Supreme Court Prohibits Use of Administrative Courts in SEC Fraud Actions

3 minute read

Sven Stricker

In a 6-3 ruling last Thursday, the Supreme Court ruled that defendants are entitled to a jury trial where the Securities and Exchange Commission (SEC) seeks civil penalties for securities fraud claims. The decision effectively overturns the portion of the Dodd-Frank Act authorizing the SEC to impose civil penalties through its own in-house proceedings; instead, the SEC must now pursue civil penalties in federal court because of the “close relationship” between common law fraud and the SEC’s securities fraud regime. 

Background

Between 2007 and 2010, George Jarkesy started two investment funds, raising about $24 million from 120 accredited investors. Patriot28, which Jarkesy managed, served as the funds’ investment adviser. According to the SEC, Jarkesy and Patriot28 misled investors by (1) misrepresenting the funds’ investment strategies, (2) lying about the identity of the funds’ auditor and prime broker, and (3) inflating the funds’ claimed value so that they could collect larger management fees.

The SEC initiated an enforcement action against Jarkesy and Patriot28, seeking civil penalties for alleged violations of the antifraud provisions of the Securities Act of 1933, the Securities Exchange Act of 1934, and the Investment Advisers Act of 1940. Relying on the Dodd-Frank Act, the SEC opted to adjudicate the matter itself rather than in federal court. In 2014, the presiding administrative law judge (ALJ) issued an initial decision. The SEC reviewed this decision and issued its final order in 2020, levying a civil penalty of $300,000 against Jarkesy and Patriot28. 

On appeal, the Fifth Circuit vacated the SEC’s final order, holding the agency’s decision to adjudicate the matter in-house violated Jarkesy’s and Patriot28’s Seventh Amendment right to a jury trial. After the Fifth Circuit denied rehearing, the Supreme Court granted certiorari. 

The SEC’s Action Implicates the Seventh Amendment

Chief Justice Roberts first framed the threshold issue – whether the SEC’s securities fraud claims implicate the Seventh Amendment, which guarantees the right to a jury trial for suits at common law. Because the SEC’s claims are “legal in nature,” the Seventh Amendment applies. 

In arriving at this conclusion, the Court stressed that monetary civil penalties at common law serve retributive or deterrent purposes. And while courts of equity could order a defendant to return unjustly obtained funds, only courts of law issued monetary penalties to “punish culpable individuals.” The Court explained if a civil remedy is designed to punish or deter conduct, it is a type of remedy at common law and can only be enforced in courts of law. 

Per the Court, the SEC’s civil penalty scheme cites these legal considerations, including deterrence and punishment. In sum, the “close relationship” between the SEC’s securities fraud claims and common law fraud implicate the Seventh Amendment and entitled Jarkesy to a jury on the claims. 

Public Rights Exception Does Not Apply

The Court held that the “public rights” exception to the Seventh Amendment did not apply. Here, the Court identified the classes of cases fitting within this exception, including government revenue collection, immigration, and tariffs designed to promote competition. But because the SEC’s securities fraud claims did not fall within any of those well-defined exceptions, the Dodd-Frank Act could not siphon a common law action from an Article III court. 

Another Loss for the SEC 

It will be interesting to follow how the SEC responds to this—whether it be by pursuing civil penalties less often or by pursuing more cases in federal court rather than in-house. This ruling feels like a continuation of efforts to limit the SEC’s ability to take punitive actions. In 2020, in Liu v. Securities and Exchange Commission, No. 18-1501, the Supreme Court limited disgorgement awards to ensure disgorgement was not being used as a penalty but represented actual profits from the fraud net of “legitimate expenses”. However, the SEC has continued to obtain disgorgement awards in the four years since. Having to try a case in federal court seems to be a higher hurdle than the Liu limitations of disgorgement and is likely to have a more meaningful impact on the SEC’s approach to future cases.

This decision also comes on the heels of the Fifth Circuit vacating the SEC’s recently adopted private fund rules, which the SEC designed to enhance compliance rules for private fund investment advisers. Additionally, several private fund industry groups have asked the Fifth Circuit to vacate the SEC’s new short-selling rules, which require investment managers to disclose details about their short positions. We previously outlined the SEC’s adopted Rule 13f-2 here. When the Fifth Circuit issues an opinion in that case, we will provide an update. 

NEW RIA PRIVACY AND CYBERSECURITY OBLIGATIONS

4 minute read

Sven Stricker

On May 16, 2024, the Securities
and Exchange Commission (“SEC”) unanimously voted to adopt amendments to
Regulation S-P (“Amended Regulation S-P”), which were proposed last year.
Adopted in 2000, Regulation S-P governs the way SEC registered investment
advisers (“RIAs”) (and certain other financial institutions) protect
sensitive customer information such as social security numbers, names, phone
numbers, and addresses. For an RIA that manages private funds this would
include the protected information of the fund’s investors. Amended Regulation
S-P expands protection of customer information and establishes standards for
data breach notification and recordkeeping. 17 CFR § 248.30. Below, we outline a
few key takeaways from Amended Regulation S-P as they apply to RIAs. The SEC’s
Adopting Release can be viewed here.

Incident Response Program

Amended Regulation S-P requires RIAs
to develop, implement, and maintain written policies and procedures that
address administrative, technical, and physical safeguards for the protection
of customer information. These written policies and procedures must include a
program reasonably designed to detect, respond to, and recover from
unauthorized access to or use of customer information, including customer
notification procedures. At a minimum, an incident response program must
include the following procedures:

Assessment

Assess the nature and scope of
any incident involving unauthorized access to or use of customer information
and identify the customer information systems and types of customer information
that may have been accessed or used without authorization.

Containment and Control

Take appropriate steps to contain
and control the incident to prevent further unauthorized access to or use of
customer information.

Notice to Affected
Individuals

Notify each affected individual
whose sensitive customer information was, or is reasonably likely to have been,
accessed or used without authorization. The notice must be transmitted by a
means designed to ensure that each affected individual can reasonably be
expected to receive actual notice in writing.

Generally, an RIA must provide
the notice as soon as practicable, but not later than 30 days, after becoming
aware that unauthorized access to or use of customer information has occurred
or is reasonably likely to have occurred.

The contents of the notice must
include, among other things, the nature and date of the incident, the data
involved, and means for the affected individuals to contact the RIA. Further,
the notice must recommend that the affected individual periodically obtain
credit reports from each nationwide credit reporting company and that the
individual have information relating to fraudulent transactions deleted.

Oversight of Service
Providers 

An RIA’s incident response
program must also include written policies and procedures designed to provide
oversight, including through due diligence and monitoring, of its service
providers (broadly defined to include any third party that receives, maintains,
processes, or otherwise is permitted to access customer information through its
provision of services directly to an RIA).  Specifically, the policies and procedures must
be reasonably designed to ensure that service providers (1) protect against
unauthorized access to or use of customer information; and (2) notify the RIA
as soon as possible, but no later than 72 hours after becoming aware of a
security breach so that the RIA can timely notify affected clients and
investors.

Although an RIA may require service
providers to notify affected individuals on the RIA’s behalf regarding data
breaches, the obligation to ensure that affected individuals are notified rests
with the RIA.

Recordkeeping

Amended Regulation S-P also
includes new recordkeeping requirements, which include creating and maintaining:

  • written documentation of any detected
    unauthorized access to or use of customer information, as well as any response
    to and recovery from such unauthorized access to or use of customer information
    required by the incident response program; 
  • written documentation of any investigation and
    determination made regarding whether notification to customers is required; 
  • written policies and procedures required as part of service provider oversight; and
  • written documentation of any contract entered into pursuant to the service provider oversight requirements.

Updates to Annual Privacy Notice

Current Regulation S-P requires
that a “clear and conspicuous” notice of the RIAs privacy practices be provided
to customers annually.  Amended
Regulation S-P clarifies that this means at least once in every consecutive 12-month
period. Nevertheless, the current exceptions to the annual notice requirement
(including an exception if the RIA has not changed its policies and practices
with respect to disclosing protected information since it last provided a
privacy notice to its customers) remain in effect.

Compliance Period

Per the SEC’s Press Release, Amended
Regulation S-P will become effective 60 days after publication in the Federal
Register. Larger entities (RIAs with $1.5 billion or more in assets under
management) will have 18 months after the date of publication in the Federal
Register to comply with Amended Regulation S-P, and smaller entities will have
24 months after the date of publication in the Federal Register to comply.

Going Forward

To the extent RIAs do not
currently maintain an incident response program, they should work on creating
policies and procedures consistent with Amended Regulation S-P. Many RIAs will
already have policies and procedures addressing data breach events. For
example, many RIAs in Texas must already report data breaches to the Office
of Texas Attorney General, if a data breach affects 250 or more Texans. In
these cases, RIAs should review and update those existing policies and
procedures to meet the compliance deadlines.

Covered institutions should also
review their contracts with service providers and update those contracts as
necessary to ensure service providers provide notice to the RIA as soon as
possible after a data breach event, but no later than 72 hours after a service
provider becomes aware of a data breach event.

Finally, RIAs should revisit
their recordkeeping protocols surrounding data breach events to ensure those
protocols record, maintain, and regularly update compliance efforts regarding
amended Regulation S-P. 

SEC CONTINUES PUSH AGAINST CRYPTOCURRENCY PLATFORMS’ “UNREGISTERED SECURITIES” DESPITE INDUSTRY PUSHBACK

4 minute read

 

 

Josh Sherman

The U.S. Securities and Exchange Commission continues to push forward in the face of industry resistance and legal uncertainty with enforcement actions against cryptocurrency exchange platforms for allegedly offering unregistered securities. Earlier this month, the SEC filed its opposition to Kraken’s motion to dismiss in one such action, while Coinbase moved to certify an interlocutory appeal of the court’s denial of its motion to dismiss in another. A common thread running through these cases is whether the purchase and sale of cryptocurrency assets counts as an “investment contract” under the Supreme Court’s 1946 decision in Howey. The Securities Exchange Act of 1934 says that “securities” under the SEC’s purview include “investment contracts,” which the Supreme Court in Howey defined as “contract[s], transaction[s], or scheme[s] whereby a person invests his money in a common enterprise and is led to expect profits solely from the efforts of the promoter or a third party.” Applying the Howey test to cryptocurrency exchanges, courts
have come up with different answers.

Kraken

On April 9, 2024, the SEC filed its response to Kraken’s February 22 motion to dismiss, in case number 3:23-cv-06003 in the Northern District of California, which the SEC initiated against Kraken in November of last year. In its motion, Kraken argues that the exchanges of certain cryptocurrency tokens on its platforms cannot constitute “investment contracts,” because the SEC has not plausibly alleged (1) the existence of any contracts, (2) post-sale obligations owed by digital asset issuers to Kraken customers, (3) investments in a common enterprise, (4) participation in a common enterprise, or (5) reasonable expectations of profits based solely on issuers’ efforts. In its response, the SEC argues that it has plausibly alleged the last three facts and that it need not allege the first two, calling Kraken’s contrary position a “perversion” of Howey. The motion is set to be heard on June 12.

Coinbase

On April 12, Coinbase moved to certify an interlocutory appeal of the denial of its motion to dismiss, in case number 1:23-cv-05738 in the Southern District of New York, which the SEC initiated against Coinbase in June of last year. The parties’ arguments at the motion to dismiss stage in the Coinbase action largely mirrored those in the Kraken one, and the court sided with the SEC.

Coinbase’s motion highlights that the Southern District itself has split over how Howey applies in the cryptocurrency context. In July 2023, in the SEC’s action against Ripple Labs in case number 1:20-cv-10832, the court issued a summary judgment ruling finding that Ripple’s token was not a security itself; that it was a security when it was sold directly to institutional investors; and that it was not a security when it was sold on public exchanges, used as payment for services, or used to compensate employees. But later that month, another court in the Southern District denied Terraform Labs’ motion to dismiss the SEC’s case against it, in case number 1:23-cv-01346, finding that the SEC had plausibly alleged Terraform offered “unregistered investment-contract securities” under Howey.

Coinbase’s motion also points out that in the SEC’s failed attempt to appeal the summary judgment ruling in its case against Ripple, the SEC argued that the “investment contract” question was purely legal, as Coinbase does in its motion.

The SEC has not yet responded to Coinbase’s motion. But last month, it offered as supplemental authority the court’s decision in SEC v. Wahi et al., case number 2:22-cv-01009 in the Western District of Washington, where the court entered a default judgment against Sameer Ramani, an associate of a former Coinbase manager. In its ruling, the court found that Ramani engaged in insider trading of securities based on the purchase and sale of cryptocurrency assets. Coinbase responded with its own letter to the court the next day—pointing out, among other issues, that the court in Wahi concluded that the cryptocurrency assets themselves constituted “investment contracts,” despite the SEC’s position in its action against Coinbase that the assets themselves are not securities.

Meanwhile, Coinbase reinvigorated its efforts to force the SEC to engage in rulemaking to support its cryptocurrency-related enforcement actions in case number 23-3202 in the Third Circuit. Coinbase’s previous such attempt—which it initiated in July 2022 prior to the SEC’s enforcement action against it—languished in December of last year, after the SEC responded with a two-page letter disagreeing with Coinbase’s position that the existing legal landscape of federal securities laws is “unworkable” as applied to cryptocurrency exchanges. Coinbase filed its brief in support of its new petition on March 11, and the SEC’s response is due May 10.

Takeaways

Since June 2023, the SEC has anchored down in its position that it has regulatory and enforcement authority over cryptocurrency exchanges, predominantly under the theory that buying and selling certain cryptocurrency assets constitutes “investment contracts” as defined by the Supreme Court in Howey. While industry stakeholders seek more clarity, the SEC seems reluctant to formally engage in rulemaking that would further solidify its stances. Decisions in the SEC’s actions against Kraken and Coinbase, among others, may shed more light on the legal landscape.