On September 15, the SEC announced whistleblower awards totaling nearly $114 million to two whistleblowers who provided information and assistance leading to successful SEC and related actions. According to the redacted order, the first whistleblower was awarded $110 million for providing “significant independent information that bridged the gap between certain publicly available information and the possible securities violations.” The SEC noted that the “$110 million award consists of an approximately $40 million award in connection with an SEC case and an approximately $70 million award arising out of related actions by another agency.” The $110 million award is the second-highest award in the program's history, following an approximately $114 million whistleblower award the SEC issued in October 2020 (covered by InfoBytes here). After the SEC staff opened an investigation and undertook significant investigative steps, a second whistleblower voluntarily provided original information and received an approximately $4 million award.
The SEC has awarded approximately $1 billion in whistleblower awards to 207 individuals since issuing its first award in 2012, which includes over $500 million in fiscal year 2021 alone.
On September 14, the SEC announced a settlement with an alternative data provider and one of the company’s co-founders (collectively, "respondents") resolving allegations that the company violated antifraud provisions by engaging in deceptive practices and making material misrepresentations regarding alternative data. According to the order, the respondents understood that companies would share their confidential app performance data if they promised not to disclose it to third parties. As a result, the respondents assured companies that their data would be aggregated and anonymized before being used by a statistical model to generate estimates of app performance. However, the respondents, between 2014 and mid-2018, utilized non-aggregated and non-anonymized data to alter their model-generated estimates to make them more valuable to sell to trading firms. The SEC alleged that the respondents violated provisions of the Exchange Act, such as Section 10(b) and Rule 10b-5 thereunder, because their misrepresentations and other deceptive practices misled subscribers regarding how the company’s intelligence estimates were calculated. The order, to which the respondents consented, imposes civil money penalties of $300,000 and $10 million. The order also provides that the company must cease and desist from committing or causing any future violations of the Exchange Act, and prohibits the co-founder from serving as an officer or director of a public company for three years.
On September 13, the SEC announced charges against three media companies (respondents) for allegedly violating the Securities Act of 1933 (Securities Act) by conducting an illegal unregistered offering of stock and coin security. In addition, two of the companies were also charged for allegedly conducting an illegal unregistered offering of a digital asset security. According to the SEC’s order, between April and June 2020, the respondents generally solicited thousands of individuals to invest in a common stock offering. During the same time period, two of the companies solicited individuals to invest in their offering of a digital asset coin security. As a result of these two unregistered securities offerings, whose proceeds were commingled, the respondents collectively raised approximately $487 million from over 5,000 investors.
The order finds that, through both the stock and coin offering, the respondents violated Sections 5(a) and 5(c) of the Securities Act by offering and selling securities without having properly registered. The order, to which the companies consented without admitting or denying the findings, notes that the respondents are banned from participating in any offering of a digital asset security, and are required to cease and desist from future violations of the Securities Act and assist the SEC staff in the administration of a distribution plan, among other things. Two of the companies agreed to pay, jointly and severally, disgorgement of approximately $434 million plus prejudgment interest of approximately $16 million, in addition to a civil penalty of $15 million each. The other company agreed to pay disgorgement of approximately $52 million plus prejudgment interest of almost $2 million, as well as a civil penalty of $5 million. The order also establishes a Fair Fund to return monies to injured investors.
On September 7, the Financial Industry Regulatory Authority (FINRA) entered into a Letter of Acceptance, Waiver, and Consent, with a New York-based broker-dealer subsidiary of a global financial services company to resolve allegations that it distributed reports to the firm’s institutional customers that omitted required disclosures or included inaccurate disclosures. Among other things, FINRA alleged that the firm’s failure to implement a supervisory system reasonably designed to achieve compliance with the disclosure requirements and failure to enforce the supervisory procedures it had in place, led to the publication of 60 debt research reports with a total of 333 disclosure omissions. The letter reports that after identifying the issue and reporting it to FINRA, the firm “immediately ceased the production of all debt research and suspended the issuance of equity research.” The firm neither admitted nor denied the findings set forth in the AWC letter but agreed to pay a $175,000 fine.
On September 1, the SEC filed a complaint against an online cryptocurrency lending platform, its founder, and an additional executive and his affiliated company (collectively, “defendants”) alleging they fraudulently raised approximately $2 billion from retail investors through a global unregistered offering of investments involving digital assets. According to the SEC, the defendants sold securities in the form of investments tied to the company’s lending program, and falsely promised investors that its purported proprietary “volatility software trading bot” could generate monthly returns as high as 40 percent. However, the SEC alleged that instead of trading investor funds, the defendants used the funds for their own benefit, such as transferring funds to a digital wallet controlled by their top U.S. promoter (one of the defendants here). To hide the fact that they were not trading the funds as promised, the SEC claimed the defendants “conducted a Ponzi-like scheme in which they at times used funds deposited by newer investors in order to satisfy withdrawal demands made by earlier investors.” The SEC charged the defendants with violating antifraud and registration provisions of the federal securities laws, and is seeking injunctive relief, disgorgement plus prejudgment interest, and civil penalties. In a parallel action, the DOJ announced the same day that the top U.S. promoter pleaded guilty to criminal charges for his role in the cryptocurrency scheme.
On August 30, the SEC announced sanctions against eight firms in three actions for alleged failures in their cybersecurity policies and procedures that resulted in takeovers of employee email accounts, which exposed the personal information of thousands of customers and clients at each firm. Each order finds that the firms violated Regulation 30(a) of the Safeguards Rule, “which requires every broker-dealer and every investment adviser registered with the Commission to adopt written policies and procedures that are reasonably designed to safeguard customer records and information.” According to the SEC’s first order against a California-based investment firm, from November 2017 to June 2020, cloud-based email accounts of more than 60 of the firm’s entities' personnel were taken over by unauthorized third parties, which resulted in the exposure of personally identifying information (PII) of over 4,388 customers and clients. According to the order, none of these accounts were protected by multi-factor authentication (MFA), even though the firm’s policies required use of MFA since 2018 “wherever possible.” This failure resulted in sending breach notifications to clients that included misleading template language, which suggested that the notifications were issued much sooner than they actually were after discovery of the incidents. The order, which the company consented to without admitting or denying the findings, imposes a civil money penalty of $300,000, and provides that the company must cease and desist from committing or causing any future violations of the Safeguards Rule.
According to the SEC’s second order against an Iowa-based investment firm, from January 2018 to July 2021, cloud-based email accounts of over 121 of the firm’s representatives were taken over by unauthorized third parties, which resulted in the PII exposure of at least 2,177 customers and clients. The order finds that though the firm discovered the first email account takeover in January 2018, it failed to adopt written policies and procedures for cloud-based email accounts reasonably designed to protect customer records and information, such as the use of MFA. The order, which the company consented to without admitting or denying the findings, imposes a civil money penalty of $250,000, and provides that the company must cease and desist from committing or causing any future violations of the Safeguards Rule.
According to the SEC's third order against a Washington-based investment firm, from September 2018 to December 2019, cloud-based email accounts of 15 of the firm’s financial advisers or their assistants were taken over by unauthorized third parties, which resulted in the PII exposure of approximately 4,900 customers and clients. The order also finds that the firm “failed to adopt written policies and procedures requiring additional firm-wide security measures for all [of the firm’s] email users until May 2020, and did not fully implement those measures until August 2020,” which placed additional customer and client records and information at risk. The policies recommended, but did not require, the use of MFA for accessing sensitive data. The order, which the company consented to without admitting or denying the findings, imposes a civil money penalty of $200,000, and provides that the company must cease and desist from committing or causing any future violations of the Safeguards Rule.
On August 27, the SEC announced a request for information and public comments regarding the use of digital engagement practices by broker-dealers and investment advisers, such as behavioral prompts, differential marketing, game-like features (gamification), and other design elements or features designed to engage with retail investors on digital platforms, as well as analytical and technological tools and methods (collectively “digital engagement practices” or “DEPs”). The SEC issued the request to better understand the market practices related to firms' use of DEPs and intends “to learn what conflicts of interest may arise from optimization practices and whether those optimization practices affect the determination of whether DEPs are making a recommendation or providing investment advice.” The request is also intended to provide a forum for market participants to provide their perspectives regarding the use of DEPs, including the potential benefits that DEPs provide to retail investors, and protection concerns related to potential investors. The request will assist in the Commission's assessment of existing regulations and consideration regarding whether regulatory action may be required to continue the Commission's mission. A statement by SEC Chair Gary Gensler noted that though “new technologies can bring us greater access and product choice, they also raise questions as to whether we as investors are appropriately protected when we trade and get financial advice.” The public comment period for the request will remain open for 30 days after publication in the Federal Register.
On August 27, the SEC announced whistleblower awards to five individuals totaling nearly $2.6 million for information provided in three separate enforcement actions. According to the first redacted order, the SEC awarded a whistleblower nearly $1.2 million for voluntarily providing an “‘independent analysis’ by creating and applying a complex algorithm to publicly available data,” which saved resources and time for Commission staff, and assisted the staff during settlement negotiations. In the second redacted order, the SEC awarded approximately $1 million to three individuals for providing original information and assistance that led to a successful enforcement action. According to the order, though the whistleblowers held compliance roles at the company, they are eligible for an award since they submitted information to the Commission more than 120 days after the alleged conduct was internally reported. The first whistleblower who received the highest award provided extraordinary assistance and comprehensive information that was vital to the successful enforcement action. In the third redacted order, the SEC awarded a whistleblower over $350,000 for providing independent analysis based on an unusual effort and expertise developed over many years. The whistleblower identified patterns among publicly available information that allowed the Commission to quickly identify and prevent wrongdoing and to preserve assets, which led to a successful enforcement action.
On August 19, the SEC announced enhancements to provide public access to publicly traded companies’ EDGAR financial statements and other disclosures. For the first time, the SEC is releasing Application Programming Interfaces (APIs) that aggregate financial statement data in order to make corporate disclosures quicker and easier for developers and third-party services to use. APIs will also “allow developers to create web or mobile apps that directly serve retail investors.” According to EDGAR Business Office Director Jed Hickman, the “new APIs make important information about public companies more accessible and usable than ever before.” He added that this is another step in “the SEC’s continuing efforts to facilitate innovation and make financial disclosure data accessible to all market participants.”
On August 16, the SEC and the European Central Bank (ECB) entered into a Memorandum of Understanding (MOU) intended to facilitate the consultation, cooperation, and exchange of information connected with the supervision, enforcement, oversight, and inspection of certain security-based swap dealers and major security-based swap entities in EU member states registered with the SEC and supervised by the ECB. These include SEC-registered security-based swap entities participating in the Single Supervisory Mechanism (SSM), the EU’s system of banking supervision, which “is composed of the ECB and the relevant national competent authorities of participating EU Member States.” Among other things, the MOU will “support the SEC’s oversight of the operation of substituted compliance orders that the Commission has issued for security-based swap entities in France and Germany, as well as any future substituted compliance orders for such firms in other EU Member States that participate in the SSM,” to enable an entity to comply with certain Dodd-Frank Act requirements by complying with comparable EU and EU Member State laws. The MOU, which is intended to “foster cooperation” and exchange information between the authorities, states that at the date of execution, “no bank secrecy, blocking laws, or other regulations or legal barriers, should prevent an Authority from providing assistance to the other Authority pursuant to this MOU, or otherwise adversely affect or hinder the operation of this MOU.”