12 July 2011

Do you REALLY want to violate SEC Reg FD?

Violate Reg FD here
Okay, you've just finished your 10-K/10-Q. The final numbers are done, and the auditors have 'blessed' the document. Before the document is filed with the SEC, someone on your team creates an e-mail that attaches the draft 10-K/10-Q and sends it to an anonymous website that promises to let you see what the HTML version will look like. Congratulations, you've probably just breached SEC Reg FD and perhaps a host of other securities laws.

For all you or anyone knows, you've just sent your filing to a competitor, a newspaper, an analyst, a potential investor.

Exactly the same risk applies to the XBRL versions of financial statements that must now be provided by all filers. And indeed that is exactly what a website today suggests you do: upload a copy of your XBRL files, and it will provide you with a viewer to see what your XBRL will look like once it's filed with the SEC.

I tried the site today, using an XBRL document downloaded from the SEC (special thanks to the person who suggested this obvious way to test... so obvious I missed it). I wonder how many other people got to see the XBRL that I uploaded. Thank goodness it was not the XBRL of a real client or filer.

Broc Romanek, Editor of TheCorporateCounsel.net, notes: “If companies are accidentally selectively disclosing their financials, that appears problematic and they could be deemed to be violating Reg FD as well as be considered to have inadequate disclosure and internal controls.”

How innocent, and enticing - XBRL is complex, so to make sure your XBRL will be viewable on the SEC site, just upload it here and you can view it yourself.

But look closely at the site. There are no names, no contact individuals. A WHOIS search comes back with no information. This should raise alarm bells for any IR professional, any CFO or any auditor. Just who will be accessing this information?

Last week, I went to their "Contact Us" page and sent a message asking who they are. I have not received an answer.

The "https" URL is a great red herring. It screams "we are a safe site, we encrypt to and from". But if you have no idea where the data is going, does it matter how safe the transmission is?

In November 2010, after the leaks of Walt Disney and NetApp financials, Dominic Jones of IRWebReport wrote, "IR Web Report’s view is that the recent incidents are due to management at the companies failing to put in place proper disclosure controls and web publishing systems, not because of any inherent weaknesses in website technologies." (emphasis his)

We're now moving into a new world of filing, with the addition of XBRL documents as part of the filing package. These XBRL "instance" documents contain all the information included in the primary financial statements and notes to the financial statements. These documents in XBRL require the same level of protection and control as they did when they were just the financials. Prematurely disclosing the XBRL documents should be conceptually the same as releasing the HTML version of the official filing.

So now imagine finishing your 10-Q, and the XBRL version of that 10-Q. Well, the XBRL certainly does not look like the HTML that you have put so much work into - maybe you should load it into a viewer to see what it will look like, at least to confirm that the numbers and labels and elements are correct.

It would be difficult to come up with a better example of an opportunity to demonstrate poor controls over the release of financial information.

Of course, I do not believe that this is a cynical attempt by a company to gain nonpublic insider information, or to get companies to accidentally violate Reg FD.

I also do not believe that any company that is providing a public service has any reason to do so from behind a mask of secrecy.

1 comment:

  1. Good point Dan. We have a document rendering test running at IRA that can take any filing. But we would not take an unsubmitted pre-Reg FD Exhibit 101 filing supplement unless there was in fact a documented privileged business relationship with that submitter that ensures the test falls well within their internal controls domain.

    Even on our end, such files still need to be isolated from the public data libraries and protected such that only the submitter can see the test results. We would not even push that test file to the public side after EDGAR filing is complete but instead pull the public filing down adhering to a proper and traceable chain of evidence going back to the official SEC EDGAR release point.

    This is the way it's supposed to be to protect the integrity of the financial reporting process. It is incumbent on everyone to realize that this is no longer an experiment. Proper controls are now operative.