Developments in Securities Regulation, Corporate Governance, Capital Markets, M&A and Other Topics of Interest.

Three federal banking regulatory agencies have approved an advance notice of proposed rulemaking (ANPR) inviting comment on a set of potential enhanced cybersecurity risk-management and resilience standards that would apply to large and interconnected entities under their supervision. The standards would apply as well to services provided by third parties to these firms.

The Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency are considering applying the enhanced standards to depository institutions and depository institution holding companies with total consolidated assets of $50 billion or more, the U.S. operations of foreign banking organizations with total U.S. assets of $50 billion or more, and financial market infrastructure companies and nonbank financial companies supervised by the Board. The proposed enhanced standards would not apply to community banks.

The standards would be tiered, with an additional set of higher standards for systems that provide key functionality to the financial sector. For these sector-critical systems, the agencies are considering requiring firms to substantially mitigate the risk of a disruption or failure due to a cyber event.

To benefit from comments on all aspects of the potential enhanced standards, the agencies are issuing an ANPR before developing a more detailed proposal for consideration. The agencies are also asking for comments on potential methodologies that could be used to quantify cyber risk and to compare cyber risk at entities across the financial sector. Comments on the ANPR are due January 17, 2017.

On October 7, 2016, a bipartisan contingent of members of the U.S. House of Representatives and the president of the North American Securities Administrators Association (NASAA) coordinated a dual message to the SEC regarding its rule amendments to accommodate intrastate crowdfunding. The specific SEC rules at issue are Rules 147 and 504.

The letter from the congressional group included fifteen total signatories from both sides of the aisle and offered support and a few changes to SEC Release No. 33-9973 – Proposed Rule Amendments to Facilitate Intrastate and Regional Securities Offerings.  Separately, Mike Rothman, NASAA President and Minnesota Commissioner of Commerce, issued a press release commending the congressional letter and indicating NASAA’s full support of the SEC’s proposed rule changes:

“NASAA has strongly supported the SEC’s efforts to modernize Rules 147 and 504, and we are encouraged to see members of Congress, led by Rep. Tom Emmer (R-MN) and Rep. Gwen Moore (D-WI), weigh in to support the SEC’s important proposed actions. These key changes will benefit small and local businesses conducting intrastate crowdfunding and regional securities offerings to raise capital, while maintaining important investor protections.

The much-needed improvements to Rules 147 and 504 could provide a tremendous benefit to small businesses in the 35 U.S. jurisdictions that have regulations to implement intrastate crowdfunding exemptions.”

The congressional letter offered a specific technical change to the proposed rules that would make “Rule 147 a safe harbor under Section 3(a)(11) of the Securities Act . . . to avoid state legislatures from having to amend their existing crowdfunding statutes.” In addition, the congressional letter asked the SEC to remove the proposed $5 million offering cap, because “states are better positioned to determine offering and investor caps that best meet their local population and business needs.”

Read the NASAA press release here and the letter from members of Congress here.

ABOUT STINSON LEONARD STREET

Stinson Leonard Street LLP provides sophisticated transactional and litigation legal services to clients ranging from individuals and privately held enterprises to national and international public companies. As one of the 100 largest firms in the U.S., Stinson Leonard Street has offices in 13 cities, including Minneapolis, Mankato and St. Cloud, MN; Kansas City, St. Louis and Jefferson City, MO; Phoenix, AZ.; Denver, CO; Washington, D.C.; Decatur, IL; Wichita, KS; Omaha, NE; and Bismarck, ND.

Drew Kuettel is a member of the firm’s corporate finance group.  Drew works in the firm’s Minneapolis office and can be reached at andrew.kuettel@stinson.com or 612.335.1743.

The SEC has published five FAQs on its pay ratio rule – see new questions 128C.01 to 128C.05. As we noted in our checklist of preliminary planning matters for the upcoming proxy season, the pay ratio disclosure need not be made in annual reports or proxy statements that include information for the calendar year ended December 31, 2016 (i.e., this proxy season). The disclosures must be included in annual reports and proxy statements which include information for the first fiscal year beginning on or after January 1, 2017.

Some of the FAQs, or in SEC parlance CDIs (Compliance and Disclosure Interpretations), address what is permissible if an issuer decides to identify the median employee using a consistently applied compensation measure (“CACM”) instead of annual total compensation. According to the SEC:

  • Any measure that reasonably reflects the annual compensation of employees could serve as a CACM. The appropriateness of any measure will depend on the registrant’s particular facts and circumstances. For example, total cash compensation could be a CACM unless the registrant also distributed annual equity awards widely among its employees. Social Security taxes withheld would likely not be a CACM unless all employees earned less than the Social Security wage base.
  • Can a registrant exclusively use hourly or annual rates of pay as its CACM? Using an hourly rate without taking into account the number of hours actually worked would be similar to making a full-time equivalent adjustment for part-time employees, which is not permitted. Similarly, using an annual rate only, without regard to whether the employees worked the entire year and were actually paid that amount during the year, would be similar to annualizing pay, which the rule only permits in limited circumstances.
  • To calculate the required pay ratio, a registrant must first select a date, which must be within three months of the end of its fiscal year, to determine the population of its employees from which to identify the median. Once the employee population is determined, the registrant must then identify the median employee from that population using either annual total compensation or another CACM. In applying the CACM to identify the median employee, a registrant is not required to use a period that includes the date on which the employee population is determined nor is it required to use a full annual period. A CACM may also consist of annual total compensation from the registrant’s prior fiscal year so long as there has not been a change in the registrant’s employee population or employee compensation arrangements that would result in a significant change of its pay distribution to its workforce.

The SEC also noted that Item 402(u) does not define or even address furloughed employees. Because a furlough could have different meanings for different employers, registrants will need to determine whether furloughed workers should be included as employees based on the facts and circumstances. If the furloughed worker is determined to be an employee of the registrant on the date the employee population is determined, his or her compensation should be determined by the same method as for a non-furloughed employee.

The SEC also addressed the question of “Who is an employee?” In furtherance of this, a registrant should include those workers whose compensation it or one of its consolidated subsidiaries determines regardless of whether these workers would be considered “employees” for tax or employment law purposes or under other definitions of that term. Frequently, a registrant will obtain the services of workers by contracting with an unaffiliated third party that employs the workers. When a registrant obtains services in this way, we do not believe it is determining the workers’ compensation for purposes of the rule if, for example, the registrant only specifies that those workers receive a minimum level of compensation. Further, an individual who is an independent contractor may be the “unaffiliated third party” who determines his or her own compensation.

Mysteriously, the SEC also posted this document to its web site titled “17 CFR §229.402(a)(6) of Regulation S-K in effect as of July 20, 2010.” The document also includes the text of 17 CFR §229.402(c) as of July 20, 2010.

What is the SEC trying to signal? It may be difficult to discern, but the adopting release for the pay ratio rules states “In the Proposing Release, we noted that Section 953(b) refers to Item 402(c)(2)(x) [which is a reference to total compensation in the summary compensation table.] in effect on the day before enactment of the Dodd-Frank Act, or July 20, 2010. We also indicated that, because no substantive amendments have been made to Item 402(c) since that date, the proposed rule would refer to Item 402(c)(2)(x) without reference to the rules in effect on July 20, 2010. We further stated that we expect to address the impact on the proposed rule of any future amendments to Item 402(c)(2)(x) if and when such future amendments are considered. No substantive amendments have been made to Item 402(c) since July 20, 2010. We continue, therefore, to take the approach articulated in the Proposing Release on this issue.”

Some research showed that Item 402(c)(2)(x) has not been amended since the pay ratio rules were adopted. So perhaps the SEC is putting this document out there for historical reference, or so that people can see that there has been no change yet to Item 402.

On September 13, 2016, the New York State Department of Financial Services (DFS) proposed new rules that would require certain “Covered Entities” to establish and implement cybersecurity programs designed to protect nonpublic consumer information (Nonpublic Information) and technology systems from cyber-attacks (Proposed Rules). Below are some of the highlights of the Proposed Rules:

Covered Entities

The Proposed Rules would apply to any person or entity “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law, or the financial services law.”

The Proposed Rules would not apply to a Covered Entity with (i) fewer than 1,000 customers in each of the last three calendar years; (ii) less than $5,000,000 in gross annual revenue in each of the last three fiscal years; and (iii) less than $10,000,000 in year-end total assets.

Effective Date

The Proposed Rules are subject to a 45-day notice and public comment period and, if approved, would be effective beginning January 1, 2017 (Effective Date). Covered Entities would then have 180 days from the Effective Date to comply.

Cybersecurity Program

Covered Entities must establish a cybersecurity program designed to perform the following “core cybersecurity functions”:

  • Identify internal and external cyber risks by identifying Nonpublic Information stored on the Covered Entity’s systems and how that information can be accessed
  • Use defensive infrastructure and the implementation of policies and procedures to protect Nonpublic Information and the Covered Entity’s systems
  • Detect certain “Cybersecurity Events”
  • Respond to identified or detected Cybersecurity Events
  • Recover from Cybersecurity Events
  • Fulfill regulatory reporting obligations

Cybersecurity Policy

Covered Entities must implement and maintain a written cybersecurity policy addressing the following areas:

  • Information security
  • Data governance and classification
  • Access controls and identity management
  • Business continuity and disaster recovery planning and resources
  • Capacity and performance planning
  • Systems operations and availability concerns
  • Systems and network security and monitoring
  • Systems and application development and quality assurance
  • Physical security and environmental controls
  • Customer data privacy
  • Vendor and third-party service provider management
  • Risk assessment
  • Incident response

The cybersecurity policy must be reviewed by the Covered Entity’s board of directors, or equivalent governing body, and approved by a senior officer of the Covered Entity.

Appointment of Chief Information Security Officer and Other Cybersecurity Personnel

A Covered Entity must appoint a qualified individual to serve as the entity’s chief information security officer, who will be responsible for overseeing and implementing the entity’s cybersecurity program. In addition, each Covered Entity must employ cybersecurity personnel to manage the entity’s cybersecurity risks.

Penetration Testing and Vulnerability Assessments

A Covered Entity’s cybersecurity program must include annual penetration testing and quarterly vulnerability assessments.

Audit Trail System

Cybersecurity programs must include implementing and maintaining audit trail systems that track, maintain, and log certain data, including financial transactions necessary to enable the Covered Entity to detect and respond to a Cybersecurity Event.

Limiting Access Privileges and Multi-Factor Authentication

A Covered Entity’s cybersecurity program must limit access privileges to the entity’s systems that provide access to Nonpublic Information solely to those individuals who require such access. In addition, each Covered Entity must require multi-factor authentication for accessing internal systems, for privileged access to database servers that provide access to Nonpublic Information, and for individuals accessing web applications that contain Nonpublic Information.

Annual Risk Assessments

Each Covered Entity is required to conduct an annual risk assessment of its information systems.

Third-Party Vendors

Each Covered Entity is required to implement written policies and procedures that are designed to ensure the security of Nonpublic Information and the Covered Entity’s information systems that are accessible to or maintained by third parties that do business with the Covered Entity.

Limitations on Data Retention and Encryption of Nonpublic Information

Each Covered Entity is required to implement policies that require the destruction of Nonpublic Information that is no longer necessary.

Employee Training and Monitoring

Each Covered Entity must implement policies, procedures, and controls that are designed to monitor user activity and detect unauthorized use. In addition, each Covered Entity must require that all personnel attend regular cybersecurity awareness training sessions.

Incident Response Plan

Each Covered Entity must implement a written incident response plan that is designed to respond immediately to a Cybersecurity Event. The plan must address at least the following areas:

  • The internal processes for responding to a Cybersecurity Event
  • The goals of the incident response plan
  • The definition of roles, responsibilities, and decision-making authority
  • External and internal communications and information sharing
  • Remediation of any weaknesses in information systems and other controls
  • Documentation and reporting concerning Cybersecurity Events and response activities
  • The evaluation and revision of the incident response plan following a Cybersecurity Event

Notices of Cybersecurity Event to DFS Superintendent

Each Covered Entity is required to notify the DFS superintendent of any Cybersecurity Event “that has a reasonable likelihood of materially affecting the normal operation of the Covered Entity or that affects Nonpublic Information.” The notice must be provided no later than 72 hours after the Covered Entity becomes aware of the incident.

Conclusion and Insight

While many institutions have already taken significant strides to address cybersecurity threats, if the Proposed Rules are enacted, Covered Entities will be required to go beyond what many institutions have already done. As such, Covered Entities should begin evaluating their cybersecurity programs and preparing for possible changes based on the Proposed Rules. Further, even non-Covered Entities should pay attention to the outcome of these proposals as they will likely serve as a template for other states and regulators to propose similar requirements.

ABOUT STINSON LEONARD STREET

Stinson Leonard Street LLP provides sophisticated transactional and litigation legal services to clients ranging from individuals and privately held enterprises to national and international public companies. As one of the 100 largest firms in the U.S., Stinson Leonard Street has offices in 14 cities, including Minneapolis, Mankato and St. Cloud, Minn.; Kansas City, St. Louis and Jefferson City, Mo.; Phoenix, Ariz.; Denver, Colo.; Washington, D.C.; Decatur, Ill.; Wichita and Overland Park, Kan.; Omaha, Neb.; and Bismarck, N.D.

Zane Gilmer is a member of the firm’s litigation practice group.  His practice focuses on business litigation and compliance.  Zane works out of the firm’s Denver office and he can be reached at zane.gilmer@stinson.com or 303.376.8416.

The views expressed herein are the views of the blogger and not those of Stinson Leonard Street or any client.

As has been rumored in recent weeks, the CFTC has adopted an order establishing December 31, 2018 as the swap dealer registration de minimis threshold phase-in termination date. With this approval, the de minimis threshold will remain at $8 billion until December 31, 2018 instead of changing to $3 billion on December 31, 2017.

CFTC Chairman Timothy Massad noted:

“There are now more than 100 swap dealers provisionally registered with the CFTC, which include most of the largest global banking entities. Absent our action today, the threshold would have dropped from $8 billion to $3 billion at the end of 2017. That means firms would have been required to start determining whether their activity exceeds that lower threshold just a few months from now – in January of next year. Pushing back this date is a sensible and responsible step for several reasons.

First, our staff has completed the study required by the rule on the threshold. They estimated that lowering the threshold would not increase significantly the percentage of interest rate swaps (IRS) and credit default swaps (CDS) covered by swap dealer regulation, but it would require many additional firms to register. This might include some smaller banks whose swap activity is related to their commercial lending business. At the same time, the study notes that the data has certain shortcomings, particularly when it comes to nonfinancial commodity swaps. This market is very different than the IRS and CDS markets, and I know there is much concern about the threshold with respect to it. This delay will allow us to consider all these issues further.”

I previously discussed an SEC Investor Alert which said fantasy stock trading for small amounts of money can violate provisions of securities laws implemented by the Dodd-Frank Act. According to the SEC, the terms “swap,” “security-based swap,” and “derivative” include any agreement, contract, or transaction whose value is based upon – or “derivative” of – the value or performance of some other financial product, event, or characteristic. The SEC stated there are many different ways that virtual games referencing securities could involve a security-based swap. For example, a website could charge people an entry fee to join an online fantasy stock trading competition in which they would “buy” or “sell” a virtual portfolio of securities and in which they could win a prize.

At the time the Investor Alert was issued, I also noted the SEC announced the first settlement with a company that illegally offered “complex derivatives” products to retail investors.  The Dodd-Frank Act implemented two key requirements for any security-based swaps offering to a retail investor who doesn’t meet the high standard of an “eligible contract participant” defined in the law.  A registration statement must be effective for the offering, and the contracts must be sold on a national securities exchange.

The “complex derivative” was an online business involving the valuation of private startup companies along the lines of a fantasy sports league.

Now the SEC has announced another settled enforcement action against Forcerank, LLC, a provider of a mobile phone game. For a $5 entry fee, entrants would rank 10 stocks or ETFs in the contest from #1 to #10 based on the expected percentage change in market price, predicting for each security where it would fall from the best-performing (#1) to the worst-performing (#10) in the upcoming week. In each week-long game, players won points for each instrument based on the accuracy of their prediction, and players with the most aggregate points received cash prizes at the end of the competition. Forcerank LLC kept 10% of the entry fees and obtained a data set about market expectations that it hoped to sell to hedge funds and other investors.

According to the SEC, each Forcerank entry was a swap because each participant paid to enter into an agreement with Forcerank LLC that provided for the payment of points and, in certain cases, cash. Those payments were dependent upon the occurrence, or the extent of the occurrence, of an event or contingency (i.e., the player’s predictions about the price performance of individual securities being compared to actual performance and the player’s aggregate points being compared to other players). Such event or contingency was “associated with a potential financial, economic or commercial consequence” because it was calculated by measuring the change in the market price of an individual security over a period of time and comparing that change to an identical metric based on the market price of other individual securities.

In addition, the SEC said each swap was a security-based swap because it was based on the value of single securities. The term “based on” does not require an exclusive relationship between the payment and the movement of a security. In the Forcerank contests, players received points based on the change in the market price of a single security relative to the change in the market price of other securities. For example, a player would receive 100 points if the player correctly predicted a security to finish first in a contest and it outperformed each of the other securities. In addition, a player could receive cash based on several factors, including 1) that player’s score, which was calculated by aggregating the points derived from the change in the market price of each single security in the contest relative to the change in the market price of other securities and 2) a comparison of that score to other players’ aggregate points derived from equivalent calculations. For example, a player would receive cash as the first place finisher if the player made predictions precise enough to receive points such that his or her score was higher than the other players’ scores.

Forcerank did not admit or deny the SEC’s findings and agreed to pay a civil money penalty in the amount of $50,000.

On October 11, 2016, the United States Court of Appeals for the D.C. Circuit issued its highly anticipated opinion in PHH Corp., et al. v. CFPB, holding that the Consumer Financial Protection Bureau’s (CFPB) structure is unconstitutional.

The underlying case arose following a CFPB administrative enforcement action against PHH Corp. (PHH), in which the CFPB fined PHH $109 million for alleged violations of Section 8 of the Real Estate Settlement Procedures Act (RESPA). Specifically, the CFPB’s administrative enforcement action found that PHH violated Section 8 of RESPA by engaging in so-called captive reinsurance arrangements.

In response, PHH appealed the CFPB’s action based on the following arguments: (1) the CFPB’s single Director structure violates Article II of the Constitution; (2) the CFPB misinterpreted Section 8 of RESPA when it determined that captive reinsurance arrangements are not permitted; (3) the CFPB violated PHH’s Due Process rights by applying the CFPB’s interpretation of RESPA retroactively against PHH; and (4) the CFPB improperly ignored the three-year statute of limitations provision set forth in RESPA in determining PHH’s alleged offending conduct.

Constitutional Challenge

The D.C. Circuit agreed with PHH’s constitutional argument and held that the CFPB’s single Director structure violated Article II of the Constitution. Specifically, the Court found that the CFPB’s structure was problematic because (1) it is an independent agency created by Congress through Dodd-Frank, (2) it is headed by a single Director (rather than a multi-head agency or commission), and (3) the Director can only be removed for cause (rather than at will or at the discretion of the President). As a result of this structure, the CFPB Director has unchecked and virtually unfettered power, which conflicts with Article II’s pronouncement that “[t]he executive Power shall be vested in the President of the United States of America.” As the D.C. Circuit stated, the CFPB structure results in “the Director of the CFPB [being] the single most powerful official in the entire United States Government, at least when measured in terms of unilateral power.”

As a result of declaring the CFPB’s structure unconstitutional, the D.C. Circuit was faced with determining the proper remedy for such a violation.  The Court rejected PHH’s request to strike down the CFPB in its entirety and prevent it from operating until Congress passes legislation to cure the constitutional violation.  Rather, the D.C. Circuit fashioned a narrow remedy that struck down the “for cause” removal provision and gave the President the authority to remove the Director at the President’s discretion.  The Court reasoned that this remedy was consistent with other single-head agencies and would ensure that the President was able to direct and supervise the Director, thus preserving the President’s authority under Article II.  As such, the CFPB was largely spared by the ruling.

RESPA Interpretation

After holding that the CFPB’s structure was unconstitutional, the Court moved on to address PHH’s RESPA arguments. The Court sided with PHH on each of its arguments. As an initial matter, the Court held that the plain text of Section 8 of RESPA does not ban all captive reinsurance arrangements. Rather, the Court held that the issue was whether the arrangements were made for above fair market value. If so, then they may violate RESPA. In addition, the Court held that there was a long history of permitting transactions similar to the one the CFPB targeted PHH for and, as such, the CFPB’s about-face in that regard and its enforcement of PHH’s conduct, retroactively, based on the CFPB’s new interpretation, violated PHH’s Due Process rights.

Finally, and perhaps most significantly of all, the D.C. Circuit held that CFPB administrative enforcement actions are subject to applicable statutes of limitations. The CFPB argued, as it has repeatedly in the past, that its administrative enforcement actions are not subject to statutes of limitations, meaning that it could theoretically bring an administrative action based on conduct occurring at any time in the past, because the Dodd-Frank Act does not expressly state that such actions are subject to any statute of limitations. The Court outright rejected the CFPB’s arguments and held that CFPB enforcement actions, whether brought as administrative actions or in court, are subject to applicable statutes of limitations that are found in the underlying consumer protection laws that it is enforcing (in this particular case, RESPA). As such, because RESPA provides for a three-year statute of limitations for actions brought by the government, the Court held that the CFPB’s action against PHH was limited to conduct occurring within that three-year window.

The Court ultimately vacated the $109 million order against PHH and remanded the case for further proceedings.  Specifically, on remand, the CFPB must determine whether the captive reinsurance arrangements were for an amount above their fair market value and, if so, whether that conduct occurred within the applicable three-year limitations period.  Only conduct fitting within those criteria could be grounds for any CFPB enforcement action against PHH.

Takeaways

The primary takeaway from this decision is that the CFPB is here to stay, at least for now. It is unclear at this point if either party will appeal the Court’s decision, but at least for now the CFPB has survived its most serious challenge to date to its structure and operations. This opinion is also significant in that it expressly holds that the CFPB is bound by applicable statutes of limitations. That holding is a fairly significant blow to the CFPB’s perceived authority and in many cases can greatly reduce the exposure of a company that is facing a CFPB enforcement action.

Zane Gilmer is a member of the firm’s litigation practice group.  His practice focuses on business litigation and compliance and he is a member of the firm’s CFPB taskforce.  Zane works out of the firm’s Denver office and he can be reached at zane.gilmer@stinson.com or 303.376.8416.

The SEC has brought its second whistleblower retaliation case, this one against International Game Technology (IGT). According to the SEC, the whistleblower, a director of an IGT division, started working at IGT in 2008 and received positive performance evaluations throughout his tenure, including his mid-year review in 2014. Shortly after his favorable 2014 mid-year review, the whistleblower raised concerns to his managers, to the company’s internal complaint hotline, and to the SEC that IGT’s publicly-reported financial statements may have been misstated due to IGT’s cost accounting model relating to its used parts business. As part of the whistleblower’s job function, he had been tasked with evaluating the pricing methodology for used parts used by IGT, but he did not oversee the company’s accounting functions. IGT conducted an internal investigation with the assistance of outside counsel and determined that its reported financial statements contained no misstatements. Approximately three months after the whistleblower raised his concerns, IGT terminated him.

The SEC also said that during a presentation to the whistleblower’s supervisors, the whistleblower raised the possible impact of the cost model on the accuracy of the company’s financial statements and had a heated disagreement with an executive supervisor on the issue. Following the meeting, the executive supervisor emailed a vice president regarding the whistleblower’s presentation, stating that “I can’t allow [the whistleblower] to place those inflammatory statements into presentations, if there is no basis in fact.”

The SEC seems to have accepted the fact that IGT’s accounting was correct. So be mindful that termination of a whistleblower violates the law, according to the SEC, even if there is no factual basis for the whistleblower’s allegations.

Without admitting or denying the SEC’s findings, IGT agreed to pay a $500,000 penalty and cease and desist from committing or causing any further violations of Section 21F(h) of the Securities Exchange Act of 1934.

The SEC has agreed to propose rules that would shorten the standard settlement cycle for most broker-dealer transactions from three business days after the trade date (also known as T+3 settlement) to two business days after the trade date (also known as T+2 settlement). Proponents of shortening the settlement period have consistently argued that such further acceleration of settlement will benefit investors, reduce counterparty risk, decrease capital requirements for clearing, and align global settlement practices with similar T+2 requirements already in use by the United Kingdom and various European countries. The Commission’s recent support for the proposed amendments to Rule 15c6-1 suggests that the SEC is taking the next logical step in facilitating these goals.

However, it remains unclear whether final rules amending Rule 15c6-1 of the Exchange Act will retain the current exceptions available for firm commitment offerings.

As currently formulated, Rule 15c6-1 provides an exception under Rule 15c6-1(c) for “firm commitment offerings registered under the Securities Act or the sale to an initial purchaser by a broker-dealer participating in such offering” which allows such offerings to rely on an extended T+4 settlement cycle instead of the standard T+3 settlement. The proposed rules, however, seek comment on whether the settlement cycle timeframe under Rule 15c6-1(c) should be similarly shortened to T+3 or T+2 in conjunction with the broader proposed change to Rule 15c6-1 and how such changes would impact “risk, costs or operations of retaining the current provision for firm commitment offerings but shortening the settlement cycle to T+2 for regular-way transactions, as proposed.”

The SEC’s 2004 concept release on the benefits and costs of shortening the settlement cycle provides a helpful perspective on how such changes could impact the existing exception for underwritten offerings. In particular, the 2004 concept release specifically highlights the “extensive due diligence between trade date and settlement date” underlying the exception and acknowledged that “[t]he current settlement cycle may be the shortest time frame within which customers may be provided with final prospectuses prior to or simultaneously with” required delivery of written confirmation of a purchase or sale of securities. The 2004 concept release also reflects concerns among industry participants that accelerated settlement could make it “extremely challenging to accurately complete necessary due diligence and satisfy the physical prospectus delivery requirements” and suggests possible solutions to the challenge of expedited prospectus delivery might include “eliminating the requirement that the final prospectus be delivered at the same time as the Rule 10b-10 confirmation” or adopting “an electronic access standard as a means to satisfy prospectus delivery.”

 

On two successive days, the SEC brought settled enforcement actions against issuers for failure to report sales of unregistered securities. Under Item 1.01 of Form 8-K, a registrant must disclose its entry into a material definitive agreement, not made in the ordinary course of business of the registrant, that provides for obligations that are material to and enforceable against the registrant. Under Item 3.02 of Form 8-K, certain unregistered sales of equity securities must be reported. Likewise, under Item 2 of Form 10-Q, a registrant must furnish the information required by Item 701 of Regulation S-K as to all equity securities of the registrant sold by the registrant during the period covered by the report that were not registered under the Securities Act unless it was previously included in a Current Report on Form 8-K.

In an action against Connexus Corporation, the SEC noted in one instance “Connexus failed to file a Form 8-K with the Commission within four business days of a financing agreement becoming enforceable against it” and that “In its Form 10-Q covering the period ended September 30, 2013, Connexus failed to disclose the financing agreement and the sale of unregistered equity securities.”

The SEC did not allege any fraudulent activity, just failure to make required filings. The sales of unregistered securities appeared to be particularly material, and in one instance included “an amount of common stock in excess of 600 percent of the last reported number of common stock issued and outstanding.”  Connexus agreed to pay a civil penalty of $50,000.

In an action against Bluefire Renewables, Inc., the SEC describes a transaction on December 9, 2013, where Bluefire sold shares of its common stock to a financing company in an unregistered transaction where Bluefire was required to issue an amount of common stock in excess of 100% of the last reported amount of common stock issued and outstanding. The SEC again alleges “Bluefire failed to file a Form 8-K with the Commission within four business days of the financing agreement becoming enforceable against it.”  Again, no fraudulent activity was alleged.  Bluefire agreed to pay a civil penalty of $25,000.

Neither issuer admitted or denied the SEC’s findings.

[Update: On September 30, 2016, the SEC announced a third enforcement action for failure to report sales of unregistered securities.]