The 2024 fiscal year (“FY24”) for the U.S. Securities and Exchange Commission (“SEC” or “Commission”) concluded with a deluge of year-end actions. Over the past year, we saw increased use of enforcement sweeps, significant changes in administrative law doctrine, and a continued willingness by the SEC to advance novel theories, often in litigated actions. In this alert, we analyze these key themes from FY24 and summarize several notable actions from August and September, including:
- An Exchange Act settlement indicating tolerance of trading BTC and ETH;
- An enforcement action against a former FTX auditor;
- A director charged for undisclosed conflicts of interest;
- The first custody rule action against a crypto-focused investment adviser;
- An action against a prominent asset manager arising from longstanding disclosure failures;
- An action arising from an adviser’s obtaining MNPI through an ad hoc creditors committee;
- An enforcement action against the operator of a crypto lending product; and
- The approval of a PCAOB rule amendment lowering scienter thresholds for associated person liability.
I. Key Themes in SEC Enforcement From FY24
A. Broadening Utilization of Sweeps
Sweeps, investigations where the SEC’s Division of Enforcement (the “Division”) investigates multiple market participants for similar conduct typically in a single investigative file, have long been a tool in the SEC’s toolbox. In recent years, the Division has increasingly relied on sweeps and deployed them across a broader range of enforcement areas. In the past year, we saw sweeps addressing wide swaths of the Division’s remit to bring cases involving, among other things, the Adviser’s Act Marketing Rule,[1] Form 13F filing requirements, beneficial ownership reporting, whistleblower protections, and, of course, off-channel communications.
The increased, and increasing, use of sweeps carries other meaningful implications. As actions within a given enforcement area are increasingly filed in bursts, forecasting enforcement trends can be more difficult. Orders in these actions can often contain useful signals about the conduct that the SEC staff expects to see going forward. Frequently though, a market participant is already part of a sweep when the first order is issued with these insights. Respondents also often have less flexibility when negotiating a resolution that will be instituted as part of a sweep.
Enforcement sweeps allow the Division to investigate more efficiently and to amplify the message of an enforcement action by filing numerous, identical actions at once. As a result, the use of sweeps may continue into the next administration.
B. Continued Use of Novel Legal Theories
Over the past year, the SEC continued to advance novel theories across a wide variety of enforcement areas, yielding mixed results. While novel issues and fact patterns are constantly arising and being addressed in turn, the past year saw the SEC advance several theories that represented meaningful expansions of long-held legal principles.
The SEC’s “shadow” insider trading theory, which the SEC successfully litigated in SEC v. Panuwat this April, is perhaps the most notable example of the SEC’s embrace of a new theory.[2] Panuwat was the first case where the misappropriation theory of insider trading was applied to extend liability to an insider’s trading in the securities of another similar, but distinct, company, on the basis that a sufficient “market connection” existed between the two firms.[3] While the Panuwat outcome (pending a different result on appeal) validated the SEC’s shadow trading theory, it leaves many questions unanswered. Most fundamentally, it remains unclear how market participants should evaluate whether any two securities have a sufficient “market connection” such that information related to one security is material to the other.
Unlike the SEC’s success in Panuwat, some other novel theories stumbled. For example, U.S. District Judge Paul Engelmayer of the Southern District of New York dismissed the SEC’s claim in the SolarWinds action based on an assertion that SolarWinds’ failure to secure its “key assets”—its network environment, source code, and products—prior to a series of cyberattacks in late 2020 constituted a violation of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 (“Exchange Act”), frequently referred to as the internal accounting controls provision.[4] SolarWinds was the first application of the internal accounting controls provision in the cybersecurity context, and drew significant attention from the defense bar. The SEC’s approach in SolarWinds also drew criticism from Commissioners Hester M. Peirce and Mark T. Uyeda, who described the internal accounting controls provision as having become the Commission’s “own Swiss Army statute.”[5]
C. The End of Chevron and the Looming Impact of Loper Bright and Corner Post
On June 28 and July 1, the Supreme Court issued a pair of decisions in Loper Bright Enterprises v. Raimondo[6] and Corner Post, Inc. v. Board of Governors of the Federal Reserve System,[7] respectively, which will reshape the SEC’s exercise of its authority in important ways. Loper Bright directly overruled Chevron U.S.A. Inc. v. Natural Resource Defense Council, Inc., which lent its name to the concept of Chevron deference. 467 U.S. 837 (1984). Chevron deference was the 40-year old governing framework which instructed courts to defer to administrative agencies’ interpretations of their governing statutes when Congress had not spoken to the precise question at issue. Corner Post, in turn, lowered the procedural bars to bringing fresh challenges to even decades-old regulations by allowing a plaintiff to bring a claim when they are actually injured by a final agency action, essentially opening the door for new entities to form, become regulated and injured by a final agency action, and bring a suit challenging that action.
The combined effect of the decisions will likely be an increase in both the frequency and success of challenges to final agency actions across the board, including final rules proposed and adopted by the SEC. They may also spur a general deregulatory effect given the essentially limitless opportunities for challenges to final agency actions. On the one hand, in the post-Chevron world, the SEC—and agencies generally—may take longer to bring any particular action or promulgate a rule, solicit additional input from regulated entities to stave off would-be challengers, and pare back the scope of rules so they might better withstand judicial scrutiny. On the other hand, the SEC and other agencies may seek to employ their examination and enforcement authority to make policy through one-off resolutions with individual firms such that the limitations of agency rulemaking may prompt even greater rulemaking-by-enforcement.
In recent months we have seen a slowdown in new rulemaking and an uptick in novel enforcement. These legal developments will impact agency actions for the foreseeable future.
II. Notable Year-End Actions From September 2024
In addition to the key themes and takeaways, we have also briefly summarized several noteworthy enforcement actions from the final months of FY24.
A. eToro Settles Section 15(a) Charges; May Continue BTC/BCH/ETH Trading
On September 12, the SEC settled charges with eToro USA LLC (“eToro”) arising from eToro allegedly operating as an unregistered broker and clearing agency in connection with its online trading platform.[8] As early as 2020, eToro offered customers the ability to trade various crypto assets, some of which the SEC considered securities, through its online trading platform. Under the terms of the settlement, eToro must pay a $1.5 million penalty and liquidate or transfer to its customers any remaining crypto assets within 187 days of the Order, with the notable exceptions of three crypto assets: Bitcoin (“BTC”); Bitcoin Cash (“BCH”); and Ether (“ETH”). In addition to permitting future trading of BTC, BCH, and ETH, the SEC has also permitted eToro customers to utilize eToro’s trading platform to sell all other crypto assets within 180 days of the SEC’s Order.
While statements made by former SEC officials and other regulatory action taken by the SEC have suggested that the agency would not treat BTC and ETH as securities, this is the first enforcement action to explicitly permit an unregistered entity to facilitate transactions in those assets.[9]
B. FTX Auditor Charged with Negligence and Auditor Independence Violations
On September 17, Prager Metis CPAs, LLC (“Prager”) and its California professional services firm, Prager Metis CPAs LLP, settled two actions arising out of their alleged misconduct in performing compliance audits for former client and defunct crypto asset trading platform FTX.[10] The first action, against Prager directly, charges Prager with negligence-based fraud arising from their failure to, among other things, adequately assess whether it had the competency and resources to audit FTX. The second action, against both Prager and its California branch, arises from the SEC’s September 29, 2023 charging of both entities with violating auditor independence rules and aiding and abetting FTX’s violations of federal securities laws. To settle the charges, the Prager entities agreed to pay over $1.9 million in penalties and disgorgement.
These actions are the latest in the extensive fallout arising from the November 2022 collapse of FTX, with the most recent previous action being the July 1 action filed against Silvergate Capital Corporation and three of its senior officers.[11] The SEC’s negligence-based fraud action against Prager focuses on Prager’s failure to ensure it could audit FTX while complying with Generally Accepted Auditing Standards (“GAAS”). Per the SEC, Prager’s failure to adhere to GAAS resulted in Prager’s failing to properly assess the nature of FTX’s relationship with its affiliated trading firm, Alameda Research LLC, and the attendant risk this relationship posed to FTX’s business. The previously-filed auditor independence actions focus on the Prager entities’ inclusion of indemnification provisions in their engagement letters with clients, which governed over 200 audits, reviews, and exams.
Click here to read a recent Willkie Client Alert discussing the action against Silvergate Capital Corporation in greater detail.
C. Independent Director Charged For Concealing Close Friendship With Executive
On September 30, the SEC settled charges against James R. Craigie, an independent director and former CEO of Church & Dwight Co. Inc. (“Church & Dwight”), for allegedly concealing his close personal friendship with a high-ranking Church & Dwight executive who was being considered as a successor to the company’s current CEO.[12] Craigie’s concealing of his personal relationship with the executive caused Church & Dwight to misrepresent Craigie’s independence from the company in multiple proxy statements.
Standalone actions against independent directors are relatively rare. Craigie, who was appointed as an independent director of Church & Dwight in 2019, had maintained a close personal relationship with the executive since at least 2017. Craigie and the executive, together with their spouses, regularly vacationed together both domestically and internationally, with Craigie paying over $100,000 during this time for the executive and his spouse to travel on these vacations. Craigie did not extend this courtesy to other Church & Dwight executives. Craigie also disclosed details regarding the CEO succession process to the executive, despite the board of directors requesting that the succession process remain confidential. Finally, when requested to provide recommendations on external CEO candidates, Craigie, again without disclosing the nature of his relationships, suggested a former colleague of the Church & Dwight executive who Craigie and the executive had also vacationed internationally with.
Without admitting or denying the allegations, Craigie has agreed to pay a $175,000 civil penalty and accept a five-year officer-and-director bar.
D. SEC Brings First Custody Rule Action Against Crypto Adviser
On September 3, the SEC settled charges against Galois Capital Management LLC (“Galois”) for violations of Advisers Act custody rules.[13] Galois is a registered investment adviser for a private fund that primarily invested in crypto assets. This action is the first action against a crypto-focused investment adviser addressing violations of the custody rules.
The SEC’s Order states that Galois allegedly failed to ensure that certain crypto assets held by the private fund it advised were held with a qualified custodian in violation of Advisers Act Rule 206(4)-2. Approximately half of the fund’s assets under management were lost in November 2022 during the FTX collapse. Additionally, the SEC found that Galois violated Advisers Act Rule 206(4)-8 for allegedly misleading certain investors that redemption requests required at least five business days’ notice before the end of the month, while allowing other investors to redeem with fewer days’ notice. Galois, which withdrew its registration after the FTX collapse, agreed to pay a $225,000 civil penalty, to be distributed to the fund’s harmed investors.
E. Carl Icahn and Affiliated Firm Charged For Failing to Disclose Collateral Pledges
On August 19, the SEC brought settled actions against Carl Icahn and his publicly traded company, Icahn Enterprises L.P. (“IEP”), for failing to disclose Icahn’s pledges of IEP securities as collateral to secure dozens of personal margin loans with multiple lenders.[14]
Icahn, who is IEP’s controlling shareholder, pledged over half of IEP’s outstanding securities as collateral to secure personal margin loans worth billions of dollars. IEP failed to disclose Icahn’s pledges on its Form 10-K, violating Section 13(a) of the Exchange Act, while Icahn failed to disclose his pledges on his Schedule 13D, violating Section 13(d) of the Exchange Act. IEP and Icahn agreed to pay $1.5 million and $500,000 in civil penalties, respectively, to settle the charges.
The SEC’s Orders indicate that Icahn and IEP’s pledging disclosure deficiencies persisted for nearly 30 years, although the enforcement actions only concern Icahn and IEP’s liability for disclosure failures from December 31, 2018 forward. Icahn previously disclosed pledges of IEP depositary units as collateral for personal margin loans in 1995, 2003, and 2005, but failed to disclose the number of units pledged or the terms of any agreements. Notably, Icahn also disclosed his various margin loan agreements to his advisors, but this did not relieve him of liability given Section 13(d) violations do not require scienter and do not contain an exculpatory provision for such reliance on external advisors.
F. Asset Manager Charged For Improper Quarantining of MNPI
On September 30, the SEC filed settled charges against Marathon Asset Management LP (“Marathon”) for failing to establish, maintain, and enforce policies and procedures reasonably designed to address specific risks associated with Marathon’s receipt of material non-public information (“MNPI”) vis-à-vis its participation in ad hoc creditors committees.[15] The action is part of an emerging trend of enforcement activity directed at investment advisers which participate in—and periodically obtain MNPI through—ad hoc lending committees, including through external financial advisers.
Per the SEC’s Order, Marathon regularly participated in ad hoc creditors committees as a result of its managing assets across several strategies, including private credit, leveraged loans, and real estate. Marathon also engaged in trading of collateralized mortgage obligations (“CMOs”).
In the instant action, Marathon began building a position in corporate bonds issued by “Issuer 1” as early March 2020, with Marathon’s position reaching a notional value of approximately €35 million by August 2020. Around this time, a group of Marathon analysts determined that Issuer 1 was experiencing financial distress that could impact Issuer 1’s ability to remain current on its debt payments, including on bonds held by Marathon, and began exploring forming an ad hoc creditors committee. Marathon retained “Adviser A” to serve as the primary liaison between the members of the ad hoc committee and Issuer 1. Adviser A entered into a non-disclosure agreement (“NDA”) with Issuer 1 and began receiving Issuer 1’s MNPI. Marathon did not sign an NDA with Issuer 1, while certain members of the ad hoc committee did.
Marathon began receiving reports and other written materials from Adviser A regarding Issuer 1. Adviser A provided separate materials to Marathon and the ad hoc committee members which had executed an NDA with Issuer 1. Neither the ad hoc committee nor Marathon received any representations from Adviser A regarding its handling of MNPI from Issuer 1. The SEC also reports there was no evidence that Marathon conducted any due diligence regarding Adviser A’s handling of Issuer 1’s MNPI.
As mentioned above, Marathon maintained an active CMO trading business, including trading in CMOs which contained Issuer 1’s bonds. Marathon did not institute a trading restriction on Issuer 1’s securities and bonds until November 5. Leading up to November 5, Marathon accumulated an additional €94 million in Issuer 1’s bonds. Further, the group of Marathon analysts that had initially identified Marathon’s financial woes consulted with a Marathon trader regarding a trading strategy for Marathon CMOs, resulting in the sale of over €22 million in credit default swaps referencing Issuer 1’s bonds.
While Marathon maintained written policies and procedures providing general guidance regarding the handling of MNPI, it did not maintain written policies and procedures designed for evaluating and properly handling MNPI derived from Marathon’s participation in ad hoc creditors’ committees. Marathon also lacked written policies and procedures designed to evaluate an external adviser’s handling of MNPI, or for obtaining representations from external advisers regarding their handling of MNPI.
To settle the charges, Marathon agreed to pay a civil penalty of $1.5 million.
G. SEC Charges Crypto Asset Lending Firm With Unregistered Offers and Sale
On August 26, the SEC settled charges with Plutus Lending LLC (d/b/a Abra) for the unregistered offers and sales of Abra’s retail crypto asset lending product, Abra Earn, and for operating as an unregistered investment company.[16] Abra Earn, which has been effectively wound down as of the time of the Complaint, allowed investors to tender their crypto assets to Abra in exchange for Abra’s promise to pay a variable interest rate. As part of the settlement, Abra has agreed to be enjoined from future violations of Sections 5(a) and (c) of the Securities Act of 1933 and Section 7(b) of the Investment Company Act of 1940, and will pay a civil penalty to be determined by the Court. This action is the latest in a string of enforcement actions against crypto lending platforms over the last several years.
H. SEC Approves PCAOB Rule 3502 Amendment; Lowers Scienter Threshold for Liability
On August 20, the SEC approved a proposed amendment from the Public Company Accounting Oversight Board (“PCAOB”) to Rule 3502, lowering the scienter threshold from recklessness to negligence for associated persons[17] who directly and substantially contribute to a registered firm’s primary violation of the laws, rules, and standards enforced by the PCAOB.[18] The SEC also adopted two other PCAOB proposals which: (1) update audit standards regarding general responsibilities of auditors; and (2) update guidance regarding auditors’ responsibilities when auditors utilize technology-assisted analysis in conducting an audit.
Rule 3502 provides grounds for establishing secondary liability for associated persons who directly and substantially contribute to a registered firm’s violations of the laws, rules, and standards enforced by the PCAOB. Previously, associated persons needed to be at least reckless in their substantial contribution to a registered firm’s violation in order to be held liable, while the registered firm itself needed to only be negligent to be liable for the primary violation. Rule 3502’s amendment removes this incongruity by lowering the secondary liability threshold to negligence.
The amendment lessens the level of scienter that the PCAOB must establish in bringing secondary liability actions against associated persons, which may result in an uptick in enforcement actions against individual auditors. PCAOB enforcement activity has increased in recent years, though actions against individuals did decline in 2023.[19]
The amendment to Rule 3502 became effective on October 19, 2024.
Click here to download this article.
[1] The Marketing Rule refers to Rule 206(4)-1 of the Investment Advisers Act of 1940 (“Advisers Act”).
[2] No. 1:21-cv-06322-WHO (N.D. Cal. 2021).
[3] A more detailed breakdown of the key facts and legal arguments raised in Panuwat are available in another Willkie Client Alert, available here.
[4] SEC v. SolarWinds Corp., No. 1:23-cv-09518 (S.D.N.Y. Jul. 18, 2024). Click here and here to read previous Willkie Client Alerts addressing the SolarWinds dismissal opinion, as well as four recently settled actions against current or former issuers affected by the SolarWinds cyber incident, respectively.
[5] Statement of Commissioners Hester M. Peirce and Mark T. Uyeda, Hey, Look, There’s a Hoof Cleaner! Statement on R.R. Donnelly & Sons Co., U.S. SECURITIES AND EXCHANGE COMMISSION (Jun. 18, 2024), available here. See also Statement of Commissioners Hester M. Peirce and Mark T. Uyeda, The SEC’s Swiss Army Statute: Statement on Charter Communications, Inc., U.S. SECURITIES AND EXCHANGE COMMISSION (Nov. 14, 2023), available here.
[6] No. 22-451.
[7] No. 22-1008.
[8] The SEC’s Order is available here.
[9] See, e.g., William Hinman, Director, Division of Corporation Finance, Digital Asset Transactions: When Howey Met Gary (Plastic) (Jun. 14, 2018), available here; Order Granting Accelerated Approval of Proposed Rule Changes, as Modified by Amendments Thereto, to List and Trade Bitcoin-Based Commodity-Based Trust Shares and Trust Units, Securities and Exchange Commission (Jan. 10, 2024), available here; Order Granting Accelerated Approval of Proposed Rule Changes, as Modified by Amendments Thereto, to List and Trade Shares of Ether-Based Exchange-Traded Products, Securities and Exchange Commission (May 23, 2024), available here.
[10] The SEC’s Unopposed Motion for Entry of Final Judgments is available here.
[11] The SEC alleged that the bank, which ceased operations after the collapse of its customer FTX, made misleading statements relating to its compliance program, financial soundness, and transaction monitoring. The SEC’s Complaint is available here.
[12] The SEC’s Order is available here.
[13] The SEC’s Order is available here.
[14] The SEC’s Orders against Icahn and IEP are available here and here, respectively.
[15] The SEC’s Order is available here.
[16] The SEC’s Complaint is available here.
[17] Per 17 CFR § 202.140, an “associated person” is a person associated with a registered public accounting firm.
[18] The SEC’s Order adopting the PCAOB’s proposed amendment to Rule 3502 is available here.
[19] See PCAOB Enforcement Activity 2023 Year in Review, Cornerstone Research, at 1 (2024), available here (finding the PCAOB brought 13 actions against firms and 22 actions against individuals per year, on average, between 2018 and 2022, while bringing 34 actions against firms and 19 against individuals in 2023).
