By John Filar Atwood
The decision by the Supreme Court in Kokesh v. SEC, the High Court’s grant of certiorari in Liu v. SEC, and the ruling in SEC v. Gentile will not deter the SEC’s Enforcement Division from pursuing appropriate cases, according to Division Co-Director Steven Peikin. At the Practising Law Institute’s securities regulation conference, Peikin and Co-Director Stephanie Avakian said that they have not backed off from bringing any cases because of legal challenges or risks.
In 2017, the Supreme Court held in Kokesh that disgorgement is a penalty and therefore is subject to a five-year statute of limitations. In Liu, the High Court will address the question left open in Kokesh about whether the SEC can seek disgorgement as "equitable relief" for a violation of the securities laws. The Third Circuit recently reversed the district court’s decision in Gentile, finding that a penny stock bar and an "obey the law" injunction are not penalties. The court cautioned the SEC to ensure the injunctions it seeks are narrowly tailored and serve a preventive purpose.
Peikin said that although Gentile was initially a setback, the Third Circuit’s reversal was welcome. Although the decision requires properly tailored injunctive relief, the staff intends to continue to pursue "obey the law" injunctions, he noted.
King & Spalding’s Carmen Lawrence said that she was surprised by the ruling in Liu. She predicted that the Supreme Court will limit the SEC’s disgorgement authority.
Peikin said that he hopes Lawrence’s prediction is wrong because disgorgement is a very important remedy for the Enforcement Division. Avakian agreed, noting that the staff has tried to keep a running tally of what Kokesh has cost the Commission in disgorgement. The current ballpark estimate is $1.1 billion, she said.
Digital assets. The co-directors also discussed areas of focus for the Division and cited digital assets and cybersecurity. In the cryptocurrency space, Avakian said that her sense is that there are fewer initial coin offerings and that entities are trying to find other exemptions for the issuance of tokens.
Avakian said the Division generally has seen two types of misconduct with initial coin offerings: straight-up frauds where issuers did not actually provide what they said they would and regulatory violations such as touting. The staff saw a drop in the regulatory violation cases in the last fiscal year, she said.
Peikin discussed the three token registration cases that the Division settled this year against Paragon Coin, AirFox, and Gladius Network. In these cases, the staff required the issuers to make a rescission offer for the issued tokens, he noted.
In an action against Block.one, the Division did not require rescission, but Peikin said that Block.one involved very unusual circumstances. The underlying tokens were fixed and non-transferable, he noted, so the staff felt that rescission did not make sense. In addition, the Block.one tokens did not lose value after the offering, he said.
Some observers have suggested that perhaps the Block.one sanctions were a little light. Peikin reiterated the Division’s procedure for determining penalties, which is to consider duration of the offer, the amount raised, efforts to target U.S. investors, and the size of penalties in other recent cases. He believes there has been a steady progression of sanctions over time and advised that if an entity creates a platform for the exchange of tokens, it is responsible for complying with the federal securities laws.
Cybersecurity. In the area of cybersecurity, Avakian discussed the Division’s case against Altaba, formerly known as Yahoo!. The company failed to disclose a major data breach resulting in the unlawful acquisition of data belonging to hundreds of millions of its users. Altaba paid a $35 million penalty. Avakian described this as an "extreme disclosure failure," and advised that the Division is not looking to pursue actions where there is a good faith effort at disclosure.
Peikin said that the Division’s cyber enforcement also involved a few risk disclosure cases this year, notably those against Facebook and Mylan. These were episodic, facts-and-circumstances cases, he said, and do not represent a trend.
Avakian added that the Facebook case was a situation where one group within the company knew of the breach, but another group was responsible for disclosing it. The takeaway from the Facebook matter is that companies should have a process in place to ensure that these two groups can come together and provide adequate disclosure.