Compliance officers responsible for accurate books and records and effective internal control over financial reporting may be entering, shall we say, a brave new world of regulatory enforcement.

For a while now, corporate defense lawyers and similar experts have warned that the Securities and Exchange Commission will be increasing its enforcement on books and records violations of the Foreign Corrupt Practices Act. What’s more, they said, companies should prepare to defend against those accusations in the SEC’s in-house administrative proceedings, rather than before a federal court.

Well, that prediction came to pass on April 1, when the SEC held an administrative proceeding against a North Carolina telecom company regarding violations of the prohibition on “knowing falsification of any book, record, or account or circumvention of internal controls.” The former CEO of TelWorx Communications has agreed to a settlement of $545,000; two employees each agreed to pay $25,000.

Mary Hansen, a corporate defense attorney with the law firm Drinker Biddle, is one of many who say that April 1 hearing is only an early warning of what’s to come. She expects the SEC to continue using books-and-records and internal control charges to pursue companies and senior executives who play a role in fraudulent schemes, “even where an individual did not act intentionally or even recklessly.”

“Statements by the SEC make it clear they are going to be paying more attention to books and records,” says Sanjay Bhandari, a partner at law firm Ballard Spahr and a former federal prosecutor and SEC enforcement attorney. “The SEC also plans to use administrative proceedings in all kinds of enforcement matters … There is going to be a preference for doing things internally at the SEC, even in contested matters.”

Fueling these efforts, in part, is SEC Chairman Mary Jo White’s pronouncement that enforcement will focus on “broken windows” violations, where the agency brings charges against companies more frequently for relatively minor recordkeeping and filing lapses. As for the expanded use of administrative proceedings, the Commission proceeded cautiously at first, hoping to prevail against inevitable constitutional challenges. It has been emboldened by a string of legal victories in recent months. “It is going to be a hard sell to prove administrative hearings are unconstitutional,” Hansen says.

Another trigger goes back to accounting provisions of the FCPA that give the SEC latitude to bring charges on books, records, and internal control failures even if the underlying bribe could not be proved. The broad application, according to the 2012 resource guide issued by the SEC and Justice Department: “Although the accounting provisions were originally enacted as part of the FCPA, they do not apply only to bribery-related violations.”

“With the end of financial crisis cases that are basically being aged out, the SEC is rightly turning back to its core mission and competency of proper reporting of a company’s financial condition.”
David Smyth, Partner, Brooks Pierce

Over the years, the accounting provisions were rarely used as a stand-alone enforcement tool for the SEC. A former Enforcement Division staffer, who asked not to be identified, says that books and records and internal controls violations would seldom lead to an enforcement action without a bigger, underlying misdeed. “You did not ask for authority to file a case, almost without exception, that didn’t involve fraud,” the ex-staffer said. “It might not be scienter-based fraud, it may be negligence-based fraud, but you certainly weren’t going to ask to bring a books-and-records violation. You were not bringing an action on a strict liability provision.” 

Losing Control

The broken-windows approach has changed that thinking. “Internal control problems have been prominently featured in recent enforcement cases we have brought in the financial reporting area, even in cases without accompanying charges of fraud,” Andrew Ceresney, director of the SEC’s Division of Enforcement, said in March.

“This is a huge change,” Hansen says. “The SEC was always out there going after the fraudsters. What they are now saying is they need to enforce even minor rules because maybe those are entry-level violations. Then they started talking about increasing the use of administrative proceedings. And where better to bring strict liability cases than in an administrative proceeding, because you don’t have a jury?”

Prior to the Dodd-Frank Act of 2010, the SEC’s authority to impose penalties in administrative proceedings was restricted to regulated entities such as broker-dealers, investment advisers, and mutual funds. Dodd-Frank gave the SEC authority to impose a civil penalty in an administrative proceeding against any individual or company. With in-house judges and a home court advantage, the SEC can hold expedited trials to levy fines, discouragements, and disciplinary actions.


The following is an excerpt from a March 2015 speech by Andrew Ceresney director of the Securities and Exchange Commission’s Division of Enforcement.
Internal control problems have been prominently featured in recent enforcement cases we have brought in the financial reporting area, even in cases without accompanying charges of fraud. This reflects our view that adequate internal controls are the building blocks for accurate financial reporting and can prevent fraudulent activity.
Senior leadership of companies should place strong emphasis on the importance of designing and implementing strong internal controls. Senior officers need to ask questions about what they are being told about their internal controls—but perhaps more importantly, ask questions about the things that are not being reported to them. Dropping those occasional inquiries into conversations where they won’t be expected sends a powerful message that you want these issues to be on your employees’ minds.
What is needed is not just involvement from senior leadership but also from the audit committee.  Instead of a check-the-box mentality, it is important to use careful thought at the outset to how controls should be designed in light of a firm’s business operations.  This entails an up-front assessment of financial reporting risks, designing controls that address those risks, and ensuring that the resulting controls are well documented and communicated. And, as the company’s business evolves and changes, management must consider whether the existing internal controls are appropriate, or need to be enhanced or changed.  Appropriate resources and attention also need to be devoted to monitoring those controls for effectiveness and making changes as needed.
 Sources: SEC.

The defense bar has a litany of concerns. Discovery and evidence rules are too loose in some regards and overly restrictive in others, they say. Judges are required to issue an opinion within 300 days, leaving little time for pre-trial preparation. Evidence that would be barred under the Federal Rules of Evidence, such as hearsay and unverified documentation, can be admitted. The use of administrative proceedings simply runs contrary to the traditional presumption that complex cases, with the threat of substantial penalties, should be litigated in federal court before a jury and not just a single administrative judge.

Big fines—rather than the traditional wrist slaps of SEC proceedings—may also be looming as books-and-records violations and internal controls failures find their way before in-house judges. Currently, the SEC has levied more than $1 billion in penalties and disgorgement for FCPA violations over the past five years.

“When you look at those cases, they are not all bribery cases,” Hansen says. “A lot of them are books-and-records violations. This is a pot of gold for the SEC. The threat is that not only are they going to charge you with these rule violations; they are going to bring it in an administrative proceeding, so good luck defending yourself.”

The SEC’s $200 million settlement in 2013 against JPMorgan Chase for its “London Whale” manipulations, is another harbinger of increased focus on books and records. “They charged JPMorgan with internal controls and books-and-records violations and got an enormous amount of money,” Hansen says. “They did not charge JPMorgan with fraud. They didn’t charge them with a 10b-5 violation,” the SEC rule that governs securities fraud. “They made them admit to books-and-records and internal controls violations.”

“The SEC is pushing pretty hard on the internal controls provisions in the FCPA area, and a lot of reasonable people think they are pushing beyond what the statute authorizes, to the extent that they are using those provisions to sanction companies for failure to prevent or detect illicit payments, which is not really what the provisions say,” says David Smyth, a partner with the law firm Brooks Pierce. “It essentially converts the FCPA into a strict liability statute, which is not what the statute is about.”

Avoiding an administrative hearing over books, records, or internal controls requires assurances that day-to-day details are as much a part of the compliance function’s overview as rooting out major malfeasance. “If you have a situation where somebody is approving their own expenses, does that seem right? As a business matter that doesn’t make any sense,” Smyth says. “There needs to be some sort of check.”

Periodic compliance reviews are important and they don’t always have to be top-down, Bhandari says. “Pick a part of the program and focus on what needs to be done,” he says. “This would be a good time to focus in on internal controls specifically,” he adds. “If a company doesn’t have a regular program of reviewing its compliance program, they need to implement one and focus on internal controls as a priority.”