On November 8, the Securities and Exchange Commission (“SEC”) imposed a cease-and-desist order against Zachary Coburn for causing his former company, EtherDelta, to operate as an unregistered securities exchange in violation of Section 5 of the Securities Exchange Act of 1934 (“Exchange Act”).  Notably, EtherDelta, a trading platform specializing in digital assets known as Ether and ERC20 tokens,[1] was not operated like a traditional exchange with centralized operations, as there was no ongoing, active management of the platform’s order taking and execution functions. Instead, EtherDelta was “decentralized,” in that it connected buyers and sellers through a pre-established smart contract protocol upon which all operational decisions were carried out.

In the SEC’s view, EtherDelta met Exchange Act Rule 3b-16(a)’s definition of an exchange notwithstanding the lack of ongoing centralized management of order taking and execution.  Robert Cohen, the Chief of the SEC’s Cyber Unit within the Division of Enforcement stated after the order’s release, “The focus is not on the label you put on something . . . The focus is on the function . . . whether it’s decentralized or not, whether it’s on a smart contract or not, what matters is it’s an exchange.” This functional approach echoes prior SEC guidance and enforcement actions in the digital asset securities markets in emphasizing that the Commission will look to the substance and not the form of a market participants’ operations in evaluating their effective compliance with U.S. securities laws. Continue Reading SEC Brings First Enforcement Action Against a Digital Assets Trading Platform for Failure to Register as a Securities Exchange

For the first time, the SEC’s staff issued guidance last week under its rule governing audit committees for listed issuers.  The guidance addresses the composition of audit committees for issuers that are listed in both Brazil and the United States, and it takes the form of an interpretive letter from the Division of Corporation Finance to law firms Cleary Gottlieb and Simpson Thacher.

Please click here to read the full alert memorandum.

On November 2, the SEC’s Enforcement Division released its annual report detailing the facts and figures of its enforcement efforts in fiscal year 2018.  At first blush, this year’s report looks strikingly similar to those from recent years, as the headline numbers in most categories are nearly indistinguishable from 2015, 2016, and 2017.  This consistency may be surprising given that 2018 is the first such report reflecting exclusively the enforcement priorities of the Commission since it was reconstituted under Chair Jay Clayton.

But a closer examination of the report, including the components feeding into the top-line facts and figures and commentary by Division co-directors Stephanie Avakian and Steven Peikin, reveals a clear shift in priorities by the Division.  These range from a philosophical shift in its mission to the reallocation of resources during a hiring freeze.  We address here the most notable of these subtle but important changes.  Continue Reading Retail, Remedies, Resources and Results: Observations From the SEC Enforcement Division 2018 Annual Report

There have been plenty of press reports about the SEC’s settlement with Elon Musk arising from his tweeting about taking Tesla private.  But the concurrent settlement with Tesla itself provides interesting lessons for disclosure and governance at public companies.

Tesla agreed to pay a $20 million penalty and agreed to several “undertakings” to strengthen its governance and controls including a requirement that it add two independent directors to its Board.  And, under his own settlement, Musk agreed to step down for three years as chairman of the Board of Directors, although he is allowed to continue as CEO.  Continue Reading The Tesla Settlement – What It Means for Other Companies

On October 16, 2018, the Securities and Exchange Commission released a Report of Investigation that cautioned public companies to consider cyber threats when designing and implementing internal accounting controls.  The report was based on an investigation of nine victims of email cyber-fraud schemes for potentially failing to have adequate internal accounting controls, in violation of the Securities Exchange Act of 1934.  The report highlights the need for companies to reassess their controls in light of the current cybersecurity risk environment.  By describing the remedial steps taken by the investigated companies, it further provides guidance about the key areas that companies should consider when assessing their own policies and procedures. Continue Reading SEC Investigative Report Urges Public Companies to Guard Against Cyber Threats When Implementing Internal Accounting Controls

On October 15, 2018, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a $16 million settlement with Anthem, Inc. over alleged violations of federal privacy and security regulations under the Health Insurance Portability and Accountability Act (HIPAA).  The settlement resolves an investigation following a data breach that exposed protected health information of nearly 79 million people.  According to OCR, the incident is the largest health data breach to date in the United States and Anthem’s payment similarly represents the largest HIPAA settlement to date.  The settlement is consistent with OCR’s recent focus on enforcing regulatory requirements to conduct an accurate and thorough risk analysis and maintain appropriate mechanisms to monitor systems that contain protected health information and to control access to that information. It also highlights the agency’s distinct cybersecurity remediation approach. Continue Reading The U.S. Department of Health And Human Services Settles With Anthem for Record $16M Over Alleged HIPAA Violations

On Friday, October 12, 2018, during remarks at the NYU School of Law Program on Corporate Compliance and Enforcement Conference on Achieving Effective Compliance, Assistant Attorney General Brian A. Benczkowski of the Department of Justice announced new guidance, issued on October 11, relating to the imposition and selection of corporate compliance monitors in Criminal Division matters. Acknowledging the significant burden that monitors place on corporations, Benczkowski announced that the new guidance is intended to ensure the Criminal Division is acting in a consistent and responsible manner when it imposes a compliance monitor and is designed to “further refine the factors that go into the determination of whether a monitor is needed, as well as to clarify and refine the monitor selection process.”

Please click here to read the full alert memorandum.

Last month, Guatemalan President Jimmy Morales effectively shut down the operation of the UN-operated International Commission against Impunity in Guatemala (called by its Spanish initials, “CICIG”) by declining to renew its mandate past its September 2019 expiration date and by barring the head of CICIG, Iván Velásquez, from re-entering the country.  CICIG, a uniquely independent organ of the United Nations (“U.N.”), was created in 2007 to support and assist Guatemalan institutions in identifying, investigating, and prosecuting public corruption.  Over the past decade, it has investigated nearly 200 public officials, and its efforts led to the prosecution and ultimate resignation of former Guatemalan President, Otto Pérez Molina.[1]  Continue Reading Anti-Corruption in Guatemala: A Critical Moment for CICIG

The English High Court has dismissed an application to discharge the U.K.’s first Unexplained Wealth Order which was obtained by the National Crime Agency on February 27, 2018.

Since January 31, 2018 a number of U.K. enforcement authorities have been able to apply to the English courts for an Unexplained Wealth Order in circumstances where a person’s assets appear disproportionate to their known income.  Once granted, an Unexplained Wealth Order requires an individual or company suspected of serious crime, or a politically exposed person from outside the EEA, to explain and account for the source of their wealth.

In summary, the High Court ruled that:

  1. The respondent fell within the category of persons against whom an Unexplained Wealth Order can be made as her husband is a non-EEA PEP (by virtue of his former role as the Chairman of the state-owned International Bank of Azerbaijan).
  2. There were reasonable grounds for suspecting that a property in London owned by the respondent was purchased with unlawfully obtained income.
  3. The order did not breach the respondent’s human rights.
  4. Neither privilege against self-incrimination nor spousal privilege excuse compliance with an Unexplained Wealth Order.

Please click here to read the full alert memorandum.

The £16.4 million fine imposed by the UK Financial Conduct Authority on Tesco Personal Finance plc provides a salutary lesson on the regulatory exposure associated with failing adequately to prepare for and respond to a cyber-attack – one of the FCA’s stated regulatory priorities.

The episode illustrates how cybersecurity failures can expose a business not only to increasingly draconian penalties under the EU’s General Data Protection Regulation where personal data is involved (effective from 25 May 2018), but also to regulatory enforcement penalties where systems are not in place or are not operated effectively in a crisis.

It highlights the critical importance for businesses of:

  • Establishing cybersecurity and data protection compliance firmly on the management and risk agenda. More than just the costs of doing business in the digital economy, these can give rise to serious regulatory and franchise exposure;
  • Taking effective action to prevent foreseeable cyber-attacks;
  • Establishing appropriate crisis management procedures and providing training to staff on how to invoke them, including through desktop exercises that provide scenario planning training; and

Engaging constructively and immediately with the relevant authorities and stakeholders to mitigate even greater damage to the business once an attack has occurred.

Please click here to read the full alert memorandum.