Y Compliance

As stated in the Articles of Faith of The Church of Jesus Christ of Latter-day Saints, members of the BYU community "believe in . . . obeying, honoring, and sustaining the law." Higher education is one of the most highly regulated sectors of the economy, and American universities are subject to a myriad of constantly changing laws and unique risks. Failure to comply with relevant laws and standards can result in institutional embarrassment, fines, litigation, loss of federal funding, suspension of research activities, loss of donor support, loss of employment, imprisonment, and more. In the current regulatory and social climate, addressing these risks has become a top priority.

The ultimate goal of a compliance program is to maintain compliance with law and university policy and to prevent legal violations or compliance failures, thus avoiding injury to students, employees, and patrons and protecting the university from financial or reputational damage. A compliance program also demonstrates to law enforcement and regulators that the university is committed to following the law and that any compliance failure is the exception at an otherwise compliant institution. Compliance is about more than getting people to follow rules; it is about creating a culture of ethical conduct where a community upholds and advances the core values underlying laws and policies such as privacy, freedom, safety, and respect.

Below are some compelling reasons for implementing a formal compliance program.

1. Benefits to the University

While most universities have many compliance activities underway across their campuses, a formal compliance program with structure, documentation, and allocated resources provides several important benefits to university executives, including the following:

  • Confidence that significant compliance requirements are being met, thus providing protection to the university community as well as to the institution itself
  • Assurance that the effectiveness of the university's compliance with federal and state laws and contractual obligations will continue to improve rather then retrograde
  • Protection of the university's reputation and resources
  • Evidence to point to when asked what university leaders are or were doing to address significant compliance exposures on their campus
  • Deterrence and detection of misconduct through self-policing
  • Opportunities to discover and address emerging risks and compliance issues earlier in their life cycle thus limiting or reducing the potential damage a compliance failure might cause
  • An opportunity to voluntarily control the development and implementation of an effective compliance and ethics program rather than have the courts force a program upon an institution found to be neglecting its compliance responsibilities

2. Complex and Numerous Applicable Laws

Colleges and universities are complex communities that engage in a wide range of regulated activities. BYU and other large educational institutions regularly deal with housing matters, facilities management, research labs (including the use and disposal of biohazards), entertainment venues, campus security, international students and immigration requirements, and more. They face most of the laws applicable to other corporations and employers while also being subject to regulations unique to their educational operations. For example, universities must address governmental requirements applicable to federal research activities and federal grant recipients; they are also subject to many disclosure and reporting requirements imposed by the Higher Education Act.

Since the individual rights movement of 1960s, universities have been barraged with federal and state laws governing every aspect of their operations. With the added fuel of significant corporate ethics failures appearing almost every decadeand an increasing maturity of thought, research, and regulation on risk management practicesuniversities are expected to implement the best practices that their publicly traded cousins must follow. BYU is subject to hundreds of laws and, like other corporations, can be found liable for violations. A compliance program gives a centralized and organized approach to meeting the many legal obligations of an educational institution.

3. Institutional Liability

Like people, institutions such as universities can be sued and found civilly or criminally liable for the actions of their employees, even though they have policies that prohibit illegal activities. Judges may, however, consider factors such as an institution's involvement in or tolerance of the wrongdoing, its prior history of violations, and the extent to which the institution disclosed the wrongdoing and cooperated with an investigation. Importantly, the existence of an effective compliance and ethics programand any efforts to improve a compliance programare relevant factors when prosecutors conduct investigations and negotiate plea agreements.

The U.S. Department of Justice has established criteria to be used by federal prosecutors to determine if prosecution will even be pursued. As set forth in multiple documents including the 2008 "Filip Memo," named after Deputy Attorney General Mark Filip, one significant criterion used by the Department of Justice is the existence and adequacy of an institutional compliance program.

4. Federal Sentencing Guidelines

In 1987, the United States Sentencing Commission established the federal sentencing guidelines, which aim to ensure that federal courts impose fair, effective, and consistent punishments on those convicted of federal crimes. The federal sentencing guidelines were expanded in 1991 to address situations when the convicted person is an organizational defendant and again in 2004 to address compliance programs.

Chapter eight of the federal sentencing guidelines sets forth seven minimum elements for an effective compliance and ethics program. In short, these elements require the following:

  1. Establishing standards and procedures to prevent and detect misconduct
  2. Keeping the organization's governing authority informed about and exercising its oversight of the compliance and ethics program, assigning overall responsibility for the program to specific high-level personnel and delegating day-to-day operational responsibility to specific individuals, who report to the governing authority
  3. Excluding bad actors from the organization's substantial authority personnel
  4. Communicating standards and procedures and conducting effective training programs
  5. Monitoring, auditing, and evaluating compliance and having and publicizing a system for employees to anonymously or confidentially report misconduct without fear of retaliation
  6. Promoting and enforcing the compliance and ethics program through appropriate incentives and disciplinary measures
  7. Taking reasonable steps to respond to and prevent misconduct

Notably, an organization that has established an effective compliance and ethics program as described may qualify for a lower culpability score and a lesser punishment if criminal conduct occurs. In other words, having a formal compliance program can be a mitigating factor if the university is found to have engaged in criminal conduct.

5. Personal Liability

Directors and officers of a universityincluding the president and members of a university's governing boardmay be held personally liable for the corporation's legal violations, in addition to their own. This reality has played out in numerous campus scandals and court cases throughout the years in which high-level leaders were criminally convicted and punished.

In the landmark Caremark International decision, a Delaware court warned of personal liability risks when an organization fails to comply with applicable legal standards. Specifically, the court clarified that the corporate board duty to be informed requires

assuring themselves that information and reporting systems exist in the organization that are reasonably designed to provide to senior management and to the board itself timely, accurate information sufficient to allow management and the board, each within its scope, to reach informed judgments concerning . . . the [organization's] compliance with law[.]

In re Caremark Int'l Inc. Derivative Litig., 698 A.2d 959, 970 (Del. Ch. 1996).

In 2015, the Department of Justice published a memorandum known as the "Yates Memo," named after Deputy Attorney General Sally Yates, which indicates a commitment to holding individuals accountable in cases of corporate wrongdoing (both in civil and criminal cases). Thus, an effective compliance program can keep management informed and assist leaders in exercising necessary compliance oversight, thereby helping to insulate individuals from personal liability.

6. Program Participation Agreement

Eligibility to participate in federal student aid programs is contingent on a university entering into a written program participation agreement with the U.S. Department of Education. Every six years, the university president must sign the agreement, which certifies the university's compliance with specific conditions and also documents the university's agreement to comply with specific statutes and regulations, including Title VI, Title IX, FERPA, and Section 504. A compliance program helps assure BYU's president that the university is meeting the terms of its program participation agreement and qualifies the university to continue receiving federal aid for its students.

7. Other Conditions of Federal Funding

A higher education institution that enters into federal contracts, receives federal grants, or conducts federally funded research becomes subject to the terms of those federal agreements and also must comply with relevant regulations governing such relationships. For example, the Office of Federal Contract Compliance Programs has published and enforces regulations requiring federal contractors to take affirmative action and not discriminate on the basis of specific characteristics. Additionally, some federal agencies include provisions in their contracts requiring adherence to particular standards, such as the NIST cybersecurity framework, or particular systems, such as the national incident management system. Compliance with individual contracts and grants can be significantly aided by a compliance program.