The cooperation of public and private actors to achieve public goals is not new. More than 80 years ago, Louis Jaffe lauded the longstanding and substantial involvement of private groups in the regulatory sphere. The scope, range, and legal significance of coordination between the public and private spheres have expanded since then. Modern governance is a complicated web of relationships between public and private actors, command and cooperative structures, and hard law versus soft guidance. A robust academic literature assigns different labels to this phenomenon: privatization, public/private partnerships, and new governance, to name just a few.
By necessity, these arrangements entail the exercise of policymaking discretion by private actors, to varying degrees depending upon the scenario. The result is a diffusion of governmental power that neither Congress nor the courts are likely to roll back substantially. With The New Gatekeepers: Private Firms As Public Enforcers, Rory Van Loo identifies and explores yet another way in which government relies on private actors—by looking to large corporations to serve as “enforcer firms” or “gatekeepers” ensuring compliance with federal law.
Van Loo begins his analysis with a survey of “prior narratives of third-party private regulation.” Private firms independently monitor other firms for compliance with the law in order to protect their own interests: e.g., banks monitoring their borrowers for illegal activity that might impair the value of collateral, or insurance companies monitoring their insureds for legal noncompliance that might trigger insurance payouts. Self-regulatory organizations like the New York Stock Exchange police the actions of their members to protect the reputation of their industries. Legislatures pass laws imposing vicarious liability and information disclosure requirements, authorizing citizen suits, and protecting or even rewarding whistleblowers to encourage private enforcement of the law. Legislators and agencies also mandate private enforcement when they require certification from accredited, third-party inspectors before a business can operate.
Van Loo argues that the scholarly literature lacks “an examination of mandates that explicitly direct regulated entities to serve as enforcers.” To fill that void, he offers case studies based on “[t]he ten largest companies operat[ing] in four main industries: information technology, banking, pharmaceuticals, and oil,” asserting that these case studies “demonstrate how administrative agencies, after receiving authority from Congress, have delegated” enforcement authority to these private actors.
For the technology sector, Van Loo points to FTC third-party oversight orders against Amazon, Facebook, Google, and Lenovo, for example requiring Facebook to audit the security and privacy practices of app developers for the purpose of protecting consumer data privacy. For the banking sector, Van Loo documents CFPB lawsuits, and subsequent settlement agreements, holding banks like JP Morgan Chase and Wells Fargo responsible for the deceptive acts or practices of third-party call centers, debt collectors, software developers, and real estate lawyers with which the banks do business, thereby forcing the banks to police the behavior of those third parties. For the pharmaceutical industry, Van Loo identifies an expansive regime of FDA regulations, guidance statements, and warning letters explicitly requiring drug companies to maintain quality control units “responsible for approving or rejecting drug products manufactured, processed, packed, or held under contract by another company,” thus requiring the drug companies to monitor not only the “output” but also the “inputs”—i.e., materials and ingredients—of those third-party contractors.
In summary, according to Van Loo, “[f]ederal regulators have established an expectation that today’s largest companies regulate independent contractual parties for legal violations” and, thus, “serve as a new breed of gatekeepers because the regulated entities must now decide whether to give the third parties market access based on regulatory considerations.”
Van Loo next turns his attention to the ways in which large corporations perform this new regulatory role. In particular, he describes a system of private regulation through contract drafting. At the suggestion (or instruction) of federal agencies, enforcer firms incorporate into written agreements with third-party contractors their own expectations regarding compliance with regulatory requirements, as well as penalties for noncompliance. Federal regulators in turn monitor the efforts of the enforcer firms to monitor third-party compliance with those contractual requirements and the law more generally. In this way, the federal government deputizes and delegates enforcement authority to a small number of large, private corporations.
Turning to concerns about this new regulatory tool, Van Loo argues that conscripting private corporations to serve as enforcer firms represents “greater federal intervention into corporate governance and operations [that allows] a large number of federal agencies to shape the firm’s relationships, contracts, board activities, and liability.” He notes further that, in some instances, government efforts to force private corporations into the enforcer firm role have extended to imposing potential legal liability upon individual corporate officers and directors for the actions of third-party contractors as well.
Irrespective of whether one favors or disfavors more government involvement in corporate activity, Van Loo posits unintended consequences and economic tradeoffs. Mandated third-party governance by large corporations will alter corporate structures by incentivizing those firms to stop outsourcing functions to third parties and instead to bring more activities back in-house or to purchase third-party service providers outright. The compliance departments of large corporate firms have grown dramatically in recent decades, expanding the regulatory state bureaucracy and resources dedicated to regulatory compliance substantially; Goldman Sachs employs twice as many compliance personnel as the CFPB, and Facebook’s compliance reviewers far outnumber the total employees of the FTC, Facebook’s main regulator. Yet, we have little evidence to evaluate whether or under what circumstances enforcement firms are an effective and efficient regulatory compliance tool.
Van Loo raises practical concerns about overlapping jurisdiction, strategic shirking, cosmetic box checking, and other efficacy issues. Moreover, accountability is a problem. Government agencies may monitor the regulatory enforcement activities of large corporations, but courts have few mechanisms and seemingly little role to play in holding enforcer firms accountable for their actions in this regard.
Van Loo’s article comes at a potentially pivotal time in administrative law jurisprudence and scholarship. We are in the midst of the latest round of debate over whether the regulatory state has become too powerful and needs to be curtailed by the courts. In Lucia v. SEC and Seila Law LLC v. CFPB, the Supreme Court has taken up issues concerning the constitutionality of how agencies are structured. The last year has seen opinions in Gundy v. United States and United States v. Paul representing a majority of the Justices signaling concerns about congressional delegations of legislative power to agencies and the desire to adopt a more robust nondelegation doctrine to curtail such actions. Yet, at this moment of national discussion and debate, and notwithstanding a robust and longstanding academic literature on the topic, the extensive delegation of regulatory power from agencies to nongovernmental actors has received much less attention. Perhaps Van Loo’s article will spark further discussion.