Broker-Dealers Ignoring Red Flags Lead to SEC Releases and Enforcement Action

In October 2014, the SEC’s Division of Trading & Markets issued FAQs to remind broker-dealers of their obligation to conduct a reasonable inquiry when selling securities in an unregistered transaction in reliance on Section 4(a)(4) of the Securities Act. The FAQs explain that “[i]n order to rely on the Section 4(a)(4) exemption, a broker-dealer must conduct a ‘reasonable inquiry’ into the facts surrounding a proposed unregistered sale of securities before selling the securities to form reasonable grounds for believing that a selling customer’s part of the transaction is exempt from Section 5. . . . [W]hen conducting a reasonable inquiry into whether the transaction would violate Section 5, it is not sufficient for the broker-dealer merely to accept self-serving statements of his sellers and their counsel without reasonably exploring the possibility of contrary facts. Nor, where there are indicia of an illegal distribution of securities, can a broker-dealer claim that its sales of a security were exempt from registration simply because the stock certificates lack a restrictive legend or a clearing firm or transfer agent raises no objections to the sales.” The FAQs provide a list of factors that the SEC will consider in assessing the reasonableness of a broker-dealer’s inquiry and its reliance on the Section 4(a)(4) exemption.

Simultaneously with the issuance of the FAQs, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert summarizing deficiencies that OCIE observed in examining 22 broker-dealers. Among other matters, the examinations uncovered deficiencies related to controls put in place to comply with obligations related to sales of securities, including the performance of a reasonable inquiry in connection with unregistered sales of securities in reliance on Section 4(a)(4) of the Securities Act.

In conjunction with the FAQs and the Risk Alert, the SEC announced an enforcement action against certain current and former E*Trade subsidiaries (the “Subsidiaries”) for ignoring red flags in connection with the sale of unregistered penny stocks. The SEC’s order finds that the Subsidiaries were not entitled to rely on the Section 4(a)(4) exemption because they did not perform a “reasonable inquiry.” The Subsidiaries agreed to settle the SEC’s charges by paying back more than $1.5 million in disgorgement and prejudgment interest from commissions they earned on the improper sales. They also must pay a combined penalty of $1 million.

In light of the above, broker-dealers should reexamine their policies and procedures related to the sale of unregistered securities and provide training to their personnel concerning what constitutes a “reasonable inquiry.”

Is the SEC Doing Enough to Promote Capital Formation?

If you believe Commissioner Daniel M. Gallagher, the answer is an emphatic “no,” at least with respect to small businesses. On September 17, 2014, at a Heritage Foundation event, Commissioner Gallagher gave a speech criticizing the Securities and Exchange Commission’s failure to adequately promote capital formation by small businesses:

[S]adly, we at the SEC are not doing nearly enough to ensure that small businesses have the access to capital that they need to grow. We layer on rule after rule until it becomes prohibitively expensive to access the public capital markets.

After noting that not all of the regulatory burden is the SEC’s fault as “much of the ever-growing rulebook is a direct result of congressional mandates,” Commissioner Gallagher makes a number of recommendations for the SEC. Highlights include recommendations to:

  • Withdraw the proposed amendments to Regulation D. (Commissioner Gallagher did not support the proposed amendments, as he stated in the SEC’s July 10, 2013 open meeting.)
  • Consider Regulation D more deeply, including considering whether to broaden the blue sky exemption to help make the choice between the various exemptions available under Regulation D more meaningful. According to Commissioner Gallagher, nearly all Regulation D offerings are conducted under Rule 506, even though 2/3 of the offerings are small enough that they could have been conducted pursuant to Rule 504 or 505, because Rule 506 offerings are exempt from blue sky regulations.
  • Analyze the secondary market for private company shares, where innovation has slowed. “We need more facilities to improve trading among accredited investors in the private secondary market.”
  • Finish implementing the JOBS Act’s reforms to Regulation A and couple the reforms with the formation of venture exchanges (national exchanges with listing rules tailored for smaller companies, including those issuing shares pursuant to Regulation A). Commissioner Gallagher noted that the SEC had proposed a robust set of rules, including blue sky preemption in certain larger Regulation A offerings. (Commissioner Gallagher also noted, with respect to the proposal for blue sky exemption, that an “outpouring of anger from state regulators . . . wasn’t unexpected. After all, state regulators have been ‘protecting’ investors from investment opportunities that are too risky for decades – I’m sure the Massachusetts residents who missed out on the offering of Apple Computer in 1980 because of their regulator’s concerns about the risk know this all too well.”)
  • Reconsider the current thresholds for scaled disclosure and the amount of disclosure that is required at each level – including having two tiers of scaling: significant scaling of disclosure for “nanocap” companies (i.e., companies with market capitalizations of up to $50 million) and moderate scaling for “microcap” companies with market capitalizations of $50 million to $300 million.

Coincidentally, the SEC released its 2014 – 2018 Strategic Plan on September 19, 2014, two days after Commissioner Gallagher’s speech. Featured on the cover of the Strategic Plan is the SEC’s mission statement – “Protecting investors, maintaining fair, orderly, and efficient markets, and facilitating capital formation” (emphasis added).

But, judging by the SEC’s own Strategic Plan and its current rulemaking agenda, it is unlikely that the SEC will be vigorously addressing many of Commissioner Gallagher’s concerns regarding capital formation for small businesses in the near future.

Cybersecurity as an Investment Risk

PricewaterhouseCoopers LLP (PwC) and Investor Responsibility Research Center Institute (IRRCi) have weighed in on the cybersecurity issue from an investor’s point of view in their paper called What investors need to know about cybersecurity: How to evaluate investment risks. Cybersecurity has been on the public company disclosure radar screen since the SEC’s guidance released in 2011, but PwC’s and IRRCi’s paper states that cybersecurity disclosures “rarely provide differentiated or actionable information for investors.”

The paper suggests that cybersecurity risk should be one of the elements in an investor’s decision-making process to diversify the investor’s portfolio. For example, even if an investor holds securities of retail, financial services and aerospace & defense companies, such industry diversification may still be vulnerable because all these industries are more likely to be targeted in cyber attacks than others. One of the solutions suggested by the paper is that investors should be better informed about the company’s “preparedness to respond quickly to contain or mitigate the potential harm” from a cyber attack.

The paper provides a list of questions, responses to which should enable investors to evaluate the company’s level of vulnerability to potential cyber attacks. Some of the questions included in the paper are listed below. Such questions can also serve as a roadmap for public company disclosure regarding cybersecurity:

  • Does the organization have a Security & Privacy executive that reports to a senior level position within the company? What are the skills, experiences and qualifications of this executive?
  • Does the organization have a documented cybersecurity strategy that is regularly reviewed and updated? How is the board engaged in the cybersecurity strategy and review process?
  • Does the organization perform periodic risk assessments and technical audits of its security posture?
  • Does the “tone at the top” seem to make security a priority?
  • What is the organization doing to address security with its business partners?
  • Does the organization have a response plan for a cyber incident? Is it tested regularly through simulations and table top exercises? Does it include testing with key 3rd party relationships?

SIFMA Issues Guidance on Rule 506(c) Verification

On June 23, 2014, the Securities Industry and Financial Markets Association (“SIFMA”) issued a memorandum (the “Memorandum”) containing guidance for broker-dealers and investment advisers with respect to verifying the status of purchasers as accredited investors in connection with offerings made pursuant to Rule 506(c) (Reg D offerings utilizing general solicitation, as we have previously blogged about).

Pursuant to Rule 506(c), an issuer utilizing general solicitation for a Reg D offering must, among other things, take reasonable steps to verify that purchasers in the offering are accredited investors. The reasonable verification requirement is a separate condition from the condition that all purchasers in a Rule 506(c) offering must be accredited investors, and the requirement has generated significant commentary.

The Rule 506(c) adopting release provided four non-exclusive safe harbor methods that an issuer can utilize for such reasonable verification, two of which require the issuer to obtain detailed financial information from a purchaser. An issuer may also rely on the written confirmation of a purchaser’s accredited investor status issued by a registered broker-dealer or investment adviser, licensed attorney or certified public accountant. Any such third party must, however, take reasonable steps to verify the purchaser’s accredited investor status before providing written confirmation to the issuer.

To this end, the Memorandum provides two verification methods for broker-dealers and investment advisers to use in verifying natural persons as accredited investors that SIFMA believes satisfy the “reasonable verification” requirement.

One verification method (the “account balance method”) is essentially a determination by the broker-dealer or investment adviser of the purchaser’s net worth. For a broker-dealer or investment adviser to utilize the account balance method, a purchaser must have been a client of the broker-dealer or investment adviser for at least six months, must have (either individually or together with a spouse, if applicable) at least $2 million in cash and marketable securities in the purchaser’s account prior to making the investment in the Rule 506(c) offering, must make certain representations (pursuant to purchaser representations provided by SIFMA as part of the Memorandum) regarding, among other things, the purchaser’s indebtedness, and the broker-dealer or investment adviser must be unaware of any facts to indicate that the client is not an accredited investor.

The other method (the “investment amount method”) uses the purchaser’s investment amount as a proxy for the purchaser’s status as an accredited investor. For a broker-dealer or investment adviser to utilize the investment amount method, a purchaser must have been a client of the broker-dealer or investment adviser for at least six months, must invest, or unconditionally commit to fund, at least $250,000 in a Rule 506(c) offering, which commitment is callable in whole at any time, must make certain representations (pursuant to purchaser representations provided by SIFMA as part of the Memorandum) including, among other things, that the investment in the Rule 506(c) offering is less than 25% of the purchaser’s net worth (either individually or together with a spouse), and the broker-dealer or investment adviser must be unaware of any facts to indicate that the client is not an accredited investor and, in the case of a commitment, the broker-dealer or investment adviser has knowledge that the purchaser has fulfilled a call under a prior commitment.

The Memorandum also provides a method for broker-dealers and investment advisers to use in verifying legal entities (i.e., corporations, LLCs, etc.) as accredited investors. For a broker-dealer or investment adviser to utilize this method, a purchaser-entity must be named on the broker-dealer’s or investment adviser’s current list of clients that qualify as “institutional accounts” as defined in FINRA Rule 4512(c)(3) or as Qualified Institutional Buyers (which are required to have investible assets of at least $100 million), or the purchaser-entity must make an investment in the Rule 506(c) offering in excess of $5 million and must provide a written representation that it was not formed for the purpose of making that investment and that it has made at least one prior investment in securities (whether in a primary offering or in the secondary market).

If issuers begin to use Rule 506(c) offerings with increasing frequency, SIFMA’s guidance in the Memorandum may be an important guidepost for broker-dealers and investment advisers and other third parties (e.g., attorneys and accountants) in assisting issuers to comply with the “reasonable verification” requirement set forth in Rule 506(c). This guidance may also be useful to issuers and other market participants.

Commissioner Aguilar Shares His Views on Directors’ Oversight of Cyber-Risk Management

On June 10, 2014, Commissioner Luis A. Aguilar spoke at a NYSE conference, “Cyber Risks and the Boardroom,” about what boards of directors should do to ensure that their companies are appropriately considering and addressing cyber threats.

Commissioner Aguilar was concerned that “there may be a gap that exists between the magnitude of the exposure presented by cyber-risks and the steps, or lack thereof, that many corporate boards have taken to address these risks.” Commissioner Aguilar stressed that boards should, among other matters:

  • review annual budgets for privacy and IT security programs;
  • assign roles and responsibilities for privacy and security; and
  • receive regular reports on breaches and IT risks.

Boards should also:

  • have a clear understanding of who at the company has primary responsibility for cybersecurity risk oversight and for ensuring the adequacy of the company’s cyber-risk management practices; and
  • put time and resources into making sure that management has developed a well-constructed response plan that is consistent with best practices for a company in the same industry (including a consideration of whether and how cyber-attacks should be disclosed to customers and to investors).

Commissioner Aguilar suggested that one conceptual roadmap boards should consider is the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology (NIST) in February 2014. The NIST Cybersecurity Framework provides companies with a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk consisting of five concurrent and continuous functions:

(i) identify known cybersecurity risks to the company’s infrastructure;

(ii) develop safeguards to protect the delivery and maintenance of infrastructure services;

(iii) implement methods to detect the occurrence of a cybersecurity event;

(iv) develop methods to respond to a detected cybersecurity event; and

(v) develop plans to recover and restore the company’s capabilities that were impaired as a result of a cybersecurity event.

Boards should work with management to assess how their corporate policies measure up to the Framework’s guidelines.

Commissioner Aguilar emphasized that cyber-risk is part of a board of directors’ overall risk oversight responsibilities, in addition to liquidity and operational risks facing the company. Generally, the board’s risk oversight function lies either with the full board or is delegated to the board’s audit committee. But the board’s audit committee may not have the expertise, support, or skills necessary to add oversight of a company’s cyber-risk management to its agenda. Some boards create a separate enterprise risk committee.

There is obviously no “one-size-fits-all” way to address cybersecurity issues at the board level and each company should evaluate its board composition and determine what would be the most effective way for its board to oversee cyber-risk management.

Investing in Bitcoin? Think Twice Says the SEC.

Bitcoin has been in the news a lot recently and most of the news has been bad, including news of the bankruptcy of Mt. Gox, formerly one of the world’s largest Bitcoin exchanges. Most recently, on May 7, 2014, the SEC issued an Investor Alert to make investors aware of the potential risks of investments involving Bitcoin and other forms of virtual currency.

According to the Investor Alert, Bitcoin has been described as a decentralized, peer-to-peer virtual currency that can be exchanged for traditional currencies, or used to purchase goods or services, usually online. What most distinguishes Bitcoin and similar virtual currencies from more traditional currencies is the fact that they are not backed by any government and operate without any central authority or oversight.

In its release, the SEC discusses:

  • The heightened risk of fraud that investments involving Bitcoin may have, noting that “innovations and new technologies are often used by fraudsters to perpetrate fraudulent investment schemes.”
  • Potential warning signs of investment fraud, including “guaranteed” high investment returns, unsolicited sales pitches, unlicensed sellers, no net worth or income requirements for investors, and pressure to buy immediately.
  • Limited recovery options if fraud or theft results in the loss of Bitcoin.
  • Certain unique risks of investments involving Bitcoin, including lack of insurance usually held by banks and brokerage firms, historic Bitcoin exchange rate volatility, potential governmental restrictions, and the potential that Bitcoin exchanges may stop operating due to fraud, technical difficulties, hackers or malware.

If the SEC’s recent guidance is not enough to make you pause and think before investing in anything relating to Bitcoin, you may want to review the SEC’s July 2013 Investor Alert about the use of Bitcoin in Ponzi schemes, the Financial Industry Regulatory Authority’s recent Investor Alert cautioning investors about the risks of buying and using digital currency such as Bitcoin, and the North American Securities Administrators Association’s listing of digital currency on its list of the top 10 threats to investors for 2013. In addition, the IRS has issued guidance stating that the IRS will treat virtual currencies, such as Bitcoin, as property, which has the potential to make transactions in Bitcoin far more complex than transactions in traditional currencies.

SEC Issues Partial Stay of Conflict Minerals Rule

On Friday, the SEC issued an official order staying the effective date for compliance with the portions of the conflict minerals rules that would require issuers to make statements that the United States Court of Appeals for the District of Columbia held would violate the First Amendment. This order does not provide companies with any relief beyond that already provided in the SEC’s Statement on the Effect of the Recent Court of Appeals Decision on the Conflict Minerals Rule, which was issued on April 29th. (See my earlier blog describing such statement.)

SEC Issues Statement Regarding the Status of the Conflict Minerals Rule

Today the SEC issued a Statement on the Effect of the Recent Court of Appeals Decision on the Conflict Minerals Rule. (See our earlier blogs regarding the conflict minerals rule and the legal challenge thereto.) Form SD did not go away and compliance with the conflict minerals rule was not stayed. The SEC tried to reach some sort of a compromise and provided the following in its statement:

“Subject to the guidance below and any further action that may be taken either by the Commission or a court, the Division expects companies to file any reports required under Rule 13p-1 on or before the due date. The Form SD, and any related Conflict Minerals Report, should comply with and address those portions of Rule 13p-1 and Form SD that the Court upheld. Thus, companies that do not need to file a Conflict Minerals Report should disclose their reasonable country of origin inquiry and briefly describe the inquiry they undertook. For those companies that are required to file a Conflict Minerals Report, the report should include a description of the due diligence that the company undertook. If the company has products that fall within the scope of Items 1.01(c)(2) or 1.01(c)(2)(i) of Form SD, it would not have to identify the products as “DRC conflict undeterminable” or “not found to be ‘DRC conflict free,’” but should disclose, for those products, the facilities used to produce the conflict minerals, the country of origin of the minerals and the efforts to determine the mine or location of origin.

No company is required to describe its products as “DRC conflict free,” having “not been found to be ‘DRC conflict free,’” or “DRC conflict undeterminable.” If a company voluntarily elects to describe any of its products as “DRC conflict free” in its Conflict Minerals Report, it would be permitted to do so provided it had obtained an independent private sector audit (IPSA) as required by the rule.  Pending further action, an IPSA will not be required unless a company voluntarily elects to describe a product as “DRC conflict free” in its Conflict Minerals Report.

The Division will consider the need to provide additional guidance in advance of the filing due date. Companies with questions about the content of the Form SD and Conflict Minerals Report should contact the Office of Rulemaking in the Division of Corporation Finance at (202) 551-3430.”

Conflict Minerals Rules…What Action will the SEC Take?

The recent opinion by the United States Court of Appeals for the District of Columbia has ignited much debate in the legal community as to what action the SEC will or should take in response.

Today, SEC Commissioners Daniel M. Gallagher and Michael S. Piwowar issued a Joint Statement on the Conflict Minerals Decision in which they stated that they think the SEC should stay the effectiveness of the conflict minerals rules and no further regulatory obligations should be imposed, pending the outcome of the conflict minerals litigation. Commissioners Gallagher and Piwowar further state that, in their view, the District Court should determine that the entire rule is invalid.

In contrast, last week members of Congress wrote a letter to the SEC Chair urging the SEC to continue the implementation of the conflict minerals rules as scheduled.

Many public companies that are busy preparing their initial Form SD are anxious to know how the SEC will respond. But it remains to be seen what official action the SEC will take.

Is the Disclosure Pendulum Swinging Back?

At the beginning of this year, I blogged about the SEC Staff Report on Public Company Disclosure issued on December 20, 2013, which has the ambitious goal of modernizing and simplifying the disclosure that public companies are obligated to provide. At the time, it was unclear how soon the SEC would start moving forward with this initiative.

On April 11, 2014, when Keith F. Higgins, Director of the SEC Division of Corporation Finance, delivered his speech on disclosure effectiveness before the ABA Business Law Section Spring Meeting, it became clear that the SEC is going to take a close look at existing disclosure requirements soon. Mr. Higgins said that Chair White had asked the Division to “lead the effort to develop specific recommendations for updating the disclosure requirements.” However, Mr. Higgins was also very clear that “reducing the volume of disclosures” is not going to be the “sole end game” of this project. If the SEC identifies “potential gaps in disclosure or opportunities to increase the transparency of information,” it may “recommend new disclosure requirements.”

Mr. Higgins provided a roadmap of the disclosure project that is being undertaken by his Division. It will start with the Division’s review of Regulation S-K requirements related to (i) business and financial disclosures that flow into Forms 10-K, 10-Q and 8-K and transactional filings, (ii) industry guides and form-specific disclosures, and (iii) scaling of disclosure provided by smaller reporting companies and emerging growth companies. The Division will also look at Regulation S-X requirements related to acquired businesses and guarantors, differences in the disclosure requirements under the Securities Act of 1933 and Securities Exchange Act of 1934 as well as the overlap between the GAAP requirements in the footnotes to the financial statements and the SEC requirements. The Division will also explore whether the focus and navigability of disclosure documents can be improved by using structured data or hyperlinks.

While it will obviously take some time to review the areas described above and implement changes through the rulemaking process, Mr. Higgins included in his speech a “Call to Action” for public companies to improve their disclosure now. He posed a few fresh questions for the audience:

“Before you repeat anything in a filing, please step back and ask yourself — do I need to say it again?”

If a company includes new disclosure because a client alert says that it is a “hot button” issue for the Staff, “the first question should be ‘does this issue apply to the company?’”

The point that Mr. Higgins was making was that public companies should:

  • reduce repetition in an SEC filing (for example, by using cross-references);
  • focus their disclosure on matters that actually apply to the company as opposed to including disclosure only because other public companies have done so or a client alert recommended it; and
  • eliminate outdated or immaterial information from the filings, even if such information is “sacred” because it was included in response to prior SEC comments.