United States: How to Implement an In-House Legal "Up the Ladder" Reporting System

By Arthur H. Bill, Susan Hackett, Aaron E. Hoffman, Jerry Okarma and David Sherbin

Since the Sarbanes-Oxley Act (SOX) went into effect in 2002, many of its corporate governance provisions have revolutionized the way publicly held companies operate. It dramatically changed the relationship between corporate boards and their companies’ accounting and audit firms. Although less widely discussed, SOX has also established new – and sometimes Byzantine – standards of professional conduct for attorneys, particularly corporate in-house legal staff. The rules affect how they process complaints of alleged securities law violations.

To help attorneys better understand the terms of SOX rules that affect their professional conduct, the national law firm Foley & Lardner hosted, "How to Implement an In-House Legal ‘Up the Ladder’ Reporting System." It was one of seven breakout sessions that were part of the firm’s third annual National Directors Institute (NDI) seminar held May 19, 2004, in Chicago. The breakout session featured a panel of attorneys and case studies presented by two in-house counsel. This paper is based on the proceedings of that session.

Arthur H. Bill, a partner in the Foley & Lardner Washington, D.C. office and a member of the firm’s Business Law Department, opened with an overview of the two SOX sections under discussion:

• Section 307, adopted in 2002, directed the U.S. Securities and Exchange Commission (the Commission or SEC) to adopt minimum standards of professional conduct for attorneys practicing before the Commission in the representation of issuers. It called for promulgation of rules related to "up the ladder" reporting.

• Rule 205, adopted in January 2003 and effective as of August 2003, is the operative rule. It sets forth two alternative ways for attorneys to report complaints of misconduct or suspicious

• activity either reporting "up the ladder" or reporting to a qualified legal compliance committee (QLCC).

Rules have also been proposed for "noisy withdrawal" guidelines in cases involving reporting of misconduct to the SEC but final guidelines have not been adopted.

For a variety of reasons, including corporate culture, companies have implemented "up the ladder" reporting systems that may be ambiguous, broader, or that go beyond the technical defined boundaries of Rule 205.

"Up the ladder" Rule 205(3)(b) consists of four steps:

Step 1 – An attorney appearing and practicing before the SEC who represents an issuer becomes aware of evidence of a material violation by the issuer or any officer, director, employee, or agent of the issuer is required to report that evidence "forthwith" to the issuer’s chief legal officer (CLO) – usually the in-house counsel – or to both the CLO and the chief executive officer (CEO) or their equivalent.

"An attorney who believes it would be futile to report the matter to the CLO or CEO can report directly to the audit committee of the issuer’s board, or to a committee of independent directors, or if there is no such committee, to the full board," Mr. Bill said.

Step 2 – The CLO is now obliged to instigate an appropriate investigation of the evidence of the violation and do one of the following:

• Reasonably conclude no material violation has occurred, is occurring, or is about to occur, and advise the reporting attorney.

• Attempt to have the issuer adopt an appropriate response and advise the reporting attorney of that response and the basis for it.

• Refer the matter to a previously created QLCC. In such a case, the attorney need not do anything further.

Step 3 – If the reporting attorney reasonably believes the CLO has – or both the CLO and CEO have provided a reasonable response within a reasonable time, the reporting attorney’s job is done and the process is over. If, however, the reporting attorney cannot reach such a conclusion, then he or she must report the matter to the audit committee, to an independent directors’ committee, or to the full board.

Step 4 – If the reporting attorney is not satisfied that there has been a reasonable response within a reasonable time to the report, he or she must report the reasons to the CLO and the CEO, and to the directors. Thus, the information has been reported all the way "up the ladder."

"The rule codifies the longstanding and basic principle that an attorney who represents an organization has that organization as a client, and not the organization’s officers, directors, or employees," Mr. Bill said, adding: "We unfortunately have to become mired in the defined terms that are contained within the codification. These are difficult interpretive issues that flow out of these definitions."

"The real meat of the subject matter involves the definition of terms that are in the rule itself," Mr. Bill said. Aaron E. Hoffman, vice president and director of loss prevention for Attorneys’ Liability Assurance Society, Inc., assisted with the definitions.

Attorney appearing and practicing before the Commission—Rule 205.2(a) – "The term is a linchpin of applicability of the rule in many ways," Mr. Hoffman said, "and it defines four express ways in which you can actually appear and practice before the SEC." These are:

1. Transacting business, including communications in any form

Mr. Hoffman noted that his organization had asked that the SEC offer further guidance on this point, but "they’ve indicated so far that they don’t intend to do so."

An attendee who said he was a corporate secretary as well as an in-house attorney said that, as corporate secretary, he must write occasional letters to the SEC requesting no action on proxy proposals. He asked: "Am I now ‘transacting business with the Commission,’ so that if we do have a material misstatement I’m suddenly involved in this process?" Mr. Hoffman said he would assume so. "These rules are going to be interpreted over time," probably in the wake of a major corporate failure.

Susan Hackett, senior vice president and general counsel of the Association of Corporate Counsel (ACC), added further clarification. Ms. Hackett served on panels with Richard Humes, an SEC lawyer associated with the Commission’s General Counsel’s Office and a primary author of the rule. Mr. Humes indicated that general counsel who play multiple roles would, in fact, become responsible when such compliance discrepancies were uncovered. Ms. Hackett stated, "If you’ve learned about it – regardless of your capacity at the time, and even if you overheard it in a restaurant or happened to overhear it in a conversation – you’re now obligated to act."

Cautioning against relying on hyper-technical interpretations of the rule, Mr. Hoffman added rhetorically: "If you are a director or an in-house lawyer or a member of management, wouldn’t you really want to know if somebody in your company is pulling something funny?"

2. Representing an issuer in a Commission administrative proceeding or in connection with any Commission investigation, inquiry, information request, or subpoena

"Perhaps the most straightforward definition in the whole darn rule," Mr. Hoffman opined.

3. Providing advice in respect of the U.S. securities laws or the Commission’s rules or regulations thereunder regarding any document that the attorney has notice will be filed with or submitted to, or incorporated into any document that will be filed with or submitted to, the Commission, including the provision of such advice in the context of preparing, or participating in the preparation of, any such document

Mr. Hoffman felt this was the least straightforward definition. While compiling a videotape about SOX for his organization, "the single most difficult scene for us to write was a vignette trying to show how this section works."

The reason, Mr. Hoffman continued, is that an in-house counsel who writes materials for attachment to an SEC Form 10-Q or Form 10-K filing would be construed as "appearing and practicing" under the first rule. However, he noted "it looks like they [the SEC] threw you a bit of rescue, because it says you have to provide advice with respect to the securities laws." Mr. Hoffman posed three hypotheticals to demonstrate the difficulty in interpreting Rule 205.2(a)(iii).

Hypothetical A – Sally, a deputy assistant general counsel for environmental matters, oversees several environmental issues plaguing her company. Every month, she routinely sends her supervisor a status report. While preparing to file a Form 10-Q quarterly report, her superior is asked for a description of an environmental matter for disclosure in the Form 10-Q. The superior offers Sally’s report without her knowledge. "Is she ‘appearing and practicing?’" Mr. Hoffman asked. "I think not."

Hypothetical B – A colleague from the same company’s securities compliance unit tells Sally about a pending SEC filing and asks her for a description of the environmental issue she is handling. The colleague asked that the description be acceptable to the SEC but without its disclosing every detail. "In that case," Mr. Hoffman said, "Sally is clearly ‘appearing and practicing’ before the Commission."

Hypothetical C -- Sally, is told the company plans to use her report in the filing and is asked if she thinks it is good enough for the SEC. "Obviously a little less clear," Mr. Hoffman said, adding that subparagraph 3 would be the most difficult scenario to interpret over time.

4. Advising an issuer as to whether information or a statement, opinion, or other writing is required under the U.S. securities laws or the Commission’s rules or regulations thereunder to be filed with or submitted to, or incorporated into any document that will be filed with or submitted to, the Commission

Here the rule further defines "appearing and practicing" by excluding two types of attorneys:

• (An attorney who) conducts the activities described in subparagraphs 1, 2 and 3 above, other than in the context of providing legal services to an issuer with whom the attorney has an attorney-client relationship

• A non-appearing foreign attorney

Calling this rule "a little more straightforward," Mr. Hoffman noted that attorneys who perform work for a wholly owned subsidiary might still find the provision vague.

He noted that during the comment period for the regulation, numerous comments were filed by people who do not practice law or run a business. Some significant changes were made to the final rule, such as excluding some lawyers who provide no legal services to an issuer. "That’s a break for the corporate employee who has a law degree and is admitted to practice but does not function in a legal capacity."

Ms. Hackett added that attorney-managers who perform multiple roles, including that of lawyer, are included. Mr. Bill added that the law also covered attorneys who do not practice securities law but supervise other attorneys who do.

Two panelists were very familiar with "up the ladder" reporting systems. The first was Jerome D. Okarma, vice president, assistant secretary, and general counsel of Johnson Controls, Inc. (Johnson Controls). The second panelist was David M. Sherbin, senior vice president, general counsel, chief compliance officer, and secretary of Federal-Mogul Corporation (Federal-Mogul). Each described how their companies' "up the ladder" reporting systems work and those included in the upward reporting chain.

Johnson Controls is a global manufacturer of automotive systems and provider of facilities management and controls, employing 30 lawyers, seven of whom serve overseas. Mr. Okarma noted that the general counsel’s office has interpreted the definitions of the regulation’s provisions, and it has decided that the terms apply to everyone. "We’ve taken the position that we want to encourage ‘up the ladder’ reporting."

"Foreign, non-foreign, people writing letters to the SEC – we told them all to behave with the understanding that they are looked to by the office of the general counsel as vehicles for raising issues worldwide and getting them into the system," Mr. Okarma continued. Paralegals worldwide are also covered under the scope of the regulation. "We told them, ‘We’re giving you a lot of access to key things. If you know something, we don’t want you to be hiding behind some defense that you didn’t fall within some subrule.’"

In addition, Johnson Controls notified its partner firms and preferred providers around the world. "We said, ‘You service us. The expectation is that you’re going to follow the same rules. If you come across anything that meets the definition [of violating securities laws or breach of fiduciary responsibility] or reasonably approaches it,’ we described how we want them to report that into the system."

"So we’ve pretty much told them what the expectation is if they are going to be a member of our law department or our extended legal team," Mr. Okarma said. "The way we want to apply it is with the broadest scope we can possibly apply." Currently, Johnson Controls has three "up the ladder" matters pending which have been referred to the company’s QLCC.

He discussed Johnson Controls’ Light System, a worldwide Internet system that manages legal matters and contains all reports and updates. Quarterly, the company generates a contingent liability report (CRL) that captures all matters that exceed certain thresholds, such as potential liability of $500,000 or higher; anything that might trigger an investigation; or an environmental concern, regardless of size or location. "Anything that potentially is a public relations issue. Even if it’s small dollars, if it could hit the press, we need to see it."

The CRLs are reviewed with management before SEC filings. "So we’ve told everybody to be on notice: ‘You’re handling a piece of the rock here. What you put into the system will generate a report we will use to make decisions on what’s reportable and what’s not.’"

Federal-Mogul is a global supplier of automotive components and subsystems serving original equipment manufacturers and aftermarket companies, employing a 10-member legal team in four countries. Like Johnson Controls, Federal-Mogul has interpreted the regulations, reviewed them with the legal team, the board, and senior management. Its reporting policy is posted on the Internet. Mr. Sherbin said he also advised the company’s non-U.S. attorneys that they, too, are covered by the regulation and he provided them with training via telephone. "We did not want to parse specific definitions and figure out what hats people are wearing. So I just said that everyone is covered by it. That sets the right tone, I think."

"We chose not to have a QLCC," Mr. Sherbin noted. "I wanted everything to come into me or to bob off immediately." Even though the company has 50,000 employees, he said he wanted everyone to "know the they have immediate access to me or to the CEO, or for that matter, to the chairman of the audit committee." The phone numbers and e-mail addresses for all three are published, and employees may "choose whichever they’re most comfortable with." He said the reporting system dovetails with the company’s whistle-blower program.

Also in place is a financial disclosure review committee, whose members certify the accuracy of drafts before they are filed with the SEC. Mr. Sherbin stated, "As CLO, I sit on that, so if any material violation is alleged, I would have the responsibility to investigate it and report it back to the audit committee immediately."

Ms. Hackett said her organization, whose services are aimed primarily at in-house counsel, has collected policies like Federal-Mogul’s and Johnson Controls’ from large and small companies throughout the country. Originally, ACC had hoped a general policy and procedure would emerge, but the diversity of companies made that impractical. "These are attorney-conduct rules, they’re ethics rules, and they apply to individual attorneys. Department or law firm policies will not trump the individual attorney responsibilities."

In addition, although attorney licenses are governed by state rules, there may be times when new SEC rules conflict with them.

"We obviously just discussed how ill-defined all those definitions are, but there are states – Washington and California among others – that are upset that the SEC has inserted itself into the attorney-conduct regulation business. They are waiting for the first case to come up because they’re dying to take on the SEC on this issue. They’re worried that it’s not only the SEC’s rules, but every other regulatory body within the federal government that may soon follow with their own sets of attorney-conduct rules."

Right now, two or three other agencies have begun developing their own rules for attorney conduct and others are likely to follow. The United States Patent and Trademark Office and the Internal Revenue Service are working on such rules now. "Imagine that, the world in which attorneys have 15 different sets of rules that will be regulating their behavior, and which may not be consistent." Adding to the complication is that most attorneys practice across state lines and, increasingly, in foreign countries as part of business. "It could be a real mess over time," Ms. Hackett said. "I’m painting a very dark picture of where ethics concerns are from those of us who are trying to figure out how to help you navigate." She added that the United States Patent and Trademark Office’s rules for attorneys traditionally mirrored those of the American Bar Association, so it posed few problems.

"The agency rules try to encourage lawyers to not only regulate their own behavior but to regulate their clients’ behavior," Ms. Hackett continued. "So now you are potentially liable if your clients do not do things the right way regardless of what you’ve done in the process. That’s a major change; it starts to interfere with that privity of relationship that lawyers have always looked at as being core to confidentiality and to attorney-client privilege that flows from it. While it goes too far to say that these rules put the lawyer in a policeman’s role, that’s certainly the corner we’ve started to turn with these rules."

The furor over the possible usurpation of states’ historic powers over attorney conduct might cause the SEC to halt action on the SOX Rule 205’s pending decision on "noisy withdrawal" for a while. Ms. Hackett indicated that SEC commissioners are divided on the issue as well.

Must attorney-client privilege be waived under Federal Sentencing Guidelines once an investigation is under way? Ms. Hackett said the guidelines, issued by the United States Sentencing Commission, operate by giving merits or demerits depending on the level of cooperation it receives from those being investigated. "You are not required to waive, but you will lose points if you haven’t. There is a general movement to diminish the attorney-client privilege within the corporate context, and a kind of expectation that you should openly discuss this with your clients and prepare them for it."

When is it appropriate to bring in outside counsel? How much of that interaction should be documented?

Mr. Hoffman stated the importance of early involvement of outside counsel for several reasons:

• To help preserve attorney-client privilege

• To avoid any personal or professional relationships that could compromise the investigation

• To gain additional expertise, some of it highly specialized

Mr. Hoffman even sometimes suggests that lawyers in a law firm talk with outside attorneys before beginning a written record, "because so often your initial reaction just isn’t correct." Additionally, Mr. Okarma cautioned against following the same practice in all cases. "I think it’s dangerous to say, ‘We always go outside, or we always go inside.’" Each situation should dictate the practice.

Certain subsections of Rule 205 contain language attorneys find vague, ambiguous, and troublesome. Ms. Hackett provided additional definitions.

Rule 205.2(e) requires attorneys to act on any "evidence of a material violation," a phrase whose definition "always garners a good laugh." The subrule reads as follows:

Means credible evidence, based upon which it would be unreasonable, under the circumstances, for a prudent and competent attorney not to conclude that it is reasonably likely that a material violation has occurred, is ongoing, or is about to occur.

"Even the folks at the SEC are unclear about what that means," Ms. Hackett said, although it is "probably one of the most crucial sections of the rule, and it is without question one of the most tortured." Based on her meetings with the SEC, the Commission attorneys who drafted the rule "don’t believe you have to be more than 20 percent sure you’ve got evidence." Therefore, she advised, it is highly likely "that you’re going to have to bring up pretty much anything you hear," to start the "up the ladder" process. The evidence need not be certified and attorneys will not be held to the "expert" standard.

In defense of the SEC, Mr. Bill said the Commission was striving for an objective standard. "They didn’t want it to be subjected to actual knowledge; they thought that would be too low a threshold. But they’ve created an incredibly un-user friendly standard." Ms. Hackett said most general counsel who have adopted reporting policies simply "go by the smell test."

In its definition, subrule 205.2(i) reads:

Means a material violation of an applicable United States federal or state securities law, a breach of fiduciary duty arising under United States federal or state law, or a similar violation of United States federal or state law.

This language, she said, broadens most attorneys’ understanding of those issues. "Everyone sort of assumed they knew what a material violation was – until they read the rule a little bit more closely and realized it wasn’t just material violations of securities laws but also material breaches of fiduciary duty" described in the definition." The only thing that’s excluded there, if you ask me, are foreign laws." Even that is debatable.

This, from Rule 205.2(d), "is really going to bite you, primarily in what I call ‘legal but stupid’ problems," Ms. Hackett said. In-house lawyers often see management make good executive business decisions and questionable ones. Under traditional securities laws, the "legal but stupid" actions would not trigger reporting; under this rule, however, they could.

"You’re going to have to decide whether to start an ‘up the ladder’ process because you heard management is doing something you don’t believe is smart. This causes severe discomfort for lawyers, because they don’t want to assert their business judgment over that of their managers."

"That is a real problem," Mr. Okarma agreed, adding that his company has "a very expansive definition of what key employees might feel uncomfortable about." Mr. Sherbin concurred, noting that he thought his attorneys "have a pretty good gut, and they see things across business groups." He said he conducts biweekly staff meetings where his legal colleagues can discuss issues that might fail the smell test.

Under Rule 205.2(b), attorneys are required to make an "appropriate response" once they receive evidence of a material violation. The SEC leaves it to attorneys to judge whether a response is appropriate and reasonable.

Mr. Hoffman offered this interpretation: First, the response has to be timely. Second, if necessary, an appropriate remedy must be taken, or there must be a "colorable defense." The final rule provides that a company may retain another attorney to investigate and evaluate reported evidence of a material violation, and if that attorney opines that the company may assert a colorable defense to any charges based on the reported matter, the company may cite its reliance on the attorney’s advice as "an appropriate response" to the reported evidence.

"Some critics are enraged by this ‘colorable defense’ provision," Mr. Hoffman said. "To them it means you can retain an attorney of dubious capabilities or repute who could look at the situation and say, ‘I can put up a straight-face defense. I won’t get sanctioned or disbarred for asserting the defense, and that would thwart the reporting-up process.’" Mr. Bill, however, said the SEC’s release announcing the adoption of the rule explained in considerable detail its expectation of what an appropriate response should be.

For a number of reasons, few companies are adopting this alternative to "up the ladder" reporting.

First, when the QLCC alternative was proposed, the reporting-out requirement was mandatory. Companies "assumed their lawyers would make good judgments and they didn’t need the QLCC to ‘keep it within the family’ on these kind of issues," Ms. Hackett explained.

Second, many general counsel were not enthusiastic about proposing a QLCC to their board. They were not comfortable telling the directors to "Remove me from responsibility," Ms. Hackett said, especially since "most in-house lawyers have spent significant amounts of time and energy encouraging the board to trust them to handle these issues. It just wasn’t a very smart move politically." Adding to this feeling was a concern that audit committees were already overburdened with complying with the requirements of other SOX provisions, in addition to their routine board agendas.

Third, many in-house counsel were concerned over who would advise the QLCC. They might turn to outside counsel, and that "had a couple of practical flaws," including:

• Costs – In-house attorneys feared an outside firm "would likely spend a lot more money and time on this than may be warranted," especially on cases with little merit. The budget would come from the legal department’s budget, not the board’s.

• Unfamiliarity – Since independent firms are, by definition, ignorant of the company and its people and processes, time and money would go into their learning curve.

• Approach – The independent firm "could have a more – shall we say – scorched-earth approach to the way they track things down." It scares employees, it’s disruptive, it can be insensitive to some relationships. Because hot lines generally encourage all employees to leave whistle-blower complaints, general counsels feared the board would be inundated. Ms. Hackett said she knew of at least 100 companies whose hot lines receive more than 10,000 calls a year.

Despite these concerns, "a number of companies have established QLCCs and are quite happy with them," Ms. Hackett said, noting that General Motors Corporation was one of the first to adopt the QLCC process. Whether QLCCs succeed, Mr. Bill noted, depends on the company’s culture. Some companies fear that QLCCs must report all activity to the SEC, but that is not the case; the rule allows the committees to simply investigate complaints.

According to Ms. Hackett, another misperception is that once a QLCC is in place, it becomes the only reporting process to be used. "Even if you have a QLCC, lawyers can still use the regular ‘up the ladder’ reporting structures if they wish."

Acknowledging that few companies use them, Mr. Okarma said the QLCC at Johnson Controls has worked well since it became effective July 2003. The board’s audit committee serves as its QLCC. He said the process was available for viewing on the company’s Web site, www.johnsoncontrols.com.

The reason Johnson Controls uses a QLCC is because the company and its legal staff are so widely dispersed around the world. "We did not view this as a threat to our authority or our position or the stature we hold within the company," Mr. Okarma said.

Even before SOX and its provisions were adopted, Mr. Okarma continued, problems or complaints would have been taken to the audit committee chairman, "so this is not like doing something new," Mr. Okarma said. "It was recognizing and putting in place an existing approach." In fact, he said, the company uses both "up the ladder" reporting and the QLCC "to make it as easy as possible for our folks to raise issues." He said he prefers using "up the ladder" unless there is a good reason not to, or when a whistle-blower would feel more comfortable using the QLCC.

Ms. Hackett noted that another benefit of having a QLCC in place was improving lawyer-to-board relationships. She and Mr. Bill both expressed the concern that the corporate watchdog Institutional Shareholder Services (ISS) was hinting it might expect QLCCs as a sign of good governance and an element in its Corporate Governance Quotient (CGQ) ratings.

To further guide attorneys in complying with their new professional conduct rules and other responsibilities under SOX, Mr. Bill recommended they view the Foley & Lardner Audit Committee Guide. The Audit Committee Guide is available for free download from Bowne. Chapter 12 of the guide discusses "up the ladder" reporting.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.