To gain insight into where the Securities and Exchange Commission (“SEC”) and Commodity Futures Trading Commission (“CFTC”) have been focusing their oversight and what their priorities will be in 2020, look no further than their recent words and deeds. A common thread running through the recent public statements and enforcement activity of both agencies is a commitment to maximizing the resources at their disposal to expedite resolutions, whether by leveraging technology, deploying multi-pronged approaches, engaging in industry outreach, or coordinating with fellow regulators.
One critical component of the SEC’s current enforcement arsenal is its use of sophisticated proprietary data analytics. For example, the SEC’s Retail Strategy Task Force, established in 2017, analyzes a “big data” feed of hundreds of millions of securities transactions to proactively identify patterns of suspicious activity and recidivist bad actors. Through the Task Force, the SEC has thwarted schemes targeting retail investors, including offering fraud, securities fraud, and market manipulation. The Task Force has also used data analysis to trace assets for disgorgement and remediation.
The Commission is also analyzing “big data” to identify patterns of suspected insider trading. During a panel at the Securities Enforcement Forum 2019 on October 23, 2019, presented by Securities Docket, in Washington, D.C., Joseph Brenner, Chief Counsel of the SEC’s Enforcement Division, stated that 20% of the Commission’s insider trading cases are generated through data analysis by the Market Abuse unit. Brenner explained that analysts are able to compare trading activity both within and outside a period when suspects had access to material non-public information. For example, in the EDGAR hacking case, the data analysis showed that the defendants’ rate of investing successfully ranged from 70-98% within the period, but dropped to 0-50% outside the period, effectively eliminating any defense of coincidence.
Another strategy the SEC has deployed to streamline enforcement is the use of self-reporting initiatives. In February 2018, the SEC implemented the Share Class Selection Disclosure Initiative (“SCSDI”). Under the initiative, investment advisors were encouraged to self-report possible securities law violations relating to their failure to properly disclose fees associated with mutual fund share classes. Those who disclosed were offered favorable settlement terms, including standardized statutory charges and disgorgement of ill-gotten gains, but no additional penalties. The initiative has, thus far, resulted in 95 settlements and investor restitution of $135 million, as compared to nine settlements in the 12 months prior to the first SCSDI orders. Over two recent appearances at the Southeastern Securities Conference in September, and the Securities Enforcement Forum in October, Steven Peikin, Co-Director for the SEC Division of Enforcement, touted the success rate of the SCSDI and credited the initiative for pushing firms to improve their sales practices regarding mutual fund share class suitability and related disclosures. Peikin indicated the SEC will look to repeat the SCSDI’s success with the deployment of more initiatives where the Commission identifies systemic industry issues.
In addition to maximizing its existing resources, the SEC is also exploring multiple fronts for enforcement, as in the case of cybersecurity, where the SEC is targeting disclosures both before and after a data security breach. The SEC has consistently required public companies to disclose data breaches promptly and to enact policies and procedures governing breach response, and has prosecuted companies that fail to timely disclose breaches. In February 2018, the SEC issued guidance regarding disclosure of cyber risks in a company’s public filings. Companies must accurately disclose to investors not only the risks of a data breach, but also the potential impact a breach could have on the company’s business and operations. In October, at the Securities Enforcement Forum, Carolyn Welshhans, an Associate Director in the SEC’s Enforcement Division, clarified that cybersecurity disclosure – both the risk and the breach – would be a top enforcement priority. Welshhans specifically mentioned that companies that have experienced data breaches who then file disclosures that only disclose the possibility of a breach would almost certainly violate Reg FD (i.e., “fair disclosure”) (17 CFR Parts 240, 243, and 249). At the same event, SEC Chairman Jay Clayton explained that a key risk factor companies will need to consider in connection with the cyber risk disclosure is whether loss or impairment of their intellectual property through a cyberattack or data breach poses a material risk that must be disclosed to investors.
Finally, the SEC is broadening its cryptocurrency enforcement arsenal. Initial actions in this area primarily focused on prosecuting fraudulent conduct in connection with Initial Coin Offerings. More recently, however, enforcement actions have expanded to encompass a more generic set of non-fraud securities violations, such as touting and failure to register cases. This treatment belies any notion that cryptocurrencies are an “exotic” asset subject to special treatment by the SEC, and cryptocurrency companies should expect the same level of enforcement as any other public company.
For its part, the CFTC has advanced its enforcement initiatives by ramping up its whistleblower program and successfully bringing joint actions with other regulators and law enforcement. Since May, the CFTC has heavily marketed its whistleblower program by way of four alerts on the topics of money laundering, insider trading, foreign bribery, and virtual currency. In a recent press release announcing a whistleblower award of $7 million, CFTC Director of Enforcement James McDonald highlighted how critical the CFTC’s whistleblower program is to its enforcement efforts, stating that “forty percent of our investigations now involve whistleblowers. We expect that number to increase as the CFTC continues to expand its whistleblower program.”
In terms of enforcement activity, the CFTC has significantly increased its coordination with other agencies, filing fourteen actions in parallel with criminal actions brought by other entities in 2018. This number eclipsed the total from the previous five years combined. These actions primarily are spoofing cases, but also include retail and virtual currency fraud, manipulation of global benchmarks, and investigatory obstruction. Just this past month, the CFTC coordinated civil enforcement actions against two individuals indicted by the U.S. Department of Justice for engaging in a spoofing scheme to artificially affect the prices of precious metals in order to maximize trading profits and minimize losses.
Going forward, those regulated by the SEC and CFTC can expect these two regulators to continue refining innovative approaches to enforcement, with the specific areas of enforcement remaining consistent – cybersecurity, retail investor protection, insider trading, market manipulation, money laundering, foreign bribery, and disclosure enforcement. The SEC has taken great pride in its advancements in data analytics, self-reporting initiatives, and programs designed to protect the most vulnerable retail protectors. The CFTC, meanwhile, is charging ahead with a spirit of regulatory burden sharing and coordination. Whether this will translate into increased regulation, smarter regulation, or both come 2020 remains to be seen.