For an organization as polarizing as the National Rifle Association (NRA), a robust compliance program can be the greatest line of defense when under regulatory scrutiny. In contrast, a disingenuous approach to compliance can be among such a firm’s greatest weaknesses, increasing the size of the target on its back.

That notion is expected to take center stage as dueling lawsuits filed by the NRA and the New York Attorney General’s office (NYAG) last week play out. In the lawsuit seeking to dissolve the NRA, NYAG Letitia James alleges that a “culture of noncompliance” allowed NRA Executive Vice President Wayne LaPierre and three other officers to steal $64 million from the organization over three years. Meanwhile, the NRA in its countersuit says it operates in “substantial compliance” with New York not-for-profit law andis the victim of a politically motivated attack.

Key to this juxtaposition is a “top-down compliance review” launched by the NRA’s outside counsel—Brewer, Attorneys & Counselors—in late 2018 amid hints of the NYAG’s impending investigation, which began in February 2019. Neither the NRA nor Brewer returned requests to comment on what the review entailed or any specific actions taken upon its conclusion.

Instead, we have the wording of the NRA’s countersuit filed by Brewer, which casts the review as more of a bad PR move than the right thing to do. “In the [review] process, the NRA made enemies: vendors and executives who had grown comfortable with the status quo did not welcome the NRA’s push for additional documentation and transparency,” the countersuit says. “Over the ensuing year, the NRA endured slings and arrows from those discontented with the principled path it had chosen and became embroiled in litigation. But the NRA stuck to its guns, determined to prepare itself to fend off a political attack from the NYAG if one came.”

Since when is transparency and a principled path such a negative thing? Ironically, that kind of description might only serve to strengthen the allegations of the NYAG’s lawsuit, which hits hard at the idea compliance has never been a priority at the NRA. “Since at least 2014, the NRA has failed to put in place an effective compliance program to ensure that NRA officers, directors, and employees comply with New York law and the NRA’s internal policy,” the lawsuit states. “Upon information and belief, the NRA does not have and has never had a dedicated compliance officer.” The NRA did not return a request seeking to clarify whether it currently has a chief compliance officer.

Instead, the position appears to be musical chairs of sorts for the organization. Former Chief of Staff and Executive Director of Operations Joshua Powell—a defendant in the lawsuit—was tasked with handling “compliance issues” in late 2018, though that only lasted until Powell was suspended in October 2019 pending an investigation into his improper use of NRA money. Meanwhile, the chair and vice chair of the NRA’s audit committee couldn’t describe to the NYAG an existing compliance program at the organization, with the chair identifying general counsel and fellow defendant John Frazer as responsible for regulatory compliance.

The NYAG’s lawsuit continues to drive home these kind of flaws in compliance, most notably around whistleblower protections. It paints the audit committee as equally problematic in this area, citing as an example the chair of the committee knowingly leaving early a 2018 meeting at which serious whistleblower allegations would be raised. According to the NYAG, the meeting’s minutes made no mention of the whistleblower complaints, and the complaints weren’t shared with external audit firm RSM, which would routinely ask about whistleblower concerns during the audit process.

What about internal audit? Such doesn’t exist at the NRA, the audit committee chair testified. As the committee chair recalled to the NYAG, former Chief Financial Officer Wilson “Woody” Phillips—another defendant in the lawsuit—believed the external auditor was enough to render judgment on internal controls, despite the external auditor explicitly stating in its audits that it would “express no opinion” on the adequacy of the entity’s internal controls.

The NYAG notes the NRA adopted an updated Statement of Corporate Ethics in January 2020 that expanded on whistleblower protections, though the timing—nine months after the NYAG’s probe began—suggests the changes will be viewed as too little, too late.

All this isn’t to say the NRA is doomed, though. It would appear its best legal defense would be to distance itself from LaPierre, which it has begun to do by not mentioning his name once in its countersuit. The bulk of the NYAG’s lawsuit centers around allegations of misconduct focused on LaPierre and his inner circle, whom he tasked with handling compliance despite none of them having experience in the area. Both Powell, who was accused of being “abusive” by employees and later described by the treasurer as “not a good choice for compliance,” and Frazer, who was hired to his high-profile legal role despite only 18 months prior in private practice, “lacked the necessary knowledge, training, experience, skills and temperament for senior roles overseeing compliance,” the NYAG states, and it shows in the detailed allegations.

The NRA clearly has work to do in the area of compliance. The bet here is it will get the chance to, as its hard to imagine the organization being dissolved in a way as straightforward as the NYAG is pursuing. Here’s a free tip, no top-down review required: hire an actual chief compliance officer.