC and CCO to resolve differences of opinion and to secure consensus need to be carefully considered, and this is a currently developing area of corporate governance and compliance.


The consequences that counsel or a CCO may face from their professional affiliation or licensing body, or fines and jail time for not reporting out or whistleblowing, can also be a career killer. As a practical matter, Sarbanes-Oxley can be viewed as creating a conflict between an attorney’s duty of confidentiality to the client and his or her own personal interest in avoiding discipline or indictment.[38] A variety of federal statutes provide protections against retaliation for private sector employees who make good faith reports of an employer’s conduct that violates criminal or civil laws. Most states also have some form of laws that protect employees from retaliation. And Section 806 of Sarbanes-Oxley provides protection for employees of publicly traded companies.

Whistleblower award programs established by the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) hit their strides in 2018. Less than a decade after its founding, the SEC program paid more than $168 million to individual whistleblowers — more than the total amount awarded in all other years combined. The CFTC program experienced significant growth as well, awarding whistleblowers a total of $75 million in 2018 — nearly seven times the roughly $11 million total the agency had doled out since the program’s inception in 2010.

Under both the SEC and CFTC programs, a whistleblower must have “independent knowledge” or have conducted an “independent analysis” to qualify for an award. This requirement has implications for compliance personnel, who frequently learn about — and have an opportunity to address — alleged wrongdoing in the performance of their duties. To promote robust internal compliance programs and avoid conflicts of interest, the SEC and CFTC whistleblower program rules deem certain individuals presumptively ineligible for awards.

One category includes attorneys who work for or represent the company, as well as non-attorneys who possess attorney-client privileged or confidential information. There is an exception where federal or state ethics rules, including SEC or CFTC rules, would permit the disclosures.

Another category includes individuals who play central roles in internal compliance programs. Specifically under the rules, the SEC will not consider information to be derived from independent knowledge or analysis where the individual obtained the information in the performance of his or her duties as:

- an officer, director, trustee or partner;

- an employee with compliance or audit responsibilities;

- part of a firm retained to conduct an investigation into possible legal violations; or

- part of a public accounting firm, if the individual obtained the information through the performance of an engagement required of an independent public accountant under the federal securities laws (in the case of the SEC program).

Individuals are also ineligible for awards where their information comes from individuals who would be ineligible for awards themselves.

These exclusions do not prohibit individuals from claiming “independent knowledge” where they learn the relevant information outside their compliance roles. Additionally, important exceptions apply that allow individuals with compliance responsibilities to be eligible for an award:

- where there is a reasonable basis to believe that disclosure to the SEC is necessary to prevent conduct likely to cause substantial injury to the financial interest or property of the entity or investors;

- where there is a reasonable basis to believe the entity is engaging in conduct that will impede an investigation of the misconduct (e.g., by masking illegal schemes or destroying evidence); or

- where 120 days have elapsed since the whistleblower: (a) provided the information to the audit committee, chief legal officer, chief compliance officer or the individual’s supervisor or (b) received the information, if the circumstances indicate that the entity’s audit committee, CLO, CCO or the individual’s supervisor was already aware of the information.

Despite these stringent requirements, there is precedent for audit and compliance professionals receiving whistleblower awards. In August 2014, the SEC announced a $300,000 award to an audit and compliance professional.[39] Eight months later, a compliance officer received an award of between $1.4 and $1.6 million from the SEC.[40]

Whistleblowers are instrumental in rooting out fraud left undetected by law enforcement. While blowing the whistle can put an individual’s career at risk, as stated earlier, the law provides rewards and protections for those who come forward with evidence of financial fraud. These rewards and protections are available to compliance personnel under the SEC and CFTC whistleblower programs. But the SEC and CFTC balance these incentives with requirements that compliance personnel also fulfill certain job duties. Nevertheless, given the rapid growth of these programs and the fact that compliance professionals are in unique positions to detect financial fraud, we can surely expect an increase in tips from such individuals in the future.


In difficult situations, a CCO’s perspective about a controversial transaction or event would obviously go unnoticed if that person was also serving as the GC who happened to agree with executive management. As company counsel, the GC is likely to be more focused on supporting the organization’s business objectives while staying within the bounds of the law, and less likely concerned with shaping the ethical practices of the organization.

Without an authoritative compliance officer there would be less effective and unconstrained monitoring. The potential for receiving prudent advice contrary to the determined business plans of management, as supported by a similarly inclined GC, declines. Certain unique business and professional responsibilities need a system of checks and balances that are more difficult to achieve by locating all responsibilities, perspectives, and knowledge within one person or even one function. We’re just now starting to see a rash of implicated GCs and other in-house attorneys in major allegations of misconduct (e.g., Medicaid fraud, backdating of stock options, the use of pretexting to obtain personal data, etc.).

Finally, dividing these positions between two people and providing them with separate reporting lines provides the greatest degree of independence in the compliance function. The risk under this scenario is a lack of coordination between the legal and compliance functions. However, the CCO must coordinate with departments and divisions throughout the organization. His work requires cooperation with administration, human resources, finance, investor relations, accounting and other groups within the company. Ideally, the GC and CCO should develop a close working relationship to enhance the effectiveness of enterprise risk assessment and management, controls testing, the handling of whistleblower complaints, conducting investigations, and devising corrective actions to address violations.

[1] See Corpedia and the Association of Corporate Counsel Compliance Program and Risk Assessment Survey of 2005, p. 10, where 61% of surveyed companies have a CCO with 48% of those having the dual role of general counsel; see also Corpedia and The Conference Board 2006 Compliance Program and Risk Assessment Benchmarking Survey, p. 10, where 38% of the CCOs were reported to also be the general counsel.

[2] See Health Care Compliance Association Eighth Annual Survey: 2006 Profile of Health Care Compliance Officers, pp. 17, 30, where 13% of CCOs are also the general counsel/attorney.

[3] See OIG Supplemental Compliance Program Guidance for Hospitals, Federal Register, Vol. 70, No. 19, Jan. 31, 2005, 4858, at 4874.

[4] See Id.

[5] See Grassley Investigates Tenet Healthcare’s Use of Federal Tax Dollars, Sept. 8, 2003, Press Release providing text of his letter to Tenet Healthcare Corporation.

[6] It didn’t help that Sarbanes-Oxley failed to formally acknowledge the role of compliance programs and professionals despite the long-standing existence of the U.S. Sentencing Guidelines for Organizations (see comments of attorney Joe Murphy in Tabuena, J., Meet Joseph Murphy, Compliance & Ethics, March 2006, pp. 28–29).

[7] See Cheek III, J.H., et al., Report of the American Bar Association, Task Force on Corporate Responsibility, 2003.

[8] See Id. at 32.

[9] See U.S. Department of Health and Human Services OIG and AHLA, An Integrated Approach to Corporate Compliance: A Resource for Health Care Organization Boards of Directors, July 1, 2004. The OIG/AHLA resource describes three models of the relationship between corporate counsel and the compliance officer, including steps to mitigate perceived negative consequences from combining the two roles.

[10] See Demetriou, A.J., et al., Compliance Roles for Counsel to Corporations, American Health Lawyers Association Topical Insight Series, July 2005, p. 13. Similar to the OIG/AHLA resource, supra note 9, this publication provides discussion on the relationship of in-house counsel to compliance officers.

[11] See Id.

[12] See Quote of Joseph Murphy from Tabuena, J., Compliance & Ethics, supra note 6 at 28.

[13] This is not to denigrate the legal professional, because the compliance function needs access to good attorneys and their advice. However, the skills required for an effective lawyer do not necessarily translate into those required for a competent compliance officer.

[14] See Tabuena, J., Meet Mike Lotzof, Compliance & Ethics, June 2006. Mr. Lotzof is formerly the Chief Executive Officer of the Australasian Compliance Institute, which has established an accreditation program with three levels of certification for compliance professionals.

[15] See Supra, note 9 at 6.

[16] See Supra, note 10 at 12.

[17] See Federal Sentencing Guidelines, 8B2.1, Application Note 2(c)(iii), providing that using available personnel rather than employing a separate staff or organization to carry out compliance and ethics activities is an acceptable alternative for the small organization.

[18] See Federal Sentencing Guidelines, 8B2.1, Application Note 2(c)(iii), providing that using available personnel rather than employing a separate staff or organization to carry out compliance and ethics activities is an acceptable alternative for the small organization.

[19] See comments of respected healthcare attorney Gary Eiland in Snell, R., Gary Eiland Discusses the Relationship of Compliance with Other Departments, Journal of Health Care Compliance, July-August 2004, at 38. Mr. Eiland opines that the OIG is more concerned with whether such duality would limit access to information and documents if an investigation were to ensue.

[20] See note 9, supra, An Integrated Approach to Corporate Compliance: A Resource for Health Care Organization Boards of Directors at 8.

[21] See Id.

[22] See note 20, supra. Mr. Eiland observes that often the general counsel is the more senior and experienced of the two officers but nevertheless, “the compliance officer should have dual reporting lines in order to report directly to the chief executive officer and board compliance committee, as appropriate”.

[23] See Supra, note 6 at 28.

[24] See Note 1, supra, An Integrated Approach to Corporate Compliance: A Resource for Health Care Organization Boards of Directors at 8.

[25] See Murphy, J., Questions to Ask About an In-House and Ethics Job Offer, ethikos and Corporate Conduct Quarterly, November/December 2004, at 9.

[26] 17 C.F.R. § 205.2(i), 2003 (17 C.F.R. Part 205 contains the rules promulgated by the SEC in response to Section 307 of the Sarbanes-Oxley Act).

[27] For a detailed analysis of the impact of the Sarbanes-Oxley standards of professional conduct on in-house attorneys, see Noordhash, K., Sarbanes-Oxley Act and In-House Counsel: Suggestions for Viable Compliance, Georgetown Journal of Legal Ethics, Summer 2005.

[28] See ABA Model Rules of Professional Conduct, Rule 1.13. While the focus of the ABA Task Force was on public companies, many of its recommendations as well as the amendments to Model Rule 1.13, apply to non-profit and privately-held corporations.


[30] See 31 U.S.C. § 5322.

[34] See Id.

[37] See Id.

[38] The traditional rule did not impose sanctions, as Sarbanes-Oxley now does, on an attorney who chose not to report up the ladder, so long as nothing was done to further or abet the illegal conduct.

[40] See Id.



Independent researcher, Anti- Illicit Financial Flows / Anti-Corruption Strategist, Private Prosecutor, Host of GOAL16 podcast, Founding Dir.

GuyChristian Agbor, PhD
