The SEC’s Continuing Refinement of Internal Controls Enforcement
My good friend and colleague, Tom Fox, has written an interesting post (here) on the SEC’s recent United Airlines settlement for $2.4 million for domestic bribery. As Tom has noted, the interesting aspect of the SEC’s enforcement theory is that United violated its Business Code of Ethics (and Continental’s Code of Ethics, which was in force in 2011 as well), resulting in the failure to seek an exception to the financial accounting controls requiring authorized use of assets. As a result, United also violated the books and records requirements.
The SEC’s enforcement action raises interesting questions for public companies when adopting a code of conduct. The SEC has now embraced the potential liability for violating internal controls when a company violates its code of conduct.
The implications of this may be significant. First, such a reading of the SEC’s authority provides it with a huge enforcement tool that can be levied against any company for any type of legal violation that may be referenced in its code of conduct. For example, if a company’s code of conduct prohibits anti-competitive agreements, such as price fixing or territorial allocations, a company that violates the antitrust laws and is criminally prosecuted by the Justice Department may be subject to a parallel SEC enforcement action for violating its internal controls as reflected in its code of conduct (and/or specific antitrust compliance policy). That is a very broad reading and set of possibilities for SEC prosecutors to pursue.
Let’s be honest – companies are not weighing this potential risk when putting together their codes of conduct or corporate compliance policies and procedures. To the contrary, companies draft their codes as an important aspirational set of goals and standards to govern corporate behavior. A code of conduct establishes an important set of behavioral and culture standards and is never meant to create a set of laws and regulations that can be enforced against the company.
Not to pat myself on the back (or as I recall the expression – “Don’t break your arm patting yourself on the back”) but I have written in the past that a company has to be careful how it drafts its internal controls because it may be, in effect, creating a federally enforceable set of rules and regulations governing its conduct. The SEC’s recent action in the United case highlights this risk, but frankly this risk has been growing in a number of recent enforcement actions against companies in the FCPA context where the SEC held companies accountable for their invoice-to-pay procedures, as well as other specific financial accounting controls.
I have never been a doomsayer or one who has tried to market legal services through fear and Chicken Little, “the sky is falling” descriptions of DOJ and SEC enforcement strategies.
The fact is that the SEC’s internal controls enforcement authority is very broad and can be applied in a variety of situations. It is important to consider that a compliance program is really just one component of a company’s overall internal controls.
Companies have to take greater care in the drafting and application of their internal controls. Too often, a company drafts and implements its internal controls in silos or to address specific issues as they arise. This haphazard approach can lead to real difficulties and problems.
Legal and compliance staff need to be involved in this process to make sure that the company is not exposing itself to unjustified risks. A company’s financial and operations staff typically leads this effort and legal and compliance are rarely, if ever, at the drafting table. Often, a set of internal controls is a historical accretion of policies and procedures adopted on an ad hoc basis. This shortsighted approach has to be replaced with a more careful strategic weighing of benefits and risks.