The U.S. Securities & Exchange Commission (SEC) Division of Enforcement is, as its name implies, a division solely dedicated to the Commission’s enforcement responsibilities. SEC Chair Gary Gensler emphasized the importance of enforcement at the 2021 Securities Enforcement Forum by stating that it is “one of the fundamental pillars in achieving the SEC’s mission.”
The Division of Enforcement’s results for fiscal year 2021 reflect and support that mission. A total of 697 enforcement actions were filed, including 434 new actions, which represents a 7% increase from the prior year. While 2022 statistics aren’t yet published, the SEC recently investigated and charged 16 Wall Street firms (including Goldman Sachs, Morgan Stanley, and Credit Suisse Securities) with violations, which resulted in combined penalties of more than $1.1 billion. This demonstrates the SEC’s continued commitment to its enforcement responsibilities.
What does the SEC’s zeal for oversight mean to you, a practicing accounting or finance professional, and to your organization? Simply put, it’s important for anyone serving in corporate governance roles at U.S. public companies to understand the scope of the various SEC enforcement programs and the remediation opportunities that are available to reduce potential exposure to the company and those involved in SEC investigations.
A BRIEF HISTORY OF ENFORCEMENT PROGRAMS
The SEC’s history of enforcement is demonstrated by initiatives such as eXtensible Business Reporting Language (XBRL) data tagging, the whistleblower program, Operation Broken Gate, Accounting Quality Model, Share Class Selection Disclosure Initiative, and the EPS (earnings per share) Initiative (see Figure 1). In 2009, the SEC initiated a program phasing in the mandatory use of XBRL to enhance access to and analysis of financial data by SEC staff and third parties, including investors, analysts, and journalists. The following year, in 2010, the SEC’s whistleblower program was created through the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act. The purpose of the program was to incentivize individuals to report federal security law violations through monetary rewards; Dodd-Frank was expanded in 2014 to include anti-retaliation protection. This enforcement effort has successfully continued through fiscal year 2021, with the distribution of the highest awards in the program’s history (a total of $564 million to 108 whistleblowers), pushing the total payouts over the life of the program to more than $1 billion.
The next SEC initiative, called Operation Broken Gate, began in 2013. It was designed to “provide tighter oversight of individuals [the SEC] considers to be the ‘gatekeepers’ for protecting investors by helping ensure fair financial presentation and disclosure by public companies” (“Operation Broken Gate,” Strategic Finance, January 2015).
Operation Broken Gate was followed by the SEC initiative known as the Accounting Quality Model (AQM). The AQM takes public company financial reports filed with the SEC and measures how the organization’s discretionary (abnormal) accruals vary from a peer benchmark. The model then identifies potential accounting irregularities in an attempt to understand and investigate the risk factors of aggressive earnings management practices. The AQM project was feasible because the SEC was able to access the XBRL database of public company financial filings that it had established years earlier.
In 2018, the SEC revealed the Share Class Selection Disclosure Initiative in response to the numerous actions filed by the SEC in which, in the words of the Commission, “an investment adviser failed to make required disclosures relating to its selection of mutual fund share classes that paid the adviser (as a dually registered broker-dealer) or its related entities or individuals a fee pursuant to Rule 12b-1 of the Investment Company Act of 1940 (“12b-1” fee) when a lower-cost share class for the same fund was available to clients.”
Most recently, in 2020, the SEC announced its EPS Initiative. The specific details of this initiative haven’t been shared publicly, but the purpose of the program is to expand the SEC’s scope in ensuring proper financial reporting and pursuing violators. (For more, see Laura Bea Lamb, Jessie Kinsley Wright, Stasia H. Morlino, and Douglas M. Boyle, “The SEC’s EPS Initiative,” Strategic Finance, May 2022.)
COOPERATION AND REMEDIATION
The SEC encourages companies to cooperate in its investigations, noting the benefits of cooperation “can range from reduced charges and sanctions in enforcement actions to taking no enforcement action at all.” (For more details, including the types of agreements the Commission may enter into with companies or individuals.)
The SEC has four measures of cooperation: self-policing, self-reporting, remediation, and cooperation (see Figure 2). By following these four measures, a company has the potential to lessen, or potentially eliminate, its sanctions in enforcement investigations.
The timing of these four steps, which the SEC evaluates during its investigation, is of critical importance. Self-policing occurs prior to the discovery of the misconduct, as the Commission assumes that the company should have effective oversight and controls in place to prevent and detect misconduct from happening in the first place. Remediation and cooperation efforts take place when the misconduct is discovered and self-reported and continues for months—or potentially years—until the misconduct is completely resolved. Remediation is a pivotal step in the cooperation process, as these actions are taken to ensure that the misconduct never happens again.
You may be wondering what exactly “remediation” means in the eyes of the feds. The SEC’s Division of Enforcement defines remediation as “dismissing or appropriately disciplining wrongdoers, modifying and improving internal controls and procedures to prevent recurrence of the misconduct, and appropriately compensating those adversely affected.” The SEC doesn’t, however, specify what constitutes remediation nor the cases where remediation is applicable. Rather, it appears to apply remedial measures on a case-by-case basis. Occasionally, the proposed remediation comes directly from the person or company accused of malfeasance via a good faith proposal to correct the wrongdoing. In these situations, it’s up to the organization to begin remedial efforts to either reduce or eliminate additional penalties.
A review of recent cases involving remediation actions identified patterns helping to define remediation. These actions to resolve the misconduct include bringing the wrongdoing to the attention of the audit committee or those in charge of governance, termination, and legal action against those individuals both responsible for, and who failed to prevent, the wrongdoing. Those organizations or persons who are accused must show that they’re adjusting their internal controls to mitigate the specific risks cited, including the possibility of replacing or adding employees with expertise in the areas related to the wrongdoing. (For more on this topic, see Landon W. Mignardi, Scott Mascianica, and Jessica B. Magee, “Remediation: The SEC Smiles on Proactivity,” January 31, 2022.)
As you can see in Table 1, the most recent case involving remediation efforts is SEC v. HeadSpin, Inc. Headspin’s then-CEO, Manish Lachwani, was found to be fraudulently reporting the company’s annual recurring revenues (ARR) beginning in 2018 through 2020. (HeadSpin sells hardware and software to test applications; its ARR is generated through subscriptions to these services.) Additionally, the case notes that Lachwani also inflated revenues by recording customers’ pending commitments and held control of financial information against the request of the board by refusing to hire a CFO. Based on these maneuvers, which inflated the value of HeadSpin by $5.1 million in one year, investors sank millions of dollars into the company.
HeadSpin identified the wrongdoing internally and then fired Lachwani. Following these actions, the board returned investors’ money to them and lowered the company’s valuation, with balances being paid in a loan with 1% interest. HeadSpin’s board of directors hired a new executive team, including a controller, and adjusted its internal control systems appropriately.
WHEN IS REMEDIATION NECESSARY?
In cases that involve remediation, the SEC considers several factors when determining whether to lessen a company’s sanctions based on the management team’s own remedial actions. A main consideration is whether the misconduct was malicious or unintentional, along with the nature of the act(s). In the case of GWFS Equities, Inc., the company was accused of willfully neglecting to file accurate suspicious activity reports in compliance with the Bank Secrecy Act. Remediation was part of the corrective action in this case, and the company was also fined $1.5 million, which could be related to the intentional misconduct as well as the risk it posed to clients. In comparison, HeadSpin was proactive once misconduct was detected and wasn’t assessed a penalty.
A second significant consideration is the overall response to the misconduct. Specifically, how quick was the response, and how transparent was the company regarding the misconduct? Did the organization conduct its own thorough and objective investigation? For example, the SEC’s Division of Enforcement decided not to recommend charges against LendingClub Asset Management, LLC, as a result of the company self-reporting its misconduct following a review initiated by its board of directors and reimbursing approximately $1 million to investors who were adversely impacted. In a case involving Tandy Leather Factory, Inc., information regarding the misconduct was brought to the audit committee, which conducted an internal investigation. This inquiry led to a new accounting system to accurately value the company’s inventory, as well as the hiring of additional accounting personnel and adjustments to its control system.
In a case from 2018, a subsidiary of Alliance One International, Alliance One Tobacco (Kenya), was found to have violated several SEC regulations, including premature recording of revenue and inventory, improper internal controls, and failure to file reports. Yet due to the remedial efforts by the parent organization after identifying the misconduct, the SEC accepted its offer and issued a cease-and-desist order only. The company’s efforts included close communication with the SEC, hiring of counsel and forensic accounting firms by the board of directors, restatements of financial statements, accounting hires in its African region, and implementation of new internal controls.
A third consideration relates to where in the organization the misconduct occurs. In deciding the weight of penalties or the extent of remediation, the SEC considers how high up in the chain of command knowledge and participation in the misconduct occurred. In the case of Zenefits, a private software company based in San Francisco, Calif., its founder and former CEO, Parker Conrad, was named as a respondent in the case in addition to the company. While CEO, Conrad was aware that unlicensed Zenefits employees were selling insurance, and he allowed the practice to continue. Feeling the heat from state insurance regulators, Conrad later resigned from the company. As part of the remedial efforts, Zenefits replaced its top leadership, including the head of sales, created the position of chief compliance officer, and established a compliance team.
A fourth consideration involves assurances that the misconduct is unlikely to recur. For example, will internal controls be implemented to prevent and detect future misconduct? Insufficient internal controls that failed to catch millions of dollars in bogus cash advances and expense reports was the motivation in the case against Provectus Biopharmaceuticals, Inc., which resulted in remediation efforts and a cease-and-desist action. In addition to what happened in this case, other factors the SEC may consider are the timing of the misconduct in relation to a company’s initial public offering, the timing of reorganizations or acquisitions, and the harm the misconduct caused to stakeholders.
ONLY ONE PART OF THE FRAMEWORK
Remediation is just one of the four measures the SEC uses to evaluate a company’s cooperation during an enforcement investigation. As important as the remedial actions are to ensure the misconduct doesn’t happen again in the future, the other three factors—self-policing, self-reporting, and cooperation—are also considered in each case.
The SEC provides guidance on factors it considers when determining whether or not to grant leniency to companies in enforcement investigations. Although there’s a framework, there’s a lot of human discretion involved in examining the facts of each particular case, such as the nature of the misconduct, the company’s overall response, where in the organization the misconduct occurred, and what measures have been implemented to prevent it from reoccurring. The framework doesn’t address the level of cooperation required to reduce sanctions and penalties during an investigation, only the factors taken into consideration when making the determination. The outcomes can be different for companies with a similar set of facts based on varying degrees of misconduct. Therefore, it can’t be assumed that the SEC’s degree of leniency in an investigation is based merely on other cases and decisions.
Opportunities to avoid or mitigate penalties require attention to the first three measures of the SEC’s framework. Organizations need to ensure they have the proper tone at the top and that employees charged with governance value compliance and the need for proper procedures. Admitting fault isn’t easy for anyone, much less an organization in which the public is invested. But accepting responsibility is the beginning of the remediation process, to be followed by swift and appropriate action. Although accounting and finance professionals hope they never find themselves involved in an SEC enforcement investigation, it’s important that they be aware of the remediation opportunities granted to companies that cooperate.
December 2022