In order to provide an overview for busy in-house counsel and compliance professionals, we summarize below some of the most important U.S. Securities and Exchange Commission (SEC) enforcement developments from the past month, with links to primary resources. This month we examine:

  • A framework for CCO liability;
  • Whether scheme liability claims under Rule 10b-5 require more than misstatements or omissions;
  • Charges against a former Coinbase product manager in a crypto asset insider trading action;
  • A blast of insider trading actions generated by the SEC's own data analysis; and
  • Fines for three financial institutions for inadequate identity theft controls, in violation of Regulation S-ID.

1. SEC Holds Chief Compliance Officer (CCO) Liable for Failing to Implement Policies and Procedures

On July 1, 2022, Commissioner Hester M. Peirce issued a statement in support of a settled administrative hearing brought the day before against Hamilton Investment Counsel LLC ("Hamilton"), a registered investment adviser based in Georgia, and its CCO. Hamilton was found to have violated Section 206(4) of the Investment Advisers Act of 1940 and Rule 206(4)-7 thereunder, which require that registered investment advisers adopt and implement written compliance policies and procedures reasonably designed to prevent violations of the Advisers Act; the CCO was charged with aiding and abetting those violations. Commissioner Peirce's support of this action is significant given her prior statements setting forth her concerns regarding personal liability for CCOs and her analysis of how one framework could be adopted for this analysis.

According to the SEC's order, from at least December 2019, Hamilton's CCO knew or should have known that the firm's compliance program was inadequately implemented, and he failed to make sufficient changes to the design or implementation of the program. According to the SEC order, the CCO, who was also a principal of the firm, knew of an outside business activity being conducted by a Hamilton investment adviser representative ("IAR"), but did not require the IAR to complete the reporting form required by the firm prior to engaging in such activities and did not conduct a review sufficient to determine whether the activity presented any conflicts of interest, as he was required to do under Hamilton's compliance manual. The CCO also failed to take sufficient steps to verify that the firm or the IAR had adequately disclosed to clients the IAR's relationship to the outside business activity or any associated conflicts. The SEC further alleged that over the course of a year, the CCO received numerous red flags, including learning about the transfer of Hamilton client assets to the IAR's outside business, that the IAR failed to meet the requirements of the firm's and another registered entity's compliance programs, and that the IAR was using Hamilton's office address for his outside business. Despite learning of these red flags, the CCO failed to take sufficient steps to monitor and report the conduct pursuant to the firm's compliance program.

In support of the settlement, Commissioner Peirce ran through a CCO liability framework recently proposed by the Compliance Committee of the New York City Bar Association. The SEC has not yet adopted such a framework, though FINRA issued new guidance on the role of CCOs with respect to supervisory liability at registered broker-dealers, as discussed in our March 2022 Top 5. The Bar Association's proposed framework asks various questions to determine whether conduct of a CCO represents a "wholesale failure" to carry out compliance responsibilities:

  • Did the CCO not make a good-faith effort to fulfill his or her responsibilities?
  • Did the wholesale failure relate to a fundamental or central aspect of a well-run compliance program at the registrant?
  • Did the wholesale failure persist over time and/or did the CCO have multiple opportunities to cure the lapse?
  • Did the wholesale failure relate to a discrete specified obligation under the securities law or the compliance program at the registrant?
  • Did the SEC issue rules or guidance on point to the substantive area of compliance to which the wholesale failure relates?
  • Did an aggravating factor add to the seriousness of the CCO's conduct?

Applying the framework in a way that might suggest a limiting principle, Commissioner Peirce noted that unlike some CCOs who are responsible for "something . . . ultimately determined by other human beings whom the CCO cannot control" Hamilton's CCO "was both a principal of the firm and the CCO, and therefore clearly had authority to exercise substantial control over his firm's compliance." As such, the CCO knew or should have known of the inadequacy of the firm's compliance program and had adequate authority to address it; the failure did not relate to an area of uncertainty for the firm because its own compliance program required disclosure of outside business activities; the failure to address known weaknesses persisted for more than a year, and the CCO had multiple opportunities to address the unreported outside business activity; this was a fundamental failure to deploy the compliance program effectively; the CCO's lapses cannot be tied to an absence of Commission guidance; and there was an added aggravating factor that another registered entity had flagged certain transfers of client assets to the IAR's outside business activity.

#CCOLiability #FrameworkForWholesaleFailure

2. Second Circuit Affirms District Court's Dismissal of Scheme Liability Claims in SEC v. Rio Tinto

On July 15, 2022, the Second Circuit affirmed the district court's dismissal of the SEC's scheme liability claims against Rio Tinto PLC and two of its executives. Specifically, as explained further in our recent Client Alert, the Second Circuit agreed with the lower court's decision that because the alleged conduct constituted misstatements and omissions only, there was an insufficient basis for scheme liability claims, which are covered under Rule 10b-5(a) and (c), promulgated under Section 10(b) of the Securities Exchange Act of 1934 and prohibit "any device, scheme, or artifice to defraud" and any act that operates as a fraud in connection with the purchase or sale of securities.

The district court opinion under review was issued in March 2019, where the district court cited the Second Circuit's 2005 decision in Lentell v. Merrill Lynch & Co. in holding that scheme liability does not exist when the sole basis for those claims is purported misrepresentations or omissions. One week later, the U.S. Supreme Court decided in Lorenzo v. SEC that an individual who disseminated a false statement—but did not make it—could be liable under Rule 10b-5's scheme liability provisions.

The SEC moved to reconsider the dismissal of its claims in Rio Tinto, arguing that Lorenzo expanded the scope of scheme liability so that allegations of misstatements and omissions alone are sufficient to state a scheme liability claim. The district court declined to reconsider, and the Second Circuit agreed on interlocutory appeal, noting that the SEC "has exerted substantial effort to shoehorn its allegations into a claim for scheme liability" but that its position would undermine parts of Rule 10b-5(b). "Until further guidance from the Supreme Court (or in banc consideration here), Lentell binds: misstatements and omissions can form part of a scheme liability claim, but an actionable scheme liability claim also requires something beyond misstatements and omissions, such as dissemination."

Rio Tinto surely will not be the last word regarding the scope of scheme liability. Indeed, while the Second Circuit made clear that "something beyond" misstatements or omissions is required for scheme liability, the court explicitly left for another day precisely what that something might be.

#SchemeLiability #MoreThanMisstatements

3. SEC Charges Former Coinbase Manager in Crypto Asset Insider Trading Action

On July 21, 2022, the SEC filed charges of insider trading in federal court in Seattle against former Coinbase Global, Inc. ("Coinbase") product manager Ishan Wahi, his brother, and a close friend. In addition, the U.S. Attorney's Office for the SDNY announced criminal charges against all three individuals. Notably, the criminal authorities charged wire fraud and wire fraud conspiracy rather than statutory securities fraud, so their actions will not depend on proving in the first instance that the crypto assets at issue are securities. The DOJ heralded the charges as "the first ever insider trading case involving cryptocurrency markets."

The SEC's case is particularly notable because it relies on treating the traded assets as securities at a time when many in the industry are either claiming otherwise or urging greater clarity from regulators as to when particular crypto assets qualify as securities. Indeed, in its press release, the SEC reiterated that "whether in equities, options, crypto assets, or other securities, we will vindicate our mission by identifying and combatting insider trading in securities wherever we see it."

According to the SEC's complaint, from at least June 2021 to April 2022, Ishan, while employed at Coinbase, repeatedly tipped the timing and content of upcoming public listing announcements of crypto assets on its trading platform to his brother and friend. The SEC alleges that these announcements included a description of which crypto assets or tokens would be made available for trading, and such announcements typically resulted in a quick and significant increase in the assets' prices.

The complaint further alleges that upon receipt of Ishan's tips ahead of the announcements, Ishan's brother and friend purchased at least 25 crypto assets, at least nine of which the SEC claims were securities, before selling them shortly after the announcement for a profit. The insider trading scheme allegedly generated illicit profits totaling more than $1.1 million made over 10 months.

#InsiderTradingInCrypto #Crypto=Securities?

4. SEC Files Multiple Insider Trading Actions against Former Chief Information Security Officer, Former FBI Trainee, and Investment Banker

On July 25, 2022, the SEC filed three complaints in the SDNY against nine individuals in connection with three separate alleged insider trading schemes that jointly yielded more than $6.8 million in ill-gotten gains. The SEC touted the discovery of these cases through the Enforcement Division's Market Abuse Unit's Analysis and Detection Center, which uses data analytics to detect suspicious trading patterns. Those charged include a former chief information security officer ("CISO"), an investment banker, and a former trainee of the Federal Bureau of Investigation ("FBI"). The U.S. Attorney's Office for the SDNY announced parallel criminal charges in each case.

In the first complaint, the SEC alleged that Amit Bhardwaj, the former CISO of Lumentum Holdings Inc. ("Lumentum"), and four friends traded ahead of two corporate acquisition announcements by Lumentum, profiting more than $5.2 million. Specifically, in January and October 2021, Bhardwaj, while working at Lumentum, learned material nonpublic information about the company's acquisition plans. In the first instance, Bhardwaj traded in Lumentum's acquisition target and tipped a friend, with the understanding that his friend would later share some of his illicit profits. In the second instance, Bhardwaj tipped three other friends who took large positions in another Lumentum acquisition target. After the announcement of the acquisition, one of the friends indirectly transferred funds to Bhardwaj's relative in India, as instructed by Bhardwaj.

In the second complaint, the SEC alleged that Brijesh Goel, an investment banker, and his friend from business school, Akshay Niranjan, a foreign exchange trader at a large financial institution, profited more than $275,000 from illegally trading ahead of four acquisition announcements in 2017 that Goel learned about through his employment. The complaint further alleges Niranjan purchased call options on the target companies and later wired Goel $85,000 for Goel's share of the proceeds.

In the third complaint, the SEC alleged that Seth Markin, a former FBI trainee, and his friend Brandon Wong made approximately $82,000 and $1.3 million, respectively, from illegally trading ahead of the February 2021 announcement of a tender offer by Merck & Co., Inc. ("Merck"), to acquire Pandion Therapeutics, Inc. The complaint alleged that Markin secretly reviewed the binder of deal documents about the planned tender offer from his then-romantic partner, who worked as an associate for a law firm representing Merck on the deal, traded on the information, and tipped his close friend Wong. After the announcement, Wong allegedly bought Markin a Rolex watch to thank him for the tip.

#MisappropriatingMNPIfromGirlfriendLawAssociate #FBItraineeChargedWithInsiderTrading #CISOInsiderTrading #InvestmentBankerInsiderTrading

5. SEC Fines Financial Institutions over Identity Theft Controls

On July 27, 2022, the SEC separately settled claims with three financial institutions for alleged deficiencies in their programs to prevent customer identity theft, in violation of the SEC's Identity Theft Red Flags Rule, or Rule 201 of Regulation S-ID.

Specifically, the SEC alleged that from at least January 2017 to October 2019, the firms' identity theft prevention programs did not include reasonable policies and procedures to identify relevant red flags of identity theft in connection with customer accounts or to incorporate those red flags into their programs. The SEC further alleged that the firms' programs lacked reasonable policies and procedures to respond appropriately to detected identity theft red flags, or to ensure that their programs were updated periodically to reflect changes in identity theft risks to customers.

None of the firms are alleged to have experienced an actual breach that resulted in identity theft, signaling an increasingly proactive approach by the SEC in scrutinizing companies' identity theft programs. Indeed, the SEC press release states that the investigations that resulted in enforcement action were started by examinations of the financial institutions.

According to the SEC's orders, two of the firms failed to exercise appropriate and effective oversight of all service provider arrangements and two of the firms failed to adequately involve the board of directors in overseeing and administering their identity theft prevention programs.

Without admitting or denying the SEC's findings, each firm agreed to pay penalties ranging from $425,000 to $1.2 million and to cease and desist from future violations of Rule 201.

#RegS-ID #IdentityTheftPreventionProgram

Sophie Barnett, a Law Clerk in our New York office, contributed to the writing of this alert.

© Morrison & Foerster LLP. All rights reserved