Thursday, 31 October 2019

Experts address cybersecurity trends, best practices at fintech webinar

By Jay Fishman, J.D.

The North American Securities Administrators Association, Inc. (NASAA) included a panel discussion on cybersecurity data breaches and the best ways to prevent them as part of its October 29, 2019 Fintech and Cybersecurity Symposium held in Washington D.C. and online. Jake van der Laan, the director and chief information officer of the Information Technology and Regulatory Informatics Division at the Financial and Consumer Services Commission in New Brunswick, Canada moderated the panel. The panelists included David Kelley, the surveillance director at FINRA’s Kansas City District Office; Assunta Vivolo, the assistant director of the Cyber Unit at the SEC’s Philadelphia Regional Office; and Charles de Simone, the vice president of Technology and Operations for the Securities Industry and Financial Markets Association (SIFMA).

Van der Laan heightened the topic’s importance by first citing the significant Equifax, Yahoo, Marriot, and Capital One data breaches of the past three years, and then adding the following statistics—that by 2020 there will be six billion Internet users who could become cyberattack victims, and that there are 250 pieces of malicious software released daily to perpetrate those attacks.

Van der Laan asked the panelists the following questions:
  1. What types of data breaches are you seeing now and predict for the future?
  2. How should firms manage their risk now and in the future?
  3. What help is there for a firm’s clients and U.S. citizens to prevent cyberattacks to their own data?
What types of data breaches are you seeing now and predict for the future? Kelley said that FINRA’s staff, when going on broker-dealer firm examinations, have asked members about the types of cyberattacks they have been subjected to. The firms replied: (1) phishing emails; (2) account compromise; (3) imposter websites; (4) ransomware; and (5) malware. Kelley and Vivolo both remarked on the rise of two types of imposter websites, one type where the firm already has a legitimate website but a copycat website suddenly appears containing the same accurate information about the firm and perfect photos of its executives.

The criminals try to lure unsuspecting clients to add their personal, confidential information onto the fake website before the firm or regulatory authorities discover the scam. The other type occurs when a firm does not have a website and then suddenly has one. The sudden website is, of course, fake.

All three panelists additionally mentioned a rise in client accounts being compromised inadvertently by third parties. De Simone said that this type of data breach begins innocently when a firm entrusts a third-party vendor to provide the technology for protecting the firm’s clients’ account data. The third party, itself, might be trustworthy but may rely on a fourth party vendor to supply the nuts and bolts of that technology, which could cause the data breach. Essentially, the firm does not become aware of the client data breach until it is too late because the firm only directly contracted with the third party so was not even aware of the fourth party’s existence.

The panelists also proclaimed a rise in cyberattacks caused by company insiders who are either malicious or unintentional insiders. The panelists mentioned the 2017 Verizon data breach caused by a "malicious insider" out for revenge against the company in order to cite the statistic that 25 percent of all data breaches are caused by insiders. The "unintentional insider" they referred to as a "weak link in the company" who may be a fine person but believes he or she is doing a good deed in relaying confidential data to someone outside the company, who then causes the attack.

How should firms manage their risk now and in the future? Regarding data breaches that occur through account compromise, Vivolo said that firms should create and require a two-tiered authentication process for accessing client account information. Concerning insiders, de Simone stated that SIFMA encourages its members to create an insider threat program to train employees on steps to take to mitigate cyberattacks. All the panelists agreed that it is much easier to proactively create cyberattack programs to test before an attack occurs rather than to wait until an attack happens.

But Kelley and Vivolo emphasized that there is not a "one size fits all" approach for all firms. Kelley said that small, medium, and large size firms each have different risks, and that the appropriate method also depends on a company’s type of business, which often prescribes the type and amount of data it maintains. Kelley said that FINRA tries to assess a member firm’s risks by raising the issue when staff performs a field examination, and then hints that the firm should implement a data breach prevention program. He stressed the importance of having these talks with firms especially in light of FINRA’s discovery that many firms do not even know where their data is stored. And Vivolo added that assessing the risks of data stored on the cloud is increasingly becoming a concern because many firms now rely on the cloud to store their data. She also declared the importance of firms’ knowing if their critical data is being stored by a fourth party because in the event of a breach, the firm itself will be liable.

But Vivolo also mentioned that SEC Regulations SCI, SID, and SP were promulgated to help issuers and firms assess their cybersecurity risks. And de Simone exclaimed that firms should hire enough people to work on cybersecurity matters behind the scenes in their offices so that the firm’s consulting cybersecurity technology experts can proactively address the problem in the field.

Concerning the future, the panelists remarked upon the increase in insurance companies selling firms cybersecurity insurance. The panelists agreed that having this insurance is a good idea in the event of a cybersecurity attack, which they declared will inevitably happen to all firms. The panelists further proclaimed that the process of applying for the insurance is a good thing if, in order to calculate the amount of insurance a firm needs, it forces the firm to assess its cybersecurity assets, its data, where the data is stored, and the risk of that data being subject to cyberattack.

What help is there for a firm’s clients and U.S. citizens to prevent cyberattacks to their own data? All the panelists emphasized that the firms alone cannot prevent cyberattacks. They said that it is up to everyone in the chain including the firms’ clients and U.S. citizens to bear some of the responsibility at the community level. The panelists said, for example, that individuals can take steps to mitigate data breaches by protecting their router, creating a two-tiered authentication process to access data, updating their devices’ virus protections, and installing patches.

When Van der Laan asked the panelists what they are doing to help citizens protect themselves from data breaches, Kelley remarked upon FINRA’s website now having a web page to provide cyber information as hot topics develop. Vivolo mentioned the SEC’s investor.gov website, together with the Commission’s Office of Investor Advocacy and Education. And de Simone said that SIFMA members routinely inform their clients about cybersecurity issues to protect them from attack.

Wednesday, 30 October 2019

Paxos greenlighted to use DLT to clear equity trades during limited production test

By Mark S. Nelson, J.D.

A no-action letter issued by the SEC’s division of Trading and Markets to Paxos Trust Company, LLC will allow Paxos to conduct a 24-month test of its Paxos Settlement Service (PSS) using distributed ledger technology (DLT). Paxos had raised the possibility that, absent no-action relief, its production test of the PSS could make it an unregistered clearing agency without a relevant registration exemption. The exact role of the SEC’s clearing agency regulations in the DLT/blockchain space was not directly addressed in the SEC’s key documents on digital asset securities, such as the DAO Report or the SEC’s "Framework," both of which focus on investment contracts, although several other divisional statements strongly hint at the requirements for clearing agencies. As a result, the Paxos no-action letter will serve as one example of how DLT/blockchain activities might be addressed in the clearing agency context, but it remains to be seen if such relief can be scaled up for a larger group of securities with much higher trading volumes on a permanent basis.

A Paxos press release emphasized that the PSS would be the first settlement system for U.S. equities that was not part of the legacy market infrastructure developed nearly 50 years ago. "The U.S. equities business continues to face unprecedented consolidation and economic pressures, requiring a comprehensive transformation of market structure," said Paxos CEO and co-founder Charles Cascarilla. "This is an important first step on our journey to reimagine the entire post-trade infrastructure, and one that creates immediate benefits for market participants." Cascarilla added that the PSS could be scaled up for other asset classes and clients.

Paxos’s website explains its business as that of attempting to "democratize access to a new, global, frictionless economy." The company also boasts several prominent directors, including former Senator and Democratic presidential candidate Bill Bradley and former FDIC Chairwoman Sheila Bair.

PSS production test. The PSS is designed to test the feasibility of using DLT to settle equity trades. Specifically, the PSS leverages multiple accounts at Paxos and The Depository Trust Co. plus wire transfers from participants to a Paxos bank account to create a "digitized security entitlement" that is credited to a participant’s account within the PSS on the Paxos ledger. However, the PSS trial, at least initially, will not attempt corporate actions processing (e.g., dividend payments), so PSS participants will have to transfer their securities from their PSS Accounts to their DTC accounts nightly. The PSS will utilize a private, permissioned DLT.

Paxos argued in its no-action request letter that its PSS would be consistent with the Congressional findings expressed in Exchange Act Section 17A(a)(1)(C): "New data processing and communications techniques create the opportunity for more efficient, effective, and safe procedures for clearance and settlement." Paxos, for example, said its PSS would bring several benefits, including faster settlement through the use of T+0 or T+1 and not just the current standard of T+2. The PSS also would facilitate enhanced intraday liquidity by employing a simultaneous delivery versus payment process that results in settlements that are irrevocable and unconditional.

According to the Division of Trading and Markets, its staff will not recommend enforcement against Paxos if Paxos conducts a test to gauge the feasibility of operating a settlement system for U.S.-listed equity securities without registering as a clearing agency. The SEC’s reply to Paxos’s request emphasized that the no-action relief would be granted for a limited time for the purpose of processing a de minimis volume of trades in a small number of equity securities, which themselves will subject to multiple selection criteria. Paxos must begin to wind up the test one month before the end of the 24-month test period.

More specifically, the PSS trial will adhere to a number of parameters, including: (1) a limit of seven participants; (2) securities will be public securities registered under Securities Act Section 6 or Exchange Act Section 12; (3) a security must satisfy six criteria, including being a component of the Dow, S&P 500, or the Russell 1000; and (4) trading must comply with volume limits. Paxos said it will monitor for compliance with the parameters of the test period.

Registration looms without no-action relief. The SEC has on at least two occasions warned securities markets participants that some entities engaged in the business of digital asset securities may have to comply with the regulations for clearing agencies. The SEC’s guidance on whether digital asset securities are investment contracts, however, is far more detailed than its several statements on market participants such as exchanges and clearing agencies operating in the same space.

In its November 2018 Statement on Digital Asset Securities Issuance and Trading, the Division of Trading and Markets along with the Division of Corporation Finance and the Division of Investment Management, expressed numerous concerns about the trading of digital asset securities. The last footnote to the statement observed that regulations applicable to clearing agencies also could be relevant in this context. In March 2018, the Division of Trading and Markets and the Division of Enforcement also had warned that some entities may need to register as clearing agencies in a Statement on Potentially Unlawful Online Platforms for Trading Digital Assets .

Exchange Act Section 17A(b)(1) mandates that clearing agencies be registered. Under Exchange Act Section 3(a)(23), a "clearing agency" is any person who, among other things, acts as an intermediary in making payments or deliveries in connection with securities transactions. The statutory definition also provides a long list of entities that are excluded from the definition, including national securities exchanges, national securities associations, or broker-dealers solely because they perform certain specified activities.

Tuesday, 29 October 2019

Enforcement Co-Director Peikin touts self-reporting, creative remedies at Securities Docket conference

By Amanda Maine, J.D.

Steve Peikin, co-director of the SEC’s Division of Enforcement, recently participated in a panel discussion at the Securities Docket 2019 Enforcement Forum. Peikin addressed recent Division initiatives, such as its Share Class Selection Disclosure Initiative, as well as the SEC’s approach to remedies and settlements.

SCSD Initiative and self-reporting. Peikin touted the Commission’s Share Class Selection Disclosure (SCSD) Initiative, which encouraged mutual funds to self-report violations of SEC disclosure rules relating to mutual fund fee structures, including 12b-1 fees, in exchange for favorable settlement terms. Nearly 100 firms have entered into settlements with the Commission, including 79 in March and 16 in September.

Bradley J. Bondi of Cahill Gordon & Reindel, who moderated the discussion, asked Peikin if the SEC would pursue similar self-reporting initiatives like the SCSD Initiative and the Municipalities Continuing Disclosure Cooperation Initiative. Peikin said that he would not rule it out but stated that the self-reporting initiatives established by the SEC in recent years involved certain criteria such as behavior that was widespread and difficult to detect.

Bondi also inquired why the SEC chose a self-reporting initiative to capture mutual fund disclosure failures as opposed to a 21A report. For example, Bondi pointed to the Commission’s 21A report from October 2018 which outlined various cybersecurity-related incidents but did not sanction the companies cited in the report. Peikin explained that the SEC had already brought several enforcement actions relating to 12b-1 fee disclosures before the SCSD Initiative, so the self-reporting initiative would be more appropriate.

Regarding self-reporting in general, former SEC Enforcement Director William McLucas, now at Wilmer Hale, said that the lack of guidance about self-reporting from the SEC can result in tough discussions with clients because there are no guarantees for self-reporting in contrast to the detailed guidelines from the Department of Justice. George S. Canellos, formerly of the SEC’s Enforcement Division and currently at Milbank, agreed, stating that without formal guidelines for cooperation credit, the SEC is “all over the map.”

Remedies. Bondi asked Peikin about the Commission’s use of non-monetary penalties. Peikin said that the SEC is taking a creative approach to remedies which may not involve financial sanctions. The SEC wants to address the cause of the problem, he said. As an example, he cited the SEC’s enforcement action against Tesla and its CEO Elon Musk, which involved a settlement requiring Musk to step down as Tesla chairman and imposed certain procedures for monitoring Musk’s public statements about the company.

Bondi cited a Cornerstone report that SEC penalties are trending downward and inquired about how the Commission assesses penalties. Peikin said that the SEC continues to evaluate the harm caused by the conduct, its egregiousness, and how widespread the conduct was in assessing penalties. Peikin also said the Commission wants companies and firms to be aware of the message it sends when imposing a penalty.

Settlements and waivers. Bondi brought up a recent change at the Commission involving the way the SEC approaches settlements and subsequent waivers. Under the new approach, instead of considering settlements and waiver requests separately, the Commission will examine them simultaneously. Peikin said that the policy is still very new and that CorpFin makes its own recommendations separate from Enforcement. He said that the Division is still studying it and to “stay tuned.”

Canellos was not as shy in expressing his opinion on the new policy. He praised the new procedure, stating that before it was enacted, he couldn’t inform his client what the consequences would be when entering a settlement with the SEC. He went on to say that most disqualifications that result from an SEC order, such as disqualification from well-known seasoned issuer (WKSI) status, are “dumb” and can occur from the “tiniest infraction.” According to Canellos, these collateral disqualifications should be a remedy that the SEC seeks, rather than something that flows automatically from the imposition of an administrative order.

Monday, 28 October 2019

SEC proposes updates to filing fees systems

By Lene Powell, J.D.

The SEC has issued proposed rule amendments designed to make filing fee systems more efficient. The amendments would automate some aspects of the currently highly manual systems for filing fee preparation and payment processing by companies and investment companies, with the aim of making processes faster, easier, and less error-prone. The proposal would make fee data machine-readable by requiring it to be presented in eXtensible Business Reporting Language (XBRL). The proposal would also allow fees to be paid via Automated Clearing House (ACH) and eliminate the option for payment via paper checks and money orders (Filing Fee Disclosure and Payment Methods Modernization, Release No. 33-10720, October 24, 2019).

Improved efficiency. Currently, filers and Commission staff must process and validate EDGAR filing fee information within the filing by highly manual and labor-intensive methods. Filing-fee related information is generally not machine-readable, and the underlying components used for the calculation are not always required to be reported, sometimes resulting in calculation and re-keying errors. In addition, complexity and number of transactions can make fee calculation difficult.

Proposed changes. The proposal would make changes to the following forms to require disclosure and structuring of all information necessary to calculate the fee in Inline XBRL format:
  • Forms S-1, S-3, S-8, S-11, S-4, F-1, F-3, F-4, and F-10 under the Securities Act;
  • Schedules 13E-3, 13E-4F, 14A, 14C, TO, and 14D-1F under the Exchange Act; and
  • Forms N-2, N-5, and N-14 under the Investment Company Act.
The proposal would also add an option for fee payment via ACH, which offers faster and more accurate fee payment processing through standardized fee payment identification fields, and eliminate the option for fee payment via paper checks and money orders.

Cost to implement. The SEC said that costs to implement the changes will vary across filers, depending how much of their data is already in structured format, but should be minimal because the information is already required to be gathered. The SEC believes that 266 filers would be newly subject to Inline XBRL requirements as a result of the proposed amendments and would therefore incur costs to develop processes and potentially license software or engage a third party to comply with the proposed requirements.

Request for comment. The SEC asked for comments on costs and benefits of the proposed rules from the point of view of filers, investors, and other market participants, as well as on reasonable alternatives. The SEC asked 47 specific questions, including whether the amendments should be phased in over time.

The release is No. 33-10720.

Friday, 25 October 2019

Judge vacates $16M Kraft-CFTC consent order and reopens manipulation case over wheat trades

By Mark S. Nelson, J.D.

U.S. District Judge John Robert Blakey vacated a consent order agreed to by the CFTC, Kraft Foods Group, Inc., and Mondelez Global LLC regarding alleged manipulation by Kraft of markets for red winter wheat, a key ingredient in Kraft’s snack foods. The district court’s latest order preserves part of the contempt proceedings that were ongoing against the CFTC before the Seventh Circuit was asked to clarify how the district court should proceed on the contempt issues. The district court also reopened the case and directed the parties to either reach a new settlement or to prepare to agree to a trial date at a hearing set for late November (CFTC v. Kraft Foods Group, Inc., October 23, 2019).

Contempt proceedings. Just days ago, the Seventh Circuit ruled on the CFTC’s petition for a writ of mandamus filed after the district judge had raised the prospect of CFTC officials being called to testify about public statements the Commission and individual commissioners made following entry of the original consent order that settled the CFTC’s case against Kraft for $16 million but without the court making any factual findings or conclusions of law. Kraft and Mondelez had asked the district court to find the CFTC and several of its commissioners in contempt of court for allegedly violating the consent order’s gag rule provision. The Commission’s public statement and a separate public statement by Commissioners Dan Berkovitz and Rostin Behnam asserted a right to speak on the matter based on a provision in the Commodity Exchange Act (CEA) and an interpretation of the consent order’s gag rule.

As the Seventh Circuit had noted, the district judge responded in the mandamus proceeding to the effect that criminal contempt was no longer a possibility for the CFTC or its individual commissioners or staff. That means the remaining contempt proceedings will focus on civil contempt issues. But Judge Blakey’s newest order makes clear that the civil contempt motion filed by Kraft is denied with respect "to any request for civil contempt personally against the CFTC Chairman, Commissioners, or staff members." The civil contempt proceeding, however, remains open to address other related issues.

Judge Blakey also clarified that CFTC commissioners and staff will no longer face the prospect of testifying in court in any further contempt proceedings. The judge will issue a separate order resolving the open contempt issues, including whether the CFTC violated the consent order and other alleged violations of prior court orders, such as one regarding the privacy of settlement conference discussions. Said the court: "Consistent with this Court's practice throughout these proceedings, no other aspect of this case has been made private, and no secret adjudication has been, or will be, authorized."

Consent order vacated. Judge Blakey also vacated the consent order previously agreed to by the CFTC, Kraft, and Mondelez, citing language in the Seventh Circuit’s opinion to the effect that the consent order’s gag rule was "ineffectual" at least regarding public statements made by individual CFTC commissioners. As a result, in combination with the view that the gag rule was material to the prior settlement, the court vacated the consent order, the court’s approval of the consent order, and the court’s judgment.

The Seventh Circuit had reasoned thus regarding the public statement by Commissioners Berkovitz and Behnam: "So if we understand the consent decree as an effort to silence individual members of the Commission, it is ineffectual, for no litigant may accomplish through a consent decree something it lacks the power to accomplish directly, unless some other statute grants that power—and no one argues that any other statute overrides §2(a)(10)(C)." The provision cited is CEA Section 2(a)(10)(C), which states: "Whenever the Commission issues for official publication any opinion, release, rule, order, interpretation, or other determination on a matter, the Commission shall provide that any dissenting, concurring, or separate opinion by any Commissioner on the matter be published in full along with the Commission opinion, release, rule, order, interpretation, or determination."

The statement issued by Commissioners Berkovitz and Behnam expressly relied upon the CEA provision as the basis for their speaking publicly on the CFTC-Kraft settlement. The Commission’s public statement on the settlement interpreted the gag rule in the consent order to apply only to a "party" (i.e., the Commission, Kraft, and Mondelez), but not to individual commissioners speaking on their own behalf.

Judge Blakey further explained the vacatur as follows: "Quite simply, the factual record undermines the notion that the parties ever agreed to the CFTC's recent legal theory that the Consent Order would somehow bind the CFTC as an entity, but not bind the very agents through which it acts, i.e., its Chairman, Commissioners or staff members."

Case reopened. Having vacated the consent order, Judge Blakey then reopened the CFTC’s case against Kraft and Mondelez and lifted the stay that had halted proceedings in the district court while the Seventh Circuit mulled the CFTC’s mandamus petition. That means numerous motions also have been reinstated and must be resolved as the case moves forward, including:
  • CFTC’s motion for summary judgment on Count III (speculative position limits) and Count IV (wash sales). The CFTC’s overall theory was that Kraft signaled the market not to store wheat such that sellers would be forced to sell wheat to Kraft at lower prices.
  • Kraft’s/Mondelez’s motion for summary judgment. The motion emphasizes the lack of evidence (while also seeking to exclude Dr. Wilson’s report on false signaling), the lack of an artificial price, the presence of a valid hedge exemption, and that wash sales claims fail as a matter of law.
  • Kraft’s/Mondelez’s motion to exclude testimony of Dr. William Wilson, the CFTC’s economics expert
  • Kraft’s/Mondelez’s motion to strike Dr. Wilson’s report of August 31, 2018.
  • CFTC’s motion to compel Kraft/Mondelez to produce deposition transcripts and exhibits from the related private civil case of Ploss v. Kraft (N.D. Ill, No. 15-cv-2937). U.S. District Court Judge Edmond E. Chang is considering several motions and the next scheduled status hearing is set for November 25, 2019.
Judge Blakey observed that CFTC, Kraft, and Mondelez can enter into a new settlement agreement and submit a new proposed consent order to the court. But if the parties cannot agree to a settlement, they should be prepared on November 20, 2019 to set a trial date.

The case is No. 15-cv-2881.

Thursday, 24 October 2019

Zuckerberg defends Facebook, Libra before FSC

By Amy Leisinger, J.D.

Facebook CEO Mark Zuckerberg spoke to members of the House Financial Services Committee regarding Facebook’s involvement with the proposed Libra payment system and the ongoing challenges facing the tech giant. According to Zuckerberg, the digital currency would serve consumers with limited access to means to transfer money, but the legislators expressed concerns about privacy and security, power concentration in the Libra Association governing the system, and the potential for systemic issues arising resulting from widespread adoption. Several of the committee members also pressed the Facebook official on the company’s approaches to discriminatory advertising and issues surrounding employee diversity.

Libra. In June 2019, the Libra Association (a consortium of organizations, including Facebook’s Calibra subsidiary) announced plans to develop Libra, a currency that would be built on a blockchain and backed by a reserve of real assets called the Libra Reserve. Calibra would develop a digital wallet for Libra that would be available both as a standalone app and through Facebook’s Messenger and WhatsApp products. Libra is designed to target more mainstream users than traditional cryptocurrencies, particularly those who do not engage with the traditional financial system but have access to a mobile phone

FSC Chairwoman Maxine Waters (D-Cal) opened the discussion by urging Facebook to address its other privacy and advertising concerns before jumping into the cryptocurrency arena. According to Zuckerberg, however, the primary purpose of Libra is not strictly to act as a cryptocurrency but to promote financial inclusion for the unbanked and underbanked with a safe, efficient means of sending and receiving payments around the world. Money should be able to move as quickly as a message, he said. In his view, the financial structure in United States is outdated, and a more modern approach could serve the financial system as a whole. In response to Rep. Carolyn Maloney (D-NY), Zuckerberg stressed that Facebook does not ultimately control the Libra Association and would not be involved the Libra project if approval from U.S. regulators cannot be obtained.

“[W]e support Libra delaying its launch until it has fully addressed U.S. regulatory concerns,” Zuckerberg stated.

Regarding risks, several committee members asked why individuals and businesses should trust Facebook given its history of failing to protect private information. Zuckerberg reiterated that compliance with U.S. regulations will be a prerequisite of Facebook’s involvement in the Libra project, and “know your customer” and anti-money laundering regulations, as well as other federal regulations, will apply. In addition, there is and will remain a clear separation between Facebook’s social data and Calibra’s financial data, he explained. Zuckerberg stressed that the goal is to create global payment system not a currency, and the United States needs to innovate to ensure that the dollar continues to lead. Representative Andy Barr (R-Ky) agreed that it is always better to be on the side of innovation, and Zuckerberg noted that there are also risks to not trying new things. Legislation and regulation could put the United States at odds with counterparts around the world, including China, which is moving forward with a system similar to Libra. Assets would be used to underpin Libra, and protections would be in place for unauthorized transactions, Zuckerberg explained. However, Rep. Juan Vargas (D-Cal) stated, “when something threatens the dollar, we get nervous.”

When asked why companies including Visa, Mastercard, PayPal, and eBay have dropped out of the Libra Association, Zuckerberg noted that the Libra project is an innovative project that comes with a certain amount of risk. Over 20 companies remain in the association, and other entities have expressed interest in getting involved, he stated. Calibra is only one member of the group, and Facebook does not expect to continue leading Libra efforts; the Libra Association now has a governance structure in place and will be driving the project going forward, according to Zuckerberg.

Chuy Garcia (D-Ill) questioned Zuckerberg on the potential for Facebook to overpower traditional financial institutions, noting his introduction of the Keep Big Tech Out of Finance Act, which is designed to prohibit large platforms from becoming financial institutions or being affiliated with financial institutions, as well as to prohibit them from establishing or operating a digital asset intended to be broadly used as medium of exchange. Garcia asked whether Libra should be regulated as a bank, and Zuckerberg stated that, although Libra is a different type of payment system, the SEC should ultimately decide. Garcia replied that blurring the lines between banking and commerce tends to cause problems.

Other concerns.
Several committee members also questioned Zuckerberg regarding potential discrimination in connection with Facebook advertisements and diversity issues in employment. He acknowledged that as part of a settlement, those who seek to advertise housing, employment, or credit opportunities are now required to go through a special advertisement purchasing process that prohibits targeting by age, gender, or zip code. Separately, he noted that Facebook has made diversity a priority in hiring and plans; within the next five years, Facebook plans to have women, people of color, and other underrepresented groups make up at least 50 percent of its workforce, Zuckerberg said. Diversity leads to “better decisions, better products, and better culture,” he concluded.

Wednesday, 23 October 2019

PCAOB officials outline inspections trends, best practices

By Amanda Maine, J.D.

Top officials in the PCAOB’s Division of Registration and Inspections recently addressed ALI-CLE’s 2019 Accountants’ Liability Conference in Washington, D.C. The officials gave advice on how to prepare for an inspection and identified the most common deficiencies the staff has encountered during recent inspections.

Areas of focus. George Botic, director of the Division of Registration and Inspections, advised that the Board’s five-year strategic plan, which was issued as a draft in August 2018, and approved by the PCAOB in November 2018, emphasized that the inspections program should seek to prevent audit failures and not just detect them. The staff has kept this is mind in its approach to quality control by taking what it has learned from the inspections of the six largest firms and applying these lessons to inspections of smaller firms, he said.

According to Botic, the staff has maintained an external focus on issues such as updating what goes into an inspection report. Inspection reports as they exist now are very long, so the staff is thinking about how to make them more user-friendly. Botic said the staff hopes to issue a draft of an improved inspection report later this year or early next year.

The staff has also taken a more proactive approach to communications with audit committee chairs, Inspections Deputy Director Christine Gunia said. Compared to previous years, the staff engaged with all audit committee chairs of audits selected for inspection in 2019, instead of just some of them, according to Gunia. She also said that the staff has been engaging in two-way dialogue with audit committee chairs rather than simply asking them questions. As of September 30, the Board’s inspection teams had dialogues with over 325 audit committee chairs, Gunia stated.

Preparing for an inspection. Gunia also gave tips on how to prepare for an inspection, the most important of which is clear and timely communication. Gunia advised that beginning in 2019, as part of responding to comment forms, firms are being asked to link the stated deficiency to their system of quality control. According to Gunia, this will help inform and possibly identify where in a system of quality control the failure occurred and detect or prevent a deficiency from occurring.

One effective way of communicating with inspections staff is through the use of visual aids, such as process flow diagrams and whiteboarding, Gunia recommended. She added that communication does not end when the inspectors leave. For example, post-inspection communication occurs in the context of written replies to the comment forms, Gunia said.

Frequent findings. Inspections Deputy Director Timothy P. Sikesoutlined several recurring findings that arise during inspections that can negatively impact audit quality. One common practice that continues to arise is the alteration of audit work papers. Sikes warned that altering work papers can result in sanctions, including the revocation of a firm’s registration and barring individuals from the industry. Firms are also failing to timely archive their audit documentation within 45 days of the inspection, he noted.

The staff has noted that some firms are not meeting their obligations under Form AP. Some Forms AP contain incomplete or inaccurate information or are not filed at all, Sikes stated. He encouraged auditors to review the Board’s guidance on Form AP, which was issued in February 2017.

Independence issues continue to be a problem, according to Sikes. The staff frequently identifies deficiencies that suggest some firms and their personnel either do not understand independence requirements or do not have controls in place to prevent independence violations. Other common inspections findings the staff has encountered include those related to internal control over financial reporting, revenue recognition, accounting estimates, and evaluating the risk of material misstatement, he added.

Good practices. Sikes also highlighted a number of good practices the staff has observed. These include extending accountability to key firm leaders, developing guidance to identify and assess risks of material misstatements, revising training programs and providing support from experienced personnel, and enhancing audit tools in areas of significant judgement.

Tuesday, 22 October 2019

SEC directors address Enforcement Division matters including cybersecurity

By Jay Fishman, J.D.

SEC Enforcement Division Co-Directors Stephanie Avakian and Steven Peikin, in an October 21, 2019, hour-long SEC Historical Society webinar moderated by Merri Jo Gillette (the deputy general counsel at Edward Jones), answered questions about the Division’s handling of cybersecurity and other enforcement matters.

Fiscal years 2019 and 2020. Gillette separated her questions into those pertaining to the Division’s handling of enforcement issues in the just-now-ending 2019 fiscal year, and those enforcement matters being addressed in the new fiscal year.

Avakian and Peikin emphasized that the Commission’s primary issue in any fiscal year is investor protection but that fiscal year 2019 saw an uptick in cybersecurity and initial coin offering cases, with the particular challenge being how to keep pace with the increasing technologies used to perpetrate these cyber and virtual currency crimes. The co-directors added that until recently, limited resources prevented them adding staff to help prosecute these frauds. Moreover, they proclaimed that the 35-day government shutdown earlier this year prevented them from even investigating these cases but that they learned during the shutdown how to expedite the handling of cases to more quickly resolve them when the shutdown ended.

When Gillette asked about fiscal year 2020, Peikin said he does not anticipate a big change because the landscape from 2019 was broad enough to extend into the new year. Peikin and Avakian both stated that the Division will always get the typical fraud cases but that 2020 will probably see escalating schemes involving cybersecurity, initial coin offerings and conflicts of interest. And they remarked that other than the challenge from having limited resources to go after these schemes, the additional challenge particularly nowadays is discovering and then educating themselves on these technologically advanced securities crimes, e.g., cybersecurity and virtual currencies, as the crimes so quickly develop electronically to victimize investors.

Cybersecurity. Regarding cybersecurity, Gillette relied on a SEC cybersecurity report to ask whether the Commission expects corporate boards to provide steps to prevent or mitigate a cyberattack. Avakian and Peikin answered that the Commission does not expect companies to have a specific approach in place but would hope that they have something to disclose to investors along with the risks of a data breach. The co-directors then went on to cite the Yahoo case as an example of a company whose lack of any cyber policy in place allowed wholesale data breaches to occur. They additionally pointed out that Yahoo was one of the only companies whose data breach warranted SEC prosecution.

When asked what factors would prompt an SEC investigation, Avakian and Peikin were quick to point out that because of having limited resources, the Enforcement Division must look at a number of factors including the size of the entity and, depending on size, what, if any, cyber policy is in place, what type and how many disclosures the entity has failed to provide investors about potential data breaches, and whether other U.S. or foreign government agencies have gotten involved. If other agencies such as the Environment Protection Agency have gotten involved because the company is, say, polluting the air, the SEC won’t join the case unless investors were involved and collectively lost a certain large amount of money from investing in the entity. Likewise, if a foreign government were prosecuting an entity domiciled in that country, even if U.S. investors were involved and lost money on U.S. bonds or stocks, the SEC would weigh a number of factors such as how many U.S. investors were involved and how much money they lost before deciding whether to enter the fray.

When Gillette asked about the Division’s prosecution of individuals such as a company’s CEO versus just the company itself, Avakian and Peikin stated that 70 percent of the Division’s cases name individuals while the other 30 percent name the company alone because the evidence does not show one or more individuals as being responsible for the crime. But they emphasized that prosecuting individuals has a deterrent effect, although sometimes it is a long process because the individual has a lot to lose, including reputation, and so spends a lot of money on litigation.

Digital coin offerings. The co-directors made a point of mentioning that they do not prosecute only fraud, but that especially in the emerging initial coin offering arena they will go after the issuers who fail to register an offering. They said that for whatever reason these issuers think that the coins are not securities and so are exempt from registration, and attempt to sell them without claiming an appropriate exemption or absent that, without registering them with the SEC. By simply selling them, they are not providing investors with the appropriate disclosures they need to make an informed decision about whether to invest and, thereby, open the investors up to experiencing significant financial losses if the investment is a bust, which it often is.

Self-reporting and tolling. Gillette spent some time asking about the issue of tolling and self-reporting. The co-directors said that this SEC self-reporting initiative incentivizes the alleged wrongdoing entities and individuals to sign tolling agreements for the possible receipt of a reduced crime and sentence down the line. They said, however, that signing a tolling agreement is not in theory supposed to equate with a defendant’s “being cooperative” to earn them reduced crime and sentencing status but that in reality a defendant’s signing the agreement can work to mitigate circumstances by, for example, permitting a settlement. Conversely, a defendant’s refusal to sign a tolling agreement often prompts Division staff to expedite the investigation to bring about a quick, harsh resolution for the defendant. And the reason for expedition is to avoid from the tolling of a fraud statute, the loss of disgorgement from the defendant’s ill-gotten gain to pay back the victimized investors.

Usefulness of white papers and Wells process. When Gillette asked about the usefulness of white papers and the Wells process for resolving cases, Peikin and Avakian answered in the affirmative. Peikin further stated that white papers have sometimes actually resulted in decisions and parts of an outcome going in a different direction from what was previously thought.

Monday, 21 October 2019

Cybersecurity issues top of mind at Chicago-Kent Conference on Futures and Derivatives

By Brad Rosen, J.D.

Representatives of the CFTC, NFA, and CME Group, along with some of the industry’s top lawyers and experts, shared their insights, guidance and advice about the current state of law and regulation at the 11th Annual Chicago Kent Annual Conference on Futures and Derivatives. This year, the gathering of industry compliance and legal professionals heard the usual updates on CFTC enforcement actions and NFA regulatory matters, but also had the opportunity to learn about the intersection of antitrust and derivatives law, ethical issues implicated in regulatory investigations, and lessons on aggressive courtroom tactics from a lawyer who took on the DOJ in United States v. Flotron, a high-profile spoofing prosecution, and won.

Issues surrounding cybersecurity cut across a number of the conference sessions as the current cyberthreat landscape continues to grow increasingly more complex. In the past years, regulators have become more demanding as cyber breaches have clearly implicated supervisory obligations and raised the stakes in connection with CFTC enforcement liability.

NFA guiding members in an everchanging cyber landscape. Cyber security issues were at the top of the NFA’s list, in the second panel of the day led by Patricia Cushing and Jennifer Sunu, both NFA compliance directors. Cushing explained in 2019, the NFA updated its 2016 notice on cybersecurity which required members to adopt and enforce written procedures to secure customer data and access to their electronic systems. That notice also required firms to document their policies and procedures in an Information Systems Security Program (ISSP).

In April 2019, the NFA updated the interpretive notice which, in part, specifies a member’s reporting obligations in the event of cyberbreach. Under the new requirements, a member should promptly notify NFA if there is a cybersecurity incident that results in:
  1. any loss of customer or counterparty funds;
  2. any loss of the member's own capital; or
  3. the member is required to providing notice to customers or counterparties under state or federal law. 
The notice was updated to indicate that firms should be familiar with notice requirements in applicable US and non-US data security and privacy statutes and regulations. Cushing indicated that the NFA is still very much taking an educational approach with respect to working with its members regarding these cybersecurity requirements. However, if history is any guide, the enforcement shoe will drop eventually for NFA members in this area as well.

Cyberbreaches, supervisory failures, and enforcement liabilities from a CFTC perspective. In her presentation, CFTC Department of Enforcement Trial Attorney Allison Passman made it loud and clear that a cyberbreach by a CFTC registrant could clearly implicate CFTC supervisory obligations under Regulation 166.3 or Regulation 23.602, which relates swaps dealers and major swap participants. Passman pointed to In the Matter of Phillip Capital Inc., a case filed in September 2019, where a registered futures commission merchant was found to have violated the Regulation 166.3 by permitting cyber criminals to breach the firm’s email systems, access customer information, and successfully withdraw $1 million in firm customer funds.

The order in that matter also found that the firm failed to disclose the cyber breach to its customers in a timely manner, and the firm failed to supervise its employees with respect to cybersecurity policy and procedures, a written information systems security program, and customer disbursements. The order imposed monetary sanctions totaling $1.5 million, which included a civil monetary penalty of $500,000, and $1 million in restitution. The order also required Phillips Capital to provide reports to the CFTC on its remediation efforts. 

An afternoon of emerging threats. In his well-received presentation, Skadden Arps attorney William Ridgway took conference attendees on a brief, but terrifying, tour of the emerging cyberthreat landscape. He noted that matters are becoming increasingly complex especially with regard to the rise of ransomware. In 2016, ransomware accounted for $1 billion in losses. That figure grew $5 billion in 2017 and $8 billion in 2018, but still many incidents don’t get reported he explained. According to Ridgway’s research, ransomware attacks are increasingly targeting financial institutions, ransom demands are larger, and increasingly perpetrators seek to embarrass their victims. Ransom amounts now often exceed $50,000 while 70 percent of the victims typically pay the required ransom.

Ridgway also observed that the dark web is increasingly facilitating criminal activity. Ransomware as a service has emerged whereby one party can create a ransomware package while another can utilize it for their own nefarious purposes. Moreover, Bitcoin, which is often used to pay ransomware extortionists, can be mixed and laundered so as to make the funds used to pay the ransom untraceable.

Ridgway also observed the trend by which regulations are becoming more demanding. In particular, he pointed to New York Division of Financial Services regulations which require:
  • annual penetration testing and bi-annual vulnerability testing;
  • auditing of third-party vendors;
  • multi-factor authentication for remote access;
  • encryption of all non-public information; and
  • annual board certification of compliance with the regulations. 
In concluding, Ridgway left conference attendees with four key takeaways:
  1. Technology is empowering a more robust cyberthreat.
  2. We are more vulnerable with the rise of the Internet of Things, big data, and the cloud. 
  3. Regulators around the globe are raising the bar.
  4. Basic cybersecurity is essential.

Friday, 18 October 2019

Shkreli cert petition challenges jury instructions, forfeiture calculation

By Rodney F. Tonkovic, J.D.

Former Retrophin, Inc. head Martin Shkreli has filed a petition for certiorari with the Supreme Court challenging the jury instructions in his securities fraud prosecution. Shkreli's petition challenges the Second Circuit's approval of a "no ultimate harm" instruction in the securities fraud context. He also takes issues with how his forfeitable profits were calculated. A response is due on November 15, 2019 (Shkreli v. U.S., October 10, 2019).

Shkreli was convicted of three counts (out of eight charged): two counts of securities fraud under Exchange Act Section 10(b) in connection with the hedge funds he managed and one count of conspiracy to commit securities fraud in connection with his pharmaceutical company, Retrophin. The Second Circuit ultimately affirmed the district court's judgment, amending it to impose a concurrent term of imprisonment of 84 months. He was also ordered to pay fines totaling $75,000, restitution in the amount of $388,336.49 and forfeiture of substitute assets in the amount of $7,360,450.

"No ultimate harm" instruction. Shkreli objects to the "no ultimate harm" instruction given to the jury. According to the petition, the court gave two different versions of the instruction for the securities fraud (for which Shkreli was convicted) and wire fraud counts (for which Shkreli was acquitted) and then incorporated both versions by reference when the court instructed the jury on the good faith defense. The instruction for the securities fraud charges told the jury that a defendant's belief that everything would work out so that no investors would lose any money does not require a finding that the defendant acted in good faith. On the other hand, the instructions for the wire fraud charges included language specifying that "an intent to defraud" means to intend to deceive for the purpose of causing loss to another.

Before the Second Circuit, Shkreli argued that his inconsistent acquittals and convictions were explained by the district court's disparate jury instructions regarding "no ultimate harm" between the securities fraud-related counts and the wire fraud conspiracies. If it was correct to give the instruction as to securities fraud in the first place, the additional language from the wire fraud instructions should have been included, Shkreli said. The Second Circuit saw no error in including a "no ultimate harm" instruction in securities fraud cases, noting that it has previously upheld such an instruction on multiple occasions. There was no error in the differing language between the two instructions because the crimes have different elements, and the instructions correctly stated the law.

The petition asks the Court to consider, as a matter of first impression, whether a "no ultimate harm" instruction is appropriate in the securities fraud context, since there is no element of loss or intended loss. The instruction effectively holds the accused to a higher standard of conduct than the statute requires. Shkreli notes that mail, wire and bank fraud are premised on a showing of intended harm. Securities fraud, on the other hand, requires an intent to defraud—intent to harm is not an element. Almost all of the circuit courts of appeals have approved the "no ultimate harm" instruction, the petition says, but almost uniformly with respect to mail or wire fraud; some have approved the instruction in the context of securities fraud under a different section than that involved in this case, such as mail, bank, or wire fraud. If the instruction is approved in a securities fraud case, the petition asks that the Court consider whether additional language should be required in order to avoid prejudice.

Forfeitable profits. Shkreli's second question concerns the calculation of forfeitable profits. Prior to sentencing, the government moved for forfeiture of Shkreli's profits, and Shkreli countered that the forfeitable proceeds should be reduced by money returned to investors. The district court ruled in favor of the government.

According to Shkreli, the forfeiture statute requires a precise determination of the proceeds illegally collected, minus certain offsets that the district court failed to consider, such as the returns received by the investors. The Second Circuit disagreed, stating that "forfeiture is gain based" and, at the very least, Shkreli's gains included the money he caused his investors to invest via his misrepresentations.

Shkreli asserts that the forfeiture provision is ambiguous enough to reasonably preclude consideration of a defendant’s "gains" until the investors' own gains are then subtracted. In this case, then, it can be argued that no forfeitable funds—or at least a much lower amount—remained after the robust profits paid to investors.

The petition is No. 19-459.

Thursday, 17 October 2019

Exchanges, SEC spar over transaction fee pilot

By John M. Jascob, J.D., LL.M.

In oral argument before the D.C. Circuit Court of Appeals, several national exchanges and the SEC debated the Commission’s statutory authority to adopt a rule creating a transaction fee pilot for national market system (NMS) stocks. The NYSE Group, Nasdaq, and Cboe Global Markets have all challenged the legality of the controversial pilot, which is designed to study NMS stocks and the effects that exchange transaction fee and rebate pricing models may have on order routing behavior, execution quality, and general market quality (New York Stock Exchange LLC v. SEC, October 11, 2019).

Created under New Rule 610T of Regulation NMS, the pilot subjects exchange transaction-fee pricing, including "maker-taker" fee-and-rebate pricing models, to new temporary pricing restrictions across three test groups. The pilot, which will last for a maximum of two years with a potential one-year sunset period, applies to all NMS stocks and includes all equities exchanges.

“Reckless experiment.” Arguing on behalf of the NYSE exchanges, Thomas G. Hungar of Gibson, Dunn & Crutcher asserted that the SEC has created an "exogenous shock" to the securities market that threatens to harm investors, reduce liquidity, and unfairly tilt the competitive playing field in a way that harms exchanges and benefits off-exchange, dark venues without advancing any of the objectives of the Exchange Act. Hungar stated that the SEC did not even find that its new rule will do more good than harm, nor did it conclude that the information that it hopes to obtain from the "reckless experiment" will actually benefit investors, strengthen the market, or promote the purposes of the Exchange Act. In the exchanges’ view, the Commission is acting like a doctor who is subjecting his patient to risky open-heart surgery without first using all the available diagnostic tools to find out whether there's anything wrong and without knowing whether anything good will come of the risky experiment.

Noting that the purpose of the new rule is to gather data, Judge Edwards asked whether the exchanges were contending that this was an impermissible purpose under the Administrative Procedure Act (APA). Hungar responded “no,” provided that the agency is able to engage in an experiment that it predicts, based on the record, will reasonably further the Exchange Act. Although a pilot program is not prohibited just because an agency has not been given explicit statutory authority, the Exchange Act does not give SEC a free pass to evade the requirements of the APA, Hungar stated. Moreover, Exchange Act Section 11(a) requires the Commission to find that the rule will carry out the objectives specified by Congress.

Returning to Hungar’s medical analogy, Judge Edwards observed that sometimes the best we can do is exploratory surgery because we are not precisely sure, so we need to take a look. Judge Pillard noted that the exchanges appear to be faulting the SEC for its neutrality on the question of whether the maker-taker system is harmful to the markets and investors. Why, she asked, would pushing the SEC off this position make the agency more in compliance with its statutory obligations? Hungar replied that the fact that the Commission thinks there is a question does not allow it to issue rules that threaten harm to the markets it is supposed to protect. Agencies don't have to predict with certainty, but they do have to predict that it is more likely than not that the rule will do good.

Answering an abstract question that does not achieve any of the objectives of the Exchange Act is not permissible, Hungar continued. And even conceding that the Commission can issue rules that threaten the market, the SEC has not exhausted all alternatives. Although the Commission claims that it lacks data, the SEC has comprehensive authority to demand that information from brokers at its whim, Hungar asserted.

Hungar cited the Albuquerque Study, which found that $6 billion in investor losses resulted from the SEC’s tick size pilot alone. The exchanges believe that the losses to investors from this pilot will be 10 times as great. Moreover, the SEC has no experimental exception under the statute, Hungar contended. If the SEC is permitted to go forward, then a huge truck will be driven through the APA because a new rule will always provide more information about how that rule affects the regulated markets.

SEC’s response. Arguing on behalf of the SEC, Tracey A. Hardin began by stating that the SEC specifically concluded in its adopting release that gathering the necessary data in the pilot would further the purposes of the Exchange Act. Hardin observed that the statute gives the Commission a continuing regulatory responsibility to ensure the efficient operation of the national market system. Here, the SEC is faced with a credible case on both sides of the question of whether the existing fee structure is causing market distortions. Forbidding the rule creating the pilot would put the SEC in a Catch-22 situation where it cannot gather the data needed to determine whether there is market distortion because it does not have the data.

The SEC believes that this informational benefit will further the public interest, Hardin stated. Moreover, there is a regulatory need for this information because there is a fundamental question of whether the status quo is causing market distortions. Although information-gathering is not one of the listed objectives of Exchange Act Section 11(a), engaging in data-driven decision-making is well within the purposes of the Act, Hardin said, and is something which the court itself has indicated that the Commission should be striving to do.

Regarding the availability of other data sources, Hardin said that the Commission specifically went through the existing sources and concluded that ultimately none of the data would reach the question of causality. The pilot is reasonably designed to get to the causality question because fees and rebates and order routing can be jointly determined. Without holding one of those factors constant. Hardin stated, one cannot really know what the causational factor is.

Observing that there are already markets that do not use the maker-taker model, Judge Pillard asked why those markets are not being used as sources of data. Hardin answered that as long as rebates are being paid at other exchanges, this data will not tell us what will happen if no exchange pays rebates. For example, the data will not you tell the effect on spreads across different classes of securities if rebate-sensitive orders can just go next door to another NYSE-sponsored exchange that pays rebates. Many execution-quality questions cannot be answered as long as you have most exchanges paying rebates, Hardin stated.

Regarding the exclusion from the pilot of off-exchange data, Hardin argued that existing data will allow the SEC to track order flow both on- and off-exchange. This is the important question for purposes of this pilot because off-exchange venues are not part of the regulatory scheme that is being tested. For example, they do not charge transaction-based fees and typically do not pay rebates, so none of the other questions the Commission is asking concerning the appropriate regulatory structure for transaction-based fees really apply off-exchange. The pertinent question, Hardin said, is whether the on-exchange regulatory scheme shifts order flow back or forth off-exchange, which is something the SEC can track with existing data. Including off-exchange data would have greatly expanded the scope and cost of the pilot, Hardin concluded.

The case is No. 19-1042.

Wednesday, 16 October 2019

Kraft-Mondelez tells appellate panel why Commissioners are not entitled to mandamus relief

By Brad Rosen, J.D.

In response to a motion to intervene filed on behalf CFTC Chairman Heath Tarbert and Commissioners Dan Berkovitz and Rostin Behnam, defendants Kraft Foods Group Inc. and Mondelez Global LLC forcefully assert their reasons for the Seventh Circuit appellate panel not to issue the requested writ of mandamus. If granted, the mandamus relief would either direct District Judge Robert Blakey not to hold an evidentiary hearing or deny the defendants’ underlying motion for contempt (CFTC v. Kraft Foods Group, Inc., October 11, 2019).

A brief case history. The current controversy in this matter centers around the CFTC’s alleged breach of a consent order entered on August 14, 2019, which settled a long-running market manipulation enforcement action pending in the Northern District of Illinois. Paragraph 8 of that consent order limited public statements by the parties regarding the settlement. After an emergency hearing held on August 19, 2019, the district court set an evidentiary hearing to consider contempt and sanctions in connection with the CFTC and various personnel’s conduct with regard to post-settlement press releases on the agency’s website. That prompted the Commission to file its mandamus petition. Three of the five CFTC commissioners have filed a motion to intervene in order to address and protect their personal interests relating to the case.

The commissioners knowingly disregarded paragraph 8. In their opposition brief, the defendants note that Paragraph 8 of the consent order prohibits any statement that characterizes the settlement in any way. Moreover, the defendants assert that the commissioners knew Paragraph 8 prohibited them from making any statements characterizing the settlement, and further point to that as the reason why the commissioners twice directed their trial lawyers to seek its removal and express to defendants that they did not want to be bound as to what they could say. The defendants also note that in the eight briefs the CFTC or commissioners have filed in the district court or the appellate court, they have never denied those admissions nor offered an alternative explanation for their requests to remove Paragraph 8.

Notably, the CFTC, and the commissioners involved in this matter, have steadfastly questioned the legal relevance of their pre-settlement requests to remove Paragraph 8. They maintain those matters are irrelevant. Notwithstanding, the defendants’ note that the commissioners now ask the appellate court to ignore their admissions, ignore Paragraph 8, and cloak them with blanket immunity from the consequences of their knowing violation of the consent order—all without affording the district court the opportunity to hold a hearing and rule on the contempt motion.

The appellate court should not issue the writ of mandamus. The defendants’ argument to reject the mandamus petition is premised upon the following four bases:
  1. The relief the commissioners seek is premature and beyond the scope of mandamus. The CFTC and commissioners are seeking the writ to direct the district court to deny the defendants’ contempt motion because they contend the defendants cannot carry their burden of proof. In large part, the commissioners argue Paragraph 8 does not apply to them because they are not “parties”, they have a statutory right to make statements, and any testimony that would help the defendants carry their burden is privileged. The defendants assert that all of those issues are fully briefed and pending before Judge Blakey. Accordingly, he should consider them in the first instance.
  2. The commissioners are not entitled to immunity. The commissioners have claimed that they are entitled to absolute or qualified immunity. The defendants observe that the commissioners did not present this argument to the district court, nor has the district court ruled on any immunity the CFTC asserted on their behalf. Accordingly, that alone makes granting the mandamus remedy inappropriate according to the defendants.
  3. The commissioners understood Paragraph 8 to restrict their statements. The defendants urge the court to read Paragraph 8 in light of its plain meaning and apply that to the commissioners’ statements. They reject the commissioners’ position by which the court is being asked to disregard that language because, as a practical matter, the CFTC could not have intended to “subvert” the commissioners’ statutory right to make statements. The defendants note that the CFTC did not tie the commissioners’ hands in this regard, but rather the commissioners did so themselves when they unanimously approved the settlement. 
  4. Confining sanctions to the CFTC will be insufficient to ensure compliance and deter future violations. The defendants reject the commissioners’ argument that the appellate court should postpone any contempt proceedings against them until the court has attempted to secure compliance by sanctioning the CFTC. The defendants note this argument was previously presented to Judge Blakey, and he is the judicial official who should resolve it in the first instance. 
Next up. Not surprisingly, the CFTC stands in direct opposition to the defendants’ positions as contained in the motion for opposition. In the Commission’s view, the petition is indeed ripe for consideration, and the evidentiary hearing as contemplated by the district court should be halted. A reply in support of mandamus petition by the CFTC is expected to be filed shortly.

The case is No. 19-2769.

Tuesday, 15 October 2019

Inspector General discusses challenges facing the SEC

By Amy Leisinger, J.D.

The SEC’s Office of Inspector General has issued a report identifying the most pressing challenges faced by the Commission. The report notes that, with regard to significance in relation to the SEC’s mission and potential fraud or abuse, the agency must continue to evolve in meeting its regulatory oversight responsibilities with respect to industry developments, in its efforts to protect its information systems and the data stored therein, and in improving management of outside contracts and internal personnel.

Oversight responsibilities. According to the report, the IG’s office continues to recognize that, as markets and products increase in size and complexity, the SEC faces additional challenges in fulfilling its mission of protecting investors, maintaining fair and efficient markets, and facilitating capital formation. The Commission’s Strategic Plan establishes goals to ensure that the agency adapts its operational focus to remain an effective regulator and keeps pace with changing markets while also ensuring sufficient examination coverage and investigations, the report notes.

Industry advancements have introduced new risks and magnified existing risks, but, for several years, the SEC’s annual appropriation was essentially flat, which required difficult operational decisions, according to the IG. Increased FY 2019 funding allowed the SEC to begin lifting the hiring freeze and address critical priorities, the reports explains, but the Office of Compliance Inspections and Examinations continues to face challenges with regard to limited resources and the size and complexity of SEC-regulated entities continues to grow. In addition, the timeliness of enforcement investigations remains a concern, according to the report.

The SEC continues to leverage technology and analytics to meet its obligations while conserving resources, the report states. To efficiently use resources, the IG notes that the agency continues to develop a modernized, more secure EDGAR filing system, to expand secure cloud computing, and to enhance analytic systems and to retire legacy applications. The SEC is also working on digitizing business processes to improve efficiency, the report explains.

Systems and data protection. The SEC also has taken steps to reduce the amount of sensitive information stored in its systems and to improve related security controls. However, the report explains, opportunities to strengthen its cybersecurity and information security program remain. While the Commission has introduced new security capabilities, improved its security controls and practices, and engaged outside experts to complete testing, the agency is assessing means by which to further reduce its “attack surface,” according to the IG. Although the SEC’s Office of Information Technology has taken steps to strengthen authentication mechanisms and reduce critical vulnerabilities, more must be done to implement recommendations from cybersecurity experts, the report states. The report also highlights the ongoing audit of the SEC’s management of its cloud computing services and the assessment of the agency’s mobile device program and controls for information protection that will be completed.

Contract and human capital management. The SEC relies on contractor support in a wide variety of its programs and operations, and contract management remains challenge, according to the IG. Commission management plans to further promote effective contract management by improving contracting officer communications, ensuring proper training, and conducting annual reviews of contract files, the report states. The agency also will continue to assess the use of time-and-materials contracts and related variations in costs to minimize risks to the Commission, the IG explains. In FY 2020, the report notes, the agency will further assess contract management and acquisition processes across each phase of the contracting life cycle.

Separately, the SEC will continue to work toward implementation of a new performance management program and to address previously identified human capital management challenges, the report concludes.

Monday, 14 October 2019

NFA president touts global benefits of industry self-regulation

By Lene Powell, J.D.

As Europe struggles with the projected exit of the U.K. from the European Union, National Futures Industry (NFA) President Thomas Sexton explained to an audience of market participants and regulators in Paris the advantages of the U.S. model of relying on self-regulation as a first line of defense, including insight, responsiveness, and global reach. Sexton emphasized NFA’s strong relationships with international counterparts as well as non-U.S. regulators and IOSCO and described attributes essential for successful self-regulation, including mandatory membership and government oversight.

Sexton’s remarks were prepared for delivery at the Annual Compliance and Legal Conference of the Association for Financial Markets in Europe (AFME) on October 3, 2019 in Paris, France.

NFA’s mission and operations. Noting that the self-regulatory model does not exist in many jurisdictions outside the U.S., Sexton explained that as a self-regulatory organization (SRO) closely overseen by the CFTC, NFA does not operate a market, is not a trade association, and is not a statutory regulator. Rather, NFA passes and enforces rules for its members relating to business conduct, sales practices, and financial requirements. NFA has six primary functions: registration, rulemaking, monitoring members, enforcement and disciplinary process, market regulation, and dispute resolution.

NFA’s focus has evolved over time in response to changing market realities and statutory oversight responsibilities, including taking on increased oversight in the retail forex area after passage of the Commodity Futures Modernization Act (CFMA) in 2000 and certain swaps oversight activities after the Dodd-Frank Act passed in 2010.

New focus on virtual currencies and cybersecurity. As NFA continues to respond to emerging developments, virtual currencies have recently taken on increased focus, said Sexton. Although NFA members’ activity in virtual currency products has been “modest to date,” NFA carefully monitors members’ activities in these products through specific reporting requirements. NFA has also issued an investor advisory and adopted other requirements in this area, including requiring NFA members to provide detailed additional disclosures to customers.

Sexton revealed that NFA faces particular challenges in overseeing spot virtual currencies, especially with respect to verifying ownership and control. He emphasized that if an SRO is developed to oversee virtual currencies, it needs to have essential elements of successful SROs, including mandatory membership.

Cybersecurity is another area of increased NFA scrutiny. In addition to taking steps to enhance its own cybersecurity, NFA requires member firms to conduct security and risk analysis, deploy protective measures, develop a response and recovery plan, train employees, and review their programs at least every twelve months. NFA works with member firms during examinations to make sure they understand the requirements and comply.

Benefits of self-regulation. Sexton highlighted advantages of the self-regulatory model, including bringing significant resources to bear in ensuring market integrity and investor protection. NFA has 536 employees and a budget of approximately $107 million. Due to economic, reputational, and regulatory self-interest, SROs are motivated to act responsibly, develop best practices, and monitor their markets. SROs also maintain market insight by using market professionals throughout the regulatory process and can respond much more quickly than government regulators to rapid developments in the market, said Sexton.

Given uncertainties about the future of government oversight after Brexit, it is particularly helpful that SRO oversight reaches across international boundaries. Sexton pointed out that members are located around the globe, and self-regulation is defined by contract and rulebook rather than national legislative acts. NFA also coordinates closely with global counterparts. In performing on-site examinations of non-U.S. members in numerous foreign countries, including the U.K., Canada, Australia, Sweden, Hong Kong, and Singapore, NFA offers global counterparts the opportunity to participate in examinations and join NFA on-site. NFA also offers to provide NFA's examination report and the non-U.S. member's response to the report, as well as periodic examination updates.

Essential requirements. For self-regulation to work, Sexton said SROs need the following characteristics: 
  • Mandatory membership, so that firms the most in need of self-regulation do not simply evade it;
  • Recognition by industry leaders that strong self-regulation is in the industry’s long-term best interest;
  • A board and committee structure that ensures that no one industry sector dominates;
  • Commitment by the SRO’s senior management to the ideals of self-regulation;
  • Rulemaking and enforcement authority to ensure vigorous protection of market integrity and investors;
  • Effective government oversight that covers all aspects of the SRO's regulatory activity, yet does not oppressively micromanage the SRO in every detail. 
In conclusion, Sexton said that although NFA has and must continue to evolve to meet changing regulatory challenges, its mission today is the same as it was in 1982—to protect customers, protect market integrity, and foster the public's confidence in the derivatives markets.

Friday, 11 October 2019

Excessive fee case wraps up in adviser's favor

By Rodney F. Tonkovic, J.D.

The district court sitting in Manhattan has dismissed a breach of fiduciary duty claim against Calamos Advisors LLC. According to the court, the majority of the Gartenberg factors weighed decisively in the adviser's favor. The court accordingly concluded that the shareholder plaintiffs failed to prove that Calamos breached its duty under Section 36(b) and dismissed the complaint (Chill v. Calamos Advisors LLC, October 9, 2019, Ramos, E.).

This suit was filed in early 2015 on behalf of the Calamos Growth Fund. Calamos Advisors serves as adviser to the fund under an investment management agreement that provides for an annual advisory fee. The complaint brought a claim under Investment Company Act Section 36(b) that the fees received by Calamos were, and remain, so disproportionately large that they bore no reasonable relationship to the services rendered and could not have been the product of arms-length bargaining.

Calamos has twice been unsuccessful in seeking dismissal of the claims. In March 2016, the court denied the firm's motion to dismiss the shareholders' claims alleging excessive compensation for investment adviser and distribution services. After 18 months of discovery, the plaintiffs dropped the challenge to distribution fees, and Calamos again filed a motion for summary judgment. In October 2018, the court granted Calamos' motion in part, but concluded that triable issues of fact remained as to the allegations concerning comparative fee structures, profitability, the nature and quality of services provided, and the overall conscientiousness of the trustees' evaluation of the fees (i.e., four of the six Gartenberg factors).

No breach. After a bench trial commencing in November 2018, the court concluded that the shareholder plaintiffs failed to prove that Calamos breached its duty under Section 36(b). The court first considered the trustees' evaluation of the fees and concluded that this factor weighed in favor of Calamos. According to the court, the weight of the credible evidence showed that the trustees were "fully informed, conscientious, and careful" in approving the annual fee. The evidence presented at trial was far in excess of what had been presented at the summary judgment stage and showed a robust review of the differences between services rendered to the fund versus Calamos' non-fund clients.

The court next found that Calamos' fees were not excessive when compared to fees charged by peer mutual funds or what Calamos charged its non-fund clients. First, while Calamos' fees were above industry average, they were still within the range charges by its peers; charging an above-average fee does not, without more, show a violation of Section 36(b). And, the higher fees charged to the fund versus Calamos' other accounts reflected the substantial difference in the administrative, legal, regulatory and compliance services provided plus the greater risks involved in the management of the fund, the court said.

Next, the profitability of the fund to Calamos also did not support a conclusion that the advisory fees were excessive. Here, the estimates of Calamos' profitability fell well within the ranges approved by other courts, and there was no other evidence indicating that the profit margins were excessive.

Finally, in considering the nature and quality of the services provided to the fund, the court noted that the fund's performance was "often underwhelming." While this factor supported the contention that the fees were excessive, it did so weakly because investors are usually more concerned with future performance over past performance. In this case, Calamos made numerous changes to its investment team and investment process in an effort to improve. The court also considered the fund's long-term performance, which included periods in which it outperformed peer funds.

Of the six Gartenberg factors, only one—the quality of services provided—even marginally supported the shareholders' claim, the court concluded. The five remaining factors weighed decisively in Calamos' favor. The court accordingly found that there was no breach of the fiduciary duty under Section 36(b), dismissed the complaint, and directed that the case be closed.

The case is No. 15 CIV. 1014.

Thursday, 10 October 2019

IRS freshens guidance on taxation of cryptocurrencies

By Mark S. Nelson, J.D.

The Internal Revenue Service issued a revenue ruling and a set of FAQs that are intended to supplement earlier guidance issued by the IRS in a 2014 notice regarding how to treat transactions in virtual currencies under federal tax laws and regulations. The additional guidance had been widely anticipated because of recent calls by lawmakers for more clarity on the taxation of virtual currencies and because of changes in the virtual currency market place, specifically the rapid growth (and periodic crashes) of some of the most popular virtual currencies, since the IRS last addressed the topic five years ago in Notice 2014-21 (Revenue Ruling 2019-24, October 9, 2019).

IRS Commissioner Charles Rettig said in a press release that the IRS is “committed” to educating the public on tax obligations related to virtual currencies. “The new guidance will help taxpayers and tax professionals better understand how longstanding tax principles apply in this rapidly changing environment,” said Rettig. “We want to help taxpayers understand the reporting requirements as well as take steps to ensure fair enforcement of the tax laws for those who don't follow the rules.”

Hard forks and Revenue Ruling 2019-24. On a virtual currency blockchain, a hard fork occurs when a protocol change in the blockchain produces a new virtual currency in addition to the original virtual currency. Examples would be the hard forks that resulted in Bitcoin and Bitcoin Cash and Ethereum and Ethereum Classic. The reasons for a hard fork can vary, but they include the more innocuous such as a group of users who want to create a rival virtual currency with different characteristics as well as the potentially less innocuous such as a 51-percent attack waged by those with a controlling share of the original virtual currency. In any event, a hard fork of a virtual currency can implicate tax laws and the application of those laws can become ever more complicated depending on how the hard fork was executed.

Revenue Ruling 2019-24 seeks to address some of the tax issues that can result from a hard fork. The Revenue Ruling defines “hard fork” to mean “a protocol change resulting in a permanent diversion from the legacy or existing distributed ledger.” Transactions in the new virtual currency would be recorded on that virtual currency’s distributed ledger and transactions in the legacy virtual currency would be recorded on the legacy distributed ledger.

The Revenue Ruling posits two examples of hard forks, both of which contemplate the creation of new virtual currencies, but only one of which results in an “airdrop” of the new virtual currency. The Revenue Ruling defines “airdrop” as the distribution of a virtual currency to multiple taxpayers’ distributed ledger addresses (note that not all forks result in air drops). The tax treatment of the two hypothetical hard forks varies significantly based on the presence or absence of an airdrop and the taxpayer’s ability to dispose of the new virtual currency. The two examples also address only ordinary income under Internal Revenue Code Section 61, which contemplates income from whatever source derived, unless such income is adjusted under another Code provision. The following examples have been abstracted from the Revenue Ruling:
  • Example 1—Taxpayer holds units of the virtual currency Crypto M. A hard fork results in the creation of new virtual currency Crypto N. The new virtual currency is neither airdropped to the taxpayer nor is it transferred to an account owned or controlled by the taxpayer. The taxpayer never received the new virtual currency and, thus, had no accession to wealth. The taxpayer has no gross income from the hard fork.
  • Example 2—Taxpayer holds units of the virtual currency Crypto R. A hard fork results in the creation of new virtual currency Crypto S. The hard fork results in an airdrop of 25 units of Crypto S to the taxpayer’s distributed ledger address and the taxpayer is able to immediately dispose of Crypto S. The Crypto S airdrop is recorded on the applicable distributed ledger and, as of that time, the taxpayer’s Crypto S has a fair market value of $50. The taxpayer received an accession to wealth in the form of units of Crypto S, which constitutes $50 in gross (ordinary) income in the taxable year in which the Crypto S was received. The taxpayer’s basis in Crypto S is also $50. 
The Revenue Ruling then posits two somewhat more abstract principles for dealing with hard forks (the following are taken verbatim from the Revenue Ruling):
  • A taxpayer does not have gross income under Section 61 as a result of a hard fork of a cryptocurrency the taxpayer owns if the taxpayer does not receive units of a new cryptocurrency.
  • A taxpayer has gross income, ordinary in character, under Section 61 as a result of an airdrop of a new cryptocurrency following a hard fork if the taxpayer receives units of new cryptocurrency. 
The IRS’s revised and expanded virtual currency FAQs are discussed more fully below. However, with respect to hard forks, Questions 23 and 24 discuss how to calculate income and basis in the context of an airdrop following a hard fork.

Revised FAQs. The IRS also published an expanded set of FAQs that more than doubles the number of FAQs published with the 2014 Notice from 16 to 43. The new FAQs re-affirm that, for purposes of federal tax law, virtual currencies are treated as property and virtual currency transactions are subject to general principles of taxation. However, the IRS noted that the new FAQs generally are limited to the treatment of virtual currencies as capital assets.

Still, some of the new FAQs address previously un-addressed issues. For example, Question 29 addresses soft forks (as opposed to the hard forks discussed in Revenue Ruling 2019-24), something that occurs normally in the building of a blockchain or distributed ledger and which the IRS states does not result in a diversion of the ledger or the creation of a new virtual currency. As a result, a taxpayer would not have any income from a soft fork.

Question 35 states that a transfer from one digital wallet or other account belonging to a taxpayer to another digital wallet or account that also belongs to that same taxpayer would not be a taxable event. Questions 36-38 state that a taxpayer may identify specific units of a virtual currency to be disposed of but the taxpayer must document her basis in those units (e.g., detailed information about the virtual currency associated with a unique digital identifier such a private or public key); absent proper documentation, units of a virtual currency to be disposed of are accounted for on a first in, first out (FIFO) basis.

Question 5 states that, for purposes of determining whether a taxpayer has a long- or short-term capital gain, the holding period begins the day after acquisition of the virtual currency and ends when the virtual currency is disposed of. If the virtual currency was held for more than one year, the gain/loss is a long-term capital gain/loss, while there would be a short-term capital gain/loss if it was held for one year or less.

Questions 30-32 state that income from a bona fide gift of virtual currency would not be recognized until the virtual currency is disposed of. This group of questions also addresses how to calculate basis in gifted virtual currency and confirms that the holding period for gifted virtual currency includes the donor’s holding period, at least to the extent the recipient can document the donor’s holding period. Questions 33 and 34 address charitable contributions of virtual currency, which generally would not result in recognized income, gain, or loss if donated to a charity described in Code Section 170(c).

Lawmakers seek clarity from IRS. Lawmakers have periodically called for additional IRS guidance during the past several years. A reply by Commissioner Rettig to a letter from Rep. Tom Emmer (D-Minn) earlier this year indicated that the issuance of further guidance on virtual currencies was a priority for the IRS. Specifically, Commissioner Rettig said the IRS intended to publish guidance addressing three topics: (1) acceptable methods for calculating cost basis; (2) acceptable methods of cost basis assignment; and (3) tax treatment of forks. (See, Letter of Rep. Tom Emmer to IRS Commissioner Rettig, April 11, 2019; Letter from Commissioner Rettig to Rep. Tom Emmer, May 16, 2019).

In the 116th Congress, the Safe Harbor for Taxpayers with Forked Assets Act of 2019 (H.R. 3650; the bill was originally introduced in the 115th Congress as H.R. 6973), sponsored by Rep. Emmer, would provide temporary relief for taxpayers who experience forks in the virtual currency they hold. First, the bill would provide that the IRS could not impose penalties or additions to tax regarding underpayments or understatements attributable to a taxpayer’s attempt to comply with tax laws applicable to the receipt or disposition of virtual currency. The provision would provide relief from Code Sections 6662 to 6664 regarding accuracy-related and fraud penalties.

Second, the bill would provide for no penalties or additions to tax regarding any failure during the applicable period to file a return or report or to make a tax payment that is attributable to the filing or payment requirements for the receipt or disposition of virtual currency. The provision would impact the following Code provisions: (1) Section 6651—failure to file a return or to pay tax; (2) Section 6654—individual’s failure to pay estimated income tax; (3) Section 6655—corporation’s failure to pay estimated income tax; (4) Section 6656—failure to make a deposit of taxes; (5) Section 6698—failure to file a partnership tax return; (6) Section 6699—failure to file an S corporation tax return.

Other proposed tax legislation, such as the Token Taxonomy Act (see, H.R. 2144 and H.R. 7356), sponsored by Rep. Warren Davidson (R-Ohio) and first introduced in the last Congress, would address IRAs, collectibles, like kind exchanges, and the taxation of gains from the sale of virtual currencies. The Token Taxonomy Act also would exempt digital tokens from the definition of “security” under federal securities laws.