THE EFFECTS OF THE SARBANES-OXLEY ACT ON DIRECTORS’ RESPONSIBILITIES AND LIABILITIES

Robert D. Strahota, Assistant Director*
Office of International Affairs
U.S. Securities and Exchange Commission

Prepared for Third OECD South-Eastern Europe Corporate Governance Roundtable
Zagreb, Croatia
November 21-22, 2002

*The U.S. Securities and Exchange Commission, as a matter of policy, disclaims responsibility for any publication or presentation by its employees. The views expressed in this presentation are those of Mr. Strahota and do not necessarily reflect the views of the Commission, individual Commissioners, or Mr. Strahota’s colleagues on the staff of the Commission.

SARBANES-OXLEY OVERVIEW

• On July 30, 2002, President Bush signed the Sarbanes-Oxley Act of 2002 (Sarbanes-Oxley) into law
• Sarbanes-Oxley is the most important securities legislation affecting public companies, and thus, officers and directors of public companies, since the Securities and Exchange Commission (SEC) was formed in 1934
• While the new law was prompted by problems encountered in the U.S., these problems are global in dimension
• Sarbanes-Oxley’s provisions generally make no distinction between U.S. and foreign issuers who seek to access U.S.
capital markets
  – The terms “issuer” and “public company” as used in many places throughout Sarbanes-Oxley mean an issuer the securities of which are registered under the Securities Exchange Act of 1934 (Exchange Act), which is required to file reports under the Exchange Act, or that has filed a registration statement for a public offering of its securities under the Securities Act of 1933 that has not become effective and that has not been withdrawn
• SEC’s mandate is to implement Sarbanes-Oxley fully for all issuers, foreign and domestic, but it is prepared to consider how it may fulfill this mandate through rulemaking and interpretive authority in ways that accommodate home country requirements and regulatory approaches to foreign issuers and accountants

OBJECTIVES OF THIS PRESENTATION

• To identify the provisions of Sarbanes-Oxley that affect directors’ responsibilities and liabilities
  – Provisions affecting CEOs and CFOs also will be covered since CEOs and CFOs often serve as directors
• To consider how Sarbanes-Oxley’s requirements may affect directors’ liabilities under U.S.
securities laws and the common law duty of care
• To consider the relevance of Sarbanes-Oxley’s approach to implementation of the OECD Principles of Corporate Governance provisions regarding directors’ responsibilities
  – No one would suggest that another country should enact legislation identical to Sarbanes-Oxley
  – Many, however, may wish to consider Sarbanes-Oxley’s approach that places heightened responsibilities on corporate directors, CEOs and CFOs, provided that these persons have adequate legal defenses and other rights available to them

SUMMARY OF SARBANES-OXLEY PROVISIONS AFFECTING DIRECTORS, CEOs AND CFOs

• Listed company audit committee independence requirements and responsibilities (Section 301)
• CEO and CFO financial statement-related certifications (Sections 302 and 906)
• Unlawful for any officer or director or person acting under the direction thereof to fraudulently influence, coerce, manipulate or mislead any independent accountant engaged to audit the financial statements of an issuer for purposes of rendering the financial statements materially misleading (Section 303)
• If there is a material restatement of an issuer’s reported financial results due to the material noncompliance of the company, as a result of misconduct, the CEO and CFO shall reimburse the issuer for any bonus or incentive or equity-based compensation received within the 12 months following the filing with the financial statements subsequently required to be restated (Section 304)

SUMMARY OF SARBANES-OXLEY PROVISIONS AFFECTING DIRECTORS, CEOs AND CFOs

• Prohibition on insider transactions during pension fund blackout periods (Section 306)
• Audit Committee or committee of independent directors may have to consider attorney’s reports regarding material violations of securities law, breach of fiduciary duty or similar violations (Section 307)
• Prohibition on personal loans to executive officers and directors of the issuer, subject to limited exceptions (Section 402)
• Disclosure whether the issuer has a code of ethics for senior financial officers, and if so, of any determination to change or waive the code (Section 406)
• Board designation and disclosure of audit committee financial expert (under SEC Section 407 rule proposals)

SARBANES-OXLEY AUDIT COMMITTEE REQUIREMENTS

• Sarbanes-Oxley defines “audit committee” for purposes of the Act and the Exchange Act as: “a committee (or equivalent body) established by and amongst the board of directors of an issuer for purposes of overseeing the accounting and financial reporting processes of the issuer and audits of the financial statements of the issuer; and …if no such committee exists with respect to an issuer, the entire board of directors of the issuer”
• For certain purposes, however, Sarbanes-Oxley imposes additional requirements regarding the composition and responsibilities of an “audit committee”
• E.g., Independence under Exchange Act Section 10A(m) means that an audit committee member is not an affiliate of the issuer or any subsidiary and that the member receives no consulting, advisory or compensatory fee from the issuer except in his capacity as a member of the audit committee, another board committee or the board of directors

SARBANES-OXLEY AUDIT COMMITTEE REQUIREMENTS

• Section 301 of Sarbanes-Oxley adds new Section 10A(m) to the Exchange Act and requires that by April 26, 2003 the SEC, by rule, direct the national securities exchanges and NASD to prohibit the listing of securities of any company, including foreign companies, that do not meet the following requirements:
  – Each member of the company’s audit committee must be a director and must otherwise be independent;
  – The audit committee must be responsible for hiring and discharging the independent auditors
  – The audit committee shall be responsible for approval of all audit and non-audit services
  – The audit committee shall receive reports from the independent auditors regarding critical accounting policies and
practices, discussions that have taken place with management regarding alternative treatments of financial information under GAAP, and any accounting disagreements and other material written communications between the auditors and management
  – The audit committee must establish procedures to receive and address complaints regarding accounting, internal control and audit issues, and to provide company employees an opportunity to make confidential, anonymous submissions regarding accounting and auditing matters

CEO AND CFO CERTIFICATION OF FINANCIAL REPORTS

• Sarbanes-Oxley requires two types of certifications by the CEOs and CFOs of all SEC reporting companies
• On August 27, the SEC adopted Exchange Act rules required to implement Section 302 of Sarbanes-Oxley, which requires a company’s CEO and CFO to certify the contents of the company’s quarterly and annual reports.
• The CEO and CFO must certify that:
  – he or she has reviewed the report;
  – based on his or her knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading;
  – based on his or her knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition and results of operations of the issuer as of, and for, the periods presented in the report;

EXCHANGE ACT – CEO AND CFO CERTIFICATION CONTINUED

The CEO and CFO
  – are responsible for establishing and maintaining "disclosure controls and procedures" (a newly-defined term reflecting the concept of controls and procedures related to disclosure) for the issuer;
  – have designed such disclosure controls and procedures to ensure that material information is made known to them, particularly during the period in which the periodic report is being prepared;
  – have evaluated the effectiveness of the
issuer's disclosure controls and procedures within 90 days of the date of the report; and
  – have presented in the report their conclusions about the effectiveness of the disclosure controls and procedures based on the required evaluation

EXCHANGE ACT CERTIFICATION - CONT.

• The CEO and CFO also must certify that they have disclosed to the company’s auditors and to the audit committee of the board of directors (or persons fulfilling the equivalent function):
  – All significant deficiencies in the design or operation of internal controls (a pre-existing term relating to internal controls regarding financial reporting) which could adversely affect the issuer's ability to record, process, summarize and report financial data and have identified for the issuer's auditors any material weaknesses in internal controls; and
  – Any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls; and
  – Whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.

CEO AND CFO CERTIFICATION UNDER SECTION 906 OF SARBANES-OXLEY

• Like Section 302, this certification requirement applies to the CEOs and CFOs of all companies required to file reports under the Exchange Act
• Unlike Section 302, which is implemented by SEC rules, Section 906’s certification requirement is set forth as an amendment to the U.S.
Criminal Code
• Section 906 requires the CEO and CFO to certify that an Exchange Act periodic report containing financial statements complies with the reporting requirements of the Exchange Act and that the information in the periodic report fairly presents, in all material respects, the financial condition and results of operations of the company
• Both Section 302, as to financial statements and other financial information, and Section 906, as to information, require representations whether the financial condition and results of operations of the company are fairly presented. Unlike an audit report, however, these representations are not qualified by the words “in accordance with GAAP”. This reflects SEC and Congressional intent that the CEO and CFO certifications are intended to be broader in scope
• Unlike Section 302, Section 906’s certification is not qualified by knowledge or materiality; however, a person must act knowingly to violate Section 906

SARBANES-OXLEY ATTORNEY’S OBLIGATION TO REPORT ILLEGAL ACTS

• Section 307 of Sarbanes-Oxley requires the SEC to issue rules by January 26, 2003 that will set forth minimum standards of professional conduct for attorneys appearing and practicing before the SEC in any way in the representation of issuers, including an “up the ladder” reporting rule:
  – Requiring an attorney to report evidence of a material violation of securities law or breach of fiduciary duty or similar violation by the issuer or any agent thereof, to the chief legal counsel or the CEO of the issuer; and
  – If the counsel or officer does not appropriately respond to the evidence (adopting, as necessary, appropriate remedial measures or sanctions with respect to the violation), requiring the attorney to report the evidence to the audit committee of the board of directors of the issuer or to another committee of the board of directors comprised solely of directors not employed directly or indirectly by the issuer, or to the board of directors
• SEC rule
proposals to implement Section 307 were issued on November 6 and, as proposed, would apply to both outside counsel and in-house counsel as well as foreign attorneys representing an issuer before the SEC

SECTION 307 RULE PROPOSALS

• Section 205.3(d) of the SEC’s proposals would deal with the obligation of an attorney who has not received an appropriate response from the issuer and, in certain instances, permits a “noisy withdrawal”
• The rule would provide that where an attorney files a notification with the SEC as part of a “noisy withdrawal,” no violation of the attorney/client privilege occurs
• As an alternative process for considering attorneys’ reports of material violations, an issuer may (but is not required to) establish a qualified legal compliance committee (QLCC) comprised of at least one member of the issuer’s audit committee and two or more other members of the board of directors who are independent.
• The QLCC would be authorized to require the issuer to take remedial action. If the issuer were to fail to act as directed, each QLCC member would have the responsibility to notify the SEC.
• Attorneys who report evidence of a material violation to a QLCC would not be subject to the noisy withdrawal provision

ADDITIONAL SARBANES-OXLEY PROVISIONS

• In general, Sarbanes-Oxley
  – increases criminal penalties for securities fraud, including financial fraud;
  – eases the standard for barring persons who commit securities fraud from serving as officers and directors of public companies;
  – permits the SEC to pursue such officer and director bars in administrative proceedings as well as in the courts;
  – adds sanctions and strengthens existing sanctions, regarding destruction, alteration or falsification of records in investigations, and destruction of audit records;
  – provides a longer statute of limitations for securities fraud;
  – includes whistle blower protections; and
  – limits discharge of securities law violators’ debts in bankruptcy

ANY VIOLATION OF SARBANES-OXLEY MAY BE PROSECUTED AS A VIOLATION OF THE EXCHANGE ACT

• Sarbanes-Oxley Section 3(b)(1) provides: A violation by any person of this Act, any rule or regulation of the Commission under this Act, or any rule of the [Public Company Accounting Oversight Board] shall be treated for all purposes in the same manner as a violation of the Securities Exchange Act of 1934 (15 U.S.C. 78a et seq.) or the rules or regulations issued thereunder, consistent with the provisions of this Act, and any such person shall be subject to the same penalties, and the same extent, as for a violation of that Act or such rules or regulations.

STATUTORY BASIS OF DIRECTORS’ LIABILITY FEDERAL SECURITIES LAWS

• Exchange Act antifraud provisions of Section 10(b) and Rule 10b-5, for which the courts have implied a private right of action
  – Scienter or recklessness requirement
  – In connection with the purchase or sale of a security requirement
• Exchange Act Section 18(a) imposes liability on “[a]ny person who shall make or cause to be made” a false or misleading statement in an Exchange Act report.
Liability is to the purchaser or seller of a security at a price affected by the false or misleading statement, for damages caused by such reliance, unless the defendant can prove that he acted in good faith and had no knowledge that such statement was false or misleading
• Exchange Act Section 20(a) controlling person liability. “Every person who, directly or indirectly, controls any person liable under any provision of this title or of any rule or regulation thereunder shall also be liable jointly and severally with and to the same extent as such controlled person to any person to whom such controlled person is liable, unless the controlling person acted in good faith and did not directly or indirectly induce the act or acts constituting the violation or cause of action”
• Securities Act of 1933. Potential civil liability under Sections 11 and 12(a)(2)

DIRECTORS’ DUTY OF CARE

• Audit committees of directors are charged with financial oversight responsibility as delegated by the full board of directors
• Accordingly, both audit committee members and the full board of directors have a duty of care to the company and its shareholders
• Discharge of this duty generally requires, among other things:
  – That board members be duly diligent and act in good faith
  – In the case of audit committee members, the duty of care requires members to:
    • Be fully informed and observe committee processes, which include attendance, proactive questioning and discussion with management and the independent auditors
    • Ensure that the company has an adequate system of internal controls to monitor red flags and preserve the integrity of financial reporting; and
    • Oversee the financial reporting process, which requires confirmation of the outside auditors’ independence and necessitates an understanding of the company’s business, its risks and critical accounting policies

CAREMARK INT’L. DERIVATIVE LITIGATION

• In this leading case, 698 A.2d 959 (Del.Ch.
1996), the Delaware Chancery Court held that the board of directors’ duty of oversight includes a duty to ensure that “appropriate information and reporting systems” exist to provide the board with access to timely, accurate and adequate information to ensure corporate compliance and business performance; however, the level of detail required is a matter of business judgment
• Caremark suggests that in evaluating a company’s management systems and the structure of internal controls, board (or audit committee) members should test and challenge those systems rather than just relying on the auditors’ and management’s reports to identify any deficiencies
• While Caremark represents a departure from prior case law that recognized a presumption of business regularity and did not impose affirmative obligations on directors absent cause for suspicion, Caremark nevertheless follows a traditional business judgment rule analysis in holding that directors are able to fulfill their duty of monitoring under Delaware law by making a good faith, reasonable effort to implement an adequate reporting system
• Compare the SEC’s Report of Investigation in W.R. Grace & Co. (Exchange Act Rel. No. 34-39157 (Sept. 30, 1997)), indicating: “An officer or director may rely upon the company’s procedures for determining what disclosure is required only if he or she has a reasonable basis for believing that those procedures have resulted in full consideration of those issues”

PROVISIONS OF U.S. LAWS THAT MITIGATE THE POTENTIAL CIVIL LIABILITY OF DIRECTORS

• Business judgment rule
• Due diligence defenses
• Good faith reliance upon the records of the corporation and upon such information, reports, opinions or statements provided by corporate officers, employees, board committees and professional advisors; e.g., Del. Gen. Corp. Law, Section 141(e)
• Charter provisions that limit liability for damages for breach of the duty of care; e.g., Del. Gen. Corp. Law,
Section 102(b)(7)
• Indemnification and contribution
• Insurance

CONCLUSIONS

• Sarbanes-Oxley makes it easier to prosecute securities fraud, particularly financial fraud.
• One of the most direct ways in which the Act accomplishes this objective is to place greater responsibility on senior management and directors, particularly independent directors and audit committee members, by requiring them to take a substantially more proactive role in overseeing and monitoring the financial reporting process, including disclosure and reporting systems and internal controls
• While Sarbanes-Oxley increases civil and criminal enforcement authority over the conduct of corporate officers and directors, it does not purport to change the civil liability provisions that may apply to directors’ conduct under federal securities laws or the common law duty of care
• However, there is no question that potential civil liability for directors will be greater after Sarbanes-Oxley
• For those countries considering provisions, such as Sarbanes-Oxley, that place increased responsibilities on directors, the prospect of directors’ civil liability should be viewed in the context of whether there are sufficient legal defenses and other provisions available to mitigate such liability without compromising directorial responsibility, so that corporations will be able to attract and retain qualified corporate directors