Header graphic for print

Cady Bar the Door

Insight & Commentary on SEC Enforcement Actions and White Collar Crime

SEC Comments on Whistleblower Anti-Retaliation Provisions/Internal Reporting

Posted in SEC Litigation, Whistleblowers

In the wake of Dodd-Frank’s passage in July 2010, many companies and corporate organizations lobbied the SEC on its upcoming whistleblower rules.  One of their specific goals was to require whistleblowers, to be eligible for the awards provided in the statute, to report potential securities violations to internal compliance departments before bringing them to the Commission.  Ultimately, the SEC didn’t go along.  In writing the various provisions of Rule 21F, it built in a number of incentives to encourage internal reporting, but didn’t require it.

Years later, there’s something of a disconnect between this push for internal reporting and the whistleblower rule’s anti-retaliation provisions.  In brief, some companies are arguing in litigation that the anti-retaliation provisions don’t apply unless whistleblowers goes directly to the SEC with their tips.  Put another way, if the whistleblower makes securities law allegations to an internal corporate compliance department, the companies cannot be constrained by the anti-retaliation provisions as it deals with the whistleblower.  This position has prevailed in one federal circuit, Asadi v. G.E. Energy (USA), LLC, 720 F.3d 620 (5th Cir. 2013), and the issue is pending in another, Berman v. Neo@Ogilvy LLC, 14-4626 (2d Cir.).

It’s a little odd in that the position that’s in the best interest of an individual company in specific litigation may not be in the best interest of public companies generally.  That is, an individual company wants to stop a lawsuit against it however it can.  But more broadly, companies still want to encourage their employees to report potential securities violations internally before racing off to the SEC.  And if the Asadi position spreads to other circuits, and internal reporters are deemed not to have the protection of the anti-retaliation provisions, they won’t make internal reports.  They’ll do what’s in their self-interest, and go to the SEC directly.

The SEC’s position is that the anti-retaliation provisions do apply to whistleblowers who make internal reports.  They’ve said as much in amicus briefs, and on August 4th the Commission issued an Interpretation of the SEC’s Whistleblower Rules under Section 21F of the Securities Exchange Act of 1934.   The interpretation reaffirms this position, and is plainly designed to guide courts that consider the issue, including the Second Circuit in the upcoming Berman case.

As the issue unfolds, Companies may be pulling for the SEC to prevail in its interpretation, even if they would be fighting tooth and nail against it if they were facing the question in litigation.

Probably Don’t Do What the Red Cross CEO Just Did

Posted in Investigations

You might have read the NPR/ProPublica story from Monday about the Government Accountability Office’s investigation of the Red Cross, and CEO Gail McGovern’s attempts to end that investigation.  The article says that in 2014 the GAO “started an inquiry into the Red Cross’ federally mandated role responding to disasters and whether the group gets enough oversight.”  The story’s title, “Red Cross CEO Tried to Kill Government Investigation,” appears to be accurate but somewhat misses the point.

The issue isn’t so much that McGovern tried to kill the investigation.  It’s probably not a bold statement to say all CEOs in the history of the world have tried to end every government investigation into their organizations.  They’re sort of obligated to try.  The issue is how McGovern tried to end the investigation.  Instead of more conventional methods, McGovern apparently decided to TAKE IT STRAIGHT TO THE TOP and in June 2014 wrote a letter to Rep. Bennie Thompson, D-Miss., whose request had initiated the GAO inquiry.  She wrote, “I would like to respectfully request that you consider us meeting face-to-face rather than requesting information via letter and end the GAO inquiry that is currently underway.”  In lieu of a personal meeting (or the investigation itself), the congressman could call her cell phone directly with questions. Wouldn’t that be enough?  Now her ham-handed attempt to quash the investigation has been published and she’s being hammered for her apparent lack of commitment to “transparency.”

This is a mistake I’ve seen before among people who have accomplished a lot but haven’t dealt frequently with government regulators or law enforcement.  The inclination is to tap a connection to a Cabinet-level secretary or member of Congress when almost any other option would be more effective.  If you find yourself in such a situation, you might try these mundane alternatives:

  • Figure out what happened.  Get a command of the actual facts as soon as possible.
  • If you can (and you can), use those facts to create a narrative that makes sense for the organization.
  • Find competent counsel with a reputation for rigor and intellectual integrity and experience in government investigations.  If that counsel knows staff at the investigating agency, that sort of connection could be immensely valuable.  Not because it will be a shortcut to killing the investigation, but because it could bring a level of trust that inures to the organization’s benefit.
  • Respond quickly and diligently to investigators’ questions.
  • Be ready to fight if appropriate.

It doesn’t always work.  Even excellent lawyering isn’t always enough to “kill” some investigations.  But if you’re in the government’s crosshairs, it’s the best plan you have.  And it’s a lot better than McGovern’s Operation Big Shot.

The Justice Department Has Some Things to Tell You about Cybersecurity

Posted in Cybersecurity

In April the Justice Department’s Computer Crime and Intellectual Property Section issued its Best Practices for Victim Response and Reporting of Cyber Incidents.  It is an excellent guide for a business organization to respond to cyber attacks and, one hopes, move forward with its business intact.  The guide outlines what to do before, during, and after a data breach, and is quite detailed.  It includes specific steps to take regarding:

  • Identifying the business’s most critical information assets;
  • Having a plan in place before an intrusion occurs;
  • Efficiently assessing the damage from an attack;
  • Minimizing that damage;
  • Collecting and assessing information from the attack;
  • Notifying the proper authorities and personnel; and
  • Avoiding further damage after an incident has occurred, among many, many other things.

Any organization should incorporate it into its own plans for stopping the figurative hemorrhage from a cyber attack and getting back to business as soon as possible.  I have three main thoughts about the guidance.

First, it repeatedly refers to organizations that are the victims of cyber attacks as “victim organizations.”  I don’t mean that sentence to be as obtuse (or obnoxious) as it might sound.  But it’s helpful to know that federal prosecutors will treat business that are attacked in this way as the victims and not the criminals.  With a view toward maintaining that perspective, plan ahead.  The guidance says early on: “Having well-established plans and procedures in place for managing and responding to a cyber intrusion or attack is a critical first step toward preparing an organization to weather a cyber incident. Such pre-planning can help victim organizations limit damage to their computer networks, minimize work stoppages, and maximize the ability of law enforcement to locate and apprehend perpetrators.”  If you do that pre-planning, you will be much more likely to maintain that “victim” posture in DOJ’s eyes, and look less like a negligent custodian of your customers’ data.

Second, the Justice Department really wants you to let it and the FBI know about cyber attacks when they happen.  The guidance provides extensive assurances that the FBI and the U.S. Secret Service will try not to wreck businesses in the process of investigating attacks against those businesses.  “The FBI and U.S. Secret Service place a priority on conducting cyber investigations that cause as little disruption as possible to a victim organization’s normal operations and recognize the need to work cooperatively and discreetly with victim companies. They will use investigative measures that avoid computer downtime or displacement of a company’s employees.”  They even want organizations to “establish a relationship with their local federal law enforcement offices long before they suffer a cyber incident.”  And the Department of Homeland Security might be able to provide “technical assistance capable of mitigating an ongoing cyber incident.”

Finally, if you are attacked, DOJ urges you to be careful about seeking justice on your own.  “A victimized organization should not attempt to access, damage, or impair another system that may appear to be involved in the intrusion or attack. Regardless of motive, doing so is likely illegal, under U.S. and some foreign laws, and could result in civil and/or criminal liability.”  Don’t consider this an idle warning.  The FBI and Secret Service would much rather be in the position of investigating bad actors, without businesses seeking vigilante justice.

The Best Practices is a good document.  Bake it into your incident response program. It could go a long way toward minimizing damage and maintaining good relationships with federal law enforcement if a cyber attack goes from bad to worse.

The SEC’s Investment Management Division Has Some Things to Tell You about Cybersecurity

Posted in Cybersecurity

Lots of agencies and organizations want to boss you around about cybersecurity.  In April, the SEC and the Justice Department published more directions on the issue.  We’ll cover the very brief guidance issued by the SEC’s Division of Investment Management first, and then turn to DOJ in a later post.

First, as with everyone else, the IM Division thinks cybersecurity is very, very important for investment companies and investment advisers.

Second, the staff recommended that advisers and funds consider a number of measures to strengthen cybersecurity:

  • Conduct a periodic risk assessment.
  • Create a strategy designed to prevent, detect and respond to cybersecurity threats. Specific pieces of the strategy could include: tiered access to sensitive information and network resources; data encryption; restricted use of removable storage media; and development of an incident response plan.
  • Implement the strategy through written policies and procedures and training that provide guidance to officers and employees. Then monitor compliance.
  • Assess whether protective cybersecurity measures are in place at relevant service providers.

This is a truncated list, and it isn’t magical.  The suggestions could apply to literally any business. You can read the full version here, but FINRA is way ahead of the Investment Management Division in providing usable guidance on how to bolster cybersecurity.

Third, and more interestingly, the guidance suggests that funds and advisers should take their compliance obligations under the federal securities laws into account in assessing their ability to prevent, detect and respond to cyber attacks.  So, maintaining a compliance program that is reasonably designed to prevent violations of the securities laws could also mitigate exposure to cyber threats, the guidance says.  “For example, the compliance program of a fund or an adviser could address cybersecurity risk as it relates to identity theft and data protection, fraud, and business continuity, as well as other disruptions in service that could affect, for instance, a fund’s ability to process shareholder transactions.”  In other words, if a cyber attack prevents you from, say, being able to process shareholder transactions, the staff is going to look back and see how well prepared you were before the assault.  If you weren’t prepared at all, the end result probably won’t be pretty, for the shareholders or you.

The guidance recognizes that it’s impossible to anticipate and prevent every cyber attack.  But it wants you to try.  And appropriate planning could mitigate the impacts of those attacks, as well as help “compl[iance] with the federal securities laws.”  Consider yourself warned.

You Can Settle Your Insider Trading Case with a Negligence-based Charge

Posted in Insider Trading, SEC Litigation

This is almost certainly not true anymore.  But it was true once!  Maybe only once.  Back in October 1991, the SEC sued Shared Medical Systems, a Pennsylvania health care information services company and three of its officers and directors: the company for financial reporting fraud and the individuals for insider trading, among other things.  Here’s what the litigation release said about the insider trading piece:

The Commission’s Complaint alleges that [James] Macaleer, the chairman and chief executive officer of SMS, [James] Kelly, the former executive vice president, treasurer, and secretary of SMS, and [Clyde] Hyde, a former director of SMS, received nonpublic information during 1986 and early 1987 which disclosed a decline in SMS’ historic annual growth rate of 20%. Between October and December 1986, while in possession of this information, they sold a total of more than 157,300 shares of SMS stock. Macaleer is also charged with causing the sale of over 22,000 shares of SMS stock from his children’s trust and Uniform Gift to Minors Act accounts. The defendants sold their stock at prices ranging from $35 to $ 41.875 per share. After public disclosure of this information, the stock price dropped to $27 per share.

As they typically do, the charges include alleged violations of Section 10(b) of the Exchange Act and Section 17(a) of the Securities Act.  As to Section 17(a), the complaint didn’t specify Section 17(a)(1) (which is scienter-based) or Sections 17(a)(2) or (3) (which are negligence-based).  The complaint, filed in the Eastern District of Pennsylvania, was settled as to Hyde.  The other defendants litigated, and filed a motion to dismiss that was denied in August 1992.

It’s hard to know what happened over the next 18 months, but the SEC appears to have slowly tired of the fight.  In February 1994, the Commission dismissed all charges against Kelly, and replaced the complaint against Shared Medical Systems with a cease-and-desist order as to Section 13(a) of the Exchange Act (negligence-based) and related rules.  An amended complaint reinstated the insider trading claims against Macaleer and dropped claims that he had aided and abetted the company’s accounting violations.  Macaleer moved to dismiss again, and lost again in May 1994.

By June, it was all over.  Macaleer settled, in at least two interesting ways.  First, the final litigation release noted he “admitted, that, while in possession of [material, nonpublic] information, Macaleer sold SMS stock and thereby avoided losses he otherwise would have incurred.”  It’s not shocking that the final settlement would include an admission of liability after this extensive litigation, but that was unusual in that pre-Mary Jo White era.  Second, though, the fraud charges were gone.  Macaleer admitted only to violations of Section 17(a)(3), not Section 10(b) or Section 17(a)(1).

I don’t think that has happened in an insider trading case before or since.  It’s really quite remarkable that Macaleer was able to back the SEC down that way.  But his lawyers at Wilmer, Cutler & Pickering were not amateurs: Art Mathews, a giant of the era who died four years later, Andy Weissman, who recently retired, and Kenneth Chernof, now at Arnold & Porter.  I would love to know of other instances where an insider trading case was settled on similar terms.  Lexis tells me there aren’t any, but maybe I’m missing some.

Texas Supreme Court Applies Absolute Privilege to Statements in FCPA Investigations

Posted in FCPA, Investigations

You may remember the 2013 Texas Court of Appeals case involving Shell Oil Company and Robert Writt.  We covered it here, and it left FCPA internal investigations based in Texas in an awkward spot.  To recap very briefly, in 2007 the Justice Department asked Shell to conduct an investigation into potential FCPA violations, and the company did.  The investigation pointed at least one finger at former employee Writt as a bad actor, and Shell reported that finding to DOJ.  Writt was never charged with wrongdoing, and sued Shell for libel.  The key question for the court: were Shell’s statements to DOJ subject to a conditional privilege or an absolute privilege?  Cases involving conditional privilege frequently proceed to discovery, because they depend on factual questions surrounding the good faith basis for the statements at issue.  Cases involving absolute privilege can often be handled at the motion-to-dismiss stage.  If the statements are absolutely privileged, not much is left for discovery.  The Court of Appeals thought Shell’s statements about Writt were only conditionally privileged, and reversed the trial court’s grant of summary judgment to Shell.  On May 15, the Texas Supreme Court reversed again.

Facts Surrounding the Investigation

I tend to think that cases like this one (and maybe all cases) are decided by how the facts are characterized.  Here’s how the Texas Supreme Court described them:  In July 2007, the Justice Department sent Shell a letter explaining that it had become aware that Shell had engaged another company, Panalpina, “to provide freight forwarding and other services . . . and that certain of those services may violate the [FCPA].”  In its letter, the DOJ requested that Shell meet with it to discuss Shell’s engagement of Panalpina. At the meeting Shell agreed to conduct an internal investigation into its dealings with Panalpina and to report its findings to the DOJ, with the understanding that the report would be treated as confidential. The investigation was to be done pursuant to a plan approved by DOJ, and Shell agreed to produce additional documents and information. DOJ subsequently identified several individuals as potential persons of interest regarding its investigation and requested Shell to produce information related to them. One of these was a Shell employee named Robert Writt.

Shell hired outside counsel and investigators to assist in the investigation, and Writt was interviewed several times about his knowledge of possible illegal payments made by Panalpina. In February 2009, Shell provided the investigators’ findings and its report to the DOJ. Among other matters, the report set out that the impetus for it was the meeting between Shell and DOJ representatives regarding allegations of criminal violations. The report also contained information, analyses, and conclusions as to Shell’s relationship with, and Writt’s actions as they related to, Panalpina. The report stated that Writt was aware of “several red flags” concerning Panalpina’s customs clearance process and that he provided inconsistent information about his knowledge of Panalpina’s questionable acts. In addition to providing the report to the DOJ, Shell terminated Writt’s employment. In its termination letter, Shell stated that Writt’s conduct was a “significant, substantial and unacceptable” violation of Shell’s General Business Principles and Code of Conduct.  Writt then sued for defamation and wrongful termination

How the Investigation Was Resolved

While Shell’s motion for summary judgment in the defamation suit was pending, DOJ filed an information charging Shell with conspiracy to violate the FCPA and aiding and abetting the making of false books and records. Shell and the DOJ then executed a Deferred Prosecution Agreement — frequently used in FCPA cases.

In the Agreement, the DOJ acknowledged that Shell had (1) cooperated in the DOJ’s investigation, (2) agreed to cooperate in any ongoing investigation, and (3) agreed to pay a monetary penalty. Shell’s willingness to conduct an internal investigation, admit misconduct, and cooperate with the investigation was an important factor in the DOJ’s decision to offer Shell the opportunity to enter into the Deferred Prosecution Agreement. The terms of the DPA, which are more favorable than the criminal penalties that could have resulted from an FCPA prosecution, required Shell to continue to cooperate with the DOJ and other law enforcement agencies, pay a $30 million criminal fine, and implement an extensive FCPA compliance and reporting program. The DPA provides that if Shell fully complies with its terms, then the criminal charges will be dropped. But if Shell fails to abide by the DPA’s terms, DOJ will resume the prosecution.

Which Kind of Privilege?

But coming back to the defamation case, were Shell’s statements about Writt conditionally or absolutely privileged?  Shell argued that because its statements were made in serious contemplation of a judicial proceeding, and not on the bare possibility that a proceeding might occur, an absolute privilege should apply.  The Supreme Court analogized Shell’s position before the Justice Department in 2007 to that of Brian McNamee in Clemens v. McNamee, 608 F. Supp. 2d 811, 824-25 (S.D. Tex. 2009).  During the course of the investigation described in that case, McNamee was told by the Assistant United States Attorney, FBI agents, and IRS agents conducting the investigation that his status as a witness would be reconsidered if he failed to cooperate with the investigation, which included being interviewed by the Mitchell Commission. Id. at 824. All of McNamee’s interviews with the Mitchell Commission were arranged and attended by Assistant United States Attorneys or other government agents. Id. Although McNamee cooperated with the investigation and offered information voluntarily, he was for all practical purposes compelled to make his statements to the commission. Id. at 825. The court concluded that to classify McNamee’s statements as only conditionally privileged would have caused great harm to the administration of government and the government’s ability to ensure justice was served.  Id. at 825-26.

What It Means

Similarly, in some sense Shell had a choice about making a full report to the Justice Department when it “asked” the company to conduct an internal investigation into the Panalpina matter.  But it didn’t really have a choice.  It could have told DOJ prosecutors to pound sand, and it also could have signed on for an indictment of the company and massive fines.  The court understood this, and also understood the context of how FCPA investigations are resolved these days.  Specifically, “[f]ederal prosecutors and the U.S. Sentencing Guidelines ‘place a high premium on self-reporting, along with cooperation and remedial efforts, in determining the appropriate resolution of FCPA matter.”  Shell didn’t really speak freely when making its statements to the Justice Department.  It was already being ground up in the judicial process, even if that process looks a bit different than many traditional prosecutions do.  So the statements were absolutely privileged.

This case will make investigations that require reports to the government a lot less risky for companies that conduct them.  And tougher for employees who want to sue for defamation.

Vivek Ranadivé and Wisconsin IA Both Big into Cherrypicking, According to Sources

Posted in Investment Advisers

Here’s a thing I think I know about billionaires:  They’ve made piles and piles of money doing something someone somewhere surely advised them not to do because it was a dumb idea.  Then later, actually dumb ideas come along and the billionaires are not dissuaded because they have a billion dollars and who’s going to tell them what to do now?  Which is why I was very excited late last year when Sacramento Kings owner Vivek Ranadivé proposed that his team play only four players on defense, keeping one back to cherrypick easy baskets.  Never mind that it’s hard enough to play defense with five NBA players, or, as Barry Petchesky suggested, “you’d probably have DeMarcus Cousins and Rudy Gay get into a fistfight over who got to hang out under the opponent’s basket.”  I just want to see somebody try it, and it’s too bad that the Kings didn’t actually employ this strategy.  Maybe their experimentation in the D League will bubble up into something I can watch with my own eyes . . . .

In the meantime, do you know who else is big into cherrypicking?  According to the SEC, Wisconsin-based investment adviser Welhouse & Associates.  On Monday the SEC sued the firm and its principal Mark Welhouse for allegedly “improperly allocating to his personal and business accounts certain options trades that appreciated in value during the course of a trading day while allocating to his clients other trades that depreciated in value.”  That is, a different kind of cherrypicking.

The SEC’s order assumes some knowledge about how cherrypicking works.  Here’s what I think is a fair description of what the order alleges:  On any particular day, Welhouse & Associates and Mark Welhouse (together here, “Welhouse”) made proprietary trades for itself and trades for its advisory clients.  Often these were options trades in an S&P 500 exchange-traded fund called SPY that would change in value over the course of the day.  Importantly, these trades did not have to be allocated to a particular account until later in the afternoon, and Welhouse generally allocated them after 2:00 p.m. or 3:00 p.m.

All of this is fine as far as it goes, but the SEC didn’t love how Welhouse allocated these trades when measured against how it said it would allocate the trades.  In several instances, the SEC alleges, Welhouse said it would allocate the SPY trades on a pro rata basis among client accounts and Welhouse proprietary accounts:

  • Mark Welhouse stated, apparently in testimony before the SEC staff, that he allocated all trades pro rata across all accounts for a particular model (including pro rata across Mr. Welhouse’s own accounts and his clients’ accounts that were on the same model);
  • He also said that Welhouse’s January 2012 Form ADV Part 2A’s reference to fair and equitable trade allocation is a reference to Mr. Welhouse’s pro rata allocation across a model.
  • Welhouse’s firm brochures on Form ADV said Welhouse did not trade for its own account at all.
  • Welhouse’s written policies and procedures for trade allocation state: (1) “[a]ll clients are assigned to a model portfolio. . .”; and (2) “[w]hen a trade is put on the trade is purchased by the model portfolio and automatically allocated to the clients account” on a pro rata basis.

In fact, the SEC alleges, Welhouse did not allocate SPY options trades pro rata.  Once the trades went up or down, Welhouse allocated a disproportionate number of profitable SPY options trades to favored accounts (accounts belonging to Mr. Welhouse or another person with the last name Welhouse), while allocating unprofitable SPY options trades to client accounts.  The Commission has accused Welhouse of violating the antifraud provision of the Exchange Act and the Advisers Act, and claims the firm reaped $442,000 in ill-gotten gains from these undisclosed allocations.

Two weird things about this case: First, the testimony Mark Welhouse gave apparently occurred without a court reporter present.  Instead, he “was interviewed by the Commission staff on January 28, 2014. Mr. Welhouse agreed that the interview could be recorded, and the staff recorded the interview.”  Like with a tape recorder?  An iPhone?  It’s not unlawful, but it’s an odd procedure.  The order doesn’t make clear whether this interview was on the phone or in person.  It doesn’t sound like an attorney for Welhouse was present, but it’s hard to tell.  Did the staff just call him on the phone and then ask if they could record the call?  He might have said things he otherwise would not have if the setting had been more formal administrative testimony.

Second, Welhouse & Associates is registered with the State of Wisconsin as investment adviser, not with the SEC.  It’s on the hook for violations of the antifraud provisions no matter where it’s registered, but it seems a little odd that the SEC is handling this case and not the Wisconsin Department of Financial Institutions.

Do Investment Advisers Automatically Have Fiduciary Duties to Their Clients?

Posted in Investment Advisers

I always thought they did.  But on Friday I read this sentence: “An investment advisor-client relationship is not a de jure fiduciary relationship.”  It sort of jumped out at me, because for a long time I’ve assumed that an investment adviser was a fiduciary to its clients.  But I was directed to a case, William L. Thorp Revocable Trust v. Ameritas Inv. Corp., 57 F. Supp. 3d 508, 524 (E.D.N.C. 2014), and there it was in black and white.

Judge Dever, the opinion’s author, is widely regarded as a very careful judge, so I was eager to see where he found authority for this flat statement.  He cited a North Carolina Business Court case, Silverdeer, LLC v. Berton, 2013 NCBC 24 (N.C. Super. Ct. 2013), which struggled a bit with the question.  The Silverdeer plaintiffs, who wanted to demonstrate a fiduciary relationship between themselves and one of the defendants, didn’t cite any cases supporting the notion that there was one.  Instead, they merely cited “N.C. Gen. Stat. § 78C et seq. for the proposition that an investment advisor owes a duty of disclosure to his clients, which they argue in turn creates a de jure fiduciary relationship.”

Of course, if they’d wanted to cite a case in support of such a relationship, they didn’t need to go any farther than the U.S. Supreme Court.  Fifty-two years ago the Court held in SEC v. Capital Gains Research, Inc., 375 U.S. 180, 191-92 (1963), that Section 206 of the Advisers Act imposes fiduciary duties on investment advisers by operation of law.  The relevant provisions of Section 206 read:

“It shall be unlawful for any investment adviser, by use of the mails or any means or instrumentality of interstate commerce, directly or indirectly – (1) to employ any device, scheme, or artifice to defraud any client or prospective client; (2) to engage in any transaction, practice, or course of business which operates as a fraud or deceit upon any client or prospective client.”

As the Court put it:

The broad proscription against “any . . . practice . . . which operates . . . as a fraud or deceit upon any client or prospective client” remained in the bill from beginning to end. And the Committee Reports indicate a desire to preserve “the personalized character of the services of investment advisers,” and to eliminate conflicts of interest between the investment adviser and the clients as safeguards both to “unsophisticated investors” and to “bona fide investment counsel.”  The Investment Advisers Act of 1940 thus reflects a congressional recognition “of the delicate fiduciary nature of an investment advisory relationship,” as well as a congressional intent to eliminate, or at least to expose, all conflicts of interest which might incline an investment adviser – consciously or unconsciously – to render advice which was not disinterested.

Thorp Revocable Trust and Silverdeer allow for the possibility that an investment adviser may have a fiduciary relationship with its client “when one party figuratively holds all the cards — all the financial power or technical information, for example . . . .”  Thorp Revocable Trust, 57 F. Supp. 3d at 524.

Those two cases are focused on North Carolina law, and investment advisers are subject to a dual federal-state regulatory structure in which larger advisers register with the SEC, and the smaller ones with the states (generally).  I suppose it’s possible that federally-registered advisers might bear fiduciary duties to their clients while state-registered ones do not necessarily.  But I have never even considered that possibility and have never read about such a distinction.

Here’s how a leading treatise puts it:

These fiduciary duties apply to all advisers, including both those that provide individualized discretionary management and those that provide impersonal advice through publications or otherwise. The SEC has held that an investment adviser owed a fiduciary duty to its client when the client agreement required the adviser “to act as an investment adviser” even though the client did not in fact expect to receive investment advice from the adviser.

James E. Anderson, Robert G. Bagnall & Marianne K. Smythe, Investment Advisers: Law and Compliance § 9.02[1] (2015).

If you can shed light on this, I’d be happy to hear thoughts.


UPDATE: June 29 — Belmont v. MB Investment Partners, Inc., 708 F.3d 470 (3d Cir. 2013), digs into this issue pretty deeply, including the federal-state distinctions, and notes that states generally defer to federal law in this area.


FIN4 May Have Embarked on a Risky Hacking/Insider Trading Strategy

Posted in Cybersecurity, FINRA, Insider Trading

I haven’t yet turned to a life of crime, so far be it from me to criticize actual criminals’ profit-maximizing strategies.  It’s easy for me to nitpick, but I’m not the one strapping on my mask and trying to earn a (dis)honest dollar every day.  But have a look at this Reuters story from Tuesday.

In it, we learn that the SEC and the Secret Service are investigating a sophisticated computer hacking group known as “FIN4” that allegedly “has tried to hack into email accounts at more than 100 companies, looking for confidential information on mergers and other market-moving events. The targets include more than 60 listed companies in biotechnology and other healthcare-related fields, such as medical instruments, hospital equipment and drugs.”  Apparently their plan is to harvest this information and then trade on it.  Nobody knows where FIN4 is from.  They could be overseas, but supposedly their English is flawless and they have a deep knowledge of how financial markets work, so maybe they’re in the United States.  At one level, a little terrifying!

But this group hasn’t devised a complex, superpowered algorithm to steal information.  Instead, it’s allegedly stealing information the (sort of) old fashioned way: through social engineering.  The Reuters story explains that FIN4 “used fake Microsoft Outlook login pages to trick attorneys, executives and consultants into surrendering their user names and passwords.”  In at least one case, “the hackers used a confidential document, containing significant information that they had already procured, to entice people discussing that matter into giving their email credentials.”

I have two main thoughts.  First, sound information handling practices, and appropriate wariness among professionals using email, still go a long way toward securing confidential data within organizations.  It’s often not the most technologically advanced tactics that yield the worst data breaches.  Second, FIN4 has embarked on a complex money-making plan.  There may be many uses of this information, but one of them seems to be trading securities in the public markets.  That’s not as simple as it seems.  If you’re doing that, you’re on the grid and can’t really hide.  FINRA sees all of those trades and it isn’t that hard for regulators to find out who is making them.  When the Consolidated Audit Trail comes online,* it will be substantially easier and faster. In the meantime, broker-dealers are obligated to identify who their customers are.  If those people have electronic connections to the ones involved in the hacking, those links could be enough for the SEC to get an asset freeze before profits are siphoned overseas.

What FIN4 is allegedly doing is scary, but they haven’t yet built a criminal ATM.


* Speaking of the Consolidated Audit Trail, when is that thing coming online?

Tom Brady Better Off as a Famous Quarterback than a Registered Representative

Posted in FINRA

And this is true for any number of reasons!  There’s the money, the supermodel wife, the buddy trips to the Kentucky Derby . . . .  All pretty obvious.  But there’s another reason, too.  As an NFL quarterback, Brady works under the structure of an organization with occasional governance issues and a loosely drafted collective bargaining agreement.  If he were a registered representative working for a broker-dealer, he’d be under FINRA’s umbrella, and his status with that self-regulatory organization would be in severe jeopardy.

But let’s back up for a minute.  Surely you’re aware of Deflategate.  It is maybe my favorite sports scandal of all time.  In it, Brady allegedly ordered the deflation of footballs in last season’s AFC Championship game against the Colts so he could grip them better and thereby gain an unfair advantage.  The Patriots beat the Colts 45-7 in that game.  Many people have written many things about Deflategate.  The scandal is ludicrous and incredible.  I love it.  Possibly to distract from another scandal, the league promised to investigate thoroughly, and hired the Paul Weiss law firm to do that.

In the resulting 139-page report, we learned that Brady declined to turn over his personal cell phone to investigators.  The lawyers in charge of that investigation don’t come from a world where subpoenas and discovery requests are routinely ignored.  Fortunately for Brady, the league’s collective bargaining agreement only seems to care to the extent that the refusal amounted to “conduct detrimental to the integrity of and public confidence in the National Football League.”  Did it?  Maybe!  People on the radio sure like to talk about whether it did.

Now, if Brady had been a registered representative in Foxboro, Massachusetts and not the NFL wonderboy, in a FINRA investigation he would have been subject to FINRA Rule 8210.  That rule says, in part, that he would be required “to provide information orally, in writing, or electronically . . . and to testify at a location specified by FINRA staff . . . .”  Also, “No member or [associated] person shall fail to provide information or testimony or to permit an inspection and copying of books, records, or accounts pursuant to this Rule.”  In egregious cases FINRA can bar registered representatives permanently for not complying.

If only Tom Brady had a securities license, we might know all the answers to Deflategate and whether the Colts could have overcome that 38 point deficit with properly inflated footballs.  If only . . . .