Securities Enforcement Forum 2014 -- SEC/FINRA Investigations & Cybersecurity Priorities
Today I'm blogging from Securities Enforcement Forum 2014, Bruce Carton's excellent one-day conference, this year being held at the Four Seasons hotel in Washington, D.C. The posts will be fairly raw, and certainly not verbatim accounts of what is being said. This post covers the SEC/FINRA and cybersecurity panel. Jacob Frenkel at Shulman Rogers moderating.
Stephanie Avakian, SEC's Deputy Director of Enforcement: An array of cases against IAs. Misrepresentations, undisclosed conflicts and fees. Adequacy of compliance programs. IAs not disclosing fees. Custody rule. Best execution. Allocation of expenses. B-D side: 15(g) case against Wells Fargo. E*Trade case on unregistered sales of penny stocks. Gatekeeper responsibilities. Developing expertise by centralizing information on B-D cases. Churning initiative, building on OCIE work. AML initiative. Focusing on IRA rollovers. Complex products being sold to retail customers. ATSs. Market access rule. High frequency trading.
Brad Bennett at FINRA: Single-broker cases are FINRA's bread and butter. Those are up 10% year over year. Lots of cases involving microcap securities and liquidations. Real harm to real people. B-Ds are gateways to those schemes. Nuts and bolts type cases. Reg. SHO, e.g. Compliance is not a place to save money. We'll have a strong sanctions year. A non-compliant firm shouldn't have a competitive advantage over a compliant firm.
Karl Groskaufmanis at Fried Frank: In addition to people who missed Madoff in the government, sophisticated investors missed it, too. Investors want to know about principles and strategies.
John Stark at Stroz Friedberg: Lots of challenges with ESI. Back in the day as a staff attorney, we didn't want to ask for too much. Now the secret information is available and has turned full circle. You can ask for all data and they can mine it. Staff says let's make the subpoenas as broad as possible. Data exists in so many different places. Lots of "deleted" data on your systems. Witnesses often testify that they think they've deleted an email or whatever. It can be found. Now you have to find it and review it before producing it to the government. Home devices have to be considered as well.
Bennett: Our enforcement program is only as good as its examination program. But you should not be receiving overbroad document requests from FINRA. We start focused and then expand if necessary.
Stark: Regulated entities have recordkeeping obligations. But then public companies could have more and looser data without those same obligations. Too many places where your data may reside.
Groskaufmanis: With any buy-side investor, when you come into possession of material, nonpublic information, talk to your compliance staff. You can't be omnipresent, but if you do that, you're doing a lot to protect yourself. Legal and compliance is challenging in this environment. Also, don't suspend your common sense. A statute won't, say, tell you specifically not to manipulate LIBOR, but probably don't do that.
Bennett: As a compliance officer, your job comes with responsibility. If you have a duty and don't do it, you'll be charged.
Avakian: I would echo Brad. We view compliance people as the front line and our partners in this. We'll bring cases where warranted.
Frenkel: How should a compliance officer act to preserve the attorney-client privilege?
Groskaufmanis: First, segregate clearly privileged communications. In all of these entities, management looks to you to be someone who makes judgments as they go along. There's a technical definition for an advice of counsel defense. If you can meet those factors, that will count more than anything else. Real challenge for the inside counsel is how to maximize the effectiveness of your judgments in a way that sticks four years later. Some documentation of what you're doing is much better than none. Don't let the perfect be the enemy of the good in terms of getting some record of your advice down in black and white.
Bennett: SEC v. Howard on advice of counsel defense. Sometimes it comes up very late and very few respondents can actually show reliance.
Avakian: We see the range. Some people come in with all the boxes properly checked. In the middle, there was a lawyer in the room or on the emails. On the other end, sort of a reliance-on-process defense. We're going to ask for all of the facts surrounding the advice, so we'll ask for a waiver and will have to dig into those.
Stark: When it comes to giant document productions, sometimes just the collection of data is a huge process. We sometimes have to set up data collection centers abroad because data privacy laws don't allow the production of documents to the U.S. Defendants should push back on SEC subpoenas for hard drives. Those subpoenas are more like search warrants, which the staff aren't authorized to get. The more transparent you can be, the better.
Avakian: We expect staff to be reasonable and seek what they need. We rely on people to exercise their judgment.
Bennett: People who have gotten overbroad requests should negotiate them with the staff. We can go in and take hard drives from recalcitrant firms. When you sign up to be a member firm, you sign on for that. Those seizures haven't been litigated as far as he knows. We have to be aggressive because real harm can be done to real investors. The SEC has done good work against stock liquidators. We have quarantines to avoid getting privileged material. For some people, only criminal prosecutions work.
Stark: Interesting times for cybersecurity. Historically it was the data of customers. Then market manipulations. That paradigm has shifted. OCIE cybersecurity module released in April 2014. Has anyone seen it? It is very sophisticated and requires a lot from IAs. The SEC is showing its cards in a way it doesn't normally do. You read about these data breaches. If you're hacked, you're the victim of a crime and then treated like a criminal. The only one who's your friend is the FBI because they want to figure out who did it. State regulators are calling. Customers are calling. Board is irate. Boards are hiring independent investigators. Hacking investigations are sort of like FCPA investigations in that there are multiple workstreams. Remediation efforts are massive. Most IAs are almost unable to comply with OCIE's module.
Bennett: What is the standard on which one should be judged?
Stark: We have extremely sophisticated clients who are suffering breaches.
Bennett: Still, individuals are falling down on the job and signing security certifications that they shouldn't.
Avakian: Putting aside the giant breaches, B-Ds and IAs need to have policies and procedures in place.
Bennett: If you are devoting inadequate resources to customer protection, then you might have an enforcement action. We won't file cases indiscriminately.
Karl: For some companies, these may be material developments.
Bennett: Your enforcement liability may pale compared to your private civil liability.