InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
SEC opens comment period on defining “exchange”
On April 14, the SEC reopened the comment period on proposed amendments to the statutory definition of “exchange” under Exchange Act rule 3b-16, which now includes systems that facilitate the trading of crypto asset securities. (See also SEC fact sheet here.) The comment period was reopened in response to feedback requesting information about how existing rules and the proposed amendments would apply to systems that trade crypto asset securities and meet the proposed definition of an exchange, or to trading systems that use distributed ledger or blockchain technology, including such systems characterized as decentralized finance (DeFi). The SEC also provided supplement information and economic analysis for systems that would now fall under the new, proposed definition of exchange. The reopened comment period allows an opportunity for interested persons to analyze and comment on the proposed amendments in light of the supplemental information. Comments are due 30 days after publication in the Federal Register.
“[G]iven how crypto trading platforms operate, many of them currently are exchanges, regardless of the reopening release we’re considering today,” SEC Chair Gary Gensler said. “These platforms match orders of multiple buyers and sellers of crypto securities using established, non-discretionary methods. That’s the definition of an exchange—and today, most crypto trading platforms meet it. That’s the case regardless of whether they call themselves centralized or decentralized.” He added that crypto-market investors must receive the same protections that the securities laws afford to all other markets. Commissioners Mark T. Uyeda and Hester M. Peirce voted against reopening the comment period. Uyeda cautioned against expanding the definition of an “exchange” in an “ambiguous manner,” saying it could “suppress further beneficial innovation.” Peirce also dissented, arguing that the proposal stretches the statutory definition of an “exchange” beyond a reasonable reading in an attempt to “reach a poorly defined set of activities with no evidence that investors will benefit.”
California joins multistate settlement with securities brokerage
On April 6, the California Department of Financial Protection and Innovation (DFPI) joined a multi-state settlement with a securities brokerage company stemming from an investigation spearheaded by state securities regulators from Alabama, Colorado, California, Delaware, New Jersey, South Dakota, and Texas relating to certain alleged operational and technical failures. According to DFPI, the investigation was triggered by a March 2020 incident in which the brokerage company experienced several platform outages during a period in which hundreds of thousands of investors relied on the company’s app to make trades, thus preventing some users from being able to process trades. The settlement order sets out multiple alleged violations by the brokerage company, including negligently disseminating inaccurate information to customers, failing to have a “reasonably designed customer identification program,” inadequately supervising critical technology, having a deficient system for dealing with customer inquiries, failing to exercise due diligence before approving certain option accounts, and failing to report all customer complaints to FINRA and state securities regulators.
While the company neither admitted nor denied the findings, it agreed to pay up to $10.2 million in penalties and will continue to implement recommendations to address the alleged misconduct. DFPI noted in its announcement that it “found no evidence of willful or fraudulent conduct” by the company, and said the company fully cooperated with the investigation.
SEC awards whistleblowers more than $12 million
On March 31, the SEC announced awards totaling more than $12 million to two whistleblowers whose information and assistance led to a successful SEC enforcement action. According to the redacted order, the first whistleblower prompted the opening of the investigation and provided information on violations that would otherwise have been difficult to detect, including by identifying key witnesses and helping enforcement staff understand complex fact patterns and issues concerning the matters under investigation. This information was also used to create an investigative plan and craft initial document requests. Citing the first whistleblower’s persistent efforts to remedy the issues, and the fact that the information was received several years before the second whistleblower’s information, the SEC said the first whistleblower will receive more than $9 million. The second whistleblower will receive $3 million for submitting important information “as a percipient witness” during the course of the investigation on topics that went beyond what the first whistleblower had been able to provide.
SEC charges companies and executives for operating an unregistered exchange
On March 29, the SEC filed a complaint in the U.S. District Court for the Northern District of Illinois against a cryptocurrency trading platform and its executives for allegedly failing to register as a national securities exchange, broker, and clearing agency. The SEC also claimed the founder of the platform used it to raise $8 million in an unregistered token offering and misappropriated at least $900,000 for personal use. Additionally, the SEC charged certain defendant “market makers” operating on the platform as unregistered dealers. The complaint flagged certain defendants as being responsible for maintaining and providing the platform that facilitated the crypto assets that were offered and sold as securities and cited other defendants for operating as an unregistered exchange, broker, and clearing agency or as unregistered dealers.
According to the SEC’s announcement, some of the defendants—without admitting or denying the allegations—“have agreed to perform certain undertakings, including ceasing all activities as an unregistered exchange, clearing agency, broker, and dealer; shutting down the [platform]; providing an accounting of assets and funds for the benefit of customers; transferring all customer assets and funds to each respective customer; and destroying any and all [tokens] in [one of the defendant company’s] possession.” These defendants have agreed to permanent injunctions prohibiting them from engaging in future securities law violations and will pay civil penalties collectively totaling $165,800. Two of these defendants have also agreed to pay a combined amount of $62,779 in disgorgement and prejudgment interest. The SEC said it is continuing to litigate its charges against other defendants for securities fraud and for offering unregistered tokens.
SEC proposes to expand EDGAR filings
On March 22, the SEC proposed amendments intended to “modernize” filing procedures through the use of electronic filings on EDGAR using structured data as appropriate. (See also SEC fact sheet here.) Currently, registrants must submit many forms required by the Securities Exchange Act, as well as other materials and submissions, in paper form. The proposed rule would require covered self-regulatory organizations (SROs) to submit these filings electronically, and would apply to national securities exchanges, national securities associations, clearing agencies, broker-dealers, security-based swap dealers, and major security-based swap participants. The proposed rule also would require SROs to make certain submissions in a structured, machine-readable data language, and would amend certain provisions regarding the Financial and Operational Combined Uniform Single Report to harmonize it with other rules, make technical corrections, and provide clarifications. Additionally, the announcement noted that the proposed rule would require, in certain circumstances, withdrawal of notices “filed in connection with an exception to counting certain dealing transactions toward determining whether a person is a security-based swap dealer.” Comments on the proposed rule will be accepted 30 days after publication in the Federal Register or until May 22, whichever is later.
SEC proposes new cybersecurity requirements
On March 15, a divided SEC issued several proposed amendments to the agency’s cybersecurity-related rules.
The first is a proposed rule that would implement cybersecurity requirements for participants in the securities market, including broker-dealers, clearing agencies, and major security-based swap participants, among others. (See also SEC press release and fact sheet.) Among other things, the proposed rule would require all market entities to establish, maintain, and enforce written policies and procedures that are reasonably designed to address cybersecurity risks. Market participants would also be required to review the design and effectiveness of their cybersecurity policies and procedures at least once a year, and immediately provide the SEC written electronic notice of a significant cybersecurity incident should the participant have a reasonable basis to conclude that the incident had occurred or is occurring. Certain market entities would also be required to make public disclosures addressing cybersecurity risks and significant cybersecurity incidents to improve transparency. The SEC explained that the “interconnectedness of [m]arket [e]ntities increases the risk that a significant cybersecurity incident can simultaneously impact multiple [m]arket [e]tities causing systemic harm to the U.S. securities markets.”
The second proposed rule would amend Regulation S-P to enhance the protection of customer information and provide a federal minimum standard for data breach notifications. Regulation S-P requires broker-dealers, investment companies, and registered investment advisers to implement written policies and procedures for safeguarding customer records and information. The regulation also imposes requirements for proper disposal of consumer report information, implements privacy notice and opt-out provisions, and requires covered institutions to tell customers how their financial information is used. (See also SEC press release and fact sheet.) Under the proposed rule, covered institutions would be required to adopt an incident response program to address unauthorized access or use of customer information. Covered institutions would also be required to notify customers affected by certain types of data breaches that may expose them to identity theft or other harm by providing “notice as soon as soon as practicable, but not later than 30 days after the covered institution becomes aware that an incident involving unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.” The proposed rule would also “extend the protections of the safeguards and disposal rules to both nonpublic personal information that a covered institution collects about its own customers and to nonpublic personal information that a covered institution receives about customers of other financial institutions.” Modifications to provisions related to registered transfer agents are also proposed.
Comments on both proposed rules are due 60 days after publication in the Federal Register.
Additionally, the SEC announced it has reopened the comment period on proposed cybersecurity risk management rules and amendments for registered investment advisers and funds. Under the proposed rules, advisers and funds would be required to adopt and implement written policies and procedures reasonably designed to address cybersecurity risks that could harm advisory clients and fund investors. The proposed rules also laid out additional requirements relating to the disclosure of cybersecurity risks and significant cybersecurity incidents as well as filing and recordkeeping. (Covered by InfoBytes here.) The SEC reopened the comment period for an additional 60 days.
In voting against the proposed rules, Commission Hester M. Pierce questioned, among other things, whether the amendments would create overlapping requirements for financial firms subject to state data breach laws that have customer notification provisions, some of which conflict with the SEC’s proposals. Commissioner Mark T. Uyeda also raised concerns as to how the three proposals interact with each other. He cautioned that the “lack of an integrated regulatory structure may even weaken cybersecurity protection by diverting attention to satisfy multiple overlapping regulatory regimes rather than focusing on the real threat of cyber intrusions and other malfeasance.”
Software company to pay $3 million to SEC for misleading disclosures about ransomware attack
On March 9, the SEC charged a South Carolina-based donor data management software company with allegedly making materially misleading disclosures about a 2020 ransomware attack. According to the SEC’s cease-and-desist order, the company issued statements that the ransomware attack did not affect donor bank account information or social security numbers. It was later revealed that the attacker had accessed and exfiltrated the unencrypted sensitive information. However, the SEC maintained that due to the company’s alleged failure to maintain disclosure controls and procedures, employees did not inform senior management responsible for public disclosures. As a result, the company’s quarterly report filed with the SEC allegedly omitted material information about the scope of the attack and “misleadingly characterized the risk of exfiltration of such sensitive donor information as hypothetical,” the SEC said. The company did not admit or deny the SEC’s findings, but agreed to pay a $3 million civil penalty and said it would cease and desist from committing violations of the Securities Act of 1933 and the Securities Exchange Act of 1934.
SEC files emergency action on $100 million crypto fraud
On March 6, the SEC announced it had filed an emergency action against a Miami-based investment adviser and one of its principals (collectively, “defendants”) in connection with a $100 million crypto asset fraud scheme. According to the SEC’s complaint, filed in the U.S. District Court for the Southern District of Florida, the defendants allegedly promised investors that their money would be primarily used to trade crypto assets and would generate returns through separately managed accounts and five private funds. The SEC alleged, however, that the defendants “disregarded the [funds’] structure, commingled investor assets, and used over $3.6 million to make Ponzi-like payments to fund investors.” Moreover, the SEC claimed that the defendants falsely represented that one of the funds received an audit opinion from a “top four auditor,” when in fact none of the funds ever received an audit opinion. The individual defendant also allegedly misappropriated investor money for personal use and provided altered documents with inflated bank account balances to a third-party administrator of some of the funds.
The SEC’s complaint alleges violations of the antifraud provisions of the federal securities laws and seeks permanent injunctions, disgorgement, prejudgment interest, and civil money penalties. The SEC is also seeking an officer and director bar and conduct-based injunction against the individual defendant. Additionally, the complaint includes a list of “relief defendants” and seeks disgorgement from each of the funds and from another entity that allegedly received approximately $12 million from the defendants and the funds. The announcement noted that the SEC successfully received an asset freeze, appointment of a receiver, and other emergency relief against the defendants.
SEC fines gaming company $4 million as successor to a company charged with FCPA violations
On March 6, the SEC announced that an Ireland-based global gaming and sports betting company, as successor-in-interest to a company it acquired in 2020 (the “acquired company”), agreed to pay a $4 million civil money penalty to settle claims that the acquired company violated the books and records and internal accounting controls provisions of the FCPA by using third-party consultants in Russia. According to the SEC’s order, the acquired company operated several gaming brands, including an online poker website. The SEC said that between May 26, 2015 and May 15, 2020, while the acquired company’s shares were registered with the SEC, it paid roughly $8.9 million to consultants in Russia in an effort to legalize poker in the country. During this time period, the SEC explained, the acquired company lacked sufficient internal accounting controls over its Russian operations with respect to third-party consultants, and failed to “consistently make and keep accurate books and records regarding its consultant payments in Russia.” Many of these third-party consultants, the SEC said, were “retained without adequate due diligence or written contracts, and paid without adequate proof of services.” The order indicated that certain payments were inaccurately recorded as lobbying fees, and that some payments went towards reimbursements for gifts given to individuals, including Russian government officials, and to a Russian state agency responsible for administering internet censorship filters. The SEC charged the Ireland company, as successor-in-interest to the acquired company, with violating Sections 13(b)(2)(A) and 13(b)(2)(B) of the Securities Exchange Act of 1934. The resolution requires the Ireland company, which neither admitted nor denied the allegations, to pay a $4 million civil money penalty. The SEC recognized the Ireland company’s cooperation and remedial efforts.
Republican lawmakers ask about risks of customers’ digital assets on balance sheets
On March 2, Senator Cynthia M. Lummis (R-WY) and Representative Patrick McHenry (R-NC) sent a letter to the Federal Reserve Board, FDIC, OCC, and NCUA requesting input on SEC guidance issued last year that directs cryptocurrency firms to account for customers’ digital assets on their balance sheets. Last April, the SEC issued Staff Accounting Bulletin No. 121 (SAB 121), covering obligations for safeguarding crypto-assets held by entities for platform users. Among other things, SAB 121 clarified that entities should track customer assets as a liability on their balance sheets. “[A]s long as Entity A is responsible for safeguarding the crypto-assets held for its platform users, including maintaining the cryptographic key information necessary to access the crypto-assets, the staff believes that Entity A should present a liability on its balance sheet to reflect its obligation to safeguard the crypto-assets held for its platform users,” SAB 121 explained.
Claiming that SAB 121 “purports to require banks, credit unions and other financial institutions to effectively place digital assets on their balance sheets,” the lawmakers argued that this “would trigger a massive capital charge,” and in turn would likely prevent regulated entities from engaging in digital asset custody. Rather, regulators should encourage regulated financial institutions to offer digital asset services, since they are subject to the highest level of oversight, the letter said. Among other things, the letter asked the regulators whether the SEC contacted them prior to issuing the guidance, and if they have directed regulated financial institutions to comply with SAB 121. The lawmakers also inquired whether the regulators “agree that SAB 121 potentially weakens consumer protection by preventing well-regulated banks, credit unions, and other financial institutions from providing custodial services for digital assets[.]” The letter pointed to the bankruptcy case of a now-defunct crypto lender, which classified all customers as unsecured creditors, as an example of the legal risk of requiring customer custodial assets be placed on an entity’s balance sheet. “SAB 121 places customer assets at greater risk of loss if a custodian becomes insolvent or enters receivership, violating the SEC’s fundamental mission to protect customers,” the lawmakers wrote.