The SEC’s First Risk Alert of Fiscal Year 2017 Targets Registrant Rule 21F-17 Compliance

The Securities and Exchange Commission (SEC or Commission) Office of Compliance Inspections and Examination (OCIE) issued a Risk Alert on October 24, 2016, titled “Examining Whistleblower Rule Compliance.” This recent Risk Alert continues the SEC’s aggressive efforts to compel Rule 21F-17 compliance and puts the investment management and broker-dealer industries on formal notice that OCIE intends to scrutinize registrants’ compliance with the whistleblower provisions of the Dodd–Frank Wall Street Reform and Consumer Protection Act (Dodd–Frank). By way of background, Dodd–Frank established a whistleblower protection program to encourage individuals to report possible violations of securities laws. Importantly, in addition to providing whistleblowers with financial incentives, Rule 21F-17 provides that no person may take action to impede a whistleblower from communicating directly with the SEC about potential securities law violations, including by enforcing or threatening to enforce a severance agreement or a confidentiality agreement related to such communications. As discussed in our prior publications, the SEC’s Division of Enforcement (Enforcement) has instituted several settled actions against public companies for violating the “chilling effect” provisions of Rule 21F-17. During the past two months, the SEC has filed two additional settled enforcement actions, as summarized below. Thus, as the SEC embarks on the start of its 2017 fiscal year (FY2017), Rule 21F-17 remains an agency-wide priority, and issuers, investment management firms, and broker-dealers—if they have not done so already—need to take heed and proactively remediate any vulnerabilities that they may have regarding their Rule 21F-17 compliance.

OCIE Alerts Registrants

As described previously, the SEC’s most recent annual report stated that assessing confidentiality terms and language for compliance with Rule 21F-17 was a top priority for fiscal year 2016 and that staff had started the practice of examining company documents for such compliance. Now, less than one month into FY2017, OCIE has formalized this practice and notified the registrant community accordingly.

The Risk Alert spells out how OCIE plans to examine documents for these compliance issues. First, OCIE staff will examine whether any terms that are contained in company documents “(a) purport to limit the types of information that an employee may convey to the Commission or other authorities; and (b) require departing employees to waive their rights to any individual monetary recovery in connection with reporting information to the government.” Second, regarding the books and records to be examined, staff will analyze the following types of documents: compliance manuals; codes of ethics; employment agreements; and severance agreements. Finally, the Risk Alert identifies provisions that may contribute to violations of Rule 21F-17 or may impede employees or former employees from communicating with the Commission, such as provisions that:

  1. require an employee to represent that he or she has not assisted in any investigation involving the registrant;
  2. prohibit any and all disclosures of confidential information, without any exception for voluntary communications with the Commission concerning possible securities laws violations;
  3. require an employee to notify and/or obtain consent from the registrant prior to disclosing confidential information, without any exception for voluntary communications with the Commission concerning possible securities laws violations; or
  4. purport to permit disclosures of confidential information only as required by law, without any exception for voluntary communications with the Commission concerning possible securities laws violations.

Enforcement Update

Since August 16, 2016, the SEC has instituted two additional enforcement actions for violations of Rule 21F-17 based on prohibitions contained in severance agreements. First, in the Health Net, Inc., matter, the relevant violations involved release language in severance agreements that required employees to waive their right to any monetary recovery resulting from participating in a whistleblower program, among other issues. As part of the settlement, Health Net agreed to pay a $340,000 civil penalty and to engage in undertakings similar to those in the prior Rule 21F-17 cases. A review of the SEC’s stand-alone Rule 21F-17 cases reveals that the penalties have increased with each matter and that Health Net paid the largest fine to date. More recently, and within a month of OCIE’s Risk Alert, an international beverage conglomerate agreed to pay a civil penalty for violations of Rule 21F-17, among other charges. The Rule 21F-17 violations were related to a liquidated damages provision in the company’s separation agreement that did in fact cause an employee to stop communicating with the SEC until he received a subpoena. In this case, the primary charges involved books and records violations and internal control infractions that arose under the Foreign Corrupt Practices Act of 1977. Consistent with one other Rule 21F-17 case, the SEC appears to routinely investigate possible Rule 21F-17 violations while investigating other charges.

Takeaways

OCIE’s first Risk Alert of FY2017 puts the investment management and broker-dealer industries on notice that OCIE staff will examine and scrutinize company documents for Rule 21F-17 compliance. More importantly, and not stated in the Risk Alert, when coupled with Enforcement’s ongoing and aggressive interest, this combination indicates that OCIE staff will be looking to refer violations of Rule 21F-17 to their receptive Enforcement colleagues. Thus, investment management and broker-dealer registrants need to be proactive in assessing their risks and in reviewing all agreements, policies and procedures that may create exposure to SEC Rule 21F-17 violations. If there are any potential violations, registrants should then execute a remediation plan. Clearly, this Risk Alert serves as a “notice,” and registrants who fail to act will likely be subjected to an OCIE referral to Enforcement.

Director of SEC’s Division of Investment Management Provides Insights into Agency’s View of Alternative Mutual Funds and Focus of Upcoming Sweep Exam

On June 30, 2014, in remarks to the Practising Law Institute’s Private Equity Forum, Norm Champ, Director of the SEC’s Division of Investment Management, addressed the increase in the number of mutual funds that use alternative investment strategies and the potential risks that the Division of Investment Management has identified with those strategies. See SEC Press Release. Champ’s observations are particularly relevant in light of the Office of Compliance Inspections and Examination’s (“OCIE’s”) announcement that it will conduct a national sweep exam involving between fifteen and twenty alternative mutual funds beginning this summer and continuing into the fall. According to Champ, the exams are intended to produce valuable insight into how alternative mutual funds attempt to generate yield and how much risk they undertake, in addition to monitoring how boards are overseeing the funds’ operations. To that end, Champ said that the exams will focus on liquidity, leverage, and board oversight.


SEC to Examine Registered Broker-Dealers’ and Investment Advisers’ Procedures for Countering Cybersecurity Threats

Background and Purposes

On April 15, 2014, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a “Risk Alert” explaining a new initiative to assess cybersecurity preparedness in the securities industry.  Although not an official rule, regulation or statement of the SEC, the Risk Alert advised that OCIE will be conducting examinations of more than 50 registered broker-dealers and registered investment advisers, regarding their cybersecurity and data security procedures and policies.

OCIE’s cybersecurity initiative is designed to obtain information about the industry’s recent experiences with certain types of cyber threats.  The examinations will focus on the following topics: the firm’s cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain specific cybersecurity threats.

Questions Registered Entities May be Asked

As an appendix to the Risk Alert document it released this week, OCIE included a sample list of requests for information that OCIE may use to assess registered firms’ preparedness to deal with cybersecurity threats. A primary area of OCIE inquiry is the firm’s internal policies and procedures for data preservation and cybersecurity. For example, one sample question asks the firm to identify the last time it completed certain cybersecurity precautions, such as: preparing a firm-wide inventory of physical devices and systems; mapping network resources, connections and data flows; and cataloguing connections to the firm’s network from external sources. Another asks the firm whether it maintains data breach/cybersecurity insurance, and if so, the firm is asked to describe the nature of the coverage and whether the firm has filed any claims against the policy. OCIE also asks if the firm maintains written data destruction policies or cybersecurity incident response policies, and if so, the firm is asked to provide copies of the policies and identify the date they were last updated.

Unsurprisingly, the security of customer-related data and fund transfer information is also a primary OCIE focus.  One sample question asks the firm about its customers’ online account access platform, including how customers are authenticated for online transactions, a description of any security measures used to protect stored customer PINs, and software used to detect anomalous transaction requests that may be the result of compromised customer access.  Another question asks for a copy of the firm’s procedures for verifying the authenticity of email requests seeking to transfer customer funds.

OCIE also plans to inquire about risks related to vendors and other third parties.  The sample questions include cybersecurity requirements the firm incorporates in contracts with third parties; policies, procedures and training provided to third parties about cybersecurity; and how the firm segregates network components to which third parties have access from purely internal components.

Other areas of inquiry include how the firm detects unauthorized activity on its networks and devices; whether the firm conducts “white-hat” hacker penetration tests and vulnerability scans; how the firm identifies and implements “best practices” for cybersecurity; and whether (and how) the firm has been the target of digital attacks or data breaches, and how it responded to those incidents.

Conclusion

The regulatory environment for cybersecurity compliance in all business sectors is fast-moving, particularly for companies in the financial services industry. This is clearly an area to which the SEC is giving a great deal of attention and the sample requests signal the specific concerns that the SEC has identified thus far. The OCIE Risk Alert to broker-dealers and investment advisers comes less than three weeks after the SEC held a day-long roundtable discussion on cybersecurity.

SEC Establishes Dedicated Group to Focus on Private Funds

Since the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, private funds have become the subject of heightened scrutiny by both the SEC’s Division of Enforcement and the Office of Compliance Inspections and Examinations (“OCIE”). Based on recent announcements, this trend is likely to continue.

In 2012, OCIE announced an initiative to conduct “Presence Exams” or focused, risk-based examinations of investment advisers to private funds who recently registered with the SEC. See the OCIE’s National Exam Program letter. More recently in the SEC’s 2014 CCO Outreach Program, the SEC announced that it had conducted 250 Presence Exams. The SEC added that many of the exams revealed “significant findings,” but did not disclose whether those findings led to enforcement referrals or were resolved in the deficiency letter process. The SEC reiterated that focus areas of the Presence Exams included: (1) investment conflicts of interest including personal and affiliates’ transactions and fees paid to advisers and expenses charged to funds; (2) marketing, including the use of placement agents and using past performance; (3) valuation; and (4) custody.

Recently, the SEC formed a new “group” within OCIE to focus on the approximately 1,500 newly registered advisers to private equity and hedge funds. The new group is being led by two “industry experts” hired by the SEC in the last few years and will include staff from four regional offices across the country. If the group is successful, the SEC intends to expand the unit to additional regional offices.

Traditionally, the SEC has created working groups or specialized units in the Division of Enforcement to focus on what it perceives to be high-risk areas, i.e., where investor funds are most at risk. The Division of Enforcement currently has five specialized units: (1) Market Abuse, (2) Asset Management, (3) Municipal Securities and Public Pensions, (4) Foreign Corrupt Practices Act, and (5) Complex Financial Instruments. These units were formed in significant part due to the criticism of the agency for failing to detect Bernie Madoff’s massive Ponzi scheme. Each of these units is led by a senior officer who reports to the Director of the Division of Enforcement and is staffed by members of regional offices across the country.

It is very likely that the new private equity group will coordinate closely with the Asset Management Unit, as that unit has developed significant expertise with respect to hedge funds, investment advisers and private equity funds. One of the group’s leaders, Igor Rozenblit, had been with the Asset Management Unit since 2010. Moreover, the Asset Management Unit has been very active in bringing “message” cases against the very funds that the new group is charged with policing.

In addition to forming the new group, the SEC has also asked Congress for additional funds to support its examination program. The SEC seeks to add 316 staff to its examination program. Currently, there are approximately 450 examiners, accountants and lawyers in 12 regional offices. If the SEC receives the additional funds, it could almost double the size of its examination staff, allowing it to conduct significantly more exams and assist with more enforcement investigations.

In the last few months, the Division of Enforcement formed three other new “groups” to focus on different areas. Last summer, the SEC announced the creation of: (1) the Financial Reporting and Audit Task Force, (2) the Microcap Fraud Task Force, and (3) the Center for Risk and Quantitative Analytics. These groups, unlike the formal units, will not conduct investigations. They are intended to identify potential violations and make referrals to the investigative staff.