Is Regulation By Enforcement Coming Next?
Here’s a hypothetical: What if the Supreme Court’s recent curbs on regulatory power turn out to be a mess for Corporate America? What if those limits lead to more regulation by enforcement? What would the implications be for corporate compliance programs and legal teams?
Those questions are on my mind today thanks to an intriguing paper published last Friday by Todd Phillips, a law professor at Georgia State University who studies banking regulation and administrative procedure. Phillips’ paper first reviews the court’s four major rulings, which collectively make agency rulemaking an even more painful burden for regulatory agencies — one where just about every rule could be challenged in court year after year, with judges newly empowered to cast aside rules they don’t like.
In that case, Phillips says, agencies might conclude that adopting new rules is no longer worth the effort; they could just as well telegraph their desires through more enforcement actions and more informal guidance, such as speeches, open letters, and the like.
Or, as Phillips put it:
Agencies are likely to rationally respond to these recent cases by conducting fewer rulemakings. Other ways for agencies to make policy exist — primarily, by bringing targeted enforcement actions and developing the law piecemeal in case-by-case adjudications … If regulations are difficult to promulgate and will not receive deference, why write rules unless absolutely necessary?
Phillips’ full argument is compelling; it’s worth your time to read the whole 21-page paper. Now consider the potential effect on corporate compliance programs. Will compliance programs become more important, because your company will need better ability to defend itself against accusations that you’ve violated the law? Aren’t the items you’d need to defend yourself against regulation by enforcement — a heaping pile of documentation that says, “See? We’ve been busting our butts to obey the law!” — exactly what a compliance program does?
How the Court’s Rulings Open This Door
Phillips walks through four major rulings the Court delivered this year to curb regulatory agencies’ power:
- Loper Bright v. Raimondo, which ended Chevron deference to regulatory agencies when rules drafted under ambiguous legislation were challenged in court.
- Ohio v. EPA, which gives courts stronger footing to decide that rules were adopted in an arbitrary or capricious way (and therefore can be invalidated).
- West Virginia v. EPA, which allows courts to invalidate even rules drafted with clear statutory permission if the judge believes the issue is a “major question” which should be decided by Congress.
- Corner Post v. Board of Governors, which allows even newly formed businesses to bring litigation against long-established rules.
Taken altogether, these decisions make agency rulemaking a costly, tedious, risky, and overall miserable experience for the agency. Right-wingers pushing the above cases would say that’s the point; they want to curb the power of “the administrative state” to tell organizations how they must behave.
OK, the right-wingers achieved their objective. So what might come next?
Well, Phillips has one answer: “Agencies may, accordingly, revive a strategy from prior eras — articulating policies in the course of adjudications where facial challenges are wholly unavailable.”
That is, regulators will simply accuse an organization of violating existing law and bring charges. The company will then most likely settle, as most companies do; and the settlement order will provide the agency with the chance to express how it wants companies to behave. Such regulation by enforcement would side-step all those obstacles the Supreme Court threw up with its four rulings.
For example, rather than engage in a lengthy proposal-and-comment period to draft a new rule, the SEC could fire off a few speeches warning about some issue, and then launch an enforcement sweep. Nobody could sue to challenge the rule as invalid (because the rule was never written) and nobody could say it violates the Major Questions Doctrine (because each single enforcement action isn’t major unto itself).
Could judges still rule against the SEC in those cases? Sure. But that requires a company to go to court and defend itself. Is that really how most companies want to spend their legal budgets? Because contesting cases is expensive, and if you’re the general counsel who advocates that strategy and then loses, you’ll have the “Open to Work” sticker on your LinkedIn profile by the following Monday.
Regulation by Enforcement Is Already Here
For anyone thinking, “Nah, that will never happen,” let’s remember that this already does happen, today, and it demonstrates just how important compliance functions can be.
For example, it’s pretty much how FCPA enforcement happens. The Justice Department publishes guidance, such as the FCPA Resource Guide and the guidelines on Evaluation of Corporate Compliance Programs; but there are no “rules” for FCPA compliance in the traditional sense. The Justice Department just brings cases, companies settle, and we all pore over settlement orders like they’re one of the Dead Sea Scrolls.
Does anybody need to follow those two sacred FCPA texts? No, but good luck avoiding prosecution if you don’t. Here in the real world, everyone understands the message behind that guidance — obey or brace for outrageous legal bills — and we fall into line by building anti-corruption compliance programs. That’s regulation by enforcement.
This is also how the SEC operates, such as its enforcement cases over AI-washing, and even its recent enforcement action against RR Donnelley, where the agency used internal accounting controls as a vehicle to sanction Donnelley over poor cybersecurity practices. The SEC simply declared that the companies in question were violating long-standing rules expressly derived from the Exchange Act, and now we’re all jumping like jackrabbits to pay attention to AI and cybersecurity disclosures.
In such a world, a strong compliance program becomes more important. When agencies accuse you of wrongdoing, and your legal team is looking for ways to settle the case quickly, the best ways are to demonstrate that you didn’t do it, or to demonstrate that you have the apparatus in place not to repeat it. Strong compliance functions serve both those needs.
None of this is any way to run a railroad, of course. Phillips rightly notes that regulation by enforcement is a terrible idea. It leads to more arbitrary outcomes, and more cost for companies caught in the enforcement crosshairs. It leads to a less predictable business landscape, and reduces public input in the regulatory framework since the proposal-and-comment process will be used less often. Different administrations will declare and discard enforcement priorities like fashions going in and out of style.
Compliance and ethics programs, then, might be the corporate equivalent of a good pair of jeans: useful year-round, always in style, and makes your ass look great. That matters when you’re trying to make a good first impression with regulators.