Sarbanes-Oxley Act (SOX): CEOs and CFOs Face Personal Liability
The Sarbanes-Oxley Act (SOX) was enacted to protect investors from corporate accounting fraud. In addition to imposing various corporate compliance obligations, SOX also creates personal liability risk for corporate executives.
Specifically, CEOs and CFOs face the risk of substantial fines and long-term federal imprisonment if they violate SOX’s personal certification requirements. As the U.S. Department of Justice (DOJ) explains, the law’s annual certification requirements apply to “the signing officer” who was in the role during the covered period—and failing to fulfill these requirements can have severe consequences for those who sign off on the annual filings submitted to the U.S. Securities and Exchange Commission (SEC).
The Personal Certification Requirements Under SOX
Broadly, SOX requires public companies’ CEOs and CFOs to certify that their companies’ annual reports are both accurate and in compliance with all applicable federal laws and regulations. Under the statute, CEOs and CFOs must certify not only the accuracy of the financial statements included in public companies’ annual reports, but also the efficacy of their companies’ internal controls.
The specific personal certification requirements under SOX are:
1. Section 302
Section 302 of SOX requires public companies’ CEOs and CFOs to certify (i) the accuracy of their companies’ financial statements, and (ii) that their companies’ internal controls are effective. While SOX Section 302 primarily addresses corporate reporting requirements, it also imposes personal certification obligations on CEOs and CFOs.
Notably, Section 302 does not require CEOs and CFOs to certify their companies’ compliance with generally accepted accounting principles (GAAP). However, companies must still prepare their financial statements in accordance with GAAP, and CEOs and CFOs should not sign personal certifications under Section 302 if they know that their companies have violated GAAP’s requirements.
2. Section 906
Section 906 of SOX requires CEOs and CFOs to certify that their companies’ annual reports “fully compl[y] with the requirements of section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) and that information contained in the periodic report fairly presents, in all material respects, the financial condition and results of operations of the issuer.” While Section 906 does not specifically discuss internal controls, they are referenced in Sections 13(a) and 15(d) of the Securities Exchange Act, as well as in SEC Regulation S-K (which interprets and implements these statutory provisions).
Penalties for Violating the Personal Certification Requirements Under SOX
CEOs and CFOs who violate the personal certification requirements under SOX can face criminal prosecution by the DOJ. Federal prosecutors can pursue charges under Section 906 as well as under various other federal statutes—including the federal wire fraud statute and the False Statements Act.
The statutory penalties for violating the personal certification requirements under SOX are:
- To knowingly certify a public company’s annual report when it does not comply with federal securities laws or SEC regulations (including GAAP) is a criminal felony punishable by a fine of up to $1,000,000 and up to 10 years of federal imprisonment.
- To willfully violate the personal certification requirements under SOX is a criminal felony punishable by a fine of up to $5,000,000 and up to 20 years of federal imprisonment.
Along with fines and prison time, CEOs and CFOs who violate the personal certification requirements under SOX can face additional penalties. For example, under Section 1103 of SOX, public companies’ CEOs and CFOs can be subject to an SEC order freezing their personal assets if they are suspected of being involved in a SOX violation. The SEC can seek a freeze order before (or even without) filing a formal complaint, and it can obtain a freeze order on an ex parte basis (i.e., without having to provide the CEO or CFO with advance notice).
CEOs and CFOs who violate the personal certification requirements under SOX can face civil enforcement action and penalties as well. While SOX generally focuses on the public companies themselves, some provisions can apply to CEOs and CFOs, and the SEC can pursue civil enforcement action for alleged violations of the Securities Exchange Act, the SEC’s regulations, and other provisions of federal law. For example, under Section 1102 of SOX, it is a criminal offense to “corruptly alter[], destroy[], mutilate[], or conceal[] a record, document, or other object, or attempt[] to do so, with the intent to impair the object’s integrity or availability for use in an official proceeding.” Attempting to alter or conceal corporate records is also a civil offense that can trigger substantial penalties.
When Are CEOs and CFOs at Risk of Facing Personal Liability Under SOX?
Given the substantial risks involved, CEOs and CFOs need to do everything they can to avoid violating SOX’s personal certification requirements. This starts with understanding the risks involved.
The SEC and DOJ can pursue enforcement action against CEOs and CFOs for SOX violations that are either knowing or willful. As discussed above, knowing violations carry maximum fines of $1,000,000 and up to 10 years of federal imprisonment, while willful violations carry fines of up to $5,000,000 and up to 20 years of federal imprisonment. So, when are SOX violations considered knowing, and when are they considered willful?
Knowing SOX Violations: When a CEO or CFO certifies an annual report knowing that it contains false or misleading information, this is considered a knowing SOX violation. For example, if a CEO or CFO certifies financial statements knowing that those statements are not in compliance with GAAP, this would constitute a knowing violation. The same is true if a CEO or CFO certifies a company’s annual report knowing that the company’s internal controls are not in compliance with federal law.
Willful SOX Violations: When a CEO or CFO not only knows that a company’s annual report or internal controls are not in compliance, but takes affirmative steps to hide or perpetuate the noncompliance, this is considered a willful SOX violation. In effect, knowingly violating SOX is a criminal offense, and willfully violating SOX is an aggravated criminal offense.
FAQs: Avoiding Personal Liability Under SOX
How Can CEOs and CFOs Avoid Personal Liability Under SOX?
To avoid personal liability under SOX, CEOs and CFOs must have a clear understanding of their companies’ annual reporting and internal control compliance obligations. They must also have a clear understanding of their companies’ annual reporting procedures and internal control mechanisms. CEOs and CFOs must ensure that their companies’ systems are functioning properly and in compliance with all pertinent federal laws and regulations. They must also ensure that their companies’ annual reports and other filings with the SEC contain only truthful and complete information.
What Happens if a CEO or CFO Violates SOX?
If a CEO or CFO violates SOX, the SEC or DOJ may launch a federal investigation. If the SEC or DOJ uncovers evidence of a violation, it may bring formal charges, and the CEO or CFO may face fines and federal imprisonment.
How Does the SEC Investigate SOX Violations Involving CEOs and CFOs?
The SEC investigates SOX violations involving CEOs and CFOs using several means. Typically, the SEC’s SOX investigations involve a combination of whistleblower complaints, mandatory filings, and compliance monitoring.
When Can CEOs and CFOs Be Held Personally Liable Under SOX?
CEOs and CFOs can be held personally liable under SOX when they violate the statute’s personal certification requirements. CEOs and CFOs can also face personal liability for conspiring to violate SOX’s corporate reporting requirements and for attempting to defraud investors.
What Are the Potential Consequences of Violating SOX’s Personal Certification Requirements?
In broad terms, the potential consequences of violating SOX’s personal certification requirements include substantial fines and long-term federal imprisonment. The specific consequences in any particular case will depend on the specific allegations against the CEO or CFO and the severity of the alleged violation.