Article Business Crimes Bulletin

How CEOs, CFOs Can Avoid Criminal Exposure Under Sarbanes-Oxley Certification Provisions

The Sarbanes-Oxley Act of 2002 is the most sweeping corporate reform enacted by Congress in 50 years.  In response to numerous highly publicized accounting scandals and failures of corporate controls, Sarbanes-Oxley changes the way publicly traded companies in the United States must do business.  Of particular interest to white collar defense counsel is  906 of the act, which requires CEOs and CFOs to certify financial information and periodic reports filed with the Securities and Exchange Commission, and imposes criminal penalties for "knowing" or "willful" violations. 

Obviously, CEOs and CFOs must understand the new risks and responsibilities imposed by these provisions.  Here are some of the most important things they should know.

What Must a CEO and CFO Certify Under  906?


Sec. 906 requires a "written statement by the CEO and CFO (or equivalent thereof) of the issuer.i] that the periodic report containing the financial statements fully complies with the requirements of section 13(a) or 15(d) of the Securities Exchange Act of 1934.and [ii] that information contained in the periodic report fairly presents, in all material respects, the financial condition and results of operations of the issuer."  (Emphasis added.)

Provision [ii] requires a certification that is broader than the typical outside auditor's report, which generally states that the company's financials are fairly presented in all material respects in accordance with generally accepted accounting principles (GAAP).  There are circumstances where American-rules based GAAP may support an accounting treatment that fails to present a "fair" picture of the company's financial situation.  In such case, because  906 omits the words "in accordance with GAAP," the CEO/CFO must ensure that portions of the SEC report other than the audited financial statements (e.g., "Management's Discussion and Analysis" section or other textual descriptions of the business) supply the additional information necessary so that the SEC report read as a whole fairly presents the company's financial picture in all material respects.

What Are Sec. 906's Penalties?


 Any individual who "certifies any [ 906] statement knowing that the periodic report accompanying the statement does not comport with all the [ 906] requirements.shall be fined not more than $1,000,000 or imprisoned not more than 10 years, or both."  For any person who "willfully certifies" such a statement "knowing" that it does not comply, the penalties are much higher: up to $5 million and/or 20 years. (Emphasis added.) On its face, the statute does not appear to impose any criminal penalty for failure to submit a certification at all.

How Much Do the Certification Requirements Increase CEO/CFO Criminal Exposure? 

Prior to Sarbanes-Oxley, federal law and SEC regulations already required public companies to disclose material information to shareholders and to present the company's financial results fairly and accurately.  However, Sarbanes-Oxley markedly increases the enforcement risks faced by the CEO/CFO since  906 requires that each of them personally play a substantially increased role in the disclosure process.  Individual criminal liability is based on personal knowledge and participation.  Hence, the certification requirement significantly increases the CEO's and CFO's criminal exposure.


The criminal exposure of CEOs and CFOs is further expanded under  302 of the act, which contains an additional provision requiring them to certify periodic reports.  For example,  302(a)(4)(B) requires the CEO and CFO to certify that they "have designed.internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared." 

Under this provision, the CEO and CFO are responsible for ensuring that all material information is made known personally to the CEO and CFO themselves, and this obligation extends not only to material information concerning the company, but also to material information about all the company's "consolidated subsidiaries."  Thus,  302 creates a heavy burden on the CEO and CFO to become personally aware of material information on a timely basis, and it likewise makes it difficult to argue in any investigation that the CEO or CFO in fact had no knowledge of material information that was available.  Indeed, the whole thrust of the act is to increase materially CEO/CFO personal involvement in monitoring and correcting misconduct and reporting to the public.

Although false certifications under  302 will generally be pursued civilly through SEC proceedings, the Department of Justice (DOJ) may seek to prosecute egregious  302 violations under criminal provisions prohibiting use of the mail, telephones or Internet to commit fraud (18 U.S.C.  1341 (mail fraud), 18 U.S.C.  1343 (wire fraud)) or under 1934 Act  32. 

Is Materiality Implied Throughout Sec. 906?


As discussed above,  906 requires two separate certifications:  (i) the periodic report "fully complies" with the requirements of  13(a) and 15(d) and (ii) the information in the periodic report "fairly presents, in all material respects, the financial condition and results of operations of the issuer."  As is plain from the text, the financial-condition representation is qualified by materiality, while the full compliance with  13(a)/15(d) representation is not.

The question arises, then, whether a CEO/CFO certification under  906 could give rise to criminal liability for an immaterial or technical  13(a)/ 15(d) violation.  It seems doubtful that the courts will sustain such a reading, particularly in light of the substantial penalties imposed for a violation, but the answer is not clear beyond doubt absent DOJ prosecutorial guidelines (which it has no obligation to issue), or judicial clarification in the context of actual prosecutions.  As a practical matter, it seems unlikely the DOJ would bring such a technical case, both for resource allocation and policy reasons.

The key questions, it seems, are: what does full compliance with  13(a) and 15(d) require, and do these sections import their own materiality requirement?  Sec. 906's plain language effectively requires certification of the timing, the form and the content of each SEC periodic report-including both the narrative portions  and the financial statements.  While there may be some ways to read  906 and its reference to  13(a) and 15(d) to narrow the certification, it appears Congress intended to require a broad certification of the accuracy of the periodic report's contents, and not merely a certification that the timing and form requirements of the sections have been met. 

With respect to whether  13(a) and 15(d) themselves incorporate a materiality qualifier, the answer appears to be no, with one caveat.  Some of the substantive matters that must be disclosed under the SEC's regulations do themselves incorporate standards for disclosure, e.g., the $60,000 minimum for related-party transactions.  However, there is no term or standard that could be relied on to import a global materiality qualification into the  906 certification.

What Is the Difference Between  `Knowing' a `Willful' Violation? 


 The act does not explain the difference between a "knowing" violation of  906 ($1 million fine and/or 10 years in prison) and "willfully" committing a "knowing" violation ($5 million fine and/or 20 years in prison).  With jail time doubled for a "willful" violation, the difference poses a significant interpretative question that in the absence of guidance from the DOJ, will unfortunately have to be resolved by the courts.


The federal criminal code does not define "knowing" and "willful," nor does Sarbanes-Oxley provide a hint.  In Bryan v. U.S., 524 U.S. 184 (1998), the Supreme Court examined the difference between the terms "willfully" and "knowingly" in the context of the federal criminal statute barring sale of firearms without a license and concluded that "unless the text of the statute dictates a different result, the term `knowingly' merely requires proof of knowledge of the facts that constitute the offense," while the term "willful" means that "[t]he jury must find that the defendant acted with an evil-meaning mind, that is to say, that he acted with knowledge that his conduct was unlawful."  Id. at 193.  See also Ratzlaf v. U.S., 510 U.S. 135, 137 (1994) ("willful" violation means "the defendant acted with knowledge that his conduct was unlawful"); Cheek v. U.S., 498 U.S. 192, 201 (1991) ("willful" requires proof that the law "imposed a duty on the defendant, that the defendant knew of this duty, and that he voluntarily and intentionally violated that duty").

However, in the context of  906, this distinction does not seem helpful.  Under  906, any violation calling for a criminal penalty would appear, by definition, to be committed with knowledge that the conduct is unlawful.  The statute proscribes making a certification "knowing" that the certification is false because the requirements of the statute have not been met.  Thus, even to qualify for the lesser sanction, the certifying CEO or CFO must know that his or her act is improper and that his conduct is unlawful.  In that context, it is difficult to see what else the term "willfully" could add. Congress obviously intended some subtle difference by adding the term willful, but it is simply not clear how the DOJ and the courts will distinguish between knowing and willful violations.

One thing that does seem clear is that the knowledge requirement does not protect an  executive who takes affirmative steps to be ignorant of material information.  Under other criminal statutes, courts have found the knowledge requirement to be met where there was evidence of willful blindness or deliberate ignorance of the facts.  One passage from the Sarbanes-Oxley legislative history is relevant in this regard.  Sen. Joseph Biden, D-Del., in attempting to explain the level of culpability required by the "knowing" standard, said that while "those who act out of ignorance, mistake, accident or even sloppiness" would not be held criminally liable, the statute nevertheless was intended to send a clear message to executives "to watch your books and not bury your heads in the sand!"  148 Cong. Rec. S. 7426 (7/26/02 Statement of Mr. Biden) (emphasis added). 

Procedures to Ensure That CEO, CFO Comply With Sec. 906


Many companies are investing significant amounts of time and money into reviewing their internal procedures with outside accountants and lawyers to ensure that their senior managers can file the appropriate certifications without risk of civil or criminal liability.  While it is entirely possible that a company's existing internal controls are adequate, modifications may be appropriate to minimize risk.  As the SEC stated in the preamble to its  302 regulations, the procedures a company must employ to ensure Sarbanes-Oxley compliance are company-specific.  That said, here are a number of practices that issuers have already been implementing to improve their internal controls in light of


  • establishment of a disclosure committee charged specifically with monitoring and making the required disclosures (a procedure specifically recommended by the SEC in its recent &00A7; 302 rule-making),
  • "sub-certifications" from executives responsible for the business units or staff functions providing the financial information that is "rolled up" into the consolidated financials,
  • certifications from individuals responsible for preparing the SEC report, and
  • additional due diligence by internal and/or external personnel to confirm the accuracy of the reports.

No list of procedures will ensure blanket protection for the CEO and CFO.  What counts is the ability of the overall set of controls to bring all material information concerning the business to the attention of the CEO and CFO.  Even extensive procedures could trigger liability if they intentionally or foreseeably fail to make the CEO and CFO aware of material problems within the company and its consolidated subsidiaries.

Jack S. Levin, a partner in Kirkland & Ellis' Chicago office, specializes in mergers, acquisitions, buyouts, venture capital/private equity, and other complex transactions.  Laurence A. Urgenson and Craig Primis are partners in Kirkland &  Ellis' Washington, D.C., office.  Mr. Urgenson specializes in white collar criminal defense andMr. Primis in complex commercial litigation.