A CD or not a CD, That is the Question… That the Auditors Should Have Answered
You’re the Man—Government Targets Individuals in FCPA Cases
Matchmaker, Matchmaker Make me a… 506(b) Private Placement Investment
“You Know How to Whistle Don’t You?”—Whistleblowers Gain Even More Protection
Return of the Cyborg—FTC and SEC Oversight of Cybersecurity Ramps Up
A headline-grabbing SEC enforcement action last week against BDO USA and several of its national partners may lead audit firms to insist on more audit committee-led investigations when questionable transactions are identified. On September 9, the SEC announced an enforcement action against national audit firm BDO USA and five of its partners, including charges against the national director of accounting and national SEC practice director. To settle the matter, BDO was forced to admit wrongdoing, and agreed to pay over $2 million and institute remedial undertakings. Four BDO partners agreed to be barred from practicing before the SEC for various lengths of time, ranging from one to three years, and each agreed to pay monetary penalties. A fifth partner agreed to pay a penalty and cease and desist from various violations, but was not barred from practice.
Underlying the SEC’s allegations is a tabloid-ready tale of a conspiracy, led by former convicted felon Wilber Huff, to secretly control General Employment Services, Inc. (“GEE”), the company audited by BDO. Huff allegedly found the perfect front person to be CEO–Stephen Pence, who was both a U.S. Attorney when Huff pled guilty to fraud several years earlier and the former lieutenant governor of Kentucky. In a separate complaint against Pence, the SEC claims that in exchange for acting as the front man for the business, Pence was paid $500,000 and given a Cadillac Escalade worth about $50,000. The SEC claims that to conceal embezzlement by Huff and other co-conspirators from GEE, the company recorded a bank CD on its books. The SEC’s detailed Orders against BDO and its five partners allege that after encountering red flags about whether the $2.3 million bank CD existed, as well as other indications of fraudulent related party transactions, BDO demanded the GEE audit committee hire counsel to conduct an independent investigation before BDO would issue a clean audit opinion. Instead of undertaking an investigation, GEE replaced Pence with a new CEO, and admitted to BDO that “inappropriate actions [had been] taken,” but promised that such actions would stop. Although internal BDO emails acknowledged that the auditors still had not received adequate explanations for the red flags, BDO withdrew its demand for an investigation and issued its audit opinion. Several months after BDO issued its unqualified opinion, one of Huff’s co-conspirators in the scheme was indicted, becoming the first of two individuals charged criminally in connection with the matter.
SEC enforcement actions against senior leadership of audit firms are quite unusual, and the case also marks the first time that an audit firm has had to admit wrongdoing as part of an SEC settlement. Already, the BDO case is reverberating among the top leadership of national audit firms, as it is being read as further evidence of the SEC’s increasingly tough line against gatekeepers such as auditors. In a conference call with reporters when the case was filed, SEC enforcement chief Andrew Ceresney said that “the message of this case [is] that audit firms need, when they see red flags, to ensure that they receive reasonable and coherent answers…. before they sign off” on the audit.
The Bottom Line: Once outside auditors raise serious questions about a transaction or about management’s integrity, they may require an independent investigation to answer those questions and provide reassurance that the issue is not more widespread. In such situations, companies facing skeptical auditors may well decide to proactively initiate an independent investigation before the auditors force them to do so.
The government has increasingly focused its FCPA enforcement firepower on individuals. On August 31, a Russian official living in Maryland pled guilty to conspiracy to commit money laundering in connection with arranging $2 million in corrupt payments intended to influence the award of Russian nuclear energy contracts. Similarly, the SEC recently settled charges with a former executive of SAP SE, alleging he bribed Panamanian officials to procure sales of software licenses. Earlier this summer, the DOJ accepted the guilty pleas of two former executives of Louis Berger International, who admitted to violating the FCPA by facilitating payments intended to bribe foreign officials to award construction management contracts to the company in India, Indonesia and Vietnam. The SEC also sanctioned two former employees of Oregon-based defense contractor FLIR Systems Inc. for bribing Saudi officials in an effort to secure a government contract to provide thermal binoculars. The SEC found the employees took Saudi government officials on a lavish 20-day world tour with stops in Casablanca, Paris, Dubai, Beirut, and New York City.
The trend of targeting individuals is expected to continue. U.S. Deputy Attorney General Sally Yates recently issued guidance to federal prosecutors prioritizing the prosecution of individuals engaged in corporate misconduct. The memorandum specifies that corporations must provide all relevant facts relating to all individuals responsible for the alleged wrongdoing in order to qualify for any cooperation credit. The memorandum also directs prosecutors to focus on individual misconduct from the inception of the investigation, and provides that no corporation should protect individuals from liability absent extraordinary circumstances. Moreover, the memorandum instructs DOJ criminal prosecutors to work with civil DOJ attorneys to help bring civil charges against individuals where sufficient evidence of criminal wrongdoing is not found.
Of course, despite the increased emphasis on individuals, the government also continues to bring FCPA charges against corporations. BNY Mellon recently paid $14.8 million to settle SEC charges alleging the company improperly provided student internships to family members of foreign officials affiliated with a Middle Eastern sovereign wealth fund. Notably, the SEC took the position that the internships met the “anything of value” requirement even though one of the interns was unpaid. The SEC also recently announced Mead Johnson Nutrition Company paid $12 million to settle charges that its Chinese subsidiary made payments to improperly influence health care professionals at government-owned hospitals to recommend the company’s infant formula to new or expectant parents.
But on the good news front, over the last several years, the DOJ and SEC have demonstrated willingness to credit companies for having strong FCPA compliance programs when determining what penalties to levy against them. For example, the SEC cited Goodyear Tire and Rubber Company’s prompt remedial efforts in the form of drastic improvements to its compliance program as a reason for imposing a lighter penalty than it otherwise may have.
The Bottom Line: The best offense is a good defense. As we have counseled for some time, companies doing business overseas should invest in developing robust compliance systems tailored to the risks particular to the markets where they operate. Companies should keep careful records of their efforts, so that should the government come calling, they can demonstrate a culture of compliance. This will not only ensure that employees know the rules, it will help companies lessen penalties or avoid liability altogether.
The SEC has given the go-ahead to a venture capital firm’s plan to conduct 506(b) private placements online. On August 5, 2015, the Commission issued a no-action letter to Citizen VC, Inc., saying the firm’s proposed online platform pairing investors with portfolio companies does not amount to a general solicitation within the meaning of Rule 502(c) of Regulation D. The SEC emphasized that the proposed platform enabled the venture capital firm to establish the necessary “substantive relationship[s]” with prospective investors because the online system asked probing questions of investors, allowing the venture firm to evaluate investor sophistication, financial circumstance, and ability to appreciate risk.
The letter represents the SEC’s continuing movement toward the lessening of traditional requirements around raising capital using private placements. In 2014, the SEC promulgated Rule 506(c), allowing issuers to publicly solicit private placements so long as they verified that all investors were accredited. There have been relatively few Rule 506(c) offerings to date, however, in part because companies found the verification requirements too onerous.
The Bottom Line: Under the new guidance, businesses should find it easier to match investors to investments via the internet, so long as they are careful to observe the guardrails spelled out in the Citizen VC no-action letter. In addition to observing the new guidance, businesses need to avoid taking transaction‑based compensation on any deals so as not to be labeled broker-dealers under Exchange Act Section 15(a).
The SEC recently issued guidance specifying that whistleblowers do not first have to take their concerns to the SEC in order to be covered by the SEC’s anti-retaliation rule. The guidance clarifies that those whistleblowers who first report issues internally are likewise eligible for whistleblower protections. Though the guidance provides additional protections for whistleblowers, it also clarifies that whistleblowers will not receive greater protections by bypassing internal reporting and taking their concerns directly to the SEC.
Interpretation of this rule has also been at issue in private litigation. Last week, a Second Circuit panel reversed the dismissal of a whistleblower’s anti-retaliation claim against his former employer, the marketing firm Neo@Ogilvy LLC. The whistleblower was terminated after reporting suspected securities law violations internally, but before bringing his concerns to the government. The court held the rule was sufficiently ambiguous to oblige the court to defer to the SEC’s interpretation that whistleblowers who only report internally are protected by the rule. The decision conflicts with the Fifth Circuit’s 2013 ruling that the rule only applies to whistleblowers who report to the SEC.
The SEC’s new guidance follows a number of recent whistleblower anti-retaliation cases brought by the Commission. The SEC announced the first anti-retaliation whistleblower award in April, when it awarded over $600,000 to a former Paradigm Capital Management Inc. employee. The award represented 30% of the company’s penalty for retaliating against the whistleblower for reporting to the Commission. This trend also encompasses so-called “pretaliation” cases. Earlier this year, the SEC brought a whistleblower enforcement action against KBR, Inc., alleging that a confidentiality agreement barring employees from disclosing the contents of an internal investigation interview violated whistleblower anti-retaliation laws because it could have given employees the impression that they were prohibited from reporting illegal activity to the government. More recently, Barnes & Noble Inc. disclosed in its September 15 10-Q filing that the company is in the process of negotiating a settlement with the SEC regarding its historical use of certain provisions in employee confidentiality agreements.
The Bottom Line: To minimize risk, it is important that everyone in an organization who may encounter potential whistleblowers understands the anti-retaliation rules, observes the company’s relevant policies and procedures, and has appropriate legal guidance. This is particularly true of managers and human resources professionals. Companies should also proactively review their standard non‑disclosure and separation agreements to ensure they do not run afoul of the guidance in the KBR action.
The government appears to be increasing its enforcement efforts regarding cybersecurity risks. A three-judge panel of the U.S. Court of Appeals for the Third Circuit recently held the FTC may bring a claim that a company’s allegedly inadequate data security practices constitute an “unfair” business practice in violation of Section 5 of the Federal Trade Commission Act, despite the absence of formal rulemaking.
In addition to the FTC, the SEC has signaled that it is closely monitoring public companies’ disclosures about their cybersecurity. Although the SEC’s last formal guidance on cybersecurity disclosure issues for public companies was in 2011, since then it has held a major roundtable on the issue, and has issued specific cybersecurity guidance to registered advisers following an examination sweep. The SEC’s enforcement division also has launched investigations following major breaches, focused on whether the companies adequately disclosed risks of a cyber attack, had proper internal controls, and provided adequate disclosure following the breach. Following one of those investigations, into the breach of Target Corporation in 2013, the SEC concluded its investigation without charges, according to Target’s August 25, 2015 10‑Q filing.
Although the SEC has yet to bring an enforcement action against a public company for sub-par cyber disclosures, the enforcement division did recently bring a major case against 32 individuals who illegally profited by over $100 million by hacking into news wires and stealing advance copies of companies’ earnings releases. This action highlights the varied ways that cyber vulnerabilities can be used to harm public companies and investors, and demonstrates the SEC’s resolve to investigate and bring enforcement cases in the cyber space.
The Bottom Line: Recently, SEC Commissioner Luis Aguilar declared that “cybersecurity is one of the defining issues of our time.” With the FTC and the SEC each seeking to expand their reach in this area, companies should focus extra attention on ensuring that their organizations maintain the most up-to-date defenses against cyber criminals, and that any public disclosures before or after a breach incident are fully accurate.