Last week, the Criminal Division of the DOJ announced a number of updates to its Evaluation of Corporate Compliance Programs guidance, including updates addressing risks related to emerging technology such as artificial intelligence, whistleblowers and the DOJ’s use of data analytics. As this Alston & Bird alert notes, the most significant changes to the guidance relate to the following three areas:
Emerging technology
Recognizing the rapid development and deployment of new technologies such as artificial intelligence (AI) by companies in a wide variety of industries, the updated ECCP instructs prosecutors to consider what “new and emerging technology” companies are using in conducting their business, whether (and how) companies have assessed the risk of such technology (e.g., how it could impact a company’s ability to comply with the law), and what companies have done “to mitigate any risk associated with” such technology.
The ECCP then includes a litany of potential follow-up questions for prosecutors to ask, such as: What governance structures has the company put in place for the use of new technologies such as AI in its commercial business, and what controls exist to ensure the technologies are only used for their intended purpose? What other steps has the company taken to curb any unintended negative consequences from the use of AI? If a company’s compliance program uses AI, what controls are in place “to monitor and ensure its trustworthiness, reliability, and use in compliance with applicable law”? How is the company training its employees on the use of AI and other emerging technologies?
In her speech, Argentieri cited as an example of the risk posed by emerging technology “whether the company is vulnerable to criminal schemes enabled by new technology, such as false approvals and documentation generated by AI.” In these AI-related updates to the ECCP, as elsewhere, the DOJ signals that it will inquire about these topics but does not prescribe specific one-size-fits-all measures companies must take. Rather, companies are generally expected to monitor and test their technology “to evaluate if it is functioning as intended and consistent with the company’s code of conduct.”
Whistleblower incentives and protection
The updated ECCP instructs prosecutors to consider the extent to which companies “encourage and incentivize” reporting of misconduct (or conversely, the extent to which companies “use practices that tend to chill such reporting”) as well as companies’ “commitment to whistleblower protection and anti-retaliation,” as demonstrated by how they actually treat employees who report misconduct. These additions are unsurprising, given the raft of policies issued by various components of the DOJ in recent months that are designed to incentivize – through monetary rewards or immunity – reporting of corporate wrongdoing by individuals (analyzed in prior Alston & Bird advisories, including here and here).
Use of data
Senior DOJ personnel have for several years emphasized the importance of companies deploying data analytics as part of effective compliance programs, and this emphasis is echoed in the updated ECCP, which instructs prosecutors to consider whether compliance personnel have access to relevant sources of data and how effectively companies are using data analytics in assessing the effectiveness of their compliance programs, as well as in their management of third-party relationships.
This Debevoise alert also observes: “The updated ECCP’s greatest impact likely will be on how companies tailor their compliance programs to address new technologies, particularly the expectation that companies will have “conducted a risk assessment regarding the use of [AI] . . . and . . . taken appropriate steps to mitigate any risk associated with the use of that technology.”
Lawrence Heim notes over the PracticalESG.com blog that California Governor Gavin Newsom has signed the climate disclosure amendments that I mentioned at the beginning of last month. The blog notes:
Governor Newsom signed SB219, modifying the state’s recent climate disclosure laws (SB253 – the Climate Corporate Data Accountability Act – and SB261 – Climate-Related Financial Risk Reporting). These amendments are more administrative than substantive.
Major elements of the amendments include:
– The state board has until July 1, 2025 to adopt regulations implementing SB253. This is a mere 6 month extension from the original January 1, 2025 deadline and the original dates for company reporting remain intact (2026 or by a date to be determined by the state board, for Scopes 1 and 2, and 2027 for Scope 3) as did the dates for assurance (limited assurance for scopes 1 and 2 starting 2026). The annual disclosures can be made to either the emissions reporting organization or the state board, and scope 3 emissions are to be reported on a schedule specified by the state board, rather than no later than 180 days after its scope 1 emissions and scope 2 emissions are publicly disclosed.
– Climate-related financial risk reporting (SB261) is still required on or before January 1, 2026, and biennially thereafter.
– Reports under both laws may be consolidated at the parent company level and the annual fee is no longer required to be paid upon filing the disclosure.
– The amendments authorize, rather than require, the state board to contract with an emissions reporting organization under both SB253 and SB261 to develop a reporting program to receive and make required disclosures publicly available and carry out duties that the state board deems appropriate.
Of course, the original laws are still being challenged in court. These amendments are unlikely to alter the trajectory of the court challenges since they don’t address the issues at the heart of the case. Plaintiffs argue the laws compel non-commercial speech in violation of the First Amendment, are precluded by the Clean Air Act, and run afoul of the Dormant Commerce Clause. That litigation is ongoing and we will provide updates as it develops.
If you do not already have access to all of the great content available on PracticalESG.com, I encourage you to sign up today!
A couple weeks ago, I was at an event and was reminiscing with a fellow attendee about the days of yore when SEC filings were submitted in paper. I recounted how the surly clerk would lock the door to the SEC filing desk at precisely 5:30 pm, much to the chagrin of the poor law firm associate who had just come running down 5th Street to submit a critical filing. While this daily drama was entertaining to a new SEC Staffer such as myself, it was certainly an inefficient way for important documents to be filed with the SEC, particularly when filings under the securities laws are often time sensitive.
Fortunately for all of the law firm associates of the world, EDGAR came along, and while we all have our own individual hangups about EDGAR’s quirks, it sure is better than the alternative. Now, the Commission is taking EDGAR to the Next level. Last Friday, over forty years after the SEC received its first electronic filing in the initial EDGAR pilot on September 24, 1984, the SEC announced the adoption of rule and form amendments intended to enhance the security of the EDGAR system and improve filers’ access and account management capabilities. The fact sheet for this rulemaking notes:
EDGAR is the system through which filings are submitted to the Commission under the federal securities laws. EDGAR historically has assigned each EDGAR filer a set of access codes that may be used by different individuals to make submissions on the filer’s behalf. The legacy EDGAR system does not employ multifactor authentication, a foundational security tool. The purpose of EDGAR Next is to enhance the security of EDGAR by requiring individual account credentials to log into EDGAR, allowing identification of the person making each submission, and to employ multifactor authentication. Filers will also be required to authorize individuals to manage their EDGAR accounts on a dashboard on the EDGAR system, which will further enhance account security, facilitate the filing process, and make account management easier and more efficient. Moreover, as part of the EDGAR Next changes, optional Application Programming Interfaces (APIs) will be added to allow filers to make submissions, retrieve information, and perform account management tasks on a machine-to-machine basis. The optional APIs will enhance the efficiency and speed of many filers’ interactions with EDGAR.
The rule and form amendments will become effective March 24, 2025. The compliance date for amended Form ID is March 24, 2025, and the compliance date for all other rule and form amendments is September 15, 2025.
For those who can’t wait to try out EDGAR Next, the press release announcing the rule changes notes:
On Sept. 30, 2024, the SEC will open for filer testing and feedback a beta software environment that will reflect the adopted rule and form amendments and the related technical changes. Information about signing up for beta testing and extensive additional information about the rule adoption and related technical changes can be found on the SEC website: EDGAR Next – Improving Filer Access and Account Management.
As with all things EDGAR, once the rulemaking is done, the hard work of implementing the changes begins, which will play out over a fifteen month-long process. Let’s hope we end up with a more secure, less hackable EDGAR on the other side.
Our hearts go out to all who have been impacted by Hurricane Helene. The devastation and loss of life has been heartbreaking to watch over the past five days. On the other hand, it is always uplifting to observe the response to such a terrible tragedy, as local, state and Federal resources work with individuals and private organizations to provide aid where it is needed most.
On Friday, the SEC announced that it is closely monitoring the impact of Hurricane Helene on investors and capital markets. The announcement notes:
The SEC divisions and offices that oversee companies, accountants, investment advisers, mutual funds, brokerage firms, transfer agents, and other regulated entities and investment professionals will continue to closely track developments. They will evaluate the possibility of granting relief from filing deadlines and other regulatory requirements for those affected by the storm. Entities and investment professionals affected by Hurricane Helene are encouraged to contact SEC staff with questions and concerns:
• Division of Examinations staff in the SEC’s Miami Regional Office can be reached by phone at 305-982-6300 or email at miami@sec.gov
• Division of Examinations staff in the SEC’s Atlanta Regional Office can be reached by phone at 404-842-7600 or email at atlanta@sec.gov
• Division of Corporation Finance staff can be reached by phone at 202-551-3500 or via online submission at www.sec.gov/forms/corp_fin_interpretive
• Division of Investment Management staff can be reached by phone at 202-551-6825 or email at imocc@sec.gov
• Division of Trading and Markets staff can be reached by phone at 202-551-5777 or email at tradingandmarkets@sec.gov
• Office of Municipal Securities staff can be reached by phone at 202-551-5680 or email at munis@sec.gov
Individuals experiencing problems accessing their securities accounts or with similar questions or concerns relating to the hurricane are encouraged to contact the SEC’s Office of Investor Education and Advocacy by phone at 1-800-SEC-0330 or email at help@sec.gov.
Investors should be vigilant for Hurricane Helene-related securities scams and check the background of anyone offering them an investment by using the free and simple search tool on Investor.gov. The SEC’s Division of Enforcement will vigorously prosecute those who attempt to defraud victims of the storm. The SEC is asking investors to report any suspicious solicitations at www.sec.gov/complaint/tipscomplaint.shtml.
I note that one of my proudest moments while serving at the SEC was working on the SEC’s response to Hurricane Katrina in August 2005. I fondly recall sitting in Marty Dunn’s office for hours coming up with ways in which Corp Fin could provide relief to public companies that were impacted by the storm. I can still hear Marty exclaiming “We just made this up!” as he looked at his legal pad where he had scratched out the proposed relief efforts. Our work culminated in a Commission exemptive order and Staff guidance for affected companies. That Hurricane Katrina relief effort served as model for future disasters, including the COVID-19 pandemic. It definitely felt good to help out in some way in the face of a such a historic weather-related event.
The SEC recently posted a notice & request for comment for a proposed NYSE rule change that would amend the listing standards in the NYSE Listed Company Manual to “provide additional emphasis of the existing relationship between the domestic and international listing standards as already articulated in Section 103.00.” The NYSE notes in its submission:
Notwithstanding the existence of separate listing standards for foreign private issuers, Section 103.00 of the Manual provides that foreign private issuers may list their common equity securities either under the quantitative standards for foreign private issuers set forth in Section 103.01 or the Exchange’s domestic listing criteria set forth in Section 102.01. As stated in Section 103.00, the foreign private issuer must meet all of the criteria within the standards under which it qualifies for listing, but is not required to meet the requirements of both of those sections in order for its common equity securities to qualify for listing. 4 Section 103.00 (“Foreign Private Issuers”) provides that, for purposes of the Manual, the terms “foreign private issuer” and “non-U.S. company” have the same meaning and are defined in accordance with the SEC’s definition of foreign private issuer set out in Rule 3b-4(c) of the Securities Exchange Act of 1934.
It has been the Exchange’s experience in recent years that almost all foreign private issuer applicants whose common equity securities qualify for listing on the Exchange do so by meeting the domestic listing requirements of Section 102.01. However, the Exchange has become aware that there is a certain level of confusion in the marketplace about how to understand the listing standards as they apply to foreign private issuer applicants. To provide greater clarity as to how the domestic and international listing standards relate to each other with regard to the listing of common equity securities, the Exchange proposes to adopt proposed new Section 101.01 (“Domestic and Foreign Private Issuer Quantitative Listing Standards”).
As proposed, Section 101.01 would read as follows:
“101.01 Domestic and Foreign Private Issuer Quantitative Listing Standards Section 102.01 (“Minimum Numerical Standards—Domestic Companies—Equity Listings”) sets forth the minimum quantitative standards for the listing of common equity securities of domestic companies. In addition, the Exchange also lists applicants that are foreign private issuers (as defined in Section 103.00 (“Foreign Private Issuers”)) under Section 102.01 where such applicants are qualified for listing thereunder. However, if a foreign private issuer applicant does not meet all of the requirements for the listing of common equity securities applicable to domestic issuers under Section 102.01, the Exchange will determine whether such foreign private issuer qualifies for listing under the quantitative standards for common equity securities set forth in Section 103.01 (“Minimum Numerical Standards Non-U.S. Companies Equity Listings”). It is important to note that a foreign private issuer applicant must meet all of the requirements for common equity securities of either Section 102.01 or Section 103.01 in their 4 entirety but is not required to meet the requirements of both of Section 102.01 and Section 103.01 in order to qualify for listing. Foreign private issuers that list under either Section 102.01 or Section 103.01 will be subject to Section 103.00 and all of the subsections thereunder (except that foreign private issuers that list under Section 102.01 are not required to comply with Section 103.01), including Sections 103.02 (“Securities Exchange Act of 1934”), 103.03 (“Sponsorship by an Exchange Member Firm”) and 103.04 (“Sponsored American Depository Receipts or Shares (‘ADRs’)”). All listed foreign private issuers must also comply with the applicable corporate governance requirements set forth in Section 303A hereof.”
The NYSE also proposes to amend Section 103.00 to include a cross-reference to proposed Section 101.01, to make certain non-substantive changes and to revise the language of Section 103.00 to conform to proposed Section 101.01. The NYSE notes that the proposed amendments would not make any substantive change to the initial listing standards, rather these changes are just emphasizing of the existing relationship between the domestic and international listing standards as specified in Section 103.00 of the listing standards.
In case you missed it in the avalanche of news last week, Congress actually did its job and passed a continuing resolution on September 25 to keep the Federal government open through mid-December. As this White House statement notes, this measure gives Congress additional time to hopefully pass full-year funding bills by the end of the year.
I was busy dusting off my government shutdown blogs early last week, in anticipation that no bipartisan solution could possibly be reached prior to the end of the government’s fiscal year. I was pleasantly surprised to see our lawmakers in action, kicking the can down the road for two and a half months. I can only imagine what sort of dystopian political nightmare we will be struggling though in mid-December, given all of the post-election uncertainty that hangs in the air. It is certainly possible that I might be dusting off those government shutdown blogs again before this year is out!
I must admit that I am not the world’s biggest Green Day fan, but this time of year I can’t help but sing to myself the outstanding Green Day ballad “Wake Me Up When September Ends.” The lyrics are particularly poignant for me this year, because my father passed away about a month and a half ago, and the song was written by Green Day frontman Billie Joe Armstrong to recount the death of his father in September 1982 and his life in grief after that. The end of Summer and the beginning of Autumn are usually my favorite time of year, but it definitely hits different this year, just as in the Green Day ballad.
The start of the SEC’s new fiscal year tomorrow means there are a few reminders that I should mention. As John noted back in August, the SEC issued a fee rate advisory for the fiscal 2025, indicating that filing fees were increasing for the third straight year. For fiscal 2025, the SEC indicated that the fees for transactional filings will increase from $147.60 per million dollars to $153.10 per million dollars, effective tomorrow. As John pointed out, that represents a 3.7% increase over fiscal 2024, but it is much less than the 34% fee increase that we experienced in fiscal 2024 and the 19% increase for fiscal 2023. If you are filing a Securities Act registration statement tomorrow, be sure to update the wiring instructions that you send to the client and the filing fee exhibit to calculate the filing fee using the new rate. If you do not have sufficient funds when the filing is submitted via EDGAR, the filing will be suspended until the correct amount of filing fees are paid.
Further, as Liz noted earlier this month, accelerated Schedule 13G reporting deadlines go into effect today, and these new deadlines will affect all categories of investors that use Schedule 13G to report their greater-than-5% beneficial ownership in public company securities.
I would have included a link to “Wake Me Up When September Ends” as I usually do in the normal course, but, as this article from Rolling Stone notes, thousands of music videos were removed from YouTube this weekend after the publishing rights organization SESAC failed to reach an agreement with YouTube. A representative of YouTube indicates in the article that they are continuing to negotiate with SESAC and hope to reach a new deal soon. As a result, you will have to pull the song up yourself on Spotify or wherever else you get your music these days!
Turning the calendar page over to October brings it home for me that our 2024 Proxy Disclosure and the 21st Annual Executive Compensation Conferences in San Francisco are just two short weeks away! If you have been on the fence about attending, I encourage you to sign up today to take in all of the critical topics that will be addressed by our outstanding speakers. Remember that there is also a virtual option if you are not up for making the trip to San Francisco. I look forward to seeing you there!
Yesterday, the SEC announced a settled enforcement proceeding against DraftKings arising out of the use of its CEO’s social media accounts to disseminate material non-public information. This excerpt from the SEC’s press release announcing the proceeding lays out the factual background of the case:
The order finds that, on July 27, 2023, at 5:52 p.m., DraftKings’ public relations firm published a post on the personal X account of the DraftKings CEO. The post, according to the order, stated that the company continued to see “really strong growth” in states where it was already operating. DraftKings’ public relations firm posted a similar statement that same day on the CEO’s LinkedIn account. At the time of the posts, DraftKings had not yet disclosed its second quarter 2023 financial results, nor had it otherwise publicly disclosed certain information contained in the posts.
Shortly after the public relations firm published the posts, it removed both posts at the request of DraftKings. According to the order, even though Regulation FD required DraftKings to promptly disclose the information to all investors after it was selectively disclosed to some, DraftKings did not disclose the information to the public until seven days later when it announced its financial earnings for the second quarter of 2023.
The SEC’s cease and desist order says that publication of these social media posts violated the company’s social media and Reg FD policies, which prohibited the use of social networks to disseminate MNPI and barred the company’s authorized spokespersons from discussing financial or operational results or guidance during the pre-earnings release “quiet period” specified in its Reg FD policy.
In addition to consenting, on a neither admit nor deny basis, to an order to cease and desist from future violations of Section 13(a) of the Exchange Act and Regulation FD thereunder, the company agreed to pay a $200,000 civil penalty and comply with certain undertakings, including Reg FD training for employees who have corporate communications responsibilities.
Earlier this month, a divided SEC approved the PCAOB’s new audit quality control standard, QC 1000 – A Firm’s System of Quality Control. Over on The Audit Blog, Dan Goelzer has a recent post that says public companies are going to feel the impact of the new standard.
On the plus side, he suggests that audit quality may improve, and that audit committees may have more visibility into audit deficiencies and audit firm quality controls. Unfortunately, those benefits may be accompanied by some fairly significant costs, including higher audit fees and, as this excerpt explains, an increase in “CYA” behavior by auditors:
Auditing requires the exercise of judgment, and the line between permissible judgments that in hindsight appear flawed and auditing standard violations is not always clear. QC 1000 seems to assume that an audit deficiency identified by the PCAOB’s inspectors is evidence of a potential QC lapse. In turn, a QC breakdown potentially raises questions about whether the individuals responsible for the operation of the system properly performed their responsibilities.
As a result, firm leadership will have strong new personal incentives to avoid inspection deficiency findings. This could of course be viewed as one the benefits of QC 1000. But it could also create a dynamic under which auditing becomes more focused on the mechanics of compliance and documentation at the expense of a big-picture understanding of the company’s financial reporting risks and the exercise of judgment concerning how best to address those risks in the audit.
The blog also echoes concerns expressed by Commissioner Peirce that the compliance costs associated with the new standard may drive some audit firms out of the public company market, thus providing smaller public companies with fewer audit firms to choose from.
