Managing Compliance: The Devil Is in the Details

By Lawrence White    //    Volume 21,  Number 4   //    July/August 2013

Government regulation reaches deep into every sector of the economy, and colleges and universities are no exception, as the cover story in this Trusteeship makes clear. Higher education has been described by Federal Court of Appeals Judge Richard Posner, a former law school professor, as a “regulated industry” because of the thousands of laws, regulations, and ordinances with which institutions must comply.

The National Association of College and University Attorneys (NACUA) recently surveyed how institutions are managing their compliance obligations. It would be hard to imagine a more propitious moment to have done so. The number of institutions that report fully implemented compliance functions is still relatively small (31.2 percent of respondents). But a startlingly high percentage of additional respondents—almost 40 percent—are either planning to establish formal compliance functions or implementing plans for a compliance office. It is easy to surmise that, five years from now, most institutions will have compliance directors.

An institutional compliance program typically serves three functions. It sensitizes faculty and staff members to their compliance obligations and, through training programs and other forms of education, ensures they are aware of changes in applicable laws and regulations. It reduces the number of compliance-related audits and investigations that federal enforcement agencies initiate and reduces the likelihood of a damaging finding with consequent financial penalties and injury to reputation. And it improves insurance claims experience and reduces insurance premiums. Creating an institutional compliance program can pay for itself in reduced legal and insurance costs.

There are four reasons for the widespread push to appoint compliance directors.

Legal compulsion. If an institution is investigated by a federal agency and a statutory or regulatory violation is found at the end of the process, the institution will be required to execute a compliance agreement. That agreement invariably requires the institutional signatory to appoint a compliance officer.

Fiduciary duty. In recent years, several courts have ruled that a board may under certain circumstances be required by the doctrine of fiduciary duty to assure that the company has an effective compliance program. Some legal commentators interpret those cases effectively to require a formal institutional compliance program to insulate trustees from the potential consequences of breach-of-fiduciary claims for noncompliance with federal laws and regulations.

The Federal Sentencing Guidelines. In recent years, investigations of colleges and universities have been more common, and many institutions have been forced to negotiate financial settlements under the duress of threatened criminal prosecutions. Under the Federal Sentencing Guidelines, the amount of a negotiated penalty can be reduced if the institution has in place “an effective compliance and ethics program.”

Sound practices. There is an emerging sense that not having a compliance director will be viewed as an aggravating factor in determining culpability and exposure. The Freeh Report, prepared in the wake of the Jerry Sandusky child-abuse scandal at the Pennsylvania State University, recommended that Penn State appoint a “chief compliance officer” to “[h]ead an independent [compliance] office.” Penn State subsequently adopted that recommendation. Were a serious compliance lapse to occur at another university, lawyers for injured parties might seize upon the absence of a compliance office as evidence that the university does not abide by the standard of care expected in the post-Sandusky era.

The case for managing compliance is compelling. But, as is so often true, the devil is in the details. Many institutions already have entities and offices that are involved directly or peripherally with compliance: general counsel, risk manager, internal auditor, board audit committee. And many institutions already have compliance directors with responsibilities in specific areas, such as research, athletics, and human resources. How can jurisdictional lines be defined cleanly and turf collisions avoided? Does the corporate model of an independent compliance chief reporting directly to the board make sense in the more decentralized world of higher education?

A special NACUA advisory group will be considering these and other questions in the next year. Stay tuned for thoughtful analysis.