Rory Van Loo

A Public Calling for Private Employees

Two of society’s most important institutions face a crisis of legitimacy: regulatory agencies and corporations. Regulators are on the front lines guarding against climate change, technological upheaval, economic disasters, and other large-scale threats to society. Yet they are under siege from all branches of government and derided as ineffective, inefficient, and undemocratic. Corporations develop life-saving medical innovations, dramatically lower the costs of everything from food to transportation, and provide free information to people at a scale unimaginable thirty years ago. Yet they are commonly viewed as unethical, exploitative, and destructive. It is fair to wonder whether administrative agencies and corporations are poised to tackle the existential challenges that they are arguably best situated to address.

This Article unites these two institutional crises by a common thread: the link between corporate employees and public servants. As a descriptive matter, corporate and administrative employees are more related than they may at first appear. Administrative agencies have long sought the help of corporate employees, many of whom now perform similar tasks to those of regulatory inspectors. Compliance officers, auditors, and other law-related employees within corporations are now at least as numerous as police officers patrolling the streets.

From a policy perspective, corporate employees could serve the public better if they had more power and motivation to act for the public good. To illustrate what increased power might look like, if public-minded employees had more confidential avenues to communicate problematic conduct to regulatory enforcers, they would have a greater ability to influence corporate conduct. A more ambitious agenda for increasing motivation and power would be to encourage a societal shift toward viewing private employees as having a duty not only to shareholders, but also to society. Whether through these or other options, it is important to pay greater attention to the part of the corporation where legal scholars have focused the least: its core, or the low- and mid-level employees who are not engaged in law-related work. Reorienting governance around these core employees offers promise to enhance regulatory effectiveness, cut corporate costs, make work more fulfilling, and lessen the institutional mistrust eroding the foundations of democracy.

Introduction

Private sector employees have become “the single most significant source for detecting and preventing crime—more so than government regulators, law enforcement personnel, and program auditors combined.”1.Jonathan P. West & James S. Bowman, Whistleblowing Policies in American States: A Nationwide Analysis, 50 Am. Rev. Pub. Admin. 119, 120 (2020).Show More Private employees exposed many of the most prominent corporate scandals, including Theranos’s life-threatening biotechnology blood testing practices,2.John Carreyrou, Bad Blood: Secrets and Lies in a Silicon Valley Startup 195, 281–82 (2018).Show More Wells Fargo’s creation of millions of fake accounts in customers’ names,3.See, e.g., J.S. Nelson, Disclosure-Driven Crime, 52 U.C. Davis L. Rev. 1487, 1498, 1533 (2019); Leslie Scism, Prudential Fires Back Against Three Former Employees, Wall St. J., htt‌ps://www.wsj.com/articles/prudential-fires-back-against-three-former-employees-1485437572 (last updated Jan. 26, 2017, at 14:44 ET).Show More and Meta’s knowledge that its algorithms fed children dangerous content with the potential to promote self-harm and eating disorders.4.See Hillary A. Sale, Monitoring Facebook,12 Harv. Bus. L. Rev. 439, 441 (2022).Show More The private employee is arguably the single most important regulatory agent guarding against pressing challenges, such as climate change, consumer exploitation, and disinformation.5.See infra Part I.Show More

Despite society relying heavily on private employees to govern, the law mostly forsakes them. An ethical employee’s main option is to become a whistleblower. But whistleblower protections are strongest when employees help shareholders, such as by reporting securities fraud or embezzlement of company funds.6.See infra Section II.A. Reporting such misconduct internally is more organizationally acceptable because doing so arguably increases shareholder wealth. This means that the conduct upholds shareholder primacy—the influential norm that corporations should prioritize maximizing shareholder wealth. See, e.g., Donald C. Langevoort, The Effects of Shareholder Primacy, Publicness, and “Privateness” on Corporate Cultures, 43 Seattle U. L. Rev. 377, 382–84 (2020) (summarizing the origins and influence of shareholder primacy and linking it to compliance).Show More In contrast, when employees raise ethical concerns about profitable environmental degradation or consumer manipulation, they risk being perceived internally as harming shareholders. If employees instead choose to go public, weak whistleblower protections mean that their careers are routinely ruined.7.Aaron S. Kesselheim, David M. Studdert & Michelle M. Mello, Whistle-Blowers’ Experiences in Fraud Litigation Against Pharmaceutical Companies, 362 NEJM1832, 1836 (2010) (describing the resulting personal toll of whistleblowing). In select areas with strong whistleblower protections, however, whistleblowers fare better. See infra Section III.A.Show More Even among whistleblowers who are ultimately vindicated, “most of them pay a horrible price with lifelong scars.”8.See Tom Devine & Tarek F. Maassarani, Gov’t Accountability Project, The Corporate Whistleblower’s Survival Guide: A Handbook for Committing the Truth 18 (2011); see also C. Fred Alford, Whistleblowers: Broken Lives and Organizational Power 1 (2001) (“[One whistleblower] put it this way: . . . ‘I stood up against the big corporation and I lost. I didn’t just lose my job. I lost my house, and then I lost my family.’”). In one study of False Claims Act lawsuits, employers retaliated against the employees in the vast majority of all cases. Aiyesha Dey, Jonas Heese & Gerardo Pérez-Cavazos, Cash-for-Information Whistleblower Programs: Effects on Whistleblowing and Consequences for Whistleblowers, 59 J. Acct. Rsch. 1689, 1692 (2021).Show More Additionally, corporations use trade secret laws, nondisclosure agreements, and company policies to scare employees away from sharing information with regulators.9.See infra Subsection III.A.1.Show More To enforce the law, employees must too often take on powerful corporate pressures from an isolated position of weakness.

This Article sketches private workers’ place at the center of the regulatory architecture, identifies weaknesses in that structure’s design, and proposes reforms that would enable workers to govern from a position of greater power. As a descriptive matter, corporate employees are connected to public servants in part because they often perform functions similar to those of administrative agency employees. Moreover, regulatory agencies often monitor, shape, and even informally manage the compliance systems within large companies.10 10.Rory Van Loo, Regulatory Monitors: Policing Firms in the Compliance Era, 119 Colum. L. Rev. 369, 369 (2019).Show More Agencies are thus one of the sources of external pressure that have made lawyers, compliance officers, and risk-management employees in the corporate sector about as numerous as police officers patrolling U.S. streets.11 11.See infra Section I.A (showing how large regulators have sought to enlist the help of corporate employees for decades). For data on the number of law-related personnel in the private sector, see William S. Laufer, A Very Special Regulatory Milestone, 20 U. Pa. J. Bus. L. 392, 393–94 (2017) (“There soon will be as many enterprise-wide risk, audit, legal, and compliance professionals on the payroll of corporations in the United States as municipal police officers keeping our streets safe.”). Since Laufer’s estimate that the two figures were close, the number of compliance officers alone has increased by over forty percent, while the number of police officers has decreased by nearly two percent. See id. at 393 n.1 (citing Press Release, Bureau of Lab. Stat., U.S. Dep’t of Lab., Occupational Employment and Wages—May 2016 (Mar. 31, 2017) [hereinafter 2016 Employment and Wages Press Release], https://w‌ww.bls.gov/news.release/archives/ocwage_03312017.pdf [https://perma.cc/Z9ZD-BQFU]) (providing a 2016 estimate for compliance officers as 273,000); Bureau of Lab. Stat., U.S. Dep’t of Lab., Occupational Employment and Wages, May 2023: 13-1041 Compliance Officers, https://www.bls.gov/oes/2023/may/oes131041.htm [https://perma.cc/FF27-2ZZS] (last updated Apr. 3, 2024) (providing a 2023 estimate for compliance officers as 383,620); 2016 Employment and Wages Press Release, supra (putting a 2016 police and sheriff’s patrol officer estimate at 657,690); Bureau of Lab. Stat., U.S. Dep’t of Lab., Occupational Employment and Wages, May 2023: 33-3051 Police and Sheriff’s Patrol Officers, https://ww‌w.bls.gov/oes/2023/may/oes333051.htm [https://perma.cc/BX4B-BLZB] (last updated Apr. 3, 2024) (reporting a 2023 police and sheriff’s patrol officer estimate of 646,310).Show More Although a substantial workforce of such law-related employees may be unavoidable, they are normatively less desirable for enforcing regulations than core employees.12 12.See infra Part II. These are not mutually exclusive categories in the sense that both law-related employees and core employees can become whistleblowers.Show More Relying as much as possible on core employees—such as pharmaceutical scientists, computer engineers, or sales agents—to enforce laws from within the corporation has the most potential to regulate costs effectively while improving legitimacy.13 13.See infra Part I.Show More Instead, the current regulatory architecture inverts the normative hierarchy by leaning heavily on law-related employees.14 14.See infra Part I.Show More Moreover, for core employees to promote the public interest, too often they must do so from a position of weakness unless they come forward publicly as whistleblowers, which is perhaps the least desirable outcome for both them and their employers.

This Article explores two main ways to improve the framework for enlisting private employees as public servants. Even with existing statutory authority, administrative agencies can extend greater power to core employees and thereby better align private enforcement with public norms. Alternatively, even without any administrative agency action, a societal shift to viewing frontline workers as having a public calling could itself lead to meaningful progress.

By situating private employees at the center of the regulatory state, this Article connects three vibrant strands of legal scholarship: administrative law, corporate law, and social movements. In recent years, administrative law scholarship has begun “crack[ing] open the black box of agencies to peer inside,”15 15.Elizabeth Magill & Adrian Vermeule, Allocating Power Within Agencies, 120 Yale L.J. 1032, 1035 (2011).Show More which has shown that administrative agency inspectors and other monitors lie at the heart of regulatory power.16 16.Van Loo, supra note 10 (chronicling “the statutory rise of regulatory monitors . . . to situate them empirically at the core of modern administrative power”).Show More These sub-organizational examinations have been motivated partly by the notion that conversations about administrative law “are incomplete because agencies are typically treated as unitary entities.”17 17.Magill & Vermeule, supra note 15, at 1032 (“Standard questions in the theory of administrative law involve the allocation of power among legislatures, courts, the President, and various types of agencies.”).Show More Conceptualizing corporate employees as regulatory agents means cracking open the black box of agencies, which requires understanding how agencies leverage corporate employees. Despite paying considerable attention to businesses as regulatory actors, however, administrative law scholars have rarely paid sustained attention to mapping corporations’ internal actors playing a regulatory role.18 18.The “religion” of privatization has sometimes drawn administrative and constitutional law scholars to examine businesses more closely. Martha Minow, Public and Private Partnerships: Accounting for the New Religion, 116 Harv. L. Rev. 1229, 1229–30, 1247 (2003). Privatization, however, concerns the government moving traditionally public services, like operating prisons, toward private businesses. Id. at 1229–30. Of greater relevance is the early literature identifying a panoply of regulatory models, including a new governance era in which agencies and firms collaborate to solve problems rather than act as adversaries, which provides valuable foundations for the agency-firm connection on which this Article builds. See, e.g., Cary Coglianese & David Lazer, Management-Based Regulation: Prescribing Private Management to Achieve Public Goals, 37 Law & Soc’y Rev. 691, 725 (2003) (analyzing a regulatory model in which government “regulators outline criteria for private sector planning and conduct varying degrees of oversight to ensure that firms are engaging in effective planning and implementation that satisfies the stated criteria”); Jody Freeman, Collaborative Governance in the Administrative State, 45 UCLA L. Rev. 1, 30 (1997); Ian Ayres & John Braithwaite, Responsive Regulation: Transcending the Deregulation Debate 4–7 (Donald R. Harris, Keith Hawkins, Sally Lloyd-Bostock & Doreen McBarnet eds., 1992); Orly Lobel, The Renew Deal: The Fall of Regulation and the Rise of Governance in Contemporary Legal Thought, 89 Minn. L. Rev. 342, 345–47, 376–78 (2004). Finally, scholars have increasingly examined agencies’ intersections with firms’ compliance officers. See Nicholas R. Parrillo, Federal Agency Guidance and the Power to Bind: An Empirical Study of Agencies and Industries, 36 Yale J. on Reg. 165, 204–05, 271 (2019) (concluding that compliance officers sometimes implement agency guidance). Compliance officers are, however, merely one subset of employee enforcers. See infra Section I.B.Show More

Consequently, the task of mapping the internal enforcement apparatus within the firm has largely fallen on corporate law scholars. Scholars have conceived of the rise of compliance departments as a transformation in corporate culture, governance, and organizational structure.19 19.Michele DeStefano, Creating a Culture of Compliance: Why Departmentalization May Not Be the Answer, 10 Hastings Bus. L.J. 71, 72 (2014) (“What might have been thought of twenty years ago as a basic corporate governance function is now being ceded to compliance departments.” (footnote omitted)); id. at 74–75; James A. Fanto, Surveillant and Counselor: A Reorientation in Compliance for Broker-Dealers, 2014 BYU L. Rev. 1121, 1139–42, 1163–67; Donald C. Langevoort, Cultures of Compliance, 54 Am. Crim. L. Rev. 933, 940–41 (2017).Show More Yet these corporate law literatures tend to pay limited attention to agencies or treat them as unitary entities.20 20.See infra Part I.Show More These literatures also overwhelmingly focus on white-collar crime and the Department of Justice (“DOJ”), and only secondarily on the Securities and Exchange Commission (“SEC”), which is the main agency dedicated to protecting investors.21 21.See, e.g., Miriam Hechler Baer, Governing Corporate Compliance, 50 B.C. L. Rev. 949, 959 (2009) (focusing on the DOJ and, to a lesser extent, the SEC).Show More These entities do not conduct the bulk of enforcement activity, which occurs through Environmental Protection Agency (“EPA”) engineers, Federal Reserve examiners, Food and Drug Administration (“FDA”) inspectors, and other regulatory monitors.22 22.See Van Loo, supra note 10, at 373–74, 435 (demonstrating the centrality of monitors to regulatory agencies and linking them to compliance departments).Show More The Environmental, Social, and Governance (“ESG”) literature is also disconnected from regulatory agencies and revolves around public duties at the top of the organization rather than the bottom.23 23.For an important account of ESG and its limits, see Dorothy S. Lund & Elizabeth Pollman, The Corporate Governance Machine, 121 Colum. L. Rev. 2563, 2563, 2566, 2615 (2021). Although certainly of a similar spirit, scholarly calls for reforming shareholder primacy tend to see core employees mostly as beneficiaries of reforms rather than, as this Article does, central actors bringing about societal change. See, e.g., Oliver Hart & Luigi Zingales, The New Corporate Governance, 1 U. Chi. Bus. L. Rev. 195, 196–97 (2022) (calling for “shareholder welfare maximization” to replace “shareholder value maximization” as the guiding norm for the corporation (emphasis omitted)).Show More

Unlike administrative law or corporate law conversations, social movement scholarship sometimes situates frontline employees as the main object of study. In the technology industry in particular, scholars have observed that rather than remaining “on the sidelines, employees are taking a stand”24 24.Jennifer S. Fan, Employees as Regulators: The New Private Ordering in High Technology Companies, 2019 Utah L. Rev. 973, 1026.Show More to engage in “governance . . . from the bottom up.”25 25.Hannah Bloch-Wehba, Algorithmic Governance from the Bottom Up, 48 BYU L. Rev. 69, 69 (2022).Show More Yet those important conversations are mostly disconnected from administrative law and corporate law conversations at the heart of this Article. Missing from administrative law, corporate law, and social movement accounts is a mapping of the systematic sub-organizational links between administrative agencies and the broader set of actors within businesses working toward related goals.

In integrating the internal laws of administrative agencies and corporations, this Article also connects the distinct “crisis of legitimacy” facing each of these institutions.26 26.This is not a new issue for either field. See Jody Freeman, The Private Role in Public Governance, 75 N.Y.U. L. Rev. 543, 545 (2000) (“Since the New Deal explosion of government agencies, administrative law has been defined by the crisis of legitimacy and the problem of agency discretion.”); Roland Marchand, Creating the Corporate Soul: The Rise of Public Relations and Corporate Imagery in American Big Business2 (1998) (“[M]ajor corporations expanded at a bewildering pace at the end of the nineteenth century . . . . This momentous shift in the balance of social forces created a crisis of legitimacy for the large corporations.”).Show More All branches of government have recently assailed administrative agencies. Presidents have led systematic “administrative sabotage”27 27.David L. Noll, Administrative Sabotage, 120 Mich. L. Rev. 753, 753 (2022).Show More that has damaged agency resources, expertise, and reputation.28 28.Jody Freeman & Sharon Jacobs, Structural Deregulation, 135 Harv. L. Rev. 585, 586, 588 (2021).Show More Lawmakers have dismantled years of agency rulemaking under the Congressional Review Act.29 29.Bethany A. Davis Noll & Richard L. Revesz, Regulation in Transition, 104 Minn. L. Rev. 1, 3 (2019).Show More And the Supreme Court has chipped away at agency authority while warning of “a ruling class of largely unaccountable ‘ministers.’”30 30.See, e.g., West Virginia v. EPA, 142 S. Ct. 2587, 2617 (2022) (Gorsuch, J., concurring) (citation omitted) (“[T]he framers believed that a republic—a thing of the people—would be more likely to enact just laws than a regime administered by a ruling class of largely unaccountable ‘ministers.’” (citation omitted)); Loper Bright Enters. v. Raimondo, 144 S. Ct. 2244, 2273 (2024) (overturning Chevron deference); Gillian E. Metzger, The Supreme Court, 2016 Term—Foreword: 1930s Redux: The Administrative State Under Siege, 131 Harv. L. Rev. 1, 3 (2017) (“Justice Thomas, with Chief Justice Roberts, Justice Alito, and now Justice Gorsuch sounding similar complaints, . . . have attacked the modern administrative state as a threat to liberty and democracy and suggested that its central features may be unconstitutional.”).Show More Private governance has not, however, provoked the same backlash, and a greater reliance on private employees to govern is less likely to violate the more restrictive principles of the Court’s recent cases shrinking administrative authority.31 31.Private governance actors have historically withstood due process and nondelegation challenges. Freeman, supra note 26, at 665. Although the legal standards for administrative agency authority are in flux, the main implication for this Article is that wherever the Supreme Court establishes the administrative authority boundaries, Congress will need to write and enforce employee enforcement rules accordingly. The recent cases adjusting the lines do not infringe on agencies’ ability to work with industry to implement whatever authority remains. For examples of cases restricting formal authority without infringing on agencies’ ability to rely on private actors, see, e.g., Biden v. Nebraska, 143 S. Ct. 2355, 2375 (2023) (striking down student loan forgiveness by applying the major questions doctrine to find the statute did not permit the Secretary of Education to make such modifications to the loan forgiveness program); Loper Bright, 144 S. Ct. at 2273 (overturning Chevron deference and requiring that Article III judges independently determine a statute’s best meaning).Show More Indeed, leaning more heavily into cultivating help from private employees could enable the administrative state to operate more forcefully despite judicial curtailment of its authority. Moreover, relying on core employees’ moral compasses to regulate responds to arguably the central critique of agencies: regulation infringes on private autonomy.32 32.See infra Part II.Show More After all, core employees are the heart of the private sector. Thus, increasing their ability to voluntarily enforce the law from within the corporation could strengthen the administrative state’s legitimacy in the eyes of some of its chief critics.

Corporations’ legitimacy crisis stems from perceptions that they are responsible for climate change, economic inequality, the erosion of democracy, and other major threats to the social fabric.33 33.See Marchand, supra note 26, at 2.Show More Yet Congress is too divided, too influenced by industry lobbying, and too poorly designed to provide regulatory agencies with sufficient power or pass all regulatory legislation that society needs to constrain harmful corporate conduct.34 34.Jonathan S. Gould & Rory Van Loo, Legislating for the Future, 92 U. Chi. L. Rev. 375, 386–88, 390 (2025); Robert G. Kaiser, Act of Congress: How America’s Essential Institution Works, and How It Doesn’t 127–41 (2013).Show More With public enforcement limited, private employees become more important for pushing corporations to follow the law. Moreover, although not the focus of this Article, if core employees gain power, some may succeed in pushing their firm to act above the environmental or social minimum.35 35.Employee advocacy beyond legal compliance has benefits and drawbacks that are beyond the scope of this Article. They include the potential economic benefits of addressing externalities and the potential costs of more difficult management. See infra Section III.B.Show More Private employees thus offer an option for filling part of the democracy gap between gridlocked legislatures and public preferences.

Several policy implications flow from this description of the private employee architecture at the center of public governance. Even if employee enforcers never push corporations beyond legal compliance, they are key to current reform efforts that aim to tackle some of the world’s most high-stakes problems. Once whistleblowers are recognized as the endgame of a larger regulatory apparatus within the corporation, supporting them becomes even more important because doing so heightens the consequences for corporate executives ignoring core employees. Support should not only include, but also exceed, the scholarly focus on protecting whistleblowers from retaliation. Ideally, ethical employees would be able to stay in the corporation to continue to guide it, rather than have to leave it as whistleblowers. Regulatory agencies should therefore build more confidential and easily accessible communication channels that core employees who are ignored within the corporation can use to communicate problems to an actor with public power.

A more ambitious reform would be to shift the societal norms for what it means to be an employee in a large corporation. If more private employees viewed themselves as having a public calling, it should increase the chances that they advocate for the public interest from within the corporation. It would be true to history and the modern regulatory architecture to view private employees as having both a private and a public calling. Viewed through a broader paradigm, employees within agencies and firms comprise an extensive administrative infrastructure that—if leveraged effectively—has the potential to move the private sector toward greater public service.

The Article begins in Part I with five examples of administrative agencies that have long sought to enlist private employees as enforcers: the SEC, the Federal Trade Commission (“FTC”), the Equal Employment Opportunity Commission (“EEOC”), the EPA, and agencies in heavily regulated industries. These agencies reveal the architecture of employee enforcers. Part II takes up normative questions about how to design the system of public-private agents to enhance the regulatory goals of effectiveness, efficiency, autonomy, and legitimacy. Part III turns to the policy question of how to strengthen the employee enforcement architecture. With more public power and purpose, private employees will be better positioned to take on the incredible responsibility that society has entrusted to them.

Before proceeding to the main discussion, a caveat is in order. Leveraging the employee enforcer is only one piece of the broader regulatory system. The discussion below should not be taken to suggest that regulation should rely as much as it does on private employees or can rely only on them. This Article is instead focused on how to maximize private employees. Other potential avenues for reform include providing more resources and power to administrative agencies, eliminating regulations that harm competition, and increasing liability to promote deterrence—many of which I have proposed elsewhere.36 36.See, e.g., Rory Van Loo, Making Innovation More Competitive: The Case of Fintech, 65 UCLA L. Rev. 232, 244 (2018) (criticizing the licensing barriers holding back fintech and consumer finance competition); Kathryn E. Spier & Rory Van Loo, Foundations for Platform Liability, 100 Notre Dame L. Rev. 1137, 1187 (2025) (proposing increased tech platform liability for third-party harms to consumers); Rory Van Loo, The Missing Regulatory State: Monitoring Businesses in an Age of Surveillance, 72 Vand. L. Rev. 1563, 1617 (2019) (“[P]olicymakers should consider building new monitoring programs for the increasingly digital economy.”); Dorothy S. Lund & Natasha Sarin, Corporate Crime and Punishment: An Empirical Study, 100 Tex. L. Rev. 285, 28789, 292–94 (2021) (showing empirically the problem of insufficient penalties); J.S. Nelson, Paper Dragon Thieves, 105 Geo. L.J. 871, 872–73 (2017) (“When the behavior of these agents is coordinated to commit large-scale wrongdoing and to inflict damage on members of the public, the law should return to the traditional position of penalizing the behavior of the agents as individuals.”); Kaiser, supra note 34, at 127–41 (explaining the influence of industry lobbying on legislation).Show More When major regulatory reform opportunities arrive, the statutory blueprint tends not to limit itself to simply one regulatory tool.37 37.Kaiser, supra note 34, at 378–80.Show More Reforms related to employee enforcers are complementary to other reforms, and producing the most robust regulatory system possible requires getting all of its components right. Whether from Congress, the president, state governments, or the private sector, future regulatory reforms should include a more comprehensive view of how to best leverage employee enforcers. It is hard to imagine an effective regulatory architecture in the future without substantial involvement, if not leadership, by frontline employees throughout the corporate sector.

  1.  Jonathan P. West & James S. Bowman, Whistleblowing Policies in American States: A Nationwide Analysis, 50 Am. Rev. Pub. Admin. 119, 120 (2020).

  2.  John Carreyrou, Bad Blood: Secrets and Lies in a Silicon Valley Startup

    195, 281–82 (2018).

  3.  See, e.g., J.S. Nelson, Disclosure-Driven Crime, 52 U.C. Davis L. Rev
    .

    1487, 1498, 1533 (2019); Leslie Scism, Prudential Fires Back Against Three Former Employees, Wall St. J., htt‌ps://www.wsj.com/articles/prudential-fires-back-against-three-former-employees-1485437572 (last updated Jan. 26, 2017, at 14:44 ET).

  4.  See Hillary A. Sale, Monitoring Facebook, 12 Harv. Bus. L. Rev
    .

    439, 441 (2022).

  5.  See infra Part I.
  6.  See infra Section II.A. Reporting such misconduct internally is more organizationally acceptable because doing so arguably increases shareholder wealth. This means that the conduct upholds shareholder primacy—the influential norm that corporations should prioritize maximizing shareholder wealth. See, e.g., Donald C. Langevoort, The Effects of Shareholder Primacy, Publicness, and “Privateness” on Corporate Cultures, 43 Seattle U. L. Rev. 377, 382–84 (2020) (summarizing the origins and influence of shareholder primacy and linking it to compliance).
  7.  Aaron S. Kesselheim, David M. Studdert & Michelle M. Mello, Whistle-Blowers’ Experiences in Fraud Litigation Against Pharmaceutical Companies, 362 NEJM

    1832, 1836 (2010) (describing the resulting personal toll of whistleblowing). In select areas with strong whistleblower protections, however, whistleblowers fare better. See infra Section III.A.

  8.  See Tom Devine & Tarek F. Maassarani, Gov’t Accountability Project, The Corporate Whistleblower’s Survival Guide: A Handbook for Committing the Truth 18 (2011); see also C. Fred Alford, Whistleblowers: Broken Lives and Organizational Power
    1

    (2001) (“[One whistleblower] put it this way: . . . ‘I stood up against the big corporation and I lost. I didn’t just lose my job. I lost my house, and then I lost my family.’”). In one study of False Claims Act lawsuits, employers retaliated against the employees in the vast majority of all cases. Aiyesha Dey, Jonas Heese & Gerardo Pérez-Cavazos, Cash-for-Information Whistleblower Programs: Effects on Whistleblowing and Consequences for Whistleblowers, 59 J. Acct. Rsch. 1689, 1692 (2021).

  9.  See infra Subsection III.A.1.
  10.  Rory Van Loo, Regulatory Monitors: Policing Firms in the Compliance Era, 119 Colum. L. Rev. 369, 369 (2019).
  11.  See infra Section I.A (showing how large regulators have sought to enlist the help of corporate employees for decades). For data on the number of law-related personnel in the private sector, see William S. Laufer, A Very Special Regulatory Milestone, 20 U. Pa. J. Bus. L. 392, 393–94 (2017) (“There soon will be as many enterprise-wide risk, audit, legal, and compliance professionals on the payroll of corporations in the United States as municipal police officers keeping our streets safe.”). Since Laufer’s estimate that the two figures were close, the number of compliance officers alone has increased by over forty percent, while the number of police officers has decreased by nearly two percent. See id. at 393 n.1 (citing Press Release, Bureau of Lab. Stat., U.S. Dep’t of Lab., Occupational Employment and Wages—May 2016 (Mar. 31, 2017) [hereinafter 2016 Employment and Wages Press Release], https://w‌ww.bls.gov/news.release/archives/ocwage_03312017.pdf [https://perma.cc/Z9ZD-BQFU]) (providing a 2016 estimate for compliance officers as 273,000); Bureau of Lab. Stat., U.S. Dep’t of Lab., Occupational Employment and Wages, May 2023: 13-1041 Compliance Officers, https://www.bls.gov/oes/2023/may/oes131041.htm [https://perma.cc/FF27-2ZZS] (last updated Apr. 3, 2024) (providing a 2023 estimate for compliance officers as 383,620); 2016 Employment and Wages Press Release, supra (putting a 2016 police and sheriff’s patrol officer estimate at 657,690); Bureau of Lab. Stat., U.S. Dep’t of Lab., Occupational Employment and Wages, May 2023: 33-3051 Police and Sheriff’s Patrol Officers, https://ww‌w.bls.gov/oes/2023/may/oes333051.htm [https://perma.cc/BX4B-BLZB] (last updated Apr. 3, 2024)

    (reporting a 2023 police and sheriff’s patrol officer estimate of 646,310).

  12.  See infra Part II. These are not mutually exclusive categories in the sense that both law-related employees and core employees can become whistleblowers.
  13.  See infra Part I.
  14.  See infra Part I.
  15.  Elizabeth Magill & Adrian Vermeule, Allocating Power Within Agencies, 120 Yale L.J. 1032, 1035 (2011).
  16.  Van Loo, supra note 10 (chronicling “the statutory rise of regulatory monitors . . . to situate them empirically at the core of modern administrative power”).
  17.  Magill & Vermeule, supra note 15, at 1032 (“Standard questions in the theory of administrative law involve the allocation of power among legislatures, courts, the President, and various types of agencies.”).
  18.  The “religion” of privatization has sometimes drawn administrative and constitutional law scholars to examine businesses more closely. Martha Minow, Public and Private Partnerships: Accounting for the New Religion, 116 Harv. L. Rev. 1229, 1229–30, 1247 (2003). Privatization, however, concerns the government moving traditionally public services, like operating prisons, toward private businesses. Id. at 1229–30. Of greater relevance is the early literature identifying a panoply of regulatory models, including a new governance era in which agencies and firms collaborate to solve problems rather than act as adversaries, which provides valuable foundations for the agency-firm connection on which this Article builds. See, e.g., Cary Coglianese & David Lazer, Management-Based Regulation: Prescribing Private Management to Achieve Public Goals
    , 37

    Law & Soc’y Rev. 691, 725 (2003) (analyzing a regulatory model in which government “regulators outline criteria for private sector planning and conduct varying degrees of oversight to ensure that firms are engaging in effective planning and implementation that satisfies the stated criteria”); Jody Freeman, Collaborative Governance in the Administrative State, 45 UCLA L. Rev. 1, 30 (1997); Ian Ayres & John Braithwaite, Responsive Regulation: Transcending the Deregulation Debate 4–7 (Donald R. Harris, Keith Hawkins, Sally Lloyd-Bostock & Doreen McBarnet eds., 1992); Orly Lobel, The Renew Deal: The Fall of Regulation and the Rise of Governance in Contemporary Legal Thought, 89 Minn. L. Rev

    .

    342, 345–47, 376–78 (2004). Finally, scholars have increasingly examined agencies’ intersections with firms’ compliance officers. See Nicholas R. Parrillo, Federal Agency Guidance and the Power to Bind: An Empirical Study of Agencies and Industries, 36 Yale J. on Reg. 165, 204–05, 271 (2019) (concluding that compliance officers sometimes implement agency guidance). Compliance officers are, however, merely one subset of employee enforcers. See infra Section I.B.

  19.  Michele DeStefano, Creating a Culture of Compliance: Why Departmentalization May Not Be the Answer, 10 Hastings Bus. L.J. 71, 72 (2014) (“What might have been thought of twenty years ago as a basic corporate governance function is now being ceded to compliance departments.” (footnote omitted)); id. at 74–75; James A. Fanto, Surveillant and Counselor: A Reorientation in Compliance for Broker-Dealers, 2014 BYU L. Rev. 1121, 1139–42, 1163–67; Donald C. Langevoort, Cultures of Compliance, 54 Am. Crim. L. Rev. 933, 940–41 (2017).
  20.  See infra Part I.
  21.  See, e.g., Miriam Hechler Baer, Governing Corporate Compliance, 50 B.C. L. Rev. 949, 959 (2009) (focusing on the DOJ and, to a lesser extent, the SEC).
  22.  See Van Loo, supra note 10, at 373–74, 435 (demonstrating the centrality of monitors to regulatory agencies and linking them to compliance departments).
  23.  For an important account of ESG and its limits, see Dorothy S. Lund & Elizabeth Pollman, The Corporate Governance Machine, 121 Colum. L. Rev. 2563, 2563, 2566, 2615 (2021). Although certainly of a similar spirit, scholarly calls for reforming shareholder primacy tend to see core employees mostly as beneficiaries of reforms rather than, as this Article does, central actors bringing about societal change. See, e.g., Oliver Hart & Luigi Zingales, The New Corporate Governance, 1 U. Chi. Bus. L. Rev. 195, 196–97 (2022) (calling for “shareholder welfare maximization” to replace “shareholder value maximization” as the guiding norm for the corporation (emphasis omitted)).
  24.  Jennifer S. Fan, Employees as Regulators: The New Private Ordering in High Technology Companies, 2019 Utah L. Rev. 973, 1026.
  25.  Hannah Bloch-Wehba, Algorithmic Governance from the Bottom Up, 48 BYU L. Rev. 69, 69 (2022).
  26.  This is not a new issue for either field. See Jody Freeman, The Private Role in Public Governance, 75 N.Y.U. L. Rev. 543, 545 (2000) (“Since the New Deal explosion of government agencies, administrative law has been defined by the crisis of legitimacy and the problem of agency discretion.”); Roland Marchand, Creating the Corporate Soul: The Rise of Public Relations and Corporate Imagery in American Big Business 2 (1998) (“[M]ajor corporations expanded at a bewildering pace at the end of the nineteenth century . . . . This momentous shift in the balance of social forces created a crisis of legitimacy for the large corporations.”).
  27.  David L. Noll, Administrative Sabotage, 120 Mich. L. Rev. 753, 753 (2022).
  28.  Jody Freeman & Sharon Jacobs, Structural Deregulation, 135 Harv. L. Rev. 585, 586, 588 (2021).
  29.  Bethany A. Davis Noll & Richard L. Revesz, Regulation in Transition, 104 Minn. L. Rev. 1, 3 (2019).
  30.  See, e.g., West Virginia v. EPA, 142 S. Ct. 2587, 2617 (2022) (Gorsuch, J., concurring) (citation omitted) (“[T]he framers believed that a republic—a thing of the people—would be more likely to enact just laws than a regime administered by a ruling class of largely unaccountable ‘ministers.’” (citation omitted)); Loper Bright Enters. v. Raimondo, 144 S. Ct. 2244, 2273 (2024) (overturning Chevron deference); Gillian E. Metzger, The Supreme Court, 2016 Term—Foreword: 1930s Redux: The Administrative State Under Siege, 131 Harv. L. Rev. 1, 3 (2017) (“Justice Thomas, with Chief Justice Roberts, Justice Alito, and now Justice Gorsuch sounding similar complaints, . . . have attacked the modern administrative state as a threat to liberty and democracy and suggested that its central features may be unconstitutional.”).
  31.  Private governance actors have historically withstood due process and nondelegation challenges. Freeman, supra note 26, at 665. Although the legal standards for administrative agency authority are in flux, the main implication for this Article is that wherever the Supreme Court establishes the administrative authority boundaries, Congress will need to write and enforce employee enforcement rules accordingly. The recent cases adjusting the lines do not infringe on agencies’ ability to work with industry to implement whatever authority remains. For examples of cases restricting formal authority without infringing on agencies’ ability to rely on private actors, see, e.g., Biden v. Nebraska, 143 S. Ct. 2355, 2375 (2023) (striking down student loan forgiveness by applying the major questions doctrine to find the statute did not permit the Secretary of Education to make such modifications to the loan forgiveness program); Loper Bright, 144 S. Ct. at 2273 (overturning Chevron deference and requiring that Article III judges independently determine a statute’s best meaning).
  32.  See infra Part II.
  33.  See Marchand, supra note 26, at 2.
  34.  Jonathan S. Gould & Rory Van Loo, Legislating for the Future, 92 U. Chi. L. Rev. 375, 386–88, 390 (2025); Robert G. Kaiser, Act of Congress: How America’s Essential Institution Works, and How It Doesn’t 127–41 (2013).
  35.  Employee advocacy beyond legal compliance has benefits and drawbacks that are beyond the scope of this Article. They include the potential economic benefits of addressing externalities and the potential costs of more difficult management. See infra Section III.B.
  36.  See, e.g., Rory Van Loo, Making Innovation More Competitive: The Case of Fintech, 65 UCLA L. Rev. 232, 244 (2018) (criticizing the licensing barriers holding back fintech and consumer finance competition); Kathryn E. Spier & Rory Van Loo, Foundations for Platform Liability, 100 Notre Dame L. Rev. 1137, 1187 (2025) (proposing increased tech platform liability for third-party harms to consumers); Rory Van Loo, The Missing Regulatory State: Monitoring Businesses in an Age of Surveillance, 72 Vand. L. Rev. 1563, 1617 (2019) (“[P]olicymakers should consider building new monitoring programs for the increasingly digital economy.”); Dorothy S. Lund & Natasha Sarin, Corporate Crime and Punishment: An Empirical Study, 100 Tex. L. Rev.
    285, 287

    89, 292–94

    (2021) (showing empirically the problem of insufficient penalties); J.S. Nelson, Paper Dragon Thieves, 105 Geo. L.J. 871, 872–73 (2017) (“When the behavior of these agents is coordinated to commit large-scale wrongdoing and to inflict damage on members of the public, the law should return to the traditional position of penalizing the behavior of the agents as individuals.”); Kaiser

    ,

    supra note 34, at 127–41 (explaining the influence of industry lobbying on legislation).

  37.  Kaiser
    ,

    supra note 34, at 378–80.

The New Gatekeepers: Private Firms as Public Enforcers

The world’s largest businesses must routinely police other businesses. By public mandate, Facebook monitors app developers’ privacy safeguards, Citibank audits call centers for deceptive sales practices, and Exxon reviews offshore oil platforms’ environmental standards. Scholars have devoted significant attention to how policy makers deploy other private sector enforcers, such as certification bodies, accountants, lawyers, and other periphery “gatekeepers.” However, the literature has paid insufficient attention to the emerging regulatory conscription of large firms at the center of the economy. This Article examines the rise of the enforcer-firm through case studies of the industries that are home to the most valuable companies in technology, banking, oil, and pharmaceuticals. Over the past two decades, administrative agencies have used legal rules, guidance documents, and court orders to mandate that private firms in these and other industries perform the duties of a public regulator. More specifically, firms must write rules in their contracts that reserve the right to inspect third parties. When they find violations, they must pressure or punish the wrongdoer. This form of governance has important intellectual and policy implications. It imposes more of a public duty on the firm, alters corporate governance, and may even reshape business organizations. It also gives resource-strapped regulators promising tools. If designed poorly, however, the enforcer-firm will create an expansive area of unaccountable authority. Any comprehensive account of the firm or regulation must give a prominent role to the administrative state’s newest gatekeepers.

Introduction

In 2018, Facebook Chairman and CEO Mark Zuckerberg faced senators on national television regarding conduct that prompted the Federal Trade Commission (FTC) to seek its largest ever fine.1.Cecilia Kang, A Facebook Settlement with the F.T.C. Could Run into the Billions, N.Y. Times, Feb. 15, 2019, at B6.Show More The main issue was not what Facebook did directly to its users. Instead, the hearing focused on the social network’s failure to restrain third parties. Most notably, the political consulting firm Cambridge Analytica had accessed millions of users’ accounts in an effort to support election candidates.2.Katy Steinmetz, Mark Zuckerberg Survived Congress. Now Facebook Has to Survive the FTC, Time (Apr. 13, 2018, 12:42 PM), https://time.com/5237900/facebook-ftc-privacy-data-cambridge-analytica/ [https://perma.cc/4SJJ-YHP9].Show More Before Zuckerberg’s Senate testimony, the FTC had already sued Google and Amazon to force them to monitor third parties for privacy violations and in-app video game purchases by children that sometimes reached in the thousands of dollars.3.See FTC v. Amazon.com, Inc., No. C14-1038-JCC, 2016 WL 10654030, at *8 (W.D. Wash. July 22, 2016) (finding Amazon accountable for in-app charges); Agreement Containing Consent Order at 5, Google Inc., No. 102-3136, (F.T.C. Mar. 30, 2011), https://www.ftc.gov/sites/default/files/documents/cases/2011/03/110330googlebuzzagreeorder.pdf [https://perma.cc/7R6W-5VNP] (ordering Google to require “service providers by contract to implement and maintain appropriate privacy protections”).Show More In other words, the FTC is requiring large technology companies to act in ways traditionally associated with public regulators—by policing other businesses for legal violations.

Over time, policy makers have enlisted a large array of private actors in their quest for optimal regulatory design.4.See, e.g., Kenneth A. Bamberger, Regulation as Delegation: Private Firms, Decisionmaking, and Accountability in the Administrative State, 56 Duke L.J. 377, 453 (2006) (conceiving of regulators’ decisions to let regulated entities fill in vague mandates as delegation); Cary Coglianese & David Lazer, Management-Based Regulation: Prescribing Private Management to Achieve Public Goals, 37 Law & Soc’y Rev. 691, 691, 726 (2003) (describing the “intertwining of the public and private sectors”); Jody Freeman, The Private Role in Public Governance, 75 N.Y.U. L. Rev. 543, 549–56 (2000) (surveying the great diversity of private governance actors); Gillian E. Metzger, Privatization as Delegation, 103 Colum. L. Rev. 1367, 1369 (2003) (conceiving of privatization of health care, welfare provision, prisons, and public education as delegation); Martha Minow, Public and Private Partnerships: Accounting for the New Religion, 116 Harv. L. Rev. 1229, 1237–42 (2003) (exploring implications of privatization for public values).Show More Scholarship on the private role in public governance has focused on third-party enforcers whose main function is to provide a support service. Those enforcers include self-regulatory organizations formed by industry and independent auditors mandated by regulators.5.See Bamberger, supra note 4, at 452–58; Freeman, supra note 4, at 635, 644. As another example, in policing stock exchanges, the Securities and Exchange Commission (SEC) relies heavily on self-regulatory organizations to monitor wrongdoing and propose rules. Jennifer M. Pacella, If the Shoe of the SEC Doesn’t Fit: Self-Regulatory Organizations and Absolute Immunity, 58 Wayne L. Rev. 201, 202 (2012). Courts also order third-party monitors. See Veronica Root, The Monitor-“Client” Relationship, 100 Va. L. Rev. 523, 531–33 (2014).Show More The corporate law strand of this enforcement literature emphasizes a network of “gatekeepers,” such as lawyers, accountants, and certifiers who guard against compliance and governance failures.6.See John C. Coffee, Jr., Gatekeepers: The Professions and Corporate Governance 2–3 (2006) (chronicling the evolution of auditors, attorneys, securities analysts, and credit-rating agencies in guarding against corporate governance failures); Assaf Hamdani, Gatekeeper Liability, 77 S. Cal. L. Rev. 53, 117–18 (2003) (discussing the need to expand gatekeeper liability in the wake of the Enron fraud scandal); Reinier H. Kraakman, Gatekeepers: The Anatomy of a Third-Party Enforcement Strategy, 2 J.L. Econ. & Org. 53, 54 (1986) (contrasting whistleblowers with gatekeepers, who are third parties that can “prevent misconduct by withholding support”).Show More For instance, before releasing annual reports, a publicly traded company must obtain the signoff of a certified accountant.7.15 U.S.C. § 78m(a) (2018) (“Every issuer of a security . . . shall file with the Commission . . . such annual reports (and such copies thereof), certified if required by the rules and regulations of the Commission by independent public accountants . . . .”).Show More In these more familiar private enforcement contexts, the private “cops on the beat”8.Kraakman, supra note 6, at 53 n.1 (attributing to Jeremy Bentham the “cop-on-the-beat” metaphor and using it to describe gatekeepers).Show More are ancillary actors rather than core market participants.9.The literature has also extensively analyzed self-regulation as part of a broader new governance that arose in recent decades. Administrative agencies now pursue collaborative and responsive models of public governance designed to encourage the business sector to self-regulate. See, e.g., Ian Ayres & John Braithwaite, Responsive Regulation: Transcending the Deregulation Debate 3 (1992); Jody Freeman, Collaborative Governance in the Administrative State, 45 UCLA L. Rev. 1, 6–7 (1997). Additionally, large businesses have dramatically grown their compliance departments to police the firm from within. See, e.g., Sean J. Griffith, Corporate Governance in an Era of Compliance, 57 Wm. & Mary L. Rev. 2075, 2077 (2016); Kimberly D. Krawiec, Organizational Misconduct: Beyond the Principal-Agent Model, 32 Fla. St. U. L. Rev. 571, 572 (2005); Veronica Root, Coordinating Compliance Incentives, 102 Cornell L. Rev. 1003, 1004 (2017). This important and nascent literature on corporate compliance has remained focused on the firm’s role in overseeing internal operations, or on traditional gatekeepers doing so.Show More

This Article demonstrates how policymakers have enlisted a new class of more powerful third-party enforcers: the businesses at the heart of the economy. The ten largest American companies by valuation operate in information technology, finance, oil, and pharmaceuticals.10 10.Fortune 500 List, Fortune (last visited Oct. 18, 2019), http://fortune.com/fortune­500/list/filtered?sortBy=mktval (identifying the ten most valuable American companies as Apple, Alphabet, Microsoft, Amazon, Berkshire Hathaway, Facebook, JPMorgan Chase, Johnson & Johnson, Exxon Mobil, and Bank of America). One of these companies, Berkshire Hathaway, is a conglomerate operating in diverse industries, including finance, while Johnson & Johnson sells pharmaceuticals in addition to consumer goods. Berkshire Hathaway, Fortune (updated Mar. 29, 2018), https://fortune.com/fortune500/2018/berkshire-hathaway/; Johnson & Johnson, Fortune (updated Mar. 29, 2018), https://fortune.com/fortune500/2018/johnson-johnson/.Show More A regulator has put leading firms in each of these industries on notice about their responsibilities for third-party oversight.11 11.See infra Part II.Show More In addition to the FTC, the Environmental Protection Agency (EPA)—along with the Department of Justice (DOJ)—requires BP Oil and other energy companies to audit offshore oil platform operators for environmental compliance.12 12.Consent Decree Among Defendant BP Exploration & Production Inc., the United States of America, and the States of Alabama, Florida, Louisiana, Mississippi, and Texas at 32–33, In re Oil Spill by the Oil Rig “Deepwater Horizon” in the Gulf of Mex., on Apr. 20, 2010, No. 10-MDL-2179 (E.D. La. Oct. 5, 2015), ECF No. 15436-1 [hereinafter BP Consent Decree].Show More The Food and Drug Administration (FDA) expects Pfizer and other drug companies to ensure suppliers and third-party labs follow the agency’s health and safety guidelines.13 13.21 C.F.R. § 211.22(a) (2018) (explaining best practices for quality control of contractors); FDA Warning Letter from Cheryl A. Bigham, Dist. Dir., Kan. City Dist., Office of Regulatory Affairs, to Thomas Handel, President & Gen. Manager, Meridian Med. Techs., Inc., a Pfizer Co. (Sept. 5, 2017), https://www.fda.gov/iceci/enforcementactions/warningletters/2017/ucm­574981.htm [https://perma.cc/JMX9-V7VL].Show More The Consumer Financial Protection Bureau (CFPB) orders financial institutions, such as American Express, to monitor independent debt collectors and call centers for deceptive practices.14 14.Am. Express Centurion Bank, CFPB No. 2012-CFPB-0002 (Oct. 1, 2012) (joint consent order).Show More

The widespread conscription of businesses as enforcers—also called “enforcer-firms” below—shares characteristics with, but differs meaningfully from, prior iterations of third-party regulation. For instance, the FTC’s original administrative order required Facebook to hire a third-party auditor—an example of the old gatekeeper model—to certify Facebook’s compliance.15 15.Facebook, Inc., FTC File No. 0923184, No. C-4365, at 3–4 (F.T.C. July 27, 2012) (decision and order).Show More In that arrangement, refusing to sign off on Facebook’s biennial reports to the FTC constituted the auditor’s main sanction.16 16.See id. at 6.Show More Facebook could, however, respond to that sanction by bringing its business elsewhere.17 17.The consent order does not prevent such a response. See id.Show More That ability to retaliate weakens traditional gatekeepers’ power and independence.18 18.See Joel S. Demski, Corporate Conflicts of Interest, 17 J. Econ. Persp. 51, 57 (2003).Show More

In contrast, the enforcer-firm is usually the client—or at least a crucial business partner—of the third parties it regulates. Its main sanction is to cease doing business with those third parties, which can prove devastating.19 19.See infra Section IV.A.Show More The client relationship that weakens traditional gatekeepers thus strengthens the enforcer-firm. In short, policymakers have begun relying on third-party enforcement by the real gatekeepers of the economy: the firms who control access to core product markets.20 20.A diversified firm may play both a new and traditional gatekeeper role. For instance, by allowing a company to serve as both a commercial bank and investment bank, the law enables large financial institutions to operate as both traditional gatekeepers—overseeing their clients by underwriting securities, prompted by liability avoidance under the Securities Act of 1933—and as new gatekeepers, being the clients who hire third-party businesses. See infraSection II.A; Kraakman, supranote 6, at 82–83.Show More

In highlighting an overlooked enforcement model, this Article builds on the literature scrutinizing the increasingly narrow divide between private businesses and the administrative state.21 21.See supra note 4 and accompanying text.Show More Although that scholarship has yet to examine the enforcer-firm in any sustained manner,22 22.To the extent scholars have discussed mandated third-party governance it has been in passing or in narrower contexts such as in criminal or international law. See, e.g., Larry Catá Backer, Surveillance and Control: Privatizing and Nationalizing Corporate Monitoring After Sarbanes-Oxley, 2004 Mich. St. L. Rev. 327, 433–34 (2004) (referencing how the Bank Secrecy Act causes a larger number of businesses to become “part of the network of the state’s eyes and ears”); John Braithwaite, Responsive Regulation and Developing Economies, 34 World Dev. 884, 889–90 (2006) (exploring how domestic firms can serve as a means of reaching foreign actors); Stavros Gadinis & Colby Mangels, Collaborative Gatekeepers, 73 Wash. & Lee L. Rev. 797, 910–11 (2016) (focusing on money laundering); Itai Grinberg, The Battle over Taxing Offshore Accounts, 60 UCLA L. Rev. 304, 304 (2012) (referencing a “growing consensus that financial institutions should act as cross-border tax intermediaries”). For other ways that scholars have recognized that businesses regulate other firms, see infra Part I.Show More mandated third-party governance raises some similar accountability issues as previous generations of third-party enforcement. In particular, as a new area of quasi-regulatory activity unlikely to be overturned by judicial review, conscripted enforcement lacks transparency and traditional measures of public involvement, such as notice and comment rulemaking.23 23.See, e.g., Rachel E. Barkow, Overseeing Agency Enforcement, 84 Geo. Wash. L. Rev. 1129, 1130 (2016) (“Most aspects of agency enforcement policy generally escape judicial review.”); Freeman, supra note 4, at 647 (“Most self-regulatory programs lack the transparency and public involvement that characterize legislative rulemaking.”); Lesley K. McAllister, Regulation by Third-Party Verification, 53 B.C. L. Rev. 1, 3–4 (2012) (identifying accountability challenges with third-party enforcement models).Show More

However, if designed well, the enforcer-firm offers some hope for improving upon prior regulatory models’ accountability. Because enforcer-firms often sell directly to consumers, they may prove more responsive to public concerns when compared to traditional gatekeepers, which interact most closely with regulated entities.24 24.See, e.g., Coffee, supra note 6, at 15–18 (describing gatekeeper shortcomings).Show More And because the enforcer-firm is itself a prime target of public regulation, it would be easier for an administrative agency to oversee it than to add a whole new category of firms as required for oversight of traditional gatekeepers.25 25.See infra Section IV.B.Show More The conscription of businesses proved crucial in other administrative contexts, including the implementation of a personal income tax.26 26.Ajay K. Mehrotra, Making the Modern American Fiscal State: Law, Politics, and the Rise of Progressive Taxation, 1877–1929, at 282–83 (2013).Show More The enforcer-firm could, by analogy, enable the regulatory state to bring dispersed business actors into compliance.

None of this should be taken as an endorsement of the enforcer-firm, which is too new and understudied to yield strong normative conclusions. However, an openness to the upsides of the enforcer-firm responds to the critique that administrative law scholars have too often portrayed private actors as an intrusion into legitimacy, which prevents “imagining the means by which private actors might contribute to accountability.”27 27.Freeman, supra note 4, at 675. Numerous scholars have taken up this call in other contexts. See, e.g., Sarah E. Light, The Law of the Corporation as Environmental Law, 71 Stan. L. Rev. 137, 139–41 (2019) (calling for a holistic view of corporations’ role in promoting environmental goals).Show More

Mandated third-party governance also speaks to vibrant corporate law inquiries. Scholars have paid considerable attention to the duties of directors and officers, personal liability for corporate wrongdoing, and organizational structure.28 28.See generally Nicolai J. Foss et al., The Theory of the Firm, in 3 Encyclopedia of Law and Economics 631 (Boudewijn Bouckaert & Gerrit De Geest eds., 2000); infra Part III.Show More Conscripted enforcement shapes each of these areas and pushes against depictions of the firm emphasizing its private nature. Those depictions are rooted in the influential metaphor—sometimes described as the most dominant theory of the firm—that the firm is a “nexus of contracts” among owners, managers, laborers, suppliers, and customers.29 29.See, e.g., Melvin A. Eisenberg, The Conception That the Corporation Is a Nexus of Contracts, and the Dual Nature of the Firm, 24 J. Corp. L. 819, 820 (1999); Michael C. Jensen & William H. Meckling, Theory of the Firm: Managerial Behavior, Agency Costs and Ownership Structure, 3 J. Fin. Econ. 305, 310 (1976); Steven L. Schwarcz, Misalignment: Corporate Risk-Taking and Public Duty, 92 Notre Dame L. Rev. 1, 26 (2016).Show More The firm remains exceedingly private. But by directing businesses to write enforcement-oriented contract clauses and monitor external relationships for legal violations, as a descriptive matter the state is pushing the firm toward a larger public role.30 30.See infra Section III.A.Show More

That insight is relevant beyond theory and institutional design. In the highest legislative circles and corporate boardrooms, debates are unfolding about what duties corporations owe to society, with some taking particular aim at the idea that shareholders should come above all other stakeholders.31 31.See Elizabeth Warren, Companies Shouldn’t Be Accountable Only to Shareholders, Wall St. J., Aug. 15, 2018, at A17; Larry Fink, Larry Fink’s 2018 Letter to CEOs: A Sense of Purpose, BlackRock, https://www.blackrock.com/corporate/investor-relations/2018-larry-fin­k-ceo-letter [https://perma.cc/P9X6-HN85] (last visited Jan. 13, 2020); Martin Lipton et al., It’s Time to Adopt the New Paradigm, Harv. L. Sch. F. Corp. Governance, https://corpgov.­law.harvard.edu/2019/02/11/its-time-to-adopt-the-new-paradigm [https://perma.cc/3XH9-SSRS] (last visited Jan. 13, 2020); Business Roundtable Redefines the Purpose of a Corporation to Promote ‘An Economy That Serves All Americans,’ Business Roundtable (Aug. 19, 2019), [https://perma.cc/9K2F-2HLG]. On shareholder primacy, see infra note 189 and accompanying text.Show More Conscripted enforcement marks a significant uptick in federal regulatory involvement in the firm by imposing more of an affirmative public duty to act.32 32.See infra Section III.D.Show More Cast against the backdrop of the firm as public enforcer, calls for business leaders to do more for society appear less disconnected from reality than would be the case under a largely private conception of the firm.33 33.There is arguably a gap between rhetoric and reality. See Marcel Kahan & Edward Rock, Symbolic Corporate Governance Politics, 94 B.U. L. Rev. 1997, 2042 (2014).Show More

The Article is structured as follows. Part I provides an overview of the well-studied ways that private entities serve as enforcers. Part II offers four case studies of how regulators have implemented mandated enforcement of third parties in some of the largest U.S. industries: the FTC and technology, the CFPB and banking, the EPA and oil, and the FDA and pharmaceuticals. Part III examines how mandated enforcement alters the firm’s contracts, relationships, and governance. It also explores shifts in liability at the personal and entity level, which could influence organizational structure. Part IV concludes by considering implications for the effectiveness and accountability of the administrative state.

  1. * Associate Professor of Law, Boston University; Affiliated Fellow, Yale Law School Information Society Project. For extremely valuable input, I am grateful to Hilary Allen, William Eskridge, George Geis, Anna Gelpern, Jonathan Lipson, Nicholas Parrillo, Carla Reyes, Kevin Schwartz, Andrew Tuch, Michael Vandenbergh, David Walker, and Jay Wexler, and to workshop participants at Boston University, the University of Pennsylvania, the University of Virginia, and Yale ISP. Special thanks to Eric Talley for unusually formative early comments. Jacob Axelrod, Sam Burgess, Omeed Firoozgan, Christopher Hamilton, Allison Mcsorley, Tyler Stites, Kelsey Sullivan, and Gavin Tullis provided excellent research assistance. The Virginia Law Review editors, and particularly Mark Russell, were tremendously thorough and helpful throughout.
  2. Cecilia Kang, A Facebook Settlement with the F.T.C. Could Run into the Billions, N.Y. Times, Feb. 15, 2019, at B6.
  3. Katy Steinmetz, Mark Zuckerberg Survived Congress. Now Facebook Has to Survive the FTC, Time (Apr. 13, 2018, 12:42 PM), https://time.com/5237900/facebook-ftc-privacy-data-cambridge-analytica/ [https://perma.cc/4SJJ-YHP9].
  4. See FTC v. Amazon.com, Inc., No. C14-1038-JCC, 2016 WL 10654030, at *8 (W.D. Wash. July 22, 2016) (finding Amazon accountable for in-app charges); Agreement Containing Consent Order at 5, Google Inc., No. 102-3136, (F.T.C. Mar. 30, 2011), https://www.ftc.gov/sites/default/files/documents/cases/2011/03/110330googlebuzzagreeorder.pdf [https://perma.cc/7R6W-5VNP] (ordering Google to require “service providers by contract to implement and maintain appropriate privacy protections”).
  5. See, e.g., Kenneth A. Bamberger, Regulation as Delegation: Private Firms, Decisionmaking, and Accountability in the Administrative State, 56 Duke L.J. 377, 453 (2006) (conceiving of regulators’ decisions to let regulated entities fill in vague mandates as delegation); Cary Coglianese & David Lazer, Management-Based Regulation: Prescribing Private Management to Achieve Public Goals, 37 Law & Soc’y Rev. 691, 691, 726 (2003) (describing the “intertwining of the public and private sectors”); Jody Freeman, The Private Role in Public Governance, 75 N.Y.U. L. Rev. 543, 549–56 (2000) (surveying the great diversity of private governance actors); Gillian E. Metzger, Privatization as Delegation, 103 Colum. L. Rev. 1367, 1369 (2003) (conceiving of privatization of health care, welfare provision, prisons, and public education as delegation); Martha Minow, Public and Private Partnerships: Accounting for the New Religion, 116 Harv. L. Rev. 1229, 1237–42 (2003) (exploring implications of privatization for public values).
  6. See Bamberger, supra note 4, at 452–58; Freeman, supra note 4, at 635, 644. As another example, in policing stock exchanges, the Securities and Exchange Commission (SEC) relies heavily on self-regulatory organizations to monitor wrongdoing and propose rules. Jennifer M. Pacella, If the Shoe of the SEC Doesn’t Fit: Self-Regulatory Organizations and Absolute Immunity, 58 Wayne L. Rev. 201, 202 (2012). Courts also order third-party monitors. See Veronica Root, The Monitor-“Client” Relationship, 100 Va. L. Rev. 523, 531–33 (2014).
  7. See John C. Coffee, Jr., Gatekeepers: The Professions and Corporate Governance 2–3 (2006) (chronicling the evolution of auditors, attorneys, securities analysts, and credit-rating agencies in guarding against corporate governance failures); Assaf Hamdani, Gatekeeper Liability, 77 S. Cal. L. Rev. 53, 117–18 (2003) (discussing the need to expand gatekeeper liability in the wake of the Enron fraud scandal); Reinier H. Kraakman, Gatekeepers: The Anatomy of a Third-Party Enforcement Strategy, 2 J.L. Econ. & Org. 53, 54 (1986) (contrasting whistleblowers with gatekeepers, who are third parties that can “prevent misconduct by withholding support”).
  8. 15 U.S.C. § 78m(a) (2018) (“Every issuer of a security . . . shall file with the Commission . . . such annual reports (and such copies thereof), certified if required by the rules and regulations of the Commission by independent public accountants . . . .”).
  9. Kraakman, supra note 6, at 53 n.1 (attributing to Jeremy Bentham the “cop-on-the-beat” metaphor and using it to describe gatekeepers).
  10. The literature has also extensively analyzed self-regulation as part of a broader new governance that arose in recent decades. Administrative agencies now pursue collaborative and responsive models of public governance designed to encourage the business sector to self-regulate. See, e.g., Ian Ayres & John Braithwaite, Responsive Regulation: Transcending the Deregulation Debate 3 (1992); Jody Freeman, Collaborative Governance in the Administrative State, 45 UCLA L. Rev. 1, 6–7 (1997). Additionally, large businesses have dramatically grown their compliance departments to police the firm from within. See, e.g., Sean J. Griffith, Corporate Governance in an Era of Compliance, 57 Wm. & Mary L. Rev. 2075, 2077 (2016); Kimberly D. Krawiec, Organizational Misconduct: Beyond the Principal-Agent Model, 32 Fla. St. U. L. Rev. 571, 572 (2005); Veronica Root, Coordinating Compliance Incentives, 102 Cornell L. Rev. 1003, 1004 (2017). This important and nascent literature on corporate compliance has remained focused on the firm’s role in overseeing internal operations, or on traditional gatekeepers doing so.
  11. Fortune 500 List, Fortune (last visited Oct. 18, 2019), http://fortune.com/fortune­500/list/filtered?sortBy=mktval (identifying the ten most valuable American companies as Apple, Alphabet, Microsoft, Amazon, Berkshire Hathaway, Facebook, JPMorgan Chase, Johnson & Johnson, Exxon Mobil, and Bank of America). One of these companies, Berkshire Hathaway, is a conglomerate operating in diverse industries, including finance, while Johnson & Johnson sells pharmaceuticals in addition to consumer goods. Berkshire Hathaway, Fortune (updated Mar. 29, 2018), https://fortune.com/fortune500/2018/berkshire-hathaway/; Johnson & Johnson, Fortune (updated Mar. 29, 2018), https://fortune.com/fortune500/2018/johnson-johnson/.
  12. See infra Part II.
  13. Consent Decree Among Defendant BP Exploration & Production Inc., the United States of America, and the States of Alabama, Florida, Louisiana, Mississippi, and Texas at 32–33, In re Oil Spill by the Oil Rig “Deepwater Horizon” in the Gulf of Mex., on Apr. 20, 2010, No. 10-MDL-2179 (E.D. La. Oct. 5, 2015), ECF No. 15436-1 [hereinafter BP Consent Decree].
  14. 21 C.F.R. § 211.22(a) (2018) (explaining best practices for quality control of contractors); FDA Warning Letter from Cheryl A. Bigham, Dist. Dir., Kan. City Dist., Office of Regulatory Affairs, to Thomas Handel, President & Gen. Manager, Meridian Med. Techs., Inc., a Pfizer Co. (Sept. 5, 2017), https://www.fda.gov/iceci/enforcementactions/warningletters/2017/ucm­574981.htm [https://perma.cc/JMX9-V7VL].
  15. Am. Express Centurion Bank, CFPB No. 2012-CFPB-0002 (Oct. 1, 2012) (joint consent order).
  16. Facebook, Inc., FTC File No. 0923184, No. C-4365, at 3–4 (F.T.C. July 27, 2012) (decision and order).
  17. See id. at 6.
  18. The consent order does not prevent such a response. See id.
  19. See Joel S. Demski, Corporate Conflicts of Interest, 17 J. Econ. Persp. 51, 57 (2003).
  20. See infra Section IV.A.
  21. A diversified firm may play both a new and traditional gatekeeper role. For instance, by allowing a company to serve as both a commercial bank and investment bank, the law enables large financial institutions to operate as both traditional gatekeepers—overseeing their clients by underwriting securities, prompted by liability avoidance under the Securities Act of 1933—and as new gatekeepers, being the clients who hire third-party businesses. See infra Section II.A; Kraakman, supra note 6, at 82–83.
  22. See supra note 4 and accompanying text.
  23. To the extent scholars have discussed mandated third-party governance it has been in passing or in narrower contexts such as in criminal or international law. See, e.g., Larry Catá Backer, Surveillance and Control: Privatizing and Nationalizing Corporate Monitoring After Sarbanes-Oxley, 2004 Mich. St. L. Rev. 327, 433–34 (2004) (referencing how the Bank Secrecy Act causes a larger number of businesses to become “part of the network of the state’s eyes and ears”); John Braithwaite, Responsive Regulation and Developing Economies, 34 World Dev. 884, 889–90 (2006) (exploring how domestic firms can serve as a means of reaching foreign actors); Stavros Gadinis & Colby Mangels, Collaborative Gatekeepers, 73 Wash. & Lee L. Rev. 797, 910–11 (2016) (focusing on money laundering); Itai Grinberg, The Battle over Taxing Offshore Accounts, 60 UCLA L. Rev. 304, 304 (2012) (referencing a “growing consensus that financial institutions should act as cross-border tax intermediaries”). For other ways that scholars have recognized that businesses regulate other firms, see infra Part I.
  24. See, e.g., Rachel E. Barkow, Overseeing Agency Enforcement, 84 Geo. Wash. L. Rev. 1129, 1130 (2016) (“Most aspects of agency enforcement policy generally escape judicial review.”); Freeman, supra note 4, at 647 (“Most self-regulatory programs lack the transparency and public involvement that characterize legislative rulemaking.”); Lesley K. McAllister, Regulation by Third-Party Verification, 53 B.C. L. Rev. 1, 3–4 (2012) (identifying accountability challenges with third-party enforcement models).
  25. See, e.g., Coffee, supra note 6, at 15–18 (describing gatekeeper shortcomings).
  26. See infra Section IV.B.
  27. Ajay K. Mehrotra, Making the Modern American Fiscal State: Law, Politics, and the Rise of Progressive Taxation, 1877–1929, at 282–83 (2013).
  28. Freeman, supra note 4, at 675. Numerous scholars have taken up this call in other contexts. See, e.g., Sarah E. Light, The Law of the Corporation as Environmental Law, 71 Stan. L. Rev. 137, 139–41 (2019) (calling for a holistic view of corporations’ role in promoting environmental goals).
  29. See generally Nicolai J. Foss et al., The Theory of the Firm, in 3 Encyclopedia of Law and Economics 631 (Boudewijn Bouckaert & Gerrit De Geest eds., 2000); infra Part III.
  30. See, e.g., Melvin A. Eisenberg, The Conception That the Corporation Is a Nexus of Contracts, and the Dual Nature of the Firm, 24 J. Corp. L. 819, 820 (1999); Michael C. Jensen & William H. Meckling, Theory of the Firm: Managerial Behavior, Agency Costs and Ownership Structure, 3 J. Fin. Econ. 305, 310 (1976); Steven L. Schwarcz, Misalignment: Corporate Risk-Taking and Public Duty, 92 Notre Dame L. Rev. 1, 26 (2016).
  31. See infra Section III.A.
  32. See Elizabeth Warren, Companies Shouldn’t Be Accountable Only to Shareholders, Wall St. J., Aug. 15, 2018, at A17; Larry Fink, Larry Fink’s 2018 Letter to CEOs: A Sense of Purpose, BlackRock, https://www.blackrock.com/corporate/investor-relations/2018-larry-fin­k-ceo-letter [https://perma.cc/P9X6-HN85] (last visited Jan. 13, 2020); Martin Lipton et al., It’s Time to Adopt the New Paradigm, Harv. L. Sch. F. Corp. Governance, https://corpgov.­law.harvard.edu/2019/02/11/its-time-to-adopt-the-new-paradigm [https://perma.cc/3XH9-SSRS] (last visited Jan. 13, 2020); Business Roundtable Redefines the Purpose of a Corporation to Promote ‘An Economy That Serves All Americans,’ Business Roundtable (Aug. 19, 2019), [https://perma.cc/9K2F-2HLG]. On shareholder primacy, see infra note 189 and accompanying text.
  33. See infra Section III.D.
  34. There is arguably a gap between rhetoric and reality. See Marcel Kahan & Edward Rock, Symbolic Corporate Governance Politics, 94 B.U. L. Rev. 1997, 2042 (2014).
©Virginia Law Review Association. All rights reserved.