InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Software company to pay $3 million to SEC for misleading disclosures about ransomware attack
On March 9, the SEC charged a South Carolina-based donor data management software company with allegedly making materially misleading disclosures about a 2020 ransomware attack. According to the SEC’s cease-and-desist order, the company issued statements that the ransomware attack did not affect donor bank account information or social security numbers. It was later revealed that the attacker had accessed and exfiltrated the unencrypted sensitive information. However, the SEC maintained that due to the company’s alleged failure to maintain disclosure controls and procedures, employees did not inform senior management responsible for public disclosures. As a result, the company’s quarterly report filed with the SEC allegedly omitted material information about the scope of the attack and “misleadingly characterized the risk of exfiltration of such sensitive donor information as hypothetical,” the SEC said. The company did not admit or deny the SEC’s findings, but agreed to pay a $3 million civil penalty and said it would cease and desist from committing violations of the Securities Act of 1933 and the Securities Exchange Act of 1934.
SEC files emergency action on $100 million crypto fraud
On March 6, the SEC announced it had filed an emergency action against a Miami-based investment adviser and one of its principals (collectively, “defendants”) in connection with a $100 million crypto asset fraud scheme. According to the SEC’s complaint, filed in the U.S. District Court for the Southern District of Florida, the defendants allegedly promised investors that their money would be primarily used to trade crypto assets and would generate returns through separately managed accounts and five private funds. The SEC alleged, however, that the defendants “disregarded the [funds’] structure, commingled investor assets, and used over $3.6 million to make Ponzi-like payments to fund investors.” Moreover, the SEC claimed that the defendants falsely represented that one of the funds received an audit opinion from a “top four auditor,” when in fact none of the funds ever received an audit opinion. The individual defendant also allegedly misappropriated investor money for personal use and provided altered documents with inflated bank account balances to a third-party administrator of some of the funds.
The SEC’s complaint alleges violations of the antifraud provisions of the federal securities laws and seeks permanent injunctions, disgorgement, prejudgment interest, and civil money penalties. The SEC is also seeking an officer and director bar and conduct-based injunction against the individual defendant. Additionally, the complaint includes a list of “relief defendants” and seeks disgorgement from each of the funds and from another entity that allegedly received approximately $12 million from the defendants and the funds. The announcement noted that the SEC successfully received an asset freeze, appointment of a receiver, and other emergency relief against the defendants.
SEC fines gaming company $4 million as successor to a company charged with FCPA violations
On March 6, the SEC announced that an Ireland-based global gaming and sports betting company, as successor-in-interest to a company it acquired in 2020 (the “acquired company”), agreed to pay a $4 million civil money penalty to settle claims that the acquired company violated the books and records and internal accounting controls provisions of the FCPA by using third-party consultants in Russia. According to the SEC’s order, the acquired company operated several gaming brands, including an online poker website. The SEC said that between May 26, 2015 and May 15, 2020, while the acquired company’s shares were registered with the SEC, it paid roughly $8.9 million to consultants in Russia in an effort to legalize poker in the country. During this time period, the SEC explained, the acquired company lacked sufficient internal accounting controls over its Russian operations with respect to third-party consultants, and failed to “consistently make and keep accurate books and records regarding its consultant payments in Russia.” Many of these third-party consultants, the SEC said, were “retained without adequate due diligence or written contracts, and paid without adequate proof of services.” The order indicated that certain payments were inaccurately recorded as lobbying fees, and that some payments went towards reimbursements for gifts given to individuals, including Russian government officials, and to a Russian state agency responsible for administering internet censorship filters. The SEC charged the Ireland company, as successor-in-interest to the acquired company, with violating Sections 13(b)(2)(A) and 13(b)(2)(B) of the Securities Exchange Act of 1934. The resolution requires the Ireland company, which neither admitted nor denied the allegations, to pay a $4 million civil money penalty. The SEC recognized the Ireland company’s cooperation and remedial efforts.
Republican lawmakers ask about risks of customers’ digital assets on balance sheets
On March 2, Senator Cynthia M. Lummis (R-WY) and Representative Patrick McHenry (R-NC) sent a letter to the Federal Reserve Board, FDIC, OCC, and NCUA requesting input on SEC guidance issued last year that directs cryptocurrency firms to account for customers’ digital assets on their balance sheets. Last April, the SEC issued Staff Accounting Bulletin No. 121 (SAB 121), covering obligations for safeguarding crypto-assets held by entities for platform users. Among other things, SAB 121 clarified that entities should track customer assets as a liability on their balance sheets. “[A]s long as Entity A is responsible for safeguarding the crypto-assets held for its platform users, including maintaining the cryptographic key information necessary to access the crypto-assets, the staff believes that Entity A should present a liability on its balance sheet to reflect its obligation to safeguard the crypto-assets held for its platform users,” SAB 121 explained.
Claiming that SAB 121 “purports to require banks, credit unions and other financial institutions to effectively place digital assets on their balance sheets,” the lawmakers argued that this “would trigger a massive capital charge,” and in turn would likely prevent regulated entities from engaging in digital asset custody. Rather, regulators should encourage regulated financial institutions to offer digital asset services, since they are subject to the highest level of oversight, the letter said. Among other things, the letter asked the regulators whether the SEC contacted them prior to issuing the guidance, and if they have directed regulated financial institutions to comply with SAB 121. The lawmakers also inquired whether the regulators “agree that SAB 121 potentially weakens consumer protection by preventing well-regulated banks, credit unions, and other financial institutions from providing custodial services for digital assets[.]” The letter pointed to the bankruptcy case of a now-defunct crypto lender, which classified all customers as unsecured creditors, as an example of the legal risk of requiring customer custodial assets be placed on an entity’s balance sheet. “SAB 121 places customer assets at greater risk of loss if a custodian becomes insolvent or enters receivership, violating the SEC’s fundamental mission to protect customers,” the lawmakers wrote.
SEC proposes new protections for crypto assets
On February 15, the SEC proposed new rules to enhance protections for customer assets, including cryptocurrency assets, managed by registered investment advisers. (See also SEC Fact Sheet here.) The proposed rules would implement measures under the Investment Advisers Act of 1940 to address how client assets are safeguarded, and would broaden the definition of “asset class” to ensure investment advisers are protecting not only their clients’ securities and funds but also “other positions held in a client’s account,” including crypto assets.
Under the proposed rules, investment advisers would be required to, among other things, segregate such crypto assets into separate accounts for safekeeping, prevent commingling of assets with the adviser’s or another related persons’ assets, and place crypto assets with a qualified custodian such as a federal or state-chartered bank or savings association, a registered broker-dealer or futures commission merchant, or certain foreign financial institutions. Foreign financial institutions would have to adhere to enhanced requirements to serve as a qualified custodian.
In a statement accompanying the release of the proposed rules, SEC Chairman Gary Gensler stated that “advisers who trade an investor’s assets cannot circumvent the custody rule and the safeguards it provides.” Gensler added that the proposal would impose several recordkeeping requirements, and require, for the first time, that advisers and qualified custodians enter into written agreements to help guarantee that customer assets are being protected.
Comments on the proposed rules are due 60 days after publication in the Federal Register.
SEC awards whistleblowers $28 million
On January 24, the SEC announced awards totaling nearly $28 million to joint whistleblowers whose information and assistance led to successful SEC enforcement actions. According to the redacted order, the joint whistleblowers’ provided information that prompted the opening of the SEC staff’s investigation and significantly contributed to the success of the action through substantial analysis and ongoing assistance. The SEC also noted that the joint whistleblowers’ actions helped result in the return of millions of dollars to harmed investors.
SEC commissioner discusses state of the crypto industry
On January 20, SEC Commissioner Hester M. Peirce spoke before the Digital Assets at Duke Conference discussing cryptocurrency lessons for the future. In her remarks, Peirce discussed the current state of cryptocurrency, stating that “the crypto world is burning.” She encouraged the audience to “not wait for regulators to fix the problems that bubbled to the surface in 2022” within the crypto industry, and instead incentivize good behavior. She also emphasized “the point of crypto,” which she considers “is not driving up crypto prices so that you can dump your tokens on someone else. Digital assets need to trade, so centralized venues or decentralized exchange protocols are necessary, but trading markets are not the ultimate point.” Among other things related to crypto, she said lessons from traditional finance are equally applicable in crypto. For example, she noted that “[h]igher returns come with higher risks.” She also suggested that the SEC should conduct some form of notice and comment process to resolve the thorniest crypto-related policy issues.
Peirce noted that “sandboxing is coming.” She then explained that SEC Chair Gary Gensler has requested “‘staff to sort through how we might best allow investors to trade crypto security tokens versus or alongside crypto non-security tokens,’[] which is an area in which experimentation through no-action letters and exemptions would be possible.” She also strongly agrees with his sentiment that “‘[g]iven the nature of crypto investments . . . it may be appropriate to be flexible in applying existing disclosure requirements.’”
She also expressed that “[r]egulation is not a silver bullet, but understanding whether, by whom, and how the company is regulated can help you calibrate your own due diligence.” Peirce said that the SEC “needs to conduct better, more precise, and more transparent legal analysis” in crypto. She noted that its continued use of the precedent from the 1946 U.S. Supreme Court case in SEC v. W.J. Howey Co. has “fleshed out the investment contract subcategory of securities, we repeat the mantra that all, or virtually all, tokens are securities,” calling the SEC’s application of the test to crypto tokens “askew.” She then noted that “an initial fundraising transaction involving a crypto token can create an investment contract, but the token itself is not necessarily the security even if it is sold on the secondary market.” Peirce also noted that the SEC often “refers to the crypto assets themselves as securities.”
Company to pay $45 million to SEC, states for unregistered crypto-lending product
On January 19, the SEC charged a Cayman Islands digital asset firm for allegedly failing to register the offer and sale of its retail crypto-asset lending product. According to the SEC’s cease-and-desist order, the company’s product allowed U.S. investors to tender certain crypto assets with the company, which were then deposited in interest-yielding accounts and used by the company to generate income and fund interest payments to investors.
The SEC maintained that the company’s product was marketed as an opportunity for investors to earn interest on their crypto assets, and that company actions “included staking, lending, and engaging in arbitrage on purportedly ‘decentralized’ finance platforms; investing in certain crypto assets; loaning funds to retail and institutional borrowers; and entering into options and swap contracts with respect to the crypto assets tendered”— resulting in the company acquiring $2.7 billion in assets from approximately 112,000 investors. The SEC found that because the product qualified as a security and did not qualify for an exemption from registration under the Securities Act of 1933, the company was required to register its offer and sale of the product, which it failed to do.
The company did not admit or deny the SEC’s findings, but agreed to pay $22.5 million to the SEC, and said it would stop offering and selling the unregistered lending product to U.S. investors. The SEC considered remedial actions promptly taken by the company, as well as its cooperation with Commission staff in determining the settlement amount. The SEC reported that the company voluntarily stopped offering its product to new U.S. investors and ceased paying interest on new funds added to existing accounts after the SEC announced charges against a different company that offered a similar crypto investment product. The company also announced that the product would stop being offered in certain states and that it was phasing out all of its products and services in the U.S.
The company also agreed to pay another $22.5 million to state regulators from California, Kentucky, Maryland, New York, Oklahoma, South Carolina, Vermont, and Washington in a parallel action claiming the company offered interest-earning accounts without first registering the investment products as securities. According to the announcement, the company allegedly failed to comply with state securities registration requirements, and, among other things, deprived investors “of critical information and disclosures necessary to understand the potential risks of the [product].”
SEC awards whistleblowers approximately $18 million
On January 19, the SEC announced three whistleblower awards totaling approximately $18 million to claimants who provided information and assistance that led to a successful enforcement action. According to the redacted order, the first whistleblower voluntarily provided detailed and significant information that prompted the opening of an investigation into a fraudulent scheme and had a significant impact on the overall success of the enforcement action. The whistleblower’s assistance saved staff time and resources, the SEC said, adding that the second and third whistleblowers voluntarily provided timely information later in the investigation that also significantly contributed to the enforcement action’s success.
SEC issues $5 million whistleblower award
On January 13, the SEC announced an award totaling nearly $5 million to a whistleblower whose new information and assistance led to a successful SEC enforcement action. According to the redacted order, the whistleblower provided substantial ongoing information that helped SEC staff shape its investigative strategy, identify witnesses, and draft document and information requests, which saved staff time and resources during the investigation.