
InfoBytes Blog

Financial Services Law Insights and Observations


  • SEC proposes new cybersecurity requirements

    Agency Rule-Making & Guidance

    On March 15, a divided SEC issued several proposed amendments to the agency’s cybersecurity-related rules.

    The first is a proposed rule that would implement cybersecurity requirements for participants in the securities market, including broker-dealers, clearing agencies, and major security-based swap participants, among others. (See also SEC press release and fact sheet.) Among other things, the proposed rule would require all market entities to establish, maintain, and enforce written policies and procedures that are reasonably designed to address cybersecurity risks. Market participants would also be required to review the design and effectiveness of their cybersecurity policies and procedures at least once a year, and immediately provide the SEC written electronic notice of a significant cybersecurity incident should the participant have a reasonable basis to conclude that the incident had occurred or is occurring. Certain market entities would also be required to make public disclosures addressing cybersecurity risks and significant cybersecurity incidents to improve transparency. The SEC explained that the “interconnectedness of [m]arket [e]ntities increases the risk that a significant cybersecurity incident can simultaneously impact multiple [m]arket [e]ntities causing systemic harm to the U.S. securities markets.”

    The second proposed rule would amend Regulation S-P to enhance the protection of customer information and provide a federal minimum standard for data breach notifications. Regulation S-P requires broker-dealers, investment companies, and registered investment advisers to implement written policies and procedures for safeguarding customer records and information. The regulation also imposes requirements for proper disposal of consumer report information, implements privacy notice and opt-out provisions, and requires covered institutions to tell customers how their financial information is used. (See also SEC press release and fact sheet.) Under the proposed rule, covered institutions would be required to adopt an incident response program to address unauthorized access or use of customer information. Covered institutions would also be required to notify customers affected by certain types of data breaches that may expose them to identity theft or other harm by providing “notice as soon as practicable, but not later than 30 days after the covered institution becomes aware that an incident involving unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.” The proposed rule would also “extend the protections of the safeguards and disposal rules to both nonpublic personal information that a covered institution collects about its own customers and to nonpublic personal information that a covered institution receives about customers of other financial institutions.” Modifications to provisions related to registered transfer agents are also proposed.

    Comments on both proposed rules are due 60 days after publication in the Federal Register.

    Additionally, the SEC announced it has reopened the comment period on proposed cybersecurity risk management rules and amendments for registered investment advisers and funds. Under the proposed rules, advisers and funds would be required to adopt and implement written policies and procedures reasonably designed to address cybersecurity risks that could harm advisory clients and fund investors. The proposed rules also laid out additional requirements relating to the disclosure of cybersecurity risks and significant cybersecurity incidents as well as filing and recordkeeping. (Covered by InfoBytes here.) The SEC reopened the comment period for an additional 60 days.

    In voting against the proposed rules, Commissioner Hester M. Peirce questioned, among other things, whether the amendments would create overlapping requirements for financial firms subject to state data breach laws that have customer notification provisions, some of which conflict with the SEC’s proposals. Commissioner Mark T. Uyeda also raised concerns as to how the three proposals interact with each other. He cautioned that the “lack of an integrated regulatory structure may even weaken cybersecurity protection by diverting attention to satisfy multiple overlapping regulatory regimes rather than focusing on the real threat of cyber intrusions and other malfeasance.”

    Agency Rule-Making & Guidance Securities Privacy, Cyber Risk & Data Security SEC Data Breach Consumer Protection

  • Software company to pay $3 million to SEC for misleading disclosures about ransomware attack

    Securities

    On March 9, the SEC charged a South Carolina-based donor data management software company with allegedly making materially misleading disclosures about a 2020 ransomware attack. According to the SEC’s cease-and-desist order, the company issued statements that the ransomware attack did not affect donor bank account information or social security numbers. It was later revealed that the attacker had accessed and exfiltrated the unencrypted sensitive information. However, the SEC maintained that due to the company’s alleged failure to maintain disclosure controls and procedures, employees did not inform senior management responsible for public disclosures. As a result, the company’s quarterly report filed with the SEC allegedly omitted material information about the scope of the attack and “misleadingly characterized the risk of exfiltration of such sensitive donor information as hypothetical,” the SEC said. The company did not admit or deny the SEC’s findings, but agreed to pay a $3 million civil penalty and said it would cease and desist from committing violations of the Securities Act of 1933 and the Securities Exchange Act of 1934.

    Securities SEC Enforcement Privacy, Cyber Risk & Data Security Ransomware Securities Act Securities Exchange Act

  • SEC files emergency action on $100 million crypto fraud

    Securities

    On March 6, the SEC announced it had filed an emergency action against a Miami-based investment adviser and one of its principals (collectively, “defendants”) in connection with a $100 million crypto asset fraud scheme. According to the SEC’s complaint, filed in the U.S. District Court for the Southern District of Florida, the defendants allegedly promised investors that their money would be primarily used to trade crypto assets and would generate returns through separately managed accounts and five private funds. The SEC alleged, however, that the defendants “disregarded the [funds’] structure, commingled investor assets, and used over $3.6 million to make Ponzi-like payments to fund investors.” Moreover, the SEC claimed that the defendants falsely represented that one of the funds received an audit opinion from a “top four auditor,” when in fact none of the funds ever received an audit opinion. The individual defendant also allegedly misappropriated investor money for personal use and provided altered documents with inflated bank account balances to a third-party administrator of some of the funds.

    The SEC’s complaint alleges violations of the antifraud provisions of the federal securities laws and seeks permanent injunctions, disgorgement, prejudgment interest, and civil money penalties. The SEC is also seeking an officer and director bar and conduct-based injunction against the individual defendant. Additionally, the complaint includes a list of “relief defendants” and seeks disgorgement from each of the funds and from another entity that allegedly received approximately $12 million from the defendants and the funds. The announcement noted that the SEC successfully received an asset freeze, appointment of a receiver, and other emergency relief against the defendants.

    Securities SEC Enforcement Digital Assets Cryptocurrency Courts

  • SEC fines gaming company $4 million as successor to a company charged with FCPA violations

    Securities

    On March 6, the SEC announced that an Ireland-based global gaming and sports betting company, as successor-in-interest to a company it acquired in 2020 (the “acquired company”), agreed to pay a $4 million civil money penalty to settle claims that the acquired company violated the books and records and internal accounting controls provisions of the FCPA by using third-party consultants in Russia. According to the SEC’s order, the acquired company operated several gaming brands, including an online poker website. The SEC said that between May 26, 2015 and May 15, 2020, while the acquired company’s shares were registered with the SEC, it paid roughly $8.9 million to consultants in Russia in an effort to legalize poker in the country. During this time period, the SEC explained, the acquired company lacked sufficient internal accounting controls over its Russian operations with respect to third-party consultants, and failed to “consistently make and keep accurate books and records regarding its consultant payments in Russia.” Many of these third-party consultants, the SEC said, were “retained without adequate due diligence or written contracts, and paid without adequate proof of services.” The order indicated that certain payments were inaccurately recorded as lobbying fees, and that some payments went towards reimbursements for gifts given to individuals, including Russian government officials, and to a Russian state agency responsible for administering internet censorship filters. The SEC charged the Ireland company, as successor-in-interest to the acquired company, with violating Sections 13(b)(2)(A) and 13(b)(2)(B) of the Securities Exchange Act of 1934. The resolution requires the Ireland company, which neither admitted nor denied the allegations, to pay a $4 million civil money penalty. The SEC recognized the Ireland company’s cooperation and remedial efforts.

    Securities Financial Crimes SEC FCPA Bribery Of Interest to Non-US Persons Securities Exchange Act

  • Republican lawmakers ask about risks of customers’ digital assets on balance sheets

    Securities

    On March 2, Senator Cynthia M. Lummis (R-WY) and Representative Patrick McHenry (R-NC) sent a letter to the Federal Reserve Board, FDIC, OCC, and NCUA requesting input on SEC guidance issued last year that directs cryptocurrency firms to account for customers’ digital assets on their balance sheets. Last April, the SEC issued Staff Accounting Bulletin No. 121 (SAB 121), covering obligations for safeguarding crypto-assets held by entities for platform users. Among other things, SAB 121 clarified that entities should track customer assets as a liability on their balance sheets. “[A]s long as Entity A is responsible for safeguarding the crypto-assets held for its platform users, including maintaining the cryptographic key information necessary to access the crypto-assets, the staff believes that Entity A should present a liability on its balance sheet to reflect its obligation to safeguard the crypto-assets held for its platform users,” SAB 121 explained.

    Claiming that SAB 121 “purports to require banks, credit unions and other financial institutions to effectively place digital assets on their balance sheets,” the lawmakers argued that this “would trigger a massive capital charge,” and in turn would likely prevent regulated entities from engaging in digital asset custody. Rather, regulators should encourage regulated financial institutions to offer digital asset services, since they are subject to the highest level of oversight, the letter said. Among other things, the letter asked the regulators whether the SEC contacted them prior to issuing the guidance, and if they have directed regulated financial institutions to comply with SAB 121. The lawmakers also inquired whether the regulators “agree that SAB 121 potentially weakens consumer protection by preventing well-regulated banks, credit unions, and other financial institutions from providing custodial services for digital assets[.]” The letter pointed to the bankruptcy case of a now-defunct crypto lender, which classified all customers as unsecured creditors, as an example of the legal risk of requiring customer custodial assets be placed on an entity’s balance sheet. “SAB 121 places customer assets at greater risk of loss if a custodian becomes insolvent or enters receivership, violating the SEC’s fundamental mission to protect customers,” the lawmakers wrote.

    Securities SEC Digital Assets Cryptocurrency Congress Federal Reserve FDIC OCC NCUA Accounting Fintech

  • New York AG sues crypto trading platform for failing to register

    State Issues

    On February 22, the New York attorney general filed a petition in state court against a virtual currency trading platform (respondent) for allegedly failing to register as a securities and commodities broker-dealer and falsely representing itself as a cryptocurrency exchange. The respondent’s website and mobile application enable investors to buy and sell cryptocurrency, including certain popular virtual currencies that are allegedly securities and commodities. According to the AG, securities and commodities brokers are required to register with the state, which the respondent allegedly failed to do. The AG further maintained that the respondent claimed to be an exchange but failed to appropriately register with the SEC as a national securities exchange or be designated by the CFTC as required under New York law. Nor did the respondent comply with a subpoena requesting additional information about its crypto-asset trading activities in the state, the AG said. The state seeks a court order (i) preventing the respondent from misrepresenting that it is an exchange; (ii) banning the respondent from operating in the state; and (iii) directing the respondent to undertake measures to prevent access to its mobile application, website, and services from within New York.

    State Issues Digital Assets New York State Attorney General Courts Virtual Currency Securities SEC CFTC

  • SEC proposes revisions to Privacy Act

    Agency Rule-Making & Guidance

    On February 14, the SEC issued a proposed rule to revise the Commission’s regulations under the Privacy Act of 1974, as amended. The Privacy Act governs the collection, maintenance, use, and dissemination of information about individuals that is maintained by the federal agencies. Under the Privacy Act, individuals are afforded a right of access to records pertaining to them and a right to have inaccurate records corrected. Among other things, the revisions would clarify, update, and streamline the language of several procedural provisions to codify current practices for processing public requests. The revisions would also clarify the SEC’s process for how individuals can access information pertaining to themselves. If adopted, the proposed rule would also revise procedural and fee provisions, eliminate unnecessary provisions, and allow for electronic methods to verify one’s identity and submit Privacy Act requests. Comments on the proposed rule are due April 17, or 30 days after publication in the Federal Register, whichever is later.

    Agency Rule-Making & Guidance Federal Issues SEC Privacy, Cyber Risk & Data Security Privacy Act

  • SEC awards whistleblowers $28 million

    Securities

    On January 24, the SEC announced awards totaling nearly $28 million to joint whistleblowers whose information and assistance led to successful SEC enforcement actions. According to the redacted order, the joint whistleblowers provided information that prompted the opening of the SEC staff’s investigation and significantly contributed to the success of the action through substantial analysis and ongoing assistance. The SEC also noted that the joint whistleblowers’ actions helped result in the return of millions of dollars to harmed investors.

    Securities SEC Enforcement Whistleblower Securities Act

  • SEC commissioner discusses state of the crypto industry

    Securities

    On January 20, SEC Commissioner Hester M. Peirce spoke before the Digital Assets at Duke Conference discussing cryptocurrency lessons for the future. In her remarks, Peirce discussed the current state of cryptocurrency, stating that “the crypto world is burning.” She encouraged the audience to “not wait for regulators to fix the problems that bubbled to the surface in 2022” within the crypto industry, and instead incentivize good behavior. She also emphasized “the point of crypto,” which she considers “is not driving up crypto prices so that you can dump your tokens on someone else. Digital assets need to trade, so centralized venues or decentralized exchange protocols are necessary, but trading markets are not the ultimate point.” Among other things related to crypto, she said lessons from traditional finance are equally applicable in crypto. For example, she noted that “[h]igher returns come with higher risks.”  She also suggested that the SEC should conduct some form of notice and comment process to resolve the thorniest crypto-related policy issues.

    Peirce noted that “sandboxing is coming.” She then explained that SEC Chair Gary Gensler has requested “‘staff to sort through how we might best allow investors to trade crypto security tokens versus or alongside crypto non-security tokens,’[] which is an area in which experimentation through no-action letters and exemptions would be possible.” She also strongly agrees with his sentiment that “‘[g]iven the nature of crypto investments . . . it may be appropriate to be flexible in applying existing disclosure requirements.’”

    She also expressed that “[r]egulation is not a silver bullet, but understanding whether, by whom, and how the company is regulated can help you calibrate your own due diligence.” Peirce said that the SEC “needs to conduct better, more precise, and more transparent legal analysis” in crypto. She noted that its continued use of the precedent from the 1946 U.S. Supreme Court case in SEC v. W.J. Howey Co. has “fleshed out the investment contract subcategory of securities, we repeat the mantra that all, or virtually all, tokens are securities,” calling the SEC’s application of the test to crypto tokens “askew.” She then noted that “an initial fundraising transaction involving a crypto token can create an investment contract, but the token itself is not necessarily the security even if it is sold on the secondary market.” Peirce also noted that the SEC often “refers to the crypto assets themselves as securities.”

    Securities Digital Assets SEC Cryptocurrency

  • Company to pay $45 million to SEC, states for unregistered crypto-lending product

    Securities

    On January 19, the SEC charged a Cayman Islands digital asset firm for allegedly failing to register the offer and sale of its retail crypto-asset lending product. According to the SEC’s cease-and-desist order, the company’s product allowed U.S. investors to tender certain crypto assets with the company, which were then deposited in interest-yielding accounts and used by the company to generate income and fund interest payments to investors.

    The SEC maintained that the company’s product was marketed as an opportunity for investors to earn interest on their crypto assets, and that company actions “included staking, lending, and engaging in arbitrage on purportedly ‘decentralized’ finance platforms; investing in certain crypto assets; loaning funds to retail and institutional borrowers; and entering into options and swap contracts with respect to the crypto assets tendered”— resulting in the company acquiring $2.7 billion in assets from approximately 112,000 investors. The SEC found that because the product qualified as a security and did not qualify for an exemption from registration under the Securities Act of 1933, the company was required to register its offer and sale of the product, which it failed to do.

    The company did not admit or deny the SEC’s findings, but agreed to pay $22.5 million to the SEC, and said it would stop offering and selling the unregistered lending product to U.S. investors. The SEC considered remedial actions promptly taken by the company, as well as its cooperation with Commission staff in determining the settlement amount. The SEC reported that the company voluntarily stopped offering its product to new U.S. investors and ceased paying interest on new funds added to existing accounts after the SEC announced charges against a different company that offered a similar crypto investment product. The company also announced that the product would stop being offered in certain states and that it was phasing out all of its products and services in the U.S.

    The company also agreed to pay another $22.5 million to state regulators from California, Kentucky, Maryland, New York, Oklahoma, South Carolina, Vermont, and Washington in a parallel action claiming the company offered interest-earning accounts without first registering the investment products as securities. According to the announcement, the company allegedly failed to comply with state securities registration requirements, and, among other things, deprived investors “of critical information and disclosures necessary to understand the potential risks of the [product].”

    Securities SEC Enforcement Digital Assets Consumer Lending Cryptocurrency State Issues Securities Act
