Gambling with Compliance

February 17, 2006: Are the costs of complying with the single, clearly-defined corporate governance law that outlines your liabilities for record storage and recovery outweighing the benefits? This is the wager being placed by many Australian companies. Conni Christensen and Tim Smith put the cards on the table.

On the whole, Australian business managers and even senior public servants are unreceptive to the concept of record-keeping compliance. Whether this is simple business-level intransigence based on the time and costs involved in updating extant practices and legacy systems, or whether it's simply down to ignorance of the potential pitfalls of non-compliance, is a moot point. The bottom line as we move further into the maturing 'Age of Technology', however, is that if your organisation is not in a position to deliver its records to obvious bodies such as the Australian Tax Office (ATO), Australian Securities and Investments Commission (ASIC) and Australian Competition and Consumer Commission (ACCC), or to the less obvious Australian Transaction Reports and Analysis Centre (AUSTRAC), you will be in serious danger of compromising your entire corporate structure.

Certainly record-keeping is a subset of wider corporate governance issues, and is often seen as just that; something for the filing clerks and maybe IT geeks to concern themselves with. This can often lead to the record-management infrastructure appearing as an afterthought line-item. However, with the push to global markets and global legal frameworks, it will not be long before U.S. or European legislation becomes essential knowledge for Australian traders. Consider that regulators such as the Securities and Exchange Commission (SEC) are still licking their wounds following the disgraceful state of one company's record delivery, that company being ENRON, and you begin to get a real-world idea of the dangers to be faced by entities that are slow off the mark.

If you are in that state, you're not alone. According to a report commissioned by Hewlett Packard back in June 2005 that explored the wider realm of corporate governance compliance: "…businesses are approaching compliance as a necessary 'tick-box' activity - they are singing the right song, but not really understanding the words - and this can be the difference between success and failure for a business."

The concept of 'compliance' is in itself not a new one - let's face it, it is in the best interests of all organisations to retain an audit trail for that end-of-year shuffle. However, the advent of greater (in the sense of sheer mass if not efficiency) communications deriving from IT implementation in all areas of business means that that concept is losing its previous focus.

To put this in context, even professional bodies such as the Sydney-based Australian Compliance Institute point out that compliance is not based on any single cut-and-dried statute. The ACI makes this very plain when it states that:

"Compliance is about applying the law in a commercial context. It is the implementation process and is less about "black letter law" than the application of legal policy. Compliance professionals are obliged to assess the risks of breaches of the law and ensure that the Board and Senior Management are aware of these risks. While compliance activity covers regulatory and legal issues, it can also be applied to non-binding obligations that are important to an organisation."

Ignorance is no defence

"Non-binding obligations" presents a huge grey area. And before long this ambiguity might not be simply the bailiwick of those "Board and Senior Management". This view is supported by the Federal Government's own Corporations and Markets Advisory Committee in its May 2005 discussion paper, "Personal liability for corporate fault", which introduces the concept of 'derivative liability'.

In its own words, the discussion paper: "…draws attention to the broad range of differing statutory tests both within and between jurisdictions for imposing …liability. This lack of uniformity and resultant complexity may in itself:
- detract from effective corporate governance by reducing the possibility of directors fully understanding their legal responsibilities in performing their corporate functions
- unduly increase compliance costs for businesses in attempting to identify and respond to that complex legal environment."

The DP was instigated following the demise of HIH Insurance and the ensuing cost to the Commonwealth of document discovery. The paper concentrates on the problems facing regulatory authorities when they attempt to disentangle ignorance versus outright avoidance of existing laws. It recommends among other things that officers other than directors of companies can be made personally liable in the event that, for our example, discovery of relevant documents is not achievable. Those other officers mean middle to lower management; in other words - and drawing on our present premise, the people at the coalface responsible for implementation of document and record-keeping.

In short, although you know that record-keeping compliance is good for you, that being non-compliant could have disastrous commercial consequences and that you really should get around to it, there is not a single, clear line of legislation that will ensure that you are using Australian best practice.

Penalties Kick

Until recently the chances of a company having their record-keeping knuckles rapped were slight, and any penalties imposed for poor record-keeping were inconsequential. It was therefore understandable that many executives would assess record-keeping compliance as a low risk and focus instead on other organisational priorities.

These attitudes are slowly changing, helped along by recent events such as the collapse of Enron, Arthur Andersen and HIH. The spotlight is now on records management systems and practices.

It's taking a long time for managers to accept that electronic documents and email are actually records and need to be managed accordingly. For many the trigger for understanding is often the experience of being involved in a legal discovery exercise.

They are also learning that the cost of electronic discovery within a chaotic electronic environment can be prohibitively high. Industry experts estimate that costs for fulfilling a single discovery request can run from tens to hundreds of thousands of dollars. For example, the cost to the White House of recovering 246,000 emails from approximately 4,900 backup tapes was estimated at US$10 million.

The cost of lost litigation

There are recurrent examples of litigation being lost due to the inability to produce records or the willful destruction of records.

The recent $1.45 billion judgment against Morgan Stanley in the Ronald Perelman case (May 2005) is a stunning example of what can happen when an organisation cannot reliably produce e-mails for the court. In this case the judge ruled that Morgan Stanley "deliberately" violated her orders.

McCabe v British American Tobacco Services Ltd brought to our attention Justice Geoffrey Eames who struck out British American Tobacco's defense in the Victorian Supreme Court, citing that the creation and implementation of a document retention and destruction policy was prejudicial to the Claimant's right to a fair trial. The Victorian Court of Appeal (6 December 2002) overturned the decision of the Victorian Supreme Court, but the cost to British American Tobacco was still high given that their public image suffered as a result of the first decision.

More recently, two employees of a Western Californian branch of the INS were indicted for ordering low-level employees to destroy documents. Over 90 thousand documents were destroyed, including American and international passports, originals of birth certificates, work permits, citizenship applications and associated documents that cannot be replaced. The documents were destroyed to reduce a growing backlog of unprocessed paperwork.

The role of Corporate Regulators

Five years ago a search for record keeping on any regulator's web site would have provided very disappointing results. Today many of the regulators publish record-keeping guidelines for their corporate clients. For example, a search on the Australian Tax Office web site returned 94 hits on record-keeping.

Record-keeping requirements are now being built into legislation and regulations. The Australian Securities and Investments Commission (ASIC) states that under section 286(1) of the Corporations Act, a company must keep written financial records that:

- Correctly record and explain its transactions and financial position and performance; and
- Would enable true and fair financial statements to be prepared and audited.

The Australian Tax Office (ATO) web site states that under tax law, you must keep records:

- That specify and explain all transactions. This includes any documents that are relevant for the purpose of working out your tax liabilities. You should make records of transactions as soon as they occur or as soon as possible afterwards.
- Relate to all taxes for which you are liable. This may include income tax, goods and services tax, pay as you go taxes, capital gains tax, and fringe benefits tax.

Nearly all corporate regulators specify explicit record keeping requirements. Most employ the carrot approach to achieving compliance. However as the following examples show, some are also just as likely to use the stick.

Fine Times

In the US there have been many recent examples of organisations being fined for the deliberate destruction of records.

Securities regulators fined the brokerage arm of Fidelity Investments $2 million for permitting its employees to alter and destroy documents at "numerous" branch offices. Regulators charged that employees at 21 branch offices of Fidelity Brokerage Services were encouraged to alter or destroy records in order to achieve better scores on annual inspections of the books and records at the branches. The document destruction took place between January 2001 and July 2002.

In March 2004 the Bank of America's securities unit agreed to pay a record $10 million penalty to the Securities and Exchange Commission for record-keeping violations and failing to produce documents - in particular, e-mails - requested as part of an SEC investigation.

And we all remember when, in October 2002, the major American accounting firm Arthur Andersen received a $500,000.00 fine and five years' probation for destruction of documents relating to its client, Enron, after it was aware that civil litigation and government investigations were imminent. We now know that that verdict was the death knell for the 89-year-old company, once one of the world's top five accountants.

Enforceable Undertakings

Within Australia some corporate regulators are increasingly using an instrument called an Enforceable Undertaking as a means to bring non-compliant agencies into line. An enforceable undertaking is a legal agreement in which a person or organisation undertakes to carry out specific activities as a result of a contravention of the relevant Act. In many circumstances enforceable undertakings are viewed by the regulators as an effective alternative to other enforcement actions, such as litigation.

In 2001, financial planning and share broking group D&D Tolhurst agreed to be subject to a court enforceable undertaking after the Australian Securities and Investments Commission (ASIC) became concerned about internal compliance procedures. The group agreed to engage a compliance consultant to review and assess compliance within the company and to report on any possible further changes to Tolhurst's compliance and training programs. The assessment included record keeping as a key review area.

More recently Zurich Financial Services Australia agreed to an enforceable undertaking with APRA after two Zurich entities failed to properly account for two reinsurance transactions entered into in 2000. Again record-keeping was targeted as a key area for review.

Beefing Up Legislation

Since Enron, a raft of regulations such as Basel II, International Accounting Standards (IAS) and Sarbanes-Oxley (SOX) have been introduced to deliver improved corporate governance, and all have included tightened record-keeping requirements. Australia is bringing in similar changes, such as the Corporate Law Economic Reform Program (CLERP).

However, the main thrust of change is within existing legislation - in the form of minor amendments to Acts and regulations which incorporate more explicit record-keeping requirements. For example:

- The Dept of Immigration advises on their web site that amendments were made to Part 6 'Record Keeping and Management' of Schedule 2 of the Migration Agents Regulations 1998.
- The Federal Government's review of Australia's anti-money laundering system recommends that record-keeping obligations (of financial institutions) will need to be reviewed to ensure that information can be made available within three days of a request by an anti-money laundering regulator or nominated agency.
- Changes to the Therapeutic Goods Act following the Pan Pharmaceuticals product recall increase manufacturers' responsibilities in relation to ensuring the quality and safety of therapeutic goods available in Australia, and incorporate additional record-keeping requirements.
- The Crimes Legislation Amendment (Telecommunications Interception and Other Measures) Bill 2005 contains many detailed record keeping and reporting requirements for law enforcement agencies.
- Significant changes to the way that veterinary surgeons can use, prescribe, supply and recommend the use of veterinary chemical products came into effect on 4 April 2003, following amendments to the Chemical Usage (Agricultural and Veterinary) Control Act 1988. There is now a requirement for veterinary surgeons to make detailed records of the treatment of trade species animals. These records must be kept for two years or another period prescribed under a regulation.

Still Prepared to Gamble?

All of the available evidence points to an unprecedented level of interest by the courts, regulators and auditors in company record-keeping systems and practices. The examples quoted here may just be the tip of the iceberg.

The cost of compliance appears to be unreasonably high to many organisations. And yet in a recent report, 10 out of 12 IT chiefs on silicon.com's CIO Jury user panel said the investment has produced benefits beyond simply meeting regulatory targets and deadlines. The high IT cost of compliance projects has proved worth it for the wider business benefits such projects have brought, according to these UK CIOs. Some cited improvements in business processes as a result of compliance work as an immediate benefit. One commented that "compliance at first seems like a necessary evil but the long-term benefits will eventually manifest themselves".

The real challenge facing most companies is to build record-keeping solutions that achieve compliance and deliver better business outcomes within the same system. Now that could be a gamble worth taking.
