Corporate governance in an era of compliance.


Corporate governance is the set of mechanisms by which corporations are directed and controlled. On this definition there is widespread agreement, both among academics (141) and governance authorities. (142) And from this definition, the overlap between compliance and governance is clear: both compliance and governance lay claim to internal mechanisms of control. (143) The overlap is not total. Compliance lays no claim, for example, to questions such as how to design or improve products or how to finance operations. Nevertheless, basic compliance mechanisms--such as the design of policies and procedures, monitoring, and enforcement--feed back into fundamental business operations of a firm to such an extent that compliance resembles a "universal corporate governance activity" (144) and some firms, recognizing the overlap, have merged their governance, risk, and control functions. (145)

Of course, overlap does not necessarily imply conflict. If compliance and governance had wholly consistent objectives, they could be seen as complementary means of achieving the same ends. However, this is not the case. Compliance and governance come from different places and serve different interests. Compliance cannot be explained by reference to traditional governance authorities, whether the board of directors, state corporate law, or federal securities law. Rather, compliance is sui generis. Far from being subsumed by governance, it is closer to the truth to say that compliance supplants traditional corporate governance modalities.

A. The Board of Directors and Compliance

The board of directors is the fundamental endogenous corporate governance mechanism and the source of management authority within firms. (146) The board can delegate this authority, and corporate management derives its authority from a delegation of the board. (147) However, the board retains primary authority over the firm, with the power to alter firm governance at will, subject only to the strictures contained in the charter and bylaws. (148) By contrast, compliance does not arise from a delegation of the board, nor is the compliance function wholly subordinate to the board, as other management structures are. Rather, compliance arises from an exogenous source that abrogates board authority.

In one sense, compliance is plainly subject to the authority of the board. CCOs report to the board, not vice-versa, and board committees oversee compliance staffing and budgets. In a deeper sense, however, authority means the power to decide. As a result, the question of the authority of compliance vis-a-vis the board ultimately resolves into the question whether the board has the authority to decide not to implement a compliance function. If so, then boards retain full primacy over compliance, and compliance can be viewed as a simple delegation of board authority. But if boards must erect a compliance function, then the development of compliance has in fact supplanted some authority of the board.

In some industries, the answer is simple. Boards must install a compliance function, and it must comport with regulatory demands. For example, banks must have a compliance function pursuant to dictates of the Federal Reserve. (149) Similarly, securities law requires investment advisers to maintain a compliance function. (150) In such industries, because boards in fact cannot decide whether to install compliance, the board must be seen to have ceded some degree of authority over intrafirm governance to the compliance function. (151)

In industries where a regulatory authority does not formally mandate compliance, the federal government still imposes compliance obligations through the Guidelines and enforcement tactics. (152) In some cases, these are in fact mandates. As already noted, prosecutors often require the installation of robust compliance programs for firms entering DPAs and NPAs. (153) In such cases, the government intervenes directly to impose compliance on corporations. In other cases, the government creates such powerful incentives that they effectively operate as mandates. As described above, the government articulates its vision of compliance in formal and informal pronouncements, then makes a credible commitment to this vision through enforcement and settlement practices. (154) Companies closely follow these signals and frequently adopt the practices of their peers in order to keep from falling behind the industry standard. (155) Thus, in spite of the absence of a formal mandate, the consequences associated with having no compliance program, or even having an "ineffective" program, are so grave as to effectively mandate the compliance function. No firm can say no. (156) In this way, the government imposes a de facto compliance mandate on American corporations.

The imposition of this mandate comes at the expense of board authority. Being forced not only to do something, but to do it in a particular way--so that the government deems it "effective"--demonstrates a clear lack of authority. Boards do not delegate authority to compliance. They cede it. In spite of the board's traditional authority to manage internal corporate affairs, the ultimate source of authority for compliance is derived not from the board, but from the government.

B. Governance Authorities and Compliance

The exogenous origins of compliance do not make it completely unique. Corporate governance, after all, is not entirely endogenous. (157) Firms also exist within a governance framework imposed by law. The traditional sources of exogenous corporate governance are state corporate law and federal securities law. (158) Insofar as the impetus toward compliance is derived from these governance authorities, it may still fit within conventional accounts focusing on the relationship between corporations on the one hand, and Delaware and the SEC on the other. The Sections that follow examine each of these traditional governance authorities, finding each lacking as an explanation for the development of the contemporary compliance function.

1. State Corporate Law

State corporate law defines the duties of corporate boards vis-a-vis shareholders. (159) Some aspects of this relationship are defined in minute detail--for example, board responsibilities in takeover contests (160) and the incremental value of supplemental disclosures in proxy statements. (161) Yet state corporate law is silent, or nearly so, on compliance.

Corporate statutes do not address the compliance function. (162) Instead, any impetus toward compliance has been left to courts interpreting fiduciary duty standards, where the development of compliance has been effectively curtailed by application of the business judgment rule. (163) When courts have addressed compliance, it has typically been to reject the claim that a compliance failure amounts to a breach of fiduciary duty. For example, in Graham v. Allis Chalmers Manufacturing Co., the Delaware Supreme Court expressly disclaimed any board obligation, absent clear "red flags" of wrongdoing, to install compliance programs. (164) Later, in the In re Caremark opinion, Chancellor Allen hinted that a board that did not develop an effective compliance program might fail in its monitoring and oversight duties. (165) However, this possibility was swept aside in Stone v. Ritter, in which the Delaware Supreme Court held that courts would not inquire into the objective adequacy of a firm's monitoring and oversight mechanisms. (166) Instead, courts would limit their inquiries into the subjective basis of the board's failure to monitor and oversee the firm. (167) Thus, although directors can be held liable for intentionally (or recklessly) acting contrary to the best interests of the corporation, they cannot be held liable for the objective inadequacy or ineffectiveness of the firm's compliance or monitoring program. (168) In case there was any doubt on this point, Delaware retreated still further during the financial crisis by flatly refusing to use fiduciary duty standards to impose liability on the boards of financial institutions that had contributed to the crisis. (169)

Corporate law courts occasionally do make pronouncements about compliance. The flexible nature of fiduciary duty jurisprudence allows judges to weigh in on a case-by-case basis to approve or disapprove of the practices at particular firms. For example, three 2013 Court of Chancery opinions emphasize the oversight responsibilities of directors of Delaware-incorporated firms whose business is based primarily overseas. (170) These cases underscored, once again, the importance of a system of monitoring and controls that the board has sought to implement and verify in good faith. (171) Nevertheless, judicial intervention in this area is episodic, resolutely fact-specific, and generally limited to cases with extreme facts. Thus, although it is fair to say that corporate law encourages corporations to have some basic system of internal monitoring and reporting, it provides no guidance as to adequacy. Corporate law looks to the motives of the board in implementing the system rather than the efficacy of the system itself. (172)

As a result, state corporate law has not meaningfully contributed to the development of compliance. Whatever compliance may be, it is not a product of corporate law. Indeed, it is more correct to say that compliance does what corporate law's duty of care might have done, had the business judgment rule not eviscerated duty of care jurisprudence. Compliance now occupies the space left in the wake of corporate law's retreat.

2. Federal Securities Law

The federal securities laws establish the SEC as the primary regulator of the securities industry. (173) They also create a mechanism for federal intervention in corporate governance more generally. (174) This is accomplished through the registration requirement. All public companies must register with the SEC, which, as a result, renders them subject to SEC regulation. (175) This mechanism effectively establishes the federal government, through the SEC, as an exogenous source of governance authority. If the SEC does not like a governance term, it can obstruct the firm's capital-raising efforts. (176) As we shall see, the SEC can also effectively require registered firms to adopt specific governance terms.

The SEC's interventions in corporate governance have traditionally focused on measures to improve the accuracy of financial reporting. (177) However, the SEC also makes demands of public companies that have no obvious relationship to financial reporting. For example, the SEC makes rules for takeovers and proxy contests, (178) mandates shareholder advisory votes on executive compensation arrangements, (179) and requires all publicly traded firms to have an audit committee consisting exclusively of independent directors. (180) The Agency also prescribes an annual audit of all public firms' internal accounting controls. (181) Each of these rules amounts to government intervention in corporate governance since boards are not free to choose otherwise. (182) Although such interventions are often controversial, the government's authority to regulate corporate governance through SEC rule making is well established. (183) Through the SEC, the government effectively creates mandatory terms of corporate governance. (184) Perhaps compliance can be understood in the same way.

When the government acts through the SEC to regulate corporate governance, it acts subject to important institutional constraints, including the requirement that the Agency perform a persuasive cost-benefit analysis. (185) The D.C. Circuit emphasized this requirement in three major decisions addressing the SEC's cost-benefit analyses. (186) In particular, these decisions underscored the importance of defining a convincing baseline for comparison, (187) considering less costly alternatives, (188) and focusing on marginal costs and benefits--that is, the incremental benefits achieved for additional units of cost. (189) In response, the SEC issued guidance on cost-benefit analysis (190) and also pledged to start from a relevant baseline, (191) identify reasonable alternatives to the proposed rule, (192) and quantify benefits and costs where possible. (193) As the D.C. Circuit emphasized, the broader purpose of this analysis is not only to inform the regulator of relevant costs, benefits, and alternatives, but also to inform "the public and the Congress," in whose name the action is taken, making the regulator's actions open and notorious and subject to appropriate public contestation. (194)

By contrast, when the government intervenes in compliance, it does not act as a regulator and thus is not subject to the constraints of public comment and cost-benefit analysis. (195) Rather, as described above, the government imposes compliance through enforcement. (196) Enforcement is not the same as regulation. (197) Whether the enforcer is the SEC or the DOJ, there is no requirement that the compliance reforms it imposes be subject to a cost-benefit analysis. (198) Indeed, as the prior discussion of compliance metrics demonstrated, it is highly unlikely that the government would succeed under this standard. Instead, compliance programs and reforms to improve program effectiveness are foisted upon firms through an opaque settlement process, where the government has the whip hand, and the company accedes to its demands as a tactical concession regardless of whether the reforms make long-term strategic sense. (199)

In sum, compliance cannot be understood as an outgrowth of securities regulation. When the government intervenes in corporate governance through the federal securities laws, it intervenes as a regulator. When it intervenes in compliance, it intervenes as an enforcer. There are significant differences between these modes of intervention, the further implications of which are explored in the next Part.


So far, this Article has depicted compliance as an intrafirm governance function whose origins lie outside the firm and are alien to traditional corporate governance authorities. Compliance is not a delegation of board authority, nor is it a product of either state corporate or federal securities law. Rather, compliance is made by government enforcers--prosecutors and regulatory enforcers--who promulgate de facto corporate governance standards despite possessing neither statutory nor regulatory authority to do so. (200)

This Article will now turn to the normative implications of this analysis for theories of corporate law and corporate governance. In doing so, it will seek to frame the larger questions raised by the contemporary compliance function. How does the contemporary compliance function alter the political economy of corporate governance? What are the likely effects on firm efficiency? And what are the broader implications for theories of the firm? This Part takes up each of these questions in the Sections that follow.

A. The Political Economy of Compliance

Compliance represents a unique form of government intervention in corporate governance. It does not fit conventional accounts of the political economy of corporate governance, focusing either on the interstate race for corporate charters (201) or the interplay between Wilmington and Washington. (202) It is sui generis.

1. Weak Constraints

The traditional pattern of government intervention in corporate affairs is for legislation to follow in the wake of a scandal or a perceived market failure. (203) The government's agent in this context is the legislator, and the background of scandal is an important impetus for action. Without the environment of scandal, government intervention in corporate affairs is held in check by the lobbying power of corporate interests. (204) In an environment of scandal, populist demands for greater corporate accountability overcome the corporate lobby and push legislators to pass reforms. (205) But popular pressure inevitably subsides, and corporate interests seek to limit the scope of reform. The result is a recurring pattern of reform and retrenchment, (206) taking the shape of a "Regulatory Sine Curve." (207)

Compliance, however, represents government intervention through an enforcement agent rather than a legislator. Prosecutors are not subject to either populist pressure or corporate lobbying in the same way as legislators. (208) Prosecutors prize their independence and discretion and are largely insulated from direct political accountability. (209) Because they do not need political cover to act, they do not need a market-wide scandal to press for reforms. Of course, they do need the likelihood of a successful prosecution, but in an environment where corporations are strictly liable for the acts of their agents, and settlements often entail the payment of large fines, the necessary elements of success are present in most firm crises. (210) As a result, prosecutors need much smaller scale events--firm failures rather than market failures--to intervene and press for reform. Considering that reforms undertaken by one firm are frequently adopted by industry peers, the government, through its interventions in compliance, can exert relatively steady pressure on corporate governance.

Prosecutors are not only able to intervene in corporate governance with greater regularity than legislators; intervening through settlement agreements rather than legislation gives the government greater freedom to press reforms when it does intervene. As noted above, there is no need to perform cost-benefit analyses, and the settlement process, in contrast to the open and notorious legislative process, is closed and opaque. (211) When Congress intervenes in corporate affairs, affected interests have an opportunity to appear at hearings, engage in lobbying, and provide comments on proposed rules. Likewise, when Delaware judges make corporate law pronouncements, they are constrained by the threat of exit should their rulings upset the delicate balance between shareholders and managers. (212)

However, the settlement of enforcement actions receives scant review, even by the judges entering the orders. (213) These settlements are negotiated privately, by the parties to the case at hand, with no notice to, or involvement of, outside interests. In spite of the precedential impact the settlement may have on an array of firms and a spectrum of outside interests, those interests have no standing to intervene and no opportunity to contest the result because they are not involved in the case at bar. There is no serious judicial oversight of the process and nowhere for firms to go if they are unhappy with the result. Compliance is thus the product of an unaccountable government agent engaged in an utterly opaque rule-making process.

2. Other Constituencies

Federal law answers to a much more diverse set of perspectives on corporate governance than does state law. (214) While state corporate law traditionally balances the interests of only two parties--managers and shareholders (215)--federal law may consider the additional interests of employees, creditors, consumers, the environment, and other social responsibility concerns. (216) Whose interests will the government consider when it acts with respect to compliance? Does the government press the interests of non-shareholder constituencies on firms when it intervenes through compliance? Should it?

The conventional view in the United States is that corporate governance arrangements are the product of a bargain between shareholders and managers. Indeed, the mainstream American view of corporate governance is decidedly shareholder-centric, taking as its central preoccupation the problem of "agency costs" or "opportunism" that arises from the separation of ownership and control. (217) As expressed by Sanjai Bhagat, Brian Bolton, and Roberta Romano, "[t]he key focus of U.S. corporate law and corporate governance systems is what is referred to as an agency problem: an organizational concern that arises when owners--in a corporation, the shareholders--are not the managers who are in control." (218) Of course, corporate shareholders are not owners in a traditional sense. (219) However, shareholders' relationship with the firm is unique in its duration and in the uncertainty of their entitlement to assets, which puts them at unique risk of expropriation. (220) Corporate governance is the solution to the shareholders' risk of expropriation. (221)

Corporate governance is thus conceived of as a quasi-contractual mechanism designed to encourage investment in the modern corporate enterprise. (222) As a result, mainstream definitions of corporate governance typically reflect shareholder centricity. (223)

On the other side of this debate are those who argue that corporate governance should look to a wider set of interests. (224) This claim is often framed in terms of broad social objectives. (225) However, another version of the claim may also be advanced from an efficiency perspective, to argue that corporate governance must protect the interests of nonshareholder constituencies, such as management and labor, in order to induce them to make necessary investments to increase long-term corporate value. (226) If the recognition of other constituency interests in corporate governance is the minority view in the United States, it is not necessarily so abroad, (227) especially in countries such as Germany that recognize other constituencies' rights to board representation. (228)

Broader corporate engagement with social issues is not necessarily incompatible with a shareholder-centric model of governance, provided the impetus to consider these issues comes from shareholders. (229) However, debate frequently erupts when the government imposes considerations of other constituencies on the firm. (230) Compliance presents the government with a means of doing just that.

At first glance, that the contemporary compliance function is a tool through which the government can press other constituency interests on corporations is so obvious as to appear trivial. Of course compliance reflects broader social interests. Insofar as compliance is concerned with preventing violations of law and regulation, and insofar as laws and regulations look to nonshareholder interests, compliance must necessarily reflect nonshareholder interests. The panoply of law and regulation affecting firms--rules preventing fraud, pollution, bribery, money laundering, false advertising, and dangerous workplaces--often bars conduct that would, in some situations, even produce benefits to shareholders. (231) The compliance function simply mirrors this collection of interests.

There is an important difference, however, between passing a law to protect the interests of a nonshareholder constituency and requiring corporations to adopt intrafirm governance mechanisms to carry out the interests of that constituency. (232) Formal legal rules may be more precise in defining firms' responsibilities and, in any event, contain an avenue of appeal to public authority--the courts--when they are unclear in meaning or overbroad in scope. By contrast, governance structures are designed to supply constraints that exceed basic legal commands. (233) The compliance function, in particular, is designed to inculcate norms of behavior that exceed narrow legal obligations. (234) This is part of the reason that regulators have sought to separate compliance from the legal department. (235) Designing compliance structures on the basis of other constituency interests is a way of bringing those interests into the firm, thereby making firms servants of a wider set of social interests. (236) Moreover, this is an objective that government agents candidly admit. For example, New York Federal Reserve Chairman William Dudley has expressly stated that "financial firms exist, in part, to benefit the public, not simply their shareholders, employees, and corporate clients." (237)

Whether the role of other constituency interests in compliance is something to celebrate or decry, of course, depends upon the position one takes in the broader debate. Are corporations vehicles of wealth creation for their investors? Or are they also, in part, instruments to accomplish a broader social good? Compliance presents an opening for those who might wish to push corporations into this broader social role and a challenge for those who might wish to keep them out. At a minimum, compliance presents a new avenue for corporate law theorists to engage on these questions.

B. Incentives and Information

The government is no more monolithic than any other large organization, and identifying a set of government interests, as the prior Section sought to do, does not necessarily imply that its agents will faithfully carry them out. (238) Government enforcement agents may have their own incentives to bring particular kinds of cases. (239) And they may have their own reasons to impose excessively costly compliance programs on firms.

1. Agency Costs and Externalities

Prosecutors selecting cases may be motivated to bring cases of greater notoriety or political salience in hopes of building a reputation that they can convert into subsequent career opportunities. (240) Prosecutors with political ambitions may be motivated to make cases against firms and individuals that have aroused public ire. (241) Although it is possible that these cases correlate with the most egregious offenses, it is also possible that they principally correlate to media coverage and populist sentiment without regard to the quality of the evidence. (242) For example, the need to find a villain to satisfy public ire may partially explain the proliferation of insider trading and bad banker cases in the wake of the financial crisis. (243) On the other hand, enforcement authorities may respond to political pressure to go easier on politically connected firms. (244) These problems may be especially pronounced in a context where enforcers can use settlement agreements to side-step both political costs and evidentiary burdens. (245)

Prosecutors have obvious reasons at settlement to favor high fines over low ones. (246) However, the question of what prosecutors should seek with regard to compliance is less clear. How are compliance reforms traded in the settlement bargain?

From a prosecutor's perspective, compliance may be seen as a means of outsourcing enforcement costs. (247) By insisting that companies install a compliance function to detect and report violations of law, prosecutors can externalize a portion of their budget. The company pays for the compliance program, and the prosecutor saves costs on its investigation. The question of how much compliance to impose thus takes on the logic of a traditional externalities analysis, with the ultimate answer being: too much. (248) Because the government receives the benefit of the compliance program (in the form of detection and investigation) but does not bear the cost, its incentive is to push firms to overinvest in compliance. Thus, just as they have idiosyncratic incentives to bring especially newsworthy cases, government enforcement agents have structural incentives to mandate excessive compliance. (249)

Across the bargaining table from the prosecutor, of course, are corporate managers whose general interest will be to minimize the consequences of settlement on the firm. Managers will prefer small fines to large ones because fines erode corporate profits and thereby reduce the managers' own performance-based compensation. Managers can thus be expected to push back on prosecutorial demands for fines at settlement. The situation may be different, however, with regard to compliance reforms. Managers might be willing to accept compliance reforms in exchange for a reduction in the monetary penalty or for early termination of the investigation. Indeed, such behavior comports with the standard "agency cost" model of corporate management. (250) Monetary penalties have an immediate impact on compensation. Compliance reforms do not. Moreover, considering that firms tend to mimic the compliance reforms of their peers, the introduction of costly compliance reforms may well be copied by competitors, thereby mitigating the impact of the reforms on industry benchmarks linked to executive compensation.

2. Information Asymmetries

On the question of what specific mechanisms ought to be adopted by or imposed upon firms, this Article has already shown that compliance officers themselves do not always know what works in compliance. (251) For example, it is difficult, if not impossible, to show whether an investment in additional training will make a meaningful difference in employee behavior, or whether one form of compliance infrastructure is better than another, or what the right level of staffing or resource allocation is for a particular compliance department. If compliance officers cannot answer these questions definitively, there are very good reasons to suppose that generalist prosecutors who are not embedded in the day-to-day operation of the subject firm cannot answer them either.

The inability to demonstrate the effectiveness of compliance raises two difficult questions. First, why should prosecutors give firms any credit for employing compliance mechanisms whose effectiveness has not been proven? And second, why should prosecutors impose unproven compliance mechanisms on firms? In either case, prosecutors likely rely on heuristics. For example, a money laundering failure implies the need for more staff devoted to preventing money laundering. (252) This makes a kind of sense, but how much staff should a firm add? This is an empirical question that, at present, cannot be answered. It is not surprising, then, that prosecutors' compliance demands are occasionally vague, (253) requiring firms to conduct "appropriate due diligence," build "effective compliance," and periodically review compliance in light of current standards, all without supplying specific content. (254) Prosecutors simply do not know what to ask for. Unless and until they can pair organizational theory with empirical evidence, prosecutors are larding firms with cost for uncertain benefit.

Enforcers implicitly acknowledge their lack of information when they require the appointment of monitors or the engagement of outside consultants to review the quality of a firm's compliance program. This is a punt. Unless the third parties can accurately distinguish good compliance from bad, mandating the involvement of third parties merely amounts to a wealth transfer from the firm to the third party. Moreover, there is good reason to suspect that third-party experts do not know much more about what makes good compliance than government enforcement authorities. They are both on the outside looking in.

The information problem at the core of compliance may lead to adverse selection--the infamous "lemons problem." (255) When consumers cannot distinguish between high-quality and low-quality goods, they rationally respond by discounting the value of all goods. (256) The effect of this discount, however, is to discourage the owners of high-quality goods from bringing their wares to market, in which they would suffer the discount. (257) The unhappy result, because the owners of low-quality goods are not similarly discouraged, is that notwithstanding the discount, consumers will both buy low-quality goods and overpay for them. (258)

Firms in the market for a good compliance program face a similar problem. The good cannot be distinguished from the bad. This will discourage the development of good programs and lead many companies to overpay for bad ones. This is a double tragedy. Not only are businesses overpaying, but they also are installing compliance programs that will likely fail to prevent future violations of law.

C. Theories of the Firm

State-imposed corporate governance is inconsistent with current theories of the firm, whether one's model of the firm is derived from the "nexus of contracts," (259) "transaction cost economics," (260) or "property rights" (261) theories. (262) Under all of these theories, corporate governance is understood as contractual, subject to a background of mandatory terms supplied by statute or judicial precedent. Compliance amounts to the extrafirm imposition of intrafirm governance. It therefore does not fit with any of the current theoretical accounts of the firm.

If anything, compliance flips the intuition underlying mainstream theories of the firm. Most of these theories proceed from Coase's realization concerning the incompleteness of contracts in an ongoing business enterprise. (263) Parties in an ongoing business relationship are unable to specify all contingencies that may arise in their contractual relations over time. The result is the creation of the firm, whose role is to mediate contractual incompleteness through structures of authority and background principles of fiduciary duty. (264) In light of these principles, perhaps the best way to conceptualize compliance and distinguish it from other structures of regulation is to portray it as a similar response to the problem of incompleteness. (265) Because it is impossible for regulators to specify all contingencies that could lead to evasion or violation of regulatory rules or to articulate every step a firm must take to prevent a violation, they therefore impose on firms compliance departments whose fundamental role is to mediate regulatory demands in light of the ongoing conduct of the business. In other words, compliance is to the incompleteness of regulatory specificity as governance is to the incompleteness of the investment contract.

Although this parallel may suggest a theory of compliance, it does not succeed in fitting that account within corporate law theory. As noted above, all mainstream theories of the firm are limited in scope to the constituent entities of the firm--that is, the contractual counterparties of the business. Compliance responds to a transaction cost of the government, not of the firm's contractual counterparties. In spite of the parallel, in other words, compliance remains an exogenous imposition, not an endogenous element of firm governance. This begs the theoretical question of what gives the government the authority to intervene in the firm through compliance.

An answer to this question might be that the state's right to intervene in corporate affairs comes from the role of the sovereign in granting the corporate charter, an argument that goes back to the origins of the corporate form in Britain. (266) Having granted a corporate charter, the king retained the right to exercise a considerable degree of control over corporate affairs. (267) Once the United States separated from Britain, U.S. states assumed the authority to grant corporate charters. (268) Perhaps compliance is a latter-day manifestation of the sovereign right, having granted the firm its charter, to intervene in corporate affairs. (269)

However, U.S. law long ago rejected the claim that the power to grant charters gives states an inherent right to intervene in corporate affairs. In the famous Dartmouth College case of 1819, the U.S. Supreme Court held that the state of New Hampshire could not take control of the college by altering its charter to transfer the appointment of trustees to the state. (270) In spite of having formally created the corporation, the state could not treat it as a mere instrumentality of state power. The corporation, Justice Marshall wrote, "does not share in the civil government of the country, unless that be the purpose for which it was created." (271) The corporation exists, instead, to represent the interests stated in the charter and is protected from state interference by the Contracts Clause of the Constitution. (272)

An alternative basis for the government's interventions in compliance can be found in the "real entity" theory, a late nineteenth-century theory exported from Germany to England and the United States as a basis for the legal rights of business organizations. (273) In the early to mid-twentieth century, the real entity theory "helped strengthen limited liability and the business judgment rule, and may have been partially responsible for the introduction of a corporate income tax regime, which treated corporations as separate taxable entities." (274) Most importantly, the theory supported treating the corporation as a person for purposes of criminal law. (275) A great leap is not required to go from prosecuting corporations as though they were real people to seeking to "rehabilitate" them through compliance. (276)

The real entity theory is now rejected by mainstream corporate law theory. (277) Of course, this does not mean that it is wrong, but it does mean that compliance is seriously undertheorized. Compliance is the place where conceptions of the firm held by scholars and practitioners of criminal law encounter those held by scholars and practitioners of corporate law. At present those two conceptions are incompatible, suggesting the need either for a reconceptualization of corporate law theory or, alternatively, a correction in the way the government approaches compliance. The next Part sketches an approach to the latter, while leaving open the former as perhaps the more interesting possibility.


Corporate compliance with the law is plainly a social good. However, the current structure of compliance, as the last Part has shown, is more ambiguously so. How might the situation be improved? This Part offers two alternatives. First, end the government's role as the architect of compliance, allowing firms to adopt compliance programs (or not) on the basis of efficiency concerns alone while still holding them accountable for violations of substantive law. Second, increase the transparency of the compliance function on an ongoing basis through periodic disclosures in securities law filings. The Sections that follow explore each of these alternatives.

A. Government Exit

Getting the government out of the compliance business would prevent core corporate governance functions from being designed in an opaque process by a largely unaccountable agent with no expertise in organizational design and no ability to measure effectiveness. (278) Government exit from compliance would not mean exit from enforcement. If the government got out of the business of corporate reform, it would still have the power to enforce the law to its fullest extent. It would still be able to impose massive penalties. And it would still have the power to settle and to give credit for cooperation. (279) It simply could not insist upon compliance reforms. (280) How would firms react to this change? Would corporations suddenly shut down their compliance departments?

Corporations have strong incentives to comply with the law even without the government telling them exactly how to do it. (281) And insofar as compliance programs contain elements that are an efficient means of producing compliance with the law, firms would maintain at least those. But they would likely jettison aspects of compliance programs that could not be shown to produce compliance in a cost-effective manner. In other words, if it were wholly owned by firms, compliance would be subject to firms' internal cost-benefit calculations, and firms would likely "engage in compliance if the cost of sanctions with compliance is less than or equal to the cost of sanctions without compliance." (282)

As long as corporate governance is seen as the product of a bargain between managers and shareholders ultimately aimed at wealth maximization, this is a desirable outcome. Even without a hand in the design of compliance programs, the government retains the size of the sanction (and the prospect of criminal liability) as an extremely powerful tool in preventing corporate wrongdoing. (283) If corporate misconduct is insufficiently deterred by current sanctions levels, the government should increase them, thereby changing the subject firm's present value calculation. (284) Once misconduct is no longer value-maximizing from the firm's point of view, an efficiency-based compliance program will be no less (and perhaps more) serious about detecting and deterring corporate misconduct than a program designed by the government.

The salutary effects of this arrangement are pragmatic as well as theoretical. Once firms own compliance, they will seek better and cheaper ways of channeling organizational behavior. They will experiment, moving away from the core elements that have served as the basis of compliance since the drafting of the Sentencing Guidelines. (285) For example, if investing in culture or technology appears to be a better strategy for inducing compliance than hiring hundreds or thousands of staff to perform "Know Your Customer" due diligence, firms will try it. (286) Likewise firms may seek to adapt their compliance programs to emerging literature that suggests compliance programs organized around sanctions and monitoring may be less effective (and more expensive) than systems organized around procedural fairness, consent, and deference. (287) Experimentation leads to innovation and, perhaps, more effective compliance structures. (288) Moreover, once firms begin to experiment, there will be greater heterogeneity of compliance structures and greater opportunity for the capital market to make distinctions on this basis, provided, however, that there is greater transparency in compliance--an issue taken up in the next Section.

B. Increased Transparency of the Compliance Function

Because outright government exit from the regulation of compliance may seem unlikely, it is worth considering alternative approaches to reform. Toward this end, some commentators have recently suggested greater judicial scrutiny at settlement. (289) Though there is evidence that at least some judges have signaled discomfort with the use of DPAs/NPAs in corporate prosecutions, there is little evidence that greater involvement of the judiciary could improve the resulting compliance reforms. Judges commenting on the resolution of enforcement actions have tended to criticize the government for failing to hold individuals accountable or for failing to extract more in fines. (290) They have tended not to focus on the efficacy of compliance reforms. Indeed, judges are as ill-equipped to assess the quality of settlement reforms as the prosecutors are in imposing them, perhaps even more so. (291)

A more promising regulatory strategy might therefore be to focus not on the substance of compliance reform but rather on the transparency of the compliance function. Focusing on disclosure rather than substance parallels the regulatory strategy of securities law more generally, the aim of which is simply to provide the necessary information for the capital market to make distinctions between firms. (292) Disclosure of compliance details would enable professionals to study and understand those compliance mechanisms that work and those that do not. It would also enable market professionals to distinguish between firms according to the quality of their compliance functions. If they invested accordingly, the capital market itself would incentivize firms to improve their compliance function. The government could make this happen by adopting a rule, administered by the SEC, requiring public companies to disclose compliance details.

Mandatory compliance disclosure would focus on structural details, such as how compliance is organized, what its relationship is with business units, and other control functions such as risk and internal audit, which risks are allocated to compliance and how compliance assigns personnel and technological resources to manage those risks, whether and how compliance is involved in strategic business decisions, the authority and expectations of compliance officers in the event of conflict, how escalation and reporting structures work, and whether and to what degree compliance influences executive compensation. These program details could be categorized and compared according to indicators of effectiveness, such as reported incidents of misconduct, government investigations, and sanctions paid. Alternatively or in addition, companies could be required to disclose standardized data on the performance of their own programs, allowing quantitative metrics to be compared more directly across a set of firms. (293) Currently no company voluntarily discloses this information. (294) Moreover, federal securities law, which forces public companies to disclose a vast amount of information, does not mandate any compliance disclosures. It should. (295)

Mandatory compliance disclosures would trigger the release of information that companies already possess. Many companies track program effectiveness. Those that do not are in possession of the information and could compile it. The information is not competitively sensitive. It does not include business plans or strategies that could give competitors an advantage. Or, in the event that a required compliance disclosure did hint at competitively sensitive information, companies could apply to the SEC for an exemption from the disclosure item.

Disclosure would produce substantial benefits. First, disclosure of compliance details would allow interested parties--compliance officers, policymakers, and enforcers--to learn what actually works in compliance. Claims to effectiveness would be empirically informed rather than anecdotal. Compliance programs would work better as less effective structures lost currency, resulting in more effective detection and deterrence of corporate misconduct. Second, the disclosure of compliance details would enable capital market participants to distinguish between compliance programs at different companies. Investors, recognizing that better compliance means less risk of loss, would be willing to pay a premium for firms with better compliance. (296) This, in turn, leads to a virtuous circle wherein the share-price premium serves as a further incentive to adopt strong compliance functions, leading to less downside risk, less misconduct, and higher share prices.


This Article has argued that compliance is a governance function that is incompatible with contemporary corporate theory. The inconsistencies between theory and practice exposed by compliance present an opportunity to rethink theories of the firm and to reconsider dormant debates. This Article seeks to start the conversation, calling on scholars across specialties, along with practitioners and policymakers, to engage on the critical issues of theory and practice raised by the contemporary compliance function.

SEAN J. GRIFFITH, T.J. Maloney Chair and Professor of Law, Fordham Law School. Thanks to Miriam Baer, Sam Buell, Jim Fanto, Jess Fardella, Will Foster, Tom Lin, Geoffrey Miller, Troy Paredes, Christina Skinner, and Andy Spalding for their comments on earlier drafts. I am also grateful for comments and suggestions received after presentations at the 2015 National Business Law Scholars Conference, the 2015 Berkeley-San Diego Meet-up, BYU Law School, and Fordham Law School. Thanks to Alissa Black-Dorward and Steffanie Keim for superlative research assistance. The viewpoints and any errors expressed herein are mine alone.

(1.) Susanne Craig, At Banks, Board Pay Soars Amid Cutbacks, N.Y. Times: DealBook (Mar. 31, 2013, 9:57 PM).

(2.) See Sam Fleming, The Age of the Compliance Officer Arrives, Fin. Times (Apr. 24, 2014, 12:19 AM) (arguing that boom in compliance hiring and salaries comes at risk of business exit from higher cost business lines); Gregory J. Millman & Samuel Rubenfeld, Compliance Officer: Dream Career?, Wall St. J. (Jan. 15, 2014, 8:13 PM); Aruna Viswanatha, Wall Street's Hot Trade: Compliance Officers, Reuters (Oct. 9, 2013, 7:05 AM).

(3.) For a discussion of some of the differences between making and enforcing law versus imposing governance structures, see infra Part III.A.

(4.) This Article treats federal prosecutors and enforcement agents as essentially interchangeable with regard to the development of compliance. See Brandon L. Garrett, Collaborative Organizational Prosecution, in Prosecutors in the Boardroom: Using Criminal Law to Regulate Corporate Conduct 154, 154-55 (Anthony S. Barkow & Rachel E. Barkow eds., 2011) (disputing rigid institutional separation of civil versus criminal enforcement in light of collaborative efforts between prosecutors and regulators and the far-reaching deterrent effects of enforcement actions). The important differences between the role of federal prosecutors and federal agencies and the dynamics of the interaction between the two are largely outside of the scope of this Article. For a discussion of these differences, see generally Daniel Richman, Prosecutors and Their Agents, Agents and Their Prosecutors, 103 Colum. L. Rev. 749 (2003). Regulatory examinations, such as those conducted in the banking industry, constitute another category of compliance intervention that is largely consistent with this Article's account of enforcement. See, e.g., Dennis Townley & Paula Caughey, Regulatory Compliance Issues for Small Banks, Aspatore (2013), 2013 WL 5293293 (describing how the burdens of the regulatory examination process have grown).

(5.) See infra Part I.A.2.

(6.) Ronald Coase, The Nature of the Firm, 4 Economica 386, 387 (1937) ("If a workman moves from department Y to department X, he does not go because of a change in relative prices, but because he is ordered to do so.").

(7.) Id. at 388.

(8.) Some exceptions include: Stephen Bainbridge, Caremark and Enterprise Risk Management, 34 J. Corp. L. 967 (2009); Lawrence A. Cunningham, Deferred Prosecutions and Corporate Governance: An Integrated Approach to Investigation and Reform, 66 Fla. L. Rev. 1 (2014); James Fanto, Paternalistic Regulation of Public Company Management: Lessons from Bank Regulation, 58 Fla. L. Rev. 859 (2006) (foreshadowing the era of compliance by arguing that the SEC should adopt a bank-regulatory model in regulating the governance of public firms); Kimberly D. Krawiec, Cosmetic Compliance and the Failure of Negotiated Governance, 81 Wash. U. L.Q. 487 (2003) [hereinafter Krawiec, Cosmetic Compliance]; Kimberly D. Krawiec, Organizational Misconduct: Beyond the Principal-Agent Model, 32 Fla. St. U. L. Rev. 571 (2005); Donald C. Langevoort, Internal Controls After Sarbanes-Oxley: Revisiting Corporate Law's "Duty of Care as Responsibility for Systems," 31 J. Corp. L. 949 (2006); Donald C. Langevoort, Monitoring: The Behavioral Economics of Corporate Compliance with Law, 2002 Colum. Bus. L. Rev. 71; Omari Scott Simmons, The Corporate Immune System: Governance from the Inside Out, 2013 U. Ill. L. Rev. 1131 (focusing on compliance as part of the "internal immune system" of corporate governance); Jennifer Arlen & Marcel Kahan, Corporate Governance Regulation Through Non-Prosecution (N.Y. Univ. Sch. of Law, Public Research Paper No. 16-04, 2016).

(9.) See, e.g., Ian Ayres & John Braithwaite, Responsive Regulation: Transcending the Deregulation Debate 101-32 (1992) (discussing compliance as a kind of "enforced self-regulation"); Brandon Garrett, Too Big to Jail: How Prosecutors Compromise with Corporations (2014) (discussing compliance reforms as a common outcome of corporate prosecutions); Sharon Oded, Corporate Compliance: New Approaches to Regulatory Enforcement (2013) (providing an account of which enforcement policies most efficiently induce proactive compliance); Miriam Hechler Baer, Governing Corporate Compliance, 50 B.C. L. Rev. 949 (2009) (discussing corporate compliance in connection with the "New Governance" literature).

(10.) Compliance may be understood to focus on a different agency cost problem than the issues on which mainstream corporate law scholarship focuses. See Oded, supra note 9, at 10 (emphasizing that her work on compliance "does not address the well-established principal-agent problem between corporate management and shareholders, but rather focuses on a different agency problem; the one that exists between corporations (or the management thereof) and corporate employees undertaking corporate activity").

(11.) See infra notes 217-21 and accompanying text.

(12.) Geoffrey P. Miller, The Law of Governance, Risk Management, and Compliance 3 (2014) (defining compliance as "the processes by which an organization seeks to ensure that employees and other constituents conform to applicable norms--which can include either the requirements of laws or regulations or the internal rules of the organization"); accord Deloitte & Compliance Week, In Focus: 2014 Compliance Trends Survey 7 (2014) (defining compliance as the "alignment between their organization's behavior and professed values").

(13.) Because the goal of this Article is to analyze the development of compliance across industries, it avoids going into the details of industry-specific compliance regulation. One implication of this choice is that this Article focuses on the greatest cross-industry compliance risks, such as fraud and corruption. See Garrett, supra note 9, at 5. Nevertheless, compliance officers frequently cite industry-specific regulation as their core compliance concern. See infra note 108 and accompanying text.

(14.) See generally Detlev Nitsch et al., Why Code of Conduct Violations Go Unreported: A Conceptual Framework to Guide Intervention and Future Research, 57 J. Bus. Ethics 327 (2005); Daniel Rottig et al., Formal Infrastructure and Ethical Decision Making: An Empirical Investigation and Implications for Supply Management, 42 Decision Sci. 163 (2011).

(15.) See Michele DeStefano, Creating a Culture of Compliance: Why Departmentalization May Not Be the Answer, 10 Hastings Bus. L.J. 71, 95 n.100 (2014) ("Chief compliance officers also advise on business and reputation risks.").

(16.) Risk management is a business operation of the firm typically focused on the quantitative modeling of business risk. See Miller, supra note 12, at 2.

(17.) Cf. Bainbridge, supra note 8, at 968 ("Risk management and law compliance differ only in degree and not in kind.").

(18.) See Economist Intelligence Unit, The Economist, Governance, Risk and Compliance in Financial Services (2008) (advocating the integration of governance, risk, and compliance functions); KPMG, The Convergence Evolution: Global Survey into the Integration of Governance, Risk and Compliance (2012).

(19.) There was an impetus toward compliance starting with the federal antitrust prosecutions in the 1960s through the criminalization of various corporate acts in the 1970s, including bribery, money laundering, and pollution. See Foreign Corrupt Practices Act of 1977, 15 U.S.C. § 78dd-1 (2012) (foreign bribery); Bank Secrecy Act of 1970, 31 U.S.C. § 5318(h) (2012) (barring money laundering and setting forth the "four pillars" of anti-money laundering (AML) compliance); National Environmental Policy Act of 1969, 42 U.S.C. § 4321 (2012) (pollution). However, enforcement was often lax under these early statutes, and penalties were often slight, providing little incentive to develop robust compliance programs. See Mark A. Cohen, Corporate Crime and Punishment: An Update on Sentencing Practice in the Federal Courts, 1988-1990, 71 B.U. L. Rev. 247, 254-56 (1991) (showing that, as of the mid-1980s, most corporate fines were under $10,000, and the average fine was just over $48,000).

(20.) Jennifer Arlen, The Potentially Perverse Effects of Corporate Criminal Liability, 23 J. Legal Stud. 833, 839 (1994).

(21.) U.S. Sentencing Guidelines Manual § 8C2.5(f) (U.S. Sentencing Comm'n 2015) [hereinafter Sentencing Guidelines] (listing maintenance of an effective compliance program as a mitigating factor for the company's "culpability score"). Various governmental authorities had previously sought to induce corporations to implement compliance programs. See, e.g., Jay A. Sigler & Joseph E. Murphy, Interactive Corporate Compliance: An Alternative to Regulatory Compulsion 155-56 (1988) (discussing the Occupational Health and Safety Administration's "Star Program," which provides for relief from regulation for firms with strong compliance programs). However, the Guidelines were the government's first articulation of a promise to mitigate penalties for compliance on a global basis. See Memorandum from William C. Hendricks III, Chief of the Fraud Section Criminal Div., U.S. Dep't of Justice [DOJ], to all U.S. Attorneys (July 17, 1987), in ABA Public Contract Law Section, Report of the Special Committee on Voluntary Disclosure 6-7 (1987) (describing the importance of compliance in charging decisions for criminal investigations of defense contractors).

(22.) See Jennifer Arlen & Reinier Kraakman, Controlling Corporate Misconduct: An Analysis of Corporate Liability Regimes, 72 N.Y.U. L. Rev. 687, 745 (1997).

(23.) For example, mitigation was absent from the 1989 preliminary draft of the Guidelines. See Nolan Ezra Clark, Compliance Programs and the Corporate Sentencing Guidelines: Preventing Criminal and Civil Liability § 2:16, Westlaw (database updated Oct. 2015).

(24.) These companies included General Electric, Atlantic Richfield, Bristol-Myers Squibb, ITT, and Martin Marietta. See id. § 2:17 ("[T]he biggest concern that I have is in trying to help you find a balance between imposing sentences on corporations for their wrongdoing and at the same time trying to incentivize corporations to develop meaningful compliance programs." (quoting Martin Marietta's General Counsel)); id. ("The Commission should adjust the credits ... so that there may be no penalty fine for a corporation that has developed and implemented stringent policies and training, and yet has a low-level employee go astray." (quoting comments of General Electric Company et al. on the Sentencing Commission's proposed organizational sanctions)).

(25.) For example, at a meeting with the Sentencing Commission, the Business Roundtable urged:
   We very much believe that compliance programs are the best way to
   encourage compliance with the law, respect for the law by corporate
   employees and agents. We very much feel that the likelihood of
   reducing [the] number of corporate crimes is going to best be
   served by trying to encourage, enhance, build, [and] expand not
   only the presence of compliance programs in corporations but also
   the effectiveness and vigor with which they are administered and
   enforced inside the corporation itself.

Id. § 2:22 (first alteration in original); see also id. § 2:17 ("A substantial compliance program should receive a substantial reduction in fines.").

(26.) Id. § 2:18.

(27.) The Fall 1990 draft defined "effective" compliance as follows:
   First, the organization must have policies defining the standards,
   rules, and procedures to be followed by its employees. Second, the
   organization must communicate its policies effectively to
   employees, e.g., by training programs and publications. Third, the
   organization must use due diligence to ensure that its policies are
   complied with, e.g., by utilizing a monitoring system reasonably
   designed to ferret out criminal conduct by its employees and by
   having in place and publicizing to employees a reporting system
   whereby employees can report criminal conduct within the
   organization without fear of retribution. Fourth, the policies must
   be enforced, e.g., through disciplinary mechanisms.

Id. § 2:23.

(28.) The current Guidelines now feature seven factors, including: (1) rules, (2) high-level engagement and appropriate delegation, (3) diligence in hiring, (4) communication and training, (5) monitoring and testing, (6) alignment of incentives, and (7) appropriate remediation. Sentencing Guidelines, supra note 21, § 8B2.1(b).

(29.) See infra note 69 and accompanying text.

(30.) See Sentencing Guidelines, supra note 21, at 495 (introductory comment).

(31.) Id.

(32.) See Peter J. Henning, The Organizational Guidelines: R.I.P.?, 116 Yale L.J. Pocket Part 312, 312 (2007) (arguing that the scarcity of corporate convictions as opposed to settlements "means that the Organizational Guidelines are largely irrelevant").

(33.) In the corporate context, prosecuting such cases is extremely costly in terms of time and resources. Vikramaditya Khanna & Timothy L. Dickinson, The Corporate Monitor: The New Corporate Czar?, 105 Mich. L. Rev. 1713, 1721 (2007) ("[C]orporate crime cases are difficult, complex, and expensive cases to prosecute and tend to use a great deal of resources."). Successful prosecutions also risk serious collateral consequences, such as business failure. See Garrett, supra note 9, at 19-44 (relating the story of the prosecution and subsequent collapse of Arthur Andersen).

(34.) See Mary Jo White, Corporate Criminal Liability: What Has Gone Wrong?, in 2 37th Annual Institute on Securities Regulation 815, 818 (2005) (describing use, by U.S. Attorney's Office for the Southern District of New York, of deferred prosecution agreements in the early 1990s).

(35.) Memorandum from Eric Holder, Deputy Attorney Gen., to All Component Heads and U.S. Attorneys (June 16, 1999) [hereinafter Holder Memorandum].

(36.) Id. at para. II.A.4-6.

(37.) Id. at para. VII.B ("The Department has no formal guidelines for corporate compliance programs.").

(38.) Id. ("In answering these questions, the prosecutor should consider the comprehensiveness of the compliance program, the extent and pervasiveness of the criminal conduct; the number and level of the corporate employees involved; the seriousness, duration, and frequency of the misconduct, and any remedial actions taken by the corporation, including restitution, disciplinary action, and revisions to corporate compliance programs.").

(39.) DOJ, United States Attorneys' Manual § 9-28.700-.900 (2015), http://www.justice.gov/usam/usam-9-28000-principles-federal-prosecution-business-organizations [https://perma.cc/W4RH-G2N2].

(40.) Id. § 9-28.800.B ("The Department has no formulaic requirements regarding corporate compliance programs."). If anything, the Manual increases prosecutorial discretion by adding "good faith" to the list of things prosecutors may consider in assessing a program's effectiveness. Id.

(41.) See Lawrence D. Finder & Ryan D. McConnell, Devolution of Authority: The Department of Justice's Corporate Charging Policies, 51 St. Louis U. L.J. 1, 1-2 (2006) (connecting the fact that "from 2002 to 2005, the DOJ has entered into twice as many non-prosecution agreements (NPAs) and deferred prosecution agreements ... as it had over the previous ten years" to shifts in department policy on corporate prosecutions).

(42.) See Garrett, supra note 9, at 54-60 (discussing creation of the Corporate Fraud Task Force to coordinate corporate prosecutions and the adoption of the so-called Brooklyn Plan, according to which corporations would pay a fine and adopt compliance reforms in exchange for an agreement not to prosecute).

(43.) The government investigates but, in the case of an NPA, does not file formal charges or, in the case of a DPA, files charges but simultaneously suspends prosecution. Benjamin M. Greenblum, What Happens to a Prosecution Deferred? Judicial Oversight of Corporate Deferred Prosecution Agreements, 105 COLUM. L. Rev. 1863, 1863-65 (2005).

(44.) See Leonard Orland, The Transformation of Corporate Criminal Law, 1 Brook. J. Corp. Fin. & Com. L. 45, 53, 57 (2006).

(45.) See id. at 45-46.

(46.) Wulf A. Kaal & Timothy Lacine, The Effect of Deferred and Non-Prosecution Agreements on Corporate Governance: Evidence from 1993-2013, 70 Bus. Law. 61, 85 fig.1 (2014) (reporting publicly available DPAs/NPAs from 1993-2013).

(47.) See id. (reporting 271 DPAs/NPAs from 1993-2013); see also Garrett, supra note 9, at 65 (reporting 255 DPAs/NPAs from 2001-2012).

(48.) See, e.g., United States v. HSBC Bank USA, N.A., 2013 WL 3306161, at *6-11 (E.D.N.Y. July 1, 2013); Cunningham, supra note 8, at 2-3; see also GARRETT, supra note 9, at 72 ("Most agreements required compliance reforms (63 percent, or 160 of 255 agreements) ... while others cited compliance reforms that regulators required (28 percent, or 71 of 255 agreements)."); Kaal & Lacine, supra note 46, at 93 fig.7 (reporting compliance reforms implemented in 75 percent of publicly available DPAs/NPAs from 1993 through 2013).

(49.) Garrett, supra note 9, at 72 ("The agreements ask that higher-ups endorse new policies, new trainings of employees, and new forms of supervision of employees, and that they provide periodic reports summarizing their progress.").

(50.) See id. at 74 (noting that 71 of 255 agreements studied referred to compliance reforms subject to agreements with industry regulators). The lack of specificity may also reflect the company's implementation of compliance reforms, likely with the prosecutor's input or blessing, prior to completion of the settlement. See id. at 74-75 (noting that 162 of 255 agreements referred to compliance reforms already adopted by the corporate defendant).

(51.) Kaal & Lacine, supra note 46, at 107 fig.18.

(52.) See Garrett, supra note 9, at 72 (noting examples, including the requirement that an accounting firm shut down its private tax practice and a builder shut down a subsidiary that had engaged in fraudulent mortgage practices).

(53.) Id. (reporting that 88 of the 255 agreements studied provided for hiring new employees).

(54.) Kaal & Lacine, supra note 46, at 107 fig. 18 (finding this requirement in 11 percent of the DPAs/NPAs in their sample).

(55.) Garrett, supra note 9, at 72-73; see also Kaal & Lacine, supra note 46, at 96 fig.10 (reporting that, although 31 percent of all agreements including board reforms focused on increased reporting to the board, only 8 percent mandated committee reforms).

(56.) See generally Cristie Ford & David Hess, Can Corporate Monitorships Improve Corporate Compliance?, 34 J. Corp. L. 679 (2008) (describing the evolution of corporate monitorships as part of settlement agreements and analyzing how they function in practice).

(57.) See Garrett, supra note 9, at 174-78 (discussing the appointment of monitors and finding such appointments in 65 of 255 agreements studied).

(58.) See Arlen & Kahan, supra note 8 (critiquing prosecutors' interventions in corporate governance through DPAs/NPAs). The tactic was recently exported to the United Kingdom. See Press Release, The Serious Fraud Office, SFO Agrees First UK DPA with Standard Bank (Nov. 30, 2015) (the first DPA entered into by British authorities).

(59.) Rachel E. Barkow, The Prosecutor as Regulatory Agency, in Prosecutors in the Boardroom, supra note 4, at 177, 177.

(60.) However, unlike the common law, there is no adjudication and no meaningful judicial review. See infra note 213 and accompanying text.

(61.) See PricewaterhouseCoopers, State of Compliance 2014 Survey: What It Means to Be a "Chief" Compliance Officer: Today's Challenges, Tomorrow's Opportunities 17-18 (2014), pwc-state-of-compliance-2014-survey.pdf.

(62.) See id. at 17 ("In the event of a compliance failure, government investigators often compare the organization's compliance program to those of similar organizations (in terms of size, complexity, industry, geographic footprint, etc.). Companies whose programs are not comparable to those of their peers could be subject to harsher penalties.").

(63.) See supra notes 37-40 and accompanying text.

(64.) See generally Nestor M. Davidson & Ethan J. Leib, Regleprudence--at OIRA and Beyond, 103 Geo. L.J. 259 (2015) (discussing the law-like customs and practices that govern the administrative state outside the purview of the courts and APA-based policing).

(65.) Although it acknowledges that there is no "one-size-fits-all program," the Resource Guide emphasizes top-level commitment, clearly articulated policies and procedures, sufficient resources dedicated to oversight and monitoring, regular risk assessments, training and advice, disciplinary measures, third-party vetting, confidential reporting and internal investigations, and periodic testing and review. DOJ & Sec. & Exch. Comm'n [SEC], A Resource Guide to the U.S. Foreign Corrupt Practices Act 57-62 (2012) [hereinafter FCPA Resource Guide]. The Resource Guide also discusses the infamous Garth Peterson incident as an example of effective compliance resulting in a declination. Id. at 61.

(66.) See Mike Koehler, Grading the Foreign Corrupt Practices Act Guidance, 7 White Collar Crime Rep. 961 (2012) (arguing that the Resource Guide "is an advocacy piece ... replete with selective information, half-truths, and, worse, information that is demonstratively false").

(67.) See, e.g., Thomas C. Baxter, Keynote Address: The Changing Face of Corporate Compliance and Corporate Governance, 21 Fordham J. Corp. & Fin. L. 61, 63 (2016) (published speech by the General Counsel of the New York Federal Reserve Bank urging companies to integrate ethics and compliance); Leslie R. Caldwell, Assistant Attorney Gen. for the Criminal Div., DOJ, Remarks at the 22nd Annual Ethics and Compliance Conference (Oct. 1, 2014) (discussing enforcement policy regarding specific aspects of compliance programs).

(68.) See infra Part II.

(69.) For a partial list of relevant texts, see generally Bank Secrecy Act of 1970, 31 U.S.C. [section][section] 5318(h)(1)(A)-(D) (2012) (defining the four pillars of AML compliance); Volcker Rule, 17 C.F.R. [section] 75.20(b) (2014); Basel Comm. on Banking Supervision, Bank for Int'l Settlements, Compliance and the Compliance Function in Banks (2005), publ/bcbs113.pdf [hereinafter BIS]; Comm. of Sponsoring Orgs. of the Treadway Comm'n, Internal Control--Integrated Framework: Executive Summary (2013), mary.pdf; Comptroller of the Currency Adm'r of Nat'l Banks, Bank Supervision Process: Controller Handbook 72-74 app. D (2007) [hereinafter OCC]; FCPA Resource Guide, supra note 65; Ministry of Justice, The Bribery Act 2010--Guidance (2011), legislation/bribery-act-2010-guidance.pdf [hereinafter MOJ]; Org. for Econ. Co-operation & Dev., Good Practice Guidance on Internal Controls, Ethics, and Compliance (2010) [hereinafter OECD]; Letter from Deborah P. Bailey, Deputy Dir., Div. of Banking Supervision & Regulation, and Glenn E. Loney, Deputy Dir., Div. of Consumer and Cmty. Affairs, to Officer in Charge of Supervision & Appropriate Supervisory & Examination Staff at each Fed. Reserve Bank & Certain Orgs. Supervised by Fed. Reserve, SR 08-8/CA OS11 (Oct. 16, 2008) [hereinafter SR Letter 08-8]; Caldwell, supra note 67.

(70.) See Geoffrey Miller, Professor of Law, N.Y. Univ. Sch. of Law, Remarks at Fordham Journal of Corporate & Financial Law Symposium: Changing Face of Corporate Compliance and Corporate Governance (Feb. 9, 2015) (transcript on file with author) [hereinafter Compliance Symposium Panel] (comparing the lists to the eclectic and haphazard classification of animals in Jorge Luis Borges's story, The Celestial Emporium of Benevolent Knowledge).

(71.) See supra note 27 and accompanying text.

(72.) In the words of the Guidelines, "[t]he organization shall establish standards and procedures to prevent and detect criminal conduct." Sentencing Guidelines, supra note 21, [section] 8B2.1(b)(1); accord 31 U.S.C. [section] 5318(h)(1)(A) (2012) (internal policies, procedures); Volcker Rule, 17 C.F.R. [section] 75.20(b)(1) (2015) (written policies, reasonably designed); FCPA Resource Guide, supra note 65, at 57-58 (code of conduct, policies, procedures); OCC, supra note 69, at 21 (established policies, procedures); OECD, supra note 69 (clearly articulated and visible policy); MOJ, supra note 69, at 21 ("proportionate procedures" that are "clear, practical, accessible, effectively implemented, and enforced"); Caldwell, supra note 67 (clear policy, written code).

(73.) For example:
   One of the very exciting areas in compliance today relates to how a
   company's strong ethical culture can impact corporate behavior. One
   aspect of this behavioral change relates to the greater tendency of
   corporate constituents to follow the applicable rules when the
   culture is right. Looking to the future, I envision we will see
   much more empirical research that shows the benefits of merging
   ethics with compliance, and placing both in the hands of a trusted
   corporate officer with a catchy new name--the Chief Ethics and
   Compliance Officer. As we move to the next level, ethics and
   compliance will increasingly become a part of a single program.

Baxter, supra note 67, at 3.

(74.) Fed. Reserve Bank of N.Y., Workshop on Reforming Culture and Behavior in the Financial Services Industry 2, events/events/banking/2014/Summary-Culture-Workshop.pdf (summarizing keynote address of David Walker, Chairman of Barclays, emphasizing policies and procedures, training, compensation practices, and performance metrics).

(75.) Participants at the workshop regularly emphasized the role of compliance in reforming culture as well as the incorporation of incentives for ethical behavior in the design of compensation policies. Id. at 2-5.

(76.) Sentencing Guidelines, supra note 21, [section] 8B2.1(b)(2)(C) ("Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program."); accord 31 U.S.C. [section] 5318(h)(1)(B) (designate CCO); BIS, supra note 69, at 10 (independent compliance function, designated officers); OCC, supra note 69, at 21 (capable compliance management); SR Letter 08-8, supra note 69 (independent compliance staff); Caldwell, supra note 67 (responsible designee). Relatedly, the firm is expected to exercise due diligence to ensure that none of the individuals hired into this function have engaged in illegal acts or conduct inconsistent with the firm's policies and procedures. Sentencing Guidelines, supra note 21, [section] 8B2.1(b)(3).

(77.) See Bank Secrecy Act of 1970, 31 U.S.C. [section] 5318(h)(1)(b); BIS, supra note 69, at 7, 10; SR Letter 08-8, supra note 69.

(78.) See Krawiec, Cosmetic Compliance, supra note 8, at 491-95 (explaining that policies can look good on paper but nevertheless fall short of actual compliance).

(79.) See Caldwell, supra note 67 ("A company should assign responsibility to senior executives for the implementation and oversight of the compliance program.... Those executives should have the authority to report directly to independent monitoring bodies, including internal audit and the Board of Directors, and should have autonomy from management.").

(80.) See, e.g., Lawrence E. Mitchell, Structural Holes, CEOs, and Informational Monopolies: The Missing Link in Corporate Governance, 70 Brook. L. Rev. 1313, 1351-54 (2005) (describing how "structural holes" in firms encourage fraud).

(81.) See Sentencing Guidelines, supra note 21, [section] 8B2.1(b)(5)(C) (requiring the firm "to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization's employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation"); accord FCPA Resource Guide, supra note 65 (system for confidential reporting); Caldwell, supra note 67 ("A company should have an effective system for confidential, internal reporting of compliance violations.").

(82.) Sentencing Guidelines, supra note 21, [section] 8B2.1(b)(2)(C) ("Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority."); accord BIS, supra note 69, at 9-12 (board involvement); SR Letter 08-8, supra note 69 (firmwide approach); Caldwell, supra note 67 (noting that compliance authorities "should have the authority to report directly to independent monitoring bodies, including internal audit and the Board of Directors").

(83.) See Caldwell, supra note 67 ("A company should implement mechanisms designed to ensure that its compliance code is effectively communicated to all directors, officers, employees. This means repeated communication, frequent and effective training, and an ability to provide guidance when issues arise.").

(84.) See Sentencing Guidelines, supra note 21, [section] 8B2.1(b)(4) ("The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program ... by conducting effective training programs and otherwise disseminating information appropriate to such individuals' respective roles and responsibilities."); accord Volcker Rule, 17 C.F.R. [section] 75.20(b)(3) (2015) (clear framework of responsibility and accountability).

(85.) See Sentencing Guidelines, supra note 21, [section] 8B2.1(b)(2)(A) ("The organization's governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program."); id. [section] 8B2.1(b)(2)(B) ("High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program.... Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program."); accord Caldwell, supra note 67 (emphasizing "high-level commitment" and "tone at the top").

(86.) Sentencing Guidelines, supra note 21, [section] 8B2.1(b)(5)(A) (requiring reasonable steps "to ensure that the organization's compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct").

(87.) Id. [section] 8B2.1(b)(5)(B) (requiring periodic evaluation of "the effectiveness of the organization's compliance and ethics program"); accord BIS, supra note 69, at 8 (periodic review by internal audit); FCPA Resource Guide, supra note 65, at 61-62 ("continuous improvement" through "periodic testing and review"); Caldwell, supra note 67 ("A company should conduct periodic reviews and testing of its compliance code .... [C]ompliance programs must evolve with changes in the law, business practices, technology, and culture.").

(88.) Compliance & Legal Div., Sec. Indus. Ass'n, White Paper on the Role of Compliance 5 (2005), f ("Compliance Department personnel generally operate a firm's 'control room' that, among other things, administers information barriers between business units. For example, Compliance personnel maintain watch and restricted lists, and handle wall crossings by firm personnel as necessary and appropriate.") (footnote omitted).

(89.) For example, brokerage houses might use trade surveillance in, or automated screening against, lists of sanctioned individuals or organizations. See, e.g., Bridger Insight XG, LexisNexis (last visited Apr. 15, 2016) (promoting software product as "a fully integrated compliance platform").

(90.) Kenneth Bamberger, Technologies of Compliance: Risk and Regulation in a Digital Age, 88 Tex. L. Rev. 669, 674 (2010) (describing the large and increasing market for compliance-technology products).

(91.) See Stuart Breslow, Managing Dir. & Chief Compliance Officer, Morgan Stanley, & Alan Cohen, Exec. Vice President & Global Head of Compliance, Goldman Sachs Grps., Inc., Compliance Symposium Panel, supra note 70 (Breslow noting that "we have 3 million e-communications a day at our organization," and Cohen noting that "[e]very month we record, if you played it end to end, 10 years' worth of voice").

(92.) Id. (Breslow noting: "[W]e're all in the same boat in this in terms of trying to use big data providers ... to pull together lots of information from lots of different data sources within the organizations. Boy, is that hard.").

(93.) See Miriam H. Baer, When the Corporation Investigates Itself, in Research Handbook on Corporate Crime and Financial Misdealing 1, 1-2 (Jennifer H. Arlen ed., forthcoming 2016) (summarizing the literature on internal investigations and analyzing the problem of detection avoidance).

(94.) Although the underlying misconduct may be criminal and the results are likely to be turned over to the government, employees subject to internal corporate investigation do not need to be given Miranda warnings and cannot assert Fifth Amendment protections. Bruce A. Green & Ellen S. Podgor, Unregulated Internal Investigations: Achieving Fairness for Corporate Constituencies, 54 B.C. L. Rev. 73, 87 (2013); see also Miriam Hechler Baer, Corporate Policing and Corporate Governance: What Can We Learn from Hewlett-Packard's Pretexting Scandal?, 77 U. Cin. L. Rev. 523, 554-55 (2008) (arguing that "policing" and "governance" are incompatible because the former involves deceit whereas the latter trumpets transparency).

(95.) See Caldwell, supra note 67 ("A company should establish an effective process with sufficient resources for responding to, investigating, and documenting allegations of violations.").

(96.) See id. ("A company should institute compliance requirements pertaining to the oversight of all agents and business partners.").

(97.) FCPA Resource Guide, supra note 65, at 60-61.

(98.) The Wolfsberg Grp., Wolfsberg Anti-Money Laundering Principles for Correspondent Banking 1-2 (2014), Wolfsberg-Correspondent-Banking-Principles-2014.pdf (industry association compliance guidelines).

(99.) See Caldwell, supra note 67 ("I cannot emphasize strongly enough the need to sensitize third parties.") (emphasis added).

(100.) See id. ("[T]hese partners need to understand that the company really expects its partners to be compliant. This often means more than just including a boilerplate paragraph in a contract in which the partner promises to comply with the law and company policies. It means warning, even terminating, relationships with partners who fail to behave in a compliant manner.").

(101.) See id. (emphasizing even-handed enforcement and noting: "People watch what people do more carefully than what they say. When it comes to compliance, you must both say and do").

(102.) See Sentencing Guidelines, supra note 21, [section] 8B2.1 cmt. n.2 ("An organization's failure to incorporate and follow applicable industry practice or the standards called for by any applicable governmental regulation weighs against a finding of an effective compliance and ethics program.").

(103.) Id. [section] 8B2.1(b)(7) ("After criminal conduct has been detected, the organization shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization's compliance and ethics program.").

(104.) Breslow & Cohen, Compliance Symposium Panel, supra note 91 ("[F]inancial services is far more mature when it comes to compliance than virtually any other industry. [Except m]aybe pharma and some aerospace."). Although outside the scope of this Article, the development of compliance has to do with patterns of regulation and enforcement in these industries. See id. Financial services compliance expanded as a result of the government's interest in terrorist finance and with the need to respond to the financial crisis. See id. Pharmaceutical compliance has to do principally with consumer protection concerns relating to the marketing of drugs and with government contracts through Medicare/Medicaid. See id. Likewise, defense/aerospace has to do with the demands of government procurement. Compliance, Aerospace Indus. Ass'n (last visited Apr. 15, 2016).

(105.) Moreover, industries that experience an uptick in enforcement activity may also see a renewed push in compliance. See, e.g., Jesse Newman, Criminal Cases Roil Food Industry, Wall St. J. (May 20, 2015, 7:42 PM) (reporting on increased focus in criminal investigations and prosecutions of companies in the food industry and concomitant "efforts to bolster food safety" by firms in the industry).

(106.) See infra Part IV.B (advocating public disclosure of compliance details).

(107.) Survey responses may not be representative. Moreover, the consulting firms that take the surveys may also be guilty of overemphasizing the importance of compliance in order to persuade firms to upgrade their compliance departments and, not coincidentally, to sell their consulting services.

(108.) Deloitte & Compliance Week, supra note 12, at 11 (noting that the five most commonly listed CCO responsibilities are "compliance training," "code of conduct," "whistleblower programs," "compliance with domestic regulations," and "compliance strategy & process," and the five least commonly listed CCO responsibilities are "regulatory filings," "regulatory relationship management," "records management," "culture assessment," and "business continuity"); see also PRICEWATERHOUSECOOPERS, supra note 61, at 4.

(109.) Soc'y of Corp. Compliance & Ethics & NYSE Governance Servs., Compliance and Ethics Program Environment Report 42 (2014) [hereinafter SCCE & NYSE Report]; see also PRICEWATERHOUSECOOPERS, supra note 61, at 21 (emphasizing social media as an area coming within the ambit of compliance).

(110.) PRICEWATERHOUSECOOPERS, supra note 61, at 4. Recent high-profile examples include the December 2013 data breach at Target and the December 2014 breach at Morgan Stanley. See Justin Baer, U.S. Shifts Focus of Morgan Stanley Breach Probe, Wall St. J. (Feb. 18, 2015), 501 (describing December 2014 breach of Morgan Stanley client information); Data Breach FAQ, Target, faq (last visited Apr. 15, 2016) (answering questions for guests impacted by the Target data breach).

(111.) DeStefano, supra note 15, at 103-04 ("Recently, [governmental authorities] have forced corporations ... to develop a distinct compliance department and designate a chief compliance officer that does not report to the general counsel but instead to the CEO with direct access to the board. Other corporations ... have followed suit.").

(112.) See, e.g., PricewaterhouseCoopers, supra note 61, at 8 (advocating this structure by asserting that "all companies, regardless of size or industry sector, could benefit by naming a chief compliance officer" and noting that companies investigated by the government "often find themselves later required to establish and maintain a CCO function"). For a contrary view, see generally Vikramaditya Khanna, An Analysis of Internal Governance and the Role of the General Counsel in Reducing Corporate Crime, in Research Handbook on Corporate Crime and Financial Misdealing, supra note 93 (summarizing the literature and arguing that separating compliance from legal may lead to less effective compliance because it weakens intrafirm information flows and leads to costly duplication of effort).

(113.) See PRICEWATERHOUSECOOPERS, supra note 61, at 7-8 (finding that although 69 percent of all respondents have a CCO, 88 percent of large companies do, and 86 percent of all companies in more highly regulated industries do).

(114.) See DELOITTE & COMPLIANCE WEEK, supra note 12, at 5 (finding that 50 percent of respondents have a stand-alone CCO); PRICEWATERHOUSECOOPERS, supra note 61, at 10 (reporting that 54 percent of respondents indicated that the CCO "wears multiple hats"); accord DeStefano, supra note 15, at 100 (summarizing studies and finding that "[t]he number of corporations in which the general counsel is also the chief compliance officer and in which the chief compliance officer reports to the general counsel appears to be decreasing").

(115.) PRICEWATERHOUSECOOPERS, supra note 61, at 9 (finding that 34 percent of respondents report to the CEO, 27 percent to legal, 17 percent to the board, 8 percent to the CFO, 6 percent to the chief risk officer); SCCE & NYSE Report, supra note 109, at 11 (finding 38 percent of respondents report to the CEO, 20 percent to some other officer or entity, 19 percent to the board, 18 percent to the chief legal officer).

(116.) SCCE & NYSE REPORT, supra note 109, at 12 (finding that 79 percent of CCOs have dotted-line reporting to the board); id. at 6 (noting regularity of board contact).

(117.) PricewaterhouseCoopers, supra note 61, at 14.

(118.) Deloitte & Compliance Week, supra note 12, at 9 (reporting that half of all respondents who knew their compliance budget reported that it was at least $1 million); Ponemon Inst., The True Cost of Compliance: A Benchmark Study of Multinational Organizations (2011) (reporting average compliance budget for a multinational firm in their sample at over $3.5 million); PricewaterhouseCoopers, supra note 61, at 15 (noting that "42% of [respondents] in heavily regulated industries have budgets of at least $1 million").

(119.) PRICEWATERHOUSECOOPERS, supra note 61, at 14.

(120.) Id.

(121.) Deloitte & Compliance Week, supra note 12, at 9.

(122.) See SCCE & NYSE REPORT, supra note 109, at 26.

(123.) PricewaterhouseCoopers, State of Compliance 2014: Financial Services Industry Brief 3 (2014), services.pdf.

(124.) Id. at 5, 9.

(125.) PricewaterhouseCoopers, State of Compliance 2014: Pharmaceutical and Life Sciences Industry Brief 6-8 (2014), pharma-and-life-sciences.pdf.

(126.) Id. at 14-16.

(127.) PricewaterhouseCoopers, State of Compliance 2014: Manufacturing Industry Brief 7-8 (2014), assets/pwc-soc-manufacturing.pdf [hereinafter Manufacturing Brief] (reporting that 60 percent of respondents in the manufacturing industry have a CCO but that 69 percent of these wear multiple hats); PricewaterhouseCoopers, State of Compliance 2014: Retail and Consumer Industry Brief 6-7 (2014), us/en/risk-management/state-of-compliance-survey/assets/pwc-soc-retail-and-consumer.pdf [hereinafter Retail and Consumer Brief] (reporting that 48 percent of respondents in the retail and consumer industries have a CCO and that 70 percent of these wear multiple hats).

(128.) PricewaterhouseCoopers, Manufacturing Brief, supra note 127, at 15-17; PricewaterhouseCoopers, Retail and Consumer Brief, supra note 127, at 14-15.

(129.) See supra note 104.

(130.) PricewaterhouseCoopers, supra note 61, at 10; see also Economist Intelligence Unit, The Economist, Ascending the Maturing Curve: Effective Management of Enterprise Risk and Compliance 1 (2011) (reporting results demonstrating different levels of "maturity" of compliance across industries).

(131.) See Ronald E. Berenbeim, Universal Conduct: An Ethics and Compliance Benchmarking Survey 5 (2006).

(132.) Like financial institution compliance, the new Wal-Mart compliance structure is hierarchical and centralized around a home office CCO. Responsibilities are also divided by region and risk and allocated to an individual compliance manager, much as a global bank might have a CCO but also segregate risk by region and employ a separate compliance manager for AML, for bribery and corruption, for sanctions, and for product risk. See Global Compliance Program Report on Fiscal Year 2014, Wal-Mart, global-responsibility/global-compliance-program-report-on-fiscal-year-2014 [https://perma.cc/3DWP-SERA] (last visited Apr. 15, 2016).

(133.) See Baxter, supra note 67, at 5 ("We simply do not have a tool that will give us an accurate and reliable measure of program effectiveness.").

(134.) See Economist Intelligence Unit, supra note 130, at 4 (reporting that most respondents view their compliance functions as above average until they experience a failure).

(135.) Deloitte & Compliance Week, supra note 12, at 13.

(136.) Id. at 12.

(137.) For example, although financial services CCOs focus heavily on compliance audits and risk assessments, both of which have a forward-looking element, CCOs in other industries report that they principally track rates of completion for compliance trainings. Compare PricewaterhouseCoopers, supra note 61, at 16, with SCCE & NYSE REPORT, supra note 109, at 93-94.

(138.) See PricewaterhouseCoopers, supra note 61, at 16 (illustrating the point with the following example: "[M]any organizations use training completion rates and hotline metrics in their program evaluations. These statistics are useful, but other measures may do a better job of helping management to understand whether the organization is more or less exposed to risk.").

(139.) See Compliance Symposium Panel, supra note 70 (major financial institution CCO describing his compliance program: "We have all the core elements and beyond ... but in the job of preventing and detecting the firm, engaging in conduct that would either violate rules or cause reputational damage or in other ways result in a bad impact, I think only results tell us that.").

(140.) Id. (another major financial institution CCO).

(141.) See, e.g., Stephen M. Bainbridge, Corporate Governance After the Financial Crisis 2 (2012) ("Corporate governance, broadly defined, consists of the institutional structures, legal rules, and best practices that determine which body within the corporation is empowered to make particular decisions, how the members of that body are chosen, and the norms that should guide decision making."); Margaret M. Blair, Ownership and Control: Rethinking Corporate Governance for the Twenty-First Century 3 (defining corporate governance as "the whole set of legal, cultural, and institutional arrangements that determine what publicly traded corporations can do, who controls them, how that control is exercised, and how the risks and return from the activities they undertake are allocated"); Miller, supra note 12, at 2 (noting that governance "has to do with the structure of control within an organization").

(142.) See Adrian Cadbury, Report of the Committee on the Financial Aspects of Corporate Governance 14 (1992) ("Corporate governance is the system by which companies are directed and controlled.").

(143.) Scholars have defined compliance, on the one hand, as the internal processes used to bring organizational behavior in line with relevant norms, and governance, on the other, as the mechanisms by which corporations are directed and controlled. See supra text accompanying notes 12-14 (compliance), 142 (governance).

(144.) Baer, supra note 9, at 951-52.

(145.) See supra note 18 and accompanying text.

(146.) See, e.g., Oliver E. Williamson, The Economic Institutions of Capitalism 306 (1985) ("The board of directors thus arises endogenously, as a means by which to safeguard the investments of those who face a significant risk of expropriation."); Eugene F. Fama & Michael C. Jensen, Separation of Ownership and Control, 26 J.L. & Econ. 301, 311 (1983) (describing the board of directors as a basic decision-control system); see also Del. Code Ann. tit. 8, [section] 141(a) (2015).

(147.) See, e.g., Del. Code Ann. tit. 8, [section] 141(c).

(148.) See, e.g., Stephen M. Bainbridge, Director Primacy: The Means and Ends of Corporate Governance, 97 Nw. U. L. Rev. 547, 559-60 (2003).

(149.) SR Letter 08-8, supra note 69.

(150.) Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, 124 Stat. 1376 (2010) (requiring investment advisors with significant assets under management to register with the SEC and maintain a compliance function). The Act also created an Office of Compliance Inspections and Examinations within the SEC to enforce the requirement. See Office of Compliance Inspections and Examinations, SEC (last visited Apr. 15, 2016).

(151.) See John Carney, Big-Bank Board Game Puts Shareholders in Second Place, Wall St. J. (Apr. 5, 2015), 1428255363 (describing regulatory intrusions on board authority); Craig, supra note 1 (same). The board retains some authority over the design and operation of this function, but even so, boards are not completely free in exercising that authority.

(152.) See supra Part I.A.

(153.) See supra notes 48-59 and accompanying text.

(154.) See supra notes 60-67 and accompanying text.

(155.) See supra text accompanying note 62.

(156.) As noted, however, there is significant variation among industries as to the extent to which this mandate is imposed. See supra Part I.C.3.

(157.) See D. Daniel Sokol, Competition Policy and Comparative Corporate Governance of State-Owned Enterprises, 2009 BYU L. Rev. 1713, 1717-18 (discussing the difference between exogenous and endogenous theories of corporate governance).

(158.) Stock exchanges have also been a source of governance authority. See Paul G. Mahoney, The Exchange as Regulator, 83 Va. L. Rev. 1453, 1455 (1997). Increasingly, however, exchanges have become a means through which the government exerts regulatory authority. See William A. Birdthistle & M. Todd Henderson, Becoming a Fifth Branch, 99 Cornell L. Rev. 1, 5 (2013) (arguing that exchanges, as self-regulatory organizations, are becoming a "'fifth branch' of government"); Robert B. Thompson, Corporate Federalism in the Administrative State: The SEC's Discretion to Move the Line Between the State and Federal Realms of Corporate Governance, 82 Notre Dame L. Rev. 1143, 1177 (2007) (discussing how, by acting through exchanges, the SEC can "extend its reach further into the domain traditionally reserved for state law than would be available to it if it directly sought to promulgate the same substantive rule through federal regulation"). They are therefore excluded from this account for the sake of brevity.

(159.) This Section will focus predominantly on Delaware law, which is so often chosen by corporations as to amount to national corporate law. See Ronald J. Gilson, Globalizing Corporate Governance: Convergence of Form or Function, 49 Am. J. Comp. L. 329, 350 (2001) ("The aggregated choices of a majority of publicly traded U.S. corporations have resulted in a convergence on the Delaware General Corporation Law as a de facto national corporate law.").

(160.) See Revlon, Inc. v. MacAndrews & Forbes Holdings, Inc., 506 A.2d 173, 185 (Del. 1986) (creating special scrutiny of fiduciary duty when a company is sold); see also Kahn v. M & F Worldwide Corp., 88 A.3d 635, 644 (Del. 2014) (allowing procedural protections--special committee approval and majority of the minority shareholder ratification--to shift the standard of review for controlling shareholder mergers).

(161.) See, e.g., In re Sauer-Danfoss Inc. S'holders Litig., 65 A.3d 1116, 1137 (Del. Ch. 2011) (setting price parameters for awarding fees in a merger litigation settlement).

(162.) There is no compliance mandate in either the Delaware General Corporation Law or the Model Business Corporation Act. See generally Del. Code Ann. tit. 8, ch. 1 (2010); Model Bus. Corp. Act (2008).

(163.) The business judgment rule is a judicial presumption that boards act in good faith, in the best interests of the corporation, and with adequate information and deliberation. See Aronson v. Lewis, 473 A.2d 805, 812 (Del. 1984); Stephen M. Bainbridge, The Business Judgment Rule as Abstention Doctrine, 57 Vand. L. Rev. 83, 87 (2004) ("The business judgment rule.... is better understood as a doctrine of abstention pursuant to which courts in fact refrain from reviewing board decisions unless exacting preconditions for review are satisfied."); see also Gagliardi v. Trifoods Int'l, Inc., 683 A.2d 1049, 1052 (Del. Ch. 1996) (justifying the business judgment rule by the need to avoid inducing risk aversion on the part of boards of directors).

(164.) 188 A.2d 125, 130 (Del. 1963) (holding that, absent red flags, directors were under "no duty ... to install and operate a corporate system of espionage to ferret out wrongdoing").

(165.) In re Caremark Int'l Inc. Derivative Litig., 698 A.2d 959, 970 (Del. Ch. 1996) (suggesting that fiduciary duty might require corporate directors to "exercise a good faith judgment that the corporation's information and reporting system is in concept and design adequate to assure the board that appropriate information will come to its attention in a timely manner").

(166.) 911 A.2d 362, 372-73 (Del. 2006). In retrospect, Caremark probably never deserved the attention it received--it was merely a decision approving settlement of a derivative suit. See In re Caremark, 698 A.2d at 960. In order to approve the settlement, which involved only corporate therapeutics and no monetary relief, Chancellor Allen first had to decide that the settlement was fair in light of the merits of the claim. Id. at 961. In other words, he had to decide that the claim had some positive value, a conclusion he could not have reached under Graham v. Allis Chalmers Manufacturing Co. He therefore faced a stark choice--reject the settlement or criticize Graham. See id. at 969-70. Because the settlement was unopposed and public policy generally favors private resolution of disputes, he elected to approve the settlement but, notably, only after substantially reducing attorneys' fees. Id. at 972. The decision's criticism of Graham thus belonged to a special context that ultimately could not support all of the weight that was subsequently put on it. See Jennifer Arlen, The Story of Allis-Chalmers, Caremark, and Stone: Directors' Evolving Duty to Monitor, in Corporate Law Stories 323, 345-46 (J. Mark Ramseyer ed., 2009).

(167.) See Stone, 911 A.2d at 369 (providing for liability "where the fiduciary intentionally acts with a purpose other than that of advancing the best interests of the corporation, where the fiduciary acts with the intent to violate applicable positive law, or where the fiduciary intentionally fails to act in the face of a known duty to act" (quoting In re Walt Disney Co. Derivative Litig., 906 A.2d 27, 67 (Del. 2006))).

(168.) Although Stone contemplates that the requisite state of mind may be shown by demonstrating that the board has "utterly failed to implement any reporting or information system or controls," the emphasis on the utter failure to implement any such system plainly demonstrates the court's lack of interest in deciding close questions about the relative effectiveness of compliance programs. Id. at 370. Consequently, lack of oversight claims have been acknowledged as "one of, if not the most, difficult theories upon which to prevail." In re Fed. Nat'l Mortg. Ass'n Sec., Derivative & "ERISA" Litig., 503 F. Supp. 2d 9, 18 (D.D.C. 2007). Difficult, but not impossible. See, e.g., Am. Int'l Grp., Inc. v. Greenberg, 965 A.2d 763, 799 (Del. Ch. 2009) (refusing to dismiss plaintiffs' failure to monitor claim against the AIG board in connection with inadequate internal controls over financial reporting, holding that plaintiffs' allegations fairly support the inference that defendants led a "criminal organization").

(169.) See, e.g., In re Goldman Sachs Grp., Inc. S'holder Litig., No. 5215-VCG, 2011 WL 4826104, at *20 (Del. Ch. Oct. 12, 2011) ("The conduct at issue here involves, for the most part, legal business decisions that were firmly within management's judgment to pursue .... Legal, if risky, actions that are within management's discretion to pursue are not 'red flags' that would put a board on notice of unlawful conduct."); In re Citigroup Inc. S'holder Derivative Litig., 964 A.2d 106, 131 (Del. Ch. 2009) ("While it may be tempting to say that directors have the same duties to monitor and oversee business risk, imposing Caremark-type duties on directors to monitor business risk is fundamentally different. Citigroup was in the business of taking on and managing investment and other business risks. To impose oversight liability on directors for failure to monitor 'excessive' risk would involve courts in conducting hindsight evaluations of decisions at the heart of the business judgment of directors.").

(170.) See Rich ex rel. Fuqi Int'l, Inc. v. Yu Kwai Chong, 66 A.3d 963, 982-84 (Del. Ch. 2013) (refusing to dismiss an oversight claim against a foreign-based Delaware company because it had "no meaningful controls in place" and, further, that the board's failure to monitor what controls it did have in place could potentially support liability); In re China Agritech, Inc. S'holder Derivative Litig., No. 7163-VCL, 2013 WL 2181514, at *20-21 (Del. Ch. Feb. 21, 2013) (refusing to dismiss a Caremark claim against a board of a foreign-based Delaware corporation that allegedly defrauded investors); Transcript of Oral Argument at 17-18, 21, In re Puda Coal, Inc. Stockholders Litig., No. 6476-CS, 2013 WL 769400 (Del. Ch. Feb. 6, 2013) [hereinafter Puda Coal Transcript] (emphasizing fiduciary duties of directors of foreign-based Delaware companies with regard to accounting controls).

(171.) See, e.g., Puda Coal Transcript, supra note 170, at 17-21 (emphasizing that directors must be physically present and possess language skills sufficient to verify the adequacy of the corporation's system of controls as well as the capabilities of the lawyers and accountants charged with administering that system).

(172.) See In re Caremark Int'l Inc. Derivative Litig., 698 A.2d 959, 971 (Del. Ch. 1996) ("Generally where a claim of directorial liability for corporate loss is predicated upon ignorance of liability creating activities ... only a sustained or systematic failure of the board to exercise oversight ... will establish the lack of good faith that is a necessary condition to liability."). Delaware may provide a basis for director liability on the basis of a compliance system implemented as a sham--that is, not implemented in good faith. See, e.g., Yu Kwai Chong, 66 A.3d at 984-85.

(173.) See The Laws that Govern the Securities Industry, SEC (Oct. 1, 2013), http://www.sec.gov/about/laws.shtml.

(174.) See generally Robert B. Thompson, Preemption and Federalism in Corporate Governance: Protecting Shareholder Rights to Vote, Sell, and Sue, 62 Law & Contemp. Probs. 215, 215-25 (1999) (describing traditional federal and state spheres with regard to corporate governance and means by which the federal government, through the SEC, can engage in greater corporate governance rule making); see also Fanto, supra note 8, at 914 (advocating a more expansive corporate governance role for the SEC).

(175.) See 15 U.S.C. § 781 (2012).

(176.) See, e.g., Carl W. Schneider, Arbitration in Corporate Governance Documents: An Idea the SEC Refuses to Accelerate, 4 Insights 21, 21 (1990) (discussing the SEC's refusal to accelerate effectiveness of an IPO because of the presence of a mandatory arbitration clause in the company's organizational documents).

(177.) See Roberta S. Karmel, Comm'r, SEC, Speech to the Public Securities Association, Marco Island, Florida: What Should Be the Role of the SEC in the Public Securities Markets? (Oct. 20, 1978), [ 259V-52YD] ("The Commission's traditional role ... is primarily that of an advocate for investor protection.").

(178.) 17 C.F.R. § 240.14a-2 (2015); see also 15 U.S.C. § 78m(d)-(f).

(179.) 17 C.F.R. § 240.14a-21 (2015); see also 15 U.S.C. § 78n-1.

(180.) 17 C.F.R. §§ 240.10A-2, 10A-3(b) (2015); see also 15 U.S.C. §§ 78j-1(m)(3)(A), 7201(3).

(181.) 17 C.F.R. § 210.2-02 (2014); see also 15 U.S.C. § 7262(a). This requirement was subsequently interpreted to require an audit of the design and effective operation of the company's internal accounting controls. See Pub. Co. Accounting Oversight Bd. [PCAOB], Release No. 2004-001, Auditing Standard No. 2 (2004), making/Docket008/2004-03-09_Release_2004-001-all.pdf.

(182.) See generally Bainbridge, supra note 148, at 573 (modeling the central question of corporate law as the trade-off between authority and accountability).

(183.) Edgar v. MITE Corp., 457 U.S. 624 (1982); see also Roberta S. Karmel, Realizing the Dream of William O. Douglas--The Securities and Exchange Commission Takes Charge of Corporate Governance, 30 Del. J. Corp. L. 79, 81 (2005).

(184.) See Frank H. Easterbrook & Daniel R. Fischel, The Economic Structure of Corporate Law (1991).

(185.) See Jill E. Fisch, The Long Road Back: Business Roundtable and the Future of SEC Rulemaking, 36 Seattle U. L. Rev. 695, 709-12 (2013); Eric Posner & Glen Weyl, Benefit-Cost Paradigms in Financial Regulation 2 (Coase-Sandor Inst. for Law & Econ., Working Paper No. 660, 2014).

(186.) See Bus. Roundtable v. SEC, 647 F.3d 1144, 1151 (D.C. Cir. 2011) (vacating proxy access proposal on basis of flawed cost-benefit analysis because the SEC "discounted the costs of [the proposed rule]--but not the benefits"); Am. Equity Inv. Life Ins. Co. v. SEC, 613 F.3d 166, 179 (D.C. Cir. 2010) (vacating proposed rule for failure to conduct adequate cost-benefit analysis, specifically failure "to determine whether, under the existing regime, sufficient protections existed to enable investors to make informed investment decisions and sellers to make suitable recommendations to investors"); Chamber of Commerce v. SEC, 412 F.3d 133, 136 (D.C. Cir. 2005) (holding that the SEC violated the Administrative Procedure Act "by failing adequately to consider the costs mutual funds would incur in order to comply with the conditions").

(187.) Am. Equity, 613 F.3d at 178 (emphasizing the importance of a baseline for comparison).

(188.) Chamber of Commerce, 412 F.3d at 145 (finding that the SEC has an obligation to consider alternatives that are "neither frivolous nor out of bounds").

(189.) Bus. Roundtable, 647 F.3d at 1150 (emphasizing the error in failing to estimate and discount the costs associated with the benefit).

(190.) Memorandum from SEC Div. of Risk, Strategy & Fin. Innovation & Office of Gen. Counsel to Staff of the Rulewriting Divs. & Offices 1 (Mar. 16, 2012), divisions/riskfin/rsfi_guidance_econ_analy_secrulemaking.pdf.

(191.) Id. at 6 ("The baseline serves as a primary point of comparison [because].... [a]n economic analysis of a proposed regulatory action compares the current state of the world ... to the expected state of the world with the proposed regulation (or regulatory alternatives) in effect.").

(192.) Id. at 8-9.

(193.) Id. at 13-14 (requiring that an explanation be provided where quantification is impossible).

(194.) See Chamber of Commerce v. SEC, 412 F.3d 133, 144 (D.C. Cir. 2005).

(195.) See supra Part I.A.

(196.) Of course, private plaintiffs also enforce certain aspects of securities law. These litigants, however, often act in the wake of a government enforcement action. See Sean J. Griffith, Correcting Corporate Benefit: How to Fix Shareholder Litigation by Shifting the Doctrine on Fees, 56 B.C. L. Rev. 1, 9-10 (2015) (discussing "tag-along" suits). In any event, the role of private plaintiffs in extracting governance reforms on behalf of plaintiffs is outside the scope of this Article.

(197.) See Barkow, supra note 59, at 185-92 (arguing that "[t]he model of 'prosecutor-slash-regulator' is in tension with a government based on strict separation of powers" and problematic under the present system because prosecutors are relatively unconstrained and lack formal expertise to regulate the matters that come before them).

(198.) As an enforcer of securities law, the SEC brings civil actions or criminal actions for violations of securities law in concert with the DOJ. In this capacity, the SEC brings claims and settles them, just as prosecutors do, for a monetary payment and compliance reforms. See, e.g., In re Barclays Capital, Inc., Exchange Act Release No. 73183, 109 SEC Docket 17 (Sept. 23, 2014) (cease-and-desist order in which Barclays Capital agreed to pay $15 million penalty and agreed to appoint an independent consultant to recommend compliance reforms); Litigation Release No. 23159, SEC, SEC Charges Avon Products, Inc. with FCPA Violations (Dec. 17, 2014), [ 5VB3-H47T] (announcing settlement with Avon Products, Inc., involving a $67 million monetary payment and the appointment of "an independent compliance monitor to review its FCPA compliance program for a period of 18 months, followed by an 18-month period of self-reporting on its compliance efforts").

(199.) See Baer, supra note 9, at 952-53 (emphasizing opacity of compliance formed in an adjudicative rather than administrative context).

(200.) Id. at 976.

(201.) Compare William L. Cary, Federalism and Corporate Law: Reflections upon Delaware, 83 Yale L. J. 663, 701-05 (1974) (proposing federal corporate uniformity standards to mitigate the "race for the bottom" among states), with Ralph K. Winter, Jr., State Law, Shareholder Protection, and the Theory of the Corporation, 6 J. Legal Stud. 251, 289-92 (1977) (arguing that competition among states to attract business incorporation results in pro-investor law).

(202.) See, e.g., Mark J. Roe, Delaware's Competition, 117 Harv. L. Rev. 588 (2003) (modeling the interplay between Delaware and the federal government in the production of corporate law rules).

(203.) See John C. Coffee, Jr., The Political Economy of Dodd Frank: Why Financial Reform Tends to be Frustrated and Systematic Risk Perpetuated, 97 Cornell L. Rev. 1019, 1028-29 (2012).

(204.) See id.

(205.) See id. at 1021-22.

(206.) Mark J. Roe, Delaware and Washington as Corporate Lawmakers, 34 Del. J. Corp. L. 1, 8 (2009) ("Washington acts only sporadically, it is often divided, and it often has more important issues than corporate governance rules on its agenda.").

(207.) Coffee, supra note 203, at 1029 (arguing that "regulatory oversight is never constant but rather increases after a market crash and then wanes as, and to the extent that, society and the market return to normalcy" as a result of the declining public support necessary to "oppose powerful interest groups").

(208.) This is not to say that prosecutors are wholly insulated from populist or other political pressures. See generally Daniel Richman, Political Control of Federal Prosecutions: Looking Back and Looking Forward, 58 Duke L. J. 2087 (2009) (exploring political control over federal criminal enforcement); David Zaring, Litigating the Financial Crisis, 100 Va. L. Rev. 1405 (2014).

(209.) See generally Angela J. Davis, The American Prosecutor: Independence, Power, and the Threat of Tyranny, 86 Iowa L. Rev. 393, 397 (2001) (arguing that "prosecutors daily exercise practically unlimited discretion").

(210.) See generally Miriam H. Baer, Choosing Punishment, 92 B.U. L. Rev. 577, 620-21 (2012).

(211.) See generally id. (contrasting regulation with prosecution); Max Minzner, Why Agencies Punish, 53 Wm. & Mary L. Rev. 853 (2012) (discussing punishment in context of regulation).

(212.) See Roberta Romano, The Genius of American Corporate Law 9 (1993).

(213.) This is particularly true in the context of DPAs and NPAs, which, unlike guilty pleas, involve at most minimal judicial review. See generally Albert W. Alschuler, The Defense Attorney's Role in Plea Bargaining, 84 Yale L. J. 1179, 1291-94 (1975) (noting that a typical guilty plea involves judicial review, not only of the competency of the defendant to admit his or her crimes, but also of the factual basis of the plea). An NPA involves no judicial review at all because the charges, as the name suggests, are never formally filed, whereas a DPA involves minimal judicial review because of the simultaneous filing of charges and deferral of prosecution. See Greenblum, supra note 43, at 1863-65.

(214.) See Mark J. Roe, Delaware's Politics, 118 Harv. L. Rev. 2491, 2502-03 (2005) ("[I]n Congress, the players and ideas differ.... Interest groups that can't take the franchise tax away from Delaware can play a role in Congress. The AFL-CIO comes to mind, as do public interest lobbying groups.").

(215.) Under traditional models, states compete for corporate charters in order to raise tax revenues. Because only shareholders and managers have input on the decision of where to incorporate, states seek to appeal to these interests alone in designing their corporate law. Romano, supra note 212, at 8-9.

(216.) Roe, supra note 206, at 17 ("[W]hen Washington acts on corporate law, it brings with it another strain of public policy: American populist sentiment and national public opinion, which are not always friendly to corporate productivity and corporate power.").

(217.) Compare Michael C. Jensen & William H. Meckling, Theory of the Firm: Managerial Behavior, Agency Costs and Capital Structure, 3 J. Fin. Econ. 305 (1976) (addressing the problem of "agency costs"), with Oliver E. Williamson, Mechanisms of Governance 173 (1996) (noting that what agency theory refers to as "agency costs" are referred to in transaction cost economics as "opportunism," "[b]ut the concerns are the same, whence these are merely terminological differences"). The problem, however described, has been a focus of the literature since Berle and Means. See Adolph A. Berle, Jr. & Gardiner C. Means, The Modern Corporation and Private Property 121 (1932) (questioning whether, given diffuse ownership and centralized management, there remained "any justification for assuming that those in control of the modern corporation will ... choose to operate it in the interests of the owners").

(218.) Sanjai Bhagat et al., The Promise and Peril of Corporate Governance Indices, 108 Colum. L. Rev. 1803, 1809 (2008); accord Andrei Shleifer & Robert W. Vishny, A Survey of Corporate Governance, 52 J. Fin. 737, 738 (1997) (reducing the core problem to "how investors get the managers to give them back their money").

(219.) See Eugene F. Fama, Agency Problems and the Theory of the Firm, 88 J. Pol. Econ. 288, 290 (1980) ("[O]wnership of capital should not be confused with ownership of the firm.... The firm is just the set of contracts covering the way inputs are joined to create outputs and the way receipts from outputs are shared among inputs.... [O]wnership of the firm is an irrelevant concept.").

(220.) As described by Oliver Williamson:
   Stockholders as a group bear a unique relation to the firm. They
   are the only voluntary constituency whose relation with the
   corporation does not come up for periodic renewal. (The public may
   be regarded as an involuntary constituency whose relation to the
   corporation is indefinite.) Labor, suppliers in the intermediate
   product market, debt-holders, and consumers all have opportunities
   to renegotiate terms when contracts are renewed. Stockholders, by
   contrast, invest for the life of the firm, and their claims are
   located at the end of the queue should liquidation occur.

      Stockholders are also unique in that their investments are not
   associated with particular assets. The diffuse character of their
   investments puts shareholders at an enormous disadvantage in
   crafting the kind of bilateral safeguards normally associated [to
   protect investments].... Absent the creation of some form of
   protection, stockholders are unavoidably [at risk of

Williamson, supra note 146, at 304-05.

(221.) See id. at 305 (noting the solution, for large modern firms, is "to invent a governance structure that holders of equity recognize as a safeguard against expropriation and egregious mismanagement"); see also Oliver D. Hart, Incomplete Contracts and the Theory of the Firm, in The Nature of the Firm, Origins, Evolution, and Development 138, 140-42 (Oliver E. Williamson & Sidney G. Winter eds., 1993) (describing the inability of parties in an ongoing commercial relationship to anticipate all future contingencies as a transaction cost leading to the formation of firms).

(222.) Easterbrook & Fischel, supra note 184, at 36-37. The contractual intuition has deep intellectual roots. See, e.g., Paul A. Samuelson, Wages and Interest: A Modern Dissection of Marxian Economic Models, 47 Am. Econ. Rev. 884, 894 (1957) ("[I]n a perfectly competitive market it really doesn't matter who hires whom: so have labor hire 'capital.'").

(223.) See, e.g., The CalPERS Corporate Governance Guidelines, 7 Corp. Governance 218 (1999) ("Corporate [g]overnance refers to the relationship among various participants in determining the direction and performance of the corporations. The primary participants are: (1) the shareholders, (2) the management (led by the Chief Executive Officer), and (3) the board of directors.").

(224.) See, e.g., Lawrence E. Mitchell, A Critical Look at Corporate Governance, 45 Vand. L. Rev. 1263, 1272 (1992) (advocating a governance model under which the board of directors would serve "as a mediating body among the different corporate constituent groups.... charged with the duty to ensure that the corporation's assets are fairly distributed"). This view has a long history. See E. Merrick Dodd, Jr., For Whom Are Corporate Managers Trustees?, 45 Harv. L. Rev. 1145, 1153 (1932) (arguing that boards of directors should serve as trustees for a wide array of constituencies, including shareholders, employees, suppliers, customers, and the community); Robert Dahl, Power to the Workers?, N.Y. Rev. Books, Nov. 19, 1970, at 20, 23 (proposing that "the board of directors might consist of one-third representatives elected by employees, one-third consumer representatives, and one-third delegates of federal, state, and local governments").

(225.) See Wolfgang Bessler et al., Going Public: A Corporate Governance Perspective, in Comparative Corporate Governance 570, 571 (Klaus J. Hopt et al. eds., 1998) (describing a perspective that "approaches the corporate governance debate as part of the larger question of how to organize economic activity to achieve more fundamental societal objectives related to equity, fairness, freedom, and citizen responsibilities").

(226.) See Margaret M. Blair & Lynn A. Stout, A Team Production Theory of Corporate Law, 85 Va. L. Rev. 247, 250 (1999) (conceptualizing the corporation as the team to which various constituencies contribute, and for which governance arrangements serve as a credible commitment mechanism through which each promises not to usurp the wealth of another). A version of this view was recently articulated by researchers who found positive wealth effects from the adoption of staggered boards. See Martijn Cremers & Simone Sepe, The Shareholder Value of Empowered Boards, 68 Stan. L. Rev. 837 (2016) (explaining their finding as relating to the need to make a credible commitment to pursue long-term value).

(227.) See generally Martin Gelter, Taming or Protecting the Modern Corporation? Shareholder-Stakeholder Debates in a Comparative Light, 7 N.Y.U. J.L. & Bus. 641 (2011).

(228.) See, e.g., Jean J. du Plessis et al., German Corporate Governance in International and European Context 139-40 (2d ed. 2012) (discussing German system of "codetermination" in which labor receives board representation); see also Martin Gelter, Tilting the Balance Between Capital and Labor? The Effects of Regulatory Arbitrage in European Corporate Law on Employees, 33 Fordham Int'l L.J. 792, 803-04 (2010) (listing countries following board models similar to that of Germany).

(229.) See Easterbrook & Fischel, supra note 184, at 12-14; Williamson, supra note 146, at 323-25.

(230.) See, e.g., SEC, Release No. 34-67716, Conflict Minerals, 17 C.F.R. Parts 240 and 249B (2012).

(231.) See, e.g., John C. Coffee, Jr., Reforming the Securities Class Action: An Essay on Deterrence and Its Implementation, 106 Colum. L. Rev. 1534, 1560 (2006) (noting that fraud benefits shareholders until it is detected).

(232.) See generally Carney, supra note 151 (describing regulatory pressure on bank boards to put other interests ahead of shareholder wealth maximization).

(233.) This is the traditional role of the charter and bylaws.

(234.) See supra note 75 and accompanying text.

(235.) See supra note 111 and accompanying text.

(236.) See supra Part I.B.1.

(237.) William C. Dudley, President, Fed. Reserve Bank of N.Y., Concluding Remarks at the 2014 Workshop on Reforming Culture and Behavior in the Financial Services Industry (Oct. 20, 2014). The role of the Federal Reserve in imposing compliance reforms through the "regulatory examination" process is a special "enforcement" modality. See Fed. Reserve Bank of N.Y., supra note 74.

(238.) See Larry E. Ribstein, Agents Prosecuting Agents, 7 J.L. Econ. & Pol'y 617, 633 (2011).

(239.) The agency itself may have interests that differ from broader government interests. For example, an agency may be tempted to bring cases that will result in large settlements or fines in order to fund itself or at least justify its budgets to lawmakers. These cases may not always coincide with merit.

(240.) See Stephen J. Choi & A.C. Pritchard, Securities Law and Its Enforcers (Aug. 2015) (unpublished manuscript) (on file with author) (discussing subsequent careers of SEC enforcement attorneys); see also Richard T. Boylan, What Do Prosecutors Maximize? Evidence from Careers of U.S. Attorneys, 7 Am. L. & Econ. Rev. 379 (2005) (providing evidence on the subsequent career paths of former U.S. Attorneys).

(241.) See Ellen S. Podgor, The Tainted Federal Prosecutor in an Overcriminalized Justice System, 67 Wash. & Lee L. Rev. 1569, 1573-77 (2010) (discussing federal prosecutors' political motivations).

(242.) See, e.g., Sara Sun Beale, The New Media's Influence on Criminal Justice Policy: How Market-Driven News Promotes Punitiveness, 48 Wm. & Mary L. Rev. 397, 442-43 (2006); see also Stephen J. Choi et al., Scandal Enforcement at the SEC: The Arc of the Option Backdating Investigations, 15 Am. L. & Econ. Rev. 542 (2013) (studying SEC enforcement decisions surrounding options back-dating and finding evidence that enforcement priorities shift in response to media attention and political salience).

(243.) See generally Donald C. Langevoort, "Fine Distinctions" in the Contemporary Law of Insider Trading, 2013 Colum. Bus. L. Rev. 429, 434 (emphasizing the "expressive function" of insider trading regulation and the underlying premise that "manifestations of greed and lack of self-restraint among the privileged ... threaten to undermine the official identity of the public markets as open and fair").

(244.) Maria M. Correia, Political Connections and SEC Enforcement, 57 J. Acct. & Econ. 241 (2014) (finding that firms that engage in greater lobbying face fewer SEC enforcement actions and fewer penalties); Jonas Heese, Government Preferences and SEC Enforcement (Harvard Bus. Sch., Working Paper No. 15-054, 2015) (finding less SEC enforcement against labor-intensive firms, especially in presidential election years when the firms are located in politically contested states).

(245.) See supra Part I.A.2 (discussing the evolution of corporate enforcement tactics in favor of settlement agreements).

(246.) More fines likely translate into better reputation and, according to the hypothesis above, greater career options in the future. Prosecutors do not burnish their reputations by the cases they do not bring or their willingness to accede to the settlement demands of the other side.

(247.) See generally Lisa Kern Griffin, Inside-Out Enforcement, in Prosecutors in the BOARDROOM, supra note 4, at 110 (discussing compliance as a form of prosecutorial outsourcing).

(248.) Externalities lead to overconsumption. J. J. Lafont, Externalities, in 2 New Palgrave Dictionary of Economics 263, 263-64 (John Eatwell et al. eds., 1998).

(249.) See Baer, supra note 9, at 991-99 (arguing that both prosecutors and private attorneys have incentives to push companies to overinvest in compliance). Moreover, once the enforcement agent has imposed a compliance reform, he or she will likely turn to the next case rather than monitor the quality of the compliance reforms he or she has put in place, with the result that excessive compliance mandates are rarely revised. See Tom C.W. Lin, The New Financial Industry, 65 Ala. L. Rev. 567, 602 n.222 (2014) (noting the "stickiness" of regulatory reforms). Sunset provisions may be of little help in this regard if, in the meantime, the industry norm has converged on the excessive compliance mandate. In such cases, implementing a more moderate regime may expose managers to greater enforcement risk.

(250.) See supra notes 217-21 and accompanying text.

(251.) See supra notes 139-40 and accompanying text.

(252.) See, e.g., Rachel Louise Ensign & Max Colchester, HSBC Struggles in Battle Against Money Laundering, Wall St. J. (Jan. 12, 2015), laundering-1421100133 (detailing HSBC's efforts to comply with a DPA relating to money-laundering investigations, including billions of dollars spent and organizational restructuring so that "nearly 10% of HSBC's 258,000 employees work in risk and compliance").

(253.) See supra note 50 and accompanying text.

(254.) GARRETT, supra note 9, at 72.

(255.) See generally George A. Akerlof, The Market for "Lemons": Quality Uncertainty and the Market Mechanism, 84 Q.J. ECON. 488 (1970).

(256.) Id. at 489 (developing the model by analogy to cars where consumers cannot distinguish good cars from bad ones, and the two must therefore trade at the same discounted price).

(257.) Id. at 490 ("[B]ad cars drive out the good because they sell at the same price as good cars.").

(258.) Id. at 489 ("[M]ost cars traded will be the 'lemons,' and good cars may not be traded at all.").

(259.) Easterbrook & Fischel, supra note 184, at 8-12.

(260.) "Transaction cost" theories of the firm account for the development of the firm as a result of these costs. WILLIAMSON, supra note 146, at 17-18.

(261.) "Property rights" theories of the firm take incomplete contracts as a starting point, but also emphasize the importance of allocating to the residual claimant control rights to the physical or intangible assets at the center of the firm. See generally Oliver Hart & John Moore, Property Rights and the Nature of the Firm, 98 J. POL. ECON. 1119 (1990).

(262.) The agency cost problem that has centrally occupied mainstream corporate law scholarship for generations can be made to fit alongside each of these theories of the firm. See Jensen & Meckling, supra note 217, at 305-06.

(263.) See generally Coase, supra note 6.

(264.) See Edward B. Rock & Michael L. Wachter, Islands of Conscious Power: Law, Norms, and the Self-Governing Corporation, 149 U. Pa. L. Rev. 1619, 1629-30 (2001).

(265.) See Ayres & Braithwaite, supra note 9, at 103 (citing Coase as a source of inspiration in analyzing "enforced self-regulation as a form of subcontracting regulatory functions to private actors").

(266.) See 2 William Blackstone, Commentaries *472 (explaining that "in England, the king's consent is absolutely necessary" to charter a corporation).


(268.) Unlike the British monarch, U.S. states freely granted corporate charters to for-profit enterprises. See Joseph K. Angell & Samuel Ames, A Treatise on the Law of Private Corporations Aggregate 38 (Boston, Little, Brown & Co. 2d ed. 1843) ("In no country have corporations been multiplied to so great an extent, as in our own.... There is scarcely an individual of respectable character in our community, who is not a member of, at least, one private company or society which is incorporated.... Acts of incorporation are moreover continually solicited at every session of the legislature.").

(269.) It is worth noting that, under this theory, the right would belong to the states, not the federal government.

(270.) Trs. of Dartmouth Coll. v. Woodward, 17 U.S. (4 Wheat.) 518 (1819).

(271.) Id. at 636.

(272.) Id. at 654 ("[T]he body corporate, as possessing the whole legal and equitable interest, and completely representing the donors, for the purpose of executing the trust, has rights which are protected by the constitution.").

(273.) The real entity theory is identified principally with German legal academic Otto von Gierke, whose influence spread through the work of Frederic William Maitland and Ernst Freund. See Gelter, supra note 227, at 665-66 (discussing Gierke's influence).

(274.) Martin Petrin, Reconceptualizing the Theory of the Firm: From Nature to Function, 118 Penn St. L. Rev. 1, 12 (2013) (footnotes omitted).

(275.) Mark M. Hager, Bodies Politic: The Progressive History of Organizational "Real Entity" Theory, 50 U. Pitt. L. Rev. 575, 585, 588 (1989) ("Gierke established the understanding that the real entity theory was pro-liability while the fiction theory was anti-liability.").

(276.) See generally Miriam H. Baer, Organizational Liability and the Tension Between Corporate and Criminal Law, 19 J.L. & POL'Y 1, 10 (2010) ("Sometimes the government's proposed rehabilitation has little to do with eliminating criminal conduct at the individual level, but instead seeks the implementation of questionable governance provisions."); see also Garrett, supra note 9, at 47 ("Prosecutors say a central goal is to rehabilitate corporations, to try to help make them better and more ethical."); Peter Spivack & Sujit Raman, Regulating the "New Regulators": Current Trends in Deferred Prosecution Agreements, 45 Am. Crim. L. Rev. 159, 161 (2008) ("In a post-Enron world, DOJ officials appear to believe that the principal role of corporate criminal enforcement is to reform corrupt corporate cultures--that is, to effect widespread structural reform.").

(277.) In the words of former Chancellor Allen:
   The dominant legal academic view does not describe the corporation
   as a social institution. Rather, the corporation is seen as the
   market writ small, a web of ongoing contracts (explicit or
   implicit) between various real persons. The notion that
   corporations are "persons" is seen as a weak and unimportant

William T. Allen, Contracts and Communities in Corporation Law, 50 Wash. & Lee L. Rev. 1395, 1400 (1993).

(278.) See supra Part III.B; see also Jennifer Arlen, Removing Prosecutors from the Boardroom: Limiting Prosecutorial Discretion to Impose Structural Reforms, in PROSECUTORS IN THE BOARDROOM, supra note 4, at 62, 63 (arguing that "prosecutors should not impose structural reforms on nonindicted corporations").

(279.) There are good reasons for recognizing cooperation as a mitigating factor. See Arlen, supra note 20, at 859; Arlen & Kraakman, supra note 22, at 746-47. Retaining a role for cooperation would likely mean retaining at least those parts of the contemporary compliance function that are essential to support cooperation--notably, monitoring and internal investigations--but not in a form mandated by the enforcement agent.

(280.) See David M. Uhlmann, Deferred Prosecution and Non-Prosecution Agreements and the Erosion of Corporate Criminal Liability, 72 Md. L. Rev. 1295, 1302 (2013) (arguing that the use of DPAs and NPAs limits the deterrent value of law enforcement, eliminates the social condemnation of criminal wrongdoing, and undermines the rule of law).

(281.) But see Arlen & Kahan, supra note 8 (defending intervention through DPAs/NPAs when "policing agency costs" suggest that the firm does not have the proper incentive to comply with the law).

(282.) Geoffrey P. Miller, An Economic Analysis of Effective Compliance Programs, in Research Handbook on Corporate Crime and Financial Misdealing, supra note 93.

(283.) See Gary S. Becker, Crime and Punishment: An Economic Approach, 76 J. POL. ECON. 169, 185 (1968); A. Mitchell Polinsky & Steven Shavell, Enforcement Costs and the Optimal Magnitude and Probability of Fines, 35 J.L. & ECON. 133, 133-36 (1992).

(284.) See Polinsky & Shavell, supra note 283, at 133-36.

(285.) See supra notes 27-28 and accompanying text.

(286.) As the CCO of a major financial institution remarked:
   I'm not sure what the return on investment is on hiring thousands
   and thousands of new graduates to look at account opening
   documents. We might be better off hiring thousands and thousands of
   technologists who could actually figure out how to find the money
   launderer, or the person who's engaging in misconduct. We haven't
   gone that way in large part because most of these settlements have
   resulted in people staffing up.... [Staffing up is easier than
   figuring out] how to find potential misconduct and stop it.

Compliance Symposium Panel, supra note 70.

(287.) See, e.g., Todd Haugh, Criminalized Compliance (unpublished manuscript) (arguing that current approaches to compliance fail because they import the delegitimizing features of criminal law); Tom R. Tyler, Psychology and the Deterrence of Corporate Crime, in Research Handbook on Corporate Crime and Financial Misdealing, supra note 93 (reviewing empirical evidence showing consent-based models of compliance are superior to coercion-based models). Parallel arguments have been made in other areas of law. See, e.g., Anthony V. Alfieri, The Fall of Legal Ethics and the Rise of Risk Management, 94 GEO. L. J. 1909 (2006) (describing and critiquing the import of risk management norms in the regulation of the legal profession); Russell G. Pearce & Eli Wald, Rethinking Lawyer Regulation: How A Relational Approach Would Improve Professional Rules and Roles, 2012 Mich. St. L. Rev. 513 (critiquing the command-and-control model of professional conduct regulation and advocating instead for a relationship-based approach organized around broad principles).

(288.) See Roberta Romano, For Diversity in the International Regulation of Financial Institutions: Critiquing and Recalibrating the Basel Architecture 7 (Yale Law & Econ. Research Paper No. 452, 2013) (arguing that regulatory experimentation "would generate information and formalize an ongoing testing of assumptions in the search for better regulatory solutions"); see also Sean J. Griffith, Substituted Compliance and Systemic Risk: How to Make a Global Market in Derivatives Regulation, 98 Minn. L. Rev. 1291, 1358-59 (2014) (advancing arguments for regulatory diversity in the context of derivative regulation).

(289.) See, e.g., Garrett, supra note 9, at 282 (advocating putting greater control over the DPA process in the hands of a judge serving the public interest); Cunningham, supra note 8, at 50 (advocating greater judicial scrutiny of prosecutorial rationales).

(290.) These include Judge Rakoff's refusal to approve the SEC's November 2011 settlement with Citigroup and Judge Gleeson's imposition of ongoing oversight of the reforms in the DOJ's December 2012 settlement with HSBC. See Peter J. Henning, Behind Rakoff's Rejection of Citigroup Settlement, N.Y. Times: Dealbook (Nov. 28, 2011, 5:14 PM), http://dealbook. l/28/behind-judge-rakoffs-rejection-of-s-e-c-citigroup-settlement/?_r= 1 (discussing SEC v. Citigroup Global Markets); Christie Smythe, HSBC Judge Approves $1.9B Drug-Money Laundering Accord, Bloomberg (July 3, 2013) (discussing United States v. HSBC Bank USA, N.A.); see also United States v. Fokker Servs. B.V., 79 F. Supp. 3d 160 (D.D.C. 2015) (holding that the DPA was too lenient in light of the charged conduct), appeal filed, No. 15-3016 (D.C. Cir. Feb. 23, 2015), and No. 15-3017 (D.C. Cir. Mar. 10, 2015) (DOJ appeal from a trial judge's rejection of a settlement as too lenient).

(291.) Judges have no opportunity to develop a sense of what works and what does not in compliance. Most compliance settlements never come before them. See Greenblum, supra note 43, at 1869-70 ("The decision to defer is generally not subject to judicial review unless an applicable statute provides otherwise. For instance, the U.S. Code does not provide judicial review for federal deferral decisions. As to offenders seeking to challenge the prosecutor's discretion in pursuing prosecution at the close of the deferral period, federal courts have intervened only insofar as the deferral agreement represents a contract with enforceable terms."). And the compliance settlements that do end up before a judge lack any adversarial element, leading to severe information asymmetry on the part of the judge faced with approving the settlement. See generally In re Trulia, Inc. Stockholder Litig., 129 A.3d 884, 893 (Del. Ch. 2016) (noting that, in the context of approving class action settlements, the parties are no longer adversarial, and the court "receives briefs and affidavits ... extolling the value of the [settlement] and advocating for approval of the proposed settlement, but rarely receives any submissions expressing an opposing viewpoint").

(292.) See supra Part II.B.2.

(293.) Performance data could focus on quantitative metrics such as how often a compliance program is audited and how it scores, how quickly a program clears concerns raised either by employees or technological tools, training completion rates and how quickly the company reaches training targets, and how well employees score on training assessments.

(294.) The absence of voluntary disclosure does not automatically imply that the information is of no use. Firms' failure to release useful information may be explained by free-rider effects, first-mover disadvantages, and the absence of a standard format to enable investors to process the information. See Easterbrook & Fischel, supra note 184, at 300-04.

(295.) It may also be possible for an industry association to compile this information, perhaps on an anonymous basis, by agreement of its members. But without standardization and a means of preventing holdouts, private data collection seems a second-best solution to a regulatory mandate.

(296.) Losses here are understood to include not only fines and other legal sanctions, but also losses generated by the misconduct itself--for example, the losses generated by "rogue traders" undetected by poor compliance programs. See generally Mark N. Wexler, Financial Edgework and the Persistence of Rogue Traders, 115 BUS. & SOC'Y REV. 1, 3-7 (2010) (historical overview of the "rogue trader" phenomenon).
COPYRIGHT 2016 College of William and Mary, Marshall Wythe School of Law
No portion of this article can be reproduced without the express written permission from the copyright holder.

Article Details
Title Annotation:II. Governance through Conclusion, with footnotes, p. 2106-2140
Author:Griffith, Sean J.
Publication:William and Mary Law Review
Date:May 1, 2016