As part of its “Fiscal Year 2015 Financial Report” released by the U.S. Securities and Exchange Commission (“SEC”) last month, the SEC discussed how “first-of-their-kind” and “high impact” cases highlighted a strong year of enforcement actions. According to the report, the SEC ended the fiscal year of 2015 (which for the SEC concludes on September 30th) having filed a record 807 enforcement actions, representing an increase of seven percent (7%) over the prior year’s number of enforcement actions. Of the 807 enforcement actions, a record 507 were independent actions for violations of federal securities laws and 300 were either actions against issuers who were delinquent in making required filings with the SEC, or administrative proceedings seeking bars against individuals based on criminal convictions, civil injunctions, or other orders.
Furthermore, the SEC stated the resulting disgorgement and monetary penalties arising from these enforcement actions totaled $4.2 billion according to preliminary figures. This figure furthers the trend of the SEC imposing more disgorgements and monetary penalties than what had been accomplished in the previous year (for reference, the SEC’s monetary penalties since 2012 are as follows: $3.1 billion in 2012, $3.4 billion in 2013, and $4.16 billion in 2014). The SEC also announced that its whistleblower program awarded eight whistleblowers with total awards of approximately $38 million for fiscal year 2015. According to SEC Chair Mary Jo White, “the [SEC’s] Enforcement Division’s leveraging of data, quantitative analytics and the expertise of our other divisions contributed significantly to this year’s very strong results.”
Notable Enforcement Actions of 2015
The enforcement actions in 2015 were spread out over a broad spectrum of misconduct. However, certain enforcement actions stood out due to their nature and/or the potential impact that such enforcement actions might have on the financial services industry. The following is a sampling of some of the more notable enforcement matters during the SEC’s past fiscal year:
1. Failure to Register as a Broker Dealer When Conducting EB-5 Transactions
In the Matter of Ireeco, LLC and Ireeco Limited, IA Rel. No. 75268 (June 23, 2015). The SEC charged Ireeco LLC, and its successor Ireeco Limited, with willfully violating Section 15(a)(1) of the Securities Exchange Act of 1934 (the “Exchange Act”) by using the U.S. mail and other instrumentalities of interstate commerce to solicit more than 158 investors for the EB-5 Immigrant Investor Program (“EB-5”) without registering as a broker-dealer with the SEC or without associating with a broker-dealer registered with the SEC. Such infractions resulted in the brokerage of more than $79 million of investments by foreigners seeking U.S. residency. The charges were the first of its kind against brokers handling investments in the government’s EB-5 Program. According to the SEC’s order, Ireeco LLC and Ireeco Limited used their website to solicit EB-5 investors, some of whom were already in the U.S. on a temporary visa. While Ireeco LLC and Ireeco Limited promised to help investors choose the right regional center with which to invest, they allegedly directed most EB-5 investors to the same handful of regional centers. Without admitting or denying the SEC’s findings, Ireeco LLC and Ireeco Limited agreed to be censured and to cease and desist from committing or causing similar violations in the future. They also agreed to administrative proceedings to determine whether they should be ordered to return their allegedly ill-gotten gains, pay penalties, or both based on their violations. The Ireeco case is notable in that it indicates the SEC’s intention to take action against U.S. persons who have received finder’s fees – or similar payments for referring investors certain EB-5 regional centers – going back several years perhaps even before industry players may have known that it would violate U.S. securities laws.
2. Cybersecurity Failures
In the Matter of R.T. Jones Capital Equities Management, Inc., IA Rel. No. 4204 (Sep. 22, 2015). R.T. Jones Capital Equities Management, Inc. (“R.T. Jones”) represents the first enforcement action against an investment adviser for failure to have adequate controls in place for cybersecurity. As part of its business model, R.T. Jones provides investment advice to individual plan participants using model portfolios through a program called Artesys. In order to log into the Artesys system, plan participants enter certain personally identifiable information (“PII”), including name, social security number, date of birth, etc. To verify the eligibility of the plan participant for enrollment, R.T. Jones received eligible participant PII from all plan sponsors. So while R.T. Jones provided investment advisement to only 8,000 plan participants, it actually received PII for over 100,000 individuals. In July 2013, the firm’s server was attacked by an unauthorized, unknown intruder from China, who gained access to the PII data on the server. The SEC found that R.T. Jones had stored the PII of the participants on its web server without adopting any written policies and procedures regarding the security and confidentiality of that information and the protection of that information from anticipated threats or unauthorized access. Furthermore, the firm failed to conduct a risk assessment; did not use a firewall to protect the web server; did not encrypt the PII on the server; and did not have a plan for responding to a cyber incident. Even though there was no harm that resulted to the participants, and R.T. Jones proactively took remediation actions,1 nevertheless the SEC censured the firm and imposed a $75,000 civil penalty.
Since 2014, there have been over five releases from the SEC related to the need for advisers to adopt a robust cybersecurity plan. Consequently, advisers should be on notice that there is a regulatory expectation for them to adopt policies and procedures to protect cyber controls customized to their business or risk the potential for an enforcement action.
3. Failure to Disclose/CCO Liability
In the Matter of Blackrock Advisors, LLC and Bartholomew A. Battista, IA Rel. No. 4065 (Apr. 20, 2015). The SEC alleged, amongst other things, that BlackRock Advisors, LLC (“BlackRock”) and its Chief Compliance Officer, Bartholomew A. Battista (“Battista”), violated Rules 206(2) and 206(4) of the Advisers Act by breaching their fiduciary duty to clients by failing to disclose a conflict of interest created by the outside business activity of one of BlackRock’s portfolio managers. The SEC claims BlackRock additionally failed to adopt and implement policies and procedures for outside activities of employees. According to the SEC, Daniel J. Rice III (“Rice”) was managing energy-focused funds and separately managed accounts at BlackRock when he founded Rice Energy, a family-owned and operated oil-and- natural gas company. Rice was the general partner of Rice Energy and personally invested approximately $50 million in the company. Rice Energy later formed a joint venture with a publicly-traded coal company that eventually became the largest holding (almost 10 percent) in the $1.7 billion BlackRock Energy & Resources Portfolio, the largest Rice-managed fund. The SEC’s order finds that BlackRock knew and approved of Rice’s investment and involvement with Rice Energy as well as the joint venture, but failed to disclose this conflict of interest to either the boards of the BlackRock registered funds or its advisory clients. The SEC’s order also alleged that Battista was responsible for causing BlackRock’s Rule 206(4)-7 violations in connection with his alleged failure to ensure that the firm had compliance policies and procedures to assess and monitor the outside activities of employees and disclose conflicts of interest to fund boards and advisory clients. In an offer of settlement, BlackRock agreed to be censured, hire an independent compliance consultant to conduct an internal review and pay a $12 million penalty; and Battista agreed to be censured and pay a $60,000 penalty. Neither BlackRock nor Battista admitted or denied the SEC’s allegations. This case is notable in that it exemplifies both the importance of accurate disclosures, and also how the CCO can be held personally liable for the firm’s failure to efficiently draft, monitor and enforce the policies and procedures of the firm.
4. CCO Liability
In the Matter of Judy Wolf, IA Rel. No. 73350 (Oct. 15, 2014). The SEC alleged that Judy Wolf (“Wolf”) willfully aided and abetted and caused while she was employed as a compliance officer at Wells Fargo Advisors, LLC (“Wells Fargo Advisors”), a dually registered broker-dealer and investment adviser, a violation of the recordkeeping requirements of the Exchange Act and the record production requirements Advisers Act. According to the SEC, Wolf was responsible for identifying potentially suspicious trading by Wells Fargo Advisors personnel and its customers and clients, and then analyzing whether the trades may have been based on inside information. In an attempt to make it appear as though she had performed a more thorough review of such activities, Wolf altered a document that was produced to SEC staff during an investigation that was seeking to determine, among other things, whether a Wells Fargo Advisor’s registered representative committed insider trading and whether Wells Fargo Advisors failed to establish, maintain, and enforce written policies and procedures to prevent the misuse of material nonpublic information as required by Section 15(g) of the Exchange Act and Section 204A of the Advisers Act. SEC enforcement staff spotted the alteration and questioned Wolf specifically about the document. At first she unequivocally denied altering the document, but in later testimony she testified that she had done so. The SEC had previously charged Wells Fargo Advisors $5 million to settle the insider trading and inadequate policy and procedures claims related to Wolf’s actions. Prior to the settlement, Wells Fargo Advisors placed Wolf on administrative leave and ultimately fired her. The SEC then brought an enforcement action against Wolf, and in August of 2015, such claims were dismissed with the ruling judge noting that sanctions were not imposed against Wolf due to the violation being “decisively outweighed by the remaining public interest factors: egregiousness, degree of harm, and deterrence.” This case is notable in that it speaks directly to the liability faced by CCOs. In this case, the CCO was charged with specific tasks that she failed to properly perform – and then attempted to cover-up. This should serve as a warning to other CCOs regarding representations made to the staff during examinations and the diligence required in performing the duties as CCO.
5. Inadequate Policies and Procedures
In the Matter of Du Pasquier & Co., Inc., IA Rel. No. 4004 (Jan. 21, 2015). In January, the SEC charged Du Pasquier & Co. (“DPC”) with failing to maintain adequate investment advisory compliance policies and procedures and to ensure proper disclosure of its investment advisory business from 2007 until July 2014, when it ceased operations. Specifically, the agency faulted the firm for “relying on an ‘off-the-shelf’ template for a compliance manual without modifying certain sections” to reflect the nature of its own business, as well as for failing to adequately review personal securities transactions. The adviser agreed to pay a penalty of $50,000 to settle the charges. This case is notable in that the SEC is sending a clear message that registrant policies and procedures must be customized to accurately reflect the practices of the firm. The failure to do so led to further violations that would not have occurred had the firm properly drafted, monitored and tested its policies and procedures.
Conclusion
These cases highlight the ever increasing purview of the SEC. Matters such as EB-5 and cybersecurity had never before been brought to enforcement. While other matters, such as CCO liability, are gaining increasing frequency. All indications suggest that the SEC will continue its bold examination focus in 2016, and continue to expand upon the matters upon which it will bring enforcement. With this in mind, its recommended firms perform a review as to the adequacy and efficiency of the firms’ internal controls in order to help mitigate potential enforcement risks moving forward in 2016.
For more information on this topic, please contact us at (619) 298-2880 or at info@jackolg.com.
JLG works extensively with investment advisers, broker-dealers, investment companies, hedge funds, banks and corporate clients on securities and corporate counsel matters.
This article is for information purposes and does not contain or convey legal advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer.
1 Such remedial actions included providing notification of the breach to the participants, appointing an information security manager to oversee data security, adopting a written information security policy, encrypting the internal network and retaining a cybersecurity firm to assist with the firm’s cybersecurity efforts.