2023 was another active year for U.S. Securities and Exchange Commission (SEC) enforcement, encompassing a wide range of violations against individuals and firms of all sizes.
Understanding 2023 enforcement actions along with the agency’s 2024 enforcement priorities will help firms better assess and anticipate regulatory expectations—and set the stage for better compliance.
2023 SEC enforcement had substantive breadth and depth, with actions that addressed a wide range of violations and violators including individuals and companies large and small. And with the agency's 2022-2026 Strategic Plan promising a sustained focus on investor protection, a robust regulatory framework and evolving technology and rule sets, firms should be ready for another year of extensive SEC action and enforcement.
2023 SEC Enforcement
In 2023, SEC enforcement actions covered a variety of topics, such as compliance programs, disclosures, conflicts of interest, investment recommendations, market and credit risks, derivatives and leverage, environmental, social, and governance (ESG) factors, and new technologies.
There were 784 total enforcement actions in the SEC’s fiscal year 2023, a 3 percent increase from 2022, including:
- 501 new, or "stand alone," enforcement actions
- 162 "follow-on" administrative proceedings seeking to bar or suspend individuals based on criminal convictions, civil injunctions, or other orders.
- 121 actions against issuers allegedly delinquent in required filings
The SEC’s Division of Enforcement filed settled charges and imposed penalties against firms and individuals across a broad range of securities law violations, including:
- Violations of recordkeeping requirements
- Abusive trading practices including insider trading, front-running and market manipulation
- Misleading investors about AML compliance program and failing to disclose risks posed by the program’s significant deficiencies
- Failures by insiders and major shareholders to file required SEC forms in a timely manner
- Violations of the Marketing Rule
- Failure to provide complete and accurate securities trading information to the SEC
- Failure to file ownership reports that company insiders are required to file regarding their holdings of company stock
- Violations of whistleblower protection rules
- Misleading statements and failure to disclose surrounding ESG-related issues
- Failure to obtain required disclosures and fraud in the public finance sector
- Fraud and unregistered offerings in the crypto space
- Audit and quality control failures
Fines for books and records failures were assessed in excess of a staggering $1.5 billion. In remarks before the 2023 Securities Enforcement Forum, SEC Chair Gary Gensler noted “Since the 1930s, recordkeeping obligations have been vital to market integrity and the SEC’s oversight. At a fundamental level, failures in recordkeeping—like those involving off-channel communications—obstruct such market integrity.”
2024 SEC Examination Priorities
The SEC Division of Examinations 2024 Examination Priorities outline the agency's strategic approach, direction and priorities for the upcoming year for various market participants. These priorities contain the Division’s assessment of key risks, issues, and policy matters stemming from market and regulatory developments, examination information, and sources including tips, complaints, referrals and coordination with other SEC divisions and other regulators.
For investment advisers, the agency will examine how investment advisers, especially those who advise private and registered funds, manage their compliance programs, fiduciary duties, disclosures, conflicts of interest, and investment recommendations. Priorities will also include the continued impact of the COVID-19 pandemic, the change from LIBOR, the application of ESG factors, and the use of new technology.
The Division will monitor how registered funds, especially mutual funds and ETFs, manage their compliance programs, disclosures, liquidity and valuation practices, fees and expenses, and conflicts of interest. Additional priorities will include oversight and governance of registered funds, management of market and credit risks, the use of derivatives and leverage, and compliance with the new fund of funds rule.
For broker-dealers, top priorities include compliance with Regulation Best Interest (Reg BI) and the use of Form CRS, as well as the financial responsibility rules, trading practices, market access, best execution, payment for order flow, and cybersecurity. The Division will also examine sales practices, suitability, and disclosures, especially those surrounding complex or structured products, crypto-asset securities, or ESG-related products.
Other market participants
The Division will examine the compliance programs, risk management, operational resilience, and cybersecurity of other market participants, including self-regulatory organizations, clearing agencies, municipal advisors, security-based swap dealers, transfer agents, and national securities exchanges, focusing on oversight and governance as well as the protection of customer assets and data.
Genser and the SEC continue to encourage meaningful cooperation from market participants who are involved in or aware of potential violations of securities laws. As noted by Gensler in his remarks before the 2023 Securities Enforcement Forum “Further, process is about meaningful cooperation. I’m talking about more than showing up for testimony or producing documents under subpoena. It means going above and beyond to self-report, cooperate, and remediate.”
With expectations high for another year of regulatory scrutiny, there are key areas compliance executives can focus on to close out 2023 strong and meet the expectations of the SEC and other regulators in 2024. These areas include risk assessments, vendor due diligence, preparing for the annual compliance review and optimizing compliance technology.
Be ready for proactive compliance in 2024! Watch an on-demand webinar featuring practical year-end guidance.
In the webinar Practical Steps to Strategic Year-End Compliance, Paul Murdock and James Hartmann from MCG Consulting share tips for evaluating core elements of the compliance program to flag issues and make adjustments, laying the foundation for effective compliance in the year ahead.
When asked if organizations should conduct a formal Risk Assessment, the answer from Paul and James was a resounding yes. James notes that most firms don't have one, but really need one! In fact, for Registered Investment Advisers, it's an implied aspect of SEC Rule 206(4)-7, as outlined in the Risk Alert Investment Advisers: Assessing Risks, Scoping Examinations, and Requesting Documents.
Rule 206(4)-7 requires each registered adviser to review policies and procedures annually to determine both adequacy and the effectiveness of implementation. The Risk Alert reminds firms that they should take inventory of compliance risks and conflicts of interest that form the basis for policies and procedures and make notations regarding changes made to the inventory. James explained that the Risk Alert outlines typical focus areas and requests for information. That means that the RIA is expected to have responses to those request areas, so long as they are germane—and having a written risk assessment is germane to all RIAs. Read about Compliance Pitfalls for Newly Registered Investment Advisers.
According to Paul, the basic elements of a Risk Assessment include:
- An inventory of risks that is mapped to the firm's Policy manual
- A description of the inherent risks controlled by the specific Policy
- An inherent risk rating (or at least a residual risk rating, but both are recommended)
- A list of the controls in production to control for each specific risk
The culture of the firm is the ultimate efficacy test. When there is a material breach within the firm is it handled expediently and according to policy?
It’s easy to talk about the need for a culture of compliance in theory, but much harder to put it into practice in a way that’s pragmatic—and that can be evidenced to regulators. Watch the webinar Beyond Wishful Thinking: How to Create a Thriving Culture of Compliance to learn more.
Vendor Due Diligence
You can delegate, but you can’t abdicate….so, supervise with care.
James reminded firms that the regulators have intensifying their focus on vendor due diligence, and that compliance programs should increase attention on the area accordingly. Due diligence should be conducted at on-boarding and on a regular basis for the vendors that support clients and the firm. eComms are a high-risk area these days, but other areas of concerns include cyber risk and IT risk. Criteria that should be evaluated during the due diligence process include resources for implementation, verification, and ongoing system monitoring, service and support, and certifications and audits including SOC-2.
Annual Compliance Reviews
Paul and James pointed out that in nearly all enforcement actions, the risks were not on the internal radar of any reporting prepared for a management committee or Board of Directors, let along mis-characterized as low/medium/high. A comprehensive annual review should identify risks and allow for mitigation before the regulators find them first.
Paul and James recommend that year over year firms document reviews and draft the report with monthly, quarterly and ad hoc updates. At year end, most firms will only need to make minor adjustments since the bulk of the annual review has already been written. They also reminded firms that a written report is required, along with solid documentation of the source data that makes up the report’s observations and recommendations. Those observations and recommendations can and should be both regulatory driven and indicative of year over year changes in the firm's business. Controls should be updated and amended based on the findings of the annual compliance review. If the annual compliance review leads to no year over year control enhancements, that's a definite flag that regulators are going to want to look info.
Paul and James also addressed a common question about outsourcing the annual review. Using a third party for the annual compliance review is not required, but there are circumstances where it can be advantageous to a firm. A third party can bring a fresh perspective that helps uncover gaps and blind spots. An outside resource can also help alleviate time and capacity restraints and bring an independent and objective voice to the table.
The regulatory environment is continuously evolving, and compliance teams must be nimble to keep pace. A set it and forget it approach to compliance technology is a surefire way to miss or underestimate risk.
Paul and James recommend that alongside of their annual review of policies and procedures, compliance teams evaluate how they are set in their system as well. Compliance technology that is regularly updated and enhanced and knowledgeable and responsive customer support can also help with this endeavor.
MCO can help you streamline compliance across your organization and be ready to stand up to regulatory scrutiny. Contact us today for a demo to see MyComplianceOffice in action.