Sarbanes‑Oxley penalties top $5M, 20 years
- Sarbanes-Oxley’s headline penalties come from different sections: false CEO/CFO certifications can bring up to $5 million and 20 years, while restatements can trigger clawbacks.
- Section 906 is codified at 18 U.S.C. §1350, and Section 304 forces chief executives and chief financial officers to repay bonuses and stock profits.
- The current hook is enforcement, not a new law: the Securities and Exchange Commission is still bringing Sarbanes-Oxley claims. (sec.gov)

Sarbanes-Oxley does not create one single “$5 million, 20 years” penalty. It is a bundle of rules enacted on July 30, 2002 after Enron and WorldCom, and different sections carry different remedies. (congress.gov) (govinfo.gov)

The number most people cite comes from Section 906, now codified at 18 U.S.C. §1350. It requires a public company’s chief executive officer and chief financial officer to certify that periodic reports comply with securities law and fairly present the company’s financial condition. (law.cornell.edu) (uscode.house.gov)

If an officer certifies a report knowing it does not comply, the statute allows a fine of up to $1 million and up to 10 years in prison. If the officer does it willfully, the ceiling rises to $5 million and up to 20 years. (law.cornell.edu)

Another Sarbanes-Oxley provision, Section 304, is about money going back to the company. If an issuer must restate financials because of misconduct, the chief executive officer and chief financial officer can be required to reimburse bonuses, incentive pay, equity compensation, and stock-sale profits from the following 12 months. (law.cornell.edu)

That is the “clawback” piece, and it is separate from the prison term people quote. Section 304 is aimed at repayment, while Section 906 and some record-tampering provisions are criminal statutes. (law.cornell.edu 1) (law.cornell.edu 2)

Record handling is its own danger zone under Sarbanes-Oxley. Section 802 added 18 U.S.C. §1519, which makes knowingly destroying, falsifying, or concealing records to obstruct a federal matter punishable by up to 20 years in prison. (law.cornell.edu)

That is why compliance teams focus so heavily on logs, retention schedules, audit trails, and executive sign-offs. In a Sarbanes-Oxley case, investigators often care as much about what was preserved, altered, or certified as they do about the underlying accounting entry. (govinfo.gov) (law.cornell.edu)

The law is old, but the enforcement theory is not dead. In December 2025, the Securities and Exchange Commission sued former AMMO Inc. executives Fred W. Wagenhals, Robert D. Wiley, and Christopher D. Larson, seeking Section 304 reimbursement, civil penalties, and officer-and-director bars. (sec.gov)

The Securities and Exchange Commission said Wagenhals and Wiley also submitted false certification statements, alongside allegations that they falsified books and records and misled auditors. That makes the case a current example of how Sarbanes-Oxley provisions can be stacked with broader antifraud claims. (sec.gov)

The agency has used Section 304 that way before. In 2009, the Securities and Exchange Commission said its case against former CSK Auto chief executive Maynard Jenkins was the first clawback action against an executive who was not otherwise alleged to have violated securities laws. (sec.gov 1) (sec.gov 2)

So the cleanest explainer is this: Sarbanes-Oxley’s “up to $5 million and 20 years” language is real, but it refers mainly to willful false certifications and some obstruction conduct, not every compliance lapse. The clawback risk is separate, and it can force chief executives and chief financial officers to give back pay even when the headline number comes from another section. (law.cornell.edu 1) (law.cornell.edu 2) (law.cornell.edu 3)