The New Gatekeepers: Private Firms as Public Enforcers

The world’s largest businesses must routinely police other businesses. By public mandate, Facebook monitors app developers’ privacy safeguards, Citibank audits call centers for deceptive sales practices, and Exxon reviews offshore oil platforms’ environmental standards. Scholars have devoted significant attention to how policy makers deploy other private sector enforcers, such as certification bodies, accountants, lawyers, and other periphery “gatekeepers.” However, the literature has paid insufficient attention to the emerging regulatory conscription of large firms at the center of the economy. This Article examines the rise of the enforcer-firm through case studies of the industries that are home to the most valuable companies in technology, banking, oil, and pharmaceuticals. Over the past two decades, administrative agencies have used legal rules, guidance documents, and court orders to mandate that private firms in these and other industries perform the duties of a public regulator. More specifically, firms must write rules in their contracts that reserve the right to inspect third parties. When they find violations, they must pressure or punish the wrongdoer. This form of governance has important intellectual and policy implications. It imposes more of a public duty on the firm, alters corporate governance, and may even reshape business organizations. It also gives resource-strapped regulators promising tools. If designed poorly, however, the enforcer-firm will create an expansive area of unaccountable authority. Any comprehensive account of the firm or regulation must give a prominent role to the administrative state’s newest gatekeepers.

Introduction

In 2018, Facebook Chairman and CEO Mark Zuckerberg faced senators on national television regarding conduct that prompted the Federal Trade Commission (FTC) to seek its largest ever fine.1 The main issue was not what Facebook did directly to its users. Instead, the hearing focused on the social network’s failure to restrain third parties. Most notably, the political consulting firm Cambridge Analytica had accessed millions of users’ accounts in an effort to support election candidates.2 Before Zuckerberg’s Senate testimony, the FTC had already sued Google and Amazon to force them to monitor third parties for privacy violations and in-app video game purchases by children that sometimes reached in the thousands of dollars.3 In other words, the FTC is requiring large technology companies to act in ways traditionally associated with public regulators—by policing other businesses for legal violations.

Over time, policy makers have enlisted a large array of private actors in their quest for optimal regulatory design.4 Scholarship on the private role in public governance has focused on third-party enforcers whose main function is to provide a support service. Those enforcers include self-regulatory organizations formed by industry and independent auditors mandated by regulators.5 The corporate law strand of this enforcement literature emphasizes a network of “gatekeepers,” such as lawyers, accountants, and certifiers who guard against compliance and governance failures.6 For instance, before releasing annual reports, a publicly traded company must obtain the signoff of a certified accountant.7 In these more familiar private enforcement contexts, the private “cops on the beat”8 are ancillary actors rather than core market participants.9

This Article demonstrates how policymakers have enlisted a new class of more powerful third-party enforcers: the businesses at the heart of the economy. The ten largest American companies by valuation operate in information technology, finance, oil, and pharmaceuticals.10 A regulator has put leading firms in each of these industries on notice about their responsibilities for third-party oversight.11 In addition to the FTC, the Environmental Protection Agency (EPA)—along with the Department of Justice (DOJ)—requires BP Oil and other energy companies to audit offshore oil platform operators for environmental compliance.12 The Food and Drug Administration (FDA) expects Pfizer and other drug companies to ensure suppliers and third-party labs follow the agency’s health and safety guidelines.13 The Consumer Financial Protection Bureau (CFPB) orders financial institutions, such as American Express, to monitor independent debt collectors and call centers for deceptive practices.14

The widespread conscription of businesses as enforcers—also called “enforcer-firms” below—shares characteristics with, but differs meaningfully from, prior iterations of third-party regulation. For instance, the FTC’s original administrative order required Facebook to hire a third-party auditor—an example of the old gatekeeper model—to certify Facebook’s compliance.15 In that arrangement, refusing to sign off on Facebook’s biennial reports to the FTC constituted the auditor’s main sanction.16 Facebook could, however, respond to that sanction by bringing its business elsewhere.17 That ability to retaliate weakens traditional gatekeepers’ power and independence.18

In contrast, the enforcer-firm is usually the client—or at least a crucial business partner—of the third parties it regulates. Its main sanction is to cease doing business with those third parties, which can prove devastating.19 The client relationship that weakens traditional gatekeepers thus strengthens the enforcer-firm. In short, policymakers have begun relying on third-party enforcement by the real gatekeepers of the economy: the firms who control access to core product markets.20

In highlighting an overlooked enforcement model, this Article builds on the literature scrutinizing the increasingly narrow divide between private businesses and the administrative state.21 Although that scholarship has yet to examine the enforcer-firm in any sustained manner,22 mandated third-party governance raises some similar accountability issues as previous generations of third-party enforcement. In particular, as a new area of quasi-regulatory activity unlikely to be overturned by judicial review, conscripted enforcement lacks transparency and traditional measures of public involvement, such as notice and comment rulemaking.23

However, if designed well, the enforcer-firm offers some hope for improving upon prior regulatory models’ accountability. Because enforcer-firms often sell directly to consumers, they may prove more responsive to public concerns when compared to traditional gatekeepers, which interact most closely with regulated entities.24 And because the enforcer-firm is itself a prime target of public regulation, it would be easier for an administrative agency to oversee it than to add a whole new category of firms as required for oversight of traditional gatekeepers.25 The conscription of businesses proved crucial in other administrative contexts, including the implementation of a personal income tax.26 The enforcer-firm could, by analogy, enable the regulatory state to bring dispersed business actors into compliance.

None of this should be taken as an endorsement of the enforcer-firm, which is too new and understudied to yield strong normative conclusions. However, an openness to the upsides of the enforcer-firm responds to the critique that administrative law scholars have too often portrayed private actors as an intrusion into legitimacy, which prevents “imagining the means by which private actors might contribute to accountability.”27

Mandated third-party governance also speaks to vibrant corporate law inquiries. Scholars have paid considerable attention to the duties of directors and officers, personal liability for corporate wrongdoing, and organizational structure.28 Conscripted enforcement shapes each of these areas and pushes against depictions of the firm emphasizing its private nature. Those depictions are rooted in the influential metaphor—sometimes described as the most dominant theory of the firm—that the firm is a “nexus of contracts” among owners, managers, laborers, suppliers, and customers.29 The firm remains exceedingly private. But by directing businesses to write enforcement-oriented contract clauses and monitor external relationships for legal violations, as a descriptive matter the state is pushing the firm toward a larger public role.30

That insight is relevant beyond theory and institutional design. In the highest legislative circles and corporate boardrooms, debates are unfolding about what duties corporations owe to society, with some taking particular aim at the idea that shareholders should come above all other stakeholders.31 Conscripted enforcement marks a significant uptick in federal regulatory involvement in the firm by imposing more of an affirmative public duty to act.32 Cast against the backdrop of the firm as public enforcer, calls for business leaders to do more for society appear less disconnected from reality than would be the case under a largely private conception of the firm.33

The Article is structured as follows. Part I provides an overview of the well-studied ways that private entities serve as enforcers. Part II offers four case studies of how regulators have implemented mandated enforcement of third parties in some of the largest U.S. industries: the FTC and technology, the CFPB and banking, the EPA and oil, and the FDA and pharmaceuticals. Part III examines how mandated enforcement alters the firm’s contracts, relationships, and governance. It also explores shifts in liability at the personal and entity level, which could influence organizational structure. Part IV concludes by considering implications for the effectiveness and accountability of the administrative state.

  * Associate Professor of Law, Boston University; Affiliated Fellow, Yale Law School Information Society Project. For extremely valuable input, I am grateful to Hilary Allen, William Eskridge, George Geis, Anna Gelpern, Jonathan Lipson, Nicholas Parrillo, Carla Reyes, Kevin Schwartz, Andrew Tuch, Michael Vandenbergh, David Walker, and Jay Wexler, and to workshop participants at Boston University, the University of Pennsylvania, the University of Virginia, and Yale ISP. Special thanks to Eric Talley for unusually formative early comments. Jacob Axelrod, Sam Burgess, Omeed Firoozgan, Christopher Hamilton, Allison Mcsorley, Tyler Stites, Kelsey Sullivan, and Gavin Tullis provided excellent research assistance. The Virginia Law Review editors, and particularly Mark Russell, were tremendously thorough and helpful throughout.
  1. Cecilia Kang, A Facebook Settlement with the F.T.C. Could Run into the Billions, N.Y. Times, Feb. 15, 2019, at B6.
  2. Katy Steinmetz, Mark Zuckerberg Survived Congress. Now Facebook Has to Survive the FTC, Time (Apr. 13, 2018, 12:42 PM), https://time.com/5237900/facebook-ftc-privacy-data-cambridge-analytica/ [https://perma.cc/4SJJ-YHP9].
  3. See FTC v. Amazon.com, Inc., No. C14-1038-JCC, 2016 WL 10654030, at *8 (W.D. Wash. July 22, 2016) (finding Amazon accountable for in-app charges); Agreement Containing Consent Order at 5, Google Inc., No. 102-3136, (F.T.C. Mar. 30, 2011), https://www.ftc.gov/sites/default/files/documents/cases/2011/03/110330googlebuzzagreeorder.pdf [https://perma.cc/7R6W-5VNP] (ordering Google to require “service providers by contract to implement and maintain appropriate privacy protections”).
  4. See, e.g., Kenneth A. Bamberger, Regulation as Delegation: Private Firms, Decisionmaking, and Accountability in the Administrative State, 56 Duke L.J. 377, 453 (2006) (conceiving of regulators’ decisions to let regulated entities fill in vague mandates as delegation); Cary Coglianese & David Lazer, Management-Based Regulation: Prescribing Private Management to Achieve Public Goals, 37 Law & Soc’y Rev. 691, 691, 726 (2003) (describing the “intertwining of the public and private sectors”); Jody Freeman, The Private Role in Public Governance, 75 N.Y.U. L. Rev. 543, 549–56 (2000) (surveying the great diversity of private governance actors); Gillian E. Metzger, Privatization as Delegation, 103 Colum. L. Rev. 1367, 1369 (2003) (conceiving of privatization of health care, welfare provision, prisons, and public education as delegation); Martha Minow, Public and Private Partnerships: Accounting for the New Religion, 116 Harv. L. Rev. 1229, 1237–42 (2003) (exploring implications of privatization for public values).
  5. See Bamberger, supra note 4, at 452–58; Freeman, supra note 4, at 635, 644. As another example, in policing stock exchanges, the Securities and Exchange Commission (SEC) relies heavily on self-regulatory organizations to monitor wrongdoing and propose rules. Jennifer M. Pacella, If the Shoe of the SEC Doesn’t Fit: Self-Regulatory Organizations and Absolute Immunity, 58 Wayne L. Rev. 201, 202 (2012). Courts also order third-party monitors. See Veronica Root, The Monitor-“Client” Relationship, 100 Va. L. Rev. 523, 531–33 (2014).
  6. See John C. Coffee, Jr., Gatekeepers: The Professions and Corporate Governance 2–3 (2006) (chronicling the evolution of auditors, attorneys, securities analysts, and credit-rating agencies in guarding against corporate governance failures); Assaf Hamdani, Gatekeeper Liability, 77 S. Cal. L. Rev. 53, 117–18 (2003) (discussing the need to expand gatekeeper liability in the wake of the Enron fraud scandal); Reinier H. Kraakman, Gatekeepers: The Anatomy of a Third-Party Enforcement Strategy, 2 J.L. Econ. & Org. 53, 54 (1986) (contrasting whistleblowers with gatekeepers, who are third parties that can “prevent misconduct by withholding support”).
  7. 15 U.S.C. § 78m(a) (2018) (“Every issuer of a security . . . shall file with the Commission . . . such annual reports (and such copies thereof), certified if required by the rules and regulations of the Commission by independent public accountants . . . .”).
  8. Kraakman, supra note 6, at 53 n.1 (attributing to Jeremy Bentham the “cop-on-the-beat” metaphor and using it to describe gatekeepers).
  9. The literature has also extensively analyzed self-regulation as part of a broader new governance that arose in recent decades. Administrative agencies now pursue collaborative and responsive models of public governance designed to encourage the business sector to self-regulate. See, e.g., Ian Ayres & John Braithwaite, Responsive Regulation: Transcending the Deregulation Debate 3 (1992); Jody Freeman, Collaborative Governance in the Administrative State, 45 UCLA L. Rev. 1, 6–7 (1997). Additionally, large businesses have dramatically grown their compliance departments to police the firm from within. See, e.g., Sean J. Griffith, Corporate Governance in an Era of Compliance, 57 Wm. & Mary L. Rev. 2075, 2077 (2016); Kimberly D. Krawiec, Organizational Misconduct: Beyond the Principal-Agent Model, 32 Fla. St. U. L. Rev. 571, 572 (2005); Veronica Root, Coordinating Compliance Incentives, 102 Cornell L. Rev. 1003, 1004 (2017). This important and nascent literature on corporate compliance has remained focused on the firm’s role in overseeing internal operations, or on traditional gatekeepers doing so.
  10. Fortune 500 List, Fortune (last visited Oct. 18, 2019), http://fortune.com/fortune500/list/filtered?sortBy=mktval (identifying the ten most valuable American companies as Apple, Alphabet, Microsoft, Amazon, Berkshire Hathaway, Facebook, JPMorgan Chase, Johnson & Johnson, Exxon Mobil, and Bank of America). One of these companies, Berkshire Hathaway, is a conglomerate operating in diverse industries, including finance, while Johnson & Johnson sells pharmaceuticals in addition to consumer goods. Berkshire Hathaway, Fortune (updated Mar. 29, 2018), https://fortune.com/fortune500/2018/berkshire-hathaway/; Johnson & Johnson, Fortune (updated Mar. 29, 2018), https://fortune.com/fortune500/2018/johnson-johnson/.
  11. See infra Part II.
  12. Consent Decree Among Defendant BP Exploration & Production Inc., the United States of America, and the States of Alabama, Florida, Louisiana, Mississippi, and Texas at 32–33, In re Oil Spill by the Oil Rig “Deepwater Horizon” in the Gulf of Mex., on Apr. 20, 2010, No. 10-MDL-2179 (E.D. La. Oct. 5, 2015), ECF No. 15436-1 [hereinafter BP Consent Decree].
  13. 21 C.F.R. § 211.22(a) (2018) (explaining best practices for quality control of contractors); FDA Warning Letter from Cheryl A. Bigham, Dist. Dir., Kan. City Dist., Office of Regulatory Affairs, to Thomas Handel, President & Gen. Manager, Meridian Med. Techs., Inc., a Pfizer Co. (Sept. 5, 2017), https://www.fda.gov/iceci/enforcementactions/warningletters/2017/ucm574981.htm [https://perma.cc/JMX9-V7VL].
  14. Am. Express Centurion Bank, CFPB No. 2012-CFPB-0002 (Oct. 1, 2012) (joint consent order).
  15. Facebook, Inc., FTC File No. 0923184, No. C-4365, at 3–4 (F.T.C. July 27, 2012) (decision and order).
  16. See id. at 6.
  17. The consent order does not prevent such a response. See id.
  18. See Joel S. Demski, Corporate Conflicts of Interest, 17 J. Econ. Persp. 51, 57 (2003).
  19. See infra Section IV.A.
  20. A diversified firm may play both a new and traditional gatekeeper role. For instance, by allowing a company to serve as both a commercial bank and investment bank, the law enables large financial institutions to operate as both traditional gatekeepers—overseeing their clients by underwriting securities, prompted by liability avoidance under the Securities Act of 1933—and as new gatekeepers, being the clients who hire third-party businesses. See infra Section II.A; Kraakman, supra note 6, at 82–83.
  21. See supra note 4 and accompanying text.
  22. To the extent scholars have discussed mandated third-party governance it has been in passing or in narrower contexts such as in criminal or international law. See, e.g., Larry Catá Backer, Surveillance and Control: Privatizing and Nationalizing Corporate Monitoring After Sarbanes-Oxley, 2004 Mich. St. L. Rev. 327, 433–34 (2004) (referencing how the Bank Secrecy Act causes a larger number of businesses to become “part of the network of the state’s eyes and ears”); John Braithwaite, Responsive Regulation and Developing Economies, 34 World Dev. 884, 889–90 (2006) (exploring how domestic firms can serve as a means of reaching foreign actors); Stavros Gadinis & Colby Mangels, Collaborative Gatekeepers, 73 Wash. & Lee L. Rev. 797, 910–11 (2016) (focusing on money laundering); Itai Grinberg, The Battle over Taxing Offshore Accounts, 60 UCLA L. Rev. 304, 304 (2012) (referencing a “growing consensus that financial institutions should act as cross-border tax intermediaries”). For other ways that scholars have recognized that businesses regulate other firms, see infra Part I.
  23. See, e.g., Rachel E. Barkow, Overseeing Agency Enforcement, 84 Geo. Wash. L. Rev. 1129, 1130 (2016) (“Most aspects of agency enforcement policy generally escape judicial review.”); Freeman, supra note 4, at 647 (“Most self-regulatory programs lack the transparency and public involvement that characterize legislative rulemaking.”); Lesley K. McAllister, Regulation by Third-Party Verification, 53 B.C. L. Rev. 1, 3–4 (2012) (identifying accountability challenges with third-party enforcement models).
  24. See, e.g., Coffee, supra note 6, at 15–18 (describing gatekeeper shortcomings).
  25. See infra Section IV.B.
  26. Ajay K. Mehrotra, Making the Modern American Fiscal State: Law, Politics, and the Rise of Progressive Taxation, 1877–1929, at 282–83 (2013).
  27. Freeman, supra note 4, at 675. Numerous scholars have taken up this call in other contexts. See, e.g., Sarah E. Light, The Law of the Corporation as Environmental Law, 71 Stan. L. Rev. 137, 139–41 (2019) (calling for a holistic view of corporations’ role in promoting environmental goals).
  28. See generally Nicolai J. Foss et al., The Theory of the Firm, in 3 Encyclopedia of Law and Economics 631 (Boudewijn Bouckaert & Gerrit De Geest eds., 2000); infra Part III.
  29. See, e.g., Melvin A. Eisenberg, The Conception That the Corporation Is a Nexus of Contracts, and the Dual Nature of the Firm, 24 J. Corp. L. 819, 820 (1999); Michael C. Jensen & William H. Meckling, Theory of the Firm: Managerial Behavior, Agency Costs and Ownership Structure, 3 J. Fin. Econ. 305, 310 (1976); Steven L. Schwarcz, Misalignment: Corporate Risk-Taking and Public Duty, 92 Notre Dame L. Rev. 1, 26 (2016).
  30. See infra Section III.A.
  31. See Elizabeth Warren, Companies Shouldn’t Be Accountable Only to Shareholders, Wall St. J., Aug. 15, 2018, at A17; Larry Fink, Larry Fink’s 2018 Letter to CEOs: A Sense of Purpose, BlackRock, https://www.blackrock.com/corporate/investor-relations/2018-larry-fink-ceo-letter [https://perma.cc/P9X6-HN85] (last visited Jan. 13, 2020); Martin Lipton et al., It’s Time to Adopt the New Paradigm, Harv. L. Sch. F. Corp. Governance, https://corpgov.law.harvard.edu/2019/02/11/its-time-to-adopt-the-new-paradigm [https://perma.cc/3XH9-SSRS] (last visited Jan. 13, 2020); Business Roundtable Redefines the Purpose of a Corporation to Promote ‘An Economy That Serves All Americans,’ Business Roundtable (Aug. 19, 2019), [https://perma.cc/9K2F-2HLG]. On shareholder primacy, see infra note 189 and accompanying text.
  32. See infra Section III.D.
  33. There is arguably a gap between rhetoric and reality. See Marcel Kahan & Edward Rock, Symbolic Corporate Governance Politics, 94 B.U. L. Rev. 1997, 2042 (2014).