The SEC’s Office of Compliance Inspections and Examinations (OCIE) released two Risk Alerts, on April 16, 2019 and May 23, 2019, highlighting the importance of privacy and cybersecurity compliance for SEC-registered investment advisors and broker-dealers under Regulation S-P. As previously covered on Data Matters, OCIE has consistently identified cybersecurity as one of its main areas of focus for examinations.
Indeed, cybersecurity was once again identified by OCIE in its 2019 National Exam Program Examination Priorities (2019 Exam Priorities), which placed a particular emphasis on proper configuration of network storage devices, information security governance, and policies and procedures related to retail trading information security. With the issuance of the April 16 and May 23 Risk Alerts, OCIE has provided additional detail regarding specific issues that SEC-registered entities should focus on to mitigate privacy and cybersecurity risk, as well as to prepare for examinations.
On April 3, the U.S. Securities and Exchange Commission (SEC)’s Strategic Hub for Innovation and Financial Technology (FinHub or Staff) released its much-anticipated guidance, the Framework for “Investment Contract” Analysis of Digital Assets (Framework), regarding its views on factors to consider in applying the Howey test to digital assets. In conjunction with the Framework, the SEC’s Division of Corporation Finance published its first no-action letter in connection with the sale of digital assets, providing relief to TurnKey Jet, Inc., for its proposed token sale.
On February 27, 2019, the Federal Trade Commission (“FTC”) announced a record-setting $5.7 million civil penalty against makers of the popular free video creation and sharing app, Musical.ly (now known as TikTok), for violations of U.S. children’s privacy rules. This is the largest civil penalty the FTC has issued concerning violations of the Children’s Online Privacy Protection Act (“COPPA”).
On February 8, 2019, U.S. Securities and Exchange (SEC) Commissioner Hester Peirce delivered a speech addressing the relationship between technological innovation and regulation, in particular addressing some of the pending regulatory challenges surrounding blockchain and digital assets.1 The key takeaways from Commissioner Peirce’s speech, titled “Regulation: A View From Inside the Machine,” 2 are these:
On December 20, 2018, the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (the SEC) released its report (the 2019 Report) setting forth its list of examination priorities for 2019 (the Exam Priorities).1 OCIE announces its exam priorities annually to provide insights into the areas it believes present potentially heightened risk to investors or the integrity of the U.S. capital markets.2 The Exam Priorities can serve as a roadmap to assist advisers in assessing their policies, procedures and compliance programs; testing for and remediating any suspected deficiencies related to the Exam Priorities; and preparing for OCIE exams. (more…)
On November 16, the U.S. Securities and Exchange Commission (SEC) announced its first enforcement actions against issuers of initial coin offerings solely for failing to register the offerings in violation of the federal securities laws since Munchee (i.e., without allegations of fraud). Unlike the Munchee order, these settlements impose penalties against the issuers and require certain undertakings, such as registering the digital assets as securities under the Exchange Act. The same day, the SEC’s Divisions of Corporation Finance, Investment Management and Trading and Markets released a joint statement reiterating the SEC’s lessons from recent enforcement actions related to digital assets. (more…)
On October 16, 2018, the U.S. Securities and Exchange Commission (SEC) took the unusual step of issuing a Report of Investigation cautioning public companies that they should consider cyber threats and related human vulnerabilities when designing and implementing their internal accounting controls. The report is an outgrowth of an investigation conducted by the SEC’s Enforcement Division into whether certain public companies that were victims of cyber fraud complied with the federal securities laws requiring public companies to implement and maintain internal accounting controls. The controls provided by these provisions must be sufficient to provide reasonable assurances that transactions occur (e.g., purchasing equipment), and access to assets is permitted (e.g., checking accounts, warehouses), only in accordance with management’s authorization.
On September 11, the Securities and Exchange Commission (SEC) and Financial Industry Regulatory Authority (FINRA) separately announced three “first of their kind” enforcement actions against participants in the digital asset (or “token”) market:
- In the Matter of TokenLot LLC. The SEC took action against a token sale website for operating as an unregistered broker-dealer in violation of the federal securities laws.
- In the Matter of Crypto Asset Management, LP. The SEC entered an order against a digital asset hedge fund manager for failing to register its fund as an investment company and offering and selling its fund’s securities in an unregistered offering.
- Department of Enforcement vs. Timothy Tilton Ayre. In its first disciplinary action involving digital assets, FINRA filed a complaint alleging that a registered person of a member firm violated federal securities laws and FINRA rules in its offering of a blockchain token as an unregistered security.
In the months following director William Hinman’s noteworthy speech on whether and when a digital asset is subject to securities laws, U.S. regulators have continued their stern warnings regarding the importance of compliance with the securities laws. This post highlights three important regulatory updates:
- On August 14, 2018, the Securities and Exchange Commission (SEC or Commission) issued an administrative order, In the Matter of Tomahawk Exploration LLC and David Thompson Laurance, taking action against an unregistered and fraudulent initial coin offering (ICO).
- On August 28, the North American Securities Administrators Association (NASAA) released an update on the progress of its ongoing Operation Cryptosweep.
- The Financial Industry Regulatory Authority (FINRA) issued two investor alerts, on July 27 and August 16, regarding blockchain tokens and ICOs.