Following the 2008 financial crisis, government regulators and
prosecutors have been under tremendous public pressure to prosecute
individuals.1 Senior government officials have responded
by speaking forcefully about their desires to sue or prosecute more
individuals.2 What does the government's heated
rhetoric and renewed focus on individual liability mean for
corporate directors? As the chairman of the Securities and Exchange
Commission ("SEC") recently noted, "[s]ervice as a
director is not for the faint of heart...."3 But
the good news is that directors who perform their role with even a
modicum of reasonableness are highly unlikely to be held personally
liable in carrying out their responsibilities.4 Of
course, most directors aspire to more than staying out of trouble.
As a former SEC chairman put it: "It is not an adequate
ethical standard to aspire to get through the day without being
indicted."5
This Commentary will discuss the landscape of director
liability in the SEC context and provide some suggestions that may
help directors minimize the risks of regulatory scrutiny.
A "New" Focus on Individuals
The current chairman of the SEC noted in her confirmation
hearing that enforcement would be a top priority, emphasizing an
intent to pursue "all wrongdoers—individual and
institutional, of whatever position or size."6 But
the SEC's focus on individuals has actually been quite
commonplace over the years. Corporations act only through the
individuals who run them, and thus any investigations of corporate
misconduct necessarily require an investigation of individual
conduct. The SEC's enforcement statistics bear this out. Since
the beginning of the 2011 fiscal year, the SEC charged individuals
in 83 percent of its actions.7 And since 2000, the SEC
has charged individuals in 93 percent of its fraud and financial
reporting cases.8 These numbers include a small number
of directors, although it is a relatively rare event relative to
the hundreds of cases the SEC brings each year.
A criminal prosecution against a director, on the other hand, is an
almost unheard-of event in the securities context.9 And
while the DOJ has sued individuals for securities fraud, it
hasn't been enough to appease critics of the department. So,
the DOJ recently announced six changes to its policies governing
investigations of corporate misconduct that are aimed at increasing
prosecutions against individuals. 10 The so-called
"Yates Memo" directs prosecutors to "focus on
individual wrongdoing from the very beginning of any
investigation" and directs companies seeking to cooperate to
"identify all individuals involved or responsible for the
misconduct at issue, regardless of their position, status, or
seniority."11 The clear goal is to force line
prosecutors and companies seeking cooperation to more
aggressively gather and produce evidence of individual wrongdoing.
The Yates Memo has the potential to affect many aspects of
corporate investigations and prosecutions, but it does not change
the standards for proving criminal conduct beyond a reasonable
doubt, which is a serious hurdle to proving individual liability.
Nevertheless, the government's focus on individual liability
creates additional risks.
SEC Enforcement Against Directors
A review of recent SEC enforcement allegations against directors
provides insight into what this risk means in
practice:12
The SEC entered into a settlement with four defendants, including a
former outside director and member of the audit
committee,13 who failed to exercise oversight when he
"recklessly signed a number of financial statements that were
materially misleading and took no care to ensure their
accuracy."14
The SEC settled claims against two audit committee members for
failure to make timely 10-K filings and concealing
information.15 The SEC alleged that the directors
"directly and indirectly, aided and abetted" the
company's reporting violations by authorizing management to not
timely file the company's Form 10-K and a Form 10-Q to prevent
the release of a going concern opinion, despite being presented
with evidence that doing so could be unlawful. In addition, the two
directors allegedly ignored red flags from their auditors, outside
counsel, and internal memoranda. The directors received "an
interoffice memorandum [...] entitled 'Pros/Cons to Filing the
Form 10-K.' The 'Cons' included the fact that not
filing '[i]ncreases the chances of an SEC enforcement
action.'"
The SEC alleged that an audit committee chair "failed to
respond appropriately to various red flags" and failed to
investigate and take meaningful action to address improprieties,
even when directed to do so by the company's
board.16 The director allegedly "failed to take
appropriate action regarding the concerns expressed to him" by
two internal auditors regarding reimbursements for personal
expenses, and after failing to investigate, "omitted critical
facts in his report to the board."
The SEC alleged that three independent directors were
"willfully blind to numerous red flags signaling accounting
fraud, reporting violations, and misappropriating" that
allowed senior management to manipulate reports and
filings.17 The SEC alleged that "[i]n addition to a
close personal relationship, [the directors] each had business
relationships with [the CEO] that influenced their impartiality and
independence" and that they "willfully ignored [a]
controller's concerns about [the company's] inventory
valuation." In addition, the directors allegedly remained
blindly deferential to management, "ma[king] little or no
effort even to understand their Audit Committee
responsibilities" and being financially rewarded with
"lucrative perks" for doing so.
The SEC charged an audit committee chair with failure to
appropriately investigate and disclose accounting
fraud.18 The director ignored the advice of a former
director to hire professional investigators and outside counsel
despite the warning that there was "not just smoke but
fire" and that "the company appeared to have engaged in
fraud and maintained two sets of books." The director also
allegedly failed to properly oversee the filing of accurate
financial statements.
The SEC settled with two outside directors who allegedly misled
investors when they "improperly extended, renewed, and rolled
over bad loans to avoid impairment and the need to report
ever-increasing allowances for loan and lease losses ... in its
financial accounting."19
The SEC settled claims against an audit committee chair for
knowingly signing a falsely certified Sarbanes-Oxley compliance
report stating that the company had an active CFO.20 The
SEC alleged the director signed the company's 10-K as
"Audit Committee Chair and a Director, when she knew or should
have known that any fraud, whether or not material, involving
management had not been disclosed to the company's auditors and
the company's Audit Committee." The director's
settlement permanently banned her from signing any public filing
with the SEC that contains any certification required by the
Sarbanes-Oxley Act.
The SEC charged the chairman of the board and majority shareholder
of a small staffing solutions company with misleading auditors and
investors about the misuse of company funds.21 The
director "secretly held the controlling stake in [the company]
on behalf of [...] a convicted felon" and, when asked about
missing company funds, "falsely claimed that he did not know
what happened and deliberately failed to disclose important
information relevant to the auditors' inquiry."
An audit committee chair settled charges relating to failures to
disclose perquisites paid to executives and signing materially
false statements regarding executive compensation.22 The
SEC alleged that he had "reason to know" the company had
not adequately disclosed certain of the perquisites because he had
"direct involvement" in the company's internal review
of the area. He and the company nevertheless continued to make
filings with the Commission that materially understated perquisite
compensation.
The SEC entered into its first deferred prosecution agreement with
a corporate director on March 9, 2016. The company allegedly began
issuing false press releases touting sales of its product
"when in fact only a few samples had been manually
completed." The director allegedly testified that the
company's CEO was "basically out of control on company
press releases," and although he "repeatedly"
instructed the CEO to stop issuing false press releases, "took
no affirmative steps to implement any oversight of outgoing press
releases or correct misleading press releases after their
issuance." In exchange for the SEC deferring prosecution on
aiding and abetting reporting, books-and-records, and internal
controls charges, the director agreed, among other things, to
cooperate with the SEC in its case against two of the company's
officers and to be banned from serving as a director or officer of
a public company for five years.
There are three principles we can cull from these and recent public
statements by the SEC commissioners and staff.23
First, the SEC will scrutinize director conduct, especially in
financial reporting and issuer disclosure investigations. In
practice, this means the agency will look for instances where
"directors have either taken affirmative steps to participate
in fraud or enabled fraudulent conduct by unreasonably turning a
blind eye to obvious red flags."24 This is
uncontroversial and should be expected.
Second, the SEC expects the board to exercise actual oversight of
management, not to serve as "mere figureheads or rubber
stamps."25 A former commissioner recently put it
this way: "shareholders elect a board of directors to
represent their interests, and, in turn, the board of directors,
through effective corporate governance, makes sure that management
effectively serves the corporation and its
shareholders."26 The SEC has long expected
corporate directors to serve as gatekeepers. As the SEC's
chairman recently commented, "a company's directors serve
as its most important gatekeepers" and "audit committees,
in particular, have an extraordinarily important role in creating a
culture of compliance through their oversight of financial
reporting."27 They do this in part by "by
preventing, detecting, and stopping violations of the federal
securities laws" and "responding to any problems that do
occur."28 When the SEC perceives that a director
has failed to fulfill that role, it will try harder to bring
charges.
Finally, the SEC is ready to pursue negligence-based claims and is
eagerly looking to bring cases alleging internal controls
violations as the primary claim, even where there is no fraud or
negligence. An example from the past year is the settled matter
against an audit committee member who allegedly "had reason to
know" the company had not adequately disclosed certain
executive perquisites.29 This is a recent evolution in
SEC enforcement and perhaps the most likely to increase the risk of
potential individual liability. Drawing the line between serious
misconduct and simple mistake becomes much harder. Although the SEC
says it "isn't second guessing good-faith decisions by the
board,"30 that is precisely what happens in an
investigation. And this is especially true for members of the audit
committee because of their oversight of financial reporting and
disclosures.
Suggestions for Mitigating the Risk of Personal and Corporate Liability
Directors have every interest in minimizing the likelihood of
getting caught up in any civil or criminal investigation. And they
have every interest in keeping their companies out of trouble.
Below are some suggestions on how to do both those things:
Stay Informed on Regulatory Expectations and
Compliance. To demonstrate their commitment to a strong
cultural and ethical environment, directors should stay on top of
current regulatory expectations and priorities. They should receive
regular updates from the company's general counsel and the
company's outside counsel on the latest enforcement priorities
and on the latest developments in ethics and compliance. The board
should also receive regular updates from the company's
corporate ethics and compliance officer. As the DOJ and the SEC
have noted more than once, a sign of a strong corporate ethics and
compliance program is that it is constantly improving.31
Directors who are informed will be able to ask better questions and
challenge the legal and compliance programs at their
companies.
Play Your Part in Creating a Strong Culture. The
board needs to have a strong sense of the ethics and compliance
environment at the company. Creating and maintaining a strong
ethical culture is much more than just having a strong compliance
program. Some of the companies involved in the biggest frauds in
history had award-winning compliance programs while serious fraud
went undetected. A strong culture does not tolerate misconduct, and
it values the firm's long-term reputation over any possible
short-term benefit.32 This isn't just about
complying with the law—it is about getting everyone in the
enterprise to recognize that "ethics pays and ethical behavior
is good business."33 The key is to avoid short-term
thinking and make decisions with concern for the company's
long-term business and reputation. What matters here is not the
compliance structure but how the company's leaders and
employees act and think, how they react in times of stress, and how
leaders motivate employees to do the right thing.
Avoid Passivity. Much has been written on how
boards should be structured and composed.34 But that
isn't what matters in assessing the board's oversight of
ethics and compliance; rather, it is how individual directors
act.35 Directors need to actively engage management by
asking questions and by challenging them. One former commissioner
decrying the rise of activist pressure on boards put it this way:
"much of the pressure for shareholder direct democracy flows
from boards that are mismanaged: boards that are stale, full of
individuals with irrelevant skills, too chummy with management, and
so forth. By contrast, a vigorous, responsive board that takes
affirmative steps to drive good corporate governance moots the need
for shareholder direct democracy."36 Think about
your last few board meetings. In making decisions, did your board
engage in open and frank discussions even if it meant disagreeing?
Were directors willing to challenge management? Were conflicting
views heard and sought after? Disagreement and rigorous engagement
can highlight conflicts, counter biases, and encourage
outside-the-box thinking.37 A good board is one that
asks questions and is willing to challenge management, each other,
and the conventional wisdom.
Encourage Openness. The board itself should be
willing to hear difficult news. Moreover, it should encourage
leadership to bring difficult news to the board as soon as possible
because bad news rarely gets better with age. Whistleblowers are a
particular area of concern because they can sometimes be annoying,
disgruntled, and wrong. But companies and directors should never
tolerate retaliation38 or
"pre-taliation"39 against
whistleblowers.40 And that is only the minimum standard
of behavior. Good companies will create an environment where
employees are willing to speak up. Hotlines and policies are
necessary, but not sufficient. Everyone and every department must
see themselves as having responsibility for ethics and compliance.
And, the compensation and reward system—even for the most
senior executives—must reflect the connection between ethics
and the business. The key is accountability at all levels. The
board plays a critical role in ensuring the right leadership is in
place to create and sustain this environment.
Be Prepared for Failures and Near Misses. No
system of compliance is perfect. Good boards recognize there will
be slip-ups and lapses. The sign of a good compliance system is
that it is constantly improving and learning from experience and
mistakes. Failures, breaches, and near misses should be considered
part of the company's "early warning
system."41 Companies with strong ethics and
compliance programs identify wrongdoing early and remedy the
problem quickly. They learn from mistakes and improve controls. As
one SEC senior official put it recently: "It's critical
that when a director learns information suggesting that company
filings are materially inaccurate they take concrete steps to learn
all of the relevant facts and ensure that the company cease filing
annual and quarterly reports until they are satisfied with the
accuracy of the filings."42 Thus, when the company
discovers a potential violation, it must be able to escalate
issues, know how and when to engage internal and external auditors
and disclosure counsel, and have a plan on how to self-report to
the government (if necessary). These suggestions become especially
important in times of company stress, when it's easier to cut
corners and make decisions without proper appreciation for the
long-term consequences. The board's role in all of this is not
one of execution or day-to-day management but, rather, oversight
over management's execution and design and a curiosity about
what management is doing to be prepared.
Understand and Reinforce the Need for Good Internal
Controls. Management is responsible for designing and
implementing internal controls over accounting and financial
reporting and disclosures. The board's oversight role, usually
through the audit committee, is critical because the SEC is keenly
interested in the state of a company's internal controls. All
financial reporting and disclosure investigations will involve a
detailed look at a company's internal controls, and most of
these investigations will involve an analysis and investigation
into the board's oversight over financial reporting and
internal controls. Can your audit committee members explain the
difference between a "material weakness" and a
"significant deficiency"? How about the difference among
"internal controls over financial reporting,"
"disclosure controls and procedures," and "internal
accounting controls"? Do they understand the different
frameworks a company can use to evaluate internal controls? Can
they describe the company's key entity-level controls? Is the
company's internal audit department appropriately funded,
staffed, and independent? The board, and especially the audit
committee, needs to be particularly vigilant in exercising its
oversight duties over not just financial reporting but also
internal controls because in financial reporting or disclosure
investigations, it will be an area of focus.
Looking Forward
The board's most critical role is in ensuring that the leaders who run the day-to-day affairs of the company are not just talented and creative but have a desire and a willingness to do the right thing—i.e., that they are ethical and responsible. By playing a bigger role in building a strong ethics and compliance culture at their companies, directors can protect their companies and protect themselves from personal liability.
Footnotes
1 Aruna Viswanatha, "Elizabeth Warren Says DOJ and SEC Are Lousy at Enforcement," The Wall Street Journal, (Jan. 29, 2016).
2 Mary Jo White, Chair, SEC, Address at the Twentieth Annual Stanford Directors' College (June 23, 2014); Sally Q. Yates, Deputy Att'y General, DOJ, "Individual Accountability for Corporate Wrongdoing," Memorandum (Sept. 9, 2015) (the "Yates Memo"); Jones Day, " U.S. Department of Justice Announces Updated Guidelines on Individual Accountability for Corporate Wrongdoing: Implications for Internal and Government Investigations," (Sept. 2015).
3 White, supra note 2.
4 David F. Larcker & Brian Tayan, "Seven Myths of Boards of Directors," Stanford Closer Look Series (Sept. 30, 2015) ("Seven Myths").
5 Phillip V. Lewis & Marilyn Hermann Lewis, "From Boardroom to Whiteboard: A New Generation of Leadership," 109 (Tate Publishing 2011) (quoting Richard Breeden).
6 Marcy Gordon, "Senate Confirms Mary Jo White to Head SEC," ASSOCIATED PRESS (Apr. 8, 2013).
7 Mary Jo White, Chair, SEC, "Three Key Pressure Points in the Current Enforcement Environment" (May 19, 2014).
8 Id.
9 See Andrew Ross Sorkin, "Tyco Figure Pays $22.5 Million in Guilty Plea," The New York Times (Dec. 18, 2002) (charged with felony violation of New York's Martin Act and "acknowledge[ing] that he received a $20 million payment from Tyco for helping to broker an acquisition but did not disclose his compensation arrangement to the rest of the board or to shareholders").
10 Yates Memo, supra note 2.
11 Id.
12 This discussion does not include insider trading cases or regulatory cases such as investment company director cases.
13 Lit. Release No. 19177 (Apr. 11, 2005).
14 Complaint, 03-cv-10762 (D. Mass. Apr. 24, 2003).
15 Lit. Release No. 19897 ( November 2, 2006).
16 Lit. Rel. No. 21451 (Mar. 15, 2010).
17 Lit. Rel. No. 21867 (Feb. 28, 2011).
18 "SEC Charges Animal Feed Company and Top Executives in China and U.S. With Accounting Fraud," Press Release, SEC (Mar. 11, 2014).
19 "SEC Charges 11 Bank Officers and Directors With Fraud" (Jan. 13, 2016).
20 Exchange Act Release No. 71824 (Mar. 27, 2014).
21 Complaint, No. 1:15-cv-07077 (S.D.N.Y., Sept, 9, 2015). Litigation in this matter is ongoing. Although still relevant to an analysis of director actions, directors who play officer or large shareholder roles are in a different boat than pure directors when it comes to SEC enforcement.
22 Exchange Act Release No. 75855 (Sept. 8, 2015).
23 See Robert Khuzami, Director, Division of Enforcement, SEC, Remarks at AICPA National Conference on Current SEC and PCAOB Developments (Dec. 8, 2009).
24 "SEC Will Only Target Directors in Egregious Cases," Bloomberg Law (Feb. 11, 2016) (quoting Lara Shalov Mehraban, Associate Regional Director, Securities and Exchange Commission).
25 Khuzami, supra note 25.; see In re Caremark Int'l Inc. Deriv. Litig., 698 A.2d 959 (Del.Ch.1996)("Generally where a claim of directorial liability for corporate loss is predicated upon ignorance of liability creating activities within the corporation ... only a sustained or systematic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists—will establish the lack of good faith that is a necessary condition to liability.").
26 Commissioner Luis A. Aguilar, Boards of Directors, "Corporate Governance and Cyber-Risks: Sharpening the Focus," Cyber Risks and the Boardroom Conference New York Stock Exchange New York, NY (June 10, 2014).
27 White, supra note 2.
28 White, supra note 2.
29 Exchange Act Release No. 75855 (Sept. 8, 2015).
30 Bloomberg, supra note 26.
31 FCPA Resource Guide, DOJ & SEC 28 (2012).
32 Troy A. Paredes, Commissioner, SEC, "Corporate Governance and the New Financial Regulation: Complements or Substitutes?" (Oct. 25, 2010) ("Paredes").
33 Enterprise Risk Management—Integrated Framework, Executive Summary, COSO (Sept. 2004) at 29.
34 See Seven Myths, supra note 4.
35 Id. at 7–8.
36 Commissioner Daniel M. Gallagher, "Activism, Short-Termism, and the SEC": Remarks at the 21st Annual Stanford Directors' College (June 23, 2015).
37 Paredes, supra note 33.
38 See Wadler v. Bio-Rad Labs, Inc., No. 15-cv-02356-JCS, 2015 WL 6438670 (N.D. Cal. Oct. 23, 2015).
39 "Agency Announces First Whistleblower Protection Case Involving Restrictive Language," Press Release, SEC (Apr. 1, 2015).
40 Exchange Act Release No. 74619 (Apr. 1, 2015).
41 "Principles and Practices of High-Quality Ethics & Compliance Programs," Blue Ribbon Panel: Ethics & Compliance Initiative (Unpublished Draft) (Dec. 2, 2015).
42 Bloomberg, supra note 26.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.