CHAPTER 20
Legal Risk Post-SOX and the Subprime Fiasco: Back to the Drawing Board

STEVEN A. RAMIREZ

Director, Business & Corporate Governance Law Center, Loyola University Chicago

INTRODUCTION

Enterprise-wide risk management (ERM) views all risks to the firm as subject to management and control. Legal risk management is certainly no exception. Indeed, this chapter is premised on the principle that legal risk is simply one of many types of risk facing a firm. This necessarily means that like other risks legal risk should be managed in accordance with basic notions of risk management generally—that it should not exist within a risk “silo” but should be managed with a view toward the firm’s overall risk tolerance and through coordinated efforts of senior management, including the board (Simkins and Ramirez 2008). Therefore, ERM includes consideration of the optimal means of managing legal risk.

After the revelation of widespread fraud and illegality within American public companies in late 2001 and 2002, leading to the failure of such major firms as Enron and WorldCom, Congress enacted the Sarbanes-Oxley Act of 2002 (SOX). SOX preempted state rules of professional responsibility governing attorneys and imposed federal standards for those representing public companies. SOX also prompted the SEC to create a new mechanism for the management of legal compliance (the Qualified Legal Compliance Committee or QLCC) within public corporations in the United States. SOX completely reworked the regulation of the audit function. It further encouraged firms to impose codes of conduct as a means of assuring ethical conduct. Finally, it promulgated new statutory provisions giving whistle-blowers expanded protections from retaliation. Thus, SOX paved the way for a more optimal legal and reputational risk management mechanism within the public company. In particular, the Commission’s QLCC innovation may prove to be an “invaluable” corporate governance organ for the management and reduction of legal and reputational risk, if properly structured and managed (Volz and Tazian 2006).

The subprime mortgage fiasco posed the first major test of this new regime. Unfortunately, it does not appear that the SOX framework effectively reduced legal and reputational risk to an optimal level. Firms that originated subprime mortgages like Countrywide Financial faced allegations of predatory lending leading to multibillion dollar settlements with state authorities. Firms that securitized such mortgages like Goldman Sachs were sued for fraud in connection with the packaging of mortgages to investors throughout the world. In testimony before Congress, the rating agencies admitted that their ratings had a questionable basis (text message records produced to Congress showed a ratings agency employee stating: “we would rate a deal structured by a cow”) and that the quest for revenue outweighed the need to provide accurate information to the investors (Paletta and Scannell 2009). Citigroup was forced to repurchase billions in subprime mortgage instruments pursuant to contractual obligations that were not even disclosed to senior management or the board, much less public shareholders, and Merrill Lynch settled securities fraud claims for more than $500 million (S. Ramirez 2009). Ultimately each of these firms faced major restructurings and inflicted precipitous losses upon their shareholders. As of the end of 2008, the macroeconomic consequences of this massive mismanagement of legal and reputational risk continued to unwind, but had aggregated to a multitrillion dollar debacle.

Legal and reputational risk can take many forms, beyond losses from lawsuits or criminal and regulatory penalties. Prior to the subprime fiasco, firms like Texaco suffered huge shareholder losses and consumer boycotts as a result of disclosure of apparent violations of antidiscrimination laws (S. Ramirez 2000). A large number of firms used backdated options to illegally enhance the compensation of their executives that led to huge shareholder losses when this practice was disclosed to the investing public (Ramirez 2007). In the lead up to the passage of Sarbanes-Oxley a slew of firms suffered adverse financial consequences from disclosure of auditing irregularities (S. Ramirez 2002). Finally, there is growing movement toward social investing, which suggests that a firm’s cost of capital may increase if its conduct is found to be legal but morally questionable; assets under management in so-called social investment funds grew 18 percent from 2005 to 2007 to $2.7 trillion (Social Investment Forum 2007). Firms, therefore, face a myriad of risks from legal noncompliance, and associated irregularities that can harm a firm’s ability to inspire investor confidence, to protect shareholders from undisclosed legal liabilities, to maximize consumer market penetration, and to avoid regulatory sanctions or scrutiny.

This chapter reviews the legal and regulatory framework currently governing the efforts of public corporations to control and mitigate legal and reputational risk. Next, this chapter assesses the shortcomings of this regime, focusing on the recent meltdown in global financial markets arising from subprime mortgages that too often were originated, packaged, and sold to investors worldwide in illegal and inappropriate ways. Finally, this chapter articulates a more efficacious means of controlling reputational and legal risk, both at the firm level and in terms of a superior legal framework. In short, the subprime fiasco sheds light on the nature of legal and reputational risk, and provides lessons for the proper management of these risks.

THE LEGAL FRAMEWORK OF LEGAL AND REPUTATIONAL RISK MANAGEMENT

Prior to SOX, there was little substance to the law governing legal and reputational risk management. In general, the rules of professional responsibility governing lawyers were flawed, corporate law was stunted, whistle-blowing was not encouraged, codes of conduct were wholly optional, and there was insufficient regulation of the audit function.

There were scattered legal provisions governing whistle-blower protection, but these protections were too complex and difficult to predict to encourage much whistle-blowing, and the best advice an attorney could give a putative whistleblower was to refrain from blowing the whistle. According to Professor Mary Ramirez:

Whistleblower protection has evolved in response to specific breakdowns in law enforcement over time. Instead of a tightly woven blanket, the evolution has yielded a porous net of protections that is complex and non-intuitive; under current protections, being a whistleblower requires bearing costs and risks. Two key considerations tend to arise for employees faced with this decision of stepping forward: First, will coming forward with the information change the status quo and fix the problem; and second, will they be protected from a destroyed career, financial ruin, and, perhaps, physical threat. Given the stakes, the only sound course of action for a putative whistleblower is to get a lawyer.1

Naturally, this limits the universe of whistle-blowers to the ill-informed and those with enough money to make substantial expenditures, in order to enforce legal and ethical obligations upon firms.

Similarly, attorneys have few incentives to blow the whistle on their clients. The Model Rules of Professional Responsibility do not even mandate that an attorney representing a corporation alert its management that wrongdoing is afoot, unless the attorney “knows” there has been a violation of law. Of course, “[l]awyers never ‘know’ their client is committing a crime” (Koniak 2003). Furthermore, corporate illegality could not be disclosed to authorities unless it threatened “substantial bodily harm.” However, “lawyers will have strong economic incentives to please the managers of their current or potential clients by refraining from reporting, even if their inaction allows questionable activity to go unchecked” (Harvard Law Review 2004). Thus, prior to SOX, much illegality was not detected, and even if an attorney had notice of possible illegal conduct that could prove harmful to a firm’s shareholders, the attorney could remain silent rather than risk alienating important corporate agents.

No law required any corporate code of conduct for public companies. Professor Cynthia Williams argued in 1999 that the SEC was incorrect to maintain its position, dating from the 1970s, that matters of social responsibility were not material to the business of the public corporation, and therefore did not require any disclosure in a firm’s securities filings. She demonstrated the potential financial consequences of questionable corporate behavior and the increasing interest of investors in the approach of firms to questions of corporate ethics (Williams 1999). Nevertheless, it took the corporate corruption crises of the turn of the twenty-first century to prompt Congress to change the SEC’s position.

With respect to corporate governance law and regulation, Delaware law (the most influential jurisdiction in terms of corporate law) permits a high degree of flexibility in the structure of corporate governance with few legal mandates insofar as legal and reputational risk management is concerned. Given the excessive CEO influence over corporate governance constraints (such as autonomy over the selection of directors and control over the proxy machinery) that marks American corporate governance law (S. Ramirez 2007), it should come as no surprise that CEOs are risk silos for legal and reputational risk management. The CEO, however, is not institutionally suited for exclusive management of legal and reputational risk, just as the CEO really is not the optimal manager of the audit function. As will be discussed, SOX stripped the CEO of control over the audit. The same cannot be said of the legal function. Perhaps the prime lesson of the subprime fiasco is that incentives matter, and too often CEOs face compensation incentives that encourage the deferral of substantial risks in order to maximize current profitability and thus compensation (Rajan 2007). Moreover, the CEO is not required to have any particular expertise in the management of legal and associated reputational risk, or in the communication of that risk to the board or to shareholders. The outcome of this regime is likely to be too much legal and reputational risk, with inadequate transparency to investors. Finally, Delaware law imposes little sanction on management for failure to detect and prevent illegal conduct, as it has effectively abolished duty of care liability for directors; directors will not be held liable so long as they exercise good faith (Sale 2007).

The federal securities laws (prior to SOX) required the disclosure of all material facts concerning a public firm, and mandated that the auditors of public firms build in measures to ferret out illegal conduct as part of their audit, at least to the extent illegal conduct could have a material effect on the firm’s financial condition (Backer 2003). Nevertheless, private enforcement of the securities laws has been hopelessly restricted (S. Ramirez 1999), and the SEC generally has insufficient resources to enforce the securities laws effectively. Recent revelations regarding a massive Ponzi scheme operated within a firm regulated by the SEC have painfully illustrated once again the limits on public enforcement of the securities laws due to resource constraints. Further, not all illegal conduct will be detected within the audit process (Orol 2008). Consequently, the federal securities regime has not been effective in assuring that illegal conduct is detected and disclosed to shareholders.

SOX changed this regime, at least with respect to public companies, in four important ways: (1) SOX preempted state regulation of attorneys representing public firms (to a limited extent, at least) and mandated a new regime for reporting violations of certain laws to senior management as well as to the SEC; (2) SOX revamped audit regulation; (3) SOX expanded whistle-blower protections; (4) SOX encouraged firms to impose codes of conduct. Each of these changes means that the detection of wrongdoing is more likely, and that detection should be sooner than under the preexisting regime.

As such, SOX represented a revolution in the legal framework governing legal and reputational risk management. Unfortunately, this revolution has been incomplete if not aborted. SOX only applies to public firms. The most innovative elements of the SOX regime are optional and the vast majority of firms have declined to adopt its institutional reforms. One effort of the SEC to enhance reports of wrongdoing within the public firm never became law. Overall, the SOX initiative and the SEC’s implementation of that initiative are suboptimal.

Nevertheless, this chapter attempts to articulate an optimized legal and reputational risk management regime within the context of U.S. corporate governance law, building upon the SOX framework, and the flaws within that framework as revealed by the subprime debacle.

The Federal Rules of Professional Responsibility for Attorneys

The most important element of SOX reform insofar as legal risk management is concerned relates to the exercise of federal power to govern the professional responsibility of certain counsel representing issuers of publicly traded securities. There has long been hope that corporate counsel could act to protect their client from the often severe financial losses accompanying illegal conduct. Historically, counsel have been hobbled by their financial dependence on corporate managers who are often involved in wrongdoing and are always wary of having an attorney second-guess business judgment (Henning 2004). The SEC regulations promulgated under SOX create an important new innovation that may operate to enhance the ability of public companies to manage and reduce legal and reputational risk.

Overview and Introduction

Section 307 of SOX required the SEC to promulgate regulations applicable to attorneys “appearing or practicing before the Commission” on behalf of public companies. Congress specified that the SEC issue regulations providing that attorneys report certain “material violations” of certain laws to senior management and monitor the response of management. As such, Congress has supplemented state regulation of counsel’s obligations to report legal violations within the public corporation. This authority to regulate “minimum standards of professional conduct for attorneys” represented the first substantial federal regulation of the standards of professional conduct for attorneys.

The SEC issued Part 205 of its regulations to implement this congressional directive, and these regulations became effective on August 3, 2003. As a threshold matter, the SEC defined certain elements of the statute. For example, in Section 205.2 the Commission broadly defined attorneys “appearing or practicing before the Commission” to include any attorney advising a public company with respect to filings pursuant to the federal securities laws or with respect to information that may be included in any public filing. The comments to the rules suggest that any attorney responding to an audit letter would be within the ambit of Part 205. Naturally, in the absence of judicial authority, counsel for public firms should presume they are within the scope of the SEC’s rules.

Attorneys within the scope of Part 205 are obliged to act when the attorney has “credible evidence, based upon which it would be unreasonable, under the circumstances for a prudent and competent attorney not to conclude that it is reasonably likely that a material violation has occurred.” Stripped of the double negative, it appears that if the attorney has credible evidence that reasonably supports that a violation has occurred, the rules are triggered. Credible evidence means evidence that does not include gossip, hearsay, or innuendo, according to the SEC’s comments accompanying the release of its rules.

Section 205.2 also defines “material violation” to include either a material violation of the federal securities laws or state securities law, or a material breach of fiduciary duty under state or federal law. The SEC also defined “similar” legal violations to be “material violations.” There is no substantive means for determining when a legal or regulatory violation is similar to a securities law violation or a breach of federal or state fiduciary duty—presumably common law fraud, consumer fraud, and negligent misrepresentation would qualify as “similar” under the statute. The SEC did not define the term “material,” but case law under the federal securities laws measures materiality by whether a reasonable investor would want such information in making an investment decision.

The ambiguity and uncertainty in the definition of “material violation” is troubling because the two primary obligations of attorneys under the SEC’s rules (specifically delineated in Section 205.3) are triggered by an attorney having “credible evidence” that would lead a “prudent and competent attorney” to conclude that it is “reasonably likely” a material violation has occurred. The first obligation is to report material violations to the chief legal officer or to the chief legal officer and the chief executive officer. The second obligation is to monitor the response of those officers and if the response is found not to be “appropriate” then the attorney must notify the board of directors.

The SEC also authorized (under Section 205.3) attorneys practicing and appearing before the Commission to report material violations to the SEC, without violating state confidentiality standards, so long as the attorney reasonably believes that disclosure to the SEC is necessary to prevent a material violation that would harm the public corporation or the investing public; that disclosure is necessary to prevent perjury or fraud on the Commission; and that disclosure is necessary to rectify a material violation the attorney furthered. The regulation suggests such reporting to the SEC is optional; however, counsel should be aware that the failure to report a material violation that subsequently leads to losses to the public company could well form the basis of a malpractice claim. Counsel may assume that expert testimony would be available to support claims that if counsel fails to notify the SEC of a material violation that harms the corporate-client, the attorney has breached common law duties.

The Qualified Legal Compliance Committee

The new federal rules of professional responsibility imposed under SOX create two risks for counsel of public companies. First, the rules put counsel in the uncomfortable position of monitoring the response of senior management to any report of a material violation. Second, the rules authorize disclosures to the SEC whether or not counsel finds management’s response to be appropriate, raising the specter of a potential malpractice claim. Both of these risks can be eliminated through an innovation of the SEC—the qualified legal compliance committee.

Under Section 205.2(k), a qualified legal compliance committee (QLCC) is a committee of the board, which includes at least one member of the audit committee and at least two members of the board not otherwise employed by the public company. The QLCC must be empowered to receive reports of material violations and to determine if an investigation of the report is warranted. The QLCC must be authorized to hire outside attorneys and experts to assist it, and to report its activities to the full board or the audit committee. The QLCC recommends an appropriate response to the report of a material violation or its investigation, and recommends any remedial measures based on its conclusions. The QLCC may also report its findings to the SEC if its recommendations are ignored.

The advantage of the QLCC is that under Section 205.3(c) a counsel working for a public firm need not monitor the firm’s response to a report of evidence of a material violation. A report to the QLCC discharges the attorney’s duties under the SEC’s rules. Moreover, since the QLCC has the power to pursue any report and even report its findings to the SEC, it is difficult to imagine an attorney having exposure to malpractice liability for reporting to the QLCC instead of making a report to the SEC. Thus, firms with a QLCC can expect counsel to perceive less risk in representation versus firms without QLCCs because of these advantages.

The QLCC also remedies certain deficiencies within the SEC’s rules of professional responsibility for lawyers. Early on, commentators identified key weaknesses in the SEC’s approach. For example, the SEC’s approach did not create any true whistle-blowers because attorneys will rarely find it in their interest to blow the whistle on their corporate agents; indeed, it would be difficult to imagine that a whistle-blowing lawyer would find many future clients at all. Similarly, lawyers may well report violations up the ladder to corporate managers, but this will not usually disrupt illegal transactions where senior management or the board is complicit in wrongdoing or simply refuses to confront wrongdoing (Harvard Law Review 2004). The QLCC, on the other hand, has both the power to stop wrongdoing, by notifying either the full board or (in a worst-case scenario) the SEC, and the incentive to disrupt wrongdoing, in order to avoid director liability as well as SEC sanction. Therefore, the QLCC is a superior means of stemming legal and reputational risks. As will be discussed below, the QLCC can be further optimized by a public firm, so long as it meets the minimum requirements set forth by the SEC.

Yet, a QLCC remains optional. Surveys suggest that only a small percentage of public firms have opted for QLCCs. According to Rosen (2005), 96 percent of NYSE listed firms had opted not to use a QLCC as of late 2005. Nonpublic firms are not even subject to the SEC’s professional responsibility regulation, and are thus unlikely to have QLCCs. There seem to be sound arguments for concluding that QLCCs are a corporate governance best practice and that they are likely to enhance legal compliance and lower outside counsel fees (Lipman and Lipman 2006). It appears that firms resist the QLCC despite its clear benefits.

Whistle-Blower Protection Under SOX

Congress has long appreciated that sound law enforcement regimes encourage whistle-blowing. Thus, Section 806 of SOX grants employees of public firms limited whistle-blower protection from retaliation. An employee is protected if the employee provides information regarding conduct that the employee reasonably believes violates the federal securities laws (or wire fraud, mail fraud, or bank fraud prohibitions); to a supervisor, federal agency, or a congressional committee investigation; and the employee seeks relief (before the Department of Labor) within 90 days of the retaliation. If the employee prevails, the employee may seek reinstatement, back pay, and litigation costs. Section 1107 of SOX provides that anyone who interferes with a person providing truthful information to a federal law enforcement agent shall be subject to fine or imprisonment of not more than 10 years.

Far more employees seek protection under the SOX whistle-blower provisions than the number found to be within SOX protection. As of mid-2006, 702 petitioners sought protection and 499 claims for protection had been dismissed. In the first 27 months following the enactment of the SOX whistle-blower protection, the Department of Labor dismissed more than 95 percent of claims. Thus, it is clear that many employees expect to be protected but are not. It seems likely that the SOX whistle-blower provision protecting employees is not functioning to encourage employees to blow the whistle on wrongdoing; it almost certainly is insufficient to overcome the powerful social mores against being a “snitch” or “rat.” One scholar has suggested that an omnibus statute is needed to grant broad protection to any person blowing the whistle on any wrongful conduct to any government authority or any authority within the corporation (M. Ramirez 2007). Another has suggested a system of monetary rewards for whistle-blowers (Dworkin 2007). Assuring anonymity also could encourage more whistle-blowing, and this will be addressed in the context of audit committee reform under SOX.

Audit Reform

Many commentators and policy makers identified audit failure as the prime cause of the corporate crises of 2001–2002. SOX consequently reconfigured the audit function of the public firm. In addition to an entirely new regulatory structure over the public audit industry (the Public Company Accounting Oversight Board), SOX mandated an independent audit committee for every public firm; required each such committee to have at least one financial expert; vested power over the audit function in the audit committee (and removed that function from the scope of CEO authority); and required the audit committee to create procedures for the receipt and investigation of whistle-blowing complaints relating to audit and accounting matters (Section 301).

On this point SOX revolutionized corporate governance. For the first time federal law mandated a corporate governance structure—the independent audit committee—that no state law had ever required. Additionally, the relocation of the audit function from just another management issue under the control of the CEO to an independent board committee represented a breakthrough in rethinking the institutional structure of corporate governance; more specifically, SOX amounted to a determination that the CEO has no particular expertise in the management of the audit function, and is institutionally ill-suited to manage that function because of the incentives the CEO may have to corrupt the audit process. There is simply no reason for the law to permit unbridled CEO autonomy over the audit. This realization is important for thinking about optimal structure for the management of legal and reputational risk.

Codes of Conduct

Much conduct that may not be illegal can nevertheless cast a firm in a negative public light that impedes its ability to maximize shareholder wealth and financial performance. Corporate behavior viewed as unethical is not likely to be costless and there is evidence that there are close links between corporate financial performance and commitment to ethical behavior. Consumers, employees, and investors are not insensitive to ethical business conduct or unethical business conduct (Verschoor 1999). Thus, firms should consider how ethics can inspire consumer and employee loyalty as well as a lower cost of capital. Additionally, a robust culture of ethical behavior is apt to lead to enhanced legal compliance and lower costs in terms of legal sanctions.

Section 406 of SOX requires the SEC to enact regulations providing for the disclosure of whether a public firm has a code of ethics for its financial officers. The SEC expanded this statutory directive to include executive officers. More importantly, the SEC approved listing requirement rules at both the NYSE and the Nasdaq Marketplace that require listed firms to have a code of ethics, to disclose these codes and to disclose any waivers from these codes. These codes must apply to all directors, officers, and employees (Barclift 2008). The vast majority of public firms have codes of conduct or ethics codes that are publicly disclosed. This disclosure obligation is content-neutral.

Backer (2008) suggests that mere disclosure of ethics codes is sufficient to assure that corporations operate in accordance with community norms as reflected in the decisions of important constituencies such as employees, consumers, suppliers, and investors. Since there is no objective consensus regarding ethical corporate behavior, Backer argues that the market is an appropriate mechanism for setting such standards as it permits economic actors to “effectively impose values upon themselves through their economic decisions.” Certainly, Backer is correct that it is difficult to articulate an alternative basis for setting ethical norms, particularly in a globalized economy that spans multiple cultures. It is also difficult to argue that disclosure of corporate behavior and standards is not positive.

Nevertheless, there is clearly more to ethical behavior than that which is embodied in the norms of market decisions. Sometimes markets may find behavior acceptable that is found unacceptable by some authority that is not dominated merely by markets. For example, consider decisions made by German firms during World War II. In particular, it is worth noting that 13 IG Farben executives were sentenced at Nuremberg to terms ranging from 18 months to 8 years for using slave labor. German steel magnate Friedrich Flick was sentenced to seven years in prison for seizing foreign factories and using slave labor. Alfried Krupp was sentenced to 12 years for similar war crimes (Ehrenfreund 2007). Nuremberg should not be viewed as an aberration, as other firms have faced sanctions as a result of misconduct related to World War II. Indeed, Swiss banks, French banks, and even the Ford Motor Company faced substantial litigation risk and paid settlements that were well in excess of $1 billion, combined, more than 50 years after the conclusion of World War II (Bazyler and Alford 2007).

Perhaps Backer’s market-based notion of corporate ethics is presumptively appropriate, so long as management comprehends the cost of short-term market signals being overridden over the long term. The best approach is probably to rely on the market with a strong moral compass to avoid market-based excesses.

AN ASSESSMENT OF THE SOX FRAMEWORK ON LEGAL AND REPUTATIONAL RISK

The SEC created the QLCC from whole cloth. By so doing, it essentially challenged the development of corporate governance law at the state level; the SEC’s innovation amounted to an assertion that state corporate governance law was underdeveloped. Yet, as of 2005, Professor Rosen could find only one instance where a QLCC had ever been called into action (Rosen 2005). Moreover, it does not appear that, for all the apparent wrongdoing arising from the subprime mortgage crisis, any whistles were blowing. Professor Peter J. Henning predicted that Sarbanes-Oxley would not be effective in encouraging counsel to blow the whistle, and the subprime mortgage crisis shows he was correct (Henning 2004). This section will review the wrongdoing that is emerging in connection with the subprime fiasco and use that review to illustrate the shortcomings of the SOX approach insofar as legal and reputational risk management is concerned.

The Subprime Fiasco

As of this writing, the full tale of the subprime crisis remains untold. Still, the picture emerging is one of pervasive illegality, and near illegality. Indeed, every key step in the subprime mortgage process, from origination to securitization, to investment and to the ratings game seems to have been corrupt. This corruption has resulted in billions of payouts already. More will no doubt follow. This section cannot at this date comprehensively summarize the toll of legal and reputational risk arising from the subprime debacle. Others have sought to write a first draft of that history (Bethel, Ferrell, and Hu 2008). Instead this section will simply provide a broad overview in an effort to illustrate the role of legal and reputational risk mismanagement.

The allegations leveled against Countrywide illustrate the kind of corruption present in the origination of subprime mortgages. Both the State of Illinois and the State of California sued Countrywide for predatory and deceptive lending. Ultimately Countrywide agreed with 11 states to modify 400,000 mortgages at a cost of $8.7 billion. Countrywide originated more mortgages than any other lender and originated more subprime mortgages than any other lender. Countrywide allegedly sought to saddle borrowers with unnecessarily costly and risky mortgages in order to enhance cash generated from the sale of those loans into the world’s capital markets. Countrywide incentivized its loan officers to sell riskier, more expensive loans. Consequently, the subprime loans that Countrywide originated defaulted at a disproportionately high rate (Illinois v. Countrywide 2008). According to the attorney general of the State of Illinois, Lisa Madigan, the multibillion dollar settlement of these allegations: “holds the number-one mortgage lender in the country accountable for deceptively putting borrowers into loans they didn’t understand, couldn’t afford, and couldn’t get out of. These are the very practices that have created the economic crisis we’re currently experiencing” (Illinois Attorney General Lisa Madigan 2008). Countrywide essentially engaged in systematic predatory lending that contributed greatly to the crash of the nation’s residential real estate market.

The securitization of mortgages has also spawned substantial legal and reputational risks for those selling mortgage-backed securities to investors. Private plaintiffs have already filed suits against investment banks such as Goldman Sachs for disclosure deficiencies under the federal securities laws. The allegations in these suits mirror the allegations against Countrywide, and involve many loans originated by Countrywide:

The underwriting, quality control, and due diligence practices and policies utilized in connection with the approval and funding of the mortgage loans were so weak that borrowers were being extended loans based on stated income that could not … possibly be reconciled with the jobs claims on the loan application or through a check of free “online” salary databases.

(NECA-IBEW Health and Welfare Fund v. Goldman Sachs & Co. 2008)

The City of Cleveland sued 21 investment banks for creating a public nuisance caused by massive foreclosures within the City of Cleveland, leading to lost property tax revenues and increased costs in dealing with abandoned property (City of Cleveland v. Deutsche Bank 2008). It may be some time before the total losses from these kinds of claims are finally tallied, but in all events the risks that firms took with respect to subprime securitizations appear not to have been managed in any rational way. The securitization of mortgages also involved the pervasive mismanagement of legal and reputational risk.

The Congressional testimony and documents produced by representatives from the ratings industry also paint a bleak picture of short-term profits trumping sound legal and reputational risk management. For example, one document produced to the Committee on Oversight and Government Reform was a series of text messages between two representatives of a rating agency:

Official number one. By the way, that deal is ridiculous.
Official number two. I know, right, model definitely does not capture half the risk.
Official number one. We should not be rating it.
Official number two. We rate every deal. It could be structured by cows, and we would rate it.

Another former senior manager of a rating agency explained “we sold our soul to the devil for revenue” (Committee on Oversight and Government Reform 2008). The rating agencies apparently miscalculated the long-term damage that their cavalier attitude toward risk would inflict on their business. For example, on December 3, 2008, the SEC approved new regulations on the rating agencies; this is not likely to be the last regulatory initiative arising from the agencies’ rather suboptimal performance in connection with the subprime fiasco.

Legal risk mismanagement also plagued the investment in subprime-related mortgages. For example, Citigroup, one of the most sophisticated banks in the world, offered investors in certain collateralized debt obligation funds a so-called liquidity put, which obligated Citigroup to repurchase the instruments at cost in the event of specified market disruptions. Citigroup thus ended up with $50 billion in subprime products on its balance sheet without disclosure of this risk to its shareholders or even its own senior management. Amazingly, Robert Rubin, the Chair of Citigroup’s Executive Committee, was unaware of the liquidity puts (Loomis 2007). AIG specifically told stock analysts in late 2007 that it had “minimal” exposure to subprime mortgages (Villagran 2007). Ultimately, the firm recognized $43 billion in such losses and required a government bailout of $150 billion (Son 2008). Apparently, at the time AIG reassured the investing public that it had controlled its risk exposure on subprime assets, its operating subsidiaries were entering into long-term derivatives contracts that led to billions in subprime losses (Loomis 2008).

In sum, poor legal risk management infected all phases of the subprime fiasco, from origination, to securitization, to risk assessment, to investment. Indeed, the full range of legal and reputational risk management, from regulatory risk to litigation risk, proved defective.

The SOX Shortcomings

The SOX regime may have been a step in the right direction. The lesson of the massive mismanagement of legal and reputational risk underlying the subprime fiasco is that much more is needed. There is a strong case that Congress should step in and remedy the deficiencies inherent in corporate risk management with respect to law and ethics. Firms wishing to manage these risks can undertake many of these suggestions even without congressional action. The following steps should be taken.

Step 1: The QLCC Should Become Mandatory

Perhaps the most compelling context for a mandatory QLCC for the purpose of managing and reducing legal and reputational risk is the financial services industry. Indeed, the Basel Core Principles for Bank Regulation specifically highlight legal and reputational risks for financial institutions. The Basel statement suggests that legal risk should be thought of as broader than the risk of legal or regulatory violations or outcomes in lawsuits, to include the “risk that assets will turn out to be worth less or liabilities will turn out to be greater than expected because of inadequate or incorrect legal advice or documentation.” This appears to be a perfect description of the risks Citigroup faced under so-called “liquidity puts” relating to subprime mortgage products, leading to that bank being forced to reacquire billions in questionable assets—a risk that not even the Chair of Citigroup’s Executive Committee, Robert Rubin, understood. The Basel statement also asserts that banks are uniquely exposed to reputational risk, depending as they do on the confidence of their depositors for their viability.

The Core Principles therefore urge regulators to assure that banks have mechanisms to manage and reduce legal and reputational risk. The Basel statement suggests that policies be “comprehensive” and include “appropriate board and senior management oversight” (Basel Committee on Banking Supervision 1997). The QLCC accomplishes these aspirations by formally involving the board, for the first time in U.S. corporate governance law, in legal compliance across the full range of the public firm’s business. In the author’s opinion, the QLCC should become mandatory for all firms, particularly financial institutions.

Step 2: The Definition of a Violation Should Be Broader

A firm (and its shareholders) may be harmed by any material violation of law or governing regulation. Further, violations of ethical norms may harm the firm regardless of whether they are related to securities laws, fraud, or fiduciary duty. The public reaction and the market reaction to revelations of racism within the business culture of Texaco demonstrate this point. Countrywide paid $8.7 billion to settle claims of predatory lending. Consequently, there is little basis for limiting the SEC’s rules of professional responsibility only to violations as defined, a definition limited to federal fraud and violations of securities laws. The QLCC should be empowered to investigate reports of all wrongdoing or illegality regardless of which laws or ethics standards are violated or suspected of being violated. Similarly, there is no reason to limit those reporting violations to lawyers; any corporate agent having information relating to a violation should be required to report to the QLCC. This would allow the QLCC to act with maximum effectiveness to protect the firm from legal and reputational risk from all potential legal and ethical violations.

Step 3: Broader Whistle-Blower Protection Is Needed

SOX’s whistle-blower protection fails to secure whistle-blowing. Professor Mary Ramirez (2008) suggests a broad-based protection that shields whistle-blowers from retaliation as broadly as possible. The social pressures against whistle-blowing are so strong that the broadest protection is needed to facilitate the flow of information. If reports can be made to a QLCC composed of lawyers, such communications would enjoy attorney-client privilege. Firms should make the privileged nature of such communications clear to their workers, and also contractually assure employees that retaliation for filing reports constitutes grounds for dismissal. This will maximize the flow of information to the appropriate corporate decision maker—presumably the QLCC.

Step 4: Anonymity

One further method of securing more reports is to allow anonymous reporting. Attorneys, for example, do not want to alienate client-representatives that sign the checks that pay the attorney’s fees. Under these circumstances it is not rational for attorneys to make reports unless the evidence in support of the report is overwhelming. Optimal management of legal and reputational risk mandates that mere suspicions be weighed by the appropriate corporate authority (as previously shown, the current best practice is the QLCC). That authority does not suffer from the same inherent institutional infirmity as counsel, who may understandably be preoccupied with payment of fees and maintaining functional relationships with the client-representative. The only means of assuring the proper flow of material legal and reputational risk information is to maximize the confidentiality of any reports. This would effectively change the calculus counsel faces: the risk of employment loss is minimized while malpractice liability for failure to report is maximized, because anonymity renders reporting nearly costless. A nonreporting attorney would find decisions not to report difficult to justify if such reports enjoyed both maximum anonymity as well as privileged status.

TOWARD OPTIMAL REPUTATIONAL AND LEGAL RISK MANAGEMENT

SOX innovations and the subprime experience teach much about the optimal means of managing and reducing legal and reputational risk, beyond legal reform. Empirical support is difficult to come by, because the vast majority of firms have historically and currently leave these issues in the hands of the CEO. Nevertheless, there are certain conclusions that seem reasonable.

First, there appears to be good reason for firms to embrace the QLCC and little reason to eschew that option. Susan Hackett, the General Counsel for the American Corporate Counsel Association has termed the QLCC a “very bright solution” to the problem facing lawyers after SOX—specifically the challenges of assessing when a client has responded appropriately to a report of a “violation” or determining when a report to the SEC is proper (American University Law Review 2003). Other commentators suggest QLCCs “threaten dominant hierarchal relations” within corporations and this is the reason for the lack of diffusion of QLCCs (Rosen 2005). Given the clear advantages of the QLCC, and the institutionally suspect nature of leaving legal and reputational risk in the hands of CEOs, the QLCC should be embraced by firms that are serious about managing legal and reputational risk. Additionally, in order to secure the benefits of institutional expertise, as well as maximizing the applicability of the attorney-client privilege, the QLCC should consist entirely of lawyers.

Second, the QLCC can be easily enhanced to address not just “violations” as defined by the Commission but to be a general mechanism for weighing and managing legal and reputational risk in a manner that reduces (but certainly does not eliminate) CEO control over this function, based on the same policy underlying the reconfiguration of the audit function under SOX. The QLCC is the logical locus for investigation and enforcement not just of violations as defined by the SEC but of all potential legal violations and violations of the firm’s code of conduct. The charter of the QLCC should be as expansive as the firm’s legal and reputational risk.

Third, corporations wishing to control legal and reputational risk should have an ethics code that is sensitive to their consumers, investors, suppliers, and regulatory context, as well as minimal notions of morally acceptable behavior. Under the approach of Professor Backer, as endorsed (in modified form) herein, there is little downside to managing reputational risk (and indirectly legal risk) through a code of conduct that is enforced and that reflects the moral sensibilities of key corporate constituencies. In fact, properly conceived, an ethics code should enhance corporate profitability over the long term.

Fourth, an optimized QLCC can create an anonymous means of reporting violations of law or regulation, conduct that violates the corporate code of conduct, or otherwise unacceptable behavior, shielding the reporting individual from the adverse consequences of reporting. The social stigma associated with being a whistle-blower is too powerful to ignore. The only means of effectively countering this stigma is to eliminate it to the maximum extent possible by maximizing the confidential nature of such whistle-blower communications. Anonymity protects reporters from retaliation.

Fifth, the structure of the QLCC should assure that it works closely with the audit committee. The audit committee is involved in all aspects of the firm’s business. Unlike the QLCC, the audit committee will necessarily be testing financial data against actual evidence demonstrating the validity and accuracy of that data. This detailed analysis of the firm’s business can no doubt facilitate investigations of the QLCC as well as corroborate reports of violations. Moreover, audit committee members are familiar with the firm’s system of internal controls, as well as that system’s limitations. Finally, audit-related personnel will also be a source of reports. Thus, the relationship between the QLCC and the audit committee should be as close as possible. The SEC’s requirement that one member of the QLCC also be a member of the audit committee should be viewed as an absolute minimum, not the ideal.

Finally, firms should consider the utility of an annual legal audit. The QLCC as conceived by the SEC is a dormant committee until a report is made to it. This is in part a response to objections raised to the American Law Institute’s proposal in the 1990s that the board assume responsibility for legal compliance (Rosen 2005). The expertise called for, however, in order for the QLCC to function properly, creates an expert committee of the board to act to guide the board with respect to issues of legal compliance and reputational risk. Thus, the corporation now has an institutionally competent board committee with legal expertise to assist the board in all facets of legal and reputational risk. The final step in optimizing the corporate governance structure for dealing with legal and reputational risk is to empower the QLCC to conduct annual legal and reputational risk assessments, with reporting to the chief risk officer as well as the chief legal officer. Note that the concept of a legal audit also highlights the role of the firm’s chief legal officer. The QLCC would have no role other than to receive reports of potential violations. A legal audit function would expand its role only marginally—by means of annual analysis of the firm’s legal and reputational risk profile. Other than receiving reports and the possibility of an audit the legal function of the firm remains under the control of management, as it has historically been.

CONCLUSION

This chapter reviewed the most developed legal framework governing legal and reputational risk—SOX. It then tested that framework against the legal and reputational risk manifest in the subprime mortgage fiasco. Overall, the SOX framework appears flawed. Legal and reputational risk was ill-managed, and these largely unabated risks contributed to the causes of the subprime mortgage fiasco and exacerbated it. Nevertheless, SOX still forms the foundation for thinking about how best to control legal and reputational risk. The linchpin for managing legal and reputational risk is the QLCC (which probably should be mandated by law to a greater extent than is now the case). A robust QLCC, including the enhancements articulated, should be associated with superior financial performance over the long term, by removing legal and reputational risk from the exclusive control of the CEO to a more institutionally suited organ of corporate governance—the QLCC.

REFERENCES

Backer, Larry Cata. 2008. From moral obligation to international law: Disclosure systems, markets and the regulation of multinational corporations, 39 Georgetown Journal of International Law 591.

Backer, Larry Cata. 2003. The duty to monitor: Emerging obligations of outside lawyers and auditors to detect and report corporate wrongdoing beyond the federal securities laws, 77 St. John’s Law Review 919, 928–929.

Barclift, Jill. 2008. Codes of ethics and state fiduciary duties: Where is the line? 1 Journal of Business, Entrepreneurship and the Law 237.

Basel Committee on Banking Supervision, Core Principles for Effective Banking Supervision, September 1997, available at www.bis.org/publ/bcbs30a.pdf?noframes=1.

Bazyler, Michael, and Roger P. Alford. 2007. Holocaust restitution: Perspectives on the litigation and its legacy. New York: New York University Press.

Bethel, Jennifer E., Allen Ferrell, and Gang Hu. 2008. Legal and economic issues in litigation arising from the 2007–2008 credit crisis. November 17. Available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1096582&rec=1&srcabs=980025.

City of Cleveland v. Deutsche Bank Trust, et al., Court of Common Pleas, Cuyahoga County, No. CV 08 646970, available at www.pbs.org/moyers/journal/07182008/Foreclosure_Doc.pdf.

Committee on Oversight and Government Reform, U.S. House of Representatives, Credit Rating Agencies and the Financial Crisis, October 22, 2008, available at http://oversight.house.gov/documents/20081023162631.pdf.

Developments in the law: Corporations and society. 2004. 117 Harvard Law Review 2169, 2244–2248.

Dworkin, Terry M. 2007. SOX and whistleblowing, Michigan Law Review 1757–1780.

Ehrenfreund, Edmund. 2007. The Nuremberg legacy: How the Nazi war crime trials changed the course of history. New York: Palgrave MacMillan.

Henning, Peter J. 2004. Sarbanes-Oxley Act § 307 and Corporate Counsel: Who better to prevent corporate crime? 8 Buffalo Criminal Law Review 323.

Implementation of Standards of Professional Conduct for Attorneys, 67 Fed. Reg. 71,670 (Dec. 2, 2002) (codified at 17 C.F.R. § 205). Available at www.sec.gov/rules/final/33-8185.htm.

Koniak, Susan P. 2003. When the hurlyburly’s done: The bar’s struggle with the SEC, 103 Columbia Law Review 1236, 1271.

Lipman, Frederick D., and Keith Lipman. 2006. Corporate governance best practices 190–192. Hoboken, NJ: John Wiley & Sons.

Loomis, Carol J. 2008. AIG’s rescue has a long way to go. CNNmoney.com, December 24, available at http://money.cnn.com/2008/12/23/news/companies/AIG_150bailout_Loomis.fortune/index.htm.

Loomis, Carol. 2007. Robert Rubin on the job he didn’t want. November 11. CNNmoney.com available at http://money.cnn.com/2007/11/09/news/newsmakers/merrill_rubin.fortune/index.htm.

NECA-IBEW Health and Welfare Fund v. Goldman Sachs & Co., et al. 2008. U.S. District Court for the Southern District of New York. Available at http://securities.stanford.edu/1041/GS_01/20081211_f01c_.pdf.

Orol, Ronald D. 2008. Madoff arrest raises questions about SEC oversight, Marketwatch.com, December 8. Available at http://www.marketwatch.com/news/story/madoff-arrest-raises-questions-about/story.aspx?guid=%7BE2002EFA-C24D-453B-BF6C-EC67992A0A3C%7D&dist=msr_44.

Paletta, Damien, and Kara Scannell. 2009. Ten questions for those fixing the financial mess. WSJ.com, March 9. Available at http://online.wsj.com/article/SB123665023774979341.html.

People of the State of Illinois v. Countrywide Financial Corporation, et al. Circuit Court of Cook County, No. 08-22994. Available at www.illinoisattorneygeneral.gov/pressroom/2008_06/countrywide_complaint.pdf.

Rajan, Raghuram. 2008. Bankers pay is deeply flawed. Financial Times January 8. Available at www.ft.com/cms/s/0/18895dea-be06-11dc-8bc9-0000779fd2ac.html.

Ramirez, Mary Kreiner. 2007. Blowing the whistle on whistleblower protection: A tale of reform versus power, 76 University Cincinnati Law Review 183, 191.

Ramirez, Steven A. 2000. Diversity and the boardroom, 6 Stanford Journal of Law, Business and Finance 85, 108.

Ramirez, Steven A. 2007. The end of corporate governance law: Optimizing regulatory structures for a race to the top, 24 Yale Journal on Regulation 313.

Ramirez, Steven A. 2002. Fear and social capitalism: The law and macroeconomics of investor confidence, 42 Washburn Law Journal 31.

Ramirez, Steven A. 2009. Lessons from the subprime debacle: Stress testing CEO autonomy. March 18. Available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1364146.

Rosen, Robert Eli. 2005. Resistances to reforming corporate governance: The diffusion of QLCCs, 74 Fordham Law Review 1251, 1309.

Sale, Hillary A. 2007. Monitoring Caremark’s good faith, 32 (3) Delaware Journal of Corporate Law 719–755.

Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 Stat. 745 (codified in scattered sections of 11, 15, 18, 28, and 29 U.S.C.S. [2005]). Available at www.pcaobus.org/About_the_PCAOB/Sarbanes_Oxley_Act_of_2002.pdf.

Simkins, Betty J. and Steven A. Ramirez. 2008. Enterprise-wide risk management and corporate governance, 39 (3) Loyola University Chicago Law Journal.

Social Investment Forum, Press Release. 2008. Report: Socially Responsible Investing Assets In U.S Surged 18 Percent From 2005 To 2007, Outpacing Broader Managed Assets, March 8. Available at www.socialinvest.org/news/releases/pressrelease.cfm?id=108.

Son, Hugh. 2008. With fed’s help, AIG unloads $16 billion in credit default swaps. Washington Post, December 25, at D-2. Available at www.washingtonpost.com/wpdyn/content/article/2008/12/24/AR2008122402128.html.

Verschoor, Curtis C. 1999. Corporate performance is closely linked to a strong ethical commitment, 4 Business and Society Review 407.

Villagran, Lauren. 2007. AIG reassures investors on subprime, Washingtonpost.com, August 9. Available at www.washingtonpost.com/wp-dyn/content/article/2007/08/09/AR2007080901027.html.

Volz, William H., and Vahe Tazian. 2006. The role of attorneys under Sarbanes-Oxley: The qualified legal compliance committee as facilitator of corporate integrity. 43 American Business Law Journal 439.

Williams, Cynthia A. 1999. The Securities and Exchange Commission and corporate social transparency, 112 Harvard Law Review 1197, 1294–1296.

ABOUT THE AUTHOR

Steven A. Ramirez is a Professor of Law at Loyola University Chicago, where he also directs the Business & Corporate Governance Law Center. Prior to entering the legal academy he practiced law for 10 years, including working as an Enforcement Attorney for the Securities and Exchange Commission and as a Senior Attorney with the FDIC/RTC, Professional Liability Section. He has served on a number of corporate boards.
