The Securities and Exchange Commission (SEC) recently published its enforcement results for FY2022. This report is a valuable compliance resource for regulated entities and General Counsels and CCOs, who can learn a great deal from the cases that the Enforcement Division pursues and where the SEC allocates its resources.
The SEC brought 760 total enforcement actions in FY 2022, which was a 9 percent increase over FY 2021. These included 462 new, or “stand alone,” enforcement actions, representing a 6.5 percent increase over FY 2021.
Record-breaking penalties resulting from compliance violations were paid by regulated firms. Civil penalties totaled $4.194 billion, which was the highest on record to date. Disgorgement, at $2.245 billion, decreased by 6 percent from FY 2021. Overall, the SEC imposed $6.4 billion in penalties and disgorgement, which was the most on record in SEC history and up from $3.852 billion in FY 2021. Additionally, FY 2022 was the SEC's second highest year ever in whistleblower awards, in terms of both the number of individuals awarded and the total dollar amounts awarded.
SEC Chair Gary Gensler emphasized that enforcement numbers tell only part of the story. The SEC's FY 2022 enforcement fines reveal several trends that can help senior management of regulated entities boost their compliance efforts and lower their risks of enforcement penalties in FY 2023.
Many of the enforcement trends are not surprising, as they reflect areas where the SEC is pursuing regulatory changes, such as environmental, social, and governance (ESG) issues and cybersecurity. The SEC also brought several high-profile enforcement actions in the rapidly evolving crypto asset securities space. Charges included a first-of-its-kind action against crypto lending platforms for violating the registration requirements of the Investment Company Act of 1940.
With regard to cybersecurity incident responses, the SEC brought significant enforcement actions concerning failures by major firms to comply with core protection obligations including record-keeping and safeguarding customer information. Charges included having insufficient policies and procedures to protect investors from identity theft, in violation of the SEC's Identity Theft Red Flags Rule (Regulation S-ID) and failing to protect the personal identifying information (PII) of brokerage customers.
In March, the SEC proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. Among other requirements, the rules would require material cybersecurity incidents to be reported on Form 8-K within four (4) business days of discovery and updates on previously reported cyber incidents to be disclosed on Forms 10-K and 10-Q. Companies would also be required to make periodic disclosures about their policies and procedures to identify and manage cybersecurity risks, management's role in implementing cybersecurity policies and procedures, and the board of directors' cybersecurity expertise, if any, and its oversight of cybersecurity risk. Now is an opportunity for companies to review existing policies and procedures, conduct additional risk assessments, and prepare for adoption and implementation of new policies and procedures.
In terms of ESG, the SEC focused on public companies, as well as investment products and strategies. In one action, the agency charged an investment adviser with making materially misleading statements and omissions about its consideration of ESG principles in making investment decisions for certain mutual funds. In another, the SEC charged one of the world's largest iron ore producers with allegedly making false and misleading claims to local governments, communities, and investors about the safety of its dams. The collapse of the Brumadinho dam in Brazil killed 270 people, caused serious environmental and social harm, and reduced the company's market capitalization by more than $4 billion.
The SEC is still reviewing comments on a series of proposed ESG rulemakings that call for enhanced climate risk disclosures by issuers, enhanced ESG disclosures by registered funds and investment advisers, and modernized rules governing ESG-related fund names. Issuers will need to be responsive when the Final Rules are published.
The SEC's enforcement results were achieved by the tools and strategies that the agency and its staff are prioritizing. For instance, the Enforcement Division is increasingly requiring parties to retain independent compliance consultants (ICCs). In actions against several broker-dealers for failures to maintain and preserve work-related text message communications conducted on employees' personal devices, the SEC mandated the retention of compliance consultants to, among other things, conduct comprehensive reviews of the firms' policies and procedures relating to the retention of electronic communications found on personal devices. Fines, penalties, and ICC costs for record-keeping failures were significant.
The SEC emphasized that it continues to recognize meaningful cooperation, citing that assistance from cooperators can help expedite completion of investigations and bring to light important evidence. For example, the agency noted that a company whose former CEO allegedly fraudulently inflated key financial metrics and doctored internal sales records to boost the company's valuation was not penalized for its wrongful conduct after taking significant remedial measures.
The SEC's enforcement results reveal who may be in the agency's crosshairs during 2023. Most notably, the SEC brought a number of enforcement actions against “gatekeepers”, such as auditors, lawyers, and transfer agents. CCOs have not been exempt either.
In one action, an auditor's China-based affiliate was charged with failing to comply with fundamental U.S. auditing requirements when auditing U.S. issuers and foreign companies listed on U.S. exchanges, allowing clients to select their own samples for testing, and having clients prepare their own audit documentation. In another action, a former general counsel of a public company settled an action for his role in an unregistered, fraudulent securities offering. According to the SEC, the attorney knew or was reckless in not knowing that there was no exemption from registration available.
The SEC continues to emphasize that public company disclosure is the bedrock of the securities markets. In a press statement announcing the enforcement data, the SEC stated that it “places a high priority on pursuing issuers or their employees who make materially inaccurate disclosures, as well as auditors and their professionals who violate applicable laws and rules in connection with such disclosures.”
The Enforcement Division's actions in this area targeted misconduct by issuers, auditors, and their employees. For instance, the SEC brought charges against a mining company for misleading investors about a technology upgrade the company claimed would reduce costs but ultimately increased costs, and for failing to properly assess whether to disclose financial risks created by its excessive discharge of mercury in Brazil. The SEC also brought an enforcement action against an audit firm and three senior-level employees for failing to properly audit a client company's financial statements over a four-year period, when that client was improperly inflating revenues.
This article discusses several trends that can be gleaned from the SEC's FY 2022 enforcement data. We recommend that entities subject to agency oversight review the enforcement results in their entirety and consult with experienced counsel about how they could be impacted in FY 2023 by failing to assess current policies/procedures against Rule changes that will be adopted and implemented during FY 2023 and later.
We encourage the management of regulated entities to regularly review what types of enforcement actions the SEC is bringing and use the information to align your firm's compliance priorities with the agency's evolving enforcement agenda. Continue to monitor the SEC's Exam Priority and Deficiency notifications and Cybersecurity Breach Incident reporting to level-set your firm's threat and risk assessments.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.