voluntary expression of how the company will live out its regulated action.
The arena of corporate policy is fertile field for the development of
compliance law. When a company adopts a policy that indicates how it will
carry out and comply with a law, what is the company’s liability when the
company does not comply with its own policy but there is a strong argument
that no law has been broken? Can a regulated agency hold the company
accountable for violating an actual regulation (promulgated with at least a
deference to the notion that it is a binding law) if the company would not
have been out of conformance if it had not adopted a policy? This seems a
question with an answer that is straight forward – of course not. An actor
cannot be liable for breaking the law if no law has been broken. But legal
maxims of ancient origin have a tendency to fall in the wake of a tide of laws
and this seems to be something on the rise now. A host of laws purport to
hold the organization to a higher standard than the letter of the law if the
organization so chooses to go beyond the letter of the law. 30 If a law sets up
a structure so that X is required and non-compliance with X is subject to
penalties and the same law also allows a contingency that the actor can
voluntarily adopt X+Y as an obligation and be subject to penalties even if the
actor is only in non-compliance with Y (but in compliance with X), then
policy has become a type of law.
Now, to be sure, the common law certainly holds civil subjects
accountable for living up to their promises under contract law. Violations of
policy may have interesting enforcement mechanisms by parties to which
obligations are owed or promises are made. But the common law is enforced
by private parties and is not a state prosecution regime. Moreover, the goal
of the common law is to restore the parties to their original position (even if
not actually possible, then at least proximately to their original position
through pecuniary means). The state’s power in a regulation is often to
punish. A penalty does not restore the proper ordering of civil society but it
extracts a punishment. Regulatory penalties have more than the brush of
penal character. So then, can voluntary adoption of policies that go beyond
the words of a regulation subject the policy adopter to suffer the pains of state
penalties? This is the task of compliance law to sort out. I would not bet
money on the letter of the law being the guide-star of the arc of legal history.
C. Ethics as a Source of Compliance
Ethics is the final source of compliance this article identifies. It seems to
go without saying that law and policy must be grounded in ethics and doing
the right thing, assuming we agree that ethics is about doing the right thing.
30. For example, health care organizations may be held to higher standards than the law
requires in promises made in their Notices of Privacy Practices. 45 C.F.R. § 164.520 (2003).