Compliance Departments Are Elastic—Boards are Not

by Asaf Eckstein, Roy Shapira, and Ariel Shillo

Left to proper: Asaf Eckstein, Roy Shapira, and Ariel Shillo (photographs courtesy of the authors)

Over the previous twenty years, legislatures and enforcers have more and more required company boards to supervise compliance throughout a variety of points. The reasoning was easy: board involvement mandates elevate a sure concern to the best governance tier, thereby growing the possibilities of getting corporations to really purchase in (shaping the “tone on the high”). But when seen within the combination, these necessities create an issue by overloading the board. Boards in 2026 merely shouldn’t have the structural capability wanted to delve deep into all of the objects that “should” be on their agenda. Consequently, boards should prioritize (typically with out steering) and sure points fall by the cracks.

In a brand new paper (forthcoming in Washington College Legislation Assessment), we discover the causes and penalties of such “Board Overload” for company compliance and regulatory methods.

One primary perception underlying our evaluation is the distinction between the “elasticity” of compliance departments and that of company boards. Readers of this weblog are aware of the exponential growth of compliance departments over the previous couple of many years. But readers could also be shocked to be taught that over the identical time span, the capability of boards has remained remarkably steady: boards in 2026 have the identical variety of members (round ten) and frequency of conferences (round eight a 12 months), identical to their predecessors in 2006 did.

That straightforward statement carries vital classes for each regulators and practitioners. Regulators ought to rethink their newfound emphasis on demanding board involvement. They need to deal with telling corporations how one can behave, as an alternative of prescribing who inside the corporate ought to do what. For some corporations, cybersecurity is a matter that’s higher handled on the board degree; for others, it could be extra successfully dealt with by the CISO (liberating the board to dedicate extra consideration to, say, provide chain resiliency).

But right here the issue is one in every of inter-regulatory coordination. No single regulator manages the combination regulatory calls for on board agenda area. Regulators in a particular area shouldn’t have the power or incentive to prioritize throughout totally different fields. Consequently, every regulatory requirement for board involvement added to the agenda will are inclined to diminish the board’s consideration to the opposite, current regulatory necessities on its agenda.

Monetary markets regulators need boards to actively oversee the accuracy of monetary reporting. Anti-money-laundering regulators require financial institution administrators to undertake and oversee their financial institution’s AML insurance policies. Knowledge privateness regulators insist on board involvement in cybersecurity. Well being regulators demand that hospital boards formally approve credentialing standards as a situation for taking part in Medicare. And worldwide regulators more and more require that boards oversee and disclose their firm’s climate-related dangers and methods.

Additional, and pertinently for readers of this weblog, even when the regulation in query doesn’t comprise an specific board-involvement mandate, enforcement actions typically convey to boards that regulators count on them to be actively concerned. When the Division of Justice entered a plea take care of Boeing over the 737 MAX debacle, the regulator insisted that Boeing’s board meet with victims’ households. And the Workplace of the Comptroller of the Foreign money demanded that TD Financial institution’s board submit a certification that the financial institution corrected its AML deficiencies earlier than the financial institution be allowed to distribute dividends.

Extra not too long ago, regulators have even requested boards of enormous corporations to actively oversee compliance by their provide chain companions. As an example, when American Specific’s third-party service suppliers charged shoppers extreme late charges, the Client Monetary Safety Bureau (CFPB) explicitly faulted American Specific’s board for not partaking in oversight of those third-party suppliers. As a part of the settlement, American Specific dedicated to placing third-party oversight extra firmly on its board agenda: the compliance division should report back to the board on a quarterly foundation relating to the compliance of third-party suppliers, and the board is the one answerable for making certain that corrective actions are taken. Equally, in its settlement with Citibank over telemarketing facilities’ shenanigans, the CFPB required that Citi’s board kind a committee devoted to compliance, and stipulated that the committee should meet month-to-month and report back to the regulator quarterly on how the financial institution oversees third-party telemarketing facilities. To shift to an environmental regulation instance, when BP settled the Deepwater Horizon case, the regulator insisted that, as a part of the settlement, the BP board itself oversee the enhancements of drilling security at BP’s contractors.

To reiterate: when seemed in isolation, every one in every of these necessities could make good sense. And the ex-post enforcement mandates sometimes make much more sense than the legislative ones: the previous are company-specific whereas the latter are one-size-fits-all. The issue is one in every of accumulation and (lack of) coordination between the varied regulatory efforts that focus on boards.

A more practical approach to maintain boards accountable for a way they set their agendas and oversee compliance could also be by ex publish scrutiny by the courts, in oversight obligation litigation in company legislation. Judges in Delaware’s Court docket of Chancery have experience and expertise in adjudicating boardroom disputes frequently. They’ll consider the board’s prioritization in opposition to the backdrop of a particular firm’s context and tradeoffs. In different phrases, company legislation courts are higher suited to behave as meta-regulators of boards’ prioritization choices.

The total paper elaborates on the steps that practitioners can (and already began to) take to alleviate board overload issues. However as a result of a lot of the issue is a results of exterior mandates, some intervention by policymakers could also be wanted. In 2026, the primary hurdle for board effectiveness isn’t essentially that administrators aren’t impartial or professional sufficient, however quite that boards shouldn’t have sufficient structural capability to take care of their ever-expanding tasks. 

The total article is on the market for obtain right here.

Asaf Eckstein is Professor of Legislation at Hebrew College; Roy Shapira is Professor of Legislation at Reichman College, Visiting Mehrotra Professor at BU Questrom Faculty of Enterprise, Visiting Senior Fellow at Harvard’s Program on Company Governance, and an ECGI Analysis Member; Ariel Shillo is a legislation pupil at Hebrew College.

The views, opinions and positions expressed inside all posts are these of the writer(s) alone and don’t signify these of the Program on Company Compliance and Enforcement (PCCE) or of the New York College Faculty of Legislation. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this web site and won’t be liable any errors, omissions or representations. The copyright of this content material belongs to the writer(s) and any legal responsibility close to infringement of mental property rights stays with the writer(s).

by Asaf Eckstein, Roy Shapira, and Ariel Shillo

Left to proper: Asaf Eckstein, Roy Shapira, and Ariel Shillo (photographs courtesy of the authors)

Over the previous twenty years, legislatures and enforcers have more and more required company boards to supervise compliance throughout a variety of points. The reasoning was easy: board involvement mandates elevate a sure concern to the best governance tier, thereby growing the possibilities of getting corporations to really purchase in (shaping the “tone on the high”). But when seen within the combination, these necessities create an issue by overloading the board. Boards in 2026 merely shouldn’t have the structural capability wanted to delve deep into all of the objects that “should” be on their agenda. Consequently, boards should prioritize (typically with out steering) and sure points fall by the cracks.

In a brand new paper (forthcoming in Washington College Legislation Assessment), we discover the causes and penalties of such “Board Overload” for company compliance and regulatory methods.

One primary perception underlying our evaluation is the distinction between the “elasticity” of compliance departments and that of company boards. Readers of this weblog are aware of the exponential growth of compliance departments over the previous couple of many years. But readers could also be shocked to be taught that over the identical time span, the capability of boards has remained remarkably steady: boards in 2026 have the identical variety of members (round ten) and frequency of conferences (round eight a 12 months), identical to their predecessors in 2006 did.

That straightforward statement carries vital classes for each regulators and practitioners. Regulators ought to rethink their newfound emphasis on demanding board involvement. They need to deal with telling corporations how one can behave, as an alternative of prescribing who inside the corporate ought to do what. For some corporations, cybersecurity is a matter that’s higher handled on the board degree; for others, it could be extra successfully dealt with by the CISO (liberating the board to dedicate extra consideration to, say, provide chain resiliency).

But right here the issue is one in every of inter-regulatory coordination. No single regulator manages the combination regulatory calls for on board agenda area. Regulators in a particular area shouldn’t have the power or incentive to prioritize throughout totally different fields. Consequently, every regulatory requirement for board involvement added to the agenda will are inclined to diminish the board’s consideration to the opposite, current regulatory necessities on its agenda.

Monetary markets regulators need boards to actively oversee the accuracy of monetary reporting. Anti-money-laundering regulators require financial institution administrators to undertake and oversee their financial institution’s AML insurance policies. Knowledge privateness regulators insist on board involvement in cybersecurity. Well being regulators demand that hospital boards formally approve credentialing standards as a situation for taking part in Medicare. And worldwide regulators more and more require that boards oversee and disclose their firm’s climate-related dangers and methods.

Additional, and pertinently for readers of this weblog, even when the regulation in query doesn’t comprise an specific board-involvement mandate, enforcement actions typically convey to boards that regulators count on them to be actively concerned. When the Division of Justice entered a plea take care of Boeing over the 737 MAX debacle, the regulator insisted that Boeing’s board meet with victims’ households. And the Workplace of the Comptroller of the Foreign money demanded that TD Financial institution’s board submit a certification that the financial institution corrected its AML deficiencies earlier than the financial institution be allowed to distribute dividends.

Extra not too long ago, regulators have even requested boards of enormous corporations to actively oversee compliance by their provide chain companions. As an example, when American Specific’s third-party service suppliers charged shoppers extreme late charges, the Client Monetary Safety Bureau (CFPB) explicitly faulted American Specific’s board for not partaking in oversight of those third-party suppliers. As a part of the settlement, American Specific dedicated to placing third-party oversight extra firmly on its board agenda: the compliance division should report back to the board on a quarterly foundation relating to the compliance of third-party suppliers, and the board is the one answerable for making certain that corrective actions are taken. Equally, in its settlement with Citibank over telemarketing facilities’ shenanigans, the CFPB required that Citi’s board kind a committee devoted to compliance, and stipulated that the committee should meet month-to-month and report back to the regulator quarterly on how the financial institution oversees third-party telemarketing facilities. To shift to an environmental regulation instance, when BP settled the Deepwater Horizon case, the regulator insisted that, as a part of the settlement, the BP board itself oversee the enhancements of drilling security at BP’s contractors.

To reiterate: when seemed in isolation, every one in every of these necessities could make good sense. And the ex-post enforcement mandates sometimes make much more sense than the legislative ones: the previous are company-specific whereas the latter are one-size-fits-all. The issue is one in every of accumulation and (lack of) coordination between the varied regulatory efforts that focus on boards.

A more practical approach to maintain boards accountable for a way they set their agendas and oversee compliance could also be by ex publish scrutiny by the courts, in oversight obligation litigation in company legislation. Judges in Delaware’s Court docket of Chancery have experience and expertise in adjudicating boardroom disputes frequently. They’ll consider the board’s prioritization in opposition to the backdrop of a particular firm’s context and tradeoffs. In different phrases, company legislation courts are higher suited to behave as meta-regulators of boards’ prioritization choices.

The total paper elaborates on the steps that practitioners can (and already began to) take to alleviate board overload issues. However as a result of a lot of the issue is a results of exterior mandates, some intervention by policymakers could also be wanted. In 2026, the primary hurdle for board effectiveness isn’t essentially that administrators aren’t impartial or professional sufficient, however quite that boards shouldn’t have sufficient structural capability to take care of their ever-expanding tasks. 

The total article is on the market for obtain right here.

Asaf Eckstein is Professor of Legislation at Hebrew College; Roy Shapira is Professor of Legislation at Reichman College, Visiting Mehrotra Professor at BU Questrom Faculty of Enterprise, Visiting Senior Fellow at Harvard’s Program on Company Governance, and an ECGI Analysis Member; Ariel Shillo is a legislation pupil at Hebrew College.

The views, opinions and positions expressed inside all posts are these of the writer(s) alone and don’t signify these of the Program on Company Compliance and Enforcement (PCCE) or of the New York College Faculty of Legislation. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this web site and won’t be liable any errors, omissions or representations. The copyright of this content material belongs to the writer(s) and any legal responsibility close to infringement of mental property rights stays with the writer(s).