Compliance programs even more essential after Jensen

With a recent 9th U.S. Circuit Court of Appeals decision (SEC v. Jensen, 2016 DJDAR 9113 (Aug. 31, 2016)) endorsing a broad disgorgement remedy under the Sarbanes-Oxley Act against corporate executives whether or not their personal misconduct caused an accounting restatement, compliance programs designed to eliminate - or at least substantially diminish the likelihood of - corporate "misconduct" are more essential than ever. Having the right "people, policies and practices" in place, and thinking about those matters proactively, provides the only credible path towards achieving critical compliance objectives and avoiding "Jensen-like" circumstances in which one person's misconduct may be attributed to, and impose liability on, another.

In 2011, the Securities and Exchange Commission initiated an enforcement action under Section 304 of the Sarbanes-Oxley Act against the former chief executive officer and chief financial officer of a public company (a second SEC claim under Rule 13a-14 of the Securities Exchange Act of 1934 against these same officers, regarding the certification of financial reports, is not addressed in this article). Section 304 provides that "[i]f an issuer is required to prepare an accounting restatement due to the material noncompliance of the issuer, as a result of misconduct [emphasis added], with any financial reporting requirement under the securities laws," the CEO and CFO "shall reimburse the issuer" for bonus or other incentive- and equity-based compensation received "during the 12-month period following the first public issuance or filing with the Commission (whichever first occurs) of the financial document embodying such financial reporting requirement."

The SEC alleged that the executives had participated in a scheme to defraud investors by failing to comply with generally accepted accounting principles (GAAP) applicable to revenue recognition. That failure resulted in reported revenues that were higher than appropriate under GAAP, allowing the two executives to receive "unearned" incentive-based compensation. Had revenues been properly recorded, the incentives would not have been met and the compensation not paid. After discovering the problem, the company restated its financial results and the company's stock price declined substantially.

The SEC sued to recoup the incentive compensation paid to the executives. The district court concluded that Section 304 requires CEOs and CFOs to disgorge bonus or other incentive-based compensation only if their companies issue an accounting restatement because of the officers' own misconduct, not if the restatement was caused by conduct in which the officers were not directly involved. Personal culpability was a presumed requirement of forced disgorgement. The 9th Circuit reversed.

On appeal, the SEC argued that the provision is "concerned not with the individual misconduct on the part of the CEO and CFO, but rather with the misconduct of the issuer." The 9th Circuit focused on the "plain language" of Section 304, holding that "it is the issuer's misconduct that matters, and not the personal misconduct of the CEO or CFO." Extending that thread, the 9th Circuit further noted "Congress's intent to craft a broad remedy that focused on disgorging unearned profits rather than punishing individual wrongdoing." If that's the correct focus, where does that leave senior management when personal liability arises through the unrelated misconduct of others?

As an initial matter, these conclusions must lead management to ask counsel what constitutes "misconduct" in these circumstances. The answer is unfortunately muddled. The 9th Circuit refused, in Jensen, to define "misconduct," instead leaving it to the SEC and future courts to determine its meaning. Without clarity about the real meaning or scope of "misconduct," but yet certainty now that the "misconduct" of others may attach itself directly to the CEO and CFO, the practical question is no longer simply what "constitutes" misconduct. The response that "you'll know it when you see it" will not suffice. Rather, to avoid attributions of wrongdoing to senior management who were not directly involved in specific misconduct, the corporation must implement and follow a thoughtful, thorough, effective compliance program designed to avoid misconduct. That should be the focus of any answer. It is the "people, policies and practices" of the organization that should fundamentally inform a response and set the essential framework for compliance.

People. The only way to avoid misconduct is to hire and retain the right people. Fixing the post-hiring foibles of "bad hires" rarely works. Teaching "integrity" on the job, in real-time to an experienced professional is too late. It is imperative that corporate hiring focus on individuals who exhibit, and who have manifested, the "high performance, high integrity" traits identified by Ben Heineman, the former general counsel of the General Electric Company, as essential characteristics of the successful general counsel in his recent book, "The Inside Counsel Revolution." Subject matter expertise may be acquired, but an ethical foundation, and knowing the right thing to do, may not. The efficacy of any compliance program that seeks to eliminate misconduct starts with a hiring process that seeks individuals, especially lawyers, with an existing sense of integrity and an intuitive sense of what is right.

Policies. Any credible compliance program requires thoughtful, written policies. The process of developing these policies and tailoring them for the corporation, and industry, to which they apply should be undertaken with great care. Downloading generic policies off the internet and simply changing the name in the header doesn't work. The process should be iterative and cross-functional. Policies that evolve from an insular, siloed legal department are unlikely to be relevant or readily accepted beyond the legal department. If the policy affects the finance function, its development should include representatives from finance. If it involves human resources, its creation should involve human resource colleagues. Policies should be enacted that document basic processes, that offer structure for daily corporate activities and that provide substantive, functional guidance for rank-and-file employees. Written policies should range far and wide, addressing matters, from the mundane to the arcane, throughout the organization. Signature requirements should be documented. Approval processes fully crafted. Communications protocols established. Governance and conflict of interest standards laid out. The use of non-GAAP financial measures carefully addressed and understood. Other subjects should receive similar attention. Critical thought should inform these corporate policies. The process of documenting that critical thought in coherent, written policies available for all to review and consider will lead inevitably to enhanced compliance.

Practices. Practices should integrate, internalize and reflect effective corporate policies, with the goal of developing a corporate culture that does not tolerate or countenance misconduct. Training must be implemented with the aim of inculcating proper values and teaching proper practices. Policies that live in the dust-bin will offer little protection against organizational malfeasance. Senior management must set a "tone at the top" that reinforces these precepts and drives toward the adoption of policies that are fully translated into effective, consistently applied corporate practices.

Jensen demands that corporate compliance programs aspire to eliminate, not simply to identify or surface, potential or actual misconduct. The failure to inculcate this aspirational goal, and to focus on an underlying paradigm necessary to support that heightened aspirational goal, places corporate executives at added risk and potentially increased personal exposure. That is especially so when the determination of "misconduct" will be left to the SEC and future judicial decisions.

Whether or not individual liability should attach even in the absence of direct culpability may remain an open question of policy and potential debate. The corporate governance implications, however, do not remain unsettled. After Jensen, the course should be clear. Misconduct must be avoided. To best achieve that objective, an organization must have the right people in the right positions, practicing the right set of well-crafted, written policies. In the end, the "people, policies and practices" of an organization will surely determine whether that organization maintains a compliance program capable of averting the misconduct that can give rise to executive liability.