
On the Naughty List – Nikola and Social Media Shenanigans

We continue our exploration of Santa’s Naughty List this week before Christmas by looking at the compliance failures of Nikola Corporation (Nikola). In a Press Release, the Securities and Exchange Commission (SEC) announced that Nikola, a publicly traded company created through a special purpose acquisition company transaction, has agreed to pay $125 million to settle charges that it defrauded investors by misleading them about its products, technical advancements, and commercial prospects via a Cease and Desist Order (Order). This follows on the heels of an earlier filing against former Nikola founder and Chief Executive Officer (CEO), Trevor R. Milton (Milton), for repeatedly disseminating false and misleading information – typically by speaking directly to investors through social media – about Nikola’s products and technological accomplishments.
Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, said in the Press Release, “As the order finds, Nikola Corporation is responsible both for Milton’s allegedly misleading statements and for other alleged deceptions, all of which falsely portrayed the true state of the company’s business and technology. This misconduct — and the harm it inflicted on retail investors — merits the strong remedies today’s settlement provides.” And boy what misconduct it detailed. This matter should be studied by not only every compliance professional but also every business executive. It also points out one of the basic deficiencies of Special Purpose Acquisition Corporations (SPACs).
Nikola was created via the merger of Legacy Nikola and VectoIQ Acquisition Corp. (VectoIQ), which was formed in 2018 as a SPAC, for the purpose of effecting a business combination with one or more businesses. According to the Order, “VectoIQ and Legacy Nikola entered into a Business Combination Agreement (the “Business Combination Agreement”), as well as certain related agreements, pursuant to which Legacy Nikola would merge with a subsidiary of VectoIQ, with Legacy Nikola remaining as the surviving company and as a wholly-owned subsidiary of VectoIQ. On June 3, 2020, Legacy Nikola and VectoIQ consummated the merger contemplated by the Business Combination Agreement (the “Business Combination”), and VectoIQ changed its name to Nikola Corporation” and on June 4, 2020, Nikola’s common stock and warrants began trading on the Nasdaq Global Select Market.
What got Nikola into such SEC hot water was the mouth, or rather the modern-day social media postings, of Milton. The Order stated, “From approximately March 2020 through September 2020, in his capacity as CEO and later as Executive Chairman of Nikola, Milton made materially false and misleading statements on numerous critical topics related to Nikola’s capabilities, technology, reservations, products, and commercial prospects.” Matt Kelly, writing in Radical Compliance, was a bit more pithy, stating, “The problem was that almost every statement Milton made about Nikola’s hydrogen vehicles was, well, hot air.” According to the Order, there were multiple instances where Milton misled investors and indeed anyone reading social media about the company.
Milton made false and misleading statements about the capabilities of Nikola’s first semi-truck prototype, the Nikola One, saying it was a working model, and made a fraudulent video to back it up. He made a series of false and misleading claims about Nikola’s then-current hydrogen production capabilities, its costs to produce hydrogen, and the costs at which it obtained electricity to produce hydrogen profitably. He made false statements claiming that Nikola had engineered and already completed a prototype of an electric pickup truck, the Badger. Milton claimed that a “backlog of interest” in the vehicles was in the form of binding contracts when “the vast majority of the pre-orders were indications of interest that were cancellable at any time,” even going so far as to claim one customer had a binding order for 5,000 vehicles when no such contract existed. Finally, to top off all of Milton’s whoppers, he claimed a partnership with General Motors (GM) would generate over $4 billion in cost savings when there was no such arrangement in place.
I went into some detail on these clearly bogus claims to demonstrate why a Chief Compliance Officer (CCO) needs to have a handle on what their CEO is tweeting and social media-ing out. What steps can a CEO take? Here I will borrow once again from the Coolest Guy in Compliance.

  • Take a team approach to reviewing and publishing information about the company, so someone else can put a second set of eyes (The Eyes of Dr. T. J. Eckleburg) on what the CEO says before they hit the send button.
  • This approach should be a formal policy and procedure, fully documented so when the SEC comes knocking there will be a record.
  • A subject matter expert (SME) review on what statements about the company qualify as material information that should be disclosed in filings to the SEC.
  • Your process should also contain a mechanism to correct any misleading or erroneous statements that slip through your fully documented and operating policy and procedure.

If all of this sounds more than vaguely familiar, it is because of the imbroglio surrounding Elon Musk and his use of social media. Musk was fined $30 million for his false and misleading tweets and the company was required to have a legal eagle vet his tweets. All of this means that a CCO and corporate compliance program should be vigilant for this type of activity. Policies and procedures are mandatory, but they are only the starting point. This is a risk and, like all other risks, it must be managed. If you set up policies and procedures but do not follow them, you could find yourself in SEC hot water as both Nikola and Milton have.
Put another way, Nikola got a Christmas present of 125 million lumps of coal. While any decision on Milton may have to wait until 2022, he will most probably be on Santa’s Naughty List for 2022.


On the Naughty List – JPMorgan and Failures for Record Keeping

We begin the week before Christmas by looking at one heck of a compliance failure (or perhaps series of compliance failures) which led JPMorgan Chase Bank, NA, J.P. Morgan Securities LLC, and J.P. Morgan Securities plc (JPMorgan) to pay some $200 million in fines and penalties to the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC). It breaks down with $125 million to the SEC and $75 million to the CFTC. While that is probably just a rounding error to JPMorgan, it will purchase many, many lumps of coal that JPMorgan will probably get from Santa this year as they clearly have been very, very naughty. Both the SEC and CFTC settled via Orders (herein CFTC Order and SEC Order).
Matt Kelly, writing in Radical Compliance, said of the underlying facts that they do “not paint a pretty picture for JP Morgan. The misconduct happened from at least January 2018 through November 2020, and even supervisors in the broker-dealer unit — the people who were supposed to enforce compliance with records-retention policies — engaged in the same bad habits.” JPMorgan received numerous subpoenas for documents from the SEC between 2018 and 2020. JPMorgan failed to comply with these subpoenas as “JPMorgan frequently did not search for records contained on the personal devices of JPMorgan employees relevant to those inquiries.” Moreover, these failures “impacted the Commission’s ability to carry out its regulatory functions and investigate potential violations of the federal securities laws across these investigations; the Commission was often deprived of timely access to evidence and potential sources of information for extended periods of time and, in some instances, permanently.”
In ongoing investigations, the SEC was provided WhatsApp, text messaging and emails from parties who were in contact with JPMorgan. The SEC brought this information to the attention of JPMorgan and the bank “identified other recordkeeping failures that it subsequently” reported to the SEC. The bank’s “Supervisory policies tasked supervisors with ensuring that employees completed training in the firm’s communications policies and adhered to JPMorgan’s books and recordkeeping requirements,” yet those supervisors were just as guilty of such conduct. The internal function charged with the screening and review of electronic communications, the compliance department’s e-surveillance group, “failed to implement a system of follow-up and review to determine that supervisors’ responsibility to supervise was being reasonably exercised so that the supervisors could prevent and detect employees’ violations of the books and records requirements. Even when employees used approved communications methods, including on personal phones, for business communications, JPMorgan failed to implement sufficient monitoring to assure that its recordkeeping and communications policies were being followed.” The Order concluded, “Even after the firm became aware of significant violations, the widespread recordkeeping failures and supervisory lapses continued with a significant number of JPMorgan employees failing to follow basic recordkeeping requirements.”
As a part of the remediation effort during the investigation, the Board of Directors’ Audit Committee hired a consultant to help in the effort. The SEC Order broadened this initiative out further to a “Compliance Consultant” to be retained to lead a variety of remedial efforts. (This sounds suspiciously like a monitor.) Some of these efforts will include:

  • A comprehensive review of JPMorgan’s supervisory, compliance, and other policies and procedures.
  • A comprehensive review of training conducted by JPMorgan to ensure personnel are complying with the requirements.
  • An assessment of the surveillance program measures implemented by JPMorgan to ensure compliance.
  • An assessment of the technological solutions that JPMorgan implements to meet the record retention requirements.
  • An assessment of the measures used by the firm to prevent the use of unauthorized communications methods for business communications by employees.
  • A review of JPMorgan’s electronic communications surveillance routines.
  • A comprehensive review of the framework to address instances of non-compliance, including (1) how JPMorgan determined which employees failed to comply, (2) the corrective action carried out, (3) an evaluation of who violated policies, (4) why and what penalties were imposed, and (5) whether penalties were handed out consistently across business lines and seniority levels.

There were also additional reporting obligations from the Compliance Consultant in the SEC Order that bear mentioning. In addition to a report at one year of the overall JPMorgan compliance program on record keeping for electronic communications, at two years the Compliance Consultant is to report on any discipline imposed on employees for violations of the record keeping policies. This includes “written warnings, loss of any pay, bonus, or incentive compensation, or the termination of employment, with respect to any employee found to have violated JPMorgan’s policies and procedures”. JPMorgan’s Internal Audit function is also mandated to conduct an internal audit to determine compliance with the firm’s record keeping policies for electronic communications.
All of these obligations should be studied by compliance professionals not only for best practices but also to determine any gaps in your company’s electronic data record keeping regime. This is critical even if you are not under the regulatory regime imposed on financial institutions or other regulated industries. The Department of Justice (DOJ) has long mandated that companies both understand and capture ephemeral communications, and if your company gets into a Foreign Corrupt Practices Act (FCPA) or other similar investigation, you will need to demonstrate compliance from an FCPA perspective and then internally investigate any claims. Not much will be worse for your company than if the DOJ or SEC finds out about some FCPA-violative conduct and comes to your company, and then you find out your business folks have been communicating through technology you were completely unaware of, you have no record of it and you cannot capture it.
Everyone was aware of the changes in risk when most companies went to WFH. Now that we are RTO, those risks have changed again. Even if you are aware of and have approved the use of Teams, Slack, Zoom or other technology to collaborate in the RTO environment, these tools are coming out with new features literally weekly that may change your risk profile. Use the JPMorgan SEC and CFTC enforcement actions as benchmarks to guide you through an assessment of your electronic record keeping program as well as key areas to enhance.
Matt Kelly and I take a deep dive into this matter on this week’s Compliance into the Weeds, which will post Wednesday AM.


December 20, 2021 the Brain Control Edition


In today’s edition of Daily Compliance News:

  • Brain control tech company placed on blacklist. (WaPo)
  • OSHA vaccine mandate reinstated. (NYT)
  • Corruption at the heart of college sports? (Chronicle of Higher Ed)
  • JPMorgan settles record keeping failures suit. (Reuters)

Challenging the Disclose or Abstain Rule: Insider Trading Through the 60’s and 80’s


 
Tianjiao Lyu studied international business law at Beijing Foreign Studies University. She plans to work at the Clifford Chance Beijing office after graduating from Washington and Lee. In this episode of Classroom Insiders, Lyu talks about insider trading between the 1960s and the 1980s.
 

 
Between 1941 and 1971, the disclose or abstain rule implemented by the SEC had become so expensive that it discouraged the development of the securities market, Lyu states. As a rule, it was not very pro-business. During that time, the SEC was very aggressive in their enforcement of insider trading regulation, and won every case they brought to court about insider trading. This changed, however, when Justice Powell joined the Supreme Court.
 
“Justice Powell’s close interactions with businessmen while lawyering led him to trust in their characters,” Lyu says. “That kind of trust made him hostile to what he saw as excessive regulation, which infringe on free enterprise.” He questioned the SEC’s use of Section 25 and their attempt to expand their reach. It was Powell’s view that the SEC’s rules were unrealistically intended to guarantee investors profit in their investments.
 
Resources
Karen Woody on LinkedIn
 


Episode 91, the Year End Review Edition


Welcome to the only roundtable podcast in compliance. The entire gang was also thrilled to be honored by W3 as a top talk show in podcasting. In this episode, we have the sextet of Karen Woody, Jonathan Armstrong, Matt Kelly, Jonathan Marks, and Jay Rosen, with host Tom Fox also weighing in on this episode. We also discuss our favorite story of 2021. We end with a veritable mélange of shout outs and rants.

1. Karen Woody reviews the increase in SEC enforcement that the regulators have told us throughout the year is coming. Karen shouts out to starting early Emmy buzz for Ted Lasso.

2. Jay Rosen reviews the Activision imbroglio from the missteps of the CCO to the disseminations of the CEO. Rosen shouts out to civility.

3. Matt Kelly reviews the latest iteration of ransomware attacks and contrasts it with data privacy breaches from the past. Kelly shouts out to the NJ sandwich shop Hometown International, which, with $35K in annual sales, resulted in a $100MM market cap valuation.

4. Jonathan Armstrong goes back to consider the long running soap opera, saga and story that is Carlos Ghosn and Nissan. Armstrong shouts out to those who show true leadership in a crisis and the Spirit of Christmas.

5. Jonathan Marks reviews the increased Caremark duties for Boards of Directors coming out of the Delaware courts. Marks expands on his rant about Hall of Fame horse trainer Bob Baffert.

6. Tom Fox reviews the year in ESG and why compliance is the most well-suited corporate function to lead a corporate ESG effort. Fox shouts out to John Lee Dumas, who, as a college senior on 9/11, knew that night he was going to war, and to all the men and women who served in combat in America’s 20-year war in Iraq and Afghanistan.

The members of Everything Compliance are:

  • Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu
  • Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com
  • Jonathan Marks – Partner, Firm Practice Leader – Global Forensic, Compliance & Integrity Services at Baker Tilly. Marks can be reached at jonathan.marks@bakertilly.com

The host and producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.


December 14, 2021 Dos Santos Banned Edition


In today’s edition of Daily Compliance News:

  • New language for RTO. (NYT)
  • SEC says more enforcement coming. (WSJ)
  • Isabel Dos Santos barred from US Visa. (BBC)
  • Timing of firing auditors and trouble. (WSJ)

December 10, 2021 the SPACs and IPOs Edition


In today’s edition of Daily Compliance News:

  • SEC to level playing field between SPACs and IPOs. (WSJ)
  • Amazon fined 1.3bn Euro in Italy. (WSJ)
  • Pressure increases to remove Activision CEO from Coca-Cola Board. (NYT)
  • Corruption must be tamed in Haiti. (TheHill)

December 9, 2021 the Crypto Goes to Congress Edition


In today’s edition of Daily Compliance News:

  • Why the Chinese failed to understand the Peng Shuai imbroglio. (NYT)
  • FATF says looks at illegal profits in climate change fight. (WSJ)
  • Crypto goes to Congress. (NYT)
  • EU looking into Microsoft/Nuance deal. (Reuters)

Ransomware Attacks and Internal Controls


Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Today, Matt and Tom take a deep dive into the difference between a privacy breach and a ransomware attack.
Some of the issues we consider are:

  • Why are privacy breaches different from ransomware attacks?
  • What is an authenticated v. unauthenticated cyber-attack?
  • Why would the SEC get involved?
  • What are the internal controls needed to prevent and detect a ransomware attack? How will they be audited?
  • How can a material weakness in internal controls around ransomware lead to a financial restatement?
  • What will the SEC look at from an enforcement angle?

Resources
Matt in Radical Compliance


December 6, 2021 a Defense of Contradictions Edition


In today’s edition of Daily Compliance News:

  • Holmes defense is one of contradictions. (WSJ)
  • Fighting the Imposter Syndrome. (FT)
  • Web3 is here. Are you ready? (NYT)
  • SEC mandates greater Chinese company transparency. (Reuters)