Securities and Exchange Commission Brings First Enforcement Action Under Identity Theft Red Flags Rule

On September 26, the Securities and Exchange Commission (SEC) announced that it had brought its first enforcement action under Rule 201 of Regulation S-ID (the Identity Theft Red Flags Rule), against broker-dealer and investment adviser Voya Financial Advisors Inc. (VFA).  The SEC’s Identity Theft Red Flags Rule was adopted in 2010, pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010.  The rule, as summarized by the SEC, requires certain SEC-regulated entities to adopt a written identity theft program that includes policies and procedures designed to accomplish four objectives: (1) “Identify relevant types of identity theft red flags”; (2) “Detect the occurrence of those red flags”; (3) “Respond appropriately to the detected red flags”; and (4) “Periodically update the identity theft program.”  Those entities “also must provide for the administration of the program, including staff training and oversight of service providers.”

In VFA’s case, the SEC brought an enforcement action under Rule 30(a) of Regulation S-P (the Safeguards Rule) and the Identity Theft Red Flags Rule.  The SEC Order stated that over six days in April 2016,

one or more persons impersonating VFA contractor representatives called VFA’s technical support line and requested a reset of three representatives’ passwords for the web portal used to access VFA customer information, in two instances using phone numbers Voya had previously identified as associated with prior fraudulent activity. The prior activity also involved attempts to impersonate VFA contractor representatives in calls to Voya’s technical and customer support lines. Voya’s technical support staff reset the passwords and provided temporary passwords over the phone, and on two of the three occasions, they also provided the representative’s username.

Thereafter, despite certain steps by VFA to respond to the intrusion, the intruders obtained passwords and gained access to VFA’s portal over the next several days.  They impersonated two additional representatives’ accounts “due to deficient cybersecurity controls and an erroneous understanding of the operation of the portal.”  The intruders used the VFA representatives’ usernames and passwords to log in to the portal and gain access to personal identifying information (PII) for at least 5,600 of VFA’s customers, and to obtain account documents containing PII of at least one Voya customer. The intruders “also used customer information to create new Voya.com customer profiles, which gave them access to PII and account information of two additional customers.”

The Order stated that VFA violated the Safeguards Rule

because its policies and procedures to protect customer information and to prevent and respond to cybersecurity incidents were not reasonably designed to meet these objectives. Among other things, VFA’s policies and procedures with respect to resetting VFA contractor representatives’ passwords, terminating web sessions in its proprietary gateway system for VFA contractor representatives, identifying higher-risk representatives and customer accounts for additional security measures, and creation and alteration of Voya.com customer profiles, were not reasonably designed. In addition, a number of VFA’s cybersecurity policies and procedures were not reasonably designed to be applied to its contractor representatives.

It also stated that VFA violated the Identity Theft Red Flags Rule because “it did not review and update the Identity Theft Prevention Program in response to changes in risks to its customers or provide adequate training to its employees,” and because its Program “did not include reasonable policies and procedures to respond to identity theft red flags, such as those that were detected by VFA during the April 2016 intrusion.”

The Order specifically took note of VFA’s prompt undertaking of certain remedial acts after the intrusion.  Those acts included “(a) blocking the malicious IP addresses; (b) revising its user authentication policy to prohibit provision of a temporary password by phone; (c) issuing breach notices to the affected customers, describing the intrusion and offering one year of free credit monitoring; and (d) implementing effective [multifactor authentication] for [VFA’s proprietary web portal].”  It also named a new Chief Information Security Officer responsible for creating and maintaining cybersecurity policies and procedures and an incident response plan that was tailored to VFA’s business.

As part of the resolution of the case, the Order stated that VFA had agreed to certain specific undertakings that included:

  • Retention, at its own expense, of an independent compliance consultant (“Consultant”) to conduct a comprehensive review of Respondent’s policies and procedures relating to the Safeguards Rule and the Identity Theft Red Flags Rule;
  • Full cooperation with the Consultant;
  • Within three months after September 26 (the date of the issuance of this Order), requiring the Consultant to submit to VFA and to the Commission staff a written Initial Report, which is to “describe the review performed [and] the conclusions reached,” and “include any recommendations deemed necessary to make the policies and procedures and their implementation comply with applicable requirements”;
  • Adoption of all recommendations contained in the Initial Report within 90 days of the date of its issuance, unless within 30 days of the issuance of the Initial Report, VFA advises, in writing, the Consultant and the Commission staff of any recommendations that VFA considers to be unduly burdensome, impractical, or inappropriate; and
  • Within nine months after September 26, requiring the Consultant to complete its review and issue to VFA and the Commission staff a written Final Report that is to describe the review performed, the conclusions reached, the recommendations made by the Consultant, any recommendations not adopted by VFA pursuant to the preceding undertaking, any proposals made by Respondent, any alternative policies, procedures or systems adopted by VFA pursuant to the preceding undertaking, and how VFA is implementing the Consultant’s final recommendations.

In addition to those undertakings, VFA agreed to be censured and to pay a $1 million penalty.

Note: This case deserves wider attention from chief compliance officers and chief information security officers, and not only because it is the first SEC action under the Identity Theft Red Flags Rule.  Since Dodd-Frank’s enactment, the SEC has repeatedly made clear – in part through its guidance on disclosure obligations and its Cybersecurity 1 and 2 Initiatives – that firms under its authority need to pay attention to their cybersecurity preparedness.  In VFA’s case, even though the SEC order stated that there were no known unauthorized transfers of funds or securities from VFA customer accounts as a result of the attack, the number and variety of significant weaknesses that the SEC identified in its cybersecurity policies and procedures made VFA a prime candidate for the SEC’s first Identity Theft Red Flags Rule enforcement action.

Moreover, subsequent action by the SEC’s Enforcement Division sends an additional signal that the SEC will have little patience with companies that give their cybersecurity measures short shrift.  On October 16, the SEC issued a report of an investigation by the Enforcement Division, in consultation with the Division of Corporation Finance and the Office of the Chief Accountant, into whether certain public issuers (from numerous industries) “that were victims of cyber-related frauds may have violated the federal securities laws by failing to have a sufficient system of internal accounting controls.”  Although the Commission determined not to pursue an enforcement action in these matters, it stated that it issued the Report of Investigation “to make issuers and other market participants aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws.”  This report sends a strong signal that in the future, the Commission expects to use internal-controls requirements, either alone or in conjunction with the Safeguards Rule and the Identity Theft Red Flags Rule, as a basis for sanctioning companies that fail to establish and maintain robust cybersecurity programs.

Securities and Exchange Commission Co-Director of Enforcement Steven Peikin Gives Speech on Remedies and Relief

On October 3, Steven Peikin, Co-Director of the Enforcement Division at the Securities and Exchange Commission (SEC), delivered a speech at the PLI White Collar Crime 2018 Conference that focused on “how particular remedies and relief that the Division of Enforcement recommends to the Commission advance our goals.”  Because this speech appears to have received comparatively little legal- and trade-media coverage, this post will summarize the main points of the Co-Director’s speech.

  • Non-Monetary Relief: Peikin began by noting that “in most of our actions, non-monetary relief can be highly important to achieving the Commission’s overall goals.”  Stressing that “a case-specific approach to remedies and relief is important,” he discussed “a few forms of non-monetary relief that are of particular significance – undertakings and conduct-based injunctions, and bars and suspensions”:
    • Undertakings and Conduct-Based Injunctions: Peikin cited undertakings – “which require a defendant to take affirmative steps – either in conjunction with entry of the order or in the future – in order to come into and remain in compliance with the specific terms of the court’s order” — and conduct-based injunctions, “which prohibit a defendant from engaging in conduct that, while otherwise legal, poses risk of harm to investors in the future” – as “two of the most effective forms of equitable relief in Commission enforcement actions.” Some undertakings may be directed at constraining a defendant’s conduct, as in SEC v. McFarland and SEC v. Holmes and Theranos, Inc.  In the latter case, Peikin explained,
      • “one of the most important elements of the Commission’s settlement with Holmes were undertakings that (1) required her to relinquish her voting control over Theranos by converting her supermajority shares to common shares, and (2) guaranteed that in a liquidation event, Holmes would not profit from her ownership stake in the company until $750 million had been returned to other Theranos investors. In Theranos, the Commission confronted a situation where, because of the capital structure of the company, Holmes had nearly complete control of the company.  And given what we alleged had occurred, it was appropriate to seek relief that protected investors from potential misuse of that controlling position going forward.  The undertakings were designed to do exactly that.”
    • Peikin also discussed the Commission’s litigation with Elon Musk, which led to undertakings that would require (1) Musk’s resignation as Chairman of Tesla and replacement by an independent Chairman, (2) the addition of two independent directors to Tesla’s board, (3) Tesla’s establishment of a committee of independent directors and adoption of mandatory controls and procedures to oversee Musk’s public communications about the company, and (4) Tesla’s employment of “an experienced securities counsel” within its legal department.  He stated that these undertakings “specifically target and attempt to address specific risks – in this case, the potential harm to investors caused by Musk’s communication practices and a lack of sufficient oversight and control of those communications.  The undertakings were specifically targeted to put in place stronger corporate governance by increasing the independence of the Tesla board and imposing closer oversight and control of Musk’s communications.”
    • Peikin commented that many undertakings “require the settling party to retain a compliance consultant or monitor to make recommendations to the issuer and report to the Commission on terms specifically defined in the settlement papers. Such undertakings make it possible for an SEC action to seed change in a corporation’s processes in a way that serves the long-term interests of investors.”
    • Bars and Suspensions: Peikin discussed “other forms of forward-looking or remedial relief, such as officer and director bars and associational bars and suspensions.” He noted that like undertakings, “bars and suspensions are not a punishment,” but “serve a critical prophylactic function – preserving the integrity of our markets and protecting investors by limiting the activity of known bad actors by removing them from the industry or preventing them from serving as officers or directors at public companies.”  He acknowledged that “bars can be a resource-intensive remedy for the agency,” but emphasized that because bars and suspensions “can have direct, far-reaching, and positive effects for investors . . . obtaining bars and suspensions, when warranted by the facts and circumstances, are a high priority for the Division.”
  • Monetary Relief: Peikin also took time to discuss the roles and significance of monetary relief such as civil penalties and disgorgement.
    • Civil Penalties: After summarizing a number of cases in which the Enforcement Division recommended, and the SEC obtained, substantial civil penalties, he noted that “not every case warrants a penalty.” As one example, he cited the SEC’s case against biopharmaceutical company Provectus, in which the company’s extensive remedial efforts persuaded the Division not to recommend a corporate penalty.
    • Disgorgement: Peikin also stated that in contrast to civil penalties, which involve “a careful weighing of factors,” disgorgement “is handled quite differently. Even where a defendant or respondent cooperates and agrees to meaningful undertakings, it should not be entitled to keep its ill-gotten gains, which we are often in a position to restore to harmed investors.”  He concluded his remarks with observations about the effect of the Supreme Court’s 2017 decision in Kokesh v. SEC, which held that because SEC disgorgement operates as a penalty, any disgorgement claim in an SEC enforcement action must be commenced within five years of the date that the claim accrued.  Peikin stated that the effect of Kokesh across the Division’s enforcement program has been and will continue to be “very significant.”  He said that Kokesh has led the Division to forego seeking more than $800 million in potential disgorgement in filed and settled cases.

Note: Peikin’s remarks contain a number of points of which securities practitioners and compliance officers should be mindful.  At a minimum, in-house professionals can use the information in Peikin’s speech to help company executives understand the full range of monetary and non-monetary penalties that the SEC can bring to bear on publicly traded companies.  In addition, for any company that finds itself under SEC investigation, board members and C-level executives need to understand that monetary penalties are far from the only risk on which they should focus in negotiations with Enforcement Division staff.  As Peikin’s remarks make clear, other factors, such as the degree of vigor that the board and senior management show in undertaking remediation, can be influential in warding off a civil penalty.  Finally, given the general unpopularity of monitorships, companies need to be prepared, in negotiations with Enforcement Division staff, to explain in detail why no external overseer of remedial efforts is needed, or why at most a compliance consultant is sufficient to ensure that the company will complete and sustain its remedial efforts.

United Kingdom Competition & Markets Authority Releases Survey on Businesses’ Understanding of Competition Law

On October 22, the United Kingdom Competition & Markets Authority (CMA) released the results of an extensive survey of 1,200 United Kingdom businesses of all types and sectors about businesses’ understanding and awareness of competition law.  The survey, which ICM Unlimited conducted on behalf of the CMA, included the following findings, which in some instances included results from a 2014 survey of United Kingdom businesses about competition-law knowledge:

  • Knowledge About Specific Anti-Competitive Behaviors
    • Sixty percent of respondents correctly responded that price fixing with other companies can lead to imprisonment. That represents a 7-point increase over the percentage of correct responses to the question in 2014.  In contrast, 30 percent responded that they did not know whether it can lead to imprisonment.
    • Fifty-nine percent were aware that it can be illegal to attend a meeting where competitors agree on prices.
    • Thirty-four percent were aware that it is unlawful to set the price at which others resell their product(s).
    • Fifty-seven percent correctly responded that it was not “okay for competitors to agree prices in order to avoid losing money.”
  • Noncompliance Risks
    • Although nearly all respondents (95 percent) regarded compliance with competition law as important, 57 percent believed that “the risk of breaching it is low within their sector.”
    • Sixty-eight percent responded that they “have a ‘poor’ awareness of the penalties for non-compliance with competition law.”  This finding is consistent with the 2014 survey responses.
  • Corporate Commitment to Compliance
    • With regard to corporate motive for compliance, “[t]he strongest factor for compliance is moral”: 80 percent responded that complying with competition law is “the right thing to do ethically,” 75 percent responded that “it provides a level playing field for everyone in the market,” and 75 percent responded that “it is important for our reputation.”
    • “Even though compliance with competition law is more likely to be encouraged by ‘pull’ factors, the majority of businesses are also influenced by several ‘push’ factors.” Seventy-five percent of respondents agreed that they were motivated to comply with the law because “it’s obligatory – it’s the law,” 68 percent agreed that “non-compliance leads to the risks of fines,” and 65 percent agreed that “non-compliance risks directors being prosecuted.”
    • Fifty-seven percent regarded their commercial activities as being at a low risk of breaching competition law (virtually unchanged from 56 percent in 2014). Of those who indicated that they know competition law “very/fairly well,” 39 percent responded that there is at least a medium risk and 48 percent saw a low risk.  By comparison, of those who indicated they know competition law “less well/have never heard of it,” 29 percent saw at least a medium risk and 57 percent saw a low risk.
    • Eighty-eight percent stated that they would take action if illegal activity was taking place within their own business, and 77 percent stated that they would do so if it were taking place within a competing business.

Note: The ICM survey results contain a number of lessons for the CMA and for corporate compliance functions.  For the CMA, not the least of those lessons is the need for the CMA to increase its public visibility: 64 percent of respondents indicated that they do not know who enforces competition law in the United Kingdom, 39 percent had never heard of the CMA, and only 3 percent responded that they know the CMA “well.”  The CMA has harnessed the survey results to a broad-based “cartel awareness campaign [that] aims to educate businesses about which practices are illegal and urges people to come forward if they suspect a business has taken part in cartel behaviour, such as fixing prices or rigging contracts.”

For their part, compliance functions should draw on the survey results to review their companies’ antitrust and competition law-related training courses.  Those courses need to include clear explanations of what business conduct is permissible under United Kingdom competition law, along with simple and stark messages such as, “If you participate in fixing prices with our competitors in any way – in person, by phone, or online – you can go to prison.”

At the same time, corporate training and dialogue between senior leadership and compliance officers should recognize the value of “pull” factors, such as compliance being “the right thing to do ethically” and being important for corporate reputation.  Specific actions and statements by C-level executives that demonstrate their commitment to competition-law compliance, including the ethical dimensions of that commitment, can be influential with regulators such as the CMA in evaluating the soundness of a company’s competition compliance program.

Swiss Federal Supreme Court Upholds Acquittal of Former Julius Baer Banker on Banking-Secrecy Charges

On October 10, the Swiss Bundesgericht (Federal Supreme Court), by a 3-2 margin, affirmed the acquittal of a former Julius Baer accountant, Rudolf Elmer, who had been charged with violating the banking-secrecy offense in Article 47 of the Swiss Banking Law.  Elmer had been chief operating officer of Julius Baer Bank & Trust Company Ltd, a Cayman Islands-based unit of Julius Baer.  In 2002, he reportedly was fired because he allegedly was involved in theft of bank data, and subsequently leaked bank client data on several occasions.

The President of the Court of Penal Law, Christian Denys, stated that Elmer, as an officer of the Cayman Islands unit, “was neither an employee nor representative of a Swiss bank” under Article 47, and therefore that Article 47 was inapplicable to his conduct.  The majority of the court reasoned, according to Neue Zürcher Zeitung, that Julius Baer “had outsourced part of its business to the Cayman Islands and thereby had placed it under the law there.  The motive for doing so played no role here.”

In 2011, Elmer had publicly handed over two CDs reportedly containing bank-client data to Julian Assange of Wikileaks.  That act reportedly led to Zurich prosecutors having Elmer detained for 220 days, and eventually securing his conviction on multiple charges under Article 47 in 2015.  Elmer was not imprisoned after his conviction, but was given a suspended fine of just CHF 16,800 (equivalent to nearly $17,000).

On appeal, however, the regional supreme court in Zurich reversed the Article 47 conviction, but meted out “a 14-month suspended sentence for sending threatening letters to former colleagues — one of which began ‘Dirty Pig’ and threatened the colleague’s safety — and for falsifying documents.”  The Federal Supreme Court allowed that sentence to stand.  Elmer’s attorney indicated that his client would not appeal those parts of the verdict, but would appeal the judge’s decision that Elmer bear legal costs that exceed CHF 200,000.

Note: Although various legal developments have been reducing the ambit of Swiss banking secrecy for quite some time, this decision by the Federal Supreme Court appears to establish a significant jurisdictional limitation on the scope of Article 47 – at least if a Swiss bank chooses to take advantage of a foreign jurisdiction’s laws in establishing a subsidiary in accordance with those laws.  If that construction is correct, it could give law enforcement authorities in the United States and other countries – in time, perhaps even Switzerland – greater confidence about seeking bank records from such Swiss bank subsidiaries for use in foreign-corruption, fraud, money-laundering, sanctions, and tax-fraud investigations.

U.S. Antitrust Division Seafood Price-Fixing Investigation Nets Guilty Plea by StarKist

In one of a recent series of television advertisements featuring StarKist products, actress Candace Cameron Bure exclaims to StarKist’s legendary cartoon tuna Charlie, “Bold choice, Charlie!”  Today, StarKist made a bold, if difficult, choice of its own: to plead guilty to a criminal violation of price-fixing under section 1 of the Sherman Act, exposing it to a criminal fine of as much as $100 million, and to cooperate with the U.S. Department of Justice.

In a press release announcing the plea, the Department stated that StarKist and its coconspirators “agreed to fix the prices of canned tuna fish from as early as November 2011, through at least as late as December 2013.”  As part of the Antitrust Division’s continuing investigation of the packaged seafood industry, the Division has already charged five defendants since 2016.  The first four agreed to plead guilty to price-fixing under section 1 and cooperate with the government:

  1. December 7, 2016: a Bumble Bee Seafoods senior vice president of sales;
  2. December 21, 2016: a Bumble Bee senior vice president of trade marketing;
  3. May 8, 2017: Bumble Bee Foods;
  4. June 28, 2017: a former vice president of sales at StarKist; and
  5. May 1, 2018: the President and Chief Executive Officer (CEO) of Bumble Bee Foods, who was indicted.

All three of the individual cooperating defendants face criminal fines.  Bumble Bee has been sentenced to a $25 million criminal fine, which the Department said “will be increased to a maximum of $81.5 million if Bumble Bee is sold, subject to certain terms and conditions.”

Note: The packaged seafood market reportedly is a multi-billion dollar industry in the United States, in which tuna “represents about 73 percent of the market and generates about $1.7 billion in annual sales.”  Bumble Bee, StarKist, and Tri-Union Seafoods, which trades under the Chicken of the Sea brand, together “controlled 80 to 85 percent of the U.S. market between 2003-2015.”

The StarKist information, like the Bumble Bee information, described the conspiracy’s means and methods in bland and general terms: “engag[ing] in conversations and discussions and attend[ing] meetings with representatives of other major packaged-seafood-producing firms; agree[ing] and reach[ing] mutual understandings during these conversations, discussions, and meetings, to fix, raise, and maintain the prices of packaged seafood sold in the United States; and negotiat[ing] prices with customers and issu[ing] price announcements for packaged seafood in accordance with the agreements and mutual understandings reached.”

The Bumble Bee CEO indictment, by contrast, describes the conspiracy’s means and methods in more telling detail.  It alleged that the conspirators

a) participated in meetings, conversations, and communications concerning prices of packaged seafood to be sold in the United States;

b) agreed during those meetings, conversations, and communications on prices for packaged seafood sold in the United States;

c) agreed during those meetings, conversations, and communications to limit and restrict competition between the conspirators as to certain types and categories of products, including, but not limited to, competition for products based on certain types of fishing methods;

d) collected, exchanged, monitored, and discussed information on prices, sales, supply, demand, and the production of packaged seafood for the purpose of reaching agreements on prices and monitoring and enforcing adherence to the agreements reached;

e) issued price announcements and pricing guidance for packaged seafood in accordance with the agreements reached;

f) sold packaged seafood in the United States at collusive and noncompetitive prices;

g) accepted payments for packaged seafood sold in the United States at collusive and noncompetitive prices; and

h) employed measures to conceal their conduct, including, but not limited to, using code when referring to coconspirators, meeting at offsite locations to avoid detection, limiting distribution and discouraging retention of documents reflecting conspiratorial contacts, and providing misleading justifications for prices.

To date, neither Tri-Union nor any of its executives have been criminally charged in the Antitrust Division’s investigation.  The guilty pleas by Tri-Union’s principal competitors, however, are likely to intensify the pressure on Tri-Union to plead and cooperate.  That, in turn, should hearten the dozens of companies seeking class-action certifications in their civil price-fixing litigation against the three companies.