Professor Veronica Root Martinez on building an effective corporate compliance plan
Companies should tailor a strategy to allocate resources to their biggest risks

Corporate compliance may not be a household word. But it’s vitally important to our daily lives. Compliance departments ensure that the companies operating in our communities and producing consumer goods and services obey and even keep ahead of laws and regulations. And when there’s a failure it can cost companies billions of dollars, cause profound harm to employees and consumers, and even lead to the loss of life.
“Compliance today is significant in a variety of ways for everyday folks, including whether the cars we drive are safe, whether our bank accounts are secure, whether our water is polluted,” said Veronica Root Martinez, the Simpson Thacher & Bartlett Distinguished Professor of Law at Duke Law School and author of Building an Effective Ethics and Compliance Program (forthcoming from Edward Elgar).
“Whether or not large multinational companies have effective compliance programs ends up mattering in a whole host of ways.”
When a high-profile company has a compliance failure it grabs headlines. TD Bank paid $3.1 billion for failing to properly deploy and support internal anti-money laundering programs. Wells Fargo paid $3 billion over sales tactics that involved misusing customer data and creating millions of fake bank accounts. And Fox News agreed to reform its internal culture after allegations of sexual harassment and misconduct by executives and hosts that have resulted in numerous settlements and fines.
Companies tend to take one of two views toward compliance, Martinez says. Some understand that investing in ethics and compliance programs and business integrity activities that go above and beyond legal requirements has tangible benefits for the organization. Others “see compliance as an obligation that they have to endure. They focus on doing the very bare minimum to be able to defend themselves if something goes wrong,” she explained.
Firms may fall into the trap of designing their compliance programs in response to regulators’ enforcement priorities, rather than focusing on the risks that are most salient to their own line of business. And when a failure occurs, they may succumb to tunnel vision: identifying and focusing on a single problem and failing to see other contributing factors.
“When something bad happens, and we come up with a reason for why it happened, we sometimes latch onto that initial reason, and say, ‘Okay, well, that was the reason, so we're going to fix that and then we'll be all set going forward,’” Martinez explained.
Instead, she recommends a more comprehensive analysis that looks for failures at each step of the compliance process — prevention, detection, investigation, and remediation — and considers the possibility that multiple failures occurred at once.
For example, if a bank has been cited for money laundering, was the problem only with training, in that employees couldn’t recognize a suspicious account when they saw one? Or was it also an investigation issue, where employees saw red flags but didn’t investigate properly or report the problem? Without examining what happened at each step, a bank might rewrite its training manual but fail to address breakdowns at other stages.
Martinez acknowledges that perfect compliance is not realistic.
“The expectation is that you're trying to do your best,” she said. “But you can't say that you're doing your best if you're an ostrich burying your head in the sand and trying not to see what's going on.”
Designing a program to address greatest risks
Companies should reject the idea that compliance is a burden that gets in the way of their profit-making activities, Martinez says. The most innovative companies practice “purpose-driven compliance,” in which they design a compliance program around their business purpose, the specific risks inherent to pursuing that purpose, and the company’s own values and goals.
Utilizing that framework, a company can then determine how to allocate resources to areas of greatest risk, whether it’s related to government enforcement, interactions with consumers, or reputation.
“Complying with laws, of course, matters, but compliance officers should also be considering, ‘What is best for this business based on the products and services this business provides, and our best risk assessment?’” Martinez says.
This is especially crucial as companies begin to incorporate new technologies such as generative artificial intelligence. Regulators are inherently a step behind firms that are creating new products and services, so businesses would be wise to assess and prepare for the risks they can start to anticipate.
“Part of the job of an innovative company is to carefully consider, ‘What are the risks that my innovation is going to create for the business, and for the people within the business?’” Martinez said. “‘How do I address those risks proactively, even if the regulator hasn’t put out a rule yet?’”