Welcome to 2020, everyone! This has been a long winter break, but before we return to the grind of emails to answer and staff meetings to avoid, let’s spare a few moments to ponder how the corporate compliance landscape might evolve in the coming year.
Without further delay, then: my annual list of compliance issues worth watching in the next 12 months. In no particular order…
A fix to the Supreme Court’s Digital Realty Trust decision of 2018, which ruled that whistleblowers must first report their concerns to the Securities and Exchange Commission if they want to claim anti-retaliation protections under the Dodd-Frank Act. That decision was correct in law but terrible in practice, since it sends the message to would-be whistleblowers that they should not bring concerns to the compliance function until they’ve already filed a tip to the SEC.
Last year the House approved legislation to extend Dodd-Frank protections even to those whistleblowers who first report to internal compliance departments. The Senate introduced similar legislation with bipartisan support. So later this year compliance officers may, finally, see a fix that restores common sense to whistleblower protection.
The Federal Reserve’s inspection of technology service providers. Last summer Capital One suffered a huge data breach through Amazon Web Services, which Capital One uses to host its software systems. By coincidence, Fed banking examiners had just started reviewing AWS’ cybersecurity posture at that time — and since then, Fed officials have said they want more power to review tech service providers, because those vendors have become so instrumental to the banking sector.
Compliance officers should watch to see how those reviews work in practice, because the Fed won’t be the only regulator that decides to do this. Tech companies will need to accept the reality of greater scrutiny; companies using tech vendors will need to brace for more questions — from regulators, the board, investors, business partners — about how they assure the cybersecurity posture of the vendors they use.
Climate change disclosures. So you may have noticed that the world is on fire. What’s interesting now is that more regulators have noticed that too. For example, last October the Federal Reserve Bank of San Francisco published a lengthy paper about the financial risks that stem from climate change, and European regulators are even further ahead of the U.S. on this issue. The SEC at least has a rule about disclosing climate change risks, even if that rule is weakly enforced; and shareholders have been increasing the pressure for companies to say more about climate change for years.
I don’t expect sweeping new rules for disclosing climate change risks or related information (greenhouse gas emissions, energy or water use, and so forth). I do believe that CEOs are just as worried about climate change as anyone who isn’t an elected Republican — so they’re trying to figure out what to do or say, before investors and regulators force the issue more directly. It will be worth following this proxy season.
SEC disgorgement powers before the Supreme Court. On March 3 the Supreme Court will hear arguments in Liu v. SEC, debating whether the SEC has statutory authority to order disgorgement of ill-gotten gains in securities law violations. If the court rules against the SEC, that would be a heavy blow to SEC enforcement authority — and also to compliance officers trying to argue that breaking the law doesn’t pay. That is a hard argument to make if the court literally lets wrongdoers keep the proceeds of their schemes.
Will the Supreme Court really neuter one of the SEC’s primary enforcement tools? Well, for the case even to reach this stage, at least five of the nine justices had to say the case is worth hearing. Meanwhile, the House has already passed legislation to codify the SEC’s disgorgement power once and for all, and companion legislation is plodding through the Senate. So if the Supreme Court does overturn decades of standard enforcement practice, Congress may overturn the court right back.
Critical audit matters, which will go mainstream by this spring. Those are disclosures external audit firms must include in their audit reports, which catalog their concerns about items that are material to the financial statements and also involve especially complex, subjective judgment. CAMs began appearing last fall as companies with June 30 year-ends started filing their annual reports. Most companies, however, have a Dec. 31 year-end — so we’ll see many more CAMs by spring, and the first wave of second-year CAMs next fall.
My question is how disclosure of CAMs might lead audit committees and internal audit teams to revisit internal control over financial reporting. For example, if you have weak internal controls over allowances for doubtful accounts and the audit firm declares that a CAM, will the audit committee insist on strengthening those controls to eliminate its CAM-ness? If the committee does, what does that mean for audit and compliance teams? By later this year, we might know.
Effective sanctions compliance programs. Just a few weeks ago the Justice Department expanded its cooperation credit policy to include sanctions and export control offenses. One of the three criteria to win cooperation credit is that the company must have an effective compliance program at the time of settlement with the Justice Department.
Fair enough, but the Justice Department has one set of standards for effective compliance programs generally, while the Office of Foreign Assets Control published its own guidance about effective sanctions compliance programs last May — with many more specifics than the Justice Department counterpart. So how will prosecutors and OFAC coordinate their evaluation of your sanctions compliance program, if you’re trying to settle a case? Maybe we’ll see an example sometime this year.
The Institutional Shareholder Services lawsuit against the SEC. In August the SEC enacted new rules for proxy advisory firms. ISS, the largest of those firms, filed a lawsuit against the SEC in October, accusing the SEC of misinterpreting the role ISS plays in the proxy advisory world and of violating the Administrative Procedure Act while SEC staffers were preparing the rules.
ISS isn’t the only group unhappy with the SEC’s approach to rulemaking these days — so even while proxy advisory issues aren’t the purview of compliance officers, judicial review of SEC rulemaking is something we should watch. That could have implications for how other outside groups respond to new SEC rules on everything from whistleblower awards to exemptions from SOX compliance, and more.
SEC chairman Jay Clayton is under pressure to advance his agenda ASAP, before the Trump Administration perhaps gets turned out of office in November; and the threat of litigation tying his plans into knots is genuine.
What are we forgetting? Those are seven items on my radar screen for 2020, but this list is by no means exhaustive. If you have something else worth discussion, let me know at [email protected].