NEW YORK (Reuters) - Karen Seymour had high hopes for Sarbanes-Oxley. Ten years ago, when the law was passed, Seymour was chief of the criminal division of the U.S. Attorney's Office in Manhattan, which is regarded as the country's most prolific prosecutor of financial crimes. When she read Sarbanes-Oxley's certification provisions, which specify that CEOs and CFOs can be sent to prison for falsely certifying corporate financial reports and reports on internal controls, she thought she finally had a way of getting at wrongdoing by top officials. "I thought it was going to be a really good tool," she said in an interview this week. "But it never really developed."
As Sarbanes-Oxley marks its 10th anniversary on Monday, its promise of holding CEOs and CFOs criminally responsible remains unfulfilled. The law states that if top corporate executives knowingly sign off on a false financial report, they're subject to a prison term of up to 10 years and a fine of up to $1 million, with penalties escalating to 20 years and $5 million if their misconduct is willful. After accounting scandals at Enron, WorldCom and a host of other public companies, SOX's certification provisions, according to Seymour and other former prosecutors, seemed like a clean, simple way to tie CEOs and CFOs to corporate crimes.
But in practice, exceedingly few defendants have even been charged with false certification, and fewer still have been convicted. The most notorious SOX criminal case, against former HealthSouth CEO Richard Scrushy, ended in an acquittal in 2005. In 2007, the former CFO of a medical equipment financing company called DVI pleaded guilty to mail fraud and false certification and was sentenced to 30 months in prison. In a more recent case, a SOX false certification charge against former Vitesse CEO Louis Tomasetta was dismissed.(Tomasetta's trial on other charges ended in a mistrial in April.) The Justice Department doesn't directly track Sarbanes-Oxley prosecutions, so there may be another case here or there. Even four or five SOX criminal cases in 10 years, though, makes them as rare as a blue moon.
There's been renewed interest in Sarbanes-Oxley as a potential tool in investigations of Wal-Mart's alleged Mexican bribery and JPMorgan's risky credit default swap trading. On "60 Minutes" last December, correspondent Steve Kroft raised the prospect of using SOX to prosecute bank executives for their role in the mortgage crisis.
That makes the question of why, after a decade, Sarbanes-Oxley hasn't been a boon to the prosecution of corporate crime all the more pressing. Why aren't SOX's false certification provisions producing the sort of quick, easy cases that prosecutors like Seymour envisioned when the law was first passed?
The answer, according to five current and former federal prosecutors, lies partly in the specifics of the certification provisions and partly in how corporations have responded to Sarbanes-Oxley. Most major corporations have implemented internal compliance systems that make it very difficult to show that the CEO or CFO knowingly signed a false certification. And when prosecutors have enough evidence to show that those internal systems failed and top executives knowingly engaged in wrongdoing, they prefer, for strategic reasons, to charge crimes other than false certification.
After Sarbanes-Oxley was passed, said former Enron prosecutor Thomas Hanusik, now a partner at Crowell & Moring, most large corporations put in place multiple layers of subcertification, requiring lower-level officials to attest to the accuracy of financial reports all the way up the chain to the CEO and CFO. "It was a natural reaction," said Hanusik. "CEOs and CFOs looked at Sarbanes-Oxley and said, 'How can I possibly sign this without subcertifications?'" Former fraud prosecutor Joshua Hochberg, who is now a specialist in internal investigations at McKenna Long & Aldridge, said he often sees corporate minutes in which CEOs simply refuse to sign a certification unless lower-tier officials sign first.
The subcertification process has two effects. First, it forces corporations to be more vigilant about financial reporting at all levels, which is likely one of the reasons there have been few accounting scandals at major public corporations since Sarbanes-Oxley took effect. In that regard, the law is doing what it's supposed to, encouraging accountability and deterring fraud.
But subcertifications also insulate CEOs and CFOs from false certification charges. To prove SOX charges, prosecutors have to show that top officials signed off on financial reports they knew to be false. That's much tougher when CEOs and CFOs can point to the certifications they received from lower-rung execs. "Whether that's foolproof, I don't know. But I've certainly argued it to prosecutors," said Seymour, who's now in private practice at Sullivan & Cromwell. "I've said, ‘Everything he knew, he relied on other people to tell him.'"
"Unless you can get actual knowledge in the guy's hands," added Philip Urofsky of Shearman & Sterling, "(the CEO) can say, ‘We have systems in place, the unit heads certified, I can't go to every third-tier subsidiary and check results.'" Both Urofsky and Seymour said they've represented clients under investigation only for SOX false certification, and prosecutors have ultimately decided not to bring charges.
Subcertification and other compliance systems, in other words, are a strong shield against prosecution for top officers who weren't directly involved in corporate wrongdoing. What about those who were involved, though? What about CEOs and CFOs who were explicitly aware that their financial reports were misleading or their internal controls were inadequate, yet certified them anyway?
In those cases, SOX false certification charges are almost always a less-desirable alternative to fraud or other criminal false reporting charges. When prosecutors have strong evidence of corporate wrongdoing, they have an array of options, from wire and mail fraud to lying to auditors or making false statements to federal officials. In the Foreign Corrupt Practice Act context, where SOX false certification could also be asserted, prosecutors already have books-and-records charges at their disposal. Those are all tried-and-true criminal offenses that show up in case after case against corporate defendants. Savvy prosecutors often don't charge every possible crime, since that makes a case unwieldy and could alienate jurors. And if they're picking and choosing, there are good strategic reasons not to include SOX charges that essentially duplicate similar counts in the indictment.
Defendants charged with SOX false certification, for instance, could show jurors evidence of the corporation's compliance systems. At the very least, such evidence could distract the jury; at best, it's a chance for defendants to shift the blame for alleged crimes. "You have to ask what you're opening the door to," said Urofsky. Moreover, false certification doesn't carry penalties as severe as some of the other corporate crime charges, and it can be tougher to prove than, say, lying to auditors who are available to testify.
Don't count SOX false certification out yet. There could be circumstances in which it's still the best law prosecutors can assert, especially when they can show a CEO or CFO had direct knowledge of squirrelly behavior. If nothing else, SOX false certification is a sword prosecutors can hang over the heads of potential defendants, since no CEO or CFO welcomes the prospect of spending 10 years in prison for signing a financial report. And the Securities and Exchange Commission has brought dozens of civil cases alleging false certification under Sarbanes-Oxley, including civil SOX charges in an FCPA case the SEC filed in March.
Nevertheless, as Sarbanes-Oxley turns 10, it's time to admit that SOX is not a sufficiently powerful law, on its own, to keep corporate executives honest. Then again, what law is?
(Alison Frankel writes the On the Case blog for Thomson Reuters News & Insight (newsandinsight.com). The views expressed are her own.)
Reporting by Alison Frankel; Editing by Eddie Evans