Corporate governance in an era of compliance.

• Author: Griffith, Sean J.
• Position: II. Governance through Conclusion, with footnotes, p. 2106-2140

2. GOVERNANCE

   Corporate governance is the set of mechanisms by which corporations are directed and controlled. On this definition there is widespread agreement, both among academics (141) and governance authorities. (142) And from this definition, the overlap between compliance and governance is clear: both compliance and governance lay claim to internal mechanisms of control. (143) The overlap is not total. Compliance lays no claim, for example, to questions such as how to design or improve products or how to finance operations. Nevertheless, basic compliance mechanisms--such as the design of policies and procedures, monitoring, and enforcement--feed back into fundamental business operations of a firm to such an extent that compliance resembles a "universal corporate governance activity" (144) and some firms, recognizing the overlap, have merged their governance, risk, and control functions. (145)

   Of course, overlap does not necessarily imply conflict. If compliance and governance had wholly consistent objectives, they could be seen as complimentary means of achieving the same ends. However, this is not the case. Compliance and governance come from different places and serve different interests. Compliance cannot be explained by reference to traditional governance authorities, whether the board of directors, state corporate law, or federal securities law. Rather, compliance is sui generis. Far from being subsumed by governance, it is closer to the truth to say that compliance supplants traditional corporate governance modalities.

   1. The Board of Directors and Compliance

      The board of directors is the fundamental endogenous corporate governance mechanism and the source of management authority within firms. (146) The board can delegate this authority, and corporate management derives its authority from a delegation of the board. (147) However, the board retains primary authority over the firm, with the power to alter firm-governance at will, subject only to the strictures contained in the charter and bylaws. (148) By contrast, compliance does not arise from a delegation of the board, nor is the compliance function wholly subordinate to the board, as other management structures are. Rather, compliance arises from an exogenous source that abrogates board authority.

      In one sense, compliance is plainly subject to the authority of the board. CCOs report to the board, not vice-versa, and board committees oversee compliance staffing and budgets. In a deeper sense, however, authority means the power to decide. As a result, the question of the authority of compliance vis-a-vis the board ultimately resolves into the question whether the board has the authority to decide not to implement a compliance function. If so, then boards retain full primacy over compliance, and compliance can be viewed as a simple delegation of board authority. But if boards must erect a compliance function, then the development of compliance has in fact supplanted some authority of the board.

      In some industries, the answer is simple. Boards must install a compliance function, and it must comport with regulatory demands. For example, banks must have a compliance function pursuant to dictates of the Federal Reserve. (149) Similarly, securities law requires investment advisers to maintain a compliance function. (150) In such industries, because boards in fact cannot decide whether to install compliance, the board must be seen to have ceded some degree of authority over intrafirm governance to the compliance function. (151)

      In industries where a regulatory authority does not formally mandate compliance, the federal government still imposes compliance obligations through the Guidelines and enforcement tactics. (152) In some cases, these are in fact mandates. As already noted, prosecutors often require the installation of robust compliance programs for firms entering DPAs and NPAs. (153) In such cases, the government intervenes directly to impose compliance on corporations. In other cases, the government creates such powerful incentives that they effectively operate as mandates. As described above, the government articulates its vision of compliance in formal and informal pronouncements, then makes a credible commitment to this vision through enforcement and settlement practices. (154) Companies closely follow these signals and frequently adopt the practices of their peers in order to keep from falling behind the industry standard. (155) Thus, in spite of the absence of a formal mandate, the consequences associated with having no compliance program, or even having an "ineffective" program, are so grave as to effectively mandate the compliance function. No firm can say no. (156) In this way, the government imposes a de facto compliance mandate on American corporations.

      The imposition of this mandate comes at the expense of board authority. Being forced not only to do something, but to do it in a particular way--so that the government deems it "effective"--demonstrates a clear lack of authority. Boards do not delegate authority to compliance. They cede it. In spite of the board's traditional authority to manage internal corporate affairs, the ultimate source of authority for compliance is derived not from the board, but from the government.

   2. Governance Authorities and Compliance

      The exogenous origins of compliance do not make it completely unique. Corporate governance, after all, is not entirely endogenous. (157) Firms also exist within a governance framework imposed by law. The traditional sources of exogenous corporate governance are state corporate law and federal securities law. (158) Insofar as the impetus toward compliance is derived from these governance authorities, it may still fit within conventional accounts focusing on the relationship between corporations on the one hand, and Delaware and the SEC on the other. The Sections that follow examine each of these traditional governance authorities, finding each lacking as an explanation for the development of the contemporary compliance function.

      1. State Corporate Law

         State corporate law defines the duties of corporate boards vis-a-vis shareholders. (159) Some aspects of this relationship are defined in minute detail--for example, board responsibilities in takeover contests (160) and the incremental value of supplemental disclosures in proxy statements. (161) Yet state corporate law is silent, or nearly so, on compliance.

         Corporate statutes do not address the compliance function. (162) Instead, any impetus toward compliance has been left to courts interpreting fiduciary duty standards, where the development of compliance has been effectively curtailed by application of the business judgment rule. (163) When courts have addressed compliance, it has typically been to reject the claim that a compliance failure amounts to a breach of fiduciary duty. For example, in Graham v. Allis Chalmers Manufacturing Co., the Delaware Supreme Court expressly disclaimed any board obligation, absent clear "red flags" of wrongdoing, to install compliance programs. (164) Later, in the In re Caremark opinion, Chancellor Allen hinted that a board that did not develop an effective compliance program might fail in its monitoring and oversight duties. (165) However, this possibility was swept aside in Stone v. Ritter, in which the Delaware Supreme Court held that courts would not inquire into the objective adequacy of a firm's monitoring and oversight mechanisms. (166) Instead, courts would limit their inquiries into the subjective basis of the board's failure to monitor and oversee the firm. (167) Thus, although directors can be held liable for intentionally (or recklessly) acting contrary to the best interests of the corporation, they cannot be held liable for the objective inadequacy or ineffectiveness of the firm's compliance or monitoring program. (168) In case there was any doubt on this point, Delaware retreated still further during the financial crisis by flatly refusing to use fiduciary duty standards to impose liability on the boards of financial institutions that had contributed to the crisis. (169)

         Corporate law courts occasionally do make pronouncements about compliance. The flexible nature of fiduciary duty jurisprudence allows judges to weigh in on a case-by-case basis to approve or disapprove of the practices at particular firms. For example, three 2013 Court of Chancery opinions emphasize the oversight responsibilities of directors of Delaware-incorporated firms whose business is based primarily overseas. (170) These cases underscored, once again, the importance of a system of monitoring and controls that the board has sought to implement and verify in good faith. (171) Nevertheless, judicial intervention in this area is episodic, resolutely fact-specific, and generally limited to cases with extreme facts. Thus, although it is fair to say that corporate law encourages corporations to have some basic system of internal monitoring and reporting, it provides no guidance as to adequacy. Corporate law looks to the motives of the board in implementing the system rather than the efficacy of the system itself. (172)

         As a result, state corporate law has not meaningfully contributed to the development of compliance. Whatever compliance may be, it is not a product of corporate law. Indeed, it is more correct to say that compliance does what corporate law's duty of care might have done, had the business judgment rule not eviscerated duty of care jurisprudence. Compliance now occupies the space left in the wake of corporate law's retreat.

      2. Federal Securities Law

         The federal securities laws establish the SEC as the primary regulator of the securities industry. (173) They also create a mechanism for federal intervention in corporate governance more generally. (174) This is accomplished through the registration requirement. All public companies must register with the SEC, which, as a result, renders them...