Yesterday, the Corp Fin Staff released another set of Compliance & Disclosure Interpretations updates. As the Goodwin Public Company Advisory blog highlighted yesterday, the big news here is that four CDIs were updated or withdrawn to allow all Form S-3 issuers, not just WKSIs, to go effective on Form S-3 registration statements between the Form 10-K filing and the filing of the proxy statement containing forward-incorporated Part III disclosure.
Securities Act Forms CDI 114.05 & Securities Act Rules CDI 198.05 were both updated, and related Securities Act Forms CDI 123.01 was withdrawn. (That CDI previously stated that a registrant filing a non-automatically effective Form S-3 had to either file its proxy or include Part III information in its 10-K before the Form S-3 was declared effective to have a complete Section 10(a) prospectus.) Plus Regulation S-K CDI 117.05 was updated to remove the reference to the withdrawn CDI.
The CDIs also reflect one other substantive change. The Staff added a CDI on Form 20-F (Exchange Act Forms CDI 110.10) that reads as follows:
Question: Item 16F(a) of Form 20-F requires disclosure about a change in a registrant’s certifying accountant. Instruction 2 to this item states the disclosure called for need not be provided if it has been “previously reported,” as defined in Exchange Act Rule 12b-2. The rule states that information has been “previously reported” if it has been reported in, among other things, a report under Exchange Act Sections 13 or 15(d). Would disclosure about a change in accountant that otherwise satisfies the requirements of Item 16F(a) of Form 20-F but has been included in a Form 6-K be considered “previously reported,” such that it does not need to be included in Form 20-F?
Answer: Yes, if the Form 6-K contains disclosure that satisfied the requirements of Item 16F(a), then it is considered “previously reported” and is not required to be included in Form 20-F. [March 20, 2025]
Finally, three CDIs were withdrawn to clean up old references to the share repurchase disclosure modernization rulemaking.
Transition to EDGAR Next starts on Monday! That means the new EDGAR Filer Management website will go live, and filers may begin to enroll. There are multiple important dates to remember for this transition, so here are some more details from the staff of the EDGAR Business Office for a quick refresher:
Amended Form ID will be effective and available on the dashboard.
Enrollment will open. Filers need current passphrase and CCC to enroll. Prior to March 24, 2025, filers without a current passphrase should obtain a new passphrase and filers without a current CCC should obtain a new CCC.
Enroll in EDGAR Next between March 24, 2025 and September 12, 2025 to avoid interruption in filing.
Compliance is required September 15, 2025 in order to file on EDGAR.
The implications of point 2 above are significant! This means that entities and individuals will need to complete the new Form ID application process beginning Monday. Also, just to clarify, points 4 and 6 mean that the current EDGAR platform and EDGAR Next will be running simultaneously between Monday and September 12.
If you feel like you’re already behind when it comes to EDGAR Next and missed Tuesday’s Section16.net webcast “How to Prepare for EDGAR Next,” do yourself a favor and listen to the archive (now available!) and peruse the slides. The speakers — NASPP’s Barbara Baksa, McKesson’s Jim Brashear and HPE’s Linda Epstein — are undoubtedly ahead of the curve and shared tons of practical tips that will help make your EDGAR Next journey a smooth(er) one.
In connection with the previously announced 44th Annual Small Business Forum on April 10 (with options to participate in-person or virtually), the Office of the Advocate for Small Business Capital Formation is asking the public to register in advance and submit suggestions ahead of the Forum. Public input will help shape the capital-raising policy recommendations that the Office will deliver to the Commission and to Congress. Here’s the process detailed in the Office’s outreach email:
– Submit your policy recommendations ahead of the Forum via our submission portal. This allows you time to be thoughtful with your recommendations and allows all voices to be heard.
– We will compile the recommendations from all participants and share at the live event.
– We will reserve time at the end of the event to allow in-person attendees to address the audience briefly to discuss any recommendations submitted. Following this discussion, the recommendations will be opened for voting via our online polling for all participants (including those via webcast).
– Voting allows you to rank the policy recommendations based on what you think is a priority for the Commission and Congress.
– After the event, a report will be delivered to Congress highlighting the event’s discussions and the prioritized policy recommendations, based on participant voting.
If you’d like to submit a recommendation (or two or three), the submission portal is open until April 9.
A week ago, PwC released the results of its 2025 Global Compliance Survey (available for download) that asked 1,802 executives from 63 territories across a wide range of industry sectors about their companies’ current compliance challenges and practices and how they hope to evolve them. Not surprisingly:
– 85% stated that compliance requirements have become more complex in the last three years
– 77% said that their company has been negatively impacted by compliance complexity in several areas that drive growth
– Only 7% consider themselves to be leading in compliance right now
That said, the survey shared some good news too:
– 59% had greater confidence in compliance decision-making due to better coordination
– Respondents cited investments in compliance to take advantage of new technology (32%), enhance effectiveness (30%) and reduce costs (21%)
– 82% plan to invest more in technology to drive compliance activities
– Respondents are already leveraging compliance technology for better visibility of risks and risk management activities (64%), faster identification and proactive response to compliance issues (53%), higher quality/more insightful reporting (48%), and increased productivity and cost savings (43%)
– 71% believe that AI will have a net positive impact overall on compliance
Clearly, the adoption of emerging technologies was an area of focus for survey questions. The report says this will be necessary to keep up with the pace of change. “The level of regulatory change, shifting stakeholder expectations, and changes in industry ecosystems and macro risks, means that responding in a ‘traditional way’ – more people, more controls – is unlikely to be sustainable.”
Speaking of keeping up with the pace of change, this recent KPMG regulatory alert includes a table detailing what it calls “regulatory signals” of the Trump Administration’s mandate for de-regulation. This table is a really helpful tool for compliance professionals who may be struggling to stay on top of developments. Here are the types of “regulatory signals” identified:
– Executive actions (like Executive Orders)
– The use of the Congressional Review Act
– Workforce and organization changes across the federal government
– Pressure on global regulation
– Agency rule or guidance modifications or withdrawals
– Agency withdrawals from legal actions
– Agencies redefining their enforcement focus
It lists specific examples (and descriptions) for each of these to better understand the current regulatory environment. For example, with respect to agencies redefining their enforcement focus, it cites the following:
– Implementation of the Executive Order pausing investigations and enforcement of the FCPA and directing review/revision of the related guidelines and policies.
– Implementation of the DOJ Memo re-prioritizing enforcement focus of FCPA to foreign bribery that facilitates the criminal operations of Cartels and Transnational Criminal Organizations.
– Increased application/ enforcement under the False Claims Act (e.g., DOJ).
– Focus on the “letter of the law”.
– Flexibility toward innovation and technology, including digital assets/crypto and AI.
– Introduction of a framework to assess self-reporting, cooperation, and remediation in investigations and enforcement actions (e.g., CFTC).
– Determination not to enforce fines/ penalties associated with rulemaking (e.g., FinCEN Beneficial Ownership Information reporting requirements).
What does all this mean (at a high level) for compliance professionals? The memo includes these reminders:
– ‘Deregulation’ is not ‘No Regulation’: Despite new directives, shifts in enforcement intensity and priority, and select rule recissions, existing regulations stand and require ongoing adherence.
– New Rulemaking to Plummet: Expect ongoing withdrawals of proposed rules, modifications to existing regulations, and the increasing use of statements versus guidance.
– Quick Investigation/Enforcement Shifts: Expect enforcement activities to focus on the “letter of the law”, and cases to include those deemed “egregious” under the new Administration’s directives and to be impacted by workforce reductions and mission/enforcement shifts (e.g., FCPA, CTA).
– Global Pressures: Expect the Administration to continue pressure globally to “de-regulate”, including but not limited to technology regulations (e.g., DSA, AI Act).
Now that we better understand the shifting regulatory environment, how should companies be responding to change through their compliance programs — beyond investing in technology for process and automation improvements? This Freshfields blog walks through four regulatory areas of interest — including FCPA compliance, newly designated terrorist organizations, DEI policies and tariffs. The blog then shares some actionable steps compliance professionals should consider to enhance their companies’ compliance programs in light of current federal regulatory priorities.
Here they are:
– Conduct ongoing assessments of legal and compliance risks to business operations in light of these new enforcement priorities, so that corporations may deploy compliance resources appropriately, particularly where there may be differences in applicable laws, policies and enforcement priorities across different jurisdictions relevant to multinational corporations (e.g., with regard to anti-bribery and corruption, DEI, and international trade and sanctions).
– Evaluate existing due diligence processes and KYC protocols, and whether any such processes should be amended to reflect evolving priorities, including for instance:
enhancing due diligence of vendors, suppliers, and other third party intermediaries in Mexico and other Latin American countries to address potential exposure to sanctioned parties including newly designated terrorist organizations; and
reviewing global supply chain due diligence and monitoring processes, particularly relating to suppliers located in jurisdictions that have been targeted by recently announced tariffs.
– Enhance compliance policies and trainings for relevant employees in jurisdictions or business functions potentially subject to increased risk, such as by providing specific training for identifying and mitigating potential risks associated with conducting business operations in Latin American countries and along trade routes where recently designated terrorist organizations (cartels and transnational criminal groups) are perceived to be embedded in the local economies.
– Update compliance hotlines and internal communication pathways so that relevant stakeholders may raise any concerns, and legal and compliance teams may promptly and appropriately triage, investigate, and address such matters.
We’ve been posting tons of memos in our “Regulatory Reform” Practice Area on TheCorporateCounsel.net. Also, be sure to check out our “Compliance Programs” Practice Area.
On Monday at the Investment Company Institute’s 2025 Investment Management Conference, Acting SEC Chair Mark Uyeda shared his thoughts on what a “robust and informed rulemaking process” should look like. He notes that one of his objectives is to “set forth a blueprint for restoring the Commission’s rulemaking processes to the ‘gold standard’ among regulatory agencies,” noting “the Commission should act like a super-sized freighter, not a speed boat.”
Here are some practices he promotes in his remarks:
– Restore historical comment periods — i.e., a 60-day minimum and even 90 days for more complex rulemakings.
– Avoid over-broad or dense rulemaking proposals. When rulemaking tackles too many topics, commentators may focus on one area and other aspects of the rule may get adopted with little public input.
– Re-propose rules or re-open the comment file, which may be appropriate to take into account issues commenters raised in iterating on the prior rule proposal, to respond to changed conditions or when significant time has passed since the original proposal.
– Identify the rule’s purpose and the problem it’s trying to solve upfront.
– Provide additional means for obtaining feedback to help shape proposals — including public roundtables, requests for information, concept releases, advance notices of proposed rulemaking and investor testing.
– Improve the Commission’s analysis of rules’ economic impacts by ensuring cost estimates are as up-to-date as possible and considering the impact on small entities.
– Respect the limits of the Commission’s statutory authority.
With respect to that last point, Acting Chair Uyeda notes, “We must be clear-eyed about how existing proposals fare under this rubric.” He notes that the Staff is considering withdrawing proposals, pausing recently-adopted rules or extending or delaying compliance dates — although the rules cited relate to the Division of Investment Management.
I think it’s safe to say that Item 1.05 cyber incident Form 8-Ks have evolved during the last 15 months or so — particularly following the May 2024 Corp Fin statement regarding voluntary disclosure of an immaterial incident or early disclosure while a materiality determination is still being made. This Debevoise alert shares some granular statistics from the 26 companies (as of February 11) that had reported a cybersecurity incident under Item 1.05 since the effective date of the newly required 8-K disclosure. For example, there was a notable shift to Item 8.01 after the Corp Fin Statement — with 28 companies using Item 8.01 thereafter.
Here are some other key stats from the article:
– The average time between detection and disclosure has been 7.88 business days, and the median length has been 4.5 business days. Nearly half have filed within 4 business days of detecting the cybersecurity incident. (Reminder that the disclosure is required within 4 business days of determining that the incident is material — not the initial detection.)
– 65% of companies disclosed an operational disruption related to the incident (which may be more readily identifiable in early stages compared to financial or more qualitative (like reputational) impacts). For 14 of those companies, the operational impacts were caused, at least in part, by remediation or mitigation efforts.
– 77% of companies disclosed that the incident resulted in access to or exfiltration of data (e.g., client or customer data, or information contained within corporate email accounts). Of those, 6 disclosed the nature of the exfiltrated data or targeted information in the initial Form 8-K and 9 disclosed this information in an amendment.
– 23% of companies identified the threat actor by name or nature.
– No companies disclosed payment of a ransom.
– 50% of companies filed 8-K amendments (required by the rule to the extent any required information is not determined or unavailable at the time of the initial filing).
– Those amendments disclosed “remediation of the relevant cybersecurity incident, details regarding the impact of the incident (including the material or immaterial nature of certain impacts), further actions taken by the threat actor and details regarding the nature of the incident.”
– Three companies initially disclosed cybersecurity incidents on Item 8.01 (all following the Corp Fin statement) before subsequently filing on Item 1.05.
According to the December 2024 Semi-Annual Report to Congress Regarding Public and Internal Use of Machine-Readable Data for Corporate Disclosures, there are currently 55 forms, schedules and statements containing disclosures required under Securities Act Section 7 and Exchange Act Section 13 or 14 and approximately 75% of those require some machine-readable data. Compliance with all of these tagging requirements — like the new insider trading policy disclosure required by Item 408(b) of Regulation S-K and cybersecurity disclosures required Item 106 of Regulation S-K (which just became subject to Inline XBRL tagging requirements after a one-year phase in) — is important because missing them has consequences.
We’ve posted a new checklist to assist you in this effort. Our “Checklist: Corporate Disclosures Tagged in Inline XBRL” includes the list of corporate disclosures required to be tagged in Inline XBRL identified on an individual form, schedule and statement basis — pulled from the appendix to the SEC’s Semi-Annual Report to Congress. Pulling this existing list as a form-check tool was a no-brainer, but we’ll endeavor to pull our weight around here and update this more often than semi-annually.
The FactSet team reviewed S&P 500 earnings calls from December 15 through March 14 to look for comments on AI. In those fourth-quarter earnings calls, 241 S&P 500 companies cited AI. To give context to this number, this FactSet article gives these comparator stats:
– This is the highest number over the past 10 years
– The 5-year average is 105 and 10-year average is 67
– The previous record over the past 10 years was 212
– This is the fourth straight quarter in which more than 200 S&P 500 companies cited “AI” on earnings calls
As Liz recently shared, “When it comes to AI-related opportunities, ‘anything you say can and will be held against you.’” And AI is certainly still an area of focus for the SEC. For example:
– The SEC recently announced the formation of a new Cyber and Emerging Technologies Unit to “root out those seeking to misuse innovation to harm investors and diminish confidence in new technologies”
– In January, the SEC (while still under Chair Gensler) announced what seems to be the first “AI washing” case against a public company
While we continue to cover SEC compliance and board governance issues associated with AI on this blog and in our “Artificial Intelligence” Practice Area on TheCorporateCounsel.net, we know that many of our members are not just dealing with board-level issues like these but also with more granular aspects of the AI & EmTech risk management and compliance process. On our new “AI Counsel” blog, John and Zachary are highlighting useful resources and sharing guidance on best practices for front-line risk management and compliance professionals who are dealing with the challenges of artificial intelligence, cyber, and other emerging technologies.
The blogs run Monday through Thursday of each week. You can subscribe to get free blog notifications in your inbox! The site also includes a “blog roll” featuring blogs and resource pages that they think readers will find useful. John and Zachary encourage readers to reach out with blog topics and suggestions.