Increased Criminal Penalties Under Securities Exchange Act

SOX Section 1106 increases the criminal exposure for willful violations of the Securities Exchange Act, so your job is to treat “willful” conduct risk as an operational control problem: tighten governance, documentation, escalation, and reporting integrity around securities-law obligations. Operationalize it by mapping high-risk activities, assigning accountable owners, and proving training, supervision, and investigative discipline. 1

Key takeaways:

  • SOX Section 1106 is a penalty escalator; it changes your risk calculus and control rigor for Exchange Act compliance. 1
  • Focus on preventing, detecting, and remediating “willful” misconduct through clear ownership, approvals, documentation, and escalation. 1
  • Build evidence that shows intent to comply: training, certifications, surveillance, investigations, and corrective actions tied to reporting and disclosure processes. 1

SOX Section 1106 does not read like a traditional “you must do X” control requirement. It raises the criminal penalties available for willful violations under the Securities Exchange Act of 1934, increasing personal and corporate downside if misconduct is proven willful. 1 For a CCO or GRC lead, the operational objective is straightforward: reduce the probability that any Exchange Act violation occurs, and reduce the probability that any violation can be characterized as willful due to poor governance, ignored red flags, weak supervision, or sloppy documentation.

That translates into execution work in a few places: (1) identify where your organization touches Exchange Act obligations (disclosure controls, financial reporting, insider trading controls, books and records, communications with investors, and interactions with auditors); (2) harden decision-making and escalation paths; (3) document training and certifications for officers, directors, and employees in sensitive roles; and (4) run a defensible compliance program that produces contemporaneous evidence.

This page gives requirement-level guidance you can implement quickly, with step-by-step actions, evidence to retain, and common audit/exam friction points, all anchored to the statutory change in SOX Section 1106. 1

Regulatory text

Summary of the statutory change (Section 1106 amends Section 32(a) of the Securities Exchange Act of 1934, the criminal penalty provision): “Increases maximum individual fine to $5M and imprisonment to 20 years; entity fines to $25M for willful violations.” 1 Before the amendment, the maximums were $1M and 10 years for individuals and $2.5M for entities. Note that this is a paraphrase of the penalty change, not the verbatim statutory text.

What it means for operators: SOX Section 1106 increases the maximum criminal penalties tied to willful violations under the Securities Exchange Act. 1 The operational requirement is to maintain a compliance and controls environment that prevents Exchange Act violations and demonstrates good-faith compliance conduct if issues arise (clear policies, training, supervision, escalation, investigations, and remediation). 1

Plain-English interpretation

  • Penalties are higher when a securities-law violation is willful, so you must treat “willfulness risk” as something your controls can increase or reduce. 1
  • Prosecutors and regulators evaluate facts like ignored warnings, weak oversight, misleading disclosures, backdated documentation, and failure to correct known control problems when arguing intent. Your program should make those narratives hard to support. 1

Who it applies to

Entity scope

  • Public companies (issuers) subject to Exchange Act obligations and related disclosure/reporting duties. 1

Individual scope

  • Officers and directors with oversight, certification, disclosure, reporting, and governance responsibilities. 1

Operational contexts where this becomes “real”

Prioritize control rigor where Exchange Act exposure concentrates:

  • Financial reporting close, disclosure committee processes, and earnings release workflows.
  • Books and records practices and supporting documentation for key judgments.
  • Insider trading compliance (pre-clearance, restricted lists, blackout periods) where applicable to your program design.
  • Market-facing communications (IR scripts, investor decks, guidance language).
  • Auditor interactions, audit committee reporting, and issue tracking.

SOX Section 1106 itself is a penalty change, but it effectively raises the stakes for weak execution across these processes. 1

What you actually need to do (step-by-step)

1) Define the “Exchange Act compliance perimeter”

Create a short inventory that answers:

  • Which teams create, review, approve, or disseminate investor-facing information?
  • Which systems produce financial reporting inputs?
  • Which committees exist (disclosure committee, audit committee support, valuation committee)?
  • Which third parties influence reporting or disclosures (external auditors, valuation firms, IR agencies, consultants)?

Output: an Exchange Act obligation map that names process owners and approvers.

2) Assign accountable owners and escalation paths

Operationalize accountability in writing:

  • Name an executive owner for disclosure controls and financial reporting integrity.
  • Document escalation triggers (material errors, whistleblower allegations, audit findings, suspected misconduct, significant control deficiencies).
  • Define who decides: stop-the-line authority for questionable disclosures, accounting positions, or market statements.

Practical note: “Escalation exists” is not enough. Auditors and regulators look for evidence that escalation is used, tracked, and resolved.

3) Tighten policies that reduce “willfulness narratives”

Review and refresh policies that commonly appear in enforcement fact patterns:

  • Code of conduct and reporting obligations.
  • Financial reporting and disclosure controls policy (who can approve what, what must be documented).
  • Records retention and legal hold procedures.
  • Whistleblower intake and non-retaliation commitments.
  • Investigations protocol (triage, privilege strategy, evidence handling, remediation governance).

Keep language specific: who does what, when, and where records live.

4) Build a “red flags to resolution” workflow

Set a single operating rhythm for issues:

  • Intake: hotline, audit findings, management reports, third-party complaints.
  • Triage: severity, scope, potential disclosure implications.
  • Assignment: independent investigator, business owner, Legal/Compliance oversight.
  • Containment: access changes, trading restrictions, preservation steps (legal hold notices, retention of relevant mailboxes, system logs, and working files before anyone can alter or delete them).
  • Resolution: root cause, corrective action plan, discipline, control updates.
  • Closure: documented decision, approvals, and validation.

This workflow is your primary defense against allegations that leadership ignored warning signs. 1

5) Train the right populations and capture proof

Training should be role-based:

  • Officers/directors: disclosure oversight, escalation expectations, documentation discipline.
  • Finance/accounting: books and records, judgment documentation, close controls.
  • IR/Comms: approved messaging, forward-looking statement controls, rumor response.
  • All employees: reporting concerns, non-retaliation, records integrity.

Evidence matters more than slides. Keep rosters, attestations, and completion follow-up.

6) Stress-test disclosures and close processes

Run periodic internal reviews focused on intent-risk:

  • Are key judgments supported contemporaneously?
  • Do reviewers ask hard questions, and are the questions logged?
  • Are late changes tracked with rationale and approval?
  • Do you have a clean record of what leadership knew and when?

Where practical, sample high-risk disclosures (earnings, non-GAAP metrics narratives, risk factor changes) and verify support.

7) Manage third parties that touch reporting or disclosures

For third parties supporting financial reporting, valuation, IR, or compliance operations:

  • Contractual expectations for accuracy, recordkeeping, confidentiality, cooperation, and audit rights.
  • Onboarding diligence proportional to impact (credentials, independence, prior issues, delivery controls).
  • Ongoing oversight: performance review, exception handling, documented approvals.

Third-party failures can still create issuer liability and can amplify intent narratives if oversight is weak.

Required evidence and artifacts to retain

Maintain an evidence set that demonstrates governance, supervision, and good faith:

  • Disclosure controls and procedures documentation (owners, committee charters, approval matrices).
  • Meeting minutes and decision logs for disclosure-related committees.
  • Support files for key accounting judgments and disclosure changes (memos, calculations, source data).
  • Training content, assignments by role, completion records, attestations, and remediation for non-completion.
  • Incident/issue register: intake, triage notes, investigation plan, outcome, corrective actions, sign-offs.
  • Records retention schedule, legal hold notices, and confirmation of preservation steps.
  • Third-party contracts and oversight records for parties impacting disclosures/reporting.

Design your retention so you can reconstruct what happened without relying on oral history. Store these artifacts where edits and deletions are logged and time-stamped; an approval or memo that can be silently rewritten after the fact is weak evidence, and a record whose history shows it was changed late without a logged rationale supports exactly the backdating narrative you are trying to avoid.

Common exam/audit questions and hangups

Expect pushback in these areas:

  • “Show me how issues are escalated.” They will want specific examples, not a policy excerpt.
  • “How do you control last-minute disclosure changes?” Weak version control and unclear approvals create avoidable risk.
  • “How do you ensure accountability for certifications and sign-offs?” Missing attestations or unclear ownership reads as weak supervision.
  • “Where’s the evidence that the disclosure committee challenges management?” Minutes that only record attendance look performative.
  • “How do you manage third parties that draft or influence market communications?” If an agency writes content, your approvals must be explicit and archived.

Frequent implementation mistakes (and how to avoid them)

  1. Treating SOX Section 1106 as “just legal.”
    Fix: translate penalty risk into controls and evidence around Exchange Act-touching workflows. 1

  2. Over-indexing on policies, under-investing in records.
    Fix: require decision logs, version control, and documented rationale for sensitive judgments.

  3. No defined “stop-the-line” authority.
    Fix: assign authority to pause releases or filings pending review, and document its use.

  4. Inconsistent investigations.
    Fix: standardize triage, scoping, and closure steps; track remediation to completion.

  5. Third parties treated as outside the perimeter.
    Fix: include third parties in the disclosure/reporting risk map and oversight plan.

Enforcement context and risk implications

SOX Section 1106 raises maximum criminal penalties for willful Exchange Act violations, increasing personal and corporate downside where intent can be proven. 1 That changes how you should prioritize:

  • Rapid escalation and containment of potential misstatements.
  • Documentation discipline (what was reviewed, by whom, and what questions were asked).
  • Remediation speed and completeness when control gaps emerge.

A practical framing for leadership: higher penalties increase the cost of “grey area” behavior and informal governance, even if the underlying business pressure feels routine. 1

Practical phased execution plan

The phases below map roughly to a 30/60/90-day cadence, but sequence them by readiness rather than by day counts.

Immediate phase (stabilize governance)

  • Build the Exchange Act compliance perimeter map (processes, owners, third parties).
  • Confirm escalation triggers and stop-the-line authority in writing.
  • Centralize where disclosure support and approvals are stored.

Near-term phase (prove repeatability)

  • Implement the red flags to resolution workflow and issue register.
  • Refresh role-based training and launch attestations for high-risk roles.
  • Run a tabletop exercise: suspected misstatement discovery close to a filing or earnings event.

Ongoing phase (make it exam-ready)

  • Periodically sample disclosures and accounting judgments for support quality.
  • Track corrective actions to closure with management reporting.
  • Review third-party oversight for any party touching reporting, disclosures, or investor communications.

Where Daydream fits

If you are coordinating evidence across Legal, Finance, Internal Audit, and third parties, Daydream can act as a single system of record for control ownership, issue tracking, and audit-ready evidence collection. Use it to tie each disclosure control to an owner, a testing cadence, and the artifacts you need to defend good-faith execution. 1

Frequently Asked Questions

Does SOX Section 1106 create new controls I must implement?

It increases criminal penalties for willful Exchange Act violations, so it raises the standard of operational discipline you should apply to existing disclosure, reporting, and escalation controls. Your controls should reduce the chance of a violation and reduce the chance it can be framed as willful. 1

What does “willful” mean for a compliance program in practice?

Treat willfulness risk as “ignored red flags, weak supervision, or deceptive documentation.” Your program should force escalation, create contemporaneous records, and show that leadership responded appropriately to issues. 1

Which teams should I prioritize first?

Start with Finance/accounting, Legal, IR/Comms, and the executive owners involved in disclosure oversight. Include third parties that draft, calculate, or otherwise influence disclosures or reporting inputs. 1

What evidence is most persuasive in an investigation or exam?

Decision records, version-controlled support for key judgments, documented escalation and remediation, and training/attestation proof for accountable roles. Regulators and prosecutors focus on what people knew, when they knew it, and what they did next. 1

How do I handle last-minute disclosure changes without slowing the business?

Predefine what qualifies as “sensitive” and require a tracked approval and rationale for those changes. Put templates and storage paths in place so documentation happens during the work, not after. 1

We outsource parts of financial reporting support. How does that affect this requirement?

Outsourcing does not remove issuer accountability, and weak oversight can worsen intent narratives. Contract for cooperation and audit rights, set approval boundaries, and retain the evidence trail for third-party work products used in disclosures or reporting. 1

Footnotes

  1. Public Law 107-204

