Is the SEC Doing Enough to Promote Capital Formation?

If you believe Commissioner Daniel M. Gallagher, the answer is an emphatic “no”, at least with respect to small businesses. On September 17, 2014, at a Heritage Foundation event, Commissioner Gallagher gave a speech criticizing the Securities and Exchange Commission’s failure to adequately promote capital formation by small businesses:

[S]adly, we at the SEC are not doing nearly enough to ensure that small businesses have the access to capital that they need to grow. We layer on rule after rule until it becomes prohibitively expensive to access the public capital markets.

After noting that not all of the regulatory burden is the SEC’s fault as “much of the ever-growing rulebook is a direct result of congressional mandates,” Commissioner Gallagher makes a number of recommendations for the SEC. Highlights include recommendations to:

  • Withdraw the proposed amendments to Regulation D. (Commissioner Gallagher did not support the proposed amendments as he stated in the SEC’s July 10, 2013 open meeting.)
  • Consider more deeply Regulation D, including considering broadening the blue sky exemption to help make the choice between the various exemptions available under Regulation D more meaningful.  According to Commissioner Gallagher, nearly all Regulation D offerings are conducted under Rule 506, even though 2/3 of the offerings are small enough that they could have been conducted pursuant to Rule 504 or 505, because Rule 506 offerings are exempt from blue sky regulations.
  • Analyze the secondary market for private company shares, where innovation has slowed. “We need more facilities to improve trading among accredited investors in the private secondary market.”
  • Finish implementing the JOBS Act’s reforms to Regulation A and couple the reforms with the formation of venture exchanges (national exchanges with listing rules tailored for smaller companies, including those issuing shares issued pursuant to Regulation A). Commissioner Gallagher noted that the SEC had proposed a robust set of rules, including blue sky preemption in certain larger Regulation A Offerings. (Commissioner Gallagher also noted, with respect to the proposal for blue sky exemption, that an “outpouring of anger from state regulators . . . wasn’t unexpected. After all, state regulators have been “protecting” investors from investment opportunities that are too risky for decades – I’m sure the Massachusetts residents who missed out on the offering of Apple Computer in 1980 because of their regulator’s concerns about the risk know this all too well.”)
  • Reconsider the current thresholds for scaled disclosure and the amount of disclosure that is required at each level – including having two tiers of scaling: significant scaling of disclosure for “nanocap” companies (i.e., companies with market capitalizations of up to $50 million) and moderate scaling for “microcap” companies with market capitalizations of $50 million to $300 million.

Coincidentally, the SEC released its 2014 – 2018 Strategic Plan on September 19, 2014, two days after Commissioner Gallagher’s speech. Featured on the cover of the Strategic Plan is the SEC’s mission statement – “Protecting investors, maintaining fair, orderly, and efficient markets, and facilitating capital formation” (emphasis added).

But, judging by the SEC’s own Strategic Plan and its current rulemaking agenda, it is unlikely that the SEC will be vigorously addressing many of Commissioner Gallagher’s concerns regarding capital formation for small businesses in the near future.

ISS’ FAQs on Equity Plan Data Verification – Roadmap for Proxy Statement Disclosures

If you have a proposal to adopt or amend the company’s equity plan in the proxy statement that you file with the SEC after September 8, 2014, then you can use a new data verification portal recently launched by Institutional Shareholder Services Inc. (ISS) to verify key data points underlying ISS’ evaluation of the plan. ISS explains on its website the mechanics of registering for the Equity Plan Data Verification and requesting modifications after reviewing data points posted by ISS.

One of the most interesting pieces of information provided by ISS in connection with the new portal is Appendix A to the FAQs on Equity Plan Data Verification because it lists the questions that ISS includes in its evaluation of equity plans. The questions are divided into several categories: (i) equity plan provisions, (ii) outstanding stock and convertibles, (iii) equity grant activity, and (iv) shares reserved and outstanding under equity compensation programs.

Listed below are certain questions from each category. Some of these questions can be used as a roadmap for proxy statement disclosures related to equity plan proposals in order to facilitate ISS’ review and evaluation of the plan.

Equity Plan Provisions:

  • Is stock option repricing permitted without shareholder approval?
  • Are cash buyouts of underwater stock options permitted without shareholder approval?
  • Does the plan provide for share recycling, whereby the plan’s share reserve is reduced by the net number of shares delivered through equity awards, not the gross number underlying the original awards?
  • Does the plan contain an evergreen provision, pursuant to which the plan’s share reserve is automatically increased annually?
  • What stock acquisition percentage triggers a change-in-control under the plan?
  • Does the plan provide for tax gross-ups on equity awards?

Outstanding Stock and Convertibles:

  • How many common shares are outstanding (includes all classes of common stock) as of the record date?
  • How many common shares are issuable upon (i) exercise of outstanding warrants, (ii) conversion of outstanding convertible debt, and (iii) conversion of outstanding convertible equity?
  • How many weighted average common shares were outstanding in the past 3 fiscal years, as used in the computation of basic EPS?

Equity Grant Activity:

  • What is the total number of time-vesting options/SARs and full value awards granted in the past 3 fiscal years?
  • What is the number of performance-based options/SARs that vested in the past 3 fiscal years?
  • What is the total number of performance-based full value awards earned in the past 3 fiscal years?

Shares Reserved and Outstanding under Equity Compensation Programs:

  • How many shares are reserved under the proposed new plan or pursuant to the plan amendment?
  • How many shares remain available for grant under all equity compensation plans?
  • How many shares are subject to outstanding awards?

Cybersecurity as an Investment Risk

PricewaterhouseCoopers LLP (PwC) and Investor Responsibility Research Center Institute (IRRCi) have weighed in on the cybersecurity issue from an investor’s point of view in their paper called What investors need to know about cybersecurity: How to evaluate investment risks. Cybersecurity has been on the public company disclosure radar screen since the SEC’s guidance released in 2011, but PwC’s and IRRCi’s paper states that cybersecurity disclosures “rarely provide differentiated or actionable information for investors.”

The paper suggests that cybersecurity risk should be one of the elements in an investor’s decision-making process to diversify the investor’s portfolio. For example, even if an investor holds securities of retail, financial services and aerospace & defense companies, such industry diversification may still be vulnerable because all these industries are more likely to be targeted in cyber attacks than others. One of the solutions suggested by the paper is that investors should be better informed about the company’s “preparedness to respond quickly to contain or mitigate the potential harm” from a cyber attack.

The paper provides a list of questions, responses to which should enable investors to evaluate the company’s level of vulnerability to potential cyber attacks. Some of the questions included in the paper are listed below. Such questions can also serve as a roadmap for public company disclosure regarding cybersecurity:

  • Does the organization have a Security & Privacy executive that reports to a senior level position within the company? What are the skills, experiences and qualifications of this executive?
  • Does the organization have a documented cybersecurity strategy that is regularly reviewed and updated? How is the board engaged in the cybersecurity strategy and review process?
  • Does the organization perform periodic risk assessments and technical audits of its security posture?
  • Does the “tone at the top” seem to make security a priority?
  • What is the organization doing to address security with its business partners?
  • Does the organization have a response plan for a cyber incident? Is it tested regularly through simulations and table top exercises? Does it include testing with key 3rd party relationships?

SIFMA Issues Guidance on Rule 506(c) Verification

On June 23, 2014, the Securities Industry and Financial Markets Association (“SIFMA”) issued a memorandum (the “Memorandum”) containing guidance for broker-dealers and investment advisers with respect to verifying the status of purchasers as accredited investors in connection with offerings made pursuant to Rule 506(c) (Reg D offerings utilizing general solicitation, as we have previously blogged about).

Pursuant to Rule 506(c), an issuer utilizing general solicitation for a Reg D offering must, among other things, take reasonable steps to verify that purchasers in the offering are accredited investors. The reasonable verification requirement is a separate condition from the condition that all purchasers in a Rule 506(c) offering must be accredited investors, and the requirement has generated significant commentary.

The Rule 506(c) adopting release provided four non-exclusive safe harbor methods that an issuer can utilize for such reasonable verification, two of which require the issuer to obtain detailed financial information from a purchaser. An issuer may also rely on the written confirmation of a purchaser’s accredited investor status issued by a registered broker-dealer or investment adviser, licensed attorney or certified public accountant. Any such third party must, however, take reasonable steps to verify the purchaser’s accredited investor status before providing written confirmation to the issuer.

To this end, the Memorandum provides two verification methods for broker-dealers and investment advisers to use in verifying natural persons as accredited investors that SIFMA believes satisfy the “reasonable verification” requirement.

One verification method (the “account balance method”) is essentially a determination by the broker-dealer or investment adviser of the purchaser’s net worth. For a broker-dealer or investment adviser to utilize the account balance method, a purchaser must have been a client of the broker-dealer or investment adviser for at least six months, must have (either individually or together with a spouse, if applicable) at least $2 million in cash and marketable securities in the purchaser’s account prior to making the investment in the Rule 506(c) offering, must make certain representations (pursuant to purchaser representations provided by SIFMA as part of the Memorandum) regarding, among other things, the purchaser’s indebtedness, and the broker-dealer or investment adviser must be unaware of any facts to indicate that the client is not an accredited investor.

The other method (the “investment amount method”) uses the purchaser’s investment amount as a proxy for the purchaser’s status as an accredited investor. For a broker-dealer or investment adviser to utilize the investment amount method, a purchaser must have been a client of the broker-dealer or investment adviser for at least six months, must invest, or unconditionally commit to fund, at least $250,000 in a Rule 506(c) offering, which commitment is callable in whole at any time, must make certain representations (pursuant to purchaser representations provided by SIFMA as part of the Memorandum) including, among other things, that the investment in the Rule 506(c) offering is less than 25% of the purchaser’s net worth (either individually or together with a spouse), and the broker-dealer or investment adviser must be unaware of any facts to indicate that the client is not an accredited investor and, in the case of a commitment, the broker-dealer or investment adviser has knowledge that the purchaser has fulfilled a call under a prior commitment.

The Memorandum also provides a method for broker-dealers and investment advisers to use in verifying legal entities (i.e., corporations, LLCs, etc.) as accredited investors. For a broker-dealer or investment adviser to utilize this method, a purchaser-entity must be named on the broker-dealer’s or investment adviser’s current list of clients that qualify as “institutional accounts” as defined in FINRA Rule 4512(c)(3) or as Qualified Institutional Buyers (which are required to have investible assets of at least $100 million), or the purchaser-entity must make an investment in the Rule 506(c) offering in excess of $5 million and must provide a written representation that it was not formed for the purpose of making that investment and that it has made at least one prior investment in securities (whether in a primary offering or in the secondary market).

If issuers begin to use Rule 506(c) offerings with increasing frequency, SIFMA’s guidance in the Memorandum may be an important guidepost for broker-dealers and investment advisers and other third parties (e.g., attorneys and accountants) in assisting issuers to comply with the “reasonable verification” requirement set forth in Rule 506(c). This guidance may also be useful to issuers and other market participants.

FRIDAY AFTERNOON SMACKDOWN – THE SEC v. THE HOUSE OF REPRESENTATIVES

On Friday, June 20, 2014, the Securities and Exchange Commission filed an action against the Committee on Ways and Means of the U.S. House of Representatives and congressional staffer Brian Sutter seeking enforcement of subpoenas the SEC issued. The SEC is investigating whether laws against insider trading, specifically applicable to members and employees of Congress via the Stop Trading on Congressional Knowledge Act of 2012 (the “STOCK Act”), were violated by the disclosure of non-public information about Medicare reimbursement rates. This is pretty exciting stuff for securities lawyers. It isn’t every day that one branch of the federal government sues another. (Generally, the facts set forth below are derived from the SEC’s court filing and have not yet been established as true in court.)

About a year after the STOCK Act became law, the SEC launched an investigation into whether information regarding the April 1, 2013 announcement by the U.S. Centers for Medicare and Medicaid Services (“CMS”) on the 2014 reimbursement rates for the Medicare Advantage program was leaked improperly prior to the official public announcement. In its brief filed with the United States District Court for the Southern District of New York, the SEC details the opening of a formal investigation to determine, among other things, the source(s) of information in an email sent from a lobbyist to a broker-dealer that issued a “flash report” indicating that certain Medicare reimbursement rates would actually increase, rather than decrease as had been expected. The flash report was issued approximately 40 minutes before the official CMS announcement regarding the reimbursement rates and was followed promptly by a dramatic increase in the price and trading volume of certain health care stocks.

On May 6, 2014 the SEC staff issued subpoenas to the House Committee on Ways and Means and Brian Sutter. Mr. Sutter is the Staff Director of the House Ways and Means Committee’s Healthcare Committee. Before becoming Staff Director, Mr. Sutter was a staff member to the Subcommittee. Both the Committee and Mr. Sutter have refused to comply with the subpoenas, citing a number of legal objections, including that the documents demanded are protected by the Constitution’s Speech or Debate Clause. The SEC is having none of that and, on June 20, 2014, the SEC filed an action to enforce subpoenas it issued in connection with its investigation, potentially setting up a Constitutional showdown.    

From my perspective, there are at least two interesting points here. First, the SEC appears to be aggressively enforcing the STOCK Act. Hopefully, the courts will find a way to support the SEC in its efforts to conduct the investigation. If the SEC cannot investigate, the STOCK Act may have little, if any, bite. (If you would like to read more about the STOCK Act, please see our summary in the April 2012 issue of Up to Date.) Second, it will be very interesting to watch the matter unfold from a Constitutional perspective.

PCAOB Adopts New Auditing Standard No. 18, Related Parties

On June 10, 2014, the Public Company Accounting Oversight Board (PCAOB) adopted Auditing Standard No. 18, Related Parties, as well as amendments to certain PCAOB auditing standards regarding significant unusual transactions and other related amendments to PCAOB auditing standards. Auditing Standard No. 18 superseded the PCAOB’s auditing standard AU sec. 334, Related Parties, which was issued in 1983. The new auditing standard and amendments will be effective, subject to approval by the SEC, for audits of financial statements for fiscal years beginning on or after December 15, 2014.

Generally, under the new standard, auditors will be required to engage in a detailed analysis of transactions with related parties and inquire of management regarding:

a. the names of the company’s related parties during the period under audit, including changes from the prior period;

b. background information concerning the related parties (for example, physical location, industry, size, and extent of operations);

c. the nature of any relationships, including ownership structure, between the company and its related parties;

d. the transactions entered into, modified or terminated, with its related parties during the period under audit and the terms and business purposes (or the lack thereof) of such transactions;

e. the business purpose for entering into a transaction with a related party versus an unrelated party;

f. any related party transactions that have not been authorized and approved in accordance with the company’s established policies or procedures regarding the authorization and approval of transactions with related parties; and

g. any related party transactions for which exceptions to the company’s established policies or procedures were granted and the reasons for granting those exceptions.

In addition to obtaining information regarding related party transactions from management, auditors will be required to inquire of others within the company regarding their knowledge of the foregoing matters. The auditor is expected to identify others within the company to whom inquiries should be directed, and determine the extent of such inquiries, by considering whether such individuals are likely to have knowledge regarding such matters as:

a. the company’s related parties or relationships or transactions with related parties;

b. the company’s controls over relationships or transactions with related parties; and

c. the existence of related parties or relationships or transactions with related parties previously undisclosed to the auditor.

The audit committee, or its chair, will also be questioned by the auditor regarding:

a. the audit committee’s understanding of the company’s relationships and transactions with related parties that are significant to the company; and

b. whether any member of the audit committee has concerns regarding relationships or transactions with related parties and, if so, the substance of those concerns.

The auditor will be required to communicate to the audit committee the results of the auditor’s evaluation of the company’s identification of, accounting for, and disclosure of its relationships and transactions with related parties, as well as other significant matters arising from the audit regarding the company’s relationships and transactions with related parties including, but not limited to:

a. the identification of related parties or relationships or transactions with related parties that were previously undisclosed to the auditor;

b. the identification of significant related party transactions that have not been authorized or approved in accordance with the company’s established policies or procedures;

c. the identification of significant related party transactions for which exceptions to the company’s established policies or procedures were granted;

d. the inclusion of a statement in the financial statements that a transaction with a related party was conducted on terms equivalent to those prevailing in an arm’s-length transaction and the evidence obtained by the auditor to support or contradict such an assertion; and

e. the identification of significant related party transactions that appear to the auditor to lack a business purpose.

New Revenue Recognition Standard Adopted

The Financial Accounting Standards Board (“FASB”) and the International Accounting Standards Board (“IASB”) issued jointly written revenue recognition standards on May 28, 2014.  The new guidance standardizes how companies should recognize revenue in financial statements under both U.S. generally accepted accounting principles (GAAP) and international financial reporting standards (IFRS). This new revenue recognition standard will replace most of the current revenue recognition guidance, including much of the industry-specific guidance that exists under GAAP today.

The new guidance aims to:

1. Remove inconsistencies and weaknesses in revenue requirements.

2. Provide a more robust framework for addressing revenue issues.

3. Improve comparability of revenue recognition practices across entities, industries, jurisdictions, and capital markets.

4. Provide more useful information to users of financial statements through improved disclosure requirements.

5. Simplify the preparation of financial statements by reducing the number of requirements to which an entity must refer.

The core principle of the new guidance is that “an entity should recognize revenue to depict the transfer of promised goods or services to customers in an amount that reflects the consideration to which the entity expects to be entitled in exchange for those goods or services.” The guidance contains the following five-step process:

Step 1: Identify the contract(s) with a customer.

Step 2: Identify the performance obligations in the contract.

Step 3: Determine the transaction price.

Step 4: Allocate the transaction price to the performance obligations in the contract.

Step 5: Recognize revenue when (or as) the entity satisfies a performance obligation.

Public companies using GAAP will be required to apply the new revenue recognition standard for annual reporting periods beginning after December 15, 2016, including interim reporting periods therein. Public companies are not permitted to apply this new standard early.

 

Commissioner Aguilar Shares His Views on Directors’ Oversight of Cyber-Risk Management

On June 10, 2014, Commissioner Luis A. Aguilar spoke at a NYSE conference, “Cyber Risks and the Boardroom,” about what boards of directors should do to ensure that their companies are appropriately considering and addressing cyber threats.

Commissioner Aguilar was concerned that “there may be a gap that exists between the magnitude of the exposure presented by cyber-risks and the steps, or lack thereof, that many corporate boards have taken to address these risks.” Commissioner Aguilar stressed that boards should, among other matters:

  • review annual budgets for privacy and IT security programs;
  • assign roles and responsibilities for privacy and security; and
  • receive regular reports on breaches and IT risks.

Boards should also:

  • have a clear understanding of who at the company has primary responsibility for cybersecurity risk oversight and for ensuring the adequacy of the company’s cyber-risk management practices; and
  • put time and resources into making sure that management has developed a well-constructed response plan that is consistent with best practices for a company in the same industry (including a consideration of whether and how cyber-attacks should be disclosed to customers and to investors).

Commissioner Aguilar suggested that one conceptual roadmap boards should consider is the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology (NIST) in February 2014. The NIST Cybersecurity Framework provides companies with a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk consisting of five concurrent and continuous functions:

(i) identify known cybersecurity risks to the company’s infrastructure;

(ii) develop safeguards to protect the delivery and maintenance of infrastructure services;

(iii) implement methods to detect the occurrence of a cybersecurity event;

(iv) develop methods to respond to a detected cybersecurity event; and

(v) develop plans to recover and restore the company’s capabilities that were impaired as a result of a cybersecurity event.

Boards should work with management to assess their corporate policies to determine how they measure up to the Framework’s guidelines.

Commissioner Aguilar emphasized that cyber-risk is part of a board of directors’ overall risk oversight responsibilities, in addition to liquidity and operational risks facing the company. Generally, the board’s risk oversight function lies either with the full board or is delegated to the board’s audit committee. But the board’s audit committee may not have the expertise, support, or skills necessary to add oversight of a company’s cyber-risk management to its agenda. Some boards create a separate enterprise risk committee.

There is obviously no “one-size-fits-all” way to address cybersecurity issues at the board level and each company should evaluate its board composition and determine what would be the most effective way for its board to oversee cyber-risk management.

Spreading Sunshine in Private Equity

On May 6, 2014, Andrew J. Bowden, Director of the SEC’s Office of Compliance Inspections and Examinations (“OCIE”), gave a speech entitled “Spreading Sunshine in Private Equity” to the Private Fund Compliance Forum (sponsored by Private Equity International) in New York.

The OCIE administers the SEC’s “examination and inspection” program, and oversees a multitude of registrants, including investment advisers, investment companies and broker-dealers. As a result of the Dodd-Frank Act, many private equity and other funds are now required to register with the SEC and are also subject to SEC inspection and certain other regulatory requirements. This statutory change brought an end to the minimal regulatory environment in which most private equity funds operated for decades.

At the outset, Director Bowden presented an overview of the OCIE’s initial efforts to understand, and begin oversight of, the private equity industry. Director Bowden highlighted certain differences – some inherent and some born of practice – in the private equity industry that pose different regulatory (including disclosure) challenges than those associated with regulating publicly-traded registrants. Some of these differences, certain of which have been addressed publicly by other SEC officials, include:

  • A private equity fund’s control over its privately-held portfolio companies, and the ability of the fund to influence the management and decision-making of such companies;
  • The typically “voluminous” limited partnership agreement that permits a fund a wide latitude of control and contains terms that are often subject to varying interpretations; and
  • That a fund typically is not subject to significant scrutiny by its limited partners (i.e., the lack of information rights).

Given these differences, Director Bowden described a number of observations from more than 150 examinations of private equity funds conducted by OCIE. In over half of the examinations, Director Bowden noted that OCIE found what it believes to be “violations of law or material weaknesses in controls” with respect to the treatment of fees and expenses. Director Bowden seemed to, at a fundamental level, take the position that private equity funds do not adequately disclose to investors the manner in which the funds allocate fees and expenses. For instance, the Director noted the typical practice of allocating “operating partner” expenses to a fund’s portfolio companies or to the fund itself, which the Director characterized as creating a “back door” fee that investors do not expect. In addition, Director Bowden spent some time discussing the inconsistent valuation methodologies that are sometimes used by a private equity fund, especially during the fundraising cycle, although he noted that OCIE only seeks to ensure consistency of valuation methodologies and has no intention of determining the type of methodologies employed by any particular fund.

In his concluding remarks, the Director stated that there is room for improvement in the overall compliance programs of many funds. In addition to promoting a culture of compliance, Director Bowden posited that funds would foster more effective compliance by involving compliance personnel in the deal-making process, including participating in investment committee meetings and reviewing deal memos.

Investing in Bitcoin? Think Twice Says the SEC.

Bitcoin has been in the news a lot recently and most of the news has been bad, including news of the bankruptcy of Mt. Gox, formerly one of the world’s largest Bitcoin exchanges. Most recently, on May 7, 2014, the SEC issued an Investor Alert to make investors aware of the potential risks of investments involving Bitcoin and other forms of virtual currency.

According to the Investor Alert, Bitcoin has been described as a decentralized, peer-to-peer virtual currency that can be exchanged for traditional currencies, or used to purchase goods or services, usually online. What most distinguishes Bitcoin and similar virtual currencies from more traditional currencies is the fact that they are not backed by any government and operate without any central authority or oversight.

In its release, the SEC discusses:

  • The heightened risk of fraud that investments involving Bitcoin may have, noting that “innovations and new technologies are often used by fraudsters to perpetrate fraudulent investment schemes.”
  • Potential warning signs of investment fraud, including “guaranteed” high investment returns, unsolicited sales pitches, unlicensed sellers, no net worth or income requirements for investors, and pressure to buy immediately.
  • Limited recovery options if fraud or theft results in the loss of Bitcoin.
  • Certain unique risks of investments involving Bitcoin, including lack of insurance usually held by banks and brokerage firms, historic Bitcoin exchange rate volatility, potential governmental restrictions, and the potential that Bitcoin exchanges may stop operating due to fraud, technical difficulties, hackers or malware.

If the SEC’s recent guidance is not enough to make you pause and think before investing in anything relating to Bitcoin, you may want to review the SEC’s July 2013 Investor Alert about the use of Bitcoin in Ponzi schemes, the Financial Industry Regulatory Authority’s recent Investor Alert cautioning investors about the risks of buying and using digital currency such as Bitcoin and the North American Securities Administrators Association listing of digital currency on its list of the top 10 threats to investors for 2013. In addition, the IRS has issued guidance stating that the IRS will treat virtual currencies, such as Bitcoin, as property, which has the potential to make transactions in Bitcoin far more complex than transactions in traditional currencies.