The Hidden Power of Compliance

Although corporate wrongdoing can reach an immense scale with disastrous ramifications, holding boards accountable has long been perceived as elusive. Under both state fiduciary duty law and federal securities doctrine, directors and officers are liable only if they were aware of corporate failures or reckless in ignoring them. Since providing evidence of awareness or recklessness is exceedingly hard, corporate law scholars have long seen these requirements as raising an almost impenetrable shield over the board. Instead, we demonstrate that the evidentiary path to boards’ state of mind is nowadays more open than it has ever been before, due to the revolutionary growth of compliance departments in recent years. Corporate law literature has largely dismissed compliance as ineffective, fearing that in-house monitors would be too weak or too loyal to constrain corporate wrongdoing. Contrary to this conventional wisdom, we argue that legal and compliance experts’ reports and recommendations, especially if ignored at the time they were made, often expose the board to liability once misconduct is revealed. To support our argument, we turn to parallel case law developments in Delaware fiduciary duty law and federal securities doctrine in the last ten years. We show that, in order to better delineate board liability, state and federal rulings have raised the evidentiary standards, demanding concrete proof that directors were aware of ongoing violations or had received sufficient red flags. In response, courts turn time and again to internal reports by legal and compliance personnel, which are well-suited to offer the requisite evidence. We offer a systematic analysis of Delaware jurisprudence in the last ten years since the landmark Stone v. Ritter ruling, which shows how instrumental legal and compliance personnel are in guiding the board through the multi-pronged requirements of its monitoring duties. We trace similar developments in federal securities class actions under Rule 10b-5. Finally, we discuss a small but growing body of law which imposes personal liability on legal and compliance personnel if they fail to alert the board about ongoing misconduct or gaps in its oversight systems. The threat of personal liability further cements the position of these officers vis-a-vis the board. To show how these developments transformed the legal treatment of massive corporate wrongdoing in practice, we study four recent high-stakes corporate debacles: the Wells Fargo fake accounts scandal, the Yahoo cybersecurity breach, the General Motors ignition switch scandal, and the Washington Mutual mortgage meltdown. Our case studies illustrate that the choices legal and compliance officers make when communicating with the board end up determining its liability. Chief legal and compliance officers, we conclude, have become the leading corporate actors in ensuring sound risk management and ethical leadership for companies.