You may have noticed a risk factor in annual reports and SEC registration statements about “conflicting laws and regulations.” Once rare, the warning has become common, thanks to globalized operations and proliferating regulators. For compliance officers, it’s a growing minefield.
What do “conflicting laws and regulations” warnings look like?
Here’s one from the annual report Frequency Therapeutics filed with the SEC on March 29:
Doing business internationally involves several risks, including, but not limited to multiple, conflicting, and changing laws and regulations, such as data privacy and security laws and regulations, tax laws, export and import restrictions, economic sanctions laws and regulations, employment laws, regulatory requirements, and other governmental approvals, permits, and licenses.
From Goldman Sachs:
Legal, regulatory and reputational risks may also exist in connection with activities and transactions involving new products or markets where there is regulatory uncertainty or where there are different or conflicting regulations depending on the regulator or the jurisdiction involved, particularly where transactions in such products may involve multiple jurisdictions.
And from Tesla:
[R]egulations continue to rapidly change, which increases the likelihood of a patchwork of complex or conflicting regulations, or may delay products or restrict self-driving features and availability, which could adversely affect our business.
The risk of encountering conflicting laws and regulations is real.
What are some problems it causes?
Problem #1: Is your Code of Conduct still accurate? Most companies say publicly they aspire to obey all laws applicable to them. Typical is Value Line’s Code of Business Conduct and Ethics: “The Company requires that all employees and directors comply with all laws, rules and regulations applicable to the Company wherever it does business.”
Similarly, Ionis Pharmaceuticals’ Code of Ethics and Business Conduct says, “When conducting business for Ionis, we strive to comply with the spirit of the law, and we will not take any action that we know, or reasonably should know, violates any law, regulation or judicial decree.”
But when companies face conflicting laws and must choose which ones to violate, are those Codes accurate?
Asked another way: Should a company that has warned about potentially conflicting laws publish an unqualified statement that it intends to comply with all applicable laws and regulations?
Problem #2: Breaking promises to lenders or others. All big companies borrow money through syndicated loans or exchange-traded securities. And all borrowers at some point promise they will “comply with all laws, rules, regulations and requirements of any governmental authority applicable to the borrower.”
A borrower violating conflicting laws is probably in technical breach of its covenants. The consequences of such breaches can range from merely troublesome reporting obligations to catastrophic defaults.
Problem #3: Who decides which conflicting laws and regulations to violate? Should directors make or approve all decisions to violate an applicable law? Or the CEO alone, or a C-suite team? Is it a question for government affairs, HR, or PR? What role does the legal department play, and compliance? And anyway, who wants to go on record in favor of violating any law or regulation anywhere?
Problem #4: What about methodology and disclosure? Should internal deliberations be memorialized? Should a company disclose to investors any decision to violate conflicting laws and regulations? Would disclosure be an admission against interest — a signed confession of criminality? What’s the risk that confidential internal records about the decision will become public or be discoverable in a legal or regulatory proceeding?
Problem #5: Does violating conflicting laws and regulations cause certification problems? Compliance programs and outside auditors require officers and others to say whether they know of any illegal conduct. CEOs and CFOs must also certify under Sarbanes-Oxley the accuracy of an issuer’s books and records and robustness of its internal controls. Can anyone make “clean” certifications if they know about decisions to violate conflicting laws and regulations?
As conflicting-law problems become more common, are they likely to be showstoppers? Probably not.
Business is good at solving problems. Maybe standardized “exception sheets” will help. Or lawyers will draft effective this-or-that disclaimers when companies have to pick which conflicting laws to violate. Maybe insurers will offer D&O riders expressly for conflicting-law decisions. Or the SEC will provide relevant safe-harbor guidance.
The possibilities are endless, and so far, mainly untested.
For now, then, we should all step carefully through this compliance minefield.