On May 9, David Humphrey, a former branch chief in the Securities and Exchange Commission’s Division of Corporate Finance, pleaded guilty in a US court in Washington, DC, to charges brought by the US Department of Justice that he made false statements in government filings in order to conceal his unauthorized trading of options and securities at various times while employed by the SEC from 1998 through 2014.

On the same day, Mr. Humphrey also agreed to settle civil charges brought by the SEC related to the same matter. He consented to pay the SEC a fine of US $51,917 and disgorge profits of the same amount plus interest.

According to the SEC, during the relevant time, Mr. Humphrey was subject to numerous ethics rules that, among other things, prohibited SEC employees from (1) purchasing or holding securities of companies directly regulated by the Commission and (2) engaging in transactions in financial instruments that are derivatives of securities, and required them to (3) confirm with the SEC before entering into a securities transaction that the transaction was authorized and (4) hold securities for a minimum of six months after trade date. The SEC claimed that, during the relevant time, Mr. Humphrey engaged in transactions in securities and options on securities without preclearance; filed false forms with the SEC Ethics Office that did not disclose his prohibited transactions; falsely denied to the SEC Office of Inspector General that he engaged in prohibited transactions; and committed various other offenses.

According to the SEC, Mr. Humphrey engaged in false transactions for his own accounts, for his mother and for a friend. Mr. Humphrey principally conducted his illicit activities “using his SEC computer during business hours,” said the SEC.

Sentencing for Mr. Humphrey is scheduled for August 8, while his SEC settlement is subject to court approval.

My View: Under Regulation Automated Trading as initially proposed, the Commodity Futures Trading Commission would have been permitted to obtain proprietary source code of so-called “AT Persons” pursuant to its general inspection authority. Subsequently, the CFTC modified its proposal to limit such access to requests made pursuant to enhanced special call procedures, but did not restrict such access to requests through subpoena only. The industry vehemently criticized both proposals, as did then commissioner and now Acting Chairman, J. Christopher Giancarlo. (For background regarding Reg AT, see the article “Proposed Regulation AT Amended by CFTC; Attempts to Reduce Universe of Most Affected to No More than 120 Persons” in the November 6, 2016 edition of Bridging the Week.)

Last week’s criminal prosecution and civil action against a 16-year SEC veteran, for illicitly trading securities and options on securities and then lying about his actions to his employer, concretely evidences one of many concerns of critics fearful of turning over proprietary source code to staff of the CFTC or Department of Justice other than pursuant to lawful subpoena. Although Mr. Humphrey’s alleged wrongful conduct likely represents only the rarest of behavior among government employees, who are overwhelmingly honest and ethical, it illustrates how, over a relatively long period of time, a rogue government employee could disregard important safeguards to routinely and flagrantly engage in illicit activity right under the nose of his or her employer – including potentially misappropriating confidential information such as source code provided by a private entity. Only in connection with the issuance of a lawful subpoena can a private entity have an effective opportunity to address in federal court concerns about confidentiality and attempt to tailor government access to proprietary source code subject to reasonable conditions.

Moreover, President Trump’s issuance of an executive order last week requiring federal agencies to enhance their cybersecurity by implementing risk management measures developed by the National Institute of Standards and Technology is a reminder that, today, federal agencies are not obligated to maintain standards of protection as high as those adopted by many private companies. Accordingly, government agencies may be at greater risk of cyber-attack and theft than many companies such agencies regulate.

The source code provisions of Reg AT are not expected to survive the next rendition (if any) of any revised Reg AT proposal, but hopefully last week’s developments will eliminate any lingering support the source code provisions may continue to have.