Whether it is a financial institution like Wells Fargo, an automotive company like General Motors, a transportation company like Uber, or a religious organization like the Catholic Church, failing to properly prevent, detect, investigate, and remediate misconduct within an organization’s ranks can have devastating results. The importance of the compliance function is accepted within corporations, but the reality is that all types of organizations—private or public—must ensure their members com­ply with legal and regulatory mandates, industry standards, and internal norms and expectations. They must police thousands of members’ compli­ance with hundreds of laws. And when compliance failures occur at these complex organizations they can be significant and widespread in both scope and associated harms.

Yet, careful examination and assessment reveals that many of the most significant and damning scandals occurring within organi­zations of late were entirely avoidable. Research within the field of corporate governance focuses on how firms are structured because those structures can result in better decisionmaking within the firm. Structure refers to the manner of separating the work in an organization into subunits and dividing the control of and responsi­bilities for the work. The field of compliance relies heavily on these insights from corporate governance, which has led to a focus on what organizational structures will lead to compliance programs likely to prevent and detect misconduct within firms. When it comes time to investigate potential incidents of misconduct and determine whether they are material events, however, complex organizations must go beyond issues related to the best manner in which to structure a compliance program. Instead, this Article argues that firms must focus on process-based reforms—or the actions, practices, and routines firms employ to communicate and analyze information—that will bolster a firm’s “Complex Compliance Investigations” and act as a safety net when compliance programs fail to detect or appropriately respond to misconduct within firms.

The full text of this article be found by clicking the PDF link to the left.


Despite the best efforts of governments, regulators, prosecutors, private stakeholders, and academics to identify effective mechanisms for organizations to employ in an effort to prevent and deter improper conduct within their ranks, misconduct continues to persist within organizations of all types. Fake bank accounts. Faulty ignition switches. Sexual harassment. Protection of predators. Over and over again, the public learns of wide­spread and significant misconduct plaguing organi­zations that millions of individuals rely upon on a daily basis. Most troubling, however, is that the breadth and depth of many of these scandals were entirely avoidable.

For example, in 2016, Wells Fargo announced that it had entered into an agreement to pay  “a  combined  $185  million  penalty  to  the  Consumer  Financial  Protection Bureau . . . , the Office of the Comptroller of the Currency, and the City and County of Los Angeles to settle charges” without admitting formal wrongdoing that it fraudulently opened accounts on behalf of customers without their knowledge. 1 Bethany McLean, How Wells Fargo’s Cutthroat Corporate Culture Allegedly Drove Bankers to Fraud, Vanity Fair (May 31, 2017), []. The initial settlement, however, was just the beginning of difficulties for the bank, and it has now entered into multiple settlements with the DOJ, 2 E.g., Press Release, DOJ, Justice Department Obtains $5.4 Million in Additional Relief to Compensate Servicemembers for Unlawful Repossessions by Wells Fargo Dealer Services (Nov. 14, 2017), []; Press Release, DOJ, Justice Department Reaches $4 Million Settlement with Wells Fargo Dealer Services for Illegally Repossessing Servicemembers’ Cars (Sept. 29, 2016), []; Press Release, DOJ, Wells Fargo Bank Agrees to Pay $1.2 Billion for Improper Mortgage Lending Practices (Apr. 8, 2016), []. the SEC, 3 E.g., Order Approving Plan of Distribution, Exchange Act Release No. 80,302, 116 SEC Docket 1642 (Mar. 23, 2017); Order Instituting Administrative Cease-and-Desist Proceedings, Securities Act Release No. 9349, Exchange Act Release No. 67,649, Investment Company Act Release No. 30,167, 104 SEC Docket 1445 (Aug. 14, 2012); Press Release, SEC, Wells Fargo Advisors Admits Failing to Maintain Controls and Producing Altered Document, Agrees to Pay $5 Million Penalty (Sept. 22, 2014), []. and the Federal Reserve, 4 E.g., Written Agreement Between Wells Fargo & Company and Board of Governors of the Federal Reserve System, Docket No. 18-007-B-HC (Feb. 2, 2018); Wells Fargo & Co., Wells Fargo Update: Federal Reserve Consent Order 1 (2018), []; Press Release, Bd. of Governors of the Fed. Reserve Sys., Responding to Widespread Consumer Abuses and Compliance Breakdowns by Wells Fargo, Federal Reserve Restricts Wells’ Growth Until Firm Improves Governance and Controls. Concurrent with Fed Action, Wells to Replace Three Directors by April, One by Year End (Feb. 2, 2018), [] [hereinafter Fed. Reserve Wells Fargo Press Release]. among others. 5 See, e.g., Emily Flitter, Wells Fargo Agrees to Settle Auto Insurance Suit for $386 Million, N.Y. Times (June 7, 2019), (on file with the Columbia Law Review); Imani Moise, Wells Fargo to Pay $575 Million in Settlement with U.S. States, Reuters (Dec. 28, 2018), []; Jonathan Stempel & Dena Aubin, Wells Fargo Officials Enter $240 Million Settlement over Bogus Accounts, Reuters (Mar. 1, 2019), []. In addition to actions brought by governmental actors, alleged internal whistleblowers claimed that they were fired or retaliated against when they attempted to alert higher-ups within the corporation of the fraudulent activity. 6 Matt Egan, More Wells Fargo Workers Allege Retaliation for Whistleblowing, CNN (Nov. 7, 2017), []. For Wells Fargo’s legal assess­ment of alleged retaliation against whistleblowers, see Indep. Dirs. of the Bd. of Wells Fargo & Co., Sales Practices Investigation Report 87 n.26 (2017), [] [hereinafter Wells Fargo Investigation Report]. In early 2018, one such claim resulted in a $577,000 settlement and an order to rehire the employee. 7 C. Ryan Barber, Wells Fargo, Ending Its Appeal, Settles Whistleblower’s $577K Retaliation Case, Nat’l L.J. (Jan. 19, 2018), (on file with the Columbia Law Review). The significant failures throughout the organization’s ranks led to an unprecedented sanction from the Federal Reserve in February 2018, which restricts the bank’s ability to grow until it improves its internal governance and controls. 8 See Written Agreement Between Wells Fargo & Company and Board of Governors of the Federal Reserve System, supra note 4, at 8–9; Fed. Reserve Wells Fargo Press Release, supra note 4. And yet, Wells Fargo had structured its compliance program in line with what was expected under industry standards at the time. Indeed, as one scholar explained, “[A]t the time of its massive fake accounts scandal . . . Wells Fargo had a robust, [Organizational Sentencing] Guidelines-based compliance program with all of the ‘expected’ tools aimed at eliminating typical compli­ance lapses. Yet the company was unable to foresee, let alone prevent, an extreme compliance failure . . . .” 9 Todd Haugh, The Power Few of Corporate Compliance, 53 Ga. L. Rev. 129, 157 (2018) [hereinafter Haugh, Power Few] (footnote omitted).

Likewise, General Motors failed to recognize and prevent an extreme compliance failure of a different sort, one that not only cost the organization billions of dollars, but also resulted in the deaths of at least 124 people. 10 Kirsten Korosec, Ten Times More Deaths Linked to Faulty Switch than GM First Reported, Fortune (Aug. 24, 2015), (on file with the Columbia Law Review); Eric D. Lawrence, GM Settles Deadly Ignition Switch Cases for $120 Million, USA Today (Oct. 20, 2017), []. In 2014, General Motors announced a recall of over seventeen million vehicles worldwide, over eleven million of which cited issues of the ignition switch that would abruptly cause the car to lose power “when keys [were] acci­dentally bumped or moved out of the ‘Run’ position.” 11 Peter Valdes-Dapena & Tal Yellin, GM: Steps to a Recall Nightmare, CNN, [] (last visited Oct. 8, 2019). In instances where the switch failed and the car stalled, airbags would not deploy, creating the potential for serious injuries to both drivers and passengers. 12 Anton R. Valukas, Jenner & Block, Report to Board of Directors of General Motors Company Regarding Ignition Switch Recalls 1 (2014), []. Notwith­standing this significant risk, the company chose not to fix the faulty switches, despite first receiving reports on the issue in 2004, and multiple reports thereafter. 13 Id. at 2–4. Indeed, when General Motors first analyzed the issue, it improperly classified the problem as a customer convenience issue instead of a safety issue, leading it to determine that it was simply too costly to make the necessary changes to the switch design. 14 Id. at 2; see also Valdes-Dapena & Yellin, supra note 11. And over the next number of years, the company continued to demonstrate a “lack of urgency, lack of ownership of the issue, lack of oversight, and lack of understanding of the consequences of the problem.” 15 Valukas, supra note 12, at 4, 9. This lack of urgency and oversight turned out to be exceptionally costly to General Motors, both in terms of its public reputation as well as its bottom line. In 2017, General Motors entered into a $120 million settlement with victims of its defective ignition switch scandal, a figure that came on top of roughly $2.5 billion worth of penalties imposed on the company. 16 Lawrence, supra note 10. These penalties included, for instance, a $900 million settlement with the DOJ in a criminal case, and multiple other settlements with accident victims. 17 Id.

When organizations fail to properly address potential compliance failures, it presents a particularly problematic situation, because the respon­sibility for preventing and detecting  misconduct  within  an  organization  lies  primarily  with  the  organization itself. 18 See U.S. Sentencing Guidelines Manual § 8B2.1 (U.S. Sentencing Comm’n 2004) (describing an “effective compliance and ethics program,” including due diligence, the promotion of ethical conduct, and compliance with the law); see also id. ch. 8, introductory cmt. (noting that the guidelines “provid[e] a structural foundation from which an organization may self-police its own conduct through an effective compliance and ethics program” (emphasis added)). An underlying assumption of all modern compliance efforts is that organizations are in the best position to monitor and police the behavior of their members. 19 Miriam Hechler Baer, Governing Corporate Compliance, 50 B.C. L. Rev. 949, 959 (2009). This understanding stems from past incidents of corporate misconduct and is uncontroversial.

For instance, when the Enron and Arthur Andersen scandals broke in 2001, they sent a ripple effect across corporate America and triggered a vari­ety of responses from Congress, regulators, and prosecutors. 20 Lawrence A. Cunningham, Deferred Prosecutions and Corporate Governance: An Integrated Approach to Investigation and Reform, 66 Fla. L. Rev. 1, 16–18 (2014). Legislation was passed. 21 See Sarbanes–Oxley Act of 2002, Pub. L. No. 107-204, § 302, 116 Stat. 745, 777–78 (codified at 15 U.S.C. § 7241 (2012)). Enforcement priorities shifted. 22 For example, within weeks of Arthur Andersen’s conviction for obstruction of justice, then-President George W. Bush formed the President’s Corporate Fraud Task Force within the Department of Justice. Compare United States v. Arthur Andersen, LLP, 374 F.3d 281, 284 (5th Cir. 2004) (noting that a guilty verdict was returned on June 15, 2002), rev’d, 544 U.S. 696, 708 (2005), with Exec. Order No. 13,271, 67 Fed. Reg. 46,091 (July 11, 2002) (estab­lishing the task force to “investigate and prosecute significant financial crimes, recover the proceeds of such crimes, and ensure just and effective punishment of those who perpetrate financial crimes”). For more information on the Corporate Fraud Task Force, see The President’s Corporate Fraud Task Force, DOJ Archives, [] (last visited Oct. 9, 2019). Under then-President Barack Obama, the program shifted into the Interagency Financial Fraud Task Force. See Press Release, SEC, President Obama Establishes Interagency Financial Fraud Enforcement Task Force (Nov. 17, 2009), []; see also Cunningham, supra note 20, at 16–17 (outlining different changes to enforce­ment priorities as a result of Enron and other corporate scandals). And the manner in which corporate misconduct was settled and resolved changed dramatically. 23 See Brandon L. Garrett, The Public Interest in Corporate Settlements, 58 B.C. L. Rev. 1483, 1498–511 (2017) (surveying the use of supervised probation, deferred prosecution agreements, and nonprosecution agreements in addressing corporate misconduct and collecting relevant citations). The focus for corporations, regulators, and prosecutors shifted to “corporate compliance programs as the key to optimal deterrence.” 24 Cunningham, supra note 20, at 17. As compliance programs catapulted in importance, it led to the intensi­fication of “internal policing of corporate employees.” 25 Id. And as organi­zations took on this respon­sibility of policing their employees in an effort to comply with ever-increasing regulatory and legal requirements, they began to focus on the structure—the separation of work in an organization into subunits and dividing the control of and responsibilities for the work—of the compliance programs they created. 26 See infra section I.B. Focusing on the structure of an organization’s compliance efforts was seen as essential to ensuring an effective and robust compliance and ethics program. 27 See infra section I.B.

Determining the proper structure of compliance programs has been a question scholars, practitioners, prosecutors, and regulators have wres­tled with for decades. 28 At a minimum, the question of how to structure a compliance program has been an issue since the 1991 passage of the original iteration of the Organizational Sentencing Guidelines, which is applicable to corporations, partnerships, unions, funds, trusts, nonprofits, and governmental entities. See Paula Desio, U.S. Sentencing Comm’n, An Overview of the Organizational Guidelines 2–3, [] (last visited Jan. 20, 2020). Should the compliance program be segmented into particular subject areas or should there be one global compliance program? 29 Walmart, for instance, segments its compliance department by subject area and then by geography. Jay T. Jorgensen & C. Kevin Marshall, Corruption and Compliance: Promoting Integrity in a Global Economy, 49 U.C. Davis L. Rev. 425, 431–33 (2015); see also Global Ethics & Compliance, Walmart, [] (last visited Oct. 9, 2019). Should the chief compliance officer report to the general counsel or the audit committee? 30 See Michael W. Peregrine, Seeking Clarity at the Crossroads of Legal and Compliance, Corp. Couns. (Sept. 18, 2014), []. Should compliance professionals be embedded within particular departments or remain separate as a deterrent to capture? 31 See id. These and other foundational questions about how organi­zations should structure their compliance programs were necessary and important progressions for creating the compliance programs found within organi­zations today.

Yet despite spending a great deal of time, effort, and money to enact structural reforms and improvements within organizations’ compliance programs, every year brings a new, more stunning example of how organi­zations’ attempts to reign in misconduct often fail to prevent even the most extensive compliance failures within industries and firms. The scandals at Wells Fargo and General Motors each reflect an intense failure by the organization to effectuate its monitoring and policing responsibilities despite the presence of compliance programs that were structured in a manner expected to effectuate an appropriate amount of monitoring and policing.

There are a variety of accepted understandings—both within industry and academic scholarship—about what is necessary for the creation of an effective compliance program. However, when one considers the signif­icant compliance failures that continue to occur despite the adoption of increasingly sophisticated internal compliance programs, it suggests that it may be time to affirmatively question certain understandings and assumptions that serve as the foundation of modern-day compliance programs. 32 This effort is at nascent stages but has begun. For example, Professor Todd Haugh has recently argued that compliance programs have suffered in effectiveness because they assume that compliance failures will fall within a normal distribution amongst one’s employ­ees. In actuality, however, “[U]nethical employee conduct is just as likely to follow a skewed, or ‘fat-tailed,’ distribution.” Haugh, Power Few, supra note 9, at 135 (quoting Daniel A. Farber, Uncertainty, 99 Geo. L.J. 901, 923 (2011)). This Article contributes to that effort.

Compliance programs within firms focus, for good reason, on preventing and detecting misconduct within their ranks. Those striving to create effective ethics and compliance programs spend a great deal of time on developing appropriate structures to house, manage, and support compliance efforts so that they will effectively prevent and detect wrongdoing within firms. But as demonstrated in prior work, prevention and detection are just the first two of four stages—the latter stages being investigation and remediation—within compliance efforts. 33 See Veronica Root, The Compliance Process, 94 Ind. L.J. 203, 219–27 (2019) [hereinafter Root, Compliance Process]. This Article focuses on the detection and investigative stages and the continuum between them. It demonstrates that many recent compliance failures within organizations might have been avoided if more robust processes—meaning the actions, practices, and routines that firms can employ to communicate and analyze information—had been in place to ensure investigations were conducted in a manner that allowed the firm to analyze information from diverse areas within the firm. As such, this Article argues that firms must focus on adopting process-based reforms that will bolster internal investi­gations into complex compliance failures and act as a safety net when compliance programs fail to detect or appropriately respond to misconduct within firms.

Part I of this Article describes why the effort to curb corporate criminal misconduct came to rely heavily on self-policing within the organization, which contributed to the rise of the compliance function. This Part goes on to demonstrate, through the use of literature from the fields of organizational behavior and corporate governance, the importance of implementing certain structures within the creation of compliance pro­grams. For purposes of this Article, structure refers to a firm’s decisions on how to organize itself. 34 Tor Hernes, A Process Theory of Organization 69 (2014) (citing Stewart Ranson, Bob Hinings, and Royston Greenwood’s definition of organizational structure as “the social structures of relationships that reside in organizations”); see also Nicola Faith Sharpe, Process over Structure: An Organizational Behavior Approach to Improving Corporate Boards, 85 S. Cal. L. Rev. 261, 266–68 (2012). But see Hernes, supra, at 69–71 (arguing that the duality of process and structure is a fallacy). Part I then recounts current understandings of compliance within legal scholarship, which include an emphasis on the key structural components necessary for an effective compliance program and their focus on the prevention and detection of corporate misconduct.

Part II focuses on the evolution of the compliance function. It demonstrates that traditional compliance programs were narrow in scope, with a focus on particular subject matter areas. Yet, the rise of more complex organizations—organizations with many diffuse departments or complicated organizational structures with a variety of parents and subsidiaries—brought new challenges for compliance efforts. A complex organization for purposes of this Article might be one organizational entity with a number of departments, such as a university, but it may also be a complicated corporate family with many subsidiaries, like Walmart. These larger, more complex organizations often suffer from information silos, which occur when departments or divisions  within  a  large  organization  are  isolated  from  other  parts  of  the organization. 35 Cf. Richard E. Levy & Robert L. Glicksman, Agency-Specific Precedents, 89 Tex. L. Rev. 499, 510–14 (2011) (discussing effects of information silos on large government bureau­cracies in administrative agencies). These information silos sometimes result in difficulty communicating properly throughout the organization and, in particular, can impede a firm’s attempts to fully and properly investigate claims of potential misconduct.

Part III sets forth the thesis of this Article and argues that firms must focus on adopting process-based reforms that will bolster the firm’s investi­gations into complex compliance failures, thereby acting as a safety net when compliance programs fail to detect or appropriately respond to misconduct within firms. Part III begins by presenting two case studies, which demonstrate that recent compliance failures at complex organi­zations suggest that many of these compliance programs—regardless of the program’s organizational structure—suffer from information silos that result in improper or inadequate responses to significant organizational misconduct. Part III then highlights how process-based reforms might assist large, complex firms in detecting compliance failures before they become widespread, significant, or both. It applies specific process-based reforms to the compliance failures at Wells Fargo and General Motors in an effort to demonstrate how these types of additional interventions might add value to firm compliance programs. In particular, Part III suggests the creation of three interventions meant to bolster firms’ detection and investigative efforts: (i) standardized internal investigation questions, (ii) materiality surveys, and (iii) reliance upon an aggregation principles when evaluating information. Relying on two additional case studies, Part III then highlights two limitations to process-related reforms: organizations without robust structural compliance programs, as evidenced by investigations into the Catholic Church, and organizations with corrupt cultures, as evidenced by the internal Uber sexual harassment scandal.

Part IV discusses some potential benefits raised by this Article’s proposed framework. The Article then turns to highlighting some remaining questions. This Article, admittedly, focuses on a relatively narrow area within compliance efforts—failures within the detection and investigative contin­uum of compli­ance efforts within complex organizations—but short­comings in this space are associated with potentially devastating consequences for firms.