
SOX and Beyond

By: KAREN L. GRANDSTRAND

March 2004

The Sarbanes-Oxley Act of 2002 (SOX) was passed by Congress following several widely-publicized financial scandals. While SOX applies only to public companies and not to nonpublic community banks, it is important to have a basic understanding of SOX to understand current corporate governance issues for community banks.

Overview of Some Key SOX Provisions

In general, SOX addresses audits, financial reporting and disclosure, conflicts of interest and corporate governance.

With respect to audits, SOX requires a company’s audit committee to be composed of independent directors. The committee is responsible for appointing and compensating the outside auditor, overseeing the auditor’s work, and establishing procedures for handling complaints regarding accounting practices. The committee also has the authority to retain and compensate independent counsel and other advisers.

Financial disclosure and reporting obligations include additional SEC disclosure rules, CEO and CFO certification of financial information (the “Section 302 Certification”), and a requirement that management assess the company’s internal controls (the so-called “Section 404 Report”).

Other significant provisions in SOX include restrictions on loans to executive officers, accelerated timeframes for insiders to disclose purchases or sales, and executive compensation reimbursement if financials are restated. Also, a public company must disclose whether it has a code of ethics and if not, why not, and whether the audit committee includes a “financial expert.” Significantly, all public company accounting firms must register with a new Public Company Accounting Oversight Board and comply with expanded independence rules.

SOX Regulations Applicable to Nonpublic Banking Organizations

As noted earlier, SOX expressly applies only to public companies. However, this does not mean that nonpublic financial institutions can ignore SOX. As of February 6, 2004, the federal banking agencies have issued several regulatory pronouncements directed at nonpublic entities as a result of SOX: (i) Corporate Governance, Audits, and Reporting Requirements (FDIC, FIL-17-2003, March 5, 2003); (ii) Interagency Policy Statement on the Internal Audit Function and Its Outsourcing (Federal Reserve, FDIC, OCC and OTS, March 17, 2003); (iii) Statement on Application of Recent Corporate Governance Initiatives to Nonpublic Banking Organizations (Federal Reserve, OCC and OTS, May 5, 2003); and (iv) Final Rule on Removal, Suspension, and Debarment of Accountants from Performing Audit Services (Federal Reserve, FDIC, OCC and OTS, August 13, 2003).

SOX Regulations: Banks with Assets of $500 Million or More

Public and nonpublic banks with assets of $500 million or more are subject to the annual audit and reporting requirements of Section 36 of the FDI Act as implemented by Part 363 of the FDIC’s regulations. Section 36 and Part 363 impose

  • annual auditing and attestation;
  • an annual management report, which includes a statement on management’s responsibility for preparing annual financial statements, adequate internal controls, and compliance with laws and regulations, and management’s assessment of the effectiveness of internal controls and compliance; and
  • audit committee requirements.

Further, the FDIC’s Part 363 rules incorporate the SEC’s auditor independence rules.

SOX has several implications for nonpublic and public banks subject to Section 36. First, the auditor independence requirements under Sections 201, 202, 203 and 206 of Title II of SOX apply. These sections contain restrictions on non-audit services, require the audit committee to preapprove services, and require audit partner rotation. Second, the banking agencies have indicated that the SOX Section 302 certification cannot be used in place of the required Section 36 management report. Third, the SOX Section 404 Report does not replace the Section 36 Report even though there is considerable overlap between the two.

Banks under $500 Million

The FDIC issued guidance in March 2003 explaining how SOX applies to banks under $500 million. The Fed, OCC and OTS issued separate guidance in May 2003. While the two issuances are similar, they are not identical.

The FDIC guidance encourages banks under $500 million to follow the SOX provisions. For example, it “encourages”

  • prohibiting the external auditor from also providing internal audit outsourcing services,
  • the audit committee to preapprove audit services,
  • incorporation of audit partner rotation and reporting practices in auditor engagement letters, and
  • adoption of a code of ethics.

It strongly encourages compliance with Section 303, which prohibits management from improperly influencing audits. The FDIC, however, “does not expect” a bank to disclose whether it has a financial expert on its audit committee.

The Fed, OCC and OTS guidance explains that the existing regulations encourage corporate governance and auditing practices similar to SOX. Existing regulations encourage annual audits by independent public accountants, audit committees that are independent of management, and the use of different firms for external and internal audit. In addition, Call Reports are certified, prepared in accordance with GAAP and disclose off-balance sheet assets. Further, Regulation O controls credit to insiders. Thus, these agencies concluded no new rules for banks under $500 million are needed, but stated that banking organizations are encouraged to “periodically review their policies and procedures relating to corporate governance and auditing matters.”

Effect on Supervision

While the guidance issued by the Fed, OCC and OTS states that no new rules are in place, SOX has changed how the agencies supervise banks – expectations are higher. For example, Federal Reserve Governor Bies has said in her numerous corporate governance speeches: “Simply stated, the current status quo for corporate governance is unacceptable and must change.” The new expectations vary by bank and by regulator. For banks under $100 million with normal growth, no expansion into new markets or new products, and no financial or compliance problems, supervision is much as it has been. Supervision is different, however, for banks

  • experiencing higher growth, particularly growth in new branch markets or in commercial loans;
  • that have grown so that they are now at or over $100 million; or
  • with credit or compliance problems.

For these banks, the regulators are focusing on the composition of the board (whether it is controlled by management, insiders or outside directors), the board’s committee structure (whether the bank has loan, audit, asset/liability and investment committees), and the amount of information provided to the board and the board’s oversight (as reflected in minutes, etc.).

The Future

Going forward, we will likely see more regulation in this area, and perhaps not only at the federal level. Alabama has proposed new minimum audit standards for Alabama state-chartered banks. Increasingly, regulators, bank stock lenders, and investors will focus on corporate governance issues – the qualification of board members, the board’s independence from management, ethics policies, and audit committees. And, as directors (particularly outside directors) are asked to do more, banks will need to address issues of compensation.