We are now approaching the half-way point of 2009, and most of us are still trying to figure out the nature and scope of regulations that will descend in reaction to the massive corporate failures of the last 9 months. Considering the hefty burden brought by Sarbanes-Oxley in reaction to — by comparison — less egregious issues, it’s no wonder risk and compliance professionals are waiting with nervous anticipation.
New legislation continues to pass at a fast clip in the US under the new administration, however we have only seen pieces of what we can expect will be significant changes to the regulatory controls mandated for many aspects of corporate operations.
Some of the most revealing actions taken so far include:
– May 20, 2009 – President Obama signed the Fraud Enforcement and Recovery Act of 2009. FERA allocates substantial budget (more than $300 million) to the SEC, FBI, Justice Department, and other agencies to investigate “possible criminal, civil, or administrative violations and for criminal, civil, or administrative proceedings involving financial crimes and crimes against Federal assistance programs.” It will also create a commission to explore possible causes of the financial crisis, including regulatory mistakes, fraud, poor compensation practices, and over-reliance on numeric tools such as risk models and credit ratings.
– June 12, 2009 – United States Congressman Gary Peters introduced his Shareholder Empowerment Act to the House. This bill would give shareholders greater voice in votes on executive compensation and board membership as well as more disclosure on specific performance targets and bonuses. Senator Charles Schumer proposed similar legislation on May 19th. The one major addition in Senator Schumer’s Shareholder Bill of Rights Act of 2009 is the requirement that all public companies have an independent board-level risk committee, whose responsibility would be “the establishment and evaluation of the risk management practices of the issuer.”
– June 17, 2009 – President Obama outlined plans for more sweeping reform of financial regulations that would aim to consolidate supervision over all firms that pose a risk to the financial system as a whole. Specifics are still in the works, but the Treasury Department explained that aspects of this regulation would include the creation of an agency to protect consumers by further regulation of firms that provide credit, savings, payments, or other financial services; further protection of corporate whistleblowers and larger sanctions for regulatory enforcement; review and possible modification of risk management guidance based on Basel II; and increased international cooperation to enforce anti-money laundering and terrorist funding standards.
Themes among these legislative actions include fraud prevention, transparency, shareholder and consumer rights, and stronger risk management oversight. The burden will be placed squarely on risk and compliance professionals and their cohort in the IT department. Even more visibility and control will be required for financial transactions as well as the context (emails, voice mails, related transactions, etc.) in which they took place. Monitoring and reporting more detailed risk information to regulators as well as potentially to a risk committee will also require a level of rigor most companies are not yet set up to tackle.
By now, plans should be in place to start addressing some of these high level concerns. The exact methods and timelines by which organizations will need to comply with these new regulations are still being worked out, however it’s quite clearly a matter of when, not if they will come. And for those of you not working in financial services, please note that much of the focus has been on public companies as a whole, not just those in the financial sector.
As always, you’re welcome to share your thoughts on how your company is preparing, and whether you expect these new regulations to have more or less of an impact on risk and compliance departments compared to SOX.