The frequency of corporate misconduct: public enforcement versus private reality

Eugene Soltes (Department of Business Administration, Harvard Business School, Boston, Massachusetts, USA)

Journal of Financial Crime

ISSN: 1359-0790

Publication date: 7 October 2019



Perceptions about the frequency of misconduct – among the public, academics and even regulators – have largely been formed by examining enforcement statistics, which rely on the detection and sanctioning of the misconduct. This study aims to illuminate the real occurrence of corporate misconduct, much of which escapes public detection.


By examining confidential firm records describing misconduct within organizations, the author shows that public enforcement statistics significantly underestimate the amount of serious malfeasance that arises within firms.


Through analyzing records for several large multinational firms, the author finds that there are, on average, more than two instances of internally substantiated misconduct per week per firm.


Ultimately, this analysis illustrates the challenge of addressing corporate malfeasance within large organizations.



Soltes, E. (2019), "The frequency of corporate misconduct: public enforcement versus private reality", Journal of Financial Crime, Vol. 26 No. 4, pp. 923-937.

Download as .RIS



Emerald Publishing Limited

Copyright © 2019, Emerald Publishing Limited

1. Introduction

One question that researchers, regulators and the public perennially ask is whether the level of corporate misconduct is rising or falling over time. Responses to this question tend to be quite speculative, as the most basic fact – the base rate of actual corporate misconduct – is unknown. Without more information on the true frequency of offenses, researchers often rely on public enforcement statistics to ascertain the level of misconduct and the effectiveness of regulatory bodies. However, based on prior scholarship (Dyck et al., 2017) and investigative journalists’ work (Eisinger, 2017), there is strong suspicion that a considerable amount of misconduct goes undocumented in these public statistics. Assessing how much misconduct lies outside the enforcement records has been challenging because this malfeasance is not usually publicly observable.

In this paper, I begin to offer a more thorough depiction of the amount of corporate misconduct by examining the frequency of offenses within firms based on companies’ own internal investigative data. Publicly traded firms are required to have an anonymous reporting channel or “hotline” for accounting and financial matters. In practice, firms use these hotlines to receive information about a variety of issues that potentially constitute legal and regulatory violations (Soltes, 2018a). Supplementing these hotlines, firms often have additional monitoring and analytic systems to detect deviations from company policy (Soltes, 2018b). When members of a firm’s legal or compliance team receive an allegation, the claim is examined, and if substantiated, the firm responds (e.g. by disciplining the employee, creating new policies). By examining these internal company records, it is possible to gather a significantly more representative depiction of the type and frequency of misconduct that occurs within companies.

I show that misconduct is considerably more common – by several orders of magnitude – than indicated in any publicly accessible data on corporate offending. Table I shows the likelihood that a publicly traded firm would face sanctions on several popular databases often used by researchers. The likelihood that a firm would be criminally sanctioned by the Department of Justice (DOJ) or face a civil enforcement action for accounting matters by the Securities and Exchange Commission (SEC) is 0.5 per cent and 1.1 per cent, in a given year. Such sanctions are severe and expectedly rather infrequent because of both resource constraints within regulatory and enforcement agencies and the legal hurdles for making such cases. A more expansive way of examining potential misconduct from public records is to analyze lawsuits brought against firms for securities violations. Notably, while bringing such suits is not constrained by resources such as the SEC or DOJ, some of these suits represent frivolous matters. Lawsuit records indicate that a publicly traded firm has a nearly 5 per cent likelihood of facing an allegation of misconduct in a particular year. A still more expansive way of assessing the frequency of corporate misconduct through public data is by analyzing all regulatory violations that can arise from sanctions by any federal agency. Through this broad analysis, 23 per cent of firms face such violations in a given year. Put together, this public enforcement data suggest that corporate misconduct is an uncommon phenomenon, with many – in fact, the vast majority – of these firms rarely facing sanctions for malfeasance in any given year.

A considerably different picture of corporate misconduct emerges by examining the frequency of misconduct within organizations. Using data from three Fortune 500 companies – none of which faced recent criminal or serious civil sanctions – I show that misconduct is a ubiquitous phenomenon. These three firms have a substantiated violation every three days per firm on average. As an indication that the rates of offending from these sample firms are representative of publicly traded firms more broadly, I provide aggregated data from the largest corporate hotline provider about the number of substantiated claims. Within these statistics, the median number of violations would indicate 124 cases of corporate malfeasance per year. Thus, internal records suggest that a case of corporate misconduct arises nearly every three days per company on average. In contrast, a “back of the envelope” estimate, even based on the most inclusive public database (i.e. all regulatory violations), would indicate an act of corporate misconduct occurs every 1,586 days per company on average[1].

One important note in interpreting this analysis is that, compared to the conduct subject to enforcement and regulatory action, much of the internal firm misconduct that is not detected by regulators or identified in public databases is less egregious in nature, even when it includes acts of bribery or financial reporting fraud. Thus, it would be inappropriate to extrapolate that the damages from the average case prosecuted by the DOJ or disciplined by the SEC are indicative of the scope or damages of the average case that arises internally within firms without being detected or sanctioned by regulators. In general, more serious misconduct has a greater likelihood of being sanctioned because of both regulatory priorities and the incentives for individuals to make agencies aware of the misconduct[2].

Ultimately, firms’ own investigative and hotline records show that corporate misconduct is not a rare or exceptional event that happens within only a small number of “low-integrity” firms once every few years, as described in the public enforcement record. Rather, consistent with recent research in behavioral ethics that shows people are not nearly as ethical as they believe (Bazerman and Tenbrunsel, 2011; Gino, 2013), misconduct is a regular and omnipresent challenge within large organizations. For compliance officers and general counsels, the regularity of this misconduct suggests that their pragmatic objective is to minimize the frequency and magnitude of offenses, rather than to seek “zero” misconduct[3].

This investigation contributes to the literature on corporate and financial misconduct research. This literature – in accounting, finance and law – tends to rely on public databases to assess which firms engage in fraud. However, as described in this analysis, there is a far more pervasive state of misconduct than that shown by public enforcement records, complicating analyses that rely on public databases to conclude which organizations engaged in misconduct and which did not[4]. As the evidence here shows, the vast majority of corporate offending – even in serious financial matters such as reporting fraud or bribery – is not publicly detected, sanctioned or reported. Thus, investigations that rely on public enforcement databases to draw inferences should appreciate that while such records do indicate conduct that was detected and sanctioned by regulators and enforcement agencies, such records cannot identify which firms do – or do not – engage in misconduct[5]. As a result, such statistics are not appropriate for some research questions that focus on identifying misconduct. In this way, this paper complements the analysis in Dyck et al. (2017), who estimate the magnitude of financial misreporting that goes undetected, and builds on the obstacles associated with different misconduct databases described by Karpoff et al. (2017)[6].

This analysis also contributes to an ongoing debate about sanctioning companies for the actions of their employees (Rakoff, 2015). Many of the recent multibillion-dollar fines in the USA have drawn criticism for both unnecessarily punishing shareholders and not holding accountable the individual executives who engaged in the misconduct. As part of the corporate sanctioning process, firms are often required to institute or improve internal compliance programs. To the extent that the vast majority of misconduct is not detected or sanctioned by regulatory bodies for a variety of political and economic reasons, reducing the aggregate incidence of corporate misconduct is likely to rely on firms’ own efforts. Given this, appropriately incentivizing companies to mitigate misconduct within their own organizations could serve as an effective strategy to prevent and remediate misconduct more broadly[7].

There are a number of caveats to interpreting the statistics described in this paper. While these are discussed in more detail in subsequent sections, there are two points to mention here. First, the public enforcement statistics described here focus on sanctions by US regulators on publicly traded firms. While the USA has historically taken the most aggressive stance against white-collar crime, these statistics are likely to vary internationally, and so too are perceptions of offending[8]. Second, the private data on misconduct are a record of only those offenses that were captured by internal processes and are not a comprehensive record of all misconduct that conceivably occurred. While this means that even these numbers are likely to be a conservative estimate of the true amount of malfeasance, this analysis does not solve the ultimate measurement challenge of assessing the total amount of unreported crime, known as the “dark figure” among criminologists[9].

2. Public enforcement data

Researchers have relied on a number of different data sources to understand the frequency, location and magnitude of corporate misconduct. The disparate types of cases examined by these data sources include criminal cases brought by prosecutors (e.g. DOJ), regulatory offenses sanctioned by civil entities (e.g. SEC) and lawsuits filed by private plaintiffs.

As a way to estimate the likelihood that a particular company will engage in misconduct, it is necessary to develop a measure of the total number of possible organizations that could engage in misconduct in a particular year. To create a meaningful and measurable group, I focus on the subset of companies that are publicly traded. While excluding private organizations means excluding a considerable number of firms, such a restriction facilities a more meaningful count of the total number of firms that could be realistically sanctioned and included in public enforcement data[10]. In Table II, I provide the total number of publicly traded firms each year from 2001 to 2017. The number of firms includes all operating firms on the New York Stock Exchange (NYSE), Nasdaq, or NYSE American exchanges on Wharton Research Data Services with shares traded at least one day during the calendar year[11]. In subsequent analyses, I will use this annual count of firms as the set of firms that could have been sanctioned in a given year.

In the following subsections, I will discuss five different public databases that offer different depictions of the amount of corporate offending. Prior to examining the databases, I first provide clarity around how corporate misconduct is defined from the standpoint of measurement across the databases. Then, in Sections 2.2, 2.3 and 2.5, I focus on criminal and civil enforcement databases against firms by government entities, and in Section 2.4, I examine lawsuits by private plaintiffs.

2.1 Defining corporate misconduct

Throughout much of the twentieth century, criminologists, sociologists and legal scholars debated what constituted white-collar crime and corporate deviance (Tappan, 1947)[12]. For example, the sociologist Edwin Sutherland, who coined the term “white-collar crime,” encountered considerable resistance for describing business conduct that was not sanctioned by regulators or prosecutors as “criminal” (Sutherland, 1944; Sutherland, 1983). While some sociologists described corporate conduct as “criminal” even if it was not prosecuted, other scholars took a stricter legal approach and only deemed acts sanctioned by criminal authorities as criminal conduct.

Following much of the more recent literature in accounting and finance, I use a broader category of behavior that I refer to as “corporate misconduct.” Such actions include criminal violations that are formally prosecuted and regulatory offenses that are civilly sanctioned. Owing to both resource constraints and political considerations, not all misconduct is sanctioned by formal legal institutions. As in prior literature, researchers have used lawsuits filed by private plaintiffs against firms as another measure of “corporate misconduct,” although claims by plaintiffs may not reflect criminal or civil violations of law that would be sanctioned by regulatory or enforcement agencies.

While enforcement records against firms present a clear delineation of which white-collar crimes are corporate offenses, not all “white-collar crimes” represent instances of corporate misconduct. Specifically, to apply a more consistent standard across the sample, I distinguish acts of corporate misconduct, which serve to benefit a company, from offenses committed by an employee during the course of work at a firm. In relying on this approach, I follow the standard of respondeat superior for corporate liability as appealed to by federal courts. Under respondeat superior, “the corporation is held criminally liable for the criminal acts of its agent within the scope of his or her employment that are intended to benefit the corporation” (Podgor et al., 2013a, 2013b, p. 28). While this delineation can be imperfect in some instances, it helps separate some offenses committed by employees that do not serve the firms’ interests and would be unlikely to attract regulatory attention at the corporate level. As an example, a manager who bribes a government minister would be committing an act of “corporate misconduct,” as the actions of the employee benefit the company. In contrast, an employee who takes cash from a company’s safe (i.e. embezzlement) would not be committing an act of corporate misconduct, as embezzlement does not benefit the firm[13].

2.2 Department of justice criminal prosecutions of organizations

The DOJ prosecutes organizations criminally. Although firms – as entities – cannot be sentenced to prison like individuals, criminal remedies for organizations include substantial fines, operating restrictions and monitorships (Khanna and Dickinson, 2007). While trial convictions and pleas have long been public, data on alternative organizational “prosecutions,” including deferred and non-prosecution agreements, have only recently become common. The Corporate Prosecution Registry, created by Brandon Garrett and now updated by the Legal Data Lab at the University of Virginia School of Law and Duke University School of Law (Garrett, 2014 for additional background), provides a comprehensive list of criminal organizational prosecutions. The data includes all federal organizational case trial convictions, pleas, deferred prosecution agreements and non-prosecution agreements[14]. All organizational sanctions in the data are criminal, but span a broad set of categories including fraud, workplace safety, environmental, immigration, antitrust, import/export, money laundering, obstruction and bribery (i.e. violations of the Foreign Corrupt Practices Act, or FCPA). As shown in Table II, the average number of criminal sanctions against publicly traded firms was 21 per year between 2001 and 2017, with a low of 8 cases in 2002 and a high of 39 cases in 2010[15].

Criminal enforcement is the most severe sanction available for organizations that offend and is reserved for organizations that engage in the most egregious conduct, where prosecutors can gather sufficient evidence. Even after taking into account deferred and non-prosecution agreements, which have been subject of considerable scrutiny (Arlen and Kahan, 2017; Arlen, 2016; Garrett, 2014), criminal prosecution of publicly traded firms is uncommon. Based on the number of publicly traded firms, the likelihood that a publicly traded firm is sanctioned criminally in a given year is less than 0.5 per cent.

2.3 Securities and Exchange Commission accounting and auditing enforcement actions

The SEC sanctions firms that engage in financial misreporting, and these actions are documented in Accounting and Auditing Enforcement Releases (AAERs). The SEC, as a regulatory body, has the power to civilly sanction firms with fines and other operating restrictions that are described in these enforcement releases. Dechow et al. (2012) collected all AAERs, and this sample has been updated through the University of California, Berkeley Center for Financial Reporting and Management. While some of these releases are against individuals (e.g. private accountants), I restrict the sample to include only firms sanctioned through an AAER[16]. As shown in Table II, the average number of AAER firms was 54 firms per year from 2001 to 2013, with a low of 24 in 2013 and a high of 87 in 2007. Although the number of firms annually sanctioned by the SEC (as described in AAERs) is more than double the number sanctioned by the DOJ (52 vs 21), the likelihood that a specific firm faces an SEC enforcement action through an AAER in a given year is relatively infrequent at 1.1 per cent.

2.4 Stanford securities class action clearinghouse database

Investors who believe they have been harmed by misstatements made by public companies can seek penalties by initiating a lawsuit against the firm[17]. As compared with the DOJ and SEC enforcement data in Sections 2.1 and 2.2, which rely on violations as alleged by government entities, private lawsuits are not constrained by the same institutional restrictions or resources (Kedia and Rajgopal, 2011; Nguyen, 2018)[18]. At the same time, private litigants are motivated by their own goals (e.g. monetary damages), placing a different type of constraint on what types of lawsuits may or may not be brought. As a result, class action lawsuits represent a different means of assessing the amount of alleged corporate misconduct. The Stanford Securities Class Action Clearinghouse Database compiles securities class actions filed in federal courts.

The number of lawsuits against firms for alleged fraud is shown in the final column of Table II[19]. It should be noted that these are cases that are filed against firms, but not always cases that are successful or have merit even if settled (Coffee, 2015)[20]. Between 2001 and 2014, 220 lawsuits on average were brought per year, with a low of 120 in 2006 and a high of 504 in 2001. Based on the annual number of firms that have publicly traded equity, the likelihood that a firm would face a securities lawsuit in a particular year is 4.6 per cent. Therefore, as compared with SEC regulatory enforcement actions, alleged corporate misconduct as measured by the number of lawsuits is more prevalent, but still uncommon with more than 95 per cent of firms not facing such an allegation in a particular year.

2.5 Regulatory violations

The DOJ and SEC are two agencies in the federal government that can sanction firms for misconduct. However, there are dozens of other agencies that can also sanction firms, both criminally and civilly, for legal and regulatory violations. For example, the Environmental Protection Agency can both civilly and criminally sanction firms for environmental violations. Moreover, unlike the DOJ and even SEC, which often sanction firms for especially egregious conduct, with correspondingly significant fines that can be in the hundreds of millions or billions of dollars, other regulatory agencies sanction firms for more “routine” misconduct. Many of these fines are considerably smaller. For example, the average fine for the Federal Railroad Administration is $10,633[21].

There is no centralized database hosted by a government entity that aggregates the violations across all agencies. However, a non-governmental organization, Good Jobs First, created Violation Tracker, which aggregates data across 42 agencies[22]. Using the Violation Tracker database matched to publicly traded firms, I calculate the rate at which firms face a sanction by any regulatory and enforcement body.

As shown in Table II Panel B, 654 publicly traded firms on average per year from 2010 to 2017 had at least one criminal or civil regulatory sanction. Owing to the time-consuming nature of hand-matching the various databases, Violation Tracker includes a subset of all publicly traded firms or 2,845 in total. Based on the average frequency of offending, this implies a 23 per cent likelihood that a firm will be sanctioned in a given year. These data show that the propensity for a firm to be sanctioned for engaging in some form of corporate misconduct is considerably more common than indicated by more narrowly looking at DOJ criminal sanctions or SEC sanctions. Nevertheless, it should be observed that according to these records, the majority of firms (i.e. more than three-quarters) are not sanctioned in any given year, implicitly suggesting – by these records – that corporate offending is still not the norm for publicly traded organizations.

3. Experimental research and survey data on misconduct

One indication that the rate of corporate offending is potentially higher than shown in public enforcement data is provided in the experimental research and survey data on misconduct. In this section, I discuss experimental evidence describing managers’ propensity to engage in dishonesty and two surveys that indicate managers’ expressed willingness to engage in misconduct. I also discuss one study that quantifies the frequency with which firms report offenses to regulators.

3.1 Experimental laboratory research on dishonesty

A considerable body of research in psychology and behavioral ethics has examined the proclivity to behave dishonestly (Gino, 2013; Ariely, 2012; Bazerman and Tenbrunsel, 2011). Through numerous laboratory experiments, researchers have demonstrated that individuals are more likely to engage in dishonest acts than they themselves believe (i.e. people believe that they are more honest than they turn out to be in practice). As one example, in Shu et al. (2012), participants were given math puzzles and then asked to report their earnings for correct solutions on an “income tax” form. When participants were not required to provide a signature attesting to their earnings, 64 per cent cheated, and 79 per cent cheated when a signature was required at the bottom of the form. Shu et al. (2012) included a novel intervention where individuals signed the top of the “income tax” sheet before filling it out, which moderated cheating to 37 per cent of participants. Thus, while the researchers devised a means to substantially reduce cheating, the aggregate rate of dishonesty was still in excess of one out of every three participants. In another experiment, Cohn et al. (2014) examine how one’s professional identity in the financial sector is associated with dishonesty by conducting a laboratory experiment with employees of a large international bank. In a coin-tossing task, 26 per cent of bank employees cheated when primed with a reminder of their professional identity.

While the decision-making within a laboratory context may not always generalize to environments where business decisions are actually made, these experiments provide compelling evidence showing that the predilection to engage in dishonest conduct is high, with more than half the participants behaving unethically in some experiments.

3.2 Survey data on misconduct

An alternative experimental means of assessing business employees’ willingness to engage in illicit conduct is to directly survey them on their inclination to engage in different actions. Although this does not actually indicate what managers have done (i.e. actual misconduct), it does provide an indication of the willingness of managers to potentially engage in corporate misconduct if the opportunity arises.

EY, the auditing and professional services firm, conducted interviews with 2,825 managers in 62 countries about compliance and integrity issues. In the interviews, managers were asked, “Which, if any, of the following do you feel can be justified if they help a business survive an economic downturn?” Presented with four actions, 24 per cent of managers stated offering entertainment, 13 per cent stated cash payments, 12 per cent stated personal gifts or services and 4 per cent stated misstating financial performance as justifiable. Overall, 36 per cent of the respondents said that at least one of these acts could be justified.

In another recent survey project focused on financial misreporting, Bedi et al. (2019) gave nearly 500 experienced managers a set of five vignettes with an opportunity to engage in misreporting. The vignettes included situations about hiding a loss-making customer, changing an expense cutoff, manipulating a fair-value estimate, adjusting a footnote disclosure and inflating an inventory count. The authors find that nearly 60 per cent of managers stated that they would likely engage in misreporting in at least one of the situations presented to them. Thus, the survey evidence on managers’ own willingness to misreport is consistent with laboratory work about individuals’ predilection to deviate from expected norms and standards.

One additional piece of survey data further indicates that enforcement statistics are likely to severely underestimate the amount of corporate misconduct. Using a proprietary data set from nearly 700 firms, Healy and Serafeim (2016) show that only 17 per cent of firms reported internal violations to regulatory agencies. While some of these violations may be detected by regulatory agencies through other means (e.g. media, employees calling regulators), these data indicate the obstacles that regulatory bodies confront in detecting most misconduct. Moreover, even once a violation is detected, sanctioning a firm civilly or criminally poses another challenge that regulators must surmount before the violation would enter the public enforcement record. Collectively, this evidence indicates that the public enforcement records are likely to considerably underestimate the actual amount of corporate offending.

4. Internal corporate violation data

Corporate compliance programs monitor for potential violations within firms (Soltes, 2018b). Many of these allegations are brought to senior management attention through firms’ integrity hotlines, but others are conveyed internally via legal, compliance or human resources departments. These records are viewed as highly confidential. Specifically, in many instances, they are deemed privileged files (i.e. subject to attorney–client confidentiality). While firms may have incentives to disclose violations to regulators (e.g. DOJ FCPA self-disclosure program), in many instances firm leaders choose not to disclose these offenses to regulators[23]. As a result, internal investigation records offer a more comprehensive measure of the alleged misconduct taking place within firms, as compared to the public enforcement statistics[24].

In Table III, I present data on the average number of violations in 2017 for three publicly traded, multinational firms that have an average of approximately 96,000 employees[25]. According to their own records, these firms detected an average of 18 cases of bribery and 16 cases of fraud (financial reporting and accounting) in 2017. Beyond this, on average they detected 94 other cases of corporate misconduct (e.g. environmental violations, worker rights abuse and supply chain violations) for a total of 128 instances per firm.

To help put these numbers in perspective, none of these three firms appeared in any of the DOJ, SEC or securities fraud records in 2017. The average number of violations for these three firms in Violation Tracker in 2017 is two. Thus, the sample firms’ own measures of the incidence of corporate misconduct is 64 times that described in even the most expansive public database[26].

To provide a sense of the generalizability of the average statistics from these three firms, I compare the incidence of misconduct to those compiled by the largest hotline provider, NAVEX (Soltes, 2018a). NAVEX provides statistics on the number of incidents reported through hotlines for 5,779 firms. They find that firms received 1.4 reports per 100 employees, implying 1,344 reports per year for a firm of 96,000 employees[27]. These allegations involve a wide variety of matters including auditing deficiencies, harassment, workplace safety and misappropriation of assets. Of the total, 18.5 per cent of the allegations would constitute corporate misconduct (e.g. financial fraud, bribery and environmental violations), thus resulting in 249 allegations of corporate misconduct per year[28]. However, not all of these allegations are substantiated violations. After receiving an allegation, companies investigate the claim to ascertain whether the claim has merit[29]. In 2017, 50 per cent of the allegations were substantiated in the NAVEX data. Thus, a firm with 96,000 employees would have approximately 124 corporate misconduct violations per year according to these data[30]. Although this hotline estimate excludes other ways that investigations can begin (e.g. internal reporting through a manager), the estimated rate of offending from the NAVEX data (124 cases) is very similar to the actual number of instances (n = 128) in the sample firm data, providing additional confidence that these internal data comport with a representative view of how often such violations are internally detected.

5. Discussion

The internal corporate violations data and hotline statistics support the notion that the frequency of corporate misconduct is considerably higher than that described by public databases that rely on criminal/civil enforcement or private action (i.e. class action lawsuits). While these internal records provide a closer depiction of the “true” level of corporate misconduct, as they do not depend on a regulatory/enforcement body detecting and sanctioning the firm, corporate investigative records still do not provide a complete picture of the amount of misconduct for two reasons. First, some of the allegations of misconduct may go unexamined or be overlooked, thereby not substantiating legitimate claims. As examples, Uber and Wells Fargo have faced scrutiny for improperly investigating claims of misconduct that later proved substantive in nature. Second, not all misconduct will be internally reported or detected. A number of larger firms conduct analysis to try and assess the amount of misconduct that is not reported and therefore missing from investigations records. Gartner, a research and advisory firm, has compiled these data for 20 firms with more than 50,000 respondents, and these data show that less than half of employees report misconduct when they observe it. As examples, 40 per cent of accounting irregularities, 27 per cent of inappropriate giving or receiving of gifts, and 43 per cent of fraud are reported conditional on the employee observing the particular type of misconduct[31]. As explanations for why employees do not report this misconduct, 29 per cent said they feared retaliation, 14 per cent did not think the company would do anything and 1 per cent feared the consequences would jeopardize the company’s financial goals. Although the way that these survey data were collected does not permit inferences on the precise amount of misconduct missed through internal investigative channels, these data indicate that there is even more misconduct, and Section 4 estimates should be viewed as conservative underestimates of the true amount of malfeasance.

The considerable amount of misconduct that arises but goes largely unsanctioned by public agencies raises the question of the most effective regulatory and enforcement strategy to reduce corporate malfeasance. A considerable amount of discussion has been focused on whether, and to what extent, organizations should be held accountable as compared with individual offenders (Stewart, 2011). Within this discussion, the DOJ has faced considerable criticism for the growth in corporate sanctions without corresponding growth in individual sanctions of executives within offending organizations[32]. Some policy leaders have suggested substantially increasing the resources available to regulatory and enforcement agencies to address this apparent underenforcement of white-collar laws.

An alternative strategy – and one that the agencies have increasingly relied upon – is to force firms to engage in their own prevention, detection and remediation efforts. In this spirit, the DOJ efforts follow the US Sentencing Guidelines in providing credit for firms that design effective compliance programs (Soltes, 2018b for background). To the extent that firms design effective internal programs or are forced to correct deficient programs as part of their sentencing agreement, these efforts can serve to reduce the incidence of misconduct. Naturally, there is a challenging question about how effective such internal programs are in preventing misconduct, whether managers actually desire strong compliance programs and whether such programs are in the appropriate spirit of privatizing the role of public law enforcement (Haugh 2017). Nonetheless, to the extent that there is considerably more misconduct than can be detected and enforced because of the constraints at regulatory agencies under the current design of those institutions, incentivizing firms – as entities – to create their own internal deterrence mechanisms potentially offers a constructive means to reduce the incidence of such offenses (Chen and Soltes, 2018; Soltes, 2018b).

The plethora of misconduct that arises within companies also provides an indication of the challenge facing general counsels and chief compliance officers. While many firms publicly project a stance of “zero tolerance” toward misconduct, privately many tolerate some amount of malfeasance. In this regard, the objective of many compliance officers is not “zero misconduct,” but rather to keep the frequency and magnitude of such offenses low and to strive toward reducing their incidence over time. Yet, as the internal data in Section 4 suggest and the behavioral evidence about human proclivity toward dishonesty underscores, the ultimate objective of sustained zero misconduct in a large business is unlikely to be realistically achieved under the current methods of prevention and remediation.

6. Conclusion

Since the mid-twentieth century, corporate misconduct has been widely recognized as a growing problem. The level of offending has long drawn speculation among researchers, who tend to rely on different public enforcement databases to draw inferences on the frequency of misconduct. In this paper, I present internal investigations data from several large firms showing that the actual amount of offending is orders of magnitude larger than that described in the public data.

The prevalence of misconduct that goes unsanctioned raises numerous challenging regulatory and political questions. Should regulators and enforcement agencies be given more resources to increase their own detection efforts? To the extent that we rely on firms’ own programs, how can we assess firms’ own remediation efforts? Are there better ways to incentivize firms’ efforts to create more effective compliance programs? These questions deserve greater research and regulatory attention in both the USA and other jurisdictions around the world.

Public vs private rates of misconduct summary

Data source Likelihood of misconduct/year (%) Mean violations/year
Public DOJ criminal 0.5
SEC enforcement cases 1.1
Securities lawsuits 4.6
Regulatory violations 23.0 4
Private Investigations data 100* 128

Table I shows the likelihood that a publicly traded firm will be sanctioned in the public sample (as defined in Section 2). In the private sample, mean violations per year is calculated as described in Section 4. *All firms in the private sample have some violations each year internally, implying an effective “likelihood of misconduct” of 100 per cent

Public enforcement records

Panel A: DOJ criminal, SEC civil and lawsuits
Year #Public firms DOJ criminal SEC (AAER) cases Securities lawsuits
2001 6,414 12 35 504
2002 5,749 8 84 267
2003 5,349 9 75 290
2004 5,170 18 60 244
2005 5,112 15 55 182
2006 5,037 21 54 120
2007 5,015 38 87 178
2008 4,728 28 45 224
2009 4,439 32 62 174
2010 4,246 39 46 183
2011 4,078 31 44 208
2012 3,925 24 32 160
2013 3,891 30 24 173
2014 3,978 19 179
2015 3,998 9
2016 3,900 11
2017 3,844 16
Average/year 4,640 21 54 220
Likelihood (%) 0.46 1.11 4.60
Panel B: aggregate legal and regulatory violations
#Violations Mean violations per firm Median violations per firm
2010 627 4.9 2
2011 654 4.9 2
2012 670 4.6 2
2013 637 4.1 2
2014 650 3.7 2
2015 696 3.6 2
2016 690 3.7 2
2017 605 3.8 2
Average/year 654 4.2 2.0
Likelihood (%) 23.0

Table II shows the incidence of sanctions against publicly traded firms by the DOJ, SEC, private plaintiffs and all federal agencies (as described in Section 2)

Private investigations records

Type of violation # Substantiated violations (corporate)
Bribery 18
Fraud 16
Other corporate misconduct 94
Total violations – internal (mean) 128
Total violations – Violation Tracker (mean) 2

Table III shows the number of internally investigated and substantiated violations among three sample firms, as described in Section 4. Total violations (mean) is the average number of violations for the three sample firms according to Violation Tracker (Section 2)



This estimate assumes that violations are independently distributed over firms over time in public enforcement statistics. In practice, violations often cluster by firm in public records. Thus, while this statistic may be representative on average, it overestimates the days between incidents for firms that often offend and underestimates the days between incidents for firms that less often experience enforcement or regulatory violations.


As a reflection of enforcement priorities, the United States Attorneys' Manual and the Securities and Exchange Commission Enforcement Manual both cite the severity of the harm and impact as important factors when considering an enforcement action against a firm. The more recent government-sponsored whistleblowing programs (e.g. SEC whistleblower program) also offer significant financial incentives to those who report misconduct to federal agencies. The awards are a function of the size of the money collected by agencies, but tend to be limited to “larger” frauds (e.g. for the SEC, an enforcement action of at least $1m must be ordered for an individual to collect a reward.)


There are other challenges related to the costs of seeking “zero” misconduct (Soltes, 2016).


Focusing on the financial sector and employing quasi-public data, Egan et al. (2019) find that 7 per cent of financial advisors have misconduct records. This incidence of misconduct is considerably higher than other data sources that examine misconduct in the non-financial sector indicate.


Public enforcement records generally do not include firms that drew regulatory scrutiny (e.g. start of a formal investigation) but were not eventually subject to an enforcement action (Solomon and Soltes 2018).


Dyck et al. (2017) estimate that one-eighth of publicly traded firms were engaged in fraud during their sample period. One interesting question raised by examining this analysis in light of their estimate is how often regulators detect frauds but find the amounts “below” their threshold (or are too constrained in resources) to formally pursue action. In this regard, one limitation of the current analysis is the focus on frequency rather than magnitude.


Firms can – and often do – design ineffective compliance programs (Haugh 2017, Laufer, 2018) that inhibit firms’ ability to effectively limit misconduct internally. One could imagine a different institutional design where regulatory and enforcement agencies would have far more resources. However, under the constraints in the current regulatory system, regulatory and enforcement agencies often rely on firms’ own policing and investigative efforts to both detect and remediate misconduct.


For a more detailed discussion on the international record regarding enforcement, see Garrett (2018).


I greatly appreciate William Laufer bringing the criminological term “dark figure” to my attention, as it aptly conveys what I sought to describe in this analysis.


Focusing on public firms does not mean that private firms do not face sanctions (e.g. Theranos). However, given the more dispersed ownership of public firms and the additional incentives associated with detecting misconduct (e.g. short sellers), publicly traded firms tend to draw greater scrutiny on average.


I exclude exchange-traded funds and other publicly traded investment vehicles that do not have ordinary common shares on the Center for Research in Security Prices.


For a discussion of how and why corporations themselves can face criminal sanctions, see Buell (2016).


Embezzlement would, however, be regarded as a white-collar crime by most scholars and public officials.


The database does not include cases brought only in state courts, convictions overturned on appeal, indictments that were dismissed or companies acquitted at trial. I further exclude declinations in the number of cases described here.


I utilize the sentencing data to determine the year of sanctioning, although in most instances the actual offending occurred prior to this date.


To assign dates to the AAERs, I follow Karpoff et al. (2017) and rely on the date of AAER issuance.


Such claims are generally made under Section 10(b) of the Securities and Exchange Act and Section 11 of the Securities Act.


Differences between SEC investigations and securities class actions are examined in Choi and Pritchard (2016).


Following Karpoff et al. (2017), the statistics here depict all financial reporting fraud (e.g. 10(b)-5) lawsuits.


A firm may choose to settle a suit that has little merit out of consideration that it can be less costly than continuing litigation.


Based on data from Violation Tracker from 2000 to 2017. During this time, the Federal Railroad Administration issued 11,737 violations with a median sanction amount of $7,850.


The complete list of agencies is provided at Violation Tracker typically includes only violations that include at least $5,000 or more in final penalties. The database also included a limited number of cases from state courts.


The costs and benefits associated with disclosing violations to any regulator are subject to considerable debate among practitioners. For an examination in an environmental context, see Short and Toffel (2008).


As discussed in Section 5 in more detail, even these internal statistics are not comprehensive records of all misconduct and thus should still be viewed as a lower bound of the amount of misconduct within an organization.


Due to the sensitive nature of these data and my agreement to protect the firms’ identities, all statistics are presented as averages across the three firms.


For the internal violations, I only include those that would be deemed “corporate misconduct” for which the firm could be held responsible under respondeat superior. If I expand this estimate to all violations (embezzlement, conflict of interest, theft, etc.), the average number of violations would rise to over 600, on average, in 2017.


The 1.4 reports is the median number of reports per 100 employees. NAVEX does not report average values; however, the top of the range, which NAVEX does report, is 11.0 indicating that the mean value would be higher than the median.


According to NAVEX, the median percentage reports that are of accounting, auditing, and financial reporting matters; business integrity matters and environment, health and safety matters are 3 per cent, 17 per cent and 7 percent, respectively. Business integrity violations include bribery, customer issues and fraud – which can be viewed as corporate misconduct – but also conflict of interests that are less likely to be “corporate misconduct” (i.e. such conflicts are usually for the employee, rather than firm’s benefits). As a result, I make the assumption in the above calculation that half of the business integrity violations are “firm” violations (i.e. corporate misconduct).


The ability of firms to effectively investigate claims varies (Soltes 2018b). Assessments of how well firms evaluate similar claims are not provided by NAVEX.


NAVEX reports all data for their median, rather than average, client. Thus, the 124 violations reflect a median estimate for the number of corporate violations based on NAVEX data.


Gartner reports these statistics in a presentation titled “Culture’s Impact on Risk and Business Performance.”


The DOJ responded with the “Yates Memo”, which emphasized holding individuals accountable for corporate wrongdoing (DOJ 2015). One concern is whether compliance officers have become the “fall person” when offenses do occur because of their position within the firm (Golumbic 2018).


Ariely, D. (2012), The Honest Truth about Dishonesty: How We Lie to Everyone – Especially Ourselves, HarperCollins, New York, NY.

Arlen, J. (2016), “Prosecuting beyond the rule of law: corporate mandates imposed through deferred prosecution agreements”, Journal of Legal Analysis, Vol. 8, No. 1, pp. 191-234.

Arlen, J. and Kahan, M. (2017), “Corporate governance regulation through nonprosecution”, The University of Chicago Law Review, Vol. 84 No. 1, pp. 323-387.

Bazerman, M.H. and Tenbrunsel, A.E. (2011), Blind Spots: Why We Fail to Do What’s Right and What to Do about It, Princeton University Press, Princeton.

Bedi, S., Schrand, C.M and Soltes, E.F. (2019), “Managerial proclivities to financially misreport”, Working Paper.

Buell, S.W. (2016), Capital Offenses: Business Crime and Punishment in America’s Corporate Age, W.W. Norton and Company, New York, NY.

Chen, H. and Soltes, E. (2018), “Why compliance programs fail: and how to fix them”, Harvard Business Review, Vol. 96 No. 2, pp. 116-125.

Choi, S.J. and Pritchard, A.C. (2016), “SEC investigations and securities class actions: an empirical comparison”, Journal of Empirical Legal Studies, Vol. 13 No. 1, pp. 27-49.

Coffee, J.C. (2015), Entrepreneurial Litigation: Its Rise Fall and Future, Harvard University Press, Cambridge.

Cohn, A., Fehr, E. and Maréchal, M.A. (2014), “Business culture and dishonesty in the banking industry”, Nature, Vol. 516 No. 7529, pp. 86-89.

Dechow, P.M., Hutton, A.P., Kim, J.H. and Sloan, R.G. (2012), “Detecting earnings management: a new approach”, Journal of Accounting Research, Vol. 50 No. 2, pp. 275-334.

Dyck, A., Morse, A. and Zingales, L. (2017), “How pervasive is corporate fraud?”, Working Paper.

Egan, M., Matvos, G. and Seru, A. (2019), “The market for financial advisor misconduct”, Journal of Political Economy, Vol. 127 No. 1, pp. 233-295.

Eisinger, J. (2017), The Chickenshit Club: Why the Justice Department Fails to Prosecute Executives, Simon and Schuster, New York, NY.

Garrett, B.L. (2014), Too Big to Jail: How Prosecutors Compromise with Corporations, Belknap Press, Cambridge.

Garrett, B.L. (2018), “International corporate prosecutions”, Comparative Criminal Procedure, Oxford University Press, Oxford.

Gino, F. (2013), Sidetracked: Why Our Decisions Get Derailed, and How We Can Stick to the Plan, Harvard Business Review Press, Boston.

Golumbic, C.E. (2018), “‘The big chill’: personal liability and the targeting of financial sector compliance officers”, Hastings Law Journal, Vol. 69 No. 1, pp. 45-94.

Haugh, T. (2017), “The criminalization of compliance”, Notre Dame Law Review, Vol. 92 No. 3, pp. 1215-1269.

Healy, P. and Serafeim, G. (2016), “Who pays for white-collar crime”, HBS Working Paper Series.

Karpoff, J.M., Koester, A., Lee, D.S. and Martin, G.S. (2017), “Proxies and databases in financial misconduct research”, The Accounting Review, Vol. 92 No. 6, pp. 129-163.

Kedia, S. and Rajgopal, S. (2011), “Do the SEC’s enforcement preferences affect corporate misconduct?”, Journal of Accounting and Economics, Vol. 51 No. 3, pp. 259-278.

Khanna, V. and Dickinson, T.L. (2007), “The corporate monitor: the new corporate czar?”, Michigan Law Review, Vol. 105 No. 8, pp. 1713-1755.

Laufer, W.S. (2018), “A very special regulatory milestone”, University of Pennsylvania Journal of Business Law, Vol. 20 No. 2, pp. 392-428.

Nguyen, T. (2018), “The effectiveness of white-collar crime enforcement: evidence from the war on terror”, Harvard Business School Working Paper.

Podgor, E.S., Henning, P.J., Israel, J.H. and King, N.J. (2013a), White Collar Crime, West Academic Publishing, Eagen.

Podgor, S., Henning, P.J., Taslitz, A. and Garcia, A. (2013b), Criminal Law: Concepts and Practice, Third Edition, Carolina Academic Press, Durham.

Rakoff, J.S. (2015), “Justice deferred is justice denied”, The New York Review of Books, February 19.

Short, J.L. and Toffel, M.W. (2008), “Coerced confessions: self-policing in the shadow of the regulator”, Journal of Law, Economics and Organization, Vol. 24 No. 1, pp. 45-71.

Shu, L.L., Mazar, N., Gino, F., Ariely, D. and Bazerman, M.H. (2012), “Signing at the beginning makes ethics salient and decreases dishonest self-reports in comparison to signing at the end”, Proceedings of the National Academy of Sciences, Vol. 109 No. 38, pp. 15197-15200.

Solomon, D. and Soltes, E. (2018), “Is ‘not guilty’ the same as ‘innocent’? Evidence from SEC financial fraud investigations”, Working Paper.

Soltes, E. (2016), Why They Do It: Inside the Mind of the White-Collar Criminal, Hachette/PublicAffairs.

Soltes, E. (2018a), “The difficulty of being good: the efficacy of integrity hotlines”, Working Paper.

Soltes, E. (2018b), “Evaluating the effectiveness of corporate compliance programs: establishing a model for prosecutors, courts, and firms”, NYU Journal of Law and Business, Vol. 14 No. 3.

Stewart, J.B. (2011), Tangled Webs: How False Statements Are Undermining America: From Martha Stewart to Bernie Madoff, Penguin Press, New York, NY.

Sutherland, E.H. (1944), “Is ‘white collar crime’ crime?”, American Sociological Review, Vol. 10 No. 2, pp. 132-139.

Sutherland, E.H. (1983), White Collar Crime, Praeger, Westport.

Tappan, P.W. (1947), “Who is the criminal?”, American Sociological Review, Vol. 12 No. 1, pp. 96-102.

Further reading

Sutherland, E.H. (1985), White Collar Crime: The Uncut Version, Yale University Press, New Haven.


I would like to thank Jihwon Park, Alexa Scherf, Grace Liu, participants at the Cambridge International Symposium on Economic Crime and students in Corporate Criminal Investigations at Harvard Law School for helpful feedback on earlier drafts.

Corresponding author

Eugene Soltes can be contacted at: