The SEC’s ‘Swiss Army statute’: broad enforcement under the FCPA’s internal accounting controls provision
February 2024 | SPECIAL REPORT: CORPORATE FRAUD & CORRUPTION
Financier Worldwide Magazine
February 2024 Issue
In recent months, the Securities and Exchange Commission (SEC) charged two companies, Charter Communications and SolarWinds Corporation, with violating the “internal accounting controls” provision of the Exchange Act. This provision requires public companies to maintain such controls to help ensure the reliability of the execution and recording of their transactions, and access to and accounting for their assets.
What internal accounting controls allegedly failed at these companies, according to the SEC? None. Instead, in each case, the SEC premised its charge on its criticism of risk management and control function activities in other areas, namely, legal and compliance (in Charter Communications) and cyber security (in SolarWinds).
The cases represent the SEC’s latest – and in the SolarWinds case, its most expansive – assertion of jurisdiction under the internal accounting controls provision to punish companies for any perceived deficiency in risk management or control function activity, not limited to accounting controls. This article explores the SEC’s assertion of broad jurisdiction under the provision, and the lack of apparent support for that assertion in the language and legislative history of the statute, the case law and analogous legal contexts.
Background and legislative history
The internal accounting controls provision of the Foreign Corrupt Practices Act (FCPA), codified in section 13(b)(2)(B) of the Exchange Act, requires publicly traded companies to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that: (i) transactions are executed in accordance with management’s general or specific authorisation, and are recorded as necessary to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and to maintain accountability for assets; (ii) access to assets is permitted only in accordance with management’s general or specific authorisation; and (iii) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.
Charter Communications
On 14 November 2023, the SEC announced a settled consent order with Charter Communications, including a $20m penalty, in connection with the company’s stock repurchase plan. The company’s board had authorised certain buybacks using trading plans that comply with rule 10b5-1 of the Exchange Act, which provides an affirmative defence to insider trading liability for trading plans that satisfy certain conditions, including that planned trades are not changed after the trading plan’s adoption.
The SEC alleged that the company’s plans did not comply with rule 10b5-1 because they afforded management some flexibility to alter the timing and amount of buybacks. But the SEC did not assert an insider trading claim based on the company’s actual buybacks. Instead, the SEC asserted a violation of the internal accounting controls provision, claiming that the company lacked reasonable controls to assess whether the plans complied with rule 10b5-1, and thus that the company’s buybacks were “effectively unauthorised” even though the board had authorised them. The SEC justified its theory on the basis that the provision “goes beyond the preparation of financial statements and broadly covers management authorisations for transactions”.
Two SEC commissioners took the rare step of dissenting, observing that the consent order was “simply the latest application of the unsupportable and ill-considered interpretation” of the internal accounting controls provision that the SEC offered in an earlier consent order (among others). The commissioners argued that it was improper for the SEC to read the provision broadly to cover all internal controls when, on its face, it applies only to accounting controls.
They further criticised the SEC’s use of the provision as “its own Swiss Army statute – a multi-use tool handy for compelling companies to adopt and adhere to policies and procedures that the Commission deems good corporate practice... [and] that magically converts every corporate activity into something the Commission regulates”.
SolarWinds
Notwithstanding the commissioners’ concern, in a lawsuit recently filed against SolarWinds and its chief information security officer, the SEC has expanded the asserted scope of its jurisdiction under the internal accounting controls provision further than ever before.
The lawsuit stems from the breach of SolarWinds and its software product, Orion, which was widely used for IT management. Through the breach, Russia’s Foreign Intelligence Service compromised many US government agencies, the apparent focus of the attack, and companies across sectors.
The SEC’s complaint alleges that SolarWinds misled investors and customers about known, material cyber security weaknesses and risks, and lacked adequate disclosure controls and procedures. The SEC also claimed that SolarWinds violated the internal accounting controls provision on the theory that the company lacked adequate cyber security controls to ensure that its “assets”, in the form of its IT infrastructure, source code and products, “were accessed only in accordance with management’s authorisation” for purposes of the provision.
In asserting that the company’s “assets” for purposes of the internal accounting controls provision include non-financial assets, such as products, IT infrastructure and source code, the SEC’s claim is unprecedented in scope. By this reading, whenever a company’s physical assets, IT system or intellectual property is accessed without authorisation, damaged or stolen, the company could potentially face an SEC action for violating the securities laws.
The SEC’s claim in context
The SEC’s interpretation of the scope of its authority under the internal accounting controls provision lacks support in the language and legislative history of the statute, the case law and analogous legal contexts. As the SEC commissioners noted in their dissent in Charter Communications, the plain language of the provision is limited in scope to internal accounting controls – that is, controls designed to ensure that corporate transactions are duly authorised, accounted for and reconciled – and the SEC’s interpretation relies on impermissibly ignoring the word “accounting” in the statute.
The provision’s legislative history indicates that Congress intended the statute to regulate accounting controls and not internal control activity more broadly. In a report on the adoption of the FCPA, the Senate stated that while the SEC already had “broad authority to promulgate accounting standards”, the SEC’s “current programme for accurate accounting should be supplemented by an explicit statement of statutory policy”. The Senate also noted that assistance from “[t]he accounting profession” would be necessary to evaluate the internal accounting controls established by companies in conformity with the new law.
In fact, in a report to Congress in support of adopting the FCPA in 1976, the SEC itself made no suggestion that the provision was intended or would be interpreted broadly to regulate control activity outside of accounting controls, or to cover non-financial assets. Instead, the SEC observed that the provision imposes accounting-specific obligations, and that, “[b]ecause the accounting profession has defined the objectives of a system of accounting control, the definition of the objectives contained in this subsection is taken from the authoritative accounting literature”.
Moreover, Harold Williams, then-SEC chairman, commented on the limited scope of the provision and the need for the SEC to pay “considerable deference... to the company’s reasonable business judgments in this area. The purpose of the internal accounting control provisions, after all, is to assure that a public company adopts accepted methods of recording economic events, safe-guarding assets and conforming transactions to management’s authorisation”.
The SEC’s assertion of broad jurisdiction also finds little support in the case law. On the contrary, in SEC v. World-Wide Coin Investments (1983), the court explained: “Internal accounting control is, generally speaking, only one aspect of a company’s total control system; in order to maintain accountability for the disposition of its assets, a business must attempt to make it difficult for its assets to be misappropriated.”
The SEC’s theory also appears inconsistent with the use of the term “accounting controls” in related statutory contexts. The Sarbanes-Oxley Act of 2002 requires public companies to maintain internal control over financial reporting that provides reasonable assurance regarding the reliability of such controls and procedures.
Under Sarbanes-Oxley, management is required annually to assess and certify the effectiveness of a company’s internal control over financial reporting, and an independent auditor must attest to whether the company maintained effective internal control over financial reporting. The SEC itself has equated the system of accounting controls required by the FCPA with the internal control over financial reporting required under Sarbanes-Oxley, and in rulemaking, the SEC has made this comparison explicit.
Yet there is no question that public companies do not include all internal control function-related activity within the scope of their Sarbanes-Oxley certifications, and that independent auditors do not generally review all such activity for purposes of assessing whether the company maintained effective internal control over financial reporting. Nor has any court or regulator apparently interpreted Sarbanes-Oxley to require otherwise.
Given the lack of legal support for the SEC’s position, it is unclear whether the agency’s expansive use of the internal accounting controls provision will survive a legal challenge in the SolarWinds case, particularly given the SEC’s novel reading of the term “assets” for purposes of the provision. The outcome of the challenge may have significant implications for all public companies.
Nicole Friedlander is a partner at Sullivan & Cromwell LLP. She can be contacted on +1 (212) 558 4332 or by email: friedlandern@sullcrom.com.