Corporate Compliance Insights
Two Sides of the Same Coin? Taking Another Look at Compliance Education

Law schools are teaching, well, law — not how to orchestrate compliance

by Joseph Burke
April 10, 2024
in Featured, Leadership and Career, Opinion

Corporate scandals continue seemingly unabated, and federal authorities increasingly point to a strong compliance function as a difference-maker in their investigations. It’s no wonder, then, that demand for compliance officers is growing. But as Fordham law professor Joseph Burke wonders, if we’re in a golden age for CCOs, why isn’t education keeping up?

Sometimes that deja vu feeling is just a bit too real for words. As a consumer of bank services, you would have been forgiven for having just that feeling in July 2023 upon learning that the Consumer Financial Protection Bureau (CFPB) had just ordered the Bank of America to pay more than $100 million to customers for misappropriating sensitive personal information to open accounts without customer knowledge or authorization, along with systematically double-dipping on fees imposed on customers with insufficient funds in their account and withholding reward bonuses explicitly promised to credit card customers. 

Aside from the nearly jaw-dropping brashness of these fraudulent practices, what the CFPB did not say in its July 2023 release was that just a few years before this Bank of America order, Wells Fargo had made headlines in 2016 for doing some of the same things that Bank of America was now being penalized for. What’s more, Bank of America was doing these things, according to the CFPB, around the same time Wells Fargo was. Wells Fargo got caught in 2016, while Bank of America got caught a few years later, but the records show that both were perpetrating these frauds in the period prior to 2016, starting in about 2011 or earlier.

It is difficult to imagine that the compliance and leadership teams at Bank of America were unaware of Wells Fargo’s daily headlines in 2016. If we assume that they were aware, we must conclude either that Bank of America cynically elected to continue its own fraudulent practices until it was caught or that it ignored the entire Wells Fargo story, believing that it was not capable of such fraud and therefore had no reason to do an internal investigation.

Whatever the case, the failures at both companies raise substantial questions about the quality of compliance controls at two well-funded and modern banking companies. Was Bank of America’s leadership briefed on the possibility that the same things that happened at Wells Fargo were happening at their institution? Was any investigation conducted? Or was the fraud at Bank of America so cleverly hidden that the compliance team was unable to find it? The new compliance teams at these companies will clearly have their hands full.

But maybe the issue is bigger than just Wells Fargo, Bank of America and this deja vu moment.

A starting point

In April 2018, D. Daniel Sokol published an article in the University of Cincinnati Law Review warning that compliance training in law schools in the United States was failing both students and their eventual employers because it did not provide the skills needed for effective compliance execution. Citing the many reasons that compliance as a standalone discipline continues to grow, such as negative stock returns, private damage suits, financial penalties, reputational damage and other concerns for companies involved in scandal, Sokol focused on the difficulty law schools and law firms were having in designing and delivering effective training and education to students and young lawyers with a focus on compliance as a profession.

Sokol’s arguments may have been overshadowed by a then-current debate regarding the importance of an independent in-house corporate compliance department. That debate, which pitted compliance thought leaders against mainstream general counsel, had concluded not with a bang but a whimper not long before Sokol wrote his article.

Ben Heineman, former longtime general counsel at General Electric, maintained that the chief compliance officer (CCO) ought not report to the C-suite but rather to a “lawyer statesman,” who would provide the C-suite gravitas that the compliance function and the CCO herself would lack. Heineman maintained that the more recent development of the compliance discipline generally, as compared to the more longstanding and traditionally close relationship of the general counsel to the CEO specifically, militated against installing the CCO as a member of the C-suite.

On the other side, Donna Boehme, a consultant and compliance expert, argued that the compliance function needed to be differentiated from the legal function and that the best structure was one in which the compliance function cooperated as an equal to the legal function.

Heineman eventually softened his approach in a later article, stating that “[t]he often-debated question of whether the CCO should report to the GC/CFO or to the CEO is far less important than deep, authentic CEO and business-leader commitment to compliance. … It is far less important than ensuring that personnel in each of these areas work together seamlessly on the wide variety of tasks within the broad prevent-detect-respond framework.”

Even today, while few commentators are arguing against compliance independence, real progress in establishing the CCO at the C-suite remains slow.

Law & compliance aren’t the same

Despite reluctance to elevate the CCO, stories of scandals occurring before, during and after the Covid-19 pandemic and involving bad corporate behavior have continued seemingly unabated. Many of the companies involved are successful global companies with a strong presence in the U.S. Stories regarding Walmart, Toyota, Volkswagen and many others continue to populate news releases announcing deferred prosecution agreements arising from corporate scandals. Despite this, surveys show less than 75% adherence to the principle of independence for the compliance department with C-suite leadership.

For his part, Sokol directed his criticism not to the CCO’s reporting dilemma but rather to the failure of education for future compliance practitioners. Despite rapid growth in in-house compliance departments in corporate America between 2010 and today, there has not been a commensurate growth in training facilities or ideas.

In 2022, 359,640 compliance officers were employed in the United States, according to data from the U.S. Bureau of Labor Statistics. This number has increased steadily over the past decade, rising from 236,090 in 2013, an increase of more than 50%, while all occupations across the economy grew only 11% in that time.

In breaking down the deficiencies in current compliance education in law schools, Sokol cited the vast differences between the defensive, advisory role the legal department plays as the expert interpreter of laws and legal strategy and the far more initiative-taking and enterprising role of the compliance officer.

Among other things, the CCO is typically charged with:

  • Development, measurement, monitoring and annual recharacterization of programs for the assessment of compliance risk
  • Education of employees and managers
  • Installation and implementation of business controls (including financial and accounting controls)
  • Investigation and remediation required in response to discovered wrongdoing

None of these responsibilities line up with the traditional role of the legal department, nor do they align with law school curricula today, with just a few exceptions. The role of legal has been to interpret the law, advise leadership and employees (including advising the compliance team) on how to follow the law and defend the company when missteps occur. The management of a proactive, individuated compliance program adapted to business risks identified by the company’s CEO and her leadership team based on planning and objectives has rarely been an expectation of the legal department. Given the inherent tensions between the legal role and that of compliance described above, it seems unlikely that this will change, in part because these frameworks (legal and compliance) are so directly opposed to one another.

Law schools are teaching, well, law

The issues Professor Sokol highlighted remain with us today. Education for aspiring CCOs continues to be found almost exclusively at law schools providing specialized Master of Law (LLM) or other international master’s programs that are not degree specific. These programs typically study existing regulatory guidance relating to anti-corruption laws, the protection of personal information and HR, health and finance activities. As a result, it is nearly impossible to find law schools that teach students how to be a compliance officer or how to build an effective compliance program.

Many law schools provide, in addition to statute-specific education (such as classes focusing specifically on the U.S. Foreign Corrupt Practices Act), classes re-hashing regulatory guidance from the U.S. federal sentencing guidelines to the U.S. Department of Justice’s “Evaluation of Corporate Compliance Programs,” describing how the DOJ has instructed its prosecutors to judge an effective compliance program.

But such paint-by-number, legalistic approaches are not enough to solve the problems we continue to see at places like VW, Wells Fargo, Bank of America and elsewhere. These educational efforts miss the mark because they do not teach law students how to effectively assess compliance risk, set company policies, implement company-wide policy training, identify compliance objectives and operational controls or to build, launch, measure and monitor compliance programs.

Law schools typically do not focus on how to build communication programs designed to establish culture and tone at the top, nor do they teach students to measure, assess and report on those programs, for example. Few law schools incorporate training on how to conduct investigations and report on them to the CEO or the board of directors. In other words, law schools are not teaching law students how to be CCOs.

Upon graduation, most newly minted lawyers are poorly prepared to build a program that can take a leadership role in helping the company establish a culture of compliance and ethical decision-making from an in-house leadership position.

But maybe the biggest issue here is not the way law schools are teaching compliance. Maybe the biggest disconnect is that we are not marrying these compliance training programs to the teaching of ethics in our business schools. And in neither school, business or law, are we effectively teaching young students how to incorporate ethical decision-making into everyday compliance practices.

It’s hard to build up without a foundation

In the absence of an ethical foundation based on a company’s leadership vision/mission, the company’s decision-making is guided by the most influential (read: loudest) decision-makers and their personal ethical positions rather than by a well-considered approach to ethics established by the CEO and her team. Instead, we choose to focus on legalistic, statute-based knowledge-building so that we can see noncompliance when it happens but are nearly powerless to build a culture that will avoid or prevent it.

Even the most experienced compliance team will find it nearly impossible to build an ethical framework to guide the company if the CEO and her team have not set down a foundation for ethical practice. Few companies today take the time to establish that framework the CCO needs as a basis on which to start building the culture described as a prerequisite by the DOJ.

In the absence of ongoing mission/vision leadership by the CEO and her team, the company’s ethical direction defaults to the personal ethics of the CCO, or to any employee or member of the C-suite team who outranks the CCO. Even for a proponent of a strong CCO position with plenty of latitude for decision-making, this feels fundamentally wrong. 

So, taking a page from Sokol’s article, maybe our mistake is that we expect law schools to teach law students to “do compliance” rather than engaging both law and business students by teaching compliance and ethics together with a focus on ethical practices. This change in orientation should have the added benefit of preparing business school students, who are much more likely to be eventual C-suite members in the corporate in-house environment, with an early understanding of the principles of compliance and ethics that will serve them throughout their careers.

To build great compliance programs, rather than rely on lawyers whose strength is in helping the company understand the law, it makes sense to rely on businesspeople who are already being trained to build programs, innovate and execute on business initiatives. Ethics courses in business schools today are not achieving this goal.

The integration of compliance education with an introduction to ethical decision-making processes, time-tested and readily available, is not keeping up with the demand for CCOs that’s clearly emerging from employment data.

Existing and well-developed solutions, such as the framework established by the Markkula Center for Applied Ethics at Santa Clara University and the excellent guidance from Ethics Unwrapped, an educational program from the McCombs School of Business at the University of Texas, make this practically a no-brainer for CCOs.

There are no guarantees, of course, that educating business students on ethical decision-making in this particular context will result in less corporate scandal in the real world, but it is hard to see how this proposed change could cause a worse situation than what we face today.

We should not ignore the guidance of Professor Sokol relating to the substitution of business case studies for traditional case method practice in compliance education in the law school environment. Law students will benefit substantially from guidance provided by practicing CCOs and lawyers who have sat at C-suite tables and argued for and against various compliance initiatives at their companies, as Sokol seems to suggest.

It seems logical, though, that there is a meaningful benefit to corporate culture generally in taking a more radical approach to restructuring law school-based compliance education.

 


Joseph Burke is an adjunct professor at Fordham University School of Law and a retired former general counsel and chief compliance officer.
