Priorities, Trends and Developments in Enforcement and Compliance

by Joon H. Kim, Matthew C. SolomonVictor L. HouLisa Vicens, and Samuel Levander

2021 was a year of transition for white-collar criminal and regulatory enforcement. As courthouses reopened and trials resumed, newly-installed heads of law enforcement authorities looked to reset priorities and ramp up enforcement in the first year of the Biden administration. Policy priorities shifted toward enforcement against sophisticated financial institutions, corporates and their executives, in contrast to the previous administration’s focus on retail investors and schemes with identifiable victims. While the shift at the SEC was more immediately visible with major new enforcement priorities, investigations and resolutions, the DOJ adopted policies and announced new initiatives that will likely only find expression in 2022.

The SEC

New leadership at the SEC made its mark quickly, with a palpable change in tone across the agency and a robust agenda that has seen rapid progression. In a transition year following a presidential election and with the turnover of leadership, enforcement has been a priority, with actions in fiscal year 2021 increasing 7% from the previous year (but still down from pre-pandemic enforcement levels in fiscal year 2019).[1] The SEC staff is under increased pressure to bring impactful cases quickly and engage more aggressively with defense counsel earlier in investigations, including by expediting deadlines for everything from document productions to oral presentations and written submissions. Aggressive approaches to investigations, together with the stated desire to impose more onerous settlement terms even if such terms result in damaging collateral consequences from a capital-raising standpoint,[2] suggest that the SEC is at least for now more willing to litigate cases even at the risk of trial losses or long-term programmatic damage that could result from pressing aggressive and controversial legal theories in federal court.

The SEC has already made use of sweeps across entire industries and areas of priority, including cybersecurity, digital assets, ESG, SPACs and most recently to explore the potentially improper use of personal devices for business communications.[3] Alongside this focus on emerging technologies and risks, the SEC’s traditional enforcement actions involving accounting and auditing misconduct and alleged fraudulent conduct by financial professionals and investment advisers have continued apace.[4] The SEC has also emphasized vigorous enforcement of the insider trading laws, with a particular focus on corporate insiders and Rule 10b5-1 plans (plans designed to allow executives and companies to trade in their own securities via a safe-harbor), which we anticipate will only increase with the expected approval of proposed amendments aimed at closing perceived loopholes in the rules.[5] The Division of Enforcement has also returned to some of the more controversial tactics it applied in the past, including the insistence in certain cases on factual and legal admissions in settlements, the renewed use of Section 304 of the Sarbanes-Oxley Act to seek reimbursement of money from corporate executives for alleged misconduct on their watch, a refusal to negotiate waivers of certain collateral consequences for registrants and a renewed focus on bringing charges against individual actors where at all possible. Simply put, the SEC seems intent on aggressively using all of the weapons in its enforcement arsenal to further its policy goals.

Cybersecurity

Orders in three settled actions in 2021 underscored the SEC’s focus on corporate disclosures and internal controls around cyber incidents. These resolutions suggest that companies may face regulatory scrutiny not only for alleged material misstatements and omissions about cyber incidents and related public statements, but also based on the SEC’s view that the companies in question failed to institute reasonable controls to prevent them.[6] One such action reflected a growing trend where the SEC takes issue with a hypothetical statement that a risk “may” occur where the event in question has already taken place.[7] The SEC also conducted a major sweep on cyber incident responses and disclosures related to the SolarWinds cyberattack, with the issuance of subpoenas to hundreds of companies, including many in the technology, finance and energy sectors, thought to be potentially impacted.[8] Combined with the SEC’s recent actions related to cybersecurity disclosures and controls, this sweep suggests that the SEC is building up its resources on this topic and trying to set benchmarks.

Digital Assets

The SEC is devoting significant investigation and litigation resources – as well as public airtime – to emphasize its intent to continue to ramp up enforcement in the digital asset space. Prior SEC leadership principally focused on cryptocurrency frauds and entities that in the Commission’s view were issuers of digital asset securities.[9] The agency has now broadened its investigative focus to market participants that are integral to the infrastructure of the digital asset space – such as digital asset trading platforms and market makers – and that would be subject to SEC regulation if the digital assets they list or trade were found to be securities.[10] Investigations of these market participants will continue into 2022, with litigated actions possible in 2022. With this increased scrutiny by the SEC and other state and federal regulators has come significant regulatory uncertainty and an internal debate within the Commission and indeed among the multiple criminal and regulatory agencies with a potential role to play in the space about the proper approach to the regulation of digital assets.[11]

ESG

Following significant grassroots investor focus, the SEC announced in March 2021 the creation of a 22-member Climate and ESG Task Force housed in the Division of Enforcement to develop initiatives to proactively identify ESG-related misconduct.[12] After the creation of the Task Force, there appeared to be a notable increase in SEC staff inquiries about ESG-related disclosures in ongoing investigations, including related to risk factors and greenwashing, even where the initial focus of the investigations did not appear to be ESG-related. Newly promised disclosure requirements combined with greater enforcement resources presage a likely uptick in ESG-related actions in 2022 as the Commission looks to put its stamp of approval on the alleged increased need for corporate disclosure in this space.

Retail Markets

With the rise in 2021 of “meme stocks” and commission-free brokerage firms, the SEC has also turned its attention to the gamification of the financial markets and the increasing participation of retail (often amateur) investors focused on potentially riskier investments such as cryptocurrencies and SPACs. There is a philosophical divide among regulators as to whether retail investors should have access to the full range of existing financial products or whether they require extra protection and should only have access to certain well-established financial products. Chair Gensler falls in the second camp, having indicated that he does not consider these investors to be adequately protected,[13] and also believes that some conflicts with retail investors cannot be “disclosed away.” Chair Gensler has also been critical of payment for order flow, and has said publicly that a full ban of the practice is “on the table.”[14] In particular, the SEC is likely to carefully scrutinize hedge funds and private equity firms that are involved in the retail market.

SPACs

As the market’s appetite for SPACs cooled in the second half of 2021, the SEC’s focus on SPAC enforcement started to heat up. Last spring, the Division of Corporation Finance issued guidance on financial reporting considerations for SPACs, signaling that the SEC would be more closely scrutinizing this reporting.[15] A short time later, the SEC announced charges against a SPAC, its sponsor and the SPAC’s proposed merger target for allegedly misleading claims about the target’s technology and national security risks related to the target’s founder.[16] Most recently, the SEC announced a $125 million settlement with an electric vehicle company that went public through a SPAC acquisition in March 2020.[17] The SEC has persistently voiced concerns related to incentives and disclosures around SPACs, and more enforcement actions are likely to follow.

The DOJ

The DOJ ramped up resources and adopted policies in 2021 that are expected to take time to find expression in pleas and convictions. Many resolutions in 2021 were carryovers from the prior administration, and there was not a significant uptick in new actions. However, there was a visible increase during the first year of the Biden administration on the DOJ’s focus on white-collar crime, including cases against major corporations and their executives. The Trump administration had taken less aggressive stances on corporate criminal enforcement, including loosening the standard for obtaining corporate cooperation credit, taking into account ability to pay in imposing fines and imposing monitorships less frequently. The result had been historic lows during the Trump administration in the number of white collar prosecutions brought by the DOJ.[18]

The DOJ under the Biden administration has signaled a return to the Obama administration, both in personnel and philosophy. Several senior DOJ officials returned from the Obama administration. They have signaled a strong commitment to white-collar criminal enforcement in relation to companies and individuals, including new initiatives on cyber-fraud, cryptocurrency and environmental justice.[19] DOJ officials have stressed the importance for companies to adopt and implement policies related to ephemeral messaging on apps such as Signal, SnapChat and WhatsApp, as collection of this content has become a regular part of enforcement agencies’ investigatory playbooks.[20]

Corporate Enforcement Policies

Last fall, the DOJ announced three significant changes to its policies on corporate criminal enforcement.[21]

  1. To be eligible for cooperation credit, companies must provide the DOJ with all non-privileged information about all individuals involved in or responsible for the misconduct at issue.
  2. The DOJ will consider the full range of a company’s prior misconduct – not just a narrower subset of similar misconduct – as part of its decision-making on the proper form of resolution.
  3. For companies that cooperate with the government, there will be no default presumption against corporate monitors.[22]

The DOJ also called into question whether negotiated corporation resolutions that do not involve a guilty plea – non-prosecution agreements and deferred prosecution agreements – are appropriate for “recidivist” corporations that have a documented history of corporate wrongdoing by multiple sections and divisions across the DOJ.[23] The DOJ simultaneously announced the creation of a “Corporate Crime Advisory Group” within the DOJ tasked with reviewing the DOJ’s approach to prosecuting criminal conduct by corporations and their executives, management and employees.[24]

FCPA

Last summer, the DOJ announced that it intends to take an “entirely new” approach to FCPA enforcement by spending more time and resources actively developing its own cases, including through data mining, the use of cooperating witnesses (including by leveraging existing whistleblower programs) and partnerships with foreign governments, in addition to its historical reliance on self-reporting to drive new actions.[25] In December 2021, the Biden administration issued the “United States Strategy on Countering Corruption,” which seeks to enhance collaboration across governmental agencies and signals that the U.S. government will increase the scope of its anti-corruption laws, regulations and initiatives in the coming year.[26]

Cybersecurity and Cryptocurrency

The DOJ announced new initiatives in 2021 on cybersecurity and cryptocurrency that are likely to lead to increased corporate enforcement activity in 2022. The DOJ recently announced the launch of a Civil Cyber-Fraud Initiative, designed to combat new and emerging cyber threats to the security of sensitive information and critical systems.[27] At the same time the DOJ announced the creation of a National Cryptocurrency Enforcement Team to organize and help spearhead investigations and criminal prosecutions related to cryptocurrency, including cases against cryptocurrency exchanges, infrastructure providers and other entities that misuse cryptocurrency and related products to commit or facilitate criminal activity.[28] The Team will also assist in tracing and recovery of assets lost to fraud and extortion, including cryptocurrency payments to ransomware groups.[29]

Key Takeaways

Boards of directors should be prepared for investigations and actions designed to drive policy goals and foster deterrence stemming from the ambitious agenda and numerous initiatives formed in the first year of the Biden administration.

  • Companies should update their policies and procedures to ensure that they adequately address enforcement agencies’ priorities, and should devote resources to ensuring executives’ compliance with these policies and procedures and appropriate related disclosures.
  • All companies, including private companies and foreign private issuers, should maintain a continued focus on accounting policies and procedures and handling of MNPI as enforcement agencies have cast a broad net and shown a willingness to test the limits of their jurisdictional authority.
  • Financial institutions should expect increased regulatory scrutiny, particularly related to digital assets and SPACS, as well as the continued focus on the use of personal devices for business communications.
  • Companies in the oil and gas, mining, automotive, aerospace and industrial sectors should enhance their internal monitoring and compliance protocols for ESG targets and anti-corruption in light of the Biden administration’s focus on these issues.
  • Enforcement authorities are particularly focused on demonstrating capabilities and leadership in new areas, such as cybersecurity, digital assets and ESG, and companies need to be keenly focused on their conduct and disclosures in these areas.
  • Public companies need to be particularly attuned to the accuracy of their cybersecurity disclosures and to ensure that in the wake of a cyber incident they will be able to demonstrate that they followed well-established protocols and that they appropriately escalated issues and timely disclosed material facts.
  • Public companies should pay careful attention to their ESG disclosures in light of the lack of clear, concrete guidance combined with increased scrutiny from the SEC’s Enforcement Division.
  • Companies with any exposure to digital assets should carefully scrutinize their potential legal exposure given enforcement authorities’ widespread focus on the entire industry and demonstrated willingness to bring actions even in areas of regulatory uncertainty.
  • Companies facing active or potential criminal investigation, as well as those who have resolved enforcement actions in the last few years, should take particular heed of the new DOJ policies announced in 2021. Both the DOJ and the SEC will likely come down hard on perceived “recidivist” conduct. Advocacy related to which individuals may have been involved in misconduct, the relevance of prior misconduct and whether a monitor is warranted will be of critical importance. Companies should also consider these new policies in consideration of potential self-reporting decisions given the impact on cooperation credit.

Footnotes

[1]  SEC, “SEC Announces Enforcement Results for FY 2021” (November 18, 2021), available here.

[2]  See, e.g., SEC, “Remarks at SEC Speaks 2021: Gurbir Grewal, Director, Division of Enforcement” (October 13, 2021), available here.

[3]  The SEC and CFTC issued orders on December 17 against a global financial institution, with the bank admitting violations of the federal securities laws for failing to maintain required records and agreeing to pay a total $200 million penalty. SEC, “In re J.P. Morgan Securities LLC, Release No. 93807” (December 17, 2021), available here; CTFC, “In re JPMorgan Chase Bank, N.A., CFTC Docket No. 22-07” (December 17, 2021), available here.

[4]  SEC, “Addendum to Division of Enforcement Press Release Fiscal Year 2021” (November 18, 2021), available here.

[5]  See, e.g., SEC, “SEC Proposes Amendments Regarding Rule 10b5-1 Insider Trading Plans and Related Disclosures” (December 15, 2021), available here. For additional details on proposed rule changes to 10b5-1, see our December Alert Memo here.

[6]  SEC, “In re First American Fin. Corp., Release No. 92176” (June 14, 2021), available here; SEC, “In re Pearson plc, Release No 10963, 92676” (August 16, 2021) available here; SEC, “SEC Announces Three Actions Charging Deficient Cybersecurity Procedures” (August 30, 2021), available here (“It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”).

[7]  See, SEC “In the Matter of Altaba Inc. f/d/b/a Yahoo! Inc., Securities Act Release No. 10485, Exchange Act Release No. 83096, Accounting and Audit Enforcement Release No. 3937” (April 24, 2018), available here (issuer’s “risk factor disclosures in its annual and quarterly reports from 2014 through 2016 were materially misleading in that they claimed the company only faced the risk of potential future data breaches” that might expose issuer to loss and liability “without disclosing that a massive data breach had in fact already occurred”); SEC, “In re Pearson plc, Release No 10963, 92676” (August 16, 2021) available here; SEC “In re Alphabet, Inc. Sec. Litig., 1 F.4th 687, 69394, 703 (9th Cir. 2021)”; SEC, “Mylan to Pay $30 Million for Disclosure and Accounting Failure Relating to EpiPen” (September 27, 2019), available here.

[8]  See, e.g., Reuters, “U.S. SEC Probing SolarWinds Clients over Cyber Breach Disclosures,” (June 21, 2021), available here.

[9]  Notable examples of litigated enforcement actions in this first wave included SEC v. Kik Interactive Inc., No. 19-cv-5244 (S.D.N.Y. 2019), and SEC v. Telegram Grp. Inc., No. 19 Civ. 9439 (PKC) (S.D.N.Y. 2019). The SEC filed a lawsuit in December 2020 against Ripple Labs Inc. and two of its executives for allegedly conducting an eight-year long unregistered securities offering.

[10] See, e.g., SEC Chair Gary Gensler, “Remarks before the Aspen Security Forum” (August 3, 2021), available here (“While each token’s legal status depends on its own facts and circumstances, the probability is quite remote that, with 50 or 100 tokens, any given platform has zero securities.”).

[11] See, e.g., Commissioner Hester M. Peirce and Commissioner Elad L. Roisman, “Statement: In the Matter of Coinschedule” (July 14, 2021), available here (“There is a decided lack of clarity for market participants around the application of the securities laws to digital assets and their trading, as is evidenced by the requests each of us receives for clarity and the consistent outreach to the Commission staff for no-action and other relief.”); Commissioner Hester M. Peirce and Commissioner Elad L. Roisman, “Falling Further Back – Statement on Chair Gensler’s Regulatory Agenda” (December 13, 2021), here (critiquing Chair Gensler’s regulatory agenda as “failing to provide more clarity on digital assets” and making “no mention of any regulation with respect to digital assets,” even while the “sector has grown in size, complexity, diversity, and investor interest.”).

[12] SEC, “SEC Announces Enforcement Task Force Focused on Climate and ESG Issues” (March 4, 2021), available here.

[13] NPR, “Why Wall Street’s Top Cop Thinks It’s Time To Get Tough,” (December 19, 2021), available here.

[14] Barron’s, “SEC Chairman Says Banning Payment for Order Flow Is ‘On the Table’” (August 30, 2021), available here.

[15] SEC, “Staff Statement on Accounting and Reporting Considerations for Warrants Issued by Special Purpose Acquisition Companies (‘SPACs’)” (April 12, 2021), available here.

[16] SEC, “SEC Charges SPAC, Sponsor, Merger Target, and CEOs for Misleading Disclosures Ahead of Proposed Business Combination” (July 13, 2021), available here.

[17] SEC, “Nikola Corporation to Pay $125 Million to Resolve Fraud Charges” (December 21, 2021), available here.

[18] See, e.g., Bloomberg, “Trump Oversees All Time Low in White Collar Crime Enforcement” (August 10, 2020), available here.

[19] See, e.g., Law360, “Corruption, Cybercrime in Crosshairs for DOJ Crime Chief” (December 10, 2021), available here (Assistant Attorney General Kenneth Polite: “Corporate enforcement is a very high priority, not just for me, but for the overall DOJ leadership. Individual accountability is a very high-profile priority for me and the leadership as well.”); Executive Office of the Presidency, “Tackling the Climate Crisis at Home and Abroad” 86 FR 7619 (Jan. 27, 2021); The United States Attorney’s Office for the Eastern District of New York, “Acting United States Attorney Jacquelyn M. Kasulis Announces Formation of Environmental Justice Team in the Office’s Civil Division” (June 24, 2021) available here.

[20] See, e.g., The Wall Street Journal, “Justice Department Officials Dig in on Corporate Repeat Offenders” (December 1, 2021), available here.

[21] U.S. Department of Justice Press Release, “Deputy Attorney General Lisa O. Monaco Gives Keynote Address at ABA’s 36th National Institute on White Collar Crime” (October 28, 2021), available here.

[22] Memorandum from Deputy Attorney General Lisa O. Monaco, “Corporate Crime Advisory Group and Initial Revisions to Corporate Criminal Enforcement Policies” (October 28, 2021), available here; for additional details, see our November Alert Memo available here.

[23] U.S. Department of Justice Press Release, “Deputy Attorney General Lisa O. Monaco Gives Keynote Address at ABA’s 36th National Institute on White Collar Crime” (October 28, 2021), available here; see The Wall Street Journal, “Justice Department Officials Dig in on Corporate Repeat Offenders” (December 1, 2021), available here. Recent reports suggest that the DOJ has been taking a harder line on existing deferred prosecution agreements. See, e.g., Bloomberg, “Deutsche Bank Haunted by Control Lapses as U.S. Warns of Breach” (December 8, 2021), available here.

[24] Id.

[25] Nicholas McQuaid, Acting Assistant Attorney General, American Conference Institute, Keynote Address at the Foreign Corrupt Practices Act Conference (June 2, 2021).

[26] The White House, “United States Strategy on Countering Corruption” (December 2021), available here.

[27] DOJ, “Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative” (October 6, 2021), available here.

[28] DOJ, “Deputy Attorney General Lisa O. Monaco Announces National Cryptocurrency Enforcement Team” (October 6, 2021), available here.

[29] Id.

Joon H. Kim, Matthew C. SolomonVictor L. Hou, and Lisa Vicens are partners, and Samuel Levander is an associate, at Cleary Gottlieb Steen & Hamilton LLP.

Disclaimer

The views, opinions and positions expressed within all posts are those of the authors alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law.  The accuracy, completeness and validity of any statements made within this article are not guaranteed.  We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the authors and any liability with regards to infringement of intellectual property rights remains with them.