InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
SEC issues whistleblower awards totaling $11.5 million
On September 17, the SEC announced whistleblower awards totaling approximately $11.5 million to two whistleblowers who provided information and assistance leading to a successful SEC enforcement action. According to the redacted order, the SEC paid one of the whistleblowers nearly $7 million for being the initial source that led enforcement staff to open an investigation into hard-to-detect violations and for providing subsequent substantial assistance. According to the SEC, the whistleblower also “made persistent efforts to remedy the issues, while suffering hardships.” The second whistleblower, who provided information several years after the investigation was already underway, was paid more than $4.5 million. The SEC noted that the information was particularly helpful as it was based on the second whistleblower’s more recent experience. However, the SEC reduced the award after determining that the whistleblower delayed reporting to the SEC for several years after becoming aware of the wrongdoing.
The SEC has awarded approximately $1 billion in whistleblower awards to 212 individuals since issuing its first award in 2012.
SEC reaches $1 billion milestone in whistleblower awards
On September 15, the SEC announced whistleblower awards totaling nearly $114 million to two whistleblowers who provided information and assistance leading to successful SEC and related actions. According to the redacted order, the first whistleblower was awarded $110 million for providing “significant independent information that bridged the gap between certain publicly available information and the possible securities violations.” The SEC noted that the “$110 million award consists of an approximately $40 million award in connection with an SEC case and an approximately $70 million award arising out of related actions by another agency.” The $110 million award is the second-highest award in the program's history, following an approximately $114 million whistleblower award the SEC issued in October 2020 (covered by InfoBytes here). After the SEC staff opened an investigation and undertook significant investigative steps, a second whistleblower voluntarily provided original information and received an approximately $4 million award.
The SEC has awarded approximately $1 billion in whistleblower awards to 207 individuals since issuing its first award in 2012, which includes over $500 million in fiscal year 2021 alone.
FTC to use CIDs and subpoenas to streamline investigations
On September 14, the FTC voted 3-2, at the recommendation of the Bureau of Consumer Protection and Bureau of Competition, to approve a series of resolutions intended to streamline consumer protection and competition investigations in core FTC-priority areas over the next decade. At the recommendation of the Bureaus, the FTC authorized eight new compulsory process resolutions, which authorize the use of civil investigative demands and subpoenas when investigating the following areas: (i) acts or practices affecting U.S. servicemember and veterans; (ii) acts or practices affecting children under 18; (iii) algorithmic and biometric bias; (iv) deceptive and manipulative online conduct, including matters related to tech support scams, payment processing, marketing of goods and services, and user interface manipulation; (v) repair restrictions; (vi) intellectual property abuse; (vii) common directors and officers and common ownership; and (viii) monopolization offenses. According to the FTC, adopting these resolutions will enhance and streamline the ability of FTC investigators and prosecutors to obtain evidence in critical investigations relating to potential violations of the FTC Act. FTC Commissioner Rohit Chopra issued a statement following the vote, commenting that the adoption “will improve the agency’s ability to order documents and data in investigations and fills a notable gap in the Commission’s long list of enforcement authorizations developed over many years.”
SEC takes action against firms for cybersecurity procedures
On August 30, the SEC announced sanctions against eight firms in three actions for alleged failures in their cybersecurity policies and procedures that resulted in email account takeovers of employee email accounts, which exposed the personal information of thousands of customers and clients at each firm. Each order finds that the firms violated Regulation 30(a) of the Safeguards Rule, “which requires every broker-dealer and every investment adviser registered with the Commission to adopt written policies and procedures that are reasonably designed to safeguard customer records and information.” According to the SEC’s first order against a California-based investment firm, from November 2017 to June 2020, cloud-based email accounts of more than 60 of the firm’s entities' personnel were taken over by unauthorized third parties, which resulted in the exposure of personally identifying information (PII) of over 4,388 customers and clients. According to the order, none of these accounts were protected by multi-factor authentication (MFA), even though the firm’s policies required use of MFA since 2018 “wherever possible.” This failure resulted in sending breach notifications to clients that included misleading template language, which suggested that the notifications were issued much sooner than they actually were after discovery of the incidents. The order, which the company consented to without admitting or denying the findings, imposes a civil money penalty of $300,000, and provides that the company must cease and desist from committing or causing any future violations of the Safeguards Rule.
According to the SEC’s second order against an Iowa-based investment firm, from January 2018 to July 2021, cloud-based email accounts of over 121 of the firm’s representatives were taken over by unauthorized third parties, which resulted in the PII exposure of at least 2,177 customers and clients. The order finds that though the firm discovered the first email account takeover in January 2018, it failed to adopt written policies and procedures for cloud-based email accounts reasonably designed to protect customer records and information, such as the use of MFA. The order, which the company consented to without admitting or denying the findings, imposes a civil money penalty of $250,000, and provides that the company must cease and desist from committing or causing any future violations of the Safeguards Rule.
According to the SEC's third order against a Washington-based investment firm, from September 2018 to December 2019, cloud-based email accounts of 15 of the firm’s financial advisers or their assistants were taken over by unauthorized third parties, which resulted in the PII exposure of approximately 4,900 customers and clients. The order also finds that the firm “failed to adopt written policies and procedures requiring additional firm-wide security measures for all [of the firm’s] email users until May 2020, and did not fully implement those measures until August 2020,” which placed additional customer and client records and information at risk. The policies recommended, but did not require, the use of MFA for accessing sensitive data. The order, which the company consented to without admitting or denying the findings, imposes a civil money penalty of $200,000, and provides that the company must cease and desist from committing or causing any future violations of the Safeguards Rule.
SEC issues whistleblower awards totaling nearly $2.6 million
On August 27, the SEC announced whistleblower awards to five individuals totaling nearly $2.6 million for information provided in three separate enforcement actions. According to the first redacted order, the SEC awarded a whistleblower nearly $1.2 million for voluntarily providing an “’independent analysis’ by creating and applying a complex algorithm to publicly available data,” which saved resources and time for Commission staff, and assisted the staff during settlement negotiations. In the second redacted order, the SEC awarded approximately $1 million to three individuals for providing original information and assistance that led to a successful enforcement action. According to the order, though the whistleblowers held compliance roles at the company, they are eligible for an award since they submitted information to the Commission more than 120 days after the alleged conduct was internally reported. The first whistleblower who received the highest award provided extraordinary assistance and comprehensive information that was vital to the successful enforcement action. In the third redacted order, the SEC awarded a whistleblower over $350,000 for providing independent analysis based on an unusual effort and expertise developed over many years. The whistleblower identified patterns among publicly available information that allowed the Commission to quickly identify and prevent wrongdoing and to preserve assets, which led to a successful enforcement action.
SEC settles with company over data breach
On August 16, the SEC announced charges against a London-based educational publishing company for its role in allegedly misleading investors regarding a cyber breach that involved millions of student records and had inadequate disclosure controls and procedures in place. According to the SEC’s order, the company made material misstatements and omissions about a 2018 cyber intrusion that affected millions of rows of data across 13,000 school, district, and university customer accounts in the U.S. According to a 2019 report furnished to the Commission, the company’s risk factor disclosure implied that the company faced the hypothetical risk that a “data privacy incident” “could result in a major data privacy or confidentiality breach” but did not disclose that a data breach involving the company had previously taken place. In response to an inquiry by a media outlet, the company sent a breach notification to its affected customers and issued a previously prepared statement that included misstatements regarding the breach and data involved. The order found that the company failed “to maintain disclosure controls and procedures designed to analyze or assess such incidents for potential disclosure in the company’s filings.” The SEC charged the company with violating, among other things, Rule 13a-15(a) of the Securities Act, which requires every issuer to maintain disclosure controls and procedures, and Section 13(a) of the Exchange Act which requires “every foreign issuer of a security registered pursuant to Section 12 of the Exchange Act to furnish the Commission with periodic reports containing information that is accurate and not misleading.” The order, which the company consented to without admitting or denying the findings, imposes a civil money penalty of $1 million and provides that the company must cease and desist from committing or causing any future violations of the Securities Act and the Exchange Act.
SEC takes emergency action against investor fraud scheme
On August 13, the SEC announced it obtained a temporary restraining order through an emergency action filed against an individual and his two entities, which allegedly induced dozens of consumers to invest by falsely claiming that their funds would be used to acquire real estate and to make commercial loans. According to the SEC, the individual misappropriated the vast majority of the investors' funds to pay for his residences, cover credit cards bills, and make student loan payments. The complaint also alleges that the individual hid the fraud from investors by providing investors with false valuations, among other things. The SEC’s complaint alleges violations of the antifraud provisions of the Securities Act of 1933, the Securities Exchange Act of 1934, the Investment Advisers Act of 1940, and seeks a permanent injunction against the defendants enjoining them from future violations, disgorgement of all ill-gotten gains, and civil penalties, among other things.
SEC awards $9.5 million to whistleblowers
On August 10, the SEC announced awards totaling nearly $6 million to two whistleblowers whose information and assistance led to separate successful SEC enforcement actions. According to the first redacted order, the SEC awarded a whistleblower nearly $3.5 million for voluntarily providing original information to the Commission, which expanded an existing investigation into a new geographic area and led to a successful enforcement action. The whistleblower also traveled to meet in person with staff, identified an important witness, and provided multiple supplemental submissions that assisted the SEC with the charges in the underlying enforcement action. In the second redacted order, the SEC awarded a whistleblower approximately $2.4 million for alerting the SEC to previously unknown conduct, which initiated the opening of the investigation. The whistleblower also met in person with SEC staff, provided documents, and identified potential witnesses.
Earlier on August 6, the SEC announced awards totaling more than $3.5 million to three whistleblowers whose information and assistance led to two SEC enforcement actions. According to the first redacted order, the SEC awarded a whistleblower nearly $2 million for voluntarily providing original information to the Commission, which led to a successful enforcement action. The whistleblower also provided ongoing assistance, participated in interviews, and provided information that saved staff time and resources. In the second redacted order, the SEC awarded a whistleblower approximately $1 million and a second whistleblower approximately $500,000. The SEC noted that though both whistleblowers provided valuable information, the whistleblower who received the larger award provided information and cooperation that was more impactful in the enforcement action.
The SEC has awarded approximately $956 million to 195 individuals since issuing its first award in 2012.
SEC issues whistleblower awards totaling nearly $4 million
On August 2, the SEC announced whistleblower awards to four individuals totaling nearly $4 million for information provided in two separate enforcement actions. According to the first redacted order, the SEC awarded a whistleblower nearly $2 million for voluntarily providing original information to the Commission, which initiated an investigation. The whistleblower also provided ongoing assistance, participated in interviews, and identified key witnesses, which led to a successful enforcement action. In the same enforcement action, the SEC awarded over $150,000 to another whistleblower, whose information helped SEC staff expand its investigation. In the second redacted order, the SEC awarded approximately $1.1 million to an individual for reporting misconduct internally and notifying the SEC of the violations, in addition to more than $500,000 to another whistleblower for providing important, but not sufficiently timely, information.
The SEC has awarded approximately $946 million to 190 individuals since issuing its first award in 2012.
SEC settles with company over ETP implementation failure
On July 19, the SEC announced a settlement with a financial services company for its role in alleged compliance failures connected to volatility-linked-exchange traded products (ETPs). According to the order, the issuer of the ETP, which was designed to track short-term volatility expectations in the market as measured against derivatives of a volatility index, warned the company that it was not suitable to hold the product for extended periods of time, and that the product’s offering documents proved that the product’s value was likely to decline. The SEC alleged that the company violated the Advisers Act and Advisers Act Rule, such as Section 206(4), because the company failed to adopt reasonably designed written policies and procedures directed at ETPs and failed to implement its existing policies and procedures. The order includes allegations that the company prohibited brokerage representatives from soliciting sales of the product and placed other sales restrictions of the product, but did not place similar restrictions on some financial advisers’ use of the product in discretionary managed client accounts. The order further noted that the company allegedly adopted a concentration limit on ETPs but failed to implement a system for monitoring and enforcing that limit for five years. The order, which the company consented to without admitting or denying the findings, imposes a civil money penalty of approximately $8 million and $96,344 in disgorgement, and requires the company to cease and desist from committing or causing any future violations of Section 206(4) of the Advisers Act and Advisers Act Rule.