A Few Things Directors Should Know About the SEC
Chair Mary Jo White
Stanford University Rock Center for Corporate Governance
Twentieth Annual Stanford Directors’ College
June 23, 2014
Thank you very much for that kind introduction. I am honored to be here tonight before this audience to talk about a few of the many things that directors should know about the SEC.
The Stanford Directors’ College is a remarkable program. It brings together directors and senior executives from start-ups to the largest public companies in America, to learn and share experiences with each other and with some of the top lawyers, jurists, and academics. I hope my remarks tonight will add a little to the insights you are absorbing here.
The SEC today has about 4,200 employees, located in Washington and 11 regional offices across the country, including one in San Francisco that is very ably led by Regional Director Jina Choi, who is here tonight. Many of you have likely had some contact with our Division of Corporation Finance, which, among other things, has the responsibility to review your periodic filings and your securities offerings. Some of you that work for or represent a company that we oversee know our staff in our National Exam Program, and I imagine a few of your companies know something about our Enforcement Division staff. Our other major divisions are Investment Management, Trading and Markets and the Division of Economic and Risk Analysis.
So that is just a quick snapshot of the structure of the SEC and as you undoubtedly know, the SEC has a lot on its regulatory plate that is relevant to you – completion of the mandated rulemakings under the Dodd Frank Act and JOBS Act, adopting a final rule on money market funds, enhancing the structure and transparency of our equity and fixed income markets, reviewing the effectiveness of disclosures by public companies, to name just a few. But what you may not be as focused on is the mindset of the agency on some other things that are also relevant to you as directors.
I have selected three such topics for tonight: one attitudinal, one advisory, and one more descriptive, but all of which I think are important. I will begin with how the SEC thinks about the important role that you occupy as gatekeepers for your shareholders; next, I will discuss how we view self-reporting of wrongdoing and cooperating in SEC investigations; and then I will finish with a description of the SEC’s whistleblower program, how it works and how the SEC thinks about the relationship between it and a company’s own internal compliance programs.
Directors Are Essential Gatekeepers
Those of you who are directors play a critically important role in overseeing what your company is doing, and by preventing, detecting, and stopping violations of the federal securities laws at your companies, and responding to any problems that do occur. In other words, you are the essential gatekeepers upon whom your investors and, frankly, the SEC rely. We see you as our partners in the effort to ensure that investors in our capital markets can invest with confidence and, hopefully, success.
At the SEC, we typically use the term “gatekeeper” to refer to auditors, lawyers, and others who have professional obligations to spot and prevent potential misconduct. And while there are certainly other gatekeepers who may be closer to some of the action or more familiar with the details of a transaction or a disclosure document, a company’s directors serve as its most important gatekeepers. For by law, it is ultimately the fiduciary responsibility of the board of directors to oversee the business and affairs of a company.
In discharging this important responsibility, it is essential for directors to establish expectations for senior management and the company as a whole, and exercise appropriate oversight to ensure that those expectations are met. It is up to directors, along with senior management under the purview of the board, to set the all-important “tone at the top” for the entire company.
Ensuring the right “tone at the top” for a company is a critical responsibility for each director and the board collectively. Setting the standard in the boardroom that good corporate governance and rigorous compliance are essential goes a long way in engendering a strong corporate culture throughout an organization.
How directors can most effectively instill a strong corporate culture and how challenging it is to do so will vary from company to company. CEOs come with a range of experiences and perspectives. Many, including some here in Silicon Valley, are, at heart, innovators whose day job has come to include being the business leader of a public company. As board members, one of the most important duties you have is to select the right CEO for your company and to ensure that he or she “gets it,” in terms of understanding the importance of tone at the top and a strong corporate culture. Deficient corporate cultures are often the cause of the most egregious securities law violations, and directors, both directly and through the oversight of senior management, play a key role in shaping the prevailing attitude and behaviors within a company.
As a former director and member of an audit committee of a public company, I know the heavy responsibilities you bear and the time-consuming work that is required of you. The best advice I can give for being an effective director is to learn and be engaged. As directors, you must understand your company’s business model and the associated risks, its financial condition, its industry and its competitors. You must pay attention to what senior managers say, but also listen for the things they are not saying. You have to know what is going on in your company’s industry, but also the broader market. You need to know what your company’s competitors are doing and what your shareholders are thinking.
At the risk of hearing a collective groan in response, I would also urge you to consider another outside view that would also be useful to you as a director – the view of your regulators. Listen to what they say publicly is important to them, what is problematic to them. Talk to them. Perhaps visit them. I know of an audit committee chair who visits all of his company’s major regulators once a year, including the international regulators. You may get an earful from time-to-time, but it will be invaluable input for you as a director.
To state the obvious, you must ask the difficult questions, particularly if you see something suspicious or problematic, or, simply, when you do not understand. You should never hesitate to ask more questions, and, always, insist on answers when questions arise. It also goes without saying that you should never ignore red flags. It is your job to be knowledgeable about issues, to be vigilant in protecting against wrongdoing, and to tackle difficult issues head on.
Of course, it is always important for you to know what your shareholders – the owners of your company – are thinking. As most boards today recognize, an open and constructive dialogue with shareholders is not only the right thing to do, but also very helpful in providing perspective on the challenges a company is facing. Many institutional shareholders have unique insights on industry dynamics, competitive challenges and how macroeconomic events are shaping the environment for your company. But it is important not to forget about your other shareholders. There is real value in listening to their views and their voice, as well.
Look thoughtfully at the proposals shareholders are submitting to your company. Ask your management team about them and about the proposals that other companies are receiving that could be relevant to your company. Look at the voting results at shareholder meetings – the percentage of votes for a shareholder– supported resolution or against a management–supported resolution are important, irrespective of whether the resolution is approved, or not.
Ethics and honesty can become core corporate values when directors and senior executives embrace them. This includes establishing strong corporate compliance programs focused on regular training of employees, effective and accessible codes of conduct, and procedures that ensure complaints are thoroughly and fairly investigated. And, it must be obvious to all in your organization that the board and senior management highly value and respect the company’s legal and compliance functions. Creating a robust compliance culture also means rewarding employees who do the right thing and ensuring that no one at the company is considered above the law. Ignoring the misconduct of a high performer or a key executive will not cut it. Compliance simply must be an enterprise-wide effort.
One question we are often asked is whether some of the things we are doing may actually discourage strong directors from serving on boards because of the risk that they may unfairly find themselves on the wrong end of an SEC enforcement action. While we do bring cases against directors, these cases should not strike fear in the heart of a conscientious, diligent director. Let me give a couple of examples to show you what I mean.
We recently brought two cases against audit committee chairs, an infrequent but disturbing occurrence.
In one case, the chair of the audit committee, along with other top executives, were charged for their role in a massive accounting fraud in which the company reported nearly a quarter billion dollars of fictitious revenue. The complaint alleges that, in the face of massive red flags, including emails indicating serious problems with the oversight of financial reporting, a report from an internal review detailing how revenue had been falsified, and a recommendation to retain a third-party to investigate, the audit committee chair failed to ensure a proper investigation and disclosure of the scheme.
In the second case, the audit committee chair was charged for signing an annual report that contained a false Sarbanes-Oxley certification. After being informed that the company had lied about who was running the business, the audit committee chair helped advance the fraud by signing a Form 10-K that failed to disclose the false representation. As I trust you will agree, these were clear lines crossed by directors not doing their jobs, and then some.
I mention these cases because audit committees, in particular, have an extraordinarily important role in creating a culture of compliance through their oversight of financial reporting. As you know, under the Sarbanes-Oxley Act, audit committees are required to establish procedures for handling complaints regarding accounting, internal controls, and auditing matters, as well as whistleblower tips concerning questionable accounting or auditing practices. Audit committees also play a critical role in the selection and oversight of the company’s auditors. These responsibilities are critical ones and we want to support you. Service as a director is not for the faint of heart, but nor should it be a role where you fear a game of “gotcha” is being played by the SEC.
Self-Reporting and Cooperation
Even in the best run companies with strong boards, the right tone at the top and robust compliance programs, wrongdoing will almost inevitably occur from time-to-time. What should you do when that happens? How should you respond? What does the SEC expect you to do? When should a company self-report wrongdoing to the SEC or other authorities? All of these questions require careful consideration and appropriate action. For tonight, I will focus just on the last one about self-reporting.
If your company has uncovered serious wrongdoing, you will need to decide whether, how and when to report the matter to the SEC. One immediate question you will have to answer is whether what has been discovered constitutes material information that requires public disclosure. If the answer is yes, that fact will also invariably dictate an obvious affirmative answer to broader self-reporting to the SEC.
In other situations, you will need to decide whether to call us about a serious, but non-material event – perhaps a rogue employee in a small foreign subsidiary has been bribing a foreign official in violation of the Foreign Corrupt Practices Act (“FCPA”). You intend to take decisive action against the employee and enhance your FCPA compliance program. Your disclosure lawyer’s view is that the occurrence does not require public disclosure. That does not, however, end your inquiry or responsibilities. Your company still needs to decide whether to self-report to the SEC, and consider what that may mean for the company.
As many of you know, the Commission in the 2001 Seaboard statement on cooperation, explained how self-reporting, cooperation, self-policing, and remediation factor into our decisions when considering enforcement actions. And, I can tell you from experience that of those four factors, self-reporting is especially important to both the SEC and the Department of Justice.
What are the benefits to your company of self-reporting? You can read about that in the SEC’s press releases on enforcement actions, which routinely highlight how the quality of a company’s cooperation has affected any resulting enforcement action. Typically, a company realizes the benefits of cooperation through a reduced penalty, or, at times, no penalty or even not proceeding in an exceptional case.
Not that you should need any extra incentive, but keep in mind that there are also downsides in deciding not to self-report. If the wrongdoing is not self-reported, the opportunity to earn significant credit for cooperation may be lost. And, with our new whistleblower program, which I will discuss in a moment, the SEC is more likely than ever to learn of the misconduct through another channel.
Let me just say a few words about how to cooperate with SEC investigations.
As an initial matter, the decision to cooperate should be made early in the investigation. The tone and substance of the early communications we have with a company are critical in establishing the tenor of our investigations and how the staff and the Commission will view your cooperation in the final stages of an investigation. Holding back information, perhaps out of a desire to keep options open as the investigation develops, can, in fact, foreclose the opportunity for cooperation credit. We are looking for companies to be forthcoming and candid partners with the SEC investigative team – and the board has a responsibility to ensure that management and the legal team are providing this kind of cooperation.
When choosing the path of self-reporting and cooperation, do so decisively. Make it clear from the outset that the board’s expectation is that any internal investigation will search for misconduct wherever and however high up it occurred; that the company will act promptly and report real-time to the Enforcement staff on any misconduct uncovered; and that the company will hold its responsible employees to account.
There is, of course, cooperation and then there is cooperation, just as there are compliance programs that look great on paper but are not strongly enforced. We know the difference. Cooperation means more than complying with our subpoenas for documents and testimony – the law requires you to do that. If you want your company to get credit for cooperation – and you should – then sincere and thorough partnering with the Division of Enforcement to uncover all the facts is required.
The SEC Whistleblower Program
One possibility that companies worry about is that whistleblowers may get to the SEC first with evidence of corporate wrongdoing that is either unknown to senior management or that the company has not yet reported to the government. As you know, under the Dodd-Frank Act, the SEC created a new whistleblower program, which provides monetary awards to individuals who provide original information to the SEC that leads to an enforcement action resulting in monetary sanctions that exceed $1 million. Last year, the SEC awarded over $14 million to a single whistleblower whose information led to an SEC enforcement action that recovered very substantial investor funds. And earlier this month, we awarded more than $875,000 split between two whistleblowers who provided valuable tips and assistance that helped us bring a significant enforcement action. These rewards provide a powerful financial incentive to report wrongdoing to us.
The SEC’s whistleblower program, which has been fully operational for three years, has already had a significant impact on our investigations. We received over 3,000 whistleblower tips in each of the last two fiscal years  and many of these were of high quality and extremely useful. They have helped the Enforcement Division identify more possible fraud and other violations and earlier than would otherwise have been possible.
It is important to emphasize, however, that the whistleblower program is designed to motivate those with reliable information about misconduct to come forward, while also encouraging them to work within their company’s own compliance procedures. If a whistleblower first reports to the company and then reports to the SEC within 120 days, the whistleblower not only receives credit for the information the company discovers as part of its internal inquiry, but the whistleblower is also considered to have reported to the SEC on the date he or she first reported to the company.  And, we consider whether the whistleblower first reported wrongdoing to the company as a factor that determines the amount of an award, something we generally regard as a positive for the whistleblower.
Because of these incentives, we find that in-house whistleblowers often have first reported the issue internally at their company. That is a good thing. And we would expect that you, as directors, are fostering a culture that affirmatively encourages and empowers employees to report wrongdoing and, of course, without fear of being harassed, demoted, or fired.
The Dodd-Frank Act also provided the SEC with expanded authority to protect whistleblowers by bringing enforcement actions against companies that retaliate against whistleblowers for reporting misconduct. And, last week, we exercised that authority for the first time when we brought an action against a company for retaliating against a whistleblower who reported a possible securities violation to the Commission. We take any retaliation against whistleblowers very seriously and will continue to aggressively take action whenever companies attempt to stifle, deter, or punish efforts to expose wrongful conduct.
Let me end our discussion of whistleblowers with one final word of advice that I have passed on to my staffs at the SEC and in the United States Attorney’s Office, and to my former clients in private practice. You may well have doubts about the bona fides of a particular whistleblower – perhaps because his or her prior nine tips have not proven to be true or management tells you that the would-be whistleblower is a disgruntled employee. But always think – because it is so – that her tenth tip may be right on target. The bottom line is that it is a mistake not to take all tips from whistleblowers seriously.
I will conclude my remarks tonight where I started them. You, as critical gatekeepers, share in the SEC’s mission to ensure that investors in our capital markets can invest with confidence, knowing that a company’s disclosures are accurate, that their finances have been adequately and transparently reported and audited, and that their management is carrying out the business in the way they have said they are. Our capital markets are the strongest in the world. An engaged, committed director community is one of the keys to maintaining that strength. Thank you for all you do.
 See SEC v. WorldCom, 2003 WL 22004827 (S.D.N.Y Aug. 26, 2003) (“[B]oards of directors, outside auditors and outside counsel are the gatekeepers of behavior standards who are able to prevent damage before it occurs if they are alert, and above all if they are willing to act when necessary. A common denominator in many of the major frauds has been the failure of these gatekeepers to stop improper practices at the outset.).
 8 Del.C. § 141(a) (“The business and affairs of every corporation organized under this chapter shall be managed by or under the direction of a board of directors, except as may be otherwise provided in this chapter or in its certificate of incorporation.”). See also, Revlon, Inc. v. MacAndrews & Forbes Holdings, Inc., 506 A.2d 173, 179 (1986). “In discharging this function the directors owe fiduciary duties of care and loyalty to the corporation and its shareholders.” Revlon, Inc. v. MacAndrews & Forbes Holdings, Inc., 506 A.2d 173, 179 (1986).
 See Press Release No. 2014-47, SEC Charges Animal Feed Company and Top Executives in China and U.S. With Accounting Fraud (Mar. 11, 2014), available at http://www.sec.gov/News/PressRelease/Detail/PressRelease/1370541102314.
 See Press Release No. 2014-59, SEC Announces Fraud Charges Against Coal Company and CEO for False Disclosures About Management (Mar. 27, 2014), available at http://www.sec.gov/News/PressRelease/Detail/PressRelease/1370541317697.
 See Exchange Act Section 10A(m)(4).
 See Exchange Act Section 10A(m).
 See Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 and Commission Statement on the Relationship of Cooperation to Agency Enforcement Decisions, Release No. 34-44969 (Oct. 23, 2001) (commonly referred to as the “Seaboard report”).
 See, e.g., Press Release No. 2013-65, SEC Announces Non-Prosecution Agreement With Ralph Lauren Corporation Involving FCPA Misconduct (Apr. 22, 2013), available at http://www.sec.gov/News/PressRelease/Detail/PressRelease/1365171514780 (listing various ways that the entity cooperated with the SEC, and noting its “significant remedial measures,” which led to a non-prosecution agreement); Lit. Release No. 22589, SEC Charges Volt Information Sciences, Inc. and Two Former Officers with Securities Fraud (Jan. 11, 2013), available at http://www.sec.gov/litigation/litreleases/2013/lr22589.htm (noting entity’s cooperation and significant remediation efforts in connection with a settlement where the entity paid no civil penalty); Press Release No. 2011-37, SEC Charges AXA Rosenberg Entities for Concealing Error in Quantitative Investment Model (Feb. 3, 2011), available at http://www.sec.gov/news/press/2011/2011-37.htm (noting that the SEC considered the entities’ remedial actions and cooperation in settling with the entities).
 See Press Release No. 2013-209, SEC Awards More than $14 Million to Whistleblower (Oct. 1, 2013), available at http://www.sec.gov/News/PressRelease/Detail/PressRelease/1370539854258.
 See Press Release No. 2014-113, SEC Awards $875,000 to Two Whistleblowers Who Aided Agency Investigation (June 3, 2014), available at http://www.sec.gov/News/PressRelease/Detail/PressRelease/1370541980219.
 2013 Annual Report to Congress on the Dodd-Frank Whistleblower Program, available at http://www.sec.gov/whistleblower/reportspubs/annual-reports/annual-report-2013.pdf.
 See Exchange Act Rule 21F-4(c).
 See Exchange Act Rule 21F-4(b)(7).
 See Exchange Act Rule 21F-6(a)(4).
 See Exchange Act Rule 21F-2.
 See Press Release No. 2014-118, SEC Charges Hedge Fund Adviser With Conducting Conflicted Transactions and Retaliating Against Whistleblower (June 16, 2104), available at http://www.sec.gov/News/PressRelease/Detail/PressRelease/1370542096307.