Following the 2008 financial crisis, government regulators and prosecutors have been under tremendous public pressure to prosecute individuals.[1] Senior government officials have responded by speaking forcefully about their desires to sue or prosecute more individuals.[2] What does the government's heated rhetoric and renewed focus on individual liability mean for corporate directors? As the chairman of the Securities and Exchange Commission ("SEC") recently noted, "[s]ervice as a director is not for the faint of heart…."[3] But the good news is that directors who perform their role with even a modicum of reasonableness are highly unlikely to be held personally liable in carrying out their responsibilities.[4] Of course, most directors aspire to more than staying out of trouble. As a former SEC chairman put it: "It is not an adequate ethical standard to aspire to get through the day without being indicted."[5]

This Commentary will discuss the landscape of director liability in the SEC context and provide some suggestions that may help directors minimize the risks of regulatory scrutiny.

A "New" Focus on Individuals

The current chairman of the SEC noted in her confirmation hearing that enforcement would be a top priority, emphasizing an intent to pursue "all wrongdoers—individual and institutional, of whatever position or size."[6] But the SEC's focus on individuals has actually been quite commonplace over the years. Corporations act only through the individuals who run them, and thus any investigations of corporate misconduct necessarily require an investigation of individual conduct. The SEC's enforcement statistics bear this out. Since the beginning of the 2011 fiscal year, the SEC charged individuals in 83 percent of its actions.[7] And since 2000, the SEC has charged individuals in 93 percent of its fraud and financial reporting cases.[8] These numbers include a small number of directors, although such charges are relatively rare given the hundreds of cases the SEC brings each year.

A criminal prosecution against a director, on the other hand, is an almost unheard-of event in the securities context.[9] And while the DOJ has sued individuals for securities fraud, it hasn't been enough to appease critics of the department. So, the DOJ recently announced six changes to its policies governing investigations of corporate misconduct that are aimed at increasing prosecutions against individuals.[10] The so-called "Yates Memo" directs prosecutors to "focus on individual wrongdoing from the very beginning of any investigation" and directs companies seeking to cooperate to "identify all individuals involved or responsible for the misconduct at issue, regardless of their position, status, or seniority."[11] The clear goal is to force line prosecutors and companies seeking cooperation to more aggressively gather and produce evidence of individual wrongdoing. The Yates Memo has the potential to affect many aspects of corporate investigations and prosecutions, but it does not change the standards for proving criminal conduct beyond a reasonable doubt, which is a serious hurdle to proving individual liability. Nevertheless, the government's focus on individual liability creates additional risks.

SEC Enforcement Against Directors

A review of recent SEC enforcement allegations against directors provides insight into what this risk means in practice:[12]

The SEC entered into a settlement with four defendants, including a former outside director and member of the audit committee,[13] who failed to exercise oversight when he "recklessly signed a number of financial statements that were materially misleading and took no care to ensure their accuracy."[14]

The SEC settled claims against two audit committee members for failure to make timely 10-K filings and concealing information.[15] The SEC alleged that the directors "directly and indirectly, aided and abetted" the company's reporting violations by authorizing management to not timely file the company's Form 10-K and a Form 10-Q to prevent the release of a going concern opinion, despite being presented with evidence that doing so could be unlawful. In addition, the two directors allegedly ignored red flags from their auditors, outside counsel, and internal memoranda. The directors received "an interoffice memorandum […] entitled 'Pros/Cons to Filing the Form 10-K.' The 'Cons' included the fact that not filing '[i]ncreases the chances of an SEC enforcement action.'"

The SEC alleged that an audit committee chair "failed to respond appropriately to various red flags" and failed to investigate and take meaningful action to address improprieties, even when directed to do so by the company's board.[16] The director allegedly "failed to take appropriate action regarding the concerns expressed to him" by two internal auditors regarding reimbursements for personal expenses, and after failing to investigate, "omitted critical facts in his report to the board."

The SEC alleged that three independent directors were "willfully blind to numerous red flags signaling accounting fraud, reporting violations, and misappropriating" that allowed senior management to manipulate reports and filings.[17] The SEC alleged that "[i]n addition to a close personal relationship, [the directors] each had business relationships with [the CEO] that influenced their impartiality and independence" and that they "willfully ignored [a] controller's concerns about [the company's] inventory valuation." In addition, the directors allegedly remained blindly deferential to management, "ma[king] little or no effort even to understand their Audit Committee responsibilities" and being financially rewarded with "lucrative perks" for doing so.

The SEC charged an audit committee chair with failure to appropriately investigate and disclose accounting fraud.[18] The director ignored the advice of a former director to hire professional investigators and outside counsel despite the warning that there was "not just smoke but fire" and that "the company appeared to have engaged in fraud and maintained two sets of books." The director also allegedly failed to properly oversee the filing of accurate financial statements.

The SEC settled with two outside directors who allegedly misled investors when they "improperly extended, renewed, and rolled over bad loans to avoid impairment and the need to report ever-increasing allowances for loan and lease losses … in its financial accounting."[19] 

The SEC settled claims against an audit committee chair for knowingly signing a falsely certified Sarbanes-Oxley compliance report stating that the company had an active CFO.[20] The SEC alleged the director signed the company's 10-K as "Audit Committee Chair and a Director, when she knew or should have known that any fraud, whether or not material, involving management had not been disclosed to the company's auditors and the company's Audit Committee." The director's settlement permanently banned her from signing any public filing with the SEC that contains any certification required by the Sarbanes-Oxley Act.

The SEC charged the chairman of the board and majority shareholder of a small staffing solutions company with misleading auditors and investors about the misuse of company funds.[21] The director "secretly held the controlling stake in [the company] on behalf of […] a convicted felon" and, when asked about missing company funds, "falsely claimed that he did not know what happened and deliberately failed to disclose important information relevant to the auditors' inquiry."

An audit committee chair settled charges relating to failures to disclose perquisites paid to executives and signing materially false statements regarding executive compensation.[22] The SEC alleged that he had "reason to know" the company had not adequately disclosed certain of the perquisites because he had "direct involvement" in the company's internal review of the area. He and the company nevertheless continued to make filings with the Commission that materially understated perquisite compensation.

The SEC entered into its first deferred prosecution agreement with a corporate director on March 9, 2016. The company allegedly began issuing false press releases touting sales of its product "when in fact only a few samples had been manually completed." The director allegedly testified that the company's CEO was "basically out of control on company press releases," and although he "repeatedly" instructed the CEO to stop issuing false press releases, "took no affirmative steps to implement any oversight of outgoing press releases or correct misleading press releases after their issuance." In exchange for the SEC deferring prosecution on aiding and abetting reporting, books-and-records, and internal controls charges, the director agreed, among other things, to cooperate with the SEC in its case against two of the company's officers and to be banned from serving as a director or officer of a public company for five years.

There are three principles we can cull from these and recent public statements by the SEC commissioners and staff.[23] 

First, the SEC will scrutinize director conduct, especially in financial reporting and issuer disclosure investigations. In practice, this means the agency will look for instances where "directors have either taken affirmative steps to participate in fraud or enabled fraudulent conduct by unreasonably turning a blind eye to obvious red flags."[24] This is uncontroversial and should be expected.

Second, the SEC expects the board to exercise actual oversight of management, not to serve as "mere figureheads or rubber stamps."[25] A former commissioner recently put it this way: "shareholders elect a board of directors to represent their interests, and, in turn, the board of directors, through effective corporate governance, makes sure that management effectively serves the corporation and its shareholders."[26] The SEC has long expected corporate directors to serve as gatekeepers. As the SEC's chairman recently commented, "a company's directors serve as its most important gatekeepers" and "audit committees, in particular, have an extraordinarily important role in creating a culture of compliance through their oversight of financial reporting."[27] They do this in part "by preventing, detecting, and stopping violations of the federal securities laws" and "responding to any problems that do occur."[28] When the SEC perceives that a director has failed to fulfill that role, it will try harder to bring charges.

Finally, the SEC is ready to pursue negligence-based claims and is eagerly looking to bring cases alleging internal controls violations as the primary claim, even where there is no fraud or negligence. An example from the past year is the settled matter against an audit committee member who allegedly "had reason to know" the company had not adequately disclosed certain executive perquisites.[29] This is a recent evolution in SEC enforcement and perhaps the most likely to increase the risk of potential individual liability. Drawing the line between serious misconduct and simple mistake becomes much harder. Although the SEC says it "isn't second guessing good-faith decisions by the board,"[30] that is precisely what happens in an investigation. And this is especially true for members of the audit committee because of their oversight of financial reporting and disclosures.

Suggestions for Mitigating the Risk of Personal and Corporate Liability

Directors have every interest in minimizing the likelihood of getting caught up in any civil or criminal investigation. And they have every interest in keeping their companies out of trouble. Below are some suggestions on how to do both those things:

Stay Informed on Regulatory Expectations and Compliance. To demonstrate their commitment to a strong cultural and ethical environment, directors should stay on top of current regulatory expectations and priorities. They should receive regular updates from the company's general counsel and the company's outside counsel on the latest enforcement priorities and on the latest developments in ethics and compliance. The board should also receive regular updates from the company's corporate ethics and compliance officer. As the DOJ and the SEC have noted more than once, a sign of a strong corporate ethics and compliance program is that it is constantly improving.[31] Directors who are informed will be able to ask better questions and challenge the legal and compliance programs at their companies.

Play Your Part in Creating a Strong Culture. The board needs to have a strong sense of the ethics and compliance environment at the company. Creating and maintaining a strong ethical culture is much more than just having a strong compliance program. Some of the companies involved in the biggest frauds in history had award-winning compliance programs while serious fraud went undetected. A strong culture does not tolerate misconduct, and it values the firm's long-term reputation over any possible short-term benefit.[32] This isn't just about complying with the law—it is about getting everyone in the enterprise to recognize that "ethics pays and ethical behavior is good business."[33] The key is to avoid short-term thinking and make decisions with concern for the company's long-term business and reputation. What matters here is not the compliance structure but how the company's leaders and employees act and think, how they react in times of stress, and how leaders motivate employees to do the right thing.

Avoid Passivity. Much has been written on how boards should be structured and composed.[34] But that isn't what matters in assessing the board's oversight of ethics and compliance; rather, it is how individual directors act.[35] Directors need to actively engage management by asking questions and by challenging them. One former commissioner decrying the rise of activist pressure on boards put it this way: "much of the pressure for shareholder direct democracy flows from boards that are mismanaged: boards that are stale, full of individuals with irrelevant skills, too chummy with management, and so forth. By contrast, a vigorous, responsive board that takes affirmative steps to drive good corporate governance moots the need for shareholder direct democracy."[36] Think about your last few board meetings. In making decisions, did your board engage in open and frank discussions even if it meant disagreeing? Were directors willing to challenge management? Were conflicting views heard and sought after? Disagreement and rigorous engagement can highlight conflicts, counter biases, and encourage outside-the-box thinking.[37] A good board is one that asks questions and is willing to challenge management, each other, and the conventional wisdom.

Encourage Openness. The board itself should be willing to hear difficult news. Moreover, it should encourage leadership to bring difficult news to the board as soon as possible because bad news rarely gets better with age. Whistleblowers are a particular area of concern because they can sometimes be annoying, disgruntled, and wrong. But companies and directors should never tolerate retaliation[38] or "pre-taliation"[39] against whistleblowers.[40] And that is only the minimum standard of behavior. Good companies will create an environment where employees are willing to speak up. Hotlines and policies are necessary, but not sufficient. Everyone and every department must see themselves as having responsibility for ethics and compliance. And, the compensation and reward system—even for the most senior executives—must reflect the connection between ethics and the business. The key is accountability at all levels. The board plays a critical role in ensuring the right leadership is in place to create and sustain this environment.

Be Prepared for Failures and Near Misses. No system of compliance is perfect. Good boards recognize there will be slip-ups and lapses. The sign of a good compliance system is that it is constantly improving and learning from experience and mistakes. Failures, breaches, and near misses should be considered part of the company's "early warning system."[41] Companies with strong ethics and compliance programs identify wrongdoing early and remedy the problem quickly. They learn from mistakes and improve controls. As one SEC senior official put it recently: "It's critical that when a director learns information suggesting that company filings are materially inaccurate they take concrete steps to learn all of the relevant facts and ensure that the company cease filing annual and quarterly reports until they are satisfied with the accuracy of the filings."[42] Thus, when the company discovers a potential violation, it must be able to escalate issues, know how and when to engage internal and external auditors and disclosure counsel, and have a plan on how to self-report to the government (if necessary). These suggestions become especially important in times of company stress, when it's easier to cut corners and make decisions without proper appreciation for the long-term consequences. The board's role in all of this is not one of execution or day-to-day management but, rather, oversight over management's execution and design and a curiosity about what management is doing to be prepared. 

Understand and Reinforce the Need for Good Internal Controls. Management is responsible for designing and implementing internal controls over accounting and financial reporting and disclosures. The board's oversight role, usually through the audit committee, is critical because the SEC is keenly interested in the state of a company's internal controls. All financial reporting and disclosure investigations will involve a detailed look at a company's internal controls, and most of these investigations will involve an analysis and investigation into the board's oversight over financial reporting and internal controls. Can your audit committee members explain the difference between a "material weakness" and a "significant deficiency"? How about the difference among "internal controls over financial reporting," "disclosure controls and procedures," and "internal accounting controls"? Do they understand the different frameworks a company can use to evaluate internal controls? Can they describe the company's key entity-level controls? Is the company's internal audit department appropriately funded, staffed, and independent? The board, and especially the audit committee, needs to be particularly vigilant in exercising its oversight duties over not just financial reporting but also internal controls because in financial reporting or disclosure investigations, it will be an area of focus.

Looking Forward

The board's most critical role is in ensuring that the leaders who run the day-to-day affairs of the company are not just talented and creative but have a desire and a willingness to do the right thing—i.e., that they are ethical and responsible. By playing a bigger role in building a strong ethics and compliance culture at their companies, directors can protect their companies and protect themselves from personal liability.