Sarbanes-Oxley: Legislate in haste, repent at leisure?

United Kingdom
If a company has a listing in the US, or makes registered securities offerings in the US, or is a subsidiary of such a company, the chances are that the US Sarbanes-Oxley Act of 2002 will impact on its operations. The message from regulators on both sides of the Atlantic is clear - UK companies should not assume that current corporate practices that meet English legal and regulatory requirements will necessarily satisfy the new US rules.

On 17 December 2002, the Securities and Exchange Commission is due to hold two interactive roundtable meetings to discuss the international impact of proposed rules on auditor independence and attorney conduct to be promulgated under the Act. The webcasts of the roundtable discussions will be available at 9am and 2pm (Washington DC time) on the following link:

http://www.sec.gov/news/otherwebcasts.shtml

In a recent speech, Patricia Hewitt, Secretary of State for Trade and Industry, raised concerns about the Act, the US's legislative response to a series of US corporate scandals and their effect on investor confidence:

"the way the Act has come out - it gives the impression, in places, of simply having been drafted too quickly, with no consultation, and with apparently little thought to the international dimension".

Harvey Pitt, the former SEC Chairman, acknowledged that some of the abuses covered by the Act are addressed outside the US in different ways from those required by the Act. Indeed, he urged non-US companies and their advisers to comment on the SEC's rule proposals and to notify the SEC of areas where its proposals conflict with local law or local stock exchange requirements, or where problems that proposals are intended to cover are addressed in other ways in other jurisdictions. But it remains to be seen whether his successor as SEC Chairman will share his concern with the impact of the Act on non-US issuers.

Scope

The Act applies to all companies, including non-US companies, that are required to file reports under the US Securities Exchange Act of 1934 or that have filed (and not withdrawn) registration statements under the US Securities Act of 1933 that are not yet effective.

The Act is a dramatic departure from SEC practice under the existing US securities laws, rules and regulations in that it makes virtually no dispensations for non-US companies.

Certification of Disclosure in Financial Reports

The SEC has already adopted rules in accordance with section 302 of the Act requiring the certification, by an issuer's chief executive officer and chief financial officer, of financial and other information contained in the issuer's quarterly and annual reports, any amendments thereof or any quarterly and annual transition reports (Forms 10-K, 20-F and 10-Q). Accordingly, the rules apply to non-US issuers that file annual reports on Form 20-F, but do not apply to current reports by non-US issuers on Form 6-K (as these are not considered "periodic").

In particular, the issuer's chief executive officer and chief financial officer must each certify in reports filed or submitted by the issuer under section 13(a) or 15(d) of the Exchange Act that:

  • the report has been reviewed by that person;

  • based on that person's knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by the report; and

  • based on that person's knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition, results of operations and cash flows of the issuer for the periods presented in the report. This statement is not limited to a representation that the financial statements and other financial information have been presented in accordance with Generally Accepted Accounting Principles (GAAP). Instead it goes further, requiring assurance that the financial information disclosed in the report as a whole meets a standard of overall material accuracy and completeness that is broader than financial reporting requirements under GAAP. In the SEC's view, a "fair presentation" of an issuer's financial condition, results of operations and cash flows encompasses the selection of appropriate accounting policies, proper application of accounting policies, disclosure of financial information that is informative and reasonably reflects the underlying transactions and events and inclusion of any additional disclosure necessary to provide investors with a materially accurate and complete picture of an issuer's financial condition, results of operations and cash flows.

In respect of reports filed covering a period ended after 29 August 2002:

  • the certifying officers must certify that they:
    • are responsible for establishing and maintaining disclosure controls and procedures for the issuer;
    • have designed such disclosure controls and procedures to ensure that material information is made known to them, particularly during the period in which the report is being prepared;
    • have evaluated the effectiveness of the issuer's disclosure controls and procedures as of a date within 90 days prior to the filing date of the report; and
    • have presented in the report their conclusions about the effectiveness of the disclosure controls and procedures based on the required evaluation as of that date.

Accordingly, the disclosure controls and procedures put in place must be designed to ensure that information required to be disclosed by the issuer in reports submitted by it under the Exchange Act is recorded, processed, summarised and reported in the form and within the time period specified in the Act. They must also include controls and procedures designed to ensure that information required to be disclosed by the issuer in its Exchange Act reports is communicated to the issuer's management, including its chief executive officer and chief financial officer, as appropriate to allow timely decisions regarding required disclosure;

  • the certifying officers must certify that they have disclosed to the issuer’s auditors and to the audit committee of the board of directors:

    • all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer's ability to record, process, summarise and report financial data and have identified for the issuer's auditors any material weaknesses in internal controls; and

    • any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls; and

  • the certifying officers must certify that they have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.

The SEC has prescribed a standard form of certification (which must be used without alteration) for annual reports such as Form 20-F for non-US companies or Form 10-K for US companies.

Subsidiaries of companies subject to the Act

Although the Act does not directly require the certification of financial information by subsidiaries, in many groups it is likely that, in order for the certifying officers to be sufficiently comfortable with their own certification, they will ask directors of their subsidiaries (wherever incorporated) to give some form of comfort in relation to the subsidiaries' own financial information.

Penalties, forfeiture of bonuses and profits

Under section 906 of the Act, which also imposes a certification requirement similar to (but apparently separate from) section 302, a person who "knowingly" signs an untrue certificate is subject to a fine of up to USD1m or imprisonment of up to 10 years, or both. A person who "wilfully" (that is, with an intent to violate the law) certifies a false periodic report is subject to a fine of up to USD5m or imprisonment of up to 20 years, or both. It is being left to the US courts to distinguish between "knowing" and "wilful" violations.

The Act also amends the Exchange Act to permit the SEC to prohibit any person found guilty of violating certain provisions of the securities laws and deemed to be "unfit" from acting as an officer or director of a public company.

Where, because of material non-compliance with any financial reporting requirement under the securities laws, an issuer has to restate its financial statements, the Act requires the chief executive officer and chief financial officer to forfeit any bonus or other incentive-based or equity-based compensation received from the issuer during the 12 month period following the first public issue or the filing with the SEC of the financial document embodying such financial reporting requirements (whichever is the earlier), and any profits realised from the sale of securities of the issuer during that 12 month period.

Off-balance sheet transactions

The Act requires the SEC to issue rules that will require annual and quarterly reports to disclose all material off-balance sheet transactions with unconsolidated entities. The SEC must also issue rules that will require any pro forma financial information included in any report filed with the SEC or otherwise publicly disclosed to be reconciled with the financial condition and results of operations of the issuer under GAAP.

Use of Non-GAAP financial measures

As required by the Act, the SEC has proposed new rules to address public companies' disclosure or release of financial information that is derived on the basis of methodologies other than in accordance with GAAP. The new rules, which have been issued for comment, would require public companies that disclose or release non-GAAP financial measures to include, in that disclosure or release, a presentation of the most comparable GAAP financial measure and a reconciliation of the disclosed non-GAAP financial measure to the most comparable GAAP financial measure.

These rules are one of the few areas under the Act where a dispensation is made for non-US companies. The proposal provides a limited exception for non-US companies that qualify as "foreign private issuers" based on what the SEC believes to be an appropriate territorial approach and applies principles of territoriality based on where the disclosure is initially made. The new rules would not apply to public disclosure of a non-GAAP financial measure by or on behalf of a foreign private issuer if the following conditions were satisfied:

  • the securities of the issuer are listed or quoted on a securities exchange or inter-dealer quotation system outside the US;

  • the non-GAAP financial measure and the most comparable GAAP financial measure are not calculated and presented in accordance with GAAP in the US; and

  • the disclosure is made by or on behalf of the issuer outside the US, or is included in a written communication that is released by or on behalf of the issuer only outside the US.

Under the SEC's proposal, the exception for foreign private issuers would continue to apply where:

  • non-US or US journalists or other third parties have access to the information, so long as the information is disclosed or released by or on the behalf of the issuer only outside the US;

  • following its release or disclosure, the information appears on one or more web sites maintained by the registrant, so long as the web sites, taken together, are not available exclusively to, or targeted at, persons located in the US; and/or

  • following the disclosure or release of the information outside the US, the information is included in a submission to the SEC made under cover of SEC Form 6-K.

Public Company Accounting Oversight Board

The Public Company Accounting Oversight Board established by the Act will be responsible for overseeing the audit of issuers and regulating accounting firms that conduct such audits. The Oversight Board will be subject to the oversight and enforcement of the SEC and will be funded by issuers, who will have to pay an annual fee based on market capitalisation.

Any public accounting firm that participates in the preparation or issuance of any audit report with respect to an issuer must be registered with the Oversight Board. This requirement appears to include any non-US public accounting firm that prepares or furnishes an audit report with respect to an issuer (within the meaning of the Act). The Act requires the Oversight Board to establish rules for the investigation and disciplining of accounting firms and may impose disciplinary sanctions.

Audit committee and regulation of audits

The Act requires the SEC to issue rules directing the national securities exchanges and national securities associations to prohibit the listing of any security of any company that does not comply with the Act's general requirements with respect to the responsibilities and independence of audit committee members. These include a requirement that the audit committee be comprised entirely of independent directors. To qualify as independent, committee members cannot, other than in their capacity as members of the board of directors, accept any compensation from the company or be an "affiliated person" (which is not defined under the Act) of the company or any of its subsidiaries. In addition, the audit committee must:

  • be directly responsible for the appointment, compensation and oversight of the company's auditors (including resolution of disagreements between management and the auditors) - this is likely to give problems in the UK where it is the company in general meeting that appoints the auditors each year;

  • establish procedures for handling complaints received by the company regarding accounting matters and for the confidential, anonymous submission of employee concerns regarding questionable accounting or auditing matters; and

  • have authority to engage independent counsel and other advisers to carry out its duties.

Under the Act, auditors are prohibited from providing non-audit services to their clients, including:

  • bookkeeping services relating to accounting records or financial statements;

  • financial information systems design and implementation;

  • appraisal or valuation services and fairness opinions;

  • actuarial services;

  • internal audit outsourcing services;

  • management functions or human resources;

  • broker or dealer, investment adviser, or investment banking services;

  • legal and expert services unrelated to the audit; and

  • any other service the Oversight Board determines is prohibited.

However, the Act does permit auditors to provide other non-audit services, including tax services, if pre-approved by the company's audit committee. Any such approval by the audit committee must be disclosed by the issuer in its periodic reports.

The Oversight Board will be permitted to exempt any person, issuer, public accounting firm or transaction from the independence rules if the Oversight Board deems the exemption to be in the public interest.

In addition, public accounting firms must make reports to the audit committee of all critical accounting policies, all alternative accounting treatments of financial information that have been discussed with the management of the issuer including the ramifications and the treatment preferred by the firm, and other material written communications between the firm and the management of the issuer. The Act also contains stricter auditor independence standards and guidelines regarding any conflicts of interest between a public accounting firm and officers of an issuer.

The Act also obliges the SEC to issue rules that will require an issuer to disclose in its periodic reports whether or not (and if not, why not) the issuer's audit committee is comprised of at least one member who is a "financial expert" (as defined in the Act).

Standards of professional conduct for lawyers

The Act requires the SEC to issue professional conduct rules for lawyers appearing and practising before it in any way in the representation of issuers registered with and reporting to the SEC, even those issuers located outside the US. The rules will require lawyers, including, it would appear, even non-US qualified lawyers and/or lawyers practising outside the US, to report evidence of material violations of securities laws or breaches of fiduciary duty by the issuer or any of its agents, to that company's chief legal counsel or chief executive officer. Where the counsel or officer to whom the evidence is reported does not respond appropriately (adopting appropriate remedial measures or sanctions in relation to the violation), the lawyer will be required to report the evidence to the audit committee, or another committee of the board comprised solely of non-executive directors, or to the board itself.

The SEC has not yet formally proposed any rules for this, and there is a great deal of uncertainty as to the probable extent of the rules. In particular, will it only be the actual knowledge of the individual lawyer that is relevant, or will he be deemed to have knowledge of all matters of which his firm is, or ought to be, aware? Will the individual, or the whole firm, be liable under the Act? How much expertise in analysing complex US laws and regulations, financial matters and accounting issues will lawyers be expected to have? Are there any circumstances in which the new rules will conflict with a lawyer’s fiduciary duties to his client or the lawyers' professional conduct rules in his home jurisdiction? The position of in-house counsel is also unclear.

Code of Ethics

The Act requires the SEC to issue rules requiring issuers to disclose in periodic reports under the Exchange Act whether or not they have adopted a code of ethics for their senior financial officers (and if not, why not) and any change in or waiver of the code of ethics for senior financial officers. The SEC recommends that each issuer creates a committee with responsibility for considering the materiality of information and determining disclosure obligations on a timely basis.

Loans to directors and senior executives

Under the Act, as of 30 July 2002 issuers are prohibited (subject to certain limited exceptions) from extending or maintaining credit in the form of a personal loan to or for any of their directors or executive officers. Any loan maintained by the issuer on or before 30 July 2002 will not be in violation of the Act provided that it is not renewed or that there is no material modification to any of its terms on or after that date. Although loans to directors and connected persons are generally prohibited in the UK, this does not extend to non-board members, and there are de minimis exceptions that are not matched under the US rules. There is also a concern that permitted ordinary course of business lending by UK banks to their directors may be caught. US banks are exempt from the prohibition because they are regulated on such matters by the Federal Reserve.

Insider trades during pension fund blackout periods

As required by section 306 of the Act, the SEC has proposed new rules to prohibit the directors and executive officers of an issuer from, directly or indirectly, purchasing, selling or otherwise acquiring or transferring any equity security of the issuer during a pension plan blackout period that prevents plan participants or beneficiaries from engaging in equity securities transactions, if the equity security was acquired in connection with the director or executive officer's service or employment as a director or executive officer.

In addition, the new rules, which have been issued for comment, would specify the content and timing of the notice that issuers must provide to their directors and executive officers and to the SEC about a blackout period. Specifically, the prohibition is proposed to take effect upon any period of more than three consecutive business days during which the ability to purchase, sell or otherwise acquire or transfer an interest in any equity security of such issuer held in a relevant individual account plan is temporarily suspended by the issuer or by a fiduciary of the plan with respect to not fewer than 50 per cent of the participants or beneficiaries under all individual account plans maintained by the issuer. For the purposes of making this calculation it is proposed that relevant individual account plans will be only those account plans in which participants or beneficiaries hold or could hold equity securities of the issuer, whether or not the account plan actually contained equity securities of the issuer at the time of calculation.

These rules again are among the few under the Act where a dispensation is made for non-US companies. The proposal provides a limited exception for non-US companies that qualify as "foreign private issuers". Under the proposed exceptions, the rules would not apply if a blackout period affected only plan participants or beneficiaries located outside the US. In addition, the rules would not apply even if 50 per cent or more of the affected participants or beneficiaries are located in the US, if the number of affected participants or beneficiaries located in the US represents no more than 15 per cent of the overall number of participants or beneficiaries under all relevant individual account plans maintained by the issuer worldwide.

The implications of other proposed rules issued by the SEC for comment will be considered in future editions of the Bulletin or on Law-Now.

We should like to thank Walter Van Dorn, a partner in the New York office of Thacher Proffitt & Wood, for his assistance with this article.

For more information please contact:

Gary Green
Corporate partner
gary.green@cms-cmck.com
+44 (0)20 7367 2111

Ian Stevens
Corporate solicitor
ian.stevens@cms-cmck.com
+44 (0)20 7367 2297