Top 5 SEC Developments for July 2023

Morrison & Foerster LLP

In order to provide an overview for busy in-house counsel and compliance professionals, we summarize below some of the most important SEC enforcement developments from the past month, with links to primary resources. This month’s installment covers:

  • A $6 million settlement by a registered broker-dealer and its parent company for allegedly failing to file hundreds of Suspicious Activity Reports;
  • Inconsistent decisions regarding when offers and sales of crypto-assets are considered securities transactions;
  • An $18 million settlement by a SPAC accused of fraud for misleading investors about its pre-IPO contact with its future target;
  • Whether the attorney-client privilege extends to a client’s identity; and
  • The SEC’s adoption of final rules regarding cybersecurity disclosures for public companies.

1. Broker-Dealer’s Failure to File SARs

On July 11, 2023, the SEC announced a settled enforcement action and $6 million penalty against a registered broker-dealer and its parent company for failing to file hundreds of Suspicious Activity Reports (SARs) from 2009 to late 2019.

According to the SEC’s order, when the broker-dealer was acquired in 2009, its new parent implemented a $25,000 threshold instead of the required $5,000 threshold for broker-dealers reporting attempted transactions where a suspect may be seeking to use the institution to facilitate criminal activity and could not be identified (“no-suspect criminal activity”). Here, the no-suspect criminal activity concerned broker-dealer customers who were victims of unauthorized debit card withdrawals, forged or altered checks, account intrusions, identity thefts, and phone or internet scams rather than transactions that may have involved money laundering or violations of the Bank Secrecy Act. This led to the broker-dealer and its parent failing to file hundreds of SARs and, according to the SEC, violating the books and records provisions of the Securities Exchange Act of 1934 (“Exchange Act”) Section 17(a) and Rule 17a-8 thereunder.

In an apparent effort to emphasize that meaningful cooperation and remedial acts may impact the terms of the settlement, the SEC pointed to the broker-dealer’s and parent’s remedial actions and cooperation in determining to accept an offer of settlement. The cooperation and remedial acts included, after realizing the wrong threshold was being used: “(a) updating policies, procedures, and automated surveillance systems to properly account for the $5,000 threshold and training its Fraud Investigations Group personnel responsible for filing SARs; (b) reviewing all other thresholds with respect to [the broker-dealer] and confirming that they were using correct thresholds across the SAR program; (c) reporting the issue to Commission staff and other relevant regulators; and (d) conducting a look-back to 2014 (the earliest date for which [the broker-dealer] retained records) and filing 865 SARs on no-suspect criminal activity that met the proper $5,000 threshold” as well as voluntarily conducting and sharing the results of their internal investigation.

Without admitting or denying liability, the broker-dealer and its parent agreed to cease and desist from committing or causing violations of those provisions, and the broker-dealer agreed to a censure and $6 million fine. The broker-dealer agreed to pay a separate $6 million fine to settle charges brought by FINRA.

Also, on July 31, 2023—further signaling that compliance with anti-money laundering regulations will continue to be a priority—the SEC Division of Examinations issued a Risk Alert summarizing observations from its recent anti-money laundering and counter-financing of terrorism examinations. That alert included the following statement: “Some firms set SAR reporting thresholds at amounts significantly higher than the $5,000 threshold specified in the SAR Rule . . .” Read MoFo’s Client Alert on the SEC’s Risk Alert.

#$5kThresholdForSARRule #AMLRegulations

2. Ripple/Terraform Decisions in SDNY

On July 13, 2023, Judge Analisa Torres in the Southern District of New York issued a much-anticipated summary judgment order in the SEC’s case against Ripple Labs and two senior leaders. As discussed in greater detail in MoFo’s July 17 client alert, Judge Torres’s split decision granted and denied in part both the SEC’s and Ripple Labs’ cross-motions for summary judgment.

The parties’ dispute turned primarily on whether Ripple’s XRP tokens were investment contracts as defined by the so-called “Howey Test,” a standard set forth in the Supreme Court’s decision in SEC v. W.J. Howey Co., 328 U.S. 293 (1946). Under Howey, an investment contract constitutes a security “whereby a person invests his money in a common enterprise and is led to expect profits solely from the efforts of the promoter or a third party.”

First, Judge Torres found that XRP “is not in and of itself a contract, transaction, or scheme,” but rather just a “digital token” that was not in and of itself an investment contract—and therefore not inherently a security. Second, Judge Torres found that Ripple’s Institutional Sales—those sold “directly” to “institutional buyers, hedge funds” and “on-demand liquidity” customers—constituted investment contracts. Third, Judge Torres found that Ripple’s Programmatic sales of XRP through “digital asset exchanges” did not establish the third Howey prong—i.e., that a reasonable expectation of profits be derived from the entrepreneurial or managerial efforts of others—because the programmatic buyers did not know to whom or what they were paying money, and therefore Ripple’s transactions with them did not constitute offers and sales of investment contracts. Fourth, Judge Torres found that XRP token distributions to employees and third parties to develop software for the XRP ecosystem were not offers and sales of investment contracts because the recipients did not pay money to Ripple. Judge Torres noted that Howey requires a showing that investors “provided the capital” or “put up their money,” and rejected the proposition that labor can constitute tangible and definable consideration.

Overall, Ripple is not a clean victory for the SEC or the crypto-industry, and the opinion leaves considerable room for interpretation. And within weeks, on July 31, 2023, Judge Jed S. Rakoff of the Southern District of New York expressly rejected the approach taken in Ripple in his ruling denying Terraform Labs’ motion to dismiss in SEC v. Terraform Labs. Judge Rakoff—whose order is described in more detail in our August 4 client alert—declined to distinguish between investors who purchased tokens directly from a defendant and those who obtain their tokens through secondary transactions, because “Howey makes no such distinction between purchasers.” The SEC has since noted this intra-circuit disagreement in its letter to Judge Torres signaling its intent to appeal her Ripple decision.

As we cautioned in our client alerts following Ripple and Terraform, observers should be careful to avoid drawing broad conclusions from one opinion in a rapidly growing body of precedent. And the SEC continues to bring cases against companies and individuals involving crypto-assets, which are at the center of its July 13, 2023 case charging Celsius Network Limited and its founder and former CEO, Alex Mashinsky, with violations of the registration and anti-fraud provisions of the federal securities laws.

#AreTokensInvestmentContracts? #CelsiusRippleandTerraformOhMy!

3. SEC Charges Digital World SPAC for Material Misrepresentations to Investors

On July 20, 2023, the SEC announced settled fraud charges against Delaware-based Digital World Acquisition Corporation (DWAC), a special purpose acquisition company (SPAC), for allegedly making material misrepresentations in forms filed with the SEC as part of DWAC’s initial public offering and proposed merger with Trump Media & Technology Group Corp. (TMTG), a social media company.

According to the SEC, DWAC made misleading statements by failing to disclose that it had formulated a plan to acquire—and was actively pursuing the acquisition of—TMTG prior to DWAC’s IPO. In an amended Form S-1, DWAC represented that neither DWAC nor its officers and directors had had any discussions with any potential target companies prior to its September 2021 IPO. However, DWAC’s Chief Executive Officer and Chairman (“Individual A”) engaged in “extensive discussions” with TMTG on behalf of another SPAC he also controlled (“SPAC A”) and formulated a “Plan B” to acquire TMTG via DWAC if SPAC A could not. Further, Individual A had entered into a letter of intent to merge SPAC A and TMTG that made him personally liable to pay a $1 million breakup fee if the merger failed. Thus, the SEC contended Individual A had an undisclosed potential conflict of interest that, when paired with DWAC’s failure to disclose the prior negotiations and “Plan B,” made its amended Form S-1 materially false and misleading. The SEC also took issue with a later Form S-4, which “contain[ed] materially inadequate and misleading disclosures regarding various issues.”

As a result of DWAC’s conduct, the SEC found that DWAC violated Section 10(b) of the Exchange Act and Rule 10(b)-5(b) thereunder and violated Section 17(a)(2) of the Securities Act of 1933 (the “Securities Act”). Through the settlement, DWAC agreed to cease and desist from committing further violations of the aforementioned sections and to pay an $18 million penalty. DWAC also agreed that, should it file an amended Form S-4, it will be “materially complete and accurate.”

#SPACEnforcementCase #BlankCheckCompanyConflicts

4. SEC Successfully Compels Law Firm to Reveal the Identities of Seven Clients Affected in Cyberattack

On July 24, 2023, the District Court for the District of Columbia ordered Covington & Burling LLP to reveal to the SEC the names of seven clients compromised by a 2020 cyberattack, over the objections that the revelation would be a breach of attorney-client privilege. In his memorandum opinion, Judge Amit P. Mehta held that the SEC did not exceed its investigative authority and that the SEC has a legitimate purpose in trying to determine if any illegal trading had occurred using the information accessed through the law firm’s servers. The Court denied the SEC’s broader request to compel the names of every client affected by the attack. Instead, the Court held that the firm only needed to reveal the identities of clients whose material, nonpublic information was compromised in the attack—which was only seven out of the nearly 300 clients affected. The Court rejected the SEC’s argument that the entire client list was necessary “to conduct an effective investigation” on the grounds that the SEC admitted the identities of clients whose material nonpublic information was not accessed were “irrelevant to any analysis of potential unlawful trading.”

As we noted previously, this subpoena enforcement action generated a fair amount of debate regarding its implications for the attorney-client privilege. The Court, however, observed that “Covington’s disclosure of a client name would tell the SEC nothing about what, if any, legal advice the client sought, or how the firm responded, with respect to the cyberattack. Only through guesswork and speculation could the SEC discern from the name of the client alone any communication’s contents.”

#ClientNamesNotPrivileged #CyberBreachSubpoenaEnforcement

5. SEC Adopts Cybersecurity Disclosure Rules for Public Companies

On July 26, 2023, the SEC adopted amendments to its rules to require disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. As discussed in further detail in a recent MoFo client alert, the SEC’s adopted amendments require public companies to:

  • Disclose any cybersecurity incident it deems to be material within four business days on a Form 8-K. Materiality determinations must be made “as soon as reasonably practicable.” In disclosing the material incident, the company must describe its nature, scope, and timing, and the impact or reasonably likely impact, including on the company’s financial condition and results of operations;
  • Describe, on a periodic basis, the company’s processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats, as well as whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition; and
  • Describe, on a periodic basis, the board’s oversight of risks from cybersecurity threats and management’s role in assessing and managing those risks.

The SEC also adopted similar disclosure requirements that will apply to foreign private issuers.

The final amendments will be effective 30 days following publication of the Adopting Release in the Federal Register. The compliance timeframe is as follows:

  • All issuers must start providing the required periodic disclosures via their annual reports for the fiscal years ending on or after December 15, 2023;
  • All issuers (other than small companies) must begin complying with the current disclosure rules—including the rule that material incidents must be reported on a Form 8-K within four business days—90 days after publication of the Adopting Release in the Federal Register or December 18, 2023, whichever is later; and
  • Smaller reporting companies must begin complying with the incident disclosure requirements 270 days after publication of the Adopting Release in the Federal Register or June 15, 2024, whichever is later.

Over the past few years, the SEC has stepped up its scrutiny of cybersecurity disclosure controls. Now, however, the SEC has promulgated rules to require such disclosures and, in doing so, has further empowered the SEC’s Enforcement staff to investigate whether a company has provided adequate and timely disclosure of a cyber breach or if it has adequate controls to prevent such a breach. For considerations in-house counsel should keep in mind in determining whether to proactively inform the SEC about a cyber incident before disclosing it in an 8-K, see our client alert.

#CybersecuritySafetyIsKey #Cyberattack #ADisclosureWithin4DaysKeepsTheFedsAway

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP | Attorney Advertising
