Directors are generally viewed as stewards of the corporation and fiduciaries of the corporation’s shareholders. Boards of directors are primarily responsible for overseeing the company, and in exercising these responsibilities, directors must discharge their fiduciary duties of care and loyalty and their obligation to act in good faith. Directors, however, confront increasing litigation risk and regulatory scrutiny in navigating their fiduciary duties and the demands of shareholders in the face of corporate compliance crises and independent investigations. In addition, regulators in the United States and around the world have become increasingly focused on the role of the board and its directors with respect to governance, financial reporting and reinforcing the commitment to a culture of compliance. In this chapter, we discuss the fiduciary duties owed by directors in the context of independent investigations, potential director liability for violations of those duties, and strategic considerations for directors to satisfy their fiduciary duties when faced with compliance crises.
42.2 Directors’ fiduciary duties
In the United States, the fiduciary duties and responsibilities of members of boards of directors arise primarily out of state corporate law, both from state statutes and evolving case law (also known as common law). Fundamentally, directors owe fiduciary duties of care and loyalty to the corporation and are expected to carry out their obligations in good faith. These duties lie at the core of a director’s oversight and stewardship responsibilities to the corporation.
42.2.1 Duty of care
The duty of care refers to the obligation of corporate directors to exercise the proper amount of care as they make business decisions on behalf of their corporation. Directors must ‘use that amount of care which ordinarily careful and prudent men would use in similar circumstances, [and] consider all material information reasonably available in making business decisions’. To satisfy their duty of care, therefore, directors must, among other things, be knowledgeable about the corporation, its business, its industry and relevant risks, including by regularly reviewing financial statements and inquiring into corporate affairs; remain informed about decisions faced by the board; and engage in meaningful consideration of the issues. If a director ‘feels that he has not had sufficient business experience to qualify him to perform the duties of a director, he should either acquire the knowledge by inquiry, or refuse to act’.
Director liability for a breach of the duty of care typically arises in two contexts: (1) ‘ill-advised’ or grossly negligent board decisions that result in a loss for the corporation; and (2) liability for a loss that arose from an ‘unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss’. In the seminal case of Smith v. Van Gorkom, the Delaware Supreme Court found that the directors of Trans Union Corporation had breached their duty of care by acting with gross negligence in failing to make an informed decision regarding the sale of the company. The court cited the fact that the board approved the sale without having reviewed a term sheet or any other documentation to support the adequacy of the sale price and that the board relied, without any basis, on the uninformed statements of a director regarding the proposed agreement.
Directors are only liable for breach of the duty of care if their conduct has amounted to ‘gross negligence’, meaning that they demonstrated a ‘reckless indifference to or a deliberate disregard of the whole body of stockholders or actions which are without the bounds of reason’. Courts have found that ‘directors’ actions need not achieve perfection to avoid liability’, and that directors do not breach a legal duty simply because they ‘failed to act as a model director might have acted’. In most cases, monetary damages are unavailable to plaintiffs alleging breach of duty of care, even if they can demonstrate gross negligence. This is because many states, in response to Van Gorkom, enacted statutes permitting corporations to eliminate or limit directors’ personal liability for monetary damages for breaches of their duty of care. Significantly, these state laws do not authorise corporations to eliminate or limit directors’ personal liability for breaches of their duty of loyalty or good faith obligations, and monetary damages remain available to plaintiffs for such breaches.
42.2.2 Duty of loyalty
The duty of loyalty ‘mandates that the best interest of the corporation and its shareholders take precedence over any interest possessed by a director, officer or controlling shareholder and not shared by the stockholders generally’. Corporate directors ‘are not permitted to use their position of trust and confidence to further their private interests’.
As a ‘subsidiary element’ of the duty of loyalty, directors must carry out their duties in ‘good faith’. The obligation to act in good faith is not an independent fiduciary duty or direct basis for liability, but rather is at the core of the duty of loyalty – ‘a director cannot act loyally towards the corporation unless she acts in the good faith belief that her actions are in the corporation’s best interest’. A director fails to act in good faith where the director ‘intentionally acts with a purpose other than that of advancing the best interests of the corporation, where [the director] acts with the intent to violate applicable positive law, or where [the director] intentionally fails to act in the face of a known duty to act, demonstrating a conscious disregard for [his or her] duties’.
Courts have interpreted the duty of loyalty as giving rise to the duty to exercise oversight in the day-to-day business operations of the corporation. The Delaware Court of Chancery set forth the standard for directors’ obligation to oversee and monitor the corporation in In re Caremark International Inc Derivative Litigation, holding that directors have an affirmative duty to establish a reporting system and internal controls, and to monitor and oversee internal compliance activity. Directors must assure themselves that the system of internal controls is ‘reasonably designed’ to allow senior management and the board to reach ‘informed judgments concerning both the corporation’s compliance with law and its business performance’. Failure to do so, the court held, may ‘render a director liable for losses caused by non-compliance with applicable legal standards’.
Thus, while ‘directors’ good faith exercise of oversight responsibility may not invariably prevent employees from violating criminal laws, or from causing the corporation to incur significant financial liability or both’, directors are expected to take steps to implement reasonable reporting, information and compliance systems, and to address corporate misconduct of which they become aware.
42.2.3 Oversight obligations under US securities laws
In addition to the standards articulated in Caremark and its progeny, the Sarbanes-Oxley Act of 2002 sets expectations for public company audit committees (and consequently the independent directors that serve on audit committees) with respect to their oversight of companies’ accounting, internal controls and auditing matters. These include oversight of the company’s independent auditors, review of audit reports and the establishment of procedures to address complaints regarding the company’s accounting and financial reporting. Audit committees may also hire independent counsel to assist them in fulfilling their responsibilities, including in independent audit committee investigations and compliance reviews.
42.3 Liability for breach of fiduciary duties
42.3.1 Caremark claims in private civil actions
Directors may be subject to civil action in their personal capacity by shareholders of the corporation, both directly and in derivative suits on behalf of the corporation, for alleged breaches of their fiduciary duties. Courts make liability determinations on a director-by-director basis, rather than on the basis of the conduct of the board as a whole. In most US states, the remedy for breach of a fiduciary duty can be ‘[a]ny form of equitable and monetary relief’ that the court finds ‘appropriate’.
Caremark established the standard of liability for alleged breaches of directors’ duty of oversight, holding that ‘only a sustained or systemic failure of the board to exercise oversight – such as an utter failure to attempt to assure a reasonable information and reporting system exists – will establish the lack of good faith that is a necessary condition to liability’. Caremark, therefore, ‘articulates a standard for liability for failures of oversight that requires a showing that the directors breached their duty of loyalty by failing to attend to their duties in good faith’. Liability is premised on plaintiffs’ demonstration that ‘the directors were conscious of the fact that they were not doing their jobs’.
In Stone v. Ritter, the Delaware Supreme Court affirmed the standard for oversight liability articulated in Caremark and held that a Caremark claim for director oversight liability requires the following conditions predicate: (1) that the directors ‘utterly failed to implement any reporting or information system or controls’; or (2) that the directors, ‘having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention’. In either instance, directors can only be liable if plaintiffs demonstrate that they knowingly violated their fiduciary obligations.
While Caremark and Stone set a high standard for establishing liability for breach of oversight obligations, board processes and decision-making nonetheless can result in director liability. In Wells Fargo & Co Shareholder Derivative Litigation, for example, the plaintiffs alleged that the defendant directors ‘knew or consciously disregarded’ that Wells Fargo employees were fraudulently creating millions of deposit and credit card accounts for customers as part of ‘cross-selling’ activities. In denying Wells Fargo’s motion to dismiss, the court relied on allegations that the board had been informed of multiple ‘red flags’ of improper conduct, including alleged communications between employees and board members regarding the fraudulent activity, several related lawsuits, news reports, investigations by government agencies, employee terminations allegedly aimed at silencing whistleblowers, and emphasis on the importance of cross-selling practices in the bank’s financial reports. The court found that the numerous red flags alleged ‘collectively supported an inference that a majority of the Director Defendants consciously disregarded their fiduciary duties despite knowledge regarding widespread illegal account-creation activities, and that there is a substantial likelihood of director oversight liability’.
42.3.2 The business judgment rule
The ‘business judgment rule’ is a standard of judicial review that protects directors from personal civil liability for their decisions as long as the decision was independent, informed, made in good faith, with due care and with the honest belief that the action taken was in the company’s best interest. The business judgment rule presumes that ‘in making a business decision the directors of a corporation acted on an informed basis, . . . and in the honest belief that the action taken was in the best interests of the company [and its shareholders]’. Therefore, the business judgment rule presupposes that directors have complied with their duty of loyalty to the corporation. In the absence of evidence to the contrary, the board’s ‘decision will be upheld unless it cannot be attributed to any rational business purpose’. If plaintiffs fail to rebut the presumption, they will not be entitled to any remedy, unless the transaction constitutes corporate waste.
Plaintiffs may rebut the presumption by showing that the directors breached one of their fiduciary duties of loyalty or care in connection with the transaction at issue. In that case, the burden shifts to the director defendants to demonstrate that the challenged transaction was ‘entirely fair to the corporation and its shareholders’.
Even if directors have exercised their business judgment, the protections of the business judgment rule will not apply if the directors have made an ‘unintelligent or unadvised judgment’. Furthermore, the protections of the business judgment rule will not apply in the event of director inaction, unless the directors made a conscious decision not to act. For this reason, it is critical that boards and directors work with management to develop a process that (1) enables the board to obtain the information it needs in order to evaluate and decide on a course of action, (2) facilitates careful consideration and debate at the board level consistent with fiduciary obligations and (3) results in a record that demonstrates the board’s execution of its responsibilities.
42.3.3 Regulatory enforcement actions
In addition to being named in securities class action or derivative suits, public company directors can be subjected to regulatory investigations and enforcement actions under US securities laws. Indeed, directors increasingly face all three proceedings – securities class actions, derivative litigation and enforcement proceedings – in parallel. The Securities Exchange Act of 1934 (the Exchange Act), as amended by the Dodd-Frank Wall Street Reform and Consumer Protection Act, authorises the US Securities and Exchange Commission (SEC) to institute administrative and civil proceedings and to seek monetary and injunctive relief from directors for their violations of the securities laws. The SEC also can request that a court permanently or temporarily bar an individual from serving as a public company officer or director for violations of the anti-fraud provisions of the US securities laws. In addition, the US Department of Justice (DOJ) can criminally prosecute directors for ‘willful’ or ‘knowing’ violations of the US securities laws or conspiracy to commit such violations.
There are clear and direct consequences for companies when oversight is found lacking. In evaluating corporate compliance programmes, regulators focus on the types of information that the board has examined in its exercise of oversight in the area in which misconduct occurred. US regulators have been vocal in commenting on the roles and responsibilities of directors, and have been critical of boards of directors that, in their view, failed to exercise reasonable oversight. The SEC and DOJ have been particularly outspoken with respect to financial reporting and Foreign Corrupt Practices Act (FCPA) matters. In the settlement made with Sociedad Química y Minera de Chile (SQM) for internal controls and books-and-records violations under the FCPA in 2017, for instance, the DOJ explicitly noted that although SQM’s board had been briefed on certain internal controls failures flagged by internal audit, ‘no adequate changes were made to SQM’s internal accounting controls’.
Of particular relevance to public company directors, Section 20(a) of the Exchange Act provides that every person who indirectly or directly controls another person found liable for a securities violation under the Exchange Act is liable for that same conduct. For ‘control person’ liability to attach, the majority of US circuit courts require only that the director exercised control over the general operations of the business that included the violation and could exercise control over the transaction or activity giving rise to it. Section 20(a) provides an affirmative defence to a director who ‘acted in good faith’ and ‘did not directly or indirectly induce’ the act constituting the violation.
For example, in 2009, the SEC filed a settled enforcement action against Nature’s Sunshine Products, its chief executive officer (CEO) and board member, and its chief financial officer (CFO), alleging that the CEO/director and CFO, in their capacities as control persons under Section 20(a), violated the books-and-records and internal controls provisions of the FCPA. Notably, the SEC did not allege that these individuals had direct knowledge of, or participated in, the underlying improper payments or accounting failures, but rather that the executives failed to identify certain red flags that would have alerted them to the improper payments and failed to perform their corporate duties adequately and in good faith.
42.4 Duty of oversight in investigations
Directors’ duty of oversight, and their obligation to act in good faith, are implicated at multiple stages of a corporate investigation – from the decision whether to initiate an investigation, to the decision whether to self-disclose potential wrongdoing to regulators, to decisions authorising negotiation or settlement with regulators. At each stage, directors will need to ask appropriate questions, obtain sufficient information and engage in meaningful consideration to satisfy themselves that the decision is in the best interests of the corporation. Increasingly, independent auditors threaten to initiate reporting procedures under Section 10A of the Exchange Act absent an independent investigation into suspected wrongdoing. In addition, directors must consider that, in the event the corporation is prosecuted for misconduct, the board’s execution of its duty of oversight will be considered by prosecutors and the court in sentencing the corporation.
Moreover, directors play a central role in the remediation process that often results from an investigation. Directors must oversee the process of enhancing or establishing internal controls for financial reporting or other material aspects of the company’s compliance infrastructure that are found lacking. This often requires directors to adapt to, and sometimes reassess, their view of company processes and the conduct of management based on facts developed during an investigation. At the same time, directors must interact with external auditors in connection with the issuance of an audit opinion and oversee a financial reporting process that contemplates such changes.
Often, director liability for breach of fiduciary duty arises from the alleged failure of the board to respond to red flags of corporate misconduct. When faced with actual knowledge or red flags of wrongdoing, directors must take good-faith steps to conduct reasonable inquiry to understand the cause and scope of the issue, and to implement appropriate remediation, as necessary. Directors may be subject to oversight liability on the basis of inaction, wilful ignorance or failure to investigate and address possible misconduct in good faith.
As reflected in Wells Fargo, there are numerous ways in which a director may be considered to be on notice of possible wrongdoing at the corporation. These include internal and external audit reports, whistleblower complaints, consumer complaints, news reports, regulatory investigations and related civil litigation claims. The case law emphasises the need for directors to respond to repeated signs of misconduct, as courts and regulators may interpret the absence of a response as a conscious disregard of the directors’ duty of oversight. As the Delaware Court of Chancery explained, ‘a Caremark plaintiff can plead that “the directors were conscious of the fact that they were not doing their jobs,” and that they ignored “red flags” indicating misconduct in defiance of their duties. A claim that an audit committee or board had notice of serious misconduct and simply failed to investigate . . . would survive a motion to dismiss, even if the committee or board was well constituted and was otherwise functioning’.
Importantly, by virtue of the audit committee’s oversight of accounting, internal controls and auditing matters, the independent directors naturally receive information regarding the corporation’s internal controls and compliance system that implicates their duty of oversight. This level of knowledge could subject the independent directors to increased risk of regulatory scrutiny and private shareholder action if they fail to respond to internal control deficiencies and red flags of potential misconduct that are reported to them.
42.5 Strategic considerations for directors
While there is no effective one-size-fits-all approach to satisfaction of fiduciary duties, directors can take certain steps to meet the ongoing challenges and expectations of regulators and shareholders. Implementation of these strategies may not eliminate the risk of director liability, but they will demonstrate directors’ adherence to the core principles of their fiduciary duties.
- Risk-based compliance framework: Directors should require management to demonstrate that the company has adopted an effective risk-based compliance framework to identify high-risk compliance issues and prioritise resources accordingly.
- Remaining informed: Directors should implement a formal process that facilitates communications between the board and management regarding the compliance framework and business performance. Directors should remain informed about ongoing and acute risks, as well as about the broader business environment and industries in which the company is operating.
- Independent investigations and compliance crises: Directors should establish a crisis management strategy and investigative protocol before such measures are needed, including a framework for the board’s response if an independent investigation is necessary. This may include proactive delegation of oversight responsibility to the company’s audit committee or a special litigation or investigation committee. This also may include an annual presentation from management, including the legal and compliance functions, as to the company’s readiness if a government inquiry, whistleblower complaint or other occurrence gives rise to consideration of an independent investigation.
- Training: Directors should have sufficient training not only to be familiar with principles of corporate governance and the corporation’s business, but also to provide directors a basis from which they can ask questions regarding compliance risks and analyse responses consistent with their oversight responsibilities.
- Overseeing the external auditor relationship: The audit committee owns the relationship with the external auditor. Too often, directors limit their interaction with the external auditor to engagement of the auditor and a quarterly discussion in advance of the issuance of a filing. The better course is for independent directors, particularly those on the audit committee, to establish a deeper relationship that provides for a foundation of trust and familiarity from which both parties can act when an unexpected problem arises.
- Making the record: A documented approach to corporate governance and adherence to fiduciary duties can mitigate directors’ risks in the event of litigation or an enforcement proceeding. Real-time documentation, including through minutes of audit committee or special investigative committee meetings, is critical evidence of directors’ fulfilment of their oversight obligations in the context of a board committee’s evaluation of issues involving investigations and compliance crises.
Effective board processes enable directors to execute their responsibilities in accordance with applicable fiduciary duties and the expectations of regulators and the market. Adherence to sound principles of corporate governance protects directors and promotes tangible benefits to the company in the form of:
- heightened investor confidence and corporate reputation;
- increased efficiency and avoidance of costly investigation due to early issue spotting and risk mitigation; and
- higher levels of customer and employee retention.
1 Timothy P O’Toole and William P Barry are members, and Margot Laporte is counsel, at Miller & Chevalier Chartered.
2 While civil liability for breaches of fiduciary duties arises under state law, public company directors separately may face federal criminal and civil liability for violations of the federal securities laws. For example, among other violations, public company directors may be held liable for financial reporting and disclosure violations, and insider trading and other fraud violations, under the Securities Act of 1933 (Securities Act) and the Securities Exchange Act of 1934 (Exchange Act). The Sarbanes-Oxley Act of 2002 (Sarbanes-Oxley) and the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 also enhanced director liability under federal law for self-dealing and compensation-related violations, among others.
3 In re Walt Disney Co. Derivative Litig., 907 A.2d 693, 745 (Del. Ch. 2005), aff’d, 906 A.2d 2 (Del. 2006) (Disney).
4 Id. at 749 (internal quotation marks omitted).
5 See Francis v. United Jersey Bank, 432 A.2d 814, 822 (N.J. 1981) (duty to conduct regular review of financial statements); Barnes v. Andrews, 298 F. 614, 615 (S.D.N.Y. 1924) (duty to enquire into the corporate business).
6 Francis, 432 A.2d at 822 (internal quotation marks omitted).
7 Disney, 907 A.2d at 749 (quoting In re Caremark Int’l Inc. Derivative Litig., 698 A.2d 959, 967 (Del. Ch. 1996) (Caremark) (alterations omitted)).
8 Smith v. Van Gorkom, 488 A.2d 858, 881 (Del. 1985).
9 Id. at 874.
10 Disney, 907 A.2d at 750 (internal quotation marks omitted).
11 Cooke v. Oolie, Civ. Action No. 11134, 2000 Del. Ch. LEXIS 89, at *58–59 (Del. Ch. 24 May 2000).
12 Disney, 907 A.2d at 751.
13 See, e.g., Del. Code Ann. tit. 8, § 102(b)(7).
14 See, e.g., id.
15 Disney, 907 A.2d at 751 (internal quotation marks and alteration omitted).
16 Guth v. Loft, Inc., 5 A.2d 503, 510 (1939).
17 Stone v. Ritter, 911 A.2d 362, 369 (Del. 2006).
18 Id. at 370.
19 Id. at 369.
20 Caremark, 698 A.2d at 970.
23 Stone, 911 A.2d at 373.
24 Id. at 370.
25 Sarbanes-Oxley, Pub. L. No. 107-204, 116 Stat. 745, § 301.
27 Disney, 907 A.2d at 748.
28 In re Tri-Star Pictures, Inc. Litig., 634 A.2d 319, 333 (Del. 1993) (internal quotation marks omitted).
29 Cinerama, Inc. v. Technicolor, Inc., 663 A.2d 1156, 1166 (Del. 1995) (internal quotation marks omitted). Often, directors’ liability for monetary payments will be covered by directors and officers liability insurance.
30 Stone, 911 A.2d at 369 (internal quotation marks omitted).
31 Guttman v. Huang, 823 A.2d 492, 506 (Del. Ch. 2003).
33 Stone, 911 A.2d at 369.
34 Id. at 370.
36 In re Wells Fargo & Co. S’holder Derivative Litig., 282 F. Supp. 3d 1074, 1082 (N.D. Cal. 2017) (Wells Fargo).
37 Id. at 1088.
38 Id. (alterations omitted); see also id. at 1107 to 1109.
39 See Gantler v. Stephens, 965 A.2d 695, 705–06 (Del. 2006).
40 Aronson v. Lewis, 473 A.2d 805, 812 (Del. 1984).
41 Disney, 907 A.2d at 747 (internal quotation marks omitted).
45 Id. at 748 (internal quotation marks omitted).
47 Exchange Act §§ 21(a)(1), (d)(3), (d)(5), 15 U.S.C. §§ 78u(a)(1), (d)(3), (d)(5).
48 Id. § 21(d)(2), 15 U.S.C. § 78u(d)(2).
49 Securities Act § 24, 15 U.S.C. § 77x; Exchange Act §§ 13(a), 32(a), 15 U.S.C. §§ 78m(b)(4) and (5), 78ff(a). The securities laws define ‘knowing’ violations as being ‘aware’ that one is engaging in conduct, that circumstances exist, or that a result is substantially certain to occur, or having a firm belief of the same. 15 U.S.C. § 78dd-1(f).
50 Sarbanes-Oxley § 902(a), 18 U.S.C. § 1349.
51 See, e.g., Mary Jo White, Chair, US Securities and Exchange Commission, Address at the Stanford University Rock Center for Corporate Governance: A Few Things Directors Should Know About the SEC (23 June 2014) (‘One question we are often asked is whether some of the things we are doing may actually discourage strong directors from serving on boards because of the risk that they may unfairly find themselves on the wrong end of an SEC enforcement action. While we do bring cases against directors, these cases should not strike fear in the heart of a conscientious, diligent director’).
52 United States v. Sociedad Química y Minera de Chile, S.A., No. 1:17-cr-00013, Deferred Prosecution Agreement (D.D.C. 13 January 2017).
53 Exchange Act § 20(a), 15 U.S.C. § 17t(a).
54 See, e.g., In re Mut. Funds Inv. Litig., 566 F.3d 111, 129–30 (4th Cir. 2009); Laperriere v. Vesta Ins. Group, 526 F.3d 715, 723–25 (11th Cir. 2008).
55 Exchange Act § 20(a), 15 U.S.C. § 17t(a).
56 U.S. Sec. Exch. Comm’n v. Nature’s Sunshine Prods., Inc., Civ. No. 2:09CV0672, Compl. (D. Utah 31 July 2009).
58 Exchange Act § 10(A), 15 U.S.C. § 78j-1.
59 See U.S. Fed. Sentencing Guidelines Manual § 8B2.1(b)(2)(A) (‘The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance program.’).
60 Wells Fargo, 282 F. Supp. 3d at 1088, 1107–09.
61 Shaev Profit Sharing Account v. Armstrong, C.A. No. 1449-N, 2006 Del. Ch. LEXIS 33, at *16 (Del. Ch. 13 February 2006).