The Voice of Reason
The Corporate Compliance Officer and the Regulated Corporate Environment
Ashoke S. Talukdar
Posted Friday, March 3, 2017
6 U.C. Davis Bus. L.J. 3 (2005)

I. Introduction: The Origins of Corporate Compliance Programs

"A wise person once said that the test of a truly moral person, is whether he does the right thing when no one is looking. Certainly, the test for all firms is whether they maintain and each day, reinforce, a culture of compliance - which includes a culture of doing not only what is within the strict parameters of the law, but also what is right - whether or not a regulator or anyone else is looking. This culture underpins your business and the decisions and choices that you make every day, about small and not so small issues.… It is critical that firms establish a strong culture of compliance that guides and reinforces employees as they make decisions and choices each day."[1]

A corporate compliance program is "a system which is designed to detect and prevent violations of law by the agents, employees, officers and directors of a business."[2] Modern corporate compliance programs can be traced back to the landmark In re Caremark International Inc. Derivative Litigation decision.[3] In Caremark, the Court held that directors may be liable for losses resulting from the corporation's failure to comply with applicable legal standards.[4] Thus, the Caremark decision created a significant impetus to corporate directors for ensuring compliance with applicable laws. However, the real growth in corporate compliance programs has been a more recent phenomenon arising out of two other major changes in law: the passage of the Sarbanes-Oxley Act[5] and the associated amendments to Federal Sentencing Guidelines.[6]

To grasp the significance of these changes, one need only consider the typical view of the compliance horizon from the governance helm of the corporate ship. The sails of corporate operations are beset with numerous regulatory hazards. These hazards may include insufficient internal controls in a publicly traded corporation,[7] inappropriate disclosure of confidential information,[8] conflicts of interest in hiring and referral practices,[9] and proper reporting of consumer credit.[10]

Recent changes in laws have created corporate accountability to various interested constituencies. As a result, many corporate entities have turned with renewed vigor to compliance programs as a preventative measure.[11] Even industries not directly affected by specific governance rules have established such programs based upon regimes existing in the corporate realm, and modified by the addition of other norms of organizational conduct, particularly ethics.[12]

Section II of this article focuses on the basics of compliance programs, with overviews of the role of the Chief Compliance Officer ("CCO"), and the effect of regulations on corporate operations. Part A of Section III describes some illustrative provisions of federal and state laws. Next, part B fleshes out some discernible regulatory themes in the modern business entity while part C identifies important and associated compliance challenges, including general skepticism about these programs.

Section IV expands on a reprise of the basic premise of this discussion - successful compliance as corporate culture. Part A enumerates the multifaceted role of the CCO, with an eye towards the regulatory themes introduced in Section III. This is followed by a statement of the benefits of compliance programs in Part B. Part C ends with some comments on the integration of ethical principles into the corporate compliance culture.

II. The Corporate Compliance Program

By the very terms of her title, the CCO is the overseer of a corporate compliance program. Therefore, to understand her role, it is also necessary to understand the nature of a compliance program in the modern corporation. The important drivers of such a program establish the objectives that the CCO position is conceptually designed to fulfill.

A. The Corporate Compliance Officer

Although the theoretical framework of regulatory compliance emphasizes a corporate compliance "program," leading regulators have pointed out the need for single points of authority, such as a CCO who is responsible for overseeing the program. Commissioner Roberts of the U.S. Securities and Exchange Commission ("SEC") stated that such programs can only be effective when organized under the leadership of a CCO.[13] The Commissioner emphasized the importance of the CCO role because she is the "first line of defense against fraud and sales practice abuse, and [she] can serve [her] employer well by serving the public well."[14]

The Commissioner's slate of key requirements for a compliance program places the CCO in a central role and provides her with certain basic "weapons in her arsenal."[15] First, a CCO must have authority to remedy inappropriate conduct with ability to sanction.[16] Second, there should be strong procedures in place for monitoring activities of employees and a commitment to enforce them.[17] Finally, the program must be provided with the necessary resources to be effective, even if it is unlikely to have an immediate tangible benefit to an organization.[18] Furthermore, the overall scheme should emphasize vigilance in monitoring for questionable conduct and taking early action so as to minimize the harm done.[19]

B. Compliance and the Regulated Environment

The emphasis of the compliance program is squarely on employee conduct and the prevention and mitigation of the attendant harms of unlawful conduct. The CCO should steer the program in such a way that appropriate conduct becomes the norm rather than the direct result of constant enforcement. Indeed, the typical complex corporate environment may make it difficult, if not impossible, for her to enforce legally required conduct daily. Hence, education throughout the firm should be a hallmark feature of any compliance program in a regulated environment.[20]

Additionally, the duties created by regulatory standards will often mirror the underlying rights created for the intended beneficiaries, who may be neither shareholders nor employees of the firm.[21] Not surprisingly, these beneficiaries are often the clients of the regulated entity. Hence, a program that maintains focus on the beneficiaries as well as the day-to-day business processes is integral to successful compliance. Due to the complexity and detail of this task, there is inevitable skepticism as to whether a compliance program can successfully address these issues. However, a successful CCO can, in fact, overcome such skepticism and run a successful compliance program. Furthermore, she can turn what is generally conceived of as a corporate expense into a corporate investment.

III. Regulatory Obligations of Corporate and Other Entities

It is useful to understand the diverse regulatory regimes that a CCO might be faced with. These regimes create various obligations that a corporate entity must meet. Often the obligations intersect or overlap, and sometimes they conflict with each other. The CCO's role is to successfully navigate the corporate ship through these troubled waters, fulfill the obligations, and resolve conflicts along the way.

A. Examples of Regulations

The required standards of conduct and care to be established and enforced can only be determined by examining the appropriate laws that govern the particular entity. A review of a representative sample of these laws follows below.[22]

(1) Fiduciary Duties: Sarbanes-Oxley

Scholars view Sarbanes-Oxley as heightening corporate governance duties aimed at curbing unlawful fiduciary behavior in response to the collapse of Enron.[23] However, members of the SEC have unofficially indicated that there is a greater underlying need to restore investor confidence in a stock market shaken by accounting scandals.[24] Sarbanes-Oxley is an example of governance regulation that not only creates direct management fiduciary duties, but also indirectly advances other federal policy objectives.

The SEC regulations developed under Section 404 of Sarbanes-Oxley are particularly illustrative of boosting investor confidence.[25] These rules require a corporation to include in its annual filing a statement of conclusions "about the effectiveness of [the corporation's] disclosure controls and procedures…based on [management's] evaluation of these controls and procedures," as well as "significant changes in internal controls or in other factors that could significantly affect these controls."[26] In a press release prior to the issuance of the rule, the SEC indicated that these rules required: an annual internal control report containing statements of management's responsibility for establishing and maintaining adequate internal controls; identification of evaluation methods to measure the effectiveness of the rules; assessment of the results at the end of the company's most recent fiscal year; and auditor attestation of the results.[27]

In effect, management must design, implement, and validate effective internal controls that ensure the integrity of the annual report's content. Ultimately, the SEC emphasizes effectiveness of controls, which in turn will depend on how well the controls were designed. Corporations have taken a risk management approach to Section 404 compliance in order to minimize the risk of paying significant penalties for violations of SEC rules.[28]

(2) Private Rights: HIPAA

In the health care field, the Health Insurance Portability and Accountability Act of 1996 establishes specific rights of patients with regard to health information and gives a broad grant of authority to the Department of Health and Human Services ("HHS") to undertake the necessary rulemaking.[29] Accordingly, HHS has published rules to ensure the privacy[30] and the security[31] of Protected Health Information ("PHI").[32]

The HHS rules create distinct, yet overlapping attendant obligations and duties for the covered entities. For instance, the Privacy Rule requires that a covered entity "designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity."[33] Similarly, the Security Rule mandates that a covered entity "[i]dentify the security official who is responsible for the development and implementation of the [required] policies and procedures."[34] While in many respects, the rights and obligations under the two sets of rules mirror each other,[35] the organizational positioning of either or both roles could vary, and they could have different reporting structures, based on the firm size.[36] Coordinating the activities of these roles is thus a compliance function that is critical in the context of these rules.

(3) Conflict of Interest: Stark

The Stark Law was passed in two phases to address the inherent conflict of interest in physician self-referrals.[37] Stark I barred self-referrals for clinical laboratory services under the Medicare program.[38] Stark II expanded the restrictions to a range of health services and applied them to both the Medicare and Medicaid programs.[39] Pursuant to the law, the Center for Medicare and Medicaid Services ("CMS")[40] developed multi-phased rules.[41] The consequences of non-compliance include denial of claims, civil monetary penalties, and exclusion from the Medicare program.[42]

The CMS rules also provide a two-step process for determining an exception for certain "indirect compensation arrangements" that would not trigger the penalties.[43] The first step involves identifying whether the relationship between the referred physician and the health service provider is an "indirect compensation arrangement" as defined in the rule.[44] The second step is the substantive criterion for determining if such an arrangement qualifies for the exception.[45]

Hospitals routinely enter into employment and other compensation arrangements with physicians. The Stark exception is vital to the continuance of such arrangements, but prone to abuse with regard to the second step. Most importantly, scrutiny of physician agreements for potential Stark issues becomes an area of active monitoring by health care compliance programs.

(4) Statutory Assurances to Constituencies: Fair Credit Reporting Act

The meteoric increase in the number of credit transactions, accompanied by the significant automation in the collection, retention, compilation, and dissemination of credit information (collectively "credit reporting"), greatly increases the likelihood of inaccurate and incomplete credit information reported, often with life-shattering consequences for the consumer.[46] In response to these concerns, the Fair Credit Reporting Act ("FCRA") makes available to consumers several causes of action against credit reporting agencies where such inaccuracies occur as a result of the willful or negligent actions of a credit reporting agency.[47] The law also specifies certain defenses for reporting agencies.[48] The consequences of non-compliance are in the form of remedies available to the consumer. Specifically, willful non-compliance results in liability to the consumer for actual damages or a minimum range of statutory damages, punitive damages, and attorney fees.[49] For negligent non-compliance, liability exists for actual damages and attorney fees only.[50]

The reporting agency's computerized databases and their interaction with various systems that participate in automated credit reporting are of immense significance under the FCRA.[51] As a matter of risk management, the procurement of appropriate computer database systems for credit reporting becomes a critical element of compliance under the FCRA.[52] The evidentiary importance of such systems aside, FCRA is an example of law that implicitly creates the need for internal technological standards as well as external statutory standards that fall within the ambit of a compliance program.[53]

(5) Conflicts in Statutory Rights: USA PATRIOT Act

Enacted in the aftermath of September 11th, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act ("Patriot Act")[54] has generated widespread bipartisan controversy because it allegedly offends basic civil liberties under the First, Fourth, and Fifth Amendments to the United States Constitution.[55] Furthermore, the Patriot Act amends several existing Federal laws.[56] The Foreign Intelligence Surveillance Act ("FISA") is an illuminating example.[57] One of the most controversial provisions of this amendment is the expansion of FISA's common carrier records provision. This provision now authorizes the Federal Bureau of Investigation ("FBI") to seek an order for the production of "any tangible things (including books, records, papers, documents, or other items)," rather than just records, from any entity, not just common carriers.[58] The amendment also removes the need for the previously required "specific and articulable facts giving reason to believe that the person…is a foreign power or an agent of a foreign power."[59]

Additionally, the Patriot Act creates significant tension with existing laws that provide statutory privacy rights to specific classes of beneficiaries.[60] Owing to the importance of the production orders under Section 215, compliance with the Patriot Act in the context of these rights can be one of the most significant challenges to a modern compliance program.[61] Until the courts rule on the constitutionality of these provisions, compliance may indeed require disclosure of information that might arguably be protected under other laws.

B. Common Regulatory Themes

Although part A is a greatly abbreviated sampling of regulatory schemes, a complex web of laws emerges from them and the interrelationships of these laws will govern the basics of permissible employee behavior and firm activities. There are a few themes of importance that are conspicuous both directly in the regulations and in the industry response. The remainder of this subsection identifies some of these regulatory themes and examines their relevance to a corporate compliance program.

(1) Risk Management

As a practical matter, compliance programs are not self-standing concepts, but risk management mechanisms.[62] A well-structured compliance program can prevent violations and misconduct from occurring in the first place.[63] This approach manages the risk associated with conduct by reducing the ongoing costs arising out of the handling of charges and claims or the efforts to mitigate any harm that might result from non-compliant conduct.

This approach to compliance comports with both the 1991 Organizational Sentencing Guidelines as well as the amendments thereto under Sarbanes-Oxley.[64] The guidelines generally allow convicted organizations to substantially reduce penalties by showing corporate good conduct.[65] It is believed that a well-designed compliance program would "prevent and detect violations of law" and also assist in a showing of compliant conduct in those situations where a violation does indeed occur.[66]

(2) Compliance Awareness

The companion approach to risk management consists of generating corporate awareness of both the risks of non-compliance and what constitutes risk-avoiding conduct. For a compliance program to be successful, the workforce must know what to avoid. This awareness should not come merely from the legal department but from top management.[67] To the rank and file, the voice of management will be a more authoritative statement of the commitments of the firm.[68] It will also help to make compliance a part of the daily processes and help to foster teamwork and cooperation between legal and operational functions of the firm.[69]

Awareness can only be as effective as the message used, which means that proper education and training is vital. Furthermore, the importance of education and training programs in compliance awareness is often reflected in the laws themselves. For example, both the Privacy and the Security Rules under HIPAA require that, as of the effective dates of the rules and as an ongoing effort, a covered entity provide education and training to its staff at various levels.[70] Specifically, in the preamble to the Security Rule, HHS explains that security awareness training "is a critical activity, regardless of an organization's size. This feature would typically become part of an entity's overall training program."[71]

In recent years, the SEC, in its expanding regulatory role, has echoed this theme of educational awareness. On January 14, 1999, the SEC issued an order instituting proceedings and an order against PricewaterhouseCoopers L.L.P. ("PwC"), alleging "improper professional conduct."[72] As a part of this action, the SEC ordered several policies and procedures to be implemented within 180 days of the order, with independent consultant review within 210 days of the order.[73] But most notably, the SEC ordered professional education and training for all PwC partners and professionals regarding independence from financial interests in accounting firms.[74]

(3) Disclosure and Reporting

As the Federal Sentencing Guidelines indicated, there is a significant emphasis on openness and availability of information.[75] Much of this emphasis stems from the Caremark decision which established that corporate directors can be held personally liable for a corporation's wrongdoing, and that absence of an effective corporate compliance program may be used to prove such liability.[76]

Caremark was a managed-care healthcare provider that received substantial revenues from Medicare and Medicaid reimbursements, subject to the Anti-Referral Payments Law ("ARPL"),[77] which prohibits healthcare companies from making payments to doctors in exchange for Medicare and Medicaid patient referrals. In 1991, the Inspector General for the Department of Health and Human Services began investigating Caremark for possible ARPL violations because Caremark physician contracts indicated payment to doctors for monitoring patients under Caremark's care, including Medicare and Medicaid patients, in return for some referrals to Caremark.[78] Despite remedial efforts by Caremark, a federal grand jury indicted Caremark, two of its officers, and two other employees, accusing them of violating the ARPL.[79] The derivative suit followed shortly thereafter, alleging the directors' breach of their fiduciary duty of care for insufficient supervision of employee conduct and insufficient corrective measures. This suit exposed Caremark to substantial liabilities.[80] Importantly, the Delaware Chancery Court found that a modern corporate board must ensure that management establishes appropriate information and reporting systems.[81] The court cited the potential impact of the U.S. Sentencing Guidelines for Organizations and their mitigation factors, finding it to be irrational for a company to fail to take the Guidelines into account in responsibly governing an organization.[82]

The Caremark decision unequivocally established proper information reporting and disclosure as a fundamental ingredient of corporate governance. Recent regulations in other areas have explicitly extended such disclosure requirements outside the public corporation context and to constituencies other than shareholders. For instance, the Privacy Rule in HIPAA gives the patient a right to an accounting of certain disclosures of PHI by a covered entity.[83] The accounting must include "disclosures of [PHI] that occurred during the six years [or less] prior to the date of the request for an accounting."[84] In addition, each item of accounting must also include:

"(i) The date of the disclosure; (ii) The name [and, if known, the address] of the entity or person who received the [PHI]…; (iii) A brief description of the [PHI] disclosed; and (iv) A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such statement, a copy of a written request for a disclosure."[85]

(4) Accountability

Accountability has served as a traditional basis for compliance programs. Even the public corporation boards are indirectly accountable to shareholders. Professor Langevoort writes that "the dominant view in corporate governance theory today is that heavy emphasis on teamwork and conflict-avoidance marks a board that has been captured by its CEO" acting largely as "an elite private club with a rubber stamp."[86] Most regulatory lobbying and scholarly work has urged the replacement of such boards with boards that monitor with "independence, skepticism, and a rigorous loyalty to shareholder interests."[87]

Accountability in other regulations extends to other constituencies, ranging from consumers,[88] to patients,[89] and perhaps to the citizens of the United States.[90] The mantle of responsibility falls on credit reporters, health care providers, insurance plans, clearinghouses, and ultimately on the Federal Government itself.[91] Accountability stems from corporate responsibility to the various constituencies. In the context of independent directors in a public company setting, Langevoort further urges that "[t]he Model Business Corporation Act and the [law] should more clearly delineate the oversight responsibility of directors generally, and the unique role that independent directors play in discharging that responsibility."[92]

The courts have also broadly applied the element of responsibility or duty for senior management in various contexts under the "responsible corporate officer doctrine."[93] In BEC Corp. v. Dep't of Envtl. Prot., the corporation and its officers sought review of a decision of the Connecticut Department of Environmental Protection ("DEP") upholding an abatement order pertaining to a property owned and used by BEC for an oil storage and distribution business with a history of oil spills.[94] The Connecticut Supreme Court, interpreting the state Water Pollution Control Act ("WPCA"),[95] held that while a corporate officer's personal liability is not automatic by virtue of having supervisory authority over employee actions, such liability may nevertheless attach if the officer's actions or inactions lead to conditions that "reasonably can be expected to create a source" of the regulatory violation.[96] The court also explicitly relied on "the broad remedial purpose of [the WPCA], which is to protect the waters of the state from pollution" and found that the Connecticut legislature intended that the WPCA "enable [DEP]…to impose liability on all those who, in some way, have responsibility towards the land."[97]

(5) Corporate Gatekeeping

The preceding discussion emphasizes that the task of staying clear of the potential violations of regulations requires careful evaluation of the business operations in the context of the laws, their intended goals, and the attendant liabilities arising from violations. This task is therefore the central legal component of a successful compliance program, and in some cases perhaps its exclusive realm. It also creates the specter of a prior approval of all corporate conduct. However, this gatekeeping function comes with its attendant challenges, principally because compliance personnel must take on the multiple roles of being not only agents of the corporation, but also its lawyers, bookkeepers, educators, and ethicists as well.[98]

C. Common Compliance Challenges

Before discussing the role of the CCO, it is useful to enumerate some practical challenges that she and the compliance program are likely to face in the context of the different regulatory themes discussed above.

(1) Costs

One daunting obstacle is the cost of maintaining a compliance program. Depending on the size of the firm, such a program may require substantial resources, particularly because of the requirements for education and training. The expense obstacle is even more unpalatable in light of the indirect, and often inherently intangible, nature of the benefits of a compliance program.[99]

The cost of a corporate compliance program is not insignificant. Lynch and Salvaty reported that the education and training requirement of the PwC settlement agreement resulted in PwC creating a $2.5 million fund to be used for educating the management.[100] The dramatic nature of the SEC's enforcement is evidence of its willingness to take action against accounting firms when it perceives an independence problem regardless of any actual material compromise of the result of a client firm's audit. This position by a federal agency greatly heightens the economic bar for corrective compliance actions designed to monitor and discourage such activity from inside the firm.

The operating cost of a compliance program is likely to be similarly significant. One study predicts that in the next five years national compliance costs will reach the $80 billion mark, with organizations spending $15.5 billion on compliance-related activities in 2005.[101] Only 35% of companies surveyed had compliance-specific budgets.[102] Almost two-thirds of these companies had to use funding from other areas to fund compliance projects.[103] The study also estimates that more companies will have compliance-specific budgets in the future.

The economic toll taken by compliance can be particularly heavy on small businesses, which prompted the passage of the Small Business Regulatory Enforcement Fairness Act of 1996 ("SBREFA"). Congress found that "small businesses bear a disproportionate share of regulatory costs and burdens."[104] However, it is unclear whether SBREFA will translate to a tangible improvement in the compliance costs of small business. Ultimately compliance is likely to continue to remain a significant financial challenge to most firms.

(2) Monitoring and Assessment

Proper monitoring and assessment is another continual challenge for any compliance program. Former Deputy Attorney General Larry D. Thompson's Memorandum to Heads of Department Components and United States Attorneys ("Thompson Memo") is illustrative of this challenge.[105] The Thompson Memo directs United States Attorneys to consider the presence of an effective compliance program when deciding whether to take action against an organization. The memo refers to the organizational sentencing guidelines as criteria for evaluating the effectiveness of such a program.[106]

However, while the Thompson Memo influences the Sentencing Guidelines in federal charging and plea decisions, it provides little guidance on how a compliance program should assess and manage the corporate risk with regard to regulatory violations.[107] Finally, while the Sentencing Guidelines have greatly influenced the shape of modern compliance programs, in the absence of a good evaluation standard, the ongoing monitoring for compliance suffers from the same uncertainties as the risk assessment itself.[108] Thus, in the complex operations of the modern firm, a predefined set of metrics for measuring efficacy becomes a significant compliance challenge. Without such metrics, continual monitoring of the compliance of day-to-day activities may become an all-consuming and unproductive task.

(3) Inertia and Indifference: Skepticism

Perhaps the most significant barrier to the compliance program is the sheer inertia of current corporate and regulatory practices. Professor Bowman points out that although Caremark introduced the application of the Federal Sentencing Guidelines in measuring liability of management wrongdoing,[109] Sarbanes-Oxley has remained remarkably silent on sentencing.[110] He further explains that while the Sentencing Guidelines as applied to individuals are the subject of much debate, this is not the case with organizational sentencing guidelines.[111] In his view, the difference is partially due to the fact that in the very rare instances when corporations suffer criminal convictions and sentences there is "no soul to be damned, and no body to be kicked."[112]

Therefore, there is an apparent disjoint in the standards of culpability as between the firm and its officers, which results in a very practical problem of distinguishing to management the conceptual difference between actions attributable to the firm and those imputed to the officers. This disjoint can create indifference towards the program, which leads to much skepticism, both internally and externally, about the efficacy of compliance programs. For example, Professor Bowman's prosecutorial view compares compliance programs to "legal Potemkin villages," and doubts whether the compliance "[scurry]…on the riverbank…[moves] either the barons or the serfs of corporate life to commit less crime."[113] Such skepticism is likely to remain an ominous cloud on the compliance horizon, and overcoming it is an ongoing challenge.

IV. The Voice of Reason: The Successful Compliance Officer

"The culture of compliance is not a new concept. Hopefully, everyone here is familiar with the idea. For years, you've been told you need one. We at the SEC have been emphasizing that firms need to create a culture of compliance for many years. You've heard it from Chairmen, from Commissioners, and from the staff, and certainly you've heard it from me. If you've been listening, you know it's not enough to have policies. It's not enough to have procedures. It's not enough to have good intentions. All of these can help. But to be successful, compliance must be an embedded part of your firm's culture."[114]

The preceding discussion makes it abundantly clear that the helm of the compliance ship can be a precarious place. Even with her hands placed firmly on the tiller, the CCO will have a significant challenge in steering the corporate ship safely through the troubled enforcement waters, while avoiding the regulatory Scylla and Charybdis.[115] There will always be a danger of obstructing the corporate sails of production with excessively aggressive steering of the compliance helm. It is proposed here that the challenges can indeed be met, and the skepticism overcome, for successful navigation of the corporate ship. If the CCO's voice is one of reason, rather than of prohibition, she will win the cooperation from all hands of her crew in all facets of her job. It is therefore worthwhile to determine what the function of the CCO should be in the context of her various roles, as required by the different regulatory themes discussed above.

A. More Than a Lawyer: Her Many Faces

At the outset, it is apparent that a firm will rarely need to comply with just one set of regulations, or be governed by just one act of law. In practice, each of the regulations discussed here (which are but a very small sample) cuts across multiple kinds of organizations, so that any firm will have to comply with many rules and regulations.[116] This requires the successful CCO to wear many hats during the course of her tenure in any firm.

(1) The Fiduciary

The direct impact of Sarbanes-Oxley on lawyers as a community has generated much literature.[117] Corporate fiduciary duties originated with respect to the duties of the board towards the corporation, to counter the agency costs associated with the separation of ownership and management. The CCO and other firm employees are not board members, and therefore are not wholly within the scope of the traditional fiduciary duties to shareholders. However, it is arguably impossible to have a successful compliance program without incorporating principles of fiduciary duty, because regulatory obligations ultimately exist to inure to the benefit of the firm's various constituencies, including public shareholders and customers.

As a result, even though the firm is both her employer and her client, the CCO nevertheless must also walk in the shoes of the traditional firm fiduciaries, while simultaneously maintaining her independence from their influence. Indeed, most CCOs are required to have direct reporting authority to the board, often bypassing the CEO in situations of conflict or disagreement.[118] More strikingly, in keeping with this spirit of independence and disclosure, SEC rules promulgated under Sarbanes-Oxley would expressly allow her, in certain situations, to approach the SEC directly even in the absence of the firm's consent, thereby immunizing her from the risk of violating her client's confidences.[119]

(2) The Protector of Rights and Interests

The fulfillment of obligations to constituencies other than shareholders is successfully monitored only when such monitoring extends to and, if necessary, restricts firm activities that are within the scope of the obligations. For example, it is the CCO of a health care organization, rather than its board or its managers, that may need to be the final arbiter in situations where a disclosure of PHI[120] is imminent, but the legality of the stated purpose is not clear. In 2004, the U.S. Attorney General demanded medical records from several hospitals.[121] These records documented certain late-term abortions performed by doctors who had allegedly joined in a legal challenge of the disputed Partial-Birth Abortion Ban Act.[122] The hospitals successfully challenged the subpoenas in court.[123] Ironically, decisions to challenge such subpoenas call into question the bases of certain regulatory efforts. This example demonstrates that the CCO may have to make a decision to actively resist compliance with one set of rules in order to protect the statutory rights and interests of corporate constituencies under another.

(3) The Educator

Although the traditional role of corporate counsel may not necessarily include education, the role of CCO certainly should. As discussed below, a fundamental goal of a compliance program is to create a culture of compliance.[124] However, the culture may only be formed if the employees are aware of what needs to be done during day-to-day operations.[125] The employees must also receive this information in a form that they can comprehend, and not merely as a recitation of the typically incomprehensible regulatory text. The CCO and her staff must, therefore, work closely with education and training programs to deliver the required message to the rank and file, management, and the board.

(4) The Business Process Advisor

Ultimately, the CCO must operate the compliance program not only as an insider but also as an outsider looking in. Unfortunately, the internal regulator, which the CCO is by virtue of her role, is often viewed as the traditional naysayer and an obstructionist by both the firm and the regulators.[126] A significant problem with this perception is perhaps the fact that it is often true: the CCO is by necessity a naysayer, particularly in firms where compliance is not the culture.

It is therefore important for the CCO to present herself as a solution provider and a facilitator that can achieve the firm's production goals while simultaneously avoiding the regulatory risks. However, in order to achieve these goals, she needs to thoroughly understand both the current business processes of the firm, and how to replace a current process that is in technical violation of a law. Ultimately, the successful CCO will be one who can help keep the firm legally operational and profitable, while working in conjunction with all the process managers.

B. Benefits of a Successful Compliance Program: Creating a Culture of Compliance

A compliance program can reduce the risk of legal violations and lower the level of regulatory scrutiny. The SEC has indicated that it will focus its limited enforcement resources on higher-risk firms.[127] This approach is likely to be shared by other federal agencies charged with enforcing various regulations because all agencies are resource constrained. Therefore, while a successful compliance program helps to prevent legal violations and to mitigate punishment in case of violations, it could also potentially reduce the frequency and level of regulatory investigations and governmental audits.[128]

A compliance program can also benefit the firm by using available regulatory guidance, which is frequently tailored specifically for such programs. For example, the Office of the Inspector General (OIG) for the HHS routinely issues compliance guidance to the health care industry, including nursing homes, hospices, emergency rooms, ambulance providers, and hospitals. The guidance documents provide suggestions on how a program based on the Federal Sentencing Guidelines might be adapted to a specific industry.[129] Furthermore, the OIG explicitly incorporates risk assessment into its guidance.[130] The Patriot Act is a second example, and one that requires a compliance program. It delegates to the Department of the Treasury ("DOT") the task of writing regulations that "prescribe minimum standards for programs established under" the statute.[131]

A more direct benefit of a compliance program can be realized under the Federal Sentencing Guidelines' formula for calculating culpability.[132] For any violation, the culpability starts with a score of 5.[133] However, the rule provides that if the violation occurred "even though the organization had in place at the time of the [violation] an effective compliance and ethics program…[the corporate defendant can] subtract 3 points" from the culpability score.[134] Compliance programs have additional quantifiable, though not readily apparent, benefits. These would include meeting the expectations of and improving relationships with customers, shareholders, the community, and the regulators; facilitating easier financing of business transactions and reducing liability insurance costs through compliance documentation; and regularly compiling information necessary for various regulatory filings.[135]

Finally, as one commentator believes, a good compliance program results in "sound business decisions, confidence in reporting to stakeholders," and ultimately a more "insightful, controlled, and trustworthy view of [the firm's] performance."[136] It thus provides an opportunity for the firm to turn a burden into a competitive advantage. This implies, as a practical matter, that compliance is not merely about following the rules and avoiding violations and penalties. Instead, the firm can choose its mode of operations and general corporate conduct. In this context, the perceived hardships of compliance are best overcome and the anticipated benefits are best reaped if the firm observes compliance as a matter of practice, such that the entire culture of the firm - the board, the management, and the rank and file - is one that incorporates compliant conduct.

C. Corporate Culture Redux: Some Final Thoughts on Ethics

The Open Compliance and Ethics Group ("OCEG") was formed in December 2002 as "a multi-industry, multi-disciplinary coalition [of business leaders seeking] to integrate the principles of effective governance, compliance, risk management and integrity into [corporate culture]."[137] In its Public Exposure Draft, the OCEG set forth that the "boundary-setting" essence of corporate governance:

· Defines and evaluates performance against objectives;

· Authorizes and oversees the business architecture that will be employed to meet the objectives;

· Identifies and oversees compliance with mandated boundaries;

· Defines and oversees compliance with selected or discretionary boundaries; and

· Defines and oversees compliance with social, ethical and other obligations.[138]

The OCEG created a framework for compliance that suggests that identification of ethical factors is an important additional component of the regulatory compliance programs.[139] More importantly, the functional goal of the framework is to help firms meet minimum legal requirements and reduce compliance costs while also providing guidance and direction on exceeding the minimum requirements so that compliance spending becomes a business investment that boosts performance.[140] Given the tenor of corporate representation in the OCEG,[141] it would appear that a significant and influential segment of corporate America is of the opinion that ethics are indeed an important and realistic conduit for bringing compliance into American corporate culture.

The OCEG advises that the first step in the framework is identifying factors related to ethics, entity values, and integrity, including an assessment of the firm's own value statement.[142] The belief is that identifying the ethical drivers behind laws can provide support and detail for such value statements.[143] This view arguably places ethical factors and related events in the same orbit of importance as legal mandates and internal controls. Indeed, as explained previously, legal mandates may be unclear or conflicting, and internal controls may be informal or weak.

Inherent in this logic is an important lesson for understanding compliance as a corporate culture; when employees understand the "why" behind legal factors, they are more likely to be willing and able to align their conduct when faced with "questionable" issues where regulatory violations are likely to occur.[144] The employees are likely to comply even when the regulators are not necessarily looking.[145] In such a state of things, the CCO will be better able to run a successful and ultimately beneficial compliance program by virtue of the compliant conduct of firm members, instead of by legal fiat.

V. Conclusions

Tracing corporate compliance programs from their origins to their current incarnation in the post-Enron corporate America reveals that the CCO was and still is an important internal regulatory presence. Modern regulatory regimes impose several duties on the compliance program and the CCO. They include fiduciary duties, duties to other constituencies introduced by statutory individual rights, avoidance of conflicts of interest, assurances to clients and customers, and even post September 11th homeland security.

The duties introduce the recurring theme of treating compliance as a risk management effort, with the goal of avoiding the punitive consequences of regulatory violations. Of course, the CCO is now tasked with ensuring that firm employees are aware of what would be considered appropriate conduct. Moreover, in light of the Caremark decision, such awareness must be presented across the workforce, accompanied by confident, accurate, and truthful disclosure and reporting of firm activity to various Federal regulatory bodies. These principles emphasize management accountability. They also implicitly require that a CCO be the gatekeeper of firm activity and employee conduct. In the face of these requirements, she has to overcome challenges of compliance costs, corporate resistance and disfavor towards compliance programs, the frequent negative perception of being a naysayer, and general skepticism as she dutifully goes about her task of monitoring and assessment. Also, in attempting to uphold statutory obligations to other constituencies, the CCO sometimes may urge action contrary to a regulation yet to be interpreted. In spite of her best efforts, some shall remain skeptical about her likelihood of achieving the desired spirit of the regulatory goals.

It is proposed here that a CCO is nevertheless an absolutely critical presence in running a successful compliance program; a presence that can, in fact, control the abhorred costs of compliance and ultimately inure to the benefit of the firm's bottom line. She can achieve this compliance utopia by integrating risk management and corporate ethics into the ordinary business practices of the firm and by providing education and training with an understanding of the firm's business processes. The perception of her multifaceted role might then change from being that of an expensive obstructionist to that of a voice of reason. Her voice would serve as an investment in the firm by ingraining compliance into the latter's culture, mission, vision, and values, thereby providing the firm with a competitive and reputational advantage.

It is unlikely that the white-collar prison cell will ever be entirely empty. However, although Professor Bowman's regulatory Tsarinas will still see much scurrying about on the banks of the corporate Dnieper, unlike his Potemkin villages, these will tend to be thriving and functional cultures of compliance under their respective CCOs, and not expensive and fanciful illusions constructed merely to impress with appearances.[146]

[1] Lori A. Richards, Speech by SEC Staff: The Culture of Compliance, Spring Compliance Conference: National Regulatory Services, Tucson, Arizona (April 23, 2003). At the time of the speech, Lori A. Richards was the Director, Office of Compliance Inspections and Examinations, U.S. Securities and Exchange Commission.

[2] See Answers to Frequently Asked Questions, Corporate Compliance, Ltd., available at (last visited Nov. 4, 2005). See also, Lawrence B. Pedowitz et al., A Firm-Wide Culture Of Compliance: Seven Best Practices That Can Make A Difference, 18 No. 6 Insights 15 (2004) (the seven practices being: "[setting] the proper tone at the top," id. at 16; "[communicating] the compliance message throughout the organization," id. at 17; "[creating] an inventory of regulatory and reputation risks," id. at 19; "[establishing] an 'Early Warning' System," id.; "[conducting] specialized training for supervisors," id. at 20; "[ensuring] that information is promptly surfaced," id.; and "[using] internal discipline effectively," id. at 21).

[3] In re Caremark Intl. Inc. Derivative Litig., 698 A.2d 959, 970 (Del. Ch. Ct. 1996) (finding that a director's obligations include a good faith attempt at assuring the existence of a corporate information and reporting system).

[4] Id.

[5] Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 Stat. 745 (2002).

[6] The former Federal Sentencing Guidelines emphasized due diligence in seeking to prevent and detect criminal conduct by an organization's agents as the cornerstone of an effective risk management program. Comments to the Guidelines indicated that, at a minimum, an effective program was required to: (1) Establish compliance standards and procedures for its agents that are reasonably capable of reducing improper conduct; (2) Assign responsibility to specific, high-level personnel within the organization to oversee compliance with the standards described above; (3) Use due care so that excessive discretionary authority is not delegated to people whom the organization knows or should know engaged in illegal activities; (4) Take steps to create pervasive awareness through training programs and publications; (5) Take reasonable steps to be compliant with its own standards through monitoring and auditing systems to detect improper conduct, and implement proper whistleblower mechanisms; (6) Enforce through proper disciplinary sanctions; and (7) Take all reasonable risk mitigation and avoidance steps when an offense occurs. See 18 U.S.C.S. app. § 8A1.2, cmt. n.3(k) (2003). Following Sarbanes-Oxley, these comments became an express mandate as a new section of the Guidelines. See § 8B2.1 (2004).

[7] See Fiduciary Duties: Sarbanes-Oxley Act, infra section III.A(1).

[8] See Privacy Rights: HIPAA, infra section III.A(2). See also, Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g(b)(1) ("No funds shall be made available under any applicable program to any educational agency or institution which has a policy or practice of permitting the release of education records (or personally identifiable information contained therein...) of students without the written consent of their parents to any individual, agency, or organization."); Gonzaga U. v. Doe, 536 U.S. 273, 278-279 (2002).

[9] See Conflict of Interest: Stark, infra section III.A(3).

[10] See Statutory Assurances to Constituencies: Fair Credit Reporting Act, infra section III.A(4).

[11] See H. Lowell Brown, The Corporate Director's Compliance Oversight Responsibility in the Post Caremark Era, 26 Del. J. Corp. L. 71, 80-81 (2001); see also Dan K. Webb et al., Understanding and Avoiding Corporate and Executive Criminal Liability, 49 Bus. L. 617, 653 (1994).

[12] This trend has been particularly marked in health care. See, e.g. Mark E. Meaney, Error Reduction, Patient Safety And Institutional Ethics Committees, 32 J.L. Med. & Ethics 358 (2004).

[13] See Richard Y. Roberts, Commissioner, U.S. Securities and Exchange Commission, The Role of Compliance Personnel - Remarks at the National Regulatory Services 10th Anniversary Investment Adviser and Broker-Dealer Compliance Conference, Paget Parish, Bermuda April 7, 1995, at (last visited Nov. 1, 2005).

[14] Id. at II, ¶1.

[15] Id. at II, ¶2.

[16] Id.

[17] Id. at ¶3.

[18] Id. at ¶4.

[19] Id. at ¶5 (emphasis added).

[20] Id.

[21] For example, the Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act," states that "[i]t is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information," 15 U.S.C. § 6801(a) (2001), with appropriate "[f]inancial institutions safeguards," §6801(b). (emphasis added). Pursuant to this objective, and as authorized by § 6804, the U.S. Federal Trade Commission promulgated, among others, the "Safeguards Rule," requiring financial institutions to have a security plan to protect the confidentiality and integrity of personal consumer information. See The Gramm-Leach-Bliley Act: The Safeguards Rule, Federal Trade Commission (2001), available at (last visited Sept. 28, 2005).

[22] This is by no means an exhaustive list. The statutory selections here represent only a sampling of the regulatory standards that appear on the compliance compass.

[23] See generally A Bird's Eye View of the Enron Debacle, The American Institute of Certified Public Accountants (2005), available at (last visited Oct. 30, 2005).

[24] See Paul S. Atkins, Commissioner, U.S. Securities and Exchange Comm'n: The Sarbanes-Oxley Act of 2002: Goals, Content, and Status of Implementation, Address before the University of Cologne, Germany, February 5, 2003, available at (last visited Oct. 30, 2005).

[25] See 17 C.F.R. § 229.307 (2004). Section 404(a) of Sarbanes-Oxley directs the SEC to develop rules to:

(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

116 Stat. 745 § 404 (2002).

[26] 116 Stat. 745 § 307 (2002); see also SEC Form 10-K, available at (last visited Nov. 4, 2005).

[27] U.S. Securities and Exchange Comm'n, SEC Implements Internal Control Provisions of Sarbanes-Oxley Act; Adopts Investment Company R&D Safe Harbor, U.S. Securities and Exchange Commission (May 27, 2003), available at (last visited Nov. 4, 2005).

[28] See David M. Katz, Sarbanes-Oxley Spurs ERM, CFO Publishing Corporation (2003), available at (last visited Nov. 4, 2005).

[29] See Pub. L. No. 104-191, 110 Stat. 1936 (1996); 110 Stat. 2033 § 264(c)(1).

[30] See 45 C.F.R. § 164.501 (2004) et seq.

[31] See 45 C.F.R. § 164.301 (2004) et seq.

[32] See generally 45 C.F.R. §§ 160, 164 (2004).

[33] 45 C.F.R. § 164.530(a)(1)(i) (2004).

[34] 45 C.F.R. § 164.308(a)(2) (2004).

[35] Compare § 164.502(b)(1) (2004) ("When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request") and § 164.514(d)(2) (a covered entity must identify both the classes of persons who need access to PHI as well as the category of PHI to which access is needed) with § 164.308(a)(iv)(2)(B) (a covered entity must "[i]mplement policies and procedures for granting access to electronic protected health information") and § 164.312(a)(1) (a covered entity must put in place "technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights").

[36] See, Mel Duvall, Chief Security Officer: No Magic Bullet (2002), available at,1540,818127,00.asp (last visited Nov. 4, 2005) (discussing corporate positioning of security officials).

[37] Physician self-referral is the practice of a physician referring a patient to a medical facility in which he has a financial interest, be it ownership, investment, or a structured compensation arrangement.

[38] Stark I was a provision under the Omnibus Budget Reconciliation Act of 1989, Pub. L. No. 101-239, 103 Stat. 2106 (1989).

[39] Stark II was a provision under the Omnibus Budget Reconciliation Act of 1993, Pub. L. No. 103-66, 107 Stat. 312 (1993), as amended by the Social Security Amendments of 1994, Pub. L. No.103-432, 108 Stat. 4398 (1994).

[40] Formerly known as the Health Care Financing Administration ("HCFA").

[41] 42 C.F.R. § 411 et seq (2004); see generally, Maureen Kwiecinski, Limiting Conflicts Of Interest Arising From Physician Investment In Specialty Hospitals, 88 Marq. L. Rev. 413 (2004); Andrew B. Wachler, Adrienne Dresevic, and Karen K. Harris, Stark II - Phase II - The Final Voyage, 2004-APR Health L. 1 (2004).

[42] See Andrew B. Wachler, Adrienne Dresevic, and Karen K. Harris, Stark II - Phase II - The Final Voyage, 2004-APR Health L. 1 (2004).

[43] Id.

[44] See 42 C.F.R. § 411.354(c)(2) (2004) (creating three-element definition for indirect compensation arrangements).

[45] See 42 C.F.R. § 411.357(p) (2004) (requiring that arrangement be either in writing or in form of bonafide employment arrangements; that compensation be fair market value of services, provided without any reference to volume of referrals to health service provider; and that arrangement not violate any other law).

[46] See Justin Baxter and Michael C. Baxter, Cause Of Action For Credit Reporting Agency's Reporting Inaccurate Or Incomplete Credit Information, 18 Causes of Action 2d 1 (2004).

[47] 15 U.S.C.A. §§ 1681-1681u (West 2004); See also Baxter supra note 46.

[48] See Baxter, supra note 46.

[49] 15 U.S.C.A. § 1681n (West 2004).

[50] 15 U.S.C.A. § 1681o (West 2004).

[51] See, e.g., Baxter supra note 46 at § 21 (emphasizing importance of "understanding and explaining to the jury the consumer reporting agency's computerized database, which compiles credit information provided by creditors, and other information furnishers and produces the transmitted consumer credit reports to prospective credit grantors").

[52] Id.

[53] On this topic, compare FCRA with the requirements under the HIPAA Security Rule in supra section III.B which creates explicit technological standards and implementation schemes for compliance.

[54] Pub. L. No. 107-56, 115 Stat. 272 (Oct. 26, 2001).

[55] See, e.g., Conservative Voices Against the USA PATRIOT Act, available at (last visited Nov. 4, 2005).

[56] For an overview of the act and a listing of the laws amended, see The USA PATRIOT Act, Electronic Privacy Information Center ("EPIC") (2004), available at (last visited Nov. 4, 2005).

[57] See 50 U.S.C. §§ 1801-1811 (2001).

[58] Patriot Act § 215, codified at 50 U.S.C. § 1861(a)-(b) (2001).

[59] Id.; See also ACLU v. DOJ, 265 F. Supp. 2d 20, 23 (D.D.C. 2003).

[60] See, e.g., 45 C.F.R. § 164.501 (2004) et seq.

[61] An example of the potential reach of section 215 is found in Muslim Community Association of Ann Arbor v. Ashcroft ("MCA"), CA No. 03-72913, filed July 30, 2003 (E.D. Mich.). In MCA, the American Civil Liberties Union ("ACLU") filed a suit against the U.S. Attorney General and the Dept. of Justice on behalf of six plaintiff organizations, alleging that use of section 215 to obtain their records and those of members and clients without either probable cause or disclosure, violated the First, Fourth, and Fifth Amendments of the United States Constitution. This case is currently pending.

[62] See Dana H. Freyer and Benjamin B. Klubes, A Practical Approach To Implementing A Corporate Compliance Program For Smaller Companies, 13 Preventive L. Rep. 33-36 (Winter 1994), reprinted in Practicing Law Institute, Corporate Law and Practice Course Handbook Series, 995 PLI/Corp 487 (1997).

[63] Id. at 489.

[64] See 18 U.S.C.S. app. § 8A1.2, cmt. n.3(k) (2003).

[65] Id.; see also Pamela H. Bucy, Organizational Sentencing Guidelines: The Cart Before The Horse, 71 Wash. U. L.Q. 329 (1993).

[66] Freyer, supra note 62, at 489.

[67] See id. (indicating that "compliance program that is implemented by fiat from the legal department is unlikely to be effective in practice").

[68] Id.

[69] Id.

[70] See 45 C.F.R. §§ 164.530(b), 164.308(a)(5) (2004).

[71] 68 Fed. Reg. 8334, 8350 (2003).

[72] See Gary G. Lynch and Kathleen Salvaty, The SEC's Focus On Financial Reporting And Accounting Issues, Practicing Law Institute, Corporate Law and Practice Course Handbook Series, 1213 PLI/Corp 323, 368 (2000).

[73] Id. at 371.

[74] Id.

[75] See 18 U.S.C.S. app. § 8A1.2, cmt. n.3(k) (2003).

[76] In re Caremark Intl. Inc. Derivative Litig., 698 A.2d 959, 970 (Del. Ch. Ct. 1996).

[77] A precursor to Stark, discussed supra, Section III.A(3).

[78] Caremark, 698 A.2d at 961-62.

[79] Id. at 963-64.

[80] Id. at 964.

[81] Id. at 969-70.

[82] Id. at 970; see also, 18 U.S.C.S. app. § 8A1.2, cmt. n.3(k) (2003).

[83] See 45 C.F.R. § 164.528(a) (2004).

[84] Id. at § 164.528(b) (emphasis added).

[85] Id.

[86] See Donald C. Langevoort, The Human Nature Of Corporate Boards: Law, Norms, And The Unintended Consequences Of Independence And Accountability, 89 Geo. L.J. 797 (2001).

[87] Id.

[88] FCRA, 15 U.S.C.A. §§ 1681-1681u (2005).

[89] HIPAA, 110 Stat. 1936 (1996).

[90] Patriot Act, 115 Stat. 272 (2001).

[91] In this context it is useful to note that the Federal Government's accountability is not only defined under the Patriot Act but also under other regulations. For instance, the Medicare and Medicaid programs are indeed federal health insurance programs and thus covered entities under HIPAA.

[92] See Report Of The American Bar Association Task Force On Corporate Responsibility, 59 Bus. Law. 145, 161 (2003).

[93] See Randy J. Sutton, Annotation, "Responsible Corporate Officer" Doctrine Or "Responsible Relationship" Of Corporate Officer To Corporate Violation Of Law, 119 A.L.R.5th 205 (2004).

[94] BEC Corp. v. Dep't of Envtl. Prot., 775 A.2d 928 (Conn. 2001).

[95] Conn. Gen. Stat. Ann. § 22a-432 (West 2004).

[96] Id. at 939 (citing § 22a-432) (emphasis added).

[97] Id. (emphasis added).

[98] See Deborah A. DeMott, The Lawyer as Agent, 67 Fordham L. Rev. 301, 321 (1998) (describing the corporate lawyer as the "the Author, the Tout, and the Scrivener").

[99] See Richard Y. Roberts, Commissioner, U.S. Securities and Exchange Commission, The Role of Compliance Personnel - Remarks at the National Regulatory Services 10th Anniversary Investment Adviser and Broker-Dealer Compliance Conference, Paget Parish, Bermuda April 7, 1995, available at (citing lack of immediate tangible benefits as reason for compliance programs' lack of priority in corporate resource allocation, but suggesting that sufficient resources be provided to such programs nevertheless because "public trust and confidence is a critical component of any successful securities market operation").

[100] See Gary G. Lynch and Kathleen Salvaty, The SEC's Focus On Financial Reporting And Accounting Issues, Practicing Law Institute, Corporate Law and Practice Course Handbook Series, 1213 PLI/Corp 323, 368 (2000).

[101] See Kevin Reilly, AMR Research Predicts Compliance Is an $80B Issue, AMR Research, (March 14, 2005), available at (last visited Mar. 18, 2005) (showing breakdown of estimated compliance costs by regulatory standards).

[102] Id.

[103] Id.

[104] See Small Business Regulatory Enforcement Fairness Act of 1996, Pub. L. No. 104-121, 110 Stat. 847 (1996) ("SBREFA"), at § 202(2). Title II of the law is the SBREFA. Pertinently, Congress articulated as a purpose of this act a need "to make Federal regulators more accountable for their enforcement actions by providing small entities with a meaningful opportunity for redress of excessive enforcement activities." § 203(7). SBREFA also requires that Federal agencies that are required to "prepare a final regulatory flexibility analysis under [5 U.S.C.S. § 604 (2005)]" must also "publish one or more guides to assist small entities in complying with the [appropriate] rule," designated as "small entity compliance guides." § 212(a).

[105] See Thomson Memo, Jan. 20, 2003, available at (last visited Mar. 18, 2005).

[106] See id. at 7, n.2.

[107] See Paul McGreal, Legal Risk Assessment After The Amended Sentencing Guidelines: The Challenge For Small Organizations, 23-NOV Corp. Couns. Rev. 153, 180 (2004).

[108] Id.

[109] See 18 U.S.C.S. app. § 8A1.2, cmt. n.3(k) (2003).

[110] § 805(a)(5) of Sarbanes-Oxley is the only reference to the Guidelines, mandating "the United States Sentencing Commission [to] review and amend, as appropriate, the Federal Sentencing Guidelines…to ensure that…the guidelines that apply to organizations…are sufficient to deter and punish organizational criminal misconduct." Id.

[111] Frank O. Bowman III, Drifting Down The Dnieper With Prince Potemkin: Some Skeptical Reflections About The Place Of Compliance Programs In Federal Criminal Sentencing, 39 Wake Forest L. Rev. 671, 674 (2004).

[112] Id. (citations omitted).

[113] Id. Potemkin villages were anecdotal fake settlements constructed by the Russian minister Grigori Aleksandrovich Potemkin to fool Empress Catherine II during her visit to Ukraine and Crimea in 1787. Potemkin, who led the Crimean military campaign, had hollow facades of villages constructed along the desolate banks of the Dnieper river in order to impress the Tsarina with the value of her new conquests, thus enhancing his standing in her eyes. See Potemkin Village, Wikipedia, The Free Encyclopedia, available at (last visited Nov. 4, 2005).

[114] Lori A. Richards, Speech by SEC Staff: The Culture of Compliance, Spring Compliance Conference: National Regulatory Services, Tucson, Arizona (April 23, 2003). At the time of the speech, Lori A. Richards was the Director, Office of Compliance Inspections and Examinations, U.S. Securities and Exchange Commission.

[115] See Scylla and Charybdis, in The Adventures of Ulysses, 20-20 Site, Inc. (2004), (last visited Mar. 18, 2005). Ulysses had been warned by Circe of the two monsters Scylla and Charybdis. Scylla dwelt in a cave high up on the cliff, from where she thrust forth her long necks (she had six heads), and in each mouth seized one of the crew of every vessel passing within reach. Charybdis was a whirlpool into which water gushed in and back out thrice a day, engulfing any vessel coming near the whirlpool when the tide was rushing in. On approaching the haunt of these monsters, Ulysses had to maintain strict vigilance in order to escape the perils of the pair.

[116] Consider a publicly traded credit reporting company which will be affected by both the FCRA and one or more acts amended under Sarbanes‑Oxley. Additionally, consider that this company also has a self-insured health plan for its employees, which would be a covered entity under HIPAA. Finally, if it provides certain credit-related services, it will be further regulated by the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801-6809.

[117] See generally, Thomas W. Joo, Editor, Corporate Governance: Law, Theory, and Policy, 135, 325 Carolina Academic Press (2004).

[118] See, e.g., Compliance Programs of Investment Companies and Investment Advisers, 68 Fed. Reg. 7038, 7041-42 (Feb. 11, 2003). Part II, section C of the rule describes the Chief Compliance Officer, requiring that each entity "appoint a chief compliance officer who is responsible for administering the [entity's] policies and procedures approved by the board under the rule," and who "report directly to the board of directors." Id.

[119] See 17 C.F.R. §205.3 (2004).

[120] See 45 C.F.R. § 164.501 (2004) et seq.

[121] Ashcroft addresses abortion records request, CNN.COM, February 13, 2004, available at (last visited Mar. 18, 2005).

[122] Pub. L. No. 108-105, 117 Stat 1201 (2003).

[123] See Abortion Records, supra note 121.

[124] See Lori A. Richards, Speech by SEC Staff: The Culture of Compliance, Spring Compliance Conference: National Regulatory Services, Tucson, Arizona (April 23, 2003). At the time of the speech, Lori A. Richards was the Director, Office of Compliance Inspections and Examinations, U.S. Securities and Exchange Commission.

[125] See Compliance Awareness discussion, supra section III.B(2).

[126] See, e.g., Mark S. Bergman, Satisfying the SEC, The European Lawyer, Nov., 2004, at 67, available at (last visited Mar. 18, 2005) (summarizing "what [European] in-house counsel need to know about dealing with the American regulator"); see also, Julie Connelly, Dissenting Directors: Should You Shut Up, Quit, or Fight?, Corporate Board Member Magazine, September 2002, available at (last visited March 18, 2005) (indicating that board members who gain a reputation as naysayers might find it hard to be selected for other boards). This same fate could befall the CCO, except she often does not have the option of "shutting up." Id.

[127] See Compliance Programs of Investment Companies and Investment Advisers, 68 Fed. Reg. 7038, 7041-42 (Feb. 11, 2003).

[128] See Paul McGreal, Legal Risk Assessment After The Amended Sentencing Guidelines: The Challenge For Small Organizations, 23-NOV Corp. Couns. Rev. 153, 181-82 (2004) (emphasis added).

[129] See Publication of the OIG Compliance Program Guidance for Nursing Facilities, 65 Fed. Reg. 14,289, 14,291-92 (Mar. 16, 2000) (recommending that health care organizations implement compliance elements that closely parallel Sentencing Guidelines).

[130] Id. at 14,292 (citing nursing home industry as an example).

[131] See 31 U.S.C.A. § 5318(h)(2) (West 2001); see also, McGreal, supra note 107, at 183 (listing various industry-specific rules drafted by DOT pursuant to the Patriot Act).

[132] See 18 U.S.C.A. app. § 8C2.5 (West 2005).

[133] 18 U.S.C.A. § 8C2.5(a) (West 2005).

[134] 18 U.S.C.A. § 8C2.5(f)(1) (West 2005).

[135] See generally, Richard S. Gruner, General Counsel in an Era of Compliance Programs and Corporate Self-Policing, 46 Emory L.J. 1113 (1997).

[136] See Businesses Overlook Benefits of Compliance, PR Newswire Inc., Feb. 8, 2005, available at (last visited Mar. 18, 2005) (quoting John Taylor, Managing Director, Cartesis UK).

[137] See Open Compliance and Ethics Group Home Page, available at (last visited Mar. 18, 2005).

[138] See generally Foundation Guidelines "Brown Book": Public Exposure Draft, OCEG (2004), available at (last visited Mar. 18, 2005) (also on file with author).

[139] See Framework Overview, OCEG (2004), available at (last visited Mar. 18, 2005); see also OCEG Brown Book, supra note 138, at B-18.

[140] Id.

[141] See OCEG Brown Book, supra note 138, at A-2 (listing Advisory Board and Steering Committee).

[142] See Businesses Overlook Benefits of Compliance, PR Newswire Inc., Feb. 8, 2005, available at (last visited Mar. 18, 2005).

[143] Id.

[144] See Foundation Guidelines "Brown Book": Public Exposure Draft, OCEG (2004), available at (last visited Mar. 18, 2005).

[145] See Lori A. Richards, Speech by SEC Staff: The Culture of Compliance, Spring Compliance Conference: National Regulatory Services, Tucson, Arizona (April 23, 2003). At the time of the speech, Lori A. Richards was the Director, Office of Compliance Inspections and Examinations, U.S. Securities and Exchange Commission.

[146] See Frank O. Bowman III, Drifting Down The Dnieper With Prince Potemkin: Some Skeptical Reflections About The Place Of Compliance Programs In Federal Criminal Sentencing, 39 Wake Forest L. Rev. 671, 674 (2004).