Welcome back to the grind, fellow compliance enthusiasts — and if you need a break from answering all those emails you ignored last week, fear not! Radical Compliance is here to help, with our annual list of compliance events worth watching in the next 12 months.
Every January I try to identify those events likely to happen in the coming year that will be most consequential for corporate compliance and audit professionals. Compiling the list is never easy since there’s always so much going on, and 2023 is no exception.
So in no particular order, this is what’s on my radar screen…
SEC Rule on Greenhouse Gas Disclosures
This issue also made our list for 2022, when the corporate world was bracing for the SEC to require disclosure of a wide range of ESG metrics. Instead, the SEC proposed a rule to require annual disclosure of six specific greenhouse gases. The proposal was 490 pages long, enormously complicated, and fiercely criticized by conservatives as an overreach of SEC authority.
Now the SEC’s final rule should arrive sometime this spring; I’ll be corny and predict it arrives just before Earth Day. The big questions are: (1) Will the SEC scale back the number of companies required to disclose Scope 3 emissions from their supply chain? and (2) Which disclosures will be subject to independent audits, at what level of assurance, and when?
Of course Republicans will file a lawsuit against the rule as soon as it arrives, and what then happens in federal court is anyone’s guess. But at least the ball will be in motion.
A More Aggressive PCAOB
The Public Company Accounting Oversight Board received a slate of new leaders at the end of 2021, who then spent most of 2022 developing new plans for revising audit standards and taking more aggressive postures in audit firm inspections and enforcement.
Only in the last few months have we seen that organizational spadework start to bear fruit: more enforcement actions against firms and individuals (with record-breaking penalties), proposals to update audit standards, and even an eye-popping speech in December from PCAOB chairman Erica Williams, who tersely told auditors: “Your vigilance must be higher. Unfortunately, right now, the trendline is moving in the wrong direction.”
This year I’ll be watching to see how the PCAOB handles several proposed auditing standards, such as that plan for third-party confirmations that alienated internal auditors; and what sort of enforcement action we’ll see against audit firms for continued sloppy audits. Williams clearly wants the PCAOB to matter, and 2023 is the year she can prove that ambition.
Federal Trade Commission and Privacy Enforcement
Lina Khan, chairman of the FTC, is another Biden Administration official with big ambitions for enforcement and policy making. Compliance officers should watch her agency closely because the enforcement actions it takes can give us valuable clues about what an effective privacy compliance program should be able to do.
In the latter part of 2022 we saw a string of enforcement actions for poor privacy practices. First were Drizly.com and Chegg.com, then a $520 million haymaker the FTC threw at Epic Games for its failure to protect the privacy of children playing Fortnite. The terms of those three settlements read like a best practices guide for privacy compliance.
In 2023 I’ll be watching the FTC for a few reasons. First, we’re likely to see more enforcement actions, which will give compliance officers even more insight into the agency’s thinking on privacy compliance. We might also (ideally) see a more comprehensive policy statement, something akin to the Justice Department’s FCPA Resource Guide but for privacy. And we might hear news of an FTC investigation into whatever mess passes for information protection at Twitter these days — although that will say more about Khan’s appetite to challenge Elon Musk, rather than offer useful lessons for compliance officers as a whole.
The Oracle FCPA Enforcement Action
Remember that FCPA enforcement action against Oracle from the Securities and Exchange Commission last September? Subsidiaries in India, Turkey, and the United Arab Emirates used sham discount schemes and marketing reimbursement plans to create slush funds for bribes. It was Oracle’s second FCPA encounter with the SEC in 10 years, with plenty of parallels to the first enforcement action back in 2012.
The Justice Department took no action of its own against Oracle last year; so I’m waiting to see whether the department finally takes action this year.
After all, plenty of Justice Department officials have stressed the importance of vigorous enforcement against recidivist FCPA offenders. The facts described in the SEC order against Oracle are egregious enough that the Justice Department could impose its own penalty if prosecutors so choose. So what’s going on with this case, and why?
Of course, it’s also possible that the Justice Department might take no action against Oracle; or that the department won’t count a 10-year-old civil enforcement action as recidivist behavior — but those actions would tell compliance officers something too, as we all try to understand what FCPA enforcement and effective compliance programs truly entail these days.
More Justice Department Enforcement Policies
Let’s also remember that throughout last fall, senior Justice Department officials said they would be promulgating new policies for enforcement against corporate crime. In 2023 I’ll be watching to see exactly what those policies are.
Most notably, all sections of the Justice Department are supposed to be preparing or updating policies about voluntary self-disclosure of corporate misconduct; senior department official Marshall Miller said that in December. Miller has also said the department is “reviewing and updating” policies for selection of compliance monitors. Other department officials have said guidance is forthcoming on how prosecutors will evaluate companies’ use of executive compensation clawback policies. (Actually, the clawback guidance was supposed to arrive by the end of last year. It didn’t.)
More broadly, I wonder whether the Justice Department will consolidate all of these efforts into a new edition of its Guidelines for the Evaluation of Corporate Compliance Programs. That document was last updated in 2020, and a lot has changed since then.
Rise of the ESG Controller
This is the human resources corollary to all those articles we see lately about the demand for more ESG disclosure. For those disclosures to pass muster with regulators, investors, consumers, and other stakeholders, the data needs to be reliable. Someone at your corporation will need to assure that it is.
Lately I’ve encountered numerous companies assigning the corporate controller to manage ESG disclosures, because controllers have solid experience with assembling and reporting reliable financial data. So in 2023 I’ll be watching to see whether that trend accelerates — especially with the SEC’s forthcoming rule on greenhouse gas disclosures, and the European Union’s new Corporate Sustainability Reporting Directive.
For example, in our Dec. 23 Compliance Jobs Report, we included an item that Dick’s Sporting Goods was looking for an analyst to help with SOX compliance and ESG disclosures. That’s an entry-level example of the phenomenon. Further up the org chart, companies such as Google, Halliburton, and Bank of America all have controllers dedicated to ESG issues.
Advisory firms have talked up the idea of ESG controllers for a while. Now, however, as ESG disclosures become codified into securities rules or national law, we could see the role go from nifty idea to personnel reality.
The Governance Comeuppance of Elon Musk
Elon Musk is a brilliant visionary, but a terrible executive. In mere weeks of owning Twitter he turned that company into a managerial dumpster fire; and more importantly, his preoccupation with Twitter throughout 2022 coincided with a collapse in Tesla’s share price.
Musk is CEO of both companies. These failures, which have caused real harm to countless employees and investors, are his responsibility. So in 2023 I’ll be watching to see whether anyone at either company does anything to repair the damage Musk has done.
For example, perhaps shareholder activists could push for a reconstituted board at Tesla, which could then fire Musk or at least demote him to some more suitable title like “chief evangelist.” Maybe the lenders who gave Musk $44 billion to fund his tweeting addiction could pressure him to hire a competent CEO. Maybe the EU or regulators in the United States might finally take enforcement action against this overrated blowhard for violations of privacy law, securities law, or fiduciary duties.
It’s also entirely possible that nobody will do anything about Musk’s antics. Which will be a mighty sad statement about society’s ability to hold rich people accountable for the mistakes they inflict on the rest of us.
Anyway, that’s my list for 2023 — and paring it down to seven items was not easy! Drop me a line at [email protected] to tell me what’s on your list, what I overlooked, or anything else on your mind about the coming year.