Chief Compliance Officer v. General Counsel – Should They Be Separate?

© Copyright 2018  – Jonathan T. Marks
May not be reproduced in any form without express written permission. 

Note: The following information is intended to be used as a guide by the board and others in assessing the structure and roles and responsibilities of the CCO and GC.  Every situation is different and requires a thoughtful approach. I hope this research will help in your evaluation of the roles.

I welcome you comments and suggestions.


 Jonathan T. Marks, CPA, CFF, CITP, CGMA, CFE and NACD Board Fellow

The issues relating to separation of the CCO and the GC are most often discussed in terms of the differences in their roles (below).


Lack of separation of the CHIEF COMPLIANCE OFFICER and the GENERAL COUNSEL has been cited as a cause of numerous corporate failures.  In fact, separation is now the norm in Health Care organizations.  In spite of numerous recommendations to separate the two functions, there is general agreement that the roles are closely related and frequent collaboration is required.

The issues relating to separation of the CHIEF COMPLIANCE OFFICER and the GENERAL COUNSEL are most often discussed in terms of the differences in their roles (below).


    • Defends Client
    • Gives Legal Advice on how to comply, maintain business objectives, but
    • Represents client “zealously”
    • Defines Standards
    • Finds, Fixes and Prevents Future Problems
    • Protects Whistleblowers (so others may come forward)
    • Management Function
    • Incorporates legal considerations
    • Influences processes
    • Translates legal advice into Management Action
    • Preventative
    • Implements and Monitors Processes assuring Standards are met
      • Code of conduct
      • Ethics training and compliance
    • May also have an Internal Audit Role
    • Requires
      • Senior level position
      • Access to Management
      • Access to Board
      • Sufficient Budget[1]

The potential conflict in their roles are often described as follows:

  • Conflicting Obligations
    • Privilege – CHIEF COMPLIANCE OFFICER may be more in touch with employees and may be more likely to receive information. The privilege could be an issue if the GENERAL COUNSEL is not involved.
    • Material Violations – SEC companies are required to escalate certain material violations to the Chief Legal Officer.
    • Defensive Role of the GENERAL COUNSEL may squash the transparency required to design a preventative compliance program if the reporting relationship is not independent

Generally, the SEC and DOJ are less rigid in their requirements regarding the CHIEF COMPLIANCE OFFICER’s reporting relationships, while HHS more committed to separating the CHIEF COMPLIANCE OFFICER from the GENERAL COUNSEL.

  • OIG and US Sentencing Guidelines for Organizations
    1. Clarify the role of CHIEF COMPLIANCE OFFICER in:
      • Operating the Compliance program
      • Reporting to the Board
    1. OIG Compliance Program Guidance (CPG) in 1998 (Supplemented 2005)
      • Convinced Health Care organizations they should be separate

The ABA came out with its Cheek report that defends the GENERAL COUNSEL’s role, but also acknowledges the CHIEF COMPLIANCE OFFICER should have:  unrestricted ability to interact with regulators, and the ability to engage outside counsel on its own (but should involve GENERAL COUNSEL where there is no conflict.  (See Article 11. Excerpts below)

  • ABA Task Force on Corporate Responsibility
    1. Did not directly address the separation of CHIEF COMPLIANCE OFFICER, but pointed out
    1. Sarbanes-Oxley states the GENERAL COUNSEL is responsible for legal compliance[2]

Various Models Used for CHIEF COMPLIANCE OFFICER Reporting

CHIEF COMPLIANCE OFFICER and GENERAL COUNSEL Combined – Survey[3]:  15% are combined[4]

  • Unique issues
    • Is there a process whereby GENERAL COUNSEL recuse him/herself?
    • Are there Board initiated Third Party Compliance assessments?
    • Is there a process authorizing Board to retain Outside Counsel?
  • Benefits:
    • Efficiency
    • Privilege
  • Downside
    • Regulators can view GENERAL COUNSEL as a shield to limit info (especially Healthcare) [5]


  • Considerations OIG and AHLA (Am. Health Lawyers Assn) recommend:
    • Alternative reporting mechanisms
    • Someone other than GENERAL COUNSEL authorizes compliance investigations (including hiring outside counsel)
    • Periodic Direct Reports from CHIEF COMPLIANCE OFFICER to the Board
    • 36% report to GENERAL COUNSEL, up 5% from 2015[7] (note, this percentage is from a different source than the others quoted herein; it is unclear if it includes CHIEF COMPLIANCE OFFICER reporting to GENERAL COUNSEL alone, or in addition to where CHIEF COMPLIANCE OFFICER is combined with GENERAL COUNSEL)
  • Benefits
    • Efficiency
    • With added reporting lines of independence, this can work for some organizations
      • Requiring Board Approval for CHIEF COMPLIANCE OFFICER to be fired
    • Downside
      • Without these measures (above), open to criticism
      • Confusion – Compliance goals may be at odds with legal objectives leading to confusion. For example, when issues arise:
        • GENERAL COUNSEL is obligated to protect the organization
        • CHIEF COMPLIANCE OFFICER is obligated to identify the issue, and implement preventative procedures
      • Attorney-Client Privilege issues – GENERAL COUNSEL acting in both roles must distinguish between legal advice and business advice.[8]
      • Senior management should “be ready to defend a decision to preserve the CHIEF COMPLIANCE OFFICER in a subordinate position to the GENERAL COUNSEL.”[9]

CHIEF COMPLIANCE OFFICER Independent from GENERAL COUNSEL – Survey:  59% stand alone, 57% report to CEO or Board[10]

  • Considerations
    • Have GENERAL COUNSEL involved in core compliance processes
      • Risk assessments
      • Policy Development
      • Internal Investigations
      • Devising remedial measures to address violations
    • Include GENERAL COUNSEL in routine reviews of compliance matters (if not the subject)
    • Require consultation with the GENERAL COUNSEL when hiring outside counsel and consultants[11]
    • Determine how GENERAL COUNSEL and CHIEF COMPLIANCE OFFICER will resolve differences of opinion
    • Whistle-blowers have more incentive now to by-pass internal reporting and go directly to the SEC for cash rewards
    • Global banks have announced that they will go in this direction
  • Benefits
    • Improved upward (outward) reporting
    • Assures checks and balances i/r/o GENERAL COUNSEL
    • Even critics of the independent arrangement agree that “it has long been settled that the chief compliance officer, whether also the chief legal officer, should have a direct line of reporting to a board audit committee, which has substantive oversight.”[12]
    • Apparent preferred structure of SEC, HHS, DOJ and OIG[13]OIG (non-binding) compliance program guidelines (HC)
        • “not advisable for the compliance function bot be subordinate to the…general counsel”[14]
        • CHIEF COMPLIANCE OFFICER must be senior management
        • CHIEF COMPLIANCE OFFICER must report to the Board
      • DOJ – prefers separation as evidenced in:
        • Fed Sentencing Guidelines
        • Deferred Prosecution Agreements (DPAs)[15]
        • CHIEF COMPLIANCE OFFICER must be senior management
        • CHIEF COMPLIANCE OFFICER must report to the Board[16]
        • DOJ uses Filip Factors which are a:
          • Flexible Framework to assess Compliance Function
          • Emphasize the Compliance Office’s
            • Stature
            • Compensation
            • Empowerment (concerns heard)
            • Direct Lines to Board[17]
          • Apparent preferred structure in key areas Outside the United States:
            • UK, Brazil and Spain[18]
          • Downside
            • Costs
            • Potential for overzealous, unchecked Compliance
            • CHIEF COMPLIANCE OFFICER may not be a lawyer because large organizations require CHIEF COMPLIANCE OFFICER to be expert in business processes and training.[19]

 Other Considerations

  • Companies that have changed to Independent Model:
  • GM – After faulty ignition issue
  • Walmart
  • Pfizer (under a Corporate Integrity Agreement – CIA, by the OIG)
  • Global Banks
  • Volkswagen
  • Relevant Case (see also, Article Excerpts, below)
  • Caremark – final settlement against the organization was “huge” but Directors shared no liability because of a good faith effort to implement a compliance program (subsequently known as the Caremark test as a benchmark to determine if directors had satisfied their duty of care).[20]Specific Form of compliance program is a matter of business judgment.
    • Business judgment advice from the GENERAL COUNSEL is not privileged

Articles (Including Excerpts)

  1. SEC – Arthur Levitt Speech – The Numbers Game (Sept. 28, 1998

Expresses concerns about financial reporting in general.  Calls for an improved Accounting Framework, improved Outside Auditing and Strengthening the Audit Committee Process.  Establishes a blue ribbon panel to address recommendations to empower Audit Committees.

  1. Hunton & Williams – Errors in Previously Issued Financials (Jan. 16, 2015)

SAB 99 – SEC Staff Accounting Bulletin – Requires analysis of qualitative factors to be addressed (usually in a SAB 99 Memo) whenever “materiality” is invoked as a reason to avoid restatement.  Material errors require Restatement (and 8K); immaterial errors require error be corrected in the next 10K or 10Q.

  1. SEC – Staff Accounting Bulletin No. 99 (SAB 99), Materiality (Aug. 12, 1999)

Materiality – Materiality cannot be reduced to a percentage threshold (see #2 above).

  1. Paul Weiss – DOJ Releases Guidance for Evaluating Corporate Compliance Programs

DOJ Evaluation Guidance for CCPs.  8 Factors:  1. Culture 2. Resources, 3. Personnel, 4. Independence, 5. Tailored to an Effective Risk Assessment, 6. Compensation (of Compliance Personnel), 7. Regular Effectiveness Audits, 8. Reporting Structure within the Company. 

Evaluation Guidance (aka Filip Factors)1. Remediation of Misconduct, 2. Sr./Mgt. Culture, 3. Autonomy and Resources, 4. Policies and Procedures, 5. Risk Assessment, 6. Training, 7. Confidential Reporting, 8. Disciplinary Measures, 9. Testing/Review, 10. Third-Party Management, 11. M&A

  1. DOJ – Evaluation of Corporate Compliance Programs (Feb. 8, 2017)

DOJ does not have a rigid formula to assess Corporate Compliance Programs, but instead applies the Filip Factors (see 1-11 in #4 above).  In 3. Autonomy and Resources – a. Stature and compensation of the compliance function is important, and b. Direct reporting lines to the Board

  1. DOJ – The Fraud Section’s FCPA Enforcement Plan and Guidance ( Apr. 5, 2016)

Encourages companies to Self-disclose (FCPA), fully cooperate, and remediate (their Compliance Programs).  Reductions of up to 50% on Sentencing Guideline fines are available for companies that self-report.

  1. DOJ – Yates Memo – Individual Accountability for Corporate Wrongdoing – Sept. 9, 2015

Seeks accountability from corporate wrongdoing at the individual level.  Corporate credits will require complete information on individuals.  Corporate investigations should focus on individuals from the start.  Corporate resolutions will not provide protection for individuals

  1. Cooley – Evaluating FCPA Pilot Program – A look at SEC Involvement (Apr. 12, 2017)

DOJ announced its FCPA Pilot Program in 2016 (yet, the SEC has played a more prominent role in FCPA).  SEC and DOJ have generally the same guidance in giving credits (self-disclosure, cooperation and remediation), but may assess the factors differently (SEC has an additional 49 questions).

  1. SEC – Seaboard Report (Oct. 23, 2001)

Providing sentencing guideline fine credits benefits investors and the enforcement program.

  1. Gibson Dunn / AES Corp – Learning the Hard Way: Ethics and Compliance Program Lessons Gleaned from Recent US Resolution Agreements (Aug. 8, 2014)

Requirements for effective Compliance Programs include:  1. High level commitment, 2. Policies and Procedures, 3. Risk-based Review, 4. Proper Oversight, 5. Training, 6. Investigation, 7. Enforcement, 8. Third Party Relationships, 9. M&A, 10. Monitoring.

Johnson & Johnson CIA requires:  1. Board Level Compliance Oversight, 2. Board Level Training, and 3. Certification by VPs of various departments (not just the CEO and CFO), requiring a more explicit assignment of responsibility.

Recent Resolution focused specifically on the CHIEF COMPLIANCE OFFICER’s ability to communicate directly with the Board.  DOJ and SEC allow a wide variety of reporting structures, but HHS prefers the CHIEF COMPLIANCE OFFICER to report to the CEO.

Endo Pharmaceuticals CIA and DOJ agreement require:  1. CHIEF COMPLIANCE OFFICER to report to CEO, and 2. CHIEF COMPLIANCE OFFICER to make regular reports to the Board.

HSBC Deferred Prosecution Agreement required the CHIEF COMPLIANCE OFFICER be elevated to the top 50 managers of the firm.

ADM non-prosecution agreement required CHIEF COMPLIANCE OFFICER to 1. Have authority to report directly to independent monitoring bodies (the Board and Internal Audit), 2. Have an adequate level of autonomy from management, 3. Have sufficient resources.

  1. MWE – Coordination of Legal and Compliance (Aug. 7, 2014)[i]

ABA’s Cheeck Report calls for the GENERAL COUNSEL to be responsible for assuring implementation of an effective corporate compliance program.

The failure to delineate duties of CLO and CHIEF COMPLIANCE OFFICER can create confusion, waste and jeopardize attorney-client privilege.  Coordination of roles is required.  CHIEF COMPLIANCE OFFICER should have:  unrestricted ability to interact with regulators, and the ability to engage outside counsel (with the understanding the GENERAL COUNSEL is to be involved (unless there is a conflict).

  1. Compliance Strategists LLC – Structuring the Chief Ethics and Compliance Officer and Compliance Function for Success. (2010)

This compliance consultant warns against hiring a highly visible compliance officer specifically to address historical breaches.  One company with FCPA issues hired and elevated a leader with the title “Chief Compliance Officer for FCPA.”  She argues that elevating one compliance issue over all others, impedes efforts to change a culture and address important compliance issues as they develop.

In addition, she argues that it is imprudent to simply add the CHIEF COMPLIANCE OFFICER title to the General Counsel’s business card.  Five Essential Features of the CHIEF COMPLIANCE OFFICER position are:  1. Empowerment, 2. Independence, (“Levers of independence include reporting line, unfiltered board access, a nondiscretionary escalation clause, an employment agreement, prior board approval required for any change in employment terms (including dismissal), an independent budget, and an adequate staff to properly manage the overall compliance program.”) 3. A Seat at the Table (inclusion in top-management), 4. Line of Sight (ability to perform oversight), 5. Resources

The 2012 PWC State of Compliance Study indicates that the number of CECOs reporting to the General Counsel fell by 6%, from 41% in 2011 to 35% in 2012.

Former federal prosecutor Michael Volkov says “Forward thinking companies are not relying on the general counsel to ensure compliance. They are empowering their [CECOs] by elevating them to senior management. When important business issues come up, the [CECO] is at the table.”

When considering the structure of the CECO position, boards would be well-advised to demand an institutional model that does not depend on the goodwill, personal working relationships, or temperament of an individual GENERAL COUNSEL and CECO—but instead is created with sufficient checks and balances from the outset that structure the CECO position for success.

In a 2009 survey conducted by the Society of Corporate Compliance and Ethics, 55% of CECOs surveyed reported to the CEO.   The CECO-reporting-to-CEO model carries with it automatic levers of independence and empowerment, and for this reason appears to be gaining in favor.

“Q: An ex-SEC official has been quoted as saying that the CECO should not report to the CEO because that is insufficient autonomy from management. Is this a concern?

A: That would be true if there were not a dotted line to the board….”

  1. “Should Compliance Report to the General Counsel?” Society of Corporate Compliance and Ethics (SCCE) and Health Care Compliance Association (HCCA)

Survey Results of Compliance Professionals:

  • 88% are opposed to GENERAL COUNSEL serving as CHIEF COMPLIANCE OFFICER (higher in Health Care)
  • 80% oppose having CHIEF COMPLIANCE OFFICER report to GENERAL COUNSEL
  • “Collaboration, not cohabitation” is the consensus
    1. SEC Probes Departure of PepsiCo’s Top Lawyer – WSJ
  • Allegations are that PepsiCo retaliated against GENERAL COUNSEL for her handling of Russian probe
  • A draft memo by the GENERAL COUNSEL placed blame on certain employees involved in the due diligence process
  • GENERAL COUNSEL was told by CFO not to finalize the memo, and then was fired
    1. Letter to Cardinal Health Shareholders from International Brotherhood of Teamsters, October 2017

Investigation of Alleged Role in Opioid Distribution and Epidemic

  • Failure to report suspicious orders from high-volume pharmacies
  • $100 million in settlements with state attorneys general

Teamsters allege:

  • CEO failed to set “tone at the top”
  • Board has failed in compliance and governance structure
  • After 2012 settlement, in 2014 Board set up committee to review allegations that determined robust systems were in place
  • In 2016, Cardinal allegedly failed to remediate and was assessed a second penalty of $44 million (one year, a pharmacy in a town of 211 people received 309,000 doses of opioids)
  • CEO and Board shifted blame to others in the supply chain
  • CLO was also the CHIEF COMPLIANCE OFFICER and received a bonus in every year 2010-2016, in spite of massive compliance failures
  • Letter calls for vote in Favor of Independent Board Leadership of the company
    1. “Working to Change Compliance Culture at Volkswagen” – WSJ

New CHIEF COMPLIANCE OFFICER at Volkswagen describes changes:

– CHIEF COMPLIANCE OFFICER now reports to the CEO (p. 2)

– CHIEF COMPLIANCE OFFICER now has an independent relationship with the Board – reports to them at least annually (p. 2)

– Ethics and Compliance Committee – Is comprised of senior-level executives and reports directly to the Board (p. 3)

  1. “Why the Compliance Function is Different than the Legal Function” FCPA Compliance & Ethics

  1. “Compliance or Legal? The Board’s Duty to Assure Clarity” Harvard Law School Forum on Corporate Governance and Financial Regulation

  1. “When Compliance and Legal Don’t See Eye to Eye” Corporate Counsel

  1. “Where the Legal and Compliance Functions Intersect” Corporate Counsel

  1. “The Roles of General Counsel and Chief Compliance Officers” Corporate Compliance Insights

  1. “Compliance vs. the Law Department: How to Work Together” Schering-Plough

  1. “The Changing Role of Compliance” Deloitte


  1. “Why Compliance Officers Need Independence” Corporate Compliance Insights

  1. “Pfizer GENERAL COUNSEL Loses Compliance Chief Role Under $2.3B Drug Marketing Settlement” ABA Journal Counsel_loses_compliance_chief_role_under_2.3b_drug_marketing_settlement

  1. “Should General Counsels also be Chief Compliance Officers?” Convercent Global Ethics and Compliance Software website

  1. “The Chief Compliance Officer vs the General Counsel: Friend or Foe? Society of Corporate Compliance and Ethics

  1. “State of Compliance” PwC – 2016

  1. Grant Ostlund – Seton Hall

  1. Baker McKenzie “Independence Day – The Separate and Equal Compliance Department” – Global Comp

  1. “The Chief Legal Officer’s Critical Role in the Compliance Function” Bloomberg News[ii]

  1. “Separating out legal and compliance functions – the view from America” LegalWeek (UK)[iii]

  1. “Let’s Call a Cease-fire in the GENERAL COUNSEL vs. CHIEF COMPLIANCE OFFICER Debate” Corporate Counsel[iv]



[1] The Chief Compliance Officer vs the General Counsel:  Friend or Foe?, p. 4

[2] The Chief Compliance Officer vs the General Counsel:  Friend or Foe?, p. 2

[3] NOTE:  Various surveys differ.  See excerpts articles at end for other survey results.

[4] Baker McKenzie “Independence Day – The Separate and Equal Compliance Department” – Global Comp, p. 4

[5] The Chief Compliance Officer vs the General Counsel:  Friend or Foe?, p. 4

[6] Baker McKenzie “Independence Day – The Separate and Equal Compliance Department” – Global Comp, p. 4

[7] PwC State of Compliance 2016, p. 14

[8] Grant Ostlund – Seton Hall, p. 25-32

[9] Ibid, p. 36

[10] The Chief Compliance Officer vs the General Counsel:  Friend or Foe?, p. 4

[11] The Chief Compliance Officer vs the General Counsel:  Friend or Foe?, p.5

[12] The Chief Compliance Officer vs the General Counsel:  Friend or Foe?, p. 2

[13] Grant Ostlund – Seton Hall, p. 32-3

[14] Ibid, p. 33

[15] Ibid, p. 35

[16] Ibid, p. 36

[17] DOJ – Evaluation of Corporate Compliance Programs, Feb. 8, 2017

[18] Baker McKenzie “Independence Day – The Separate and Equal Compliance Department” – Global Comp

[19] The Chief Legal Officer’s Critical Role in the Compliance Function, Bloomberg, p. 7 of 13

[20] Grant Ostlund, Seton Hall, p. 6

[i] Article warns of problems relating to CHIEF COMPLIANCE OFFICER independence

[ii] Ibid

[iii] Ibid

[iv] Ibid