Cannabis, Compliance, and Trust
Friday, July 26, 2019Kenneth Jull, Jonathan James NehmetallahCannabis, LitigationCannabis Laws, Compliance, Marijuana
Health Canada is investigating CannTrust for growing over ten thousand kilograms of cannabis in unlicensed rooms between October, 2018 and March, 2019. The Globe and Mail reported this week that allegedly the chairman and CEO of CannTrust were made aware of these growing rooms at least seven months before Health Canada began its investigation.[1]
CannTrust’s conduct, and the current Health Canada investigation, raise legal questions regarding risk analysis, the duty to cease the non-compliant activity once it is discovered, and whether there is a duty to report the non-compliant activity once it is discovered.
Zone of non-discovery by the Regulator
A company may discover non-compliant behavior in the “‘zone of non-discovery by government,’ where regulators have no knowledge of the issue.”[2] Temporally, the zone of non-discovery may be a narrow window in time. Government investigations are often begun after a whistleblower reports the misconduct up the ladder internally, prompt action is not taken to ameliorate the misconduct, and the whistleblower reports to regulatory authorities.
Risk of getting caught as a prohibitive factor
It appears from the Globe and Mail article that through their conduct, CannTrust may have been weighing the risks of getting caught against the profits the allegedly non-compliant activity would bring. However, as Archibald and Jull write, “in the zone of non-discovery, it is not appropriate…to consider the risk of getting caught as weighed against permitting the improper activity to continue.”[3] Of course, in some regulatory matters, there will be grey areas subject to interpretation: in these cases, a risk analysis is an appropriate tool. However, in the case where the rule is clear, a risk analysis should not weigh the chances an organization will get caught in their misconduct.
As Jull and Archibald write, the International Chamber of Commerce (ICC) cautions (in the antitrust context) that a risk calculation regarding chances of being caught should not be a factor in a risk matrix analysis:
“There is, in the field of antitrust, a distinction to be made between managing risk around (i) outright prohibitions/illegal practices and (ii) “grey areas” in respect of which companies may legitimately seek specialist antitrust advice on the feasibility/legality of contemplated commercial options (eg. of potential foreclosure effects of trade terms or joint venture agreements).
In addressing risks around hard core/clear violations, meaningful corporate commitment to compliance must include a clear ban on manifestly illegal conduct: the ‘likelihood’ of enforcement action should never be viewed as a relevant factor in determining risk (i.e., there should be no ‘cost-benefit’ analysis of compliance where a certain activity is clearly illegal).”[4]
The chairman and CEO of CannTrust allegedly were told via email that the company was growing cannabis in unlicensed rooms. The Cannabis Act is clear that rooms in which cannabis will be grown must be licensed.[5] The executives in their emails noted that Health Canada had been slow in licensing the rooms, that Health Canada had not inquired about the additional rooms, and that CannTrust had gotten “lucky” in not getting caught in their non-compliance. These factors should not have been part of the risk analysis of continuing non-compliant activity, as operating unlicensed rooms ran contrary to the Cannabis Act.
There are some claims that CannTrust may have concealed the rooms by moving them or hanging false walls to conceal them. If this is true, much like the Volkswagen emissions scandal, where Volkswagen developed and concealed the defeat devices used to cheat on emissions tests, CannTrust’s actions may be characterized as a “defeat tactic.” By taking actions to conceal the rooms, CannTrust may have tried to “defeat” the regulator to make it more difficult for Health Canada to discover the breach. But for the whistleblower, the violation may not have been discovered – which should not have been a factor in the risk analysis.
Duty to cease activity?
Once management discovers the illicit activity, the organization has a duty to cease that activity. Jull and Archibald note that professional requirements for lawyers and auditors require that the lawyer or auditor report any discovered illegal or non-compliant activity to the senior officers of the organization in ascending order.[6] Lawyers must withdraw from acting if the corporation indicates they intend to proceed with the matter. Auditors and accountants must also communicate the information to management, and may even be liable for not detecting the red flags of non-compliant activity.[7]
The fact that professionals, once they detect illegal or non-compliant activities, are obligated to report those activities to management and advise management to cease those activities showcases that there is an obligation for corporations to cease the non-compliant activity once it is discovered. The Volkswagen emissions scandal confirms this analysis. Executives at Volkswagen knew about the emissions plot for years before the scandal was revealed, and did not stop it, which was likely an aggravating factor in corporate and personal liability. As such, failing to cease illicit activity, as CannTrust did, can open the corporation to governmental investigations and liability.
Duty to report?
There are some statutory requirements in Canada “to report violations of the law to authorities.” Environmental violations and material changes that could affect share values of a publically traded company should be reported to authorities.[8]
In the case of CannTrust, their potential duty to self-report once the transgression was reported to management is not as clear-cut. The breach was clearly not environmental in nature, and under this requirement would not need to have been reported. However, if the regulatory breach was a material change which could have affected share values, then it ought to have been reported to the authorities and the market. To determine whether the fact or change at hand is “material” and thus necessary to disclose to the market, companies may need to embark on “a risk assessment of suspected or proven practices,” which “can lead to the identification of activities arguably ‘material’ in character.” In other words, if the fact or change is “reasonably expected to have a significant effect on the market price of the securities of the issuer,” it should be reported.[9]
Self-reporting also has potential to be a mitigating factor. For example, a middle ground may be advisable, where the company self-reports the existence of an internal investigation to the market and the relevant authorities – while caveating that no conclusions have been reached and that the investigation is ongoing.[10]
Availability of Deferred Prosecution Agreements and Safe Harbours
The SNC-Lavalin affair put the spotlight on deferred prosecution (remediation) agreements for Criminal Code offences. The CannTrust case puts the spotlight on the potential for deferred prosecutions in regulatory offences. The new legislation for remedial agreements is not directed to apply to regulatory offences. Yet, the same logic of encouraging disclosure of wrongdoing from the zone of non-discovery applies.
In the same way, regulatory authorities who can seek administrative monetary penalties have not created models for deferred penalty agreements. The new legislation for remedial agreements applies to criminal offences and not administrative penalties. Yet, similar to regulatory offences, the same logic of encouraging disclosure of wrongdoing from the zone of non-discovery applies.
We would encourage both federal and provincial governments to study the use of deferred penalty programmes for organizations and individuals to encourage voluntary disclosure from the zone of non-discovery.
Going Forward
In light of this recent legal development, Canadian corporations should consult counsel when considering developing a risk analysis, upon discovering anti-compliant activities, or considering whether to self-report compliance breaches. Gardiner Roberts LLP Compliance Risk Solutions Group is able to advise on all matters of compliance and regulation.
Please do not hesitate to contact us if you have questions or concerns regarding these developments, the application of the Cannabis Act and its regulations, and how each may affect your business operations.
Authors
Kenneth Jull, Jonathan Nehmetallah, Nicole Spadotto
[1] http://globe2go.newspaperdirect.com/epaper/viewer.aspx?noredirect=true
[2] Todd L Archibald and Kenneth E Jull, “Profiting From Risk Management and Compliance” (Toronto: Thompson Reuters) at INT-128.
[3] Todd L Archibald and Kenneth E Jull, “Profiting From Risk Management and Compliance” (Toronto: Thompson Reuters) at INT-129.
[4] Todd L Archibald and Kenneth E Jull, “Profiting From Risk Management and Compliance” (Toronto: Thompson Reuters) at 7-12 (quoting the ICC Toolkit).
[5] Cannabis Act Regulations Rule 14.
[6] Todd L Archibald and Kenneth E Jull, “Profiting From Risk Management and Compliance” (Toronto: Thompson Reuters) at INT-135-136.
[7] Todd L Archibald and Kenneth E Jull, “Profiting From Risk Management and Compliance” (Toronto: Thompson Reuters) at INT-136.
[8] Todd L Archibald and Kenneth E Jull, “Profiting From Risk Management and Compliance” (Toronto: Thompson Reuters) at INT-137.
[9] Todd L Archibald and Kenneth E Jull, “Profiting From Risk Management and Compliance” (Toronto: Thompson Reuters) at INT-137.
[10] Todd L Archibald and Kenneth E Jull, “Profiting From Risk Management and Compliance” (Toronto: Thompson Reuters) at INT-138.