On October 16, the SEC’s Division of Examinations announced that its 2024 examination priorities will focus on key risk factors related to information security and operational resiliency, crypto assets and emerging financial technology, regulation systems compliance and integrity, and anti-money laundering. SEC registrants, including investment advisers, investment companies, broker dealers, self-regulatory organizations, clearing agencies, and other market participants are reminded of their obligations to address, manage, and mitigate these key risks. Notably, ESG was a “significant focus area” in 2022 (covered by InfoBytes here) and 2023, but it is not directly mentioned in the 2024 examination priorities.
According to the report, examiners plan to increase their engagement to support the evolving market and new regulatory requirements. Regarding information security and operational resiliency, examiners will focus on registrants’ procedures surrounding “internal controls, oversight of third-party vendors (where applicable), governance practices, and responses to cyber-related incidents, including those related to ransomware attacks.” Additionally, regarding crypto assets and emerging fintech, examiners will focus on registrants’ business practices involving compliance practices, risk disclosures, and operational resiliency practices. The SEC also mentioned in the “Crypto Assets and Emerging Financial Technology” section of the report that it will assess registrant preparations for the recently adopted rule for broker dealer transactions that shortens the standard settlement cycle to one business day (previously two days) after the trade, which has a compliance date of May 28, 2024. Among other things, the SEC will also focus on whether registrants’ regulation systems compliance and integrity are “reasonably designed” to ensure the security of their systems, including physical security of the systems housed in data centers.
SEC chair Gary Gensler said that the Division of Examinations plays an important role in “protecting investors and facilitating capital formation,” adding that the commission will focus on “enhancing trust” in the changing markets.
On October 5, a software provider serving nonprofit fundraising entities agreed to pay almost $50 million to settle claims with 49 states and the District of Columbia alleging that the provider maintained insufficient data security measures and inadequately responded to a 2020 data breach. Specifically, the settlement resolved claims that the software provider violated state consumer protection laws, breach-notification laws, and the Health Insurance Portability and Accountability Act (HIPAA).
According to the allegations, the data breach exposed donor information, including Social Security numbers and financial records, of over 13,000 nonprofit groups and organizations and the provider waited two months before informing these clients of the breach.
The settlement requires the provider to improve its cybersecurity protections and breach notification procedures.
Earlier this year, the software provider also settled claims with the SEC for $3 million to address allegations of misleading disclosures relating to the same 2020 data breach.
On September 26, a bipartisan group of members from the House Financial Services Committee sent a letter to Gary Gensler, the Chair of the SEC, urging him to promptly approve the listing of spot Bitcoin exchange-traded products (ETPs). They criticized the SEC's stance on these products, which they deem to be discriminatory, arguing that the commission’s purpose is making compliant products available to investors. In addition, the letter cites the recent D.C. Circuit decision that overruled the SEC’s denial of a company’s application to convert its Bitcoin trust into an ETF (covered by InfoBytes here). The members, including Tom Emmer (R-MN), Mike Flood (R-NE), Wiley Nickel (D-NC), and Ritchie Torres (D-NY), argue that approving Bitcoin ETPs would enhance investor safety and transparency by providing a regulated framework.
On September 25, the SEC announced two enforcement actions against a subsidiary (respondent) of a German multinational investment bank and financial services company, in which the respondent agreed to pay a total of $25 million in penalties arising from (i) purportedly misleading statements respondent made regarding its Environmental, Social, and Governance (ESG) program; and (ii) its failure to develop a mutual fund Anti-Money Laundering (AML) program. According to the order, respondent allegedly marketed itself to clients and investors as a leader in ESG that adhered to specific policies for integrating ESG considerations into its investments but failed to implement certain provisions of its global ESG integration policy. The order contains a number of statements that respondent made concerning its ESG program that the SEC found to be materially misleading. For example, respondent allegedly represented through its ESG Policy that its research analysts were required to include financially material and reputation relevant ESG aspects into its valuation models, investment recommendations and research reports and consider material ESG aspects as part of their investment decision, but respondent’s internal analyses allegedly showed that research analysts have inconsistent levels of documented compliance with this requirement. The SEC determined that respondent’s failure to implement certain policies and procedures violated multiple sections of the Advisers Act, including Section 206(2), “which prohibits an investment adviser, directly or indirectly, from engaging ‘in any transaction, practice, or course of business which operates as a fraud or deceit upon any client or prospective client.’”
Through the ESG order, respondent has agreed to pay a $19 million civil penalty and to cease and desist from committing any further violations of the violated sections of the Advisers Act. The SEC also charged respondent, in a separate Anti-Money Laundering order, with failure to comply with the Bank Secrecy Act and FinCEN regulations. Respondent neither admitted nor denied the SEC’s claims.
On September 20, the SEC adopted amendments (as set forth in the final rule and as discussed in the fact sheet) to the Investment Company Act rule that requires investment companies whose names suggest a focus in a particular type of investment to adopt a policy to invest not less than 80 percent of the value of their assets in those investments (the “Names Rule”). The agency said amendments to the Names Rule will enhance its protections by addressing gaps in the current requirements and will “help ensure that a fund’s portfolio aligns with a fund’s name.”
The Names Rule promotes truth-in-advertising by ensuring that a fund whose name accurately suggests a focus on a particular type of investment adopt a policy to align its portfolio to put 80 percent of its assets toward the cause suggested by its name (the “80 percent investment policy”).
The SEC said, “the amendments will enhance the rule’s protections by requiring more funds to adopt an 80 percent investment policy, including funds with names suggesting a focus in investments with particular characteristics, for example, terms such as 'growth' or 'value,' or certain terms that reference a thematic investment focus, such as the incorporation of one or more Environmental, Social, or Governance factors.”
The amendments will expand the requirement to adopt an 80 percent investment policy to more funds, including those with names suggesting a focus in investments with particular characteristics (e.g., “growth” or “value”), or certain terms that reference the incorporation of one or more ESG factors. The amendments will also (i) require that a fund conduct a quarterly review of its portfolio assets’ treatment under its 80 percent investment policy; (ii) establish deadlines for getting back into compliance if a fund departs from its 80 percent investment policy; and (iii) enhance prospectus disclosure requirements to require that terminology used in fund names that suggests an investment focus be consistent with the plain English meaning or established industry use of such terms.
The amendments will become effective 60 days after publication in the Federal Register. Fund groups with more than $1 billion in assets under management will have two years to comply with the rule. Funds that manage less than $1 billion will be given 30 months to comply with the rule.
On September 20, the SEC announced the approval of its revised Privacy Act rules, which govern the handling of personal information in the federal government. Among other things, the final rule will update, clarify, and streamline the SEC’s Privacy Act Regulations by (i) clarifying the purpose and scope of the regulations; (ii) updating definitions to plainly describe regulation processes; (iii) allowing for electronic methods to verify requesters’ identities and submit Privacy Act requests; and (iv) providing for a shorter response time to Privacy Act requests. The final rule will also update fee provisions and eliminate unnecessary provisions. The SEC last updated its Privacy Act rules in 2011, and due to the extent of the provisions, the final rule will replace the commission’s current Privacy Act regulations entirely.
The revised rule will take effect 30 days after publication in the Federal Register.
SEC files brief in its Supreme Court appeal to reverse 5th Circuit ruling against use of adjudication powers and ALJs
On August 28, the SEC filed a brief in its appeal to the U.S. Supreme Court to reverse the U.S. Court of Appeals for the Fifth Circuit’s 2022 ruling that the commission’s in-house adjudication is unconstitutional. As previously covered by InfoBytes, the 5th Circuit held that the SEC’s in-house adjudication of petitioners’ case violated their Seventh Amendment right to a jury trial and relied on unconstitutionally delegated legislative power. The brief argues that securities laws are “distinct from common law because they authorize the government to seek civil penalties even if no private person has yet suffered harm from the defendant’s violation (and therefore no person could obtain damages).” Moreover, the SEC argues that the Court has continually upheld the right of an agency to decide whether to enter an enforcement action through the civil or criminal process. The SEC referenced the 1985 Heckler v. Chaney case, which set the precedent that there is no constitutional difference between the power to decide whether to pursue an enforcement action and where to pursue an enforcement action, as they are both executive powers, supporting the claim that there is “a long and unbroken line of decisions that have relied on the public-rights doctrine in upholding such statutory schemes against Article III and Seventh Amendment challenges.” The SEC also reminded the Court that when it enforces securities laws through an administrative enforcement proceeding with a result that is not in favor of the respondent, the respondent may obtain judicial review through the court of appeals. Finally, the commission contends that the 5th Circuit erred when it held that statutory removal restrictions for ALJs are unconstitutional, and that Congress has “acted permissibly in requiring agencies to establish cause for their removal of ALJs.”
On August 29, the SEC announced that it had brought charges against a Chicago-based broker-dealer. The SEC alleged that between August 2012 and September 2020 the broker-dealer failed to file over 400 legally required suspicious financial transaction reports related to over-the-counter securities transactions executed in the broker-dealer’s alternative trading system (ATS). According to the SEC’s order, the broker-dealer did not establish an anti-money laundering surveillance program until September 2020, despite having thousands of high-risk microcap and penny stock securities transactions executed daily on its ATS.
Daniel R. Gregus, Director of the SEC’s Chicago Regional Office, stated, “All SEC-registered broker-dealers have the responsibility to comply with the requirements of the Bank Secrecy Act, including the obligation to file SARs.”
Without admitting or denying that it violated Section 17(a) of the Securities Exchange Act and Rule 17a-8, the broker-dealer agreed to a censure and a cease-and-desist order, along with a $1.5 million penalty.