Despite the best efforts of governments, regulators, prosecutors, private stakeholders, and academics to identify effective mechanisms for organizations to employ in an effort to prevent and deter improper conduct within their ranks, misconduct continues to persist within organizations of all types. Fake bank accounts. Faulty ignition switches. Sexual harassment. Protection of predators. Over and over again, the public learns of widespread and significant misconduct plaguing organizations that millions of individuals rely upon on a daily basis. Most troubling, however, is that the breadth and depth of many of these scandals were entirely avoidable.
For example, in 2016, Wells Fargo announced that it had entered into an agreement to pay “a combined $185 million penalty to the Consumer Financial Protection Bureau . . . , the Office of the Comptroller of the Currency, and the City and County of Los Angeles to settle charges” without admitting formal wrongdoing that it fraudulently opened accounts on behalf of customers without their knowledge.
The initial settlement, however, was just the beginning of difficulties for the bank, and it has now entered into multiple settlements with the DOJ,
and the Federal Reserve,
In addition to actions brought by governmental actors, alleged internal whistleblowers claimed that they were fired or retaliated against when they attempted to alert higher-ups within the corporation of the fraudulent activity.
In early 2018, one such claim resulted in a $577,000 settlement and an order to rehire the employee.
The significant failures throughout the organization’s ranks led to an unprecedented sanction from the Federal Reserve in February 2018, which restricts the bank’s ability to grow until it improves its internal governance and controls.
And yet, Wells Fargo had structured its compliance program in line with what was expected under industry standards at the time. Indeed, as one scholar explained, “[A]t the time of its massive fake accounts scandal . . . Wells Fargo had a robust, [Organizational Sentencing] Guidelines-based compliance program with all of the ‘expected’ tools aimed at eliminating typical compliance lapses. Yet the company was unable to foresee, let alone prevent, an extreme compliance failure . . . .”
Likewise, General Motors failed to recognize and prevent an extreme compliance failure of a different sort, one that not only cost the organization billions of dollars, but also resulted in the deaths of at least 124 people.
In 2014, General Motors announced a recall of over seventeen million vehicles worldwide, over eleven million of which cited issues of the ignition switch that would abruptly cause the car to lose power “when keys [were] accidentally bumped or moved out of the ‘Run’ position.”
In instances where the switch failed and the car stalled, airbags would not deploy, creating the potential for serious injuries to both drivers and passengers.
Notwithstanding this significant risk, the company chose not to fix the faulty switches, despite first receiving reports on the issue in 2004, and multiple reports thereafter.
Indeed, when General Motors first analyzed the issue, it improperly classified the problem as a customer convenience issue instead of a safety issue, leading it to determine that it was simply too costly to make the necessary changes to the switch design.
And over the next number of years, the company continued to demonstrate a “lack of urgency, lack of ownership of the issue, lack of oversight, and lack of understanding of the consequences of the problem.”
This lack of urgency and oversight turned out to be exceptionally costly to General Motors, both in terms of its public reputation as well as its bottom line. In 2017, General Motors entered into a $120 million settlement with victims of its defective ignition switch scandal, a figure that came on top of roughly $2.5 billion worth of penalties imposed on the company.
These penalties included, for instance, a $900 million settlement with the DOJ in a criminal case, and multiple other settlements with accident victims.
When organizations fail to properly address potential compliance failures, it presents a particularly problematic situation, because the responsibility for preventing and detecting misconduct within an organization lies primarily with the organization itself.
An underlying assumption of all modern compliance efforts is that organizations are in the best position to monitor and police the behavior of their members.
This understanding stems from past incidents of corporate misconduct and is uncontroversial.
For instance, when the Enron and Arthur Andersen scandals broke in 2001, they sent a ripple effect across corporate America and triggered a variety of responses from Congress, regulators, and prosecutors.
Legislation was passed.
Enforcement priorities shifted.
And the manner in which corporate misconduct was settled and resolved changed dramatically.
The focus for corporations, regulators, and prosecutors shifted to “corporate compliance programs as the key to optimal deterrence.”
As compliance programs catapulted in importance, it led to the intensification of “internal policing of corporate employees.”
And as organizations took on this responsibility of policing their employees in an effort to comply with ever-increasing regulatory and legal requirements, they began to focus on the structure—the separation of work in an organization into subunits and dividing the control of and responsibilities for the work—of the compliance programs they created.
Focusing on the structure of an organization’s compliance efforts was seen as essential to ensuring an effective and robust compliance and ethics program.
Determining the proper structure of compliance programs has been a question scholars, practitioners, prosecutors, and regulators have wrestled with for decades.
Should the compliance program be segmented into particular subject areas or should there be one global compliance program?
Should the chief compliance officer report to the general counsel or the audit committee?
Should compliance professionals be embedded within particular departments or remain separate as a deterrent to capture?
These and other foundational questions about how organizations should structure their compliance programs were necessary and important progressions for creating the compliance programs found within organizations today.
Yet despite spending a great deal of time, effort, and money to enact structural reforms and improvements within organizations’ compliance programs, every year brings a new, more stunning example of how organizations’ attempts to reign in misconduct often fail to prevent even the most extensive compliance failures within industries and firms. The scandals at Wells Fargo and General Motors each reflect an intense failure by the organization to effectuate its monitoring and policing responsibilities despite the presence of compliance programs that were structured in a manner expected to effectuate an appropriate amount of monitoring and policing.
There are a variety of accepted understandings—both within industry and academic scholarship—about what is necessary for the creation of an effective compliance program. However, when one considers the significant compliance failures that continue to occur despite the adoption of increasingly sophisticated internal compliance programs, it suggests that it may be time to affirmatively question certain understandings and assumptions that serve as the foundation of modern-day compliance programs.
This Article contributes to that effort.
Compliance programs within firms focus, for good reason, on preventing and detecting misconduct within their ranks. Those striving to create effective ethics and compliance programs spend a great deal of time on developing appropriate structures to house, manage, and support compliance efforts so that they will effectively prevent and detect wrongdoing within firms. But as demonstrated in prior work, prevention and detection are just the first two of four stages—the latter stages being investigation and remediation—within compliance efforts.
This Article focuses on the detection and investigative stages and the continuum between them. It demonstrates that many recent compliance failures within organizations might have been avoided if more robust processes—meaning the actions, practices, and routines that firms can employ to communicate and analyze information—had been in place to ensure investigations were conducted in a manner that allowed the firm to analyze information from diverse areas within the firm. As such, this Article argues that firms must focus on adopting process-based reforms that will bolster internal investigations into complex compliance failures and act as a safety net when compliance programs fail to detect or appropriately respond to misconduct within firms.
Part I of this Article describes why the effort to curb corporate criminal misconduct came to rely heavily on self-policing within the organization, which contributed to the rise of the compliance function. This Part goes on to demonstrate, through the use of literature from the fields of organizational behavior and corporate governance, the importance of implementing certain structures within the creation of compliance programs. For purposes of this Article, structure refers to a firm’s decisions on how to organize itself.
Part I then recounts current understandings of compliance within legal scholarship, which include an emphasis on the key structural components necessary for an effective compliance program and their focus on the prevention and detection of corporate misconduct.
Part II focuses on the evolution of the compliance function. It demonstrates that traditional compliance programs were narrow in scope, with a focus on particular subject matter areas. Yet, the rise of more complex organizations—organizations with many diffuse departments or complicated organizational structures with a variety of parents and subsidiaries—brought new challenges for compliance efforts. A complex organization for purposes of this Article might be one organizational entity with a number of departments, such as a university, but it may also be a complicated corporate family with many subsidiaries, like Walmart. These larger, more complex organizations often suffer from information silos, which occur when departments or divisions within a large organization are isolated from other parts of the organization.
These information silos sometimes result in difficulty communicating properly throughout the organization and, in particular, can impede a firm’s attempts to fully and properly investigate claims of potential misconduct.
Part III sets forth the thesis of this Article and argues that firms must focus on adopting process-based reforms that will bolster the firm’s investigations into complex compliance failures, thereby acting as a safety net when compliance programs fail to detect or appropriately respond to misconduct within firms. Part III begins by presenting two case studies, which demonstrate that recent compliance failures at complex organizations suggest that many of these compliance programs—regardless of the program’s organizational structure—suffer from information silos that result in improper or inadequate responses to significant organizational misconduct. Part III then highlights how process-based reforms might assist large, complex firms in detecting compliance failures before they become widespread, significant, or both. It applies specific process-based reforms to the compliance failures at Wells Fargo and General Motors in an effort to demonstrate how these types of additional interventions might add value to firm compliance programs. In particular, Part III suggests the creation of three interventions meant to bolster firms’ detection and investigative efforts: (i) standardized internal investigation questions, (ii) materiality surveys, and (iii) reliance upon an aggregation principles when evaluating information. Relying on two additional case studies, Part III then highlights two limitations to process-related reforms: organizations without robust structural compliance programs, as evidenced by investigations into the Catholic Church, and organizations with corrupt cultures, as evidenced by the internal Uber sexual harassment scandal.
Part IV discusses some potential benefits raised by this Article’s proposed framework. The Article then turns to highlighting some remaining questions. This Article, admittedly, focuses on a relatively narrow area within compliance efforts—failures within the detection and investigative continuum of compliance efforts within complex organizations—but shortcomings in this space are associated with potentially devastating consequences for firms.