Top 5 SEC Developments (November 2023)

Each month, we publish a roundup of the most important SEC enforcement developments for busy in-house lawyers and compliance professionals. This month, we examine:

• The SEC’s announcement of its Fiscal Year 2023 enforcement results;
• A settled action involving internal control failures relating to stock buybacks and the accompanying dissent;
• The second enforcement action brought against crypto-giant Kraken this year;
• The complaint filed with the SEC by a ransomware gang against the threat actor’s own cyber breach victim; and
• Supreme Court oral arguments analyzing the constitutionality of the SEC’s administrative courts.

1. The SEC’s Yearly Enforcement Results Are In

On November 14, 2023, the SEC announced its enforcement results for Fiscal Year 2023 (FY23). The Commission’s press release proclaims that it is “aggressively employ[ing]” all of its tools to sue regulated companies and individuals. Some statistical highlights include:

• Total enforcement actions filed increased 3%: The SEC filed 784 total enforcement actions in FY23, a 3% increase over FY22. Of those filed, 501 were original, or “stand-alone,” enforcement actions, representing an 8% increase over the prior fiscal year.
• The SEC obtained nearly $5 billion in remedies: The SEC’s $5 billion in remedies is the second-highest amount in SEC history, surpassed only by FY22’s record‑shattering $6.4 billion in remedies. Though disgorgement increased in FY23 (from $2.245 billion in FY22 to $3.369 billion in FY23), penalties actually decreased by 62% (from $4.194 billion in FY22 to $1.58 billion in FY23). 
• The Whistleblower Program continued to pay out: The SEC issued nearly $600 million to whistleblowers in FY22, the most awarded since the program’s creation in 2010, including a record-breaking $279 million awarded to an individual whistleblower.
• Continued focus on individuals: In FY23, approximately two-thirds of the SEC’s cases involved charges against one or more individuals. The SEC also obtained 133 orders barring individuals from serving as officers and directors of public companies, the highest number in a decade.

The SEC’s announcement highlighted themes, wins, and enforcement priorities from the past year, including detailing actions in the Crypto, Cybersecurity, and ESG-related arenas. The announcement also claimed that, in FY23, the SEC had “consistently rewarded meaningful cooperation” where parties proactively self-police, self-report, and remediate potential securities law violations. The announcement, however, will not do much to quiet skeptics. The SEC pointed to only three actions where such “rewards” were given, one of which still resulted in a $2.5 million civil penalty.

#2023’sAWrap #$5BillionInRemedies #MoreWhistleblowersMorePayouts

2. Charter Communications Agrees to Settle Violations of Exchange Act Section 13(b)(2)(B)

On November 14, 2023, the SEC announced settled charges against Charter Communications (Charter), a broadband connectivity company and cable operator, for internal accounting controls violations in connection with the company’s stock buybacks. The SEC claimed that Charter violated Exchange Act Section 13(b)(2)(B) by failing to implement a process to ensure that Charter’s trading plans were adequately reviewed for conformity with the requirements of Rule 10b5-1. 

According to the SEC’s order, stock buybacks authorized by Charter’s board were predicated on the company’s use of trading plans meant to conform to SEC Rule 10b5-1. Some of Charter’s plans, however, included “accordion” provisions allowing Charter to change the total dollar amounts available to buy back stock. According to the SEC, these plans did not satisfy the requirements of Rule 10b5-1 and, therefore, the company’s buybacks were not in accordance with the board’s authorization. The SEC’s order states that Charter “failed to implement a reasonable process to ensure that its trading plans were adequately reviewed for conformity with the requirements of Rule 10b5-1 prior to adoption.” As a result, Charter violated Exchange Act Section 13(b)(2)(B), which requires companies to “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that,” among other things, transactions are executed and access to assets is permitted “only in accordance with management’s general or specific authorization.”

Two Commissioners, Peirce and Uyeda, penned a short, but strongly worded, dissent, warning that the SEC’s theory in Charter Communications was an “unsupportable and ill-considered interpretation” of Section 13(b)(2)(B) and an “inappropriate extension[] of the agency’s authority.” The dissenting Commissioners emphasized that Section 13(b)(2)(B) requires certain standards of internal accounting controls, and that the SEC’s order failed to recite any facts suggesting that Charter’s internal accounting controls were insufficient. According to the dissent, “[c]ontrols designed to answer a legal question” (i.e., whether its trading plans complied with Rule 10b5-1) “are simply not internal accounting controls within Section 13(b)(2)(B)’s scope.” (emphasis in original).

#AreAllControlsAccountingControls? #TwoCommissionerDissent #10b5-1Plans

3. The SEC Targets Crypto-exchange Kraken for the Second Time This Year.

On November 20, 2023, the SEC filed a complaint in the Northern District of California against Payward Inc. and Payward Ventures Inc., together known as “Kraken,” alleging that Kraken operated a crypto trading platform as an unregistered securities exchange, broker, dealer, and clearing agency. The lawsuit comes just nine months after Kraken agreed to pay the SEC $30 million for failing to register the offer and sale of its staking services with the SEC.

In the recently filed complaint, the SEC alleges that Kraken has made hundreds of millions of dollars by unlawfully facilitating the buying and selling of crypto assets on its platform by intertwining the traditional services of an exchange, broker, dealer, and clearing agency without having registered with the Commission. The SEC’s complaint turns on its theory that the crypto assets bought and sold through the Kraken platform are subject to the U.S. securities laws as “investment contracts” within the meaning of the Howey test (SEC v. W.J. Howey Co., 328 U.S. 293 (1946)). 

The SEC also alleges that Kraken’s business practices, internal controls, and recordkeeping practices present risks. According to the complaint, Kraken allegedly commingles its customers’ money with its own, and commingles its customers’ crypto assets with its own. The Commission seeks injunctive relief, disgorgement, and civil penalties.

Kraken issued a lengthy statement in response to the SEC’s complaint. Kraken asserted that the complaint’s “technical argument” that digital assets are investment contracts “is incorrect as a matter of law, false as a matter of fact, and disastrous as a matter of policy.” Kraken also pointed to the court’s ruling in SEC v. Ripple Labs Inc., in which Judge Torres of the Southern District of New York found that the programmatic sale of Ripple’s digital token through digital asset exchanges was not a securities transaction. Kraken asserts that Ripple forecloses the SEC’s arguments against Kraken. For more details on the Ripple ruling, see our client alert.

#CryptoEnforcement #TwoEnforcementActionsInOneYear #DigitalAssetsInvestmentContracts?

4. Hacker Group Files a Complaint Against Its Victim for Failure to Disclose Cyber Breach.

In July 2023, the SEC adopted rules requiring registrants to disclose material cybersecurity incidents within four business days of a materiality determination. The new requirements went into effect on September 5, 2023, but compliance is not required until mid-December 2023. On November 15, 2023, the infamous hacking group AlphV/BlackCat (AlphV) filed with the Commission a complaint against one of its alleged victims, MeridianLink, alleging a failure to comply with the new disclosure rules after AlphV accessed MeridianLink’s environment and exfiltrated certain “customer data and operational information.”

In mid-November, AlphV identified MeridianLink, which provides digital solutions for financial organizations such as banks, credit unions, and mortgage lenders, on its data leak website. AlphV claimed that it would publish allegedly stolen data from MeridianLink unless the company paid a ransom within 24 hours. After MeridianLink apparently failed to make the ransom payment, AlphV filed a complaint on the SEC’s “Tips, Complaints, and Referrals” page, which AlphV then also posted online. 

According to the screenshot originally posted on AlphV’s site, the AlphV complaint with the SEC stated: “It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.”

The SEC has not commented on the AlphV complaint. For more information on the SEC’s new cybersecurity disclosure rules, see our detailed client alert.

#AudaciousHackers #RansomewareAttack #DisclosureWithin4DaysKeepsTheSECAway

5. SCOTUS Considers the Constitutionality of the SEC’s Administrative Courts.

On November 29, 2023, the Supreme Court of the United States heard oral argument in SEC v. Jarkesy Jr., et al., a challenge to the SEC’s in-house court system, which the Fifth Circuit has ruled unconstitutional. (For more details, see our client alert on the Fifth Circuit opinion). Specifically, the Supreme Court is considering (i) whether the SEC’s ability to initiate and adjudicate administrative enforcement proceedings seeking civil penalties violates the Seventh Amendment right to a jury trial, (ii) whether Congress unconstitutionally delegated to the SEC the power to decide whether an administrative (versus civil) action is appropriate to enforce the securities laws, and (iii) whether the procedures for appointment of the SEC’s administrative law judges violate Article II of the U.S. Constitution. Although the case focuses specifically on the SEC, the decision could have a far-reaching impact across numerous government agencies and how and where they may pursue certain claims.

During the more than two-hour argument, the justices focused on the Seventh Amendment issue and, though apparently divided, several justices seemed open to declaring the SEC’s administrative court system unconstitutional. Towards the end of the argument, Justice Neil Gorsuch seemed particularly sympathetic to Jarkesy’s arguments, stating that “[Congress] just can’t take away a person’s right to be heard before his peers.” 

Other justices, however, seemed skeptical of Jarkesy’s arguments. Justice Kagan, for example, pointed to the 1976 decision in Atlas Roofing Co. v. Occupational Health and Safety Review Commission, 430 U.S. 442 (1977), in which the Court held that Congress could create a new statutory cause of action for agency adjudication without violating the Seventh Amendment in the context of OSHA proceedings. Justice Kagan questioned why the Court was even considering the constitutionality of the SEC’s similar administrative proceedings when “Atlas Roofing simply resolves the issue.” She further commented that “Congress is not required by the Seventh Amendment to choke the already crowded federal courts . . . . [and] the Seventh Amendment was no bar to Congress making a decision that certain kinds of claims were best adjudicated in administrative agencies.”

If the Supreme Court affirms the Fifth Circuit’s decision, the SEC would be required to bring enforcement actions seeking civil penalties in federal court. A decision is expected by summer 2024.

#OralArgument #SCOTUS #AdminCourtsUnderFire #EnforcementRegimesInQuestion