SOX and MiFID
Compliance with Sarbanes-Oxley Act of 2002
There is a lot of discussion within business and political circles about the Sarbanes-Oxley Act and, in particular, the costs involved in its implementation. Some non-US companies have even considered withdrawing their securities from being traded in the US, while others have analysed their profits from their US business against the cost of compliance. Analysts have reported that not only has London overtaken New York as the market of choice for international IPOs, but Europe (led by London) surpassed the United States in terms of the value of all new listings in 2005. Cynics point out that this trend owes much to Sarbanes-Oxley and its convoluted corporate regulatory regime.
Whether or not you agree with the requirements of the Act, it is clear that companies are gaining benefits by implementing stronger internal controls. Such benefits include the reinforcement of fundamental disciplines, responsibilities and structure, improving risk assessment and mitigation, improved data quality and information, and providing assurance that management's instructions are executed as intended.
The Sarbanes-Oxley Act of 30th July, 2002, also referred to as SOX, is one of the most significant changes to federal securities laws in the United States since the introduction of the Securities Exchange Act of 1934 and has brought in a new era of corporate governance and accountability. It was enacted following a wave of well-publicised corporate financial scandals that included Enron, WorldCom, Global Crossing and Arthur Andersen. Its purpose is stated as 'To protect investors by improving the accuracy and reliability of Corporate disclosures made pursuant to the securities laws, and for other purposes'.
Compliance with the Act is mandatory for:
- all publicly-traded companies in the United States (US), including all wholly-owned subsidiaries, within and outside of the US, and non-US companies publicly-traded in the US; and
- all publicly-traded non-US companies doing business in the US.
All companies that fall into this classification, irrespective of size, are required to have registered and be in full compliance with the requirements.
The SOX legislation is wide ranging and has established:
- legal accountability, responsibility and criminal and civil penalties for executive management;
- enhanced reporting requirements, including an assessment on the effectiveness of internal controls;
- new independence standards for public accounting firms;
- a Public Company Accounting Oversight Board (PCAOB) under the Securities and Exchange Commission (SEC) to oversee public accounting firms and issue accounting standards.
By now all companies falling into the above classification should have established their financial reporting frameworks, the purpose of which includes the submission of an annual assessment of the effectiveness of the company's internal accounting controls to the Securities and Exchange Commission (SEC). The following paragraphs are intended to refresh the reader with the principal sections of the Act pertaining to company compliance requirements.
The Sarbanes-Oxley Act itself is organised into eleven sections but, if we exclude the requirements for public accounting firms and the establishment and operation of the PCAOB, the most important, in terms of compliance, are as follows:
Section 301 - Public Companies Audit Committees
Section 301 states that each company should have an Audit Committee made up of independent individuals appointed from the company's Board of Directors, for the purpose of overseeing the accounting and financial reporting processes and audits of the financial statements of the company. Such responsibilities specifically include the appointment, compensation and oversight of the work of any registered public accounting firm (external auditor or consultants) employed by the company for audit, financial reporting or related purposes; such public accounting firms will report directly to the Committee. The Committee will also establish procedures for the receipt, retention and treatment of any issues relating to accounting, internal accounting controls or auditing matters, as well as processes for 'whistle blowers' that maintain individuals' confidentiality and anonymity.
Of course, if the Board has not appointed an Audit Committee then the entire Board of Directors will be accountable for enacting the Audit Committee's specified responsibilities.
Section 302 - Corporate responsibility for financial reports
Corporate responsibility for the content of financial reports filed with the Securities and Exchange Commission is stated as being with the principal executive officer and the principal financial officer. These individuals are now required to certify that:
a. they have reviewed the report and that it fairly presents in all material respects the financial condition and results of the company;
b. they are responsible for establishing, maintaining and evaluating the effectiveness of internal accounting controls;
c. they have disclosed to the company's external auditors and Audit Committee all significant deficiencies in the design or operation of internal controls and any fraud that involves management or other employees;
d. they have indicated whether or not there were significant changes in internal controls or any other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions taken.
Section 401 - Disclosure in periodic reports
All financial reports are required to be prepared in accordance with generally accepted accounting principles.
Section 409 - Real-time issuer disclosures
Companies are required to disclose to the public, on a rapid and current basis, information concerning any material changes in the financial condition or operations of the company.
The above compliance requirements either require a one-off effort to establish or the implementation of a repeatable process, and are executed at Corporate level.
The compliance requirements of Section 404, relating to 'Management Assessment of Internal Controls', are, however, a different matter. Section 404 states that each annual report will contain:
- an Internal Control Report which states that it is the responsibility of management for establishing and maintaining an adequate internal control over financial reporting for the company;
- a statement identifying the framework used by management to conduct the required evaluation of the effectiveness of the company's internal control over financial reporting;
- management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year, including a statement as to whether or not the company's internal control over financial reporting is effective. The assessment must include disclosure of any "material weaknesses" in the company's internal control over financial reporting identified by management. Management is not permitted to conclude that the company's internal control over financial reporting is effective if there are one or more material weaknesses in the company's internal controls; and
- a statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting.
There has been considerable discussion on how wide the definition of internal control over financial reporting is, as non-financial events have a way of impacting a company's financial position. The SEC has now determined that the term 'internal control over financial reporting' means:
A process designed by, or under the supervision of, the company's principal executive (CEO) and principal financial officer (CFO) and effected by the company's Board of Directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:
- pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the company;
- provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorisations of management and directors of the company; and
- provide reasonable assurance regarding prevention or timely detection of unauthorised acquisition, use or disposition of the company's assets that could have a material effect on the financial statements.
The scope of Section 404 of the Sarbanes-Oxley Act has therefore been deemed to include all transactional records involving the acquisition or disposal of the company's and customers' assets. Such records have to be recorded and maintained in a manner that can provide assurance that they are accurate, complete, authorised, recoverable and have not been compromised by any attempt or conspiracy to commit fraud.
The question is therefore: what needs to be done to comply?
Obviously the responsibility of the CEO and CFO must be delegated through the organisation to those with the necessary skills in designing effective and efficient internal controls and individuals dealing directly with the recording and maintenance of data.
A good starting point is to undertake a complete review of the company's Policies and Standards. The objective of this review is to ensure that the company's values and operational principles comply with the Board of Directors' requirements and all regulatory requirements. It is strongly recommended that, in reviewing operating standards, serious consideration be given to complying with those issued by recognised standards bodies, such as ISO, AICPA, IIA, ISACA/CobiT, COSO and Basel II. Implementing and maintaining such recognised standards of operation will enable management to demonstrate compliance with SOX and can be used within marketing material to provide assurance to shareholders, investors and customers as to the adequacy of the company's operational controls (e.g. ISO 9000 certified; SAS 70 compliant).
The next step is to identify and document current processes, procedures and the associated internal controls that are used in the recording and maintenance of transactional records. An effective method is to flowchart the processes. This exercise will then lead to an evaluation of the procedures' effectiveness, identification of efficiencies or deficiencies, and assessment of compliance with defined standards.
This exercise must include not only all manual procedures but also all computer-based practices, from data centre operations and contingency arrangements to logical access controls over accounting records. It should be noted that the focus of any corrective actions should be to utilise computer-based controls, which are less susceptible to failure than manual ones. Significant emphasis must also be put on the adequacy of the audit trail for all actions involving transactional data, as well as for the associated application programmes used to record such data.
Such an exercise generally brings value to a company by leading to tighter controls and efficiencies to procedures. Most companies have policies in place, but for many there is a layer of dust on the policy manual that has been neglected over the years, while some companies have never promoted their policies to management or staff. Meanwhile, controls may have been developed haphazardly over time in an effort to keep up with growth or have not been updated to correspond to structural changes. Sarbanes-Oxley provides the opportunity to undertake a process review and re-engineering, the results of which may prove very beneficial.
Responsibility should be allocated for ensuring continued compliance at director level. Larger companies should give consideration to appointing a dedicated Governance Process Director whose responsibilities should include:
- maintaining Corporate Governance, Policies and Standards (at Corporate or local level, as appropriate);
- executing the above process reviews on an ongoing basis;
- maintaining the internal control structure (COSO, CobiT);
- incorporating internal controls into system designs and new business processes;
- drafting the required periodic regulatory reports (SOX, CSSF, FSA, etc.) for CEO and CFO review and sign-off;
- resolving internal control issues raised by audits;
- keeping current on all regulatory requirements (delegated to the Compliance Officer);
- acting as the primary contact for regulators;
- owning standards certification projects;
- managing CEO and CFO expectations.
Internal audit's work programmes should incorporate regulatory compliance testing and, if not already in place, an effective exception reporting matrix under a risk management framework should be implemented.
Non-compliance with the requirements of the Act will lead to criminal prosecution involving significant fines or imprisonment for up to 20 years or both. The exact penalties are detailed within specific sections of the Act.
This article is intended to provide the reader with an overview of the more generally relevant compliance requirements for a company falling under the Act's classification and is in no way intended to be comprehensive. The reader is encouraged to review the requirements in their entirety, as well as those published on the SEC web site http://www.sec.gov/about/laws.shtml, and apply the necessary compliance controls over their organisation.
MiFID Overview
MiFID 'The Markets in Financial Instruments Directive' is likely to apply from 1 November 2007. Its implementation will significantly alter financial services regulation in the UK, how firms operate their businesses and the way they interact with their customers. Most FSA-regulated firms carrying on investment business are likely to be affected, whether or not that business falls within MiFID's scope. Implementation is therefore a major challenge, both for us and for industry. November 2007 may seem a long way off. But preparing to meet the challenge cannot begin too soon. Significant aspects of the MiFID package have yet to be agreed at European level. So we cannot be certain at this stage about the final detail of the legislative requirements. During 2006, Treasury and the FSA will consult on the UK implementation and publish cost-benefit analysis of those final requirements (see the overview below). But it is already clear that implementation will mean significant sections of our Handbook will need to be reworked, for example, the conduct of business and systems and controls sourcebooks. This will affect, to a greater or lesser extent, all firms carrying on investment business, bringing changes to the nature of their regulatory obligations to their clients and to their supervisory relationship with us. Potentially, there will also be new business opportunities.
More services will be passportable. And implementation across the European Union may bring about significant changes in market structure. The precise impact will vary from sector to sector, firm to firm. Firms that are well-prepared will be positioned to make the most of these changes. Firms are advised to start planning now to meet the implementation challenge. There is sufficient information and detail available for that process to begin. To help you get started, we have developed this document 'Planning for MiFID' after dialogue with a number of trade associations, who have given us some useful input for it. Its purpose is to highlight the key impacts of MiFID and the types of compliance and business issues that are likely to arise, which you should consider in drawing up your plans. It is not a consultation document. It does not contain any FSA proposals on implementation or guidance on interpreting MiFID. That will be covered in our 2006 consultation programme.
Much of the preparation is likely to fall into the 2006-07 and 2007-08 financial years. Senior management are advised to earmark sufficient resource to assess the likely impacts of MiFID on their firm, and to consider how to respond to the business, operational and compliance issues that will arise.
Early planning will help identify implementation issues whose timely resolution will be important to delivering an orderly transition to the post-MiFID world. That is in the interests of consumers, industry and the FSA.
Planning for MiFID 4
What is MiFID?
The Investment Services Directive (ISD) has been the most significant European Union legislation for investment intermediaries and financial markets since it was implemented in 1995. It is now being completely replaced by MiFID, which extends the coverage of the current ISD regime and introduces new and more extensive requirements to which firms will have to adapt, in particular in relation to their conduct of business and internal organisation. MiFID is a major part of the European Union's Financial Services Action Plan (FSAP), which is designed to create a single market in financial services. MiFID comprises two levels of European legislation. 'Level 1', the Directive itself, was adopted in April 2004. In several areas, however, it makes provision for its requirements to be supplemented by 'technical implementing measures', so-called 'Level 2' legislation. The Commission's proposed Level 2 measures, developed on the basis of advice provided by the Committee of European Securities Regulators (CESR) earlier this year, are the subject of continuing negotiation at European level in the European Securities Committee. Formal Commission recommendations for the Level 2 measures are expected to be published in December 2005, or in January 2006. Their final adoption, following consideration by the European Parliament, is unlikely before the second quarter of 2006. Nevertheless, the broad shape and nature of the Level 2 measures is becoming clear. And while we cannot be definitive at this stage, we can identify the main areas of likely regulatory change, and some of the issues that will arise for firms (see section below on 'MiFID: meeting the challenges').
Which firms will be affected?
MiFID will directly affect those firms that fall within its scope. Scope is uncertain to some degree pending the finalisation of the Level 2 measures, as some important definitions, such as investment advice and commodity derivatives, depend on those measures. The position of any particular firm will also depend on the nature of that firm's business, and whether it falls within any of the exemptions in the Directive. In general, MiFID will cover most if not all firms currently subject to the ISD, plus some that currently are not. It will include:
- investment banks;
- portfolio managers;
- stockbrokers and broker dealers;
- corporate finance firms;
- many futures and options firms; and
- some commodities firms.
In some other areas, the position for firms will be less clear-cut. Retail banks and building societies will be subject to MiFID for some parts of their business, for example, the sale of securities, or investment products which contain securities, but not for others. And there is the prospect, particularly in the retail market, of firms competing for the same type of business being subject to different regulatory standards, depending on whether the firm falls within the scope of MiFID. On the basis of the needs of consumers, business efficiency and competition considerations we shall be considering whether all firms should be subject to substantially the same requirements, whether relating to organisational matters or conduct of business matters.
In that context, some complicated judgements will be required. Such changes will be made only where consistent with our statutory objectives and principles of good regulation. The cost-benefit balance will be a major component of any decision. But in implementing MiFID requirements we expect to review, and potentially amend, much of the detail of our current regime, even for firms not directly within MiFID's scope. We will also use this opportunity to advance our approach to reviewing our Handbook, particularly our proposals for simplifying the retail conduct of business regime (as outlined in July in our Consultation Paper 05/10). On this basis, the types of firm that are likely to fall outside MiFID scope but nevertheless likely to be affected to some extent by Handbook changes associated with MiFID include:
- operators of collective investment schemes when acting as such, for example, operators of hedge funds and private equity funds (a special regime applies to UCITS management companies);
- occupational pension scheme firms;
- life companies and friendly societies;
- financial advisers (FAs) that do not hold client assets; and
- authorised professional firms.
So, even if your firm's investment business is partly or wholly outside the scope of MiFID, this does not mean that you will be unaffected by our approach to its implementation.
What does MiFID do?
One of the main purposes of the ISD was to give a 'passport' to investment firms to enable them to provide investment services on a cross-border basis or to establish a branch in another Member State, in each case on the basis of Home State authorisation. It set out some basic high-level provisions governing the organisational and conduct of business requirements that should apply to firms. It also aimed to harmonise certain conditions governing the operation of regulated markets. MiFID has the same basic purpose. But it makes significant changes to the regulatory framework to reflect developments in financial services and markets since the ISD was implemented.
Scope is wider
Firstly, MiFID widens the range of 'core' investment services and activities that can be passported. In addition to the services covered by the ISD, MiFID:
- upgrades advice that involves a personal recommendation to a core investment service that can be passported on a stand-alone basis;
- clarifies that operating a multilateral trading facility (MTF) is covered by the passport; and
- extends the scope of the passport to cover commodity derivatives, credit derivatives and financial contracts for differences for the first time.
A greater degree of harmonisation
Secondly, MiFID sets more detailed requirements governing the organisation and conduct of business of investment firms, and how regulated markets and MTFs operate. It also includes new pre- and post-trade transparency requirements for equity markets; the creation of a new regime for 'systematic internalisers' of retail order flow in liquid equities; and more extensive transaction reporting requirements.
Doing business cross-border
Thirdly, MiFID improves the operation of the passport for investment firms by more clearly delineating the allocation of responsibility between home state and host state for passported branches and generally clarifying some of the jurisdictional uncertainties that arose under the ISD. For example, going forward, it is clear that a firm will be subject only to home state requirements under MiFID where it provides cross-border services from that state into another Member State. MiFID also more clearly recognises the concept of tied agents, who will be able to carry on some cross-border business under the passport of their principal.
Capital Requirements Directive
Fourthly, most firms that fall within the scope of MiFID will also have to comply with the new Capital Requirements Directive (CRD) which will set requirements for the regulatory capital which a firm must hold. Those firms brought into regulation by MiFID will be subject to directive-based capital requirements for the first time. The CRD will commence on 1 January 2007; that is, before MiFID. It amends the Banking Consolidation Directive and the Capital Adequacy Directive. We have commenced consultation on implementation of these directives and firms are referred to Consultation Paper 05/3 and Feedback Statement 05/1. We plan to give guidance to firms in our forthcoming consultations to assist them to determine the capital requirements relevant to them.