The Hidden Power of Compliance

Stavros Gadinis is professor of law and Amelia Miazad is founding Director and Senior Research Fellow of the Business in Society Institute at Berkeley Law School. This post is based on their recent paper, and is part of the Delaware law series; links to other posts in the series are available here.

Although corporate wrongdoing can reach an immense scale with disastrous ramifications, holding boards accountable has long been perceived as elusive. Under both state fiduciary duty law and federal securities doctrine, directors and officers are liable only if they were aware of corporate failures or reckless in ignoring them. Since providing evidence of awareness or recklessness is exceedingly hard, corporate law scholars have long seen these requirements as raising an almost impenetrable shield over the board.

Instead, we demonstrate that the evidentiary path to boards’ state of mind is nowadays more open than it has ever been before, due to the revolutionary growth of compliance departments in recent years. Corporate law literature has largely dismissed compliance as ineffective, fearing that in-house monitors would be too weak or too loyal to constrain corporate wrongdoing. Contrary to this conventional wisdom, we argue that legal and compliance experts’ reports and recommendations, especially if ignored at the time they were made, often expose the board to liability once misconduct is revealed.

This hidden power of compliance, we argue, sprang up unexpectedly from parallel case law developments in Delaware fiduciary duty jurisprudence, federal securities regulation, and personal liability for compliance officers, over the last decade. We first trace these doctrinal developments to explain how a renewed emphasis on evidence of awareness boosted the standing of legal and compliance officers in the eyes of the board, while also threatening them with liability if they fail. We then reveal how this works in practice by analyzing the interactions between the board and its legal and compliance officers through evidence released in four major recent scandals, including the GM ignition switch scandal, the WaMu mortgage meltdown, the Yahoo security breach, and the Wells Fargo fake accounts scandal.

When the Delaware Supreme Court first confirmed, in its landmark 2006 Stone v. Ritter opinion, that board members would be liable for failing to monitor misconduct only if found in bad faith, much of the legal academy burst out in despair. We closely analyze post-Stone jurisprudence from the last ten years, detailing the facets of bad faith in the various prongs of Delaware’s monitoring doctrine. Our argument here is not that Delaware law has turned out more generous than critics feared. Rather, we argue that the precise line that Delaware jurisprudence has drawn around bad faith allows legal and compliance personnel to formulate their communications with the board in a manner that can either expose it to liability or shield it from it. The dramatic increase in monitoring resources since Stone has positioned legal and compliance officers to bridge the informational gap and provide the detailed reports required by courts to prove bad faith. For example, internal compliance reports have helped shareholders win hefty settlements in cases about illegal drug promotion against the boards of Pfizer, the pharmaceutical giant, and Allergan, which produces Botox. Similarly, internal reports documenting failures and gaps in companies’ safety, risk, and compliance systems have boosted plaintiffs’ wins against boards in diverse industries such as finance and mining.

The gravity of internal reports for board liability becomes clearer when taking into account parallel developments in federal securities case law. In 2007, just a year after Stone, the Supreme Court’s ruling in Tellabs v. Makor raised the evidentiary standard for successfully pleading scienter, effectively requiring hard evidence of awareness or recklessness. As a result, the lines demarcating scienter and bad faith essentially coincide, as courts themselves have recognized. Consequently, securities plaintiffs often pore over internal records of communications between boards and their legal and compliance officers to unearth evidence of scienter. Thus, interactions between legal and compliance officers and the board have never been more critical. Compliance officers have not only gained greater influence due to their role in communicating with corporate boards, but have also been held personally liable when they failed to do so, as the SEC sanctions against the Chief Compliance Officers in Blackrock and SFX demonstrate.

These developments in state corporate law, federal securities law, and personal liability for legal and compliance officers are transforming the legal treatment of corporate misconduct in practice. We present case studies focusing on four mega scandals: the General Motors ignition switch failure, the Washington Mutual collapse during the financial crisis, the security breach at Yahoo, and Wells Fargo’s fake accounts fiasco. While legal and compliance personnel are at the heart of the inquiry in all cases, their interaction with the board in each setting is different, changing the liability outcome. We present four different categories of interactions, which we term as follows for ease of reference: untraceable, traceable, interrupted, and incomplete.

Our first category, “untraceable” communications, includes settings where no evidentiary trail connects the heads of legal and compliance departments with ongoing violations or red flags, and no communication happens on record. With no hard evidence of awareness, the board is off the hook, as was the case in the General Motors ignition switch scandal. Despite settling over 100 lawsuits pointing to a potential mechanical failure, lower-tier in-house lawyers, apparently content with the small payouts to plaintiffs they secured, failed to elevate the issue to the chief legal counsel’s attention. This negative outcome has dominated academic assessments of compliance, but we bring to light the other scenarios below, where the outcome for corporate actors is less favorable.

Our second category, “traceable” communications, represents the polar opposite of the one above, with on-record interactions between the board and legal and compliance officers, who provide well-informed reports of employees’ illegal acts or red flags. For an illustration of a clear evidentiary link between corporate failures and the board’s state of mind, we turn to the failure of Washington Mutual, the largest savings and loan association that collapsed during the 2007 financial crisis. WaMu’s board pursued an aggressive mortgage origination strategy, despite repeated warnings by successive compliance officers that the mortgage documentation prevented them from meeting, or even accurately assessing, the institution’s risk levels as required by law. The resulting settlement between the board and the FDIC, which took over the fledgling institution, included a rare out-of-pocket payment by board members.

As our next two categories demonstrate, interactions between the board and legal and compliance personnel are not always as clear-cut as in our first two examples. In our third setting, which we term “interrupted” communications, information about underlying violations reaches top legal and compliance officers, who never communicate it officially to the board, perhaps out of loyalty as critics fear. Although this interruption protects the board from liability, it can generate risks for legal and compliance personnel who may be seen as engineering it, as in the Yahoo example we discuss. In what became the largest cyber-security breach in history, Russian hackers compromised over 3 billion accounts, selling personal financial information online for financial crime or espionage. Although red flags had reached the chief legal officer of Yahoo, an independent investigation found that he neither pursued a full-scale inquiry nor alerted the board officially. When revelations of the hack engulfed the board, the independent investigation documented the red flags and faulted the chief legal officer for not following through. Protecting itself behind this lack of communication, the board publicly fired the chief legal counsel, who now also finds himself embroiled in litigation. For industry commentators and plaintiffs alike, the board used the chief legal counsel as a scapegoat.

In our final setting, where communications were “incomplete,” legal and compliance personnel are aware of apparent red flags, but instead of turning a blind eye they opt for half-hearted investigations and vague communications to the board. From the outside, it may seem like the compliance apparatus is humming along so as to justify the board’s good faith, but no incriminating information ever comes to the surface. If this was the strategy in the Wells Fargo fake accounts scandal, it clearly did not work. Opening fictitious accounts was so widespread among bank employees that even the press featured stories about misconduct. For years, the chief legal and compliance officers watched over underwhelming attempts to collect information, hesitated to interview top bank executives, and submitted inconclusive reports to the board. When the scandal erupted, those lackluster efforts and the shreds of evidence left behind engulfed all corporate actors. Top executives and compliance officers stepped down, had their compensation clawed back, and found themselves targeted by private plaintiffs and regulators. To top it all off, the Federal Reserve took the unprecedented move of pushing for a removal of all board members.

The complete paper is available for download here.
