Posted by Charles J. Clark, Craig S. Warkol and Alex Wharton, Schulte Roth & Zabel LLP, on Wednesday, November 24, 2021
Editor's note: Charles J. Clark and Craig S. Warkol are partners and Alex Wharton is an associate at Schulte Roth & Zabel LLP. This post is based on their SRZ memorandum.
While the third quarter of 2021 marked the end of the fiscal year for the U.S. Securities and Exchange Commission ("SEC" or "Commission"), it also seems to be the start of an aggressive enforcement agenda led by its new Chairman and Director of Enforcement. In this post, we discuss the latest enforcement actions and statements from regulators related to digital assets, the SEC's innovative "shadow trading" insider trading case, and fraud claims brought against an alternative data vendor notwithstanding that it was not engaged in securities transactions. This post also describes recent enforcement actions against investment advisers and broker-dealers for deficient cybersecurity procedures aimed at protecting customer information. We conclude by summarizing enforcement cases of particular interest to this audience, many of which illustrate the enforcement themes highlighted in previous editions of SRZ's Securities Enforcement Quarterly.
SEC Chair Gary Gensler continues to signal that the SEC will take an aggressive approach toward digital asset issuers, exchanges, and lending platforms. The SEC Chair recently characterized the cryptocurrency market as the "Wild West" and indicated his belief that it requires more federal oversight.1 Speaking on a panel at the Aspen Security Forum in August 2021, Gensler said the crypto market, which is currently valued at over $1.5 trillion, lacked necessary and common investor protections that the SEC is tasked with providing, allowing the market to become "rife with fraud, scams and abuse."2 At a September 2021 appearance before the Senate Banking Committee, Gensler commented that Coinbase, the nation's largest cryptocurrency exchange, has yet to register with the SEC "even though they have dozens of tokens that may be securities,"3 and later stated that "hundreds or thousands" of tokens that are traded on such exchange platforms are likely securities,4 which would require the platforms to register with the SEC or apply for an exemption.
1 Dean Seal, Gensler Calls For Amped-Up Regulation Of Crypto 'Wild West,' Law360, Aug. 3, 2021, available here.
2 Id.
3 Oversight of the U.S. Securities and Exchange Commission, Hearing before the Committee on Banking, Housing and Urban Affairs, Sept. 14, 2021 (testimony by Gary Gensler, Chairman of the U.S. Securities and Exchange Commission), video available here.
The SEC has faced criticism, including by members of Congress, that it has not provided clear guidance and rules governing the cryptocurrency market, including which cryptocurrencies constitute securities. At the Aspen Security Forum in August, Gensler stated that he disagreed with this criticism, noting that the SEC has brought 75 enforcement cases related to digital assets in the past decade.5 Since his appointment, Gensler has rebuffed accusations that the SEC relies on "regulation by enforcement" regarding what constitutes a security, saying that "[t]here's usually a handful of entrepreneurs and technologists that, in effect, the investor is hoping will do well. That means anticipation of profits on the efforts of others . . . I think it's kind of just reasonably clear--I would say very clear."6 In addressing cryptocurrencies specifically, Gensler recently referenced the decades-old definition of "investment contracts" in the U.S. Supreme Court's ruling in Howey as the appropriate regulatory framework to consider which tokens are securities.7
One issue of particular focus concerns so-called "stablecoins," which are cryptocurrencies that have a value pegged to a fiat currency, exchange-traded commodity, or other cryptocurrency. Stablecoins are a fast-growing sector of the marketplace and constitute a significant percentage of trading activity in cryptocurrencies. The value of the three largest stablecoins allegedly exceeds $100 billion, having increased approximately tenfold in the past year.8 Senator Patrick Toomey (R-Pa.), the ranking Republican on the Senate Banking Committee, in criticizing the SEC's approach of "regulation by enforcement" during Gensler's appearance before the Senate Banking Committee, focused on stablecoins as not constituting a security because "stablecoins do not have an inherent expectation of profit, they're just linked to the dollar." He questioned whether it was Gensler's view "that stablecoins themselves can be securities."9 Gensler responded that stablecoins "may well be securities" and noted that Congress painted with a "very wide brush" in defining the SEC's enforcement power, but observed that stablecoins do share characteristics with traditional banking products and suggested that new banking regulations may be necessary to address them.10
In the weeks following Gensler's first appearance before Congress, and in response to prior concerns voiced by Treasury Secretary Janet Yellen11 and the Federal Reserve,12 the Administration has indicated that it is considering imposing bank-like regulations on stablecoin issuers and prodding the issuers to register as banks to safeguard against financial panics and instability.13 The Administration's recommendations as to how to implement such regulations are expected to be included in a report from the President's Working Group on Financial Markets--which includes Chair Gensler, Secretary Yellen, and Federal Reserve Chairman Jerome Powell--in late October 2021. It remains to be seen whether that report will clarify the SEC's position on whether stablecoins constitute securities.
4 David Ignatius, The Path Forward: Cryptocurrency with Gary Gensler, Washington Post Live, Sept. 21, 2021, available here.
5 Dean Seal, supra note 1.
6 Id.
7 Dean Seal, Coinbase May Face SEC Action Over Cryptocurrency Product, Law360, Sept. 8, 2021, available here.
8 Andrew Ackerman, Stablecoins in Spotlight as U.S. Begins to Lay Ground for Rules on Cryptocurrencies, Wall Street Journal, Sept. 25, 2021, available here.
9 Oversight of the U.S. Securities and Exchange Commission, supra note 3.
10 Id.
11 Paul Vigna, Risks of Crypto Stablecoins Attract Attention of Yellen, Fed and SEC, Wall Street Journal, July 17, 2021, available here.
12 Tanya Macheel, The Fed Is Worried the Rise of Stablecoins Could Impact Financial Stability, CNBC, Aug. 18, 2021, available here.
Despite criticisms of "regulation by enforcement," the SEC continues to pursue enforcement actions related to digital asset issuers and exchanges. In August, Poloniex, LLC agreed to pay approximately $10.4 million to settle claims with the SEC that it operated as an unregistered exchange for digital assets, many of which constitute "investment contracts."14 Poloniex offered a trading platform that allowed global users to trade cryptocurrencies. One SEC commissioner, Hester Peirce, spoke out against the action, saying regulators were engaged in an "aggressive, enforcement-centric approach to crypto,"15 and her colleague Elad Roisman also has joined in the condemnation, criticizing the SEC's enforcement actions in the crypto sphere given the "decided lack of clarity"16 and "reluctance to provide additional guidance about how to determine . . . which tokens are securities."17
Both the SEC and state regulators are taking aim at interest-earning cryptocurrency products, arguing that they constitute securities as well. In September, Coinbase revealed that it had received a Wells notice--a formal notice from the SEC staff--informing Coinbase that the staff was prepared to seek authorization to pursue an enforcement action related to Coinbase's recently announced Lend program, which would offer customers the ability to earn 4% interest on stablecoin holdings.18 One week later, Coinbase canceled the launch of Lend, which had been advertised as a high-yield alternative to traditional savings accounts, with interest rates "more than 50x the national average of a traditional savings account."19 State regulatory bodies have also been active with respect to these platforms. In one recent example, New Jersey's securities regulator ordered digital asset companies Celsius Network LLC and BlockFi to stop offering interest-earning cryptocurrency products, stating that Celsius has raised over $14 billion by selling unregistered securities in the form of interest-earning crypto-asset accounts.20
In addition, in a significant development, the Commodity Futures Trading Commission ("CFTC") recently asserted some enforcement authority over stablecoins. On Oct. 15, 2021, the CFTC issued an order fining Tether Holdings Limited, Tether Limited, Tether Operations Limited, and Tether International Limited (d/b/a Tether), the largest stablecoin issuer, $41 million for making untrue or misleading statements and omissions of material fact in connection with the Tether U.S. dollar stablecoin ("USDT") token. The CFTC also issued an order fining iFinex Inc., BFXNA Inc., and BFXWW Inc. (d/b/a Bitfinex) $1.5 million for operating as a future commodities merchant ("FCM") without registering with the CFTC. Notably, this is the first time the CFTC, or any regulator, has asserted jurisdiction over stablecoins. The CFTC order stated that "bitcoin, ether, litecoin, and tether tokens are commodities" and that USDT tokens "constitute a commodity in interstate commerce under Section 6(c)(1) of the [Commodity Exchange Act]."21
13 Andrew Ackerman and AnnaMaria Andriotis, Biden Administration Seeks to Regulate Stablecoin Issuers as Banks, Wall Street Journal, Oct. 1, 2021, available here.
14 SEC Charges Poloniex for Operating Unregistered Digital Asset Exchange, SEC Press Release No. 2021-147, Aug. 9, 2021, available here. We discuss Poloniex in greater detail infra at 25.
15 Tom Zanki, Crypto Platforms To See More SEC Crackdowns, Gensler Says, Law360, Sept. 21, 2021, available here.
16 Dean Seal, SEC Settles With Crypto Exchange Poloniex For $10M, Law360, Aug. 9, 2021, available here.
17 Al Barbarino, SEC Members 'Disappointed' By Latest Crypto Order, Law360, July 14, 2021, available here.
18 Dean Seal, supra note 7.
19 Elise Hansen, Coinbase Backs Off Lending Program After SEC Pressure, Law360, Sept. 20, 2021, available here.
20 Elise Hansen, States Flag Celsius' Interest-Earning Crypto Accounts, Law360, Sept. 17, 2021, available here.
These recent actions by the SEC, CFTC, and state regulators shed light on the regulatory risks participants face in the digital asset market. We expect novel, yet significant, enforcement actions will follow the rhetoric and shape the marketplace. Consistent with that expectation, we note that on Oct. 6, 2021, the Department of Justice ("DOJ") announced the launch of the National Cryptocurrency Enforcement Team, a new team that will focus on cryptocurrency exchanges and infrastructure providers and their activities that enable money laundering.22
The multibillion dollar market for alternative data has exploded in recent years among investment advisers that use the data to inform trading decisions. There is an endless array of alternative data sources--including satellite imagery, geolocation data, and social media; even golf courses have found a way to collect, aggregate, and monetize their data.
The SEC has taken notice in a variety of ways.
Most recently, on Sept. 14, 2021, in an announcement that rocked the industry, the SEC charged App Annie, one of the most commonly used alternative data vendors, and its founder, Bertrand Schmitt, with securities fraud for material misrepresentations they made to the corporate clients whose data App Annie collected and to the fund managers that licensed this data.23 Although App Annie was not charged with insider trading, the SEC order acknowledged that the data products at issue had the potential to contain material non-public information ("MNPI"). This first-of-its-kind action highlights the critical importance of conducting thorough vendor diligence commensurate with the securities fraud risks associated with these data products. It also demonstrates the aggressive approach that this SEC, under Chair Gensler, will take in pushing the boundaries of its securities enforcement mandate.
The SEC's hook for the securities fraud charges against App Annie was the fact that App Annie's data product, which includes app downloads, revenue figures, and usage metrics, was sold to investment firms to inform their trading decisions. The SEC's charges were premised on the notion that material misrepresentations related to alternative data products are sufficiently "in connection with" the purchase or sale of securities under Section 10(b) of the Securities Exchange Act of 1934 ("Exchange Act"). Specifically, the SEC concluded that App Annie, in statements to its fund manager clients, had misrepresented the nature of the information it had gathered from its corporate clients and had manipulated this data in a manner inconsistent with its disclosures. The aggressive application of Section 10(b) raises the stakes for any misrepresentations in connection with these data products, whether by vendors or consumers, including fund managers.
21 Tether Holdings Limited, et al., CFTC Docket No. 22-04, Oct. 15, 2021, available here; see iFinex Inc., et al., CFTC Docket No. 22-05, Oct. 15, 2021, available here.
22 See Deputy Attorney General Lisa O. Monaco Announces National Cryptocurrency Enforcement Team, DOJ Press Release 21-974, Oct. 6, 2021, available here.
23 See SEC Charges App Annie and its Founder with Securities Fraud, SEC Press Release No. 2021-176, Sept. 14, 2021, available here.
In addition to insider trading and other securities fraud risks, private fund managers that acquire alternative data have to consider their obligations under the Investment Advisers Act of 1940 ("Advisers Act"), including the requirement that firms have policies and procedures in place to prevent violations of the Advisers Act (17 CFR 275.206(4)-7) and to prevent the misuse of MNPI (Section 204A of the Advisers Act).
To address these risks, many fund managers subject alternative data vendors to robust diligence. The most common diligence efforts focus on reviewing the so-called "chain of consent"--pushing vendors to show the consents they receive from all sources of data in the "data chain." Acknowledging the importance of this diligence, the SEC in its action against App Annie emphasized that App Annie's consents and representations about the absence of MNPI in its data products were "material to trading firms' decisions to use App Annie's estimates for investment purposes[.]"
Even though the charges are against a data vendor, the action nonetheless has important lessons for fund managers:
Policies and Procedures--Firms should craft their policies and procedures to be proportionate to the operative risks that alternative data sets pose. It is often useful to clearly delineate the roles and responsibilities of compliance personnel, on the one hand, and investment professionals and data scientists, on the other.
Onboarding Diligence--It is not enough to rely solely on contractual representations in data licensing agreements. Managers should conduct diligence of the vendors consistent with the relevant risks before receiving data sets (including sample data sets) that present a risk of MNPI or personal information. Documentation of this process must demonstrate that the manager understood the data and its sources before approving it, including, as appropriate, evidence that the data was collected consistent with applicable law and without any breach of duty. Vendors that cannot satisfy a manager's diligence process should not be approved.
Periodic Diligence--The need for diligence doesn't end with onboarding a vendor--the frequency of diligence can be tailored to the specific risks presented by the vendor and the data products. Ongoing monitoring can identify negative news, enforcement actions and civil litigation that may require additional diligence.
Training--Although much of the vetting is performed by legal and compliance personnel, investment professionals and data scientists are important partners, particularly given they often identify the data sets for acquisition and interface with vendor representatives and sales people. Training is a useful way to sensitize these individuals to the compliance risks.
Disclosures--Fund managers that use alternative data should consider whether they are making appropriate disclosures to investors about those risks in offering documents and in their Form ADV.
Lack of Guidance on Web Scraped Data--The SEC's order only focused on App Annie's nonpublic data sources, and did not address public or quasi-public data collected through automation, such as web scraping, for use in data products. App Annie's updates to its public disclosures acknowledge its use of automated methods to collect data from various sources but do not offer detail about such practices.
This action marks a new stage in the SEC's increasing focus on alternative data--one likely to include continued examination focus and additional enforcement activity.
On Aug. 17, 2021, the SEC filed a complaint against a former corporate executive for "shadow trading," a form of insider trading where a person uses confidential information about one company to trade in the securities of an "economically linked" company, such as a competitor in the same industry.24 As further detailed below, the SEC alleged that moments after learning his company was being acquired, a corporate executive purchased the securities of a competing company based on the belief that the competitor's stock price would rise following the public announcement of the merger.
While the charges appear to be grounded in existing law, the SEC has never brought a case like this. The defendant is contesting the charges, which should create an opportunity for a court to provide clarity as to whether awareness of MNPI about one company precludes trading in an unaffiliated company. In the interim, this enforcement action reveals a new way in which the SEC intends to apply insider trading concepts--one which likely will have significant implications for the entire investment community.
The SEC complaint alleges that, "within minutes" of learning that Medivation Inc. ("Medivation") would be acquired by Pfizer Inc., Matthew Panuwat, a senior business development executive at Medivation, purchased out-of-the-money, short-term call options in Medivation's competitor, Incyte Corporation ("Incyte").25 The stock options purchased by Panuwat roughly doubled in value following announcement of the Medivation acquisition, resulting in profits of $107,066. The complaint notes that Panuwat had never before traded in the stock or options of Incyte.26
The SEC's complaint describes in detail the correlation between the confidential information about the pending acquisition of Medivation and the anticipated positive impact on the stock price of its competitor, Incyte, alleging that Panuwat knew, or was reckless in not knowing, that the information concerning Medivation's imminent acquisition was not only material to Medivation, but also to Incyte.27 Specifically, in advance of the announcement, Panuwat reviewed presentations from Medivation's investment bankers concluding that Medivation and Incyte were similarly situated firms. The complaint notes that Panuwat closely tracked both Incyte and Medivation's stock prices and knew that a prior M&A announcement by a peer firm the previous year had resulted in material increases to both Incyte's and Medivation's stock prices, and therefore Panuwat appreciated the impact that the takeover announcement would have on the competitor's stock price.28 The complaint also portrays Panuwat as a sophisticated market participant, in that he had worked in the biopharmaceutical industry for 15 years, including eight years in the global healthcare investment banking division of a top investment bank.29
24 Complaint, SEC v. Panuwat, No. 4:21-cv-06322 (N.D. Cal. Aug. 17, 2021), ECF No. 1, available here; SEC Charges Biopharmaceutical Company Employee with Insider Trading, SEC Press Release No. 2021-155, Aug. 17, 2021, available here; see also Mihir N. Mehta et al., Shadow Trading, Acct. Rev., July 2021, at 367, manuscript available here.
25 Complaint, Panuwat, at 8.
26 Id. at 8-9.
27 Id. at 7.
The SEC maintains that, as a Medivation employee, Panuwat owed Medivation a duty of trust and confidence, including a duty to refrain from using Medivation's proprietary information for personal gain. In its complaint, the SEC quoted Medivation's insider trading policy, which expressly forbade Panuwat from using Medivation's confidential information to trade in the securities of any other publicly traded company.30 Panuwat also did not seek pre-clearance or authorization from Medivation for his options trades and did not inform anyone at Medivation about them after the fact.
The SEC's action alleges violations by Panuwat of the anti-fraud provisions of the Exchange Act, and seeks injunctive relief, civil penalties, and a bar from serving as an officer or director of a public company.
Under the classical theory of insider trading, a corporate insider violates Section 10(b) and Rule 10b-5 by trading in the securities of their own company on the basis of MNPI. The misappropriation theory, by contrast, prohibits corporate outsiders from trading based on MNPI obtained in breach of a duty owed to the source of the information. While the misappropriation theory was controversial when first advanced by the government, it has become well-established by the courts.31
The legality of shadow trading in any particular instance will turn on the question of materiality and the specific facts and circumstances related to the information and the companies at issue, including the scope of the duty owed by the insider to the company. In particular, the SEC will need to establish whether the MNPI was material to the company whose securities were traded. In this case, the specific facts are critical to understanding why the SEC brought this action. The complaint emphasizes that the investment banks advising Medivation "drew close parallels between Medivation and Incyte, including that both were valuable, mid-cap, oncology-focused companies with a profitable FDA-approved (commercial-stage) drug on the U.S. market."32 The SEC also highlighted that Panuwat knew Medivation and Incyte securities traded similarly following a previous merger in the sector and that, although he had never traded Incyte securities previously, Panuwat did so within minutes of learning about the confidential information.
28 Id. at 5-6.
29 Id. at 3.
30 The policy stated: "During the course of your employment ... you may receive important information that is not yet publicly disseminated . . . about the Company. ... Because of your access to this information, you may be in a position to profit financially by buying or selling or in some other way dealing in the Company's securities ... or the securities of another publicly traded company, including all ... competitors of the Company ... . For anyone to use such information to gain personal benefit ... is illegal." Id. at 5 (emphasis added).
31 See United States v. O'Hagan, 521 U.S. 642, 651-53 (1997).
32 Complaint, Panuwat, at 5.
The implications of this case, particularly for private investment funds, are significant. The SEC has staked out new ground that all market professionals should take into consideration and that will continue to define the scope of insider trading in the coming years.
As with any case of first impression, the SEC has not provided any specific guidance as to what it will consider shadow trading, nor has it defined what it considers economically linked companies. Legal and compliance professionals at private investment funds should pay particular attention to this matter and its impact on their compliance programs, and should consider whether it may be appropriate to update relevant policies and procedures and to provide targeted training. Any evaluation of whether to restrict trading in a security upon the receipt of MNPI, even if inadvertent, should include a determination of whether to restrict trading in "economically linked" companies.
The SEC has highlighted cybersecurity risks to investment advisers for many years and routinely reminds firms of their obligations as fiduciaries and under other applicable laws. Cybersecurity is also a common part of exam staff sweeps and enforcement inquiries. In June, the SEC Enforcement staff reached out to numerous companies, including private funds, in what it described on its website as a "confidential fact-finding investigation" of the December 2020 SolarWinds attack. While providing a response was voluntary, the SEC staff offered that it would not recommend charges against victims who agreed to provide information about the widely publicized attacks.33 A trio of enforcement actions in August against investment advisory firms and broker-dealers shows how seriously the SEC takes cybersecurity risks and provides lessons for private fund managers on how to satisfy these obligations.
On Aug. 30, 2021, the SEC announced the settlement of charges in three separate enforcement actions against investment advisers and broker-dealers for deficient cybersecurity procedures, where each firm had experienced breaches of cloud-based email accounts that exposed the personal information of thousands of investors of each firm.34 The actions demonstrate the SEC's more aggressive enforcement of the Safeguards Rule of Regulation S-P at a time when financial institutions are increasingly targets of cyberattacks. The Safeguards Rule requires advisers to adopt written policies and procedures reasonably designed to protect customer records and information.35 In its enforcement of the Safeguards Rule, the SEC staff has focused its attention on cybersecurity policies and procedures, including in the context of cloud-based solutions.36 The SEC also charged one of the advisory firms for violating the anti-fraud provision of the Advisers Act, and the Compliance Rule (206(4)-7) thereunder, for failing to adopt sufficient written policies and procedures. The fines ranged from $200,000 to $300,000. The enforcement actions each began with deficiencies identified by the exam staff and demonstrate the coordination between the exam staff and the Cyber Unit of the Enforcement Division on these issues.
33 See In the Matter of Certain Cybersecurity-Related Events (last modified June 25, 2021), available here.
34 SEC Announces Three Actions Charging Deficient Cybersecurity Procedures, SEC Press Release No. 2021-169, Aug. 30, 2021, available here.
35 17 CFR 248.30, available here.
36 The SEC's Office of Compliance Inspections and Examinations ("OCIE") has previously issued guidance on cybersecurity-related compliance issues under the Safeguards Rule, in particular, in a Risk Alert dated Apr. 16, 2019, available here, in which OCIE identified numerous compliance issues under the Safeguards Rule arising from insufficient cybersecurity policies (or failures to properly implement such policies), and a Risk Alert dated May 23, 2019, available here, in which OCIE discussed compliance issues, including under the Safeguards Rule, associated with the use of cloud-based solutions. SRZ discussed these Risk Alerts in an article entitled OCIE Focusing on Safeguarding of Customer Information and Books and Records Retention, available here, which appeared in the August 2019 edition of SRZ's Private Funds Regulatory Update.
We discuss below each of the actions and the lessons they provide for fund managers, including specific recommendations for cybersecurity compliance.
Cetera. The SEC found that, between November 2017 and June 2020, cloud-based email accounts of 60 representatives of Cetera Advisor Networks LLC and four of its affiliates ("Cetera") were taken over through phishing,37 credential stuffing,38 or other modes of attack, resulting in the exposure of personal information of at least 4,388 clients. Cetera responded by amending its policies to require multifactor authentication ("MFA") to be turned on for "privileged or high-risk access." While Cetera activated MFA for its employees and certain other cloud-based email accounts, it did not activate MFA for independent contractors, including contractor accounts that had been breached as recently as the first half of 2020. In finding Cetera violated the Safeguards Rule, the SEC observed that Cetera's policy of requiring MFA for "privileged or high risk access" was not reasonably designed; it did not apply to accounts of independent contractors, who had access to data that was no less high risk than the data to which employees had access.
The SEC also charged Cetera with violations of Section 206(4) of the Advisers Act and Rule 206(4)-7 thereunder, which require advisers to adopt and implement written compliance policies and procedures reasonably designed to prevent violations of the Advisers Act. Cetera engaged outside counsel to prepare breach notices that were sent to clients impacted by the breach. Certain of these notices relied on template language that was misleading about the timing around the incident. In particular, certain breach notices stated that Cetera had learned of the breach two months before the notification when, in fact, Cetera had learned of the breach at least six months earlier. In finding a violation of the Advisers Act, the SEC noted that, while Cetera had a policy requiring that its personnel review all client communications before they were sent, Cetera failed to implement a reasonably designed policy because Cetera personnel failed to correct the template language that Cetera knew to be misleading at the time personnel conducted their review of the breach notices.
37 Phishing is a type of attack perpetrated by using a fraudulent or "spoofed" email address to trick a victim into downloading malicious software, or entering login credentials, and employing such software or credentials to gain unauthorized access to accounts and systems.
38 Credential stuffing is a type of attack perpetrated by collecting compromised client login credentials from the dark web and, through the use of automated scripts, employing such credentials to gain unauthorized access to accounts and systems. See SEC Provides Observations on "Credential Stuffing" Cyberattacks, SRZ Private Funds Regulatory Update, Oct. 2020, available here.
Cambridge. Between January 2018 and July 2021, cloud-based email accounts of 121 representatives of Cambridge Investment Research, Inc. and Cambridge Investment Research Advisors, Inc. ("Cambridge") were taken over through phishing, credential stuffing, or other modes of attack, resulting in the exposure of personal information of at least 2,177 clients. During that period, Cambridge's policies recommended, but did not require, individuals registered with FINRA as independent contractors, and associated with independent branch offices providing brokerage and investment advisory services, to implement enhanced security measures, such as MFA, on cloud-based email accounts.
After discovering the email account breaches, Cambridge suspended and reset the passwords for the accounts of the affected independent representatives. Cambridge also recommended, but did not require, these representatives to implement MFA or other enhanced security measures to prevent future breaches of cloud-based accounts. Some, but not all, representatives followed Cambridge's recommendations, and takeovers of independent contractor email accounts persisted. Not until April 2021 did Cambridge revise its policy to require MFA for all cloud-based accounts. The SEC found that Cambridge's failure to timely adopt and implement a firmwide policy requiring enhanced security measures for cloud-based email accounts violated the Safeguards Rule.
KMS. Between September 2018 and December 2019, cloud-based email accounts of 15 independent financial advisers of KMS Financial Services, Inc. ("KMS") were taken over through phishing and other modes of attack, resulting in the exposure of personal information of approximately 4,900 clients. During this period, KMS maintained a policy manual that required its financial advisers to (1) "[c]onduct [their] business practices in a way that safeguards the confidentiality of [their] client's identity, including protecting all sensitive client information," and (2) "[p]eriodically review [their] internal business policies to make sure they are adequately designed to protect sensitive client information." The policy manual also required advisers to comply with KMS's Computer Network and Security Policies, which contained detailed technical security requirements,39 but did not require the use of MFA for accessing sensitive data.
After discovering the email account breaches, KMS reset passwords, removed email forwarding rules and enabled MFA for the accounts of the affected financial advisers. However, KMS did not implement these security measures for all independent advisers until approximately 21 months after the discovery of the first breach, a period during which approximately 2,700 emails of one KMS financial advisor were exposed and forwarded outside the firm. The SEC's order also notes that KMS failed to adopt enhanced security measures firmwide, despite several of the incident reports prepared by the forensic firms KMS hired to investigate the breach recommending that KMS expedite the enabling of MFA for all independent contractor email addresses. As in the Cambridge action, the SEC found that KMS's delay in adopting and implementing a firmwide policy requiring enhanced security measures for cloud-based email accounts violated the Safeguards Rule.
These enforcement actions serve as an important reminder that, to comply with the Safeguards Rule and the Advisers Act, investment managers must (1) adopt and implement a robust written cybersecurity policy, (2) regularly update the policy to account for risks introduced by the use of
39 These requirements included maintaining strong passwords, securing wireless networks, using anti-virus and malware protection, securing backup and stored data, and encrypting hard drives.
new technologies and in response to known cybersecurity incidents, and (3) regularly test the policy to ensure the security measures it mandates have been properly implemented. In the SEC's announcement of these three actions, the Chief of the SEC Enforcement Division's Cyber Unit remarked: "It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks."40 The involvement of the SEC's examination staff in pursuing these actions also serves as a reminder to managers to keep good records of their compliance, as questions about cybersecurity compliance are likely to come up in exams.
The three actions brought by the SEC share common themes that underscore the importance of the following cybersecurity considerations for fund managers:
Use of Cloud Solutions. The SEC staff continues to be focused on risks presented by the use of new technologies, in particular the use of cloud-based email and other cloud-based solutions. In making IT infrastructure changes that impact how client records are handled, including what third parties have access to client records and how client records are stored, managers should review and update their cybersecurity policies to account for the risks that have been introduced.
Application of Policies to Contractors Where Appropriate. Cybersecurity policies should be written, implemented and updated on a firmwide basis, including to properly account for the role of any independent contractors who have access to personal or other sensitive information.
Implementation and Testing. Managers should periodically test the effectiveness of their cybersecurity policies and procedures to determine if they are reasonably designed in light of current developments, including any recent cyberattacks, and whether they are being effectively implemented.
Multifactor Authentication. The SEC's recent enforcement actions and risk alerts signal that the SEC staff views MFA as a valuable tool for safeguarding email accounts and other electronic systems containing sensitive client information. Managers should, in consultation with their outside IT advisers, review their cybersecurity policies to ensure that MFA is required where appropriate and, where it is required, has in fact been implemented.
Training on Phishing and Credential-Stuffing. Phishing and credential stuffing continue to be the most common modes through which threat actors are able to breach systems. In addition to implementing MFA, managers should conduct annual training on these tactics for all personnel (including independent contractors) that is targeted to the types of threats the firm is facing.
Remedial Measures Following a Breach. Managers should carefully consider the advice of forensic consultants and other advisors they hire to investigate incidents; failure to follow that advice could be viewed by the SEC as a contributing factor in determining that the manager's cybersecurity policies are deficient.
Scrutiny of Notices to Investors. Managers should consider including details on the handling of breach notices in their policies and procedures to ensure drafts of such notices (including notices prepared by outside counsel) are carefully reviewed by personnel with knowledge of the incident to ensure any inaccuracies or misleading information are rectified.
40 SEC Press Release No. 2021-169, supra note 34, available here.
Absence of Harm. The SEC does not require there to have been actual harm to investors for there to be a violation of Regulation S-P and the Advisers Act. In all three cases, the SEC's order notes that the breaches do not appear to have resulted in any unauthorized trades or fund transfers. Therefore, managers should carefully document their response to all cyber incidents.
On Sept. 24, 2021, the SEC filed a complaint against Carebourn Capital, L.P. and its managing partner, Chip A. Rice, in the District of Minnesota, alleging each was acting as an unregistered securities dealer in connection with the buying and selling of convertible securities in ultra-microcap issuers, in violation of Section 15 of the Exchange Act.41 This case is the most recent in a series of SEC enforcement actions, reinforcing its theory that firms that are financing and converting debt at a discount to the current market price and subsequently selling the company's equity securities in the market are engaging in dealer activity under Section 15.42 Exchange Act Section 3(a)(5)'s definition of a dealer--one who buys or sells securities for one's own account as a part of a regular business--is so broad that it would appear to capture the activities of almost all investment managers, family offices, and even day traders. For many years, fund managers and other similar investors have been comfortable relying on no-action relief and other SEC guidance suggesting that their activities were merely "trader" activities, as distinct from "dealer" activities requiring registration. With this novel legal theory, the SEC has blurred the distinction between "trader" and "dealer" activities, deviating from its own prior guidance and revealing that, in its view, the two labels are no longer mutually exclusive.
In 2020, the SEC filed SEC v. Fierro43 in the District of New Jersey and SEC v. Keener44 in the Southern District of Florida. In each case, the defendant had provided convertible debt financing to ultra-microcap issuers. As alleged in each complaint, the defendants regularly converted debt to equity shares at a negotiated discount and sold the resulting billions of shares in the open market, generating substantial profits and receiving "highly favorable" terms. The SEC alleged that both defendants operated websites advertising their debt conversion businesses to issuers and, notably, held themselves out to the public as being willing to purchase convertible notes at their regular places of business. Additionally, both Fierro and Keener purportedly solicited business from issuers by attending conferences and hiring commission-based contractors to cold-call potential issuers.
Both the Fierro and Keener defendants moved to dismiss the SEC's complaints, arguing that they were acting as traders, not dealers, primarily based on the historical distinction between the two terms, including as set forth by the SEC in its 2008 Guide to Broker-Dealer Registration.45 The defendants also argued that the SEC was circumventing the rulemaking process by asserting
41 See Complaint, SEC v. Carebourn Capital, L.P., No. 21-02114 (D. Minn. Sept. 24, 2021), ECF No. 1. 42 A "dealer" is defined as "any person engaged in the business of buying and selling securities for his own account, through a broker or otherwise." See 15 U.S.C. 78c(a)(5)(A). 43 See Complaint, SEC v. Fierro, No. 20-02104 (D.N.J. Mar. 24, 2020), ECF No. 1. 44 See Complaint, SEC v. Keener (d/b/a JMJ Financial), No. 20-21254 (S.D. Fla. Mar. 24, 2020), ECF No. 1. 45 The SEC's Guide to Broker-Dealer Registration states, "[t]he definition of "dealer" does not include a "trader," that is, a person who buys and sells securities for his or her own account, either individually or in a fiduciary capacity, but not as part of a regular business. Individuals who buy and sell securities for themselves generally are considered traders and not dealers." See SEC Guide to Broker-Dealer Registration, Division of Trading and Markets, Apr. 2008, available here.
claims under a theory that contradicted years of prior authority and enforcement actions, violating their right to due process. The courts in both cases denied the motions to dismiss, finding that the SEC had adequately alleged dealer activity, indicating that courts are willing to entertain the SEC's broad and sweeping characterization of "dealers."46 The Keener and Fierro courts were unpersuaded by defendants' due process arguments, finding that the definition in Section 3(a)(5) puts market participants on notice that they may be subject to registration. The Keener and Fierro cases, each currently in different phases of discovery, are being aggressively litigated on both sides and it appears that the defendants are preparing to take the cases to trial.
Days after the Southern District of Florida issued its ruling denying the Keener motion to dismiss, the same court granted summary judgment to the SEC in SEC v. Almagarby.47 The SEC brought the case against Ibrahim Almagarby and his wholly-owned and controlled business entity in 2017 for buying the convertible debt of microcap issuers and then selling billions of shares of the microcap issuers' stock into the market without registering as a dealer. In its order granting summary judgment, the court noted that Almagarby paid finders to put him in touch with issuers with which he could negotiate favorable debt conversion terms. As it did in Keener, the court relied on the statutory language of Section 3(a)(5) to find that those who buy and sell securities as a part of a "regular business" must register as dealers with the SEC. It found that, where a company's business model is "based entirely on the purchase and sale of securities, that fact constitutes conclusive proof that the company is a dealer." Almagarby had argued that his business did not resemble the activities described in various SEC guidance regarding indicia of dealer activity. In response, the court noted that staff guidance on these issues in the context of "no-action" relief is "no more than informal advice given by members of the Commission's staff" and not dispositive on legal issues.48 In a recent Report and Recommendation issued in the case, the Magistrate Judge recommended a range of remedies against the defendants, including disgorgement of all profits, plus prejudgment interest, totaling approximately $1 million, and a civil penalty in the amount of $80,000. The Magistrate Judge also recommended a penny stock bar be imposed against the defendants and that the defendants be required to surrender their shares for cancellation.49 Judge Cooke adopted the Report and Recommendation in its entirety at the end of September 2021.50
Parallel to the cases that came before it, the Carebourn Capital case filed last month hinges on the SEC's theory that, by engaging in a regular business of buying discounted convertible notes for their own account and selling the resulting newly-issued shares of stock into the public market, the defendants operated as unregistered securities dealers.51 The defendants paid independent contractors and attended conferences to solicit issuers and held themselves out to the public--on their website and otherwise--as in the business of buying convertible notes. The SEC noted that the defendants sought to engage in deals in "trending industries" to ensure sufficient public
46 See Order Den. Mot. to Dismiss, Fierro, ECF No. 19 (citing Order Den. Mot. to Dismiss, Keener, ECF No. 29 (citing SEC v. River N. Equity LLC, 415 F. Supp. 3d 853, 858 (N.D. Ill. 2019)) (denying motion to dismiss, and noting that "these factors (and any decisions construing them) are not controlling. They are neither exclusive, nor function as a checklist through which a court must march to resolve a dispositive motion. And whether and which are met is necessarily a fact-based inquiry best reserved for summary judgment or trial").
47 See Order Granting Summ. J., SEC v. Almagarby, No. 17-62255-MGC (S.D. Fla. Aug. 17, 2020), ECF No. 112; see also Complaint, Almagarby, ECF No. 1.
48 Order Granting Summ. J., Almagarby, at 7, 8, ECF No. 112. 49 See R. & R., Almagarby, ECF No. 138. 50 See Order Adopting Mag. R. & R., Almagarby, ECF No. 144. 51 Complaint, Carebourn Capital, at 2, ECF No. 1.
investment interest, such as marijuana, cybersecurity, pollution reduction technologies, and COVID-19-related products. As with each case asserted under this theory, the SEC is seeking civil penalties, return of all profits from the subject activity, and an order barring defendants from participating in the offering of any penny stock.52
The principal arguments being made by the SEC in these cases include that defendants purchased a substantial number of convertible promissory notes with "highly favorable," deeply discounted terms, resulting in a large volume of converted microcap shares and millions of dollars of profits. Although none of these cases alleges specific fraudulent behavior, the SEC's view appears to be that the ultra-microcap market is, by its very nature, rife with fraud and abuse. In pursuing cases against institutional investors who provide financing to these companies, the SEC may be attempting to prevent microcap issuers from further flooding the market with new issuances in a practice that was, up to now, widely accepted in the market. Notably, the SEC's legal theory in these cases provides no bright-line distinction between these defendants' activities and activities relating to more traditional investments in PIPEs or other convertible debt lending activities. The courts' rulings in Keener, Fierro, and Almagarby have opened the door for the SEC to pursue more cases under this theory and may broaden their reach to other types of investors. Investors in convertible instruments should be aware of the risk that the developments in these cases may form the basis of future enforcement actions based on similar or related fact patterns.
Obscuring Financial Incentives Creating Conflicts: In re TIAA-CREF Individual & Institutional Services, LLC
Investment advisers must accurately disclose financial incentives that create conflicts between their financial advisers and their clients. On July 13, 2021, the SEC announced a settled administrative action against TIAA-CREF Individual & Institutional Services, LLC ("TC Services").54 The SEC's order required TC Services to pay $97 million to settle allegations of inaccurate and misleading statements and a failure to adequately disclose conflicts of interest when recommending that clients who were invested in Teachers Insurance and Annuity Association of America ("TIAA") record-kept employer-sponsored retirement plans ("ESPs") roll over retirement assets into a managed account that generated greater revenue than other available alternatives. The $97 million settled both the SEC's case and a parallel action by the Office of the New York Attorney General announced the same day.55
According to the SEC's order, between Jan. 1, 2013 and March 30, 2018, TC Services failed to adequately disclose conflicts of interest, made inaccurate and misleading statements, and failed to implement policies and procedures necessary to prevent such conduct in connection with
52 Id. at 6, 7, 18. 53 The enforcement proceedings described below are based on allegations by the SEC or CFTC that either are being contested in active litigation or are part of a settled action in which the respondents have agreed to "neither admit nor deny" the allegations. 54 TIAA-CREF Individual and Institutional Services, Advisers Act Release No. 5772, July 13, 2021, available here. 55 See SEC Announces $97 Million Enforcement Action Against TIAA Subsidiary for Violations in Retirement Rollover Recommendations, SEC Press Release No. 2021-123, available here.
recommendations to clients. Specifically, the SEC's order found that TC Services created positive incentives and negative pressures for its Wealth Management Advisors ("WMAs") to prioritize the rollover of TIAA ESP assets into a managed account program, known as Portfolio Advisor, over lower cost alternatives for rollover-eligible ESP participants who were receiving advisory services as part of TC Services' financial planning services. Despite having financial incentives for its WMAs to recommend Portfolio Advisor, TC Services trained its WMAs to represent, and they did represent, that their advice was "objective," "non-commissioned" and "put the client first."
TC Services was charged with willfully violating Section 206(2) and (4) of the Advisers Act, Rule 206(4)-7 thereunder, and Sections 17(a)(2) and (3) of the Securities Act of 1933 ("Securities Act"). Under the terms of the order, TC Services was required to pay approximately $74 million in disgorgement, $14 million in prejudgment interest, and a $9 million civil penalty.
Inadequate Policies and Procedures Regarding Investment Oversight: In re UBS Financial Services Inc.
Investment advisers must continue to be vigilant in their adoption and implementation of written policies and procedures. On July 19, 2021, the SEC filed a settled administrative proceeding against UBS Financial Services ("UBS") for its failure to adopt and implement written policies and procedures reasonably designed to prevent unsuitable investments.56
According to the SEC's order, financial advisers in UBS's Portfolio Management Program held a volatility-linked exchange-traded product called iPath S&P 500 VIX Short-Term Futures ETN, or VXX, for their advisory clients for a period of time that was inconsistent with the purpose of the product. The SEC's order found that UBS failed to have adequate controls and systems in place for the product-in-question, despite having controls and systems in place to monitor holding period risk for other products. UBS's failure to have adequate controls and systems in place led to increased risk for client accounts--1,882 of which held the product for extended periods--and resulted in meaningful losses.
UBS was charged with willful violations of Section 206(4) of the Advisers Act and Rule 206(4)-7 thereunder. UBS was required to pay a total penalty of $8,112,274, consisting of $96,344 in disgorgement, $15,930 in prejudgment interest, and a civil monetary penalty of $8 million.
Unsuitable Investment Recommendations: In re Frontier Wealth Management, LLC, et al.
Investment advisers must ensure their investment adviser representatives thoroughly understand the investments they recommend and their clients' risk tolerances and investment objectives. On Sept. 3, 2021, the SEC announced a fully settled administrative enforcement proceeding against Frontier Wealth Management, LLC ("Frontier") and Shawn Sokolosky, a Frontier investment adviser representative ("IAR"), for Frontier's failure to adopt and implement written policies and procedures reasonably designed to prevent IARs from recommending certain types of complex products to clients for whom they were not suitable and for Sokolosky's misleading statements.57
56 UBS Financial Services Inc., Advisers Act Release No. 5772, July 19, 2021, available here. 57 Frontier Wealth Management, LLC et al., Advisers Act Release No. 5847, Sept. 3, 2021, available here.
The SEC found that Frontier created a feeder fund in January 2016 that enabled its clients to invest in a fund managed by a third-party. The third-party fund disclosed that an investment carried substantial risks associated with its high volatility and, from January 2016 through February 2018, 177 Frontier clients invested in the feeder fund. In February 2018, Frontier clients lost $16 million due to extreme volatility, about 35% of the value of the feeder fund. The SEC found that Frontier delegated autonomy over client investment recommendations to its IARs but failed to provide its IARs with adequate policies, procedures, training, and supervision regarding the suitability of complex products like the feeder fund. According to the SEC's order, Sokolosky recommended that certain clients invest in the feeder fund without sufficiently considering each client's risk tolerances, investment objectives, or financial circumstances, rendering those investment recommendations unsuitable. Further, Sokolosky himself did not adequately understand the feeder fund's trading strategy, underlying investments, and risks, and he allegedly made misleading statements about the fees associated with the feeder fund.
Frontier was charged with willfully violating Section 206(4) of the Advisers Act and Rule 206(4)-7 thereunder and failing to reasonably supervise within the meaning of Section 203(e)(6) of the Advisers Act. Frontier was censured, ordered to cease and desist from further violations, ordered to pay disgorgement of $261,617, prejudgment interest of $47,095, and a civil monetary penalty of $350,000. Sokolosky was charged with willfully violating the antifraud provisions of Sections 17(a)(2) and (3) of the Securities Act and Section 206(2) of the Advisers Act. He was ordered to cease and desist from further violations and agreed to an industry bar for one year.
Artificial Fund Performance Figures: In re Robert D. Press; In re Donna Silverman
The SEC will pursue advisers who fail to provide truthful fund performance and asset valuation information. On the final day of the quarter, the SEC announced settled administrative enforcement proceedings against Robert D. Press, the former CEO of the advisory firm TCA Fund Management Group Corp. ("TCA"), and Donna M. Silverman, TCA's former chief portfolio manager.58 The SEC alleged that Press and Silverman were involved in TCA's scheme to artificially inflate the net asset values and performance results of several funds that TCA managed. Previously, the SEC charged TCA, its affiliate TCA Global Credit Fund GP Ltd. ("TCA GP"), and two TCA executives for their roles in the alleged fraud.59
In Press, the SEC alleged that, through Press's actions, TCA fraudulently inflated net asset values and performance of the TCA funds by recording non-binding transactions and fraudulent investment banking fees on the funds' books and records. TCA then included the fraudulent and inflated information in promotional materials and account statements distributed to prospective investors. In addition, according to the order, Press decided on numerous occasions to waive monthly management and performance fees that the funds owed to TCA or TCA-GP to create the appearance of higher performance results, without disclosing those fee waivers to investors. For his part, Silverman allegedly included the non-binding transactions and fraudulent investment
58 SEC Charges Former Executives of Registered Investment Adviser with Fraud, SEC Press Release 2021-204, Sept. 30, 2021, available here.
59 See SEC Obtains Receiver Over Florida Investment Adviser Charged With Fraud, SEC Press Release 2020-110, May 12, 2020, available here; see also SEC Settles Fraud Charges with Two Former Executives of TCA Fund Management Group Corp., SEC Administrative Proceeding File No. 3-20057, Sept. 24, 2020, available here.
banking fees, which he knew or should have known would fraudulently inflate performance figures, in information that TCA sent to its fund administrator.
Press was charged with willfully violating the antifraud provisions of the federal securities laws--Section 17(a) of the Securities Act and Section 10(b) of the Exchange Act and Rule 10b-5 thereunder--as well as Sections 206(1), (2), and (4) of the Advisers Act, Rule 206(4)-8 thereunder, and Section 207 of the Advisers Act, and with aiding and abetting TCA's violations of Section 206(4) of the Advisers Act and Rule 206(4)-7 thereunder. Press agreed to (i) cease and desist any further violations, (ii) an industry bar, and (iii) pay disgorgement of overcharged management and performance fees of $4,409,546, plus prejudgment interest of $755,178, and a civil penalty of $292,570.
Silverman was charged with willfully aiding and abetting TCA's and TCA-GP's violations of Sections 17(a)(2) and (3) of the Securities Act and Sections 206(2) and (4) of the Advisers Act as well as Rule 206(4)-8 thereunder. Silverman agreed to a limitation from acting in a director or officer capacity in the securities industry, with a right to apply after three years, and to pay a civil penalty of $50,000.
Failure to Disclose Conflicts of Interest Continues to be a Theme
The SEC continues to bring actions against registered investment advisers for failing to disclose conflicts of interest that subsequently result in their receipt of fees through revenue sharing, payments to affiliates, or other undisclosed arrangements. The SEC brought several actions this quarter, broadly falling into two categories: those related to cash sweep accounts and those related to affiliated brokers. We have briefly summarized six of these matters below.
In re St. Germain Investment Management, Inc.60 Respondent breached its fiduciary duty to advisory clients in connection with receipt of revenue from clients' cash sweep accounts. Respondent was censured; agreed to a cease-and-desist order and to pay disgorgement, prejudgment interest, and a civil penalty, totaling $1,925,250; and the order established a Fair Fund for affected investors.
In re Kestra Advisory Services, LLC and In re Kestra Private Wealth Services, LLC.61 Respondents breached their fiduciary duties by failing to provide full and fair disclosure of their conflicts of interest when they invested advisory client assets in certain mutual funds for which their affiliated broker-dealer received revenue sharing payments from its clearing broker, even though there were lower-cost options available for clients. Respondents agreed to censures; cease-and-desist orders; and to pay disgorgement, prejudgment interest, and a civil penalty (totaling approximately $10 million for Kestra Advisory Services and $299,569 for Kestra Private Wealth Services); and the order established a Fair Fund.
In re First Heartland Consultants, Inc.62 Respondent breached its fiduciary duty to advisory clients by failing to disclose three types of compensation paid to its affiliated broker. Respondent agreed to a cease-and-desist order; to a censure; to certify the revision and correction of relevant disclosure documents and that it had evaluated
60 St. Germain Investment Management, Inc., Advisers Act Release No. 5767, July 8, 2021, available here. 61 Kestra Advisory Services, LLC, Advisers Act Release No. 5770, July 9, 2021, available here; Kestra Private Wealth Services, LLC, Advisers Act Release No. 5771, July 9, 2021, available here. 62 First Heartland Consultants, Inc., Advisers Act Release No. 5812, Aug. 2, 2021, available here.
whether existing clients should be moved to a lower-cost share class; to pay disgorgement, prejudgment interest, and a civil penalty, totaling approximately $1 million; and the order established a Fair Fund.
In re USA Financial Securities Corporation.63 Respondent breached its fiduciary duty to advisory clients by failing to fully and fairly disclose its conflicts of interest in connection with the investment of client assets in cash sweep products that resulted in revenue sharing. Respondent agreed to a censure; to a cease-and-desist order; to pay disgorgement, prejudgment interest, and a civil penalty, totaling $249,455; and the order established a Fair Fund.
In re Cantella & Co., Inc.64 Respondent breached its fiduciary duty and failed to fully and fairly disclose conflicts of interest in connection with the receipt of third-party compensation associated with client investments. Respondent agreed to a cease-and-desist order; to a censure; to comply with stated undertakings; to pay disgorgement, prejudgment interest, and a civil penalty, totaling $701,630; and the order established a Fair Fund.
In re Cowen Prime Advisors LLC.65 Respondent breached its fiduciary duty in connection with the receipt of revenue sharing payments from its unaffiliated clearing broker as a result of sweeping its advisory clients' cash into certain money market mutual funds instead of available lower-cost money market funds from which it would not have received any revenue sharing. Respondent agreed to a censure; a cease-and-desist order; to pay disgorgement, prejudgment interest, and a civil penalty, totaling $768,879; and the order established a Fair Fund.
Short Tender Rule Violation: SEC v. Lupo Securities, LLC
Market participants in tender offers must take care to comply with the decades-old short tender rule, Rule 14e-4, promulgated under the Exchange Act. On July 29, 2021, the SEC announced the filing of a contested civil action in the Northern District of Illinois against Lupo Securities, LLC ("Lupo") for violating the short tender rule and enriching itself at the expense of other participants in a partial tender offer.66
According to the SEC's complaint, Lupo, an SEC-registered broker-dealer, participated in a partial tender offer for the common stock of Lockheed Martin Corp. ("Lockheed") and, in doing so, tendered more shares than it owned on a net basis. The SEC's complaint alleges that Lupo received more shares of the company acquiring a Lockheed business unit through the tender offer than it was entitled to due to Lupo's tendering of excess Lockheed shares. Lupo's misconduct is alleged to have resulted in ill-gotten gains of more than $1 million through the receipt of 611,752 excess shares of the acquiring company.
63 USA Financial Securities Corp., Advisers Act Release No. 92553, Aug. 3, 2021, available here. 64 Cantella & Co., Inc., Advisers Act Release No. 92809, Aug. 30, 2021, available here. 65 Cowen Prime Advisors LLC, Advisers Act Release No. 5874, Sept. 27, 2021, available here. 66 See Complaint, SEC v. Lupo Securities LLC, f/k/a Alphagen Securities LLC, No. 1:21-cv-04027 (N.D. Ill. July 29, 2021), available here.
Lupo is alleged to have violated Rule 14e-4, and the SEC seeks disgorgement, prejudgment interest, and a civil monetary penalty. On Oct. 15, 2021, Lupo moved to dismiss the complaint.67 Briefing on the motion to dismiss is expected to be completed in January 2022.
Failure to Disclose Order Routing Practices: In re Coda Markets, Inc., et al.
Broker-dealers must be transparent about their routing arrangements and how they handle orders for execution. On Sept. 20, 2021, in a settled administrative enforcement proceeding brought against Coda Markets, Inc. ("Coda") and its President, Edward G. O'Malley, the SEC alleged that Coda, a broker-dealer, omitted material facts and made misleading statements to its subscribers about how it handled and routed orders for execution.68 In particular, the order found that, from December 2016 to July 2019, Coda failed to disclose its use of a circular routing arrangement when handling subscriber orders. When Coda had discretion over the routing table, it inserted one of two broker-dealers as the first external destination because Coda had an arrangement with them to share trading profits on order executions. O'Malley allegedly knew about Coda's circular routing arrangement and reviewed and approved Coda's disclosure documents containing material omissions and misleading statements.
The SEC alleged Coda willfully violated Sections 17(a)(2) and 17(a)(3) of the Securities Act and that O'Malley caused those violations. In addition to censure and an agreement to cease and desist from future violations, Coda and O'Malley agreed to pay $1.2 million and $35,000 in civil penalties, respectively.
Fraudulent Trading in Connection with 'Meme Stocks': SEC v. Gu, et al.
The SEC has made clear that it will not hesitate to charge those allegedly engaged in fraudulent trading in connection with so-called "meme stocks." On Sept. 27, 2021, the SEC filed a civil complaint in the District of New Jersey charging Suyun Gu and Yong Lee for engaging in a fraudulent scheme designed to collect liquidity rebates from exchanges by wash trading put options of certain "meme stocks" in early 2021.69 The SEC alleged that, starting in late February 2021, Gu and Lee devised a scheme to use the "maker taker" program offered by exchanges to trade "meme stocks" with themselves.
According to the SEC, Gu and Lee selected "meme stocks" because the increased buy demand and the related price increases would make put options on those stocks less attractive. Some broker-dealers closed Gu and Lee's accounts, but Gu continued his scheme by concealing his identity. The complaint alleges that Gu generated $668,671 in liquidity rebates through approximately 11,400 trades with himself and Lee generated $51,334 in liquidity rebates through 2,300 trades with himself. Gu and Lee were charged with violating Section 10(b) of the Exchange Act and Rule 10b-5 thereunder and Section 17(a) of the Securities Act.
67 See Motion to Dismiss, SEC v. Lupo Securities LLC, f/k/a Alphagen Securities LLC, No. 1:21-cv-04027 (N.D. Ill. July 29, 2021).
68 Coda Markets, Inc., et al., Securities Act Release No. 10985, Sept. 20, 2021, available here. 69 SEC Charges Two Individuals for Wash Trading Scheme Involving Options of "Meme Stocks," SEC Litigation Release No. 25224, Sept. 27, 2021, available here; see also Complaint, SEC v. Gu, No. 2:21-cv-17578 (D.N.J. Sep 27, 2021), available here.
Without admitting or denying the SEC's allegations, Lee consented to the entry of a final judgment, which has now been approved by the court, that enjoins him from violating the antifraud provisions and orders him to pay $51,334 in disgorgement, plus $515 in prejudgment interest, and a civil monetary penalty of $25,000. The SEC's case against Gu remains pending.
Reg SHO and Merger Arbitrage: In re Tradition Securities and Derivatives, LLC
A recent enforcement proceeding highlights that broker-dealers must mark orders correctly to avoid being charged for running afoul of Regulation SHO of the Exchange Act ("Reg SHO"). On Sept. 28, 2021, in a settled administrative enforcement proceeding against Tradition Securities and Derivatives LLC ("Tradition"), the SEC alleged that Tradition violated Reg SHO in connection with its customer and principal merger arbitrage trading practices.70
According to the order, "[m]erger arbitrage involves identifying announced mergers and acquisitions of publicly traded companies, and then selling short shares of the acquiring company, while at the same time purchasing shares in the target company." In executing its merger arbitrage strategy, Tradition mismarked more than 1,000 short sales as long sales in its customers' accounts, and approximately 50 short sales as long sales in its principal accounts in violation of Rule 200(g)(1) of Reg SHO. For each of the short sales, Tradition also failed to obtain and document a locate as required under Rule 203(b)(1) of Reg SHO.
As a result of this conduct, Tradition generated $841,627 in revenues comprised of commissions and trading profits, which it was ordered to disgorge together with prejudgment interest of $104,205. In addition, Tradition agreed to cease and desist from future violations of Reg SHO, a censure, and a civil penalty of $841,627.
SEC Focuses on Front Running: SEC v. Polevikov; SEC v. Wygovsky
The SEC has renewed its focus on combatting front running schemes and now relies on increasingly sophisticated data analytics tools to identify suspicious trading patterns. For example, on Sept. 23, 2021, the SEC filed a contested action in the Southern District of New York alleging that Sergei Polevikov, a quantitative analyst for two asset management firms, used his access to non-public information regarding the size and timing of his employers' securities orders and trades to trade ahead of, and profit off, his employers' trades.71 According to the complaint, Polevikov executed approximately 3,000 trades on the same side as his employers and used his wife's account to conceal his actions. As part of his scheme, he typically closed his positions the same day he opened them in order to capitalize on the price movement caused by his employers' large trades.
Similarly, on July 2, 2021, in another front-running case, the SEC filed a civil action in the Southern District of New York against Sean Wygovsky, a trader at a major Canadian asset management firm, for perpetrating a lucrative and fraudulent front-running scheme.72 According to the SEC's complaint, Wygovsky traded based on MNPI that he was privy to as a trader at an asset manager. He allegedly used this MNPI to trade in the brokerage accounts of family members ahead of large trades executed by his employer--generating at least $3.6 million in trading profits. Wygovsky is alleged to have followed a pattern where his family members' brokerage accounts would buy or sell a stock either before Wygovsky's employer's accounts began executing a large order for the same stock on the same side of the market or while tranches of such orders were being executed. Wygovsky would then close out the positions in his family members' accounts, usually at a profit.
70 Tradition Securities and Derivatives, LLC, Exchange Act Release No. 93154, Sept. 28, 2021, available here.
71 SEC Charges Quant Analyst in Multimillion Dollar Front-Running Scheme, SEC Press Release No. 2021186, Sept. 23, 2021, available here; see also Complaint, SEC v. Polevikov, No. 1:21-cv-07925 (S.D.N.Y. Sept. 23, 2021), available here.
The SEC's respective complaints against Polevikov and Wygovsky allege that each violated the antifraud provisions of the federal securities laws and seek disgorgement of ill-gotten gains plus interest, penalties, and injunctive relief. The SEC also charged Polevikov with violating the reporting provisions of the Investment Company Act, Section 17(j) and Rules 17j-1(b)(1), (b)(3), and (d) thereunder. Polevikov and Wygovsky were each charged criminally in the Southern District of New York as well.73
SPAC Disclosures: In re Momentus, Inc., et al.; SEC v. Milton
In a first-of-its-kind action, the SEC targeted all sides of a transaction involving a special purpose acquisition company, or SPAC, for making misleading claims. On July 13, 2021, the SEC announced settled charges against the SPAC, Stable Road Acquisition Company; its sponsor, SRC-NI; its CEO, Brian Kabot; its proposed merger target, Momentus Inc.; and Momentus's founder and former CEO, Mikhail Kokorich, for misleading claims about Momentus's technology and national security risks associated with Kokorich.74 With the exception of Kokorich, the parties settled with the SEC, with terms including total penalties of more than $8 million, tailored investor protection undertakings, and SRC-NI's agreement to forfeit the founders' shares it stands to receive if the merger ultimately is approved.
According to the SEC's order, Momentus and Kokorich made multiple misrepresentations to investors, including telling investors that Momentus had succeeded in testing its propulsion technology in space and misrepresenting its ability to secure required government licenses due to national security concerns about Kokorich. Stable Road allegedly repeated these misrepresentations in public filings associated with the proposed transaction and failed to satisfy disclosure obligations to its investors.
Momentus was charged with violations of Section 17(a) of the Securities Act and Section 10(b) of the Exchange Act and Rule 10b-5 thereunder. Stable Road was charged with violating Sections 17(a)(2) and (3) of the Securities Act, Section 14(a) of the Exchange Act and Rule 14a-9 thereunder, and Section 13(a) of the Exchange Act and Rules 12b-20 and 13a-11 thereunder. SRC-NI and Kabot were charged with causing Stable Road's violations of Section 17(a)(3) of the Securities Act. Kabot was charged with violating Section 14(a) of the Exchange Act and Rule 14a-9 thereunder. The following civil penalties were imposed: $7 million (Momentus), $1 million (Stable Road), and $40,000 (Kabot).
72 See SEC Charges Hedge Fund Trader in Lucrative Front-Running Scheme, SEC Press Release No. 2021118, July 2, 2021, available here; see also Complaint, SEC v. Wygovsky, No. 1:21-cv-05730 (S.D.N.Y. July 2, 2021), available here.
73 See Trader At Large Canadian Asset Management Firm Charged With Insider Trading For Engaging In Multimillion-Dollar Front Running Scheme, DOJ Press Release 21-161, July 2, 2021, available here; see also Former Analyst Charged With $8 Million Insider Trading Scheme For Front-Running Employer's Pending Trades, DOJ Press Release 21-251, Sept. 23, 2021, available here.
74 Momentus, Inc., et al., Securities Act Release No. 10955, July 13, 2021, available here.
Kokorich faces a separate complaint in the U.S. District Court for the District of Columbia for allegedly violating Section 10(b) of the Exchange Act and Rule 10b-5 thereunder, Section 17(a) of the Securities Act, and aiding and abetting Momentus's violations.75
In another SPAC-related matter, on July 29, 2021, the SEC charged the founder, former CEO, and former Executive Chairman of Nikola Corporation, Trevor Milton, with violating the antifraud provisions of the Securities Act and the Exchange Act.76 According to the SEC's complaint, Milton helped Nikola raise more than $1 billion and go public through a SPAC. Milton allegedly acted as Nikola's primary spokesperson and repeatedly misled investors about, among other things, Nikola's technological advancements, products, in-house production capabilities, and commercial achievements. According to the complaint, Milton made tens of millions of dollars as a result of the alleged misconduct.
Milton is charged with violating Section 17(a) of the Securities Act and Section 10(b) of the Exchange Act and Rule 10b-5 thereunder. The complaint seeks a permanent injunction, a conduct-based injunction, an officer and director bar, disgorgement with prejudgment interest, and civil penalties. Milton also was criminally charged in the Southern District of New York for his role in the scheme.77
Accounting Fraud: SEC v. Palleschi, et al.
The SEC continues to focus on holding individuals accountable for securities laws violations, reflecting its view that actions against individuals have a greater deterrent effect than those brought against only entities. On July 15, 2021, the SEC charged FTE Networks Inc.'s former CEO, Michael Palleschi, and former CFO, David Lethem, with accounting fraud in the Middle District of Florida.78 The defendants' alleged scheme involved inflating the company's revenues for certain periods by as much as 108%, misappropriating millions of dollars of company funds for personal use, and concealing the then-NYSE listed publicly traded company's issuance of almost $23 million in convertible notes.
According to the complaint, Palleschi and Lethem directed the company to issue approximately $22.7 million in convertible notes with short-term maturities, steep interest rates, and market-price-based formulas for conversion into shares. The two then misled in-house accounting personnel and FTE Networks' outside auditor about certain material terms of the notes, which were not properly accounted for or disclosed in FTE Networks' financial statements. Further, the complaint alleges the executives inflated FTE Networks' revenue by directing the company to improperly recognize revenue and related accounts receivable for nonexistent construction projects. According to the complaint, they also misappropriated millions of dollars of company funds to pay for personal expenses and unauthorized salary increases.
75 See Complaint, SEC v. Mikhail Kokorich, No. 1:21-cv-1869 (D.D.C. July 13, 2021), available here.
76 SEC Charges Founder of Nikola Corp. With Fraud, SEC Press Release No. 2021-141, July 29, 2021, available here; see Complaint, SEC v. Milton, No. 1:21-cv-6445 (S.D.N.Y. July 29, 2021), available here.
77 See Indictment, U.S. v. Trevor Milton, No. 1:21-cr-478 (S.D.N.Y. July 29, 2021), available here.
78 SEC Charges Executives of Network Infrastructure Company with Accounting Fraud, SEC Litigation Release No. 25141, July 15, 2021, available here; see Complaint, SEC v. Palleschi, No. 2:21-cv-00530 (M.D. Fla. July 15, 2021), available here.
The SEC's complaint includes 14 counts. Both defendants are charged with violating the antifraud provisions of Section 17(a) of the Securities Act, Section 10(b) of the Exchange Act and Rule 10b-5 thereunder, the reporting provisions of Section 13(b)(5) of the Exchange Act and Rules 13a-14, 13b2-1, and 13b2-2 thereunder, and with aiding and abetting FTE Networks' violations of the securities laws. Palleschi is also charged with violating Section 304 of the Sarbanes-Oxley Act of 2002 and the proxy solicitation provisions of Section 14(a) of the Exchange Act and Rules 14a-3 and 14a-9 thereunder.
Palleschi and Lethem are contesting the SEC's civil charges and also face criminal charges in the Southern District of New York for their alleged misconduct.79
Auditor Independence Rules: In re Ernst & Young LLP, et al.
An action in early August serves as a good reminder that the SEC views auditor independence as the foundation supporting sound financial reporting practices. On Aug. 2, 2021, the SEC announced it settled charges with Ernst & Young LLP ("EY"),80 one of EY's current partners, and two former partners accused of professional misconduct for violating auditor independence rules in connection with EY's pursuit to serve as the independent auditor for a public company. In a separate action, the Commission brought charges against the public company's then-Chief Accounting Officer ("CAO") for his role in the alleged misconduct.81
The settlement order found that EY and the current and former partners improperly interfered with the public company's selection of an independent auditor by soliciting and receiving confidential competitive intelligence and audit committee information from the former CAO. The order alleged that, as a result of their actions, a reasonable investor would conclude that objectivity and impartiality would be impossible after the audit engagement began. The order alleged that EY violated Rule 2-02(b)(1) of Regulation S-X, that the associated partners caused such violation as well as the public company's violations of the Exchange Act, and that each defendant engaged in improper professional conduct within the meaning of Section 4C(a)(2) of the Exchange Act and Rules 102(e)(1)(ii) and 102(e)(1)(iv)(B) of the SEC's Rules of Practice.
Without admitting or denying the charges, EY and the associated partners agreed to cease and desist from future violations of the securities laws and the partners cannot appear or practice before the SEC as accountants, with the ability to reapply in the future. EY has agreed to a censure, a $10 million civil penalty, and to comply with a set of undertakings for two years. The individuals agreed to pay civil penalties ranging from $15,000 to $50,000. Without admitting or denying the charges, the public company's CAO consented to an order that found he caused and willfully aided and abetted the public company's violations of its reporting obligations, ordered him to cease and desist from future violations, pay a civil penalty of $51,000, and agree to a suspension of appearing or practicing before the SEC as an accountant, with the right to reapply after two years.
79 See Indictment, U.S. v. Palleschi, No. 1:21-cr-00454 (S.D.N.Y. July 15, 2021), available here.
80 Ernst & Young LLP, et al., Exchange Act Release No. 92540, Aug. 2, 2021, available here.
81 William G. Stiehl, CPA., SEC Release No. 92539, Aug. 2, 2021, available here.
Insider Trading: SEC v. Jun, et al.
The SEC continues to pursue insider trading rings, charging five people with insider trading in the Western District of Washington on Aug. 18, 2021.82 The respondents--three former Netflix Inc. software engineers and two close associates--allegedly generated more than $3 million in profits by trading on confidential information about Netflix's subscriber growth.
The complaint alleges that, from 2016 to 2017, a software engineer repeatedly tipped such subscriber information to his brother and a close friend, who used it to trade in advance of Netflix's earnings announcements. After the software engineer left the company, he continued to obtain subscriber growth information from two other insiders.
All five respondents consented to the entry of final judgments, which were approved by the court on Sept. 2, 2021, that permanently enjoin each from violating Section 10(b) of the Exchange Act and Rule 10b-5 thereunder and impose civil penalties to be determined at a later date, except that one defendant agreed to a penalty of approximately $73,000. One individual also agreed to an officer and director bar. Parallel criminal charges were brought by the U.S. Attorney's Office for the Western District of Washington.83
Accounting Misconduct: In re The Kraft Heinz Co., et al.
The SEC's long-running investigation into accounting improprieties in the procurement division of The Kraft Heinz Company ("Kraft") was resolved on Sept. 3, 2021, when the SEC announced a fully settled administrative enforcement proceeding against Kraft and its former Chief Operating Officer, Eduardo Pelleissone, for engaging in alleged expense management misconduct that resulted in the restatement of several years of financial reporting.84 The SEC also brought a settled civil action against Kraft's former Chief Procurement Officer, Klaus Hofmann, for his alleged participation in this misconduct.85
According to the SEC's order, from 2015 through 2018, Kraft engaged in several types of accounting misconduct, including recognizing unearned discounts and maintaining false and misleading supplier contracts. This improperly reduced Kraft's cost of goods sold and allegedly achieved cost savings, which resulted in Kraft reporting inflated adjusted EBITDA. The SEC also found that Kraft failed to design and maintain effective internal accounting controls for its procurement division and that finance and gatekeeping personnel overlooked indications that expenses were being accounted for incorrectly. For his part, the SEC found that Pelleissone was presented with numerous warning signs that expenses were being managed through manipulated agreements with Kraft's suppliers but, rather than addressing these risks, Pelleissone pressured the procurement division to deliver unrealistic savings targets. Hofmann allegedly approved several improper supplier contracts used to further the misconduct despite numerous warning signs that procurement division employees were circumventing internal controls. He also certified the accuracy and completeness of the procurement division's financial statements when the misconduct was occurring. As a member of Kraft's disclosure committee, Pelleissone then improperly approved the company's financial statements.
82 SEC Charges Netflix Insider Trading Ring, SEC Press Release No. 2021-158, Aug. 18, 2021, available here.
83 Former Netflix engineer pleads guilty to insider trading, Dep't of Justice, Aug. 30, 2021, available here.
84 SEC Charges The Kraft Heinz Company and Two Former Executive for Engaging in Years-Long Accounting Scheme, SEC Press Release No. 2021-174, Sept. 3, 2021, available here.
85 Complaint, SEC v. Hofmann, No. 21-cv-7407 (S.D.N.Y. Sept. 3, 2021), available here.
Upon filing, the administrative proceedings against Kraft and Pelleissone were fully settled. Each was charged with violating the antifraud provisions of Sections 17(a) of the Securities Act, Sections 13(a) and 13(b) of the Exchange Act and Rules 12b-20, 13a-1, 13a-11, and 13a-13 thereunder. Pelleissone was additionally charged with violating Exchange Act Section 13b-5 and Rules 13b2-1 and 13b2-2(a) thereunder and with causing certain of Kraft's violations. Kraft and Pelleissone were ordered to cease and desist any further violations. Kraft was ordered to pay a civil penalty of $62 million. Pelleissone was ordered to pay a civil penalty of $300,000, disgorgement of $12,500, and prejudgment interest of $1,711.31. Hofmann was charged with violating the antifraud provisions of Section 17(a) of the Securities Act, Section 13(b)(5) of the Exchange Act and Rules 13b2-1 and 13b2-2 thereunder, and consented to a final judgment permanently enjoining him from future violations, ordering him to pay a civil penalty of $100,000, and barring him from serving as an officer or director of a public company for five years.
Regulation Crowdfunding: SEC v. Shumake, et al.
On Sept. 20, 2021, in the Eastern District of Michigan, the SEC filed its first enforcement action under Regulation Crowdfunding against a crowdfunding portal, sending the message that the SEC will hold gatekeepers liable for fraud if they ignore signs of misconduct. In addition to charging the funding portal, TruCrowd Inc., and its CEO, Vincent Petrescu, the complaint charges three individuals and one issuer for their fraudulent scheme to use two crowdfunding offerings to sell approximately $2 million of unregistered securities.86
According to the complaint, Robert Shumake, Nicole Birch, and Willard Jackson conducted fraudulent and unregistered crowdfunding offerings through two cannabis and hemp companies, Transatlantic Real Estate LLC and 420 Real Estate LLC. Instead of using the funds for the purposes disclosed to investors, the individuals allegedly pocketed the money for their personal use. TruCrowd and Petrescu allegedly hosted the offerings on their platform and ignored various red flags, including Shumake's prior criminal history and involvement in the crowdfunding offerings.
The SEC charged TruCrowd and Petrescu with violating crowdfunding rules under the Securities Act, Section 4A(a)(5) and Rule 301(c)(2) thereunder, and seeks disgorgement plus pre-judgment interest, penalties, and permanent injunctions. The complaint charged Shumake, Birch, Jackson, and 420 Real Estate with violating the antifraud and registration provisions of the Securities Act and Exchange Act, and seeks disgorgement plus pre-judgment interest, penalties, permanent injunctions, and officer and director bars. All of the defendants are contesting these charges.
86 SEC Charges Crowdfunding Portal, Issuer, and Related Individuals for Fraudulent Offerings, SEC Press Release No. 2021-182, Sept. 20, 2021, available here.
FCPA Violations: In re WPP PLC
In another headline-grabbing announcement, in a settled administrative proceeding action, the SEC charged WPP PLC ("WPP"), the world's largest advertising group, with violating anti-bribery, books and records, and internal accounting controls provisions of the Foreign Corrupt Practices Act ("FCPA").87
The complaint alleged that WPP acquired a majority interest in various advertising agencies but failed to ensure that the acquired entities implemented adequate internal accounting controls and compliance policies. The complaint also alleges that WPP ignored a number of warning signs regarding improper behavior, including anonymous complaints regarding an ongoing arrangement in which a WPP subsidiary paid bribes to Indian officials in exchange for advertising contracts.
Without admitting or denying the SEC's findings, WPP agreed to cease and desist violating the FCPA and to pay $10.1 million in disgorgement, $1.1 million in prejudgment interest, and an $8 million penalty.
Swap Reporting Violations: In re Citibank, N.A., et al.
At the end of the quarter, on Sept. 27, 2021, in a settled administrative proceeding action, the CFTC charged Citibank, N.A. and Citigroup Global Markets Limited (collectively, "Citi"), two provisionally registered swap dealers, for their failure to properly report and supervise the gathering of Legal Entity Identifier ("LEI") information in violation of the Commodity Exchange Act and CFTC regulations.88 According to the CFTC, Citi's alleged conduct also violated a 2017 cease and desist order relating to reporting and supervision failures.
Specifically, the CFTC alleged that, from 2013 to November 2019, Citi reported the counterparty identified for certain swaps as "Name Withheld" instead of reporting a valid LEI or a Privacy Law Identifier compliant with available CFTC no-action relief. These failures were due in part to Citi taking more than 18 months to upgrade its internal systems and other supervisory failures. Additionally, the order alleged that Citi failed to backload LEIs for live trades to a swap data repository within 30 days of the expiration of the no-action relief and failed to backload LEIs for expired or terminated trades entirely. As a result, Citi must pay a $1 million civil monetary penalty, cease and desist from future violations, and update the CFTC on its remediation efforts.
Unregistered Crypto Exchange: In re Poloniex, LLC
Consistent with its recent statements, the SEC's action against Poloniex, LLC signals that it will pursue unregistered crypto exchanges that fail to register as a securities exchange where required. On Aug. 9, 2021, the SEC announced that Poloniex agreed to pay more than $10 million to settle charges for operating an unregistered online digital asset exchange in connection with its operation of a trading platform that facilitated buying and selling of digital asset securities.89
87 SEC Charges World's Largest Advertising Group with FCPA Violations, SEC Press Release No. 2021-191, Sept. 20, 2021, available here.
88 CFTC Orders Citibank and Citigroup Global Markets Limited to Pay a $1 Million Penalty for Swap Data Reporting Violations, Related Supervision Failures, and Violation of a prior CFTC Order, CFTC Press Release No. 842821, Sept. 27, 2021, available here.
Specifically, the order found that, between July 2017 and November 2019, Poloniex operated a web-based trading platform that facilitated buying and selling digital assets, including digital assets that were investment contracts and therefore securities. According to the order, the trading platform constituted an "exchange" because the trading platform provided the non-discretionary means for trade orders to interact and execute through the combined use of the Poloniex website and the Poloniex trading engine. Poloniex, however, never registered its platform as a national securities exchange. Moreover, employees made internal statements about aggressively making new digital assets available for trading, and the company decided to provide users with the trading platform to trade digital assets that were at "medium risk" of being classified as securities under Howey.
As a result of its conduct, the SEC's order found that Poloniex violated Section 5 of the Exchange Act. Without admitting or denying the findings, Poloniex agreed to the entry of a cease-and-desist order, disgorgement of approximately $8.5 million, prejudgment interest of almost $404,000, and a civil penalty of approximately $1.4 million. The order also established a Fair Fund for the benefit of victims.
Offering Fraud Involving Digital Assets: SEC v. BitConnect, et al.
Expanding upon its action against five BitConnect promoters announced in May 2021,90 the SEC filed another contested action in the U.S. District Court for the Southern District of New York on Sept. 1, 2021, alleging that BitConnect; its founder, Satish Kumbhani; its largest U.S. promoter, Glenn Arcaro; and Arcaro's website, Future Money, defrauded investors out of $2 billion through a fraudulent and unregistered offering involving digital assets.91
According to the SEC's complaint, defendants conducted a fraudulent and unregistered offering and sale of securities in the form of investments in a "Lending Program" offered by BitConnect.92 To induce investors to deposit funds into the Lending Program, defendants falsely represented that BitConnect would use its proprietary volatility software trading bot to generate significant returns. The SEC alleges that, instead of using investor funds for trading with the bot, BitConnect and Kumbhani siphoned funds off for their own benefit by transferring those funds to digital wallet addresses controlled by them, Arcaro, and others. BitConnect and Kumbhani established a network of promoters around the world, and rewarded them by paying commissions, a substantial portion of which they concealed from investors. One such promoter was Arcaro, who used the website he created, Future Money, to bring investors into the Lending Program.
The complaint charges the defendants with violating the registration provisions of Sections 5(a) and (c) of the Securities Act, the antifraud provisions of Sections 17(a) of the Securities Act, and Section 10(b) of the Exchange Act and Rule 10b-5 thereunder. The complaint additionally charges Arcaro and Future Money with violations of the broker-dealer registration provisions of Section 15(a) of the Exchange Act. The SEC seeks an order permanently enjoining defendants from further violations of the charged provisions and requiring them to pay disgorgement with prejudgment interest and civil monetary penalties. The SEC also seeks an order permanently prohibiting Kumbhani, Arcaro, and Future Money from participating in any marketing or sales program in which the participant is compensated or promised compensation primarily for inducing another person to become a participant in the program and from participating in any offering of digital asset securities. Arcaro was also charged criminally for his role in the scheme and pleaded guilty to conspiracy to commit wire fraud on Sept. 1, 2021.93
89 Poloniex, LLC, Exchange Act Release No. 92607, Aug. 9, 2021, available here.
90 See SEC Charges U.S. Promoters of $2 Billion Global Crypto Lending Securities Offering, SEC Press Release No. 2021-90, May 28, 2021, available here.
91 SEC Charges Global Crypto Lending Platform and Top Executives in $2 Billion Fraud, SEC Press Release No. 2021-172, Sept. 1, 2021, available here.
92 See Complaint, SEC v. BitConnect, No. 21-cv-7349 (S.D.N.Y. Sept. 1, 2021), available here.
CFTC Charges Crypto Platforms
A recently filed series of enforcement actions suggests that the CFTC could soon join the ranks of the SEC, DOJ, and Treasury as a key regulator of the cryptocurrency market. On Sept. 28, 2021, the CFTC filed a settled administrative proceeding order against Payward Ventures, Inc. d/b/a Kraken, one of the largest and most popular digital asset exchanges in the United States.94 According to the order, from June 2020 to July 2021, Kraken violated Section 4(a) of the Commodity Exchange Act ("Act") by entering into off-exchange retail commodity transactions with U.S. customers who were not eligible contract participants or eligible commercial entities. The order also finds that Kraken violated Section 4d(a)(1) of the Act by operating as an FCM. The order requires Kraken to cease and desist from violating Sections 4(a) and 4d(a)(1) of the Act, pay a civil penalty of $1.25 million, and comply with several undertakings, including implementing and maintaining systems and procedures designed to prevent future unlawful trading by ineligible customers.
A day after issuing the Kraken order, the CFTC filed administrative proceeding charges against 14 additional cryptocurrency trading platforms for either failing to register as FCMs or making false and misleading claims of having CFTC registration and National Futures Association membership.95 In each complaint, the CFTC alleges that the defendant offered services to the general public, including "soliciting or accepting orders for binary options that are based off the value of a variety of assets including commodities such as foreign currencies and cryptocurrencies including Bitcoin, and accepting and holding customer money in connection with those purchases of binary options."96 The CFTC alleges that "binary options that are based on the price of an underlying commodity like forex or cryptocurrency are swaps and commodity options as used in the definition of an FCM."
The CFTC has long considered three cryptocurrencies--Bitcoin, Ethereum, and Litecoin--commodities and has occasionally participated in regulating the cryptocurrency market. But targeting multiple market participants in a two-day span and referencing "commodities such as foreign currencies and cryptocurrencies including Bitcoin" in the complaints could be signs that the CFTC is deliberately moving towards expanding its jurisdiction further into the crypto space.
Enforcement activity in the third quarter was, at times, innovative and far-reaching. In particular, the enforcement actions brought by the SEC to close out its fiscal year signal that it will deliver on the aggressive agenda promised earlier in the year. It seems apparent that financial regulators during the current administration will continue to increase oversight of emerging technologies in the financial services industry and are not afraid of bringing groundbreaking new cases while aggressively pursuing traditional priorities.
93 Director and Promoter of BitConnect Pleads Guilty in Global $2 Billion Cryptocurrency Scheme, Dep't of Justice Release No. CAS21-0901-Arcaro, Sept. 1, 2021, available here.
94 Payward Ventures, Inc. (d/b/a Kraken), CFTC Docket No. 21-20, Sept. 28, 2021, available here.
95 See CFTC Charges 14 Entities for Failing to Register as FCMs or Falsely Claiming to be Registered, CFTC Release No. 8434-21, Sept. 29, 2021, available here.
96 See, e.g., Complaint, Cryptofxtrader, CFTC Docket No. 21-23, Sept. 29, 2021, available here.