Broker-Dealers Ignoring Red Flags Lead to SEC Releases and Enforcement Action

In October 2014, the SEC’s Division of Trading & Markets issued FAQs to remind broker-dealers of their obligation to conduct a reasonable inquiry when selling securities in an unregistered transaction in reliance on Section 4(a)(4) of the Securities Act. The FAQs explain that “[i]n order to rely on the Section 4(a)(4) exemption, a broker-dealer must conduct a “reasonable inquiry” into the facts surrounding a proposed unregistered sale of securities before selling the securities to form reasonable grounds for believing that a selling customer’s part of the transaction is exempt from Section 5.  . . . [W]hen conducting a reasonable inquiry into whether the transaction would violate Section 5, it is not sufficient for the broker-dealer merely to accept self-serving statements of his sellers and their counsel without reasonably exploring the possibility of contrary facts.  Nor, where there are indicia of an illegal distribution of securities, can a broker-dealer claim that its sales of a security were exempt from registration simply because the stock certificates lack a restrictive legend or a clearing firm or transfer agent raises no objections to the sales.” The FAQs provide a list of factors that the SEC will consider in assessing the reasonableness of a broker-dealer’s inquiry and its reliance on the Section 4(a)(4) exemption.

Simultaneously with the issuance of the FAQs, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert summarizing deficiencies that OCIE observed in examining 22 broker-dealers. Among other matters, the examinations uncovered deficiencies related to controls put in place to comply with obligations related to sales of securities, including the performance of a reasonable inquiry in connection with unregistered sales of securities in reliance on Section 4(a)(4) of the Securities Act.

In conjunction with the FAQs and the Risk Alert, the SEC announced an enforcement action against certain current and former E*Trade subsidiaries (the “Subsidiaries”) for ignoring red flags in connection with the sale of unregistered penny stocks. The SEC’s order finds that the Subsidiaries were not entitled to rely on the Section 4(a)(4) exemption because they did not perform a “reasonable inquiry.” The Subsidiaries agreed to settle the SEC’s charges by paying back more than $1.5 million in disgorgement and prejudgment interest from commissions they earned on the improper sales. They also must pay a combined penalty of $1 million.

In light of the above, broker-dealers should reexamine their policies and procedures related to the sale of unregistered securities and provide training to their personnel concerning what constitutes a “reasonable inquiry.”

NYSE Proposes New Global Market Capitalization Test for Listing Companies

On September 30, 2014, the SEC published an NYSE amendment, effective as of such publication, to adopt a new initial listing standard, and to eliminate all but one of the current NYSE initial listing standards, for US operating companies.

The amendment provides for a global market capitalization test to serve as a new initial listing standard for US operating companies. The global market capitalization test requires that a listing operating company have a minimum total global market capitalization of $200 million at the time of initial listing. A company that is already publicly traded at the time it applies to list on the NYSE must meet the $200 million global market capitalization requirement for at least 90 consecutive trading days immediately preceding the date on which it receives clearance to submit an application to list on the NYSE.

The amendment also eliminates four of the NYSE’s five current initial listing standards for US operating companies: (1) the valuation/revenue with cash flow test, (2) the pure valuation/revenue test, (3) the affiliated company test, and (4) the assets and equity test.

Despite the proposed global market capitalization test, companies listing must also meet both the existing distribution requirements of Section 102.01A, and the stock price and market value of publicly-held shares requirements of Section 102.01B, of the Listed Company Manual. In addition, companies listing under the proposed global market capitalization test must comply with all other applicable NYSE listing rules.

The notes relating to the amendment highlight that Nasdaq and Nasdaq Global Market have a competitive advantage over the NYSE under existing listing standards, particularly with respect to pre-revenue research and development companies. The amendment, and the implementation of the global market capitalization test, is the NYSE’s attempt to level the playing field.

Is the SEC Doing Enough to Promote Capital Formation?

If you believe Commissioner Daniel M. Gallagher, the answer is an emphatic “no”, at least with respect to small businesses. On September 17, 2014, at a Heritage Foundation event, Commissioner Gallagher gave a speech criticizing the Securities and Exchange Commission’s failure to adequately promote capital formation by small businesses:

[S]adly, we at the SEC are not doing nearly enough to ensure that small businesses have the access to capital that they need to grow. We layer on rule after rule until it becomes prohibitively expensive to access the public capital markets.

After noting that not all of the regulatory burden is the SEC’s fault as “much of the ever-growing rulebook is a direct result of congressional mandates,” Commissioner Gallagher makes a number of recommendations for the SEC. Highlights include recommendations to:

  • Withdraw the proposed amendments to Regulation D. (Commissioner Gallagher did not support the proposed amendments as he stated in the SEC’s July 10, 2013 open meeting.)
  • Consider more deeply Regulation D, including considering broadening the blue sky exemption to help make the choice between the various exemptions available under Regulation D more meaningful.  According to Commissioner Gallagher, nearly all Regulation D offerings are conducted under Rule 506, even though 2/3 of the offerings are small enough that they could have been conducted pursuant to Rule 504 or 505, because Rule 506 offerings are exempt from blue sky regulations.
  • Analyze the secondary market for private company shares, where innovation has slowed. “We need more facilities to improve trading among accredited investors in the private secondary market.”
  • Finish implementing the JOBS Act’s reforms to Regulation A and couple the reforms with the formation of venture exchanges (national exchanges with listing rules tailored for smaller companies, including those issuing shares issued pursuant to Regulation A). Commissioner Gallagher noted that the SEC had proposed a robust set of rules, including blue sky preemption in certain larger Regulation A Offerings. (Commissioner Gallagher also noted, with respect to the proposal for blue sky exemption, that an “outpouring of anger from state regulators . . . wasn’t unexpected. After all, state regulators have been “protecting” investors from investment opportunities that are too risky for decades – I’m sure the Massachusetts residents who missed out on the offering of Apple Computer in 1980 because of their regulator’s concerns about the risk know this all too well.”)
  • Reconsider the current thresholds for scaled disclosure and the amount of disclosure that is required at each level – including having two tiers of scaling: significant scaling of disclosure for “nanocap” companies (i.e., companies with market capitalizations of up to $50 million) and moderate scaling for “microcap” companies with market capitalizations of $50 million to $300 million.

Coincidentally, the SEC released its 2014 – 2018 Strategic Plan on September 19, 2014, two days after Commissioner Gallagher’s speech. Featured on the cover of the Strategic Plan is the SEC’s mission statement – “Protecting investors, maintaining fair, orderly, and efficient markets, and facilitating capital formation” (emphasis added).

But, judging by the SEC’s own Strategic Plan and its current rulemaking agenda, it is unlikely that the SEC will be vigorously addressing many of Commissioner Gallagher’s concerns regarding capital formation for small businesses in the near future.

ISS’ FAQs on Equity Plan Data Verification – Roadmap for Proxy Statement Disclosures

If you have a proposal to adopt or amend the company’s equity plan in the proxy statement that you file with the SEC after September 8, 2014, then you can use a new data verification portal recently launched by Institutional Shareholder Services Inc. (ISS) to verify key data points underlying ISS’ evaluation of the plan. ISS explains on its website the mechanics of registering for the Equity Plan Data Verification and requesting modifications after reviewing data points posted by ISS.

One of the most interesting pieces of information provided by ISS in connection with the new portal is Appendix A to the FAQs on Equity Plan Data Verification because it lists the questions that ISS includes in its evaluation of equity plans. The questions are divided into several categories: (i) equity plan provisions, (ii) outstanding stock and convertibles, (iii) equity grant activity, and (iv) shares reserved and outstanding under equity compensation programs.

Listed below are certain questions from each category. Some of these questions can be used as a roadmap for proxy statement disclosures related to equity plan proposals in order to facilitate ISS’ review and evaluation of the plan.

Equity Plan Provisions:

  • Is stock option repricing permitted without shareholder approval?
  • Are cash buyouts of underwater stock options permitted without shareholder approval?
  • Does the plan provide for share recycling, whereby the plan’s share reserve is reduced by the net number of shares delivered through equity awards, not the gross number underlying the original awards?
  • Does the plan contain an evergreen provision, pursuant to which the plan’s share reserve is automatically increased annually?
  • What stock acquisition percentage triggers a change-in-control under the plan?
  • Does the plan provide for tax gross-ups on equity awards?

Outstanding Stock and Convertibles:

  • How many common shares are outstanding (includes all classes of common stock) as of the record date?
  • How many common shares are issuable upon (i) exercise of outstanding warrants, (ii) conversion of outstanding convertible debt, and (iii) conversion of outstanding convertible equity?
  • How many weighted average common shares were outstanding in the past 3 fiscal years, as used in the computation of basic EPS?

Equity Grant Activity:

  • What is the total number of time-vesting options/SARs and full value awards granted in the past 3 fiscal years?
  • What is the number of performance-based options/SARs that vested in the past 3 fiscal years?
  • What is the total number of performance-based full value awards earned in the past 3 fiscal years?

Shares Reserved and Outstanding under Equity Compensation Programs:

  • How many shares are reserved under the proposed new plan or pursuant to the plan amendment?
  • How many shares remain available for grant under all equity compensation plans?
  • How many shares are subject to outstanding awards?

Cybersecurity as an Investment Risk

PricewaterhouseCoopers LLP (PwC) and Investor Responsibility Research Center Institute (IRRCi) have weighed in on the cybersecurity issue from an investor’s point of view in their paper called What investors need to know about cybersecurity: How to evaluate investment risks. Cybersecurity has been on the public company disclosure radar screen since the SEC’s guidance released in 2011, but PwC’s and IRRCi’s paper states that cybersecurity disclosures “rarely provide differentiated or actionable information for investors.”

The paper suggests that cybersecurity risk should be one of the elements in an investor’s decision-making process to diversify the investor’s portfolio. For example, even if an investor holds securities of retail, financial services and aerospace & defense companies, such industry diversification may still be vulnerable because all these industries are more likely to be targeted in cyber attacks than others. One of the solutions suggested by the paper is that investors should be better informed about the company’s “preparedness to respond quickly to contain or mitigate the potential harm” from a cyber attack.

The paper provides a list of questions, responses to which should enable investors to evaluate the company’s level of vulnerability to potential cyber attacks. Some of the questions included in the paper are listed below. Such questions can also serve as a roadmap for public company disclosure regarding cybersecurity:

  • Does the organization have a Security & Privacy executive that reports to a senior level position within the company? What are the skills, experiences and qualifications of this executive?
  • Does the organization have a documented cybersecurity strategy that is regularly reviewed and updated? How is the board engaged in the cybersecurity strategy and review process?
  • Does the organization perform periodic risk assessments and technical audits of its security posture?
  • Does the “tone at the top” seem to make security a priority?
  • What is the organization doing to address security with its business partners?
  • Does the organization have a response plan for a cyber incident? Is it tested regularly through simulations and table top exercises? Does it include testing with key 3rd party relationships?

SIFMA Issues Guidance on Rule 506(c) Verification

On June 23, 2014, the Securities Industry and Financial Markets Association (“SIFMA”) issued a memorandum (the “Memorandum”) containing guidance for broker-dealers and investment advisers with respect to verifying the status of purchasers as accredited investors in connection with offerings made pursuant to Rule 506(c) (Reg D offerings utilizing general solicitation, as we have previously blogged about).

Pursuant to Rule 506(c), an issuer utilizing general solicitation for a Reg D offering must, among other things, take reasonable steps to verify that purchasers in the offering are accredited investors. The reasonable verification requirement is a separate condition from the condition that all purchasers in a Rule 506(c) offering must be accredited investors, and the requirement has generated significant commentary.

The Rule 506(c) adopting release provided four non-exclusive safe harbor methods that an issuer can utilize for such reasonable verification, two of which require the issuer to obtain detailed financial information from a purchaser. An issuer may also rely on the written confirmation of a purchaser’s accredited investor status issued by a registered broker-dealer or investment adviser, licensed attorney or certified public accountant. Any such third party must, however, take reasonable steps to verify the purchaser’s accredited investor status before providing written confirmation to the issuer.

To this end, the Memorandum provides two verification methods for broker-dealers and investment advisers to use in verifying natural persons as accredited investors that SIFMA believes satisfy the “reasonable verification” requirement.

One verification method (the “account balance method”) is essentially a determination by the broker-dealer or investment adviser of the purchaser’s net worth. For a broker-dealer or investment adviser to utilize the account balance method, a purchaser must have been a client of the broker-dealer or investment adviser for at least six months, must have (either individually or together with a spouse, if applicable) at least $2 million in cash and marketable securities in the purchaser’s account prior to making the investment in the Rule 506(c) offering, must make certain representations (pursuant to purchaser representations provided by SIFMA as part of the Memorandum) regarding, among other things, the purchaser’s indebtedness, and the broker-dealer or investment adviser must be unaware of any facts to indicate that the client is not an accredited investor.

The other method (the “investment amount method”) uses the purchaser’s investment amount as a proxy for the purchaser’s status as an accredited investor. For a broker-dealer or investment adviser to utilize the investment amount method, a purchaser must have been a client of the broker-dealer or investment adviser for at least six months, must invest, or unconditionally commit to fund, at least $250,000 in a Rule 506(c) offering, which commitment is callable in whole at any time, must make certain representations (pursuant to purchaser representations provided by SIFMA as part of the Memorandum) including, among other things, that the investment in the Rule 506(c) offering is less than 25% of the purchaser’s net worth (either individually or together with a spouse), and the broker-dealer or investment adviser must be unaware of any facts to indicate that the client is not an accredited investor and, in the case of a commitment, the broker-dealer or investment adviser has knowledge that the purchaser has fulfilled a call under a prior commitment.

The Memorandum also provides a method for broker-dealers and investment advisers to use in verifying legal entities (i.e., corporations, LLCs, etc.) as accredited investors. For a broker-dealer or investment adviser to utilize this method, a purchaser-entity must be named on the broker-dealer’s or investment adviser’s current list of clients that qualify as “institutional accounts” as defined in FINRA Rule 4512(c)(3) or as Qualified Institutional Buyers (which are required to have investible assets of at least $100 million), or the purchaser-entity must make an investment in the Rule 506(c) offering in excess of $5 million and must provide a written representation that it was not formed for the purpose of making that investment and that it has made at least one prior investment in securities (whether in a primary offering or in the secondary market).

If issuers begin to use Rule 506(c) offerings with increasing frequency, SIFMA’s guidance in the Memorandum may be an important guidepost for broker-dealers and investment advisers and other third parties (e.g., attorneys and accountants) in assisting issuers to comply with the “reasonable verification” requirement set forth in Rule 506(c). This guidance may also be useful to issuers and other market participants.

FRIDAY AFTERNOON SMACKDOWN – THE SEC v. THE HOUSE OF REPRESENTATIVES

On Friday, June 20, 2014, the Securities and Exchange Commission filed an action against the Committee on Ways and Means of the U.S. House of Representatives and congressional staffer Brian Sutter seeking enforcement of subpoenas the SEC issued. The SEC is investigating whether laws against insider trading, specifically applicable to members and employees of Congress via the Stop Trading on Congressional Knowledge Act of 2012 (the “STOCK Act”), were violated by the disclosure of non-public information about Medicare reimbursement rates. This is pretty exciting stuff for securities lawyers. It isn’t every day that one branch of the federal government sues another. (Generally, the facts set forth below are derived from the SEC’s court filing and have not yet been established as true in court.)

About a year after the STOCK Act became law, the SEC launched an investigation into whether information regarding the April 1, 2013 announcement by the U.S. Centers for Medicare and Medicaid Services (“CMS”) on the 2014 reimbursement rates for the Medicare Advantage program was leaked improperly prior to the official public announcement. In its brief filed with the United States District Court for the Southern District of New York, the SEC details the opening of a formal investigation to determine, among other things, the source(s) of information in an email sent from a lobbyist to a broker-dealer that issued a “flash report” indicating that certain Medicare reimbursement rates would actually increase, rather than decrease as had been expected. The flash report was issued approximately 40 minutes before the official CMS announcement regarding the reimbursement rates and was followed promptly by a dramatic increase in the price and trading volume of certain health care stocks.

On May 6, 2014 the SEC staff issued subpoenas to the House Committee on Ways and Means and Brian Sutter. Mr. Sutter is the Staff Director of the House Ways and Means Committee’s Healthcare Committee. Before becoming Staff Director, Mr. Sutter was a staff member to the Subcommittee. Both the Committee and Mr. Sutter have refused to comply with the subpoenas, citing a number of legal objections, including that the documents demanded are protected by the Constitution’s Speech or Debate Clause. The SEC is having none of that and, on June 20, 2014, the SEC filed an action to enforce subpoenas it issued in connection with its investigation, potentially setting up a Constitutional showdown.    

From my perspective, there are at least two interesting points here. First, the SEC appears to be aggressively enforcing the STOCK Act. Hopefully, the courts will find a way to support the SEC in its efforts to conduct the investigation. If the SEC cannot investigate, the STOCK Act may have little, if any, bite. (If you would like to read more about the STOCK Act, please see our summary in the April 2012 issue of Up to Date.) Second, it will be very interesting to watch the matter unfold from a Constitutional perspective.

PCAOB Adopts New Auditing Standard No. 18, Related Parties

On June 10, 2014, the Public Company Accounting Oversight Board (PCAOB) adopted Auditing Standard No. 18, Related Parties, as well as amendments to certain PCAOB auditing standards regarding significant unusual transactions and other related amendments to PCAOB auditing standards. Auditing Standard No. 18 superseded the PCAOB’s auditing standard AU sec. 334, Related Parties, which was issued in 1983. The new auditing standard and amendments will be effective, subject to approval by the SEC, for audits of financial statements for fiscal years beginning on or after December 15, 2014.

Generally, under the new standard, auditors will be required to engage in a detailed analysis of transactions with related parties and inquire of management regarding:

a. the names of the company’s related parties during the period under audit, including changes from the prior period;

b. background information concerning the related parties (for example, physical location, industry, size, and extent of operations);

c. the nature of any relationships, including ownership structure, between the company and its related parties;

d. the transactions entered into, modified or terminated, with its related parties during the period under audit and the terms and business purposes (or the lack thereof) of such transactions;

e. the business purpose for entering into a transaction with a related party versus an unrelated party;

f. any related party transactions that have not been authorized and approved in accordance with the company’s established policies or procedures regarding the authorization and approval of transactions with related parties; and

g. any related party transactions for which exceptions to the company’s established policies or procedures were granted and the reasons for granting those exceptions.

In addition to obtaining information regarding related party transactions from management, auditors will be required to inquire of others within the company regarding their knowledge of the foregoing matters. The auditor is expected to identify others within the company to whom inquiries should be directed, and determine the extent of such inquiries, by considering whether such individuals are likely to have knowledge regarding such matters as:

a. the company’s related parties or relationships or transactions with related parties;

b. the company’s controls over relationships or transactions with related parties; and

c. the existence of related parties or relationships or transactions with related parties previously undisclosed to the auditor.

The audit committee, or its chair, will also be questioned by the auditor regarding:

a. the audit committee’s understanding of the company’s relationships and transactions with related parties that are significant to the company; and

b. whether any member of the audit committee has concerns regarding relationships or transactions with related parties and, if so, the substance of those concerns.

The auditor will be required to communicate to the audit committee the results of the auditor’s evaluation of the company’s identification of, accounting for, and disclosure of its relationships and transactions with related parties, as well as other significant matters arising from the audit regarding the company’s relationships and transactions with related parties including, but not limited to:

a. the identification of related parties or relationships or transactions with related parties that were previously undisclosed to the auditor;

b. the identification of significant related party transactions that have not been authorized or approved in accordance with the company’s established policies or procedures;

c. the identification of significant related party transactions for which exceptions to the company’s established policies or procedures were granted;

d. the inclusion of a statement in the financial statements that a transaction with a related party was conducted on terms equivalent to those prevailing in an arm’s-length transaction and the evidence obtained by the auditor to support or contradict such an assertion; and

e. the identification of significant related party transactions that appear to the auditor to lack a business purpose.

New Revenue Recognition Standard Adopted

The Financial Accounting Standards Board (“FASB”) and the International Accounting Standards Board (“IASB”) issued jointly written revenue recognition standards on May 28, 2014.  The new guidance standardizes how companies should recognize revenue in financial statements under both U.S. generally accepted accounting principles (GAAP) and international financial reporting standards (IFRS). This new revenue recognition standard will replace most of the current revenue recognition guidance, including much of the industry-specific guidance that exists under GAAP today.

The new guidance aims to:

1. Remove inconsistencies and weaknesses in revenue requirements.

2. Provide a more robust framework for addressing revenue issues.

3. Improve comparability of revenue recognition practices across entities, industries, jurisdictions, and capital markets.

4. Provide more useful information to users of financial statements through improved disclosure requirements.

5. Simplify the preparation of financial statements by reducing the number of requirements to which an entity must refer.

The core principle of the new guidance is that “an entity should recognize revenue to depict the transfer of promised goods or services to customers in an amount that reflects the consideration to which the entity expects to be entitled in exchange for those goods or services.” The guidance contains the following five-step process:

Step 1: Identify the contract(s) with a customer.

Step 2: Identify the performance obligations in the contract.

Step 3: Determine the transaction price.

Step 4: Allocate the transaction price to the performance obligations in the contract.

Step 5: Recognize revenue when (or as) the entity satisfies a performance obligation.

Public companies using GAAP will be required to apply the new revenue recognition standard for annual reporting periods beginning after December 15, 2016, including interim reporting periods therein. Public companies are not permitted to apply this new standard early.

 

Commissioner Aguilar Shares His Views on Directors’ Oversight of Cyber-Risk Management

On June 10, 2014, Commissioner Luis A. Aguilar spoke at a NYSE conference, “Cyber Risks and the Boardroom,” about what boards of directors should do to ensure that their companies are appropriately considering and addressing cyber threats.

Commissioner Aguilar was concerned that “there may be a gap that exists between the magnitude of the exposure presented by cyber-risks and the steps, or lack thereof, that many corporate boards have taken to address these risks.” Commissioner Aguilar stressed that boards should, among other matters:

  • review annual budgets for privacy and IT security programs;
  • assign roles and responsibilities for privacy and security; and
  • receive regular reports on breaches and IT risks.

Boards should also:

  • have a clear understanding of who at the company has primary responsibility for cybersecurity risk oversight and for ensuring the adequacy of the company’s cyber-risk management practices; and
  • put time and resources into making sure that management has developed a well-constructed response plan that is consistent with best practices for a company in the same industry (including a consideration of whether and how cyber-attacks should be disclosed to customers and to investors).

Commissioner Aguilar suggested that one conceptual roadmap boards should consider is the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology (NIST) in February 2014. The NIST Cybersecurity Framework provides companies with a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk consisting of five concurrent and continuous functions:

(i) identify known cybersecurity risks to the company’s infrastructure;

(ii) develop safeguards to protect the delivery and maintenance of infrastructure services;

(iii) implement methods to detect the occurrence of a cybersecurity event;

(iv) develop methods to respond to a detected cybersecurity event; and

(v) develop plans to recover and restore the company’s capabilities that were impaired as a result of a cybersecurity event.

Boards should work with management to assess how their corporate policies measure up to the Framework’s guidelines.

Commissioner Aguilar emphasized that cyber-risk is part of a board of directors’ overall risk oversight responsibilities, in addition to liquidity and operational risks facing the company. Generally, the board’s risk oversight function lies either with the full board or is delegated to the board’s audit committee. But the board’s audit committee may not have the expertise, support, or skills necessary to add oversight of a company’s cyber-risk management to its agenda. Some boards create a separate enterprise risk committee.

There is obviously no “one-size-fits-all” way to address cybersecurity issues at the board level and each company should evaluate its board composition and determine what would be the most effective way for its board to oversee cyber-risk management.