Part II of this article will appear in the April issue of The Metropolitan Corporate Counsel.
Right now, an employee of your company is breaking the law by exploiting the gaps in your compliance process. He has found a way to take advantage of the expectations of his supervisors that everyone is honest and above-board. He is going to benefit himself at the expense of the company. The company's reputation built through years of effort will be shredded on the front page of the Wall Street Journal. The worst part of it is, your very busy compliance department will not even recognize this threat until the company has discovered the problem and shifted to damage control mode - in short, when it's too late.
That's the scenario that should be running through the head of every executive responsible for corporate compliance, which, properly understood, means every executive. This is not to say that businesses should be so burdened by a totalitarian snare of compliance processes that they turn into a compliance business, rather than a profit-making enterprise. Something closer to the opposite may be true because, in many ways, a properly targeted compliance regime can actually diminish the expense and distraction of compliance efforts. To understand why many current compliance regimes do not work to achieve their goals, it pays to step back and review the many purposes of compliance programs, and how we got to this point in the interplay between business and regulation.
What Is "Compliance"?
Compliance is what a company does to police itself when no one is looking. The compliance program's direct goal is keeping the company and its employees within the law. Compliance programs work by training employees about regulations and the company's procedures, by monitoring employees' conduct, and by punishing violations. That will all seem obvious to any sophisticated reader of this journal, but the accretion of bureaucracy and muddled thinking in this area routinely leads companies into wasteful and counter-productive exercises that distract employees and detract from meaningful compliance efforts.
To understand why, some history is in order. While the principle of corporate criminal liability goes back more than 100 years1, formal compliance programs are creatures of the more recent past, outgrowths of the intense regulation in the securities industry that have gradually spread throughout the economy.2 This formalization has closely followed the increased governmental focus on the effectiveness of a company's response to compliance violations. More recently, attention has turned to a company's ability to proactively detect problems and to create a compliant and ethical culture with a presence at all organizational levels. Compliance programs appearing in the 1970s and 1980s were largely in response to highly publicized incidents involving bribery, insider trading, and defense contractor issues.3 The promulgation of the Sentencing Guidelines for Organizations in 1991 made clear that the strength of a company's compliance program could have a significant impact on its treatment by the government in the course of an investigation. Guidance issued by governmental agencies such as the Department of Justice, the SEC, and the EPA have made the same point. More recent actions, such as the amendments to the Sentencing Guidelines in 2004 and the McNulty memorandum, have provided further insight into what factors the government considers most important in an effective compliance program which, in turn, will likely influence the shape of current compliance programs.4
The most important misconception about compliance is that it is primarily the responsibility of the compliance department. In healthy corporate cultures, compliance is the responsibility of all employees, especially senior business leaders who must serve as both compliance participants and compliance models. As a practical matter, only senior business leaders can set or change the culture to value compliance.
In addition to its direct purpose, compliance programs have significant indirect purposes: assurance for the investing public and insurance from the government. Properly executed, compliance programs are a subtle form of advertising telling investors in this scandal-weary age that the company has a strong commitment to avoiding scandal. Effective compliance programs can also deflect regulators and prosecutors from seeking sanctions against the company when it can appropriately claim that it took all reasonable measures to prevent a violation.5
But how effective and cost-effective are companies' compliance efforts? Especially in regulated industries, but in many other businesses as well, companies have evolved massive compliance structures, heavy in head count and outside vendor costs. Companies have invested in automated systems to check customers' bona fides, avoid trading by restricted employees, review employee spending and provide other controls -some of which must be certified by independent accountants.6 Employees can be deluged with training on everything from international trade controls to ergonomics. Some of these efforts, like the classically derided excesses of "defensive medicine," stem from the natural desire to protect the company by making clear legal violations also violated company policy and training.
At many large public companies, however, these compliance efforts have hit a wall. Employees reach the limits of rote absorption of unfamiliar compliance materials that do not directly impact their "real jobs." The costs multiply from erecting the systems, both mechanical and human, to vet millions of transactions for potential money laundering, abuses of travel and lodging policies, potential insider trading or document retention.7 Those costs include the distraction of law- and policy-abiding employees from the main object of making money for the company.
Where Do Compliance Systems Go Wrong?
Despite these massive investments in process compliance, significant companies with strong corporate cultures continue to suffer serious violations by their employees with dramatic consequences.8 One is tempted to chalk this up to the human condition and accept the premise that even the best compliance structure will suffer defeats along with victories. While that premise is certainly true, and a familiar argument of every company facing investigation, it does not address the question of whether the current compliance structure is actually cutting down on violations.
This is not to propose a "law and economics" trade-off between absolute compliance and utter criminality, rather it is to expose where compliance thinking gets stuck. Current compliance efforts are too long on process and too short on analysis. In short: compliance officers are prepared to think like accountants, when they need to think more like investigators. This is a gross overgeneralization - since, of course, regimented processes do play a valuable role in both uncovering and deterring fraud and other violations (not to mention that certain processes are required by law and regulation). There is, nonetheless, an important truth in this observation and significant added value to the company from supplementing its required routine compliance processes with the traditional intrusive skepticism that drives law enforcement.1See New York Cent. & H.H.R. Co. v. U.S., 212 U.S. 481 (1909) (holding a corporation punishable by fine for the criminal actions of employees which ultimately benefited the corporation financially).
2See, e.g., Securities Act Amendments of 1964, Pub. L. No. 88-467, 78 Stat. 565 (1964) (expanding the reach of the 1934 Securities Exchange Act reporting, proxy, and trading provisions to previously unregulated corporations), Williams Act Amendments of the 1934 Act, Pub. L. No. 90-439, 82 Stat. 454 (1968) (amending the Securities and Exchange Act of 1934 to require mandatory disclosure of information relating to cash tender offers). See also Jeffrey D. Bauman, Loss and Seligman on Securities Regulation: An Essay for Don Schwartz, 78 Geo. L.J. 1753 (1990) (reviewing Louis Loss and Joel Seligman, Securities Regulation (1989)) (stating that securities regulation "emerged as a major field of law in the 1960s and early 1970s. During this period, the securities markets grew at a substantial rate, the SEC published several major studies, Congress enacted numerous pieces of legislation, and the judiciary handed down expansive interpretations of the federal securities laws").
3See Rebecca Walker, The Evolution of the Law of Corporate Compliance in the United States: A Brief Overview, Practising Law Institute, Corporate Law and Practice Course Handbook Series, 1561 PLI/Corp 13, 17-18 (September 2006) (citing other sources).
4See United States Sentencing Guidelines Manual 8B2.1 (listing specific minimum requirements for organizations to adhere to in order to promote "an organizational culture that encourages ethical conduct and a commitment to compliance with the law"); United States Department of Justice, Memorandum Regarding Principles of Federal Prosecution of Business Organizations (Dec. 12, 2006), available at www.usdoj.gov/dag/speech/2006/mcnulty_memo.pdf (describing factors that prosecutors should take into consideration including "whether the corporation has established corporate governance mechanisms that can effectively detect and prevent misconduct," if corporate directors "exercise independent review over proposed corporate actions rather than unquestioningly ratifying officers' recommendations," and whether internal audit functions are conducted at a level "sufficient to ensure their independence and accuracy").
5See United States Sentencing Guidelines Manual 8B2.1, cmt. Background (stating that " the prior diligence of an organization in seeking to prevent and detect criminal conduct has a direct bearing on the appropriate penalties and probation terms for the organization if it is convicted and sentenced for a criminal offense"); United States Department of Justice, Memorandum Regarding Principles of Federal Prosecution of Business Organizations (Dec. 12, 2006), available at www.usdoj.gov/dag/speech/2006/mcnulty_memo.pdf (recommending that prosecutors should consider the sufficiency and effectiveness of a corporation's compliance program when evaluating the extent of the corporation's liability for illegal acts of its employees.), 8 SEC Report of Investigation, Exchange Release Act No. 34-44969 (Oct. 23, 2001), available at www.sec.gov/litigation/investreport/34-44969.htm (listing factors that the SEC will consider in determining how much credit it may give an organization for self-policing, self-reporting, remediation, and cooperation agency's investigation).
6See Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 404, 116 Stat. 745 (2002).
7See Stephen L. Carlson and Frank A. Fernandez, The Costs of Compliance in the U.S. Securities Industry, 7 SIA Res. Rep. 3 ( Feb. 22, 2006), available at www.sia.com/research/pdf/RsrchRprtVol7-2.pdf (finding that, with respect to the U.S. securities industry, "the cost of compliance has risen rapidly, nearly doubling in the past three years, to reach an estimated annual total of more than $25 billion in 2005, up from $13 billion in 2002.")
8See, e.g., Avery Johnson, Kara Scannell, and Jon Kamp, J&J Reports Improper Payments - Drug Firm Tells Regulators Of Expenditures Overseas; A Senior Executive Resigns, Feb. 13, 2007, at A20 (reporting on the voluntary disclosure by Johnson & Johnson that its subsidiaries may have made improper payments in two countries relating to the sale of medical devices and that a senior official at the company is resigning over the probe.); Laurie J. Flynn, Apple Says Jobs Knew Of Options, N.Y. Times, Oct. 5, 2006, at C1 (reporting that Apple Computer's chief executive "knew that the company was backdating some stock options granted to employees to inflate their value"); Greg Farrell, Morgan Stanley agrees to $15M fine; Firm accused of not cooperating with SEC, USA Today, May 11, 2006, at 2B (summarizing Morgan Stanley's agreement to pay a record $15 million fine to the SEC to settle charges that it failed to diligently search for and produce electronic information to the agency and that it made misstatements related to the production of this information).
Published March 1, 2007.