SEC Fines Firm For Cyber Lapses Leading to Disclosure Of Info For 5,600 Customers

The Securities and Exchange Commission recently announced that a Des Moines-based broker-dealer and investment adviser has agreed to pay $1 million to settle allegations related to its failures in cyber security policies and procedures surrounding a cyber intrusion that compromised personal information of thousands of customers. In addition to the $1 million penalty, the firm was required to hire an independent consultant for a 2-year term, who will generate reports for submission to the SEC.

Over 6 days in April 2016, individuals impersonating independent contractor representatives to Voya Financial Advisors, Inc. (VFA) called VFA’s technical support line and requested resets of 3 representatives’ passwords for web portal access. Notably, the fraudsters used phone numbers the parent company, Voya, had previously identified as associated with fraudulent activity. Nonetheless, support staff reset the passwords and provided temporary passwords over the phone.

When an actual contractor representative called support to inform them that he had received an email confirming a password change that he had not requested, VFA did not immediately terminate the intruders’ access to the system. As a result of that and other security failures, the intruders were able to access the personally identifiable information of at least 5,600 customers.

Although there were no known unauthorized transfers from customer accounts, the SEC found that VFA’s practices violated the Safeguards Rule, which requires every BD and RIA to have written policies and procedures that address technical and physical safeguards for the protection of customer records and information. The SEC concluded that VFA’s policies and systems relating to contractor password resets, terminating web sessions in its gateway system for contractors, and identifying higher risk representatives and customer accounts for additional security measures, were not reasonably designed.

For example, VFA’s 15-minute inactivity timeout, which applied to employee representatives accessing the web portal, was not applied to the web portal for contractor representatives. In addition, VFA’s policy requiring a user to answer security questions when logging on from a new device was easily circumvented by the intruders calling support to reset their security questions.
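The control gaps the SEC described above (no idle timeout on the contractor portal, no session termination after a reported reset, and resets granted to callers from phone numbers already flagged for fraud) can be modeled as a small session manager. This is an added illustration, not code from Voya or the SEC order; the `Portal` class, its methods, and the phone numbers are constructed for the example.

```python
IDLE_TIMEOUT_SECONDS = 15 * 60  # one idle limit, applied to employees AND contractors


class Portal:
    """Minimal web-portal session store (hypothetical; timestamps are epoch seconds)."""

    def __init__(self, flagged_phones):
        # Numbers the parent company has previously tied to fraudulent activity
        self.flagged_phones = set(flagged_phones)
        self.sessions = {}  # session_id -> {"user", "role", "last"}
        self.next_id = 0

    def login(self, user, role, now):
        self.next_id += 1
        self.sessions[self.next_id] = {"user": user, "role": role, "last": now}
        return self.next_id

    def touch(self, session_id, now):
        """Record activity; return False if the session is missing or has gone idle.
        The same 15-minute rule is enforced regardless of role."""
        s = self.sessions.get(session_id)
        if s is None:
            return False
        if now - s["last"] > IDLE_TIMEOUT_SECONDS:
            del self.sessions[session_id]
            return False
        s["last"] = now
        return True

    def revoke_user_sessions(self, user):
        """Terminate every live session for an account; returns how many were cut."""
        ids = [sid for sid, s in self.sessions.items() if s["user"] == user]
        for sid in ids:
            del self.sessions[sid]
        return len(ids)

    def request_reset(self, user, caller_phone, now):
        """Help-desk password reset: refuse flagged callers, cut existing sessions,
        and never read the temporary password back over the phone."""
        if caller_phone in self.flagged_phones:
            return "denied: caller number flagged for prior fraud"
        revoked = self.revoke_user_sessions(user)
        # Temporary credential goes out of band to the contact details on record
        return f"reset queued for out-of-band delivery; {revoked} active session(s) revoked"

    def report_unrequested_reset(self, user):
        """A representative reports a reset they did not ask for: cut access immediately."""
        return self.revoke_user_sessions(user)
```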

Bottom line: Firms are faced with cyber threats on multiple fronts every day. Many threats take the form of malware or other web or software-based attacks probing systems for weaknesses. The VFA incident, however, was relatively low tech. It involved natural persons impersonating remote independent contractor representatives over the phone. Accordingly, firms should consider assessing not only their software-based bulwarks against intrusion, but also the training and policies overseeing phone conversations and other human interactions.

Link: https://www.sec.gov/litigation/admin/2018/34-84288.pdf

Supreme Court Limits “Whistleblower” Status to People Who Report Out to SEC

The Supreme Court, by unanimous decision, has held that “whistleblower” status under the 2010 Dodd-Frank Act, with its cash award and enhanced anti-retaliation benefits, is limited to individuals who report violations to the SEC and does not include people who internally report at a company but fail to report to the SEC. The decision is likely to increase call volume on the SEC’s whistleblower hotline, as well as costs and headaches for legal and compliance personnel at regulated companies.

Although an individual who reports internally (and not to the SEC) may still get the anti-retaliation benefits afforded under the 2002 Sarbanes-Oxley Act, that individual would not be entitled to the enhanced anti-retaliation benefits (e.g., double back pay) or the potential cash payout (10-30 percent of any SEC monetary penalties) under Dodd-Frank. Accordingly, individuals with information that could lead to SEC charges are now more likely to report out to the agency than try to resolve things internally.

Consequently, compliance and legal personnel at Pubcos, RIAs, and BDs should consider reviewing their policies and procedures to ensure that they are striking the correct balance between motivating employees to report potential problems internally and not limiting an employee’s ability to report out. This is especially true given the SEC’s focus (through enforcement actions) on entities who limit such reporting by requiring employees to sign restrictive confidentiality agreements that may have the effect of “chilling” an employee’s desire to report out.

Here is a link to the Supreme Court’s decision:

https://www.supremecourt.gov/opinions/17pdf/16-1276_b0nd.pdf

EB-5 “Golden Ticket” Visa Fraud Article Published in The Champion Magazine

Will Haddad’s article, “EB-5 Visa Fraud, What You Need to Know,” was published in The Champion Magazine. The article reviews recent legislative, legal and other issues related to these highly desirable “fast track” visas. Such developments include a number of securities fraud cases brought by the SEC, as well as some federal criminal cases.

A copy of the article is reproduced here, with the written permission of the publisher, the National Association of Criminal Defense Lawyers.

EB-5 Visa Fraud Article

(c) 2017, National Association of Criminal Defense Lawyers.

Supreme Court Holds 5-Year Statute of Limitations Applies to SEC Disgorgement

On June 5, 2017, by unanimous decision, the U.S. Supreme Court determined that disgorgement – a remedy that generated $3 billion in 2015 – is a “penalty” thereby subjecting it to the 5-year statute of limitations that applies to any “action, suit or proceeding for the enforcement of any civil fine, penalty, or forfeiture, pecuniary or otherwise.” Kokesh v. SEC, No. 16-529, slip op. at 1 (June 5, 2017) (quoting 28 U.S.C. §2462). The Court’s decision relieved Kokesh of a $30 million disgorgement order entered in the lower court.

The SEC had argued that disgorgement is a different animal – it simply places the defendant in the same position as he or she would have been but for the offense. The Court strongly disagreed noting the deterrent qualities of disgorgement, which is a hallmark of a penalty, “[s]anctions imposed for the purpose of deterring infractions of public laws are inherently punitive.” Id. at 8. The Court observed that the victims (if there are any) of a securities law violation need not participate in the enforcement action and may not even support it. In addition, money that is disgorged to the Treasury often stays there; i.e., there is no absolute requirement that the money that is recovered be distributed to the purportedly aggrieved investors.

Going forward, the SEC is faced with having to speed up its investigations and charging decisions.  That can be a challenge, especially in complex cases where the Enforcement Division would prefer to thoroughly build out a case in advance.

Here is the decision:

https://www.supremecourt.gov/opinions/16pdf/16-529_i426.pdf

EB-5 Program Operator Settles With SEC For Over $7.9 Million

The SEC has announced that an Idaho man who operated an EB-5 regional center has agreed to settle a case against him alleging that he took millions of dollars to pay for luxury cars and investments unrelated to the purpose of the particular EB-5 program at issue, i.e., to develop luxury real estate and invest in gold mining ventures in Idaho and Montana.

The EB-5 program is a special expedited path to a green card for foreign investors who provide a set minimum of investment capital that creates at least 10 U.S. jobs within 2 years of the investment. The program is designed to incentivize investment in rural areas (e.g., Idaho) or high unemployment areas. Whereas the minimum for such “targeted employment areas” is $500,000, the minimum for more affluent areas is $1 million.

The respondent, Serofim Muroff, and his assistant and bookkeeper are alleged to have diverted about $5.5 million of the $140.5 million in investment money provided by Chinese investors. In addition to disgorging the allegedly diverted proceeds, Muroff has agreed to a $2 million penalty plus interest, and to be barred from conducting further EB-5 offerings. Neither Muroff nor his assistant admitted or denied the allegations in the SEC’s complaint.

Here is the press release.

https://www.sec.gov/litigation/litreleases/2017/lr23818.htm

Senate Bill Would Increase SEC Penalties To $1 Million And Up

Under a Senate bill, the SEC would be able to administratively impose a maximum $1 million per violation penalty on individuals and a maximum $10 million per violation penalty on financial firms for the most serious (e.g., fraud, deceit) violations.  The current levels are substantially lower — at $181,071 for individuals and $905,353 for firms — though the SEC is empowered to go to federal court to get the equivalent of the ill-gotten gains in a given case.

Under the proposed measure, the SEC would not have to go to federal court to get large remedies, though the total remedy per violation would be capped – the maximum penalty for an individual could not exceed, for each violation, the greater of (i) $1 million, (ii) three times the gross pecuniary gain, or (iii) the losses incurred by victims as a result of the violation.  The maximum amount that could be obtained from entities could not exceed, for each violation, the greater of (i) $10 million, (ii) three times the gross pecuniary gain, or (iii) the losses incurred by victims as a result of the violation.

In addition, individuals and firms that were found civilly or criminally liable for securities law violations in the 5 years leading up to a new violation could face up to three times the new caps, e.g., penalties of $3 million/$30 million.

It is important to note that SEC administrative or “in-house” courts have faced substantial constitutional challenges recently and are often considered subject to agency bias.  At a minimum, it is clear that the SEC courts lack some of the procedural safeguards provided in federal court.  If the Senate bill becomes law, the SEC will have significantly increased leverage in negotiations with respondents not only because of the amounts involved but because the Enforcement staff would not need to go to federal court to get such amounts.

DOL Issues Temporary Enforcement Policy re: Fiduciary Rule

The DOL has issued a temporary policy stating that it will not bring enforcement actions against firms that are not Rule compliant by April 10. In other words, DOL will not bring enforcement actions against advisers for the “gap” period between April 10 and the date on which the DOL officially delays the Rule (if it, in fact, delays the Rule). If the DOL decides to not delay the Rule at all, firms have a “reasonable” period of time in which to send out the required disclosures and otherwise get compliant.

https://www.dol.gov/agencies/ebsa/employers-and-advisers/guidance/field-assistance-bulletins/2017-01