20138 Advanced Company & Business Law

Class 13

In re Citigroup Inc. Shareholder Derivative Litigation*

Delaware Court of Chancery, 2009
964 A.2d 106

As stated in Caremark, Delaware companies’ boards are required to employ reasonable in-
formation and reporting systems designed to put them on notice of potential illegal activity
within the firm such as fraudulent or criminal conduct. In other words, directors have the
duty to establish an effective legal compliance program that covers, at the very least, the most
important laws and regulations to which the corporation is subject in order to prevent wrong-
doing that may result in criminal penalties and/or substantial losses.
That involves directors’ duty of oversight over legal risks. In the following case the plaintiffs
sought to extend the Caremark principle to oversight over business risks.

CHANDLER, Chancellor
This is a shareholder derivative action brought on behalf of Citigroup Inc. (“Citigroup” or the
“Company”), seeking to recover for the Company its losses arising from exposure to the subprime
lending market. Plaintiffs, shareholders of Citigroup, brought this action against current and former
directors and officers of Citigroup, alleging, in essence, that the defendants breached their fiduciary
duties by failing to properly monitor and manage the risks the Company faced from problems in the
subprime lending market and for failing to properly disclose Citigroup’s exposure to subprime assets.
Plaintiffs allege that there were extensive “red flags” that should have given defendants notice of the
problems that were brewing in the real estate and credit markets and that defendants ignored these
warnings in the pursuit of short term profits and at the expense of the Company’s long term viability.
Defendants in this action are current and former directors and officers of Citigroup. The com-
plaint names thirteen members of the Citigroup board of directors […]. Plaintiffs allege that a majority
of the director defendants were members of the Audit and Risk Management Committee (“ARM
Committee”) in 2007 and were considered audit committee financial experts […].
Plaintiffs allege that since as early as 2006, defendants have caused and allowed Citigroup to
engage in subprime lending that ultimately left the Company exposed to massive losses by late 2007.
Beginning in late 2005, house prices, which many believe were artificially inflated by speculation
and easily available credit, began to plateau, and then deflate. Adjustable rate mortgages issued earlier
in the decade began to reset, leaving many homeowners with significantly increased monthly pay-
ments. Defaults and foreclosures increased, and assets backed by income from residential mortgages
began to decrease in value. By February 2007, subprime mortgage lenders began filing for bankruptcy
and subprime mortgages packaged into securities began experiencing increasing levels of delin-
quency. In mid-2007, rating agencies downgraded bonds backed by subprime mortgages.

*
Footnotes omitted.

Università Bocconi Spring 2021

1
 20138 Advanced Company & Business Law
Class 13

Much of Citigroup’s exposure to the subprime lending market arose from its involvement with
collateralized debt obligations (“CDOs”)--repackaged pools of lower rated securities that Citigroup
created by acquiring asset-backed securities, including residential mortgage backed securities
(“RMBSs”), and then selling rights to the cash flows from the securities in classes, or tranches, with
different levels of risk and return. Included with at least some of the CDOs created by Citigroup was
a “liquidity put”--an option that allowed the purchasers of the CDOs to sell them back to Citigroup at
original value. […]
Plaintiffs allege that defendants are liable to the Company for breach of fiduciary duty for
(1) failing to adequately oversee and manage Citigroup’s exposure to the problems in the subprime
mortgage market, even in the face of alleged “red flags” and (2) failing to ensure that the Company’s
financial reporting and other disclosures were thorough and accurate. [T]he “red flags” alleged in the
eighty-six page Complaint are generally statements from public documents that reflect worsening
conditions in the financial markets, including the subprime and credit markets, and the effects those
worsening conditions had on market participants, including Citigroup’s peers. […]
Plaintiffs’ argument is based on a theory of director liability famously articulated by former-
Chancellor Allen in In re Caremark.
With regard to director liability standards, the Court distinguished between (1) “a board deci-
sion that results in a loss because that decision was ill advised or ‘negligent’” and (2) “an unconsid-
ered failure of the board to act in circumstances in which due attention would, arguably, have pre-
vented the loss.” In the former class of cases, director action is analyzed under the business judgment
rule, which prevents judicial second guessing of the decision if the directors employed a rational
process and considered all material information reasonably available--a standard measured by con-
cepts of gross negligence. […]
In the latter class of cases, where directors are alleged to be liable for a failure to monitor
liability creating activities, the Caremark Court […] stated that while directors could be liable for a
failure to monitor, “only a sustained or systematic failure of the board to exercise oversight--such as
an utter failure to attempt to assure a reasonable information and reporting system exists--will estab-
lish the lack of good faith that is a necessary condition to liability.” […]

Thus, to establish oversight liability a plaintiff must show that the directors knew they were not
discharging their fiduciary obligations or that the directors demonstrated a conscious disregard for
their responsibilities such as by failing to act in the face of a known duty to act. The test is rooted in
concepts of bad faith; indeed, a showing of bad faith is a necessary condition to director oversight
liability.

Plaintiffs’ theory of how the director defendants will face personal liability is a bit of a twist on
the traditional Caremark claim. In a typical Caremark case, plaintiffs argue that the defendants are
liable for damages that arise from a failure to properly monitor or oversee employee misconduct or
violations of law. For example, in Caremark the board allegedly failed to monitor employee actions
in violation of the federal Anti-Referral Payments Law […].

Università Bocconi Spring 2021

2
 20138 Advanced Company & Business Law
Class 13

In contrast, plaintiffs’ Caremark claims [in the present case] are based on defendants’ alleged
failure to properly monitor Citigroup’s business risk, specifically its exposure to the subprime mort-
gage market. [P]laintiffs allege that the director defendants are personally liable under Caremark for
failing to “make a good faith attempt to follow the procedures put in place or fail[ing] to assure that
adequate and proper corporate information and reporting systems existed that would enable them to
be fully informed regarding Citigroup’s risk to the subprime mortgage market.” Plaintiffs point to so-
called “red flags” that should have put defendants on notice of the problems in the subprime mortgage
market and further allege that the board should have been especially conscious of these red flags
because a majority of the directors […] were members of the ARM Committee and considered finan-
cial experts.
Although these claims are framed by plaintiffs as Caremark claims, plaintiffs’ theory essen-
tially amounts to a claim that the director defendants should be personally liable to the Company
because they failed to fully recognize the risk posed by subprime securities. When one looks past the
lofty allegations of duties of oversight and red flags used to dress up these claims, what is left appears
to be plaintiff shareholders attempting to hold the director defendants personally liable for making
(or allowing to be made) business decisions that, in hindsight, turned out poorly for the Company.
Delaware Courts have faced these types of claims many times and have developed doctrines to deal
with them-- the fiduciary duty of care and the business judgment rule. These doctrines properly focus
on the decision-making process rather than on a substantive evaluation of the merits of the decision.
This follows from the inadequacy of the Court, due in part to a concept known as hindsight bias, to
properly evaluate whether corporate decision-makers made a “right” or “wrong” decision.
The business judgment rule “is a presumption that in making a business decision the directors
of a corporation acted on an informed basis, in good faith and in the honest belief that the action taken
was in the best interests of the company.” The burden is on plaintiffs, the party challenging the direc-
tors' decision, to rebut this presumption. Thus, absent an allegation of interestedness or disloyalty to
the corporation, the business judgment rule prevents a judge or jury from second guessing director
decisions if they were the product of a rational process and the directors availed themselves of all
material and reasonably available information. The standard of director liability under the business
judgment rule “is predicated upon concepts of gross negligence.”
Additionally, Citigroup has adopted a provision in its certificate of incorporation pursuant to
[DGCL] § 102(b)(7) that exculpates directors from personal liability for violations of fiduciary duty,
except for, among other things, breaches of the duty of loyalty or actions or omissions not in good
faith or that involve intentional misconduct or a knowing violation of law. Because the director de-
fendants are “exculpated from liability for certain conduct, ‘then a serious threat of liability may only
be found to exist if the plaintiff pleads a non-exculpated claim against the directors based on particu-
larized facts.’” Here, plaintiffs have not alleged that the directors were interested in the transaction
and instead root their theory of director personal liability in bad faith. […]
To the extent the Court allows shareholder plaintiffs to succeed on a theory that a director is
liable for a failure to monitor business risk, the Court risks undermining the well settled policy of
Delaware law by inviting Courts to perform a hindsight evaluation of the reasonableness or prudence
of directors’ business decisions. Risk has been defined as the chance that a return on an investment
will be different than expected. The essence of the business judgment of managers and directors is

Università Bocconi Spring 2021

3
 20138 Advanced Company & Business Law
Class 13

deciding how the company will evaluate the trade-off between risk and return. Businesses--and par-
ticularly financial institutions--make returns by taking on risk; a company or investor that is willing
to take on more risk can earn a higher return. Thus, in almost any business transaction, the parties go
into the deal with the knowledge that, even if they have evaluated the situation correctly, the return
could be different than they expected.
It is almost impossible for a court, in hindsight, to determine whether the directors of a company
properly evaluated risk and thus made the “right” business decision. In any investment there is a
chance that returns will turn out lower than expected, and generally a smaller chance that they will be
far lower than expected. When investments turn out poorly, it is possible that the decision-maker
evaluated the deal correctly but got “unlucky” in that a huge loss--the probability of which was very
small--actually happened. It is also possible that the decision-maker improperly evaluated the risk
posed by an investment and that the company suffered large losses as a result.
Business decision-makers must operate in the real world, with imperfect information, limited
resources, and an uncertain future. To impose liability on directors for making a “wrong” business
decision would cripple their ability to earn returns for investors by taking business risks. Indeed, this
kind of judicial second guessing is what the business judgment rule was designed to prevent, and even
if a complaint is framed under a Caremark theory, this Court will not abandon such bedrock principles
of Delaware fiduciary duty law. […]
In this case, plaintiffs allege that the defendants are liable for failing to properly monitor the
risk that Citigroup faced from subprime securities. […]
The allegations in the Complaint amount essentially to a claim that Citigroup suffered large
losses and that there were certain warning signs that could or should have put defendants on notice of
the business risks related to Citigroup's investments in subprime assets. Plaintiffs then conclude that
because defendants failed to prevent the Company's losses associated with certain business risks, they
must have consciously ignored these warning signs or knowingly failed to monitor the Company's
risk in accordance with their fiduciary duties. Such conclusory allegations, however, are not sufficient
to state a claim for failure of oversight that would give rise to a substantial likelihood of personal
liability, which would require particularized factual allegations demonstrating bad faith by the direc-
tor defendants.
Plaintiffs do not contest that Citigroup had procedures and controls in place that were designed
to monitor risk. Plaintiffs admit that Citigroup established the ARM Committee and in 2004 amended
the ARM Committee charter to include the fact that one of the purposes of the ARM Committee was
to assist the board in fulfilling its oversight responsibility relating to policy standards and guidelines
for risk assessment and risk management. The ARM Committee was also charged with, among other
things, (1) discussing with management and independent auditors the annual audited financial state-
ments, (2) reviewing with management an evaluation of Citigroup’s internal control structure, and (3)
discussing with management Citigroup’s major credit, market, liquidity, and operational risk expo-
sures and the steps taken by management to monitor and control such exposures, including
Citigroup’s risk assessment and risk management policies. According to plaintiffs’ own allegations,
the ARM Committee met eleven times in 2006 and twelve times in 2007.
Plaintiffs nevertheless argue that the director defendants breached their duty of oversight either
because the oversight mechanisms were not adequate or because the director defendants did not make

Università Bocconi Spring 2021

4
 20138 Advanced Company & Business Law
Class 13

a good faith effort to comply with the established oversight procedures. To support this claim, the
Complaint alleges numerous facts that plaintiffs argue should have put the director defendants on
notice of the impending problems in the subprime mortgage market and Citigroup’s exposure
thereto. Plaintiffs summarized some of these “red flags” […] as follows:
− the steady decline of the housing market and the impact the collapsing bubble would
have on mortgages and subprime backed securities since as early as 2005;
− December 2005 guidance from the Financial Stability Board staff—“The FASB staff is
aware of loan products whose contractual features may increase the exposure of the
originator, holder, investor, guarantor, or servicer to risk of nonpayment or realization;”
− the drastic rise in foreclosure rates starting in 2006;
− several large subprime lenders reporting substantial losses and filing for bankruptcy
starting in 2006;
− billions of dollars in losses reported by Citigroup’s peers, such as Bear Stearns and
Merrill Lynch.
[…] The warning signs alleged by plaintiffs are not evidence that the directors consciously
disregarded their duties or otherwise acted in bad faith; at most they evidence that the directors made
bad business decisions. The “red flags” in the Complaint amount to little more than portions of public
documents that reflected the worsening conditions in the subprime mortgage market and in the econ-
omy generally. Plaintiffs fail to plead “particularized facts suggesting that the Board was presented
with ‘red flags’ alerting it to potential misconduct” at the Company. That the director defendants
knew of signs of a deterioration in the subprime mortgage market, or even signs suggesting that con-
ditions could decline further, is not sufficient to show that the directors were or should have been
aware of any wrongdoing at the Company or were consciously disregarding a duty somehow to pre-
vent Citigroup from suffering losses. Nothing about plaintiffs’ “red flags” supports plaintiffs’ con-
clusory allegation that “defendants have not made a good faith attempt to assure that adequate and
proper corporate information and reporting systems existed that would enable them to be fully in-
formed regarding Citigroup’s risk to the subprime mortgage market.” Indeed, plaintiffs’ allegations
do not even specify how the board’s oversight mechanisms were inadequate or how the director de-
fendants knew of these inadequacies and consciously ignored them. Rather, plaintiffs seem to hope
the Court will accept the conclusion that since the Company suffered large losses, and since a properly
functioning risk management system would have avoided such losses, the directors must have
breached their fiduciary duties in allowing such losses. […]
Director oversight duties are designed to ensure reasonable reporting and information systems
exist that would allow directors to know about and prevent wrongdoing that could cause losses for
the Company. There are significant differences between failing to oversee employee fraudulent or
criminal conduct and failing to recognize the extent of a Company's business risk. Directors should,
indeed must under Delaware law, ensure that reasonable information and reporting systems exist that
would put them on notice of fraudulent or criminal conduct within the company. Such oversight pro-
grams allow directors to intervene and prevent frauds or other wrongdoing that could expose the
company to risk of loss as a result of such conduct. While it may be tempting to say that directors
have the same duties to monitor and oversee business risk, imposing Caremark-type duties on direc-
tors to monitor business risk is fundamentally different. Citigroup was in the business of taking on

Università Bocconi Spring 2021

5
 20138 Advanced Company & Business Law
Class 13

and managing investment and other business risks. To impose oversight liability on directors for fail-
ure to monitor “excessive” risk would involve courts in conducting hindsight evaluations of decisions
at the heart of the business judgment of directors. Oversight duties under Delaware law are not de-
signed to subject directors, even expert directors, to personal liability for failure to predict the future
and to properly evaluate business risk.
Instead of alleging facts that could demonstrate bad faith on the part of the directors, by pre-
senting the Court with the so called “red flags,” plaintiffs are inviting the Court to engage in the exact
kind of judicial second guessing that is proscribed by the business judgment rule. In any business
decision that turns out poorly there will likely be signs that one could point to and argue are evidence
that the decision was wrong. Indeed, it is tempting in a case with such staggering losses for one to
think that they could have made the “right” decision if they had been in the directors’ position. This
temptation, however, is one of the reasons for the presumption against an objective review of business
decisions by judges, a presumption that is no less applicable when the losses to the Company are
large. […]

CONCLUSION

Citigroup has suffered staggering losses, in part, as a result of the recent problems in the United
States economy, particularly those in the subprime mortgage market. It is understandable that inves-
tors, and others, want to find someone to hold responsible for these losses, and it is often difficult to
distinguish between a desire to blame someone and a desire to force those responsible to account for
their wrongdoing. Our law, fortunately, provides guidance for precisely these situations in the form
of doctrines governing the duties owed by officers and directors of Delaware corporations. This law
has been refined over hundreds of years, which no doubt included many crises, and we must not let
our desire to blame someone for our losses make us lose sight of the purpose of our law. Ultimately,
the discretion granted directors and managers allows them to maximize shareholder value in the long
term by taking risks without the debilitating fear that they will be held personally liable if the company
experiences losses. This doctrine also means, however, that when the company suffers losses, share-
holders may not be able to hold the directors personally liable.

Università Bocconi Spring 2021

6