In business and government, today, bureaucrat is a pejorative. Bureaucracy rather than being a mark of rationality is sneered at. Multi-disciplinary project teams, flat hierarchies and “intrapreneurship” are what corporate consultants prescribe. At least since Thatcher and Reagan, market mechanisms have been praised as superior to the civil service.
Yet, corporate legal regulation can only think in bureaucratic forms. In Europe, the GDPR requires a new C-suite member, the Chief Data Officer. In the U.S., executive, legislative and judicial actions, well described in this article, have resulted in “the explosive growth of compliance departments.” (P. 7.) In legal regulation, authority is vested at the top and liability at the top is thought to ensure compliance. As scandals occur because those at the top failed to confront problems, the law envisions new staffs being created so that the top of the bureaucracy can issue orders resolving the problems. Previous work has been skeptical of whether the development of compliance departments will lead to actual compliance. Gadinis and Miazad report on various law review articles in which “the harshest critics view compliance as a box-checking exercise, too formalistic.” (P. 2.) Others complain that those in the department won’t be able to “supervise their superiors.” (P. 2.) In other words, they will be inferior bureaucrats. Without being explicit about it, often using agency-cost theory, these law review articles apply the critique of bureaucracy so prevalent in our culture to criticize the organizational technique of compliance departments.
Gadinis and Miazad cut through these critiques and argue that the principal function of compliance departments is to put red flags in front of the board. One might quibble with this approach by emphasizing the educational function of compliance departments, improving how lower-level employees exercise their powers. But, in consonance with corporate law’s emphasis on power at the top, Gadinis and Miazad propose that whoever leads the compliance department (sometimes a Chief Legal Officer, but increasingly a Chief Compliance Officer) be in the C-suite and have clear lines of authority to communicate to the board. The threat of liability, they assume, will incentivize chief compliance officers to report to the board.
Gadinis and Miazad’s insight is to describe the problem facing the law as deciding “where the board faces a substantial risk of liability” and where the “chief legal or compliance officer faces a substantial risk of liability.” (P. 40.) Reviewing both Delaware and Federal law, they show that the board has a high risk of liability when it culpably ignores the red flags and that the chief compliance officer has a high risk of liability when she knew of red flags and failed to communicate them to the board. But the situation is not always so clear cut.
The great pleasure of this article is that the authors create a 2×2 matrix of low and high risk of liability for boards, on one axis, and chief compliance officers, on the other. They label the four situations as ones in which non-compliance is “untraceable,” “traceable,” “interrupted,” and “incomplete.”
“Untraceable” non-compliance occurs when the problems escape the due attention of both the compliance officer and the board, which is how the authors interpret what happened at GM during the 12 years of non-recall of a fatally defective ignition switch, despite repeated individual cases that GM settled. According to the authors, in “untraceable” non-compliance, neither the board nor the head of the compliance department are liable.
“Traceable” non-compliance occurs when the compliance department has reported to the board and the board chooses to ignore the red flags. In the WaMu Mortgage Meltdown, the board was informed of the risks, but chose not to act, creating its liability, but not that of the compliance officer, even though the compliance department did not stop the underlying actions.
“Interrupted” non-compliance occurs where the compliance department is aware of the non-compliance but doesn’t report it to the board. The authors recount this happening at Yahoo, which in 2014 had what was then the largest data beach in history. The authors don’t explain why the General Counsel failed to involve the board, but by doing so he incurred liability.
“Incomplete” non-compliance occurs when the compliance department communicates some of the facts to the board, but in such a way that when the scandal erupts the board claims “that they were ‘blindsided.’” (P. 51.) The authors interpret the fake accounts saga at Wells Fargo in this manner. Muddled awareness by the board and obfuscating reports to them by the compliance department, according to the authors, potentially lead to liability for both. The authors don’t explain why the Wells Fargo compliance department acted as it did, but describes that it escaped liability, as did the board, although the board had to undergo some stress in proving its lack of scienter.
These distinctions are lucid. But it might be emphasized that in all categories, except “traceable” noncompliance, the board was protected. In all but “interrupted noncompliance,” the chief compliance officer was protected. In all these cases, lower level employees, in and out of compliance, were the normal fall guys. Many were fired and only rarely was the CEO terminated.
It also might be emphasized that except at WaMU, the “traceable” case, the compliance department did not signal red flags to the board. At GM, the red flags were not even signaled to the General Counsel, its chief compliance officer at that time. The General Counsel was kept ignorant because he delegated to his staff the settlement of all cases for $5 million or less. The legal department of GM empowered lower-level attorneys, and all the cases settled within their limits. Especially in flat organizations, information does not necessarily get to the top, but also in bureaucracies, no one wants to be the messenger of bad news. Failing to report to the board may be a result of the chief compliance officer making her subordinates aware of how she is to be protected or it may be that the chief compliance officer knows that the board expects her to fall on her sword.
The emphasis of this article is on designing organizational structures where people want to be messengers of bad news. In the one case where the board was apprised, WaMu, the board had “already run through nine chief compliance officers in just seven years.” (P. 45.) I doubt that this frequent firing makes for a desirable organizational strategy because it could frighten the chief compliance officer into failing to report the problems to the board. But there also can be incidental benefits. In my opinion, the tenth one felt no loyalty to the company or the board and that is why he put the board on the hot seat.
Organizational loyalty can make one a bad gatekeeper, but it more importantly may induce a chief compliance officer to choose to incur liability. Where once, the Chief Legal Officer was “the vice-president in charge of going to jail,”1 now that task may have shifted to the chief of compliance. As the authors point out, “going to jail” is hardly ever the problem. Losing golden parachutes and claw-backs of bonuses are the risks that chief compliance officers may feel is part of their job. When one chief compliance officer suffered liability, at Yahoo, the “interrupted” case, other Silicon Valley GC’s explained that he was “The Fall Guy.” (P. 48.) True, and he probably thought that was his job. General counsels and chief compliance officers may feel that non-compliance is their territory and it is their problem to deal with. As a General Counsel once told me, she knows that she stands at “the coalface” and it is her job to handle the problem, not the board’s.2
The bureaucratic instinct is a territorial one: this is my job and my station. In response to “incomplete” non-compliance, where the full story was not told to the Wells Fargo board, the compliance department was increased by over 5,200 employees (P. 52.) Obfuscating reports may risk subjecting the chief compliance officer to liability for maintaining an inadequate system, but they also create the possibility that a larger department may result. Suggesting that there may be red flags out there, but not planting them at the board, may be in the interest of both the chief compliance officer and the board.
As the authors note, there “is wide variation in structure, powers, and resources available” to compliance departments (P. 53.) As they also note, these organizational differences may have profound consequences not only on the “new actors” (P. 52) but also on “the institutional makeup of compliance.” (P. 53.) The authors call for “empirical studies of successful compliance operations.” (P. 53.) The weakness of this article is the authors’ review of the extant empirical literature on this topic. Although the authors quote various law review articles, they do not mention work, such as that being done at their institution by Lauren Edelman on Human Resources Departments, or, for example, on Australian compliance departments by Christine Parker and Vibeke Lehmann Nielsen. For Gadinis and Miazad, organizational problems arising in connection with compliance departments are new ones. Although their perspective on compliance is new and exciting, I would suggest as a partial critique of the many pleasures of this article that we do have some knowledge of how corporate staffs function. Joining what we know about how corporate staffs operate to the unique approach of Gadinas and Miazad will only enhance the many pleasures of this article.
- I discuss this in, Robert Eli Rosen, Resistances to Reforming Corporate Governance: The Diffusion of QLCCs, 74 Fordham L. Rev. 1251 (2005).
- Id. at 1287-88.