Building Better Compliance

Response - Online Edition - Volume 100

After about twenty years in the advertising business, multimillionaire Chester Bowles embarked on an extraordinary career in public service. From the 1940s through the 1960s, Bowles held a string of leadership positions in government: the administrator of the Office of Price Administration; director of the Office of Economic Stabilization; Governor of Connecticut; Ambassador to India; Under Secretary of State; and a member of Congress. Although now long deceased, Bowles is still frequently cited by both scholars and practitioners for a “simple yet enduring”[1] rule of thumb he espoused about regulatory compliance: “20 percent of the regulated population will automatically comply with any regulation, 5 percent will attempt to evade it, and the remaining 75 percent will comply as long as they think that the 5 percent will be caught and punished.”[2]

Bowles’s aphorism, despite being widely cited, was never based on any systematic empirical research. Instead, it was grounded in the experiential wisdom of a reflective public leader. The main point behind the aphorism—that most businesses and business managers stand ready to follow the law, as long as the truly recalcitrant businesses receive their due—surely has a grain of truth to it. But as much as firms do vary in their propensity to comply with the law, the exact percentage of the regulated population falling into each of Bowles’s three categories could very well differ considerably from the numbers he estimated. In fact, it would be quite surprising if the percentages across the three categories in the Bowles aphorism held true for all industries, with respect to all types of regulations, and during all times.[3] In industries facing distinctive economic stress, or perhaps for firms in all industries during periods of overall economic distress, legal recalcitrance might even reasonably be expected as the norm rather than just the exception.[4] And in any period of time, whenever noncompliance is hard to detect and legal requirements are especially costly to satisfy, a much higher percentage of resistance might also be expected.

Compared to the time when Bowles informed his impressions, decision-makers today have more research about corporate crime and organizational compliance to draw upon in making their decisions. Still, empirical knowledge about corporate legal behavior surprisingly remains much too scant. Indeed, more than a quarter century after Bowles shared his oft-quoted aphorism in his memoir, several leading criminologists conducted an exhaustive review of existing empirical research and concluded that “[c]orporate crime is a poorly understood problem with little known about effective strategies to prevent and control it.”[5] Although the study of compliance by individuals has been aided by the regular collection of data, such as through the annual criminal victimization studies conducted by the Bureau of Justice Statistics within the U.S. Department of Justice, no similarly routine, across-the-board data collection on corporate compliance exists.[6] As a result, the practice of corporate law enforcement and regulatory compliance assurance remains still much too driven by aphorisms and hunches.

This is what makes Dorothy Lund and Natasha Sarin’s article, Corporate Crime and Punishment: An Empirical Study, such a significant scholarly contribution.[7] Lund and Sarin deploy existing federal administrative data as proxies for corporate noncompliance, and they then use these data to reach some appropriately tentative but nevertheless important conclusions about the apparently insufficient deterrence of corporate crime in the United States. Their data suggest that the way to increase corporate compliance does not rest with merely increasing fines but also with finding other ways to ensure that corporate leaders and their employees take compliance more seriously.

Lund and Sarin’s exceptional contribution derives from how well they have overcome some of the prevailing limitations created by a lack of data on corporate compliance. Overall, their work is to be applauded and emulated, as it points the way forward toward exactly the kind of rigorous, data-rich research that is needed to build better corporate compliance in the future. Of course, many other major contributions have been made by other social scientists and legal scholars over the decades. Yet policymakers and regulators still need a better understanding of corporate crime, its antecedents, and its consequences. As Lund and Sarin aptly note, without additional efforts to use better data on “corporate crime—which can affect millions of people’s lives and bring down entire economies—enforcement plows forward blindly, subject to political winds rather than taking a clear look at whether crime is being adequately deterred.”[8]

I. Why Corporate Compliance Matters

To appreciate the significance of Lund and Sarin’s scholarship and the need for additional efforts to study corporate compliance empirically, it helps at the outset to elaborate the pivotal role that compliance plays within a much larger, society- and economy-wide perspective of law and its role in delivering public value.[9] When viewed from this perspective, compliance matters not for its own sake but for the sake of what it means for the welfare of society. In any system of reasonably well-designed laws, corporate compliance will be pivotal to solving important problems and making the world a better place.[10]

Business organizations need certain legal obligations imposed on them because, even though these organizations fulfill a vital role in delivering valuable goods and services throughout society, their managers’ incentives are not always fully aligned with outcomes that are optimal for society.[11] Competing businesses sometimes need rules to provide essential coordination of their products and actions, such as when electric utilities seek to transmit the power they produce over a common grid of transmission lines. Such coordination is similar to any other public good that cannot be easily commodified and, without legal rules, will end up being undersupplied. Moreover, when left to their own devices, businesses can generate harmful externalities, such as pollution and other residual side effects. Some businesses can also take advantage of consumers and investors by failing to provide them with needed information or even by outright deceiving them. Businesses can also find it in their interest to collude with each other or otherwise acquire market power so they can charge excessive prices to consumers.

To address the variety of problems that otherwise desirable and needed business activity can create, governments impose regulations. But regulations are not magic pixie dust. Merely creating rules does not guarantee that problems will be miraculously solved. Regulations can work only if they change behavior from what would have otherwise occurred to a more desirable state of affairs. Legal rules, if designed properly, operate essentially as signposts, pointing businesses in a direction that will enhance overall welfare. These rules, or signposts, enhance welfare only if they are followed—that is, when businesses comply with the rules.

This is not to suggest that legal rules provide the only means for channeling business behavior in a more socially optimal direction. Far from it. Corporations can certainly find it within their own interests to engage in socially responsible behavior.[12] Investors, employees, and customers may provide their own incentives for businesses to solve market failures and other public problems, wholly apart from any legal requirements.[13]

In an important cross-national study of businesses’ efforts to minimize the environmental impacts of their operations, Neil Gunningham, Robert A. Kagan, and Dorothy Thornton identified three clusters of factors that shape business behavior, which they organized under an overarching rubric of what they have called a “license to operate.” [14] These include not only the official regulatory license reflected in the law’s mandates but also an economic license made up of competitive market pressures—including investor expectations—and a social license comprising the pressures provided by community groups and activist organizations.[15]

Gunningham, Kagan, and Thornton argued that even though some companies respond to economic-license pressures by resisting or just barely following the terms of their regulatory license, other businesses take the high road.[16] Some companies earnestly seek not merely to comply with their regulatory license but also to embrace their social license and make socially valuable investments that go well beyond the minimum required by law.[17] It is not hard to see examples of such firms, whether in corporations that make serious pledges to reduce their emissions of greenhouse gases or companies that have taken public stands against restrictive immigration policies.[18] Taking firms together and deploying a schema that resembles the one used by Chester Bowles, Gunningham, Kagan, and Thornton classified companies into five groupings: (1) laggards, (2) reluctant compliers, (3) committed compliers, (4) strategists, and (5) true believers—the last of which consistently seek to go above and beyond what the law requires.[19]

Recognizing that firms can be motivated by their social license, scholars and activists have proposed efforts to influence corporate behavior without depending on compliance with binding legal mandates. Nongovernmental organizations around the world, for example, have created voluntary standards for environmental and energy sustainability that some companies have opted to follow, obtaining either literal or proverbial seals of approval that come from certification of their conformity with these standards.[20] Investors have paid considerable attention to ratings given to companies’ efforts to manage the environmental, social, and governance facets of their businesses—or so-called ESG behavior.[21] Large manufacturers and retail companies have sometimes required that their suppliers meet various types of social and environmental requirements that are not demanded by law.[22] Similarly, private hedge funds have insisted that firms they invest in undertake commitments to issues such as diversity and climate action that the firms are not legally required to undertake.[23] Even government regulators have entered the scene by creating voluntary programs designed to recognize and reward companies for engaging in socially responsible behaviors beyond those required by law.[24]

A growing body of empirical research shows that companies can and do respond to nonregulatory incentives to solve what would traditionally be viewed as regulatory problems.[25] This research gives hope to advocates of voluntary programs and standards—and it might even lead some observers to wonder whether corporate compliance with regulatory law even matters much anymore. After all, some scholars argue that private, nonregulatory governance strategies are the way forward and that, for some problems, they have come to “play the standard-setting, implementation, monitoring, enforcement, and adjudication roles traditionally played by public regulatory regimes.”[26]

But it would be a mistake to discount the value to society of corporate compliance with legal mandates. The empirical research on firms’ responses to social-license pressures is certainly important, especially in showing the complexity of pressures confronting business managers. This research does not, though, support the conclusion that voluntary programs and standards can act as full substitutes for legal requirements. Some of the evidence in support of voluntary behavioral change is quite mixed, but even when research studies show statistically significant changes from social-license pressures, these changes often tend to be substantively quite modest.[27] The level of voluntary investment in solving public problems associated with business activity almost certainly remains well below the socially optimal level.

Indeed, it is precisely because of the myriad competing pressures bearing down on firms—especially the economic ones—that there remains a need for legal rules, along with regulatory sanctions to induce compliance with them. Although the study by Gunningham, Kagan, and Thornton is best known for its central focus on and pathbreaking elucidation of the social license, when these researchers collected data on changes in pollution levels from the firms in their study, they found that the most significant decline over time—upwards of 80 to 90 percent reductions in certain contaminated discharges—came about in response not to social-license pressures but to regulations.[28] Regulations do matter. And when they are well-designed, and when regulators can ensure compliance with them, they can lead to real behavioral change and improved outcomes for society.

II. Compliance as a Bridge

The importance of compliance has been tragically reinforced in recent decades by a variety of catastrophes that have followed businesses’ failures to comply with applicable rules.[29] The U.S. mortgage market, for example, was rife with fraud in the years preceding the financial crisis of 2008.[30] As Lund and Sarin note, “many commentators view lax regulatory oversight and policing of fraud and misconduct as contributing factors to the global economic collapse.”[31] In addition to the financial crisis, investigations of major industrial accidents commonly reveal that these calamities have followed from a failure of facility owners and operators to comply with basic safety rules.[32]

When regulation works well, though, calamities can be avoided. Effective regulation proceeds in three straightforward steps, with compliance situated in the middle: (1) the government adopts mandatory rules and pursues enforcement and other compliance-oriented activities; (2) the rules, penalty risks, and associated compliance-oriented activities change the behavior of the individuals and organizations they target; and (3) the changed behavior results in improved conditions in the world, such as reductions in bank failures, fraudulent transactions, hazardous emissions, workplace accidents, and other regulatory problems.[33]

In this simple model of effective regulation, compliance serves as a bridge between regulation and outcomes. What ultimately matters for society are the outcomes realized at the third step of this model. In the best of circumstances, these outcomes will improve because the efforts at the first step lead to behavioral change at the second step. Yet, unfortunately, regulators have historically paid insufficient attention to measuring the outcomes at the third step and assessing whether they are affected by what the regulator does at the first step.[34]

The first step is easy to measure, and perhaps for that reason it too often both begins and ends most inquiries. Regulators, the media, policymakers, and even scholars focus where the light is: on the easily acquired numbers of rules, audits, and enforcement actions undertaken in a given year. They also easily see the size of penalties assessed. In the end, as Lund and Sarin aptly observe, scholars and others “have generally relied on corporate criminal enforcement as a proxy for crime levels,”[35] rather than gathering reliable data on steps two or three of the regulatory model.[36]

A focus only on step one is merely bean counting.[37] In isolation from the other two steps, focusing on what the regulator does at the first step is of little value. After all, a world with no enforcement actions by the regulator could be, without knowing anything more, equally consistent with either (i) a total free-for-all state of rampant noncompliance, or (ii) a world in which all regulated entities are fully complying with the rules. Any regulatory agency should be so lucky as to get to a point where it no longer needs to take any enforcement actions because all firms are in full compliance.

Another problem with relying just on enforcement data, as Lund and Sarin note, is that the number of such actions taken by a regulator (step one) can vary based on a host of factors unrelated to the underlying rate of noncompliance (step two) and the levels of regulatory problems (step three).[38] It is well understood, for example, that federal enforcement activity varies from one administration to the next.[39] It would be surprising if this variation in enforcement activity matched varying levels of firms’ compliance in a way that just so happened to correspond with changes in the political party occupying the White House.

Cautioning against relying on bean counting, though, is not to say that data on a regulator’s actions are meaningless. These data actually do matter because regulators need to know how their actions affect compliance and outcomes. This is why Lund and Sarin provide first-step data in the early part of their article, showing that, “since the early 2000s, enforcement agencies have pursued fewer cases against corporations, brought fewer actions against individuals, increased the number of settlements, and obtained increasingly higher fines.”[40] They are not sharing these data because they think they indicate underlying rates of compliance and regulatory problems. Rather, they ultimately want to answer the $64,000 question: whether changes in regulators’ actions are changing compliance with the law and, ultimately, reducing the problems targeted by the law.

By themselves, even outcome data cannot answer the $64,000 question. Outcomes might well be improving when the regulator takes more enforcement actions, but this does not necessarily mean that the improvements have come about from the regulator’s actions. Consider the regulation of industrial pollution. Over the last fifty years, the air in the United States has seen a marked reduction in ambient levels of various regulated pollutants.[41] Although at first glance this reduction in polluted air would seem to be a sign that environmental regulation has worked as intended—and the U.S. Environmental Protection Agency (EPA) has long suggested as much—it must be recognized that lower labor costs in other countries have driven many polluting industries overseas. The U.S. economy has transformed from a manufacturing to a service economy over the last half century for reasons unrelated to regulation. As a result of these changes in the overall economy, the actions taken by environmental regulators surely cannot fully explain all the improvement in air quality, as some of this improvement—perhaps even a substantial amount—would have happened anyway given the shift in the nature of economic activity.[42]

In any regulatory setting, outcomes might be similarly improving for reasons having little or nothing to do with what the regulator is doing. The corollary is also true: outcomes might be getting worse, but this does not mean that the regulator’s actions are not helping. Outcomes could be worse but still better than they would have been in the absence of regulation.

The only way to know whether regulators’ actions are working—and to learn how to make their actions work better—is to collect data on all three steps. The aim should be to do exactly what Lund and Sarin have so ably shown how to do: think rigorously about what variation in first-step data on regulatory actions might have to do with variation in data on the latter steps in the regulatory model. Lund and Sarin do not satisfy themselves just with relying on the easily available data on regulatory beans; they seek out better sources of data on the impacts of regulation. One of the major contributions of their study is its compilation—and triangulation—of extensive time-series data from three new sources: suspicious activity reports (SARs) submitted to the Financial Crimes Enforcement Network (FinCEN); consumer complaints filed with the Consumer Financial Protection Bureau (CFPB); and whistleblower reports submitted to the Securities and Exchange Commission (SEC). Lund and Sarin show the regulatory and research community not only how to break free of the reliance on bean counting but also how to think rigorously about making causal connections between regulatory enforcement actions and regulatory results.

Lund and Sarin do not, of course, present the three-step model of regulatory efficacy in the precise terms that I have presented it here, with compliance as a bridge between regulatory actions and outcomes. Indeed, it would hardly be surprising if some readers of their article concluded that they never fully distinguish between compliance (step two) and outcomes (step three). They treat their data from SAR reports, consumer complaints, and whistleblower reports as proxies for underlying corporate crime, which is simply another way of saying noncompliance.[43] This is technically just a step-two concern—the bridge, not the destination. Where, one might ask, are their outcome data?

Even if distinct outcome data are not present in detail in Lund and Sarin’s study, this would not diminish the significance of what they have contributed. After all, a focus on compliance is still a major advance over just relying on regulatory bean counting.[44] It moves at least somewhat along the causal chain. Furthermore, compliance is itself an outcome of concern. It is an important outcome, too. Lawmakers and regulators presumably created rules because they thought it would be a good thing for firms to behave in accord with them.

Compliance is simply not the ultimate outcome of concern. The ultimate outcome is what the law aims to achieve, such as market fairness or efficiency. Sometimes, though, compliance is coextensive with the ultimate outcome of concern. This occurs when outcomes are embedded within the legal obligations in the rules, such as when rules prohibit the very outcomes that regulators seek to avoid or mandate the very outcomes desired.[45] In such instances, the three-step model effectively collapses to two steps and compliance takes on intrinsic value; it becomes identical to the ultimate outcome of concern. And that is likely the case for some of the financial rules of interest to Lund and Sarin, such as fraud.

Having said all this, estimates of compliance may sometimes be reasonable proxies for the ultimate outcomes of concern, especially when the ultimate outcomes are hard to measure. It is clear that this is what Lund and Sarin have in mind. Admittedly, they do not always write in the exact terms of the three-step model, and they do treat their main data as proxies just for crime or noncompliance. But they also undeniably recognize compliance to be a bridge. They just see their compliance-related data, appropriately, as serving as reasonable proxies for the ultimate outcomes that follow from noncompliance. As they note, “[m]easures of white-collar crime in the United States estimate that it costs anywhere from $426 billion to $1.7 trillion annually.”[46] They continue by observing that, “[p]ut simply, corporate crime affects all of us—as consumers, employees, and investors who increasingly save for retirement by investing in the stock market.”[47] Surely anyone who was planning to retire in the fall of 2008 would agree.

III. What Do We Know About Compliance?

Given the importance of compliance, both as a bridge to ultimate outcomes and, in some cases, as coextensive with these ultimate outcomes, what do we know about it? A short answer would be that, just as Lund and Sarin’s data indicate, compliance is far from complete. Perhaps Bowles was wrong about most firms being willing to comply as long as regulatory enforcers target the recalcitrant firms—or perhaps the government has been failing across the board to prosecute the proverbial “five percent” that are the true laggards.

Scholars and regulators have known that compliance falters long before Lund and Sarin published their study. If there is anything close to a golden rule in the study of regulation, it might be that noncompliance is common across all areas of law and in all jurisdictions. As Jonathan Feinstein has put it, “[c]rime and underground economic activity are a fact of life around the world.”[48] When it comes to complying with rules about payment of taxes, for example, it has been noted that “[t]he problem of tax compliance is as old as taxes themselves”[49] and that “[t]ax evasion is widespread, always has been, and probably always will be.”[50] In the realm of environmental regulation, Dan Farber has described noncompliance—or what he calls “slippage”—as “so ubiquitous that we take it for granted,” noting that it is “such a commonplace phenomenon that it becomes almost invisible.”[51]

The actual level of noncompliance can be difficult for researchers to ascertain, as those who fail to comply with regulations rarely seek to make their illegal behavior transparent. Noncompliers actually have an affirmative incentive to conceal their noncomplying behavior to avoid detection and punishment. Notwithstanding this challenge, researchers and policy officials have been able sometimes to estimate noncompliance using random audits, such as those the U.S. Internal Revenue Service (IRS) has for many years used to identify noncompliance with federal tax rules.[52] On the basis of these audits, the IRS has estimated that the amount of revenue the IRS is unable to collect due to noncompliance amounts to hundreds of billions of dollars annually.[53] Others have similarly estimated that noncompliance with tax regulations may result in as much as $750 billion in lost revenues annually.[54]

The former head of the EPA’s Office of Enforcement and Compliance Assurance, Cynthia Giles, has described an effort that her agency embarked on twenty years ago to determine the level of compliance with air pollution, water pollution, and hazardous waste regulations.[55] The agency picked one important rule in each of these three categories of environmental regulation and then randomly selected several hundred facilities to inspect for compliance with these three rules. Noncompliance ranged from about 35% for the hazardous waste rule to slightly more than 60% for the water pollution rule.[56] More generally, Giles has reported that the EPA’s overall repository of water discharge self-reports—that is, forms submitted by firms themselves—shows that as many as 75% of all major dischargers violate their legal requirements each year.[57] Giles concludes that, plainly, “[s]erious noncompliance with environmental rules is common. It is common across all programs and industry types.”[58]

Much the same can be said across other policy domains.[59] The research literature provides a variety of sporadic but broadly consistent findings that reveal substantial levels of noncompliance with business regulations across different industries and in different substantive policy domains. This is not to suggest, of course, that all violations of the law are equal. Although some studies do distinguish between serious and nonserious violations, an important direction for future research continues to be to investigate different forms and degrees of compliance and noncompliance. Not all noncompliance creates the same social harm. Moreover, sometimes compliance itself can be rote and formulaic, adhering to the letter of the law but still missing its spirit and thereby suboptimally addressing the problems that motivated the law in the first place.[60]

Still, the research documenting considerable levels of noncompliance from across a range of substantive regulatory domains reinforces Lund and Sarin’s suggestion that prevailing regulatory practices underdeter corporate crime.[61] Lund and Sarin, though, go further. Not only do they report data suggestive of significant levels of noncompliance with financial regulations, but they also find indicators that such corporate crime is on the rise.[62] This temporal dimension makes Lund and Sarin’s contribution stand out from much past research. They report data revealing trends in noncompliance over five- to seven-year time periods following the adoption of postcrisis financial reforms—the same time period during which they observe that the volume of prosecutions for corporate crime declined.

Lund and Sarin’s conclusion about the inadequacy of current levels of enforcement would appear to be bolstered by additional data they report on recidivism in corporate crime.[63] Reviewing data on a sample of nearly 275 companies subjected to prosecution from 2001 to 2018, they find that companies prosecuted more than once during this period tended to be larger firms that received relatively smaller fines—at least as a fraction of their overall assets or revenues.[64] Lund and Sarin also report data showing that repeat prosecutions against large companies are on the rise, especially after 2011.[65] They recognize that these data could well be affected by a number of other factors; these data are, after all, reflecting enforcement “beans,” not compli-ance levels or ultimate outcomes.[66] But Lund and Sarin still worry that “even very large fines imposed on . . . [a large corporate] entity might not induce the company to deter future incidents of wrongdoing.”[67]

If current levels of enforcement fines fail to provide specific deterrence to keep prosecuted firms from reoffending, then an even bigger worry presumably exists about the efficacy of general deterrence—that is, how fines imposed against one firm deter other firms. This is the very mechanism that Bowles apparently saw as key to inducing compliance by the bulk of the population who simply do not want the experience of “being had.”[68]

In work separate from the cross-national research described in Part I, the team of Gunningham, Kagan, and Thornton carried out a distinctive study investigating general deterrence in the context of environmental regulation.[69] Drawing on a sample of completed enforcement cases across different industries and states that had been publicly announced by the federal EPA, Thornton, Gunningham, and Kagan surveyed managers at facilities in the same states and industries.[70] When asked about the specific enforcement case in the sample from their own state and industry, only about 40% of the surveyed managers had ever even heard of it.[71] And when asked about their general awareness of other enforcement cases, the managers overall reported awareness of far fewer enforcement actions than the EPA actually completed.[72] Perhaps most striking, Thornton, Gunningham, and Kagan found that their respondents who were best aware of the EPA’s enforcement actions were no more likely than respondents from other firms to report taking steps to improve their facilities’ regulatory compliance.[73]

Needless to say, in expressing skepticism about how well current enforcement patterns are deterring noncompliance, Lund and Sarin join a chorus with many voices. As Mihailis Diamantis and Bill Laufer have noted, analysts and decision-makers have long expressed “persistent and very serious concern” over “whether the sanctions presently levied against corporations are sufficient to prevent future corporate crime”—and “[n]o one seriously argues that they are.”[74]

IV. The Path Forward

With the present trajectory widely acknowledged to be unsatisfactory, the challenge ahead will be one of finding out how to build better compliance. It is here that Lund and Sarin again point in exactly the right direction. The key to meaningful progress rests in the first instance on understanding better the connections between regulators’ actions (the first step of the three-step model outlined in Part II) and the resulting outcomes in terms of either compliance or social and economic conditions (steps two and three, respectively).

The federal government currently conducts regular surveys on the incidence of violent crimes and other individual-level crimes, and these data efforts allow researchers and law enforcement officials to gauge whether specific interventions may be helping.[75] But no one is conducting any general, regular research into the incidence or consequences of corporate crime. The existing data tend to be too fragmentary and collected only sporadically.[76] It is against this backdrop that Lund and Sarin’s research is especially consequential. In demonstrating how multiple sources of regularly collected administrative data can be used as proxies for compliance,[77] Lund and Sarin have made an important step forward to show how to start filling a major gap in actionable knowledge.

Other efforts along these lines are needed if regulators and law enforcement officials are to learn how to do their work better. As Lund and Sarin rightly conclude, only “[b]etter data would enable a better understanding of the aspects of the federal enforcement regime that are succeeding or failing and where additional attention and resources should be directed.”[78]

The path forward is admittedly a challenging one. A big part of that challenge stems from the organizational nature of corporate compliance. Organizational behavior is inherently complex. It encompasses individual behavior and all the factors that affect what individuals do, along with the interactions between individuals that make up an organization and interact with it within its environment.[79] Organizations are affected by external economic, legal, and regulatory pressures, but also by their own internal “licenses to operate.”[80] The complexity of organizational behavior makes the relative paucity of regular, systematic data on corporate compliance that much more unfortunate. If anything, to understand corporate compliance well, we need more, not fewer, empirical datasets on business behavior than we have on individuals’ compliance with the law.[81]

Data are especially needed to identify how well different regulatory and compliance assurance efforts work under different conditions to alter levels of compliance and affect ultimate outcomes of concern. And when current practices are not leading to desired results, we need to learn what alternative options might perform better.

One set of options would entail simply doing more of what is currently being done: conducting more audits and prosecutions, and imposing bigger fines. Lund and Sarin’s analysis offers little reason to think that these options would make much of a difference. Although fines have increased over time in their data, these penalty increases are not associated with a corresponding increase in compliance, according to their data.[82] Even though increasing audits and prosecutions would increase the probability of companies being fined, Lund and Sarin’s data on corporate recidivists also raise the question of whether a mere increase in probability would do much to lead companies to comply better.[83]

Still, with today’s technology, such as artificial intelligence or machine-learning algorithms, regulators could improve their ability to monitor and detect violations, perhaps even intervening before fraud or other forms of noncompliance become widespread.[84] It is simply no longer impossible to envision regulatory systems in which real-time data sharing between firms and regulators could occur, thereby facilitating the use of digital tools that can rapidly detect and respond to legal violations.[85]

Managerial remedies inside the firm represent another set of options to consider. Perhaps regulators can improve compliance by imposing certain kinds of metacompliance requirements, such as requiring firms to implement compliance management systems, conduct compliance audits, or subject themselves to the scrutiny of corporate monitors.[86] We need to know more about these tools, but to date there is little systematic research to indicate that they will make a substantial difference. Lund and Sarin’s own analysis of recidivism fails to find any correlation with audit or corporate monitoring requirements.[87] The extant research on compliance management systems, at least as they have operated in the past, indicates that these internal processes have at most only a small positive impact on compliance.[88] More research would be helpful, especially as applications of newer digital technologies might help improve such systems.[89]

Overall, technological innovations promise to provide another range of options that merit study and consideration. Some of these tools could help in building compliance and its monitoring into the rules themselves, using what Cynthia Giles has called “compliance drivers”[90] or what Edward Chang has called “structural laws.”[91] Probably the most common, but decidedly low-tech, examples of structural compliance measures are literal speed bumps placed onto roadways, as these bumps function on their own to slow vehicles and obviate the need to enforce posted speed limits.

Another simple example of such a built-in compliance driver is the federal regulation that helped ensure that station attendants and automobile owners would not use leaded gasoline to fill the gas tanks of cars designed to use unleaded gasoline.[92] Although it was illegal for anyone to put leaded gasoline into an automobile designed for unleaded gasoline, federal regulation also specified the size of gas pump nozzles so that gas pump nozzles for leaded gasoline simply would not fit into the inlet ports of cars that run on unleaded fuel.[93] The latter requirement effectively drove compliance by making the easy, default action one that complies with the law.

Similar compliance-inducing structures, appropriately adapted to entirely different contexts, could be created in other regulatory systems aimed at corporate behavior. Such compliance drivers or defaults could increasingly be built into the computer systems that corporate managers and employees use as part of the routine internal operations of their firms, essentially hardwiring compliance into the automation of transactions and internal workflows.

Finally, there remains a key option that Lund and Sarin raise: holding corporations’ top individual leaders liable when their firms fail to comply with the law.[94] Lund and Sarin argue that “low-level offenders tend to commit crimes in response to organizational pressure, and yet there is almost no way to pin criminal charges on the top executives who are responsible for that culture.”[95] To allow prosecutors to target high-ranking executives more easily, Lund and Sarin propose greater application in the corporate compliance realm of causes of action such as control person liability or aiding and abetting.[96] As a further method of keeping executives accountable, they point to Section 302 of the Sarbanes-Oxley Act, which requires the top executives at public companies to sign off on their firms’ financial statements.[97] And other scholars have suggested still another approach: shaming the managers of companies that experience compliance problems.[98]

Any of these options could potentially bolster corporate compliance. Some, though, will do better than others. And some might not work at all. All of them will have their costs, perhaps some with untoward side effects, such as increased incentives for deception and evasion.[99] Finding out which of these effects occur, and ultimately how to deliver net improvements by building better compliance, will demand careful empirical inquiry. The key to charting the path forward will be to collect data, conduct experiments, and undertake rigorous evaluations to learn what alternative interventions make a positive difference.[100]


Regulations can protect the public from deception and other harmful effects of corporate conduct. But they can only provide that protection if corporations comply with the law. Unfortunately, regulators and law enforcement officials have for too long had available to them little more than their own hunches on which to base their enforcement decisions and to try to increase compliance by business organizations. These hunches may well have some grain of truth to them—much as Chester Bowles’s aphorism may well reflect certain intuitive patterns in when and why corporations comply with the law. When the stakes are high, though, as they necessarily are when corporate misbehavior can affect millions of people’s lives and livelihoods, we need to know much more. Surely government can do better than to continue to rely on intuitions or aphorisms from a bygone era, even those offered by the most thoughtful of public leaders.

To do better, officials will need to learn from additional rigorous empirical work along the lines of the important contribution that Lund and Sarin have made. Their research offers hope that the aspiration of a more empirically informed approach to corporate compliance is realizable. The attainability of such an aspiration is also reflected in the increasing attention federal agency officials are giving to evidence-based decision-making more generally.[101] It is also evinced by emerging efforts by both private firms as well as regulatory agencies to build data infrastructures that can take advantage of advances in digital technologies. According to a 2020 study of the use of artificial intelligence by federal agencies in the United States, general research and law enforcement have so far made up the most frequent tasks that agencies have assigned to these advanced data analytic tools.[102] Further applications of digital technologies, combined with new data collection and management efforts, will add further hope that regulators and law enforcement officials can learn to do better.

Over eighty years have passed since Chester Bowles’s days serving as a regulator. It would not diminish in any way his distinguished public service to abandon citing him in regulatory compliance research or, more generally, for regulatory officials to resist the influence of intuition in their decision-making about compliance. The best way to advance the spirit of public service that animated Bowles’s long governmental career would be to do more to test out empirically what actually works—and what does not.[103] Only with better empirical analysis can we foster the kind of policy learning needed to make smarter regulatory decisions. And only then can we build a future with better compliance.

  1. .Douglas C. Michael, Cooperative Implementation of Federal Regulations, 13 Yale J. on Reg. 535, 537 (1996).
  2. .The language quoted in the text is a common paraphrasing of Bowles, not an exact quotation of him. See, e.g., Clifford Rechtschaffen, Deterrence vs. Cooperation and the Evolving Theory of Environmental Enforcement, 71 S. Cal. L. Rev. 1181, 1223 (1998) (using the paraphrasing shown in the text); Durwood Zaelke & Thomas Higdon, The Role of Compliance in the Rule of Law, Good Governance, and Sustainable Development, 3 J. Eur. Env’t. & Planning L. 376, 383 (2006) (using nearly identical paraphrasing); Eugene Bardach & Robert A. Kagan, Going by the Book: The Problem of Regulatory Unreasonableness 65–66 (1982) (using nearly identical paraphrasing). Although the paraphrasing of Bowles is typically offered to describe business behavior, the original source of Bowles’s actual quotation makes clear he was speaking of individual compliance, based on observations he made as an administrator in Connecticut charged with overseeing gasoline rationing in the early 1940s. Specifically, it was from observing the general public’s reaction to a federal ban on “pleasure driving” in Eastern states that Bowles concluded:

    [A] very small percentage of the public—perhaps 2 or 3 percent—are inherently dishonest; while something like 20 percent can be trusted to obey the law regardless of what others do. The remaining 75 percent or so genuinely want to be honest, but they are also determined not to confirm P.T. Barnum’s assertion that “a sucker is born every minute”; breaking a law or two is a small price to pay to escape the unpleasant sense of being had. The solution clearly is to avoid unenforceable laws and rigidly to enforce those which the majority are prepared to support.

    Chester Bowles, Promises to Keep: My Years in Public Life, 19411969, at 41–42 (1971). Bowles elsewhere did express confidence that most businesses tended to follow the law, but he did not do so using the three categories of compliance propensities that have been widely attributed to him. See, e.g., id. at 87 (claiming that “most businessmen, who might be termed the ‘vast silent majority,’ realized [the] importance [of price controls] and did all they could to make them work”); Chester Bowles, Bowles Answers Six Vital Questions, N.Y. Times, Mar. 24, 1946 (“The overwhelming majority of business men, manufacturers, wholesalers, and retailers—like the overwhelming majority of consumers—have never entered, nor will enter, the black market.”); Chester Bowles, Regulating Meat Prices, N.Y. Times, Nov. 5, 1947, at 26 (“The great majority of American industries with which I worked during the war cooperated whole-heartedly with their Government in the fight against inflation. Although they were often critical of our regulations, with a handful of exceptions they understood the absolute necessity for price controls and played the game squarely.”).

  3. .After all, the period during which Bowles served as a regulator—World War II—was an exceptional time when compliance with rationing orders and price controls may have been increased by prevailing sentiments of patriotic duty.
  4. .Sometimes during economic downturns, regulators will even relax their enforcement of the law—perhaps in anticipation of large-scale noncompliance or perhaps in a gesture to help industry during times of distress. See, e.g., Memorandum from Susan Parker Bodine, Assistant Adm’r Enf’t & Compliance Assurance, Env’t Prot. Agency (Mar. 26, 2020), https://‌‌/sites‌/default‌/files‌/2020-03‌/documents‌/oecamemooncovid19implications.pdf [].
  5. .Sally S. Simpson, Melissa Rorie, Mariel Alper, Natalie Schell-Busey, William S. Laufer & N. Craig Smith, Corporate Crime Deterrence: A Systematic Review, Campbell Systematic Revs., May 1, 2014, at 1, 5.
  6. .See Sally S. Simpson, Reimagining Sutherland 80 Years After White-Collar Crime, 57 Crimi-nology 189, 193 (discussing how “systematic counts and measures of business crimes still do not exist”).
  7. .Dorothy S. Lund & Natasha Sarin, Corporate Crime and Punishment: An Empirical Study, 100 Texas L. Rev. 285 (2021).
  8. .Id. at 287.
  9. .See Mark Moore, Recognizing Public Value 12 (2013).
  10. .Malcolm Sparrow, The Regulatory Craft: Controlling Risks, Solving Problems & Managing Compliance 63–64 (2000); Cary Coglianese, Regulating for a Better Tomorrow (forthcoming 2023).
  11. .Richard Cordray, Watchdog: How Protecting Consumers Can Save Our Families, Our Economy, and Our Democracy 224 (2020) (explaining that regulation is needed “to fortify the market against the defects of imperfect competition.”).
  12. .David Vogel, The Market for Virtue: The Potential and Limits of Corporate Social Responsibility 2–3 (2d ed. 2006); Forest L. Reinhardt, Environmental Protection and the Social Responsibility of Firms: Perspectives from the Business Literature, in Environmental Protection and the Social Responsibility of Firms: Perspectives from Law, Economics, and Business 151, 157 (Bruce L. Hay, Robert N. Stavins & Richard H.K. Vietor eds., 2005).
  13. .See, e.g., Forest L. Reinhardt, Down to Earth: Applying Business Principles to Environmental Management ix, 2–3 (2000). For a review of empirical studies on the financial performance of firms that voluntarily engage in responsible behavior, see Elizabeth Pollman, Corporate Social Responsibility, ESG, and Compliance, in The Cambridge Handbook of Compliance 662, 665 (Benjamin Van Rooij & D. Daniel Sokol eds., 2021). Robert Kagan and I have noted elsewhere that “many business managers regard the risk of informal social sanctions as far more salient and economically threatening than even the risk of regulatory penalties.” Cary Coglianese & Robert A. Kagan, Introduction, in Regulation and Regulatory Processes xi, xxii (2007). This may well be because, as Lund and Sarin note, sometimes regulatory sanctions can be considered to be largely “inconsequential ‘parking tickets’”—or just a “cost of doing business.” Lund & Sarin, supra note 7, at 291–92, 341, 352 (quoting Oversight of the Federal Trade Commission: Strengthening Protections for Americans’ Privacy and Data Security: Hearing Before the Subcomm. on Consumer Prot. & Com. of the H. Comm. on Energy & Com., 116th Cong. 51 (2019) (statement of Rohit Chopra, Comm’r, Fed. Trade Comm’n)).
  14. .Neil Gunningham, Robert A. Kagan & Dorothy Thornton, Shades of Green: Business, Regulation, and Environment 4345 (2003).
  15. . Id.
  16. . Id.
  17. . See generally Hillary A. Sale, The Corporate Purpose of Social License, 94 S. Cal. L. Rev. 785 (2021).
  18. .See generally Tom C.W. Lin, The Capitalist and the Activist: Corporate Social Activism and the New Business of Change (2022); Judith Rodlin & Saadia Madsbjerg, Making Money Moral: How a New Wave of Visionaries is Linking Purpose and Profit (2021); Aaron K. Chatterji & Michael W. Toffel, The New CEO Activists: A Playbook for Polarized Political Times, Harv. Bus. Rev., Jan.–Feb. 2018, at 78.
  19. . Gunningham, Kagan & Thornton, supra note 14, at 101–02. For Gunningham, Kagan, and Thornton, these differences across firms exemplified distinct “styles” of management. Id. at 96–98; see also Cary Coglianese, Robert A. Kagan: Man of Style, Regul. Rev. (Dec. 17, 2013), https://‌‌/2013‌/12‌/17‌/coglianese-kagan-man-of-style‌/ [ ZXT2-9B5G]. These might also be considered a type of internal license to operate. See Jennifer Howard-Grenville, Jennifer Nash & Cary Coglianese, Constructing the License to Operate: Internal Factors and Their Influence on Corporate Environmental Decisions, 30 Law & Pol’y 73, 75–76 (2008).
  20. .Cary Coglianese, Environmental Soft Law as a Governance Strategy, 61 Jurimetrics 19, 22–24 (2020).
  21. .See, e.g., Quinn Curtis, Jill Fisch & Adriana Z. Robertson, Do ESG Mutual Funds Deliver on Their Promises?, 120 Mich. L. Rev. 393, 398, 401 (2021) (discussing the “ESG movement” and empirically investigating the performance of ESG investment funds).
  22. .Ford Motor Company requires its suppliers to meet ISO 14001 certification requirements. Jonathan W. Newton, Driving Supply Chain Sustainability, Inside Supply Mgmt., April 2013, at 32, 33. For a discussion of automobile firms requiring or requesting suppliers to meet certain voluntary environmental standards, see Magali Delmas & Ivan Montiel, Greening the Supply Chain: When is Customer Pressure Effective?, 18 J. Econ. & Mgmt. Strategy 171, 172 (2009). For other examples of firms requiring suppliers to meet social and environmental requirements not demanded by law, see, e.g., Kristin Broughton & Mark Maurer, Companies Push Suppliers to Disclose More Climate Data, Wall St. J. (Nov. 17, 2021, 5:30 AM), https://‌‌/articles‌/companies-push-suppliers-to-disclose-more-climate-data-11637145001 []; Nitasha Tiku, Google Will Now Require Suppliers to Give Benefits to Workers, Wired: Bus. (Apr. 3, 2019, 6:39 PM), https://‌‌/story‌/google-require-suppliers-give-benefits-workers‌/ []; Wal-Mart Stores, Inc., 2016 Global Responsibility Report 58 (2016) (discussing how developing energy-efficient consumer products contributes to Walmart’s reduction in energy intensity).
  23. .Dorothy Lund, Asset Managers as Regulators, 171 U. Pa. L. Rev. (forthcoming 2022).
  24. .See Cary Coglianese & Jennifer Nash, The Law of the Test: Performance-Based Regulation and Diesel Emissions Control, 34 Yale J. on Regul. 33, 64 (2017); see also Cary Coglianese & Jennifer Nash, Government Clubs: Theory and Evidence from Voluntary Environmental Programs, in Voluntary Programs: A Club Theory Perspective 231, 231 (Matthew Potoski & Aseem Prakash eds., 2009); Jonathan C. Borck, Cary Coglianese & Jennifer Nash, Evaluating the Social Effects of Environmental Leadership Programs, 38 Env’t L. Rep. 10697, 10697 (2008).
  25. . For a helpful review of some of this research, see generally David Vogel, Private Global Business Regulation, 11 Ann. Rev. Polit. Sci. 261 (2008); see also supra notes 14, 18, 20, and 22. For relevant empirical work focused on nonregulatory drivers of responsible environmental behavior by firms, see generally Cary Coglianese & Jennifer Nash, Performance Track’s Postmortem: Lessons from the Rise and Fall of EPA’s “Flagship” Voluntary Program, 38 Harv. Envtl. L. Rev. 1 (2014); Jennifer A. Howard-Grenville, Corporate Culture and Environmental Practice: Making Change at a High-Tech Manufacturer (2007); Aseem Prakash & Matthew Potoski, The Voluntary Environmentalists: Green Clubs, ISO 14001, and Voluntary Environmental Regulations (2006).
  26. .Michael P. Vandenbergh, Private Environmental Governance, 99 Cornell L. Rev. 129, 133 (2013).
  27. .See Coglianese, supra note 20, at 31, 50.
  28. .Gunningham, Kagan & Thornton, supra note 14, at 45–51 (noting “that pollution-reduction technologies induced by regulatory demands have been responsible for the bulk of the large reductions in . . . pollution” in their studied facilities); see also Dorothy Thornton, Robert A. Kagan & Neil Gunningham, When Social Norms and Pressures Are Not Enough: Environmental Performance in the Trucking Industry, 41 Law & Soc’y Rev. 405, 426–31 (2009) (concluding that compliance and “beyond compliance” behavior is least prevalent when social and regulatory demands are weak and economic demands are strong); Robert A. Kagan, Neil Gunningham & Dorothy Thornton, Fear, Duty, and Regulatory Compliance: Lessons from Three Research Projects, in Explaining Compliance: Business Responses to Regulation 37, 39, 50, 52–53 (Christine Parker & Vibeke Lehmann Nielsen eds., 2011).
  29. .Christopher Carrigan & Cary Coglianese, Oversight in Hindsight: Assessing the U.S. Regulatory System in the Wake of Calamity, in Regulatory Breakdown: The Crisis of Confidence in U.S. Regulation 1, 1 (Cary Coglianese ed., 2012) (“In the wake of each calamity [in the United States in recent years], politicians and members of the public have attributed much of the blame to a general breakdown in the U.S. regulatory system.”).
  30. .Fin. Crisis Inquiry Comm’n, The Financial Crisis Inquiry Report: Final Report of the National Commission on the Causes of the Financial and Economic Crisis in the United States 160–64 (2011), [].
  31. .Lund & Sarin, supra note 7, at 340.
  32. .See generally, e.g., Nat’l Comm’n on BP Deepwater Horizon Oil Spill & Offshore Drilling, Deep Water: The Gulf Oil Disaster and the Future of Offshore Drilling (2011), https://‌‌/content‌/pkg‌/GPO-OILCOMMISSION‌/pdf‌/GPO-OILCOMMISSION.pdf []; Nat’l Transp. Safety Bd., Pipeline Accident Report: Pacific Gas and Electric Company Natural Gas Transmission Pipeline Rupture and Fire, San Bruno, California, September 9, 2010, NTSB‌/PAR-11‌/01 (2011), https://‌‌/investigations‌/accidentreports‌/reports‌/par1101.pdf []; Governor’s Indep. Investigation Panel, Upper Big Branch: The April 5, 2010, Explosion: A Failure of Basic Coal Mine Safety Practices (2011), https://‌‌/documents‌/2011‌/may‌/giip-massey-report.pdf [].
  33. .At the level of generality presented here, this three-step model does not imply any particular mechanism for behavioral change at the second step. The classic rational choice mechanism relies on altered incentives created by the risk of punishment facing those subjected to legal rules. See Gary S. Becker, Crime and Punishment: An Economic Approach, 76 J. Pol. Econ. 169, 202–03 (1968); Daniel R. Fischel & Alan O. Sykes, Corporate Crime, 25 J. Legal Stud. 319, 324 (1996). Some scholars have surmised, though, that the very existence of legal rules not only can alter incentives but also can change individual actors’ preferences at a fundamental level. See, e,g., Oren Bar-Gill & Chaim Fershtman, Law and Preferences, 20 J. L. Econ. & Org. 331, 332 (2004); Cass R. Sunstein, On the Expressive Function of Law, 144 U. Pa. L. Rev. 2021, 2024–25 (1996). Others have questioned the extent to which the law actually changes preferences. See generally Jennifer Arlen & Lewis A. Kornhauser, Does the Law Change Preferences?, 22 Theoretical Inquiries L. 175 (2021). As preferences must be inferred from behavior, the incentives-versus-preferences might not be so crucial for recommending steps to be taken by regulatory and law enforcement officials. What may matter more to regulators is research indicating that efforts to ensure public participation and transparency in the creation of rules, as well as to provide overall fair treatment in the implementation and enforcement of rules, are associated with increased compliance. See, e.g., Edmund Malesky & Markus Taussig, Participation, Government Legitimacy, and Regulatory Compliance in Emerging Economies: A Firm-Level Field Experiment in Vietnam, 113 Am. Pol. Sci. Rev. 530, 548 (2019) (finding that efforts to allow firms to comment on proposed regulations increases eventual compliance); E. Allan Lind & Christiane Arndt, Perceived Fairness and Regulatory Policy: A Behavioural Science Perspective on Government-Citizen Interactions 29 (Org. for Econ. Coop. & Dev., Regulatory Policy Working Paper No. 6, 2016), [] (discussing research indicating that “when citizens feel fairly treated in their encounters with government agencies, they are more likely to accept and comply with regulatory rules and decisions”); Tom R. Tyler, Why People Obey the Law 19–70 (2006) (discussing the tie between compliance and legitimacy). For broader discussion of procedural fairness and transparency with respect to regulation, see generally Competition Comm., Org. for Econ. Coop. & Dev., Pro-cedural Fairness and Transparency (2012), [].
  34. .Cary Coglianese, Moving Forward with Regulatory Lookback, 30 Yale J. on Regul. 57, 59 (2013).
  35. .Lund & Sarin, supra note 7, at 310.
  36. .The unattended and even unobserved level of noncompliance—that is, beyond what gets identified in data drawn from regulatory actions—has sometimes been referred to as the “dark figure.” See, e.g., William S. Laufer, A Very Special Regulatory Milestone, 20 U. Pa. J. Bus. L. 392, 421 (2018) (describing the “significant share of uninvestigated and un-adjudicated wrongdoing” as the “dark figure of corporate culpability”); Albert D. Biderman & Albert J. Reiss, On Exploring the “Dark Figure” of Crime, 374 Annals Am. Acad. Pol. & Soc. Sci. 1 (1967) (defining the “dark figure of crime” in terms of “occurrences that by some criteria are called crime yet that are not registered in the statistics of whatever agency was the source of the data being used”).
  37. .“Bean counting” refers to the collection of or reference to largely meaningless data, such as data on actions taken without any effort to consider the results of the actions. See Michael Stahl, Beyond the Bean Count: Measuring Performance of Regulatory Compliance Programs, 28 Pub. Manager: New Bureaucrat 31 (1999); Suellen Keiner, Finally, Systems Are Linking to Support Performance Goals, 20 Env’t F. 20, 20 (2003); see generally Shelley Metzenbaum, More Nutritious Beans, 20 Env’t F. 19 (2003).
  38. .Lund & Sarin, supra note 7, at 310 (“Enforcement data is subject to a host of exogenous variables: enforcement agency priorities, enforcement resources, and technological advances, to name a few.”).
  39. .See, e.g., B. Dan Wood & Richard W. Waterman, The Dynamics of Political Control of the Bureaucracy, 85 Am. Pol. Sci. Rev. 801, 801 (1991). For more recent observations, see Charles Piller, Exclusive: FDA Enforcement Actions Plummet Under Trump, Science (July 2, 2019), https://‌‌/content‌/article‌/exclusive-fda-enforcement-actions-plummet-under-trump []; Eric Lipton & Danielle Ivory, Under Trump, E.P.A. Has Slowed Actions Against Polluters, and Put Limits on Enforcement Officers, N.Y. Times (Dec. 10, 2017), https://‌‌/2017‌/12‌/10‌/us‌/politics‌/pollution-epa-regulations.html [].
  40. .See Lund & Sarin, supra note 7, at 295.
  41. .See, e.g., Env’t Prot. Agency, Our Nation’s Air: Trends Through 2020 (2021), https://‌‌/air‌/trendsreport‌/2021‌/ [].
  42. .Although some of the shift in manufacturing could plausibly be attributable to the costs associated with environmental regulation itself, empirical research indicates that regulation is far from the main driver of reliance on overseas production. See, e.g., Joseph E. Aldy, Frameworks for Evaluating Policy Approaches to Address the Competitiveness Concerns of Mitigating Greenhouse Gas Emissions, 70 Nat’l Tax J. 395, 398 (2017) (noting that “the empirical literature typically finds quite limited impacts of environmental regulations on international competitiveness”).
  43. .To be sure, although all corporate crime is noncompliance, not all noncompliance rises to the level of a crime. Still, the two are so intertwined—with many regulations today backed up with the potential for criminal sanctions—that they can be treated synonymously here for economy of expression, if for no other reason. In this respect, the discussion in this essay is not unlike that of others. See Marshall B. Clinard & Peter C. Yeager, Corporate Crime xiv (2006) (noting that “the definition of a ‘crime’ used in Corporate Crime is any act punishable by the state,” including any act punishable with administrative or civil sanctions). For a discussion of definitional challenges in the field of corporate crime, see Simpson, supra note 6, at 201–02.
  44. .I do not mean to imply that no one has ever tried to estimate compliance using anything other than regulatory beans. On the contrary, as Lund and Sarin themselves acknowledge, others have relied on survey research and other strategies to estimate compliance through means other than enforcement data. But Lund and Sarin are also correct to point out that these efforts are still far too scarce and that they come with their own limitations. See Lund & Sarin, supra note 7, at 293–94.
  45. . See Nat’l Acads. of Sciences, Eng’g, and Medicine, Designing Safety Regulations for High-Hazard Industries 2829, 32, 11214 (2018) (discussing rule designs that create legal obligations to avoid or achieve ultimate regulatory goals).
  46. .Lund & Sarin, supra note 7, at 350.
  47. .Id. Legal violations that affect everyone, of course, make it difficult to identify the victims of corporate crime whose harms can be incorporated into policy analysis, a practical difficulty which may reinforce the need to rely on measures of compliance as proxies for ultimate outcomes.
  48. .Jonathan S. Feinstein, Approaches for Estimating Noncompliance: Examples from Federal Taxation in the United States, 109 Econ. J. F360, F360 (1999).
  49. .James Andreoni, Brian Erard & Jonathan Feinstein, Tax Compliance, 36 J. Econ. Literature 818, 818 (1998).
  50. .Joel Slemrod, Cheating Ourselves: The Economics of Tax Evasion, 21 J. Econ. Persps. 25, 45 (2007).
  51. .Daniel A. Farber, Taking Slippage Seriously: Noncompliance and Creative Compliance in Environmental Law, 23 Harv. Env’t L. Rev. 297, 299 (1999).
  52. .See Feinstein, supra note 48, at F361.
  53. .In 2006, the tax liability that was not paid on time amounted to about $450 billion. Internal Revenue Serv., Tax Gap for Tax Year 2006: Overview (2012), http://‌‌/pub‌/newsroom‌/overview‌_tax‌_gap‌_2006.pdf []. Of this total “tax gap,” $65 billion was estimated to be collected through late payments and enforcement actions, leaving an estimated $385 billion that was “never paid.” Id. These tax gap estimates have remained consistent over the last several years. IRS Releases New Tax Gap Estimates; Compliance Rates Remain Substantially Unchanged From Prior Study, IRS: Newsroom (Sept. 26, 2019), https://‌‌/newsroom‌/irs-releases-new-tax-gap-estimates-compliance-rates-remain-substantially-unchanged-from-prior-study [].
  54. .Natasha Sarin & Lawrence H. Summers, Shrinking the Tax Gap: Approaches and Revenue Potential (Nat’l Bureau of Econ. Rsch., Working Paper No. 26475, 2019), https://‌‌/system‌/files‌/working‌_papers‌/w26475‌/w26475.pdf []. Admittedly, the tax gap stems from both individual and corporate noncompliance, with estimates of unpaid taxes much larger from individual taxpayers. Id.
  55. .Cynthia Giles, Next Generation Compliance: Environmental Regulation for the Modern Era (forthcoming 2022) (manuscript at 40) (on file with author).
  56. .Id. at 41.
  57. .Id. at 42.
  58. .Id. at 35.
  59. .For example, according to one estimate, “between 28 and 44 percent of organizations are noncompliant” with family medical leave requirements. See Erin L. Kelly, Failure to Update: An Institutional Perspective on Noncompliance with the Family & Medical Leave Act, 44 L. & Soc’y Rev. 33, 36 (2010); see also Naomi Gerstel & Amy Armenia, Giving and Taking Family Leaves: Right or Privilege?, 21 Yale J.L. & Feminism 161, 178 (2009). And even when a regulatory enforcement action results in the imposition of a fine or other monetary judgment against a violator, noncompliance can occur in the collection of that money from the businesses determined to have violated the law. From 1997 to 2000, the federal Office of Surface Mining reported a noncollection rate of 95%, primarily due to the offending mining companies’ weak financial circumstances that led them to go bankrupt or close their businesses without making payment. U.S. Gov’t Accountability Off., GAO-02-211, Civil Fines and Penalties Debt: Review of OSM’s Management and Collection Processes 9–10 (2001).
  60. .See, e.g., Garry C. Gray & Susan S. Silbey, Governing Inside the Organization: Interpreting Regulation and Compliance, 120 Am. J. Socio. 96, 116 (2014) (discussing “individual and organizational efforts to ‘look compliant,’ regardless of whether or not the appearance of compliance corresponds to the espoused goals of regulation”). For a thoughtful discussion of the limits of rules and rule compliance as a means of protecting the public from the harms of corporate behavior, see Michael L. Michael, Business Ethics: The Law of Rules, 16 Bus. Ethics Q. 475, 492 (2006).
  61. .This is also a theme in other legal scholarship. See generally, e.g., John Coffee, Corporate Crime and Punishment: The Crisis of Underenforcement (2020); Rena Steinzor, Why Not Jail?: Industrial Catastrophes, Corporate Malfeasance, and Government Inaction (2015).
  62. . See, e.g., Lund & Sarin, supra note 7, at 292.
  63. .Corporate recidivism has been noted by other scholars. See Brandon L. Garrett, Declining Corporate Prosecutions, 57 Am. Crim. L. Rev. 109, 125 (2020); John Braithwaite, Macrocriminology and Freedom 477, 485, 487 (2022). The issue has also been given prominent treatment by the head of a leading financial regulator in the United States. See Rohit Chopra, “Reining in Repeat Offenders”: 2022 Distinguished Lecture on Regulation, University of Pennsylvania, Consumer Fin. Prot. Bureau (Mar. 28, 2022), https://‌‌/about-us‌/newsroom‌/reining-in-repeat-offenders-2022-distinguished-lecture-on-regulation-university-of-pennsylvania-law-school‌/ [].
  64. .Lund & Sarin, supra note 7, at 336–38.
  65. .Id. at 339.
  66. .See supra note 37. Regulators may have sound policy reasons to target large businesses with greater scrutiny. Moreover, if regulators target firms at random within the categories of large firms and small firms, the existence of many more small firms than large ones would make the probability much lower of any one of the small firms being targeted more than once. In other words, it could well be that small firms recidivate at the same (or even higher) rate as large firms but that their repeat offenses are not as likely to be detected as repeat offenses at larger, more scrutinized firms.
  67. .Lund & Sarin, supra note 7, at 341.
  68. .See supra note 2 and accompanying text.
  69. .See Dorothy Thornton, Neil A. Gunningham & Robert A. Kagan, General Deterrence and Corporate Environmental Behavior, 27 Law & Policy 262 (2005).
  70. .Id. at 267.
  71. .Id. at 273.
  72. .Id. at 271–72.
  73. .Id. at 275.
  74. .Mihailis E. Diamantis & William S. Laufer, Prosecution and Punishment of Corporate Criminality, 15 Ann. Rev. L. & Soc. Sci. 453, 466 (2019).
  75. . See Lund & Sarin, supra note 7, at 287.
  76. .See Simpson, supra note 6, at 202 (“[A] glaring data problem remains that thwarts our basic knowledge about corporate crime.”).
  77. .See Lund & Sarin, supra note 7, at 311 (relying on FinCEN Suspicious Activity Reports, consumer complaints to the CFPB, and whistleblower complaints made to the SEC).
  78. .Id. at 350.
  79. .For an excellent discussion of individual behavior within the setting of a business organization, see Eugene Soltes, Why They Do It: Inside the Mind of the White-Collar Criminal (2016).
  80. .Howard-Grenville, Nash & Coglianese, supra note 19, at 77–78 (reporting results from an empirical study of businesses’ internal “licenses to operate,” including factors such as managers’ commitments, organizational cultures, and organizational identities).
  81. .Cf. William S. Laufer, The Missing Account of Progressive Corporate Criminal Law, 14 N.Y.U. J. L. & Bus. 71, 123 (2017) (“Conceptual models of corporate compliance that span individual, organizational, regulatory, and institutional levels reveal the complexity of the research enterprise—and how much more scholarship is needed.”). In addition to becoming better informed by data, regulators seeking to increase compliance must pursue a variety of related organizational improvements, both in terms of workforce capabilities and overall regulatory agility. For a review of other ways of improving compliance-oriented efforts at a regulatory agency, Nat’l Acads. of Sciences, Eng’g, and Medicine, Modernizing the U.S. Offshore Oil and Gas Inspection Program for Increased Agility and Safety Vigilance 131–46 (2021).
  82. .Lund & Sarin, supra note 7, at 342.
  83. .Some researchers, though, have suggested that more “consistent inspections” may improve compliance. See Natalie Schell-Busey, Sally S. Simpson, Melissa Rorie & Mariel Alper, What Works? A Systematic Review of Corporate Crime Deterrence, 15 Criminology & Pub. Pol. 387, 405 (2016).
  84. .See, e.g., Cary Coglianese & David Lehr, Regulating by Robot: Administrative Decision Making in the Machine-Learning Era, 105 Geo. L.J. 1147, 1166 (2017) (envisioning “an extension of the SEC’s cloud computing program that would eventually allow agency computers to monitor trading activities in real time, predicting in milliseconds whether a financial transaction is the result of insider trading and then automatically stopping or reversing trades based on those predictions”).
  85. .Cary Coglianese, Optimizing Regulation for an Optimizing Economy, 4 U. Pa. J. L. & Pub. Aff. 1 (2018); Cary Coglianese & Alicia Lai, Antitrust by Algorithm, 2 Stan. J. Computational Antitrust 1 (2022). In addition to using big data and machine-learning algorithms to improve the targeting of enforcement efforts, regulators and law enforcement officials have other ways that they could vary how they approach enforcement, and innovative options in their enforcement styles could be considered as well. See, e.g., Ian Ayres & John Braithwaite, Responsive Regulation: Transcending the Deregulation Debate 4 (1992) (proposing tailored approaches to regulatory enforcement that are responsive to different firms and their behaviors); Neil Gunningham, Compliance, Enforcement, and Regulatory Excellence, in Achieving Regulatory Excellence 189-193 (Cary Coglianese ed., 2017) (articulating a range of enforcement styles and strategies available to promote compliance).
  86. .See, e.g., Vikramaditya Khanna & Timothy L. Dickinson, The Corporate Monitor: The New Corporate Czar?, 105 Mich. L. Rev. 1713, 1714, 1740–42 (2007); Veronica Root, Modern-Day Monitorships, 33 Yale J. on Regul. 109, 127–30 (2016).
  87. .Lund & Sarin, supra note 7, at 332–33, 338.
  88. .Cary Coglianese & Jennifer Nash, Compliance Management Systems: Do They Make a Difference?, in Cambridge Handbook of Compliance 571 (Benjamin van Rooij & D. Daniel Sokol eds., 2021).
  89. .The emergence of a veritable industry around “regtech” may hold promise in improving compliance. See, e.g., World Econ. F., Regulatory Technology for the 21st Century 19 (2022) (“RegTech uses technologies, such as cloud computing, big data and artificial intelligence, to meet regulatory compliance while automating parts of the process.”); Laufer, supra note 36, at 419–20 (suggesting hope that “the advent of technology that allows for a sharing of data and systems between the regulated and regulators” may usher in compliance improvements).
  90. .Giles, supra note 55.
  91. .Edward K. Cheng, Structural Laws and the Puzzle of Regulating Behavior, 100 Nw. U. L. Rev. 655, 657 (2006).
  92. .This regulation had originally appeared at 40 C.F.R. § 80.22 (2021). Long after leaded gasoline had been phased out of the automobile market altogether, the U.S. Environmental Protection Agency adopted a rule that removed this provision, amended nozzle requirements, and relocated them to 40 C.F.R. § 1090.1550. Environmental Protection Agency, 85 Fed. Reg. 78,412, 78,451, 78,467, 78,528 (Dec. 4, 2020).
  93. .See 40 C.F.R. § 80.22 (2021).
  94. .Lund & Sarin, supra note 7, at 344 (“Both as a matter of equity and as a matter of deterrence, it is important to punish high-ranking executives who create environments that facilitate criminal behavior.”).
  95. .Id. (footnote omitted) (citing Mark Colvin, Crime and Coercion: An Integrated Theory of Chronic Criminality 130–32 (2000)). A related problem arises due to “corporate scapegoating” or “reverse whistle-blowing,” a tendency for top management to blame lower-level employees. See, e.g., William S. Laufer, Corporate Prosecution, Cooperation, and the Trading of Favors, 87 Iowa L. Rev. 643, 648, 658 (2002) (“Corporate scapegoating is a defensive act that channels, displaces, and disposes of blame . . . away from the firm and toward vulnerable targets.”).
  96. .Id. at 345–46.
  97. .Id. at 349. For a similar proposal, see Cary Coglianese & Sierra Blazer, Putting Executives on the Hook Can Bolster Airplane Safety, The Hill (Apr. 30, 2019), https://‌‌/opinion‌/finance‌/441216-putting-ceos-on-the-hook-can-boost-airplane-safety‌/ [].
  98. .Soltes, supra note 79, at 322–30; David A. Skeel, Jr., Shaming in Corporate Law, 149 U. Pa. L. Rev. 1811, 1812 (2001).
  99. .Lund & Sarin, supra note 7, at 348.
  100. .See, e.g., Schell-Busey, Simpson, Rorie & Alper, supra note 83, at 410 (“Scholars need better data and consistent measures of corporate crime.”); Laufer, supra note 81, at 124 (“Studies are needed across institutional and organizational contexts.”); see also Cary Coglianese, Thinking Ahead, Looking Back: Assessing the Value of Regulatory Impact Analysis and Procedures for Its Use, 3 KLRI J.L. & Legis. 5, 14–20 (2013) (discussing the importance of causally oriented evaluation research on regulatory actions).
  101. .See, e.g., Foundations for Evidence-Based Policymaking Act of 2018, Pub. L. No. 115-435 132 Stat. 5529 (2019); see also Memorandum from Russell T. Vought, Acting Dir., Off. of Mgmt. & Budget, to the Heads of Exec. Dep’ts & Agencies 1 (July 10, 2019), [] (“Investing in and focusing on the management and use of data and evidence across the Federal Government will enable agencies to shift away from low-value activities toward actions that will support decision makers . . . [in] delivering on mission, better managing enterprise risks, and promoting civic engagement and transparency.”); Comm’n on Evidence-Based Policymaking, The Promise of Evidence-Based Policymaking 8 (2017), [https://] (“The American people want a government that solves problems. This requires that decision makers have good information to guide their choices about how current programs and policies are working and how they can be improved.”).
  102. .David Freeman Engstrom, Daniel E. Ho, Catherine M. Sharkey & Mariano-Florentino Cuéllar, Government By Algorithm: Artificial Intelligence in Federal Administrative Agencies 17 fig.2 (2020), https://‌‌/sites‌/default‌/files‌/documents‌/Government%20by%20Algorithm.pdf []. Law enforcement also made up the largest number of “use cases” of artificial intelligence. Id. at 17 fig.1.
  103. .See Shelley H. Metzenbaum, Environmental Compliance and Enforcement Measurement: Why, What and How?, in 4 Compliance and Enforcement of Environmental Law 242, 256 (Lee Paddock, David L. Markell, & Nicholas S. Bryner eds., 2017) (“Without a strong system of outcome-focused measurement, regulators run a high risk of being wasteful and ineffective.”).