SEC enforcement initiatives can take the form of targeting specific executives at issuers for violations of the securities laws. In this first of a two-part series addressing hazards for CFOs, the authors discuss the circumstances of CFOs found to be “control persons,” who can be legally responsible for material misstatements or omissions in the financial statements even if they are unaware of them.


Successful CFOs need a broad set of skills, including experience in general management, strategy, corporate development, and international operations. With these myriad responsibilities, CFOs face increased hazards, especially given the SEC’s increased scrutiny of their positions as “control persons,” that is, individuals with the power to direct corporate management or policies or to compel an issuer to file a registration statement under the Securities Act of 1933. Fortunately, CFOs can avoid both control person liability and internal control liability if they are able to prove that they instituted and administered internal controls with due care.

The Nature of Control Person Liability

The control person liability of a CFO is similar to that of a CPA in public practice. If either knowingly makes a materially false statement (e.g., a false audit report, a false financial statement, or a false certification filed with the SEC), they can be liable for fraud under section 10(b) of the Securities Exchange Act of 1934 and SEC Rule 10b-5, the most commonly invoked rules against securities fraud. There is, however, an important difference between CPAs and CFOs in federal civil securities fraud cases: An auditor who fails to discover a corporate client’s financial statement fraud will usually not be liable to the corporation’s stockholders or the SEC unless the auditor knew of the fraud and turned a blind eye. As control persons, however, CFOs can be held legally responsible even if they made no statement of their own (e.g., if another officer or the corporation made a finance-related misstatement, knowing it to be false), or even if they were unaware of the falsity of their own misstatement.

Both private investors and the SEC may file fraud complaints—in contrast to section 13(b) cases, which may only be filed by the SEC. In a Rule 10b-5 action, private litigants such as stockholders may seek recovery of monetary damages to compensate their loss, such as the amount they overpaid for their shares because of the financial statement fraud.

The SEC may also civilly enforce Rule 10b-5. It may sue in federal district court for an injunction to prohibit someone from serving as an officer or director of a publicly traded company or to seek a civil monetary penalty. The SEC may also, in its own administrative proceeding, assess monetary penalties, order disgorgement of ill-gotten gains, enter cease-and-desist orders, and prohibit persons from service as an officer or director of a publicly traded company (Exchange Act sections 21B, 21C, 21D).

Two provisions of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 enhanced the SEC’s ability to bring such cases against control persons. One provision confirmed the SEC’s ability to bring control person cases, which some courts had doubted, while another gave the SEC increased nationwide subpoena power.

Section 20(a) of the Exchange Act provides that “every person who, directly or indirectly, controls any person liable under any provision of this chapter or of any rule or regulation thereunder shall also be liable jointly and severally with and to the same extent as such controlled person to any person to whom such controlled person is liable (including to the Commission …), unless the controlling person acted in good faith and did not directly or indirectly induce the act or acts constituting the violation or cause of action.” A plaintiff must prove at least two things: 1) that a primary securities law violation was committed by another, and 2) that the executive charged with control person liability had control over the primary violator (Brianna L. Gates, “The SEC on a Forum Shopping Spree: SEC Enforcement Power and Control Person Liability After Dodd–Frank,” Iowa Law Review, vol. 99, p. 393, 2013). Financial statement fraud committed by the CFO’s colleagues or by the corporation itself would count as a primary violation.

The CFO as a Control Person and Cases of Related Liability

In several cases, the courts have deemed the CFO to be a control person. Three such cases have been brought under Rule 10b-5, and one under the Foreign Corrupt Practices Act of 1977 (FCPA) for violations related to internal control provisions. Adams v. Kinder-Morgan [340 F.3d 1083 (10th Cir. 2003)] was a stockholder class action lawsuit alleging that the financial statements in Kinder-Morgan’s Form 10-Q and Form 10-K filings were false because they contained GAAP violations that overstated income. The plaintiffs alleged securities fraud by the corporation and a control person claim against the CFO. Regarding the control person claim, the court held the CFO to be a control person: “The claims of securities fraud relate specifically to official reports of the company’s financial performance. As Kinder-Morgan’s chief financial officer, it is reasonable to infer that McKenzie [the CFO] had at least indirect control over KM’s financial reporting.”

In re Thornburg Mortgage Inc. Securities Litigation [824 F. Supp. 2d 1214 (D. N.M. 2011)] was a stockholder securities fraud action in which false statements were alleged to have been made by the CEO in a Form 8-K filing and otherwise. The CFO was held to be a control person with respect to the form’s statement of the company’s financial performance. In a parallel SEC enforcement action [SEC v. Goldstone, 952 F. Supp. 2d 1060 (D. N.M. 2013)], the CFO was similarly found to be a control person with regard to misstatements made in the 2007 Form 10-K.

Most recently, Masterson v. Commonwealth Bankshares [2014 U.S. Dist. Lexis 30797 (E.D. Va. 2014)] involved alleged misrepresentations in several Form 10-Qs, Form 10-Ks and Sarbanes-Oxley Act of 2002 (SOX) certifications. The CFO signed these documents, but she was not alleged to be aware of their falsity. Her signature, though, established her control over the violation and her potential liability as a control person for securities fraud.

In re Nature’s Sunshine Products (NSP) [486 F. Supp. 2d 1301 (D. Utah 2007)], the FCPA case, was also a stockholder class action suit alleging securities fraud. The false statements were allegedly made by the corporation’s CEO, who stated in his 2005 SOX certifications that he knew of no fraud involving management. In fact, certain alleged payments made by the corporation and known to the CEO violated the FCPA. Allegedly false reassurances regarding the corporation’s finances were repeated in a press release and in a Form 8-K. The CFO was also sued. “Plaintiffs assert that [the CFO] exercised control over the alleged misrepresentations and exerted control and influence over the day-to-day operations of NSP. Plaintiffs assert that [the CFO] was responsible for accounting and financial reporting, signed all of the 2005 SOX certifications at issue, and issued, with [the CEO], the false and misleading reassurances that the financial statements were accurate.” There was no allegation that the CFO was aware of the payments or of the falsity of the statements, and the court ruled that “as CFO responsible for the financial reporting which is the subject matter of the alleged primary violation, [he] is a control person.” Given that, and that only one case of control person liability under the FCPA (enacted in 1977) seems to exist, it would seem unlikely that a CFO is in grave jeopardy on these grounds. Nevertheless, CFO complacency in an era of stepped-up SEC enforcement would be inadvisable.

That same CFO was also sued as a control person by the SEC in a parallel enforcement action [SEC v. Nature’s Sunshine Products, Inc., Douglas Faggioli and Craig D. Huff, Case No. 09CV672 (D. Utah, filed July 31, 2009)]. NSP’s books accounted for alleged bribe payments as though they were legitimate expenses, and its Form 10-K did not disclose the payments. The SEC alleged that the CFO was a control person and that he “failed to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions were recorded as necessary to permit preparation of financial statements in conformity with generally accepted accounting principles.” The CFO agreed to pay the SEC a civil penalty of $25,000.

The above cases clearly demonstrate that CFOs can be found to be control persons. It is worth mentioning at least one contrary decision, in New Jersey v. Sprint Corp. [314 F. Supp. 2d 1119 (D. Kan. 2004)], wherein a CFO did not face control-person liability because the alleged misstatements made in the SEC filings had nothing to do with financial reporting and instead concerned the departure from the corporation of the CEO and COO.

Culpable Participation?

In the Second and Third Circuits, which include Connecticut, Delaware, New Jersey, New York, Pennsylvania, and Vermont, a plaintiff must prove three things: 1) that there was a primary violation, 2) that the primary violator was controlled by the defendant, and 3) that the defendant was in some meaningful sense a culpable participant in the primary violation. The logic of the New Jersey district court in Lautenberg Foundation v. Peter Madoff [2009 U.S. Dist. Lexis 82084, *43 (D. N.J. 2009)], which considered a control person claim against the Chief Compliance Officer and General Counsel of Bernard Madoff Investment Securities (BMIS), is instructive here:

Inaction that intentionally furthers the fraud committed by the controlled person or entity or prevents its discovery establishes the controlling person’s culpable participation in the fraud. While mere inaction is not enough to rise to culpable participation, this Complaint pleads more than that. Peter Madoff was charged with the responsibility and authority to run BMIS in accordance with the law. Assuming the truth of the allegations, his reckless failure to detect the fraud through enforcement of a reasonably adequate system of internal controls establishes his participation in the fraud for purposes of the Section 20(a) claim.

The Good Faith Defense

The Exchange Act expressly provides an affirmative defense if the control person acted in “good faith” by taking precautionary measures to prevent the controlled party from causing injury to someone else. This usually requires that the control person diligently maintain an adequate system of internal controls [see Carpenter v. Harris, Upham & Co., Inc., 594 F.2d 388, 394 (4th Cir. 1979)]. The burden of proof is on CFOs to establish that they did not act recklessly in inducing the fraud, either by their action or their inaction [see G.A. Thompson & Co., v. Partridge, 636 F.2d 945, 960 (5th Cir. 1981)].

To conduct themselves in such good faith, CFOs must be able to show that they exercised due care in their supervision of the preparation of the firm’s financial reports by enforcing a reasonable system of supervision and internal control [see SEC v. First Jersey Securities, 101 F.3d 1450, 1473 (2d Cir. 1996)]. In-house compliance programs must be in place, as well as documented systems of supervision, and they must be working and effective. CFOs should keep an eye out for signs that something may be amiss and not disregard them; red flags must be chased down [see Harrison v. Dean Witter, 79 F.3d 609, 615 (7th Cir. 1996)]. CFOs are also part of creating a firm’s culture and must establish a tone at the top, making it clear that misconduct concerning the firm’s financial statements will not be tolerated. Finally, CFOs must take care that the systems of supervision and internal control comply with and satisfy the SEC’s internal control rules. These rules, and the perils of running afoul of them, are discussed in the second part of this series.

Craig P. Ehrlich, JD is an associate professor of law at Babson College, Babson Park, Mass.
Joanne D. Williams, PhD, CPA is an associate professor of accounting, also at Babson College.