Repeat Corporate Misconduct

by Veronica Root

But for other more salacious political concerns, the biggest story of the last couple weeks likely would have been Mark Zuckerberg’s testimony before Congress.  Zuckerberg spent two days answering hundreds of questions from lawmakers.[1]  Much of the questioning was concerned with Facebook’s protection, or alleged lack thereof, of its users’ privacy.  The testimony, however, once again raises questions about how companies that engage in repeated instances of misconduct should be sanctioned.

Facebook has been sanctioned on multiple occasions by various regulators worldwide for its conduct related to user privacy.  For example, in 2011, Facebook “agreed to settle Federal Trade Commission charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.”[2]  In 2017, Facebook was fined by French authorities for “fail[ing] to properly inform users of how their personal data is tracked and shared with advertisers.”[3]  More recently, Federal Trade Commission officials have stated that Facebook may have “breached [the] 2011 consent agreement to safeguard users’ personal information.”  And, of course, there was last week’s congressional testimony prompted by the alleged misuse of Facebook users’ profiles by Cambridge Analytica.[4] 

Facebook is not, however, all that special or unusual.  Whether it is Facebook, HSBC,[5]  or Wells Fargo, there are many large, sophisticated organizations that engage in multiple instances of wrongdoing.  And regulators often treat each incident as an isolated matter that should be addressed on its own without consideration of other occasions where misconduct occurred within the organization.[6] 

In fact, truly aggressive sanctions are so rare that, when they are levied, they sometimes prompt speculation that the governmental actor may have had ulterior motives when imposing the sanction.  Take Wells Fargo.  On February 2, 2018, the Federal Reserve “announced that it would restrict the growth of [Wells Fargo] until it sufficiently improves its governance and controls,” in addition to other corporate governance reforms.[7]  Shortly thereafter, an argument was made that the actions by the Federal Reserve were a “piercing political statement” made “on Chair Janet Yellen’s last day in office.”[8]  The authors noted that these actions by the Federal Reserve “c[a]me on the heels of significant actions already taken by Wells, including appointing a former Federal Reserve governor as Independent Chair and replacing a number of independent directors as well as its General Counsel.”[9]

Whether the sanction imposed by the Federal Reserve against Wells Fargo was a legitimate sanction or a politically motivated aberration is debatable.  It is, however, concerning that aggressive sanctions are deemed suspect when levied against a firm with a documented history of engaging in repeated instances of misconduct.  If aggressive sanctions are really that unusual, it may suggest that the enforcement policy of U.S. governmental actors is in need of reassessment.

U.S. regulators, prosecutors, and perhaps even members of Congress, need to think critically about the types of sanctions that are likely to deter corporations like Facebook and Wells Fargo from engaging in misconduct.  There has been some mention of corporate recidivism recently—like what’s found in the FCPA Corporate Enforcement Policy—but the ability or willingness of governmental actors to look at organizational misconduct across diverse regulatory areas when considering appropriate sanctions is not at all clear.  Indeed, recent experience and scholarship suggest that much more can be done.

Footnotes

[1] Zach Wichter, 2 Days, 10 Hours, 600 Questions:  What Happened When Mark Zuckerberg Went to Washington, N.Y. Times (April 12, 2018).

[2] Press Release, Fed. Trade Comm’n, Facebook Settles FTC Charges that it Deceived Consumers by Failing to Keep Privacy Promises (Nov. 29, 2011).

[3] Amar Toor, Facebook Is Still Violating User Privacy, Dutch and French Regulators Say, Verge (May 17, 2017).

[4] Kevin Granville, Facebook and Cambridge Analytica:  What You Need to Know as Fallout Widens, N.Y. Times (March 19, 2018).

[5] See, e.g., Veronica Root, Coordinating Compliance Incentives, 102 Cornell L. Rev. 1003 (2017).

[6] Id.

[7] Press Release, Bd. of Governors of the Fed. Reserve Sys., Responding to Widespread Consumer Abuses and Compliance Breakdowns by Wells Fargo, Federal Reserve Restricts Wells’ Growth Until Firm Improves Governance and Controls.  Concurrent with Fed Action, Wells to Replace Three Directors by April, One by Year End (Feb. 2, 2018).

[8] Edward D. Herlihy, Richard K. Kim & Sabastian V. Niles, Federal Reserve Takes Severe and Unprecedented Action Against Wells Fargo:  Implications for Directors of All Public Companies, NYU PCCE Blog (Feb. 6, 2018).

[9] Id.

Veronica Root is an Associate Professor of Law at University of Notre Dame Law School. Professor Root teaches Corporate Compliance & Ethics, Professional Responsibility, and Contracts.  Her scholarship on compliance and other matters.

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.