Cringley's got a great column about some possibly dangerous uses of our regulatory law:
Here's an example of how it will work. Imagine your bank is a medium-sized publicly traded bank headquartered in the U.S. Midwest with a national charter (that is, regulated by federal, rather than state, banking authorities). Now imagine your bank is not in compliance with Section 404 of Sarbanes-Oxley. Section 404 requires, as part of the regular audit process, that the bank's accounting firm (generally one of the Big 4) certify whether or not the bank is Section 404-compliant. Accounting firms, having paid billions in penalties recently for overlooking accounting errors at companies like Enron and Tyco, aren't going to be lax about this provision. If the bank isn't Section 404-compliant, which means they haven't applied sufficient internal controls to data, the auditors will report that.
Now what?
Well, if your bank isn't in compliance (many won't be), they'll have to very quickly get in compliance. They'll also have to pay a fine and perhaps one or more officers of the bank will do some time in prison. Really.
But there is a funny thing about banks, and that's the way they are regulated and controlled, which makes possible a very different outcome in the case of a Section 404 violation. Technically, the bank can't even continue to operate, because the legal definition of a bank is as a compliant organization. So a very real possibility is that your bank will be forced to merge with another bank that IS in compliance.
That's the new scam. Big banks with sophisticated IT operations are going to appear at the doors of smaller, less sophisticated, banks literally demanding the keys. They'll take over the building, the tellers, and of course the deposits for a price tag that may well be zero.
That's a heck of a deal for everyone except the bank's current shareholders.