As stewards of shareholder interests, corporate directors are responsible for overseeing management's efforts to manage risks. But how far does that responsibility extend when it comes to "compliance" risk? And are there limits to director liability in regard to monitoring management's activities?
A refining ruling from the Delaware Supreme Court that addresses these questions has sparked much interest and discussion among the legal community that serves boards of directors. In November 2006, the court, in Stone v. Ritter, for the first time expressly upheld the Delaware Chancery Court's 1996 landmark Caremark decision on director liability and adopted the Caremark language. In so doing, Delaware's high court set new case law, offering additional clarity on oversight responsibilities for boards of directors. The ruling also generated a clearer picture of how directors can guard against liability.
Last year's case involved a lawsuit by shareholders of AmSouth Bancorp, a retail banking company. AmSouth shareholders claimed that the bank's directors had failed in their responsibility to oversee actions by certain bank employees and managers that resulted in $50 million in penalties for violations of the Bank Secrecy Act and various anti-money-laundering regulations. The penalties principally arose from the bank's failure to file Suspicious Activity Reports as legally required.
But the Delaware Supreme Court ruled that boards can't be held liable if they can demonstrate a "good faith" effort to oversee management's actions. Key to the court's ruling was the fact that AmSouth's board used an independent third party to assess management's oversight effectiveness. From the perspective of board directors, the decision underscores the need to pursue ongoing, independent risk assessments as a means of protecting the organization - and themselves.
While financial institutions and money laundering were at the center of this case, the liability standard established in this court decision crosses all industries.
Good Faith
In upholding Delaware's Court of Chancery dismissal of the shareholders' complaint, the state Supreme Court refuted the shareholders' claim that the board did not exercise any oversight. The court's ruling said that the AmSouth directors had sought a third-party review of the bank's compliance with the anti-money-laundering regulations, and, in doing so, exercised a "good-faith" effort of overseeing the conduct of employees and management.
The Supreme Court ruling also reaffirmed the Caremark decision that "articulates the necessary conditions for assessing director oversight liability." Those conditions set a very high standard for proving negligence.
The Chancery Court's Caremark ruling said that boards of directors that exercise reasonable oversight of a compliance program may be eligible for protection from personal liability in shareholder civil suits resulting from employee misconduct. The Caremark case pointed out that the compliance program should provide "timely, accurate information sufficient to allow management and the board, each within its scope, to reach informed judgments concerning both the corporation's compliance with laws and its business performance." It also delineated that a director's obligation "includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists."
In its ruling, the Delaware Supreme Court found that board liability would exist if "the director failed to implement any reporting or information system or controls," or, "having implemented such a system or controls, consciously failed to monitor or oversee its operation, thus disabling themselves from being informed of risks or problems requiring their attention." By including this second caveat, the court was saying that boards could not insulate themselves through "willful blindness."
Implications For Directors
In light of the Stone ruling, what do directors need to know about meeting this standard?
First, stay informed. Boards need to have a thorough understanding of the company's compliance program. Directors should ask questions to assess management's ability to identify relevant risks and determine how effective the compliance program is in addressing those risks. One way to keep directors informed is for board meetings to include presentations on all high-risk issues facing the company and how the compliance program is addressing these risks. All of the risks detailed and how the directors dealt with each item should be documented in board meeting minutes.
Although management has a critical role in assessing risks, as well as developing appropriate controls and compliance programs to address them, the board must make its own objective and independent assessment to determine that the company's compliance programs are effective.
To help the board fulfill this responsibility, directors will often have to seek the assistance of outside advisers to carry out an independent assessment of the institution's compliance programs. Such an assessment may be performed by reputable independent third parties that understand leading industry standards or "practices" for the particular area being reviewed. It is crucial, however, that once the assessment is performed, the board require detailed action plans by management to rectify deficiencies noted by the assessment in an efficient and sustainable manner and also require management to provide regular progress updates. Failure to follow through in this manner may create liability based upon the articulated standard contained in Stone.
Finally, directors - and management and shareholders - should understand that pursuing such an assessment and appropriate remediation will not only create evidentiary support documentation of board oversight, as it did in Stone , but also enhance the company's overall compliance program, providing greater protection to both company investors and board members alike.
Published August 1, 2007.