There is a consensus that compliance is a critical issue in corporate governance. Yet there remains a gaping hole in our understanding of what determines the effectiveness of compliance programs. Specifically, we know relatively little about the role of third-party compliance advisors.
Nowadays, virtually every large law firm or accounting firm sells various “compliance services”: from advising companies on how to design reporting systems to meet evolving regulatory demands, to conducting internal investigations and negotiating with regulators for leniency once wrongdoing has been uncovered. In fact, in the last couple of years the role of outside compliance advisors has expanded beyond legal compliance and into Environmental, Social and Governance (ESG) issues. For example, large companies now regularly hire outside consultants to conduct “racial equity audits” or verify voluntary ESG reporting.
In a new Article, titled “Compliance Gatekeepers” (forthcoming in Yale Journal on Regulation), we highlight the mismatch between the outsized role that these third-party advisors play in corporate compliance, and their lack of accountability for compliance failures. One factor driving the lack of accountability is information problems: it is often hard for outside observers to ascertain who inside the company could have done more to prevent the compliance debacle. Another factor is incentives problems: the top corporate managers who contract with outside compliance gatekeepers have their compensation tied to current stock prices. These managers may not necessarily want gatekeepers to stop the company from making short-term profits by skirting regulations. Nor would managers want gatekeepers to probe diligently after the fact and trace the blame for corporate wrongdoing all the way to the top of the corporate hierarchy.
But in this blog post we want to emphasize the legal factors contributing to lack of accountability. An amalgamation of doctrines sets the bar for lawsuits against compliance gatekeepers high. It is not enough to plead that the gatekeepers failed to exercise due care. Plaintiffs must rather plead with particularity facts indicating bad faith on the part of the gatekeepers. In other words, plaintiffs must show that the gatekeepers knowingly violated their duties. This is true across all potential claims – from securities law, to breach of contracts and professional malpractice, to aiding-and-abetting breaches of fiduciary duties in corporate law.
Consider the securities law hurdles first. On paper, shareholders can file a securities class action in federal courts, on the theory that the gatekeeper failed to ferret out fraudulent disclosures. Yet the 1995 Private Securities Litigation Reform Act has: (1) raised the pleading standard to scienter; (2) stayed discovery until after the motion to dismiss is decided; and (3) replaced the “joint and several liability” principle with “proportionate liability.” As if that was not enough, private lawsuits for aiding and abetting a breach of securities law were eliminated, leaving enforcement of such claims to the resource-constrained SEC Enforcement Division. Following all these changes, plaintiffs largely stopped naming secondary defendants in securities class actions, and not because these gatekeepers have suddenly become better at ferreting out wrongdoing.
Next consider the possibility of the company suing its gatekeepers for breach of contract or professional malpractice. Here there exists an obscure-yet-powerful doctrinal hurdle dubbed “in pari delicto.” The expression practically means that a plaintiff cannot recover damages from another party, if the plaintiff’s losses are at least substantially equally caused by his own misdeeds (that is, by activities the law forbade him to engage in). Corporate law courts have traditionally applied in pari delicto to summarily dismiss shareholders’ derivative actions against outside gatekeepers. The reasoning is that when a company violates the law, the knowledge of company insiders who were involved in the violations is imputed to the company. Accordingly, when the compliance failure at hand concerns clear illegalities, shareholders are barred from pursuing claims on behalf of the company against its outside compliance gatekeepers.
Applying in pari delicto to immunize compliance gatekeepers is both bad law and bad policy. It is bad law because the concept of imputing knowledge to the company was developed to protect innocent third parties who dealt with the company against wrongdoing by the company’s agents. It is counterintuitive to apply the same concept to bar lawsuits against gatekeepers that the company hired precisely for the purpose of combatting wrongdoing by its agents. In pari delicto was meant to deny the company a shield against innocent third parties who were wronged by its agents, and not to deny the company a sword against its own agents who wronged it.
Applying in pari delicto to immunize compliance gatekeepers is also bad policy. Basic economic analysis suggests that the criteria for where to place the blame for compliance failures should be who has better ability and incentives to curtail wrongdoing, and who would be most affected by being subject to liability. One cannot assume that public shareholders or independent directors are better positioned than compliance gatekeepers to curtail corporate wrongdoing. In fact, the entire value proposition of the fast-growing compliance consulting business is that the company’s directors and shareholders cannot do this job on their own and need to pay outside gatekeepers handsomely to perform it. Immunizing gatekeepers through in pari delicto would not magically endow public shareholders or independent directors with the ability to effectively monitor misconduct within their large corporations.
Still, in pari delicto is not an absolute bar but rather a relative one. It contains a few exceptions, including “the fiduciary exception.” In a derivative action on behalf of the corporation, a fiduciary who breached her duties toward the corporation cannot immunize herself via in pari delicto. Allowing otherwise would undermine the entire premise behind derivative actions. Third-party advisors are normally not fiduciaries. Yet Delaware courts have maintained that the fiduciary exception applies also to aiding-and-abetting breaches of fiduciary duties. On paper, this suggests a path for public shareholders to hold compliance gatekeepers accountable, namely, by suing them for aiding-and-abetting breaches of director oversight duties (often dubbed Caremark duties, after Delaware’s leading precedent) on the part of the company’s directors and officers.
But in reality, aiding-and-abetting claims in the Caremark context are virtually impossible to bring. When a deal fails, we often observe aiding-and-abetting claims against third-party financial advisors. But when compliance fails, we rarely observe aiding-and-abetting claims against third-party compliance advisors. This is because the two prongs of each doctrine – Caremark and aiding-and-abetting – do not mesh well together. A plaintiff bringing an aiding-and-abetting claim in corporate law must prove that (1) a fiduciary has breached her duty (a “predicate breach”), and (2) the non-fiduciary defendant knowingly participated in said breach (a “knowing participation”). In our context of compliance failures, this two-pronged requirement translates into having to clear not one but two very high pleading hurdles.
To meet the predicate breach prong in failure-of-oversight claims, showing negligence or even gross negligence on the part of the directors is not enough. The standard in Caremark claims is rather bad faith. Plaintiffs have to show either that the fiduciaries completely failed to install a compliance program that monitors and reports back information to them (“an information systems” claim), or that the fiduciaries installed such a system yet utterly failed to respond to “red flags” that it generated (a “red flags” claim).
An “information systems” claim and a claim of aiding and abetting by compliance advisors usually cannot coexist. The mere fact that the board hired compliance advisors is often indication enough that the board addressed compliance. Accordingly, the aiding-and-abetting claim would probably fall already at the predicate breach stage.
A “red flags” claim and an aiding-and-abetting claim can theoretically coexist. For example, plaintiffs could claim that the outside compliance advisors colluded with top management and withheld critical information from the board, which in turn led to a failure to respond to red flags on the part of the board (in our Article we use the Enron example to illustrate). The problem with litigating such a claim is the mismatch between the high evidentiary bar and the lack of tools to clear it. To bring such claims, a plaintiff must marshal evidence about what directors knew in real time, what outside advisors knew in real time, what outside advisors knew that the directors know in real time, what dialogue and discussion took place between insiders and outsiders, and so on. And she must marshal such evidence already at the pleading stage, without access to discovery. What are her odds of doing that?
Here there is an important distinction between showing bad faith on the part of insiders and showing bad faith on the part of outsiders. The first hurdle remains high, but it has become relatively easier to clear in recent years. There is a new era in director oversight duty litigation, which manifests in two changes. First, courts these days are more willing to apply heightened scrutiny to directors’ compliance efforts. When the compliance failure in question concerns “mission critical” compliance risks, courts are more likely to view absence of proof that the board discussed the issue as a pleading-stage indication that the board breached its duties. Second, courts are also more willing to grant shareholders access to internal company documents to investigate potential failure-of-oversight claims against the board. Advancing a Caremark claim against compliance insiders has therefore become relatively easier.
But advancing an aiding-and-abetting claim against compliance outside advisors has not similarly become easier. There have not been equivalent court decisions suggesting that courts will be willing to heighten the standard and sanction willful blindness on the part of outside gatekeepers. Nor have there been decisions suggesting that courts will be willing to grant liberal access to internal documents to investigate potential gatekeeper failures.
Our Article proposes several tweaks to these legal doctrines and enforcement priorities that could change the existing equilibrium and perhaps improve corporate compliance. Our focus is not necessarily on increasing the size of the sanction that will be imposed. In fact, to quell fears that legal sanctions would lead to gatekeeper overdeterrence, we propose capping damages and applying comparative negligence and indemnification rights. Our focus is rather on the process itself: we think that reviving the threat of litigation could serve as a conduit for gatekeeper accountability, by flushing out information on gatekeeper misconduct.
Asaf Eckstein is Associate Professor at Hebrew University.
Roy Shapira is Professor of Law at Reichman University and a Research Member at ECGI.
This post was adapted from their paper, “Compliance Gatekeepers,” available on SSRN.
The evolving landscape of compliance is truly intriguing.