A corporate director’s duty of good faith has evolved over time to include an obligation to attempt in good faith to assure that an adequate corporate information and reporting system exists.
In Caremark (a 1996 decision by the Delaware Court of Chancery – a trial court), the court held that a director’s failure to do so, in certain circumstances, may give rise to individual director liability for breach of fiduciary duty.
Search for the term “FCPA” and “Caremark” and you will find enough reading material to last the rest of the day. However, much of the analysis is thin and more importantly often fails to mention Stone v. Ritter (a more important 2006 decision by the Delaware Supreme Court). Whereas Caremark answered the “could” question, Stone answers the “when” question and the “when” question (when can directors face individual liability for internal control failures) is not nearly the boogeyman that many FCPA commentators make it out to be.
This post provides a detailed discussion of Stone and highlights how a common FCPA enforcement theory (particularly of the SEC) that because legal violations allegedly occurred the company therefore, with the benefit of hindsight, had insufficient internal controls is seemingly inconsistent with holding of the Delaware Supreme Court in Stone.
The post also discusses a recent Second Circuit decision which further elaborates on the difference between Caremark and Stone and how Stone – and not Caremark – is the relevant prevailing standard for director oversight claims. The Second Circuit decision is further instructive in that it rejects “hindsight driven” enforcement theories that are typically common in corporate FCPA enforcement actions.
In Stone v. Ritter , the Delaware Supreme Court provided the following necessary conditions for director oversight liability under the so-called Caremark standard: (i) a director utterly failed to implement any reporting or information system or controls; or (ii) having implemented such systems or controls, a director failed to monitor or oversee the corporation’s operations.
The court held that both situations require a showing that a director knew that they were not discharging their fiduciary obligations and courts have widely recognize that a director’s good faith exercise of oversight responsibility may not necessarily prevent employees from violating criminal laws or from causing the corporation to incur significant financial liability or both.
What is interesting about Stone were the following facts as articulated by the court regarding the company at issue.
“In 2004, AmSouth and Amsouth Bank paid $40 million in fines and $10 million in civil penalties to resolve government and regulatory investigations pertaining principally to the failure by bank employees to file “Suspicious Activity Reports” (“SARs”), as required by the federal Bank Secrecy Act (“BSA”) and various anti-money-laundering (“AML”) regulations.”
The authorities examined AmSouth’s compliance with its reporting and other obligations under the BSA. On November 17, 2003, the USAO advised AmSouth that it was the subject of a criminal investigation. On October 12, 2004, AmSouth and the USAO entered into a Deferred Prosecution Agreement (“DPA”) in which AmSouth agreed: first, to the filing by USAO of a one-count Information in the United States District Court for the Southern District of Mississippi, charging AmSouth with failing to file SARs; and second, to pay a $40 million fine. In conjunction with the DPA, the USAO issued a “Statement of Facts,” which noted that although in 2000 “at least one” AmSouth employee suspected that Hamric [a customer of the bank] was involved in a possibly illegal scheme, AmSouth failed to file SARs in a timely manner. In neither the Statement of Facts nor anywhere else did the USAO ascribe any blame to the Board or to any individual director.
On October 12, 2004, the Federal Reserve and the Alabama Banking Department concurrently issued a Cease and Desist Order against AmSouth, requiring it, for the first time, to improve its BSA/AML program. That Cease and Desist Order required AmSouth to (among other things) engage an independent consultant “to conduct a comprehensive review of the Bank’s AML Compliance program and make recommendations, as appropriate, for new policies and procedures to be implemented by the Bank.” KPMG Forensic Services (“KPMG”) performed the role of independent consultant and issued its report on December 10, 2004 (the “KPMG Report”). Also on October 12, 2004, FinCEN and the Federal Reserve jointly assessed a $10 million civil penalty against AmSouth for operating an inadequate anti-money-laundering program and for failing to file SARs. In connection with that assessment, FinCEN issued a written Assessment of Civil Money Penalty (the “Assessment”), which included detailed “determinations” regarding AmSouth’s BSA compliance procedures. FinCEN found that “AmSouth violated the suspicious activity reporting requirements of the Bank Secrecy Act,” and that “[s]ince April 24, 2002, AmSouth has been in violation of the anti-money-laundering program requirements of the Bank Secrecy Act.” Among FinCEN’s specific determinations were its conclusions that “AmSouth’s [AML compliance] program lacked adequate board and management oversight,” and that “reporting to management for the purposes of monitoring and oversight of compliance activities was materially deficient.” AmSouth neither admitted nor denied FinCEN’s determinations in this or any other forum.”
Notwithstanding the above, the Delaware Supreme Court concluded that the directors did not breach their fiduciary duties because a reporting system existed. In the words of the Court:
“The KPMG Report reflects that AmSouth’s Board dedicated considerable resources to the BSA/AML compliance program and put into place numerous procedures and systems to attempt to ensure compliance.”
“The KPMG Report describes the numerous AmSouth employees, departments and committees established by the Board to oversee AmSouth’s compliance with the BSA and to report violations to management and the Board.”
The KPMG Report reflects that the directors not only discharged their oversight responsibility to establish an information and reporting system, but also proved that the system was designed to permit the directors to periodically monitor AmSouth’s compliance with BSA and AML regulations.”
In the words of the Court:
“With the benefit of hindsight, the plaintiffs’ complaint seeks to equate a bad outcome with bad faith. The lacuna in the plaintiffs’ argument is a failure to recognize that the directors’ good faith exercise of oversight responsibility may not invariably prevent employees from violating criminal laws, or from causing the corporation to incur significant financial liability, or both, as occurred in Graham, Caremark and this very case. In the absence of red flags, good faith in the context of oversight must be measured by the directors’ actions “to assure a reasonable information and reporting system exists” and not by second-guessing after the occurrence of employee conduct that results in an unintended adverse outcome.”
The holding and logic of the Delaware Supreme Court in Stone seemingly conflicts with a common FCPA enforcement theory (particularly of the SEC) that because legal violations allegedly occurred the company therefore had insufficient internal controls.
Corporate FCPA enforcement actions are typically brought against otherwise well-respected and well-managed business organizations in which adverse outcomes are cast, with the benefit of hindsight, as internal controls violations even though the enforcement agencies otherwise pay lip service to the truism that no internal compliance system can always prevent employee breaches.
Moreover, the focus on “reasonableness” in the Stone holding is the standard of the FCPA’s internal controls provisions.
This  recent Second Circuit (involving JPMorgan and alleging breach of fiduciary duty by certain directors in connection with the Bernie Madoff fraud) further elaborates on the difference between Caremark and Stone and how Stone – and not Caremark – is the relevant prevailing standard for director oversight claims.
The Second Circuit decision is further instructive in that it rejects “hindsight driven” enforcement theories that are typically common in corporate FCPA enforcement actions.
The relevant excerpt from the Second Circuit decision is as follows (internal citations omitted).
“The District Court held that, because “[p]laintiffs’ claim for breach of fiduciary duty is a Caremark claim”—i.e., a claim based on the Board’s alleged “failure to monitor,” a theory of liability explored in the seminal case of In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996)—it “require[s] proof that . . . the directors utterly failed to implement any reporting or information system or controls . . . .” But plaintiffs claim only “that JPMorgan’s controls were . . . inadequate,” not that they did not exist. Therefore, the District Court reasoned, plaintiffs “cannot maintain a Caremark action.” Id.
Plaintiffs argue that the District Court erred in requiring them to plead that defendants “utterly failed to implement any reporting or information system or controls,” and that instead, they should have been required to plead only defendants’ “utter failure to attempt to assure a reasonable information and reporting system exist[ed].”
Plaintiffs’ argument, however, has a fundamental shortcoming—the standard that the District Court applied was taken verbatim from Stone v. Ritter, a Delaware Supreme Court decision that the District Court was obligated to follow. Further, this standard appears in the portion of Stone that the Delaware Supreme Court described as its “hold[ing].” And the standard’s plain language could not be any clearer—“any” simply does not mean “reasonable.”
To be sure, the language that plaintiffs contend the District Court should have used is taken from Caremark. But Caremark was decided by the Delaware Court of Chancery, a trial court from which appeals are generally taken as of right to the Delaware Supreme Court. Additionally, the Delaware Court of Chancery decided Caremark before the Delaware Supreme Court decided Stone.
What is more—and perhaps most damaging to plaintiffs’ argument—in setting out the standard to which plaintiffs here object, Stone was actually interpreting Caremark. The District Court was no less bound by Stone’s interpretation of Caremark than it would have been by Stone’s announcement of an entirely new standard.
Our conclusion is buttressed by two additional factors. First, it is not clear to us that, under the facts of this case, replacing the Stone standard with the language from Caremark would have made any difference in the disposition of plaintiffs’ action. Plaintiffs emphasize the word “reasonable,” but ignore the word “attempt.” It seems implausible that defendants could have “utter[ly] fail[ed] [even] to attempt to assure a reasonable information and reporting system exist[ed],” given that “JPMorgan designated an executive located in New York as the head of JPMorgan’s [anti-money laundering] program, which included individuals based in the United States and other countries responsible for filing suspicious activity reports in the relevant jurisdictions.”
Second, the notion that the District Court incorrectly interpreted Stone is severely undermined by a recent decision of the Delaware Court of Chancery—decided less than two weeks after defendants submitted their appellate brief—in which that court stated the following:
The Complaint does not allege a total lack of any reporting system at [the defendant company]; rather, the Plaintiffs allege the reporting system should have transmitted certain pieces of information . . . . In other words, [the defendant] had a system for reporting risk to the Board, but in the Plaintiffs’ view it should have been a better system.
Contentions that the Board did not receive specific types of information do not establish that the Board utterly failed to attempt to assure a reasonable information and reporting system exists, particularly in the case at hand where the Complaint not only fails to plead with particularity that [the defendant] lacked procedures to comply with its . . . reporting requirements, but actually concedes the existence of information and reporting systems. . . .
In other words, the Plaintiffs complain that [the defendant] could have, should have, had a better reporting system, but not that it had no such system. Stated more generally, in criticizing the Board’s risk oversight and its delegation thereof, throughout the Complaint, the Plaintiffs concede that the Board was exercising some oversight, albeit not to the Plaintiffs’ hindsight-driven satisfaction. . . . That is short of pleading that the Board utterly failed to implement any reporting or information system or controls, sufficient to raise a reasonable doubt of the directors’ good faith.
For all of the foregoing reasons, we conclude that plaintiffs cannot prevail on their Caremark claim—a claim that the Delaware Supreme Court has described as “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment,” Stone, 911 A.2d at 372 (internal quotation marks omitted)—and that the District Court therefore properly dismissed their complaint.”