The U.S. Securities and Exchange Commission’s focus on cybersecurity continues in its most recent effort to modernize financial privacy rules and emphasize transparency between SEC-regulated entities that suffer a cyber breach and the individuals impacted by the breach. The SEC’s latest proposals focus on registrants including broker-dealers, investment advisors, and investment companies, and seek to impose cyber breach disclosure requirements similar to those the SEC previously proposed for public companies.

On March 15, 2023, the SEC proposed amendments to current data privacy rules that would require covered firms to adopt written policies and procedures for incident response programs. Under the proposed amendments, such policies and procedures must address unauthorized access to or use of customer information, including procedures for providing timely notification to individuals affected by an incident involving sensitive customer information with details about the incident and information designed to help affected individuals respond appropriately. The proposed changes would come through amendments to rules under Regulation S-P.

Regulation S-P currently requires covered registrants to notify customers about how they use their financial information, but it does not require them to notify customers about breaches. The proposed amendments would also ensure that breaches are properly identified, and that sensitive customer data is monitored to determine whether it was accessed.

In announcing the proposed amendments, Chairman Gensler explained that investors would benefit from a financial privacy rule “more modern than the AOL era.”

Continue Reading Highlighting Enforcement Focus on Cybersecurity, SEC Proposes New Disclosure & Incident Response Rules

Just this week, the Securities and Exchange Commission announced its enforcement results from fiscal year 2022. The Commission recovered a record $6.4 billion in penalties and disgorgement from companies and individuals. The announcement touted the 760 total enforcement actions in FY 2022—a nine percent increase from the year before—and summarized areas of innovation and growth within the Enforcement Division. Two such areas are familiar refrains that are worth highlighting: (1) the SEC leveraging its investigative process—emphasizing its use of data analytics—to identify suspicious activity; and (2) its penalties against “gatekeepers” (i.e., individuals and companies who owe a heightened duty of trust and responsibility to clients and investors).

Continue Reading Play it again, SEC: Two Familiar Refrains from the FY 2022 Enforcement Results

On September 27, 2022, the United States Securities and Exchange Commission (SEC) announced a settlement with Oracle Corporation (Oracle) to resolve allegations that its subsidiaries in India, Turkey, and the United Arab Emirates violated the Foreign Corrupt Practices Act (FCPA) by creating off-the-books slush funds and using those slush funds to bribe foreign government officials.

Without admitting or denying the SEC’s findings, Oracle agreed to cease and desist from violating the anti-bribery, books and records, and accounting provisions of the FCPA and to pay approximately $8 million in disgorgement and a $15 million penalty.

Notably for both attorneys and companies, the SEC’s order provides insights into how to design an effective corporate compliance program to minimize legal risk, including FCPA risk.

The SEC’s Findings

The SEC found that, from at least 2014 to 2019, Oracle’s subsidiaries in India, Turkey, and the United Arab Emirates “used discount schemes and sham marketing reimbursement payments” to finance slush funds, which were held by Oracle’s “channel partners” (i.e., distributors and resellers) in those markets. The subsidiaries transacted through these channel partners during the relevant period under Oracle’s indirect sales model, by which channel partners sell Oracle products to end customers. According to the SEC, the subsidiaries and the complicit channel partners used the slush funds—which employees of the subsidiaries referred to as the “buffer,” “moneybox,” “pool,” and “wallet”—to bribe government officials in return for business. Specifically, the SEC determined that, among other things, (i) employees of Oracle Turkey and Oracle UAE used slush funds to pay for travel for government officials, including to Oracle’s annual technology conference in California; (ii) an Oracle Turkey employee directed cash bribes to government officials; (iii) an Oracle UAE employee paid approximately $130,000 in bribes to the chief technology officer of a state-owned entity (SOE) in return for six contracts in 2018 and 2019; (iv) Oracle India employees funneled $330,000 to an entity known for paying government officials; and (v) an Oracle India employee maintained a spreadsheet indicating that $67,000 was available to make payments to a government official.

Continue Reading Key Compliance Takeaways from Oracle’s $23M FCPA Settlement with the SEC

The U.S. Securities and Exchange Commission (SEC) is putting some muscle behind Regulation Best Interest (Reg BI). On June 16, 2022, nearly two years after Reg BI went into effect, the SEC filed its first federal lawsuit to enforce the rule against a broker-dealer and its registered representatives.

The SEC sued Western International Securities, Inc. (Western), a dually registered broker-dealer and investment advisor, along with five of its registered representatives, in the U.S. District Court for the Central District of California for allegedly violating Reg BI’s care obligation; the defendants allegedly recommended certain high-risk, speculative bonds to retail customers without themselves fully understanding the associated asset risks and without establishing how the investments served the customers’ best interests. The SEC also charged Western with violating its compliance obligation under Reg BI for allegedly failing to maintain adequate policies and procedures and other controls.

The fact that the SEC sued registered representatives — notwithstanding allegations that their firm had inadequate internal controls and policies — is a strong statement that individuals must use their best judgment to make their own independent inquiries and determinations about the products they recommend to their clients. Registered representatives cannot hide behind their firm’s guidance and control failures to escape primary liability under Reg BI.

Continue Reading SEC’s First Reg BI Lawsuit Takes Strong Position on Individual Liability

Recent briefing in SEC v. Team Resources, Inc., a long-running case challenging a U.S. Securities and Exchange Commission (“SEC”) disgorgement award, is a reminder of both the significance of the Supreme Court’s 2020 decision in Liu v. SEC and the open questions that remain regarding the SEC’s disgorgement remedy.

Continue Reading SEC v. Team Resources, Inc.: Exploring SEC Disgorgement Post-Liu

Fiscal Year (FY) 2021 was a record-breaking year for the U.S. Securities and Exchange Commission’s (SEC’s) Office of the Whistleblower. Between October 1, 2020 and September 30, 2021, the SEC issued awards to more whistleblowers, and distributed more money in whistleblower funds, than in all prior years of the program combined. Now, just a few months into FY 2022 and two weeks into calendar year 2022, all signs point to a continued robust whistleblower program.

Continue Reading SEC Awards Over $17 Million to Whistleblowers in the First Two Weeks of 2022

In Audet v. Fraser, an unusual case where federal jurors in a class action lawsuit considered whether digital assets known as “Hashlets” constitute securities, the District of Connecticut jury found that the Hashlets were not securities, and therefore the defendant was not liable for securities fraud. Notably, the SEC took a contrary position on Hashlets in 2015, when it sued GAW Miners, LLC, its founder Homero Joshua Garza, and another company founded by Garza for securities fraud, alleging that Hashlets were, in fact, securities. Both companies were permanently enjoined from violating securities laws and ordered to disgorge more than $10 million, and each was ordered to pay a $1 million civil penalty. Garza was later sentenced to 21 months’ imprisonment in a related criminal case.

The jury’s verdict comes as the SEC has expressed increased interest in regulating digital assets as securities. For example, in November, SEC Chair Gary Gensler noted that his staff’s enforcement mission includes bringing “novel” and “high-impact” cases involving crypto. And in September, Gensler called for greater regulation of crypto assets, likening the environment in crypto finance, issuance, trading, and lending to “the Wild West.” While increased enforcement in crypto markets may be on the horizon, the jury’s decision in Audet highlights some of the uncertainties that currently pertain to the regulation of digital assets, such as “Hashlets.”

Continue Reading Co-Founder of Crypto Mining Firm Prevails in Jury Verdict Based on Interpretation of Unique Securities Fraud Instruction

What does military policy have to do with the SEC? Tucked into the 1,480-page National Defense Authorization Act (NDAA) is a provision expanding the SEC’s disgorgement authority. The NDAA, specifying the budget and expenditures for the Department of Defense for fiscal year 2021 (H.R. 6395), was passed on December 11, 2020 by both chambers of Congress. Despite the lack of any obvious connection between the national defense and the SEC, the bill would amend the Securities Exchange Act of 1934 to give the SEC authority to seek disgorgement in enforcement actions brought in federal court. These amendments would also increase the statute of limitations for disgorgement from five to ten years.

Continue Reading Congress Sneaks in Expansion of SEC Disgorgement Authority in Annual Defense Bill

On July 28, 2020, the U.S. Securities and Exchange Commission (SEC) accused six individuals and their companies of securities fraud in connection with two cannabis-related businesses in California that raised $25 million in an unregistered securities offering. The SEC’s complaint was filed in the Central District of California and seeks permanent injunctions, disgorgement of ill-gotten

On June 22, 2020, the U.S. Supreme Court decided in Liu v. SEC that, in an SEC civil proceeding, a disgorgement award that does not exceed a wrongdoer’s profit and is awarded for victims is equitable relief permissible under the applicable statute. The opinion answers an important question left open by the Court in Kokesh v. SEC, which held that disgorgement operates as a “penalty,” rendering claims for disgorgement subject to the five-year statute of limitations. See Supreme Court Reigns in SEC’s Disgorgement Power. Liu closes the door on speculation that the Court was poised to hold that the SEC did not have authority to seek disgorgement.

Continue Reading SEC Can Recover Disgorgement, With Limits