On November 6, 2019, the SEC Division of Enforcement published its annual report for fiscal year 2019. The report provides valuable insight, not only as to the Division’s performance over the past year, but also about its current priorities and where it will be focused in the near-term future. Overall, Enforcement’s program since 2017, when SEC Chairman Jay Clayton assumed leadership of the agency, has been shaped by five “core principles”: (1) focus on the retail investor; (2) focus on individual accountability; (3) keeping pace with technological change; (4) imposing remedies that most effectively further its enforcement goals; and (5) constant assessment of the allocation of the Division’s resources. 2019 saw significant developments in each of these areas.
In terms of the numbers, SEC Enforcement had a very busy year. Though its Co-Directors, Stephanie Avakian and Steven Peikin, discourage evaluating the Division’s performance based solely on the number of filed actions, that metric does provide an indication of how aggressively Enforcement is pursuing its goals. In fiscal 2019, the SEC filed 526 “standalone” cases (actions brought in federal court or as administrative proceedings, as distinguished from “follow-on” proceedings seeking industry bars based on the outcome of actions brought by the SEC, criminal authorities or other regulators), up from 490 such actions in fiscal 2018, an increase of 7 percent. The uptick is due in part to the expedited settlement process of the Share Class Disclosure Initiative (see below), but it is nevertheless significant that Enforcement reached these numbers despite the 35-day federal government shutdown in December 2018 and January 2019, which brought the SEC to a near-standstill, and despite reduced Enforcement staffing levels that, due to attrition and a hiring freeze in place until April of this year, are 9 percent below the level of fiscal 2016.
The types of cases that Enforcement brought provide a revealing look at its priorities. Consistent with Chairman Clayton’s longstanding emphasis on retail or “Main Street” investors, a persistent focus of this year’s enforcement actions was “misconduct that occurs in the interactions between investment professionals and retail investors.”1 Accordingly, as in 2018, standalone cases involving investment advisory and investment company issues were by far the largest category of enforcement actions, making up 36 percent of the total, followed by securities offerings (21 percent), issuer reporting/audit and accounting (17 percent), broker-dealers (7 percent), insider trading (6 percent), market manipulation (6 percent), Foreign Corrupt Practices Act (3 percent) and public finance (3 percent). The Division’s Retail Strategy Task Force, which was created in 2017 in large part to develop data-driven, analytical strategies for identifying practices that harm retail investors and to generate enforcement actions targeting those practices, spearheaded much of Enforcement’s retail investor-focused activity in fiscal 2019.
During the year, the SEC obtained $1.101 billion in penalties and $3.248 billion in disgorgement, compared to $1.439 billion and $2.506 billion, respectively, for fiscal 2018. The Division reported, however, that it continues to suffer the effects of the Supreme Court’s 2017 decision in Kokesh v. SEC,2 which held that disgorgement is a penalty and thus subject to a five-year statute of limitations. Enforcement estimates that the SEC has foregone approximately $1.1 billion in disgorgement in filed cases as a result of Kokesh, and that the impact of the decision is likely greater because the Division has prioritized investigations that are most likely to lead to the return of funds to investors. (The SEC’s authority to obtain disgorgement at all is now in question following the Supreme Court’s grant of certiorari in Liu v SEC. Click here to read our recent blog post on the topic.)
Other key takeaways from the annual report:
Investment Advisers Remain a Prime Target
As in 2018, the SEC was intensely focused on misconduct by investment advisers – in particular, failure to disclose conflicts of interest, improper valuation of fund assets, and improper allocation of fees and expenses. The Division of Enforcement filed several cases against advisers in each of these areas, typically involving non-scienter, negligence-based charges under Sections 206(2) and 206(4) of the Investment Advisers Act and Rule 206(4)-7 thereunder, which requires advisers to adopt policies and procedures reasonably designed to prevent violations of the Act.
The annual report highlights the culmination of Enforcement’s Share Class Disclosure Initiative (“SCDI”), announced in February 2018, which targeted the conflict arising from advisers’ selection of 12b-1 fee-paying mutual fund share classes for clients when alternative lower- or no-cost share classes of the same fund were available. Under the SCDI, advisers who self-reported their failure to disclose the conflict were required to disgorge the improperly obtained fees, but were not required to pay a penalty. As of September 2019, the SEC filed settled charges under the SCDI against 95 advisers, who agreed to disgorge a total of $135 million.
Other notable cases against advisers included: a settled administrative proceeding against two BMO adviser entities, which agreed to pay disgorgement and prejudgment interest of nearly $30 million and a penalty of $8.25 million to settle charges that they failed to disclose to clients their preferential selection of their Proprietary Mutual Funds, resulting in additional management fees through revenue-sharing agreements;3 a settled administrative proceeding against Colorado-based private fund manager Deer Park Road Management and its chief investment officer based on the firm’s alleged failure to value assets in accordance with GAAP, resulting in a $5 million penalty against the firm and a $250,000 penalty against the CIO;4 and a settled administrative proceeding against NB Alternatives Advisers LLC, a Dallas-based private equity fund adviser to three private equity funds sponsored by NBAA and its Neuberger affiliates, for alleged improper allocation of $2 million of compensation-related expenses to the funds, contrary to the governing limited partnership agreement, resulting in NBAA’s agreement to disgorgement and prejudgment interest of approximately $2.3 million and a $375,000 penalty.5
Digital Assets and Cybersecurity Remain Front and Center
Through the work of its Cyber Unit, Enforcement continued to prioritize cases involving the sale of digital assets and the security of data against cyber threats. Having previously determined that digital tokens can qualify as securities, and thus fall within the SEC’s power to regulate, the agency brought charges against several issuers engaging in initial coin offerings (“ICOs”) that made misleading statements or omissions in connection with the ICOs and/or failed to register the offerings in violation of Section 5 of the Securities Act. Increasingly, the SEC has filed cases against issuers for failure to register alone, and have set out a “path to compliance” in its settlements with those issuers, whereby the issuers agree to rescission of investors’ purchases of tokens under the illegal offerings, notify investors of their right to rescind, register their tokens under Section 12(g) of the Securities Exchange Act, and comply with applicable reporting requirements. Two significant ICO cases in 2019, however, are being litigated in federal court: one against Kik Interactive, Inc.,6 in which the company is disputing that its tokens are securities, and another against ICOBox for failure to register a digital token offering and for acting as an unregistered broker in facilitating other ICOs.7 Industry participants and the defense bar will be watching these cases closely for judicial guidance on these issues.
Data security was also at the top of Enforcement’s agenda. At the start of the fiscal year, Enforcement issued a report under Section 21(a) of the Exchange Act, which warned that public companies need to take into account cyber threats when designing their internal accounting controls.8 The nine issuers that were the subject of the report had fallen victim to “business email compromises,” in which company personnel received spoofed or otherwise compromised emails purporting to be from a company executive or vendor, resulting in payments of large sums of money to the perpetrators, even though the companies had in place policies and procedures intended to prevent such scams.
The Cyber Unit, along with the Market Abuse Unit, brought charges against nine defendants, including a Ukraine-based hacker, in an international scheme to hack into the SEC’s EDGAR database during 2016 and extract “test filings” containing at least 157 earnings releases and other non-public information, which other scheme participants used to engage in insider trading.9 The case illustrates Enforcement’s increasingly enhanced ability to analyze massive amounts of data to identify suspicious trading. As the Division acknowledged in the annual report, the case “might not have been possible to bring just a few years ago due to the geographical dispersal and technological sophistication of the perpetrators.”10
Enforcement also brought cases against regulated entities under Regulation Systems Compliance and Integrity (“Reg SCI”), which aims to protect the security and capabilities of the technological infrastructure of the U.S. securities markets. These included a settled action against Options Clearing Corporation (“OCC”), the sole registered clearing agency for exchange-listed options contracts on equities.11 The SEC found that OCC violated Reg SCI by failing to establish adequate policies and procedures to effectuate the purposes of the regulation and for changing policies on core risk management without obtaining required SEC approval. OCC agreed to pay a $15 million penalty and to comply with an extensive set of undertakings, including hiring an independent compliance auditor.
Public Company Disclosure and Auditor Issues Prominent on the Enforcement Agenda
Though by no means a new area of focus, Enforcement brought 92 standalone actions involving issuer reporting and auditor issues in fiscal 2019, up from 79 in fiscal 2018, constituting 17 percent of the SEC’s total standalone cases. These actions covered a range of alleged misconduct, including misleading financial reporting, misleading disclosures about business operations and risks, and auditor independence.
Significant cases in this space included: a settled federal court action against Facebook, which agreed to a $100 million penalty for allegedly misrepresenting the misuse of its users’ data in its risk factors as hypothetical, even though it knew that a researcher had improperly sold information about tens of millions of its users to Cambridge Analytica for the purpose of targeting advertising at U.S. voters;12 a settled federal court action against Mylan N.V., resulting in a $30 million penalty for the company’s alleged failure to disclose or accrue a loss for a Department of Justice investigation into whether it overcharged Medicaid for its EpiPen device;13 a federal court action against Volkswagen, two of its subsidiaries and its former CEO in connection with the “clean diesel” scandal, in which the company and CEO allegedly made false and misleading statements about vehicle quality, environmental compliance and the company’s financial condition;14 and cases against Deloitte Touche Tohmatsu LLC and PricewaterhouseCoopers LLP for alleged violations of the auditor independence rules.15
Individual Accountability Still a Major Theme
Consistent with its stated priority of bringing cases against individual wrongdoers, 69 percent of the SEC’s standalone cases in fiscal 2019 (other than cases that were part of the SCDI) involved charges against one or more individuals, on the rationale that “individual accountability drives behavior and can also broadly impact corporate culture.”16 This rate is consistent with the last several fiscal years, and given the Co-Directors’ repeated emphasis on this issue, Enforcement can be expected to continue targeting individual violators for the foreseeable future.
1. Id. at 10.
2. 137 S. Ct. 1635 (2017).
6. SEC v. Kik Interactive Inc., Civ. A. No. 19-cv-5244 (S.D.N.Y. June 4, 2019).
7. SEC v. ICOBox, No. 2:19-cv-08066 (C.D. Cal. Sept. 18, 2019).
8. Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements, Exch. Act. Rel. No. 84429 (Oct. 16, 2018), available here.
9. SEC v. Ieremenko, et al., No. 19-cv-505 (D.N.J. Jan. 2019).
10. Supra note 1 at 13.
15. Press Release 2019-9, “Deloitte Japan Charged With Violating Auditor Independence Rules,” (Feb. 13, 2019), available here; Press Release 2019-184, “SEC Charges PwC LLP With Violating Auditor Independence Rules and Engaging in Improper Professional Conduct,” (Sept. 23, 2019), available here.\
16. Supra note 1 at 17.