Testing Compliance

Brandon L. Garrett is the L. Neil Williams, Jr. Professor of Law at Duke Law School and Gregory Mitchell is the Joseph Weintraub–Bank of America Distinguished Professor of Law at the University of Virginia School of Law. This post is based on their paper, forthcoming in Law and Contemporary Problems.

Corporations must comply with a wide array of laws and regulations. To accomplish this complex task, corporations increasingly turn not just to the legal department and outside counsel but also an in-house group of specialists who seek to educate and motivate personnel with respect to obligations under the law and the corporation’s code of conduct. The programs they put in place aim to prevent a wide range of misconduct, from government bribery and financial fraud to environmental disasters and the creation of dangerous working conditions that jeopardize employees’ physical and mental health.

Beyond the enormity of the task, what makes the compliance enterprise deeply uncertain and problematic is that the information generated by compliance efforts is simultaneously useful and dangerous. Even the most craven corporate officers and directors seek to prevent behaviors that may jeopardize employee performance, customer satisfaction, and stock prices. However, documenting problematic behaviors creates a record that may be used against the corporation in future administrative, criminal, or civil proceedings, or may become the subject of a media exposé. Officers and directors, and the in-house compliance team, may sincerely hope compliance programs are effective, but they may quite rationally avoid testing that hope. The end result will often be rational ignorance with respect to the effectiveness of corporate compliance programs. This dynamic creates a “compliance trap” that can ensnare corporations and regulators alike: the hope that greater attention to compliance will reap benefits drives more resources toward compliance efforts, while fear of what examining the effects of those efforts might reveal hinders validation of the programs.

In Testing Compliance, forthcoming in Law & Contemporary Problems and available on SSRN, we explore ways out of this trap, focusing in particular on the regulatory conditions and mindsets that lead organizations and their watchdogs alike into the trap and make it so difficult to escape. We argue that hope-based compliance—a mentality that leads insiders and outsiders to assess compliance programs by examining how many resources organizations devote to the effort and whether the programs appear well-intentioned or conform to accepted “best practices” within an industry—predictably arises from the incentives and practices evident under current laws. We propose a set of legal reforms that would create the conditions for a move to evidence-based compliance.

Part I introduces the turn to internal compliance as a key element of government regulation and discusses the considerations that prevent organizations and their watchdogs from insisting on validated internal compliance. To make these considerations concrete and illustrate how they lead to more compliance programs without more validation of those programs, we then look at the compliance trap in the domains of (a) federal criminal prosecutions generally, (b) enforcement of the Foreign Corrupt Practices Act, (c) enforcement of the Bank Secrecy Act, and (d) enforcement of worker protection laws.

Part II then turns to data collected from public sources concerning compliance at Fortune 100 companies to assess how organizations present their compliance programs to the public. Consistent with the story told in Part I, we find that, while almost all Fortune 100 firms publicly disclose an extensive compliance apparatus, few publicly disclose any systematic efforts to assess the effects of their compliance programs. Of the Fortune 100 companies, 86 described their compliance programs in some detail, while 14 did not go into any detail; every company at least stated which group within the firm was responsible for compliance. Seventy-six companies described efforts to train and educate officers and employees regarding compliance obligations. Many of these companies made the compliance policies themselves available online, sometimes with distinct policies applicable to different areas of their business; 81 make a code of ethics or code of conduct available online. Many firms—77 of them—described to whom anonymous reports of non-compliance can be made, and of this subset, 59 reported that an executive-level officer was responsible for compliance, with all but one of those officers reporting to the Board of Directors.

However, consistent with our personal observations, far less is disclosed concerning auditing of the compliance measures. Ninety companies did describe efforts to audit or assess compliance, but for almost all of those companies, the effort amounted to making clear that anyone can report noncompliance and noting that an audit committee can further investigate instances of noncompliance. A handful of companies state that they conduct risk management efforts to assess compliance, while others rely on employee surveys to gauge the effectiveness of training. This evidence suggests that the largest companies do not publicize efforts to assess compliance rigorously. Such efforts may occur, but if the Fortune 100 companies are measuring the effectiveness of their compliance programs, they are not sharing the results.

To better understand why companies may be reluctant to validate their compliance programs or to put strong programs in place, we need to understand the costs and benefits of adopting a strong compliance program. A complicating factor for companies calculating the direct costs associated with compliance programs is that compliance with one legal regulator’s mandates or commands is not likely to provide immunity from liability to other regulators or private parties that seek to impose liability on the company. The threat of parallel litigation frustrates the ability of any one regulatory actor to incentivize and reward compliance. Part III examines the primary legal proposals advanced to try to incentivize organizations to undertake serious compliance efforts—an affirmative defense based on an organization’s compliance efforts and a privilege for compliance-related information. We discuss the limits of these proposals and then build on them to try to create legal conditions that will lead organizations and regulators out of the compliance trap. We discuss how a mandate for reporting on efforts to validate compliance, paired with a privilege focused on compliance validation data and a rule against use of mandated compliance reports in litigation, could extricate us from the compliance trap.

In Part IV, we discuss how to implement a mandate that companies test compliance for effectiveness. We also provide concrete advice on how to go about testing compliance programs to overcome the problem that many in-house specialists and outside compliance consultants lack a validation mindset and fail to develop serious tests of implemented programs even if the will to validate exists. We discuss how “compliance cartels” could operate to share information that will promote validated compliance within and across industries. We discuss the use of performance testing, audits, data mining, and anonymous reporting.

Companies test the performance of their employees in a wide range of settings: using job and personality tests to determine whether they have the basic knowledge, skills, and abilities to perform a particular job; using drug and alcohol tests to promote safety and integrity; using proficiency testing to measure accuracy and to train; and using in-house phishing tests to monitor information technology security. In some fields, performance testing is standard and required. We have argued that for forensic laboratories, blind proficiency testing should be more routinely used to assess the accuracy of lab analysts. Any expertise can be empirically assessed against a standard of performance. Compliance is no exception. Employees can be given tasks, resembling those they would ordinarily be given in their work, where the correct answer is known; such a test is “blind” when the employee cannot distinguish it from ordinary work. They can also be given work that they themselves did some time in the past, which they might not recall, to measure consistency of their performance over time. Such blind performance testing is not as expensive as the data mining systems offered by vendors. It can be done using random samples of employees or focused testing on units or areas of greatest concern. If knowledge of such testing becomes widespread within a company, then steps must be taken to make sure employees cannot discern the testing when it occurs.

Our concluding message is simple: implementation of compliance programs without rigorous validation of those programs constitutes nothing more than a hope that these programs will protect workers, stockholders, and the general public from organizational misconduct. That hope is likely to go unfulfilled, at a tremendous monetary and opportunity cost, in many cases.

Compliance programs seek to prevent some of the most socially harmful corporate conduct, but simply throwing money at compliance provides no guarantee of effective compliance. Compliance should be validated through empirical testing before it can be called effective. The focus of enforcement and regulation, which ostensibly seeks to promote “effective compliance,” should be to reward the collection of compliance data and to harness the lessons from those data to improve corporate compliance. Rigorously testing compliance will powerfully benefit both corporations and the public interest.

The complete paper is available for download here.