Karen Seymour had high hopes for Sarbanes-Oxley. Ten years ago,
when the law was passed, Seymour was chief of the criminal
division of the U.S. Attorney's Office in Manhattan, which is
regarded as the country's most prolific prosecutor of financial
crimes. When she read Sarbanes-Oxley's certification provisions,
which specify that CEOs and CFOs can be sent to prison for
falsely certifying corporate financial reports and reports on
internal controls, she thought she finally had a way of getting
at wrongdoing by top officials. "I thought it was going to be a
really good tool," she said in an interview this week. "But it
never really developed."
As Sarbanes-Oxley marks its 10th anniversary on Monday, its
promise of holding CEOs and CFOs criminally responsible remains
unfulfilled. The law states that if top corporate executives
knowingly sign off on a false financial report, they're subject
to a prison term of up to 10 years and a fine of up to $1
million, with penalties escalating to 20 years and $5 million if
their misconduct is willful. After accounting scandals at Enron,
WorldCom and a host of other public companies, SOX's
certification provisions, according to Seymour and other former
prosecutors, seemed like a clean, simple way to tie CEOs and
CFOs to corporate crimes.
But in practice, exceedingly few defendants have even been
charged with false certification, and fewer still have been
convicted. The most notorious SOX criminal case, against former
HealthSouth CEO Richard Scrushy, ended in an acquittal in 2005.
In 2007, the former CFO of a medical equipment financing company
called DVI pleaded guilty to mail fraud and false certification
and was sentenced to 30 months in prison. In a more recent case,
a SOX false certification charge against former Vitesse CEO
Louis Tomasetta was dismissed.(Tomasetta's trial on other
charges ended in a mistrial in April.) The Justice Department
doesn't directly track Sarbanes-Oxley prosecutions, so there may
be another case here or there. Even four or five SOX criminal
cases in 10 years, though, makes them as rare as a blue moon.
There's been renewed interest in Sarbanes-Oxley as a
potential tool in investigations of Wal-Mart's alleged Mexican bribery and JPMorgan's risky credit default swap trading. On "60
Minutes" last December, correspondent Steve Kroft raised the
prospect of using SOX to prosecute bank executives for their
role in the mortgage crisis.
That makes the question of why, after a decade,
Sarbanes-Oxley hasn't been a boon to the prosecution of
corporate crime all the more pressing. Why aren't SOX's false
certification provisions producing the sort of quick, easy cases
that prosecutors like Seymour envisioned when the law was first
passed?
The answer, according to five current and former federal
prosecutors, lies partly in the specifics of the certification
provisions and partly in how corporations have responded to
Sarbanes-Oxley. Most major corporations have implemented
internal compliance systems that make it very difficult to show
that the CEO or CFO knowingly signed a false certification. And
when prosecutors have enough evidence to show that those
internal systems failed and top executives knowingly engaged in
wrongdoing, they prefer, for strategic reasons, to charge crimes
other than false certification.
After Sarbanes-Oxley was passed, said former Enron
prosecutor Thomas Hanusik, now a partner at Crowell & Moring,
most large corporations put in place multiple layers of
subcertification, requiring lower-level officials to attest to
the accuracy of financial reports all the way up the chain to
the CEO and CFO. "It was a natural reaction," said Hanusik.
"CEOs and CFOs looked at Sarbanes-Oxley and said, 'How can I
possibly sign this without subcertifications?'" Former fraud
prosecutor Joshua Hochberg, who is now a specialist in internal
investigations at McKenna Long & Aldridge, said he often sees
corporate minutes in which CEOs simply refuse to sign a
certification unless lower-tier officials sign first.
The subcertification process has two effects. First, it
forces corporations to be more vigilant about financial
reporting at all levels, which is likely one of the reasons
there have been few accounting scandals at major public
corporations since Sarbanes-Oxley took effect. In that regard,
the law is doing what it's supposed to, encouraging
accountability and deterring fraud.
But subcertifications also insulate CEOs and CFOs from false
certification charges. To prove SOX charges, prosecutors have to
show that top officials signed off on financial reports they
knew to be false. That's much tougher when CEOs and CFOs can
point to the certifications they received from lower-rung execs.
"Whether that's foolproof, I don't know. But I've certainly
argued it to prosecutors," said Seymour, who's now in private
practice at Sullivan & Cromwell. "I've said, 'Everything he
knew, he relied on other people to tell him.'"
"Unless you can get actual knowledge in the guy's hands,"
added Philip Urofsky of Shearman & Sterling, "(the CEO) can say,
'We have systems in place, the unit heads certified, I can't go
to every third-tier subsidiary and check results.'" Both Urofsky
and Seymour said they've represented clients under investigation
only for SOX false certification, and prosecutors have
ultimately decided not to bring charges.
Subcertification and other compliance systems, in other
words, are a strong shield against prosecution for top officers
who weren't directly involved in corporate wrongdoing. What
about those who were involved, though? What about CEOs and CFOs
who were explicitly aware that their financial reports were
misleading or their internal controls were inadequate, yet
certified them anyway?
In those cases, SOX false certification charges are almost
always a less-desirable alternative to fraud or other criminal
false reporting charges. When prosecutors have strong evidence
of corporate wrongdoing, they have an array of options, from
wire and mail fraud to lying to auditors or making false
statements to federal officials. In the Foreign Corrupt Practice
Act context, where SOX false certification could also be
asserted, prosecutors already have books-and-records charges at
their disposal. Those are all tried-and-true criminal offenses
that sho w up in case after case against corporate defendants.
Savvy prosecutors often don't charge every possible crime, since
that makes a case unwieldy and could alienate jurors. And if
they're picking and choosing, there are good strategic reasons
not to include SOX charges that essentially duplicate similar
counts in the indictment.
Defendants charged with SOX false certification, for
instance, could show jurors evidence of the corporation's
compliance systems. At the very least, such evidence could
distract the jury; at best, it's a chance for defendants to
shift the blame for alleged crimes. "You have to ask what you're
opening the door to," said Urofsky. Moreover, false
certification doesn't carry penalties as severe as some of the
other corporate crime charges, and it can be tougher to prove
than, say, lying to auditors who are available to testify.
Don't count SOX false certification out yet. There could be
circumstances in which it's still the best law prosecutors can
assert, especially when they can show a CEO or CFO had direct
knowledge of squirrelly behavior. If nothing else, SOX false
certification is a sword prosecutors can hang over the heads of
potential defendants, since no CEO or CFO welcomes the prospect
of spending 10 years in prison for signing a financial report.
And the Securities and Exchange Commission has brought dozens of
civil cases alleging false certification under Sarbanes-Oxley,
including civil SOX charges in an FCPA case the SEC filed in
March.
Nevertheless, as Sarbanes-Oxley turns 10, it's time to admit
that SOX is not a sufficiently powerful law, on its own, to keep
corporate executives honest. Then again, what law is?
(Reporting by Alison Frankel)
Follow us on Twitter @AlisonFrankel, @ReutersLegal | Like us on Facebook