Like a good horror movie, the specter of SEC administrative bars haunts anyone subject to an enforcement action. It was therefore fitting that the SEC’s Division of Corporation Finance should issue a policy statement on waivers — on Friday the 13th. The quietly issued policy statement specifically addresses the waiver of the automatic disqualification provisions under Regulation A and Rules 505 and 506 of Regulation D. View the Policy Statement here.
The disqualification provisions of Rules 262, 505, and 506 under the Securities Act make the exemptions from registration under Regulation A and Rule 505 of Regulation D unavailable for an offering if an issuer, its affiliates, or certain persons is subject to certain administrative orders, industry bars, injunctions, or specified criminal convictions.
The Commission may waive a disqualification upon a showing of good cause that it is not necessary under the circumstances that the exemptions be denied. The Commission has delegated authority to grant these waivers to the Director of the Division of Corporation Finance, although the Commission retains authority to consider waiver requests and review actions taken pursuant to the delegated authority.
When considering an application for a waiver, the Division will consider the nature of the violation or conviction and whether it involved the offer and sale of securities. In addition, the Division will consider whether the conduct involved a criminal conviction or scienter based violation. Where there is a criminal conviction or a scienter based violation involving the offer and sale of securities, the burden on the party seeking the waiver will be significantly greater.
The Division emphasized that the provisions from which the waiver applicant is disqualified are safe harbors that facilitate private or limited offerings of securities and investors in such offerings do not receive the benefits of the registration requirements of the Securities Act. Therefore, the focus of the Division’s waiver analysis will be on how the identified misconduct bears on the applicant’s fitness to participate in these exempt offerings.
The Division also will consider the following factors, none of which is dispositive.
- Who was responsible for the misconduct and his or her relationship with the waiver applicant. The Division will also consider whether the misconduct reflects more broadly on the entity as a whole. Removal or termination of those responsible for the misconduct will generally be viewed favorably.
- The duration of the misconduct. An isolated event will be treated more favorably than that which occurred over an extended period.
- Remedial measures. The Division will consider what remedial measures the waiver applicant has taken, when those remedial measures began, and whether those measures are likely to prevent a recurrence of the misconduct and mitigate the possibility of future violations.
- The impact if the waiver is denied. The Division will consider the severity of the impact on the issuer or third parties, such as investors, clients or customers, if the waiver request is denied. Applicants should submit information concerning whether or how often they have used the relevant exemption in the past, or how they plan to use the exemption in the future, and explain why a waiver is needed.
Parties seeking a waiver must submit a waiver request that includes appropriate justification, addressing the factors outlined above, describing why a waiver should be granted.
Lexis® Securities Mosaic® is available once again after scheduled maintenance this weekend. Please note that the official URL of our website has also changed to lexissecuritiesmosaic.com. However, other URLs you may have used (securitiesmosaic.com, knowledgemosaic.com) are being automatically redirected and should work fine as well.
We appreciate your patience while the work was being done. Among other benefits, the system upgrade will put us in a better position to make enhancements to the product going forward!
Important notice: Lexis® Securities Mosaic® will temporarily be unavailable this weekend, while we make upgrades to improve our service to you. Our upgrade will begin on Friday, March 20th at 8:00pm EDT / 5:00pm PDT through mid-day Sunday, March 22nd. We apologize in advance for any inconvenience and appreciate your patience. Thank you.
The SIFMA Compliance & Legal Society’s Annual Seminar is happening now in Phoenix. SEC Chair Mary Jo White is among the keynote speakers on the program, which features 65 panels dedicated to keeping compliance and legal professionals in financial services ahead of the curve.
Joining Chair White in the sunny Southwest is a contingent of LexisNexis representatives, including our own Jason Hinz. If you’re at SIFMA, be sure to swing by and say hello to Jason, who’ll be happy to tell you about all that is great and new and on the horizon for Lexis Securities Mosaic and Lexis Practice Advisor.
SIFMA (the Securities Industry and Financial Markets Association) advocates the interests of securities firms, banks, and asset managers
On March 2nd, SEC Commissioner Daniel M. Gallagher issued a statement expressing his concern about the number and aggregate impact of regulations that have been imposed on U.S. financial services firms since the enactment of the Dodd-Frank Act. He presented a remarkable diagram of the rules adopted since July 2010 affecting U.S. financial services holding companies. It shows a sprawling network of rules emanating like spokes from an oval-shaped hub, representing a single US financial services holding company. The image recalls a golden egg sitting on a bed of squid-ink angel hair pasta; or perhaps a fat, amber-bellied spider crouched on its web. Click the image to see the full PDF.
Ever since SEC Commissioner Kara M. Stein asked last April whether some financial firms were too big to bar, there has been a growing debate over whether and when the SEC should waive a firm’s automatic disqualification from participation in certain securities-related activities after a SEC enforcement action.
What the debate is about (or supposedly not about). According to Stein and Commissioner Luis A. Aguilar, who has joined Stein in her dissents, the imposition (or non-imposition) of an automatic bar is not about punishment. Rather, automatic bars are about reducing recidivism. In the profession of that belief they are joined by Commissioner Daniel M. Gallagher and one assumes by Commissioner Michael S. Piwowar and Chair Mary Jo White.
But how should recidivism be reduced? In mid-February Gallagher gave a speech in which he recounted the historical antecedents of administrative waivers, noting that waiver requests were “dispassionately considered by the relevant policy division staff, on the merits and not in conjunction with the underlying enforcement case giving rise to the disqualification.” View the text of the speech here. (emphasis added). And therein lies the rub. While a majority of the Commissioners appear willing to support a waiver provided it is unrelated to the underlying enforcement action (and therefore unrelated to reducing recidivism), Stein is not. At the recent SEC Speaks conference Stein voiced her view that “the argument that we should grant a waiver whenever the reason for automatic disqualification is ‘unrelated’ to the waiver defies common sense.” She continues, “problems of compliance start and end at the top. The degree to which those at the top knew or should have known about a violation or a failed culture of compliance is an important factor in analyzing whether an automatic bad actor bar should occur. I have been urging the Commission to adopt and use this factor in the context of evaluating these bars. And if a firm is so sprawling and large that the top simply cannot manage it at all, isn’t that a problem in and of itself?” View the text of her remarks here.
Despite this apparent impasse, a possible way forward may be in the offing. In his mid-February speech Gallagher said he intends to condition his votes on enforcement recommendations on an understanding of the planned disposition of requested waivers, a position for which Piwowar voiced support in his remarks at the SEC Speaks conference. View the text of Piwowar’s remarks here.
But an irony remains. Although the Commissioners agree that automatic disqualifications are not an additional punishment, it appears their waiver will be considered in the sanctions context. And the consideration of waivers in this context may force firms to agree to additional undertakings as part of the settlement process.
When Stein and Aguilar dissented from a SEC order granting a waiver to Oppenheimer & Co. from the “bad actor” automatic disqualification provision of Securities Act Rule 506(d)(1)(ii), they criticized the majority’s failure to require the involvement of Oppenheimer’s senior management in future compliance reviews and the failure to condition the continuation of the waiver on evidence of Oppenheimer’s continued compliance with the securities laws. View the text of the dissent here.
Because Stein and Aguilar were outvoted with respect to Oppenheimer, such conditions were never imposed. But given the frequency with which Commissioners must recuse themselves, instances in which additional undertakings may be required in order to secure the necessary votes to approve a settlement may arrive in the near future.
Last week, the SEC and FINRA separately issued warnings to investment firms about lurking cybersecurity threats.
The SEC’s Risk Alert summarizes the Office of Compliance Inspections and Examinations’ recent examination sweep of 57 broker-dealers and 49 investment advisers. The examinations focused on how firms identify cybersecurity risks; establish cybersecurity policies, procedures, and oversight processes; protect their networks and information; identify and address risks associated with remote access to client information, funds transfer requests, and third-party vendors; and detect unauthorized activity.
The Good, the bad and the ugly. On the positive side, OCIE’s examination found that the vast majority of examined broker-dealers and advisers have adopted written information security policies and most also conduct periodic audits to determine compliance with these policies and procedures. The policies and procedures generally address mitigating the effects of a cybersecurity incident and/or outline the plan to recover from such an incident. However, the policies generally fail to address how firms determine whether they are responsible for client losses associated with cyber incidents and even fewer offered security guarantees to protect their clients against cyber-related losses.
Similarly, while the vast majority of examined firms conduct periodic risk assessments, few applied these requirements to their vendors even though a majority of firms experienced cyber-attacks directly or through one or more of their vendors.
Almost two-thirds of the broker-dealers that received fraudulent emails reported the emails to the Financial Crimes Enforcement Network by filing a Suspicious Activity Report, but only a small number of those firms reported the fraudulent emails to law enforcement or other regulatory agencies. With the exception of an investment adviser who lost in excess of $75,000 as a result of a fraudulent email, advisers generally did not report incidents to a regulator or law enforcement.
Good practices. FINRA’s Report on Cybersecurity Practices identifies principles and effective practices for firms to consider. Good practices include a sound governance framework with strong leadership; the use of risk assessments; the adoption of technical controls; the development, implementation and testing of incident response plans; the exercise of strong due diligence across the lifecycle of vendor relationships; the training of staff; and the use of intelligence-sharing opportunities. FINRA expects firms to consider the principles and effective practices it presents and will assess the adequacy of firms’ cybersecurity programs in light of the risks they face.
Bad consequences. The consequences of failing to adopt a comprehensive cybersecurity policy were recounted by Kevin LaCroix of the D&O Diary. LaCroix noted that a federal district court has upheld the Federal Trade Commission’s authority to bring enforcement actions based on a company’s failure to protect its customers’ private information. And the SEC’s OCIE has made cybersecurity an examination priority for 2015. See, SEC Press Release. And citing the recent remarks of Vincente Martinez, who heads the SEC’s Office of Market Intelligence, Think Advisor said that the Commission and FINRA are using Regulation SP for cybersecurity enforcement purposes and that FINRA is also employing FINRA Rule 2010.