1. Off-channel communications
In the last few years, the SEC has conducted multiple investigatory sweeps of registrants whose employees communicate on “off-channel” platforms, such as text messages, personal emails, or messaging apps like WhatsApp. The SEC has issued significant penalties against broker-dealers and investment advisors whose document retention policies and procedures failed to prevent or collect employees’ off-channel business-related communications.
On December 17, 2021, the SEC issued a $125 million penalty against a major bank. On September 27, 2022, the SEC issued a combined $1.1 billion in penalties against 16 financial firms. On May 11, 2023, the SEC issued $15 million and $7.5 million in fines against two foreign banks and their U.S.-based broker-dealers. On August 8, 2023, the SEC issued a combined $289 million in penalties against 11 financial firms.
The SEC’s various investigations uncovered the following key issues:
- Employees at all levels of seniority routinely communicate about business matters off-channel.
- Communications and data exchanged off-channel were often not preserved by the registrant.
- As a result, the SEC asserted that business records were not properly retained in accordance with recordkeeping provisions and often could not be produced when requested by regulators.
Further, recent SEC activity indicates that additional investigations may be forthcoming. As a result, it is crucial to ensure that registrants have robust compliance policies and procedures that properly preserve business-related data and communications.
2. Private funds
On August 23, 2023, the SEC adopted final rules and rule amendments to enhance the regulation of private equity firms and hedge funds and update existing compliance rules for investment advisors. The final rules impose new disclosure and reporting requirements, which will require funds, fund managers, and investment advisors to file quarterly reports on performance and associated fees and expenses and disclose to the SEC certain fee structures, thereby limiting funds’ ability to give preferential treatment to certain investors.
Although the final rules will impose substantial new compliance requirements, they are significantly less burdensome than the proposed rules the SEC published in February 2022 and have mostly been met with relief by the industry. Significantly, whereas the SEC had initially contemplated banning “side letters” that include special terms for preferred investors, the final rules only require funds to disclose such letters’ existence. Nevertheless, the increased regulatory burden and costs that implementing the new rules will likely carry may adversely impact smaller funds, which could be forced to consolidate as a result.
The rules, which will apply to new agreements, will go into effect 60 days following their adoption, although some will be phased in gradually depending on the fund’s size.
On July 26, 2023, the SEC adopted final rules that establish registrants’ disclosure obligations concerning cybersecurity risk management, governance, and reporting of material cybersecurity incidents within four days by a public SEC filing using Form 8-K. The new rules further require (1) annual disclosures that describe the registrant’s processes to assess, identify and manage material cybersecurity risks and whether such risks have materially affected or are reasonably likely to materially affect the registrant’s business; and (2) disclosures that describe the extent of board oversight of cybersecurity risks and the role management plays in assessing and managing such material cybersecurity risks. These disclosures will be required in the registrant’s annual report on Form 10-K. Foreign private issuers will be subject to similar reporting requirements in Form 6-K for material cybersecurity incidents and Form 20-F for cybersecurity risk management, strategy, and governance.
A cybersecurity incident will be deemed to be material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision or if it will significantly alter the “total mix” of available information. Where a registrant has determined that a material cybersecurity incident has occurred, the registrant would be required to describe in its Form 8-K submission the incident’s nature, scope, and timing, and any material impact or reasonably likely material impact the incident will have on the registrant’s business. Notably, the SEC’s final rules did not maintain the proposed requirement to disclose the board of directors’ cybersecurity expertise.
The final rules will become effective 30 days following publication of the adopting release in the Federal Register. The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure.
1. Off-channel communications
The SEC has recently issued significant fines and penalties against registrants determined to be in violation of federal recordkeeping rules. Following a review of the recordkeeping activities and off-channel communications of employees at certain broker-dealer and investment advisor firms, the SEC noted that employees at all levels of seniority at these firms routinely communicated about business matters off-channel, such as through personal text messages or WhatsApp. As a result, these records were not preserved by the firms. The SEC stated that these recordkeeping failures impeded the SEC’s timely access to evidence and ability to investigate securities violations. In 2021, the SEC fined a major bank $125 million for such violations. In 2022, the SEC similarly issued a combined $1.1 billion in fines against 16 financial firms, with fines ranging from $10 million to $125 million. Most recently, in May and August 2023, the SEC issued a combined $311.5 million in fines against 12 financial firms, with fines ranging from $7.5 million to $125 million.
Notably, recordkeeping failures have recently also been penalized in civil cases where SEC recordkeeping obligations did not apply. While not directly relevant, this development in civil cases may portend even stricter enforcement for SEC registrants. In March 2023, a California court sanctioned a multinational technology company in an ongoing antitrust case for violating the duty to preserve electronically stored information under Federal Rule of Civil Procedure 37(e). The company had destroyed employee chat evidence and had permitted individual employees to identify internal chat conversations responsive to a litigation hold. The court said that the business “fell strikingly short” in its duties to preserve records. The company failed to implement an evidence preservation strategy once it had been notified of the case and was delayed in notifying the court of its transgressions.
2. Digital tokens as unregistered securities
In 2020, the SEC brought an action against Ripple Labs, the creator of the XRP token, and several of its executives. The SEC claimed that Ripple had raised over $1.3 billion through the sale of XRP tokens in an unregistered securities offering. On July 13, 2023, Southern District of New York Judge Analisa Torres issued a landmark ruling for the crypto community, holding that programmatic, or open market, sales of XRP tokens do not constitute investment contracts, and are thus not securities regulated by the SEC. Judge Torres relied on the “Howey test”, which defines an investment contract as a scheme whereby a person (1) invests his money (2) in a common enterprise and (3) is led to expect profits solely from the efforts of others. While the court found that XRP constituted a security for institutional buyers under the Howey test, the court found that the third Howey prong was not satisfied when it came to programmatic sales. The court noted that “Ripple’s Programmatic Sales were not blind bid/ask transactions, and Programmatic Buyers could not have known if their payments of money went to Ripple, or any other seller of XRP.” Therefore, the programmatic buyer “stood in the same shoes as a secondary market purchaser who did not know to whom or what it was paying its money.” While the SEC is seeking to appeal the decision, the partial victory for Ripple has impacted the SEC’s regulatory authority over certain digital tokens.