Despite budgetary constraints, an agency-wide hiring freeze, and a set of legal setbacks, the Securities and Exchange Commission has set out a demanding enforcement agenda for 2019. At the top of its list: retail investors and cyber-related misconduct.

During fiscal year 2018, the SEC brought 821 enforcement actions (490 of which were standalone actions) and obtained judgments and orders totaling $3.9 billion in disgorgement and penalties. It also returned $794 million to harmed investors, suspended trading in the securities of 280 companies, and obtained nearly 550 bars and suspensions.

In its “Strategic Plan for 2018-2022,” the SEC outlined three goals that will guide its work moving forward. It also recently announced its enforcement priorities for fiscal year 2019. Both reports serve as helpful guideposts for regulated firms to assess the adequacy of their compliance programs. Those priorities are …

Focus on Main Street investors

“Our first goal, which has been a priority of mine since I became Chairman, is focusing on the interests of our long-term Main Street investors,” SEC Chairman Jay Clayton said in testimony before the U.S. Senate Committee on Banking, Housing, and Urban Affairs on Dec. 11. In FY 2018, over half of the standalone enforcement actions brought by the SEC involved wrongdoing against retail investors.

Formed in September 2017, the Retail Strategy Task Force (RSTF) significantly contributed to the Division’s retail focus. The RSTF has two primary objectives: (1) to develop data-driven, analytical strategies for identifying practices in the securities markets that harm retail investors and generating enforcement matters in these areas; and (2) to collaborate within and beyond the SEC on retail investor advocacy and outreach.

“Specifically, the RSTF undertook several lead-generation initiatives built on the use of data analytics,” the SEC’s annual report states. RSTF lead-generation initiatives involve collaboration between many divisions and offices, including the Division of Economic and Risk Analysis and the Office of Compliance Inspections and Examinations.

These initiatives involve several important issues impacting retail investors, including disclosures concerning fees and expenses and conflicts of interest for managed accounts, market manipulations, and fraud involving unregistered offerings. Additionally, in partnership with the Division’s Cyber Unit and Microcap Fraud Task Force and the Division of Corporation Finance’s Digital Asset Working Group, the RSTF has launched a lead-generation and referral initiative involving trading suspensions related to companies that purport to be in the cryptocurrency and distributed ledger technology space.

Policing cyber-related misconduct

“Our second goal—to be innovative and responsive—reflects the changing nature of our markets,” Clayton said. “As technological advancements and commercial developments have changed how our securities markets operate, the SEC’s ability to remain an effective regulator requires that we continually monitor the market environment and adapt our rules, regulations and oversight.”

“If a company thinks that because we have [Jay] Clayton and the new administration that [the SEC is] going to go a little easier on companies for FCPA violations, I would suggest they might want to revisit that thinking.”

Mike Piazza, Partner, McDermott Will & Emery

It is in this vein that the SEC Enforcement Division established a Cyber Unit in September 2017 to combat cyber-related threats, and more recently, its new Strategic Hub for Innovation and Financial Technology (FinHub). “Together with the FinHub, the resources we have dedicated to the Cyber Unit’s important work demonstrate the high priority that we continue to place on cyber-related issues affecting investors and our markets,” Clayton said.

Initial Coin Offerings (ICOs) were one of the first targets of the Cyber Unit, mainly because many SEC staff fear they could be construed as “21st Century Ponzi schemes,” says Mike Piazza, a partner at law firm McDermott Will & Emery. “I think you’re going to see an increased focus on these ICOs, because some senior folks in the SEC view those as potential channels for fraud.” Because there is no real regulation on them yet, however, it remains an evolving area of enforcement.

The Cyber Unit focuses the Division’s resources and expertise on such things as hacking to obtain material, non-public information and violations involving distributed ledger technology and cyber intrusions. From a practical standpoint, broker-dealers and investment advisors can expect to have their cyber-related policies and procedures much more closely scrutinized moving forward.

Since the formation of the Cyber Unit, the Division’s focus on cyber-related misconduct has steadily increased. At the end of the fiscal year, the Division had more than 225 cyber-related investigations ongoing.

In one case, the SEC brought its first ever enforcement action for violations of the Identity Theft Red Flags Rule. In that case, Voya Financial Advisors in September 2018 agreed to pay $1 million to settle charges for having deficient cyber-security policies and procedures concerning a cyber intrusion that compromised the personal information of thousands of customers.

In another significant case, the Commission brought its first enforcement action involving charges against Altaba—the entity formerly known as Yahoo—for failing to properly inform investors about what was then the largest known cyber-intrusion in history, in which hackers stole personal data relating to at least 500 million user accounts. Altaba agreed to a $35 million penalty to settle charges for failing to properly assess the scope, business impact, or legal implications of the breach, including whether, when, and how the breach should have been disclosed.

From the SEC’s standpoint, advisors, broker-dealers, and public companies have an obligation to do everything on the front end to protect themselves from a cyber-attack. “When firms do not have practices that allow for that, the SEC’s fear is that cyber-attacks and breaches will be more traumatic for those firms, for the market more generally, and for the individual investors,” says Kit Addleman, a partner at Haynes and Boone.

The Share Class Selection Disclosure Initiative

The Enforcement Division will also continue its focus on misconduct that occurs in interactions between investment professionals and retail investors. One aspect of these interactions involves disclosure failures relating to marketing and distribution fees paid by advisory clients, often referred to as “12b-1 fees.” These fees are typical for certain share classes offered throughout the mutual fund industry, and advisers are required to accurately disclose their practice of selecting a more expensive mutual fund share class when a lower-cost share class for the same fund is available. “The 12b-1 fees are not necessarily obvious to investors in all instances,” Addleman says.

To address its backlog of ongoing investigations—which, on average, take nearly two years to complete—relating to these practices, the Division launched the Share Class Selection Disclosure Initiative in FY 2018. The Initiative is a voluntary program for investment advisers to self-report to the Commission their failures to disclose their financial conflicts of interest relating to compensation they received in the form of 12b-1 fees.

“What the SEC is saying here is, ‘If you don’t self-disclose and we pick up on something in an exam, we’re going to open an enforcement matter, and your opportunity to decrease the amount of a civil penalty is going to be nil,’” says Paul Monnin, a partner at Alston & Bird.

According to the SEC’s latest enforcement report, “the Commission has brought more than 15 enforcement matters involving share class disclosures in just the last five years, and OCIE has continued to make such disclosures a priority in its exams and public statements.”

Piazza says he’s representing a client who is going through that process right now. “What we are having to do for this particular client—and I think this is true for anybody who receives one of these subpoenas or requests from the SEC—is we’re having to go back five years and pull all the information on any 12b-1, find out how they were allocated, and the impact, if any, to the customers.”

Specifically, what the SEC said is, “‘We want you to look at all your data and summarize it,’ and they gave us the format that they want us to summarize it,” Piazza explains. “Essentially, we’re doing the leg work.”

“The problem is that sometimes the clients don’t know what they have until they really dig deep, and so we’re going to be dealing with that in the new year, too,” Piazza adds.

As an incentive, the Enforcement Division said it would recommend that the Commission not impose a penalty against those who participate in the Initiative. “We believe that by pursuing this Initiative, we will identify, address, and remediate many more violations—and will do so much more quickly—than if we had continued to pursue these violations on a case-by-case basis,” the SEC’s enforcement report states.

Tolling agreements

“I’ve gotten four requests from SEC staff in the last day for tolling agreements, because they’re terrified of this government shutdown,” Piazza says. “We’re having to grapple with that, too.”

In June 2017, a unanimous Supreme Court ruled in the case Kokesh v. SEC that disgorgement collected by the SEC is subject to the general five-year statute of limitations on monetary civil penalties. Since Kokesh, statute-of-limitations issues for the SEC have only grown.

Tolling agreements essentially pause the statute of limitations for a limited period. “That’s how the SEC enforcement practice has developed in the last couple of years,” Piazza says. “We would almost never get a request for a tolling agreement up until a couple of years ago, and now it’s almost routine.”

FCPA books and records and internal controls

Piazza warns regulated firms not to expect a slowdown in cases related to FCPA books and records and internal controls violations. “There’s been some perception on the private bar side that the pipeline is not that full,” he says. But during a panel discussion, moderated by Piazza, at the International Conference on the Foreign Corrupt Practices Act in November, SEC enforcement officials commented that they’re getting a lot of cases fed to them through the SEC’s Whistleblower program.

“If a company thinks that because we have Clayton and the new administration that they’re going to go a little easier on companies for FCPA violations, I would suggest they might want to revisit that thinking,” Piazza says. “It’s still a very vital part of SEC enforcement.”