New SEC Cyber Enforcement Initiative

Now that the Securities and Exchange Commission has some first-hand experience with cybersecurity and getting hacked, it has launched a new initiative to address cyber-based threats.

There is a new Cyber Unit originating in the Enforcement Division. Robert A. Cohen will be Chief of the Cyber Unit, stepping away from being Co-Chief of the Market Abuse Unit. The Cyber Unit will focus on:

  • Market manipulation schemes involving false information spread through electronic and social media
  • Hacking to obtain material nonpublic information
  • Violations involving distributed ledger technology and initial coin offerings
  • Misconduct perpetrated using the dark web
  • Intrusions into retail brokerage accounts
  • Cyber-related threats to trading platforms and other critical market infrastructure

According to Francine McKenna, one hacking case may involve the SEC itself. Ms. McKenna reports that the enforcement lawyers had a case based on nonpublic information stolen from the SEC’s system, and it was this case that forced them to tell the SEC Chairman about the breach.


Improperly Allocating Broken Deal Expenses

The Securities and Exchange Commission has been looking at fees and expenses at private equity funds for several years. Two years ago it brought a case against Kohlberg Kravis Roberts & Co. for misallocating more than $17 million in “broken deal” expenses to its private equity funds. An SEC investigation found that from 2006 to 2011, KKR incurred $338 million in broken deal or diligence expenses. Even though KKR’s co-investors, including KKR executives, participated in the firm’s successful transactions, KKR largely did not allocate any portion of these broken deal expenses to them.

The SEC just brought a similar case against Platinum Equity. According to the SEC’s order, from 2004 to 2015, Platinum’s funds invested in 85 companies, in which co-investors connected with Platinum also invested. Platinum incurred broken deal expenses that were paid by the funds. While the co-investors participated in Platinum’s successful transactions and benefited from Platinum’s sourcing of the transactions, Platinum did not allocate any of the broken deal expenses to the co-investors.

Platinum did not have a standing co-investment vehicle. Platinum used a separate investment vehicle to co-invest in each transaction. While there was some overlap in the co-investors from deal to deal (officers, directors, executives, and employees of Platinum), the co-investors varied from transaction to transaction. The co-investment vehicles required payments of a pro-rata share of expenses related to the investment. There was no arrangement for Platinum to charge co-investors for broken deal expenses.

It’s tough to address the broken deal expenses for co-investments. There is no vehicle to create the contractual obligation for reimbursement. Of course, it is not right for the fund investors to bear all of the costs when the fund manager is arranging so many co-investments.

At least it’s not right if it’s not disclosed in the fund documents. That is what the SEC pointed out in the order. The allocation of the broken deal expenses to the fund was not disclosed in the fund documents. That could be fixed by stating that the fund pays for the broken deal expenses even when there are co-investors. Assuming you can get investors to agree to that.

This is also the first case I have noticed in which the SEC has self-imposed the Kokesh limitation on disgorgement. The Kokesh case said that the SEC’s power of disgorgement was limited to going back five years. Even though Platinum was improperly allocating expenses back to 2004, the disgorgement only goes back five years to 2012.


World Champions

Peter Sagan, for an historic third time in a row, earned the rainbow stripes of men’s road cycling world champion. And Chantal Blaak earned the rainbow stripes of women’s road cycling world champion. Over the weekend they competed on a thrilling course in Bergen, Norway. Salmon Hill, only 10 kilometers from the finish, splintered the peloton of leading riders, leaving only the best of the best for the run into the finish line.

Peter Sagan beat Alexander Kristoff at the finish line by half of a wheel length after 267 kilometers of racing, with Michael Matthews coming in third. These are not the names you hear as the winners of the grand tours: the Tour de France, the Vuelta a España or the Giro d’Italia. Those three-week stage races are very different from one-day races like the world championship. They are on bikes, but the racing involves different skills.

The same is true about compliance across firms and industries. There are similar concepts and similar goals. But the execution and implementation of the compliance program will be different. There are different regulatory requirements. There are different risks.

Can you be successful in compliance across different industries and firms? Of course.

Just as a bike race involves a bike. You can get to the finish line.

Compliance Bricks and Mortar for September 22

These are some of the compliance-related stories that recently caught my attention.


Other People’s Money: SEC Disgorgement After Kokesh by Daniel R. Walfish in NYU’s Compliance & Enforcement

 Kokesh held that the disgorgement remedy in SEC enforcement actions is a “penalty” for purposes of the five-year limitations period for the “enforcement of any civil fine, penalty, or forfeiture.” 28 U.S.C. § 2462. Many have assumed, on the basis of a footnote in Kokesh, that courts will soon be considering whether they have authority to order disgorgement at all in SEC enforcement actions. That issue certainly lurks, but I suspect that courts first will revisit the proper scope of the remedy, including whether a court may force a defendant to “disgorge” ill-gotten gains that the defendant did not personally receive but that went to third parties, such as individuals and entities associated with the defendant. [More…]


Anti-Fraud Triangle Paper by Matt Kelly in Radical Compliance

As devout Radical Compliance readers might already know, from time to time I have written about something I call the Anti-Fraud Triangle—a method of assessing misconduct risk in your organization, based on the Fraud Triangle that auditors have used for decades to understand fraud risk.

Well, I just published a longer white paper on the Anti-Fraud Triangle with Workiva, and hosted a companion webcast not long ago on the same subject. If you like geeking out over risk assessment techniques, swing by Workiva’s website and take a look. [More…]


Why It’s Lights Out for LIBOR by 2021 by Jane Rogers in the CLS Blue Sky Blog

In light of LIBOR’s unsustainability, the FCA has decided to replace rather than reform LIBOR, and therefore not to encourage or compel panel banks to continue to contribute quotes and maintain LIBOR after 2021. Market participants are urged to begin planning a transition to replacement rates anchored in observable transactions by 2021. [More…]


 

When You Look And Find That You Are The Problem

Cybersecurity is hard. It’s nearly impossible to stop an attack. If someone really wants in, they can continue to attack and attack until they find a gap. It’s hard to know that you have been breached until well after the breach. It may be just as hard to figure out what was accessed and what damage has been done. It’s hard to know what the right response should be.

Of course, I could be talking about the enormous Equifax breach. But this time it’s the Securities and Exchange Commission.

“Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems. … Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information.”

SEC Chair Clayton noted that the breach did not “result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.”

If that is the standard for cybersecurity, then that is what the SEC should also use in its enforcement against investment advisers and broker/dealers. Instead we have cases like the one against R.T. Jones where there were no resulting losses to its clients, only the potential loss of data.

As is typical with a company with bad news, it buries the bad news in a pile of other disclosures. The SEC did the same thing. It spent one paragraph revealing the breach in an eight-page statement chiding the industry to be better about cybersecurity and touting its own initiatives.

The SEC’s statement, like Equifax’s revelation, did not explain why there was such a lengthy delay between the announcement and the discovery of the breach.

The likely result of the breach is that the hackers were able to access EDGAR filings before the general public and trade on that information before the general public.


The One With the Scalping

An investment adviser should not buy a position on its own behalf shortly before recommending that position to its clients. Nor should the adviser make recommendations to buy when the adviser is selling in the adviser’s personal accounts. Mark A. Gomes was doing just that.

The test case came against Capital Gains Research Bureau. The firm produced a monthly newsletter recommending securities. In 1960 the firm purchased securities before recommending them in its report for long-term investment. On each occasion, there was an increase in the market price and the volume of trading of the recommended security within a few days after the distribution of the Report. Immediately thereafter, the firm sold its position at a profit.

As you might expect, it’s the internet that has replaced the monthly newsletter. “Stock analysts” are making claims on SeekingAlpha, Twitter, and other websites.

Mr. Gomes distributed his recommendations through his own website and a third party website. He had a premium subscription that gave subscribers more access. He never disclosed that he held positions in some of the stocks he was discussing.

On at least five occasions between February 2014 and July 2014, Gomes (1) purchased shares in a stock, (2) recommended buying that stock, and then (3) sold shares in his personal accounts within days of his recommendation. In at least one instance, Gomes began selling shares only a few hours after posting his recommendation.

By recommending investments, but failing to disclose that he would trade in the opposite direction of his recommendations, Gomes omitted material information necessary in order to make his recommendations not misleading. A reasonable investor would consider Gomes’s intention to sell his shares as an important factor in assessing the objectivity and credibility of his descriptions.

I did find it interesting that the complaint skipped over the fact that Mr. Gomes was not registered as an investment adviser. According to Section 202(a)(11):

“‘Investment adviser’ means any person who, for compensation, engages in the business of advising others, either directly or through publications or writings, as to the value of securities or as to the advisability of investing in, purchasing, or selling securities, or who, for compensation and as part of a regular business, issues or promulgates analyses or reports concerning securities;…”


Most Frequent Advertising Rule Compliance Issues

It looks like the Securities and Exchange Commission has been taking a close look at advertising by investment advisers. The Office of Compliance Inspections and Examinations issued a risk alert on The Most Frequent Advertising Rule Compliance Issues Identified in OCIE Examinations of Investment Advisers.

I didn’t see any surprises in the alert.

  • Advisers presented performance results without deducting advisory fees.
  • Advertisements that compared results to a benchmark but did not include disclosures about the limitations inherent in such comparisons, including instances where, for example, an advertisement did not disclose that the advertised strategy materially differed from the composition of the benchmark to which it was compared.
  • Advertisements that contained hypothetical and backtested performance results, but did not explain how these returns were derived.
  • Advertisements that claimed performance results complied with a certain voluntary performance standard, when it was not clear to staff that the performance results in fact adhered to the performance standard’s guidelines (i.e., GIPS compliance).
  • Advertisements that staff believe contain cherry-picked stock selections
  • Disclosure of past specific investment recommendations that may have been misleading because they included only certain, and not all, recommendations, in order to illustrate a particular investment strategy, and they did not meet the conditions set forth in Subsection (a)(2) of the Advertising Rule. In addition, they did not satisfy the representations upon which IM staff based certain no-action assurances as provided in the TCW Group and Franklin no-action letters.
  • Advertisements that referred to advisers receiving high rankings in various publications, but those publications were issued several years prior, and the rankings were no longer applicable.
  • References to professional designations that have lapsed or that did not explain the minimum qualifications required to attain such designations.
  • Statements of clients attesting to their services or otherwise endorsing the adviser that may be prohibited testimonials.

The only tidbit of information is that OCIE conducted a “Touting Initiative” in 2016. The focus was to examine the adequacy of disclosures that advisers provided to their clients when touting awards, promoting ranking lists, or identifying professional designations in their marketing materials.

OCIE launched the Touting Initiative because of the “regularity with which staff encounters advisers that advertise these accolades without disclosing material facts about them.”


Another One with Improper Fees Charged to a Private Fund

For years, the Securities and Exchange Commission has been focused on fees and expenses allocated by private fund managers to their sponsored funds. The latest to be caught improperly allocating fees and expenses is Potomac Asset Management.

First, Potomac improperly charged $2.2 million in fees to the fund for services provided by Potomac to a portfolio company of Fund I. After the portfolio company subsequently reimbursed the cost of the fees, Potomac failed to offset those fees against the management fees it charged to the fund as required by the fund documents. That meant Potomac earned a larger advisory fee, which violated the fund documents and was not disclosed on Form ADV.

Second, Potomac improperly used the Funds’ assets to pay some expenses that should have been paid by Potomac. An individual with the title of “Principal”, who was required to perform at least 35 hours of “consulting” per week, and who was treated internally as a Potomac employee was billed to the fund improperly. Potomac also billed office rent to the fund.

The fund documents provided:

In general, [Potomac] shall bear compensation and expenses of its employees and fees and expenses for administrative, clerical and related support services, maintenance of books and records for the Fund, office space and facilities, utilities, and telephone insofar as they relate to the investment activities of the Fund. All other expenses will be borne by the Fund.

Third, Potomac used fund assets to pay costs associated with Potomac’s regulatory obligations. Potomac charged some of the costs associated with the SEC exam and enforcement investigation to the fund. [That is always a big mistake.]

Fourth, the Funds’ audited financial statements failed to disclose these payments as related party transactions. Because the financial statements did not reflect the related party relationships and material transactions, they were not prepared in accordance with Generally Accepted Accounting Principles. Therefore, Potomac did not have a good audit under the Custody Rule. That left Potomac outside the audit exception for private funds and in custody of client assets in violation of the Custody Rule.

Fifth, the general partners of the Funds failed to timely make certain capital contributions to the Funds as required by the terms of the Fund documents.

I don’t see any novel items in this list of mistakes and misdeeds. The SEC has been speaking about these concerns and bringing actions against firms who have done similar things. The first three items are only wrong to the extent they are in contravention of the fund documents. Many fund managers are getting more explicit in the fund documents about what expenses can be charged to the fund. Although, I don’t think many fund investors would accept fund documents that allocated those expenses to the fund.

It has been a few months since I have seen a private equity fees and expenses case. It’s a good reminder to make sure funds are following the fund documents.


Blockchain for Corporate Records

Jamie Dimon, chief executive of JPMorgan Chase & Co, speaking at a bank investor conference said Bitcoin “is a fraud” and will blow up. Further, that if any JPMorgan traders were trading the crypto-currency, “I would fire them in a second, for two reasons: It is against our rules and they are stupid, and both are dangerous.”

I’ve said it before. I don’t find Bitcoin to be a currency and its utility is suspect. But like Tesla stock and Dutch tulip bulbs, people will trade on the item if there is a dollar to be made. I don’t think it’s a fraud. There is value.

The interesting part of Bitcoin is the underlying blockchain technology that traces who holds all of the bitcoins in circulation. Imagine if Bank of America, JP Morgan, US Bank, Wells Fargo and all of the other banks used one ledger to track the movement of cash and each of them had a copy to prevent fraud. That’s blockchain, a distributed ledger.

Blockchain has uses outside of the tracking of money. It can be used to track almost anything.

Delaware and Nevada passed laws this summer allowing Blockchain to be used to track corporate records. It sounds innovative, but I’m skeptical.

The grand theme of Blockchain is trust. Since many people have copies of the distributed ledger, you prevent fraud. Because everyone has direct access to the information, you cut out intermediaries who would intervene to charge a transaction fee.

Most corporate records don’t fall into that category. There is a single instance and that is all that is needed.

The exception is stock ownership. I see some utility there to track ownership of a firm’s shares. For it to work, all of the shareholders and the firm would need to have the Blockchain ledger. For a small firm, it’s probably overkill. For a large company there may be some economies of scale.

I’m not sure how it works for a public company. Trading in public companies is fraught with issues. The markets do more than just transfer ownership. Their main role is pricing the shares. Blockchain could be used for the record-keeping but does not lend itself well to the pricing.

For Bitcoin, Blockchain does a great job of tracking who holds the currency. The pricing comes from converting bitcoins into dollars, which is outside of Blockchain and done by intermediaries who charge a fee. I assume the same would be true if a company moved the trading of public company shares onto blockchain.

The other problem is whether one Blockchain instance could address the shares at multiple firms or whether there would need to be separate instances of Blockchain. That also has some scaling issues.

I think there are tremendous uses for Blockchain to share value and information across firms and eliminate transaction costs. In these early days, it sounds more like people with a hammer thinking everything looks like a nail.
