Questions for Incoming SEC Chairman
Last week President-elect Trump said he will nominate Paul Atkins to be the next chairman of the Securities and Exchange Commission. Now compliance and audit professionals can start considering how an Atkins-led SEC will shape corporate compliance for the next few years, and there are lots of questions to contemplate here.
Start with the biographical stuff. Atkins, 66, has a long history with the agency. He originally worked as an SEC staffer in the 1990s under chairmen Richard Breeden and Arthur Levitt, and then served as a Republican commissioner in the 2000s under chairmen Harvey Pitt, Bill Donaldson, and Christopher Cox. Atkins left the agency in 2008 to form his own consulting firm, Patomak Global Partners, where he’s been CEO ever since.
Clearly Atkins is qualified to run the agency, and is someone who cares about the SEC as an institution. Sure, his views about capital markets policy and regulatory enforcement will drive Democrats nuts — but that’s not the same as Trump’s other nominees who are totally unqualified for their job and want to burn their respective agencies to the ground. Like him or hate him, Atkins is an establishment nominee and that’s a good thing.
Barring any wild surprise, Atkins is going to be confirmed. He has survived Senate confirmation before, and his politics are very much in step with Republican senators now. If all goes according to schedule, Atkins should be SEC chairman by April or May.
What happens after that, we won’t know for many months. But compliance and audit professionals can begin by pondering a few big questions that, in the fullness of time, could have a big effect on what you do.
How much time will Atkins spend on cryptocurrency?
Yes, yes, we get it: Trump won the election partly thanks to cryptocurrency fans, who hate how current SEC chairman Gary Gensler kept bringing enforcement actions for sketchy cryptocurrency offerings, and now Atkins is poised to relax crypto enforcement while he and other Republicans figure out how they want to regulate this stuff — but seriously, are we going to talk about crypto all the time?
Like, aside from compliance officers who specifically work in the crypto sector, cryptocurrency never comes up in conversations I have with other compliance professionals. It remains a miniscule part of overall commerce, and most non-financial companies would just as soon never deal with crypto because of the extra risks that it brings. Yet crypto has emerged as a top priority for Trump (presumably because he makes money from a family a crypto business), unelected co-president Elon Musk, Republicans in Congress, and Atkins, who is co-chair of a crypto-focused “Token Alliance” sponsored by the U.S. Chamber of Commerce.
So how much time will an Atkins-led SEC spend on crypto issues? Will this tiny part of the capital markets dominate the SEC policy-making conversation in 2025, at the expense of other issues more relevant to a wider range of people?
What will Atkins do about monetary penalties in corporate enforcement?
When he was an SEC commissioner in the 2000s, Atkins embraced the theory that monetary penalties against corporations did more harm than good. Such penalties only take money from shareholders, this theory says, and shareholders typically play no role in the misconduct in question — so why should they suffer financial consequences from it? (Consider a speech Atkins gave in 2006 where he said, “In financial fraud cases, shareholders, who are the ultimate owners of the corporations on which we impose these penalties, may already have been punished through reputational and stock-price damage.”)
A few thoughts here. First, Atkins’ view on penalties harkens back to an era when accounting fraud was a pressing priority. The Enron and WorldCom accounting implosions were still fresh in people’s minds, compliance with the Sarbanes-Oxley Act was a new-fangled thing, and we had seen a surge of corporate financial restatements as companies grappled with SOX compliance for the first time. Hence in Aktins’ statement above, he was talking about financial fraud cases.
The enforcement landscape today is very different. Enforcement of the FCPA is much more robust, and those infractions typically don’t impose harm on shareholders; an offending company’s share price might burp down 1 or 2 percent for a day or two, and then zoom along as always. Atkins’ theory of shareholder harm, which can be true in cases of financial fraud, is nowhere near as true for other corporate misconduct that today’s SEC enforces as a matter of course.
So how will Atkins adjust his theory of monetary penalties, if at all? Will he acknowledge the importance of disgorgement of ill-gotten gains, which are an important part of FCPA enforcement but don’t exist in accounting frauds? (A company can’t disgorge profits that never actually existed in the first place, after all.) Will he offer the reward of no penalties for companies that voluntarily self-disclose trouble and implement effective controls?
If you want another view on corporate penalties, consider this speech from Democratic commissioner Carolyn Crenshaw from 2021; she squarely came down in favor of using penalties to make corporations change their behavior. Crenshaw and Atkins represent the two poles of perspective on penalties. Now Atkins has the chance to pull policy toward his end.
What will Atkins do, if anything, about cybersecurity issues?
Cybersecurity is another field that has changed vastly since Atkins was last at the agency. The first piece of SEC guidance on cybersecurity wasn’t even adopted until 2011, years after Atkins had left. The most recent action happened in 2023, when the SEC adopted new rules for required disclosure of cybersecurity risks and “material cybersecurity incidents.” Those 2023 rules aren’t nearly as prescriptive as critics had originally feared, but they do challenge companies trying to assess whether a cybersecurity incident is or isn’t material.
So will Atkins move to relax those 2023 rules? What about blunders such as the UnitedHealth breach earlier this year, where the company failed to implement multi-factor authentication on critical servers of a subsidiary; is that a failure of internal control that deserves punishment? Or can a company say it has effective internal control (which would include effective IT general controls, such as implementing multi-factor authentication on critical servers) and then suffer a disastrously expensive cyber failure — and there’d be no regulatory consequence for that?
This could be quite important to auditors, since audits of internal control over financial reporting now require far more attention to cybersecurity controls than they ever did when Atkins was last at the SEC. The world has changed. Effective cybersecurity is a crucial part of corporate governance and financial reporting. So how will Atkins handle this complicated but vital issue?
How will he handle ESG disclosures?
This one is easy. Atkins doesn’t believe ESG disclosures should be mandatory; companies should only need to discuss ESG issues that the company deems material. So lots of the work Gensler has done on ESG disclosure will just evaporate like your local river dried out from climate change.
The greenhouse gas emissions rule adopted by the SEC in March of this year? Trust that Atkins will work to water it down any way he can, from lax enforcement to revising and rescinding the rule out of existence (although going that route takes a bit of time).
If an Atkins-led SEC makes any nod to ESG disclosures at all, expect that work to take the form of the human capital disclosure rule the SEC adopted in 2020: one based on materiality, where the company decides which issues it does or doesn’t need to disclose to investors. Given the rabid opposition to corporate diversity programs these days, I suspect lots of companies will disclose as little as possible.
How will he handle the PCAOB?
The Public Company Accounting Oversight Board was a dysfunctional agency for years, until the Biden Administration replaced almost the whole board in 2021. It had been led ever since by Erica Williams, a lawyer by trade who was re-appointed as chairman earlier this year. Williams has embraced a far more aggressive enforcement and inspection regime for audit firms, and her term as chairman should continue until 2029.
I have a hard time imagining that a conservative like Atkins (or Trump, for that matter) will allow Williams to keep doing her thing for another five years. Maybe Williams will leave early; maybe she’ll get fired; maybe she’ll relinquish the chairman job in favor of someone more in tune with Atkins’ thinking, such as fellow PCAOB board member Christina Ho.
Heck, let’s think even bigger! Maybe Atkins will push to abolish PCAOB entirely, subsuming its function into some sort of Division of Audit Oversight with the SEC. (Musk and his DOGE committee would love that idea.)
Whatever might happen specifically, assume that generally audit firms will face more lenient inspections, which in turn might make your annual audit just a bit more bearable. Investors would pay the price for that in the event of an audit failure, such is life.