In order to provide an overview for busy in-house counsel and compliance professionals, we summarize below some of the most important SEC enforcement developments from the past month, with links to primary resources. This month’s installment covers:

• An enforcement action against the former CEO of a public company charging violations of scienter-based fraud for making false and misleading statements to investors and a zero-penalty settlement with the company for its alleged failure to disclose certain information about its ex-CEO’s termination;
• The SEC’s subpoena enforcement action against a law firm after it refused to turn over client names affected by a massive 2020 cyberattack;
• The latest crypto enforcement actions filed and settled with crypto lending programs;
• An enforcement action against a financial information provider for misleading disclosures relating to its paid subscription pricing service that provides valuations for fixed income securities to financial services entities; and
• A Regulation Best Interest (Reg BI) Risk Alert that highlights the deficiencies SEC examiners have encountered in broker-dealer compliance programs since Reg BI went into effect in 2020.

Ex-CEO and Company Settle SEC Claims Related to Ex-CEO’s Workplace Sexual Misconduct Termination; Two Commissioners Dissent

On January 9, 2023, the Commission brought a settled enforcement action against McDonald’s former CEO Stephen J. Easterbrook for making false and misleading statements about the circumstances leading to his termination in November 2019. The SEC charged Easterbrook with violating the anti-fraud provisions of federal securities laws and causing the company to violate Sections 13(a) and 14(a) of the Securities Exchange Act of 1934 (the “Exchange Act”). The SEC imposed a five-year officer and director bar and a $400,000 civil penalty against Easterbrook (in addition to disgorgement of almost $53 million that was satisfied by compensation he repaid to McDonald’s to resolve a lawsuit brought by the Company).

While the SEC also found that McDonald’s violated Section 14(a) of the Exchange Act and Rule 14a-3 for allegedly failing to disclose it exercised discretion in terminating Easterbrook “without cause,” the SEC did not fine McDonald’s because of its substantial cooperation during the SEC’s investigation and affirmative remedial measures. This included voluntarily providing information not otherwise required to be produced and recovering the compensation Easterbrook received. The Company neither admitted nor denied the allegations in the settlement.

In November 2019, after conducting an “independent internal investigation,” McDonald’s terminated Easterbrook for exercising poor judgment and violating the Company’s Standards of Business Conduct. The press release announcing the termination, which was filed with the Commission on a Form 8-K, stated that Easterbrook “separated from the Company following the Board’s determination that he violated company policy and demonstrated poor judgment involving a recent consensual relationship with an employee.” The Company and Easterbrook entered into a Separation Agreement and General Release that stipulated that Easterbrook’s termination would be without cause and allowed Easterbrook to retain compensation valued at over $47 million, including $44 million in stock options and Performance-Based Restricted Stock Units (PRSUs) that would continue to vest over the three years following his termination.

On April 9, 2020, McDonald’s filed its Definitive Proxy for 2020, in which it disclosed that Easterbrook was terminated “without cause.” The SEC alleged that the proxy did not disclose that, absent the Company’s exercise of discretion in treating Easterbrook’s termination as without cause, Easterbrook would have forfeited unvested options and PRSUs as a result of his termination on account of a violation of the Company’s Standards of Business Conduct.

In July 2020, after the receipt of an anonymous tip, McDonald’s conducted a second internal investigation, which revealed evidence that Easterbrook had engaged in inappropriate personal relationships with other employees and withheld potentially relevant information from the Company in its first investigation. The SEC’s order alleges that Easterbrook essentially knew that his misleading conduct in the first investigation would influence the Company’s disclosure to investors in its proxy. In August 2020, McDonald’s sued Easterbrook for fraud and breach of fiduciary duties in Delaware Chancery Court in relation to the Company’s first internal investigation in October 2019. In December 2021, McDonald’s announced it had reached a settlement with Easterbrook and agreed to dismiss the Delaware suit in exchange for Easterbrook’s payment to the Company of his cash severance, prorated bonus, certain proceeds realized from the sale of securities resulting from his exercise of options and PRSUs, and certain attorney’s fees, along with forfeiture of all outstanding equity and awards.

Commissioners Hester M. Peirce and Mark T. Uyeda issued a joint statement disagreeing with the SEC’s charges against McDonald’s. They argued that when McDonald’s was preparing its 2020 proxy statement, it did so in alignment with the industry’s developed practice for complying with Item 402 of Regulation S-K that requires companies to disclose all material elements of compensation for executive officers. The Commissioners did not support the charges in this “case of first impression” and expressed “concerns that this action creates a slippery slope that may expand Item 402’s disclosure requirements into unintended areas—a form of regulatory expansion through enforcement.”

#FraudChargesForCEO’sMisleadingStatementsInInternalInvestigation #CooperationLeadsToZeroPenalty

SEC Sues Law Firm for Refusing to Disclose Client Information After Cybersecurity Breach

On January 10, 2023, the Commission filed suit in D.C. District Court seeking subpoena enforcement following a law firm’s refusal to disclose its clients’ identities accessed in a cyberattack. The subpoena was issued as part of the Commission’s investigation of potential securities law violations arising from a cyberattack beginning in late 2020 and continuing into early 2021.

The Commission’s official investigation into the cyberattack began in March 2021 to investigate the attack’s impact on public companies and regulated entities. The investigation’s stated goals are to understand the nature and scope of the attack; assess and identify potential illegal trading based on information gathered during the attack; and determine relevant disclosure obligations for companies affected by the attack. A year into its investigation in March 2022, the SEC discovered that “threat actors gained unauthorized access to Covington [and Burling LLP]’s computer network and certain individuals’ devices and accessed legal files for approximately 300 of its clients.”

The SEC subpoenaed the firm in March 2022 to obtain information about the impacted parties and the extent of the impact. The law firm and staff of the Commission negotiated over the parameters of the details about impacted clients. Covington represented it had fulfilled its obligations for all the requests under the subpoena except for disclosing the names of the clients whose information had been viewed, copied, modified, or exfiltrated during the attack.

The SEC applied for an order to show cause as to why Covington should not be directed to comply with the SEC’s subpoena. Briefing is set to be completed by March 14, with a hearing scheduled for March 20, 2023.

The SEC’s action has generated a fair amount of debate regarding use of the SEC’s subpoena power to identify a law firm’s clients that have been the victims of a cyberattack, the extent to which the names of clients are subject to the attorney-client privilege, and the willingness of the SEC to pursue subpoena enforcement against a third-party law firm to access arguably privileged information and documents.

#Cyberattack #AttorneyClientPrivilege #SECSubpoenaEnforcement

SEC January Enforcement Actions Against Crypto Lending Programs

On January 12, 2023, the Commission filed suit in the Southern District of New York alleging that cryptocurrency companies Genesis Global Capital, LLC, and Gemini Trust, LLC, violated the Securities Act through the unregistered offer and sale of securities to U.S. retail investors through the Defendants’ investment opportunity, which they called “Gemini Earn” (GE). Beginning in February 2021, the Defendants allegedly marketed the GE program and touted the high interest rates that GE investors could earn in exchange for tendering their crypto assets to Genesis. In order to participate in the GE program, GE investors were required to enter into a tri-party Master Digital Asset Loan Agreement with the Defendants called the “Gemini Earn Agreement.” According to the complaint, the Gemini Earn Agreements, as offered and sold through the GE program, constituted unregistered offers and sales of securities by which the Defendants raised billions of dollars in crypto assets from GE investors.

According to the SEC, Genesis acted as the issuer and entity that received, pooled, deployed, and paid interest on GE investors’ crypto assets. Gemini allegedly acted as the agent of the issuance and provided retail investors access to Genesis, which otherwise only engaged in crypto asset transactions with large institutional and other accredited investors.

As a result of the crypto market’s volatility in late 2022, that November Genesis unilaterally announced that it would not allow GE retail investors to withdraw their crypto assets because the withdrawal requests from GE investors exceeded Genesis’s current liquidity. At the time of the announcement, Genesis held approximately $900 million in crypto assets from approximately 340,000 GE investors mostly residing in the United States. The complaint alleges that because the lending program did not register its GE program, GE investors lacked material information that would have been relevant to their investment decisions.

Although the GE program has been terminated, both Defendants continue to do business in the crypto asset industry. The complaint requests a permanent injunction enjoining Defendants from violating the registration provisions of the Securities Act, disgorgement of ill-gotten gains with prejudgment interest, and additional civil penalties.

A week later, on January 19, the Commission announced a $45 million settlement with crypto lender Nexo for failing to register its retail crypto lending product before offering it to the public. Nexo Capital was charged with failing to register the offer and sale of its retail crypto asset lending product, EIP, which allowed users to collect interest on crypto assets deposited on the platform. The SEC found that EIP was a security that did not qualify for an exemption from registration and thus Nexo’s conduct violated Section 5(a) and (c) of the Securities Act by failing to register its offer and sale of EIP.

Without admitting or denying the allegations, Nexo agreed to pay a total of $45 million in penalties: $22.5 million to settle the SEC’s action and $22.5 million in the state regulatory authorities’ parallel action on similar charges. In accepting Nexo’s settlement, the Commission stated it considered the company’s remedial action and cooperation.

According to the order, Nexo promptly took voluntary remedial action in February 2022 following the SEC’s publicized charges against a similar crypto investment product BlockFi—the first-of-its-kind securities enforcement action against crypto lending platforms. BlockFi settled the SEC action and the related state authorities’ action for a total of $100 million, $50 million each, for the same violations Nexo was charged with, plus charges for making false and misleading statements on its website. Following the BlockFi announcement, Nexo immediately barred new U.S. customers from enrolling in EIP, halted interest payments to those with open accounts, and ultimately in December 2022 announced it would pull back from the U.S. market due to what it called “inconsistent and changing positions” from U.S. regulators.

#CryptoSecurity #OhNoCrypto #GeminiGenesis #Nexo

Bloomberg Subsidiary Settles with SEC over Alleged Misleading Disclosures Regarding Fixed Income Pricing Service

On January 23, 2023, the Commission announced settled charges with a Bloomberg subsidiary, Bloomberg Finance, L.P. (“Bloomberg”), for its misleading disclosures relating to Bloomberg’s independent pricing service (“BVAL”), which provides daily valuations for more than 2.5 million fixed income securities for its paid subscribers. The SEC’s order alleged that, between at least 2016 and October 2022, Bloomberg failed to disclose to BVAL customers that valuations for certain fixed income securities could be based on a single data point, which made other statements Bloomberg made to customers about its valuation methodologies materially misleading. The SEC alleged that because Bloomberg’s customers include mutual funds, money managers, and hedge funds that may use BVAL prices to impact pricing at which securities are offered or sold, Bloomberg violated Section 17(a)(2) of the Securities Act. The Company did not admit or deny the findings but agreed to cease and desist from future violations and pay a $5 million penalty.

Bloomberg made disclosures to its customers regarding its proprietary, algorithmic methodologies but allegedly omitted the fact that a “very small fraction” of the total reported valuations for some fixed income securities could be based on a thinly sourced data point, which did not adhere to the disclosed methodologies. BVAL and other independent pricing services are used by market participants to facilitate price discovery and to perform valuations of fixed income securities for thinly traded or difficult-to-price assets. The order states that Bloomberg was aware that many registered investment companies and private funds utilized its service to mark-to-market holdings of fixed income securities, including for determining net asset value (NAV) calculations and to compute the prices at which fund shares are offered to, sold to, or redeemed from investors.

Commissioners Hester M. Peirce and Mark T. Uyeda issued a joint statement opposing this enforcement action because they do not believe that the particular statements at issue were made in the offer or sale of securities, as is required for a violation of Section 17(a)(2) of the Securities Act. They explained that a wide range of market participants use pricing services like BVAL for multiple purposes, and the services provide helpful information to those participants when providing valuations for certain illiquid, thinly traded securities for which little observable market data exists. While BVAL is useful and important to securities transactions and market participants, Commissioners Peirce and Uyeda do not believe that Bloomberg was offering or selling, or attempting to offer or dispose of, the securities being priced by its pricing service; rather it was offering and selling its services. Bloomberg’s description of its pricing methodologies to its BVAL customers, they conclude, is too far removed from any offers or sales of securities contemplated by the statute or precedent.

#MatieralOmmissions #FixedIncomeSecurities #PricingServices

Regulation Best Interest Risk Alert

On January 30, 2023, the Division of Examinations (“EXAMS”) issued a Risk Alert to highlight the deficiencies they have encountered in exams for compliance with Regulation Best Interest (“Reg BI”). Reg BI provides that, when making a recommendation of any securities transaction or investment strategy involving securities to a retail customer, a broker-dealer and its associated persons must act in the best interest of the customer at the time the recommendation is made.

In the two and a half years since Reg BI went into effect in June 2020, EXAMS highlighted the most commonly observed compliance failures and deficiencies in four obligations (as set forth in Rule 15l-1(a)(2) of the Exchange Act) brokers-dealers and their associated persons must satisfy: disclosure, care, conflict of interest, and compliance.

For example, the EXAMS staff highlighted they consistently found deficient written policies and procedures necessary for broker-dealers to actually comply with the Regulation’s conflicts of interests and disclosure obligations. In multiple instances the staff found generic written policies and procedures that were not tailored to the firm’s business model or otherwise were limited to restating the rule’s requirements. These generic policies and procedures were not reasonably designed to achieve compliance with the obligations.

Some of the cited deficiencies include lack of specificity regarding when disclosures should be updated, how the updated disclosures should be delivered to retail customers, and how to demonstrate that disclosures had been shared in order for the firm to have effective controls to review compliance. EXAMS identified that some firms’ conflicts of interest policies and procedures did not reasonably specify how conflicts would be identified or addressed and also identified some firms inappropriately relying on disclosure to mitigate conflicts or limiting identified conflicts to specific prohibited activities like churning.

Now that EXAMS has issued this Risk Alert and has identified Reg BI as a 2023 Examination Priority, it is likely that we will see enforcement actions in this space in the year to come.

#RiskAlert #ComplyWithRegBI #WrittenPolicysAndProcedures

[View source.]