I. Introduction: The Origins of Corporate Compliance Programs

"A wise person once said that the test of a truly moral person, is whether he does the right thing when no one is looking. Certainly, the test for all firms is whether they maintain and each day, reinforce, a culture of compliance - which includes a culture of doing not only what is within the strict parameters of the law, but also what is right - whether or not a regulator or anyone else is looking. This culture underpins your business and the decisions and choices that you make every day, about small and not so small issues.… It is critical that firms establish a strong culture of compliance that guides and reinforces employees as they make decisions and choices each day."[1]

A corporate compliance program is "a system which is designed to detect and prevent violations of law by the agents, employees, officers and directors of a business."[2] Modern corporate compliance programs can be traced back to the landmark In re Caremark International Inc. Derivative Litigation decision.[3] In Caremark, the Court held that directors may be liable for losses resulting from the corporation's failure to comply with applicable legal standards.[4] Thus, the Caremark decision created a significant impetus to corporate directors for ensuring compliance with applicable laws. However, the real growth in corporate compliance programs has been a more recent phenomenon arising out of two other major changes in law: the passage of the Sarbanes-Oxley Act[5] and the associated amendments to Federal Sentencing Guidelines.[6]

To grasp the significance of these changes, one need only consider the typical view of the compliance horizon from the governance helm of the corporate ship. The sails of corporate operations are beset with numerous regulatory hazards. These hazards may include insufficient internal controls in a publicly traded corporation,[7] inappropriate disclosure of confidential information,[8] conflicts of interest in hiring and referral practices,[9] and proper reporting of consumer credit.[10]

Recent changes in laws have created corporate accountability to various interested constituencies. As a result, many corporate entities have turned with renewed vigor to compliance programs as a preventative measure. [11] Even industries not directly affected by specific governance rules have established such programs based upon regimes existing in the corporate realm, and modified by the addition of other norms of organizational conduct, particularly ethics.[12]

Section II of this article focuses on the basics of compliance programs, with overviews of the role of the Chief Compliance Officer ("CCO"), and the effect of regulations on corporate operations. Part A of Section III describes some illustrative provisions of federal and state laws. Next, part B fleshes out some discernable regulatory themes in the modern business entity while part C identifies important and associated compliance challenges, including general skepticism about these programs.

Section IV expands on a reprise of the basic premise of this discussion - successful compliance as corporate culture. Part A enumerates the multifaceted role of the CCO, with an eye towards the regulatory themes introduced in Section III. This is followed by a statement of the benefits of compliance programs in Part B. Part C ends with some comments on the integration of ethical principles into the corporate compliance culture.

II. The Corporate Compliance Program

By the very terms of her title, the CCO is the overseer of a corporate compliance program. Therefore, to understand her role, it is also necessary to understand the nature of a compliance program in the modern corporation. The important drivers of such a program establish the objectives that the CCO position is conceptually designed to fulfill.

A. The Corporate Compliance Officer

Although the theoretical framework of regulatory compliance emphasizes a corporate compliance "program," leading regulators have pointed out the need for single points of authority, such as a CCO who is responsible for overseeing the program. Commissioner Roberts of the U.S. Securities and Exchanges Commission ("SEC") stated that such programs can only be effective when organized under the leadership of a CCO.[13] The Commissioner emphasized the importance of the CCO role because she is the "first line of defense against fraud and sales practice abuse, and [she] can serve [her] employer well by serving the public well."[14]

The Commissioner's slate of key requirements for a compliance program places the CCO in a central role and provides her with certain basic "weapons in her arsenal."[15] First, a CCO must have authority to remedy inappropriate conduct with ability to sanction.[16] Second, there should be strong procedures in place for monitoring activities of employees and a commitment to enforce them.[17] Finally, the program must be provided with the necessary resources to be effective, even if it is unlikely to have an immediate tangible benefit to an organization.[18] Furthermore, the overall scheme should emphasize vigilance in monitoring for questionable conduct and taking early action so as to minimize the harm done.[19]

B. Compliance and the Regulated Environment

The emphasis of the compliance program is squarely on employee conduct and the prevention and mitigation of the attendant harms of unlawful conduct. The CCO should steer the program in such a way that appropriate conduct becomes the norm rather than the direct result of constant enforcement. Indeed, the typical complex corporate environment may make it difficult, if not impossible for her to enforce legally required conduct daily. Hence, education throughout the firm should be a hallmark feature of any compliance program in a regulated environment.[20]

Additionally, the duties created by regulatory standards will often mirror the underlying rights created for the intended beneficiaries who may be neither shareholders nor firm employees of the firm.[21] Not surprisingly, these beneficiaries are often the clients of the regulated entity. Hence, a program that maintains focus on the beneficiaries as well as the day-to-day business processes is integral to successful compliance. Due to the complexity and detail of this task, there is inevitable skepticism as to whether a compliance program can successfully address these issues. However, a successful CCO can, in fact, overcome such skepticism and run a successful compliance program. Furthermore, she can turn what is generally conceived of as a corporate expense, into a corporate investment.

III. Regulatory Obligations of Corporate and Other Entities

It is useful to understand the diverse regulatory regimes that a CCO might be faced with. These regimes create various obligations that a corporate entity must meet. Often the obligations intersect or overlap, and sometimes they conflict with each other. The CCO's role is to successfully navigate the corporate ship through these troubled waters, fulfill the obligations, and resolve conflicts along the way.

A. Examples of Regulations

The required standards of conduct and care to be established and enforced can only be determined by examining the appropriate laws that govern the particular entity. A review of a representative sample of these laws follows below.[22]

(1) Fiduciary Duties: Sarbanes-Oxley

Scholars view Sarbanes-Oxley as heightening corporate governance duties aimed at curbing unlawful fiduciary behavior in response to the collapse of Enron.[23] However, members of the SEC have unofficially indicated that there is a greater underlying need to restore investor confidence in a stock market shaken by accounting scandals.[24] Sarbanes-Oxley is an example of governance regulation that not only creates direct management fiduciary duties, but also indirectly advances other federal policy objectives.

The SEC regulations developed under Section 404 of Sarbanes-Oxley are particularly illustrative of boosting investor confidence.[25] These rules require a corporation to include in its annual filing a statement of conclusions "about the effectiveness of the [the corporation's] disclosure controls and procedures…based on [management's] evaluation of these controls and procedures," as well as "significant changes in internal controls or in other factors that could significantly affect these controls."[26] In a press release prior to the issuance of the rule, the SEC indicated that these rules required: an annual internal control report containing statements of management's responsibility for establishing and maintaining adequate internal controls; identification of evaluation methods to measure the effectiveness of the rules; assessment of the results at the end of the company's most recent fiscal year; and auditor attestation of the results.[27]

In effect, management must design, implement, and validate effective internal controls that ensure the integrity of the annual report's content. Ultimately, the SEC emphasizes effectiveness of controls, which in turn will depend on how well the controls were designed. Corporations have taken a risk management approach to Section 404 compliance in order to minimize the risk of paying significant penalties for violations of SEC rules.[28]

(2) Private Rights: HIPAA

In the health care field, the Health Insurance Portability and Accountability Act of 1996 established specific rights of patients in regards to health information and gives a broad grant of authority to the Department of Health and Human Services ("HHS") to undertake the necessary rulemaking.[29] Accordingly, HHS has published rules to ensure the privacy[30] and the security[31] of Protected Health Information ("PHI").[32]

The HHS rules create distinct, yet overlapping attendant obligations and duties for the covered entities. For instance, the Privacy Rule requires that a covered entity "designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity."[33] Similarly, the Security Rule mandates that a covered entity "[i]dentify the security official who is responsible for the development and implementation of the [required] policies and procedures."[34] While in many respects, the rights and obligations under the two sets of rules mirror each other,[35] the organizational positioning of either or both roles could vary, and they could have different reporting structures, based on the firm size.[36] Coordinating the activities of these roles is thus a compliance function that is critical in the context of these rules.

(3) Conflict of Interest: Stark

The Stark Law was passed in two phases to address the inherent conflict of interest in physician self-referrals.[37] Stark I barred self-referrals for clinical laboratory services under the Medicare program.[38] Stark II expanded the restrictions to a range of health services and applied them to both the Medicare and Medicaid programs.[39] Pursuant to the law, the Center for Medicare and Medicaid Services ("CMS")[40] developed multi-phased rules.[41] The consequences of non-compliance include denial of claims, civil monetary penalties, and exclusion from the Medicare program.[42]

The CMS rules also provide a two-step process for determining an exception for certain "indirect compensation arrangements" that would not trigger the penalties.[43] The first step involves identifying whether the relationship between the referred physician and the health service provider is an "indirect compensation arrangement" as defined in the rule.[44] The second step is the substantive criterion for determining if such an arrangement qualifies for the exception.[45]

Hospitals routinely enter into employment and other compensation arrangements with physicians. The Stark exception is vital to the continuance of such arrangements, but prone to abuse with regard to the second step. Most importantly, scrutiny of physician agreements for potential Stark issues becomes an area of active monitoring by health care compliance programs.

(4) Statutory Assurances to Constituencies: Fair Credit Reporting Act

The meteoric increase in the number of credit transactions, accompanied by the significant automation in the collection, retention, compilation, and dissemination of credit information (collectively "credit reporting"), greatly increases the likelihood of inaccurate and incomplete credit information reported, often with life-shattering consequences for the consumer.[46] In response to these concerns, the Fair Credit Reporting Act ("FCRA") makes available to consumers several causes of action against credit reporting agencies where such inaccuracies occur as a result of the willful or negligent actions of a credit reporting agency.[47] The law also specifies certain defenses for reporting agencies.[48] The consequences of non-compliance are in the form of remedies available to the consumer. Specifically, willful non-compliance results in liability to the consumer for actual damages or a minimum range of statutory damages, punitive damages, and attorney fees.[49] For negligent non-compliance, liability exists for actual damages and attorney fees only.[50]

The reporting agency's computerized databases and their interaction with various systems that participate in automated credit reporting are of immense significance under the FCRA.[51] As a matter of risk management, the procurement of appropriate computer database systems for credit reporting becomes a critical element of compliance under the FCRA.[52] The evidentiary importance of such systems aside, FCRA is an example of law that implicitly creates the need for internal technological standards as well as external statutory standards that fall within the ambit of a compliance program.[53]

(5) Conflicts in Statutory Rights: USA PATRIOT Act

Enacted in the aftermath of September 11th , the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act ("Patriot Act"),[54] has generated widespread bipartisan controversy because it allegedly offends basic civil liberties under the First, Fourth, and Fifth Amendments to the United States Constitution.[55] Furthermore, the Patriot Act amends several existing Federal laws.[56] The Foreign Intelligence Surveillance Act ("FISA") is an illuminating example.[57] One of the most controversial provisions of this amendment is the expansion of FISA's common carrier records provision. This provision now authorizes the Federal Bureau of Investigation ("FBI") to seek an order for the production of "any tangible things (including books, records, papers, documents, or other items)," rather than just records, from any entity, not just common carriers.[58] The amendment also removes the need for the previously required "specific and articulable facts giving reason to believe that the person…is a foreign power or an agent of a foreign power."[59]

Additionally, the Patriot Act creates significant tension with existing laws that provide statutory privacy rights to specific classes of beneficiaries.[60] Owing to the importance of the production orders under Section 215, compliance with the Patriot Act in the context of these rights can be one of the most significant challenges to a modern compliance program.[61] Until the courts rule on the constitutionality of these provisions, compliance may indeed require disclosure of information that might arguably be protected under other laws.

B. Common Regulatory Themes

Although part A is a greatly abbreviated sampling of regulatory schemes, a complex web of laws emerges from them and the interrelationships of these laws will govern the basics of permissible employee behavior and firm activities. There are a few themes of importance that are conspicuous both directly in the regulations and in the industry response. The remainder of this subsection identifies some of these regulatory themes and examines their relevance to a corporate compliance program.

(1) Risk Management

As a practical matter, compliance programs are not self-standing concepts, but risk management mechanisms.[62] A well structured compliance program can prevent violations and misconduct from occurring in the first place.[63] This approach manages the risk associated with conduct by reducing the ongoing costs arising out of the handling of charges and claims or the efforts to mitigate any harm that might result from non-compliant conduct.

This approach to compliance comports with both the 1991 Organizational Sentencing Guidelines as well as the amendments thereto under Sarbanes-Oxley.[64] The guidelines generally allow convicted organizations to substantially reduce penalties by showing corporate good conduct.[65] It is believed that a well designed compliance program would "prevent and detect violations of law" and also assist in a showing of compliant conduct in those situations where a violation does indeed occur.[66]

(2) Compliance Awareness

The companion approach to risk management consists of generating corporate awareness of both the risks of non-compliance and what constitutes risk-avoiding conduct. For a compliance program to be successful, the workforce must know what to avoid. This awareness should not come merely from the legal department but from top management.[67] To the rank and file, the voice of management will be a more authoritative statement of the commitments of the firm.[68] It will also help to make compliance a part of the daily processes and help to foster teamwork and cooperation between legal and operational functions of the firm.[69]

Awareness can only be as effective as the message used, which means that proper education and training is vital. Furthermore, the importance of education and training programs in compliance awareness is often reflected in the laws itself. For example, both the Privacy and the Security Rules under HIPAA require that, as of the effective dates of the rules and as an ongoing effort, a covered entity provide education and training to its staff at various levels.[70] Specifically, in the preamble to the Security Rule, HHS explains that security awareness training "is a critical activity, regardless of an organization's size. This feature would typically become part of an entity's overall training program."[71]

In recent years, the SEC, in its expanding regulatory role, has echoed this theme of educational awareness. On January 14, 1999, the SEC issued an order instituting proceedings and an order against PricewaterhouseCoopers L.L.P. ("PwC"), alleging "improper professional conduct."[72] As a part of this action, the SEC ordered several policies and procedures to be implemented within 180 days of the order, with independent consultant review within 210 days of the order.[73] But most notably, the SEC ordered professional education and training for all PwC partners and professionals regarding independence from financial interests in accounting firms.[74]

(3) Disclosure and Reporting

As the Federal Sentencing Guidelines indicated, there is a significant emphasis on openness and availability of information.[75] Much of this emphasis stems from the Caremark decision which established that corporate directors can be held personally liable for a corporation's wrongdoing, and that absence of an effective corporate compliance program may be used to prove such liability.[76]

Caremark was a managed-care healthcare provider that received substantial revenues from Medicare and Medicaid reimbursements, subject to the Anti-Referral Payments Law ("ARPL"),[77] which prohibits healthcare companies from making payments to doctors in exchange for Medicare and Medicaid patient referrals. In 1991, the Inspector General for the Department of Health and Human Services began investigating Caremark for possible ARPL violations because Caremark physician contracts indicated payment to doctors for monitoring patients under Caremark's care, including Medicare and Medicaid patients, in return for some referrals to Caremark.[78] Despite remedial efforts by Caremark, a federal grand jury indicted Caremark, two of its officers, and two other employees, accusing them of violating the ARPL.[79] The derivative suit followed shortly thereafter, alleging the directors' breach of their fiduciary duty of care for insufficient supervision of employee conduct and insufficient corrective measures. This suit exposed Caremark to substantial liabilities.[80] Importantly, the Delaware Chancery Court found that a modern corporate board must ensure that management establishes appropriate information and reporting systems.[81] The court cited the potential impact of the U.S. Sentencing Guidelines for Organizations and their mitigation factors, finding it to be irrational for a company to fail to take the Guidelines into account in responsibly governing an organization.[82]

The Caremark decision unequivocally established proper information reporting and disclosure as a fundamental ingredient of corporate governance. Recent regulations in other areas have explicitly extended such disclosure requirements outside the public corporation context and to constituencies other than shareholders. For instance, the Privacy Rule in HIPAA gives the patient a right to an accounting of certain disclosures of PHI by a covered entity.[83] The accounting must include "disclosures of [PHI] that occurred during the six years [or less] prior to the date of the request for an accounting."[84] In addition, each item of accounting must also include:

(i) The date of the disclosure; (ii) The name [and, if known, the address] of the entity or person who received the [PHI]…; (iii) A brief description of the [PHI] disclosed; and (iv) A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such statement, a copy of a written request for a disclosure."[85]

(4) Accountability

Accountability has served as a traditional basis for compliance programs. Even the public corporation boards are indirectly accountable to shareholders. Professor Langevoort writes that "the dominant view in corporate governance theory today is that heavy emphasis on teamwork and conflict-avoidance marks a board that has been captured by its CEO" acting largely as "an elite private club with a rubber stamp."[86] Most regulatory lobbying and scholarly work has urged the replacement of such boards with boards that monitor with "independence, skepticism, and a rigorous loyalty to shareholder interests."[87]

Accountability in other regulations extend to other constituencies, ranging from consumers,[88] to patients,[89] and perhaps to the citizens of the United States.[90] The mantle of responsibility falls on credit reporters, health care providers, insurance plans, clearinghouses, and ultimately on the Federal Government itself.[91] Accountability stems from corporate responsibility to the various constituencies. In the context of independent directors in a public company setting, Langevoort further urges, that "[t]he Model Business Corporation Act and the [law] should more clearly delineate the oversight responsibility of directors generally, and the unique role that independent directors play in discharging that responsibility."[92]

The courts have also broadly applied the element of responsibility or duty for senior management in various contexts under the "responsible corporate officer doctrine."[93] In BEC Corp. v. Dep't. Of Envtl. Prot., the corporation and its officers sought review of a decision of the Connecticut Department of Environmental Protection ("DEP") upholding an abatement order pertaining to a property owned and used by BEC for an oil storage and distribution business with a history of oil spills.[94] The Connecticut Supreme Court, interpreting the state Water Pollution Control Act ("WPCA"),[95] held that while a corporate officer's personal liability is not automatic by virtue of having supervisory authority over employee actions, such liability may nevertheless attach if the officer's actions or inactions lead to conditions that "reasonably can be expected to create a source" of the regulatory violation.[96] The court also explicitly relied on "the broad remedial purpose of [the WPCA], which is to protect the waters of the state from pollution" and found that the Connecticut legislature intended that the WPCA "enable [DEP]…to impose liability on all those who, in some way, have responsibility towards the land."[97]

(5) Corporate Gatekeeping

The preceding discussion emphasizes that the task of staying clear of the potential violations of regulations requires careful evaluation of the business operations in the context of the laws, their intended goals, and the attendant liabilities arising from violations. This task is therefore the central legal component of a successful compliance program, and in some cases perhaps its exclusive realm. It also creates the specter of a prior approval of all corporate conduct. However, this gatekeeping function comes with its attendant challenges, principally because compliance personnel must take on the multiple roles of being not only agents of the corporation, but also its lawyers, bookkeepers, educators, and ethicists as well.[98]

C. Common Compliance Challenges

Before discussing the role of the CCO, it is useful to enumerate some practical challenges that she and the compliance program are likely to face in the context of the different regulatory themes discussed above.

(1) Costs

One daunting obstacle is the cost of maintaining a compliance program. Depending on the size of the firm, such a program may require substantial resources, particularly because of the requirements for education and training. The expense obstacle is even more unpalatable in light of the indirect, and often inherently intangible, nature of the benefits of a compliance program.[99]

The cost of a corporate compliance program is not insignificant. Lynch and Salvaty reported that the education and training requirement of the PwC settlement agreement resulted in PwC creating a $2.5 million fund to be used for educating the management.[100] The dramatic nature of the SEC's enforcement is evidence of its willingness to take action against accounting firms when it perceives an independence problem regardless of any actual material compromise of the result of a client firm's audit. This position by a federal agency greatly heightens the economic bar for corrective compliance actions designed to monitor and discourage such activity from inside the firm.

The operating cost of a compliance program is likely to be similarly significant. One study predicts that in the next five years national compliance costs will reach the $80 billion mark, with organizations spending $15.5 billion on compliance related activities in 2005.[101] Only 35% of companies surveyed had compliance specific budgets.[102] Almost two-thirds of these companies had to use funding from other areas to fund compliance projects.[103] The study also estimates that more companies will have compliance specific budgets in the future.

The economic toll taken by compliance can be particularly heavy on small businesses, which prompted the passage of the Small Business Regulatory Enforcement Fairness Act of 1996 ("SBREFA"). Congress found that "small businesses bear a disproportionate share of regulatory costs and burdens."[104] However, it is unclear whether SBREFA will translate to a tangible improvement in the compliance costs of small business. Ultimately compliance is likely to continue to remain a significant financial challenge to most firms.

(2) Monitoring and Assessment

Proper monitoring and assessment is another continual challenge for any compliance program. Former Deputy Attorney General, Larry D. Thompson's Memorandum to Heads of Department Components and United States Attorneys 3 ("Thompson Memo") is illustrative of this challenge.[105] The Thompson Memo directs United States Attorneys to consider the presence of an effective compliance program when deciding whether to take action against an organization. The memo refers to the organizational sentencing guidelines as criteria for evaluating the effectiveness of such a program.[106]

However, while the Thompson Memo influences the Sentencing Guidelines in federal charging and plea decisions, it provides little guidance on how a compliance program should assess and manage the corporate risk with regard to regulatory violations.[107] Finally, while the Sentencing Guidelines have greatly influenced the shape of modern compliance programs, in the absence of a good evaluation standard, the ongoing monitoring for compliance suffers from the same uncertainties as the risk assessment itself.[108] Thus in the complex operations of the modern firm, a predefined set of metrics for measuring efficacy becomes a significant compliance challenge. Without such metrics, continual monitoring of the compliance of day-to-day activities may become an all consuming and unproductive task.

(3) Inertia and Indifference: Skepticism

Perhaps the most significant barrier to the compliance program is the sheer inertia of current corporate and regulatory practices. Professor Bowman points out that although Caremark introduced the application of the Federal Sentencing Guidelines in measuring liability of management wrongdoing,[109] Sarbanes-Oxley has remained remarkably silent on sentencing.[110] He further explains that while the Sentencing Guidelines as applied to individuals are the subject of much debate, this is not the case with organizational sentencing guidelines.[111] In his view, the difference is partially due to the fact that in the very rare instances when corporations suffer criminal convictions and sentences there is "no soul to be damned, and no body to be kicked."[112]

Therefore, there is an apparent disjoint in the standards of culpability as between the firm and its officers, which results in a very practical problem of distinguishing to management the conceptual difference between actions attributable to the firm and those imputed to the officers. This disjoint can create indifference towards the program which leads to much skepticism, both internally and externally, about the efficacy of compliance programs. For example, Professor Bowman's prosecutorial view compares compliance programs to "legal Potemkin villages," and doubts whether the compliance "[scurry]…on the riverbank…[moves] either the barons or the serfs of corporate life to commit less crime."[113] Such skepticism is likely to remain an ominous cloud in the compliance horizon, and overcoming, it is an ongoing challenge.

IV. The Voice of Reason: The Successful Compliance Officer

"The culture of compliance is not a new concept. Hopefully, everyone here is familiar with the idea. For years, you've been told you need one. We at the SEC have been emphasizing that firms need to create a culture of compliance for many years. You've heard it from Chairmen, from Commissioners, and from the staff, and certainly you've heard it from me. If you've been listening, you know it's not enough to have policies. It's not enough to have procedures. It's not enough to have good intentions. All of these can help. But to be successful, compliance must be an embedded part of your firm's culture."[114]

The preceding discussion makes it abundantly clear that the helm of the compliance ship can be a precarious place. Even with her hands placed firmly on the tiller, the CCO will have a significant challenge in steering the corporate ship safely through the troubled enforcement waters, while avoiding the regulatory Scylla and Charybdis.[115] There will always be a danger of obstructing the corporate sails of production with excessively aggressive steering of the compliance helm. It is proposed here that the challenges can indeed be met, and the skepticism overcome, for successful navigation of the corporate ship. If the CCO's voice is one of reason, rather than of prohibition, she will win the cooperation from all hands of her crew in all facets of her job. It is therefore worthwhile to determine what the function of the CCO should be in the context of her various roles, as required by the different regulatory themes discussed above.

A. More Than a Lawyer: Her Many Faces

At the onset, it is apparent that a firm will rarely need to comply with just one set of regulations, or be governed by just one act of law. In practice, each of the regulations discussed here (which are but a very small sample) cut across multiple organizations so that any firm will have to comply with many rules and regulations.[116] This requires the successful CCO to wear many hats during the course of her tenure in any firm.

(1) The Fiduciary

The direct impact of Sarbanes-Oxley on lawyers as a community has generated much literature.[117] Corporate fiduciary duties originated with respect to the duties of the board towards the corporation to counter the agency costs associated with the separation of ownership and management. The CCO and other firm employees are not board members, and therefore not wholly within the scope of the traditional fiduciary duties to shareholders. However, it is arguably impossible to have a successful compliance program without incorporating principles of fiduciary duties because regulatory obligations ultimately exist to inure to the benefit of the firms various constituencies, including public shareholders and customers.

As a result, even though the firm is both her employer and her client, the CCO nevertheless must also walk in the shoes of the traditional firm fiduciaries, while simultaneously maintaining her independence from their influence. Indeed, most CCOs are required to have direct reporting authority to the board, often bypassing the CEO in situations of conflict or disagreement.[118] More strikingly, in keeping with this spirit of independence and disclosure, SEC rules promulgated under Sarbanes-Oxley would expressly allow her, in certain situations, to approach the SEC directly even in the absence of the firm's consent, thereby immunizing her from the risk of violating her client's confidences.[119]

(2) The Protector of Rights and Interests

The fulfillment of obligations to constituencies other than shareholders is successfully monitored only when such monitoring extends to and, if necessary, restricts firm activities that are within the scope of the obligations. For example, it is the CCO of a health care organization, rather than its board or its managers, that may need to be the final arbitrator in situations where a disclosure of PHI[120] is imminent, but the legality of the stated purpose is not clear. For example, in 2004, the U.S. Attorney General demanded medical records from several hospitals.[121] These records documented certain late-term abortions performed by doctors who had allegedly joined in a legal challenge of the disputed Partial-Birth Abortion Ban Act.[122] The hospitals successfully challenged the subpoenas in courts.[123] Ironically, decisions to challenge such subpoenas question the bases of certain regulatory efforts. This example demonstrates that the CCO may have to make a decision to actively resist compliance with one set of rules, in order to protect the statutory rights and interests of corporate constituencies under another.

(3) The Educator

Although the traditional role of corporate counsel may not necessarily include education, the role of CCO certainly should. As discussed below, a fundamental goal of a compliance program is to create a culture of compliance.[124] However, the culture may only be formed if the employees are aware of what needs to be done during day-to-day operations.[125] The employees must also receive this information in a form that they can comprehend, and not merely as a recitation of the typically incomprehensible regulatory text. The CCO and her staff must, therefore, work closely with education and training programs to deliver the required message to the rank and file, management, and the board.

(4) The Business Process Advisor

Ultimately, the CCO must operate the compliance program not only as an insider but also as an outsider looking in. Unfortunately, the internal regulator, which the CCO is by virtue of her role, is often viewed by the firm as the traditional naysayer and as an obstructionist by both the firm and the regulators.[126] A significant problem with this perception is perhaps the fact that it is often true - the CCO is by necessity a naysayer, particularly in firms where compliance is not the culture.

It is therefore important for the CCO to present herself as a solution provider and a facilitator that can achieve the firm's production goals while simultaneously avoiding the regulatory risks. However, in order to achieve these goals, she needs to thoroughly understand both the current business processes of the firm, and how to replace a current process that is in technical violation of a law. Ultimately, the successful CCO will be one who can help keep the firm legally operational and profitable, while working in conjunction with all the process managers.

B. Benefits of a Successful Compliance Program: Creating a Culture of Compliance

A compliance program can reduce the risk of legal violations and lower the level of regulatory scrutiny. The SEC has indicated that it will focus its limited enforcement resources on higher-risk firms.[127] This approach is likely to be shared by other federal agencies charged with enforcing various regulations because all agencies are resource constrained. Therefore, while a successful compliance program helps to prevent legal violations and to mitigate punishment in case of violations, it could also potentially reduce the frequency and level of regulatory investigations and governmental audits.[128]

A compliance program can also be beneficial to the firm by using available regulatory guidance, which is frequently tailored specifically for such programs. For example, the Office of the Inspector General (OIG) for the HHS routinely issues compliance guidance to the health care industry, including nursing homes, hospices, emergency rooms, ambulance providers, and hospitals. The guidance documents provide suggestions on how they might be adapted to a specific industry, based on the Federal Sentencing Guidelines.[129] Furthermore, the OIG explicitly incorporates risk assessment into its guidance.[130] The Patriot Act is a second example, and one that requires a compliance program. It delegates to the Department of the Treasury ("DOT") the task of writing regulations that "prescribe minimum standards for programs established under" the statute.[131]

A more direct benefit of a compliance program can be realized under the Federal Sentencing Guidelines' formula for calculating culpability.[132] For any violation, the culpability starts with a score of 5.[133] However, the rule provides that if the violation occurred "even though the organization had in place at the time of the [violation] an effective compliance and ethics program…[the corporate defendant can] subtract 3 points" from the culpability score.[134] Compliance programs have additional quantifiable, though not readily apparent, benefits. These would include meeting the expectations of and improving relationships with customers, shareholders, the community, and the regulators; facilitating easier financing of business transactions and reducing liability insurance costs through compliance documentation; and regularly compiling information necessary for various regulatory filings.[135]

Finally, as one commentator believes, a good compliance program results in "sound business decisions, confidence in reporting to stakeholders," and ultimately a more "insightful, controlled, and trustworthy view of [the firm's] performance."[136] It thus provides an opportunity for the firm to turn a burden into a competitive advantage. This implies, as a practical matter, that compliance is not merely about following the rules and avoiding violations and penalties. Instead, the firm can choose its mode of operations and general corporate conduct. In this context, the perceived hardships of compliance are best overcome and the anticipated benefits are best reaped if the firm observes compliance as a matter of practice, such that the entire culture of the firm - the board, the management, and the rank and file - is one that incorporates compliant conduct.

C. Corporate Culture Redux: Some Final Thoughts on Ethics

The Open Compliance and Ethics Group ("OCEG") was formed in December 2002 as "a multi-industry, multi-disciplinary coalition [of business leaders seeking] to integrate the principles of effective governance, compliance, risk management and integrity into [corporate culture]."[137] In its Public Exposure Draft, the OCEG set forth that the "boundary-setting" essence of corporate governance:

· Defines and evaluates performance against objectives;

· Authorizes and oversees the business architecture that will be employed to meet the objectives;

· Identifies and oversees compliance with mandated boundaries;

· Defines and oversees compliance with selected or discretionary boundaries; and

· Defines and oversees compliance with social, ethical and other obligations.[138]

The OCEG created a framework for compliance that suggests that identification of ethical factors is an important additional component of the regulatory compliance programs.[139] More importantly, the functional goal of the framework is to help firms meet minimum legal requirements and reduce compliance costs while also providing guidance and direction on exceeding the minimum requirements so that compliance spending becomes a business investment that boosts performance.[140] Given the tenor of corporate representation in the OCEG,[141] it would appear that a significant and influential segment of corporate America is of the opinion that ethics are indeed an important and realistic conduit for bringing compliance into American corporate culture.

The OCEG advises that the first step in the framework is identifying factors related to ethics, entity values, and integrity, including an assessment of the firm's own value statement.[142] The belief is that identifying the ethical drivers behind laws can provide support and detail for such value statements.[143] This view arguably places ethical factors and related events in the same orbit of importance as legal mandates and internal controls. Indeed, as explained previously, legal mandates may be unclear or conflicting, and internal controls may be informal or weak.

Inherent in this logic is an important lesson for understanding compliance as a corporate culture; when employees understand the "why" behind legal factors, they are more likely to be willing and able to align their conduct when faced with "questionable" issues where regulatory violations are likely to occur.[144] The employees are likely to comply even when the regulators are not necessarily looking.[145] In such a state of things, the CCO will be better able to run a successful and ultimately beneficial compliance program by virtue of the compliant conduct of firm members, instead of by legal fiat.

V. Conclusions

Tracing corporate compliance programs from their origins to their current incarnation in the post-Enron corporate America reveals that the CCO was and still is an important internal regulatory presence. Modern regulatory regimes impose several duties on the compliance program and the CCO. They include fiduciary duties, duties to other constituencies introduced by statutory individual rights, avoidance of conflicts of interest, assurances to clients and customers, and even post September 11th homeland security.

The duties introduce the recurring themes of treating compliance as a risk management effort, with the goal of avoiding the punitive consequences of regulatory violations. Of course, the CCO is now tasked with ensuring that firm employees are aware of what would be considered appropriate conduct. Moreover, in light of the Caremark decision, such awareness must be presented across the workforce, accompanied by confident, accurate, and truthful disclosure, and reporting of firm activity to various Federal regulatory bodies. These principles emphasize management accountability. They also implicitly require that a CCO be the gatekeeper of firm activity and employee conduct. In the face of these requirements, she has to overcome challenges of compliance costs, corporate resistance and disfavor towards compliance programs, the frequent negative perception of being a naysayer, and general skepticism as she dutifully goes about her task of monitoring and assessment. Also, in attempting to uphold statutory obligations to other constituencies, the CCO sometimes may urge action contrary to a regulation yet to be interpreted. In spite of her best efforts, some shall remain skeptical about her likelihood of achieving the desired spirit of the regulatory goals.

It is proposed here that a CCO is nevertheless an absolutely critical presence in running a successful compliance program; a presence that can, in fact, control the abhorred costs of compliance and ultimately inure to the benefit of the firm's bottom line. She can achieve this compliance utopia by integrating risk management and corporate ethics into the ordinary business practices of the firm and by providing education and training with an understanding of the firm's business processes. The perception of her multifaceted role might then change from being that of an expensive obstructionist to that of a voice of reason. Her voice would serve as an investment to the firm by engraining compliance into the latter's culture, mission, vision, and values, thereby providing the firm with a competitive and reputable advantage.

It is unlikely that the white-collar prison cell will ever be entirely empty. However, although Professor Bowman's regulatory Tsarinas will still see much scurrying about on the banks of the corporate Dneiper, unlike his Potemkin villages, these will tend to be thriving and functional cultures of compliance under their respective CCO's, and not expensive and fanciful illusions constructed merely to impress with appearances.[146]