Alex Lipman and Ashley Baynham, Brown Rudnick
This is an extract from the third edition of GIR's The Guide to Monitorships. The whole publication is available here.
In enforcement matters, the US Securities and Exchange Commission (SEC) routinely requires companies, broker dealers, investment advisers and others to engage a monitor where there is a concern that a defendant organisation does not have effective internal compliance programmes or internal control systems to prevent the recurrence of the misconduct identified in the government investigation. A compliance monitor is, therefore, appointed as 'an independent third party who assesses and monitors a company's adherence to the compliance requirements of an agreement that was designed to reduce the risk of recurrence of the company's misconduct'.
Most of the information about how the SEC uses monitors and when it thinks a monitor may be appropriate can be gleaned from the various settlements of its enforcement actions involving corporate entities. In addition, the SEC and the US Department of Justice's (DOJ) joint guidance on enforcement of the Foreign Corrupt Practices Act (FCPA) provides the most explicit general guidance on the SEC's use of monitors and, in particular, which factors favour the imposition of monitorship. Because, from the SEC's perspective, the FCPA is a books-and-records violation and – relatedly, to the extent that hidden bribes distort reported results and affect a company's reported prospects and risks – a predicate of anti-fraud violations, the Resource Guide has wide application to most of the SEC's enforcement cases.
Generally, the SEC, like the DOJ, will seek to tailor the scope and duration of a monitorship to the nature of the violation, the quality and reliability of management, the resources of the defendant, and any other factors bearing on the likelihood of recurrence. Although monitorships can be very expensive and intrusive, they offer several benefits, including, when they can be narrowly tailored, allowing a company to reduce the severity of penalties and collateral effects of an enforcement action. They can also provide the impetus, where necessary, for reforming a recalcitrant bureaucracy, and they can foster a culture and record of compliance that could help address any future violations of law should compliance programmes fail again.
This chapter will focus on the SEC's use of monitors, focusing on the statutory authority for monitorships, historical use and analysis of prior monitors, and specific guidance issued by the DOJ regarding monitorships.
Statutory authority for monitors
The SEC has sought the imposition of corporate monitors or 'review persons' since at least 1980 in civil enforcement cases in federal courts by invoking the federal courts' power to order 'ancillary relief' attendant to statutory authorisation for courts to enjoin defendants from violating the federal securities laws in the future. At the time, there was no explicit authorisation for federal courts to order any such ancillary relief, but courts fairly uniformly had held that because Congress granted them the power to impose injunctions, they could rely on their general equitable powers to impose other remedies, such as monitorships, to ensure compliance with their injunction orders.
In 2002, Congress authorised the SEC to seek 'equitable relief' for the 'benefit of investors', ostensibly removing any need to rely on the court's inherent equitable powers to order monitorships. Arguably, explicit Congressional authorisation to order equitable relief for the benefit of investors supplants and narrows courts' ability to use their equitable powers in aid of injunctions. Equitable relief in the Supreme Court's jurisprudence has specific, narrowly defined contours: it must be the type of relief that was available to courts of equity at the time of the divided bench. An equitable remedy may not, therefore, and most importantly for present purposes, be punitive. A monitorship, it follows, must be narrowly tailored to facilitate injunctive relief and nothing more. Of course, as noted, most SEC monitorships are imposed by consent. However, understanding the limits of equity jurisdiction may be helpful to counsel to negotiate the narrowest possible monitorship scope on the theory that a broader scope may be ruled to be punitive and unenforceable by a court.
Similarly in administrative proceedings, the SEC is empowered to order a respondent to cease and desist from violating the securities laws. A cease-and-desist order may 'require future compliance or steps to effect future compliance, either permanently or for such period of time as the Commission may specify'. The SEC interprets this provision as authorising imposition of monitors in administrative proceedings. This provision may be read as giving the SEC the ability to impose broader-scope monitorships than those district courts may impose. Of course, these monitorships are also usually imposed by consent, but, here too, counsel may be able to argue that, as a matter of statutory authorisation, the scope and duration of the monitorship must be narrowly tailored to effect future compliance with the SEC's order and nothing more.
The SEC's use of monitors
Case study: the expansive power of the monitor in WorldCom
The current use of SEC monitors stems in part from the spectacular corporate failures of Enron and WorldCom. In fact, WorldCom's experience with monitorship – largely viewed as the first 'modern era' monitorship – influenced the nature of the monitorships that followed. As discussed below, the WorldCom monitor began with a limited role. However, it was expanded incrementally until he, ultimately, revamped the company's entire corporate governance structure. That expansive role in WorldCom and in other matters has been the target of much criticism: observers have wondered to what extent a monitor, who is an agent of the court (or the SEC) rather than the shareholders, should be able to effectuate changes in corporate governance or dictate management decisions. An overview of the WorldCom monitorship is thus instructive as background to more recent trends regarding when a monitor will be imposed and the scope of that monitor's review.
The SEC brought a civil enforcement action against WorldCom in 2002 alleging that WorldCom's managers fraudulently misstated the company's income by over $9 billion. Among other remedies, the SEC requested that the court enter an order prohibiting document destruction and extraordinary payments to any present or former affiliate, or officer, director or employee of WorldCom. The SEC then asked for the appointment of 'a corporate monitor to ensure compliance' with those two prohibitions.
Shortly after the complaint was filed, the SEC and WorldCom entered into a stipulation agreeing to the appointment of a monitor with 'oversight responsibility with respect to all compensation paid by WorldCom'. Judge Jed S Rakoff of the Southern District of New York granted the requested relief and the parties jointly selected Richard Breeden, a former SEC chairman, as the corporate monitor. Despite the seemingly narrow scope of Mr Breeden's original appointment, his authority at the company quickly expanded. The potential for an expansion of his authority, in fact, was explicitly recognised by the court as necessary when Mr Breeden was first appointed. Among other things, the court interpreted Mr Breeden's role to monitor 'compensation' as not only including payments to executives, but also including any payments to advisers and consultants, such as investment bankers and attorneys. Then, after WorldCom filed for bankruptcy, Mr Breeden's access to information about WorldCom broadened. As a result of the bankruptcy, for example, the court explicitly allowed Mr Breeden to receive 'complete information about every aspect of the business he deems relevant to his assessments'. Mr Breeden was then permitted by the court to attend all board meetings, to attend board committee meetings and to receive information about essentially anything he personally deemed necessary to his appointment.
The SEC eventually entered into a consent decree or partial settlement with WorldCom in November 2002. That decree further expanded Mr Breeden's role. The decree required him to review WorldCom's future corporate governance. As one indication of his powers over the company, in the settlement, WorldCom stipulated that it would adopt Mr Breeden's recommendations before his report was even issued.
Mr Breeden eventually prepared a full report based on his investigation, making 78 recommendations for WorldCom to implement. Most of the proposals sought to increase shareholder participation and control of the company, while also limiting executive power and compensation. Among other corporate governance changes, he recommended a new legal and ethics compliance programme to ensure an improved corporate culture.
In sum, Mr Breeden's activities at WorldCom were all-encompassing: they extended well beyond his initial charge to monitor 'compensation'. He was making high-level decisions about WorldCom's business.
Guidance post-WorldCom has restrained and defined corporate monitors
While WorldCom acts as an initial case study into the modern era of corporate monitors, the recent trend and guidance, as discussed below, has been to more narrowly conscribe the role of monitors.
Since WorldCom, the SEC has sought the appointment of monitors in a broad spectrum of civil and administrative enforcement proceedings across various aspects of the securities laws. For example, monitors have been imposed to:
- review and correct an organisation's 'policies, procedures, and practices relating to issuance and transfer of securities' under the Securities Act.
- monitor various due diligence and compliance requirements under the Investment Advisers Act;
- review and recommend changes to an organisation's policies related to underwriting of municipal securities under the Securities Act.
- review customer identification and anti-money laundering programmes under the Exchange Act;
- assess the effectiveness of an organisation's policies and procedures to prevent FCPA violations;
- correct procedures to prevent failures to supervise insider trading under the Investment Advisers Act.
As noted, outside of the joint SEC/DOJ FCPA Resource Guide published in 2012, the SEC has not published any express general guidance setting forth when, as a general matter, it would seek to impose a monitor and what form such a monitorship would take. Nonetheless, as explained above the Resource Guide is instructive for most, if not all, SEC matters.
The Resource Guide explains:
In civil cases, a company may . . . be required to retain an independent compliance consultant or monitor to provide an independent third-party review of the company's internal controls. The consultant recommends improvements, to the extent necessary, which the company must adopt.
In the Resource Guide, the SEC and DOJ enumerated the following factors that they consider in determining whether a monitor is appropriate:
- the 'seriousness of the offense';
- the 'duration of the misconduct';
- the 'pervasiveness of the misconduct, including whether the conduct cuts across geographic and product lines';
- the 'nature and size of the company';
- the 'quality of the company's compliance program at the time of the misconduct'; and
These factors demonstrate, as the SEC and DOJ concede, that the 'appointment of a monitor is not appropriate in all circumstances, but it may be appropriate, for example, where a company does not already have an effective internal compliance program or needs to establish necessary internal controls'. Put differently, these factors demonstrate that the SEC's decision regarding whether to impose a monitor will depend on its assessment that the organisation has an effective compliance programme and has otherwise demonstrated a commitment to compliance in its controls, remediation measures, and corporate culture.
The Resource Guide is the only SEC guidance setting forth the factors that the SEC considers when deciding to impose a monitor. From our review of the consent decrees and administrative orders implementing monitors, those documents do not elaborate on the SEC's criteria or analysis regarding when a monitor is appropriate. Rather, from these case-specific documents, one can glean general guidance as to the general terms and scope of monitorships.
It is helpful, therefore, to review briefly the DOJ's guidance on monitorships from the time that the joint Resource Guide was issued. Because the Resource Guide did not supplant the guidance was in place at the time, the then-current DOJ guidance aids one's understanding of the 2012 Resource Guide. In addition, more current DOJ guidance informs how the SEC would analyse monitorships because the SEC and DOJ often work in parallel and impose a single monitor to assure compliance with both the federal securities laws and the criminal code.
In March 2008, then-Acting Deputy Attorney General Craig S Morford issued the DOJ's first memorandum relating to the scope and appointment of monitors (the Morford Memorandum). This memorandum governed the selection and use of monitors in DPAs and NPAs with corporations. It established nine 'principles' – guidelines and decision-making procedures – for monitorship programmes, including selection of monitors, scope of the monitor's duties, reporting requirements, and duration. In all these areas, the DOJ stressed that the monitor's responsibilities and his or her selection should be tailored to the limited scope of addressing the reoccurrence of the misconduct and nothing further:
A monitor's primary responsibility is to assess and monitor a corporation's compliance with the terms of the agreement specifically designed to address and reduce the risk of recurrence of the corporation's misconduct, and not to further punitive goals.
Along those lines, prosecutors were cautioned to be mindful not just of the 'potential benefits' of a monitor, but 'the cost' as well. The Morford Memorandum's treatment of each of these principles is analysed below.
Under the terms of the Morford Memorandum, the monitor must be selected 'based on the merits'; however, the government can choose to play a greater or lesser role in the selection depending on the fact and circumstances of the matter. As a result, in some circumstances, the corporation may select a monitor candidate, with the government vetoing the proposed choice if the monitor is 'unacceptable' to the government; in others, the government may create a committee to consider candidates, with the Office of the Attorney General approving the monitor and the organisation having little input.
The Morford Memorandum recommended the scope of a monitor's duties be limited to the misconduct at issue, stating that the monitor's 'primary responsibility' is to assess and monitor a corporation's compliance with those terms of the agreement 'specifically designed to address and reduce the risk of recurrence of the corporation's misconduct'. The government, in fact, acknowledged that because the 'monitor is not responsible to the corporation's shareholders', the 'responsibility for designing an ethics and compliance program . . . should remain with the corporation, subject to the monitor's input, evaluation and recommendations'.
The Morford Memorandum encouraged communications between the government, the corporation and the monitor, including as to the monitor's recommendations. Organisations are not required to accept all the monitor recommendations, however. Instead, the DOJ guidance gave the corporation power to decide whether to implement the monitor recommendations, because the corporation and its officers 'are ultimately responsible for the ethical and legal operations of the corporation'. If the corporation declines to adopt a recommendation by the monitor, the government considers both the monitor's recommendation and the corporation's reasons in determining whether the corporation fulfilled its obligations under the agreement.
Finally, the Morford Memorandum recommended that the duration of the monitorship agreement be tailored based on the following criteria:
- the seriousness of the offence;
- duration of the misconduct;
- pervasiveness across geographic and product lines;
- nature and size of the organisation;
- quality of the compliance programme at the time of the misconduct; and
More recently, on 12 October 2018, Assistant Attorney General Brian A Benczkowski issued a memorandum significantly expanding the DOJ's guidance regarding application, need, selection and scope of monitorships. First, although the Morford Memorandum applied only to DPAs and NPAs and specifically excluded plea agreements, the Benczkowski Memorandum clarified that the Criminal Division should apply the same principles to plea agreements that impose a monitor as long as the presiding court approves the agreement.
Second, and more importantly, the Benczkowski Memorandum stressed, more so than the earlier guidance, that monitors were only appropriate in certain cases:
In general, the Criminal Division should favor the imposition of a monitor only where there is a demonstrated need for, and clear benefit to be derived from, a monitorship relative to the projected costs and burdens. Where a corporation's compliance program and controls are demonstrated to be effective and appropriately resourced at the time of resolution, a monitor will likely not be necessary.
The Benczkowski Memorandum further set forth that:
In evaluating the 'potential benefits' of a monitor, Criminal Division attorneys should consider, among other factors: (a) whether the underlying misconduct involve the manipulation of corporate books and records or the exploitation of an inadequate compliance program or internal control systems; (b) whether the misconduct at issue was pervasive across the business organization or approved or facilitated by senior management; (c) whether the corporation has made significant investments in, and improvements to, its corporate compliance program and internal controls systems; and (d) whether remedial improvements to the compliance program and internal controls have been tested to demonstrate that they would prevent or detect similar misconduct in the future.
And, when weighing the potential costs, the Benczkowski Memorandum requires the Criminal Division attorney to 'consider not only the projected monetary costs to the business organization, but also whether the proposed scope of a monitor's role is appropriately tailored to avoid unnecessary burdens to the business's operations'.
Third, the Benczkowski Memorandum further expands the prior guidance by clearly outlining a step-by-step process for monitor selection. It requires the following steps for approval of an independent monitor candidate:
- nomination of monitor candidates by counsel for the company;
- initial review of monitor candidates by the Criminal Division attorneys handling the matter;
- preparation of a monitor selection memorandum by the Criminal Division attorneys handling the matter;
- review of a monitor candidate by a standing committee of prosecutors;
- review by the Assistant Attorney General; and
Notably, the Benczkowski Memorandum now allows companies to designate their first-choice candidate to serve as the monitor.
Recent case studies
While the Benczkowski Memorandum was issued by the DOJ and not the SEC, these changes will impact monitorships where both the SEC and DOJ are involved. It likely will also predict how the SEC may approach future monitorships in which it acts alone. For example, the chair of the SEC's foreign bribery unit, Charles Cain, has already indicated that the SEC is supportive of the DOJ's newest approach. In November 2018, after the publication of the Benczkowski Memorandum, Mr Cain said that the era of 'cookie-cutter' monitorships is over, and that authorities now tend to tailor the monitor's appointment narrowly. Indeed, while early monitors such as Mr Breeden enjoyed unfettered access to all areas of WorldCom's business, more recent administrative orders tie a monitor's appointment to each specific area of misconduct identified in the order.
This trend is exemplified by the cases discussed below.
In the Matter of Stryker Corp
One example of the more tailored approach to the scope of monitors' responsibilities is illustrated in the September 2018 settlement reached between the SEC and Stryker Corporation (Stryker) for violations of the FCPA's internal accounting controls and books and records provision. The SEC's investigation found that Stryker's internal accounting controls failed to (and were insufficient to) detect improper payments related to sales of Stryker's products in India, China and Kuwait. The sales were made through Stryker's wholly owned subsidiaries, as well as through third-party deals and distributors. The order also found that Stryker's Indian subsidiary maintained deficient books and records. This case followed a 2013 consent settlement between Stryker and the SEC in which Stryker had also paid a $3.5 million penalty and more than $7.5 million in disgorgement to resolve related FCPA concerns.
Issued just a couple of weeks prior to the Benczkowski Memorandum, the settlement between SEC and Stryker included a tailored monitorship limited to reviewing Stryker's internal controls, policies, and procedures relating to the use of and transactions by third parties. This narrow scope directly tied the monitor's responsibility with the underlying charges against Stryker, which involved improper payments made by third parties. The factors enumerated in the Benczkowski Memorandum appear to be fully incorporated into the SEC's order. For example, the 'manipulation of corporate books and reports' and an 'inadequate compliance program' (specific indicators of the need for a monitor mentioned in the Benczkowski Memorandum) are explicitly referenced in Stryker as deficiencies that led to the monitor implementation. Further, as Stryker was under a prior settlement with the SEC in 2013 for similar conduct, its lack of 'significant investment in, and improvements to, its corporate compliance program and internal controls systems' were clearly a factor in determining whether a monitor was necessary. Finally, consistent with the Benczkowski Memorandum and despite Stryker being a repeat offender, the SEC's imposition of the monitor was still narrowly tailored to the specific conduct at issue in the investigation.
In re EFP Rotenberg
EFP Rotenberg LLP (EFP Rotenberg), a registered public accounting firm, reached a settlement agreement with the SEC in July 2016 for violating Section 10A(a) of the Exchange Act. In connection with EFP Rotenberg's audit of ContinuityX Solutions, Inc (ContinuityX), EFP Rotenberg failed to implement proper procedures to 'obtain appropriate audit evidence that ContinuityX's revenue was legitimate', despite being aware of significant risk with ContinuityX's reported revenues. EFP Rotenberg further failed to perform procedures, as required by Section 10A(a), identify related party transactions, obtain appropriate evidence to support its audit opinion, and resolve inconsistencies in document findings. The administrative order also noted that EFP Rotenberg improperly relied on management representations, failed to exercise due professional care, and that its policies and procedures were deficient. As a result of this misconduct, ContinuityX's Form 10-K contained several material misstatements and omissions of material fact.
In addition to censure, cease and desist, and a $100,000 fine, the SEC required EFP Rotenberg to retain 'an independent consultant' to review and evaluate EFP Rotenberg's audit and interim review policies and procedures for a variety of conduct. Unlike the initial appointment in WorldCom, however, the SEC tailored the scope of the monitor's appointment to specific conduct relevant to the investigation, including:
- 'the exercise of due professional care' in audits;
- 'obtaining sufficient appropriate audit evidence';
- checking third-party confirmations;
- 'detecting and reporting misstatements resulting from illegal acts';
- identifying and considering 'the adequacy of the disclosures of related parties and related party transactions';
- evaluating and relying upon management representations;
- supervising 'individuals working on audits'; and
Notably, and consistent with current guidance from the DOJ memoranda, each of the items the monitor was to inspect was tied to a relevant deficiency in EFP Rotenberg's controls that was referenced in the SEC's order. The SEC also prevented EFP Rotenberg from retaining any new clients until the independent consultant certified compliance with the recommended changes.
In the Matter of Voya Financial Advisors, Inc
Most recently, the SEC has turned its attention toward enforcement actions involving cybersecurity issues. These actions have used monitors as a remedy where the companies that are the subject of security breaches do not have adequate data security policies.
For example, in September 2018, the SEC concluded one such enforcement action in a matter involving Voya Financial Advisors (VFA). The conduct at issue invoked the Identity Theft Red Flags Rule (Rule 201 of Regulation S-ID). This rule requires investment firms to create and maintain a policy that safeguards customer information from identity theft, and pay attention to 'red flag' warning signs that hackers may be attempting to steal information. In 2016, hackers infiltrated VFA and gained access to personal information for 5,600 VFA customers by calling a support hotline and requesting password resets. Key to the SEC's allegations was that VFA's security policy was not updated for 10 years, and it was not administered by the company's senior management, as required by the rule. In settling the SEC's charges, VFA agreed to pay a $1 million penalty and was required to undertake a list of remedial actions and engaging a monitor.
The monitor, termed a 'compliance consultant' in the settlement, was tasked with conducting a comprehensive review of VFA's data security policies and procedures, specific to the violation. This case demonstrates how the SEC is continuing to find new ways to use monitors to remedy alleged misconduct, while still tailoring the monitorship to the specific misconduct at issue and consistently with guidance.
SEC monitors: common elements
Examining administrative and civil federal court enforcement orders appointing monitors reveals certain common themes. While the scope of a monitor's appointment will be tailored to the relevant misconduct that the SEC seeks to prevent, the terms of monitorships remain fairly consistent. Indeed, almost all monitor appointments will include the following elements:
- Retention of an independent monitor by the organisation that is acceptable to the SEC. To ensure independence, the SEC often requires that the monitor has not provided any professional services to the organisation within a specified time period (including services provided as a former employee or board member).
- A prohibition against terminating the monitor without approval from SEC staff, and an express waiver against any claim that an attorney–client relationship exists between the company and the compliance monitor. This requirement prevents the company from withholding information on the basis that it communicated with the monitor on a privileged basis.
- A requirement that the company bear all costs and expenses associated with the monitor.
- A description of the business areas that the monitor is to review and evaluate.
- A requirement that the monitor have reasonable access to company records, employees, and information as required to properly evaluate and assess the specified areas.
- A requirement that the monitor issue an initial report and provide a copy to the SEC within a specified time period. Such a report will summarise the review, evaluate the business areas identified, and make appropriate recommendations to mitigate risks in the specified areas.
- In many cases, an organisation is also required to adopt the recommendations contained within the initial report within a specific time period. If the company believes that any recommendations are 'unnecessary, unduly burdensome, or impractical', it may submit a written alternative proposal to the monitor and the SEC. The monitor and the organisation can then negotiate an alternative proposal within a specified time period. If no agreement can be reached, the organisation must either abide by the original proposal or submit its objections to the SEC for consideration. In some instances, the organisation may be able to obtain a third party mediator to resolve the issue.
- Following the recommendations, the organisation must eventually certify, within a specified period time, that it has complied with the recommendations and implemented all required changes.
- Finally, after the organisation certifies implementation, the monitor is required to re-examine the organisation at a later date to ensure it remains in compliance with the recommendations. The monitor will then issue a final report to the SEC and certify compliance.
While no two cases are identical, recent SEC orders requiring monitors generally include some form of the terms referenced here, with modifications based on the scope of the review, the length of the monitor appointment, and the severity of the conduct.
Costs and benefits of SEC monitors
Generally, a corporate monitor imposed by the SEC can be beneficial for both the organisation and the SEC. The monitor can recommend, as well as help implement and guide, necessary changes to an organisation's internal system controls to prevent future investigations, penalties, and fines by the SEC and other regulators. Further, agreeing to a monitor as part of a settlement could end any litigation or investigation sooner than it would otherwise, and could reduce penalties and ameliorate collateral consequences.
However, monitorships are expensive and often intrusive. That cost can be quite high, especially where the monitor has been empowered to oversee significant or large parts of the organisation's operations and where the monitor's tenure is several years. An alternative, therefore, to an independent monitor that may be suggested in a settlement negotiation is the imposition of a 'self-monitoring' arrangement that requires the entity to charge an independent committee of the board of directors to appoint an individual to make periodic reports on progress with undertakings and agree to report any reasonable suspicions of violations of the federal securities laws.
As SEC-imposed monitors have taken their modern form in the wake of WorldCom, the SEC's use of monitors has become widespread across a variety of industries for a broad range of conduct. While the use of monitors has expanded, recent trends and DOJ guidance demonstrate that the SEC has shifted from seeking all-encompassing roles for monitors to roles that are more tailored to remediating the problematic behaviour outlined in the charging or settlement papers. Even with this narrower scope, an organisation should still carefully evaluate the benefits and costs of accepting a monitor appointment as part of the resolution of an SEC investigation. Monitor appointments are unlikely to wane anytime in the near future, and, if anything, will likely be used more frequently to aid the SEC's regulatory function in a variety of contexts to protect the public from perceived recidivist corporate misconduct.
Subscribe here for related content, breaking news and market analysis from Global Investigations Review.
Global Investigations Review provides exclusive news and analysis and other thought-provoking content for those who specialise in investigating and resolving suspected corporate wrongdoing.