I’ve long believed that in certain instances, the SEC should use its Section 21(a) report of investigation powers to address emerging Foreign Corrupt Practices Act issues rather than bring an actual enforcement action.
Recently the SEC did just that in this report “regarding certain cyber-related frauds perpetrated against public companies and related internal accounting controls requirements.”
As highlighted below, in the report the SEC cites FCPA legislative history and prior SEC FCPA guidance, and otherwise takes positions that seemingly undermine the internal controls enforcement theories it advances in many traditional FCPA enforcement actions involving alleged foreign bribery.
As stated in the intro of the SEC’s report:
“The United States Securities and Exchange Commission’s (“Commission”) Division of Enforcement (“Division”), in consultation with the Division of Corporation Finance and the Office of the Chief Accountant, investigated whether certain public issuers that were victims of cyber-related frauds may have violated the federal securities laws by failing to have a sufficient system of internal accounting controls.
In connection with the investigation, the Commission considered whether the issuers complied with the requirements of Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934 (“Exchange Act”) [the FCPA’s internal controls provisions]. Those provisions require certain issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed with, or that access to company assets is permitted only with, management’s general or specific authorization. As the Senate emphasized over four decades ago when passing these provisions, “[a] fundamental aspect of management’s stewardship responsibility is to provide shareholders with reasonable assurances that the business is adequately controlled.” While the cyber-related threats posed to issuers’ assets are relatively new, the expectation that issuers will have sufficient internal accounting controls and that those controls will be reviewed and updated as circumstances warrant is not.
The Commission has determined not to pursue an enforcement action in these matters based on the conduct and activities of these public issuers that are known to the Commission at this time. The Commission, however, deems it appropriate and in the public interest to issue this Report of Investigation (“Report”) pursuant to Section 21(a) of the Exchange Act to make issuers and other market participants aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws. Having sufficient internal accounting controls plays an important role in an issuer’s risk management approach to external cyber-related threats, and, ultimately, in the protection of investors.”
As noted in the report, “the Division’s investigation focused on the internal accounting controls of nine issuers that were victims of one of two variants of schemes involving spoofed or compromised electronic communications from persons purporting to be company executives or vendors. […] Each of the nine issuers lost at least $1 million; two lost more than $30 million.”
According to the SEC, there were two schemes: “e-mails from fake executives” and “e-mails from fake vendors.” As to the former, the SEC stated:
“These were not sophisticated frauds in general design or the use of technology. In fact, from a technological perspective they only required creating an email address to mimic the executive’s address.”
As to the latter, the SEC stated:
“Unlike the fake executive scams, the spoofed vendor emails had fewer indicia of illegitimacy or red flags. In fact, several victims only learned of the scam when the real vendor raised concerns about nonpayment on outstanding invoices. Because vendors often afford issuers months before considering a payment delinquent, the scams, in certain circumstances, were able to continue for an extended period of time.”
The discussion portion of the report states in pertinent part:
“In light of the risks associated with today’s ever expanding digital interconnectedness, public companies should pay particular attention to the obligations imposed by Section 13(b)(2)(B) to devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investor assets from cyber-related frauds. More specifically, Section 13(b)(2)(B)(i) and (iii) require certain issuers to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (i) transactions are executed in accordance with management’s general or specific authorization,” and that “(iii) access to assets is permitted only in accordance with management’s general or specific authorization.” As the Senate underscored when these provisions were passed, “[t]he expected benefits from the conscientious discharge of these responsibilities are of basic importance to investors and the maintenance of the integrity of our capital market system.”
Virtually all economic activities now take place through digital technology and electronic communication, leaving business transactions and assets susceptible to a variety of cyber-related threats. This is a growing global problem, and cyberscams like the ones described above that target an issuer’s assets are an ever-increasing part of the cybersecurity threats faced by a wide variety of businesses, including issuers with Section 13(b)(2)(B) obligations. The financial and other impacts of these frauds can be significant, as the instances described above attest.
As noted above, these frauds were not sophisticated in design or the use of technology; instead, they relied on technology to search for both weaknesses in policies and procedures and human vulnerabilities that rendered the control environment ineffective. Having internal accounting control systems that factor in such cyber-related threats, and related human vulnerabilities, may be vital to maintaining a sufficient accounting control environment and safeguarding assets.
These examples underscore the importance of devising and maintaining a system of internal accounting controls attuned to this kind of cyber-related fraud, as well as the critical role training plays in implementing controls that serve their purpose and protect assets in compliance with the federal securities laws. The issuers here, for instance, had procedures that required certain levels of authorization for payment requests, management approval for outgoing wires, and verification of any changes to vendor data. Yet they still became victims of these attacks. The existing controls could be (and were) interpreted by the company’s personnel to mean that the (ultimately compromised) electronic communications were, standing alone, sufficient to process significant wire transfers or changes to vendor banking data. To that end, after falling victim to these frauds, each of the issuers sought to enhance their payment authorization procedures, and verification requirements for vendor information changes. Moreover, as noted above, many of these issuers only learned of the fraud as a result of third-party notices, such as from law enforcement or foreign banks. Thereafter, these issuers took steps to bolster their account reconciliation procedures and outgoing payment notification processes to aid detection of payments resulting from fraud.”
The SEC’s report also concludes, no doubt with the benefit of hindsight, that there were things the issuers could have done better and states:
“Systems of internal accounting controls, by their nature, depend also on the personnel that implement, maintain, and follow them. In the context of the business email compromises the Division reviewed, the frauds succeeded, at least in part, because the responsible personnel did not sufficiently understand the company’s existing controls or did not recognize indications in the emailed instructions that those communications lacked reliability. For example, in one matter, the accounting employee who received the spoofed email did not follow the company’s dual-authorization requirement for wire payments, directing unqualified subordinates to sign-off on the wires. In another, the accounting employee misinterpreted the company’s authorization matrix as giving him approval authority at a level reserved for the CFO. And there were numerous examples where the recipients of the fraudulent communications asked no questions about the nature of the supposed transactions, even where such transactions were clearly outside of the recipient employee’s domain and even where the employee was asked to make multiple payments over days and even weeks. In two instances the targeted recipients were themselves executive-level employees—chief accounting officers—who initiated payments in response to fake executive emails. To this end, while most of the issuers had some form of training regarding controls and information technology in place prior to the scams, all of them enhanced their training of responsible personnel about relevant threats, as well as about pertinent policies and procedures following the frauds.”
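The two schemes and the control failures quoted above (a spoofed executive address that "only required creating an email address to mimic the executive's address", dual authorization satisfied by unqualified subordinates, a misread authorization matrix, and vendor bank-detail changes accepted on the strength of an e-mail) reduce to a small set of checks a payment process can enforce mechanically. The following is an added illustration written for this page; it is not code from the SEC report or from any of the nine issuers, and every address, role, dollar limit and scenario in it is constructed. Its point is the one the report makes: the e-mail is evidence that a request was made, never the authorization to pay it.

```python
"""Payment-request gate illustrating the control gaps in the SEC report.

Added example, not code from the SEC report or any issuer. All names,
addresses, roles and limits below are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed authorization matrix: role -> largest single wire (USD) that
# role may approve. An AP clerk has no approval authority at all.
AUTH_MATRIX = {"ap_clerk": 0, "controller": 250_000, "cfo": 5_000_000}

# Constructed directory of the only addresses the executive and the vendor
# actually send from. Anything else is at best an unknown sender.
KNOWN_SENDERS = {"cfo@example-corp.com", "billing@acme-supplies.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(addr: str) -> str:
    """'known' on exact match, 'lookalike' if the domain is within two edits
    of a known domain (e.g. example-c0rp.com), otherwise 'unknown'.
    A genuinely compromised mailbox still reads as 'known', which is why
    evaluate() never relies on the sender check alone."""
    addr = addr.strip().lower()
    if addr in KNOWN_SENDERS:
        return "known"
    domain = addr.rpartition("@")[2]
    for known in KNOWN_SENDERS:
        kdomain = known.rpartition("@")[2]
        if domain != kdomain and edit_distance(domain, kdomain) <= 2:
            return "lookalike"
    return "unknown"


@dataclass
class WireRequest:
    sender: str                 # From: address of the instruction e-mail
    amount: float               # USD
    approvers: list             # (user, role) pairs who signed off
    bank_details_changed: bool  # vendor asked for a new account number
    oob_verified: bool          # confirmed via a phone number already on
                                # file, never one supplied in the e-mail


def evaluate(req: WireRequest) -> tuple[bool, list[str]]:
    """Return (approved, reasons). The e-mail is evidence, never authorization."""
    reasons = []
    kind = classify_sender(req.sender)
    if kind != "known":
        reasons.append(f"sender {req.sender} is {kind}")
    # Dual authorization: two distinct people, each with matrix authority
    # for this amount. Subordinates without authority do not count.
    qualified = {user for user, role in req.approvers
                 if AUTH_MATRIX.get(role, 0) >= req.amount}
    if len(qualified) < 2:
        reasons.append("dual authorization not met by qualified approvers")
    # Bank-detail changes require verification outside the e-mail channel.
    if req.bank_details_changed and not req.oob_verified:
        reasons.append("bank detail change not verified out of band")
    return (not reasons, reasons)


# Constructed scenarios mirroring the report's two schemes.
LEGIT = WireRequest("cfo@example-corp.com", 100_000,
                    [("alice", "controller"), ("bob", "cfo")], False, False)
FAKE_EXEC = WireRequest("cfo@example-c0rp.com", 750_000,        # spoofed domain
                        [("carol", "ap_clerk"), ("dave", "ap_clerk")], False, False)
MISREAD_MATRIX = WireRequest("cfo@example-corp.com", 1_000_000,
                             [("alice", "controller"), ("erin", "controller")],
                             False, False)
FAKE_VENDOR = WireRequest("billing@acme-supp1ies.com", 40_000,  # spoofed vendor
                          [("alice", "controller"), ("bob", "cfo")], True, False)

if __name__ == "__main__":
    for name, req in [("legit", LEGIT), ("fake exec", FAKE_EXEC),
                      ("misread matrix", MISREAD_MATRIX), ("fake vendor", FAKE_VENDOR)]:
        print(name, evaluate(req))
```

The lookalike check catches the cheap spoof the report describes, but a vendor or executive mailbox that has actually been taken over passes it; the dual-authorization and out-of-band checks are what stand between that case and a wire, which is why the report treats training on the existing procedures as part of the control rather than an afterthought.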
In conclusion, the report states:
“By this report, the Commission is not suggesting that every issuer that is the victim of a cyber-related scam is, by extension, in violation of the internal accounting controls requirements of the federal securities laws. What is clear, however, is that internal accounting controls may need to be reassessed in light of emerging risks, including risks arising from cyber-related frauds. Public issuers subject to the requirements of Section 13(b)(2)(B) must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.
Ultimately, issuers themselves are in the best position to develop internal accounting controls that account for their particular operational needs and risks in complying with Section 13(b)(2)(B). In performing this analysis, issuers should evaluate to what extent they should consider cyber-related threats when devising and maintaining their internal accounting control systems. Given the prevalence and continued expansion of these attacks, issuers should be mindful of the risks that cyber-related frauds pose and consider, as appropriate, whether their internal accounting control systems are sufficient to provide reasonable assurances in safeguarding their assets from these risks.”
In this SEC release, Stephanie Avakian (Co-Director of the SEC Enforcement Division) stated:
“In light of the facts and circumstances, we did not charge the nine companies we investigated, but our report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations.”
There are obvious parallels between the facts in the SEC’s report and those in certain FCPA enforcement actions, and a seeming contradiction between the no-enforcement approach the SEC took here and the approach it takes in many traditional FCPA enforcement actions involving alleged foreign bribery.
In the report, the SEC stated that the issuers were “victims” of fraud.
Well, in certain FCPA enforcement actions a legitimate conclusion to draw is that the issuer was likewise a victim of fraud by a small group of employees or outside third parties. By way of example (several other enforcement actions could be cited as well), consider the SEC’s enforcement action against Nordion (see here and here for prior posts). The salient findings were as follows.
- Approximately 16 years prior to the enforcement action, Mikhail Gourevitch (a dual Canadian and Israeli citizen who was fired years ago by Nordion) represented to the company that “his purported childhood friend from Russia” could help the company’s business in Russia.
- Gourevitch and this eventual agent “conspired to use a portion of the funds Nordion paid the Agent to bribe Russian government officials to obtain approval for TheraSphere” a liver cancer therapy.
- Gourevitch also received kickbacks from the Agent and otherwise “hid the scheme from Nordion” through, among other things, misrepresentations to his employer. In the words of the SEC, through his conduct Gourevitch “secretly enrich[ed] himself” and received “at least $100,000 for his role in the arrangement which was not disclosed to Nordion.”
Nowhere in the SEC’s recent report do the words “prevent or detect” appear, and with good reason: that standard does not exist in the FCPA’s internal controls provisions. Why then, as has been highlighted for years on these pages, does the SEC frequently invoke a “prevent or detect” standard in FCPA enforcement actions? (See here for instance).
The SEC’s recent report cites FCPA legislative history. Now that the SEC has a newfound appreciation for the FCPA’s legislative history, how about SEC recognition of the following relevant excerpts from that history:
“The committee recognizes, however, that management must exercise judgment in determining the steps to be taken, and the cost incurred, in giving assurance that the objectives expressed will be achieved. Here, standards of reasonableness must apply. In this regard, the term ‘accurately’ does not mean exact precision as measured by some abstract principle. Rather it means that an issuer’s records should reflect transactions in conformity with generally accepted accounting principles or other applicable criteria. While management should observe every reasonable prudence in satisfying the objections called for [in the books and records and internal controls provisions] the committee recognizes that management must necessarily estimate and evaluate the cost/benefit relationships to the steps to be taken in fulfillment of its responsibilities … The size of the business, diversity of operations, degree of centralization of financial and operating management, amount of contact by top management with day-to-day operations, and numerous other circumstances are factors which management must consider in establishing and maintaining an internal accounting controls systems.”
“The conference committee adopted the ‘in reasonable detail’ qualification to the accurate and fair requirement in light of the concern that such a standard, if unqualified, might connote a degree of exactitude and precision which is unrealistic.”
In 1988, the FCPA’s books and records and internal controls provisions were amended specifically as to an issuer’s responsibility for the books and records and internal controls of minority-owned subsidiaries, an important issue given that issuers often operate in foreign markets through subsidiaries or other indirect relationships. The relevant provision added to the FCPA generally states, as to issuers which hold 50% or less of the voting power with respect to a firm, that the books and records and internal controls provisions:
“require only that the issuer proceed in good faith to use its influence, to the extent reasonable under the issuer’s circumstances, to cause such [firm] to devise and maintain a system of internal accounting controls consistent [with the books and records and internal controls provisions]. Such circumstances include the relative degree of the issuer’s ownership of the [firm] and the laws and practices governing the business operations of the country in which such firm is located. An issuer which demonstrates good faith efforts to use such influence shall be conclusively presumed to have complied with the requirements [of the books and records and internal controls provisions].”
As to the above provision, a 1988 House Conference Report stated:
“[The provision] recognizes that it is unrealistic to expect a minority owner to exert a disproportionate degree of influence over the accounting practices of a subsidiary. The amount of influence which an issuer may exercise necessarily varies from case to case. While the relative degree of ownership is obviously one factor, other factors may also be important in determining whether an issuer has demonstrated good-faith efforts to use its influence.”
The FCPA’s books and records and internal controls provisions were further amended in 1988 by defining the terms “reasonable assurance” and “reasonable detail” to mean “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.” The legislative history states as follows:
“The prudent man qualification [was adopted] in order to clarify that the current standard does not connote an unrealistic degree of exactitude or precision. The concept of reasonableness of necessity contemplates the weighing of a number of relevant factors, including the costs of compliance.”
The SEC’s recent report also cites its prior 1981 FCPA guidance (technically a speech by the SEC Chairman that was thereafter adopted as a formal statement of SEC policy, a document that has been discussed for years on these pages). Now that the SEC has a newfound appreciation for this prior FCPA guidance, how about SEC recognition of the following relevant excerpts from this policy document.
As to the FCPA’s books and records provisions:
“This provision is intimately related to the requirement for a system of internal accounting controls, and we believe that records which are not relevant to accomplishing the objectives specified in the statute for the system of internal controls are not within the purview of the recordkeeping provision. […] Nor could a company be enjoined for a falsification of which its management, broadly defined, was not aware and reasonably should not have known.”
As to the FCPA’s internal control provisions:
“The Act does not mandate any particular kind of internal controls system. The test is whether a system, taken as a whole, reasonably meets the statute’s specified objectives. ‘Reasonableness,’ a familiar legal concept, depends on an evaluation of all the facts and circumstances.”
“Private sector decisions implementing these statutory objectives are business decisions. And, reasonable business decisions should be afforded deference. This means that the issuer need not always select the best or the most effective control measure. However, the one selected must be reasonable under all the circumstances.”
“The accounting provisions’ principal objective is to reach knowing or reckless conduct.”
“The primary thrust of the Act’s accounting provisions, in short, was to require those public companies which lacked effective internal controls or tolerated unreliable recordkeeping to comply with the standards of their better managed peers. That is the context in which these provisions should be construed.”
The 1981 guidance then addresses “four of the most important” interpretative questions concerning the FCPA: “first, the degree of exactitude in recordkeeping mandated by the Act; second, the deference it affords business decisions concerning internal controls; third, whether a particular state of mind is necessary for a violation to exist; and finally, liability for compliance by subsidiaries.”
As to the “degree of exactitude”:
“I turn first to the question of whether the Act’s text or purpose mandates that business records and controls conform to a standard of absolute exactitude or that a company’s control system meet some absolute ideal. The answer is ‘no.’ Both of the Act’s accounting provisions, it should be noted, are modified by the key term ‘reasonable.’ […] In essence, therefore, the Act does provide a de minimis exemption, though not in absolute quantitative terms.
“Reasonableness, as a standard, allows flexibility in responding to particular facts and circumstances. Inherent in this concept is a toleration of deviations from the absolute. One measure of the reasonableness of a system relates to whether the expected benefits from improving it would be significantly greater than the anticipated costs of doing so. Thousands of dollars ordinarily should not be spent conserving hundreds. Further, not every procedure which may be individually cost-justifiable need be implemented; the Act allows a range of reasonable judgments.”
As to the “specific recordkeeping requirement” in the FCPA:
“This provision is not an independent unrestrained mandate to the Commission to establish novel or unprecedented corporate recordkeeping standards; it is, rather, an integral part of Congress’ efforts to assure that the business community records transactions and assets in such a way as to maintain adequate control over them. And this leads to two important conclusions: First, the Act does not establish any absolute standard of exactitude for corporate records. And, second, records which are not related to internal or external audits or to the four internal control objectives set forth in the Act are not within the purview of the Act’s accounting provisions.”
As to “deference” with respect to “issuer liability for recordkeeping violations,” the guidance states that the SEC “will look to the adequacy of the internal control system of the issuer, the involvement of top management in the violation, and the corrective actions taken once the violation was uncovered.”
It then states as follows:
“If a violation was committed by a low level employee, without the knowledge of top management, with an adequate system of internal control, and with appropriate corrective action taken by the issuer, we do not believe that any action against the company would be called for.”
The guidance next turned to the “state of mind needed to violate the Act’s accounting provisions” and reiterates that the “Act’s principal purpose is to reach knowing or reckless misconduct.” It states:
“Depending on the circumstances, intentional circumventions of a company’s system of records and of accounting controls by a low-level employee would not always be considered violations of the Act by the issuer. No system of adequate records and controls – no matter how effectively devised or conscientiously applied – could be expected to prevent all mistaken and improper transactions and disposition of assets. Given human nature, regardless of the adequacy of the system, a bookkeeper may still erroneously post entries, an overzealous agent may make unauthorized payments, or an unscrupulous employee may falsify records for his own purposes. The Act recognizes each of these limitations. Neither its text and legislative history nor its purposes suggest that occasional, inadvertent errors were the kind of problem that Congress sought to remedy in passing the Act. No rational federal interest in punishing insignificant mistakes has been articulated. And, the Act’s accounting provisions do not require a company or its senior officials to be the guarantors of all conduct of company employees.”
“The test of a company’s internal control system is not whether occasional failings can occur. Those will happen in the most ideally managed company. But, an adequate system of internal controls means that, when such breaches do arise, they will be isolated rather than systemic, and they will be subject to a reasonable likelihood of being uncovered in a timely manner and then remedied promptly. Barring, of course, the participation or complicity of senior company officials in the deed, when discovery and correction expeditiously follow, no failing in the company’s internal accounting system would have existed. To the contrary, routine discovery and correction would evidence its effectiveness.”
As to the SEC’s enforcement policy, the guidance states:
“The genius – and challenge – of [the FCPA’s books and records and internal controls provisions], it should be remembered, is their reliance on private sector decisionmaking – rather than specific federal edicts – to address an area of public concern. The Act’s eventual success or failure will, therefore, depend primarily upon business’s response. The Commission’s obligation, in turn, is to provide a regulatory environment in which the private sector can address these issues meaningfully and creatively. In this regard, we must encourage public companies to develop innovative records and control systems, to modify and improve them as circumstances change, and to correct recordkeeping errors when they occur without a chilling fear of penalty or inference that a violation of the Act is involved.”
Can you imagine what the current FCPA enforcement climate would look like if the SEC actually acted consistently with this guidance, guidance it cited in its own recent report of investigation?