Corporate Compliance Lessons Lurk Within Operation Varsity Blues (Bloomberg Law)
Operation Varsity Blues, the investigation into the college admissions conspiracy, provides important compliance lessons for major corporations, according to Andrew E. Lelling, a Jones Day partner and the former U.S. Attorney who led the inquiry, and associate Shelbie Rose. They provide critical advice that compliance departments need to heed.
Operation Varsity Blues—the sweeping federal prosecution targeting corruption in college admissions—has riveted the country for more than two years. In a plot that has been scrutinized in the press, books, and a Netflix documentary, a college counselor named Rick Singer made millions by offering the children of wealthy parents guaranteed admission to elite universities in exchange for payments averaging $250,000 per student.
The first Varsity Blues trial in Boston federal court recently ended with convictions of both parent-defendants on all counts.
Public attention has obsessively focused on the parents—the "catalogue of wealth and privilege" I referenced when I announced the case in March 2019. But, from the compliance perspective, that focus has obscured the significance of this scheme for those it victimized: elite universities that routinely try to identify and mitigate compliance risks, often with the help of sophisticated outside counsel.
Yet every school Singer targeted—from the Ivy League on down—was successfully victimized in precisely the same way, because their internal systems worked in roughly the same way: Singer (1) found coaches in under-financed sports and bribed them to recruit high school applicants with fake athletic credentials, after which (2) the coaches deceived their own admissions committees, which accepted those candidates, relying on the judgment of the coach.
It was simple, it worked across schools and regions, and it remained undetected. How is that possible?
The answers provide timely compliance lessons for any major organization.
Lesson #1: Insularity Within Industries
Companies tend to build and assess their compliance programs by referencing other programs in the same sector. This is not unreasonable; organizations within an industry occupy the same commercial and regulatory space and draw from one another, and the same official sources, in addressing shared compliance concerns.
This commonality can mask compliance vulnerabilities, particularly if professionals within a single industry seek, and themselves amplify, advice only from within that industry. Thus, Singer was able to perpetrate the identical fraud across schools.
Obviously, substantially different industries have different compliance concerns—aerospace manufacturers operate differently than, say, accounting firms. But insularity is a sustained and unrecognized risk in many sectors, and mitigating it is simple and with relatively low cost. Compare benchmark compliance protocols against programs inside and outside the same industry, and seek fresh perspective, whether by attending compliance seminars in different industries or conferring with compliance personnel in a different but relatable business.
Lesson #2: Focusing on Opportunity Instead of Motivation
Corporate compliance programs invariably include controls for detecting and deterring employee wrongdoing, e.g., controlled access to corporate finances or audits for handling sensitive information. And every compliance professional has been told the importance of building a "culture of compliance" with the right "tone from the top."
But many compliance programs may not fully consider whether the organization's structure itself motivates employee misconduct in a way that overcomes inducements to ethical behavior. This factor is receiving increasing attention in academic studies.
Singer knew that college coaches in second-tier sports (e.g., water polo, sailing) were usually paid less, and received less program funding, than their counterparts in high-profile sports such as football or basketball. This disparity created a financial incentive to take Singer's money—whether out of greed or to better support their own programs.
The lesson here is not to level pay disparities among corporate functions, but rather to remain aware that corporate structure is relevant to predicting employee misconduct. Categorical differences in compensation or prestige across an organization provide a built-in "heat map" of potential problem areas.
One remedy is directing additional training to those areas and creating management initiatives to boost morale and cohesion.
Lesson #3: Care and Feeding of Non-Core Functions
Core business functions obviously get more attention than non-core functions. In the university context, major institutions inevitably pay less attention to smaller club sports than to high-profile, revenue-generating sports such as football or basketball. Less well-known sports also lack dedicated outside observers; in football, for example, outside agencies follow the best high school players, creating an independent check on claims regarding a given recruit's athletic abilities.
The less attention a business function receives, the greater the compliance risks. This pitfall is common across industries. For example, lack of attention to overseas operations is a key feature in many Foreign Corrupt Practices Act cases—compliance personnel may spend less time in foreign offices, foreign employees may feel disconnected from the larger company, and corporate culture competes with local influences.
This seems unremarkable until problems arise, draining resources and threatening the company with legal, financial, and reputational harm. Avoiding this trap requires, at the outset, an appreciation for the outsized risks underlying certain non-core functions and funding sufficient to mitigate that risk. Moreover, compliance departments should routinize attending to non-core functions, including personal interaction with employees involved in those functions.
Lesson #4: The (Former) Insider Threat
Singer knew how to craft his scheme because he used to be a college basketball coach. He understood how coaches identified athletic recruits; what credentials mattered; how coaches interacted with admissions committees; and how admissions decisions were made.
In short, Singer was akin to an insider threat. Most industries, especially those working with intellectual property, health data, or classified information understand the risks posed by disaffected insiders. Many, however, are less focused on risks posed by former insiders.
The employee who just left knows how his former employer does business. The release of that employee can be like a software vulnerability: Once it's public, a patch is needed. Companies should review their employee off-boarding procedures, including the obvious (exit interviews and non-disclosure agreements) and the less obvious (for example, using corporate security personnel to monitor social media activity).
Operation Varsity Blues certainly carried harsh lessons for the anxious parents of high school students and for a number of major academic institutions, but it should also resonate with those who protect the health and resiliency of other complex organizations.
Reproduced with permission. Published November 5, 2021. Copyright 2021 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com
