On March 2nd, SEC Commissioner Daniel M. Gallagher issued a statement expressing his concern about the number and aggregate impact of regulations that have been imposed on U.S. financial services firms since the enactment of the Dodd-Frank Act. He presented a remarkable diagram of the rules adopted since July 2010 affecting U.S. financial services holding companies. It shows a sprawling network of rules emanating like spokes from an oval-shaped hub, representing a single US financial services holding company. The image recalls a golden egg sitting on a bed of squid-ink angel hair pasta; or perhaps a fat, amber-bellied spider crouched on its web.
The SIFMA Compliance & Legal Society’s Annual Seminar will be held the week after next (March 15 to 18) in Phoenix. SEC Chair Mary Jo White is among the keynote speakers on the program, which features 65 panels dedicated to keeping compliance and legal professionals in financial services ahead of the curve.
Joining Chair White in the sunny Southwest will be a contingent of LexisNexis representatives, including our own Jason Hinz. If you’re at SIFMA, be sure to swing by and say hello to Jason, who’ll be happy to tell you about all that is great and new and on the horizon for Lexis Securities Mosaic and Lexis Practice Advisor.
SIFMA (the Securities Industry and Financial Markets Association) advocates the interests of securities firms, banks, and asset managers.
Ever since SEC Commissioner Kara M. Stein asked last April whether some financial firms were too big to bar, there has been a growing debate over whether and when the SEC should waive a firm’s automatic disqualification from participation in certain securities-related activities after an SEC enforcement action.
What the debate is about (or supposedly not about). According to Stein and Commissioner Luis A. Aguilar, who has joined Stein in her dissents, the imposition (or non-imposition) of an automatic bar is not about punishment. Rather, automatic bars are about reducing recidivism. In the profession of that belief they are joined by Commissioner Daniel M. Gallagher and one assumes by Commissioner Michael S. Piwowar and Chair Mary Jo White.
But how should recidivism be reduced? In mid-February Gallagher gave a speech in which he recounted the historical antecedents of administrative waivers, noting that waiver requests were “dispassionately considered by the relevant policy division staff, on the merits and not in conjunction with the underlying enforcement case giving rise to the disqualification.” (Emphasis added.) View the text of the speech here. And therein lies the rub. While a majority of the Commissioners appear willing to support a waiver provided it is unrelated to the underlying enforcement action (and therefore unrelated to reducing recidivism), Stein is not. At the recent SEC Speaks conference Stein voiced her view that “the argument that we should grant a waiver whenever the reason for automatic disqualification is ‘unrelated’ to the waiver defies common sense.” She continues, “problems of compliance start and end at the top. The degree to which those at the top knew or should have known about a violation or a failed culture of compliance is an important factor in analyzing whether an automatic bad actor bar should occur. I have been urging the Commission to adopt and use this factor in the context of evaluating these bars. And if a firm is so sprawling and large that the top simply cannot manage it at all, isn’t that a problem in and of itself?” View the text of her remarks here.
Despite this apparent impasse, a possible way forward may be in the offing. In his mid-February speech Gallagher said he intends to condition his votes on enforcement recommendations on an understanding of the planned disposition of requested waivers, a position for which Piwowar voiced support in his remarks at the SEC Speaks conference. View the text of Piwowar’s remarks here.
But an irony remains. Although the Commissioners agree that automatic disqualifications are not an additional punishment, it appears their waiver will be considered in the sanctions context. And the consideration of waivers in this context may force firms to agree to additional undertakings as part of the settlement process.
When Stein and Aguilar dissented from an SEC order granting a waiver to Oppenheimer & Co. from the “bad actor” automatic disqualification provision of Securities Act Rule 506(d)(1)(ii), they criticized the majority’s failure to require the involvement of Oppenheimer’s senior management in future compliance reviews and the failure to condition the continuation of the waiver on evidence of Oppenheimer’s continued compliance with the securities laws. View the text of the dissent here.
Because Stein and Aguilar were outvoted with respect to Oppenheimer, such conditions were never imposed. But given the frequency with which Commissioners must recuse themselves, instances in which additional undertakings may be required in order to secure the necessary votes to approve a settlement may arrive in the near future.
Last week, the SEC and FINRA separately issued warnings to investment firms about lurking cybersecurity threats.
The SEC’s Risk Alert summarizes the Office of Compliance Inspections and Examinations’ recent examination sweep of 57 broker-dealers and 49 investment advisers. The examinations focused on how firms identify cybersecurity risks; establish cybersecurity policies, procedures, and oversight processes; protect their networks and information; identify and address risks associated with remote access to client information, funds transfer requests, and third-party vendors; and detect unauthorized activity.
The good, the bad and the ugly. On the positive side, OCIE’s examination found that the vast majority of examined broker-dealers and advisers have adopted written information security policies and most also conduct periodic audits to determine compliance with these policies and procedures. The policies and procedures generally address mitigating the effects of a cybersecurity incident and/or outline the plan to recover from such an incident. However, the policies generally fail to address how firms determine whether they are responsible for client losses associated with cyber incidents, and even fewer firms offer security guarantees to protect their clients against cyber-related losses.
Similarly, while the vast majority of examined firms conduct periodic risk assessments, few applied these requirements to their vendors even though a majority of firms experienced cyber-attacks directly or through one or more of their vendors.
Almost two-thirds of the broker-dealers that received fraudulent emails reported the emails to the Financial Crimes Enforcement Network by filing a Suspicious Activity Report, but only a small number of those firms reported the fraudulent emails to law enforcement or other regulatory agencies. With the exception of an investment adviser who lost in excess of $75,000 as a result of a fraudulent email, advisers generally did not report incidents to a regulator or law enforcement.
Good practices. FINRA’s Report on Cybersecurity Practices identifies principles and effective practices for firms to consider. Good practices include a sound governance framework with strong leadership; the use of risk assessments; the adoption of technical controls; the development, implementation and testing of incident response plans; the exercise of strong due diligence across the lifecycle of vendor relationships; the training of staff; and the use of intelligence-sharing opportunities. FINRA expects firms to consider the principles and effective practices it presents and will assess the adequacy of firms’ cybersecurity programs in light of the risks they face.
Bad consequences. The consequences of failing to adopt a comprehensive cybersecurity policy were recounted by Kevin LaCroix of the D&O Diary. LaCroix noted that a federal district court has upheld the Federal Trade Commission’s authority to bring enforcement actions based on a company’s failure to protect its customers’ private information. And the SEC’s OCIE has made cybersecurity an examination priority for 2015. See, SEC Press Release. And citing the recent remarks of Vincente Martinez, who heads the SEC’s Office of Market Intelligence, Think Advisor said that the Commission and FINRA are using Regulation SP for cybersecurity enforcement purposes and that FINRA is also employing FINRA Rule 2010.
Lexis Securities Mosaic will have a presence at the 2015 LegalTech Trade Show, happening February 3, 4, and 5 in New York City. I’ll be there alongside my colleagues from our sister product Lexis Practice Advisor.
I’ve had the honor of talking with many of you over the years from my post in Seattle — but I haven’t met most of you in person. If you’re at LegalTech, come on by our booth and say hi!
Over the past seven days the SEC proved the old adage wrong. Good things don’t come in threes, they come in twos. SEC staff published two no-action letters, two new Compliance and Disclosure Interpretations (“CDIs”), and two new frequently asked questions and answers (“FAQs”) regarding the implementation of the Volcker rule.
No-Action Letters. The first no-action letter was issued by the Division of Corporation Finance and addresses abbreviated, five-day tender offers for non-convertible debt securities. The no-action position is notable not only for the relief it provides, but also for how it was obtained. Attorneys from 18 different law firms collaborated to submit and obtain the relief.
The no-action relief supersedes all previously issued relief relating to abbreviated offering periods in non-convertible debt tender offers. The no-action letter confirms that the Division of Corporation Finance will not recommend any enforcement action if an offeror conducts a tender offer for non-convertible debt securities and holds the tender offer open for at least five business days from and including the date the tender offer is first published by means of “immediate widespread dissemination” and continues to hold open the tender offer for at least three business days from and including the date of the announcement of any material change in the offer other than a change in the consideration offered. Unlike the previously issued no-action position, the relief requires “immediate widespread dissemination” of offer materials; employs a business day instead of a calendar day construct; allows for offers to be made with Qualified Debt Securities; and eliminates the distinction between investment grade and non-investment grade debt securities. View the no-action letter here.
The second no-action letter was issued by the Division of Trading and Markets, which advised it will not recommend enforcement action under Rule 10b-10 of the Securities Exchange Act of 1934 against broker-dealers effecting repurchase transactions on behalf of their institutional customers that rely on MarketAxess’ electronic platform to satisfy confirmation delivery obligations to their institutional investors if all of the disclosures required by Rule 10b-10 are provided electronically. View the no-action letter here.
Compliance and Disclosure Interpretations. The Division of Corporation Finance added Question 279.01 and Question 118.01 to its CDIs. Question 279.01 concerns Securities Act Rule 905, which provides that any “restricted securities” under Rule 144 that are equity securities of a domestic issuer will continue to be deemed to be restricted securities notwithstanding that they were acquired in a resale transaction pursuant to Rule 901 or 904. The CDI clarifies that Rule 905 only applies to equity securities that, at the time of issuance, were those of a domestic issuer. Therefore, a holder of restricted securities, which were originally acquired from a foreign private issuer in a transaction described in Rule 144(a)(3) (other than Rule 144(a)(3)(v)), may resell those securities offshore pursuant to Rule 904 and without regard to Rule 905, even if the issuer no longer qualifies as a foreign private issuer at the time of resale. View Question 279.01 here.
Question 118.01 concerns Rule 304(e) of Regulation S-T, which requires information filed with the SEC to be in a searchable form. The CDI notes that with regard to required disclosures, a filer may present required information using graphics that are not text-searchable and still comply with Rule 304(e) if the filer also presents the same information as searchable text or in a searchable table within the filing. Any additional information that the filer chooses to include in the filing and that is not required to be disclosed may be presented graphically without a separate text-searchable presentation. View Question 118.01 here.
Volcker Rule Guidance. The Division of Trading and Markets added two new FAQs regarding the implementation of the Dodd-Frank Act’s Volcker rule. The first addresses when banking entities subject to metrics reporting must begin doing so within 10 days of the end of each calendar month. Beginning with metrics for the month of August 2015, banking entities must submit metrics within 10 days of the end of the month. As a result, metrics for the month of August 2015 must be reported by September 10, 2015.
The second discusses the Treasury Department’s Separate Trading of Registered Interest and Principal of Securities (“STRIPS”) program. Under the program, eligible Treasury securities are authorized to be separated into principal and interest components and transferred separately. Because these separate principal and interest components are backed by the full faith and credit of the United States, the interest-only and principal-only components also are exempt from the Volcker rule. View the Volcker Rule FAQs here.
Wednesday morning, the SEC announced it has fined and imposed a one-year suspension against Standard & Poor’s Ratings Services for its fraudulent misconduct in the ratings of certain commercial mortgage-backed securities (“CMBS”). To settle three SEC administrative proceedings, S&P agreed to pay over $58 million in disgorgement, interest, and penalties. S&P will pay an additional $19 million to settle related cases brought by the New York Attorney General’s office and the Massachusetts Attorney General’s office. View the SEC’s announcement here, the New York Attorney General’s announcement here, and the Massachusetts Attorney General’s announcement here.
The SEC’s first order addressed S&P’s practices in its conduit fusion CMBS ratings methodology. S&P admitted that its public disclosures affirmatively misrepresented the methodology it used in 2011 to rate six conduit fusion CMBS transactions and to issue preliminary ratings on two more transactions. As part of this settlement, S&P agreed to a one-year suspension from rating conduit fusion CMBS. It further agreed to pay disgorgement of $6.2 million, prejudgment interest of $800,000, and a civil money penalty of $35 million to the SEC.
The second SEC order found that after being frozen out of the market for rating conduit fusion CMBS in 2011, S&P sought to re-enter that market with overhauled ratings criteria. To illustrate its new criteria’s relative conservatism, S&P published an article purporting to show that the new credit enhancement levels could withstand Depression-era levels of economic stress. S&P’s research, however, relied on flawed and inappropriate assumptions. Without admitting or denying these allegations, S&P agreed to settle this action by, among other things, paying a $15 million civil penalty.
The third order addressed S&P’s self-reported internal control failures, which occurred from October 2012 to June 2014. During that time, S&P changed an important assumption, which made its ratings less conservative and inconsistent with its publicized assumptions. When it made those changes, S&P did not follow its internal policies, using instead ad hoc workarounds that were not fully disclosed to investors. Without admitting or denying these findings, S&P agreed to extensive undertakings.
Finally, in a contested order the SEC’s Enforcement Division instituted administrative proceedings alleging that Barbara Duka, the former head of S&P’s CMBS Group, fraudulently misrepresented the manner in which the firm calculated conduit fusion CMBS ratings in 2011. This matter will be scheduled for a public hearing before an administrative law judge.