Senate Banking Committee Announces Digital Asset Agenda
Under Chair Tim Scott (R-SC), the Senate Committee on Banking, Housing and Urban Affairs has announced several policy objectives favorable to the digital asset industry. We expect the Committee to take a more favorable view of the industry during the next Congress than in years past.
In announcing the Banking Committee’s priorities for the next Congress, Chair Scott noted that will be a key focus.
Under Chair Gensler, the SEC refused to provide clarity to the cryptocurrency industry, which has forced projects overseas. Moving forward, the committee will work to build a regulatory framework that establishes a tailored pathway for the trading and custody of digital assets that will promote consumer choice, education, and protection and ensure compliance with any appropriate Bank Secrecy Act requirements. The committee will also foster an open-minded environment for new innovative financial technologies and digital asset products, like stablecoins, that promote financial inclusivity.
To that end, the Committee announced the formation of the first ever Subcommittee on Digital Assets, to be chaired by Senator Cynthia Lummis (R-WY), an outspoken supporter of cryptocurrency innovation. The Subcommittee’s jurisdiction covers a wide range of issues, including:
Digital assets, including but not limited to cryptocurrencies and stablecoins; activities of digital asset issuers, trading and lending platforms, custody providers, and other intermediaries, when such activities are related to digital assets; regulatory activities of the Department of Treasury, the Federal Reserve System, OCC, FDIC, NCUA, SEC, to the extent they directly or indirectly exercise supervisory or regulatory authority over digital assets and digital asset intermediaries; and financial literacy in digital assets.
Chairman Scott also issued a press release trumpeting President Trump’s executive order on digital assets. Further, the Committee announced a hearing on February 5 to discuss possible “debanking” of certain industries, including digital assets.
Phew! Form PF Amendments Deadline Extended (So You Can Procrastinate a Little Longer)
The SEC and CFTC have extended the compliance date for their jointly adopted amendments to Form PF (originally 12 March 2025) to 12 June 2025.
In December 2024, a number of industry associations submitted a letter to SEC and CFTC on behalf of their respective members describing certain significant technological and administrative challenges being faced by advisers required to file on new Form PF, as well as third-party vendors assisting these advisers. In the letter, these industry associations requested that the SEC and CFTC extend the compliance date for new Form PF until 12 September 2025 (or, at a minimum, until 12 June 2025), maintaining that such an extension would provide impacted industry participants with additional time to build out and test new reporting systems and work through any outstanding reporting and interpretive questions.
In granting the three-month extension until 12 June 2025, the SEC and CFTC reasoned that the extension should alleviate certain administrative and technological challenges associated with the original compliance date and that the extension would provide more time for filers to program and test for compliance with the amendments. For example, as a result of this extension, December 31 year-end filers will no longer need to report 2024 data on the new form.
For additional details about the Form PF amendments, please refer to our long-form client alert here.
FCPA Year in Review 2024
The Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) obtained over $1.28 billion in total fines and penalties related to Foreign Corrupt Practices Act (FCPA) violations in 2024, making it one of the top 10 highest grossing years with regard to enforcement penalties in the FCPA’s nearly 50-year history. Foreign governments and other branches of the U.S. government recovered an additional $400 million in global settlement amounts related to those FCPA enforcement actions. The U.S. government also announced charges against 19 individuals for FCPA and FCPA-related conduct.
Beyond the enforcement cases, the DOJ issued both new guidance and updates to existing guidance regarding its approach to corporate crime and its expectations surrounding corporate compliance efforts. The DOJ’s recent updates to its Evaluation of Corporate Compliance Program guidance focuses on (1) the risks associated with emerging technology, such as AI; (2) the resource allocation and amount of access to data by the company’s compliance functions; (3) incentivizing whistleblowers; (4) the importance of post-acquisition compliance integration; and (5) ensuring companies incorporate lessons learned from misconduct. Furthermore, the DOJ launched a new pilot program for whistleblowers to report corporate misconduct and announced incentives for individuals who voluntarily self-disclose criminal conduct.
The following is a snapshot of 2024 FCPA enforcement:
Immigration Insights Episode 8 | Decoding the RIA: The Essential Role of Fund Administrators in EB-5 Regional Center Offerings [Podcast]
In this episode of Greenberg Traurig’s Immigration Insights series, host Kate Kalmykov is joined by Jill Jones, Head of Specialty Administration/General Counsel US, JTC, to discuss the EB-5 Reform & Integrity Act of 2022; how the post-RIA fund administrator is different from pre-RIA; the value of a fund administrator in EB-5 securities offerings; and the need for construction consultants.
SEC Actions in Review: What Officers and Directors Should Know for 2025
As the regulatory landscape continues to evolve, public company officers and directors must stay abreast of the enforcement priorities and expectations of the Securities and Exchange Commission (SEC). Over the past year, the SEC has brought various enforcement actions that involve the oversight and reporting obligations of management and boards. These cases highlight potential blind spots in corporate compliance programs. This article summarizes recent enforcement actions related to director independence, cybersecurity, insider “shadow” trading, internal investigations, executive compensation beneficial ownership and insider transaction reports, and Artificial Intelligence, which despite the change in administration, public company officers and directors should view as potential areas of continued SEC focus over the upcoming year.
Director Independence
In September 2024, the SEC announced it had settled[1] charges against a director of an NYSE-listed consumer packaged goods company for violation of the proxy rules, for failure to disclose in his D&O questionnaire information about his close friendship with an executive officer, which caused the company to falsely list him as an independent director in its proxy statement.[2] This undisclosed relationship included multiple domestic and international paid vacations with the executive.[3] The director also allegedly provided confidential information to the executive about the company’s CEO search and instructed the executive to withhold information about their personal relationship to avoid the impression that the director was biased toward the executive becoming CEO of the company.[4] The director agreed to a civil penalty of $175,000, a five-year officer and director bar, and a permanent injunction from further violations of the proxy rules.
Takeaway: For directors, this case underscores the importance of being “honest, truthful, and forthright”[5] when completing D&O questionnaires and not treating them as mere formalities that are rolled forward from one year to the next. This enforcement action further shows that material misstatements and omissions in the D&O questionnaire can give rise to a direct violation of the proxy disclosure rules against the director for causing a company’s proxy statements to contain false and misleading statements. The determination of independence can be complex. However, directors are not tasked with making that determination themselves; they merely must disclose all relevant facts in their D&O questionnaires, including social relationships with management.
Cybersecurity
In October 2024, the SEC announced settlements with four issuers for misleading disclosures regarding cybersecurity risks and intrusions. [6] These cases stemmed from an ongoing investigation of companies impacted by the two-year long cyberattack against a software company, which the SEC charged a year earlier for failure to accurately convey its cybersecurity vulnerabilities and the extent of the cyberattack.[7] Each issuer charged by the SEC in October 2024 utilized this company’s software and discovered the actor likely behind the software company’s breach also had accessed their systems, but according to the SEC, their public disclosures minimized or generalized the cybersecurity incidents. Specifically, two of the issuers failed to disclose the full scope and impact of the cyberattack, including the nation-state nature of the threat actor, the duration of the malicious activities, and in one case[8] the number of compromised files and the large number of customers whose information was accessed, as well as in another case the percentage of code that was compromised.[9] The other two issuers failed to update their risk disclosures in SEC filings and instead framed cybersecurity risks and intrusions as general and not material[10] or in hypothetical terms[11] rather than disclosing the actual malicious activities and their impact on the company.
The SEC charged each issuer with violations of Sections 17(a)(2) and 17(a)(3) of the Securities Act (which prohibit misleading statements or fraud in connection with the offering or sale of securities) and Section 13(a) of the Exchange Act and Rules 13a-1, 13a-11, 13a-13, and 13a-15(a) thereunder (rules related to required filings for public companies, including requirements that such filings include any material information to ensure filings are not misleading, and companies have internal controls and procedures over financial reporting). One of the companies also was charged with disclosure controls and procedures violations. While each issuer received credit for cooperating in the SEC investigation, the settlements included civil penalties ranging from $990,000 to $4 million.
Takeaway: When a cybersecurity breach is identified, the board and management must ensure their company’s disclosures are accurate, current, and tailored to the company’s “particular cybersecurity risks and incidents.”[12] Indeed, the SEC’s cybersecurity disclosure rules, adopted on July 26, 2023, specifically require registrants to, among other things, report on Form 8-K any cybersecurity incident deemed to be material and to disclose on Form 10-K the registrant’s processes for assessing, identifying, and managing material risks from cybersecurity threats, the material impacts of cybersecurity threats and previous incidents, and specific information relating to the role of the board and management in identifying and managing such risks.[13] As the SEC stated, “Downplaying the extent of a material cybersecurity breach is a bad strategy”[14] and, as these cases demonstrate, can subject the company to an enforcement investigation and action. Navigating cybersecurity disclosure obligations, however, especially when the breach is ongoing and the origin and impact is not fully understood, presents unique challenges for issuers. And despite the dissenting opinion in the October 2024 cybersecurity enforcement cases by two of the SEC commissioners, who believed the omitted details were not material to investors, the board and management must constantly evaluate whether their company’s cybersecurity risk disclosures, as well as the disclosed scope and impact of any material breach, are sufficiently detailed and remain accurate throughout the company’s investigation.
Insider “Shadow” Trading
In April 2024, the SEC won a jury verdict in an insider trading case based on a “shadow” insider trading theory.[15] Shadow trading involves an insider’s misappropriation of confidential information about the insider’s company to trade in securities of another company where there is a sufficient “market connection” between the two companies. In this case, the SEC alleged, and the jury found, the defendant used confidential information about a potential acquisition of the biotech company he worked for to purchase call options in a second biotech company in the belief its stock price would materially increase after the deal involving his company was publicly announced. What was novel about this case is the lack of commercial connection between the two companies and the fact that the confidential information did not directly relate to the company whose securities the defendant traded in.[16] The nexus between the two companies that served as the basis for the SEC’s insider trading charges was that they were both operating in a field where viable acquisition candidates were scarce, such that the announcement of the sale of the insider’s company was likely to drive up the stock price of the other company.
Takeaway: Officers and directors should take note of this case and, pending further judicial developments, should refrain from shadow trading when in possession of material non-public information (MNPI). Indeed, corporate insider trading policies and codes of conduct often prohibit trading in the securities of publicly-traded customers, vendors, and other commercial partners when an insider is in possession of MNPI. Further, the SEC’s success in this civil case, and the existence of criminal penalties for insider trading, creates an additional risk of criminal prosecution. In short, officers and directors should avoid becoming embroiled in allegations of shadow trading, which could be costly to defend, cause reputational damage, and lead to the imposition of significant sanctions.
Internal Investigations
The SEC has made clear that when a company fails to investigate and remediate wrongful conduct, it will hold officers and directors responsible even if they may not have been involved in the underlying violation. And when a board and management take prompt action to investigate, remediate, and self-report, the SEC will “reward [] meaningful cooperation to efficiently promote compliance” in the form of reduced charges and/or sanctions.[17]
In September 2024, the SEC brought unsettled civil fraud charges in federal court against the former CEO, former CFO, and former director and audit committee chair of a bankrupt (formerly Nasdaq-listed) software company for their roles in an alleged scheme that resulted in the company overstating and misrepresenting its revenues in connection with two public stock offerings that raised $33 million.[18] The SEC alleged that while the CEO initiated and directed the fraud, the CFO and director received a complaint from a senior company employee regarding revenue concerns about the main product disclosed in the offering materials, but other than consulting with outside counsel, they failed to investigate the employee’s concerns or correct the potential misstatements. As a result, both signed public filings that contained false and misleading statements and, in connection with the year-end audit, falsely represented to the outside auditors that they had no knowledge of any complaints regarding the company’s financial reporting. The SEC is seeking disgorgement of ill-gotten gains, civil penalties, and officer-and-director bars against each defendant. In its press release, the SEC warned, “This case should send an important signal to gatekeepers like CFOs and audit committee members that the SEC and the investing public expect responsible behavior when critical issues are brought to their attention.”[19]
In stark contrast, in December 2024 the SEC declined to impose a civil penalty in a settled administrative cease-and-desist action against a publicly-traded biotechnology company due to its self-reporting, proactive remediation, and meaningful cooperation.[20] The SEC credited the company’s board for (1) forming an independent special committee, which hired outside counsel to conduct an investigation into two anonymous complaints; (2) adopting the special committee’s remediation recommendations, including appointing an interim CEO, establishing a disclosure committee, and appointing two new independent directors; and (3) self-reporting the results of the internal investigation.[21] The SEC filed separate settled charges against the former CEO and former CFO for misleading investors about the status of FDA reviews of the company’s drug candidates related to a follow-on public offering. Among other sanctions, the CEO and CFO agreed to civil penalties, and the CEO agreed to an officer-and-director bar.[22]
Similarly, in a settled action announced in September 2024, the SEC credited a former publicly-traded technology manufacturer for conducting an internal investigation, self-reporting the investigation results, and implementing remedial measures.[23] Despite the existence of fraudulent conduct by a high-level employee, the SEC charged the issuer with only non-fraud violations of the financial reporting, books and records, and accounting control provisions of the federal securities laws and did not impose any penalty. The SEC explained in its press release that “this kind of response by a corporate entity can lead to significant benefits including, as here, no penalty.”[24] The SEC did bring civil fraud charges against the company’s finance director who perpetrated a fraud related to the company’s financial performance during a three-year period.[25]
Takeaway: When accounting errors or improper conduct are discovered or alleged, a company and its board should take prompt action. Conducting an independent investigation, undertaking prompt remediation, and being transparent with the company’s outside auditors are critical to ensuring accurate disclosures, preventing further errors and misconduct, and mitigating regulatory and legal exposure. Failing to do so will increase business and legal costs, damage the company’s reputation, and expose officers and directors to individual liability. And where appropriate, with the advice of experienced counsel, companies should evaluate the pros and cons of self-reporting, which regulators will credit as a mitigating factor when considering charges, sanctions, and settlements.
Executive Compensation
In December 2024, the SEC announced it had settled charges against an NYSE-listed fashion retail company for failing to disclose within its definitive proxy statements $979,269 worth of executive compensation related to perks and personal benefits provided to a now-former CEO for fiscal years 2019, 2020, and 2021.[26] These unreported personal benefits included expenses associated with the authorized use of chartered aircraft for personal purposes.[27] The company’s failure to disclose these benefits resulted in it underreporting the “All Other Compensation” portion of its then-CEO’s compensation by an average of 94% of the three fiscal years.[28] The SEC charged the company with violations of Sections 13(a) and 14(a) of the Exchange Act and Rules 12b-20, 13a-1, 13a-15(a), 14a-3, and 14a-9 thereunder (which prohibits companies from making false or misleading statements in proxy statements).[29] The SEC imposed a cease-and-desist order and declined to impose a civil penalty, in part due to the company’s prompt remediation and self-reporting.[30]
Takeaway: This case underscores the importance of companies having adequate processes, policies, and controls for identifying perks and personal benefits and ensuring they are included in executive compensation disclosures. SEC rules require, among other things, companies to disclose the total value of such benefits provided to named executive officers who receive at least $10,000 worth of such items in a given year. See Item 402 of Regulation S-K. Transparent disclosure not only fulfills a company’s regulatory obligations but also helps maintain public trust. Failing to fully report non-compensation benefits executives receive can lead to increased government scrutiny, reputational damage, and loss of investor confidence. And when a company falls short, prompt remediation is critical and can result in a reduction of regulatory sanctions.
Beneficial Ownership and Insider Transaction Reports
On September 25, 2024, the SEC announced charges against 23 officers, directors, and major shareholders for violating Sections 16(a), 13(d), and 13(g) of the Exchange Act, which requires reporting information concerning holdings and transactions in public company stock.[31] In addition, the SEC charged two publicly-traded companies for their failure to report these insiders’ filing delinquencies or for contributing to these insiders’ failures to file.[32] In its press release, the SEC explained the importance of complying with these reporting obligations: “To make informed investment decisions, shareholders rely on, among other things, timely reports about insider holdings and transactions and changes in potential controlling interests.”[33] The settlements included penalties ranging from $10,000 to $200,000 for individuals and $40,000 to $750,000 for companies — totaling more than $3.8 million in penalties.[34] The SEC used data analytics to identify individuals and entities with late required reports.
Takeaway: While it is unusual for the SEC to bring so many actions at once, the “SEC’s enforcement initiatives” are not surprising given the SEC’s continued focus on policing compliance.[35] The SEC continues to send a clear signal to insiders and investors that they need to “commit necessary resources to ensure these reports are filed on time” or risk enforcement action.[36] And as the SEC recently warned, “[T]hese reporting requirements apply irrespective of whether the trades were profitable and regardless of a person’s reasons for the transactions.”[37] For public companies that assist insiders in complying with these filing requirements, the SEC actions further make clear companies are not immune and must stay abreast of amendments and ensure their monitoring processes and controls are working effectively to ensure timely reporting.
Artificial Intelligence
The SEC continued its crackdown on “AI-washing” by bringing a settled enforcement action on January 14, 2025 against a restaurant services technology company due to alleged misrepresentations concerning “critical aspects of its flagship artificial intelligence [] product[.]”[38] According to the SEC, AI-washing is a deceptive tactic that consists of promoting a product or a service by overstating the role of artificial intelligence integration.[39] The product at issue in the enforcement action employed AI-assisted speech recognition technology to automate aspects of drive-thru ordering at quick-service restaurants. Among other things, the SEC accused the company of disclosing a misleading reporting rate of orders completed without human intervention using the product.[40] The company was charged with violations of Section 17(a)(2) of the Securities Act and Section 13(a) of the Exchange Act.[41] The SEC declined to impose a civil penalty based on the company’s cooperation during the Staff’s investigation and remedial efforts, with the company consenting to a cease-and-desist order.
While this most recent enforcement against AI-washing led to a cease-and-desist order, the Commission’s enforcement cases in 2024 included steep penalties for violators.[42] In an earlier enforcement action against two investment advisory companies, the SEC levied civil penalties of $400,000 for the company’s false and misleading statements concerning their purported use of artificial intelligence.[43] Specifically, the companies were alleged to have marketed to their clients (and prospective clients) that they were using AI in certain ways when they were not.[44] In the SEC’s press release, Chair Gary Gensler warned, “We’ve seen time and again that when new technologies come along, they can create buzz from investors as well as false claims by those purporting to use those new technologies. . . . Such AI washing hurts investors. . . . [P]ublic issuers making claims about their AI adoption must [] remain vigilant about [] misstatements that may be material to individuals’ investing decisions.”[45]
Takeaway: It is evident that “[a]s more and more people seek out AI-related investment opportunities,” the SEC becomes more and more committed to “polic[ing] the markets against AI-washing[.]” [46] The SEC’s emphasis, that any claims regarding AI must be substantiated with accurate information, makes it essential for companies integrating AI to have clear and accurate ways to measure and assess its AI-supported products and/or services. For directors and executives, this means carefully reviewing public disclosures and press releases related to AI technologies to ensure that all AI-related statements are supported by verifiable information. Without this verifiable information, a company opens itself up to significant penalties from enforcement actions brought pursuant to Section 17 of the Securities Act, which may also result in lost trust from shareholders around a company’s AI-related technologies.
Closing
The news for boards and management isn’t all bad; the number of SEC enforcement actions dropped significantly in 2024, and there is reason to believe that this drop may continue into 2025. In 2024, there were 583 SEC enforcement proceedings, compared to between 697 and 862 for each of the prior five years.[47] While the SEC touted record financial remedies for 2024,[48] over half of that amount came from a single case.[49] Signals from the new administration indicate reduced enforcement activity is likely to continue, given the administration’s focus on deregulation and government efficiency, which will likely lead to fewer resources available to the SEC. There also is an expectation that the SEC will avoid “regulation by enforcement” and take a “friendlier” view of certain activities that the outgoing SEC administration sought to reign in, such as with the crypto industry.[50] An additional factor pointing toward changes in enforcement approach is that the SEC is no longer able to try certain cases in administrative proceedings and instead must adjudicate such matters in federal jury trials.[51] This could result in the SEC choosing to pursue fewer actions or lesser sanctions, particularly given that it has historically been less successful in federal courts compared to in-house proceedings.[52] Nonetheless, the SEC’s enforcement actions involving public companies over the past year serve as a reminder to officers and directors of the importance of complying with their duties and obligations and ensuring strong internal controls and reporting practices. Staying ahead of compliance requirements is not just a matter of risk mitigation — it is essential for preserving shareholder trust and corporate integrity.
If you have questions about these and other SEC enforcement actions, contact the authors or your Foley & Lardner attorney.
[1] Typically with settled SEC actions, the settling party neither admits nor denies the SEC’s findings. See 17 CFR § 202.5.
[2] https://www.sec.gov/newsroom/press-releases/2024-161.
[3] See id.
[4] See id.
[5] See id.
[6] https://www.sec.gov/newsroom/press-releases/2024-174.
[7] https://www.sec.gov/newsroom/press-releases/2023-227. In July 2024, most of the SEC’s claims were dismissed; most notably, the court held that charges of internal accounting controls failures do not extend to cybersecurity deficiencies. See https://www.foley.com/insights/publications/2024/08/down-but-not-out-federal-court-curbs-sec-cybersecurity-enforcement-authority/.
[8] See https://www.sec.gov/newsroom/press-releases/2024-174.
[9] See id.
[10] See id.
[11] See id.
[12] Release Nos. 33-10459, 34-82746 (Feb. 21, 2018) (“We expect companies to provide disclosure that is tailored to their particular cybersecurity risks and incidents”).
[13] See Release Nos. 33-11216, 34-97989 (July 26, 2023); see also https://www.foley.com/insights/publications/2023/08/sec-adopts-new-cybersecurity-disclosure-rules/.
[14] https://www.sec.gov/newsroom/press-releases/2024-174.
[15] See https://www.sec.gov/enforcement-litigation/litigation-releases/lr-25970; see also https://www.sec.gov/enforcement-litigation/litigation-releases/lr-25170.
[16] https://www.foley.com/insights/publications/2024/03/sec-v-panuwat-shadow-trading-insider-trading-trial/.
[17] https://www.sec.gov/newsroom/press-releases/2023-234.
[18] https://www.sec.gov/newsroom/press-releases/2024-131.
[19] Id.
[20] https://www.sec.gov/newsroom/press-releases/2024-189.
[21] https://www.sec.gov/files/litigation/admin/2024/33-11332.pdf.
[22] https://www.sec.gov/files/litigation/admin/2024/34-101796.pdf.
[23] https://www.sec.gov/newsroom/press-releases/2024-116.
[24] Id.
[25] Id.
[26] https://www.sec.gov/newsroom/press-releases/2024-203
[27] Id.
[28] Id.
[29] Id.
[30] Id.
[31] https://www.sec.gov/newsroom/press-releases/2024-148
[32] Id.
[33] Id.
[34] Id.
[35] https://www.sec.gov/newsroom/press-releases/2023-219 (press release); https://www.sec.gov/files/33-11253-fact-sheet.pdf (fact sheet); https://www.sec.gov/files/rules/final/2023/33-11253.pdf (final rule).
[36] https://www.foley.com/insights/publications/2014/09/sec-charges-insiders-for-violations-of-section-16a/
[37] https://www.sec.gov/newsroom/press-releases/2024-148
[38] https://www.sec.gov/enforcement-litigation/administrative-proceedings/33-11352-s
[39] See https://www.sec.gov/newsroom/speeches-statements/gensler-office-hours-ai-washing-090424
[40] Id.
[41] Id.
[42] https://www.sec.gov/newsroom/press-releases/2024-36
[43] Id.
[44] Id.
[45] Id.
[46] See https://www.sec.gov/newsroom/press-releases/2024-70
[47] https://www.sec.gov/files/fy24-enforcement-statistics.pdf.
[48] https://www.sec.gov/newsroom/press-releases/2024-186.
[49] See https://www.sec.gov/enforcement-litigation/distributions-harmed-investors/sec-v-terraform-labs-pte-ltd-do-hyeong-kwon-no-23-cv-1346-jsr-sdny.
[50] https://www.nytimes.com/2024/12/04/business/trump-sec-paul-atkins.html.
[51] See https://www.foley.com/insights/publications/2024/06/us-supreme-court-rules-sec-securities-fraud-cases-federal-jury/.
[52] Id.
SEC Charges Navy Capital in AML Failures: Say What You Do and Do What You Say
The US Securities and Exchange Commission (SEC) released a press release on January 15 announcing that it had charged Navy Capital Green Management, LLC, an investment adviser, with violations of the Investment Advisers Act of 1940 related to its Anti-Money Laundering (AML) policies and procedures.
Navy Capital agreed to a settlement offer in which they did not admit or deny the SEC’s findings and agreed to pay a $150,000 civil penalty, to cease and desist from committing any further violations, and to be censured. The charges against Navy Capital emphasize the SEC’s priority in ensuring registered investment advisers (RIAs) say what they do and do what they say.
Read the SEC’s press release here.
Currently, RIAs do not have any affirmative duties under AML rules and regulations. RIAs may implement AML policies and procedures voluntarily. If an RIA does implement AML policies, then it must ensure that it follows through with its own policies and procedures.
AML-Related Charges Against Navy Capital
The SEC charged Navy Capital with making misrepresentations related to Navy Capital’s AML policies and procedures in various investor and prospective investor materials, and for and failing to ensure that its written investor materials accurately represented its AML policies and procedures. More generally, Navy Capital represented to its investors and prospective investors that it would follow certain procedures to mitigate AML risks.
The SEC’s findings were based on the relevant period of October 2018 through January 2022 when Navy Capital was registered with the SEC. Throughout this period, Navy Capital represented to its investors and prospective investors that it voluntarily maintained robust AML policies and procedures in accordance with the USA Patriot Act, even though it was not required to do so. Navy Capital published these representations in its offering memoranda, subscription booklets and agreements, due diligence questionnaires, and internal compliance manual, which was provided to prospective investors upon request.
In several of the written investor materials, Navy Capital claimed that investment into the funds would not be complete until investors satisfied all of Navy Capital’s AML requirements. However, in several separate instances described in the SEC’s order, Navy Capital approved investments — against its own policies and procedures — without (1) obtaining documents identifying an investor’s beneficial ownership, (2) investigating reported police suspicions that a foreign entity investor’s money was possibly connected to money laundering schemes, (3) resolving contradictory beneficial ownership documents, and (4) sufficiently confirming the source of funds. Also, in violation of its own policies, Navy Capital accepted funds from bank accounts not held in the name of the subscribing investor and from investors that disclosed they had zero assets.
Applicable SEC Rules
The SEC ultimately found that Navy Capital violated Section 206(4) of the Advisers Act and Rules 206(4)-7 and 206(4)-8. By way of background, Rule 206(4)-7 requires an investment adviser to adopt and implement written compliance policies and procedures reasonably designed to prevent violations of the Advisers Act. Rule 206(4)-8 makes it unlawful for any investment adviser of a pooled investment vehicle to “[m]ake any untrue statement of a material fact or to omit to state a material fact necessary to make the statements made, in the light of the circumstances under which they were made, not misleading, to any investor or prospective investor in the pooled investment vehicle; or [o]therwise engage in any act, practice, or course of business that is fraudulent, deceptive, or manipulative with respect to any investor or prospective investor in the pooled investment vehicle.”
The SEC held that Navy Capital misled investors about the level of risk they were taking by investing in Navy Capital’s funds.
New RIA AML Responsibilities
In August 2024, the Financial Crimes Enforcement Network (FinCEN) issued a rule that broadens the definition of “financial institution” as used in the Bank Secrecy Act to include RIAs and exempt reporting advisers (ERAs) (some exceptions apply). FinCEN’s new rule goes into effect on January 1, 2026, and will require all RIAs and ERAs under this rule to either implement an AML program, or if they already have one, to ensure their AML policies and procedures comply with the rule.
Briefly, the rule will require RIAs and ERAs to implement a risk-based and reasonably designed AML program, file certain reports with FinCEN, keep certain records, and fulfill certain other obligations applicable to financial institutions subject to the Bank Secrecy Act and FinCEN’s implementing regulations.
For more information on FinCEN’s new rule, see our recent client alert.
Key Takeaways
RIAs should note the distinction between SEC and FinCEN requirements. The SEC does not require RIAs to implement an AML policy. For SEC compliance, RIAs should ensure that they are abiding by their policies and procedures, particularly those that stand to impact funds raised from investors. However, for RIAs to comply with FinCEN rules, they will need to implement an AML policy according to the new rule by the effective date.
Additionally, although the new Administration has promised to repeal several SEC rules, the Trump Administration’s focus remains on repealing SEC rules related to environmental, social, and governance and crypto. At this time, it looks unlikely that any rules related to proper disclosure will be affected. FinCEN’s rule is also likely to be enforced. ArentFox Schiff attorneys are closely monitoring any developments that could impact the effectiveness of FinCEN’s new rule or could impact SEC compliance.
Listen to this article
SEC Rescinds SAB 121
The SEC rescinded its cryptocurrency accounting guidance, Staff Accounting Bulletin (SAB) 121, on Jan. 23, 2025. Issued in March 2022, SAB 121 required crypto custodians to record digital assets held for customers as liabilities on their balance sheets. Some industry participants and lawmakers expressed concerns that the guidance could impact regulated entities’ willingness to offer crypto custody services. In May 2024, former President Biden vetoed a bipartisan bill that would have rescinded SAB 121.
SAB 122, which formally rescinds SAB 121, directs custodians to assess potential liabilities of digital assets held, rather than requiring liabilities to be recorded for those assets. As part of the assessment, custodians must determine whether to recognize a liability related to the risk of loss under their custody arrangements. When recognizing and measuring the liability, custodians must follow the standard accounting rules of the Financial Accounting Standards Board Accounting Standards Codifications under U.S. Generally Accepted Accounting Principles or International Accounting Standards under International Financial Reporting Standards. This change may encourage banks to offer digital asset custody services, which might lead to more banks and financial institutions entering the crypto custody market.
The decision to rescind SAB 121 follows the recent appointment of acting SEC Chairman Mark Uyeda and aligns with a recent executive order from President Trump that established a working group to develop a federal framework for digital assets. The move is also consistent with the SEC’s decision, under Uyeda’s leadership, to form a crypto task force led by SEC Commissioner Hester Peirce to craft clear and practical regulatory frameworks for the industry. These developments mark a significant shift from the previous administration’s approach to crypto regulation.
To Disclose or Not to Disclose (and How Much) – That is the Question
U.S. Bank to pay multi-million-dollar settlement for failing to fully disclose cybersecurity incident.
The decision-making process involved in disclosing a cyber incident is a nuanced and delicate dance. Companies need to consider a myriad of factors, including when to disclose and how much detail to disclose to employees, customers, or regulators, such as the Securities and Exchange Commission (“SEC”).
A New York bank was recently forced to pay over $3.5 million to settle allegations that it minimized the extent of a cybersecurity incident in its SEC filings and public notices to customers. According to the SEC, the bank was negligent in making “materially misleading statements” regarding a cybersecurity incident involving the bank’s network between November 22, 2021 and December 25, 2021.
According to the SEC’s Order Instituting Cease-And-Desist Proceedings, the incident resulted in the “the encryption of data, network disruptions, and the exfiltration of the personally identifiable information (‘PII’) of approximately 1.5 million individuals, including customers, on December 3 and 4, 2021.” Specifically, a threat actor obtained “unauthorized access to [the bank]’s platform that enabled users to access [bank] applications and desktops remotely […], obtained credentials that enabled the threat actor to deploy ransomware that caused encryption on approximately 30% of [the bank]’s work stations and servers, and exfiltrated data, including customer PII, from its network.” The incident also impacted the bank’s “ability to originate, service, and close loans,” leading to the bank being forced to shut down its network for several hours, rebuild or restore servers, and reset passwords for employees. The bank was also forced to make a ransom payment in exchange for the threat actor’s promise to allow the bank to delete the exfiltrated data.
The SEC determined that the bank’s 2021 Form 10-K statement was materially misleading as the bank knew that at the time it was filed the bank had already experienced a cybersecurity attack that resulted in the exfiltration of the sensitive data of customers and employees, and had also interrupted the bank’s operations. From the SEC’s perspective, the 2021 Form 10-K statements characterized the cybersecurity attack as a hypothetical, when in fact it was not a hypothetical situation.
Additionally, the SEC found that the bank’s Customer Website Notice and 2022 Form 10-Q were misleading. The bank’s Customer Website Notice represented that there was only unauthorized access to the bank’s network, however, at the time the notice was released, it was aware that the “threat actor exfiltrated the PII of approximately 1.5 million individuals from [the bank’s] network.”
Further, when the bank filed its 2022 Form 10-Q, it stated that it had only “recently experienced a cyber incident that involved unauthorized access to our network and other customer data.” In both the Customer Website Notice and the 2022 Form 10-Q, the SEC again found that the bank misrepresented the extent of the incident. It failed to include details on the scope or consequence of the incident, particularly with regard to its awareness that exfiltration occurred, and it failed to disclose that fact to customers.
Due to these misstatements and omissions, the SEC found that the bank violated Section 17(a)(2) of the Securities Act and Section 13(a) of the Exchange Act and Rules 12b-20, 13a-1, 13a-13 and 13a-15 resulting in the payment to the SEC.
What Went Wrong?
In the wake of a cyber incident, deciding, when, how and how much information to share can be a difficult decision, and waiting until a crisis happens before formulating a response can exacerbate an already challenging situation. Plans should be developed and updated regularly to address all foreseeable areas of impact – including, of course, SEC filings. Involving legal, communications, and compliance resources, whether internal or external, becomes particularly critical when regulatory disclosures come into play.
Proactive Steps To Take – Regardless of Your Industry
Cybercrime is one of the most prevalent forms of fraud, regardless of industry, and companies should consider taking the following steps to prevent both cyber incidents and SEC reporting missteps:
Ensure the company maintains robust cybersecurity measurers to protect PII and financial information
Ensure that only authorized personnel have access to sensitive data
Regularly review and update cybersecurity policies and procedures
Stay current on latest fraud trends and prevention techniques (such as AI)
Provide adequate cybersecurity incident training
Maintain clear lines of communication between the communications and legal teams
Develop and update a clear process to fully identify and comply with all applicable regulatory requirements, including a clear process to properly inform the disclosure process to ensure factual and legal accuracy
Key Takeaways
If nothing else, the recent settlement demonstrates the importance of understanding regulatory expectations when faced with a cybersecurity incident. It is critical that companies immediately investigate the root cause and impact of the incident, determine whether exfiltration has occurred, analyze the company’s reporting obligations to regulators, individuals, and customers, and quickly determine the information necessary to disclose in a Form 10-Q, 10-K, or 8-K. Companies must review their incident response plans and protocols proactively and ensure that their executive leadership and incident response teams know how to respond, including having a robust disclosure process.
President Trump Issues Executive Order on Crypto as SEC Signals Enforcement Shift
On January 23, 2025, President Trump issued an executive order entitled “Strengthening American Leadership in Digital Financial Technology,” establishing his Administration’s policy “to support the responsible growth and use of digital assets, blockchain technology, and related technologies across all sectors of the economy” (the “EO”).
The EO sets out five high-level policy objectives:
protecting the lawful use of blockchain networks, participation in mining and validation, and self-custody of digital assets without unlawful censorship;
promoting dollar-backed stablecoins;
ensuring fair and open access to banking services;
providing “regulatory clarity” for digital assets based on “well-defined jurisdictional regulatory boundaries;” and
prohibiting Central Bank Digital Currencies (“CBDC”).
As an initial matter, the EO rescinds Executive Order 14067 issued by President Biden on March 9, 2022, which, among other things, placed “the highest urgency on research and development efforts into the potential design and deployment options of a United States CBDC.” The EO also rescinds the Department of the Treasury’s “Framework for International Engagement on Digital Assets,” issued on July 7, 2022. A press release regarding the framework stated that it set forth steps for international cooperation on digital assets while respecting core U.S. democratic values, protecting consumers, ensuring interoperability, and preserving the safety and soundness of the global financial system. A White House statement accompanying the EO asserts the framework “suppressed innovation and undermined U.S. economic liberty and global leadership in digital finance.”
In terms of affirmative directives, the EO accomplishes the following:
Establishes a Working Group on Digital Asset Markets to be chaired by a Special Advisor for AI and Crypto and include the Chairman of the Securities and Exchange Commission, the Chairman of the Commodity Futures Trading Commission, the Attorney General, and the Secretary of the Treasury, among seven other top officials.
Directs the Working Group to (1) identify regulations, guidance documents, and orders pertaining to the digital asset industry within 30 days, (2) submit recommendations regarding rescission, modification, or regulatory adoption of those items within 60 days, and (3) submit a report to President Trump recommending regulatory and legislative proposals to (a) establish a Federal framework for the issuance and operation of digital assets, including stablecoins, and (b) evaluate the potential creation and maintenance of a national digital asset stockpile.
Prohibits development of CBDCs, which the EO states “threaten the stability of the financial system, individual privacy, and the sovereignty of the United States,” underscoring that “any ongoing plans or initiatives at any agency related to the creation of a CBDC within the jurisdiction of the United States shall be immediately terminated, and no further actions may be taken to develop or implement such plans or initiatives.”
The accompanying White House statement highlights several key objectives of the Trump Administration in this space, including making “the United States the center of digital financial technology innovation by halting aggressive enforcement actions and regulatory overreach that have stifled crypto innovation under previous administrations,” and ensuring that “regulatory frameworks are clear” and the “growth of digital financial technology in America . . . remain[s] unhindered by restrictive regulations or unnecessary government interference.”
Also on January 23, 2025, the Securities and Exchange Commission (“SEC”) rescinded accounting guidance issued in 2022 entitled “Accounting for Obligations to Safeguard Crypto-Assets an Entity Holds for its Platform Users.” The guidance called upon certain regulated entities custodying digital assets on behalf of others to account for them as liabilities “to reflect [their] obligation to safeguard the crypto-assets held for [their] platform users.”
Two days earlier, the Commission issued a press release announcing that Acting SEC Chairman, Mark Uyeda, had launched a crypto task force “dedicated to developing a comprehensive and clear regulatory framework for crypto assets.” The press release stated that, “[t]o date, the SEC has relied primarily on enforcement actions to regulate crypto retroactively and reactively, often adopting novel and untested legal interpretations along the way. Clarity regarding who must register, and practical solutions for those seeking to register, have been elusive. The result has been confusion about what is legal, which creates an environment hostile to innovation and conducive to fraud.” It added that the task force’s focus will be to “help the Commission draw clear regulatory lines, provide realistic paths to registration, craft sensible disclosure frameworks, and deploy enforcement resources judiciously.”
These executive actions exhibit a shift from the prior Administration consistent with President Trump’s promise at the Bitcoin 2024 conference to make the U.S. the “crypto capital of the planet.” While it remains to be seen whether this will be pursued through shifts in enforcement prerogatives, rulemaking, or legislation, it appears that the crypto industry can expect a more amenable U.S. regulatory environment moving forward.
SEC Withdraws Crypto Accounting Bulletin
With little fanfare, on January 23, 2025, the US Securities and Exchange Commission (SEC) withdrew controversial Staff Accounting Bulletin 121 regarding custody of digital assets. In its place, new Staff Accounting Bulletin 122 directs registrants to Accounting Standards Codification 450-20, Loss Contingencies and International Accounting Standard 37, Provisions, Contingent Liabilities and Contingent Assets.
SAB 121 proved highly controversial, and during the last Congress both the House and Senate voted to repeal it under the Congressional Review Act. President Biden vetoed that repeal.
SAB 122 instructs SEC registrants to “continue to consider existing requirements to provide disclosures that allow investors to understand an entity’s obligation to safeguard crypto-assets held for others,” and points to other accounting literature that may be instructive. The issuance of SAB 122 and withdrawal of SAB 121 comes just days after the SEC announced a new “Crypto 2.0” initiative on its approach to digital assets.
President Trump’s Executive Order Steering Digital Assets Policy
As promised during his campaign, President Trump has taken significant steps to support the digital asset industry during his first week in office. On 23 January 2025, he signed an executive order initiating digital asset regulatory rollbacks and a new federal framework governing cryptocurrencies, stablecoins, and other digital assets (the Order).
On the same day, the Securities and Exchange Commission (SEC) rescinded the controversial Staff Accounting Bulletin 121, which required crypto custodians and banks to reflect digital assets in their custody as both an asset and a liability on their balance sheets. Earlier in the week, the SEC established Crypto 2.0, a crypto task force designed to provide paths for registration and reasonable disclosure frameworks, and to allocate enforcement resources “judiciously.”
The Order recognizes the role the digital asset industry serves in our economy and aims to support the responsible growth and use of digital assets by promoting dollar-backed stablecoins and providing regulatory clarity. The Order lays the groundwork for a regulatory shift furthering digital assets policy, focusing on the creation of “technology-neutral regulations” tailored to digital assets.
In addition to prohibiting agencies from facilitating any central bank digital currencies, the Order establishes a working group comprised of the heads of various agencies (the Working Group) and sets three deadlines:
22 February 2025: Federal agencies must report to the Special Advisor for AI and Crypto with the regulations or other agency guidance that affect the digital asset sector.
24 March 2025: Federal agencies must submit recommendations on whether to rescind or modify these regulations and guidance.
22 July 2025: The Working Group must submit a report to the President on regulatory and legislative proposals to advance digital assets policy. This report must include a proposed Federal framework for the issuance and operation of digital assets, including stablecoins, and evaluate whether establishing a national digital assets stockpile is possible.
Fifth Circuit Vacates SEC’s Approval of Nasdaq’s Diversity Rules
On December 11, 2024, the US Court of Appeals for the Fifth Circuit ruled that the Securities and Exchange Commission (SEC) lacked statutory authority to approve Nasdaq’s board diversity rules. Subject to certain exceptions, the diversity rules required, among other things, that Nasdaq-listed companies publicly disclose the demographic makeup of their boards of directors, and that boards with five or more directors include at least two “diverse” directors.
Fifth Circuit’s Ruling in Alliance for Fair Board Recruitment v. SEC
In its majority opinion, the Fifth Circuit held that the Nasdaq diversity rules were unrelated to the purpose of the Securities Exchange Act of 1934 and, as such, the SEC had no authority to approve the diversity rules. The court reasoned that US Congress enacted the Exchange Act specifically to protect investors in securities by establishing a regulatory oversight regime. Thus, the authority granted to the SEC under the Exchange Act is limited to the prevention of fraud and misrepresentation or concealment of material financial risks, and to stabilize the market from speculation-driven instability.
The SEC argued that the Exchange Act was also intended to remove barriers to the open market and promote justice and equitable trade principles, but the court held that if Congress intended to grant the SEC authority to impose such demographic regulations, the Exchange Act would have stated so explicitly.[1]
Nasdaq’s Proposed Diversity Rule
Nasdaq filed its proposed diversity rules with the SEC on December 1, 2020, and the diversity rules were approved by the SEC on August 6, 2021. The diversity rules, subject to certain exceptions, required a Nasdaq-listed company with five or more directors to:
Establish a board with at least one director who self-identifies as female and one director who self-identifies as Black or African American, Hispanic or Latinx, Asian, Native American or Alaska Native, Hawaiian or Pacific Islander, two or more races or ethnicities, or as LGBTQ+.
Submit an explanation for its lack of compliance if a company’s board does not meet such requirements.
Submit public disclosures detailing the demographic composition of its board.
What Is Next?
In a December 12, 2024, statement, Jeff Thomas, Nasdaq’s Global Head of Listings, confirmed that Nasdaq will not seek to appeal the decision, and that companies seeking Nasdaq listing or listed on the Nasdaq stock markets will not need to comply with the diversity rules. However, the SEC may seek to appeal the Fifth Circuit’s decision to the US Supreme Court, though it remains unclear whether the Supreme Court would agree to consider the case. Congress could also consider amending the Exchange Act, enabling the imposition of board diversity requirements.
Takeaways
Absent a reversal by the Supreme Court or new legislation passed by Congress, Nasdaq-listed companies will no longer be required to adhere to the requirements of the diversity rules and may establish board compositions at their discretion. However, publicly held corporations should expect ongoing scrutiny related to their diversity, equity, and inclusion initiatives generally.
[1] Loper Bright Enterprises v. Raimondo, 603 US 369 (2024).
Maria Ortega Castro also contributed to this article.