A little-noticed consent decree entered into by the U.S. Securities and Exchange Commission earlier this year should be setting off alarm bells for financial firms and their boards of directors.
In a cease and desist order against Voya Financial Advisors, the investment advisory unit of Voya Financial, the SEC – for the first time – enforced its “Identity Theft Red Flags Rule” in punishing the firm for allegedly lackluster data security practices. The SEC charged that hackers were able to access sensitive client information including Social Security Numbers, account balances and even details of client investment accounts. The commission called out the company’s board of directors for failing to “administer and oversee” compliance with the rule. Continue reading →
A new Department of Justice policy (the “Policy”) modifies critical elements of the prominent 2015 “Yates Memorandum” on individual accountability. Introduced on November 29 by Deputy Attorney General Rod J. Rosenstein (the “DAG”), the Policy is manifested, in part, by specific revisions to the Justice Manual (previously referred to as the U.S. Attorneys’ Manual).
The Policy clarifies the relationship between the scope of a defendant’s disclosures regarding individuals and qualifying for cooperation credit, particularly in the context of civil litigation. In so doing, it also raises critical compliance oversight issues for corporate governance. Continue reading →
In a pair of settled enforcement actions announced on November 16 in which it concluded that initial coin offerings conducted by Paragon Coin, Inc. and AirFox were illegal unregistered securities offerings, the SEC imposed an agreed-upon remedy that it will likely seek to use as the template for resolving its backlog of investigations into recent ICOs. Significantly, both ICOs took place after the SEC issued its July 2017 Section 21(a) report addressing a crypto-token offering by The DAO, where the SEC warned the market that some ICOs may violate the federal securities laws.
Neither Paragon nor AirFox agreed to conduct a “rescission offer” whereby the company would offer to repurchase the illegally offered tokens and any investor who declined the offer would retain freely tradable tokens (a remedy that Google undertook shortly after its IPO in order to resolve claims that certain pre-IPO compensatory equity grants were made in violation of the registration provisions of the Securities Act of 1933). Instead, each company agreed to distribute a “claim form” to all token purchasers offering return of the consideration paid, plus interest, in exchange for tender of the tokens, or offering damages to token purchasers who no longer hold their tokens. Purchasers of tokens located outside the United States are apparently not excluded from participation. Each company was also fined $250,000 and required to register its token as a security and become an SEC-reporting company for at least one year. Continue reading →
OCC’s New and Revised Sections of Policies and Procedures Manual Relating to Enforcement Actions Suggest Continued Heightened Interest in Actions Against Individuals
Historically, the Office of the Comptroller of the Currency (the “OCC”) has applied a single set of internal policies and procedures to enforcement actions brought against individuals (institution-affiliated parties (“IAPs”)) and institutions (national banks, federal savings associations, and federal branches and agencies of foreign banks (collectively, “banks”)). On November 13, the OCC issued a new section to its Policies and Procedures Manual (“PPM”) specific to enforcement actions against IAPs (the “IAP PPM”) and simultaneously updated the existing sections for Bank Enforcement Actions and Related Matters (the “Bank PPM”) and for Civil Money Penalties (“CMPs”) (the “CMP PPM”). The new IAP PPM generally breaks no new ground, and most changes to the Bank PPM and CMP PPM align those two sections with, and reflect the issuance of, the IAP PPM. There are, however, several notable additions and modifications to the new and revised sections that serve to improve the clarity and transparency of the OCC’s enforcement action process.
Beyond those distinctions, the issuance of a standalone IAP PPM suggests a continued, if not increased, focus by the OCC on actions against IAPs going forward, and is consistent with the broader theme, evidenced over the last several years, of regulatory and law enforcement focus on holding individuals accountable in cases of financial institution wrongdoing. The new OCC IAP PPM suggests a continual focus on holding individuals accountable for corporate misconduct in the financial industry. Continue reading →
The settled order is the first SEC action charging a seller of digital tokens as an unregistered broker-dealer.
On September 11, 2018, the U.S. Securities and Exchange Commission (SEC) announced a settled order instituting cease-and-desist proceedings and imposing remedial sanctions against TokenLot LLC (TokenLot), a self-described “ICO Superstore,” and its owners in connection with their sales of digital tokens to the general public through a website. The SEC found that TokenLot and its owners acted as unregistered broker-dealers in violation of Section 15(a) of the Securities Exchange Act of 1934 (Exchange Act) and engaged in unregistered securities offerings in violation of Section 5 of the Securities Act of 1933 (Securities Act). Continue reading →
One of the most frequently discussed white collar issues of late has been the benefits of voluntarily self-disclosing to the U.S. Department of Justice (“DOJ”) allegations of misconduct involving a corporation. This is the beginning of periodic analyses of white collar issues unique to financial institutions, and in this issue we examine whether and to what extent a financial institution can expect a benefit from DOJ for a voluntary self-disclosure (“VSD”), especially with regard to money laundering or Bank Secrecy Act violations. Although the public discourse regarding VSDs tends to suggest that there are benefits to be gained, a close examination of the issue specifically with respect to financial institutions shows that the benefits that will be conferred in this area, if any, are neither easy to anticipate nor to quantify. A full consideration of whether to make a VSD to DOJ should include a host of factors beyond the quantifiable benefit, ranging from the likelihood of independent enforcer discovery; to the severity, duration, and evidentiary support for a potential violation; and to the expectations of prudential regulators and any associated licensing or regulatory consequences, as well as other factors. Continue reading →
Corporate misconduct allegations often result in investigations by multiple agencies, including foreign, federal, state, and local authorities. Without proper coordination, companies risk being hit with duplicative penalties for the same misconduct. Duplicative corporate penalties can be avoided, but coordinating a corporate resolution with multiple authorities is hard to navigate.
Within the United States, federal prosecutors often have overlapping jurisdiction with other federal criminal and civil prosecutors, federal and state regulators, and local prosecutors. In international investigations, federal prosecutors also have to cooperate with foreign authorities with overlapping jurisdiction. All of these players can have a legitimate interest in protecting the public from economic crimes. Regulatory competition, however, often leads government authorities to want to take the lead over other authorities. Other times, government authorities jump from the sidelines onto the field of play when a corporate resolution is near and refuse to leave the field without a share of the penalties. A coordinated resolution is difficult to achieve in either case. In the end, the overlapping jurisdiction and regulatory competition can either lead to (1) each authority “piling on” their share of penalties or (2) a coordinated resolution that identifies the collective harm caused by the company’s misconduct, the appropriate penalties for that harm, and the fair allocation of the penalties among the interested government players. Continue reading →
In 2010, in the wake of the financial crisis, Congress passed comprehensive financial regulation reform legislation known as the Dodd-Frank Act (Pub.L. 111-203). Section 922 of the Dodd-Frank Act established both a bounty award program as well as anti-retaliation protection for whistleblowers who report securities law violations.
Pursuant to the mandate of Section 922, the US Securities and Exchange Commission (“SEC”) established an Office of the Whistleblower, and implemented its final rules on the Dodd-Frank Program through a comprehensive rulemaking process that involved significant public input in May 2011. Continue reading →
In today’s world, data breaches are a regular occurrence. The size and scale vary, and they have different causes, but those matters are irrelevant if you are a data subject affected – you just want the situation resolved and compensation for any losses you suffer. Who should be responsible for those breaches? Where a company has not taken sufficient steps to safeguard personal data, the answer is obvious. But what about where a rogue employee leaks personal data with the deliberate intention of harming his employer? The English High Court has recently decided that even in that instance, the employer is liable to data subjects. Although there is no specific case on this point, we believe that a similar outcome would be reached in an action under US law. Continue reading →
On January 12, 2018, the Supreme Court granted a writ of certiorari in Raymond J. Lucia Cos., Inc. v. SEC, No. 17-130, a case raising a key constitutional issue relating to the manner in which the U.S. Securities and Exchange Commission (SEC or Commission) appoints its administrative law judges (ALJs). The Court will decide “[w]hether administrative law judges of the [SEC] are Officers of the United States within the meaning of the Appointments Clause.” The answer to this question matters because if SEC ALJs are “officers,” then they should have been appointed by the Commission itself instead of hired through traditional government channels—and the Commission only exercised its ALJ appointment authority in late 2017. Although the question is limited to SEC ALJs, any decision could also impact ALJs at other agencies government-wide.
At this point, both the petitioner and the Solicitor General (SG) actually agree that ALJs are officers. In its response to the cert petition raising this issue in Lucia, the SG, in an about-face, had abandoned the SEC’s long-held defense of the manner in which it appoints its ALJs. Up until now, in an attempt to fend off an asserted constitutional defect in its ALJs’ method of appointment, the SEC has argued (with SG approval) that ALJs are “mere employees” of the SEC, and not “officers.” The day after the SG dropped this position—and with no warning in its briefing—the Commission took the step to appoint the current ALJs. Continue reading →