- FCPA Professor - https://fcpaprofessor.com -

SEC Commissioners Peirce And Roisman Hit Internal Controls Home Run

For years, these pages have highlighted off-the-rails enforcement of the Foreign Corrupt Practices Act’s books and records and internal controls provisions (see here [1], here [2], here [3], here [4], here [5], here [6], here [7] and here [8] among other posts).

Among other things, the prior posts have discussed FCPA legislative history, the FCPA’s statutory text, SEC v. World-Wide Coin Investments (believed to be the only judicial decision to directly address the substance of the books and records and internal controls provisions) and prior FCPA enforcement agency guidance – all in an effort to highlight the difficulty of reconciling existing legal authority and even enforcement agency guidance with certain FCPA books and records and internal controls enforcement theories in recent years.

Last week, SEC Commissioners Hester Peirce and Elad Roisman issued this statement [9] to explain why they voted against the SEC’s recent settled action against Andeavor LLC (see here [10] in which the company agreed to pay $20 million). As highlighted below, Commissioners Peirce and Roisman discussed the same concepts and cited the same authority which have been highlighted on these pages for years and in the process hit an internal controls home run.

In terms of background, in the Andeavor enforcement action the SEC found in summary fashion as follows:

“This matter involves Andeavor’s failure to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurance that stock buyback transactions were executed in accordance with management’s authorization.

In 2015 and 2016, Andeavor’s Board of Directors authorized the company to spend $2 billion for share repurchases. This authorization required Andeavor to comply with a policy that prohibited the company from repurchasing stock while it was in possession of material nonpublic information.

Andeavor did not, however, have internal accounting controls sufficient to provide reasonable assurance it was complying with this policy such that buyback transactions were executed in accordance with management’s authorization. Specifically, Andeavor lacked an effective process for obtaining an accurate and complete understanding of the facts and circumstances necessary to determine whether it was in possession of material non-public information and therefore prohibited from engaging in buyback transactions. As a consequence of this internal accounting controls failure, Andeavor engaged in buyback transactions that were not executed in accordance with management’s authorization.

On February 21, 2018, Andeavor’s then-Chairman and Chief Executive Officer (Andeavor’s CEO) directed the company’s Chief Financial Officer to initiate a share buyback to repurchase $250 million of shares over a period of several weeks. At the time of this direction, Andeavor’s CEO was scheduled to meet with his counterpart at Marathon two days later to resume the confidential discussions about Marathon’s potential acquisition of Andeavor at a significant premium that had taken place in 2017 (but were suspended in October of that year).

On February 22, 2018, Andeavor’s legal department approved a Rule 10b5-1 plan to repurchase $250 million of stock. It did so after concluding, based on a deficient understanding of all relevant facts and circumstances regarding the two companies’ discussions, that those discussions did not constitute material non-public information.

This lack of understanding was the result of Andeavor’s insufficient internal accounting controls. Andeavor used an abbreviated and informal process to evaluate the materiality of the acquisition discussions that did not allow for a proper analysis of the probability that Andeavor would be acquired. Andeavor’s informal process did not require conferring with persons reasonably likely to have potentially material information regarding significant corporate developments prior to approval of share repurchases. As a result, for example, despite Andeavor’s CEO’s leadership role at the company and the fact that he was the primary negotiator with Marathon, no one involved in Andeavor’s process discussed with him the prospects that Andeavor and Marathon would agree to a deal. Because they did not do so, the company failed to appreciate that the probability of Marathon’s acquisition of Andeavor was sufficiently high at that time as to be material to investors. In short, Andeavor did not have internal accounting controls that provided reasonable assurance that its buyback would be executed in accordance with its Board’s authorization.

On February 23, 2018, Andeavor executed the Rule 10b5-1 plan that its legal department had approved. Pursuant to that plan, Andeavor repurchased 2.6 million shares of its stock from investors at an average of $97 per share in February and March 2018. About six weeks after initiating the buyback, and two weeks after completing the buyback, the two companies’ CEOs reached an agreement in principle for Marathon to acquire Andeavor. On April 30, 2018, Andeavor publicly announced that it would be acquired by Marathon in a deal valuing Andeavor at over $150 per share.”

In their statement, Commissioners Peirce and Roisman began:

“Make no mistake:  Insider trading by public companies engaged in share repurchases is unacceptable, and we support all appropriate actions—including charges under Rule 10b-5—when companies use material nonpublic information to take advantage of their shareholders.  We also support all appropriate actions under Section 13(b)(2)(B) [the FCPA’s internal controls provisions] when companies have inadequate internal accounting controls that threaten to erode confidence in their financial statements.  In short, we have supported, and will continue to support, vigorous enforcement of the antifraud, disclosure, and other securities laws against corporate wrongdoers whenever appropriate.  But the tools we use must be fit for the task.  And in this case, we believe Section 13(b)(2)(B) is not the appropriate tool.”

In pertinent part, the statement then continues (footnotes omitted unless highlighted):

“Since Section 13(b)(2)(B)’s enactment in 1977, the Commission has never before found that the “internal accounting controls” required by that provision include management’s assessment of a company’s potential insider trading liability.  This application of Section 13(b)(2)(B) exceeds its limited scope.

Many have come to think of Section 13(b)(2)(B) as a general “internal controls” provision, and some may be tempted to view it as a way to ensure that companies adopt and follow all manner of worthy practices, policies, and procedures for good corporate governance and legal or ethical compliance.  That temptation may be heightened by the ease with which a violation of this provision can be alleged.  No scienter need be found; even good-faith corporate behavior may be scrutinized with 20/20 hindsight; and as others have recognized, “there are no specific standards” in the statute “by which to evaluate the sufficiency of controls,” making it “a highly subjective process in which knowledgeable individuals can arrive at totally different conclusions.”

In light of those temptations, we should be especially mindful of the limits Congress chose to enact along with this provision.  By thinking of Section 13(b)(2)(B) as a generic “internal controls” provision, we overlook an important limit:  This provision requires not “internal controls” but “internal accounting controls.”  Its full text makes clear that accounting is its central focus:

[Issuers shall] devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—

  1. transactions are executed in accordance with management’s general or specific authorization;
  2. transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;
  3. access to assets is permitted only in accordance with management’s general or specific authorization; and
  4. the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.

Section 13(b)(2)(B)’s companion provision, Section 13(b)(2)(A) [the books and records provisions], likewise requires issuers to make and keep “books, records, and accounts” that “accurately and fairly reflect the transactions and dispositions of the assets” of the issuer.

Read in its statutory context, the required internal accounting controls seem primarily to concern the accounting for a public company’s assets and transactions to ensure that its financial statements are prepared in accordance with generally accepted accounting principles, thereby ensuring that financial statements are accurate and reliable when disclosed to investors.  To be sure, if one reads in isolation the language of the statute regarding “management’s general or specific authorization” for “transactions” and “access to assets,” one might take a broader view.  After all, nearly every corporate action involves transactions or corporate assets in some way; and at least in some general sense, management directs, authorizes, or controls every such action (or fails to do so).”

In a footnote, the statement then rightly notes that the FCPA defines “reasonable assurances” as the “degree of assurance as would satisfy prudent officials in the conduct of their own affairs” and states: “While this element might restrain the most extreme possible applications of the [internal controls provisions] the open-ended nature of the standard underscores the need to be attentive to other textual limits.”

The statement continues:

“However, such a reading would go well beyond the realm of “accounting controls” to which Congress confined Section 13(b)(2)(B), and thus would read that limitation out of the statutory text.

Both the “internal accounting controls” and “books, records, and accounts” provisions were enacted in the Foreign Corrupt Practices Act of 1977 (FCPA) in response to concerns about companies paying bribes to foreign officials.  Such corrupt behavior was often facilitated by inadequate accounting controls that enabled employees to omit, disguise, or conceal the source and application of corporate funds from management, auditors, and investors—for example, off-the-books “slush funds” disbursed “outside the normal financial accountability system.” As the Commission explained in an influential report to Congress in which it proposed the language that became Section 13(b)(2)(B), “[t]hese practices cast doubt on the integrity and reliability of the corporate books and records which are the very foundation of the disclosure system established by the federal securities laws.” Thus, the Commission characterized internal accounting controls as the means by which corporations ensure that they “account for their funds properly” in their accounting records. The Senate report on the FCPA echoed the same theme.  Under the heading “Accurate accounting,” the report explained that “[t]he purpose” of the section of the bill including internal accounting controls was “to strengthen the accuracy of the corporate books and records and the reliability of the audit process which constitute the foundations of our system of corporate disclosure.”

Moreover, as the two reports acknowledged, the precise language of Section 13(b)(2)(B) was taken from the authoritative accounting literature, namely from a Statement on Auditing Standards published by the American Institute of Certified Public Accountants.  Those auditing standards further delineated the limited scope of internal accounting controls by emphasizing a distinction between “administrative control” and “accounting control.” The standards defined “accounting control” as limited to the plan of organization and the procedures and records “that are concerned with the safeguarding of assets and the reliability of financial records.”  By “safeguarding” assets, the standards clarified that they do not mean “protection against something undesirable,” which “could lead to a broad interpretation” that “any procedures or records entering into management’s decision-making processes are comprehended.” In contrast to the limited definition of accounting control, administrative control was defined in a more open-ended manner that “includes” procedures and records “concerned with the decision processes leading to management’s authorization of transactions” and is “directly associated with the responsibility for achieving the objectives of the organization.”

Thus, accounting control “is within the scope of the study and evaluation of internal control contemplated by generally accepted auditing standards, while administrative control is not.”  Put another way, “accounting controls . . . generally bear directly and importantly on the reliability of financial records and require evaluation by the auditor,” while “[a]dministrative controls . . . ordinarily relate only indirectly to the financial records and thus would not require evaluation.”

More specifically with respect to the requirements that “transactions” and “access to assets” be executed or permitted “in accordance with management’s general or specific authorization,” the auditing standards shed additional light.  While the standards noted that the authorization of a transaction encompasses the transaction’s terms, the examples involved only accounting and financial terms. Accounting controls thus may involve comparing “invoices” with “purchase orders in approving vouchers for payments,” comparing “paid checks” with “approved vouchers” through reconciliations and related procedures, or comparing transactions to company policies such as “general price lists, credit policies, or automatic reorder points.”

The standards were even more circumscribed when addressing authorization of “access to assets,” which was described as requiring only that “access to assets be limited to authorized personnel.”  In fact, the standards cautioned that “limiting access to authorized personnel is the maximum constraint that is feasible for accounting control purposes in this respect.”  Notably absent from discussion of these standards is any reference to ethics or legal compliance policies, or to any of the other myriad corporate policies and practices that are very important in every corporation, but that do not implicate accounting.

We are concerned that the Commission’s resolution of this case—if pursued to its logical conclusion in future cases—risks uprooting the core concept of “internal accounting controls” from the language, statutory context, and history of Section 13(b)(2)(B).  There may be temptation to simply view this provision as a generic “internal controls” requirement.  While this case is unprecedented in its application of the provision to the insider trading compliance context, the Commission has settled other actions in the recent past based on similar theories of inadequate internal controls that go well beyond the realm of “accounting controls.”  It has found a violation, for example, where controls were inadequate to ensure that an airline’s approval of a domestic flight route was consistent with its ethics policy.”

In a footnote, the statement then references the SEC’s 2016 enforcement action against United Continental Holdings (see here [6] for the prior post) and an article titled “The SEC’s Unlawful and Dangerous Expansion of the Exchange Act” (see here [5] for the FCPA Flash podcast with the article’s author). The statement then says: “While some of these recent settled actions have been brought during our time on the Commission, our discomfort with the use of the [internal controls provisions] outside the accounting context has grown as we have given the matter further thought. With the benefit of this thought, we may have a different view in future actions than we have taken in the past.”

The statement concludes:

“No court, however, has adopted the expansive view of Section 13(b)(2)(B) that such actions seem to require.

As for this case, we see no evidence that Andeavor’s internal controls were inadequate with respect to the accounting for its repurchase transactions.  Andeavor’s Board of Directors authorized the company to spend $2 billion for share repurchases, and its CEO directed the company’s CFO to initiate the repurchase of $250 million of its shares over a period of several weeks.  While we agree that Andeavor’s decision processes in this case left substantial room for improvement, and inadequate processes may expose a company to potential Rule 10b-5 liability, we doubt it is our role under Section 13(b)(2)(B) to second-guess management’s decision processes on matters that do not directly implicate the accuracy of a company’s accounting and financial statements.”
