The Securities and Exchange Commission’s (“SEC”) Division of Enforcement released its Annual Report (the “Report”) last month, which discusses enforcement cases and responses that occurred during the 2020 fiscal year. As detailed by this Report, despite the substantial effects of COVID-19, the SEC brought more than 700 enforcement cases during 2020; particularly, in March and April of 2020, the SEC suspended trading in the securities of two dozen issuers due to questions regarding the accuracy and adequacy of information the issuers were providing related to COVID-19 (i.e., claims about potential COVID-19 treatments, the manufacture and sale of personal protection equipment, and disaster-response capabilities).[1] Also, from mid-March through the end of the 2020 fiscal year, the Office of Market Intelligence triaged approximately 16,000 tips, complaints, and referrals and opened more than 150 COVID-19 related inquiries arising from COVID-19 related fraud actions.[2]
In addition, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued material guidance in the form of Risk Alerts as part of OCIE’s continuing efforts to educate and inform the financial services industry participants about important examination topics.
This month’s Legal Risk Management Tip summarizes some of the noteworthy SEC Enforcement activity and OCIE issuances that occurred in 2020.
Notable SEC Enforcement Actions of 2020
Certain enforcement actions stood out due to, at least in part, the substantial media coverage detailing the alleged wrongdoing and the significant impact on the everyday individual investor. The following items highlight some of the notable enforcement matters throughout the 2020 fiscal year:
- Wells Fargo & Co. In a settled action, the SEC found that Wells Fargo misled investors about the success of its core business strategy at a time when it was opening unauthorized or fraudulent accounts for unknowing customers and selling unnecessary products that went unused. Wells Fargo was ordered to pay the SEC a $500 million civil penalty as part of a combined $3 billion settlement with the SEC and the Department of Justice.[3]
- J.P. Morgan Securities LLC. In a settled action, the SEC found that J.P. Morgan fraudulently engaged in manipulative trading of U.S. Treasury securities. J.P. Morgan admitted the findings in the SEC’s order, and was ordered to pay disgorgement of $10 million and a civil penalty of $25 million to settle the action. The Department of Justice and the Commodity Futures Trading Commission resolved parallel matters against J.P. Morgan Chase & Co. and certain of its affiliates.
- SCANA Corp. In a litigated action, the SEC has charged SCANA Corp., two of its former top executives, and South Carolina Electric & Gas Co. with allegedly defrauding investors by making false and misleading statements about a nuclear power plant expansion that was ultimately abandoned.
Furthermore, 2020 was a record high year for whistleblower tips being offered to the SEC. Specifically, the SEC awarded 39 individuals approximately $175 million, of which included the SEC’s largest individual award in history in the amount of approximately $114 million to a single whistleblower.[4] As a result, the SEC has committed to continuing its focus in bringing more impactful change and accelerating the evaluation process available to individual whistleblowers.
COVID-19 Impact on SEC Guidance
In April 2020, the Division of Investment Management provided public guidance through its FAQs addressing regulatory obligations imposed on Registered Investment Advisers (“RIA”) that may result from the receipt of a loan under the Paycheck Protection Program (“PPP”).[5] For example, the FAQ provides that an RIA “must make full and fair disclosure to [its] clients of all material facts relating to the advisory relationship. If the circumstances leading you to seek a PPP loan or other type of financial assistance constitute material facts relating to your advisory relationship with clients, it is the staff’s view that your firm should provide disclosure of, for example, the nature, amounts and effects of such assistance. If, for instance, you require such assistance to pay the salaries of your employees who are primarily responsible for performing advisory functions for your clients, it is the staff’s view that you would need to disclose this fact. In addition, if your firm is experiencing conditions that are reasonably likely to impair its ability to meet contractual commitments to its clients, you may be required to disclose this financial condition in response to Item 18 (Financial Information) of Part 2A of Form ADV (brochure), or as part of Part 2A, Appendix 1 of Form ADV (wrap fee program brochure).”[6]
Also, throughout 2020, a number of SEC Risk Alerts were released detailing recommendations to account for the potential changes arising from COVID-19 restrictions. Most notably, in August 2020, the SEC published an OCIE Risk Alert regarding Select COVID-19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisers (the “August Risk Alert”).[7] The August Risk Alert recommendations fell broadly into the following six categories: (1) protection of investors’ assets; (2) supervision of personnel; (3) practices relating to fees, expenses, and financial transactions; (4) investment fraud; (5) business continuity; and (6) the protection of investor and other sensitive information. [8]
On a related topic, (and potentially a result of the increasing virtual presence throughout 2020), in September 2020, the SEC published a Risk Alert titled “Cybersecurity: Safeguarding Client Accounts against Credential Compromise (the “September Risk Alert”), which highlighted “credential stuffing”.[9] Although cyberattacks are a frequent concern throughout the financial industry, in the September Risk Alert, OCIE expressed concern regarding the number of cyberattacks leveraging this particular technique. Particularly, OCIE stated that the successful attacks it has investigated resulted in the loss of customer assets and unauthorized access to personal client data.[10] To remedy this concern, OCIE recommended that firms review and update both their Regulation S-P Policy to address certain safeguards to protect customer records and information, and their Regulation S-ID Policy with respect to the requirements to establish identify theft prevention programs within the firm. Also, OCIE cautioned that firms should be mindful of the dangers of reusing username and password credentials with their clients and staff and to consider the implementation of various multi-factor authentication methods.
Conclusion
The aforementioned cases and guidance highlight select SEC enforcement positions and efforts by OCIE to continue to illustrate important issues to the industry at the examination stage that arose in 2020.[11] With new dedicated units within the Division of Investment Management to investigate COVID-19 related matters, and additional expectations being placed on firms to continue to enhance their regulatory compliance policies and procedures, it is reasonable to expect that the SEC, at the Enforcement and OCIE levels, will continue to devote increased focus to these matters throughout 2021. With this in mind, its recommended that firms perform a comprehensive review as to the adequacy and efficiency of the internal controls and client-facing protections in order to help mitigate potential enforcement risks moving forward in 2021.
For more information or to ensure that your firm’s policies and procedures are up to par with the SEC standards, please contact us at (619) 298-2880 or at info@jackolg.com.
JLG works extensively with investment advisers, broker-dealers, investment companies, private equity and hedge funds, banks and corporate clients on securities and corporate counsel matters. For more information, please visit https://www.jackolg.com/.
The information contained in this article may contain information that is confidential and/or protected by the attorney-client privilege and attorney work product doctrine. This email is not intended for transmission to, or receipt by, any unauthorized persons. Inadvertent disclosure of the contents of this article to unintended recipients is not intended to and does not constitute a waiver of attorney-client privilege or attorney work product protections.
The Risk Management Tip is published solely based off the interests and relationship between the clients and friends of the Jacko Law Group P.C. (“JLG”) and in no way be construed as legal advice. The opinions shared in the publication reflect those of the authors, and not necessarily the views of JLG. For more specific information or recent industry developments or particular situations, you should seek legal opinion or counsel.
You hereby are notified that any review, dissemination or copying of this message and its attachments, if any, is strictly prohibited. These materials may be considered ATTORNEY ADVERTISING in some jurisdictions.
[1] See https://www.sec.gov/files/enforcement-annual-report-2020.pdf.
[2] See https://www.sec.gov/files/enforcement-annual-report-2020.pdf.
[3] Around the same period of time, the SEC also filed a separate action against Wells Fargo for its failing to reasonably supervise its investment advisers who had unfettered discretion to recommend complex, high-volatility single-inverse ETFs, and for lacking the required compliance policies and procedures in connection with such recommendations. As part of the resolution of that matter, the SEC imposed a penalty of $35 million, which will be distributed to investors.
[4] See https://www.sec.gov/rules/other/2020/34-90247.pdf.
[5] See https://www.sec.gov/investment/covid-19-response-faq.
[6] Id at Question II.4.
[7] See https://www.sec.gov/files/Risk%20Alert%20-%20COVID-19%20Compliance.pdf.
[8] JLG has discussed the August Risk Alert in greater detail. See https://www.jackolg.com/tip-Why-Advisory-Fees-and-Expenses-Remain-a-Continued-Regulatory-Focus.
[9] “A method of cyber-attack to client accounts that uses compromised client login credentials, resulting in the possible loss of customer assets and unauthorized disclosure of sensitive personal information”. See https://www.sec.gov/files/Risk%20Alert%20-%20Credential%20Compromise.pdf.
[10] Id at 2-4.
[11] Both OCIE and the Division of Enforcement continued to devote meaningful attention to prior initiatives, including, among others, the mutual fund share class initiative. See, e.g. https://www.sec.gov/news/press-release/2020-90.