Top 5 SEC Enforcement Developments for August 2024

Each month, we publish a roundup of the most important SEC enforcement developments for busy in-house lawyers and compliance professionals. This month, we examine:

• The SEC’s case against crypto firm Kraken is permitted to proceed;
• An SEC penalty of almost $400 million for 26 firms for record keeping failures;
• An SEC settlement of a claim for failure to protect client funds from a cyber attack;
• An investment adviser’s settlement with the SEC for a failure to maintain and enforce procedures to prevent the misuse of material nonpublic information; and
• A penalty of $125 million imposed on Ripple for the sales of digital tokens deemed unregistered securities transactions.

1. Court Denies Kraken’s Motion to Dismiss SEC Claims

On August 23, 2024, the United States District Court for the Northern District of California denied defendants’ motion to dismiss in Securities and Exchange Commission v. Payward, Inc., et al., allowing the SEC’s Securities Act claims to proceed.

In Payward, the SEC alleges that Payward, Inc. and Payward Ventures (d/b/a “Kraken”) have violated Sections 5, 15(a), and 17A(b) of the Securities Act by operating as a broker, dealer, exchange, and clearing agency for “crypto asset securities” without registering with the SEC. Kraken contended that it did not need to register because the transactions on its platform do not involve securities.

District Judge William H. Orrick’s decision focused on whether the SEC’s complaint adequately alleged that the cryptocurrency transactions on Kraken’s platform met the criteria for investment contracts under the Howey test. SEC v. W.J. Howey Co., 328 U.S. 293 (1946). Howey holds that to qualify as an investment contract, there must be (1) an investment of money (2) in a common enterprise (3) with an expectation of profits produced by the efforts of others. The court found that the SEC plausibly alleged that investors committed fiat currency or crypto assets to purchase crypto assets on Kraken’s platform, satisfying the first prong of Howey. The court also found that the SEC plausibly alleged vertical commonality, where the fortunes of investors are linked with those of the promoters who retain ownership or control over significant amounts of the crypto assets they promote. Finally, the SEC alleged that investors had an expectation of profits from the efforts of the promoters, who worked to develop the networks or ecosystems supporting the value of the crypto assets, meeting the third prong of Howey.

Kraken also argued that the SEC’s claims violated the major question doctrine—i.e., that the SEC’s regulation of the cryptocurrency industry has such vast economic and political significance that the SEC requires clear Congressional authorization to regulate that space. But the court rejected Kraken’s argument, holding that the SEC’s attempts to regulate cryptocurrency transactions do not constitute a “transformative expansion of its regulatory authority” and are consistent with its established authority to regulate securities. 

2. SEC Fines Twenty-Six Firms Nearly $400 Million Combined for Alleged Off-Channel Communications Record Keeping Failures.

On August 14, 2024, the Securities and Exchange Commission (SEC) announced charges against 26 broker-dealers, investment advisers, and dually-registered broker-dealers and investment advisers for allegedly widespread and longstanding failures to maintain and preserve electronic communications. The firms acknowledged that their conduct violated the law and agreed to pay combined civil penalties of $392.75 million, with individual penalties ranging from $400,000 to $50 million.

These settlements are the latest in the SEC’s continuing focus on how broker-dealers and investment advisers manage retention of off-channel communications and make clear the Commission has not moved on from this issue. The SEC has long encouraged firms to step forward and self-report similar record-keeping violations, and here noted that three firms, Truist Securities, Inc., Cetera Advisor Networks LLC, and Hilltop Securities Inc., received reduced penalties for doing so. The Commission considered how all three companies conducted internal investigations and enhanced their policies and procedures prior to the Commission’s action. Notably, all three were among those receiving some of the lowest fines—Truist Securities, Inc. and Cetera Advisor Networks LLC were fined $4.5 million each, and Hilltop Securities Inc. was fined $1.6 million; only two other companies had lower fines.

As set forth in the companies’ respective settlement orders, the financial entities’ failures involved personnel at multiple levels, including supervisors and senior managers. The firms were charged with violating recordkeeping provisions of the Securities Exchange Act, the Investment Advisers Act, or both and failing to reasonably supervise their personnel. In addition to financial penalties, the firms were ordered to cease and desist from future violations of the relevant recordkeeping provisions and were censured. The Commodity Futures Trading Commission also announced settlements with several banks for related conduct.

3. SEC Settles with Equiniti Trust Company for Allegedly Failing to Protect Client Funds from Cyber Attacks:

On August 20, 2024, the SEC imposed a penalty on Equiniti Trust Company, LLC of $850,000 for alleged violations of Section 17A(d) of the Exchange Act and Rule 17Ad-12 thereunder for, according to the Commission’s order, “failing to assure that: (i) all securities in its custody or possession related to its transfer agent activities were held in safekeeping and were handled, in light of all facts and circumstances, in a manner reasonably free from risk of theft, loss or destruction, and (ii) all funds in its custody or possession related to its transfer agent activities were protected, in light of all facts and circumstances, against misuse.”

The SEC’s order addressed two cyber incidents that occurred in 2022 and 2023, leading to a net loss of approximately $4.08 million in client funds and highlighting Equiniti’s alleged deficiencies in safeguarding assets. In the September 2022 incident, an unknown threat actor impersonated an issuer-client contact and directed Equiniti to issue and liquidate millions of shares, transferring the proceeds to bank accounts in Hong Kong. Equiniti allegedly failed to verify the authenticity of the request, resulting in a loss of approximately $3.78 million, of which $1 million was recovered. Equiniti had previously issued a warning email in January 2022, instructing employees to verify emailed requests through call-backs and to be vigilant about email addresses, but allegedly failed to ensure these procedures were followed or that employees were adequately trained. In the April 2023 incident, an unknown threat actor used stolen Social Security numbers to access online accounts and transfer approximately $1.9 million in proceeds to external bank accounts. According to the SEC, Equiniti’s system automatically linked accounts with matching Social Security numbers, facilitating the fraud, and Equiniti did not notice the fraudulent transfers on its own and was informed by the bank handling the transfers. Approximately $1.6 million was recovered, and Respondent reimbursed the remaining $300,000 to affected accountholders.

As a result of these incidents, the Commission found that Equiniti willfully violated Section 17A(d) of the Exchange Act and Rule 17Ad-12 by failing to assure that securities and funds in its custody were reasonably free from risk of theft, loss, or misuse. In response, Equiniti hired a Chief Control Officer responsible for overseeing cybersecurity, engaged a third-party cybersecurity firm to conduct a forensic review of its systems, and fully reimbursed clients and accountholders for losses resulting from the cyber incidents.

4. Fund Advisor Settles with SEC over Allegedly Deficient Policies to Guard MNPI

On August 26, 2024, the SEC Commission issued an order instituting settled administrative and cease-and-desist proceedings against a registered investment adviser (“RIA”) for allegedly failing to establish, maintain, and enforce written policies and procedures reasonably designed to prevent the misuse of material nonpublic information (“MNPI”) concerning its trading of collateralized loan obligations (“CLOs”) from May 2018 to June 2024.

These alleged deficiencies were highlighted by an incident in July 2019, when the SEC claims the RIA sold two CLO equity tranches while allegedly in possession of MNPI about a media services company. The MNPI allegedly was obtained through the RIA’s participation in an ad hoc lender group for the media company, and when the MNPI was publicly released on July 31, 2019, the value of the company’s loans in these CLO tranches dropped by over 50%, materially decreasing the value of the CLO tranches the RIA had sold the previous day by approximately $685,000. The RIA’s personnel allegedly recognized the possession of MNPI but failed to consider its materiality with respect to the CLO tranches before the sale.

According to the settled order, prior to July 2022, the RIA had no written policies and procedures aimed at preventing the misuse of MNPI about the underlying loans when trading the RIA’s CLOs or Third-Party CLOs. Although the RIA began conducting pre-clearance reviews in July 2019 to assess the potential impact of MNPI about underlying loans on the trading of its CLOs, it did not adopt written policies and procedures for such reviews until July 2022, or establish, maintain, or enforce any written policies or procedures concerning the misuse of MNPI regarding the underlying loans in Third Party CLOs at any time during the relevant period.

As a result of these deficiencies, the RIA was found to have willfully violated Sections 204A and 206(4) of the Advisers Act and Rule 206(4)-7 promulgated thereunder. The Commission noted that as a result of the staff’s investigation, the RIA began conducting pre-clearance reviews aimed at preventing the misuse of MNPI about the underlying loans in Third Party CLOs in April 2024 and adopted written policies and procedures for these reviews in June 2024. The Commission stated that it considered remedial acts promptly undertaken by the RIA and cooperation afforded to the Commission staff in determining the appropriate remedy, which ordered the RIA to cease and desist from committing or causing any violations and any future violations of Sections 204A and 206(4) of the Advisers Act and Rule 206(4)-7, censuring the RIA, and imposing a civil money penalty of $1,800,000.

5. Court Fines Ripple $125 Million for Section 5 Violations

On August 7, 2024, the United States District Court for the Southern District of New York granted in part and denied in part the SEC’s motion for remedies and entry of final judgment in Securities and Exchange Commission v. Ripple Labs, Inc. The case centered on the SEC’s allegations that Ripple engaged in the unlawful offer and sale of securities in violation of Section 5 of the Securities Act of 1933, 15 U.S.C. § 77e(a), (c) through its sale of XRP, the native digital token of the XRP Ledger.

Judge Analisa Torres’s opinion followed her ruling last year on summary judgment (described in more detail in this client alert) that Ripple’s sales of the XRP token to “sophisticated individuals and entities” were considered unregistered sales of securities, but that “Programmatic Sales,” blind sales on digital asset exchanges or trading algorithms, payments of XRP to employees as compensation, and exchanges by Ripple executives in their individual capacities, were not investment contracts.

The court granted the SEC’s request for certain injunctive relief, finding a reasonable probability of future violations by Ripple, and stated it would impose a permanent injunction restraining and enjoining Ripple from violating Section 5 of the Securities Act. Judge Torres denied the SEC’s request for disgorgement and prejudgment interest, holding that the SEC did not establish pecuniary harm to investors, as required by the Second Circuit’s decision in SEC v. Govil, and determined that a first-tier penalty was appropriate given the absence of fraud, deceit, or reckless disregard of regulatory requirements. The court imposed a penalty of more than $125 million—far less that the $2 billion the SEC requested, but more than the $10 million advanced by Ripple—calculated based on 1,278 transactions that the court found violated Section 5.