Avoiding Gatekeeper Liability

CHEAT SHEET

  • Before the SEC. One of the most prominent gatekeeper provisions, Section 307 of the Sarbanes-Oxley Act, defines specific reporting requirements for attorneys that practice before the SEC.
  • Up-the-ladder. In Canada, the Rule of Professional Conduct 3.2-8 provides that if an attorney employed or retained by an organization becomes aware of past, present, or future wrongdoing by that organization, he or she is required to report misconduct to a higher authority.
  • Keeping a record. The Third EU Anti-Money Laundering Directive requires attorneys to perform thorough customer due diligence when engaging with a client.
  • Hold the gate. Following financial scandals in 2000-2001 and the enactment of Section 307, the US government has stepped up its enforcement actions against attorneys who fail to disclose corporate misconduct.

This article will address (1) expanded requirements of in-house counsel’s role as a “gatekeeper” with respect to corporate misconduct, and (2) suggestions for best practices to meet these requirements. “Gatekeepers” have been defined as “lawyers, auditors, and others who have professional obligations to spot and prevent misconduct.” This view seeks to impose a duty on lawyers to protect the public interest rather than solely the interests of the client. In recent years, gatekeeper provisions affecting in-house counsel have become increasingly enforced in the United States. This is less true in regard to disclosure requirements in Canada and in the European Union, with the exception of the Canadian law societies and the EU Anti-Money Laundering Directives.

Prominent examples of gatekeeper provisions

Section 307 of SOX

The most prominent gatekeeper provision in the United States is found in the Sarbanes-Oxley Act, which was enacted in the wake of corporate scandals such as Enron and WorldCom. Section 307, 17 C.F.R. §§ 205.1 et seq., imposed time-specific reporting requirements on attorneys who practice before the SEC. “Practicing before the SEC” is broadly defined to include (1) transacting with the SEC, including communications of any form; (2) representing an issuer in SEC administrative proceedings or in connection with an SEC investigation, inquiry, information request, or subpoena; (3) providing advice with respect to the federal securities laws or SEC rules regarding any document that will be filed with the SEC; and (4) advising an issuer as to whether a statement, opinion, or other writing is required to be filed with or submitted to the SEC. Therefore, attorneys who advise on or draft, but do not sign, documents filed with the SEC are covered by the reporting requirements.

Lawyers who engage in the above listed activities, outside the context of providing legal services to an issuer with whom the attorney has an attorney-client relationship, are excluded. Therefore, attorneys acting for an issuer in a business capacity are not covered.

The reporting requirement also excludes non-US lawyers, so long as they qualify as “non-appearing foreign attorneys.” To qualify as a “non-appearing foreign attorney” the lawyer must:

  • Be admitted to practice in a foreign jurisdiction;
  • Neither hold himself or herself out as practicing, nor give legal advice regarding US federal or state securities or other laws unless done in consultation with a lawyer admitted in the United States; and,
  • Either engage in activities (1) that would constitute appearing and practicing before the SEC incidentally to, and in the ordinary course of, practicing law in a foreign jurisdiction, or (2) in consultation with counsel, other than a non-appearing foreign attorney, who is admitted or licensed to practice in a US jurisdiction.

An attorney covered by the reporting requirement has a duty to report evidence of a material violation of the federal securities law “up-the-ladder.” Generally something is “material” if there is a substantial likelihood that a reasonable investor would consider it important when deciding to buy, sell, or hold a security.

Sufficient evidence of a material violation triggering the reporting requirement is defined as “credible evidence, based upon which it would be unreasonable, under the circumstances, for a prudent and competent attorney not to conclude that it is reasonably likely that a material violation has occurred, is occurring, or is about to occur.” The attorney facing a reporting requirement must first report credible evidence of a material violation to the company’s general counsel or chief executive officer. In the absence of an appropriate response to the disclosure, the attorney must next report the putative violation to the company’s board of directors, audit committee, or committee of independent directors. In the alternative, the company may create a Qualified Legal Compliance Committee (QLCC) to report and investigate allegations of material violations. A QLCC is a committee of the issuer — which may also be an audit or other committee of the issuer — that must follow the composition and procedure requirements set forth in the rule.

An “appropriate response” is defined as:

  • A reasonable belief that no material violation has occurred, is ongoing, or is about to occur;
  • The corporation has adopted appropriate remedial measures in order to prevent, discontinue, or otherwise appropriately address the material violation that has already occurred to minimize the possibility of reoccurrence; or,
  • Where the attorney, in compliance with his professional obligations, asserts a colorable defense on behalf of the company in any investigation related to the material violation.

Other prominent gatekeeper provisions include the following:

Model rule of professional conduct 1.13(b)

Growing out of the corporate scandals of the early 2000s, the ABA Task Force recommended, among other things, that a lawyer must report corporate misconduct up-the-ladder. As a result, the ABA enacted Model Rule 1.13.

Section (a) of the rule affirms that an attorney employed or retained by an organization represents the organization itself, and not its directors or officers.

Section (b) is the up-the-ladder reporting requirement. It requires that “[i]f a lawyer for an organization knows that an officer, employee, or other person associated with the organization is engaged in action, intends to act, or refuses to act in a matter related to the representation that is a violation of a legal obligation to the organization, or a violation of law that reasonably might be imputed to the organization, and that is likely to result in substantial injury to the organization, then the lawyer shall proceed as is reasonably necessary in the best interest of the organization.” The reporting requirement goes on: “[u]nless the lawyer reasonably believes that it is not necessarily in the best interest of the organization to do so, the lawyer shall refer the matter to higher authority in the organization, including, if warranted by the circumstances, to the highest authority that can act on behalf of the organization as determined by applicable law.”

Section 1.13(c) provides that, if internal reporting fails and if the lawyer reasonably believes that “the violation is certain to result in substantial injury to the organization,” the lawyer may reveal otherwise privileged information outside of the organization.

Many US states, including Illinois and Massachusetts, have enacted some form of Rule 1.13. However, other states, including California, Delaware, New York, Ohio, Pennsylvania, and Texas, have not. Attorneys should familiarize themselves with the relevant rule in their jurisdictions.

Food, Drug, and Cosmetic Act and the Park doctrine

The Park doctrine is a criminal liability theory named after the US Supreme Court decision in US v. Park, 421 US 658 (1975). John Park was the president of Acme Markets, a national supermarket chain. The government alleged that Acme had violated the Food, Drug, and Cosmetic Act (FDCA) because food held in Acme’s Baltimore warehouse became accessible to rodents. Park was convicted of five misdemeanor counts of violating the FDCA. In affirming the convictions, the Supreme Court held that the government can seek misdemeanor convictions of company officials for alleged violations of the FDCA, even if the corporate official was unaware of the violation. The standard applies as long as the official was in a position of authority to prevent or correct the violation and did not do so. The Park doctrine is also known as the “Responsible Corporate Officer Doctrine.”

Use of this doctrine had been sporadic for several years after the decision. Then, in 2010, US Senator Chuck Grassley and the General Accounting Office raised concerns about FDA’s management of its Office of Congressional Investigations. In response, FDA Commissioner Hamburg wrote a letter to Senator Grassley in March 2010 emphasizing the FDA’s commitment to implementing remedial measures, including plans to increase the use of misdemeanor prosecutions “to hold responsible corporate officials accountable.” The letter also referenced criteria that the government would use when considering misdemeanor prosecution cases:

  • Whether the violation involves actual or potential harm to the public;
  • Whether the violation is obvious;
  • Whether the violation reflects a pattern of illegal behavior and/or failure to heed prior warnings;
  • Whether the violation is widespread;
  • Whether the violation is serious;
  • The quality of legal and factual support for the proposed prosecution; and,
  • Whether the proposed prosecution is a prudent use of agency resources.

Most of the ensuing prosecutions have been directed against business people, not lawyers. However, in the Purdue Pharma case, the government charged three executives, including Howard Udell, executive vice president and chief legal officer, with misdemeanor counts of introducing a misbranded drug into interstate commerce in violation of the FDCA. The misbranding consisted of misleading regulators, doctors, and patients about the drug’s risk of addiction and potential to be abused. Following those convictions, the three executives were ultimately excluded from participation in federal healthcare programs for 12 years.

The Park doctrine has also been applied to other public welfare statutes, such as the Clean Air Act and Clean Water Act (both include “any responsible corporate officer” in their definition of “person”).

Anti-money laundering rules issued by the New York State Division of Financial Services

On December 1, 2015, the DFS issued proposed Part 504 of the Superintendent’s Regulations, requiring certain transaction monitoring and filtering requirements with respect to anti-money laundering and terrorism initiatives. Notably, the regulations included a required annual certification by the chief compliance officer, or the functional equivalent, that the “Transaction Monitoring and Filtering Program” complies with all regulations. Furthermore, an “incorrect” or “false” certification could further subject the certifying officer to criminal penalties.

Following numerous comments, final regulations were enacted with the following notable differences: Instead of only the chief compliance officer, the certification can also be provided by any senior official responsible for “management, operations, compliance and/or risk,” or alternatively, through a board resolution. In addition, instead of a specific reference to criminal penalties, the “penalties” provision states that “[t]his regulation will be enforced pursuant to, and is not intended to limit, the Superintendent’s authority under any applicable laws.”

Tips to reduce risk to the gatekeeper and to the company

KNOWLEDGE OF PERTINENT LAWS, REGULATIONS, AND RULES:

Counsel must have up-to-date knowledge of the laws and regulations pertaining to his or her particular business and jurisdiction, as well as applicable attorney ethics rules.

PARTNERSHIPS WITH BUSINESS LEADERS, ACQUISITION OF IN-DEPTH BUSINESS KNOWLEDGE:

Review of strategic business information will enable counsel to recognize potential legal issues and be proactive instead of reactive. Close relations with key business leaders will promote the flow of business information and permit the transfer of legal concerns from in-house counsel to business leaders. In addition, close relations between the general counsel and senior management will carry more weight when counsel advises lower level managers.

PROMOTING A CULTURE OF COMPLIANCE:

Corporate counsel’s close relationship with the company’s business leaders also means that they can influence the “tone at the top” to promote a culture of compliance. Counsel should promote the desirability of open communication to foster compliance.

RELATIONSHIPS WITH THE BOARD:

The chief legal officer has the opportunity to be proactive with the directors, especially independent directors, in order to foster a culture of compliance and open communication. General counsel should meet regularly and in executive sessions with a committee of independent directors to communicate concerns regarding legal compliance matters. General counsel should also attend board meetings and major committee meetings in order to facilitate a two-way transfer of information.

CONSIDER CONFIDENTIALITY:

Many of the gatekeeper provisions discussed above pose potential conflicts with attorney confidentiality provisions, such as set forth in MRPC 1.6(a): “a lawyer should not reveal information relating to the representation of a client unless the client gives informed consent.”

Thus the increasing potential for gatekeeper liability will pose concern for in-house counsel. However, the risk can be reduced by counsel’s enhanced relationships with the other stakeholders — senior management and directors.

Gatekeeper provisions in the European Union and Canada

The EU and Canada impose fewer gatekeeper requirements on attorneys. For example, there is no analogue for the up-the-ladder reporting requirement in SOX. However, as discussed above, a foreign attorney may be covered by section 307 of SOX unless he or she qualifies as a “non-appearing attorney.”

Canada

In Canada, attorneys are not required to report securities law violations to provincial securities commissions. “The securities commissions do not appear to have successfully extended liability to lawyers acting merely in their role as gatekeeper: something more is required for liability to attach.” Like other market participants, however, attorneys can be liable for direct misrepresentations in the secondary market. The Securities Act also asserts that notifying the securities commission of violations can provide a defense to liability.

The provincial law societies have begun to enact up-the-ladder reporting requirements similar to Model Rule 1.13. Rule of Professional Conduct 3.2-8 of the Law Society of Upper Canada (Ontario) provides that if an attorney employed or retained by an organization becomes aware of past, present, or future wrongdoing by the organization, he or she is required to report up-the-ladder. Section 45 of the Code of Professional Conduct of Lawyers (Quebec) requires that, in the case of a client that is not a natural person, the lawyer must notify the client’s representative of possible breaches of the law. “If the lawyer later becomes aware that the client has not remedied the unlawful situation, he must notify the appropriate hierarchical authority.”

European Union

Since the terrorist attacks on September 11, 2001, attorneys in the European Union have been required to perform client due diligence to prevent money laundering. The Second EU Anti-Money Laundering Directive, adopted on December 4, 2001, requires that lawyers, among other financial transaction participants, engage in customer due diligence when entering into a business relationship with a client, when opening a client account, when offering custody facilities, or when aiding in a transaction that involves €15,000 or more. In any of the above instances, attorneys must disclose suspected money laundering activities to the appropriate authorities.

The Third EU Anti-Money Laundering Directive, adopted on June 7, 2005, requires attorneys, and other financial transaction participants, to perform enhanced customer due diligence in certain instances. The level of scrutiny is based on a risk-based approach.

PROVISION | WHO ARE THE GATEKEEPERS? | WHO IS HELD RESPONSIBLE?
SOX Section 307 | Attorneys practicing before the SEC | Attorneys practicing before the SEC
MRPC 1.13(b) | Attorneys representing organizations | Attorneys representing organizations
FDCA Park doctrine | Attorneys covered under the FDCA | Attorneys and senior management
NY DFS AML Rules | Attorneys and compliance officers | The board of directors or the senior officials that are responsible for AML compliance
Securities Acts of Ontario and Quebec, CA | Attorneys | Corporate officers, including attorneys
Rules of Professional Conduct, Ontario and Quebec | Attorneys representing organizations | Attorneys representing organizations
EU Money Laundering Directives | Attorneys engaged in financial transactions | Attorneys engaged in financial transactions

Importance of gatekeeper issue to in-house counsel

Gatekeeper provisions are often directed at in-house counsel, and can subject them to personal, civil, and/or criminal liability. Following the financial scandals of 2000-2001 and enactment of Section 307, the government has stepped up enforcement actions against attorneys. Several attorneys have been prosecuted with regard to stock option backdating — for example, the general counsel of Comverse Technology, Apple, Inc., United Health, CNET, and McAfee.

The SEC has also brought actions against high-ranking in-house counsel based on various accounting issues. On March 28, 2007, the SEC charged the general counsel and the associate general counsel of Enron with involvement in a fraudulent scheme regarding public filings and with respect to a troubled power project in Brazil. On April 2, 2007, the SEC charged the former general counsel and chief compliance officer of Tenet Healthcare with public filings allegedly containing overstated revenues.

In 2010, the US Department of Justice indicted Lauren Stevens, associate general counsel at GlaxoSmithKline, for obstruction of justice and false statements during an FDA investigation of the company’s off-label promotion of the anti-depressant Wellbutrin. The indictment was dismissed by the court during trial.

Note also that the federal government has recently increased its focus on individual liability for corporate wrongdoing. Deputy Attorney General Sally Quillian Yates has recently stated that “in order for a company to receive any consideration for cooperation under the Principles of Federal Prosecution of Business Organizations, the company must completely disclose to the Department all relevant facts about individual misconduct….That is, to be eligible for any credit for cooperation, the company must identify all individuals involved in or responsible for the misconduct at issue, regardless of their position, status or seniority….”

Similarly, in “Remarks of SEC Commissioner Kara M. Stein,” (discussing importance of corporate gatekeepers), on May 19, 2014, Commissioner Stein noted that: “One gatekeeper that often is absent from the list of cases I see every week are the lawyers.” She continued: “Are we treating lawyers differently from other gatekeepers? I think we should carefully review the role that lawyers play in our markets, with a view towards how they can better help deter misconduct and prevent fraud.”

Further Reading

Mary Jo White, Chair, SEC, “A Few Things Directors Should Know About the SEC,” Stanford Rock Center for Corporate Governance, 20th Annual Stanford Directors’ College, 6/23/14, www.sec.gov.

E. Norman Veasey and Christine T. Di Guglielmo, “The Tensions, Stresses, and Professional Responsibilities of the Lawyer for the Corporation,” 62 Bus. Law. 1 (Nov. 2006).

Basic Inc. v. Levinson, 485 US 224 (1988).

See “Report: Preliminary Report of the American Bar Association Task Force on Corporate Responsibility,” July 16, 2002, 58 Bus. Law. 189 (Nov. 2002).

Letter from Margaret Hamburg, Comm’r, Food & Drug Admin., to Sen. Chuck Grassley, Member, H. Comm. On Energy and Commerce (March 4, 2010).

See Food & Drug Admin., FDA Regulatory Procedures Manual, Inspections, Compliance, Enforcement, and Criminal Investigations, § 6-5-3, at 6-49 to 6-50 (2011).

DFS (Proposed) Superintendent’s Regulations, Part 504, Banking Division Monitoring and Filtering Program Requirements and Certifications, § 504.4.

Stephanie Ben-Ishai, Corporate Gatekeeper Liability in Canada, Texas Inter L.J. 441, 455 (Summer 2007).

See, e.g., Ontario Securities Act (“OSA”) Section 138(1) (liability can attach to an officer that authorized, permitted or acquiesced in the release of a document containing misrepresentations) and Quebec Securities Act (“QSA”) Section 225.8. (liability for misrepresentations by, among others, officers of issuer or writer of expert opinion).

See OSA Section 138.4(15) and QSA Section 225.20.

OC. 129-2015, s. 45, legisquebec.gouv.gc.ca/en/showdoc/ck/B-1,%20r.%203.1.

Council Directive 2001/97/EC, 2001, Arts. 1.3.1 and 1.3.11.

Council Directive 2005/60/EC, Arts. 8(2) and 13(1).

See US Securities and Exchange Commission, Litigation Release No. 20058/March 28, 2007.

See US Securities and Exchange Commission Press Release No. 2007-60.

“Individual Accountability for Corporate Wrongdoing,” September 9, 2015.