Compliance Gatekeepers

Compliance has become a critical corporate governance issue. Companies are facing increased societal demands, heavier regulatory burdens, and a marked uptick in enforcement. In response, companies pour billions of dollars into compliance programs meant to prevent and detect wrongdoing by their employees. Yet there remains much skepticism regarding the effectiveness of these compliance programs. In one major corporate debacle after another, companies that boasted an elaborate compliance program are caught engaging in elaborate wrongdoings and coverups. And systematic empirical studies suggest that the gigantic investment in compliance is not serving its purported purpose of curbing corporate wrongdoing and promoting overall welfare.

What determines the effectiveness of corporate compliance? Who is accountable for compliance failures, and how can we mitigate them? Corporate governance scholars, regulators, and judges tend to answer these questions by focusing on internal compliance actors: debating what the scope of director oversight duties should be, how to structure board committees and design executive pay packages, and whether to divide the roles of Chief Compliance Officer and General Counsel. Yet in reality all these corporate insiders – directors, executive managers, chief compliance officers, and general counsels – rarely perform compliance tasks on their own. They rather heavily rely on outside compliance advisors.

In a new Article (forthcoming in Yale Journal on Regulation), we examine the understudied role of these outside compliance advisors and make the following three contributions.

First, we demonstrate how outside advisors play a key role at every stage of corporate compliance: from prevention, to monitoring and detection, to investigation and remediation. Indeed, virtually every large law firm or accounting firm these days sells various “compliance services”: from advising companies on how to design reporting systems to meet evolving regulatory demands, to conducting internal investigations and negotiating with regulators for leniency once wrongdoing has been uncovered. In fact, in the last couple of years the role of outside compliance advisors has expanded beyond legal compliance and into Environmental, Social and Governance (ESG) issues. For example, large companies now regularly hire outside consultants to conduct “racial equity audits” or “labor conditions audits.”

Along all these dimensions, there exists a gap between the high level of expectations for compliance gatekeepers to improve corporate behavior and their low levels of accountability for compliance failures. This is where our second contribution comes in, examining the causes of this apparent lack of accountability. Corporate insiders face a meaningful threat of litigation and reputational fallouts whenever their compliance programs fail, as is evident from doctrines such as “the responsible corporate officer” in criminal law and “Caremark duties” in corporate law. By contrast, the outside consultants that insiders rely on almost always emerge from failures unscathed. The reason is a unique combination of doctrinal hurdles and perverse incentives.

Consider first the lack of litigation. An amalgamation of doctrines set a very high pleading hurdle in litigation against compliance gatekeepers. Across all potential claims – from securities law, to contract and tort law, to aiding-and-abetting fiduciary duty obligations in corporate law – plaintiffs must show bad faith on the part of the gatekeepers in order to advance past the motion to dismiss. The only way for plaintiffs to survive such a scienter-based pleading hurdle is to have access to internal documents showing what the gatekeepers knew in real time. Yet those who have access to internal documents, namely, the corporate insiders, do not have incentives to fight gatekeepers in court, if for no other reason than out of fear that the latter will air their dirty laundry in public. And those who have incentives to recoup harms and hold gatekeepers accountable, namely, public shareholders, are usually blocked from accessing internal documents. As a result, compliance gatekeepers are rarely named as defendants in shareholder litigation following compliance failures.

What about private ordering, then? Compliance gatekeepers would surely like to maintain a reputation for being diligent. And corporate insiders would surely want to get bang for their compliance-consulting buck. One could therefore surmise that even without a meaningful threat of legal sanctions, compliance gatekeepers will be deterred from shirking or colluding due to the threat of informal, market sanctions. Yet such an argument ignores the perverse incentives and information asymmetries in our context.

The top corporate managers who contract with outside compliance gatekeepers may lack the incentives to hold gatekeepers accountable. Top corporate managers whose compensation is tied to current stock prices may not necessarily want gatekeepers to stop the company from making short-term profits by skirting regulations. And they would certainly not want gatekeepers to probe diligently after the fact and trace the blame for corporate wrongdoing all the way to the top of the corporate hierarchy.

As for compliance advisors, they operate in a fast-growing market and focus on marketing additional services to an existing client pool. As salesmen, it may be hard for them to be objective. To the outside world, gatekeepers wish to maintain a reputation for being diligent. But to the corporate managers that hire them, gatekeepers may wish to maintain a reputation for being lenient. In fact, it is in the interest of managers that gatekeepers play this two-sided reputation game. Insiders would want their outside compliance advisors to have a reputation for integrity, because such a reputation is what prompts prosecutors and investors to give the company credit when it hires an outside gatekeeper.

The upshot is counterintuitive: the accountability gap may very well be a feature rather than a bug in the market for compliance consulting and internal investigations. Both direct parties to the compliance gatekeeping transaction have an interest in keeping up appearances, and keeping down actual performance. They want to present a picture to the outside world of outside compliance gatekeepers being diligent and demanding with their corporate clients. But they also arguably want to keep making profits while escaping accountability. By paying outside compliance gatekeepers with shareholders’ money, corporate insiders buy plausible deniability for themselves. Insiders can say that they relied on the advice given to them by well-reputed, highly paid outsiders. Outsiders, in turn, can say that they relied on the information given to them by insiders.

The ones suffering from this endless loop of plausible deniability are dispersed publics: from outside shareholders who foot the bill for hefty consulting fees and heavy fines, to community members who suffer from the effects of pollution, to users who have their privacy violated, and so on.

This is where the Article’s final set of contributions comes in, proposing concrete tweaks to legal doctrines and enforcement priorities that could change the existing equilibrium and perhaps improve corporate compliance. For example, public enforcers need to rethink the practice of providing lenient treatment to corporate wrongdoers because the latter relied on outside experts. Credit to wrongdoers should be conditioned on outside experts facing a meaningful threat of liability or at minimum transparency. Courts need to carve out exceptions to an obscure-yet-powerful doctrine named “in pari delicto,” which currently blocks claims in professional negligence and contracts against gatekeepers. And corporate law courts should interpret shareholders’ right to inspect their company’s books and records more liberally, so that it includes access to documents pertaining to gatekeepers’ work, thereby enabling shareholders to investigate potential gatekeeper misconduct. To quell fears that such measures would lead to gatekeeper overdeterrence, we propose combining them with capping damages and applying comparative negligence and indemnification rights. Such a combination of measures would strike a balance between reviving litigation as a conduit for gatekeeper accountability (flushing out information on gatekeeper misconduct) and not subjecting gatekeepers to excessive liability risk.

The increased reliance on outside compliance professionals is somewhat inevitable. The size and complexity of modern corporations means that corporate boards, with their inherently limited bandwidth and expertise, do not have the capacity to keep all oversight functions in house and increasingly rely on outside experts. Similar dynamics are in play with public enforcers. Detecting and proving culpability inside large organizations often proves too difficult given regulators’ scarce resources. As a result, regulators resort to incentivizing companies to rely on outside compliance professionals. For example, the Department of Justice often conditions the credit it gives to a corporation on the prosecuted company nominating an independent third-party monitor. Corporate law courts similarly give credit to boards that rely on outside professionals to fulfill directors’ oversight duties. Outside compliance professionals are thus perceived as “gatekeepers” in the broad sense of the word, supposedly serving as “the thin blue line between insatiable corporate appetite for success at any cost and the demands of the government and investors that companies not even test the line of legality” (as the late great Peter Henning put it; we would add that investors themselves sometimes benefit from their company testing lines of legality).

Corporate compliance will be effective only to the extent that outside compliance gatekeepers are effective at their jobs. The stakes of understanding the role that these compliance gatekeepers play could therefore not be higher. Hopefully our Article makes a first step in that direction.

The full article is available for download here.