Last week we wrote about the three-pronged attack that the Department of Justice (DOJ) will use to get more aggressive in prosecuting cases and how they punish corporate offenders. Now, the U.S. Securities and Exchange Commission (SEC) has announced its own intention to conduct faster investigations, bring bigger cases, and to seek harsher penalties. In his first speech on enforcement, SEC Chairman Gary Gensler quoted the agency’s first Chair, Joseph Kennedy, to summarize his own agenda: “The Commission will make war without quarter on any who sell securities by fraud or misrepresentation.”
Chairman Gensler announced four principles that he’s asking that the Enforcement Division utilize to guide their investigations and recommendations to the Commission.
First, Gensler wants the Commission to focus on the “economic realities” of the activity at question. While also applicable elsewhere, this appears to focus on Chairman Gensler’s efforts to increase the SEC’s role in regulating cryptocurrency. In fact, he went off script during the speech and urged lawyers who represent clients in the crypto space to “come in, get them to register,” instead of trying to find ways to avoid SEC regulation through what Gensler calls “regulatory arbitrage.” Crypto trading has been one of several hot-topic areas, like climate change disclosures, special-purpose acquisition companies (SPACs), and trading apps, in which Gensler is trying to expand the SEC’s role. Implicitly acknowledging the lack of clear crypto regulations, Gensler wants companies to focus on the “spirit of the law,” and to err on the side of registration, rather than trying to take advantage of legal ambiguities.
Second, Gensler asked the Enforcement Division to focus on accountability. Recently, Enforcement Director Gurbir Grewal announced a shift back to the Obama-era policy of requiring admission of wrongdoing in certain SEC settlements. For decades, the SEC has settled nearly every case on a “no admit, no deny” basis in which the settling party neither admits nor denies the allegations or charges. While admissions will not likely be required in most cases, when they are, companies and individuals will face tough decisions. An admission of federal securities violations will often result in significant collateral consequences to defendants, such as shareholder claims, parallel criminal investigations, and reputational fallout for companies and individuals. Indeed, the DOJ announced it will use prior misconduct as part of its charging decisions and an admission in connection with an SEC action could weigh heavily with prosecutors. In addition, as we are already seeing, the SEC is becoming more aggressive in seeking relief, including seeking higher amounts for disgorgement and penalties and more aggressively using bars and injunctions, and, like DOJ, it is increasingly demanding that individuals be held responsible for corporate wrongdoing. As an example, the Division of Enforcement reportedly is seeking a hefty $125 million from Nikola Corp. to settle an investigation of alleged misstatements by its founder and executive chairman, who separately has been indicted and sued by the SEC.
Third, Gensler wants the SEC to pursue more “high-impact” cases. This principle dovetails with Gensler’s efforts to make the SEC more aggressive in novel areas, like cryptocurrency and decentralized finance apps, SPACs, and environmental, social, and governance (ESG). Speaking frankly, Gensler said that he wants the SEC to bring cases that cause law firms and advisors to send out alerts to their clients. This “high-impact” approach can lead to the SEC being accused of “regulating by enforcement,” where the SEC brings cases for alleged activity that is not squarely prohibited under the federal securities laws and regulations. While Gensler brushed aside this criticism, he and some of the other Commissioners appear ready to let the Enforcement Divisions pursue cases to change conduct rather than waiting for the often slow administrative or congressional process to address the novel issues.
Fourth, Chairman Gensler wants to improve and speed up the enforcement process. Gensler appeared to place the blame for the often slow investigation process on the defense bar, which, whether a fair claim or not, has caused Gensler to direct Commission staff to take fewer meetings with lawyers trying to persuade them against recommending the threatened charges. Gensler also wants the SEC to work more closely with other federal and state agencies, such as the Commodity Futures Trading Commission (CFTC) with whom the SEC is already closely aligned. Here, Gensler specifically referenced Deputy Attorney General Lisa Monaco’s recent speech on corporate criminal enforcement. Gensler wants the SEC to adopt principles from the new DOJ policy, specifically on (1) taking a company’s entire history of misconduct, not just the specific area at issue, into account in making enforcement action decision; (2) requiring companies looking for cooperation credit to provide the SEC with all relevant facts relating to the individuals involved in the alleged misconduct; and (3) considering on-going agency oversight for certain recidivist companies. Finally, in addressing how the SEC sources cases, Chairman Gensler indicated that the SEC will be seeking more from companies wanting cooperation credit, including reviewing and disclosing misconduct beyond that prompting the self-reporting.
So what does this all mean? For one, none of this comes as too much of a surprise as most everyone expected significantly more enforcement activity under the Biden administration. But, consistent with our guidance to gear up for the new DOJ policies, companies can and should take measures to get ahead of issues in order to be in the best posture should an enforcement inquiry arise. Companies should consider taking the following steps:
- Meaningfully review and update the compliance program. Too often, compliance policies and procedures are viewed as “set it and forget it” because other priorities for time and budget prevail. The SEC, CFTC, and DOJ, however, have made clear that they expect companies to have an effective compliance program and will punish those who do not. Among other steps, companies should conduct an updated risk assessment, which is the foundation of any effective, risk-based compliance program. Particular attention should be given to new, hot issues, such as internal controls relating to disclosure of cybersecurity risks, which was the subject of a “high-impact” case brought by the SEC earlier this year. Companies should also conduct fresh audits to identify control gaps and then to incorporate the updated risk assessment, audit results, and “lessons learned” through prior incidents into an updated compliance program. Fresh, updated employee training can also be very impactful and often helps employees identify how processes can be improved.
- Review how the company’s whistleblower process is working. The SEC continues to have success with its whistleblower bounty program, but data shows that most people that report to the SEC first report internally and usually multiple times. It is important for a company to be able to take charge of an issue and, if needed, earn cooperation credit by self-reporting instead of having stakeholders run to the SEC, CFTC, or DOJ. Often, through the right communication and training, companies ensure that those who report internally feel like their reports are being taking seriously, which lessens the chance they run to the government. Boards/Audit Committees should also ask for details about internal reports and the process by which they were handled. For instance, a spike in hotline reports could signal management issues within a region or division.
- Get outside experts involved for ESG, crypto, and other key areas. If you are in an industry particularly impacted by ESG or are involved in cytpocurrency or SPACs, get outside experts involved. In particular, companies should take a fresh look at their ESG-related disclosures and compliance policies. And, those in crypto or operating through SPACs need to review their business model to ensure compliance with any applicable securities laws or other regulatory bodies, like the CFTC. The SEC wants to regulate in these areas and will be looking for cases in which to try to change behavior through enforcement actions either alone or in coordination with other agencies.