On November 14, the Securities and Exchange Commission announced its enforcement results for the 2023 fiscal year,[1] with case numbers up from fiscal year 2022 and monetary sanctions at the second highest level in the agency’s history, though down significantly from last year’s record highs. In a press release announcing the results, Enforcement Director Gurbir Grewal noted that the past year’s cases demonstrate how the agency “work[s] with a sense of urgency, using all the tools in our toolkit.” This post evaluates how the SEC used its enforcement tools in the past year and surveys the enforcement highlights in key substantive areas.
By the Numbers
In fiscal year 2023, which ended on September 30, 2023, the SEC filed 784 enforcement actions, up 3% from fiscal year 2022. Of those, 501 were “stand-alone” enforcement actions, meaning original investigations that did not merely involve revocation actions against delinquent filers or “follow-on” administrative proceedings seeking professional bars based on criminal convictions, civil injunctions, or other orders. Stand-alone cases – the best measure of core enforcement productivity – were up 8% from 2022. While the agency obtained orders for $1.58 billion in civil penalties, which was the second-highest total ever, this was a significant drop from 2022’s record total of $4.194 billion. Part of the difference was due to a slowdown in the SEC’s industry sweep involving financial institution employees’ alleged use of “off-channel communications.” In fiscal year 2023, the agency obtained more than $400 million in penalties in those cases,[2] down from a whopping $1.235 billion the year before. It remains to be seen how long the agency can continue to extract large penalties from its off-channel communications initiative before it either runs out of targets or faces internal pressure to use its limited resources in other high priority areas.
The SEC also obtained $3.369 billion in disgorgement and prejudgment interest, an increase of over $1 billion from the year before. For the second straight year, the agency distributed over $900 million to harmed investors.
The SEC’s Enforcement Toolkit
Individual Accountability
SEC officials have focused on individual accountability in their public comments, and that was matched by action in fiscal year 2023, with the agency charging individuals in more than two‑thirds of its cases and barring 133 people from serving as public company officers and directors, the highest total in a decade. Notable examples included:
- In a case alleging investor fraud, the SEC charged a global financial institution and two executives with allegedly misleading investors about key performance metrics. One executive agreed to a $3 million penalty and a permanent officer and director bar.[3]
- The SEC charged three executives of a telecommunications company in an alleged scheme to improperly recognize and inflate revenue. All three executives, including the former controller, were permanently barred from serving as officers or directors.[4]
Whistleblowers
It was a banner year for SEC whistleblowers: the agency received over 18,000 whistleblower tips, topping last year’s then-record of 12,300, and distributed a record of almost $600 million in whistleblower awards, including a $279 million all-time-high award to one individual. The SEC again pursued retaliation cases in this area, including two relating to employment or separation agreements. In one case, an investment adviser was fined $10 million for allegedly requiring employees to sign confidentiality and separation agreements that prohibited providing confidential corporate information to third parties, with no exception for SEC whistleblowers.[5] The hefty fine was imposed even though the SEC did not allege that the provisions actually did interfere with any would-be whistleblower, and even though the SEC acknowledged extensive actions the adviser took to remediate the issues on its own, signaling how seriously the SEC views any restrictions on potential whistleblowing activity.
Moving forward, the SEC appears poised to continue its rigorous enforcement of whistleblower protection rules, in addition to leveraging potentially enormous whistleblower rewards in order to root out information about potential legal violations.
Cooperation
The SEC continues to tout the benefits of cooperation to entities under investigation, but the examples it identified give mixed messages on how tangible those benefits really are. To highlight a few:
- The most notable recent no-penalty cases involved both extraordinary cooperation and considerable doubt that the company in fact had the resources to pay a meaningful penalty. In one, a recently-bankrupt telecommunications company settled with the SEC after it allegedly failed to disclose material information regarding unsupported accounting adjustments relating to its cost of revenue. According to the SEC, the company avoided a civil penalty because of its prompt self-reporting, substantial cooperation, and voluntary affirmative remedial measures.[6] While there is some precedent for the SEC foregoing a penalty against a company that provided extraordinary cooperation and has the resources to pay, those cases involved unique circumstances, including non-fraud charges such as the failure to report executive perks [7] or instances where the company could be seen as the victim of an executive’s alleged misconduct.[8]
- One case, however, suggests that a company not facing any of these unique circumstances can still avoid a penalty. In a case against a manufacturer of “smart” windows alleging the failure to disclose the extent of its warranty claims, the SEC imposed no civil penalty, citing the company’s remedial and cooperation efforts. The company hired a new CFO and other senior accounting personnel and promptly responded to the staff’s requests with explanations for accounting and finance issues without requiring subpoenas.[9]
- More likely, cooperation may lead to reduced penalties rather than no penalty at all, as in the case of a broker-dealer that self-reported violations of recordkeeping rules and received substantially lower penalties than other firms that had not self‑reported.[10]
One trend of note is that the SEC has become much more descriptive about what it views as exemplary cooperation or remediation. Merely timely responding to requests for documents does not, in the agency’s view, constitute exemplary cooperation; to get a tangible benefit, the SEC expects entities to identify key documents and witnesses, provide presentations on complex topics, inform the Staff of conduct it has not yet discovered, and otherwise find ways to bring efficiency to the investigation.[11]
Sweeps and Other Initiatives
The SEC announced actions resulting from a number of risk-based sweeps and other initiatives in fiscal year 2023, including a sweep of investment advisers for compliance with the Advisers Act’s Marketing Rule; cases against company insiders for late filing of forms disclosing their stock holdings; the highly publicized, ongoing sweep of the use of off-channel communications at regulated entities; and the “EPS initiative,” which used data analytics to identify potential accounting and disclosure fraud.
Litigation
The SEC has shown that it will pursue cases in litigation even where doing so threatens to constrain agency resources. Indeed, more than 40% of its stand-alone cases involved litigated charges, in whole or in part, including high-profile crypto cases against well‑funded individuals and service providers, such as exchanges. Yet once in court, the SEC has encountered mixed results. While the SEC notched trial victories in several cases involving penny stock and microcap fraud, they also encountered litigation setbacks, including abandoning intentional fraud claims in a case involving a mining company’s safety disclosures in connection with a dam collapse, and walking away from its long-running case against two crypto executives after a string of court losses.[12] Other notable examples included:
- A win for the SEC in a Fourth Circuit appeal in an insider trading case, overturning the trial court’s ruling entering judgment against the SEC. The parties recently settled the case pending re-trial.[13]
- A loss for the SEC in a Second Circuit ruling that the remedy of disgorgement must be “for the benefit of victims,” meaning that it must be linked to a measurable pecuniary harm. This could significantly restrict the disgorgement remedy and complicate the SEC’s burden of proof in establishing disgorgement.[14]
Subpoena Enforcement
The SEC has shown increased willingness to enforce its subpoenas in court when there are delays, incomplete responses, or outright refusal to comply. Two high-profile court battles included an action to enforce a subpoena against a law firm that had refused requests for information on clients whose files were subject to a cyber hack,[15] and the SEC’s continuing conflict with Elon Musk.[16]
Substantive Enforcement Priorities
ESG
The SEC continues to home in on Environmental, Social, and Governance (“ESG”) issues and has pursued charges against companies for governance related issues, charges which the agency’s announcement characterize as a core part of its ESG approach. For example, the SEC reached a $35 million settlement with a video game company for failing to maintain disclosure controls and procedures to collect and analyze employee complaints of workplace misconduct.[17] And in connection with the allegedly undisclosed improper workplace relationships involving a fast food company’s former CEO, the agency’s settlement with the ex-CEO required him to pay $400,000 and imposed a five-year officer or director bar.[18] Meanwhile, the company in that case was charged—but not fined—for failing to disclose in its proxy statements that it had exercised discretion in deciding to terminate the CEO without cause, which allegedly allowed him to obtain millions in compensation.[19] While there is serious doubt whether that omission was material or misleading, there is no doubt that the company responded vigorously when it learned it had been deceived, suing the former CEO and winning the largest-ever executive compensation claw-back victory. This likely influenced the no-penalty outcome in the company’s SEC case, but the case nonetheless underscores the SEC’s willingness to charge companies for disclosure violations even when many would perceive the company as a victim.
Cybersecurity
The SEC’s willingness to sue the victim is most clearly on display in the realm of cybersecurity. In one example, the SEC charged a software company for allegedly misleading disclosures after the company did not disclose that a ransomware attacker had accessed sensitive donor information, including donor bank information and social security numbers. The company agreed to a $3 million penalty.[20] As it has begun to do as a matter of course in these cyber cases, the SEC included charges for failure to maintain adequate disclosure controls that ensure that cyber incidents are properly considered for disclosure by management.
While coming just after the close of its fiscal year, the SEC’s action against a software company and its Chief Information Security Officer (CISO), has turned heads.[21] In that case—which the company and CISO are litigating—the SEC alleges that the company overstated its cybersecurity in public statements while understating the risks of cyber‑attacks, and that the company’s public disclosure of a massive, state-sponsored hack misleadingly failed to disclose the extent of the breach. The SEC broke ground by alleging for the first time that a company’s cybersecurity controls are part of the internal controls system required by the securities laws. The SEC also seeks to hold the CISO liable for intentional fraud based on statements that he “participated” in drafting, including statements that were posted on the company’s website or promoted on social media, but were not included in the company’s SEC filings. The company and CISO can be expected to argue, among other things, that the SEC has overstepped its bounds, extending the securities laws to a subject outside its expertise, and that it has failed to link the alleged vulnerabilities to the actual hack and that it has overstated the importance that investors place on such things as a company’s password policy. This case will be closely watched in the year ahead, and public companies should expect the SEC to continue its focus on cybersecurity controls and disclosures, especially when companies are the victims of significant cyber-intrusions.
Crypto
In the face of increasing criticism that it is exceeding its authority and expertise and “regulating by enforcement,” the SEC and Chair Gary Gensler have doubled down on tough talk when it comes to crypto, bringing a slew of new cases, including several against high-profile trading platforms and other service providers. The headline cases included:
- A company and its CEO of allegedly defrauding investors after raising billions of dollars in alleged unregistered transactions.[22]
- A company operating the largest crypto asset trading platform in the world with allegedly operating as an unregistered exchange, clearing agency, and broker-dealer and for the alleged unregistered offer and sale of the company’s own crypto assets.[23]
- A company for allegedly running its crypto asset trading platform as an unregistered national securities exchange, broker, and clearing agency. The SEC alleged that the company’s failure to register had deprived its investors of significant protections, including SEC inspection.[24]
- Samuel Bankman-Fried, CEO and co-founder of the now-defunct crypto trading platform FTX, for allegedly coordinating a scheme to defraud investors, even touting the company’s risk measures designed to protect customer assets. After the recent month-long trial, Bankman-Fried was found guilty of all seven criminal charges related to this scheme.[25]
- Additionally, the SEC brought numerous cases alleging that crypto asset lending or staking programs constituted unregistered securities offerings.
The SEC also broke ground in the non-fungible tokens (NFTs) market and filed its first actions against issuers of the cryptocurrency. The SEC brought charges against a media and entertainment company that raised approximately $30 million from investments into the company’s three tiers of NFTs or “Founder’s Keys.” The SEC ordered the company to pay over $6.1 million in disgorgement, prejudgment interest, and a civil penalty after determining that the NFTS offered and sold were investment contracts and therefore securities.[26]
The SEC also targeted Hollywood for unlawfully touting crypto asset securities without disclosing to investors that the celebrities had been compensated to do so. Nearly a dozen celebrities were charged, with an NBA Hall of Famer and a popular media personality paying over $1 million each in civil penalties, disgorgement, and prejudgment interest.[27]
Accounting Fraud and Issuer Disclosures
The SEC showed that it is increasingly comfortable with highly technical, judgmental areas of accounting, bringing two cases in the complex realm of percentage of completion accounting, often used in large engineering and construction projects.[28]
In the past year, the SEC brought its sixth case arising out of its EPS Initiative, in which the SEC used data analytics to identify companies with suspicious patterns in their reported earnings-per-share metrics, and then opened accounting fraud investigations. In the latest case, a manufacturer paid $4 million and its CFO paid $75,000 to settle charges that they improperly manipulated bonus accruals to help them meet EPS targets in multiple quarters.[29] The EPS Initiative shows that the SEC will charge accounting fraud over seemingly small accounting adjustments if they make the difference in a company missing or meeting key metrics like EPS. Similarly, the SEC has shown that it will charge accounting fraud where a company fails to disclose the role that accounting maneuvers play in its reported results, particularly for non-GAAP metrics like sales growth that are touted as giving a “truer” view of a company’s underlying performance and trends.[30]
Insider Trading and Market Abuse
Market abuse cases continue to be a priority in SEC enforcement. One of the most notable insider trading cases this year involved charges against an executive of a healthcare services company for allegedly setting up a Rule 10b5-1 trading plan to sell company securities while in possession of material non-public information.[31] Notably, the DOJ filed parallel criminal charges, marking its first such indictment for insider trading based solely on an executive’s use of a Rule 10b5-1 trading plan.
Eight social media influencers were also charged in a $100 million stock manipulation scheme whereby a number of these individuals allegedly promoted certain stocks to their substantial social media followers without disclosing their intent to dump the securities.[32] The SEC also charged two financial services industry professionals for allegedly perpetrating a multi-year front running scheme.[33]
Other Areas
- Investment Advisers: Following the adoption of the Marketing Rule under the Advisers Act,[34] which imposes various requirements on advertising by investment advisers, the SEC has been conducting a sweep initiative. The agency charged nine investment advisers for alleged violations of the Marketing Rule[35] by advertising hypothetical performance on their websites without having the required policies and procedures. The firms settled for low penalty amounts, totaling $850,000 across all cases.
- Insider Filings: The SEC undertook an initiative focused on the timeliness of ownership reports that company insiders and major shareholders are required to file regarding their holdings of company stock. As part of that initiative, the SEC filed eleven actions, including five against publicly traded companies and six against various officers, directors, and major shareholders of public companies.[36]
- Off-channel Cases: The SEC has continued to rake in large fines against regulatory entities and has sought to move these cases quickly and in lockstep, sometimes resulting in take-it-or-leave-it negotiating tactics.
- Recordkeeping: The SEC targeted banks and financial services companies for alleged shortcomings in recordkeeping and documentation. These cases are notable in part because they are “no-harm” cases – while there is no harm to investors, the SEC will impose penalties to vindicate its interest in having accurate historical records.
- Anti-Corruption and the Foreign Corrupt Practices Act: The SEC has shown that it will go its own way and bring charges in FCPA matters where the DOJ does not take action and has also showed its increased focus on cases involving internal controls and books and records violations—even in the absence of more substantive violations.
[1] https://www.sec.gov/news/press-release/2023-234.
[2] https://www.sec.gov/news/press-release/2023-212; https://www.sec.gov/news/press-release/2023-211; https://www.sec.gov/news/press-release/2023-149; https://www.sec.gov/news/press-release/2023-91.
[3] https://www.sec.gov/news/press-release/2023-99.
[4] https://www.sec.gov/news/press-release/2023-205.
[5] https://www.sec.gov/news/press-release/2023-213.
[6] https://www.clearyenforcementwatch.com/2023/10/sec-no-penalty-settlement-signals-heightened-focus-on-self-reporting-and-cooperation/.
[7] https://www.sec.gov/news/press-release/2023-111.
[8] https://www.sec.gov/news/press-release/2023-4.
[9] https://www.sec.gov/news/press-release/2023-126.
[10] https://www.sec.gov/files/litigation/admin/2023/34-98632.pdf.
[11] See https://www.sec.gov/news/press-release/2023-111 (no penalty in executive perks reporting case against a publicly traded tools company after company self-reported before completion of internal investigation); https://www.sec.gov/news/press-release/2022-191 (no financial penalty in accounting fraud case against Canadian cannabis company where company’s internal mechanisms alerted to potential accounting errors and led to concurrent internal investigation and SEC self-report); https://www.sec.gov/news/press-release/2021-244 (no penalty in executive perks reporting case against a natural and organic food company, where company overhauled board, management, and accounting teams).
[12] https://www.sec.gov/news/press-release/2023-63; https://www.clearygottlieb.com/news-and-insights/news-listing/ripple-ceo-brad-garlinghouse-in-dismissal-of-all-sec-claims.
[13] SEC v. Clark, No. 1:20-cv-01529 (E.D. Va. 2020).
[14] SEC v. Govil, No. 22-1658 (2d Cir. 2023).
[15] https://www.sec.gov/litigation/litreleases/lr-25612.
[16] https://www.sec.gov/litigation/litreleases/lr-25880.
[17] https://www.sec.gov/news/press-release/2023-22.
[18] https://www.sec.gov/news/press-release/2023-4.
[19] https://www.sec.gov/news/press-release/2023-4.
[20] https://www.sec.gov/news/press-release/2023-48.
[21] https://www.sec.gov/news/press-release/2023-227.
[22] https://www.sec.gov/news/press-release/2023-32.
[23] https://www.sec.gov/news/press-release/2023-101.
[24] https://www.sec.gov/news/press-release/2023-102.
[25] https://www.sec.gov/news/press-release/2022-219.
[26] https://www.sec.gov/news/press-release/2023-163.
[27] https://www.sec.gov/news/press-release/2023-34 (Hall of Famer who promoted crypto asset securities on X, formerly Twitter); https://www.sec.gov/news/press-release/2022-183 (media personality who promoted crypto asset security on Instagram).
[28] https://www.sec.gov/news/press-release/2023-170; https://www.sec.gov/news/press-release/2023-69.
[29] https://www.sec.gov/enforce/34-96819-s.
[30] https://www.sec.gov/news/press-release/2023-210.
[31] https://www.sec.gov/news/press-release/2023-42; https://www.clearyenforcementwatch.com/2023/03/doj-and-sec-charge-healthcare-executive-with-insider-trading-through-a-rule-10b5-1-trading-plan-marking-dojs-first-such-indictment/.
[32] https://www.sec.gov/news/press-release/2022-221.
[33] https://www.sec.gov/news/press-release/2022-228.
[34] https://www.clearyenforcementwatch.com/2023/06/sec-expands-the-scope-of-its-marketing-rule-examination-sweep-but-still-no-guidance/
[35] https://www.sec.gov/news/press-release/2023-173.
[36] https://www.sec.gov/news/press-release/2023-201.