SEC Attacks the Rating Agencies

The SEC took its first swing at the failure of credit rating agencies by serving a Wells Notice on Moody’s Investor Service.

At issue, according to the Moody’s filing, is the determination in 2007 that members of one of its European rating committees “engaged in conduct contrary to Moody’s Code of Professional Conduct.”  Members of a credit committee knew that some of the products had been given inflated ratings because of a problem in the company’s risk modeling software.

Moody’s is one of only 10 Nationally Recognized Statistical Rating Organizations under the Credit Rating Agency Reform Act of 2006.

The disclosure in Moody’s 10-Q states that the SEC “is considering recommending that the SEC institute administrative and cease-and-desist proceedings against MIS in connection with MIS’s initial June 2007 application on SEC Form NRSRO to register as a nationally recognized statistical rating organization under the Credit Rating Agency Reform Act of 2006.” The theory is that Moody’s description of its procedures and principles was “rendered false and misleading” as of the time of the application because of the Company’s finding that a rating committee policy had been violated.

The case reminds me of the Hennessee Group action where the SEC brought an action against a hedge fund for failing to conduct adequate diligence. The reason was that the hedge fund claimed that they had a particular due diligence program, but failed to follow the program. The diligence failure by itself was not actionable, but failing to live up to your self-professed standards made it actionable.

It sounds like the SEC is making a similar case against Moody’s. In their application, they claimed to have a certain procedure but failed to follow it. We all know that credit agencies did a poor job of rating CDOs. That by itself caused damages but may not be actionable. So the SEC is going after them for failing to follow their own self-professed standards and policies.

It’s too early to tell what may happen. A worst case scenario would be removing Moody’s status as a NRSRO. Obviously that would be a nuclear option that would destroy the company. The SEC action sounds like it is related to Moody’s ratings of just one type of credit product, so the effects might be minimal.

Will the SEC go after the other rating agencies? Or will Moody’s be the sacrificial lamb to warn the others?

Trust and Compliance

To some extent, compliance programs are about the opposite of trust. A compliance professional wants to check on the status of a person’s actions to make sure rules are not being broken. Theoretically, you wouldn’t need to check on the status if you trusted that the person would not break the rules.

There are two big reasons that you can’t rely on trust and should have a compliance program.

The rules can be complex

Depending on the industry, a company can be subject to hundreds, thousands or even millions of separate rules affecting its internal and external behavior. Some rules are clear and simple to understand. Other rules are very complex and require the organization to interpret how it wants to act in relation to the rule.

I think the vast majority of non-compliance comes from misunderstanding the rules.

An important part of compliance is educating the people in your organization about the rules. They are less likely to inadvertently break a rule if they know the rule exists and what it requires. Also, there are some studies that show intentional non-compliance can be reduced by regular exposure to education about the rules.

There are bad actors

There may be people in your organization who are bad actors. You hope that everyone you’ve hired will act in the best interests of the organization. They were probably trustworthy when you hired them. But behavior changes.

A role of compliance is to find the bad actors and either change their behavior or get them out of your organization.

Compliance is Pixie Dust

As Peter Pan said: “What’s the matter with you. All it takes is faith and trust. …  And something I forgot, dust. Just a little bit of pixie dust.” A good compliance program is the pixie dust.

You know you’ve failed as a CCO when you get barred by FINRA

The Financial Industry Regulatory Authority permanently barred Tod Bretton, former chief compliance officer and head trader for Prestige Financial Center, Inc.

“FINRA found that, from at least September 2006 through June 2009, Bretton, working from the firm’s New York office, engaged in a fraudulent trading scheme in which he took advantage of customers placing large orders (generally 1,000 shares or more) to buy or sell stocks. Rather than effecting the trades in the customers’ accounts, FINRA found, Bretton first placed the orders in a firm proprietary account. He would then increase the price per share for securities purchased by approximately $.02 to $.05 above the market price before allocating the shares to the customers’ accounts. Similarly, he would decrease the price per share for securities sold by approximately $.02 to $.05 below the market price before allocating the proceeds to the customers’ accounts. This improper price change was not disclosed to or authorized by the customers.”

In settling this matter, Bretton neither admitted nor denied the charges, but consented to the entry of FINRA’s findings. Regardless of whether he admits the charges, he is barred from associating with any FINRA member in any capacity.

It seems that Mr. Bretton was a bad choice for CCO at his former firm.

I was also disappointed to see that the BrokerCheck did not throw up a bigger red flag for this type of discipline. After all, this is a permanent bar. The BrokerCheck webpage for Tod Bretton just states that there are events disclosed in the Detailed Report. You have to get to the ninth page to find out that he is under a permanent bar.

I understand the difficult issues with disclosing disciplinary actions, since some may be unfounded or of little merit. Bretton got the nuclear discipline, ending his career with securities. Such a definitive and absolute result should be made more obvious.

Compliance Bits and Pieces for May 7

Here are some recent compliance related stories that I found interesting:

Why Executive Pay Is So High by Neil Weinberg in Forbes.com

So [Gary] Wilson can say, with more than a little credibility, that the boards supposedly overseeing management are instead packed with lackeys with appalling frequency. It’s a familiar complaint but one that he believes is responsible for out-of-control pay, the short-term greed that helped spawn the recent financial meltdown and a staggering waste of resources. Wilson’s solution: Abolish the joint role of chief executive and chairman and install independent bosses to oversee boards.

The Executive Session by Fred Wilson in A VC

Every board meeting should end with an executive session. The term executive session is an oxymoron because it is a meeting of all the board members other than the executives of the company. The first time most CEOs hear of this idea, they hate it. The words “we want to meet without you” strike fear in the hearts of most CEOs. And understandably so.

What is the Cost of FCPA Compliance? Or what is the cost of non-compliance? by Tom Fox

How do you measure the cost of FCPA compliance? Put another way, can your company afford not to be FCPA compliant? What will the costs be if there are allegations of bribery and corruption in your company? Will the investigative costs exceed $100 million as they may well do in Avon’s case? Will your fine, penalty and any profit disgorgement exceed $550 million as happened with Halliburton or simply be in the $330-$340 million range as with its former Joint Venture partners?

Google Move Steps Up Interest in Web Disclosure By Melissa Klein Aguilar in Compliance Week

Last month, the search engine giant published a press release touting its first-quarter 2010 results—without actually detailing what the results were. Instead, it directed anybody curious to visit Google’s investors relations Website and announced that it intends to make all future announcements about financial performance exclusively through news posted there.

That’s a departure from prevalent practice in Corporate America, which is to publish the full text of earnings information in a press release. It also puts Google in the vanguard of companies taking advantage of guidance the Securities and Exchange Commission published nearly two years ago to encourage companies to use disclosure via Website more often.

How The Hell Did GM Pay Back Its Loans “in Full And Ahead of Schedule”? Well, It Didn’t.

Social Networking / Web 2.0 Revolution

This morning I presented to the Association of Legal Administrators. They asked me to give the view as a lawyer, law firm client, former legal administrator and blogger on what law firms should know about web 2.0. I also mixed risks, policies and compliance issues.

The crowd was a diverse bunch in terms of how they use the tools personally and at their law firms.

Here are the materials, with references and links to tools I mentioned in the presentation.

Here is a link to my social media policies database.

Evolving Employee Rights in the Age of Web 2.0

Morgan Lewis presented an informative webcast on Web 2.0 from the company/employee perspective. These are my notes.

Companies cannot limit the personal use of these sites. But the line between personal and professional can be very fuzzy. You limit access over the company’s network, but employees have easy access from mobile phones and home computers.

They cited Deloitte’s 2009 Ethics & Workplace Survey Examines the Reputational Risk Implications of Social Networks to point out the need for companies to address social media.

One issue is the reasonable expectation of privacy. This is even more complicated given that the data is in the internet cloud and not the company’s hardware or storage. Most (if not all) of your Web 2.0 data resides in the cloud, not your hard drive or network storage that you control.

Personal Use of Mobile Devices

The first issue with privacy is the use of mobile devices. It’s hard to prevent ALL personal use of a company-supplied device, especially a mobile device. Even if you ban personal use of the device, it is hard to monitor and hard to enforce. Would you really discipline an employee who made a personal phone call on their BlackBerry? You need a clear policy that is enforceable. You also need to set reasonable expectations of privacy.

This is exactly the issue addressed in the Quon case, recently argued at the Supreme Court. The panel spent some time discussing the Quon case and some lessons that may be coming out of this case. There are some lessons to be learned from this case, even though the decision may be limited to government workplaces.

The additional complication is that the company (in this case the government) pulled the personal information from a third-party service provider. That implicated the Electronic Communications Privacy Act.

Personal Email

They also took a close look at the . That was more focused on the use of personal email and attorney-client privilege. There are some interesting attacks on that company’s computer use policy.

They raised Convertino v. U.S. Department of Justice, 674 F. Supp 2d 97 (D.D.C. 2009). The DOJ found email between an Assistant Attorney General and his personal attorney. He had used a DOJ email account. He deleted the email, but didn’t realize that a deleted copy would be kept. He deleted the emails immediately after they were sent or received. The court used a test similar to the one used by the Stengart court to look at the employee’s expectation of privacy. DOJ did not ban personal email on the company system.

The takeaway is that employers should inform employees that they have no reasonable expectation of privacy in any technology provided by the company. (It is probably too hard to monitor and enforce a complete ban on personal use.) You should also let them know that back-up copies may exist even if the employee deletes a copy.

Proposed Internet/Email Policy

Here are some items they propose:

  • Limit personal use of the company email system.
  • Inform employees they have no reasonable expectation of privacy in any technology provided by the company (e.g., email, Internet, laptop, PDA).
  • All information forwarded or received via the company email system is subject to monitoring and may be stored.
  • All information sent, received or viewed on the Internet, including personal, web-based communications, instant messages, text messages or other forms of communication, can be stored on a computer’s hard drive, the company’s servers, etc. and can be reviewed and retrieved by the company at any time.
  • Back-up copies of electronic communications may exist, even if “deleted” from the computer.
  • Issue periodic reminders to employees that the computers they are working on do not belong to them, and that information accessed on the computers may be subject to inspection and collection.
  • Describe prohibited activities:
    • Disseminating confidential information;
    • Any actions that could be seen as harassing;
    • “Hacking” and related activities;
    • Tampering with or disabling security mechanisms on company computers;
    • Unauthorized downloads; and
    • Violations of copyright laws.
  • Enforce the policy and punish violators.
  • Obtain signed acknowledgements and post the policy.

HR using Web 2.0

There are special limitations for HR and hiring managers. You need to be careful when using social networking sites to find information about potential hires. Do not try to gain a view of someone’s online account through deception.

You should consider whether employees can give recommendations on sites like LinkedIn.

You can’t prohibit employees from discussing terms and conditions of employment. Such a ban would be a violation under the National Labor Relations Act.

FTC Guidelines and the Workplace

The FTC guidelines are also something to keep in mind. Your employees may be the biggest fans of your products. If an employee is talking about your company’s product, the employee needs to disclose they are an employee. Otherwise it could be considered a deceptive testimonial, creating potential liability for the employee and the company.

The FTC guidelines require disclosure of a material connection between the blogger (commenter, Twitter-er, etc.) and the company. Employment is clearly a material connection. That means it needs to be clearly and conspicuously disclosed (16 C.F.R. § 255.5). The FTC will consider the existence of a policy in deciding whether to bring an enforcement action.

A company should make it clear that the policy is applicable across all communication platforms.

Should you search the internet for information on job applicants?

There are issues. Many people may argue that it is an invasion of privacy. Beyond the practical issues, there are legal issues such as discrimination and unlawful background checks.

You also need to be concerned that the information you find is applicable to that person. There are lots of people out there with similar names. (Even I am not unique: Another Doug Cornelius)

Are you liable for false statements made by your employees?

If the company sponsors the content, then yes, the company can be held responsible. Even on a non-sponsored site, if the company does nothing, that could be viewed as assent and the company could be held responsible.

Can you discipline an employee for using these sites?

Not if they are complaining about their working environment to other employees. That is protected under the National Labor Relations Act.

If the activity is akin to whistle-blowing, then the activity could be protected under Sarbanes-Oxley or state statute.

A few states specifically protect off-duty, off-site conduct.

Can you prevent employees from saying bad things about the company?

An injunction acts as a prior restraint on speech. [See: Bynorg v. SL Green Realty Corp., 2005 WL 3497821 (S.D.N.Y. 2005)]

It is easier to get damages for defamation and invasion of privacy. [See: Varian Medical Systems, Inc. v. Delfino]

If the blogger is anonymous, it’s harder to do. Particularly in California, you need to prove defamation before a court will grant a subpoena.

Protect your IP

You want to be careful about how employees are using your logo or other intellectual property on their own sites.

Materials

They posted a copy of the slidedeck from the presentation on their website if you want more detail: Presentation Slidedeck

FTC and Bloggers

Back in December, the Federal Trade Commission released new guidelines that specifically required bloggers to disclose any material connections to a product or company they are writing about.

The FTC had opened an investigation against Ann Taylor Stores for providing gifts to bloggers who the company expected would post blog content about Ann Taylor’s LOFT stores.

Apparently Ann Taylor missed the memo from their law firm about these guidelines. LOFT held a preview of their Summer 2010 collection and provided gifts to bloggers at a January 26, 2010 event. Bloggers who attended failed to disclose that they received gifts for posting blog content about that event.

“Depending on the circumstances, an advertiser’s provision of a gift to a blogger for posting blog content about an event could constitute a material connection that is not reasonably expected by readers of the blog.”

The FTC decided not to bring an enforcement action and Ann Taylor escaped punishment. The FTC gave these reasons:

  1. The January 26, 2010 preview was the first (and, to date, only) such preview event.
  2. Only a very small number of bloggers posted content about the preview, and several of those bloggers disclosed that LOFT had provided them gifts at the preview.
  3. LOFT adopted a written policy in February 2010 stating that LOFT will not issue any gift to any blogger without first telling the blogger that the blogger must disclose the gift in his or her blog.

Apparently, LOFT posted a sign at the event stating that bloggers should disclose that they received gifts. It seems clear that companies should get a signed agreement from their endorsers about their requirement to disclose before handing out gifts.

As the FTC had stated when they released the Guidelines, they went after the company, not the bloggers. Although the FTC may go after the bloggers also.

SEC is Probing Hedge Funds

They’re looking at you.

Rob Kaplan and Bruce Karpati, co-chiefs of the Asset Management Unit of the SEC enforcement division, held their first full staff meeting last week. This new unit will be focusing on misbehavior by private-equity funds, hedge funds, buyout firms, mutual funds and other asset managers. The unit is one of the five specialty units the SEC formed earlier this year.

Side Pockets

Hedge funds use side pockets to protect new investments, long-term investments and other assets that they do not want to liquidate in the face of redemptions in the fund. In the Great Panic of 2008, funds used side pockets to limit redemption.

Valuations

One issue related to the side pocket is valuation of the assets. One reason for keeping the assets is because the fund managers feel the assets are not being properly valued in the market. On the bad side, the fund may be charging fees against the inflated value of those side pocket assets. Most side pocket assets are illiquid, which makes valuations difficult to determine.

Management Investment

One surprising priority for the unit is evaluating whether fund managers really have their own wealth invested in the fund when they are saying so in the prospectus and marketing materials.

It sounds like some enforcement proceedings are likely to appear in this area in the next few months.
