Good People Doing Bad Things

Compliance Regimes in Organisations

in Journal of Legal Anthropology
Author:
Steven Sampson

Abstract

Nearly all major corporations and many public agencies have established ethics and compliance departments, some of them as the result of penalties imposed by the US Department of Justice, others due to embarrassing scandals. The responsibilities of these departments range from inculcating codes of conduct and preventing bribery, to impeding litigation for harassment and bribes, or ensuring that government certifications and branch standards are followed. For the compliance officer, ethics breaches are not due to unethical persons, but inadequate compliance training. This article, based on fieldwork in compliance training conferences, anti-corruption events and readings of ethics and compliance manuals, describes how a ‘culture of compliance’ is pursued in organisations. In the wake of continuing ethics breaches, are these regimes genuine efforts to ‘do the right thing’, or simply a façade to improve firms’ reputations? Compliance can be both real and fake, and the compliance function must ensure where the latter is authentic and where it can be ignored.

Several decades ago, while doing fieldwork with local officials in communist Romania, I asked a local administrator how he handled all the decrees and regulations that came down from the party and state organs. ‘Well’, he said, ‘some of them I follow to the letter, but others I just put in the desk drawer and forget about’. I often thought of this little incident when I began my research on ethics and compliance amongst modern private firms. How do employees and firms figure out which rules need to be followed to the letter, which ones can be manipulated or breached, and which ones can be ‘placed in the drawer’ and ignored? Under what conditions do we strictly respect certain rules, and under what conditions can we just not give a damn? These are the issues which revolve around the problem of compliance, both within organisations and in the way organisations relate to external authorities.

Private firms and public organisations are dependent on codes, rules, regulations and policies. Organisations routinely formulate ‘codes of conduct’ and more specific ‘policies and procedures’. Private and public organisations are also always overtly regulated: they must register as ‘legal persons’, report income and pay taxes, and are subject to laws, regulations and standards set by governments, agencies and trade associations. There are different regulatory regimes which outline compliance for sectors such as finance, health, pharmaceuticals, manufacturing or environmental safety. Firms can choose to comply with these rules, they can encourage other firms to comply, but they can also bend the rules and risk legal sanctions, heavy fines, loss of reputation and even bankruptcy. What is distinctive about compliance for contemporary private firms, non-governmental organisations (NGOs) and public authorities is the character of compliance. Organisations carry out formal compliance practices, that is, they perform rule-following. For private firms and organisations, such a formalised compliance regime has emerged only in the past two decades. It is this regime which is the focus of this article.

That firms now find themselves forced to establish and proclaim a ‘culture of compliance’ has its origin in a set of US government guidelines for the sentencing of firms convicted of corporate crime, the 1991 Federal Sentencing Guidelines, which I describe below. These guidelines form the basis of the ethics and compliance (E&C) industry.

While the US guidelines are technically not applicable to the E&C practices of firms in other countries, they have served as a model and an object lesson for the rise of a global compliance regime in Europe and elsewhere. Not to be confused with a corporation's legal department, its internal audit function or corporate social responsibility (CSR), which relates the firm to the larger society, the E&C department is now found as a separate unit in the vast majority of major private firms, public organisations, NGOs and international agencies. The purpose of this article is to describe the development and operation of this compliance assemblage, and assess whether E&C is simply a convenient tactic for capitalist expansion, or some kind of moral development. In order to assess whether E&C is indeed something new, I will use the remainder of this article to flesh out the various forces operating within the E&C industry.

Assemblage, industry, package?

For some years, I have been researching capitalist morality by focussing on the E&C industry. The term ‘industry’ is not meant to be pejorative (for a specification of what an industry is, see Sampson 2010). An industry is simply a package (Sampson 2015) of actors, resources, ideas and networks that can travel along certain vectors (cf. Ong and Collier 2007). To give a taste of the E&C industry, I will first provide a brief summary of an E&C code in a single company – Rolls-Royce (RR) – and then list some of the daily e-mails I receive from various E&C organisations and companies.

RR's E&C code, entitled ‘At Our Best’, is a full thirty-four pages.1 For dealing with ethical issues, RR uses the TRUST model, which stands for Think, Read, Understand, Speak, Take Action. The RR code then outlines various principles of company operations (respecting health and safety regulations, avoiding conflicts of interest, anti-bribery, etc.), describing how these principles fit with company operations and what employees should do if a potential ethics or abuse violation occurs, including who to contact and how. The final section of the code implores employees to ‘act with integrity’. RR rolled out this code in May 2018, just a year after it was forced to pay 671 million pounds to the UK, US and Brazilian authorities as a settlement to avoid criminal charges for bribery in procuring contracts.2

As another example of the E&C industry, let me list some of the e-mails I received during a single week in late June 2021 describing various E&C activities, publications, training courses and other products, some of them free of charge, others available only for purchase:

  • The Ethics and Compliance Initiative, which offers research and training in compliance, offered subscribers a webinar entitled ‘Why People Do What They Do So You Can Drive Behaviour Change’.

  • The Society for Corporate Compliance and Ethics (SCCE), an association of 6000 compliance professionals, invited its members to sign up as speakers at their annual ‘Academy’ to be held in Las Vegas in September 2022.

  • The Australian-based Government Risk and Compliance Institute (GRCI), a risk-management training organization, offered me a workshop on compliance and risk management, adding that I could earn valuable ‘certification points’ if I participated (GRCI forms part of the fifteen-member International Federation of Compliance Associations).

  • The web newsletter Compliance Week called my attention to a downloadable essay entitled ‘Identifying Risky Vendors, 7 Signs You Shouldn't Ignore’ and offered me trial demos of various ‘Third Party Risk Management’ (TPRM) software from the firms Archer, Mitratech and OneTrust.

  • An Australian business consultancy was promoting a course on how to write compliance documents.

  • Another compliance company offered me a webinar on the new German due diligence law intended to strengthen integrity in business.

  • Compliance Week offered a webinar on ‘Incident and Breach Management’ with the ‘reward’ of one compliance certification credit if I signed up. The blurb for the course begins: ‘Today's breach landscape is unprecedented and complex. Every organization is facing potential enforcement of many interconnected and overlapping laws in multiple jurisdictions, each with restrictive timelines. In this complex environment, it is not enough to have a response plan. Your organization needs a response system.’

  • An advertisement from the Foreign Corrupt Practices Act Blog (fcpablog.com), which follows enforcement of the US Foreign Corrupt Practices Act (FCPA), informs me that ‘award-winning compliance training videos co-produced by Mastercard are now available to other companies for customization. The videos – “Behind the Bribe” and “From Beach House to Blackmail” – won prestigious industry awards and have already been licensed by multinationals worldwide’.

In their variety of themes, they are a typical reflection of how E&C has penetrated the world of private business. Acronyms such as E&C, GRC (Government, Risk and Compliance), ESG (Environment Social and Corporate Governance), CCO (Chief Compliance Officer) and CECO (Chief Ethics and Compliance Officer) are now an integral part of business conferences, public sector management training and MBA programmes. The new E&C focus has become an integral part of all governmental and public sector organisations, from individual hospitals, universities and public utilities, to municipal administration and government ministries (e.g. the US Office of Government Ethics [OGE] and the US Department of Defense's Standards of Conduct Office, which has its own ‘Ethics and Compliance’ website).3

E&C is everywhere for two reasons: spectacular breaches of ethics that become public knowledge and subsequent measures to oversee aberrant firms and organisations; and firms’ own demonstrations that they have indeed learnt their lesson, become more responsible and pursue a more ethical policy. In this cycle of corporate scandal and promises of reform, the guilty firms promise to implement a more effective compliance programme, to upgrade their whistle-blowing, to be more transparent … until the next scandal. This cycle of corporate scandals (defence firms in the 1980s, Enron and WorldCom in 2001, Lehman Brothers and other financial firms in 2008, the Panama Papers, etc.) has been well described. The narrative is not just that of firms that commit economic crimes. It also includes the tolerance, incompetence and outright collusion of government authorities in failing to prosecute corporate misconduct (see, for example, Bonime-Blanc 2011; Coffee 2020; Eisinger 2018; Garrett 2016; Rakoff 2020).

Corporate misconduct can be limited to violations of a company's ethics policy by its employees, or it can be outright fraud, corruption or other financial crimes. For the firm, the problem is not simply the potential costs of heavy fines and expensive trials, but also the loss of reputation due to acting unethically (e.g. climate insensitivity, failure to dismiss those accused of sexual harassment, damage to the brand). Because scandals can now spread faster and wider, and because more actors see themselves as stakeholders and therefore take offence, a firm's reputational damage can seriously affect its bottom line.

In this context, codes of ethical responsibility are being expanded, a form of ‘ethical creep’, with more concerns or special interests needing to be taken into account (e.g. climate sensitivity, respect of gender identity, etc). For firms, the ethical imperative now extends beyond their own employees to third party suppliers, partners, temporary staff and vendors. A similar process takes place among NGOs and other organisations with respect to staff, members and target groups. There is also a second kind of ‘creep’: ethical codes, once limited to the internal life of a few major firms, have now developed into industry-wide standards. These standards require their own monitoring and accountability systems, and entail enforceable sanctions; the sanctions can turn into laws and regulations; and the laws can evolve with more detail, more demands for accountability and more effective forms of government enforcement and monitoring. Firms are now busy disseminating their ethical, anti-corruption and sustainability commitments. They must report on them publicly and make available sufficient information so that outsiders can document their claims. This transparency imperative, for all its public relations benefits, thus also imposes a threat on firms and organisations. Since firms (in fact all kinds of social organisations) require some kind of secrecy or confidentiality to operate effectively, they must find ever more sophisticated ways of preventing disclosure of valuable information. The ‘light’ of transparency always creates ‘shadows’ elsewhere (Sampson 2019a).

The obvious question, therefore, is whether E&C is simply a façade, or whether management genuinely desires to become more ethical. This article argues that it is a case of both; business operations exist under internal and external norms – that is, firms and organisations are driven by the need for profitability/efficiency while also being held accountable by shareholders and the public. The problem of compliance arises from the inevitable dissonance between the two sets of norms. In this field, lying within the firm are the employees whose job it is to enforce the ethical code and ensure that the firm complies with external regulations and standards. These are the E&C officers.

E&C officers are part of the ethics and compliance ‘function’, which can be a specific unit or group of responsible persons within the organisation. As such, E&C is embedded with a ‘mission’ of promoting certain norms of employee behaviour. They are tasked with formulating, promoting and enforcing the firm's ethical code of conduct and with detecting and preventing abuse of these norms and laws (through control, audit and whistle-blower arrangements). Aside from ensuring that the internal codes are respected, the E&C function must also ensure that the organisation has complied with external regulations, industry standards, national laws and EU/international conventions. The task facing any compliance department is thus enormous and complex. It is also growing: even taking into account various neoliberal de-regulatory moves, previously unregulated areas are being increasingly audited, codified and systematised within an E&C framework. More actors or ‘stakeholders’ now have a say in how firms and organisations operate. These stakeholders include governmental and intergovernmental organisations, NGOs, consumers and affected groups and other firms seeking a ‘level playing field’. Within organisations, there are also conflicting interests in E&C. Some employees reject or oppose further audit. They want freer hands and complain about too much control and ‘not being able to do our jobs’. Hence, compliance is a field of contestation, much like so-called ‘audit culture’ (Power 1997; Strathern 2010). Ethical creep, the urge to control, the fear of uncertainty or ambiguity, the search for ever more risks to be dealt with, the suspicion of local judgement, the imperative to audit, all these factors confront the need for flexibility and rule-bending that any organisation requires in order to accomplish its tasks. These tensions come to the fore within compliance regimes.

With this context, let me use the remainder of this article to sketch out a ‘compliance industry’ or ‘package’ (Sampson 2010, 2015). In using these terms, I want to distinguish the financial and production operations of firms (and the everyday routines of bureaucratic agencies or NGOs) from their moral, legal and ethical drivers, while being aware that the debate about the moral nature of capitalism has a long history (Fourcade and Healy 2007; Hirschman 1982).

Practising compliance

Between 2013 and 2016, I attended a variety of compliance officer training courses, conferences and meetings. I met with compliance officers, read various texts, attended E&C game simulations, purchased training manuals and subscribed to hard copy and on-line publications such as Compliance Week and Compliance and Ethics Professional. I became a member of the Society of Corporate Compliance and Ethics, and I wrote an article for their magazine (Sampson 2014). I also attended local and specialist meetings on topics such as anti-corruption and data privacy compliance (e.g. the EU General Data Protection Regulation, GDPR). Time and geographic limitations were considerable, as was the reluctance of certain informants to reveal the inner workings of E&C in private firms with strict confidentiality rules. The cost of travel and meeting participation – Paris, Brussels, New York, Washington, Atlanta, Las Vegas, London – also prevented me from attending many meetings even further away (Dubai, Singapore, etc.). While I had obtained research funds from the Swedish Research Council, the normal conference fee for these gatherings was far beyond what we academics are accustomed to: 500 euros for a half-day session on anti-corruption, 1,800 dollars for a three-day compliance conference. Nevertheless, from this face-to-face participation and web sources, and from conversations with compliance officers, trainers and especially vendors selling compliance software, one can obtain some picture of the compliance industry as it has evolved.

As I indicated above, in the United States the emergence of the compliance industry is generally dated to the US Sentencing Commission's 1991 Federal Sentencing Guidelines for Organizations (FSGO) (see note 3 below; Murphy 2002). This was the first time the US Sentencing Commission elaborated a set of guidelines explicitly dealing with organisations found guilty of a crime. These guidelines have been revised several times due to the Enron affair and the 2008 financial crisis, and clarificational ‘memoranda’ specifying issues such as individual culpability and organisational co-operation with authorities have been issued.4

The Federal Sentencing Guidelines were a response to previous corporate fraud and corruption scandals, many involving the defence industry (Bonime-Blanc 2011; MacKessey 2010).5 More substantive, however, was the larger issue of how to penalise an organisation for illegal behaviour. Corporations and organisations cannot go to jail, although as legal persons they can be held accountable by stipulating that they pay fines, compensate victims, undergo probation, disgorge illicitly earned profits or be divested entirely (compulsory divestiture is applied to a sub-category of ‘criminal organisations’). Like other social units, corporations and organisations are ultimately composed of real people, who can and do commit ethical and criminal violations, either against their own organisation (e.g. embezzlement), alongside it (bribery) or under direct encouragement by management (cutting corners, corruption, etc). Governments attempt to stipulate the precise boundaries of individual and corporate responsibility for potential and actual abuses. In rare cases, such as the Enron case, a CEO who is totally malfeasant can go to prison if convicted of cheating their own company and its stockholders. This dynamic between the organisation, its individual members and the regulatory authorities is reflected in the FSGO.

The FSGO specify that an organisation or company convicted of violating federal criminal or financial statutes can receive a reduced penalty if it demonstrates that it has ‘an effective compliance and ethics program’. The FSGO thus mandated that firms be ethical, specifically, that they establish ‘an organizational culture that encourages ethical conduct’, also called a ‘culture of compliance’.

According to the FSGO (Section 8B2.1), such a robust compliance programme must have several elements: standards and procedures to prevent and detect criminal conduct; a leadership actively engaged in implementing the compliance and ethics programme effectively; employees trained and unethical or corrupt employees weeded out; continuous monitoring of the programme's effectiveness; and measures to allow and protect whistle-blowing. Subsequent revisions have focussed on specifying the individual responsibility of executives, auditing departments and Board members. No executive can use a defence of ‘I didn't know’.

The guidelines apply to all types of organisations (i.e. NGOs, labour unions, firms, etc). In determining the penalty for a corporation or organisation convicted of a crime, the FSGO begin with a ‘culpability score’. This score can be increased with the severity of the crime or size of the organisation, and it can be reduced if the firm actively co-operates with US government prosecutors. In addition, the score can be reduced (by three points) if the firm can show that it had set up an effective E&C programme. In other words, a ‘bad apple’ would not lead to corporate culpability. While application of the E&C programme reduction has proven difficult (especially after a firm has already pleaded guilty), the specifications of the guidelines led to the establishment of ‘a vast compliance and ethics movement’ (Ethics Research Center 2012: 8), the establishment of E&C units in dozens of companies, and to the emergence of the Ethics and Compliance Officer (ECO) as a management position (Murphy 2002).

The FSGO apply to corporations that have already pled guilty in court. But the US government wanted to use the FSGO as an incentive towards preventing abuse. Hence, the US Department of Justice can now negotiate more flexible settlements known as ‘deferred prosecution agreements’ (DPAs) and even ‘non-prosecution agreements’ (NPAs). Under such arrangements, a fine of several million dollars can be reduced to a few thousand dollars if the firm can show that it is willing to establish and maintain an effective E&C programme. In effect, this means that the government avoids actually prosecuting firms and seeks to impose an E&C package (see especially Coffee 2020; Garrett 2016; Rakoff 2020). Along with these measures, the US government's Office of the Whistleblower's programme grants generous rewards to employees (or former employees) who reveal corporate misconduct: up to 30 per cent of the financial violation discovered. Under this programme, the US government has paid out 900 million dollars in whistle-blower awards, ten of which were above 28 million dollars.6

The FSGO, whistle-blowing reward incentives, enhanced enforcement of the US FCPA and the even more comprehensive UK Anti-Bribery Act have all led to a new emphasis on E&C within corporate management in both the United States and abroad. Encouraged by the FSGO as a model (Boehme and Murphy 2010), the European Union has followed suit with both national anti-bribery and compliance and integrity laws, and the upgrading of investigations connected with EU privacy regulations (GDPR), especially against US tech companies.

According to most compliance experts, the initial reaction to the imposition of compliance guidelines was one of ‘compliance’ rather than ‘ethics’. In this understanding, firms saw the obvious benefit of formally complying with externally imposed laws and regulations. By setting up E&C departments, that is, performing compliance, they could avoid prosecution or reduce penalties if caught. Compliance was based more on a fear of doing things wrong and avoiding litigation rather than a moral awakening to do things right. From a company perspective, compliance meant ensuring that employees would follow rules, regulations and codes of conduct, that they could report violations through internal hotlines and that management would not retaliate against them. As compliance departments were established, however, a more ethical dimension began to take form. Fear of punishment evolved into a rhetoric of ethical norms. Doing things right became ‘do the right thing’. ‘Ethical creep’ took hold, resulting in more standards, more expectations, more demands for more transparency, and more reporting to external stakeholders.

Today, most major companies have large-scale E&C departments conducting a wide variety of tasks: risk assessments, formulating and enforcing codes of conduct, monitoring new regulations and identifying potential ethical dilemmas the firm might encounter in various settings. Large companies can have hundreds of employees carrying out compliance-related tasks. I have been told that Siemens has over 600 compliance officers, Coca Cola 500, United Technologies 500, and Johnson and Johnson 240. Today, Siemens’ compliance programme – with its slogan of ‘Prevent, Detect, Respond’ on its website – is considered a model to be followed. According to Siemens’ website, it received 653 compliance cases in 2014, of which 195 resulted in disciplinary action.7 That the ‘Siemens Compliance System’ is now considered a model is no accident. After Siemens was implicated in a major corruption scandal, it had a compliance programme imposed upon it in order to reduce its penalty.8

Compliance departments bring together people who need to have knowledge of laws, regulations and codes of conduct and an awareness of risky business practices in their respective branch (pharmaceuticals, for example, would have different risks than defence contracting, maritime transport or financial services). In addition, they need to know how to communicate about ethics to fellow employees without being patronising or intimidating. They need to make sure that company employees are familiar with the code of conduct and that they themselves are acting in an ethical manner. They need to have a system that can continually update and revise internal policies and procedures whenever new laws are enacted by national governments or standards imposed by international organisations (GDPR being a prime example). A 2015 survey carried out by the accounting firm PwC lists nearly two dozen areas where compliance risks will need to be taken into account.9 Ethics and compliance is thus a job for the entire firm, not just for the E&C officer alone. Their job is to implant a culture of ethics in the organisation.

Expansion and professionalisation

Beginning with defence and financial services and the rest of the private sector, E&C has also expanded to public organisations in fields such as health, education, municipal administration and utilities. The impetus here is not that of ensuring profitability or avoiding financial or reputational risk, but to improve the workplace climate, prevent losing government grants or contracts, prevent conflict of interest in public procurement and ward off potential litigation by disgruntled employees or clients who might feel mistreated or abused. The Health Care Compliance Association (HCCA), bringing together E&C officers in both public and private health-care providers, was established in 1996; it now has over 11,000 members. Many HCCA members formed the core of what would become the Society for Corporate Compliance and Ethics (SCCE), now with over 6000 members.10

Based on the evolving threats of legal sanction, litigation or reputational damage, the compliance profession itself has expanded. Like other new professions, it has established a credentialisation regime, with courses, seminars, a point system based on documented activity and examinations, and certification organs such as the SCCE. There are now compliance officer associations in the United States and several other countries. New programmes offer the possibility to become a Certified E&C Officer at beginning, advanced, sectoral and international levels. There are E&C software companies selling a diverse range of services: due diligence investigations to vet third party contractors, training programmes for anti-bribery law, employee-monitoring systems to ensure that employees have actually read the company code of conduct and not just clicked through it, etc. In 2021, the International Standards Organization in Geneva published ISO standards for ‘Compliance Management Systems’ (no. 37301), and an ‘Anti-Bribery Management System’ (no. 37001). Universities and business schools now routinely offer courses and even degrees in E&C, while compliance professionals keep abreast of their field by subscribing to blogs and magazines such as Compliance Insider, Compliance Week and the Foreign Corrupt Practices Act Blog (fcpablog.com). Since 2016, September 26th has also been celebrated as National Compliance Officer Day. Compliance association meetings that I have attended have had up to 1,300 attendees with dozens of presentations and workshops. At each of these gatherings, participants can earn points towards compliance officer certification, a credential that can be placed on one's résumé. The E&C field is now so specialised that there are separate ethics and compliance meetings for those working in higher education, energy/utilities and health care. 
The breadth of the field can be indicated by my edition of the Complete Compliance and Ethics Manual, a full 1100 printed pages in a loose-leaf binder which I received after having attended a three-day, 500-euro training course.

An example of the breadth of the E&C field can be taken from the ninety-four sessions at the upcoming annual meeting of the SCCE, which is to be held in Las Vegas and which usually attracts some 1,500 attendees. The sessions in Las Vegas contain panels on themes such as third party and supply chain due diligence; the use of social media; how to involve Board members in compliance issues; conducting investigations on-line; making your data more effective through metrics; ensuring that your organisation strengthens its culture of compliance; and updates in specific sectors and regions, such as compliance risks in manufacturing in China, or EU data protection regulations.

The compliance package is promoted in various ways by compliance officer organisations. To the firms, they market their ethical project as an effective business strategy. Firms should establish qualified E&C departments and hire more qualified compliance officers. Addressing ambitious young MBAs and lawyers, they promote the growing compliance officer job market and the need for ever more refined E&C skills and competencies. Accompanying this is the necessary certification regime, with courses, manuals, tests and certificates. The E&C package is also promoted by a number of high-profile vendors that market a range of E&C technologies as ‘risk-reduction solutions’. These solutions take the form of software packages, ever more complex ‘systems’ and continuing employee training, both on-site and on-line. Major E&C vendors such as Navex Global and SAI360 target both small and large companies, emphasising the hazards of ignoring risks, the need to control potential abuses by employees and the importance of disseminating the code of conduct. Most importantly, they warn companies that having an ineffective compliance programme can be extremely costly, hence the need for continual updating, training, monitoring and the ubiquitous ‘metrics’. As in so many business service niches, what on first sight appears to be a competitive market for E&C tools ends up being a small number of high-profile firms, each of which offers dozens of software packages and training modules that can be adapted and transferred from one client to another, either as click-based instruction or in-house training and follow-up. As in other domains of organisational life, there is always some new, imminent risk that a firm needs to protect against, the most recent being invasions of user privacy, data protection from hackers, third party corruption and accusations of harassment.

The internal/external and legal/moral matrices

The domain of E&C, as most compliance specialists emphasise, has a dual character. At the internal firm level, compliance involves respecting the company code of conduct in areas such as conflict of interest, ‘facilitation payments’ (aka petty bribes) or the grey zone called ‘gifts and hospitality’. The project here is to create a robust ‘culture of compliance’ amongst management and employees. Outside the firm, E&C consists of respecting externally imposed laws, regulations and standards (‘what we have to do to stay out of jail’). Typically, these compliance obligations have to do with financial reporting to regulatory authorities and protecting against bribery accusations. Externally, the firm must demonstrate that it has a viable compliance policy and that it is conforming to voluntary industry standards – thus the need for ever more elaborate reporting channels and impact measurements now being elaborated in the new field of ‘sustainability reporting’ (e.g. Arvidsson 2019).

Beyond mere compliance, however, E&C also has a further, normative aspect of ethics, which is often invoked as ‘do the right thing’. E&C officers are therefore seen as not just having a job but an ethical mission: they are the moral watchdogs of their companies, ensuring that employees, managers and Board members follow both internal codes and external regulations, that potential abuse is detected before the company is subject to investigation or its offices raided by the authorities (or as one company counsel described an FBI raid: ‘those with initials on the back of their windbreakers’). A breach of ethical standards that becomes public knowledge (through the public prosecutor, the media or leaked by a disgruntled, whistle-blowing employee) is not just a potential legal or financial problem. It can also bring with it reputational damage. The public, creditors, partners and potential customers may now assess the moral quality or image of the firm with whom they do business and decide to look elsewhere; examples of such compliance breaches are the dangerous working conditions in Bangladesh garment factories or Volkswagen's misrepresentation of its diesel emissions. In both cases, the scandals involved were not so much financial as threats to the firms’ image or reputation. Hence, there is a need to combine compliance risk assessment with the more conventional ‘enterprise risk management’ (known as ERM).11

Every assemblage is embedded with certain discourses or tropes. The E&C assemblage is no different. Besides the discourse of ever-present risks lie compliance actors’ own explanations for unethical behaviour. Academic and other outside critics of capitalism or neoliberalism have a range of easily invoked explanations for unethical or illegal behaviour by private sector firms: greed, lust for profit, egotism, immediate reward or simple lack of principle. Within the world of compliance, however, where private firms are seen as benefitting society by providing needed goods and services, the prevailing understanding of unethical behaviour is quite different. It is about ‘good people doing bad things’. They do bad because they did not know it was bad. In this self-understanding, the sociopaths have largely been weeded out by the Human Resources Department, either before being hired or by observant managers. The firm might have the occasional bad apple, but bad apples are not the source of ethical breaches.

The explanation for breaches is a culture of non-compliance, a culture in which top management has not communicated its integrity standards strongly enough: executives and Board members have not set the proper ‘tone at the top’. In the absence of this tone at the top, without management encouragement or a strong whistle-blower programme, employees are hesitant to report ethical abuse. From a compliance perspective, the ‘good people doing bad things’ discourse means that violations such as bribery, corruption, slush funds, personal trips, speed payments, conflicts of interest, false accounting, sexual harassment or retaliation against whistle-blowers can be attributed to a variety of factors: poor communication from the top, lack of incentives to avoid or report bad behaviour, or simple temptation. These are the kind of ‘grey zones’ that are supposed to be reduced or eliminated if the firm has a ‘robust ethics and compliance program’. Compliance therefore requires clear statements of principles and values, management commitment, employee ‘buy-in’, unambiguous messages, continuing training, constant monitoring and effective feedback.

Inculcating and ensuring ethics therefore becomes a management task. This ‘management’ task has two aspects. First, in order to set the ‘tone at the top’ the Chief Compliance Officer (CCO or CECO) is supposed to become part of the ‘C-suite’.12 Second, E&C requires its own administrative machine in the form of ‘compliance management’ (or ‘compliance risk management’). Hence, Red Hat, a leading compliance consulting firm, defines compliance management as ‘the ongoing process of monitoring and assessing systems to ensure they comply with industry and security standards, as well as corporate and regulatory policies and requirements’.13 In this optic, employees are ethical beings. They are basically competent and good. E&C officers are the most ethical, the very conscience of the company. This is perhaps why, at a large gathering of E&C officers that I attended in 2015, the keynote speaker began by asking all 1,500 of us to stand for a minute and applaud ourselves. E&C officers are the embodiment of this new ethical turn in modern business.

Is ethics profitable?

Businesses and organisations establish compliance departments in order to avoid costly risks. Generally, the E&C units are seen as non-productive, that is, they do not generate the kind of value that manufacturing and sales units create. E&C is less amenable to the kind of bottom line quantification in terms of production costs or sales figures. Of course, E&C officers see their mission as adding value to the company, but here the concept of value is legal and ethical. The National Business Ethics Survey, a series of annual surveys carried out by the Ethics Resource Initiative (formerly the Ethics Resource Center), lists a frightening catalogue of company misconduct that E&C officers need to deal with: misuse of company time, abusive behaviour, lying to employees, company resource abuse, violating company Internet use policies, discrimination, conflicts of interest, inappropriate social networking, health or safety violations, lying to outside stakeholders, stealing, falsifying time reports or hours worked, employee benefits violations, sexual harassment and increasing whistle-blower retaliation (Ethics Resource Initiative 2018). Similar misconduct has been amply documented for public sector workplaces as well, especially conflict of interest, bribery, falsifying statistics and procurement abuses (Ethics Resource Center 2007).

In addition to adding the ethical dimension, however, E&C officers also see themselves as adding direct financial value. Assessing the financial value of ethics is difficult. One method is to compare the profitability of companies that have robust compliance programmes with those that do not. Compliance firms have therefore tried to promote ‘the business case for compliance’, emphasising various kinds of risk mitigation (Compliance and Ethics Leadership Council 2011: 22; Convercent 2015). E&C needs to be good for business. As the ethics software firm Convercent emphasises, the way to fight this ‘uphill battle’ (2015: 2) is to convince the Board that E&C is not just an extra cost but also a benefit and a protection for the Board.14 The idea that profitability can come from doing the right thing is therefore a new kind of compliance mission.

As the moral compass and legal watchdog of the organisation, the E&C officer is not simply another part of the firm's management team. The E&C officer, much like the accountants, now has an obligation to adhere to public values of trust and honesty and to represent the highest ideals of their profession. The demand for company loyalty and confidentiality thus clashes with the E&C officer's responsibility to external authorities. These responsibilities include areas such as ensuring anti-bribery enforcement, protecting data privacy and safeguarding employees from discrimination or harassment. In so far as they now have the obligation to report misconduct, E&C officers are thus a part of the state's legal regime. They are informally deputised regulatory agents within the company.

In this kind of environment, the career anxieties and legal risks for the ECO and/or CCO are obvious. Loyalty to the firm conflicts with enforcement of government laws and regulations. To add to these pressures, governments can also impose fines if they view a CCO as having acted in an improper manner. In 2015, the US Securities and Exchange Commission (SEC) imposed a 25,000 dollar fine on a CCO who did nothing illegal, but who violated the Investment Advisers Act for his ‘failure to “effectively implement” a company compliance policy’ (Killingsworth 2015).

Achieving compliance through strengthening the culture

The ‘culture of compliance’ rhetoric first appeared in the 1991 US FSGO (see above). Today, the concept of having a ‘strong’ culture pervades the compliance discourse and lies at the core of the employee E&C training courses. Employees must be socialised into the company's values on integrity. The firm's culture, defined by one compliance lecturer as ‘the way we do things around here’, needs to be crystal clear to all employees and to third party suppliers. Hence, the work of the compliance officer is to promote the company code of conduct and to clarify any grey zones through periodic training and monitoring, including proverbial ‘lessons learned’ and ‘best practice’ discussions.

A crucial problem in promoting a culture of compliance is to ensure that the company executives take compliance seriously. The operating phrase here is ‘tone at the top’ (see above). Executives need to ensure that middle management and employees, especially those stationed in vulnerable countries or working in sectors such as sales or procurement, take E&C seriously. A major task of the compliance officer, therefore, is to determine which employees are most vulnerable to ethical breaches. Who might be tempted to bribery, cutting corners, law-breaking, or abuse of company resources or industry regulations? Some of the most vulnerable links in the compliance chain are those employees stationed abroad, part-time workers, temporary staff, and the third party suppliers or vendors. These groups are less connected to ‘the way we do things around here’ and less familiar with the code of conduct. Nor do they know which regulations must be strictly enforced and which can be overlooked or ignored without penalty. Unsurprisingly, special attention is paid to those working in regions/countries with large bureaucracies and weak legal enforcement, such as China, Southeast Asia, Africa or the Middle East. Here, employees can abuse their ‘gifts and hospitality’ budget or undercut bidding procedures, especially in relation to third party suppliers. Hence, alongside working with employees, compliance regimes also seek to extend their mission to these outside suppliers, nudging them to adopt the same ethical standards as the firm for which they are providing services.

In this way, moral and legal norms spread (another form of ethical ‘creep’), but this diffusion is not a result of an awareness-raising mission. Rather, E&C becomes a condition of contract. To ensure that outsiders are ethically compatible, the firm must conduct due diligence on its suppliers for fear of becoming involved in some kind of scandal (child labour, bribes to public officials, kickbacks, etc). The need to vet third party suppliers is so pressing that there are now specialised companies which take on the task of managing ‘third party risk’. The best known of these firms is TRACE International, which promotes its ‘Third Party Management System’. TRACE is both a non-profit foundation (Trace International) and a for-profit company (Trace Compliance, Inc.). Firms can become members of TRACE (for a fee of 2,400 dollars), enabling them to obtain information about hundreds of potential suppliers who have been vetted and become ‘TRACE-certified’. To deal with bribery risk, TRACE International also offers their ‘TRACE gifts’ system, which is ‘a secure online system for tracking both incoming and outgoing gifts, meals, travel and entertainment and identifying spending patterns that may raise a compliance red flag’.15 On the consulting side, TRACE Compliance, Inc. also offers compliance training and specialist solutions in the compliance field.16 TRACE is just one example of how E&C packages travel, imposing themselves on foreign supplier companies to become ‘TRACE-certified’ if they want to obtain supplier contracts. At the same time, the firms which use TRACE services avoid unnecessary risks when going abroad; TRACE replaces the need to establish trust.

TRACE is just one example of the dilemma confronting compliance officers in modern firms and organisations: dealing with the ever-changing government regulations, demands for quality in products and services, strict controls over finances and data privacy, the need for flexible, changing partners in an unpredictable business environment – all while satisfying the career aspirations of ambitious employees who might be tempted to cut corners or ignore cumbersome procedures. These tasks cannot be fulfilled by even the most energetic compliance unit. Hence, compliance officers are constantly looking for solutions outside the firm or organisation: seeking out the latest pedagogical tools, new ethics training courses, cutting-edge monitoring software, all of which can make their jobs more efficient. These solutions are offered by a number of consulting firms, and especially by the Big Four accounting firms.17 They all offer tools to gather and crunch data (the search for ‘metrics’), systems that can ensure that employees understand the compliance programme, and presentation tools to help compliance officers show senior management that they are indeed doing their jobs and helping to generate revenue. For thousands of dollars, these outside vendors (and their specialist sub-contractors) can design and implement a complete compliance programme, convert the newest EU regulations into a compliance data base or disseminate the code of conduct to all employees at home and abroad. They can set up the ‘gifts and hospitality’ template, vet third party suppliers and operate the company's whistle-blower hot line. In effect, these external consultants can take over the firm's compliance function. Without exaggerating, we can call this the ‘outsourcing of ethics’. Both keeping out of jail and doing the right thing can be marketised and commodified.

Conclusion: Moral capitalism?

Over the past two decades, a veritable ethics and compliance package has emerged and been diffused around the world. The combination of new actors, powerful incentives, expensive scandals, a moralising ideology and global reach, all of which can be measured, assessed and monetarised as risk mitigation, has led to compliance departments becoming a standard element of private firms and public organisations. The need to comply, and the need to demonstrate compliance to others, leads to new relations between individual employees and their firms/organisations, firms and their supply chains, and firms and regulatory authorities. Firms and organisations must unequivocally demonstrate adherence to codes, laws and standards. New structures and linkages are created, the purpose of which is to avoid or reduce new kinds of risks, including the penalties when caught.

The linchpin of the E&C package is the individual compliance officer, who not only must act ethically vis-à-vis the firm in which they are employed, but must also reckon with outside legal authorities in case investigators make an enquiry about a suspicious payment or accusation of racism. Individuals and their organisations remain intimately linked, and the culpability of one can lead to the culpability of the other. Activities of the firm must now be grounded not only on profitability but also on a code of ethical conduct. The compliance officer is that first line of defence in the case of an ethical suspicion. In the public sector as well, front-line services and procurement contracts must be properly ‘aligned’ with ethical and compliance regulations for client privacy, workplace safety, employee free speech, prevention of sexual harassment, open bidding and public transparency.

Both capitalist firms and public organisations have always had some kind of moral background. They were never devoid of moral rhetoric or morally tinged missions. In this sense, E&C regimes are not new. What is new is their diffusion into ever more elements of capitalist commerce, organisational management and public sector operations. E&C regimes are now enforced by other private actors who, thanks to new technologies, can deploy real or ersatz auditing tools. These additional private actors – consumers, NGOs, media outlets, other firms – and state agencies with their reporting stipulations create new anxieties about potential risk, while external consultants offer quick-fix strategies to identify or mitigate risk. With all the ethical guidelines and changing compliance regulations, it is increasingly difficult for a compliance officer or firm to know if they are doing the right thing (the smallest mistake can become a major reputational scandal). The compliance officer as a moral compass is threatened by this uncertainty and insecurity. Little wonder that they take out special insurance in case of job loss.

A conspiracy theory of E&C would say that it is just talk and window-dressing, a kind of diversion. Yet the conspiracy approach is a little too neat. Modern capitalism is constructing its own morality with its own theory of human agency, with ‘good people doing bad things’, and its own theory of building ‘strong cultures’, ‘cultures of compliance’ and the right ‘tone’. Modern firms are now demanding that workers not only have specific professional skills but also a moral skill set to navigate the laws, regulations and codes. Modern organisational employees face a similar dilemma to the Romanian communist officials who had to decide which decrees that came down from the top had to be carried out and which ones could be ‘put into the drawer’. Employees must have that moral skill set by which they can reasonably navigate which laws, regulations and codes should be respected, and which ones can be put into the drawer, if not contravened entirely. Modern firms need workers who can identify which grey zones they can manipulate, and the risk areas that might cost them their jobs, or cost the company money or its reputation.

We often believe that the imposition of moral considerations into capitalist firms or bureaucratic organisations can provide some kind of brake on corporate ruthlessness or the cold authoritarianism of New Public Management. In this optic, capitalism can be softened around the edges with a bit of corporate social responsibility, a well-sculpted code of conduct, an anti-bribery policy and the right amount of training. This is the task of the E&C officer. What has emerged is not a moral capitalism, certainly, but some kind of hybrid moralised capitalism in which compliance is a convenient instrument to enforce some rules and evade others. Beneath the performance of compliance, modern firms and organisations are still grappling with the people who comprise them – the people who make the rules, adapt them, interpret them, negotiate them and evade them in creative ways. Compliance, evasion and resistance come together as everyday practice. The moral skill set is about what rules must be followed and which ones can be ignored or broken. This is the subtext behind even the most ambitious code of conduct.

Acknowledgements

Research for this article was financially supported by a grant from the Swedish Research Council (Vetenskapsrådet). I also wish to thank Will Rollason and Eric Hirsch, as well as the anonymous reviewers, for helpful comments on an earlier draft of this article.

Notes

4

For example, the US Department of Justice Guidelines on Federal Prosecution of Offenders (2018), the Department's Evaluation of Corporate Compliance Programs (2020) and the ‘Yates memo’ (Yates 2015) describing individual culpability for corporate crimes.

5

Ironically, it was defence industry actors who established the first industry-wide ethics and compliance standards, which were then taken by the United States Sentencing Commission when formulating the FSGO (Bonime-Blanc 2011). For additional details on the FSGO, including the various changes, see especially Murphy (2002), Finder and Warnecke (2005), Ethics Resource Center (2012), and United States Sentencing Commission (2018, 2021).

8

The Siemens corruption scandal is described by Schubert and Miller (2008) and Berghoff (2017).

9

The areas of perceived compliance risk, listed in order of priority, are data security, privacy and confidentiality, industry-specific regulations, bribery/corruption, supplier/vendor/third party compliance, conflicts of interest, fraud, consumer protection, regulatory quality, money laundering, business continuity, intellectual property, employment and labour compliance, import–export controls/trade compliance, government contracting, safety/environmental, records management, fair competition/anti-trust, corporate social responsibility, social media, insider trading, ethical sourcing and physical security (PwC 2015: 9).

10

See http://www.hcca-info.org. For another example, see the State of Illinois’ guide to health care compliance at http://www.icahn.org/files/HealthTech_Management_Services/Field_Guide_to_Healthcare_Compliance_Manual_FINAL_01062016.pdf. For the Society of Corporate Compliance and Ethics, see https://www.corporatecompliance.org/.

11

Brody and Woloszynski (2021) advocate a more integrated approach so that compliance becomes an integral part of the business rather than remaining in the background.

12

Other members of the ‘C-suite’ would normally be the Chief Executive Officer (CEO), Chief Financial Officer (CFO), Chief Operating Officer (COO) and Chief Information Officer (CIO).

14

A frequent theme in the compliance literature is that of Board members who have no idea what is going on in their companies. See Biegelman (2021) and Carreyrou (2018).

17

For the compliance offerings of the Big Four, see Deloitte (2016), EY (2021), KPMG (2020) and PwC (n.d.).

Contributor Notes

Steven Sampson is Professor Emeritus at the Department of Social Anthropology at Lund University. He has done research on Romania and the Balkans, NGOs, the anti-corruption industry, conspiracy theory and business ethics. Recent publications (all accessible on https://www.soc.lu.se/steven-sampson) include ‘The Morality of Transparency: Clarity versus Emptiness’; ‘Anti-Corruption: Who Cares?’; ‘Resilience and Surveillance in Hann's Eurasia’; ‘Tattoos and Ankle Bracelets: Recalling Fieldwork in Romania’; ‘Citizen Duty or Stasi Society? Whistleblowing and Disclosure Regimes in Organizations and Communities’; and Cultures of Doing Good: Anthropologists and NGOs (co-edited with A. Lashaw and C. Vannier for University of Alabama Press, 2017). E-mail: steven.sampson@soc.lu.se