The SEC’s First Risk Alert of Fiscal Year 2017 Targets Registrant Rule 21F-17 Compliance

The Securities and Exchange Commission (SEC or Commission) Office of Compliance Inspections and Examination (OCIE) issued a Risk Alert on October 24, 2016, titled “Examining Whistleblower Rule Compliance.” This recent Risk Alert continues the SEC’s aggressive efforts to compel Rule 21F-17 compliance and puts the investment management and broker-dealer industries on formal notice that OCIE intends to scrutinize registrants’ compliance with the whistleblower provisions of the Dodd–Frank Wall Street Reform and Consumer Protection Act (Dodd–Frank). By way of background, Dodd–Frank established a whistleblower protection program to encourage individuals to report possible violations of securities laws. Importantly, in addition to providing whistleblowers with financial incentives, Rule 21F-17 provides that no person may take action to impede a whistleblower from communicating directly with the SEC about potential securities law violations, including by enforcing or threatening to enforce a severance agreement or a confidentiality agreement related to such communications. As discussed in our prior publications, the SEC’s Division of Enforcement (Enforcement) has instituted several settled actions against public companies for violating the “chilling effect” provisions of Rule 21F-17. During the past two months, the SEC has filed two additional settled enforcement actions, as summarized below. Thus, as the SEC embarks on the start of its 2017 fiscal year (FY2017), Rule 21F-17 remains an agency-wide priority, and issuers, investment management firms, and broker-dealers—if they have not done so already—need to take heed and proactively remediate any vulnerabilities that they may have regarding their Rule 21F-17 compliance.

OCIE Alerts Registrants

As described previously, the SEC’s most recent annual report stated that assessing confidentiality terms and language for compliance with Rule 21F-17 was a top priority for fiscal year 2016 and that staff had started the practice of examining company documents for such compliance. Now, less than one month into FY2017, OCIE has formalized this practice and notified the registrant community accordingly.

The Risk Alert spells out how OCIE plans to examine documents for these compliance issues. First, OCIE staff will examine whether any terms that are contained in company documents “(a) purport to limit the types of information that an employee may convey to the Commission or other authorities; and (b) require departing employees to waive their rights to any individual monetary recovery in connection with reporting information to the government.” Second, regarding the books and records to be examined, staff will analyze the following types of documents: compliance manuals; codes of ethics; employment agreements; and severance agreements. Finally, the Risk Alert identifies provisions that may contribute to violations of Rule 21F-17 or may impede employees or former employees from communicating with the Commission, such as provisions that:

  1. require an employee to represent that he or she has not assisted in any investigation involving the registrant;
  2.  prohibit any and all disclosures of confidential information, without any exception for voluntary communications with the Commission concerning possible securities laws violations;
  3. require an employee to notify and/or obtain consent from the registrant prior to disclosing confidential information, without any exception for voluntary communications with the Commission concerning possible securities laws violations; or
  4. purport to permit disclosures of confidential information only as required by law, without any  exception for voluntary communications with the Commission concerning possible securities laws violations.

Enforcement Update

Since August 16, 2016, the SEC has instituted two additional enforcement actions for violations of Rule 21F-17 based on prohibitions contained in severance agreements. First, in the Health Net, Inc., matter, the relevant violations involved release language in severance agreements that required employees to waive their right to any monetary recovery resulting from participating in a whistleblower program, among other issues. As part of the settlement, Health Net agreed to pay a $340,000 civil penalty and to engage in undertakings similar to those in the prior Rule 21F-17 cases. A review of the SEC’s Rule 21F-17 stand-alone cases reveals that the penalties have increased with each matter and that Health Net payed the largest fine to date. More recently, and within a month of OCIE’s Risk Alert, an international beverage conglomerate agreed to pay a civil penalty for violations of Rule 21F-17, among other charges. The Rule 21F-17 violations were related to a liquidated damages provision in the company’s separation agreement that did in fact cause an employee to stop communicating with the SEC until he received a subpoena. In this case, the primary charges involved books and records violations and internal control infractions that arose under the terms of the Foreign Corrupt Practices Act of 1977. Consistent with one other Rule 21F-17 case, the SEC appears to routinely investigate possible Rule 21F-17 violations while investigating other charges.

Takeaways

OCIE’s first Risk Alert of FY2017 puts the investment management and broker-dealer industries on notice that OCIE staff will examine and scrutinizing company documents for Rule 21F-17 compliance. More importantly and not stated in the Risk Alert—when coupled with Enforcement’s ongoing and aggressive interest—this combination indicates that OCIE staff will be looking to refer violations of Rule 21F-17 to their receptive Enforcement colleagues. Thus, investment management and broker-dealer registrants need to be proactive in assessing their risks and in reviewing all agreements, policies and procedures that may create exposure to SEC Rule 21F-17 violations. If there are any potential violations, Registrants should then execute a remediation plan. Cleary, this Risk Alert serves as a “notice,” and registrants who fail to act will likely be subjected to an OCIE referral to Enforcement.

Latest Auditor Suspensions Illustrate Key SEC Enforcement Focal Points

On July 22, 2016, the SEC suspended an accounting firm and permanently suspended one of its former partners for conducting a defective audit for a publicly-traded company allegedly engaged in a fraud scheme that resulted in numerous material misstatements on its financial statements. Exchange Act Rel. No. 78393 (July 22, 2016). These suspensions derived from the SEC’s settlement with New York-based EFP Rotenberg, LLP and engagement partner Nicholas Bottini, CPA, for audit services performed on behalf of ContinuityX Solutions, Inc., which claimed to sell Internet services to businesses. The SEC found that EFP Rotenberg violated and Bottini aided and abetted and caused EFP Rotenberg’s violations of Sections 10A(a)(1) and 10A(a)(2) of the Securities Exchange Act of 1934 and Rule 2-02(b)(1) of Regulation S-X. It also concluded that the accounting firm and its former audit partner engaged in improper professional conduct pursuant to Section 4C(a)(2) of the Exchange Act and Rule 102(e)(1)(ii) and (iii) of the SEC’s Rules of Practice.

According to the Order, ContinuityX’s financial misstatements included impermissibly recognizing commission revenue from fraudulent sales transactions, recording assets belonging to third parties as its own and failing to disclose related party transactions. The SEC alleged that when auditing ContinuityX’s fiscal year 2012 financial statements, EFP Rotenberg and Bottini failed to perform sufficient audit procedures and repeatedly engaged in improper professional conduct that resulted in violations of PCAOB standards and demonstrated a lack of competence.  Specifically, the SEC found that the respondents failed to: “(1) appropriately respond to risks of material misstatement; (2) identify related party transactions; (3) obtain sufficient audit evidence; (4) perform procedures to resolve and properly document inconsistencies; (5) investigate management representations that contradicted other audit evidence; and (6) exercise due professional care.” Notwithstanding these shortfalls, the audit firm provided an unqualified opinion on the company’s annual financial statements.

The SEC supported its factual findings with numerous alleged instances in which EFP Rotenberg and Bottini either capitulated to the will of ContinuityX’s management or seemingly concluded their audit procedures prior to obtaining reasonable assurances. These alleged instances included:

  • Acquiescence to a scope limitation resulting from the company’s refusal to permit the auditors to obtain accounts receivable confirmations from third parties;
  • A failure of the engagement team to perform procedures sufficient to detect whether revenue was earned legitimately despite obtaining adequate documentation to do so;
  • An absence of audit workpaper documentation explaining the resolution of material inconsistencies between audit evidence and representations from management; and
  • A failure to insist that the company respond to an auditor inquiry regarding whether its chief financial officer had a related party relationship with a particular customer.

Without either respondent admitting or denying the SEC’s findings, EFP Rotenberg agreed to pay a $100,000 penalty and accept a one-year suspension from public company audits, conditioned upon the certification of an independent consultant that it has remedied the various causes behind its failure to detect ContinuityX’s fraud. Bottini agreed to a $25,000 penalty and a permanent suspension from appearing and practicing before the SEC as an accountant, which includes not participating in the financial reporting or audits of public companies. In imposing these penalties, the Order stated that these were not the respondents’ first SEC violations. Both EFP Rotenberg and Bottini each had settled an unrelated 2014 SEC proceeding involving an audit for a separate client that occurred during 2011. In that earlier proceeding, which also included violations of Section 4C(a)(2) and Rule 102(e)(1)(ii), EFP Rotenberg consented to a $50,000 penalty while Bottini agreed to pay $25,000 and accept a minimum two-year suspension. Exchange Act Rel. No. 72503 (July 1, 2014).

Given the presence of repeat offenders and numerous audit deficiencies, it is tempting to discount the overall significance in these particular proceedings, especially when compared to recent enforcement actions brought against more recognizable accounting firms. This would be a mistake, however, as this case serves as a cautionary tale concerning both the particularized financial reporting issues that are receiving heightened regulatory attention and the actions (or inactions) that potentially trigger “gatekeeper” culpability. As Andrew Ceresney, Director of the SEC’s Division of Enforcement, confirmed in a speech earlier this year, two of the central accounting issues in these proceedings – revenue recognition and related party transactions – remain high enforcement priorities. At the same time, Director Ceresney also signaled to the auditing profession that it “must be the bulwark against client pressure” and “demand objective evidence and investigation when they come across situations which suggest inaccuracies in the company filings.” Otherwise, as these proceedings reveal, the SEC intends to make examples of auditors who are found to have shirked these responsibilities and “fail[ed] to heed numerous warnings and red flags concerning alleged frauds.”

Settlement with Large Firm Audit Partner Reaffirms SEC’s Emphasis on Related Party Disclosures

The SEC’s Division of Enforcement has made a concerted effort in recent months to warn auditors and other corporate “gatekeepers” that it intends to scrutinize the adequacy of related party disclosures in financial filings. This emerging trend continued on April 29, 2015, when the SEC announced the settlement of an enforcement proceeding against McGladrey LLP partner Simon Lesser. See Exchange Act Rel. 74827 (Apr. 29, 2015). Lesser, who served as lead engagement partner during McGladrey’s financial statement audits of investment advisory firm Alpha Titans LLC and several related private funds over a four-year fiscal span, settled claims that he engaged in improper professional conduct within the meaning of Section 4C of the Securities Exchange Act of 1934 and Rule 102(e)(1)(iv)(B)(2) of the SEC’s Rules of Practice. The SEC also alleged that Lesser willfully aided and abetted and caused his audit client to violate Section 206(4) of the Investment Advisers Act of 1940 and Rule 206(4)-2 thereunder.

Lesser’s settlement derived from assertions that Alpha Titans failed to adequately disclose related party relationships and material related party transactions in accordance with generally accepted accounting principles (GAAP). Specifically, Alpha Titans’s chief executive officer and general counsel were alleged to have transferred more than $3.4 million in client assets among the various funds to pay for adviser-related operating expenses during fiscal years 2009 through 2012. These payments purportedly were not agreed to by fund clients or authorized under the various operating documents. As asserted, Lesser knew about these related party relationships and the underlying transactions, which should have been disclosed under Financial Accounting Standards Board (FASB) Accounting Standards Codification (ASC) 850, but, nonetheless, “gave his final approval for McGladrey to issue audit reports containing unqualified opinions.”

The SEC also claimed in the settlement that Lesser failed to ensure that McGladrey’s audits for each fiscal year were conducted in conformity with generally accepted auditing standards (GAAS). Lesser allegedly did not exhibit the requisite level of due professional care in that he “should have … place[d] greater emphasis on the related party relationships and transactions, and the adequacy of the related party disclosures.” The SEC further contended that Lesser did not obtain sufficient audit evidence or prepare audit documentation explaining adequately why he considered the financial statements GAAP compliant absent such related party disclosures. Without admitting or denying the SEC’s findings, Lesser agreed to a $75,000 civil penalty and a minimum three-year suspension from appearing or practicing before the SEC as an accountant.

Although the circumstances surrounding this particular proceeding were announced only last week, high-ranking SEC representatives began eluding to the likelihood of related party-based enforcement actions earlier this year. In late February, Julie M. Riewe, Co-Chief of the Division of Enforcement’s Asset Management Unit (AMU)—the same unit that conducted the investigation against Lesser—provided a revealing glimpse into AMU’s 2015 priorities during her presentation at the IA Watch 17th Annual IA Compliance Conference. Ms. Riewe cautioned:

For private funds—meaning hedge funds and private equity funds—the AMU’s 2015 priorities include conflicts of interest, valuation, and compliance and controls. On the horizon, on the hedge fund side, we anticipate cases involving undisclosed fees; all types of undisclosed conflicts, including related-party transactions; and valuation issues, including use of friendly broker marks.

(Emphasis added.)

Stephanie Avakian, Deputy Director of the Division Enforcement, provided parallel commentary in the context of auditors and other corporate “gatekeepers” during SEC Speaks 2015 in February. Ms. Avakian emphasized that accounting and financial reporting violations are considered an ongoing enforcement priority with particularized attention to related party disclosures.

Indeed, another recent enforcement proceeding further underscores that last week’s settlement with Lesser should not be construed as an isolated occurrence. The SEC announced a similar settlement with a Hong-Kong based auditing firm and two of its auditors in December 2014, involving an alleged “fail[ure] to uphold U.S. auditing standards and exercise appropriate professional care and skepticism with regard to numerous related-party transactions” not adequately disclosed by a Chinese-based oil company. See Press Rel. 2014-284, SEC Imposes Sanctions Against Hong Kong-Based Firm and Two Accountants for Audit Failures. The firm in that instance agreed to pay a $75,000 civil penalty with the two professionals agreeing to pay penalties of $20,000 and $10,000, respectively, and to accept three-year minimum suspensions. Accordingly, the enforcement action against Lesser is not the first recent settlement involving related party disclosures and, given the SEC’s pointed remarks earlier this year, it almost certainly will not be the last.

Commissioner’s Dissent May Signal Harsher Sanctions Against Accountants

Commissioner Luis A. Aguilar provided the most recent illustration of the SEC’s renewed emphasis on enforcement actions involving accounting and financial statement fraud when, on August 28, 2014, he issued a rare written dissent from the agreed-upon settlement in In the Matter of Lynn R. Blodgett and Kevin R. Kyser, CPA,File No. 3-16045 (Aug. 28, 2014). In Blodgett, the SEC charged the former chief executive officer and chief financial officer of Affiliated Computer Services, Inc. (“ACS”) with causing the company’s failure to comply with its reporting, record-keeping, and internal control obligations in violation of Sections 13(a), 13(b)(2)(A), and 13(b)(2)(B) of the Exchange Act and Rules 12b-20, 13a-1, 13a-11, 13a-13, and 13a-14 thereunder. The two senior executives collectively paid nearly $675,000 in penalties, disgorgement and prejudgment interest to settle these cease-and-desist proceedings.

According to the SEC, ACS overstated revenue by $124.5 million in fiscal year 2009 by arranging for an equipment manufacturer to redirect through ACS certain preexisting orders that the manufacturer had already received from another company. These so-called “resale transactions” created the false appearance that ACS was involved in these transactions and, in violation of generally accepted accounting principles, generated revenue that allowed ACS to meet both company and analyst growth expectations. The SEC found that the senior executives, who certified the company’s Form 10-K and Forms 10-Q during this period, “understood the origination of these ‘resale transactions’ and their impact on ACS’s reported revenue growth,” but “did not ensure that ACS adequately described their significance in ACS’s public filings and on analyst calls.” Further, the SEC found that both senior executives personally benefitted from ACS’s overstated revenues because their bonuses were tied to the company’s financial performance.

In a Dissenting Statement published concurrent with the Order, Commissioner Aguilar singled out CFO Kyser’s “egregious conduct” and characterized the settlement with him as “a wrist slap at best.” Commissioner Aguilar expressed his belief that Kyser’s actions, “at a minimum,” also violated the nonscienter-based antifraud provisions under Sections 17(a)(2) and/or (3) of the Securities Act and warranted a suspension of Kyser’s ability to appear and practice before the Commission, pursuant to Rule 102(e) of the SEC’s Rules of Practice. As Commissioner Aguilar explained:

Accountants—especially CPAs—serve as gatekeepers in our securities markets. They play an important role in maintaining investor confidence and fostering fair and efficient markets. When they serve as officers of public companies, they take on an even greater responsibility by virtue of holding a position of public trust. To this end, when these accountants engage in fraudulent misconduct, the Commission must be willing to charge fraud and must not hesitate to suspend the accountant from appearing or practicing before the Commission. This is true regardless of whether the fraudulent misconduct involves scienter.

. . . .

I am concerned that this case is emblematic of a broader trend at the Commission where fraud charges—particularly non-scienter fraud charges—are warranted, but instead are downgraded to books and records and internal control charges. This practice often results in individuals who willingly engaged in fraudulent misconduct retaining their ability to appear and practice before the Commission.

While Commissioner Aguilar’s comments may have represented the minority position in Blodgett, this public airing of differences triggered a prompt response from within the Commission. SEC Director of Enforcement Andrew Ceresney issued a press release the following day underscoring that accounting and financial fraud cases remain a “high priority” and noting that “financial reporting cases for 2014 so far have surpassed last year’s total number of cases by 21 percent.” Director Chesney also referenced the recent increase in investigations being conducted by the Financial Reporting and Audit Task Force, which the SEC formed in July 2013.

This documented upsurge in enforcement actions and investigations is consistent with the SEC’s stated policy initiatives for 2014. SEC Chair Mary Jo White warned registrants in January that the Commission would prioritize financial fraud with a particularized focus on the actions of auditors and senior executives. In doing so, she explained, the SEC intended to convey the message “that critical accounting issues are the responsibility of all those involved in the preparation and review of financial disclosures.” Now, less than eight months later, Commissioner Aguilar has sought to further strengthen this message by imposing tougher sanctions on accountants deemed to be at the center of the misconduct. Future settlements will demonstrate to the accounting industry—and the securities profession as a whole—whether his publicized appeal prompted significant change at the Commission.

D.C. Circuit Court of Appeals Issues Ruling on Conflict Minerals

On April 14, 2014, the U.S. Court of Appeals for the District of Columbia Circuit issued its opinion in the conflicts minerals case, National Association of Manufacturers, et al., v. Securities and Exchange Commission. The Court of Appeals upheld most aspects of the statute and the rule, but found that the statute and rule violate the First Amendment “to the extent that the statute and rule require regulated entities to report to the Commission and to state on their website that any of their products have not been found to be ‘DRC conflict free.’” The Court of Appeals remanded the case to the U.S. District Court for the District of Columbia for further proceedings consistent with its opinion. As of this time, there is no reprieve for issuers from the requirement to file a Form SD or conflict minerals report with the Securities and Exchange Commission (SEC) by June 2, 2014.

Background

As part of the Dodd-Frank Wall Street Reform and Consumer Protection Act, Congress required that the SEC issue regulations requiring firms using “conflict minerals” to investigate and disclose the origins of those minerals. The SEC’s rule applies to issuers that file reports with the SEC under Sections 13(a) or 15(d) of the Securities Exchange Act of 1934 (the Exchange Act) and for whom conflict minerals are necessary to the functionality or production of a product manufactured or contracted to be manufactured.

“Conflict minerals” are used in many different types of products and are defined as cassiterite, columbite-tantalite, gold, wolframite and their derivatives, tantalum, tin and tungsten. Many non-SEC reporting companies also have been impacted by the scope of the rule’s “reasonable country of origin” (RCOI) and supply chain due diligence provisions, notwithstanding the fact that the rule only applies to issuers. For more on the adoption of the conflict minerals rules and the specific requirements, see Drinker Biddle’s September 2013 Client Alert.

Court Ruling

The National Association of Manufacturers challenged the SEC’s final rule, raising Administrative Procedure Act (APA), Exchange Act and First Amendment claims. The District Court rejected all of those claims and granted summary judgment for the SEC and intervenor Amnesty International. On appeal, the Court of Appeals affirmed the District Court’s ruling on the APA and Exchange Act claims, but reversed the ruling on the First Amendment claim.

In particular, the Court of Appeals found that the requirement to disclose that products are not “DRC conflict free” violates the prohibition against compelled speech. The court explained:

The label “conflict free” is a metaphor that conveys moral responsibility for the Congo war.  It requires an issuer to tell consumers that its products are ethically tainted, even if they only indirectly finance armed groups . . . By compelling an issuer to confess blood on its hands, the statute interferes with that exercise of the freedom of speech under the First Amendment.

The Court of Appeals found insufficient the SEC’s argument that issuers could explain the meaning of “conflict free,” stating that “the right to explain compelled speech is present in almost every such case and is inadequate to cure a First Amendment violation.” Also of note, the Court of Appeals found that the SEC did not act arbitrarily and capriciously by choosing not to include a de minimis exception to the conflict minerals rules. As conflict minerals are often used in limited amounts, the Court of Appeals found that a de minimis exception could leave small quantities of conflict minerals unmonitored across many issuers.

Implications

Unfortunately for many issuers who are racing to complete their specialized disclosure report on Form SD and their first conflict minerals report, due by June 2, 2014, there is no reprieve from that deadline at this time. While it is difficult to predict what action the SEC may take, it is possible that the SEC could seek further review of the rule, could stay the upcoming filing deadline in light of the ongoing proceedings, or could otherwise clarify its expectations regarding disclosure obligations, although there are no guarantees. Given that uncertainty, it would be wise for issuers to continue to work on their Form SD and conflict minerals report unless and until the SEC takes further action.

Because the Court of Appeals upheld most aspects of the conflict minerals statute and rule, the due diligence requirements remain intact, and it is possible that they could survive with modified disclosure requirements.  Therefore, notwithstanding the Court of Appeals ruling, it is advisable that SEC reporting companies continue their due diligence efforts. For those companies who are not SEC reporting companies but who are nonetheless impacted by the conflict minerals rule via the required RCOI and supply chain due diligence process, it is advisable to continue responding to RCOI and due diligence inquiries.