The Securities and Exchange Commission (SEC) recently published its enforcement results for FY2022...
The Securities and Exchange Commission (SEC) recently published its enforcement results for FY2022. This report is a valuable compliance resource for regulated entities and General Counsels and CCOs, who can learn a great deal from the cases that the Enforcement Division pursues and where the SEC allocates its resources.
SEC Enforcement By the Numbers
The SEC brought 760 total enforcement actions in FY 2022, which was a 9 percent increase over FY 2021. These included 462 new, or “stand alone,” enforcement actions, representing a 6.5 percent increase over FY 2021.
Record-breaking penalties resulting from compliance violations were paid by regulated firms. Civil penalties totaled $4.194 billion, which was the highest on record to date. Disgorgement, at $2.245 billion, decreased by 6 percent from FY 2021. Overall, the SEC imposed $6.4 billion in penalties and disgorgement, which was the most on record in SEC history and up from $3.852 billion in FY 2021. Additionally, FY 2022 was the SEC’s second highest year ever in whistleblower awards, in terms of both the number of individuals awarded and the total dollar amounts awarded.
SEC Enforcement Trends
SEC Chair Gary Gensler emphasized that enforcement numbers tell only part of the story. The SEC’s FY 2022 enforcement fines reveal several trends that can help senior management of regulated entities boost their compliance efforts and lower their risks of enforcement penalties in FY 2023.
SEC Trends Align With Rulemaking Priorities
Many of the enforcement trends are not surprising, as they reflect areas where the SEC is pursuing regulatory changes, such as environmental, social, and governance (ESG) issues and cybersecurity. The SEC also brought several high-profile enforcement actions in the rapidly evolving crypto asset securities space. Charges included a first-of-its-kind action against crypto lending platforms for violating the registration requirements of the Investment Company Act of 1940.
With regard to cybersecurity incident responses, the SEC brought significant enforcement actions concerning failures by major firms to comply with core protection obligations including record-keeping and safeguarding customer information. Charges included having insufficient policies and procedures to protect investors from identity theft, in violation of the SEC’s Identity Theft Red Flags Rule (Regulation S-ID) and failing to protect the personal identifying information (PII) of brokerage customers.
In March, the SEC proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. Among other requirements, the rules would require material cybersecurity incidents to be reported on Form 8-K within four (4) business days of discovery and updates on previously reported cyber incidents be disclosed on Forms 10-K and 10-Q. Companies would also be required to make periodic disclosures about their policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk. Now is an opportunity for Companies to review existing policies/procedures, conduct additional risk assessments, and prepare for adoption and implementation of new policies and procedures.
In terms of ESG, the SEC focused on public companies, as well as investment products and strategies. In one action, the agency charged an investment adviser with making materially misleading statements and omissions about its consideration of ESG principles in making investment decisions for certain mutual funds. In another, the SEC charged one of the world’s largest iron ore producers with allegedly making false and misleading claims to local governments, communities, and investors about the safety of its dams. The collapse of the Brumadinho dam in Brazil, which killed 270 people, caused serious environmental and social harm, and reduced the company’s market capitalization by more than $4 billion.
The SEC is still reviewing comments on a series of proposed ESG rulemakings that call for enhanced climate risk disclosures by issuers, enhanced ESG disclosures by registered funds and investment advisers, and modernized rules governing ESG-related fund names. Issuers will need to be responsive when the Final Rules are published.
SEC Requiring Independent Compliance Consultants
The SEC’s enforcement results were achieved by the tools and strategies that the agency and its staff is prioritizing. For instance, the Enforcement Division is increasingly requiring parties to retain independent compliance consultants (ICCs). In actions against several broker-dealers for failures to maintain and preserve work-related text message communications conducted on employees’ personal devices, the SEC mandated the retention of compliance consultants to, among other things, conduct comprehensive reviews of the firms’ policies and procedures relating to the retention of electronic communications found on personal devices. Fines, penalties and ICC costs for record keeping failures were significant.
The SEC emphasized that it continues to recognize meaningful cooperation, citing that assistance from cooperators can help expedite completion of investigations and bring to light important evidence. For example, the agency noted that a company whose former CEO allegedly fraudulently inflated key financial metrics and doctored internal sales records to boost the company’s valuation, was not penalized for its wrongful conduct after taking significant remedial measures.
SEC Targeting Gatekeepers
The SEC’s enforcement results reveal who may be in the agency’s crosshairs during 2023. Most notably, the SEC brought a number of enforcement actions against “gatekeepers”, such as auditors, lawyers, and transfer agents. CCOs have not been exempt either.
In one action, an auditor’s China-based affiliate was charged failing to comply with fundamental U.S. auditing requirements when auditing U.S. issuers and foreign companies listed on U.S. exchanges, allowing clients to select their own samples for testing, and having clients prepare their own audit documentation. In another action, a former general counsel of a public company settled an action for his role in an unregistered, fraudulent securities offering. According to the SEC, the attorney knew or was reckless in not knowing that there was no exemption from registration available.
SEC Prioritizing Financial Fraud and Issuer Disclosure
The SEC continues to emphasize that public company disclosure is the bedrock of the securities markets. In a press statement announcing the enforcement data, the SEC stated that it “places a high priority on pursuing issuers or their employees who make materially inaccurate disclosures, as well as auditors and their professionals who violate applicable laws and rules in connection with such disclosures.”
The Enforcement Division’s actions in this area targeted misconduct by issuers, auditors, and their employees. For instance, the SEC brought charges against a mining company for misleading investors about a technology upgrade the company claimed would reduce costs but ultimately increased costs, and for failing to properly assess whether to disclose financial risks created by their excessive discharge of mercury in Brazil. The SEC also brought an enforcement action against an audit firm and three senior-level employees for failing to properly audit a client company’s financial statements over a four-year period, when that client was improperly inflating revenues.
Next Steps for Regulated Entities
This article discusses several trends that can be gleaned from the SEC’s FY 2022 enforcement data. We recommend that entities subject to agency oversight review the enforcement results in their entirety and consult with experienced counsel about how they could be impacted in FY 2023 by failing to assess current policies/procedures against Rule changes that will be adopted and implemented during FY 2023 and later.
We encourage the management of regulated entities to regularly review what types of enforcement actions the SEC is bringing and use the information to align your firm’s compliance priorities with the agency’s evolving enforcement agenda. Continue to monitor the SEC’s Exam Priority and Deficiency notifications and Cybersecurity Breach Incident reporting to level set your firm’s threat and risk assessments.
Does Your Homeowners Insurance Provide Adequate Coverage?
Your home is likely your greatest asset, which is why it is so important to adequately protect it. Homeowners insurance protects you from the financial costs of unforeseen losses, such as theft, fire, and natural disasters, by helping you rebuild and replace possessions that were lost While the definition of “adequate” coverage depends upon a […]
Understanding the Importance of a Non-Contingent Offer
Making a non-contingent offer can dramatically increase your chances of securing a real estate transaction, particularly in competitive markets like New York City. However, buyers should understand that waiving contingencies, including those related to financing, or appraisals, also comes with significant risks. Determining your best strategy requires careful analysis of the property, the market, and […]
Fred D. Zemel Appointed Chair of Strategic Planning at Scarinci & Hollenbeck, LLC
Business Transactional Attorney Zemel to Spearhead Strategic Initiatives for Continued Growth and Innovation Little Falls, NJ – February 21, 2025 – Scarinci & Hollenbeck, LLC is pleased to announce that Partner Fred D. Zemel has been named Chair of the firm’s Strategic Planning Committee. In this role, Mr. Zemel will lead the committee in identifying, […]
Novation Agreement Process: Step-by-Step Guide for Businesses
Big changes sometimes occur during the life cycle of a contract. Cancelling a contract outright can be bad for your reputation and your bottom line. Businesses need to know how to best address a change in circumstances, while also protecting their legal rights. One option is to transfer the “benefits and the burdens” of a […]
What Is a Trade Secret? Key Elements and Legal Protections Explained
What is a trade secret and why you you protect them? Technology has made trade secret theft even easier and more prevalent. In fact, businesses lose billions of dollars every year due to trade secret theft committed by employees, competitors, and even foreign governments. But what is a trade secret? And how do you protect […]
What Is Title Insurance? Safeguarding Against Title Defects
If you are considering the purchase of a property, you may wonder — what is title insurance, do I need it, and why do I need it? Even seasoned property owners may question if the added expense and extra paperwork is really necessary, especially considering that people and entities insured by title insurance make fewer […]
No Aspect of the advertisement has been approved by the Supreme Court. Results may vary depending on your particular facts and legal circumstances.
Sign up to get the latest from our attorneys!
Explore What Matters Most to You.
Consider subscribing to our Firm Insights mailing list by clicking the button below so you can keep up to date with the firm`s latest articles covering various legal topics.
Stay informed and inspired with the latest updates, insights, and events from Scarinci Hollenbeck. Our resource library provides valuable content across a range of categories to keep you connected and ahead of the curve.
How 2022 SEC Enforcement Trends Can Boost Compliance in the New Year
Author: Scarinci Hollenbeck, LLC
The Securities and Exchange Commission (SEC) recently published its enforcement results for FY2022...
The Securities and Exchange Commission (SEC) recently published its enforcement results for FY2022. This report is a valuable compliance resource for regulated entities and General Counsels and CCOs, who can learn a great deal from the cases that the Enforcement Division pursues and where the SEC allocates its resources.
SEC Enforcement By the Numbers
The SEC brought 760 total enforcement actions in FY 2022, which was a 9 percent increase over FY 2021. These included 462 new, or “stand alone,” enforcement actions, representing a 6.5 percent increase over FY 2021.
Record-breaking penalties resulting from compliance violations were paid by regulated firms. Civil penalties totaled $4.194 billion, which was the highest on record to date. Disgorgement, at $2.245 billion, decreased by 6 percent from FY 2021. Overall, the SEC imposed $6.4 billion in penalties and disgorgement, which was the most on record in SEC history and up from $3.852 billion in FY 2021. Additionally, FY 2022 was the SEC’s second highest year ever in whistleblower awards, in terms of both the number of individuals awarded and the total dollar amounts awarded.
SEC Enforcement Trends
SEC Chair Gary Gensler emphasized that enforcement numbers tell only part of the story. The SEC’s FY 2022 enforcement fines reveal several trends that can help senior management of regulated entities boost their compliance efforts and lower their risks of enforcement penalties in FY 2023.
SEC Trends Align With Rulemaking Priorities
Many of the enforcement trends are not surprising, as they reflect areas where the SEC is pursuing regulatory changes, such as environmental, social, and governance (ESG) issues and cybersecurity. The SEC also brought several high-profile enforcement actions in the rapidly evolving crypto asset securities space. Charges included a first-of-its-kind action against crypto lending platforms for violating the registration requirements of the Investment Company Act of 1940.
With regard to cybersecurity incident responses, the SEC brought significant enforcement actions concerning failures by major firms to comply with core protection obligations including record-keeping and safeguarding customer information. Charges included having insufficient policies and procedures to protect investors from identity theft, in violation of the SEC’s Identity Theft Red Flags Rule (Regulation S-ID) and failing to protect the personal identifying information (PII) of brokerage customers.
In March, the SEC proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. Among other requirements, the rules would require material cybersecurity incidents to be reported on Form 8-K within four (4) business days of discovery and updates on previously reported cyber incidents be disclosed on Forms 10-K and 10-Q. Companies would also be required to make periodic disclosures about their policies and procedures to identify and manage cybersecurity risks, management’s role in implementing cybersecurity policies and procedures, and the board of directors’ cybersecurity expertise, if any, and its oversight of cybersecurity risk. Now is an opportunity for Companies to review existing policies/procedures, conduct additional risk assessments, and prepare for adoption and implementation of new policies and procedures.
In terms of ESG, the SEC focused on public companies, as well as investment products and strategies. In one action, the agency charged an investment adviser with making materially misleading statements and omissions about its consideration of ESG principles in making investment decisions for certain mutual funds. In another, the SEC charged one of the world’s largest iron ore producers with allegedly making false and misleading claims to local governments, communities, and investors about the safety of its dams. The collapse of the Brumadinho dam in Brazil, which killed 270 people, caused serious environmental and social harm, and reduced the company’s market capitalization by more than $4 billion.
The SEC is still reviewing comments on a series of proposed ESG rulemakings that call for enhanced climate risk disclosures by issuers, enhanced ESG disclosures by registered funds and investment advisers, and modernized rules governing ESG-related fund names. Issuers will need to be responsive when the Final Rules are published.
SEC Requiring Independent Compliance Consultants
The SEC’s enforcement results were achieved by the tools and strategies that the agency and its staff is prioritizing. For instance, the Enforcement Division is increasingly requiring parties to retain independent compliance consultants (ICCs). In actions against several broker-dealers for failures to maintain and preserve work-related text message communications conducted on employees’ personal devices, the SEC mandated the retention of compliance consultants to, among other things, conduct comprehensive reviews of the firms’ policies and procedures relating to the retention of electronic communications found on personal devices. Fines, penalties and ICC costs for record keeping failures were significant.
The SEC emphasized that it continues to recognize meaningful cooperation, citing that assistance from cooperators can help expedite completion of investigations and bring to light important evidence. For example, the agency noted that a company whose former CEO allegedly fraudulently inflated key financial metrics and doctored internal sales records to boost the company’s valuation, was not penalized for its wrongful conduct after taking significant remedial measures.
SEC Targeting Gatekeepers
The SEC’s enforcement results reveal who may be in the agency’s crosshairs during 2023. Most notably, the SEC brought a number of enforcement actions against “gatekeepers”, such as auditors, lawyers, and transfer agents. CCOs have not been exempt either.
In one action, an auditor’s China-based affiliate was charged failing to comply with fundamental U.S. auditing requirements when auditing U.S. issuers and foreign companies listed on U.S. exchanges, allowing clients to select their own samples for testing, and having clients prepare their own audit documentation. In another action, a former general counsel of a public company settled an action for his role in an unregistered, fraudulent securities offering. According to the SEC, the attorney knew or was reckless in not knowing that there was no exemption from registration available.
SEC Prioritizing Financial Fraud and Issuer Disclosure
The SEC continues to emphasize that public company disclosure is the bedrock of the securities markets. In a press statement announcing the enforcement data, the SEC stated that it “places a high priority on pursuing issuers or their employees who make materially inaccurate disclosures, as well as auditors and their professionals who violate applicable laws and rules in connection with such disclosures.”
The Enforcement Division’s actions in this area targeted misconduct by issuers, auditors, and their employees. For instance, the SEC brought charges against a mining company for misleading investors about a technology upgrade the company claimed would reduce costs but ultimately increased costs, and for failing to properly assess whether to disclose financial risks created by their excessive discharge of mercury in Brazil. The SEC also brought an enforcement action against an audit firm and three senior-level employees for failing to properly audit a client company’s financial statements over a four-year period, when that client was improperly inflating revenues.
Next Steps for Regulated Entities
This article discusses several trends that can be gleaned from the SEC’s FY 2022 enforcement data. We recommend that entities subject to agency oversight review the enforcement results in their entirety and consult with experienced counsel about how they could be impacted in FY 2023 by failing to assess current policies/procedures against Rule changes that will be adopted and implemented during FY 2023 and later.
We encourage the management of regulated entities to regularly review what types of enforcement actions the SEC is bringing and use the information to align your firm’s compliance priorities with the agency’s evolving enforcement agenda. Continue to monitor the SEC’s Exam Priority and Deficiency notifications and Cybersecurity Breach Incident reporting to level set your firm’s threat and risk assessments.
