Ever since the creation of Bitcoin in the late 2000s, the SEC has warned that, depending on the circumstances, “initial coin offerings” (ICOs) involving digital tokens or coins may be subject to regulation under the federal securities laws.1 The SEC has provided “facts and circumstances” guidance regarding whether a particular cryptocurrency offering involves a security. See, e.g., the SEC’s Framework for “Investment Contract Analysis of Digital Assets.” But officials have opined that cryptocurrencies sold only to be used to purchase a good or service, such as Bitcoin or Ethereum, may not be securities.2
In Faegre Drinker’s “Enforcement Highlights” inaugural podcast, Jim Lundy moderates a panel with fellow SEC and Regulatory Enforcement partners Mike MacPhail and David Porteous, Capital Markets Team Co-Leader Beth Diffley, and Investment Management Group partner Jillian Bosmann to discuss the pandemic’s impact on the SEC’s Division of Enforcement and the potential impacts of the 2020 election on the SEC and its future.
On October 6, 2020, the Commodity Futures Trading Commission (“CFTC”) issued a release describing its record-breaking enforcement year. The release noted that in fiscal year 2020 (“FY2020”), the CFTC filed more enforcement actions than any other year in the history of the agency. CFTC Chairman Heath P. Tarbert stated “[w]e are tough on those who break the rules, and this historic year only further underscores this point.”
The most recent headlines emphasize the CFTC’s enthusiasm in pursuing spoofing-related actions. Of note, the CFTC ordered a registrant and affiliates associated with one of the largest bank holding companies to pay a record $920 million for spoofing and manipulation that spanned over eight years. This penalty comes as the largest monetary relief in the agency’s history. In September alone, the CFTC announced three other spoofing settlements with fines totaling nearly $1.8 million, and brought charges against a trading firm and two of their traders.
On September 17, 2020, the SEC announced the imposition of a cease-and-desist order against private equity firm Welsh, Carson, Anderson & Stowe (Welsh Carson), an SEC-registered investment manager, in connection with alleged violations of reporting obligations under Section 13(d) of the Securities Exchange Act of 1934 (Exchange Act). The SEC alleged that Welsh Carson had failed to timely amend a Schedule 13D report – commonly known as a beneficial ownership statement – after its investment position changed from an intent to acquire and restructure a company to an intent to liquidate its entire position in the company. In connection with the entry of the SEC’s cease-and-desist order, Welsh Carson agreed to pay a civil penalty of $100,000.
On September 28, 2020, the U.S. Securities and Exchange Commission (the “SEC”) announced two settlements against public companies and individual charges against the former controller and chief accounting officer and the former chief financial officer of one of the companies. In its accompanying public announcement, the SEC advised that “The actions are the first arising from investigations generated by the Division of Enforcement’s EPS Initiative, which utilizes risk-based data analytics to uncover potential accounting and disclosure violations caused by, among other things, earnings management practices.” This initiative exemplifies the harnessing of “Big Data,” i.e., large data sets that may be analyzed computationally to reveal patterns, trends, and associations.
On September 10, 2020, the CFTC announced the issuance of new, public, guidance to its enforcement staff on evaluating the adequacy of corporate compliance programs. The new guidance provides enforcement staff a framework with which to assess participants’ compliance programs, and is intended to ensure consistency and transparency in such reviews.
The latest publication continues the Commission’s efforts to increase transparency in the enforcement process. In May, the CFTC formally issued guidance regarding Enforcement’s decisions to recommend the imposition of civil monetary penalties, and last year the Division issued its first public Enforcement Manual. More details on these previous issuances from the CFTC can be found here and here.
On September 15, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert highlighting the recent uptick in “credential stuffing” cyber-attacks against SEC-registered investment advisors and broker dealers.
Credential stuffing is an automated cyber-attack on Internet-based user accounts and firm networks. Attackers obtain usernames and passwords from the dark web and then employ automated scripts utilizing the compromised information to attempt to log in and gain unauthorized access to other customer accounts and firm networks. Credential stuffing has proven to be a more effective way for hackers to gain access to accounts and firm systems than traditional brute force password attacks have been. If the credential stuffing attack is successful, attackers can gain access to and control over customer assets and confidential information.
A Spoofing Record Breaker
On August 19, 2020, the Commodity Futures Trading Commission (“CFTC”) issued three orders filing and settling charges against a bank with a provisionally registered swap dealer (the “Firm”) requiring the Firm to pay $127.4 million for spoofing and making false statements, as well as for swap dealer compliance and supervision violations.