2016 SEC Enforcement Cases: A Year In Review
As part of its "Fiscal Year 2016 Agency Financial Report" released by the U.S. Securities and Exchange Commission ("SEC") last month, the SEC discussed enforcement cases for its fiscal year of 2016 (which concluded on September 30th). According to the Report, the SEC once again set a new record for the number of enforcement actions filed in a fiscal year, having filed a record 868 enforcement actions in 2016, representing an increase of about seven percent (7%) from the number of actions brought in 2015. Of the 868 enforcement actions, a record 160 were cases involving investment advisers or investment companies.1
Furthermore, the SEC stated the resulting disgorgement and monetary penalties arising from these enforcement actions exceeded $4 billion2 according to preliminary figures. This figure furthers the trend of the SEC imposing significant disgorgements and monetary penalties as part of its enforcement actions.3 The SEC also announced that its whistleblower program awarded whistleblowers with approximately $57 million for fiscal year 2016, which is more than all previous years combined.4 According to SEC Chair Mary Jo White, "by every measure the enforcement program continues to be a resounding success holding executives, companies and market participants accountable."5
Notable Enforcement Actions of 2016
The enforcement actions in 2016 were spread out over a broad spectrum of misconduct. However, certain enforcement actions stood out due to their nature and/or the potential impact that such enforcement actions might have on the financial services industry. The following is a sampling of some of the more notable enforcement matters during the SEC's past fiscal year:
1. Failure to Conduct Due Diligence - Making False Performance Claims
In the Matter of Cantella & Co., IA Rel. No. 4338 (Feb. 23, 2016). In this matter, the SEC alleged that Cantella, a registered investment adviser, took insufficient steps to confirm the accuracy of F-Squared Investments, Inc.'s ("F-Squared") historical data and other information contained in advertising materials distributed by Cantella. Had Cantella performed adequate due diligence on F-Squared, its proposed data and calculation methodologies, such inaccuracies would have been identified. As a result of failing to perform such diligence, the advertisements showed results that were inflated substantially over what F-Squared's actual performance had been. Cantella consented to the entry of the order finding that it violated, among other things, Section 206(4) of the Advisers Act, and, without admitting or denying the findings, agreed to pay a $100,000 penalty.
Following the Cantella matter, the SEC sanctioned thirteen additional advisers in a series of SEC Orders6 who had also relied upon F-Squared for marketing purposes without properly performing due diligence on F-Squared, its calculation methodologies and/or obtaining proper documentation to verify such calculations. The penalties assessed against the firms ranged from $100,000 to a half-million dollars based upon the fees each firm earned from the related strategies. As stated by Andrew J. Ceresney, Director of the SEC Enforcement Division, "when an investment adviser echoes another firm's performance claims in its own advertisements, it must verify the information first rather than merely accept it as fact."7
Risk Management Tip: These matters, as well as the message sent by Mr. Ceresney, clearly illustrate the SEC's position that due diligence of third-parties is the responsibility of the adviser. Firms who do not have policies and procedures in place to perform due diligence on critical third party providers should generate such policies to reasonably ensure that violations of regulations do not occur.
2. Violations of Rule 21F-17 - Whistleblower Regulations
In the Matter of Merrill Lynch, Pierce, Fenner & Smith Incorporated et al, Release No 78141, (June 23, 2016).8 The SEC alleged, among other things, that Merrill Lynch, Pierce, Fenner & Smith Incorporated ("Merrill Lynch") violated rules pertaining to Customer Protection Rules embodied in Exchange Act Rule 15c3-3. As part of this violation, the SEC noted that Merrill Lynch compounded the problem by having overly restrictive agreements that disallowed individuals from bringing such violations to the SEC's attention as part of its Whistleblower Regulations.
Rule 21F-17 provides in relevant part, that "[n]o person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications."9 The SEC alleged that Merrill Lynch "used language in certain of its policies, procedures, and agreements with employees that unduly limited the disclosure of confidential information."10 The SEC specifically pointed to Merrill Lynch's severance agreement that prohibited departing employees from disclosing any aspect of the confidential information or trade secrets of Merrill Lynch to any person or entity unless the former employee first obtained written approval from Merrill Lynch. The SEC further noted that while the severance agreement "expressly permitted an individual to disclose confidential information pursuant to an order or other requirement of a court, administrative agency, or other authority, it did not permit an individual to voluntarily disclose confidential information to such bodies."
The SEC brought similar actions against other firms in 2015 and 2016 as well. The SEC viewed this as being such an issue within the industry that it issued a "National Exam Program Risk Alert" in October of 2016 that discussed the use of over-inclusive confidentiality language that impede employees and/or former employees communicating with the SEC concerning possible securities law violations.11 The SEC advised registrants to review their compliance manuals, codes of ethics, employment agreements, severance agreements, and other documents where restrictive confidentiality language may be found, to ensure that such language does not prevent voluntary disclosure to the SEC of wrongdoing. The SEC noted that many of the violations were due to "template" language found in these agreements that are widely used throughout the industry.
Risk Management Tip: Firms are strongly encouraged to review the above-referenced documents and provide a specific "carve-out" to their confidentiality language permitting the voluntary disclosure of such information for the limited purpose of reporting wrongdoing to regulatory bodies.
3. Failure to Safeguard Customer Data
In the Matter of Morgan Stanley Smith Barney LLC, IA Rel. No. 4415 (June 08, 2016). The SEC alleged, amongst other things, that Morgan Stanley Smith Barney ("MSSB") failed to adopt written policies and procedures reasonably designed to protect customer records and information, violating Regulation S-P (17 C.F.R. § 248.30(a)). The SEC stated that this failure allowed an employee of MSSB to transfer sensitive client information12 from MSSB servers to the employee's personal server, which was ultimately hacked by third-parties. The SEC's order stated that MSSB's policies and procedures were not reasonable in light of known risks, and that not only did MSSB not have an effective program in place to prevent employees from personally storing client information, but they did not audit, test or monitor existing policies to ensure there was no access to client information that would put such information at risk.
In an offer of settlement, MSSB agreed to take immediate efforts to remedy the deficiencies, be censured, and pay a $1 million civil penalty. MSSB neither admitted or denied the SEC's allegations.13
This matter exemplifies the SEC's position that policies and procedures must be "reasonable" in light of the specific risks associated with a business, especially when it comes to cybersecurity matters. As stated by Andrew Ceresney, former Director of the SEC Enforcement Division, "given the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection. We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information."14 Firms who have not recently reviewed their policies and procedures, or have not developed policies and procedures related specifically to cybersecurity matters, should do so immediately to ensure that such policies reasonably address the risks associated with the firm.
Risk Management Tip: Having a robust cybersecurity program to protect customer information is a duty owed by the financial industry to its consumers. Review internal controls and engage appropriate professionals, when needed, to test the adequacy of your customer data safeguards.
4. Over-Billing and Failure to Properly Disclose
In the Matter of Marco Investment Management, LLC and Steven S. Marco, IA Rel. No. 4348 (Mar. 02, 2016). The SEC alleged Marco Investment Management, LLC ("MIM"), and Steven Marco ("Mr. Marco"), the firm's CCO, overbilled clients, charging asset management fees on total asset balances that did not deduct the proceeds of securities sales from margin balances.
According to the SEC, MIM's advisory agreements with its clients called for a fee to be paid based on the "market value of all gross assets."15 Some of these clients also had margin accounts. Investment proceeds were supposed to be used to repay margin loans. However, according to Mr. Marco, he had undocumented understandings with several clients that such clients wanted the proceeds to be reinvested. When this occurred, MIM charged a fee on the proceeds in the accounts. In addition to cease and desist and censure orders for both MIM and Marco, MIM also paid disgorgements of nearly $125,000, prejudgment interest of $7,600 and civil penalties of $100,000; (Mr. Marco also paid civil penalties of $50,000 individually). Moreover, MIM was ordered to hire a new CCO as Mr. Marco was suspended from serving in such a capacity for a period of three (3) years.16
It should be noted that the net result of the over-charging and under-charging clients by MIM was a net negative to MIM according to the firm's letter to investors. Thus, even though MIM did not profit from its errors, there were still mistakes made in calculating fees, which lead to enforcement. This matter serves as an important reminder about the significance of business practices and disclosures relating to fees assessed to investors. Billing of fees is a critical area that is heavily scrutinized by the SEC. JLG expects this will continue to be an area of focus moving forward.
Risk Management Tip: Firms are encouraged to review their current client agreements and other disclosure documents (including Form ADV) for prominent disclosure and perform testing to ensure that such fees are accurately assessed and clearly explained to clients. Be sure that an oversight system of checks and balances is in place and track the billing amount, methods and timing stipulated in client agreements.
These cases highlight the ever increasing purview of the SEC. Matters such as due diligence and marketing still are receiving significant attention from regulators. Other matters, such as cybersecurity and whistleblower protections, are gaining increasing attention. With a new political regime taking office in 2017, it is unknown what future regulations lie ahead; however, we believe that the SEC will continue to have a robust examination program to protect all investors. As we head into the new year, it is essential for financial institutions to perform a review as to the adequacy and efficiency of their internal controls in order to help mitigate potential enforcement risks moving forward, to safeguard its clients and advance the firm's culture of compliance in 2017 and beyond.
For more information on this topic, please contact us at (619) 298-2880 or at email@example.com.
JLG works extensively with investment advisers, broker-dealers, investment companies, hedge funds, banks and corporate clients on securities and corporate counsel matters.
This article is for information purposes and does not contain or convey legal advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer.
3 Notably, the SEC's monetary penalties since 2012 are as follows: $3.1 billion in 2012, $3.4 billion in 2013, $4.16 billion in 2014 and $4.2 billion in 2015.
6 For a list of the related Orders, see https://www.sec.gov/news/pressrelease/2016-167.html.
12 Such information included client's full names, phone numbers, street addresses, account numbers, account balances and securities holdings.