In a new article, we focus on the Securities and Exchange Commission’s enforcement of the CEO and CFO certification requirement pursuant to the Sarbanes-Oxley Act (SOX). The article analyzes the appropriate interpretation of the statute’s reach, the SEC enforcement proceedings instituted for alleged violation of this provision, and the statute’s failure to meet its legislative objectives.

 SOX was enacted in response to the massive corporate frauds that were perpetrated by such companies as Enron, Global Crossings, Tyco, and Worldcom.  The legislation, in effect, federalized substantial aspects of corporation law that previously were within the sole province of state company law.  One key component of this legislation was Section 302, which seeks to deter fraud and encourage chief executive officers (CEOs) and chief financial officers (CFOs) to exercise adequate diligence with respect to their respective company’s periodic filings with the SEC. The SEC subsequently adopted Rule 13a-14 to implement the statute.

One could have reasonably expected that false CEO and CFO certifications under Section 302 would become a valuable SEC enforcement weapon. In over two decades, however, the Commission has not substantively pursued alleged violations of Section 302 in a manner that a securities regulator should.  As the empirical data generated by our study proves, the overwhelming majority of actions alleging noncompliance with the certification requirement have named CEOs and CFOs of smaller publicly held companies. Moreover, nearly all of these SEC enforcement actions alleging deficient disclosure by publicly held companies have only tangentially implicated Section 302. Instead, the SEC has focused on allegedly fraudulent conduct under Section 10(b) of the Securities Exchange Act. In other words, the SOX false certification claim is often simply an add-on to SEC enforcement actions that address allegedly fraudulent conduct by publicly held companies and their insiders.

The scope of Section 302 and Rule 13a-14 encompasses both negligent and intentional conduct by CEOs and CFOs, leaving the SEC low hanging fruit. Yet, the Commission ordinarily abstains from utilizing this attractive resource, and its record does not merit kudos. Consider that, during fiscal year 2023, the SEC filed 784 total enforcement actions and, during fiscal year 2024, 583 total enforcement actions.  By contrast, from 2020–2024, the Commission brought fewer than two dozen enforcement actions against CEOs and CFOs alleging a violation of Rule 13a-14.

The SEC’s abstention from faithfully enforcing Rule 13a-14 is a deliberate policy choice. Notably, this approach is consistent with other SEC practices that largely refrain from holding high-level executives of large cap publicly held companies responsible for their neglect. As addressed by one of the authors in one of his books, this inaction also is shown by the Commission’s refusal to invoke the control person provision of Section 20(a) of the Securities Exchange Act against corporate executives. See Marc I. Steinberg, Rethinking Securities Law 276–292 (Oxford University Press 2021).

Accordingly, in both SEC judicial and administrative proceedings, claims based on alleged violation of the Rule 13a-14 CEO and CFO certification requirement are instituted as a supplement to fraud or aiding and abetting claims that require proof of wrongful conduct. The empirical data shows how the CEO and CFO certification mandate has little, if any, substantive impact on the initiation and resolution of SEC enforcement actions.

From the empirical data, several additional findings come to light. First, to date, the SEC has not brought a single standalone Rule 13a-14 enforcement proceeding based on a CEO’s or CFO’s alleged negligence with respect to the SOX certification requirement. Second, the Commission apparently has brought only one standalone Rule 13a-14 enforcement action alleging knowing misconduct since the rule’s promulgation over 20 years ago. Third, although the Commission has settled many Rule 13a-14 claims in both administrative and judicial actions premised on a CEO’s or CFO’s alleged negligent conduct pursuant to the consent negotiation process, a Section 10(b) fraud claim will follow if litigation ensues. Fourth, with over two decades of data regarding Rule 13a-14 enforcement, the SEC generally has declined to faithfully implement its enforcement obligations under the SOX certification mandate. Fifth, when the Commission chooses to utilize Rule 13a-14, the targets normally are CEOs and CFOs of micro-cap or small-cap publicly traded companies.

Perhaps at some point the Commission will adequately enforce the SOX certification requirement (as implemented by Rule 13a-14). If it does so in an even-handed manner with respect to both smaller and larger publicly traded corporations and their executive officers, the accuracy of SEC periodic reports should be enhanced. Nonetheless, the SEC’s inaction to faithfully abide by Congress’s statutory directive regarding the SOX certification requirement bodes ill for the future, effective implementation of this important provision. The consequence is that the investing public and the integrity of the securities markets will continue to be harmed.

Our article is the first work to analyze the SOX CEO and CFO certification requirement from the perspective of SEC enforcement practice. Through the use of strong empirical data, the article unveils the Commission’s lack of zeal with respect to its enforcement of this important statute and implementing rule. The upshot is that current SEC enforcement policies signify that the SOX certification mandate as envisioned by Congress likely will continue its path as a mission unaccomplished.

This post come to us from Marc I. Steinberg, the Radford Professor of Law at the SMU Dedman School of Law, and A.B. Steinberg, a May 2025 J.D. candidate at the SMU Dedman School of Law. It is based on their new article, “Unflexed Muscle: SEC Enforcement and Officer SOX 302 Certifications,” forthcoming in the University of Miami Law Review and available here.