In the past decade, the Department of Justice’s Criminal Division (DOJ) has leveraged corporate monitorships against companies to achieve several goals: to deter companies from wrongdoing through the threat of costly oversight, to incapacitate a company from further wrongdoing, and to reform a company’s internal compliance mechanisms.1 To preface, corporate monitors are independent third parties that analyze a company’s adherence to government compliance standards in order to reduce corporate misconduct, such as fraud and management corruption. Examples of current monitorships implemented to oversee fraudulent misconduct include monitors appointed for Walmart Inc. and Deutsche Bank AG. While corporate monitorships provide a way for companies to avoid being criminally prosecuted under a deferred prosecution agreement and to mitigate heavy fines imposed by the government, companies can still easily spend upward of $30-50 million on monitorship.2 In an effort to stymie shareholder pressure and additional reputational harm, companies will foot the bill even if the costs will have a significant impact on their bottom line; after all, there is little room to negotiate for one’s own wrongdoing.3
However, corporate monitorship is not a complete remedy for improving a company’s compliance program; it is primarily a reactive recourse to misconduct. By the time a company is appointed a monitor, millions would have been spent on damage control, litigating lawsuits, and settling. While the DOJ updated its compliance evaluation guidelines for its prosecutors to include a cost-benefit analysis of a corporation’s existing compliance program and the enormous economic burden a monitorship would impose, the guidelines and accompanying metrics are still vague and broad.4 What constitutes a “well designed” program?5 How do you measure whether the program is working in good faith and in actual practice? Should companies simulate a breach by a rogue employer? Will an annual ten-question test after an ethics presentation on bribery be enough? There are no concrete answers to these questions, thereby demonstrating the failures of the current system. While there are numerous resources promulgating broad principles of what a successful compliance program should contain (e.g. fostering honesty among employees and creating a strong leadership team that centers corporate integrity), the current system lacks robust ways to test the efficiency of their programming.
Indeed, even when companies do install or reform their internal compliance structures, the measures for assessing their effectiveness may be poorly executed, poorly tested, and lacking in empirical data.6 Consequently, without a visible way to see improvement trends or pinpoint areas that need work, it becomes difficult to truly foster a corporate culture that inspires ethical behavior. Creating a facially legally compliant program is not the same as creating an effective one, nor is there a one-size-fits-all model available. In the age of increasingly complex regulations, developing technology, and a pandemic that has pushed for the explosion of data streams waiting to be monitored for risky behavior, relying on an ex-post solution to encourage better corporate behavior is no longer enough. Companies are in the best position to monitor and mitigate new risks. Perhaps now is the time for companies to innovate and take the lead in devising a pre-monitorship regulatory framework with government expertise and guidelines to light the way.7
In order to assess whether there is an environment conducive enough for companies to take such a risk, it is helpful to assess the incentives that would motivate them to undertake such a resource-intensive endeavor. One possible way to analyze this paradigm is through the law-and-economics lens of the incentive intensity principle. This principle focuses on four points of interaction to determine the appropriate intensity of incentives: “the incremental profits created by additional effort, the precision with which the desired activities are assessed, the agent’s risk tolerance, and the agent’s responsiveness to incentives.”8
We can apply this principle to the emerging trend of utilizing artificial intelligence (AI) and machine learning to complement internal compliance programs. AI’s adaptability, customization features, and the speed at which it learns and processes data make analyzing the trends of human behavior possible. Indeed, simply showing the numbers that “X” number of employees have completed an ethics video training, setting up a hotline without tracking proper usage patterns, and distributing binders of policies may not be enough to pass muster under DOJ guidelines and increasingly complex regulations.9 However, in applying the incentive intensity principle, investing in AI will (1) incrementally yield profits in the form of better risk detection and mitigation while decreasing labor costs; (2) generate precise analysis regarding human behavior that can be used to craft tailored compliance incentives; (3) increase a company’s risk tolerance since AI, when complemented with human intelligence, leads to more stable improvement in programming; and (4) further incentivize companies to undertake the risk of innovating new compliance measures once they see improvements.
If companies are pouring millions into compliance and consulting, it should show sustainable, effective results. AI can create more efficient and customizable modes of risk detection and efficient data collection. For example, it can identify patterns of confidential communication sent during non-business hours to email addresses outside the company.10 Intelligent programming can compile empirical data used to compare whether standard compliance training is actually helpful for management-level employees, or if something more advanced is needed to demonstrate their understanding of policies. AI can decrease both human error and cost, do away with inefficient programming that is empirically assessed to be ineffective, and reallocate human resources to more useful areas. In this sense, incremental profits are made at the margins and can decrease a company’s risk aversion to new technology. Experimenting with the use of AI will certainly be a new frontier, but the technology is present, and the rewards of having a more effective program are considerable given how much of a company’s resources are already put towards compliance.
One other issue facing the corporate compliance industry is the decentralization of resources and guidelines. Granted, risk management programs can and should vary depending on a company’s needs and financial capabilities while complying with federal and state laws, but it would not be novel to incentivize more centralization of resources that are industry-specific. For example, the Federal Reserve has already implemented a “Large Financial Institution Rating System” for banking and holding firms with total consolidated assets of $100 billion or more and another rating system for those with less.11 This system, while confidential, utilizes expert regulators and methodology to score firms. Rather than relying on decentralized sources (e.g. hiring consultants or using expert, but scattered, interpretations of guidelines) to help analyze whether a company’s operations meet government standards, the Federal Reserve created a “one-stop” shop for firms to be evaluated against. This makes for less second-guessing on the firm’s part regarding whether their operations function sufficiently.
With a rating system in place, how can we incentivize companies to streamline the compliance testing process? Is it possible to pool resources and create a quasi-regulatory group composed of government experts and private lawyers/consultants? Doing so can diffuse the risks associated with monetary and labor costs amongst public and private actors. Can a centralized group create standardized metrics and a robust testing system that shifts the burden from companies to more qualified actors in testing the efficacy of their programs? Is it possible to normalize corporate compliance such that it becomes part of a company’s branding? Take for example the prestigious ratings program led by environmental experts called the Leadership in Energy and Environmental Design (LEED), which determines whether a building was constructed in a way that satisfies stringent environmentally-focused metrics.12 Acquiring LEED certification signals to consumers and business partners that the companies who funded the design prioritize being environmentally sustainable. The same signaling effect applies to the ratings that the Better Business Bureau gives out in terms of reputation and potential trustworthiness. One can imagine a centralized regulatory framework that could give out ratings or certifications showing that a company meets U.S. corporate compliance thresholds. This branding could signal to future business partners, other government agencies, and foreign actors whether a company is taking care to maintain a sustainable compliance program. Further, this branding, if developed against the backdrop of DOJ or other respective agency guidelines, could be used by companies to demonstrate that there is effective compliance due diligence that should lend to mitigating punishments in case of breaches by rogue actors.
Of course, whether such a scheme is worth thinking about will depend on the incentives. Will the marginal productivity of effort (the effort put into creating the scheme) be responsive to marginal costs, and decrease the risk aversion of companies? While we can neither predict nor monitor the value of new innovative modes of compliance, nothing will change if we do not take the first step in thinking outside the box. In fact, it is imperative that we start thinking creatively as increasing globalism and technology push the boundaries of ethical behavior. Take, for example, the growing industries of cryptocurrency and financial technology: it will take years for governments to create effective regulatory schemes for compliance in these new landscapes. Many government regulations are passed after the damage is done. Yet, it is arguably the companies who will know the most about how a breach or fraudulent behavior can arise, and how to safeguard against it. After all, they are at the frontlines and have the most to lose. Ex-post solutions where money is pumped into monetary/reputational damage control are reactive and sunk costs for companies. This time, companies have every incentive to take a proactive lead. After all, they are in the best position to detect new risks, have access to abundant resources and insider knowledge, and have the most leverage in creating a framework that combines the art of incentivizing human behavior, the science of data analytics, and the act of striking the right balance for economic efficiency.
1. Anthony S. Barkow & Michael Ross, The Guide to Monitorships – Second Edition: Introduction, Glob. Investigations Rev. (May 7, 2020), https://globalinvestigationsreview.com/guide/the-guide-monitorships/second-edition/article/introduction.
2. Philip Inglima, White Collar – Corporate Monitors: Peace, at What Cost?, Crowell & Moring (Jan. 2018), https://www.crowell.com/NewsEvents/Publications/Articles/White-Collar-Corporate-Monitors-Peace-at-What-Cost.
3. Id.
4. Evaluation of Corporate Compliance Programs, U.S. Dep’t of Just. Criminal Div. (June 2020), https://www.justice.gov/criminal-fraud/page/file/937501/download.
5. See id. at 2 for the fundamental core questions that prosecutors may use in evaluating a corporate compliance program. While this is a simplistic summary of topics, the DOJ’s Criminal Division is given some latitude of discretion to determine what further metrics to assess by.
6. Hui Chen & Eugene Soltes, Why Compliance Programs Fail—and How to Fix Them, Harv. Bus. Rev. Mag. (Mar.-Apr. 2018), https://hbr.org/2018/03/why-compliance-programs-fail.
7. See Inglima, supra note 2 (“The idea is to show substantial progress in making improvement and a commitment to the required investment prior to the DOJ disposition—which ideally will be factored into a more limited monitoring arrangement.”).
8. Paul Milgrom & John Roberts, Economics, Organization and Management: Risk Sharing and Incentive Contracts 221 (1992).
9. See Chen & Soltes, supra note 6 (wherein authors discuss the importance of using meaningful metrics, aside from completion rate, that “are directly tied to a clearly articulated outcome”).
10. Michael S. Stanek et al., Intelligently Evolving Your Corporate Compliance Program, Nat’l L. Rev. (Feb. 11, 2021), https://www.natlawreview.com/article/intelligently-evolving-your-corporate-compliance-program.
11. Letter: SR 19-3 / CA 19-2: Large Financial Institution (LFI) Rating System, Fed. Rsrv. Sys., https://www.federalreserve.gov/supervisionreg/srletters/sr1903.htm (last updated Feb. 28, 2019).
12. What is LEED, U.S. Green Bldg. Council, https://www.usgbc.org/help/what-leed (last visited Mar. 25, 2021).