Corporate compliance is at an inflection point. As courts, regulators, and prosecutors simultaneously but independently incentivize companies to develop bespoke compliance programs, corporate policies have evolved into an essential private ordering mechanism for customized compliance. Corporate policies serve not merely as guidelines for corporate employees; they also signal the level of a company’s internal compliance mechanisms to external parties. Despite the ever-growing demand for the implementation of written corporate policies, how these policies are customized and monitored is largely unknown. Given the predominantly mandatory nature of regulatory compliance, how much discretion do corporate managers use — and how much should they use — in customizing compliance?

An analysis of original, hand-collected data on corporate policies from S&P 500 companies indicates that corporate managers actively customize not just compliance procedures, but also the definitional boundaries of compliance, either to be stricter or more lenient than is set by external regulations. For instance, the data show that most insider trading policies tend to have a broader definition of prohibited insider trading, while, in contrast, related party transaction policies often provide categorical exclusions that substantially narrow the definition of related party transactions. To better explain this puzzling trend of divergence, this Article introduces the concept of “strategic compliance,” suggesting that corporate policies amplify companies’ incentives to implement stringent internal monitoring where external enforcement is rigorous and adopt lenient internal monitoring where external enforcement is weak. However, it is essential to recognize that strategic compliance driven by external enforcement intensity, rather than tailored to each company’s unique risks, can result in suboptimal allocation of compliance resources and undermine the benefits of customized compliance.

This Article’s contribution is three-fold. First, it presents original, hand-collected empirical data from internal corporate policies, illuminating the prevailing trends in companies’ customization of regulatory compliance. Second, it introduces the concept of strategic compliance as a novel theoretical framework that connects corporate compliance and corporate contract literature, providing insights into the strategic processes companies employ in tailoring their corporate policies. Third, it offers normative proposals to companies, shareholders, regulators, and prosecutors for more effective use of corporate policies and emphasizes the information-gathering functions of those policies.