Over the last decade, federal corporate criminal enforcement policy has undergone a significant transformation. Firms that commit crimes are no longer simply required to pay fines. Instead, prosecutors and firms enter into pretrial diversion agreements (PDAs). Prosecutors regularly use PDAs to impose mandates on firms, creating new duties that alter firms’ internal operations or governance structures. DOJ policy favors the use of such mandates for any firm with a deficient compliance program at the time of the crime. This Article evaluates PDA mandates to determine when and how prosecutors should use them to deter corporate crime. We find that the current DOJ policy on mandates is misguided and that mandates should be imposed more selectively. Specifically, mandates are appropriate only if a firm is plagued by policing agency costs—in that the firm’s managers did not act to deter or report wrongdoing because they benefited personally from tolerating wrongdoing or from deficient corporate policing. Moreover, only mandates that are properly designed to reduce policing agency costs are appropriate. The policing agency cost justification for mandates that we develop calls into question both the extent to which mandates are used and the type of mandates that are imposed by prosecutors.

TABLE OF CONTENTS

I.  Corporate Criminal Enforcement and PDAs

This Part examines corporate criminal enforcement policy as applied to publicly held firms to evaluate how PDA mandates fit within, and alter, the corporate criminal liability regime. In Section A, we describe the federal corporate liability regime applied to such firms. In Section B, we review the use and typical terms of PDAs. In Section C, we show how PDA-imposed mandates fundamentally change the structure of corporate criminal liability. The standard regime imposes duties13 on all firms to undertake effective compliance and other policing measures but generally sanctions breach of these duties only if a substantive crime occurs.14 By contrast, prosecutors use PDA mandates to create and impose new, firm-specific policing duties ex post (after a substantive violation occurs), and to threaten firms with liability for breach of these duties even if no future substantive crime occurs. PDA mandates thus represent both a fundamental expansion in prosecutorial authority and a change in the liability regime governing affected firms.

A.    US Corporate Criminal Enforcement

In the United States, corporations can be held strictly criminally liable15 for crimes committed by employees in the scope of employment through the doctrine of respondeat superior.16 The scope of this liability is unusually broad. Corporations can be held criminally liable for crimes committed by low-level employees,17 contrary to corporate directives,18 or notwithstanding the firm’s adoption of an effective compliance program.19 Convicted corporations can be subject to substantial monetary sanctions, including fines, restitution, and remediation, as well as nonmonetary sanctions (such as corporate probation).20 They also may be subject to civil penalties and administrative sanctions.21 Administrative sanctions can include delicensing and debarment from contracting with federal agencies (such as the Department of Defense, Department of Health and Human Services, or the Securities and Exchange Commission), which can have ruinous consequences for the firm.22

Yet, in practice, federal prosecutors do not hold publicly traded corporations strictly liable for their employees’ crimes.23 Instead, the Department of Justice instructs prosecutors to consider alternatives to criminal conviction based on a variety of factors, including (and especially) whether the firm maintained an effective compliance program, self-reported, and cooperated in the investigation of the wrongdoing.24 Firms that fully self-report the wrong prior to any threat of detection and cooperate are rarely prosecuted.25 Firms that avoid prosecution are generally subject to PDAs.26 PDAs can take one of two forms: a deferred prosecution agreement (DPA) or a nonprosecution agreement (NPA). Under a DPA, the prosecutor files charges but agrees not to seek conviction. Under an NPA, the prosecutor agrees not to file formal charges against the firm.27 Both types of PDAs enable prosecutors to sanction the firm without triggering the collateral consequences of a formal conviction, such as debarment or delicensing.28 Prosecutors’ ability to use PDAs to both sanction firms for misconduct and insulate them from mandatory collateral penalties triggered by conviction enables them to reward firms that helped deter misconduct through effective compliance, self-reporting, or full cooperation while still sanctioning the underlying crime. Prosecutors also respond to valued corporate policing by reducing the sanctions imposed through PDAs.29

Thus, in practice, publicly held corporations are not held strictly liable for their employees’ crimes. Instead, publicly held firms are subject to a form of “duty-based” corporate criminal liability.30 Duty-based liability imposes general up-front duties on all firms to adopt an effective compliance program, self-report detected wrongdoing, and fully cooperate with the government’s investigation. Should a substantive violation31 occur, corporations that breach these duties face severe sanctions—including criminal conviction with substantial fines—whereas firms that satisfy these duties face no or lower sanctions.

B.    PDAs and Corporate Reform Mandates

Today, firms with detected wrongdoing often satisfy some of their policing duties—for example, by fully cooperating with prosecutors. As a result, PDAs have become federal prosecutors’ primary tool for imposing sanctions on publicly held firms for many important offenses—other than antitrust, import/export and immigration, and environmental crimes—since 2003.32

In a conventional PDA, the firm acknowledges that its employees committed the acts that constitute the crime, agrees to waive its right to a speedy trial, and agrees to fully cooperate with the prosecutors’ investigation. In return for the firm’s compliance with the PDA, prosecutors agree to not seek the firm’s conviction. PDAs further provide that, if a firm fails to comply with the terms of the PDA, the prosecutor can proceed to convict the firm using its statement of facts admitting the crime against it.33 A firm that fails to comply with a PDA thus faces nearly guaranteed criminal conviction even when it does not commit any subsequent crime.34

The majority of PDAs require firms to pay fines and other monetary penalties. Monetary penalties imposed through PDAs can be substantial.35 PDAs entered into by the US Attorney’s Office or the DOJ’s Criminal Division in 2010 through 2014 imposed mean fines of approximately $31.3 million. Total sanctions imposed on the entire corporate group at the time of the PDA averaged over $171.3 million.36

In addition, most PDAs over the last ten years imposed at least one mandate, as shown in Table 1 (in Part I.C).37 PDA mandates usually govern the design and oversight of the firm’s compliance program. Many PDA compliance mandates require firms to adopt a compliance program with specific features that the firm otherwise would not be required to employ.38 For example, the PDA may mandate the type of compliance information to be collected, the type and frequency of employee training, or the additional due diligence procedures or specific policies governing payments and disbursements.39 PDAs can also require firms to materially increase compliance expenditures.40 Other compliance mandates simply require the firm to adopt an effective compliance program as defined by the Organizational Sentencing Guidelines.41 Yet even these mandates can impose new duties on the firm, because, but for the PDA, the firm generally could not be sanctioned for its failure to adopt such a program unless a substantive violation occurs.42 We refer to mandates governing compliance and other efforts by the firm to detect violations of the law as “policing mandates.”

Further, PDAs often include provisions governing internal and external oversight of the firm’s efforts to comply with the law. For example, a PDA may require the appointment of a chief compliance officer with authority to report directly to the board;43 the addition of specific independent directors;44 the establishment of new board45 or senior management committees;46 or the separation of the positions of CEO and chairman of the board.47 Most PDAs with mandates also require firms to regularly report to prosecutors and other federal authorities on the firm’s compliance activities.48 A substantial number of PDAs go even further and require firms to hire an outside monitor with authority to audit the firm to ensure its compliance with the duties imposed by the agreement and, in some cases, seek evidence of additional wrongdoing.49 We refer to provisions governing the internal or external oversight of compliance as “metapolicing duties.”

To understand the breadth of the mandates that can be imposed, consider the PDA that Bristol-Myers Squibb Co (BMS) agreed to in response to allegations of conspiracy to commit securities fraud. Under the agreement, BMS agreed to adopt a compliance program with features specified in the PDA; to institute a training program covering specified topics; to separate the positions of chairman of the board and CEO; to have the chairman participate in preparatory meetings held by senior management prior to BMS’s quarterly conference calls with analysts; to have the chairman, CEO, and general counsel monitor these calls; to appoint an additional outside director to the board, approved by the US Attorney’s Office; to hire and pay for a prosecutor-approved corporate monitor with authority to oversee compliance with both the agreement and federal law and to report to management and the prosecutor’s office; and, finally, to have the CEO and CFO make specific reports to the chairman of the board, the chief compliance officer, the monitor, and the SEC relating to sales, earnings, budgeting and projections, and other matters.50

C.    Mandates as a New Form of Liability

PDA policing mandates fundamentally change the structure of the corporate liability regime faced by publicly held firms. To identify these changes, we compare the core features of PDA mandates with those of more traditional corporate liability regimes, both criminal and regulatory, governing publicly held firms.

Corporate liability rules can be distinguished along two dimensions, as shown in Figure 1. The first is whether firm-level liability is strict or duty based. Corporate liability is strict when the firm is liable for all violations by its employees, as under respondeat superior. Corporate liability is “duty based” to the extent that a firm is subject to higher (or any) sanctions for its employees’ actions only if it failed to engage in proper corporate-level policing, for example, by failing to have an effective compliance program, self-report, or cooperate.51

The second dimension is whether liability is harm contingent or non–harm contingent. Liability is harm contingent to the extent that liability is imposed only if the firm’s employees also committed a substantive violation.52 Liability is non–harm contingent to the extent that a firm’s failure to adhere to its policing duties suffices to trigger liability.53 Traditional corporate criminal liability54 for publicly held firms, in effect, generally imposes liability that is harm contingent, as well as duty based. Criminal liability is harm contingent in that a corporation with inadequate policing generally cannot be convicted for breaching its policing duties unless its employees committed a substantive criminal violation. By contrast, regulators regularly impose policing duties enforced by non-harm-contingent corporate liability, sanctioning firms for implementing an inadequate compliance program even if no substantive violation occurred.55

Figure 1.  Taxonomy of Corporate Liability Regimes

Image removed.

PDAs that impose mandates supplement traditional regimes with a new form of criminal liability that differs from traditional corporate criminal and regulatory liability. First, traditional corporate criminal and regulatory liability imposes general policing duties on firms up front.56 By contrast, PDA mandates impose policing duties ex post after misconduct is detected, and then only on select firms with detected wrongdoing.57 Indeed, the duties imposed by PDAs are not merely imposed on firms ex post, but the content of the duties often is both determined ex post and specific to a single firm. Moreover, these firm-specific duties regularly are fashioned by individual prosecutors’ offices with limited, if any, oversight by, or guidance from, the DOJ.58

Second, whereas the traditional corporate criminal liability regime is harm contingent, PDA mandates impose non-harm-contingent liability: a mere breach of a PDA mandate without any subsequent substantive violation can result in criminal sanctions. PDA mandates thus in effect transform individual prosecutors into firm-specific quasi regulators with authority to devise and impose new duties on a firm with detected wrongdoing, enforced by liability that is non–harm contingent.

Federal policy and practice encourages this exercise of ad hoc regulatory authority by prosecutors.59 Federal enforcement policy favors the imposition of compliance programs and other mandates on those firms that did not have an effective compliance program.60 Consistent with that policy, the vast majority of PDAs impose mandates: as seen in Table 1, from 2008 to 2014, approximately 82 percent of the PDAs entered into by the DOJ Criminal Division or the US Attorneys’ Offices imposed compliance program mandates, and more than 30 percent imposed outside monitors.61 In addition, the DOJ has failed to supervise prosecutors or to adopt clear guidelines governing the type of PDA mandates imposed.62 It has thereby effectively granted prosecutors enormous discretion to determine what duties should be imposed through PDAs.63

Table 1.  Policing Mandates Imposed through PDAs, 2008–201464

Image removed.

Commentators have called for increased DOJ guidance for prosecutors on when PDA mandates should be imposed and what they should entail.65 To provide such guidance, however, one must understand how mandates fit into the corporate liability regime and what shortcomings in the regime they are designed to address. To date, neither the DOJ nor academic commentators have provided a satisfactory analysis of these issues. The remainder of this Article seeks to fill this void.

II.  Liability Regimes and Deterrence

The current broad federal policy and practice favoring the imposition of policing mandates raises the question, addressed in this Part, whether it is appropriate for prosecutors to impose PDA mandates whenever a firm did not have an effective compliance program at the time of the crime.

To address this question, we first identify in Section A a central purpose of corporate criminal liability for publicly held firms—inducing optimal corporate policing. In Sections B and C, we then analyze whether this goal is best served through the imposition of ex post mandates on all firms with deficient compliance. To address this issue, we examine whether PDA mandates are superior to reliance on general ex ante duties imposed by the more traditional corporate liability regimes with adequate monetary sanctions.66 In Section D, we conclude that PDA mandates are neither needed nor desirable as a general response to firms with deficient compliance programs. Duty-based corporate liability with adequate monetary sanctions is superior. Whether PDA mandates are justified in more limited circumstances is discussed in Part III.

A.    Optimal Deterrence in Publicly Held Firms

Criminal law cannot optimally deter crime by publicly held firms unless the individuals responsible for the crime are personally sanctioned for the wrongs they commit.67 Corporate sanctions alone are not sufficient because, in publicly held firms, the individuals who actually commit crimes68 generally own only a small percentage of the firm’s stock. Thus, these individuals are not likely to be motivated to commit corporate crimes by the benefits they derive as shareholders. Instead, they are motivated by personal benefits—such as increased job security, additional compensation, or promotion—resulting from undetected crimes that boost real or apparent profits.69 Put differently, crimes by publicly held firms often are an agency cost, best deterred by imposing liability directly on the individual wrongdoers.70

Nevertheless, individual liability alone generally cannot optimally deter corporate misconduct by publicly held firms. Left to their own resources, enforcement authorities may be unable to detect wrongdoing or to sanction individual wrongdoers with sufficient regularity to ensure that crime does not pay.71 Evidence of crimes by employees of publicly held firms rarely lies out in the open. Detecting crime, identifying wrongdoers, and obtaining the evidence needed to convict them requires significant up-front expenditures to monitor corporate activities, as well as significant resources devoted to investigations of suspected wrongs (corporate policing). Firms are often far better able than the government to undertake these policing activities.72 Thus, to effectively deter most crimes by employees of publicly held firms, government enforcers must induce firms to come to their aid by adopting compliance programs designed to detect crime, investigating suspected wrongs, self-reporting, and cooperating with the government’s efforts to prosecute individuals.73

Corporate policing measures are costly, however. A firm will not incur these costs unless the benefit to it from adopting corporate policing exceeds the cost. A regime in which corporate liability is duty based—such that firms with deficient policing face higher sanctions—can provide firms with the requisite incentive to adopt optimal policing.74 Corporate liability needs to be duty based both because effective corporate policing imposes substantial direct costs75 and because it increases the probability that enforcement authorities will detect and sanction corporate misconduct. To induce firms to bear both these direct expenses and the increased probability of sanction, corporate sanctions imposed for detected wrongdoing must be adjusted so that firms face lower expected liability if they police optimally than if they do not. Thus, firms that engage in proper policing need to be subject to a substantially lower sanction should employees commit a crime.76 Corporate liability that is duty based can ensure that firms are better off if they engage in optimal policing, provided that the government imposes appropriate monetary sanctions on firms with deficient policing.77

DOJ policy and practice encourages prosecutors to supplement duty-based corporate liability with PDA mandates for firms that have deficient compliance. PDA mandates have two core features. First, they impose policing duties ex post on select firms with detected wrongdoing, instead of ex ante on all (or a specified subset of) firms. Second, liability for breach of these PDA mandates may be imposed even if no substantive violation occurs. In the next two Sections, we examine whether these two features of PDA mandates—ex post duties and non-harm-contingent sanctions—justify the imposition of PDA mandates on firms with detected wrongdoing that did not have an effective compliance program. To assess PDA mandates, we compare them with the primary alternative approach to sanctioning deficient policing: imposing ex ante duties on all firms that are enforced by adequate monetary sanctions for breach.

B.    Advantages of Ex Ante Rules over PDA Mandates

The primary distinguishing features of PDA policing mandates are that they impose duties only on firms with detected wrongdoing and do so in an ad hoc fashion.78 PDA policing mandates thus differ from both duty-based corporate criminal liability and ex ante regulation, which each impose general duties up front on all firms (or on a subset of firms with particular characteristics, such as financial institutions or publicly traded companies).

Ex ante duties have an obvious advantage over mandates imposed selectively on firms with detected wrongdoing: the policing duties imposed—and thus the incentives they create—apply to a wider set of firms. Ex ante rules are presumably superior whenever it would be desirable to impose policing duties on a broader set of firms that includes firms without detected wrongdoing.

A further difference between ex ante duties and PDA mandates lies in the identity of the government body in charge of the decision to impose a duty and the design of the duty. Ex ante duties are often imposed through rules adopted by regulatory agencies or central enforcement authorities (for example, the US Sentencing Commission) after careful deliberation and after obtaining input from experts, the affected parties, and the public. These bodies generally have subject matter expertise and mechanisms for obtaining information on the costs and effectiveness of policing measures.79 By contrast, PDA mandates are fashioned by individual prosecutors’ offices,80 with little effective guidance from the DOJ.81 With the exception of substantive violations that tend to be handled by a single prosecutorial office—for example, violations of the Foreign Corrupt Practices Act of 197782 (FCPA)—the prosecutors designing PDA mandates may have no expertise with the type of violation involved.83 Moreover, even when prosecutors have experience with a particular type of violation, they still may lack the expertise needed to design and impose an optimal compliance program tailored to firms in a particular industry or with a particular organizational structure and to determine whether liability for failure to adopt such a program should be harm contingent or non–harm contingent. Finally, prosecutors often lack the resources or incentives to provide ongoing assessments of the policing measures they impose.84 The fact that regulators generally have greater experience and access to more information than the prosecutors who impose PDA mandates is a further reason why it is generally preferable to impose policing duties through ex ante rules rather than through PDA mandates.

C.    Advantages of Harm-Contingent Corporate Liability

Whereas traditional corporate criminal liability uses harm-contingent liability to sanction breaches of policing duties, PDA mandates impose non-harm-contingent liability. This shift to non-harm-contingent liability does not provide a reason to favor PDA mandates.

First, many breaches of policing duties are more effectively deterred by imposing harm-contingent liability on firms that commit substantive violations, instead of imposing non-harm-contingent liability.85 Indeed, the fact that firms without prior detected wrongdoing are not subject to liability for the breach of the policing duties that prosecutors impose through PDAs suggests, at least prima facie, that imposition of non-harm-contingent liability for breach of these duties is questionable. Moreover, even if non-harm-contingent liability is advisable, it is generally more effective when used to enforce general ex ante duties imposed by legislation or regulation than when used to enforce firm-specific duties imposed ex post by PDA mandates.

Corporate policing entails duties along four separate dimensions: adoption of an effective compliance program; effective oversight of the program, including the proper response to reports of suspicious activities; self-reporting of detected wrongdoing; and cooperation with enforcement authorities. Most of these policing duties—such as duties to respond effectively to evidence of wrongdoing,86 self-report detected wrongdoing, and cooperate with enforcement authorities—arise, and thus can be breached, only in the context of an actual or suspected substantive violation. Harm-contingent liability is effective as applied to these duties because it focuses the state’s limited enforcement resources on evaluating the firm’s adherence to its policing duties in those situations in which all of the firm’s policing duties have arisen and evaluation of breach can encompass the full panoply of duties. By contrast, inducing policing by deploying enforcement resources in the absence of any wrongdoing is generally less effective because several dimensions of corporate policing will have yet to arise.

Of course, some policing duties arise before any wrongdoing occurs. For example, firms may have investigatory duties when wrongdoing is suspected, even if no wrongdoing occurred. Nevertheless, harm-contingent enforcement actions tend to be superior, because bringing enforcement actions in the absence of actual wrongdoing could present an increased risk of error. When enforcement authorities evaluate policing by firms that have not actually committed a substantive violation, they could conclude that the firm failed to properly investigate and report a suspected violation even if the firm had a reasonable basis for being confident that no such violation occurred.

In addition, firms should adopt and maintain an effective compliance program regardless of whether any wrongdoing has occurred in the past. Again, however, focusing enforcement resources on firms that also committed a substantive violation will tend to be a more cost-effective way to induce effective compliance. Although prosecutors can evaluate certain facets of a compliance program prior to any wrongdoing—such as whether the firm established a compliance office and hired a compliance officer at all—most aspects of a compliance program’s effectiveness depend on soft inputs, including the level of attention, commitment, and courage of the compliance department, which are difficult to evaluate in the abstract. Enforcement authorities can better distinguish firms with “paper” compliance programs from those with genuine compliance programs by examining how compliance programs operate in the context of an actual substantive violation.87 Core compliance features that can be assessed ex ante tend to be better imposed and enforced by regulation than by PDA mandates that impose duties on select firms ad hoc.88

D.    Summary

Compared to more traditional corporate liability regimes, PDA mandates—which are imposed selectively on firms with prior wrongdoing—suffer from three shortcomings. Most importantly, the traditional regimes are presumably superior whenever it would be desirable to impose additional policing duties (enforced by higher sanctions) on a broader set of firms that includes firms without detected wrongdoing. Moreover, PDA mandates subject firms to criminal liability for policing deficiencies even if firms commit no further substantive violations. Such a broad imposition of non-harm-contingent criminal liability by prosecutors is questionable. Third, the content of the PDA duties is fashioned in an ad hoc manner by prosecutors. Ad hoc firm-specific mandates are not an appropriate response to all firms that failed to implement an effective compliance program. Absent the specific special considerations discussed below, regulators (or central authorities within the DOJ) are better equipped than are individual prosecutors to determine appropriate policing duties to be imposed on firms. Thus, as a general matter, it is not optimal to impose PDA mandates in response to deficient corporate policing.

III.  Are PDAs Optimal in Special Circumstances?

Although duty-based corporate criminal liability and ex ante regulations are generally superior to PDA mandates, PDA mandates may be appropriate when, and only when, these more traditional liability regimes cannot be relied on to induce optimal policing. In this Part, we identify and evaluate those possible situations.

We conclude that there is only one circumstance in which the traditional regimes should be supplemented by PDA mandates: when a firm is plagued by significant policing agency costs, in that top managers with direct or indirect authority over policing benefit personally either from tolerating wrongdoing or from deficient policing. Policing agency costs combine three features that, in combination, make it difficult to provide proper incentives through either corporate criminal liability or its stan­dard alternative, ex ante regulation. First, in the presence of policing agency costs, sanctions imposed on the firm may not provide sufficient incentives on managers to act in the firm’s best interests when designing or overseeing compliance or deciding whether to self-report and cooperate. Second, it is difficult to identify firms in which policing agency costs are significant through clear, ex ante criteria. Third, prosecutors may have an advantage over regulators in identifying such firms on a case-by-case basis.89 In combination, these three factors make it, in some cases, desirable to supplement duty-based, harm-contingent corporate liability or ex ante regulations with properly designed PDA mandates.

In Section A, we discuss why, in the presence of policing agency costs, PDA mandates may be desirable. In Section B, we explain why other arguable deficiencies in the traditional liability regime, such as corporate asset insufficiency, are not properly addressed by PDA mandates.

A.    Policing Agency Costs

Duty-based corporate liability—whether imposed as traditional, harm-contingent liability or through ex ante regulations—can generally induce firms to adopt optimal policing when firms are managed in the interest of shareholders. But it will not suffice to induce optimal corporate policing when managers benefit personally from making policing decisions that are not optimal from the perspective of shareholders. This can occur when managers obtain personal benefits from facilitating substantive crimes or ensuring a low probability that wrongdoing is detected and sanctioned. In addition, senior managers may eschew policing measures that entail oversight of their own actions by compliance officers, even if they plan to comply with the law, when oversight reduces their power and thwarts their autonomy.90 In these situations, even when a corporate liability regime is structured such that taking optimal policing measures is in the shareholders’ interests, managers of some firms will have self-interested reasons to induce or tolerate suboptimal policing.91 We refer to private benefits that undermine managers’ incentives to police in the best interest of shareholders as “policing agency costs.”

Policing agency costs are particularly likely to infect corporate enforcement decisions when managers own only a small portion of the firm’s stock and thus do not directly bear much of the cost of sanctions imposed on the firm for failure to satisfy policing duties.92 Thus, publicly held firms, whose managers generally own a small portion of the shares, are more likely than owner-managed, closely held firms to have high policing agency costs. Nevertheless, although all publicly held firms suffer from some general agency costs, not all (or even most) publicly held firms have high policing agency costs. Because policing often does not involve issues, such as executive compensation or corporate control, on which the interests of managers and shareholders are likely to conflict, policing agency costs may not significantly affect corporate policing decisions. Whether a publicly held firm exhibits high policing agency costs depends on various considerations that impact managers’ private incentives to undermine corporate policing. These include expected benefits of and penalties for misconduct, managers’ expected tenure, the structure of the firm’s compensation and promotion policies,93 the firm’s financial situation, the degree to which the board monitors managers, and whether the firm has an active controlling shareholder who ensures that the firm’s policing serves shareholders’ interests. Thus, policing agency costs are likely to be significant only for a subset of publicly traded firms in which the combination of the compensation structure, the management structure, the board’s structure and composition, the type of business the firm is engaged in, the type of criminal liability to which the firm is subject, and the feasibility of board oversight of compliance enables managers both to benefit ex ante from suboptimal policing and to implement it unchecked.94

The following comparison between two firms can help clarify the distinction between general and policing agency costs. Consider a publicly held firm whose senior managers’ compensation depends on cash bonuses tied to long-run firm performance. They own only a small percentage of the shares and have no unvested options. They also are relatively young, and thus their future expected wealth depends on retaining their positions over the next decades. When evaluating takeover bids and other threats to their tenure, these managers would be plagued by agency costs because they would obtain private benefits from resisting a hostile bidder intent on replacing them, even if the bid is in shareholders’ best interests. Yet these same managers will not be plagued by policing agency costs affecting their decisions about whether to implement a compliance program that deters wrongdoing by those below them. Assuming that traditional corporate liability ensures that deterring crime and corporate policing are in the shareholders’ long-run best interests, managers with compensation tied to the firm’s long-run performance also benefit from deterring misconduct and implementing optimal policing.

By contrast, consider the incentives of a different group of senior managers, which includes both the chief financial officer and the chief compliance officer. Assume that each of these managers will earn substantial incentive pay this year and next if, but only if, the firm earns higher revenues. This bonus constitutes a significant portion of their expected future earnings from the firm because either they are all due to retire shortly or the firm is underperforming and institutional shareholders will seek their ouster should things not improve. The firm is expanding into new territory rife with corruption. Weak compliance will boost short-run revenues by enabling sales obtained through bribery. But it will harm the firm in the long run because the expected sanctions for bribery exceed the benefit to the firm of the crime. In this situation, managers may intentionally fail to implement effective policing—even though shareholders want them to—because they obtain immediate private benefits from corruption and do not expect to bear any costs that may eventually be imposed on the firms. These managers are plagued by policing agency costs, which will manifest themselves in a deficient compliance program and intentionally ineffective responses to signals of wrongdoing.95

When the firm is plagued by significant policing agency costs, authorities cannot rely solely on the threat of sanctions imposed on the firm for inadequate policing to induce optimal policing. The very presence of policing agency costs undermines the incentive effects of corporate sanctions, because managers benefit from deficient policing even when the firm does not. In these situations, it may be desirable to intervene to address policing agency costs through measures that would not be desir­able absent such costs.96

One possible approach is to impose duties that are structured to combat policing agency costs. Another approach is to hold managers personally liable for the firm’s failure to satisfy its policing duties. PDA mandates can be an example of the first approach. PDA mandates are justified as a remedy to policing agency costs if three conditions are met. First, the duties imposed by the PDA are properly designed to address policing agency costs. Second, imposing these duties through PDAs ex post (after a substantive violation has occurred) is superior to imposing them through ex ante regulation. Finally, mandates are superior to liability imposed directly on managers for failure to undertake optimal policing. The next three Sections address these conditions.

1.   Using policing and metapolicing duties to reduce agency costs.

One way to address policing agency costs is to impose additional duties on affected firms, either through PDAs or through ex ante regulation. The root problem of policing agency costs is that managers can benefit from a firm’s failure to comply with its policing duties even though compliance would be in the firm’s best interest. Accordingly, in order to reduce policing agency costs effectively, it is not sufficient to impose policing duties expressed as broad standards enforced solely through corporate sanctions, as with duty-based corporate criminal liability.97 Instead, policing duties must be structured to make it harder or more costly for managers to have the firm pursue suboptimal policing. Two types of duties can be used, separately or in concert, to achieve this goal.

First, PDA mandates or ex ante regulations can require the firm to undertake specific verifiable policing measures. For example, mandates can specify the type of information to be collected, require enhanced oversight over specific high-risk business arrangements, or require creation of an internal whistle-blowing program with specified features designed to facilitate internal reporting to people trained to respond appropriately. Imposition of specific policing duties can incentivize managers, even though liability ostensibly falls on the firm, if the required policing measures are clearly specified and senior managers know that they will be held responsible for ensuring that the company undertakes them. If the duty is clear and senior managers are responsible for ensuring compliance, then these managers can expect to be blamed and sanctioned by shareholders, independent directors, and the market for any criminal penalties imposed on the firm as a result of their failure to comply with these duties. Possible sanctions on managers include termination, reduced compensation, a suit for breach of fiduciary duty under In re Caremark International Inc Derivative Litigation,98 and reputational harm.99 As a result, if a firm violates a specific policing measure, the expected costs to the responsible managers are substantially higher than they would be if a firm violates the firm’s existing ex ante policing duties, for which both the scope of the policing duties and the identity of the manager responsible for compliance may be more ambiguous. Because specific policing duties enforced by non-harm-contingent liability raise the expected costs to management (as opposed to just the cost to the firm and shareholders) for policing failures, they are a plausible device for reducing policing agency costs.

Second, PDA mandates or ex ante regulations can mute policing agency costs by relocating authority over policing from persons within the firm who are afflicted by significant policing agency costs to other persons, within or outside of the firm, who are not. Because this approach relates to the oversight, or policing, of corporate policing, we refer to it as “metapolicing.” The required metapolicing can be internal or external.

Internal metapolicing measures shift authority over, and information about, corporate policing to people within the firm who are less plagued by policing agency costs, such as outside directors. Examples of such metapolicing duties include the requirements in the BMS PDA that certain reports be submitted to the chairman of the board (a position that the BMS PDA states may not be held by the CEO) and that the chairman attend certain meetings.100 Other examples of internal metapolicing duties include requiring that the chief compliance officer be separate from the general counsel’s office and have authority to report directly to the board of directors, and requiring that the board of directors oversee the response to whistle-blowing.

External metapolicing measures give individuals outside the firm access to information about, and oversight authority over, the firm’s compliance program. These external duties are generally needed when the outside directors cannot or will not provide the oversight needed to induce optimal policing.101 External metapolicing can take the form of oversight accomplished through reporting obligations to, and periodic audits by, enforcement authorities or independent auditors. It can also be accomplished by requiring the firm to hire a monitor who has the authority to investigate the firm’s compliance with its policing mandates and the law and who reports her findings to enforcement authorities.

As to both internal and external metapolicing, there is little concern that the company will fail to comply with its metapolicing duties. As long as internal metapolicing duties are specific, and sanctions for breach render compliance cost-effective, the outside directors can generally be relied on to ensure that the firm complies. For example, directors of a firm who are required to make sure that the chief compliance officer is given the authority to report directly to the board are likely to do so. The directors would not benefit directly from breach and would risk shareholder wrath (and potential liability) if they deliberately failed to ensure that the firm complies with the mandate.102 External metapolicing duties in turn provide their own oversight. Prosecutors can readily oversee whether the firm is complying with its external metapolicing duties, such as to report to prosecutors, to hire a monitor, or to regularly report to regulators. This should be sufficient to ensure that the firm complies with these duties.

2.   PDA mandates versus ex ante regulation.

Authorities could impose specific policing duties or metapolicing duties on firms with heightened policing agency costs by using either PDAs or ex ante regulations. The central difference is that ex ante regulations impose generally applicable duties on all firms, or on firms meeting certain criteria, regardless of whether a wrong was detected. PDA mandates, by contrast, can impose duties only on firms with detected wrongdoing.

This distinction would appear to favor regulation because policing agency costs are significant in many firms without detected wrongdoing. Regulating policing agency costs through PDA mandates, rather than ex ante regulation, thus fails to reach many firms afflicted by policing agency costs.

But even though PDA mandates tend to be underinclusive, they may sometimes be superior to ex ante regulation. As we explain in this Section, ex ante regulation will generally cover too many firms, and it may be more beneficial to address policing agency costs through underinclusive PDA mandates than through overinclusive regulation. The reason why ex ante regulation will tend to be overinclusive is that regulatory authorities cannot easily identify firms with high policing agency costs based on criteria they can easily observe ex ante. Beyond the fact that a low managerial ownership stake is a prerequisite for the existence of significant policing agency costs,103 policing agency costs are not associated with any particular easily identifiable structural features of the firm. Regulators attempting to specify the set of firms subject to additional duties ex ante would inevitably either have to use criteria that capture both firms with high policing agency costs and firms at which policing agency costs are low, or have to rely on a costly case-by-case investigation to determine whether a firm should become subject to additional duties.104

By contrast, prosecutors can use PDAs to target mandates at firms with high policing agency costs. PDA mandates are imposed after the firm has had the opportunity to employ its policing measures and has been investigated for committing a substantive crime. Prosecutors often obtain information about the firm’s policing in the course, and as a by-product, of their investigations. In addition, they obtain this information when the quality of policing is best observed: when a firm has committed a substantive violation. Moreover, given that prosecutors already have to spend resources investigating an alleged substantive crime and the company’s policing, they may also be able to identify firms with high policing agency costs at no or relatively low marginal cost. For example, prosecutors may learn specific facts that indicate that senior managers with influence over policing benefited from deficient policing—for example, because the wrongdoing enabled managers to achieve a short-term bonus target and fend off an attack by a shareholder activist—and that top management subtly discouraged or failed to pursue a full-scale investigation of the wrongdoing for their own benefit. Alternatively, they might learn both that an imperial CEO implemented a relatively ineffective compliance program governing financial reporting and oversight to enhance his own autonomy and free him from oversight, and that the board was aware of only the general outline of the program and failed to focus on the specific features that rendered the program ineffective. Distinguishing simple policing failures from those produced by policing agency costs thus requires consideration of factors that are often more easily observed by prosecutors ex post than by regulators ex ante. Unlike regulations, PDA mandates that are imposed postcrime, on a firm-by-firm basis, can therefore avoid the overbreadth problem.

Thus, ex ante regulation and PDA mandates each have advantages over the other depending on the circumstances. The central advantage (and disadvantage) of ex ante regulation as compared to PDA mandates is that it is broader in scope. On the one hand, it generally reaches more firms with policing agency costs than PDA mandates would, including firms with no detected wrongdoing. On the other, it also applies to more firms without policing agency costs. Accordingly, regulation is generally superior to PDAs when the benefits of broad imposition of the duties exceed the costs of overbreadth. Ex ante regulation may thus be superior for imposing duties that entail low net costs even for firms without substantial policing agency costs but generate significant benefits for firms with high policing agency costs. In such circumstances, it may be desirable to address policing agency costs by imposing ex ante regulatory duties on all publicly traded firms or on all such firms without a dominant shareholder.105

By contrast, PDA mandates are likely to be superior to ex ante regulation for imposing specific policing duties and metapolicing duties that are optimally imposed only on the subset of firms that are plagued by significant policing agency costs, because they generate significant net social costs when imposed on firms without substantial policing agency costs. Compliance with several policing and metapolicing duties imposed by PDAs that address policing agency costs is indeed very costly.106 The costs include not just direct out-of-pocket expenses associated with compliance—which can be considerable—but also the potential adverse effect that the policing and metapolicing have on the firm’s productivity. Policing imposes layers of oversight and scrutiny that may delay decision-making and reduce indepen­dent initiative. In addition, mandated policing may crowd out a different, more effective policing system that loyal managers (that is, those without policing agency costs) would have instituted on their own accord. Thus, PDAs are likely to be the preferable mode for imposing monitorships and other measures that are not cost-effective in firms without substantial policing agency costs.

PDAs are also preferable for imposing policing and metapolicing mandates designed to address specific policing agency costs salient in particular firms. The postcrime investigation provides information about the specific nature of the firm’s agency cost problem. This can enable prosecutors to impose duties that are designed to address the specific problem at hand. For example, the prosecutor can better determine ex post whether metapolicing should be done internally or requires external oversight. While prosecutors should have guidance on how to make these decisions, ex post imposition of mandates tailored to the specific situation of the firm may be superior to mandates imposed ex ante by regulators.

To be sure, because PDA mandates can be imposed only on firms with prior detected wrongdoing, they are an imperfect mechanism for addressing policing agency costs. PDA mandates will not reach firms with high policing agency costs that have no detected wrongdoing. Still, given the difficulty in identifying firms with high policing agency costs ex ante, PDA mandates are likely to be superior to ex ante regulation for imposing those policing and metapolicing duties that are optimal only when targeted at firms with high policing agency costs.

3.   PDA mandates versus agent liability.

PDA mandates are justified by policing agency costs only if they are superior to (or are needed as a supplement to) duties enforced by personal liability on the agents responsible for the company’s failure to undertake proper policing. Individual liability imposed on managers and directors who fail to implement the required policing is, in theory, the most direct way to address policing agency costs. Yet there are several reasons why individual liability for breach of a corporate policing duty either should not be imposed or should be supplemented with PDA mandates that impose corporate liability for policing breaches.

In practice, imposing direct agent liability for a general failure to act in order to ensure adequate corporate policing is difficult.107 First, in a corporate structure that involves many employees with authority to influence policing, it is often impossible to identify a single person who should be held responsible for a failure to act. This is particularly true of compliance, which requires decisions by the board and many officers, as well as attention across divisions of the firm and its subsidiaries.108

Second, to the extent that such a person can be identified, broad personal managerial liability for any deficiency in the firm’s policing is likely to induce managers to have the company engage in excessive policing. If, as is usually the case, the precise scope of the policing duty is not completely clear, individual managers will inevitably worry that, in hindsight, their policing efforts will be deemed deficient should a crime occur. Imposing liability on upper-level managers and directors with control over the firm’s purse strings can be expected to induce excessive expenditures on policing because managers spending the firm’s money will overinvest in compliance if doing so could reduce their own expected personal liability.109

In addition, even when individual managerial liability is appropriate,110 PDA mandates may be needed to supplement this liability because it often will not be possible to adequately deter this misconduct through individual liability alone. The person identified as responsible for policing may have insufficient assets to satisfy the optimal liability amount, or the person may be outside the jurisdiction of the United States and beyond the reach of its criminal and civil authorities. Thus, imposing liability only on managers for the firm’s failure to police properly may not be effective in addressing policing agency costs. PDA mandates that relocate authority over policing decisions or have the effect of exposing managers outside US jurisdiction to sanctions by the firm could compensate for these deficiencies in an agent liability regime.

B.    Asset Insufficiency

Besides policing agency costs, there is one other set of circumstances in which sanctions imposed on the firm may not provide adequate incentives to take proper policing measures: when firms do not have sufficient net assets to pay the optimal sanction (asset insufficiency).111

Asset insufficiency tends to have a greater negative impact on deterrence when firms are subject to harm-contingent liability than when potential liability is non–harm contingent, such as under ex ante regulation and PDA mandates. Thus, when firms are asset constrained, it may often be desirable to impose non-harm-contingent sanctions on firms.

Asset insufficiency is less of a concern under non-harm-contingent liability because the optimal non-harm-contingent sanction is generally substantially lower than the optimal harm-contingent sanction.112 The explanation for why optimal sanctions can be lower when liability is non–harm contingent is best illustrated through an example. Assume that it is optimal to induce firms to invest an amount C in corporate policing (for example, compliance). In order to induce firms to incur this cost, the government must ensure that each firm’s expected costs are lower if it invests C in compliance than if it does not.113 Enforcement authorities can provide this incentive by imposing a duty to have effective policing enforced by a fine of F on any firm that breaches this duty. As long as the expected sanction, P × F, imposed on firms with poor compliance—given by the amount of the fine (F) multiplied by the probability that policing breaches are sanctioned (P)—equals or exceeds the cost of optimal compliance (C), the firm will undertake optimal compliance. Accordingly, firms will police optimally so long as the sanction for inadequate policing, F, equals or exceeds the cost of optimal compliance divided by the probability that liability is imposed, C/P.114 As a result, when the probability that a firm will be sanctioned (P) is higher, the requisite sanction (F) needed to induce firms to invest C in policing is lower.

Non-harm-contingent liability entails a higher probability of sanction than does harm-contingent liability. With non-harm-contingent liability, the government can sanction any firms it detects breaching their policing duties, both those that also committed a substantive crime and those that did not. By contrast, with harm-contingent liability, enforcement authorities can sanction a firm that they detect a breaching duty only if, in addition, the firm commits a substantive crime and the authorities detect it. Because non-harm-contingent liability entails a higher probability of sanction than harm-contingent liability, the optimal sanction is lower. Accordingly, even when a firm would not have sufficient assets to pay the harm-contingent sanction required to induce optimal policing, enforcement authorities may still be able to use non-harm-contingent sanctions to induce optimal policing because the requisite sanctions are lower.

Asset insufficiency thus justifies supplementing or replacing harm-contingent duty-based liability with non-harm-contingent duty-based liability. PDA mandates constitute such a supplement, yet they are not the appropriate solution for firms that cannot pay the optimal harm-contingent sanctions.115 Instead, asset insufficiency should be addressed through ex ante regulations that impose policing duties and non-harm-contingent sanctions on firms that may not have sufficient assets to pay the optimal harm-contingent sanction. Ex ante regulations are more effective at dealing with asset insufficiency than PDA mandates are, because ex ante regulations can impose non-harm-contingent liability in all contexts in which asset insufficiency is a concern. By contrast, PDA mandates can impose non-harm-contingent liability on only those firms with prior detected wrongdoing—leaving all others needing this intervention with inadequate incentives to police.116

This ex ante regulatory approach is possible because regulators generally have sufficient information to identify—and establish standards that would allow firms to identify—situations in which asset insufficiency is a concern ex ante. For example, they can target firms with a small amount of net assets, firms operating in an industry in which optimal compliance expenditures are high relative to assets, or firms conducting operations that generate a small probability of very costly harm.117 To the extent that any additional duty, or any additional enforcement mechanism, is optimal to address asset insufficiency, this duty should be imposed, or the enforcement mechanism should be implemented, through ex ante regulation or regulatory enforcement policy that addresses this problem generally, rather than through PDAs that can apply only to the narrow subset of firms that happen to have engaged in prior wrongdoing.

Even to the extent that firms with asset insufficiency cannot be identified through clear ex ante rules, we see no room for PDA mandates. In cases involving high policing agency costs, the argument for PDA mandates is based on the prosecutors’ ability to obtain information about the extent of these costs in the course of, and as a by-product of, their investigation of the substantive crime. Assessing the severity of policing agency costs requires a case-by-case analysis. Prosecutors are likely to have a comparative advantage over regulators in conducting this analysis, given that they are already investigating the substantive crime. But we see no equivalent comparative advantage with respect to asset insufficiency. Unlike the type of soft information that may affect the assessment of policing agency costs, asset insufficiency is determined by hard factors—with the ultimate question being whether the company’s balance sheet is strong enough to pay the liability the firm may face if it commits a wrong. Any relevant information learned by prosecutors could be easily obtained by regulators, who, due to their financial and industry expertise, should be superior to prosecutors in their ability to make a determination of asset insufficiency based on this information.

Asset insufficiency thus resembles policing agency costs in one important respect: the possibility that corporate criminal sanctions do not provide adequate incentives for managers justifies additional interventions. But asset insufficiency differs from policing agency costs in the two other important respects: the ability to identify the firms that should be subject to additional duties ex ante and the absence of a reason to expect that prosecutors have a comparative advantage over regulators in identifying such firms on a case-by-case basis.

C.    Targeted Heightened Duties

In the course, and as a by-product, of their investigations, prosecutors may obtain information that indicates that a firm should be subject to heightened duties relative to those generally imposed ex ante. As we have argued in Section A, information that prosecutors obtain about policing agency costs at a specific firm may justify the imposition of PDA mandates on such a firm to address those policing agency cost problems. This raises the question: Are prosecutors similarly justified in using PDAs to impose heightened duties when they obtain other information suggesting that additional duties are needed for reasons other than policing agency costs? The answer, in brief, is no.

To be sure, optimal policing duties are likely to vary among firms. For example, the optimal compliance program to deter violations of the FCPA should differ between firms doing business in countries with low levels of corruption, such as Sweden, and those doing business in countries with high levels of corruption, such as Uzbekistan.118 PDAs enable prosecutors to impose mandates that can vary across firms in response to their different circumstances. But this aspect of PDA mandates does not justify prosecutors imposing mandates on firms ex post. Generally, the best response to the variation in optimal duties is to vary the policing duties imposed on firms ex ante, so that heightened policing duties are imposed on all firms that need them.119 This can be accomplished through heightened ex ante duties imposed through either harm-contingent corporate liability or regulation.

Ex ante duties are clearly superior when both the corporate characteristics warranting special or enhanced policing and the optimal policing responses to these characteristics can be identified based on criteria that are observable ex ante. In this situation, enforcement authorities can induce optimal policing by imposing the heightened duty ex ante on all firms with a particular characteristic. This is preferable to using PDAs, which can impose enhanced duties on only a small subset of the firms requiring enhanced policing—those with prior detected wrongdoing.

But ex ante duties may also be preferable to PDA mandates when regulators and prosecutors cannot, ex ante, identify which firms should be subject to heightened duties through clear rules. Ex ante duties are likely superior as long as regulators can both identify the type of firms requiring heightened duties and establish standards that would enable firms to determine ex ante which heightened duties they are subject to. Enforcement authorities can then determine ex post whether firms were subject to and breached heightened duties. As long as the firm’s policing is designed to maximize profits (and the duty and sanctions are set at proper levels)—that is, the firm is not subject to significant policing agency costs—authorities can provide proper incentives through such ex ante duties.

Ex ante regulation can be employed effectively to address circumstances warranting heightened policing, other than policing agency costs, by using firm-level liability to ensure that firms are better off if they comply with their enhanced duties. Absent policing agency costs, corporate liability can induce managers to ensure that the firm complies with its heightened duties. It is in this crucial respect that policing agency costs differ from other aspects of a firm that potentially support heightened policing duties. In the presence of policing agency costs, ex post sanctions imposed on the firm will not induce the firm to assess the likely scope of its duties and police accordingly, because managers are not seeking to undertake the policing that maximizes firm profits.

D.    PDA Mandates as Second Best

Our analysis so far of when PDAs are justified has assumed that firms would alternatively be subject to proper duty-based corporate liability. But corporate liability may not be structured optimally. Government authorities may fail to establish optimal ex ante policing duties or to impose optimal sanctions due to interest group capture, inertia, political gridlock, or time and resource constraints.120 A prosecutor may thus encounter situations in which she feels that the existing liability regime is not sufficient to induce optimal policing. The prosecutor may agree that the best way to address these problems would be to reform the existing ex ante duties and sanctions. But she may conclude that this is unlikely to happen, at least in the short run. This presents the question: Should an individual prosecutor try to remedy this situation by using PDAs to impose policing and metapolicing mandates on select firms with prior detected wrongdoing when the prosecutor has the power to do so? Our answer, again, is no.

First, individual prosecutors who conclude that incentives to adopt proper policing are insufficient may be wrong in either their assessment that the existing regime requires reform or their choice of what mandates to impose. Prosecutors’ expertise lies in detecting and sanctioning specific wrongdoing. Yet individual prosecutors are unlikely to have the expertise needed to substitute their judgment for that of Congress, regulators, and other authorities acting ex ante regarding the appropriate policing duties and sanctions to impose across an entire set of firms. Unlike Congress, regulators, and other authorities acting ex ante, individual prosecutors tend to lack industry-specific expertise, the staff needed to engage in studies or fact-finding, and the systematic input from firms subject to policing duties or from potential victims of wrongdoing. The probability of error by individual prosecutors is heightened when the regime they are trying to adopt could have easily been put in place by Congress, regulatory agencies, or other authorities who have the requisite expertise. These bodies—explicitly or implicitly—decided not to adopt the regime that the prosecutor would prefer, raising the possibility that these groups, deciding with the benefit of expert advice, correctly concluded the mandates should not generally be imposed.121 Thus, while authorities with rulemaking power to act ex ante may err, individual prosecutors attempting to address their deficiencies are even more likely to err when they override the judgment of these authorities.

Prosecutors also may err because they pursue either the wrong social goal or their own private aims. Prosecutors are trained to think about what is needed to make sure crime does not happen. But this is not, and should not be, the standard employed to establish “effective” or “reasonable” compliance. Compliance is costly.122 Optimal compliance policy thus involves trade-offs between the goals of deterring wrongdoing and of not burdening the firm with excessive costs.123 Prosecutors have expertise in only one side of this trade-off. Given their institutional bias, they are likely to overweight the benefits of crime reduction while giving insufficient weight to the costs of compliance.

In addition, some prosecutors may be tempted to impose mandates to serve their own aims, not social aims. Prosecutors may agree to reduce the monetary sanctions and substitute a general mandate in order to obtain a faster resolution of a high-profile case, while still appearing tough on crime. This practice may serve prosecutors’ personal aims, but it reduces the ex ante deterrent effect of duty-based corporate criminal liability if firms expect prosecutors to reduce the monetary sanctions imposed for their initial breach of policing duties. In addition, prosecutors can pursue personal aims when imposing mandates requiring the firm to appoint a particular person as either an independent director or an outside monitor,124 because a prosecutor has a significant say in the identity of these individuals.125

To be sure, the risk of error by prosecutors and the risk that prosecutors may pursue the wrong social goal or their own private aims are also present with PDA mandates imposed on firms believed to suffer from policing agency costs. However, the context of policing agency costs differs from other contexts in two respects that may justify the use of PDAs despite these risks. First, prosecutors enjoy a comparative advantage over regulators in identifying specific firms requiring additional regulation because of policing agency costs. Second, prosecutors imposing mandates to address policing agency costs are less likely to be overriding an ex ante informed decision by regulators that mandates are not necessary. Because regulators cannot easily identify firms with policing agency costs, their failure to impose ex ante duties that are justified by policing agency costs does not amount to an implicit rejection of the need for these heightened duties for firms identified as suffering from policing agency costs. As a result, as we have argued in Part III.A, PDA mandates that are properly designed can be superior to ex ante regulations in addressing policing agency costs. Even taking into account the risk that prosecutors get it wrong (as compared to the risk that legislators or regulators get it wrong), properly implemented PDA mandates can be a desirable component of the liability regime in the context of policing agency costs.

Outside the context of policing agency costs, however, we do not see a basis for concluding either that individual prosecutors, as a rule, are superior at devising duties and sanctions or that an individual prosecutor can identify the specific circumstances in which she is superior. These considerations suggest that individual prosecutors should not design firm-specific duties to remedy general problems best addressed through a general solution, such as ex ante regulation.

E.    Summary

Prosecutors are justified in imposing PDA mandates, but only to address one particular situation: when the firm failed to police properly because its managers or the board obtained private benefits from deficient policing. In such circumstances, it may be desirable to impose highly specific compliance duties or metapolicing duties through PDA mandates. Otherwise, Congress, regulators, and other authorities should address policing deficiencies through appropriate, generally applicable policing duties imposed ex ante.

IV.  Optimal and Actual Enforcement Policy Governing Mandates

In the preceding Part, we concluded that PDA mandates should be used to supplement duty-based corporate criminal liability only when firms are plagued by significant policing agency costs and then only when the mandates are superior to ex ante regulation and likely to reduce policing agency costs in an efficient manner. This conclusion has implications for federal enforcement policy. It helps to identify the type of firms that are appropriately subject to mandates and the appropriate structure of these mandates.

A.    When Should Mandates Be Imposed? Optimal versus Actual Policy

PDA mandates should be imposed only if two conditions are met. First, the firm with detected wrongdoing must have had a policing deficiency prior to the PDA attributable to policing agency costs. Second, the firm must be likely to be plagued by policing agency costs in the future absent intervention. In this Section, we evaluate existing Criminal Division policy and federal practice and show that the current approach to mandates is not justified.

1.   Mandates are not justified solely by inadequate compliance.

Existing DOJ policy and practice encourages prosecutors to impose compliance mandates whenever the firm did not have an effective compliance program at the time of the wrongdoing.126 This is too broad. Evidence of deficient policing is not sufficient, on its own, to infer that a firm was plagued by policing agency costs—the only circumstance in which a PDA mandate is justified.

First, any policing deficiencies identified by prosecutors may have been due to managers erring in determining the required level of compliance or the level of compliance the firm is actually undertaking. While the Organizational Sentencing Guidelines and federal enforcement policy in effect impose an ex ante duty on all firms to adopt an effective compliance system, this duty takes the form of general standards that leave considerable room for interpretation.127 Directors or managers of firms with deficient compliance programs may have believed in good faith that their firm complied with the requisite policing standard, only to find out later that the firm did not. This is particularly likely when the firm’s approach to compliance resembled that of other firms in the industry and the relevant regulatory authority never expressed disapproval of the standard approach. Alternatively, the firm may have underinvested in compliance because the existing regime does not provide firms with adequate incentives to adopt an effective compliance program. This can occur, even with large fines, if the additional compliance expenditures exceed the sanction discounted by the probability that a sanction will be imposed (which requires, for harm-contingent liability, that a substantive violation occurs and is detected).128 It may also occur, paradoxically, if compliance enhances the risk that wrongdoing is detected and the sanction for committing a substantive violation, even if the company has taken compliance measures, is too high.129 These problems are best rectified by measures such as clarification of the requisite policing standards or an increase (or decrease) in sanctions determined by the proper regulatory authorities on an ex ante basis (or, in the case of good-faith mistakes, may best be left alone), rather than by ex post mandates devised by prosecutors.

Thus, the current federal policy and practice should be replaced with one favoring mandates only when a firm with detected wrongdoing had policing deficiencies that were attributable to substantial policing agency costs that are likely to continue absent intervention.

2.   When mandates are inappropriate.

As previously discussed, the specific attributes of a firm that generate policing agency costs are hard to identify ex ante. Thus, individual prosecutors inevitably must be given some discretion to determine, based on the information they have obtained in the course of their investigation, whether policing agency costs were present at the time of the crime and are likely to continue in the future.

Nevertheless, it is possible to identify circumstances in which mandates are unlikely to be necessary. In these circumstances, prosecutors should generally not impose mandates, and the DOJ should instruct them accordingly. We discuss three such circumstances.

a) Controlling shareholders.  Mandates generally should not be imposed if an individual or a privately held corporate shareholder owns a stake in the firm that is sufficiently large to enable them to control the board (that is, if they are a controlling shareholder). Controlling shareholders generally have the incentives and the authority to ensure that the firm adopts the policing measures, including appropriate metapolicing measures, that serve shareholders’ interests. Enforcement authorities thus can induce the desired corporate policing through duty-based liability enforced by adequate monetary sanctions imposed on the firm.130

To be sure, even firms with controlling shareholders may commit corporate crimes and engage in inadequate policing. In these firms, however, policing is likely to be inadequate for reasons other than policing agency costs. Potential reasons include insufficient corporate financial incentives to undertake effective policing,131 insufficient information about effective policing, and asset insufficiency.132 These problems should be addressed through a combination of information and appropriate corporate and individual liability structured to ensure that the firm is better off ex ante if it adopts optimal policing. PDA mandates are neither an optimal substitute nor a proper complement to this regime in this situation.

Thus, for example, we are skeptical whether the PDA mandates imposed on Exactech, Inc, are justified.133 It is unlikely that the firm’s failure to adequately police to prevent salesmen from paying kickbacks to surgeons in order to enhance sales of the firm’s products was attributable to policing agency costs. Dr. William Petty and Betty Petty, Exactech’s founders, owned 29.2 percent and also had operational control of the firm. William was chairman of the board and chief executive officer. Betty was vice president of administration and corporate secretary. Their son, David, was president and a director of the firm.134 With these ownership stakes, adequate monetary sanctions imposed on the firm for deficient policing should provide sufficient incentives for the Petty family to ensure that Exactech undertakes the required policing measures.

b) Corporate self-reporting.  PDA mandates are questionable when top managers proactively responded to suspected wrongdoing by taking reasonable and good-faith measures to investigate the wrongdoing, report it to the enforcement authorities, and cooperate in their investigation. These actions suggest that top managers do not have the hear-no-evil, see-no-evil attitude that is the hallmark of policing agency costs.

To be sure, even if the firm and its managers investigated, self-reported, and cooperated, policing agency costs could conceivably affect other elements of corporate policing, such as the firm’s compliance program. Conceivably, managers investigated, self-reported, and cooperated only because the evidence of wrongdoing was staring them in the face but would have been happier if the compliance program had never uncovered such evidence.

However, if the company acted reasonably and in good faith once evidence of wrongdoing emerged, it is likely that any deficiency in ex ante compliance is not attributable to policing agency costs. Management, for example, may have instituted a deficient compliance program because they concluded in good faith either that the compliance program was effective135 or that the cost of effective compliance to the firm exceeded its benefit given expected sanctions. Both of these problems are better addressed through clearer ex ante compliance duties and adequate monetary sanctions for breach.

The DOJ, at present, does not treat prompt and full corporate self-reporting as a consideration that weighs against most mandates. The Criminal Division has informed prosecutors that one type of mandate, requiring a monitor, is likely inappropriate if the firm self-reported.136 But it has not reached a similar conclusion for other mandates, such as compliance program mandates.137 As a result, prosecutors impose compliance mandates and other mandates on firms that self-reported and fully cooperated. We question this practice.

Accordingly, we are skeptical whether certain mandates imposed on Johnson & Johnson (J&J) for FCPA violations by its subsidiaries were justified.138 In that case, prosecutors determined that the firm engaged in voluntary and timely self-reporting and fully cooperated. Yet prosecutors still imposed
extensive mandates, requiring, among other measures, the appointment of a chief compliance officer with significant FCPA experience who reports directly to the audit committee of the board, the identification of at least five operating companies that are at high risk for corruption, FCPA audits of these companies at least once every three years, and thorough FCPA diligence of all sales intermediaries as well as of any firm J&J plans to acquire.139 Given management’s response to the wrongdoing once it was detected, these PDA mandates are not warranted based on the information available from the PDA.

c) Firms with new ownership and management.  PDA mandates are not justified unless prosecutors detect policing agency costs that are likely to affect the firm’s future policing efforts. It is generally reasonable to assume that firms that had deficient policing in the past as a result of policing agency costs will continue to be plagued by policing agency costs in the future. But this presumption does not hold for a firm that underwent a transformation following the violation that directly affected its policing agency costs. Thus, when the firm was acquired by another firm, there is usually less reason to believe that preacquisition policing agency costs will persist postacquisition. Lesser changes, such as replacement of top management or significant changes in compensation policy, may also ameliorate the firm’s policing agency costs, depending on the source of the original problem. For example, if a firm’s policing agency costs were attributable to a CEO who was particularly averse to interference by the compliance department, a replacement of the CEO may substantially reduce policing agency costs.140 In these situations, past defects on their own are unlikely to justify PDA mandates.

Accordingly, we are skeptical whether the PDA mandates imposed on Massey Energy Company following an explosion at one of its coal mines were justified.141 Massey was acquired by Alpha Natural Resources after the accident and before the PDA was imposed.142 In addition, Massey’s CEO and president had left the company, and the Massey officer who replaced him as CEO was going to have only an advisory role after the merger.143 Thus, even if prosecutors had evidence that the deficient policing prior to the accident was due to policing agency costs, this would not establish that the firm was plagued by policing agency costs following the acquisition. The PDA mandate imposed on Massey would be justified only if prosecutors had evidence that Alpha suffered from significant policing agency costs.144 How­ever, it is unlikely that the prosecutors had obtained significant information about Alpha in their investigations of events that largely, if not entirely, preceded Massey’s acquisition by Alpha.

B.    What Type of Mandates?

The policing agency cost justification for PDA mandates also places limitations on the type of mandates that should be imposed. Mandates should be designed to induce optimal policing by a firm burdened by policing agency costs. This goal has several implications.

First, mandates should address the underlying problem: the presence of significant policing agency costs. As discussed above, mandates can do so in two ways: by imposing specific policing duties or by imposing metapolicing duties that shift authority or oversight over policing to persons inside or outside the firm who are not subject to significant policing agency costs. Mandates that contain neither of these measures are likely to be ineffective in addressing policing agency costs. Thus, we would not regard PDA mandates that require the firm merely to adopt a compliance program that satisfies the Organizational Sentencing Guidelines as justified. Such mandates are not sufficiently specific as to what policing duties a firm must undertake, nor do they provide for effective metapolicing. Similarly, PDAs that impose general policing duties supplemented by no more than a duty to make an annual self-report to prosecutors are suspect. Prosecutors receiving nothing more than an annual report prepared by the firm are often unlikely to provide effective oversight over compliance because they do not have sufficient industry expertise, time, or incentives to determine whether the firm has in fact adopted and is implementing an effective policing regime.145

Second, PDA mandates should generally be targeted at reducing policing agency costs, rather than at improving corporate governance more generally. PDA mandates create an inevitable risk that prosecutors will err when imposing internal reforms. The risk of error is lower, and may be worth incurring, when mandates relate directly to policing measures. After all, prosecutors have some general enforcement and firm-specific expertise that should enable them to identify both the policing deficiencies that exist within a firm and the policing and metapolicing mandates that could address the agency costs that led to the deficient policing. By contrast, prosecutors rarely have the requisite information or expertise to identify desirable corporate governance reforms more generally.146

These considerations lead us to be skeptical that a freestanding, PDA-imposed mandate to separate the chairman of the board and the CEO is justified.147 Corporate governance experts do not agree on whether and when it is desirable to separate these positions.148 In addition, institutional shareholders can readily determine whether a firm has adopted this reform and exert substantial pressure on boards to separate these positions when they deem it important to do so.149 Finally, the benefits from such a separation in reducing policing agency costs often will be incidental relative to the more fundamental impact on overall corporate governance. Nevertheless, in the right circumstances, a PDA-imposed mandate to separate the chairman of the board and the CEO that is coupled with provisions shifting responsibility for corporate policing to the chairman is justified. Such a mandate would assure that a corporate officer who is not subordinate to the CEO has responsibility for policing and would be targeted to the possibility that policing agency costs afflict the CEO.

C.    Summary of Reforms

Our analysis thus reveals that DOJ policy and prosecutors’ enforcement practice should be reformed along three dimensions: first, the general standard for imposing policing mandates; second, the criteria that determine when mandates are imposed; and third, the type of mandates imposed.

Most importantly, current DOJ policy encouraging prosecutors to impose policing mandates on any firm with detected wrongdoing and a deficient compliance program should be revised. Mandates should be imposed only if the prosecutor has evidence to conclude that the inadequate policing was due to substantial policing agency costs and that, absent intervention, such agency costs will result in inadequate policing in the future.

In addition, prosecutors should be given guidance on factors that generally indicate that policing agency costs either do not explain the firm’s past deficiencies or are unlikely to persist in the future. These factors include the company having a controlling shareholder; the company having taken reasonable, good-faith steps in investigating, self-reporting, and cooperating with prosecutors with respect to the wrongdoing; and the company having gone through a postcrime transformation, such as through an acquisition of the firm, that affected its policing agency costs.

Moreover, mandates must address the underlying policing agency cost problem. To do so, they should consist of specific, detailed policing duties or metapolicing measures. Mandates that contain neither of these provisions are likely to be ineffective in addressing policing agency costs. Duties that go beyond these measures are likely to do little to reduce policing agency costs and may be socially costly.

Finally, given that prosecutors imposing mandates act as quasi regulators, it would appear appropriate for the DOJ to obtain, make available, and study data on the mandates imposed, and to study firms subject to mandates over time, to determine which mandates are most effective.

Conclusion

Federal prosecutors overseeing corporate criminal enforcement have increasingly stepped out of the courtroom and are now making structural corporate reform decisions—decisions that are more normally the province of management, Congress, or civil regulators. In so doing, prosecutors have transformed their relationship with corporate wrongdoers, assuming the role of firm-specific regulators. The mandates they impose can be very consequential, for example, altering a firm’s internal governance or imposing hundreds of millions of dollars in additional compliance costs.

DOJ policy and practice encourages prosecutors to impose PDA mandates on firms with detected wrongdoing and inadequate compliance. We find that PDA mandates can be justified. Yet our analysis reveals that the DOJ’s broad embrace of PDA mandates is not warranted. Generally, proper incentives for firms to police wrongdoing should be supplied through harm-contingent liability or ex ante regulations that impose both up-front policing duties and adequate monetary sanctions on firms that violate their duties. PDA mandates are justified, in our view, only when a firm failed to take proper policing measures due to policing agency costs. Policing agency costs arise when managers derive personal benefits if the firm does not adopt the policing measures that maximize the firm’s profits. In the presence of policing agency costs, penalties imposed on the firm may not induce the firm to adopt optimal policing measures. Our analysis shows PDA mandates can reduce this problem.

Our conclusion that mandates are justified by policing agency costs limits the type of mandates that should be imposed. In particular, we can identify situations in which mandates presumptively should not be imposed, notwithstanding deficient policing, because it is unlikely that deficient policing is attributable to policing agency costs that will persist. Thus, PDA policing mandates generally are not justified when an individual or family-owned corporation owns a high stake in the firm; when top managers, reasonably and in good faith, investigated the wrongdoing, reported it to the enforcement authorities, and cooperated in the investigation; and when the firm, after the wrongdoing, underwent a transformative change that affected its policing agency cost structure.

In addition, in order to be justified, PDA mandates must be designed to effectively address policing agency costs. The only justifiable policing mandates, in our assessment, are those that impose specific policing duties and those that impose metapolicing duties. PDA mandates that merely restate the vague requirement to adopt a policing program that satisfies the Organizational Sentencing Guidelines or that are directed at improving corporate governance more generally, as is the case for some PDA mandates, are not justified. Such mandates are not likely to be cost-effective in reducing policing agency costs.

We thus call on the DOJ to reform its current policy and practices to ensure the proper use of mandates. In so doing, we disagree with those who suggest that the DOJ should abandon PDAs altogether on principle.150 PDA mandates can be desirable to address policing agency costs—a problem that often cannot be effectively handled by more generally applicable criminal liability or regulations—but mandates must be imposed more selectively than they presently are and must be structured to address these costs.

  • 13See note 6 (explaining that firms are effectively subject to ex ante duties to adopt effective compliance programs, self-report, and cooperate because, under federal policy, failure to take such actions increases both the probability of formal conviction and the expected sanction imposed). In addition, some statutes, such as the Foreign Corrupt Practices Act, require firms to adopt an effective compliance program to detect certain types of misconduct. See, for example, Foreign Corrupt Practices Act of 1977 (FCPA) § 102, Pub L No 95-213, 91 Stat 1494, 1494–95, codified as amended at 15 USC § 78m(b)(2).
  • 14See note 55 and accompanying text.
  • 15Corporations are “strictly” criminally liable in the sense that, in the United States, firms are liable for all crimes committed by employees in the scope of employment, even if the firm did all it reasonably could to prevent the crime and no member of senior management or the board participated in or condoned the crime. See United States v Potter, 463 F3d 9, 25–26 (1st Cir 2010); United States v Ionia Management SA, 555 F3d 303, 309–10 (2d Cir 2009) (per curiam); United States v Automated Medical Laboratories, Inc, 770 F2d 399, 406–08 (4th Cir 1985). See also Charles Doyle, Corporate Criminal Liability: An Overview of Federal Law *3 (Congressional Research Service, Oct 30, 2013), archived at http://perma.cc/2WH9-GLJF.
  • 16Individuals, too, are criminally liable for crimes committed with the requisite mens rea, even if they acted on behalf of the firm and were following instructions. See United States v Wise, 370 US 405, 407–08, 416 (1962). See also USAM § 9-28.210 (cited in note 6) (stating that prosecutors should proceed against individuals who commit corporate crimes); Doyle, Corporate Criminal Liability at *5–6 (cited in note 15).
  • 17See, for example, United States v Dye Construction Co, 510 F2d 78, 80–82, 84 (10th Cir 1975); Texas–Oklahoma Express, Inc v United States, 429 F2d 100, 101–02, 104 (10th Cir 1970); Riss & Co v United States, 262 F2d 245, 246, 251 (8th Cir 1958); United States v George F. Fish, Inc, 154 F2d 798, 799–81 (2d Cir 1946).
  • 18See, for example, United States v Twentieth Century Fox Film Corp, 882 F2d 656, 660–61, 666 (2d Cir 1989); United States v Hilton Hotels Corp, 467 F2d 1000, 1004–08 (9th Cir 1972).  
  • 19See Ionia Management SA, 555 F3d at 309–10. Under the Organizational Sentencing Guidelines, a corporation that had an effective compliance program, self-reported, and cooperated is eligible for a reduced fine. Organizational Sentencing Guidelines § 8C2.5(f)–(g) (cited in note 5). Yet the mitigation granted to larger firms is too low to incentivize firms to undertake effective compliance or to self-report. Jennifer Arlen, The Failure of the Organizational Sentencing Guidelines, 66 U Miami L Rev 321, 344–51 (2012). Moreover, convicted firms remain subject to the collateral penalties triggered by indictment or conviction, such as debarment, that can discourage corporate policing. See id at 359–60.
  • 20See Arlen, 66 U Miami L Rev at 341 n 53 (cited in note 19).
  • 21Nonfine sanctions plus civil penalties often dwarf the criminal fine. See Cindy R. Alexander, Jennifer Arlen, and Mark A. Cohen, Regulating Corporate Criminal Sanctions: Federal Guidelines and the Sentencing of Public Firms, 42 J L & Econ 393, 410 (1999) (providing empirical evidence).
  • 22See David M. Uhlmann, The Pendulum Swings: Reconsidering Corporate Criminal Prosecution, 49 UC Davis L Rev 1235, 1257–58 (2016); Memorandum: Bringing Criminal Charges against Corporations *9–10 (DOJ, June 16, 1999), archived at http://perma.cc/JC78-E78Y (“Holder Memo”). See also generally Baer, 50 BC L Rev 949 (cited in note 11).
  • 23The Principles of Federal Prosecution of Business Organizations apply to all firms. See note 6. Yet prosecutors tend to impose PDAs on firms in which control is separated from day-to-day management, such as publicly held firms. Owner-managed firms tend not to receive PDAs because owner-managers are often implicated in their firms’ criminal activity; these firms are thus unlikely to self-report and cooperate in return for leniency. See Jennifer Arlen, Corporate Criminal Liability: Theory and Evidence, in Alon Harel and Keith N. Hylton, eds, Research Handbook on the Economics of Criminal Law 144, 152–53 (Edward Elgar 2012) (finding that substantially more publicly traded firms obtain PDAs than are convicted of crimes governed by the Organizational Sentencing Guidelines). Indeed, there is evidence that prosecutors are particularly inclined to use PDAs to sanction parent corporations. Data collected by Cindy Alexander and Professor Mark Cohen show that, from 2007 through 2011, 58 percent of criminal settlement agreements with parent corporations were PDAs, while 70 percent of settlement agreements with subsidiaries were guilty pleas. See Alexander and Cohen, 52 Am Crim L Rev at 580–81 (cited in note 1).
  • 24USAM § 9-28.300 (cited in note 6). Then–Deputy Attorney General Eric Holder issued the first guidelines to federal prosecutors in 1999. The Holder Memo detailed factors prosecutors should consider in deciding whether to indict a firm. See generally Holder Memo (cited in note 22). The current guidelines, which build on the Holder Memo, are contained in the Principles. See USAM § 9-28.300 (cited in note 6).
  • 25See Arlen, Corporate Criminal Liability at 152 (cited in note 23). Firms also can avoid conviction under other circumstances, including when the firm would be subject to ruinous collateral penalties and agrees to fully cooperate. See USAM §§ 9-28.300, 9-28.900 (cited in note 6). See also Corporate Crime: Preliminary Observations on DOJ’s Use and Oversight of Deferred Prosecution and Non-prosecution Agreements *7–9 (GAO, June 25, 2009), archived at http://perma.cc/F32W-Z69V (“GAO Report”).
  • 26In some cases, the DOJ will formally decline to pursue a firm instead of imposing a PDA. See Beverley Earle and Anita Cava, The Mystery of Declinations under the Foreign Corrupt Practices Act: A Proposal to Incentivize Compliance, 49 UC Davis L Rev 567, 602–03 (2015) (providing an example of a declination letter sent to Allianz’s legal team indicating that a DOJ inquiry had ended as a result of Allianz’s cooperation with the investigation). The DOJ does not release data on most declinations, and thus it is hard to determine how often this happens. Declination appears to be more likely when the wrongdoing is limited and the firm self-reported and fully cooperated. See, for example, Weissmann, FCPA Pilot Program at *4–9 (cited in note 6).
  • 27See Alexander and Cohen, 52 Am Crim L Rev at 544–45 (cited in note 1). NPAs are expressed in the form of a letter, often not filed in court. See id at 544 n 38, 579 n 189.
  • 28Garrett, 93 Va L Rev at 855, 879 (cited in note 3). See also USAM § 9-28.1100 (cited in note 6) (providing that collateral consequences of a corporate conviction, such as debarment and delicensing, can justify use of a PDA designed in part to promote compliance with the law and prevent recidivism). It might appear that PDAs also enable the firm to avoid the reputational consequences of a criminal conviction. But under the DOJ’s current policy, it is unlikely that the decision of most prosecutors to impose a PDA instead of a guilty plea has a material effect on the reputational sanction, holding constant the nature of the crime and other publicly disclosed information about the firm and the crime. See Cindy Alexander and Jennifer Arlen, Does Conviction Matter? The Reputational and Collateral Effects of Corporate Crime *22–23 (forthcoming 2018), archived at http://perma.cc/HZ3W-5ABC.
  • 29See Weissmann, FCPA Pilot Program at *2–3, 8–9 (cited in note 6) (offering substantial fine mitigation to firms that self-report, fully cooperate, or had an effective compliance program at the time of the crime). See also generally Organizational Sentencing Guidelines (cited in note 5).
  • 30To be precise, corporate liability governing publicly held firms resembles what one of us has called “composite liability.” Under composite liability, firms are subject to both duty-based criminal liability and a residual layer of strict liability. See Arlen and Kraakman, 72 NYU L Rev at 689–90, 770–75 (cited in note 6) (defining composite liability and showing that composite liability with optimal policing duties and monetary sanctions can be used to optimally deter corporate crime). For a discussion of when and why firms that satisfy all their policing duties should still bear monetary sanctions if a wrong occurs, see id at 695–718; Arlen, 8 J Legal Analysis at 198–204 (cited in note 8).
  • 31See note 7 (defining “substantive violation” as the term is used in this Article and distinguishing it from violations predicated on the failure to comply with policing duties).
  • 32See Alexander and Cohen, 52 Am Crim L Rev at 571–72 (cited in note 1); Arlen, Corporate Criminal Liability at 149, 153 (cited in note 23) (comparing PDAs with federal convictions of publicly held firms). Pretrial diversion agreements were used prior to 2003, most prominently in the 1994 PDA with Prudential Services, Inc. Mary Jo White, Corporate Criminal Liability: What Has Gone Wrong?, in 37th Annual Institute on Securities Regulation 815, 818 (Practising Law Institute 2005). Nevertheless, the 2003 DOJ memo was the first official endorsement of these agreements, and dramatically increased their use. See Larry D. Thompson, Memorandum: Principles of Federal Prosecution of Business Organizations *6 (DOJ, Office of the Deputy Attorney General, Jan 20, 2003) archived at http://perma.cc/4FEG-AATF (“Thompson Memo”). In the entire period prior to issuance of the Thompson Memo in January 2003, prosecutors negotiated only thirteen PDAs. See Garrett, 93 Va L Rev at 894 n 167 (cited in note 3). By contrast, we find based on our dataset that they entered into at least 267 PDAs from 2004 through 2014 (excluding agreements involving antitrust, tax, and environmental violations). See also Alexander and Cohen, 52 Am Crim L Rev at 571 (cited in note 1) (finding that prosecutors entered into 155 PDAs against publicly held firms for all crimes from 2003 through 2011, and only 8 PDAs for antitrust or environmental violations). PDAs issued after the Thompson Memo are more likely to impose firm-specific policing duties and monitors. See Lisa Kern Griffin, Compelled Cooperation and the New Corporate Criminal Procedure, 82 NYU L Rev 311, 323 (2007); Spivack and Raman, 45 Am Crim L Rev at 166–67 (cited in note 3). See also Baer, 50 BC L Rev at 969–70 (cited in note 11) (discussing the evolution in mandates after 2003).
  • 33See Garrett, 93 Va L Rev at 893–902 (cited in note 3); Alexander and Cohen, 52 Am Crim L Rev at 538, 544, 587 (cited in note 1); Arlen, 8 J Legal Analysis at 199–203 (cited in note 8).
  • 34For example, in 2008 the DOJ concluded that Aibel Group failed to meet its obligations under its PDA and revoked its PDA with the firm. The firm pleaded guilty to its original offense and was required to pay a $4.2 million fine and serve two years on organization probation. Plea Agreement, United States v Aibel Group Ltd, CR H-07-005, §§ 7, 20 at *2–3, 10 (SD Tex, Nov 7, 2008), archived at http://perma.cc/Q556-GUYD. See also Christopher M. Matthews, Aruna Viswanatha, and Devlin Barrett, Justice Department to Tear Up Past UBS Settlement (Wall St J, May 14, 2015), online at http://www.wsj.com/articles/justice-department-to-tear-up-past-ubs-settlement-1431645723 (visited Nov 4, 2016) (Perma archive unavailable) (discussing the DOJ’s move to convict UBS for its 2012 LIBOR fixing, notwithstanding a 2012 PDA, following discovery of additional wrongs that occurred after that agreement). Courts have held that prosecutors have discretion to determine whether a firm’s conduct constitutes a sufficient breach of PDA mandates to justify a decision to indict. See, for example, Stolt–Nielsen, SA v United States, 442 F3d 177, 187 (3d Cir 2006) (holding that “nonprosecution agreements may not form the basis for enjoining indictments before they issue”); United States v Goldfarb, 2012 WL 3860756, *2–6 (ND Cal) (denying a motion to dismiss an indictment because the government had properly exercised its discretion in finding a lack of substantial performance of the DPA mandates).
  • 35See Alexander and Cohen, 52 Am Crim L Rev at 538, 577 (cited in note 1).
  • 36Our data on sanctions and mandates imposed through PDAs are based on our analysis of all PDAs imposed by the US Attorneys’ Offices or the Criminal Division of the DOJ in cases governed by the Principles of Federal Prosecution of Business Organizations and under the Organizational Sentencing Guidelines. Thus, we exclude antitrust and environmental PDAs, which are under the authority of the Antitrust and Environment Divisions, respectively, and have their own enforcement policies and sentencing guidelines. See id at 571–72 (finding few PDAs for antitrust or environmental violations).
  • 37Our findings are consistent with the results of Alexander and Cohen. See id at 589.
  • 38PDA-imposed compliance-program mandates regularly require firms to adopt compliance programs that differ materially from the programs that firms traditionally adopted voluntarily prior to the rise in PDA mandates. For example, a survey published in 2008 found that whereas voluntary programs often integrated compliance efforts into the corporate divisions most directly affected by compliance efforts, the mandated programs generally required the adoption of a compliance office separate from the core workings of the firm. Finder, McConnell, and Mitchell, 28 Corp Counsel Rev at 19 (cited in note 2). Moreover, voluntary programs tend to have compliance officers who report to the general counsel or the CEO. By contrast, mandated programs increasingly require that the chief compliance officer (CCO) be able to report directly to the board. Id.
  • 39See, for example, Nonprosecution Agreement, Merrill Lynch & Co, §§ 8–9 at *3–4 (DOJ Enron Task Force, Sept 17, 2003), archived at http://perma.cc/QCA5-VDPC (“Merrill Lynch NPA”).
  • 40PDA compliance provisions often dictate investment levels by stating that the firm has increased its compliance to a particular level (usually following negotiations with prosecutors) and agrees to maintain at least this investment in compliance going forward. See, for example, Non-prosecution Agreement, Alpha Natural Resources, Inc, § 5 at *2 (USAO SD W Va 2011), archived at http://perma.cc/KY88-JMMJ (“Alpha NPA”); Deferred Prosecution Agreement, United States v HSBC Bank USA, NA, CR No 12-763, § 7 at *3 (EDNY filed Dec 11, 2012), archived at http://perma.cc/W29S-FRWZ (“HSBC DPA”).
  • 41See Organizational Sentencing Guidelines § 8B2.1 (cited in note 5) (listing criteria to be employed to determine whether the firm has an effective compliance program). For examples of statutory requirements to adopt and maintain compliance programs, see note 55.
  • 42Moreover, PDAs also can affect the measures the firm employs to satisfy § 8B2.1 of the Organizational Sentencing Guidelines. Absent a PDA, directors can determine how best to comply with the Organizational Sentencing Guidelines’ definition of effective compliance. By contrast, PDA mandates, as a practical matter, shift power to a specific prosecutor to determine whether the firm’s actions satisfy the standard set forth in the Organizational Sentencing Guidelines, because a prosecutor who requires the firm to satisfy § 8B2.1 is free to indict the firm if the prosecutor determines that it breached the PDA. The threat of prosecutorial action is significant because, if the prosecutor does proceed, she will be armed with an admissible statement of guilt made by the firm. See, for example, Alpha NPA § 14 at *7 (cited in note 40). Prosecutors have particularly strong leverage over firms with NPAs because courts do not review a prosecutor’s decision to indict a firm deemed to be in breach of an NPA. See note 34 (discussing prosecutorial authority to determine whether a firm’s actions constitute a violation of the PDA that warrants sanction).
  • 43Finder, McConnell, and Mitchell, 28 Corp Counsel Rev at 22–23 (cited in note 2). See also, for example, Deferred Prosecution Agreement, United States v Computer Associates International, Inc, CR No 04-837, § 14(b) at *11 (EDNY filed Sept 22, 2004), archived at http://perma.cc/7RCC-LEHQ (“Computer Associates DPA”).
  • 44For example, Computer Associates International, Inc, was required to appoint three new independent directors to the board, including former SEC Commissioner Laura Unger. See Computer Associates DPA § 12 at *10–12 (cited in note 43).
  • 45For example, Computer Associates was required to create a compliance committee of the board. Computer Associates DPA § 12(b) at *10 (cited in note 43).
  • 46Merrill Lynch & Co was required to create a “Special Structured Products Committee” of senior management to review all complex financial transactions with a third party. See Merrill Lynch NPA Exhibit A at *1–2 (cited in note 39). General Re Corp’s PDA required a new complex transaction committee with the power to reject any proposed transactions. See Nonprosecution Agreement, General Re Corp, § 14(c) at *5 (DOJ Criminal Division, Fraud Section, Jan 19, 2010), archived at http://perma.cc/DT7D-WAJT (“General Re NPA”). Computer Associates and American Italian Pasta Company each were required to create a new “Disclosure Committee” consisting of C-suite executives and other senior management. Computer Associates DPA § 12(c) at *10 (cited in note 43); Nonprosecution Agreement, American Italian Pasta Co, § 7 at *2–3 (USAO WD Mo, Sept 15, 2008), archived at http://perma.cc/B6ST-GA4A. Monsanto’s DPA required that the board create a new committee to oversee the appointment of all foreign agents and to evaluate all joint ventures. Deferred Prosecution Agreement, United States v Monsanto Co, Appx B(3) at *2 (DDC filed Jan 6, 2005), archived at http://perma.cc/3ZCU-QFCW (“Monsanto DPA”).
  • 47See, for example, Deferred Prosecution Agreement, United States Securities Exchange Commission v Bristol-Myers Squibb Co, Civil Action No 04-3680, § 8 at *3 (USAO D NJ, June 15, 2005), archived at http://perma.cc/E5EC-5D5D (“BMS DPA”).
  • 48Firms whose PDAs require them to report annually or semiannually to federal authorities during the agreement include Schering-Plough Corp, Pfizer H.C.P. Corp, Baker Hughes, Inc, Merck & Co, Lufthansa Technik AG, Orthofix International, Tyco International, Ltd, Archer Daniels Midland Co, Deutsche Bank AG, and Daimler AG. Settlement Agreement and Release, Schering-Plough Corp, § 13 at *18 (USAO D Mass, Aug 29, 2006), archived at http://perma.cc/AD4J-U928; Deferred Prosecution Agreement, United States v Pfizer H.C.P. Corp, CR No 12-169, § 13 at *10 (DDC filed Aug 7, 2012), archived at http://perma.cc/Y2GZ-G63Q; Deferred Prosecution Agreement, United States v Baker Hughes Inc, § 13 at *10 (SD Tex filed Apr 11, 2007), archived at http://perma.cc/3W8H-6UPH; Nonprosecution Agreement, Merck & Co, Exhibit 2 § 10(a)(6) at *12 (USAO D Mass, Nov 7, 2011), archived at http://perma.cc/TU5E-VSMD; Nonprosecution Agreement, Lufthansa Technik AG, Appx B at *B1–B2 (DOJ, Criminal Division, Fraud Section, Dec 21, 2011), archived at http://perma.cc/G496-V5N8; Deferred Prosecution Agreement, United States v Orthofix International, NV, § 10 at *9 (DOJ Criminal Section, Fraud Section, July 10, 2012), archived at http://perma.cc/3VA6-KJ6B; Nonprosecution Agreement, Tyco International, Ltd, Attachment C at *C1–C2 (USAO ED Va, Sept 20, 2012), archived at http://perma.cc/452U-KKHZ; HSBC DPA § 6 at *8 (cited in note 40); Nonprosecution Agreement, Archer Daniels Midland Co, Attachment C at *C-1 to -2 (USAO CD Ill, Dec 20, 2013), archived at http://perma.cc/7DJG-CMTA; Deferred Prosecution Agreement, United States v Deutsche Bank AG, CR No 15-61, § 10 at *14–15 (D Conn filed Apr 23, 2015), archived at http://perma.cc/4V9U-MPMB; Deferred Prosecution Agreement, United States v Daimler AG, CR No 10-63, Attachment D § 7(e) at *3–5 (DDC filed Mar 24, 2010), archived at http://perma.cc/C7J2-3DZ3.
  • 49For a detailed discussion of the monitoring provisions in these agreements, see Khanna and Dickinson, 105 Mich L Rev at 1721–24 (cited in note 3) (discussing corporate monitor provisions in PDAs).

    In addition, PDAs occasionally contain mandates that are more properly characterized as prevention, rather than policing, measures. Prevention measures reduce the probability of a violation, but (unlike policing measures) do not increase the likelihood of detection if a violation occurs. Mandates that alter a firm’s compensation and promotion policies in ways that make wrongdoing less attractive to employees are prevention measures. As one of us has shown, a company can be induced to undertake optimal prevention measures through either strict or duty-based liability, whereas only duty-based liability can practically be used to induce optimal policing. Arlen and Kraakman, 72 NYU L Rev at 717–18 (cited in note 6). Our analysis in Parts III and IV of when it is desirable to supplement harm-contingent liability generally or with PDAs, as well as our discussion of how PDAs should be structured, applies equally well to PDAs with prevention mandates, with one qualification. Firms tend to face strict (rather than duty-based) liability with regard to prevention measures, because DOJ leniency focuses appropriately on policing. In this situation, the arguments in Parts III.C and III.D relating to the use of PDAs to address limitations with duty-based liability are not relevant to the analysis.

  • 50BMS DPA § 2 at *1 (cited in note 47) (describing the charges); id §§ 6–17 at *3–5 (setting out the requirements for the compliance program); id § 18 at *5 (requiring the separation of the roles of chairman and CEO); id § 8 at *3 (requiring the chairman’s participation in preparatory phone calls and requiring that the chairman, CEO, and general counsel monitor the calls); id § 9 at *3 (requiring the appointment of an outside director); id §§ 11–12 at *3–4 (requiring the appointment of a corporate monitor); id § 24 at *6–7 (setting out reporting requirements for the CEO and CFO).
  • 51See note 6 and accompanying text (defining policing and prevention); note 30 (discussing composite liability).
  • 52See note 7 (defining substantive violations).
  • 53In the case of individual liability, tort liability for injuries resulting from the defendant’s negligent failure to take reasonable care is an example of harm-contingent liability. Government-imposed sanctions on people who breach certain legal duties (for example, people who run a red light), whether or not a harm occurs, are an example of non-harm-contingent liability.
  • 54See note 5 (defining traditional corporate liability).
  • 55A few statutes, such as the accounting provisions of the FCPA and the Suspicious Activity Report provisions and Know Your Customer provisions of the PATRIOT Act, criminalize the willful failure to adopt or maintain an effective or reasonable compliance program. FCPA § 102, 91 Stat at 1494, codified at 15 USC § 78m(b)(2)(A)–(B); Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act) §§ 311–30, Pub L No 107-56, 115 Stat 272, 298–320; Sarbanes-Oxley Act of 2002 §§ 202–04, 404, Pub L No 107-204, 116 Stat 745, 772–73, 789, codified at 15 USC §§ 78j-1, 7262 (requiring the existence of a capable and empowered audit committee and that financial statements be audited).
  • 56See notes 5–6.
  • 57Accordingly, in our view, these mandates are not simply a nonmonetary sanction for past wrongdoing. Sanctions generally are backward-looking in that they are designed to induce compliance with the original duty—here, the ex ante policing duty imposed on all publicly held firms. While the threat of PDA mandates may have ex ante effects, the specific mandates imposed create new duties that alter future conduct. For an alternate view, see Khanna and Dickinson, 105 Mich L Rev at 1727–40 (cited in note 3) (describing the imposition of a corporate monitor as an additional sanction).
  • 58See note 62.
  • 59Although the USAM does not have an explicit provision governing when mandates should be incorporated into PDAs, it does state that prosecutors proceeding against firms should bear in mind all the goals of enforcement, including rehabilitation. Subsequent provisions governing corporate plea agreements provide that in order to ensure corporate rehabilitation, it is

    appropriate to require the corporation, as a condition of probation, to implement a compliance program or to reform an existing one. As discussed above, prosecutors may consult with the appropriate state and federal agencies and components of the Justice Department to ensure that a proposed compliance program is adequate and meets industry standards and best practices.

    USAM § 9-28.1500(B) (cited in note 6) (emphasis added).

    The USAM also indicates that prosecutors should charge and sentence defendant companies in a manner consistent with the Organizational Sentencing Guidelines. The Organizational Sentencing Guidelines recommend using probation to require firms to reform their compliance programs whenever a firm with over fifty employees did not have an effective compliance program at the time of sentencing. Organizational Sentencing Guidelines § 8D1.1(a)(3) (cited in note 5). The Organizational Sentencing Guidelines do not appear to support the imposition of prosecutor-designed mandates, however, in that the Guidelines recommend that the organization develop the effective compliance program. Organizational Sentencing Guidelines § 8D1.4(b) (cited in note 5) (recommending that judges require organizations with defective compliance programs to “develop and submit to the court an effective compliance and ethics program consistent with § 8B2.1 (Effective Compliance and Ethics Program)”).

    In the case of monitor mandates, the DOJ treats self-reporting as a factor weighing against the mandate. See A Resource Guide to the U.S. Foreign Corrupt Practices Act *71 (DOJ, Criminal Division and SEC, Enforcement Division, Nov 14, 2012), archived at http://perma.cc/2VTV-D5HD (“FCPA Resource Guide”) (summarizing DOJ and SEC policy on when compliance monitors are appropriately appointed).

  • 60Prosecutors evaluate the effectiveness of the program both at the time of the offense and at the time of the agreement. Firms that reform their programs after the offense may avoid mandates altogether, but prosecutors often impose mandates that either require firms to continue their preagreement reforms, require new reforms, or both. See, for example, Deferred Prosecution Agreement, Zimmer, Inc, §§ 4–5, 9 at *1–2 (USAO D NJ 2007), archived at http://perma.cc/D3KY-44R8 (“Zimmer DPA”); Deferred Prosecution Agreement, United States v Unico, Inc, CR No 13-355, §§ 4–5, 8–9 at *2–5, 7 (SD Cal filed Jan 30, 2013), archived at http://perma.cc/R46U-KDGY (“Unico DPA”); Settlement Agreement, Mellon Bank, NA, § I(11) at *2, Appx A at *1–3 (USAO WD Pa, Aug 14, 2006), archived at http://perma.cc/Q6FJ-EZWE; Nonprosecution Agreement, Deutsche Telekom AG, Appx B at *B-1 to -2 (USAO ED Va, Sept 29, 2011), archived at http://perma.cc/9HVY-UC4G; Deferred Prosecution Agreement, United States v MoneyGram International Inc, Case No 12-291, § 9 at *7 (MD Pa filed Nov 9, 2012), archived at http://perma.cc/4Z87-54F5; Nonprosecution Agreement, Ralph Lauren Corp, *1, Attachment B at *B-1 to -8 (DOJ, Criminal Division, Fraud Section, Apr 22, 2013), archived at http://perma.cc/9XZL-7X3C; General Re NPA § 14 at *5–7 (cited in note 46); Deferred Prosecution Agreement, United States v CommunityOne Bank, NA, CR No 11-122, § 7 at *6–7 (WD NC filed Apr 27, 2011), archived at http://perma.cc/5SZB-RU6Z; Nonprosecution Agreement, Las Vegas Sands Corp, Attachment B(1) at *16–18 (USAO CD Cal, Aug 26, 2013), archived at http://perma.cc/P77P-HH8X; Deferred Prosecution Agreement, Smith & Nephew, Inc, § 7 at *6 (DOJ, Criminal Division, Fraud Section, Feb 1, 2012), archived at http://perma.cc/32EK-832X (“Smith & Nephew DPA”); Deferred Prosecution Agreement, United States v Academi LLC, CR No 12-14, §§ 7–9 at *6–7 (ED NC filed Aug 7, 2012), archived at http://perma.cc/SXS5-UB3R (imposing a monitor in addition to the reforms already undertaken); Deferred Prosecution Agreement, United States v Endo Pharmaceuticals Inc, CR No 14-66, §§ I(c), V at *2, 16–24 (NDNY filed Feb 21, 2014), archived at http://perma.cc/5CK2-H88U.
  • 61For our methodology, see note 36.
  • 62The DOJ has a decentralized approach to prosecution. Each individual US attorney generally exercises full authority over the content of PDAs, except in a limited set of cases in which enforcement decisions are channeled through specialized divisions within Main Justice—for example, FCPA, antitrust, tax, and environmental cases. See note 36.

    In addition, the DOJ has not provided guidelines governing the policing mandates that prosecutors can impose governing corporate policing and other internal governance matters. The few guidelines issued on mandates apply to (and limit the use of) a narrow range of provisions: extraordinary restitution, waiver of the attorney-client privilege, the firm’s right to advance the legal fees of its employees, and the decision to impose a corporate monitor. USAM §§ 9-16.325, 9-28.1000, 9-28.710 (cited in note 6). See also generally Craig S. Morford, Memorandum for Heads of Department Components, United States Attorneys: Selection and Use of Monitors in Deferred Prosecution Agreements and Non-prosecution Agreements with Corporations (DOJ, Office of the Deputy Attorney General, Mar 7, 2008), archived at http://perma.cc/6NF2-8TXK.

    By contrast, the Organizational Sentencing Guidelines recommend that prosecutors impose compliance mandates on all firms subject to probation, but do not encourage prosecutors to design their own. Instead, they indicate that prosecutors should require firms to adopt a compliance program that satisfies the standard of effective compliance set forth in the Organizational Sentencing Guidelines. Organizational Sentencing Guidelines § 8D1.4(b)(1) (cited in note 5). Moreover, the Organizational Sentencing Guidelines envision that judges, not prosecutors, will determine what mandates are imposed, as the Guidelines were structured to govern formal conviction. See Organizational Sentencing Guidelines, Commentary on § 8D1.4 (cited in note 5).

  • 63At present, the judiciary also does not assert oversight of the types of mandates imposed. Only DPAs are potentially subject to judicial review; NPAs, by contrast, are not filed in court. The DOJ takes the position, now supported by the limited case law, that federal judges reviewing DPAs do not have authority to reject or alter specific mandates imposed. See United States v Fokker Services BV, 818 F3d 733, 740–42 (DC Cir 2016); Government’s Supplemental Brief Addressing the Scope of the Court’s Authority to Consider the Fairness and Reasonableness of a Deferred Prosecution Agreement in Deciding Whether to Accept or Reject the Agreement, United States v Saena Tech Corp, CR No 14-66, *8–10 (DDC filed Aug 8, 2014); Government’s Reply to Memorandum of Law of Amicus Curiae Law Professor, United States v Saena Tech Corp, CR No 14-66, *1 (DDC filed Aug 29, 2014). One district court has held that judges do have authority to review mandates that violate the Constitution, a statute, or the USAM. See United States v HSBC Bank USA, NA, 2013 WL 3306161, *6–13 (EDNY) (discussing the Government’s position). The DC Circuit in Fokker explicitly chose not to address the validity of this conclusion. See Arlen, 8 J Legal Analysis at 217–20 (cited in note 8) (discussing in more detail the Fokker decision and the narrow scope of judicial review over PDAs).
  • 64“Public firms” include all publicly held firms and all firms that are controlled (50 percent or more) by a publicly held firm.
  • 65See note 9.
  • 66In theory, strict liability could be employed, but only if fines could practicably adjust so that any corporate action that increases the probability of detection and sanction produces an equivalent reduction in the fine. Arlen and Kraakman, 72 NYU L Rev at 719–23 (cited in note 6).
  • 67See Arlen, 23 J Legal Stud at 852–55 (cited in note 10); Arlen and Kraakman, 72 NYU L Rev at 695–96 (cited in note 6); Sally Quillian Yates, Memorandum: Individual Accountability for Corporate Wrongdoing *1–2 (DOJ, Office of the Deputy Attorney General, Sept 9, 2015), archived at http://perma.cc/PBC2-TZPX (discussing the importance of individual liability for corporate crime). By contrast, corporate liability could be used to optimally deter crime by owner-managers of closely held firms, provided that the firms have sufficient assets to pay the optimal fine. Arlen, Corporate Criminal Liability at 157–58 (cited in note 23) (discussing corporate liability for closely held firms).
  • 68This discussion focuses on the type of corporate crimes that cause direct social harm, such as securities fraud and bribery, which generally require affirmative acts by individuals who know they are acting unlawfully. This discussion does not apply to criminal liability imposed for breach of corporations’ oversight duties. Responsibility for compliance with these duties can be diffuse, and there can be circumstances in which the firm is liable (or subject to a PDA) even though no individual in the firm made an affirmative decision to violate the law for personal benefit.
  • 69Many of the gains employees seek—such as promotions, bonuses, and avoiding termination—are one-way effects: an employee can get a promotion or bonus by committing a crime to benefit the firm, and the employee may retain it even if the wrong is detected, either because the wrong is not attributed to the employee or because the firm decides not to sanction or fire the employee. See Arlen, Corporate Criminal Liability at 170–71 (cited in note 23) (discussing why the government generally cannot rely on corporate liability alone to optimally deter crime by employees of publicly held firms).
  • 70See Arlen, 23 J Legal Stud at 834–36 (cited in note 10); Jonathan R. Macey, Agency Theory and the Criminal Liability of Organizations, 71 BU L Rev 315, 322 (1991); Arlen, Corporate Criminal Liability at 154 n 39 (cited in note 23) (discussing why corporate crime can be treated as the product of self-interested rational decision-making even if many street crimes are not). See also Cindy R. Alexander and Mark A. Cohen, Why Do Corporations Become Criminals? Ownership, Hidden Actions, and Crime as an Agency Cost, 5 J Corp Fin 1, 30–31 (1999) (finding that corporate crimes “occur less frequently among publicly traded firms in which top management has a larger ownership stake,” consistent with corporate crime being an agency cost); Jennifer H. Arlen and William J. Carney, Vicarious Liability for Fraud on Securities Markets: Theory and Evidence, 1992 U Ill L Rev 691, 701–03 (discussing whether securities fraud is an agency cost arising in the shadow of a managerial last period as a result of the low expected costs of fraud, which could include civil liability and job loss).
  • 71Arlen, Corporate Criminal Liability at 167–71 (cited in note 23) (providing the conditions that would be necessary for individual liability alone to create optimal deterrence). See also Arlen and Kraakman, 72 NYU L Rev at 695–96 (cited in note 6); Alexander Dyck, Adair Morse, and Luigi Zingales, Who Blows the Whistle on Corporate Fraud?, 65 J Fin 2213, 2225–26 (2010) (providing evidence that most corporate fraud is not detected by the government, including data that suggest that industry regulators discover only 13 percent of fraud cases that come to light).

    Individual liability fails to optimally deter when the probability of detection and sanction is very low for two reasons. First, rational actors are not deterred unless the expected sanction—given by the sanction multiplied by the probability of sanction, P—equals or exceeds the benefit of crime, B. Thus, the actual sanction must at least equal B divided by P. See Gary S. Becker, Crime and Punishment: An Economic Approach, 76 J Polit Econ 169, 180–85 (1968). When the probability of sanction is low, the optimal sanction will often exceed the amount that can be optimally imposed on individuals given their limited wealth and the high social cost of imprisonment. Id at 196–97. Second, behavioral analysis suggests that individuals may not be deterred when the probability of sanction is too low because people often discount very low probability events to zero. Eric A. Posner, Probability Errors: Some Positive and Normative Implications for Tort and Contract Law, 11 S Ct Econ Rev 125, 127–28 (2004). Corporate liability should reduce both problems because well-structured corporate liability should increase the probability that individuals are sanctioned, thereby increasing individuals’ expected sanctions and lowering the optimal individual sanction. See Arlen, Corporate Criminal Liability at 186–87 (cited in note 23).

  • 72Arlen and Kraakman, 72 NYU L Rev at 700–01 (cited in note 6) (comparing government monitoring and investigation with firms’ more cost-effective internal policing mechanisms). For a detailed discussion of why firms are the least-cost provider of many policing measures, see Arlen, Corporate Criminal Liability at 162–67 (cited in note 23).
  • 73Arlen and Kraakman, 72 NYU L Rev at 706–07 (cited in note 6); Arlen, Corporate Criminal Liability at 164–66 (cited in note 23). Firms also can lower the net social cost of crime both by adopting prevention measures, such as compensation policy reform, see Arlen and Kraakman, 72 NYU L Rev at 701–04 (cited in note 6), and by reducing activity levels. A. Mitchell Polinsky and Steven Shavell, Should Employees Be Subject to Fines and Imprisonment given the Existence of Corporate Liability?, 13 Intl Rev L & Econ 239, 246–47 (1993).
  • 74To be precise, firms should be subject to a composite liability regime that combines enhanced duty-based criminal liability for failure to adopt effective policing with strict civil liability for any harm caused. See note 30 and accompanying text. Duty-based liability is superior to strict respondeat superior because firms subject to strict corporate liability with a fixed fine have suboptimal incentives to undertake measures that increase the probability that wrongdoing is detected and sanctioned, as these actions can increase the firm’s own expected liability. See Arlen, 23 J Legal Stud at 836 (cited in note 10); Arlen and Kraakman, 72 NYU L Rev at 700, 707 & n 46 (cited in note 6); Arlen, Corporate Criminal Liability at 174–77 (cited in note 23) (showing that respondeat superior with a fixed fine cannot induce both optimal prevention and policing). For a confirmation of this phenomenon and a statistical assessment of how to shift incentives, see Louis Kaplow and Steven Shavell, Optimal Law Enforcement with Self-Reporting of Behavior, 102 J Polit Econ 583, 587–90 (1994) (showing that individuals can be induced to self-report by reducing the sanction to counteract the liability-enhancing effect of self-reporting on the probability of sanction).
  • 75Ex ante corporate policing in the form of compliance programs can be very expensive. For example, according to HSBC’s 2012 DPA, the firm spent over $290 million on antifraud and money-laundering compliance in 2011 alone. HSBC DPA Attachment A § 81 at *27–28 (cited in note 40).
  • 76Criminal liability should be reserved for firms that violate their policing duties, as this enables the state to offer a sufficiently big reward to firms that comply with their policing duties to make them willing to self-report, even when substantial civil sanctions will be imposed.
  • 77Arlen, Corporate Criminal Liability at 185–87 (cited in note 23); Arlen and Kraakman, 72 NYU L Rev at 709–12 (cited in note 6). Firms that comply with all their policing duties generally should not be exempt from sanctions. There should still be residual liability sufficient to induce them to pursue optimal prevention measures, such as reforming compensation and promotion systems. See Arlen and Kraakman, 72 NYU L Rev at 694, 726–30 (cited in note 6).

    In fact, federal authorities should use multiple levels of duty-based sanction enhancements targeted at specific types of policing because policing measures occur sequentially over time. Firms that undertake optimal policing should bear expected sanctions equal to the social cost of the crime in order to induce optimal prevention. Id at 726–30. See also note 30. For an in-depth discussion of the justifications for and optimal structure of corporate liability, see generally Arlen and Kraakman, 72 NYU L Rev 687 (cited in note 6). See also Arlen, Corporate Criminal Liability at 177–85 (cited in note 23). Nevertheless, firms that police optimally should not bear monetary sanctions when shareholders internalize the full cost of the crime absent liability, as is often the case with securities fraud. See Arlen and Carney, 1992 U Ill L Rev at 713 (cited in note 70); Arlen, Corporate Criminal Liability at 187–88 (cited in note 23).

  • 78This analysis focuses on the deterrence implications of having ex post mandates on firms with prior detected wrongdoing. For a discussion of the rule-of-law issues raised by prosecutors’ authority to create ad hoc mandates, usually without any genuine external review, see generally Arlen, 8 J Legal Analysis 191 (cited in note 8).
  • 79Jennifer Arlen, Removing Prosecutors from the Boardroom: Limiting Prosecutorial Discretion to Impose Structural Reforms, in Barkow and Barkow, eds, Prosecutors in the Boardroom 62, 79–81 (cited in note 9). For additional discussion of informational advantages, see Baer, 50 BC L Rev at 1003–04 (cited in note 11).
  • 80Prosecutors’ offices vary significantly in their use of PDAs. A small number of US Attorneys’ Offices and DOJ divisions are responsible for the vast majority of PDAs. See GAO Report at *3 (cited in note 25) (reporting the results of a preliminary survey finding only twelve offices with two or more PDAs). The content of PDAs also varies. The variation is greatest in the PDAs imposed by US Attorneys’ Offices. There is more consistency in the PDAs imposed by the specialized enforcement divisions of the DOJ, such as the Fraud and Money Laundering Sections. See note 62.
  • 81See note 62; Arlen, 8 J Legal Analysis at 204–05 (cited in note 8) (noting that neither the DOJ nor the judiciary provides guidance or oversight that could constrain the policing mandates that prosecutors impose in most cases).
  • 82Pub L No 95-213, 91 Stat 1494, codified as amended at 15 USC § 78a et seq.
  • 83Assistant US attorneys in certain US Attorney’s Offices—such as the Southern District of New York, Eastern District of New York, and District of New Jersey—and in specialized sections, such as those covering antitrust, environmental, the Foreign
    Corrupt Practice Act, fraud, money laundering, and tax cases, often will have considerable expertise in this area. Yet many assistant US attorneys in other offices do not.
  • 84Although some prosecutors work directly with regulators in designing PDAs, many do not. GAO Report at *17 (cited in note 25) (noting that eight of thirteen offices interviewed stated that their prosecutors commonly design compliance programs with the cooperation of the relevant regulatory agency). Those who do work with regulators retain full authority to impose the mandates they prefer. See Arlen, Removing Prosecutors from the Boardroom at 79–81 (cited in note 79) (discussing the benefits of vesting regulators with primary authority over mandates). See also Baer, 50 BC L Rev at 972–75 (cited in note 11) (critiquing the current system).
  • 85See Arlen and Kraakman, 72 NYU L Rev at 694 (cited in note 6) (arguing that duty-based, harm-contingent liability is the superior scheme to induce optimal policing measures).
  • 86The duty to have an effective compliance program is composed of two subduties—an ex ante duty to adopt an effective compliance program and an ex post duty to oversee it effectively and respond appropriately to red flags. This latter duty arises only once there is suspected wrongdoing. See In re Caremark International Inc Derivative Litigation, 698 A2d 959, 967–71 (Del Chanc 1996) (holding that directors have a duty to shareholders to adopt an effective monitoring and reporting system and to oversee it in good faith). See also Stone v Ritter, 911 A2d 362, 370 (Del 2006) (en banc) (adopting the duty and standard of liability announced in Caremark).
  • 87For a discussion of the problem of cosmetic compliance programs, see William S. Laufer, Corporate Liability, Risk Shifting, and the Paradox of Compliance, 52 Vand L Rev 1343, 1415–19 (1999) (observing that “cosmetic compliance” programs, adopted solely to reduce the firm’s liability and not to truly reduce corporate crime, could result in increased crime when combined with a corporate leniency program). For an argument that internal compliance is ineffective at deterring corporate crime, see Kimberly D. Krawiec, Cosmetic Compliance and the Failure of Negotiated Governance, 81 Wash U L Q 487, 510–15 (2003).

    In the torts context, others have argued that harm-contingent enforcement is more cost-effective because it focuses enforcement resources on firms that are more likely to have violated their duties. The idea is that, if compliance with legal duties reduces the risk of harm, firms with detected harms are probably more likely to be firms that failed to satisfy their duties. As a result, negligence liability, which is limited to firms that caused harm, may be more cost-effective than ex ante regulation that requires more general monitoring of firms. See Steven Shavell, A Fundamental Enforcement Cost Advantage of the Negligence Rule over Regulation, 42 J Legal Stud 275, 276, 281–87 (2013). This argument from the torts context does not apply to corporate crime, however, because corporate policing has two competing effects. On the one hand, it reduces the probability of crime. On the other, it increases the probability that wrongs that occur are detected and sanctioned. Arlen, 23 J Legal Stud at 834–36 (cited in note 10); Arlen and Kraakman, 72 NYU L Rev at 707 (cited in note 6). Thus, a firm with detected misconduct could have a weak compliance program—and thus be a proper target for the government’s limited enforcement resources—or, alternatively, it could have an exceptionally effective policing program that detected and reported isolated misconduct.

  • 88See Part II.B.
  • 89Our discussion of prosecutors applies as well to regulatory enforcement officials who intervene ex post, after a crime has occurred. Although we conclude that prosecutors should be well positioned to identify firms plagued by policing agency costs, we concur that they would benefit from better guidance from the DOJ and more input from regulatory experts in determining how best to design mandates.
  • 90Of course, compliance programs can benefit managers and directors, by providing them higher-quality information about the firm that enables them to perform their managerial and oversight functions at lower cost. But compliance programs can also impose a burden. For example, additional record keeping, bureaucracy, and oversight can impede managers’ ability to act quickly or creatively on important business matters. Managers may also find compliance programs costly when the firm is operating in an area in which the legal duties are vague, as the compliance officer may, in an abundance of caution, constrain the firm from taking profitable actions that are generally legal but are susceptible to abuse.
  • 91For example, consider a CEO of a health care company whose compensation is strongly linked to the firm’s profits at the end of the year. The CEO could benefit personally from a loose compliance program that allows the firm’s managers in other countries to enter into consulting and joint venture arrangements with favored doctors at large overseas hospitals that are likely to promote sales to these hospitals. This compliance program could benefit the CEO, even when it is not optimal for the firm, because the program creates a material risk of liability for the firm under the bribery and accounting provisions of the FCPA should authorities determine that the payments were made to induce doctors at government-run health facilities to favor the firm. By contrast, the CEO can likely retain the bonuses earned, without fear of personal liability, as long as there is no evidence that he willfully caused any deficiencies. See 15 USC §§ 78dd-2, 78ff.
  • 92See notes 67–70 and accompanying text.
  • 93Publicly held firms can use compensation policy to reduce or enhance policing agency costs: policing agency costs are increased to the extent that compensation is structured to enable managers to benefit from increases in the stock price or in corporate performance over the short term more than they are harmed by declines over a longer term.
  • 94Firms with high policing agency costs thus are firms in which neither the shareholders nor the outside directors are able (or willing) to intervene effectively to align managements’ interests with those of shareholders.  
  • 95Policing agency costs also may be present in situations in which the CEO or CFO of an underperforming firm commits a crime, such as securities fraud, that could be expected to confer private benefits on both the CEO and all of senior management. See Arlen and Carney, 1992 U Ill L Rev at 703 (cited in note 70) (explaining that intentional securities fraud by managers of publicly held firms is an agency cost that is not readily deterred by strict corporate liability, because top managers generally benefit if the wrong remains undetected). In this situation, detecting the crime and firing the CEO may not address the problem that management of the firm remains vulnerable—assuming it continues to underperform—and may continue to benefit from weak attention to compliance with financial reporting requirements. Thus, cases involving companies such as Unico Corporation and Swisher Hygiene, which both apparently pertained to securities fraud committed by the CEO and CFO, may be examples of situations in which policing agency costs justify mandates if it is true that, after the executives were fired, managers in charge of policing would likely continue to obtain direct or indirect private benefits from deficient compliance. See Unico DPA Attachment A §§ 3–4 at *14–15 (cited in note 60); Y. Peter Kang, Former Swisher Hygiene Execs Indicted for Securities Fraud (Law360, Oct 19, 2015), archived at http://perma.cc/C6NZ-6RV4 (describing how the CFO of Swisher Hygiene was indicted for securities fraud conspiracy). See also Deferred Prosecution Agreement, United States v Swisher Hygiene Inc, CR No 15-237, § 1 at *1 (WD NC filed Oct 27, 2015), archived at http://perma.cc/ZL5S-LYDD.
  • 96Without a controlling shareholder, individual shareholders generally cannot effectively impose or monitor corporate compliance efforts. The establishment and design of corporate compliance efforts is the role of the board, and shareholders lack the power, under general principles of corporate law, to require the board to establish a certain program. See, for example, 8 Del Code Ann § 141. Shareholders could try to request that the board establish a program through a shareholder resolution under Rule 14a-8 of the Securities Exchange Act of 1934, but the complexity of a program and the five-hundred-word limit for proposals under that rule would make it hard to get an effective rule adopted. See 17 CFR § 240.14a-8. Even if shareholders adopted a proposal, it would be difficult to monitor compliance, because many of the features that distinguish a truly effective program from an ineffective one involve matters that cannot easily be verified.

    Directors can often take actions to reduce policing agency costs, using many of the same measures that prosecutors often impose through PDA mandates. When a board has failed to do so, prosecutors should assess why before imposing mandates. In some circumstances, it may be sufficient for prosecutors to bring policing agency costs to the attention of the board and leave it to the board to take proper remedial measures. In other circumstances, however, prior deficiencies signal that the board cannot be relied on to adopt effective policing. Directors may be plagued by significant policing agency costs themselves, lack the incentives to confront managers, or be unlikely to remain diligent in maintaining and monitoring compliance with their policies unless the policies are part of a PDA mandate. The fact that the board did not properly address policing agency costs prior to the substantive violation that gave rise to a PDA suggests that one of these factors may be present.

    Of course, when shareholders or directors do, or can be expected to, respond appropriately to policing agency costs, mandates are unlikely to be needed, as we discuss in Part IV.

  • 97For example, the effective compliance program provisions of the Organizational Sentencing Guidelines are phrased as a broad general standard:

    To have an effective compliance and ethics program, for purposes of subsection (f) of § 8C2.5 (Culpability Score) and subsection (b)(1) of § 8D1.4 (Recommended Conditions of Probation - Organizations), an organization shall—

    (1) exercise due diligence to prevent and detect criminal conduct; and

    (2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

    Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.

    Organizational Sentencing Guidelines § 8B2.1(a) (cited in note 5).

    The Organizational Sentencing Guidelines do state that, in order to be effective, most programs will need to satisfy a list of conditions, but most of these features are also quite general. For example, one section provides, “The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.” Organizational Sentencing Guidelines § 8B2.1(b)(3) (cited in note 5).

  • 98698 A2d 959, 967–70 (Del Chanc 1996).
  • 99When policing duties and lines of authority are clear, shareholders of firms sanctioned for deficient policing can determine both whether managers breached a known duty and who is to blame for such a breach. This enables them to pressure the firm to terminate the agent. They are also better able to impose liability on directors and managers for bad-faith breaches of their oversight duties under Caremark. See id at 971. See also Jennifer Arlen, The Story of Allis–Chalmers, Caremark, and Stone: Directors’ Evolving Duty to Monitor, in J. Mark Ramseyer, ed, Corporate Law Stories 323, 344 (Foundation Press 2009) (discussing how Caremark liability is effective at inducing effective compliance only if the compliance duty is clearly defined).
  • 100BMS DPA §§ 23–24 at *6–7 (cited in note 47).
  • 101For example, outside directors often cannot provide sufficient oversight because they do not have the time to devote to policing oversight. They also may lack the information needed to effectively police compliance, because genuine oversight over compliance often requires in-depth knowledge of the firm’s overseas subsidiaries and indepen­dent contractors.
  • 102Directors are liable if they fail to act in good faith to ensure that the firm adopts an effective monitoring and reporting program and takes other mandated actions to ensure compliance with the law. These duties should include any duties mandated by a PDA. See Caremark, 698 A2d at 971; Stone v Ritter, 911 A2d 362, 369–70 (Del 2006) (en banc) (endorsing the Caremark duty and holding that a failure to act in good faith is essential to establishing director oversight liability). Thus, directors may face personal liability if they consciously disregard their oversight duties by failing to ensure that the firm complies with the metapolicing duties imposed on the firm by a PDA.
  • 103See Alexander and Cohen, 5 J Corp Fin at 30–32 (cited in note 70).
  • 104Uncertainty about whether the firm is subject to mandates designed to address policing agency costs can also undermine the effectiveness of policing and metapolicing duties enforced by sanctions imposed on the firm. When firms are plagued by policing agency costs, corporate liability is effective only if managers who could cause breach expect to be held responsible. Directors and shareholders are more likely to—and better able to—proceed against managers who clearly knew the duties they were required to comply with and who thus cannot claim that any noncompliance was in good faith.
  • 105Indeed, legislation or regulations sometimes impose such duties. For example, all public companies are required both to have their financial statements audited by an independent auditor and to place a board audit committee consisting of nonmanagement directors in charge of the audit. See 15 USC § 7262; 15 USC § 78j-1 (requiring the existence of a capable and empowered audit committee). Both of these provisions are examples of metapolicing duties.
  • 106See note 90.
  • 107For a discussion of the difficulties of holding directors liable for corporate crimes, see Assaf Hamdani and Reinier Kraakman, Rewarding Outside Directors, 105 Mich L Rev 1677, 1686–88 (2007).
  • 108For example, the failure to adopt and maintain an effective compliance program with respect to the FCPA regarding Country X could be attributed to a variety of people, including (i) the compliance officers in Country X, (ii) the head of the compliance department for the firm as a whole, (iii) the CFO who set the budget for the compliance department, (iv) the CEO who appointed the CFO and the head of the compliance department and to whom the CFO and the head of the compliance department reported, or (v) the board of directors.
  • 109Managers are particularly likely to divert excessive attention to compliance when that activity is directly regulated by sanctions but alternative activities (such as making good business decisions) are not closely supervised. For a discussion of the incentives surrounding task separation, see Bengt Holmstrom and Paul Milgrom, Multitask Principal–Agent Analyses: Incentive Contracts, Asset Ownership, and Job Design, 7 J L Econ & Org 24, 43–50 (Special Issue 1991).

    On the other hand, it may be difficult to hold a lower-level executive, who does not control the amount the company spends on compliance or the structure of the program, responsible for policing failures partly attributable to decisions outside his control. If the person identified as bearing personal responsibility for the company’s failure to comply has no control over the amount the company spends on compliance, it may also be difficult to find someone to take the position. To be sure, for the right price, the company will be able to fill the position. Note, however, that the requisite compensation structure––high salary to compensate for the possibility of legal sanction for failure to comply––is likely to be attractive to individuals who are risk seekers, which may not be the optimal personality type for a person in charge of compliance.

  • 110For example, personal liability may well be appropriate when managers or directors intentionally acted in bad faith to cause the firm to fail to adopt or maintain an effective compliance program.
  • 111See generally S. Shavell, The Judgment Proof Problem, 6 Intl Rev L & Econ 45 (1986) (showing that tort liability does not provide optimal incentives when the defendant’s wealth is less than the optimal damage award). See also Arlen, Corporate Criminal Liability at 170–71 (cited in note 23) (arguing that duty-based corporate liability will not induce optimal policing if the firm does not have sufficient assets to pay the optimal enhanced sanction for failing to police optimally and that individual liability, when used in combination with corporate liability, may reduce this problem).
  • 112This discussion tracks the general argument for why ex ante regulation is superior to tort liability when injurers are asset constrained. Steven Shavell, Liability for Harm versus Regulation of Safety, 13 J Legal Stud 357, 360–61 (1984) (identifying asset insufficiency as a justification for employing ex ante regulation instead of just liability for any harm caused); Khanna and Dickinson, 105 Mich L Rev at 1729–31 (cited in note 3) (concluding that corporate asset insufficiency is one of the primary justifications for imposing corporate monitors). See also generally Steven Shavell, A Model of the Optimal Use of Liability and Safety Regulation, 15 RAND J Econ 271 (1984) (proving that regulation is more likely than liability to induce efficient levels of care if the regulated parties have assets below a certain threshold).
  • 113By contrast, in order to induce optimal compliance with a duty, the government needs to ensure that the firm is better off incurring the costs to comply with the duty whenever the social cost of compliance is less than the expected cost to society of the increased crimes that result from the firm’s failure to comply.
  • 114Arlen, 23 J Legal Stud at 862–65 (cited in note 10). See also Becker, 76 J Polit Econ at 179–85 (cited in note 71) (discussing the optimal sanctions when some violations escape sanction).
  • 115We thus agree with Professors Vikramaditya Khanna and Timothy Dickinson that, in order to deter corporate crime, enforcement authorities should supplement harm-contingent sanctions with non-harm-contingent sanctions when firms are asset constrained. But we conclude that PDA mandates are not the optimal form of supplementary liability. For an alternate conclusion, see Khanna and Dickinson, 105 Mich L Rev at 1727–31 (cited in note 3) (suggesting that asset insufficiency would justify requiring corporate monitoring, which is one type of harm-contingent duty and sanction).
  • 116Non-harm-contingent liability is effective only when government authorities incur sufficient monitoring and enforcement expenditures to detect and sanction breaches of policing duties. Thus, non-harm-contingent liability is optimal only when the expected social cost of policing plus government monitoring is less than the social cost of the crimes deterred. We focus on crimes for which this condition is met. As applied to these crimes, it might appear that PDAs are superior to ex ante regulation because they apply to fewer firms, thus reducing monitoring and enforcement. Yet this is not necessarily the case for two reasons. First, total social costs may be higher under PDAs because PDAs deter fewer crimes, because they are not imposed until wrongdoing is detected. Second, to induce optimal policing through PDAs, the government would likely need to incur higher per-firm monitoring costs in order to yield the same expected sanction as can be imposed through regulation, because PDAs tend to be imposed on firms whose assets have already been reduced by fines imposed for the detected crime.
  • 117Regulators can obtain firm-specific information through publicly available financial statements or through regulatory examinations. Regulators may also be able to adopt regulations targeted at industries in which firms tend to be asset constrained, as can occur with firms in industries with high expected liability to third parties. See James B. Rebitzer, Job Safety and Contract Workers in the Petrochemical Industry, 34 Indust Relations 40, 45–47 (1995) (finding that, even though petrochemical safety training and supervision is more effective in-house, petrochemical firms tend to outsource safety training and supervision to smaller outside contractors in order to reduce expected liability).
  • 118Sweden received a (good) score of 9.2 for perceived corruption in 2010, while
    Uzbekistan received a (bad) score of 1.6. See Corruption Perceptions Index 2010 *10–11 (Transparency International 2010), archived at http://perma.cc/L7B6-R5MB.
  • 119Indeed, when properly applied, the duty of an “effective” or “reasonable” compliance program recognizes that successful compliance programs must balance a variety of factors, including the inherent risk of wrongdoing.
  • 120See generally Arlen, 66 U Miami L Rev 321 (cited in note 19) (critiquing the Organizational Sentencing Guidelines). For a discussion of Congress’s apparent use of intentional underfunding—through a failure to appropriate funds—to undermine the effectiveness of the corporate enforcement laws that it has adopted, see Daniel C. Richman, Corporate Headhunting, 8 Harv L & Pol Rev 265, 273–75 (2014).
  • 121In the case of policing agency costs, the imposition of mandates by prosecutors rests not on other authorities having adopted an inadequate regime but on prosecutors’ special ability to identify firms with significant policing agency costs. Thus, the argument that prosecutors should defer to other bodies with greater expertise does not apply with equal force to mandates intended to address policing agency costs. The general argument, however, that prosecutors’ limited expertise results in a significant possibility of prosecutors adopting inefficient mandates does apply.
  • 122For example, in 2014 HSBC reported that it was spending $750 million to $800 million per year on its compliance and risk program. Martin Arnold, HSBC Wrestles with Soaring Costs of Compliance (Fin Times, Aug 4, 2014), online at http://www.ft.com/content/0e3f0760-1bef-11e4-9666-00144feabdc0 (visited Jan 10, 2017) (Perma archive unavailable).
  • 123These costs can include both the direct costs of compliance and the indirect effect of compliance on the firm’s internal operations. See Geoffrey P. Miller, An Economic Analysis of Effective Compliance Programs, in Jennifer Arlen, ed, Research Handbook on Corporate Crime and Financial Misdealing *3–4 (forthcoming 2017).
  • 124Recognizing the fact that prosecutors may pursue private benefits when deciding to impose or select a monitor, the DOJ has increased centralized oversight of both decisions. See Criminal Resource Manual § 163 (DOJ 2015), archived at http://perma.cc/6AD8-TEN2; Criminal Resource Manual § 166 (DOJ 2015), archived at http://perma.cc/TFD3-LHCU. This oversight reduces but does not eliminate prosecutors’ ability to obtain private benefits from the decision to impose a monitor.
  • 125Even when prosecutors are right that the existing system is inadequate, the social benefits of prosecutors using firm-specific mandates to address systemic deficiencies are likely to be low. First, and most obviously, firm-specific duties created and imposed by individual prosecutors do not address the deficient ex ante incentives created by the existing system. Instead, they affect only one specific firm with detected wrongdoing and only after ex ante incentives have failed. Second, prosecutors’ exercise of individual authority to impose costly heightened policing duties on some firms in an industry may distort competition in the industry and may decrease social welfare, particularly when all firms should be subject to the duty. General solutions are the superior response to deficiencies of general application.
  • 126See notes 8–9 and accompanying text.
  • 127See note 97.
  • 128See notes 113–14 and accompanying text.
  • 129See Arlen, 23 J Legal Stud at 842–43 (cited in note 10). Specifically, firms will not undertake effective compliance if the expected sanction if the firm does undertake effective compliance—which is the fine discounted by the probability of sanction when compliance is effective—plus the added cost of compliance exceeds the expected sanction if it does not.
  • 130See James B. Jacobs and Ronald Goldstock, Monitors & IPSIGS: Emergence of a New Criminal Justice Role, 43 Crim L Bull 217, 235, 237 (Spring 2007) (discussing the rise of private monitors that firms can hire voluntarily to enhance compliance, which can improve the corporation’s image with shareholders and regulators).
  • 131See Arlen, 66 U Miami L Rev at 336–40 (cited in note 19) (showing that the Organizational Sentencing Guidelines do not provide large firms with adequate incentives to self-report or adopt expensive compliance programs).
  • 132See Part III.B. Policing may also be inadequate if the controlling shareholder directly commits and benefits from the crime, which is a form of policing agency costs. Such situations are best addressed through personal liability on the controlling shareholder for the underlying crime.
  • 133See generally Deferred Prosecution Agreement, United States v Exactech, Inc, CR No 10-837 (D NJ filed Dec 7, 2010), archived at http://perma.cc/6K39-2CFY.
  • 134Notice of Annual Meeting of Shareholders to Be Held on May 3, 2012 *4, 7–8 (Exactech, Inc, Mar 23, 2012), archived at http://perma.cc/2AEL-J8AY. One of the most famous recent cases involving a firm with a controlling shareholder is the pending FCPA case against Wal-Mart. According to The New York Times, employees of Wal-Mart’s Mexican subsidiary paid bribes to Mexican government officials to speed store expansions in violation of the FCPA. David Barstow, Vast Mexico Bribery Case Hushed Up by Wal-Mart after Top-Level Struggle (NY Times, Apr 21, 2012), online at http://www.nytimes.com/2012/04/22/business/at-wal-mart-in-mexico-a-bribe-inquiry-silenced.html (visited Jan 10, 2017) (Perma archive unavailable) The CEO apparently responded to concerns raised internally by delegating the investigation to the firm’s Mexican subsidiary, notwithstanding concerns that the subsidiary would not conduct an independent investigation. Aruna Viswanatha and Devlin Barrett, Wal-Mart Bribery Probe Finds Few Signs of Major Misconduct in Mexico (Wall St J, Oct 19, 2015), online at http://www.wsj.com/
    articles/wal-mart-bribery-probe-finds-little-misconduct-in-mexico-1445215737 (visited Oct 26, 2016) (Perma archive unavailable). This delegation arguably is evidence of deficient policing. Evidence of widespread bribery in India uncovered by the DOJ’s investigation also suggests policing deficiencies in that division of the company. Id. Yet these policing deficiencies are unlikely to be attributable to policing agency costs. The Walton family controls about 50 percent of the company’s stock and has family members on the board involved in management. See Wal-Mart Stores, Inc, Schedule 14A: Proxy Statement pursuant to Section 14(a) of the Securities Exchange Act of 1934 *15–24 (SEC, Apr 20, 2016), archived at http://perma.cc/QW57-XMPZ (listing the members of Wal-Mart’s Board of Directors). Indeed, there is reason to believe that a family member was aware of the conduct. Barstow, Vast Mexico Bribery Case Hushed Up (cited in note 134). Instead of PDA mandates, prosecutors should impose sufficient corporate (and potentially individual) liability to demonstrate to the Walton family that Wal-Mart will be healthier financially if it adopts a proper compliance program and acts promptly to deter bribery than if it does not.
  • 135This is particularly likely in firms with isolated wrongdoing—suggesting that the compliance program may in fact be effective.
  • 136FCPA Resource Guide at *71 (cited in note 59) (“[C]ompanies are sometimes allowed to engage in self-monitoring, typically in cases when the company has made a voluntary disclosure, has been fully cooperative, and has demonstrated a genuine commitment to reform.”).
  • 137USAM § 9-28.800 (cited in note 6) (listing the timeliness of a corporation’s voluntary disclosure of wrongdoing as one factor to be considered when determining whether a company’s compliance program is adequate); USAM § 9-28.900 (cited in note 6) (discussing how the fact that a company self-reported should be considered when a prosecutor is deciding to prosecute but stating that it is only one factor in the analysis).
  • 138See generally Deferred Prosecution Agreement, Johnson & Johnson (DOJ, Criminal Division, Fraud Section, Jan 14, 2011), archived at http://perma.cc/7NAC-2T6R (“J&J DPA”). The J&J DPA states that the firm reported “the majority” of the misconduct. Id § 4(a) at *2. The mandates could arguably be justified if prosecutors found that as a result of policing agency costs managers knowingly failed to report all the misconduct they detected and that the omitted misconduct was material. The PDA on ABB Ltd also imposed compliance mandates on a firm that self-reported. Deferred Prosecution Agreement, United States v ABB Ltd, CR No 10-665, § 4 at *4–5 (SD Tex filed Sept 29, 2010), archived at http://perma.cc/JBP8-L7E8. Other PDAs impose monitors on firms that self-reported.
  • 139J&J DPA Attachment D §§ 1(a), 6–7, 9 at *33–36 (cited in note 138). J&J’s is not the only PDA that imposed mandates on a firm while describing it as having self-reported the wrong. Many PDAs imposing mandates on firms that self-reported involve foreign bribery. See, for example, Monsanto DPA §§ 1, 12 at *1, 9 (cited in note 46); Nonprosecution Agreement, RAE Systems Inc, *1 (USAO ND Cal, Dec 10, 2010), archived at http://perma.cc/PES2-XGP5 (“RAE NPA”). It is possible that some of these firms had high policing agency costs and undertook incomplete or delayed self-reporting. Yet a number of these cases imposed a mandate on the firm or its controlled subsidiary even though the firm self-reported and the wrongdoing occurred only in a single country or was otherwise isolated. See, for example, J&J DPA § 2 at *1 (cited in note 138) (noting that the pending charges were against only one subsidiary of J&J); Monsanto DPA Appx A at *1–5 (cited in note 46) (describing the actions that gave rise to the charges against Monsanto, most of which were limited to Monsanto’s activities in Indonesia); RAE NPA Appx A at *1–10 (cited in note 139) (detailing the FCPA violations, which were limited to the company’s activities in China). Isolated wrongdoing would appear to be consistent with the firm having an effective compliance program that failed in one area. It is hard to see the justification for imposing a mandate instead of (or in addition to) enhanced sanctions on firms that self-report isolated wrongdoing.

    Indeed, in some cases prosecutors even imposed a monitor on a firm that self-reported a violation. For example, the prosecutors negotiating with Smith & Nephew concluded that the firm voluntarily self-reported the wrong prior to imminent threat of detection and fully cooperated. The firm also voluntarily reformed its compliance program. Nevertheless, the DPA required the firm to accept and pay for a corporate monitor. It also imposed compliance program mandates. Smith & Nephew DPA §§ 3, 8 at *2, 6 (cited in note 60). This mandate is striking because the USAM specifically notes that monitors generally are not appropriate for firms that self-reported.

  • 140In some cases, the agency costs may arise entirely from the interpersonal dynamic among a small constellation of replaceable managers and directors. When this is true, the firm may be able to eliminate the problem by replacing these individuals with outsiders. Past analyses of PDAs reveal that many firms with detected wrongdoing replace management, and firms with detected wrongdoing that implicates contracting parties often hire outsiders to replace existing managers, doubtlessly to signal that the firm has turned over a new leaf. See Cindy R. Alexander, On the Nature of the Reputational Penalty for Corporate Crime: Evidence, 42 J L & Econ 489, 514–16 (1999). See also Arlen, Corporate Criminal Liability at 149–51 (cited in note 23) (discussing the factors influencing the reputational penalty for corporate crime). These firms, going forward, may not be subject to the level of policing agency costs that caused the initial breach, and thus intervention may not be needed.
  • 141The policing mandates included provisions governing the frequency of safety compliance visits at each underground mine, the information to be collected during these visits, and internal and external reporting requirements following those visits, in addition to multiple other requirements. Alpha NPA § 5(g) at *3 (cited in note 40). Prevention mandates included a mandate to spend at least $80 million on safety remedial measures in the two years following the agreement and to undertake specific safety measures, including “launch[ing] a new state-of-the-art safety training facility in the Julian, West Virginia area” that includes lab space of approximately 96,000 square feet and purchasing specific amounts of monitoring equipment and mine escape equipment. Id § 5 at *2–3.
  • 142Mario Parker and Zachary R. Mider, Alpha Natural Agrees to Buy Massey Energy for $7.1 Billion (Bloomberg, Jan 29, 2011), archived at http://perma.cc/9L9Z-5WP2. The NPA was signed December 6, 2011. See Alpha NPA § 1 at *1 (cited in note 40).
  • 143Parker and Mider, Alpha Natural Agrees to Buy Massey Energy for $7.1 Billion (cited in note 142).
  • 144Prosecutors may have imposed policing mandates, instead of imposing enhanced monetary sanctions for Massey’s policing breaches, because Alpha did not commit those breaches. The DOJ should adopt a policy against this because it allows firms with detected wrongdoing to insulate shareholders by simply selling the firm. Alpha would have paid less for Massey—to Massey’s managers’ and shareholders’ detriment—if it was confident it would have to pay large, predictable monetary sanctions for Massey’s crime and policing failures. Moreover, the PDA policing mandates are not the only questionable feature of this PDA, which also requires Alpha to contribute $48 million to a trust to be used to fund research and development on mine health and safety by nonprofits and academic institutions. Alpha NPA § 6 at *4 (cited in note 40).
  • 145In addition, assistant US attorneys regularly obtain new employment during the pendency of a PDA; their replacements have their own cases to attend to and are unlikely to actively oversee compliance with past PDAs. See Richard T. Boylan and Cheryl X. Long, Salaries, Plea Rates, and the Career Objectives of Federal Prosecutors, 48 J L & Econ 627, 643–44 (2005).
  • 146Indeed, experts in corporate governance do not agree on what corporate governance reforms are optimal. See generally, for example, Roberta Romano, Quack Corporate Governance, 28 Reg 36 (Winter 2005–2006) (finding that empirical evidence does not support many of the governance reforms that have been mandated by Sarbanes-Oxley). See also Sanjai Bhagat, Brian Bolton, and Roberta Romano, The Promise and Peril of Corporate Governance Indices, 108 Colum L Rev 1803, 1826–58 (2008) (finding that leading indices of good corporate governance are not good predictors of performance).
  • 147See, for example, BMS DPA § 8 at *3 (cited in note 47). Similarly, our analysis calls into question the mandate imposed on Friedman’s, Inc, requiring it to have both a nominations committee and a compensation committee, without any evidence that the deficient policing was tied to policing agency costs arising from a compensation structure that these committees would alleviate. See Nonprosecution Agreement, Friedman’s, Inc, § 8(C)–(D) at *11–12 (USAO EDNY, Nov 29, 2005), archived at http://perma.cc/2UTV-BSNA.
  • 148For example, Professor Roberta Romano concluded that reviews of research on the economic impact of splitting the CEO and board chair roles on US companies did not find that splitting the two positions has a significant effect on share price or accounting income. Roberta Romano, Less Is More: Making Institutional Investor Activism a Valuable Mechanism of Corporate Governance, 18 Yale J Reg 174, 192 & n 52 (2001) (describing the compelling arguments in favor of and against separation).
  • 149Shareholders can, and often do, file precatory resolutions under Rule 14a-8 to separate the CEO and chairman positions. See 17 CFR § 240.14a-8. Firms often implement resolutions that receive majority shareholder support. See Marcel Kahan and
    Edward Rock, Embattled CEOs, 88 Tex L Rev 987, 1011–13 (2010). Nevertheless, not all firms with strong institutional shareholders have adopted these measures.
  • 150See Uhlmann, 72 Md L Rev at 1331–44 (cited in note 9).