InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
SEC settles with investment entities over ETF recommendations
On February 27, the SEC announced a settlement with a national bank to resolve allegations that two of its investment entities failed to monitor sales of exchange-traded funds (ETFs) to retail investors. The SEC alleged in its order that the bank’s compliance policies and procedures and supervisory processes were unable to adequately prevent and detect unsuitable recommendations of single-inverse ETFs, which allegedly led to bank investment advisors making recommendations to certain clients who were unaware of the risk of losses when ETFs are held long term. While the bank neither admitted nor denied the SEC’s findings, it agreed to pay a $35 million penalty and distribute funds to affected clients. The bank also agreed to cease and desist from engaging in any future violations of the relevant provisions.
SEC issues $7 million whistleblower award
On February 28, the SEC announced an award of over $7 million to a whistleblower in an enforcement action. According to the SEC’s press release, the whistleblower “provided extensive and sustained assistance, such as identifying witnesses,” which was “critically important to the success of [the] enforcement action.” The formal order also states that the whistleblower helped the SEC “understand complex fact patterns” and that “[t]he whistleblower’s information and assistance helped the SEC staff devise an investigative plan, craft document requests, and ultimately bring an important enforcement action focusing on serious financial abuses.”
The SEC’s press release states that it has awarded 73 individuals a total of approximately $394 million in whistleblower awards since 2012.
SEC settles with blockchain company over unregistered ICO
On February 19, the SEC announced a settlement with a blockchain technology company resolving allegations that the company conducted an unregistered initial coin offering (ICO). According to the order, the company raised approximately $45 million from sales of its digital tokens to raise capital to develop a digital asset trade-testing platform and to build a cryptocurrency-related data marketplace. The SEC alleges that the company violated Section 5(a) and 5(c) of the Securities Act because the digital assets it sold were securities under federal securities laws, and the company did not have the required registration statement filed or in effect, nor did it qualify for an exemption to the registration requirements. The order, which the company consented to without admitting or denying the findings, imposes a $500,000 penalty and requires the company to register its tokens as securities, refund harmed investors through a claims process, and file timely reports with the SEC.
FinCEN focuses on securities industry BSA/AML information sharing
On February 6, Financial Crimes Enforcement Network (FinCEN) Deputy Director Jamal El-Hindi delivered remarks at the Securities Industry and Financial Markets Association’s 20th Anti-Money Laundering (AML) and Financial Crimes Conference discussing, among other things, the agency’s focus on the Bank Secrecy Act (BSA). Specifically, El-Hindi stressed the importance of information sharing in the BSA context, remarking that the financial sector is “in an evolutionary state” dealing with “new technologies and new payment systems, such as those that involve virtual currency.” He asserted that innovators in the development of cryptocurrencies and messaging systems “cannot turn a blind eye to illicit transactions that they may be fostering,” and noted that FinCEN will regulate these emerging systems in accordance with existing principles that underlie the BSA and AML rules and regulations for the financial sector. El-Hindi encouraged the securities industry to share information, observing that only 14 percent of eligible securities companies are registered to take part in the 314(b) business-to-business information sharing program. He suggested that the industry needs better communication and cooperation to increase the effectiveness of BSA information collection. El-Hindi also discussed how cooperation has helped FinCEN’s cross-agency coordination and enhanced the agency’s rulemaking and guidance—specifically in the establishment of the Customer Due Diligence and Beneficial Ownership rule, but recognized that the lack of information collected regarding the formation of new corporations can frustrate the agency’s risk assessment abilities. To motivate information sharing, El-Hindi emphasized the importance of BSA information financial companies collect, sharing that SARs filings by securities companies have “increased roughly eight-fold” from 2003 to 2019, and that data provided from BSA filings is used frequently by law enforcement and regulators to inform their investigations and examinations and to “identify trends and focus resources.”
Broker-Dealer settles with SEC for improper handling of ADRs
On February 6, the SEC announced a settlement with a broker-dealer to resolve allegations concerning the improper handling of pre-released American Depositary Receipts (ADRs), or “U.S. securities that represent foreign shares of a foreign company.” The SEC noted in its press release that ADRs can be pre-released without the deposit of foreign shares only if: (i) the broker-dealers receiving the ADRs have an agreement with a depository bank; and (ii) the broker-dealer or the broker-dealer’s customer owns the number of foreign shares that corresponds to the number of shares the ADR represents. According to the SEC’s Order Instituting Administrative Proceedings (order), the broker-dealer improperly borrowed pre-released ADRs from other brokers that it should have known did not own the foreign shares necessary to support the ADRs. The SEC also found that the broker-dealer failed to implement policies and procedures to reasonably detect whether its securities lending desk personnel were engaging in such transactions. The broker-dealer neither admitted nor denied the SEC’s allegations, but agreed to pay more than $326,000 in disgorgement, roughly $80,970 in prejudgment interest, and a $179,353 penalty. The SEC’s order acknowledged the broker-dealer’s cooperation in the investigation and that the broker-dealer had entered into tolling agreements.
SEC commissioner proposes cryptocurrency safe harbor
On February 6, SEC Commissioner Hester M. Pierce announced her proposal for a three-year safe harbor rule applicable to companies developing digital assets and networks. Pierce suggested that not only would the rule provide regulatory flexibility “that allows innovation to flourish,” but it would also protect investors by “requiring disclosures tailored to their needs” while still maintaining anti-fraud safeguards, allowing investors to participate in token networks of their choice. Proposed Securities Act Rule 195 would allow companies to sell or offer tokens without being subject to the Securities Act of 1933, and without the tokens being subject to the registration requirements of the Securities Act of 1934. In order to qualify for these exemptions, the proposed rule requires that a company developing a network must, among other things, (i) “intend for the network on which the token functions to reach network maturity…within three years of the date of the first token sale”; (ii) disclose key information on a freely accessible public website,” including applicable source code and descriptions of how to search and verify transactions on the network; (iii) offer and sell its tokens in order to allow access to or development of its network; (iv) make “good faith and reasonable efforts to create liquidity for users”; and (v) “file a notice of reliance” with the SEC’s EDGAR system within 15 days of the company’s first token sale made in reliance on the safe harbor. Pierce suggested that the three-year grace period for qualifying companies would allow time for the development of decentralized or functional networks, and, at the end of the three years, a successful network’s tokens would not be regulated as securities.
FDIC finalizes securitization safe harbor
On January 30, the FDIC adopted the Final Rule to Revise Securitization Safe Harbor Rule (rule) as recommended by FDIC staff in a memorandum dated January 23. In July, as previously covered by InfoBytes, the FDIC approved a proposal to remove the requirement that, for safe harbor treatment, “the documents governing a securitization issuance require compliance with Regulation AB” of the SEC Regulation AB, “in circumstances where Regulation AB is not, by its terms, applicable to that transaction.” The proposal suggested that “it is no longer clear that compliance with the public disclosure requirements of Regulation AB in a private placement or in an issuance not otherwise required to be registered is needed to achieve the policy objective of preventing a buildup of opaque and potentially risky securitizations such as occurred during the pre-crisis years, particularly where the imposition of such a requirement may serve to restrict overall liquidity.” The final rule—which is unchanged from the proposal—eliminates the “significant disclosure requirements” to no longer mandate that private placements of securitization obligations provide Regulation AB disclosures. With the adoption of the final rule, only those transactions that are subject to Regulation AB are required to make the disclosures. The rule is expected to increase the securitization of residential mortgages and will become effective 30-60 days after it is published in the Federal Register.
SEC reports cybersecurity and resiliency observations
On January 27, the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced the release of a report entitled Cybersecurity and Resiliency Observations, compiled from an assessment of prior examinations. The report provides best practices for regulated entities to increase readiness and awareness related to cybersecurity. Echoing themes from the OCIE’s risk-based exam priorities, previously covered by InfoBytes here, the report also emphasizes risk management. Some of the highlights of the report include:
- Governance and Risk Management. OCIE lists senior level engagement as an important factor in an effective cybersecurity program. Also important is a thorough program risk assessment as well as the application of policies and procedures based on the assessment. Additionally, the cybersecurity program should continuously evolve, and provide for constant testing and monitoring.
- Access Rights and Controls. OCIE emphasizes the need for controls to limit access to certain data only to authorized users. Organizations should set out policies and procedures to monitor for unauthorized users, require periodic password changes for users, and review systems for changes that are not approved.
- Data Loss Prevention. Many firms protect sensitive data by using vulnerability scanning as well as perimeter security to monitor network traffic. Firms may utilize technology that can monitor for and detect network threats and insider threats. Also, encrypting data as it moves into and out of the network, and segmenting data for use only by authorized systems are key data loss prevention measures.
- Mobile Security. Firms that use mobile devices and applications may require enhanced security policies including the use of multi-factor authentication, limiting firm information that can be extracted from devices, and enabling the firm to remotely clear content when devices are lost or stolen. Training is also an important practice.
- Incidence Response and Resiliency. Effective risk-based incident response plans developed by firms focus on detection and corrective actions. The plans include business continuity as well as regular testing and reassessment of the plan.
- Vendor Management. OCIE promotes proper due diligence of vendors as well as effective management of vendors including monitoring and testing to ensure security requirements are continually met.
- Training and Awareness. OCIE notes that many firms incorporate effective policies and procedures into training, periodically re-evaluate training programs, and ensure employee participation.
SEC suit alleges fraudulent ICO
On January 21, the SEC announced that it filed suit in the U.S. District Court for the Eastern District of New York against a blockchain company and the company’s founder (defendants) for allegedly “conducting a fraudulent and unregistered initial coin offering (ICO).” The SEC alleges, among other things, that from 2017 until 2018, the defendants raised $600,000 from nearly 200 investors through promoting an ICO of digital asset securities called “OPP Tokens,” using material misrepresentations to create the false impression that the defendants’ platform was creating notable growth in the company. The defendants marketed the tokens by making misstatements to potential investors, greatly exaggerating the numbers of providers that were “willing to do business on, and contribute content to, [defendants’] blockchain-based platform.” The complaint also alleges that in marketing the ICO, the defendants provided a catalog of small businesses eligible to use the defendants’ platform that numbered in the millions, in order to create the false impression that the platform had a huge base of users. In reality, the catalog was not compiled by the defendants, but was simply acquired from a vendor. Additionally, the SEC alleges that the defendants provided numerous customer reviews in its promotions to create the impression that the platform had many users creating content, which were actually reviews stolen from a third-party website. The SEC charges that in addition to the above allegations, the defendants misrepresented that they had filed an SEC registration statement for the ICO. The SEC seeks injunctive relief, disgorgement of profits, civil money penalties, and a permanent bar preventing the founder from serving as officer or director of any public company.
Two whistleblowers earn SEC awards totaling $322,000
On January 22, the SEC announced that it had awarded a total of $322,000 to two whistleblowers in two separate enforcement actions. According to the SEC’s press release, the whistleblowers “played a crucial role in helping the Commission protect Main Street investors,” and “assisted the SEC in returning money to harmed investors.” One whistleblower provided information that reportedly helped the agency “shut down an ongoing fraudulent scheme that was preying on retail investors,” and was awarded $277,000 (see award order here). The other whistleblower, a harmed investor, assisted the agency to “shut down a fraudulent scheme targeting retail investors.” The whistleblower was awarded $45,000 (see award order here). Since 2012, the SEC whistleblower program has awarded roughly $387 million to 72 whistleblowers.