Header graphic for print

Cady Bar the Door

Insight & Commentary on SEC Enforcement Actions and White Collar Crime

Phil Mickelson is very glad United States v. Newman is the law in the Second Circuit.

Posted in Insider Trading

Phil Mickelson, whom the SEC describes as a “successful professional golfer,” was not charged with insider trading earlier today.  I wasn’t either, and I’m glad about that.  And you probably weren’t either!  High fives all around.  But mostly, Phil wasn’t charged, and he’s really glad, because that guy was %$&*@! close to being charged with insider trading.  Instead, he was merely named as a relief defendant in an SEC complaint filed today, and completely avoided criminal charges in a parallel case brought in the Southern District of New York.

There is so much here, it’s hard to know where to begin.  But let’s start with the allegations, the description of which here is derived from the summary in the SEC’s complaint.  These are not proven, and I don’t know if they’re true.  The defendants’ lawyers say they’re not!


Anyway, from 2008 through 2012, Thomas Davis, a director of Dean Foods Company, tipped his long-time friend and “professional sports bettor” Billy Walters, to confidential information about the company.  This information included “sneak previews of at least six of the company’s quarterly earnings announcements and advance notice of the spin-off of Dean Foods’s profitable subsidiary, The WhiteWave Foods Company.”  In exchange for these insider trading tips, Walters gave Davis almost $1 million.  In July 2012, Walters called Mickelson, who had placed bets with Walters and owed Walters money at the time of the call.  “At a time when Walters was in possession of material nonpublic information regarding Dean Foods, Walters . . .  urged Mickelson to trade in Dean Foods stock, which Mickelson did the next trading day in three brokerage accounts he controlled.” A week later, Dean Foods’s stock price jumped 40% on the announcements of the WhiteWave spin-off and strong second quarter 2012 earnings, allowing Mickelson to profit by approximately $931,000.

Again, maybe not true.

Phil Mickelson

But I’m mostly interested in Mickelson here.  What they’re saying he did sounds a lot like insider trading, but he wasn’t named as a defendant.  Instead, the SEC named him as a relief defendant.  Here’s how the Second Circuit described relief defendants in SEC v. Contorinis, 743 F.3d 296, 305 n.11 (2014):

When certain conditions are met, innocent third parties (“relief defendants”) may be ordered to disgorge the proceeds generated by the illegal conduct of a fraudulent investor. However, imposing such liability upon innocent third parties is elective rather than mandatory. See, e.g., SEC v. Cavanagh, 155 F.3d 129, 136 (2d Cir. 1998) (“Federal courts may order equitable relief against a person who is not accused of wrongdoing in a securities enforcement action where that person: (1) has received ill-gotten funds; and (2) does not have a legitimate claim to those funds.”) (emphasis added). Here the SEC could have sought to recover illegal gains from the Paragon Fund as a relief defendant, but chose, as our case law has indicated is an established and legitimate alternative, to seek damages from the wrongdoer Contorinis directly.

So maybe the SEC could have gone after Walters only for Mickelson’s profits, if Mickelson really was an “innocent third party,” as described in Contorinis.  But the SEC named Mickelson as a relief defendant, and have required him to disgorge the $931,000 and to pay prejudgment interest of $105,000.  I have never seen prejudgment interest as part of a settlement involving a relief defendant, though it may have happened before.

Why no charges?

Why didn’t the SEC and the Justice Department go ahead and charge Mickelson, instead of doing this weird relief defendant thing?  I think there are a couple of reasons that may be rooted in the evidence the government was able to gather.  First, the SEC doesn’t allege that Walters actually told Mickelson any material, nonpublic information about Dean Foods.  Sure, Walters “was in possession of” that information and urged Mickelson to buy Dean Foods shares, but the SEC doesn’t say Walters told Mickelson what that information was.  So maybe Mickelson didn’t have it, and without it, he wouldn’t be liable.

Second, the government alleges that Walters gave Davis a lot of money for the Dean Foods information, almost $1 million.  But it doesn’t say that Mickelson knew about those payments back to Davis.  And under United States v. Newman, which is the law of the Second Circuit at least until United States v. Salman is decided by the Supreme Court later this year, Mickelson needs to have been aware of that personal benefit being kicked back to the original tipper, Davis.  Without that knowledge, Mickelson wouldn’t be liable.

Mickelson’s knowledge may have been too hard to prove given the fighting posture Walters and Davis are now in.  Those evidentiary problems may explain the weird relief-defendant-plus-prejudgment-interest result for Mickelson.

Custody rule examiners need to, you know, examine.

Posted in Investment Advisers

Here’s a thing I know: South Carolina doesn’t require vehicle inspections.  Dumb, right?  If your car is properly registered, you can drive it there all you want no matter how dangerous it is.  Here’s a thing I think I know: The state abandoned those inspections a long time ago because everybody had a “guy,” somebody who would pass them no matter how dangerous the car was.  The custody rule for investment advisers who have custody of their clients’ assets is sort of the same way, except you’re not allowed to have a “guy.”

One of the requirements of the custody rule is that those investment advisers must undergo an annual surprise examination by an independent public accountant that verifies client funds and securities.  See Rule 206(4)-2(a)(4).  And given the potential consequences of mishandling client assets, you can see why.  Actual people’s actual money could get stolen.  You certainly can’t have a “guy” do the “surprise examination” and pretend you’re good.  It looks like that may have happened with Santos, Postal & Co., though.

The SEC had previously announced charges against the Brian Ourand, the president of SFX Financial Advisory Management Enterprises, who was later found to have misappropriated funds from client accounts.  In the course of the SFX investigation, the SEC apparently turned to the CPAs assigned to conduct the surprise exams under the custody rule: Santos, Postal and its partner Joseph A. Scolaro.  In a settled administrative order on April 29th, the SEC found that Santos and Scolaro conducted deficient surprise custody examinations of SFX and did not adequately consider fraud risk factors.  They allegedly twice filed paperwork with the SEC that contained untrue statements.  In one instance they said that they complied with certain procedures to verify client assets when they actually had not.  In the second instance they stated that client assets were held with a qualified custodian when in fact they were not.

Without admitting or denying the findings, Santos and Scolaro agreed to be suspended from appearing and practicing before the SEC as an accountant, which includes not participating in the financial reporting or audits of public companies.  The SEC’s order lets Santos apply for reinstatement after one year and Scolaro after five years.  Santos agreed to disgorgement of $25,800 in profits that the firm obtained for performing the exams plus interest and a penalty of $15,000.  Scolaro also agreed to pay a $15,000 penalty.

If you’re a CPA being asked to conduct such a surprise exam, don’t do what these guys allegedly did!  You can’t rent out your license to paper over what could be real problems.  The SEC hates it and may well punch you in the mouth for doing it.

Stop Faxing

Posted in Cybersecurity

I’ve long thought that sending faxes was a pretty silly means of communication.  Don’t send me a fax.  I don’t want it.  At some point I’m hoping that even my kids’ doctor’s office will get dragged into the 20th century and drop their insistence on faxing.  In the meantime a pdf will be fine, thanks.  In addition to the many reasons faxes are antiquated and annoying, the SEC has just provided us another reason to avoid them: they encourage violations of Reg. S-P!

The Rule

Reg. S-P’s Safeguards Rule requires that every broker-dealer registered with the SEC adopt policies and procedures reasonably designed to:

  1. insure the security and confidentiality of customer records and information;
  2. protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
  3. protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

The Allegations

Craig Scott Capital, LLC, a broker-dealer in Uniondale, New York, had written supervisory procedures that purported to describe the manner in which the firm complied with the Safeguards Rule.  But those procedures allegedly had some problems.  For example, the procedures said the “Designated Supervisor” was responsible for ensuring compliance, but did not identify the Designated Supervisor.  Also, the procedures allegedly contained blanks to be filled in later, such as: “[The Firm] has adopted procedures to protect customer information, including the following: [methods].”

But let’s get to the faxes. As last month’s administrative order sanctioning Craig Scott Capital says:

From January 20, 2012 until approximately June 2014 (the “Relevant Period”), CSC used email addresses other than those with the Firm’s domain name–@craigscottcapital.com – to electronically receive more than 4,000 faxes from customers and other third parties. These faxes routinely included sensitive customer records and information, such as customer names, addresses, social security numbers, bank and brokerage account numbers, copies of driver’s licenses and passports, and other customer financial information. During the Relevant Period, Taddonio and Porges, CSC’s principals, as well as other CSC employees and registered representatives, also used their personal (i.e., non-Firm) email addresses for matters relating to the business of CSC. CSC did not maintain and preserve either these faxes or this email correspondence as required by Section 17(a) of the Exchange Act and Rule 17a-4 thereunder.

The problem was the same as with all faxes: nobody wants them.  They want emails instead.  So when the firm set up an electronic faxing service, they added an extra step in the communication chain, and routed the faxes to email addresses. While they should have sent those faxes to email addresses with the firm’s domain name, thousands went to personal email addresses instead.  Those personal email addresses were outside the firm’s communication management system, and the data in the faxes was unprotected.

The violations of Reg. S-P and Rule 17a-4 have cost Craig Scott Capital a $100,000 penalty and left the firms’ principals subject to cease-and-desist orders.

A Three-Step Data Security Plan[1] for Your Business

  1. Have a good reason for the communication methods your firm uses. Do you have a plan for your faxes?  Can you protect the integrity of the data they contain?  If not, quit it with the faxes.
  2. Keep your business in front, and party in the back. Are you using personal emails for your business?  Can you protect the integrity of the data they contain?  If not, quit it with the personal emails and save them for your fantasy jai alai league.  They are a terrible idea.
  3. Re-read your data security procedures. Do they have actual blank spaces that will leave you exposed later?  Fill those, and then look for your other problems, which you surely have.


[1] This is an incomplete plan.  You need way more than this plan.

Two Thoughts about the (Second) Smallest Insider Trading Case in All of Captivity

Posted in Insider Trading

I shouldn’t write this post, because the SEC surely wants me to write at least part of it.  I mean, they don’t care about what I write; I can promise you that.  But they want somebody to cover it because of the message they hope to send to people out there who are thinking about doing just a little bit of insider trading.  And the message is, don’t do it, or you’ll end up like this guy.  It seems like piling on to use his name, so I won’t.


But here’s what allegedly happened.  Person A’s spouse worked at GSI Commerce, an e-commerce company whose stock traded on the NASDAQ until it was acquired by eBay in 2011.  Spouse told “A” about the impending acquisition, in late January of that year.  “A” knew the information was material and nonpublic, but on February 21, allegedly told Person “B” in confidence about the eBay deal for GSI. Critically for purposes of holding this insider trading case together, “A” and “B” had “a long-standing relationship of trust and confidence built on years of sharing personal and professional confidences about their lives which they understood were to be maintained confidentially.”  You may not think about your personal relationships in these terms, but believe me when I say it matters that the preceding sentence says what it does.

“B” then allegedly told her good friend “C” about the acquisition – and that she learned about it from “A” – at some point before March 15th, when “C” bought 100 shares of GSI.  As the order alleges, “B” “intentionally tipped that information to [“C”] and obtained a personal benefit.”   On March 28th, eBay and GSI announced the merger, and GSI’s share price jumped more than 50% from the prior day’s close.  “C” then “allowed his GSI shares to convert to cash at the close of the deal on June 21, 2011 for a profit of $1,083.”

Two Thoughts  

I have two main thoughts here.  First – oh, man, that is not a lot of money.  Believe me, I would like to have $1,083, and I will take yours right now.  But I wouldn’t risk a career or even a job for $1,083 and you shouldn’t either.  Stay in school.  Don’t do drugs.  Don’t insider trade if you can help it.  I sometimes warn clients that the SEC will occasionally bring a dinky insider trading case just to show there’s no floor or de minimis level it thinks is okay.  And to look at this case, there’s not a lot of room to go down.  I’ve never heard of a lower disgorgement figure, and am prepared to declare this case the smallest one ever.  Please write if you’ve seen one that’s dinkier.

Second, the Commission sort of blows past the personal benefit issue here.  “A” and “B” supposedly had a relationship of such trust and confidence that misuse of the eBay information by “B” could be characterized as a misappropriation by “B”.  The order doesn’t have to get into whether “A” merely tipped “B” and therefore had to have received a personal benefit for “A” to be liable for illegal tipping.  The order does characterize the second transfer of information – from “B” to “good friend” “C” – as a tip and not a misappropriation by “C”.  So there does have to be a personal benefit being kicked back to “B”.  And the order assures us that there is one.  It says so right there in Paragraph 12, that “B” “obtained a personal benefit.”  But what was it?  The order doesn’t say.  Would it have been enough to get past the standard set in United States v. Newman in the Second Circuit?  We don’t know.  And because the Commission brought this case as a settled administrative proceeding, we’re not going to know.  It is unreviewable.  At a time when the personal benefit issue is currently on review before the Supreme Court, I’m not sure it’s a good look for the SEC to be ducking it entirely by filing a settled case in an administrative forum.  But here we are.

P.S. “B” isn’t charged in this case, but got hers in another case filed on Tuesday.

UPDATE: Bruce Carton writes in Compliance Week to point out that this case is in fact not the dinkiest one in history, but maybe the second dinkiest.  This one, for $922.14 in 2003, was even smaller!

Rob Cohen Discusses SEC’s Analysis and Detection Center

Posted in Insider Trading

One other interesting thing coming out of last Friday’s enforcement discussion at SEC Speaks (there weren’t many): Market Abuse Unit co-chief Rob Cohen’s mention of the SEC’s Analysis and Detection Center.

First, though, a brief rundown on how the SEC has traditionally started insider trading cases.  In short, they tend to come from outside reports (whistleblowers or Suspicious Activity Reports)  or FINRA or other self-regulatory organizations such as the Chicago Board Options Exchange.  Historically, these are the places with their fingers on the electronic pulse of the securities markets.  Maybe that’s too melodramatic.  These are the places with all the data.  There.  That’s better.  When, say, a corporate merger, FDA drug approval, or patent approval happens, FINRA can look at the trading in that issuer for several weeks before the event and see who was trading before the news was made public.  If something seems amiss, after a brief investigation a referral is sent to the SEC.  The SEC can certainly get this data on its own, but the process is extremely cumbersome.  FINRA’s data, and the CBOE’s for options cases, is much better.

Enter the Analysis and Detection Center.  I have a friend whose job requires him to think about insider trading for, oh, probably more than half of every day.  When the SEC filed its first case referring to the Analysis and Detection Center, he emailed me asking something like, “There is one?”  We both wondered what it was.  So did Bruce Carton.  It turns out the SEC is using it, whatever it is, to generate its own insider trading cases, without relying on FINRA or CBOE or any ol’ whistleblower.

And, Cohen said last Friday, the Market Abuse Unit has filed five insider trading cases generated from the Center over the last year.  This is noteworthy.  Here is one of the cases, and here is another one.  Lexis doesn’t tell me about the other two.  But what I want to know is, what data do they have?  Where are they getting it?  How are they using it?  Would they have been able to do these cases without the Center?  Is the Center a place or just software?  I want it to be a room with a thermometer-like meter in the corner that lights up in a different color at the top, for the craziest insider trading schemes or the most money at stake.  I also want a snoozing SEC staff attorney to be startled awake while spilling coffee when the “thermometer” hits Defcon 1.  But because SEC Speaks is uniquely designed not to answer questions like these, we don’t know what it looks like.  Ugh.  Maybe Cohen will show up at Securities Enforcement Forum 2016 and we’ll find out.

SEC Enforcement Lays out Approach to Cybersecurity Cases

Posted in Cybersecurity

If you’ve ever attended the annual SEC Speaks conference, you know that the official program is an intensely uninteresting collection of short speeches by SEC officials who don’t have a lot of incentives to say groundbreaking things.  But occasionally there are exceptions.  I think Deputy Enforcement Director Stephanie Avakian’s discussion of cybersecurity cases on Friday was one of those.

Avakian broke those cases down into three categories.

  1. Failures of registered entities to safeguard information. She cited the T. Jones Capital Equities Management case from September of last year (covered here) as an example of those.
  2. Electronic thefts of material nonpublic information, and illicit securities trading following the thefts. Avakian cited the Dubovoy case filed in the District of New Jersey last August and updated on Thursday as an example of these.
  3. Cyber-related disclosure failures by public companies. The SEC hasn’t brought any cases in this category yet, and much of Avakian’s discussion focused on why that is the case and how the SEC might get to the point of bringing one.

Assuringly for companies that are investing resources in cybersecurity and trying to do the right things for its customers and shareholders, Avakian said, “A company that has been a victim of an intrusion is just that: a victim.”  She also said in several different ways that the Division understands that when attacks happen, critical facts can change and develop very quickly.  These developing facts can make any necessary disclosures a moving target.  Along these lines, the Enforcement Division will appreciate the difficulty of the circumstances, Avakian says.  She added that the SEC is not looking to second guess well-thought decisions in this area.

With all of that said, the Enforcement Division very much wants companies that are victims of cyber attacks to involve appropriate law enforcement authorities as quickly as they reasonably can.  It will also examine (1) whether companies have policies and procedures that are reasonably designed to protect customer information; and (2) whether companies with potential liability have self-reported issues to the Division.  Regarding the second factor, the SEC’s Seaboard Report from 2001 continues to include the guideposts the Division will consider.

While no cases have yet been brought against public companies in this third category, Avakian can imagine circumstances in which the Commission does file a case to penalize inadequate cybersecurity disclosures.  I can, too.  Be careful out there.