In April 2017, the U.S. Securities and Exchange Commission’s (SEC’s) Division of Corporate Finance announced it will not recommend enforcement action for companies that disclose, but do not further investigate usage of conflict minerals which may be from the Democratic Republic of Congo (DRC). Any company manufacturing or contracting to manufacture products using such minerals had previously been required to conduct extensive due diligence on its supply chain and make this diligence publicly known with a note that its products contained minerals which “have not been found to be ‘DRC conflict free.’” However, following a series of partial losses in court, the SEC appears to be backing off the rule—for now.
The Conflict Minerals Rule and Disclosure Requirements
A provision in the Dodd-Frank Act aims to cut off funding sources for armed rebel groups in the DRC and surrounding countries in central Africa. It requires companies manufacturing products containing certain minerals to conduct supply chain audits and disclose if those minerals were known to have originated in the DRC or adjoining countries. The SEC, as the enforcer of this provision, issued a rule requiring issuers of securities who filed reports with the SEC under Sections 13(a) or 15(d) of the Securities Exchange Act of 1934 and who manufactured or contracted to manufacture a product in which the defined conflict minerals were a necessary part, to file a separate special disclosure form, Form SD. Although these obligations were placed on manufacturing issuers, in practice, the diligence requirement was imposed on others in the supply chain because many manufacturers required their supply chain partners to certify origin of minerals and compliance with the rule.
When Form SD was first issued, items 101(a) and (b) required companies using conflict minerals to attempt to identify the country of origin of those minerals. If after conducting a “reasonable country of origin inquiry” the company determined that the country of origin was neither the DRC nor an adjacent country, it had to disclose this finding (and a description of the country of origin inquiry conducted) on its website as well as to the SEC. Per item 101(c) of Form SD, if a company’s minerals may have originated in either the DRC or its neighboring countries, the company was required to conduct additional, more extensive due diligence, and then file and publish a conflict minerals report. This report had to include a description of the company’s due diligence efforts, certified results of an independent private audit, and a list of planned changes as a result of the audit. In the report and on its website, companies also had to describe which products had “not been found to be ‘DRC conflict free,’” although for the first two years of enforcement they could use the label “DRC conflict undeterminable.”
The National Association for Manufacturers challenged these regulations on both procedural and constitutional grounds. After the district court granted the SEC summary judgment, the Association appealed to the DC Circuit of Appeals. Ultimately, the appeals court found that forcing companies to note whether or not their products are DRC conflict free was unconstitutional under the First Amendment. The case was remanded to the U.S. District Court for the District of Columbia, which issued its final judgment in April 2017 and set aside the part of the rule that requires companies to add language that their products are “DRC conflict free” or “have not been found to be ‘DRC conflict free.’” Citing both the court decision and the unclear efficacy of the rule, SEC Chair Michael Piwowar reopened comments and the SEC stayed the compliance portions of the rule pending the conclusion of litigation. The SEC announced it would not pursue enforcement actions against companies who only complete Form SD items 101(a) and (b) and do not pursue more extensive diligence on sourcing or secure an independent audit. The SEC has taken the view that the purpose of item 101(c) of Form SD and the related conflict minerals reports was to determine the status of conflict minerals by requiring the “conflict free” or “not conflict free” labels, and that these measures and the requirements for more detailed due diligence are in need of re-evaluation and clarification given recent court rulings on this matter.
Although companies are not currently expected to conduct the extensive due diligence envisioned by item 101(c) of Form SD, they are still expected to conduct in good faith a reasonable country of origin inquiry and disclose this information to the SEC and the public. Companies and boards still need to ensure there are effective diligence programs in place that allow reasonable inquiry into supply chain partners and components, particularly if conflict minerals are necessary to any product the company manufactures. By statute, the SEC is required to issue a rule relating to due diligence for conflict minerals. Although the “conflict free” labeling requirement has been eliminated, the question remains whether conflict minerals reports, in their current form, are otherwise valid. The SEC is currently developing its future enforcement recommendations with respect to the rule.
In the interim, companies should continue to ensure effective supply chain diligence mechanisms are in place that allow them to confirm where components, particularly conflict minerals, are sourced. To the extent that auditing or diligence measures had already been put into place prior to the final judgment and SEC announcement, companies may want to continue to implement these measures given the lingering uncertainty about future application of the rule. Companies also have the ability to submit comments on the rule to the SEC and should make their views known to influence future enforcement on this issue.
At Baker & McKenzie, Joan Meyer is a partner and chairs the North America Compliance, Investigations & Government Enforcement Practice Group. Reagan Demas is a partner and Maria McMahon is a professional support lawyer in the North America Compliance, Investigations & Government Enforcement Practice Group in Washington, DC.
To learn more about strategy and risk, attend the 2017 Global Board Leaders’ Summit where you will have the opportunity to explore emerging risk issues with peers. A detailed agenda of NACD and Marsh & McLennan’s Board Committee Forum on strategy and risk, can be found here.
Investors now see corporate governance as a hallmark of the board’s effectiveness and one of the best sources of insight into the way companies operate. In response to this trend, Farient Advisors LLC, in partnership with the Global Governance and Executive Compensation Group, produced the report 2017—Global Trends in Corporate Governance, an analysis of corporate governance practices in the areas of executive compensation, board structure and composition, and shareholder rights covering 17 countries across six continents.
NACD, Farient Advisors LLC, and Katten Muchin Rosenman LLP cohosted a meeting of the NACD Compensation Committee Chair Advisory Council on April 4, 2017, during which Fortune 500 compensation committee chairs discussed the report’s findings in the context of the current proxy season. The discussion was held using a modified version of the Chatham House Rule, under which participants’ quotes (italicized below) are not attributed to those individuals or their organizations, with the exception of cohosts. A list of attendees’ names are available here.
Global Governance Trends
2017—Global Trends in Corporate Governance finds that governance standards around the world have strengthened in response to financial crises and breakdowns in corporate ethics and compliance. Those crises and breakdowns have led to greater pressure from governments and investors, who are demanding economic stability and safe capital markets. In regard to executive compensation, the report notes a number of global governance trends:
Source: Farient Advisors, 2017—Global Trends in Corporate Governance, p. 18.
Most of the 17 countries surveyed (94%) require executive compensation disclosure, although the disclosures made and the quality of these disclosures varies from country to country. Surveyed countries that had the least developed disclosures are South Africa, China, Brazil, and Mexico.
Say-on-pay voting is mandatory in most developed countries, although there is variance on whether the votes are binding or not. For developed countries where the vote is voluntary (e.g., Canada, Belgium, Germany, and Ireland), it still remains a leading practice.
Common leading practices are to use competitive benchmarks, such as peer groups to establish rationales for pay, and to provide investors with information on components of pay packages and performance goals.
2017 Proxy Season Developments
Meeting participants shared a number of observations and practices from the current proxy season:
Continuous improvement on disclosures Council participants indicated they are sharing more information with shareholders, in a more consumable way. “We want to be in the front ranks as far as providing information to shareholders,” said one director. “Instead of asking ‘why should we share that?’ we’re starting to ask ‘why not?’” Another director added, “Over the last few years we’ve moved from a very dense legalistic document to something that’s much more readable. Our board set up a process to do a deep-dive review every two years; this fall is our next review. It’s a way to ensure our disclosures keep pace with current practices and also reflect where we are as a company and board.”
Council members also discussed the status of Dodd-Frank rulemaking, given the new presidential administration and SEC commission. S. Ward Atterbury, partner at Katten Muchin Rosenmann LLP, said, “While it’s unclear exactly what the SEC will do with Dodd-Frank requirements in the future, investors have spoken on some of the issues, especially on things like say on pay and pay for performance. There may be less formal regulation, but the expectations on companies and boards are still there [to provide pay-for-performance disclosure].”
Growing interest in board processes According to one director, “We’re hearing more interest about CEO succession as it relates to strategy. Investors are asking us to describe our process—they understand we can’t discuss specifics.”
Director Pay Dayna Harris, partner at Farient Advisors LLC, discussed the increased focus on director pay: “Given the recent law suits regarding excessive director compensation and an increase in director pay proposals in 2016, Institutional Shareholder Services (ISS) created a new framework for shareholder ratification of director pay programs and equity plans.” ISS’ framework evaluates director pay programs based on stock ownership guidelines and holding requirements, equity vesting, mix of cash and equity, meaningful limits on director pay, and quality of director pay disclosure. ISS’ updated factors for evaluating director equity plans include relative pay magnitude and meaningful pay limits.
Environmental, social, and governance (ESG) issues Meeting participants agreed that social issues, such as ESG and gender pay equity, are increasing in popularity among investors. In particular, nonbinding shareholder proposals on climate change received majority support this year at Exxon Mobil Corp., Occidental Petroleum Corp., and PPL Corp.
Refining approaches to outreach and engagement with investors Meeting participants discussed leading practices for engaging shareholders. Some directors indicated that investors have turned down their offers to speak on a regular basis because of time constraints. One delegate emphasized that just making the offer to meet with shareholders is appreciated, even if that offer is turned down. One director said, “We invited one of our major long-term shareholders to speak at one of our off-site [meetings] as part of a board-education session. It was a different type of engagement and very valuable.”
China’s legislature approved its Cybersecurity Law this past November, solidifying China’s regulatory regime for cyberspace and potentially disrupting foreign companies that use or provide telecommunications networks in China. The law takes effect June 1, 2017, and reflects China’s desire for “cyber-sovereignty” (regulating the Internet in China according to national laws, despite the global nature of the World Wide Web). As the Chinese Communist Party (CCP) faces pressure from slowing economic growth and foreign influence, the Cybersecurity Law is one in a series of laws the Chinese government has implemented recently to uphold state security.
Significant Provisions of the Law
Though the wording of the law is vague, it formalizes many current practices and aims to consolidate cybersecurity authority under the Cybersecurity Administration of China. While the government is expected to offer more clarification on the law through implementation rules, how the law is played out in practice will be the ultimate indicator of the law’s severity. These three aspects of the law have the greatest potential to affect multinational companies (MNCs) doing business in China, according to an NACD analysis:
1. Data localization: Article 37 of the law is one of the most contentious and requires that “critical information infrastructure” (CII) operators store personal information and other important data they gather or generate in mainland China to be storedin mainland China. CII operators must have government approval to transfer this data outside the mainland if it’s “truly necessary.” The definition of CII is a catch-all, including public communication and information services, power, traffic, water, finance, public service, electronic governance, in addition to any CII that would impact national security if data were compromised.
Impact: The broad applicability of the CII definition raises the concern that any company using a telecommunications network to operate or provide services in China would be required to store data in mainland China, possibly even affecting those that store data to clouds with servers located outside mainland China.
2. Support for Chinese security authorities: Article 28 requires “network operators” to provide technical support to security authorities for the purposes of upholding national security and conducting criminal investigations. Network operators are broadly defined as those that own or administer computer information networks or are network service providers, which may include anyone operating a business over the Internet or networks.
Impact: The loose definition of “technical support” creates the concern that MNCs will be required to grant Chinese authorities access to confidential information, compromising private information and intellectual property that may be shared with state-owned competitors. Although not stated in the final version of the law, there is also the possibility that companies may be required to provide decryption assistance and backdoor access to authorities upon request.
3. Certified network equipment and products: For network operators, Article 23 indicates that “critical network equipment” and “specialized network security products” must meet national standards and pass inspection before they can be sold or supplied in China. A catalogue providing more specification on these types of products will be released by the government administrations handling cybersecurity. Under Article 35, CII operators are also required to undergo a “national security review” when purchasing network equipment or services that may affect national security.
Impact: Chinese companies and government agencies have historically relied on computer hardware and software manufactured by foreign companies, although this is now shifting in favor of domestic IT products. Opportunities for hacking and espionage put China at risk of losing sensitive information to foreign governments or companies, and China has already started conducting reviews of the IT security products used by the central levels of government. This provision of the Cybersecurity Law demonstrates China’s resolve to mitigate this risk and may pose a significant barrier to foreign IT equipment manufacturers selling products in China.
How Directors Can Prepare
China’s Cybersecurity Law has been criticized by the foreign business community, and, depending on the law’s implementation, it may make doing business in China for MNCs not only more complex but also riskier. Tom Manning, a China specialist at the University of Chicago Law School and director of Dun & Bradstreet, CommScope, and Clear Media Limited, advises boards to consider the effect of the Cybersecurity Law in the greater context of China’s rise: “The Chinese economy is increasingly more self-sufficient. Domestic companies are growing stronger and are more capable, while multinational companies are finding it more difficult to compete.”
Manning suggests boards conduct an overall China risk assessment, with the Cybersecurity Law as the focal point. While some companies may determine the risk of doing business in China is too high, Manning says, others might decide they need to invest more in China to be profitable. Ultimately, creating alliances with domestic firms, who have a greater influence over the government’s implementation of the law, may be key. “Leading domestic companies have a stake in seeing a better definition of the law, and their interests aren’t unaligned with multinational companies,” Manning says. “Chinese Internet companies can explain to the government how the law will affect their business models and be more effective in doing so than Western companies.”
Although how the law will be enforced remains to be seen, boards can consider the following questions when evaluating the impact of China’s Cybersecurity Law:
Are we storing information generated or gathered in mainland China on servers in mainland China? Do we need to create separate IT systems for China-specific data? Are we reliant on cross-border data transfers, and how would we approach this need with the Chinese government?
What is our risk exposure stemming from the potential loss of intellectual property or encryption information as a result of this law? How would our business be affected should our Chinese competitors gain access to this information?
For computer hardware or software manufactures, are we willing to share our source code with the Chinese government?
For technology firms, how does the law alter the playing field for our company to compete in China against domestic firms?
What additional investments do we need to make in order to comply with this law?