Enhanced Conflict of Interest Provisions

SOX Section 402’s enhanced conflict of interest provisions prohibit an issuer from extending, maintaining, or arranging personal loans to any director or executive officer, subject to limited exceptions in the statute. To operationalize it fast, you need a clear “no personal loans” rule, tight controls over treasury/AP/corporate card and expense practices, and an ongoing disclosure-and-attestation process that catches indirect or disguised loans before they post. (Public Law 107-204)

Key takeaways:

  • You must prevent both direct and indirect personal loans to directors and executive officers, not just “new loans.” (Public Law 107-204)
  • Operational risk concentrates in treasury, payroll, expense, corporate cards, relocation, and any “advance” or “receivable from employee” workflows.
  • Build evidence around policy, system controls, approvals, and monitoring that proves loans cannot be initiated or quietly maintained.

“Enhanced Conflict of Interest Provisions” is commonly discussed as a governance topic, but SOX Section 402 is an operational prohibition with sharp edges: “It shall be unlawful for any issuer to extend or maintain personal loans to any director or executive officer.” (Public Law 107-204) For a CCO or GRC lead, the practical job is to make sure the company cannot accidentally create a personal loan through routine processes such as relocation support, retention arrangements, payroll advances, executive perquisites, expense exceptions, corporate card balances, or “temporary” receivables booked to an officer.

Most breakdowns happen because teams define “loan” too narrowly and only look for formal promissory notes. Section 402 also reaches indirect arrangements and “maintenance” of existing loans. (Public Law 107-204) That pushes this requirement into controllership, treasury, payroll, HR operations, and procurement/payment operations, not only legal.

This page gives requirement-level guidance you can implement quickly: scope, control design, evidence to retain, exam/audit friction points, and a phased execution plan you can run with your finance partners. Where helpful, it also notes how tools like Daydream can centralize attestations, exception tracking, and evidence collection across multiple control owners.

Regulatory text

Text (excerpt): “It shall be unlawful for any issuer to extend or maintain personal loans to any director or executive officer.” (Public Law 107-204)

The full provision (Section 402 added Section 13(k) to the Securities Exchange Act of 1934) is broader than this excerpt. It reaches credit extended “directly or indirectly, including through any subsidiary,” arranging for an extension of credit, and renewing one, and it applies to credit “in the form of a personal loan to or for” a director or executive officer (or equivalent). Its only carve-outs are extensions of credit already outstanding on the July 30, 2002 enactment date that have not been materially modified or renewed since, and a short list of ordinary-course consumer, home-improvement, manufactured-home, broker-dealer margin, and insured-depository-institution lending that meets the statutory conditions. Have counsel confirm any reliance on those carve-outs before you treat a balance as exempt. (Public Law 107-204)

What an operator must do:
Translate that single sentence into prevent/detect controls across the full payments and “amounts due from employee” lifecycle:

  1. Prevent “extension”: block creation of any personal loan to a director or executive officer through any workflow (treasury, AP, payroll, corporate card, travel/expense, relocation, executive benefits). (Public Law 107-204)
  2. Prevent “maintenance”: the only legacy arrangement the statute tolerates is an extension of credit that was already outstanding on the July 30, 2002 enactment date and has not been materially modified or renewed since. Anything else that remains outstanding, rolled, renewed, or carried as a receivable requires immediate escalation and a documented remediation path, and a claimed grandfathered loan stays a finding until counsel has confirmed its dates and terms. (Public Law 107-204)
  3. Cover indirect arrangements: treat “arranged” or “indirect” support as in-scope, including credit extended through a subsidiary. Operationally, that means scrutinizing subsidiaries and third parties that might front funds on the issuer’s behalf (for example, relocation providers, travel agencies, card issuers, or other program administrators) where the company could be seen as extending credit or keeping a balance for an executive. (Public Law 107-204)

Plain-English interpretation (what this requirement means)

  • If you are an issuer, you cannot let directors or executive officers borrow from the company for personal purposes. (Public Law 107-204)
  • “Loan” risk includes obvious instruments (notes) and subtle equivalents (open receivables, “advances,” long-dated reimbursements, repayment plans, or paying an executive’s personal obligation and settling later). (Public Law 107-204)
  • “Extend or maintain” means you need controls that stop new loans and also identify and unwind existing ones. (Public Law 107-204)

Who it applies to (entity and operational context)

In scope

  • Entity types: Public companies that are “issuers.” (Public Law 107-204)
  • People: Directors and executive officers. (Public Law 107-204)

Business functions that must participate

This is where you operationalize the prohibition:

  • Treasury: wires, emergency disbursements, ad hoc payments, executive financial arrangements.
  • Accounts Payable / Procurement: payments that could be personal in nature, exceptions to vendor setup, misc payees.
  • Payroll: advances, off-cycle payments, repayment deductions, “gross-ups” that mask personal obligations.
  • Travel & Expense: late substantiation, cash advances, reimbursable vs. personal spend classification.
  • Corporate card administration: delinquency handling, company-paid balances, repayment plans.
  • HR / executive compensation: relocation and retention arrangements, executive perquisites, special programs.
  • Legal / Corporate Secretary: director and officer rosters; onboarding/offboarding; governance approvals and disclosures.
  • Controllership: accounting treatment for receivables and related-party considerations; close reviews that can surface “amounts due from officers.”

What you actually need to do (step-by-step)

1) Define the prohibition in a short, enforceable standard

Write a requirement statement that mirrors the statute and closes common loopholes:

  • Prohibit: the company (and anyone acting on its behalf) from extending, maintaining, or arranging personal loans to directors and executive officers. (Public Law 107-204)
  • Define “personal loan” operationally: any transfer of value with an expectation of repayment or settlement later, including open receivables, advances, repayment plans, or company payment of a personal obligation. (Public Law 107-204)
  • Define covered persons: maintain a controlled list of current directors and executive officers, with effective dates and changes controlled by the corporate secretary or HR. (Public Law 107-204)

Implementation tip: Don’t bury this inside a generic conflicts policy. Publish a short “SOX 402 Executive/Director Personal Loan Prohibition” standard and cross-reference it from travel/expense, payroll, and treasury procedures.

2) Map where a “loan-like” balance could be created

Run a focused process mapping workshop with finance ops:

  • Where can an employee receive cash or value first and settle later?
  • Where can the company pay a third party for something that is arguably personal?
  • Where do you book receivables from employees or officers?

Produce a one-page SOX 402 risk map that lists each workflow, system, and the control owner. This becomes your audit-ready story.

3) Put preventive controls at the point of initiation

Best practice is to block problems before money moves or a receivable is created:

  • Payment controls (treasury/AP): require payee purpose codes and independent approval for any payment where the payee is a director/executive officer or where memo/purpose indicates personal nature. (Public Law 107-204)
  • Vendor/payee master controls: block setup of directors/executive officers as payees unless legal/compliance approval is attached and a business justification exists (for example, reimbursable expenses through controlled channels).
  • Payroll controls: restrict advances and off-cycle payments for covered persons; require compliance sign-off for exceptions; block repayment-plan style deductions that look like loan amortization. (Public Law 107-204)
  • Expense controls: enforce timely substantiation and automatic reclassification/escalation of aged unsubstantiated expenses for covered persons, because “we’ll settle later” can become a de facto extension of credit.
  • Corporate card controls: define whether the company is ever permitted to pay personal card balances for covered persons. If there is any scenario where the company pays and recovers later, treat it as a high-risk pathway and design it out. (Public Law 107-204)

4) Add detective controls that search for disguised or indirect loans

Even with prevention, you need monitoring that finds what slips through:

  • GL/close analytics: query for “due from employee/officer,” “employee receivable,” “advance,” “misc receivable,” and manual journal entries tied to covered persons. Escalate anything that persists beyond normal settlement windows. (Public Law 107-204)
  • AP spend reviews: sample payments with ambiguous descriptions for covered persons and check for repayment expectations.
  • Third party program reviews: review contracts and operating procedures for relocation, travel, and card providers to confirm the program does not create issuer-funded personal credit for covered persons. (Public Law 107-204)
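The close-cycle query described above, written as an added example in Python over an in-memory SQLite ledger; it is not code from the original page or from Daydream. The table and column names, the covered-person roster with effective dates, the loan-like account-name patterns, the 60-day settlement window, and every row of sample data are constructed assumptions to adapt to your own ERP and chart of accounts. It goes slightly beyond the bullet by scoping each item to whether the counterparty was covered on the posting date, not merely whether they are covered today, which is what auditors mean by a roster “tied to the testing population.”

```python
"""Close-cycle detective query for SOX 402 exposure (added example).

Joins open general-ledger items to a covered-person roster (directors and
executive officers, with effective dates) and flags loan-like balances that
have aged past the settlement window or were created by manual journal
entries. Schema, account patterns, the window and all rows below are
constructed assumptions, not real ledger data.
"""
import sqlite3

# Constructed roster: effective dates let the query scope by "covered on the
# posting date" instead of "covered today".
COVERED_PERSONS = [
    # person_id, name, role, effective_from, effective_to (None = still covered)
    ("E100", "A. Chen", "Chief Financial Officer", "2023-01-01", None),
    ("E200", "B. Ortiz", "Director", "2022-06-01", "2024-03-31"),
]

# Constructed open items as they might sit in a GL sub-ledger at month end.
GL_OPEN_ITEMS = [
    # doc_id, account_name, counterparty_id, amount_open, posted_on, manual_je
    ("JE-1", "Due from employees", "E100", 25000.00, "2024-04-02", 1),        # aged + manual
    ("JE-2", "Travel advances", "E100", 1200.00, "2024-06-20", 0),            # inside window
    ("JE-3", "Misc receivable", "E200", 8000.00, "2024-05-10", 1),            # posted after offboarding
    ("JE-4", "Employee receivable", "E300", 5000.00, "2024-02-01", 0),        # not a covered person
    ("JE-5", "Accounts receivable - trade", "E100", 9000.00, "2024-01-15", 0),  # not loan-like
    ("JE-6", "Payroll advances", "E100", 3000.00, "2024-03-15", 0),           # aged, system-posted
]

# Account-name patterns treated as loan-like (assumed chart of accounts).
LOAN_LIKE_ACCOUNT_PATTERNS = ("%due from%", "%advance%", "%employee receivable%", "%misc receivable%")


def load_sample_db() -> sqlite3.Connection:
    """Build an in-memory ledger containing the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE covered_persons (
            person_id TEXT, name TEXT, role TEXT, effective_from TEXT, effective_to TEXT);
        CREATE TABLE gl_open_items (
            doc_id TEXT, account_name TEXT, counterparty_id TEXT,
            amount_open REAL, posted_on TEXT, manual_je INTEGER);
        """
    )
    conn.executemany("INSERT INTO covered_persons VALUES (?,?,?,?,?)", COVERED_PERSONS)
    conn.executemany("INSERT INTO gl_open_items VALUES (?,?,?,?,?,?)", GL_OPEN_ITEMS)
    return conn


def find_sox402_exposures(conn: sqlite3.Connection, as_of: str,
                          settlement_window_days: int = 60) -> list[dict]:
    """Return open loan-like items for covered persons that need escalation.

    An item is reported when it was posted while the counterparty was a covered
    person and either (a) it has been open longer than the settlement window
    ("maintenance" risk) or (b) it was created by a manual journal entry.
    Dates are ISO strings, so string comparison and julianday() both work.
    """
    pattern_sql = " OR ".join("lower(g.account_name) LIKE ?" for _ in LOAN_LIKE_ACCOUNT_PATTERNS)
    sql = f"""
        WITH matched AS (
            SELECT g.doc_id, g.account_name, p.name AS person, p.role,
                   g.amount_open, g.posted_on, g.manual_je,
                   CAST(julianday(?) - julianday(g.posted_on) AS INTEGER) AS days_open
            FROM gl_open_items g
            JOIN covered_persons p
              ON p.person_id = g.counterparty_id
             AND g.posted_on >= p.effective_from
             AND (p.effective_to IS NULL OR g.posted_on <= p.effective_to)
            WHERE {pattern_sql}
        )
        SELECT * FROM matched
        WHERE days_open > ? OR manual_je = 1
        ORDER BY days_open DESC
    """
    # Parameters bind in textual order: as_of, the LIKE patterns, then the window.
    params = [as_of, *LOAN_LIKE_ACCOUNT_PATTERNS, settlement_window_days]
    conn.row_factory = sqlite3.Row
    findings = []
    for row in conn.execute(sql, params):
        reasons = []
        if row["days_open"] > settlement_window_days:
            reasons.append(f"open {row['days_open']} days, past the {settlement_window_days}-day window")
        if row["manual_je"]:
            reasons.append("created by manual journal entry")
        findings.append({
            "doc_id": row["doc_id"], "account": row["account_name"], "person": row["person"],
            "role": row["role"], "amount_open": row["amount_open"],
            "days_open": row["days_open"], "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in find_sox402_exposures(load_sample_db(), as_of="2024-06-30"):
        print(f["doc_id"], f["person"], f["account"], f["amount_open"], "; ".join(f["reasons"]))
```

Run against the constructed data with a June 30, 2024 close and a 60-day window, the query reports JE-6 (aged payroll advance) and JE-1 (aged and manually posted), and ignores the in-window travel advance, the trade receivable, the non-covered employee, and the item posted after the director left the board. That last exclusion is a design choice driven by the roster’s effective dates; if your policy wants a tail period after offboarding, extend effective_to rather than changing the join. In a real close, point the same query at the ERP’s open-item tables and feed the findings into the exception intake described in step 5.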

5) Establish an exception-handling and escalation path

SOX 402 is framed as “unlawful” in the statutory excerpt, so you need a serious escalation path. (Public Law 107-204)

Minimum elements:

  • Single intake for suspected issues (compliance mailbox or case system).
  • Triage decision tree: Is this a personal loan? Is the person covered? Is the balance still outstanding (maintenance risk)? (Public Law 107-204)
  • Documented remediation actions: reverse payment if possible, convert to compliant reimbursement mechanics if appropriate, ensure settlement, and record root cause fixes.

Daydream can help here by centralizing attestations, exception intake, evidence requests to finance owners, and a single control-to-evidence record you can hand to internal audit without rework.

6) Train the people who can accidentally create a loan

Skip broad employee training. Target the roles that touch money movement and executive arrangements:

  • AP, treasury, payroll leads, expense admins, HR executive compensation, and the corporate secretary team.

Training should include examples of “loan-like” scenarios and the escalation route.

Required evidence and artifacts to retain

Build an audit packet that proves you can prevent and detect prohibited loans:

  1. Policy/standard: SOX 402 personal loan prohibition, scope definitions, and exception philosophy aligned to the statute’s limited exceptions language (keep your text precise and reviewed by counsel). (Public Law 107-204)
  2. Roster control: controlled list of directors and executive officers, with update logs and owner accountability. (Public Law 107-204)
  3. Process map + control matrix: each workflow, control, frequency/trigger, owner, and evidence produced.
  4. System configurations: screenshots/config exports showing blocks, approval routing, and role restrictions.
  5. Monitoring outputs: GL queries, exception reports, investigations, and resolution notes.
  6. Third party documentation: contracts/SOWs and program descriptions for relocation, corporate card, or travel providers, plus your assessment of whether the arrangement could create an issuer-funded personal loan.
  7. Attestations: periodic sign-offs from control owners (treasury/AP/payroll/expense) that no prohibited loans were extended or maintained, and that monitoring was performed.

Common exam/audit questions and hangups

Expect internal audit, external audit, or SOX program teams to ask:

  • “Show me how you know no loans exist today.” You need GL evidence and a covered-person roster tied to the testing population. (Public Law 107-204)
  • “How do you prevent indirect loans?” Auditors look for third party program analysis and payment workflow controls, not just a policy statement. (Public Law 107-204)
  • “What counts as a loan in your environment?” If your definition is vague, testing becomes argumentative. Put concrete examples in procedures.
  • “What happens when an executive can’t substantiate expenses?” If you allow extended settlement, you may create “maintenance” risk. (Public Law 107-204)

Frequent implementation mistakes (and how to avoid them)

  1. Mistake: Treating this as an annual disclosure question only.
    Fix: Place controls in AP/treasury/payroll/expense where transactions originate.

  2. Mistake: Only blocking “new loans,” ignoring “maintenance.”
    Fix: Add monthly close queries for officer/director receivables and require documented resolution. (Public Law 107-204)

  3. Mistake: Forgetting third parties can create credit-like structures.
    Fix: Review relocation and corporate card program terms and how balances are handled for covered persons. (Public Law 107-204)

  4. Mistake: No single owner for the covered-person list.
    Fix: Corporate secretary (or HR for officers) owns the roster; changes feed finance systems.

  5. Mistake: Allowing “temporary” executive exceptions without documentation.
    Fix: Require compliance/legal pre-approval and a documented path that avoids any expectation of repayment to the issuer.

Enforcement context and risk implications

The statutory excerpt uses “unlawful,” which signals regulator sensitivity and raises the stakes for weak controls. (Public Law 107-204) Practically, failures create:

  • Legal/compliance risk from prohibited arrangements. (Public Law 107-204)
  • Financial reporting risk if receivables or repayments are misclassified or hidden in misc accounts.
  • Governance risk because loans to executives/directors are a classic related-party concern.

Practical execution plan (30/60/90-day)

Here is an operator plan you can run quickly, without waiting for a multi-quarter program.

First 30 days (stabilize and find exposure)

  • Assign an executive owner (often controller or chief accounting officer) and a compliance owner (CCO/GRC).
  • Publish an interim SOX 402 prohibition notice to treasury/AP/payroll/expense/HR exec comp. (Public Law 107-204)
  • Build the covered-person roster and distribute it to control owners. (Public Law 107-204)
  • Run targeted GL queries for officer/director receivables and “advance” accounts; open investigations for any hits.
  • Identify third party programs (relocation, card, travel) that could create loan-like balances for covered persons.

Next 60 days (implement controls and evidence)

  • Finalize the SOX 402 standard and embed cross-references into expense, payroll, treasury procedures. (Public Law 107-204)
  • Implement system/workflow controls: approval routing, payee blocks, exception flags.
  • Stand up monthly monitoring tied to the close and a documented escalation workflow.
  • Create your audit packet structure and start storing evidence consistently (Daydream can act as the evidence hub and attestation tracker).

By 90 days (operate, test, and harden)

  • Perform a control self-test: sample transactions involving covered persons, confirm controls fired, confirm monitoring detects anomalies.
  • Formalize training for the small set of operators who can create a prohibited arrangement.
  • Review third party contracts and operating procedures; document your conclusions and any program changes needed. (Public Law 107-204)
  • Set ongoing governance: quarterly review of roster changes, monitoring outcomes, and exception trends.

Frequently Asked Questions

Does SOX Section 402 only prohibit new loans, or does it also cover existing balances?

The excerpt prohibits an issuer from “extend[ing] or maintain[ing]” personal loans to directors or executive officers, so you need to prevent new loans and also identify and resolve any outstanding ones. (Public Law 107-204)

What are the most common operational places a “personal loan” shows up?

Payroll advances, off-cycle payments with repayment expectations, long-outstanding expense items, corporate card balances paid by the company with later recovery, and employee receivable accounts are common pathways. You control these through workflow restrictions and close-based monitoring.

If a third party (like a relocation provider) fronts funds, can that still be a SOX 402 problem?

It can be, depending on whether the issuer is effectively extending, arranging, or maintaining personal credit for a covered person through the program structure. Review program terms and settlement mechanics with legal/compliance against the statutory prohibition. (Public Law 107-204)

How do we prove compliance to auditors without drowning in paperwork?

Keep a tight evidence set: the covered-person roster, the written prohibition standard, system control screenshots, monthly monitoring reports, and documented resolution of any exceptions. Centralizing attestations and evidence requests in Daydream reduces back-and-forth during testing.

Can we allow an exception if the executive repays quickly?

The statute’s excerpt frames the conduct as unlawful, so treat “repayment later” structures as high risk and route any edge case to legal/compliance before money moves. Design workflows that avoid creating a receivable or repayment expectation for covered persons. (Public Law 107-204)

Who should own this requirement day-to-day?

Compliance or GRC should own the requirement and oversight, while controllership/treasury and payroll/expense owners run the controls. Clear ownership matters because most failures are process failures, not policy failures.

Authoritative Sources

  • Public Law 107-204, Sarbanes-Oxley Act of 2002, Section 402 (Enhanced Conflict of Interest Provisions), codified as Section 13(k) of the Securities Exchange Act of 1934, 15 U.S.C. § 78m(k).
