SEC Fines Private Company in First Enforcement Action Resulting from Rule 701 Option Grants Investigation

The U.S. Securities and Exchange Commission brought an action against San Francisco-based Credit Karma on March 12 for issuing employee stock options without a valid registration exemption because the issuer failed to satisfy the requirements of Securities Act Rule 701. In a settled proceeding, the SEC imposed a $160,000 penalty, finding that although the company was aware of the requirements of Rule 701, it nevertheless failed to provide detailed financial information and risk disclosures to its employees as required by the rule. This is the first enforcement action to result from a sweeping SEC investigation into the Rule 701 option-granting practices of late-stage private companies begun in July 2016.

Rule 701 Overview

Under the Securities Act, an issuer cannot offer or sell securities to the public without first registering the offering with the SEC. Rule 701 provides an exemption for private companies making offers and sales of securities to employees, officers, and directors under written compensatory benefit plans (such as option and equity incentive plans).

Under Rule 701, offerings are exempt from registration requirements if total sales (not offerings) of stock during a 12-month period do not exceed the greater of:

  • $1 million
  • 15% of the issuer's total assets (measured at the most recent balance sheet date) or
  • 15% of all the outstanding securities of the class (measured at the most recent balance sheet date)

In addition, a private company issuer is currently permitted to grant only up to $5 million of equity awards (e.g., stock, stock options, restricted stock units) during any 12-month period unless certain disclosures are delivered to the employee and other service provider recipients at a reasonable time before the date of the sale of stock or exercise of the option, including:

  • A copy of the summary plan description if it is an ERISA plan
  • A summary of the plan’s material terms if it is not an ERISA plan
  • Risk factors associated with the investment and
  • Financial statements required under Regulation A, Form 1-A dated within 180 days (audited financial statements to be provided if available)

A copy of the compensatory benefit plan or contract is also required in any instance where Rule 701 securities are issued, whether the $5 million threshold is met or not.

In sum, to comply with Rule 701, if a company issues, or plans to issue, more than $5 million in options or other securities in a 12-month period, it must provide detailed financial statements and risk disclosures to all investors covered by Rule 701 in a reasonable amount of time before sale or exercise.

Background on SEC Action

Credit Karma is a privately held fintech company headquartered in San Francisco, California. Since 2011, Credit Karma has provided grants in the form of stock options to its employees as a form of compensation. Once the options vest, employees have the right to buy Credit Karma shares at a price set by its board of directors.

According to the SEC’s March 12 order, for the 12-month period from October 1, 2014, through September 30, 2015, Credit Karma issued over $13.8 million in options to its employees. From August 27, 2015, through July 18, 2016, Credit Karma employees paid the company $550,535 to exercise their options. After the company received an inquiry from the SEC regarding its Rule 701 disclosures in July 2016, Credit Karma began providing disclosure packets to its employees.

SEC Findings and Penalty

The SEC found that Credit Karma executives were aware of Rule 701 at least as early as August 2015, as evidenced by executives discussing Rule 701 and the rule being referenced in a board presentation. The SEC found that Credit Karma, despite being aware of the rule as early as August 2015, granted options, and allowed employees to exercise those options, for the next 11 months without providing the required financial information and disclosures. During this time, Credit Karma had financial and disclosure information available, according to the SEC order, but did not want to provide detailed financial information to its employees due to confidentiality concerns.

The SEC concluded that Credit Karma violated the Securities Act’s registration requirements because it offered to sell and sold its securities to employees without a valid Rule 701 exemption. As a result, Credit Karma consented to a civil penalty in the amount of $160,000 and the SEC ordered that Credit Karma cease and desist from any further registration violations.


The Credit Karma action reinforces comments from various SEC leaders that the agency is concerned whether private companies are providing to employees the disclosure mandated under Rule 701. It also demonstrates, in a broader sense, the SEC’s continued interest in ensuring that private companies in Silicon Valley have robust internal controls and governance procedures. Since launching the “Silicon Valley Initiative” in March 2016, the SEC has stressed that private companies, particularly late-stage private companies, must have effective controls. And in a headline-grabbing announcement two days after the Credit Karma filing, the SEC filed charges against Silicon Valley private company Theranos alleging that two of its officers engaged in a years-long fraud designed to dupe investors into believing that the company had a proven breakthrough technology.

The SEC action against Credit Karma also demonstrates that a company’s concerns about confidentiality do not provide a blanket excuse for avoiding Rule 701 disclosure obligations. The SEC, however, also has recognized that private companies do have legitimate confidentiality concerns when providing non-public financial information to employees, and has provided guidance about how companies may protect information while still complying with Rule 701. On November 6, 2017, the SEC’s Division of Corporation Finance issued a Compliance and Disclosure Interpretation explaining that companies may use standard electronic safeguards, such as user-specific login requirements and related measures, or physical disclosure rooms to protect the confidentiality of Rule 701 disclosures. But, the SEC warned that such safeguards should not be so burdensome that recipients cannot effectively access the disclosures, and the recipients must have ongoing access to the information. The SEC notes, for example, that they would expect that physical disclosure rooms would be accessible during ordinary business hours upon reasonable notice.

The November C&DI also addresses technical questions regarding, among other topics, how to calculate whether an offering meets the total sales requirements of the Rule 701 exemption and whether the $5 million threshold has been met, and ways in which the rule may be implicated in merger transactions. It should be noted that there are ongoing discussions with the SEC as to how Rule 701 applies to the grant of restricted stock units. The November C&DI states that a private company should provide Rule 701 disclosures a reasonable time before the RSU is granted. Read the full November 2017 C&DI.

Private companies should carefully analyze their procedures and controls for ensuring that Rule 701 disclosures are made a reasonable amount of time before options are exercised if the $5 million threshold is met, or if the company anticipates that the threshold will be met. Companies should also carefully consider the delivery method of their Rule 701 disclosures to ensure that those methods permit effective and ongoing access to the disclosure information. Finally, companies should be aware that until the SEC indicates otherwise, any Rule 701 disclosure must be made prior to the grant of RSUs.