Bridging the Week by Gary DeWaal: November 9 - 13 and 16, 2015 (SEC Chastised; Cybersecurity; Hacking; Supervision; Compliance Outsourcing; the Cloud)

Jump to: Block Trades and EFRPs    Bridging the Week    Compliance Weeds    Cybersecurity    EMEA Regulation (sans Capital and Liquidity and UK after March 1, 2019)    Managed Money    My View    Position Limits    Supervision    Systems and Controls    Totally Irrelevant (But Is It?)    Trade Practices (including Disruptive Trading)   
Email Print
Published Date: November 15, 2015

In a week punctuated by a horrific Friday-night tragedy in Paris, far less important news dominated regulatory and legal developments for financial services firms. A New York regulator appears poised to introduce cybersecurity regulations for many types of financial institutions, while criminal complaints were filed in New York and Atlanta against major hackers of financial services firms. Separately, a federal judge in New York severely criticized the Securities and Exchange Commission over its handling of a case that caused a foreign bank to fail. As a result, the following matters are covered in this week’s edition of Bridging the Week:

Video Version:

Article Version:

Court Chastises SEC for Causing Unwarranted Collapse of Foreign Bank:

A federal judge in New York severely criticized the Securities and Exchange Commission over its handling of a lawsuit against Caledonian Bank Ltd., Caledonian Securities Ltd. (together, “Caledonian”) and others that resulted in Caledonian’s bankruptcy and liquidation.

According to the judge – the Hon. William H. Pauley III – the SEC initially filed a complaint against Caledonian, a bank and broker-dealer in the Cayman Islands, on February 6, 2015, in which it alleged that the defendants sold large quantities of worthless stock as principals (not agents for customers) without filing required registration statements with the agency. (Click here for a copy of the SEC complaint.)

After the SEC advised the Court that it had identified “recent transfers of funds” by Caledonian and another defendant – Verdmont Capital, S.A. – from certain of their US accounts, the court granted the agency’s application to freeze defendants’ assets. However, as soon as the following the day, noted the judge, counsel for Caledonian and Verdmont advised the SEC that each defendant had acted solely as a broker in the relevant transactions and not as a principal. This information was not shared with the court.

Unfortunately, a run on Caledonian began when news of the SEC’s allegations spread, “and panic ensued among depositors and investors,” said the judge. Within days, the Cayman Islands Monetary Authority placed both Caledonian entities into controllership and the bank began a process of voluntary liquidation.

It was not until May 2015, said the court, that the SEC advised it that Verdmont (and impliedly, Caledonian) had a far more limited role in the unlawful sales than previously described (Caledonian was no longer actively involved in the litigation by this time). Moreover, said the court, it turned out that other employees of the SEC – in other divisions and offices – had been aware that Verdmont had acted as a broker and not as a principal in the subject transactions at least five months prior to the filing of the SEC’s initial complaint. Unfortunately, the SEC attorneys involved in this action did not learn of this fact until the week of February 16, 2015, observed the judge.

Ultimately, the SEC filed an amended complaint that “blunted many of the harshest and categorical allegations in the original Complaint,” wrote the judge, “[b]ut here, the SEC’s failure to coordinate spawned more dire consequences than administrative inefficiency.” Caledonian was forced to liquidate.

The court criticized the SEC's investigation that prompted it to apply for the initial asset freeze order:

[t]he declarations submitted in connection with the SEC's motion to amend reveal an apparent failure to pose the appropriate inquiries to financial institutions before seeking crippling ex parte asset freezes. Prior to filing this action, the SEC asserted it had been "in frequent contact" with the legal departments of the U.S. financial institutions against whom it sought to enforce the asset freeze... However, it is not clear what questions the SEC asked to ascertain whether these assets belonged to the defendants – like Verdmont or Caledonian Bank – as opposed to their customers.

The court urged the SEC to self-reflect on its prosecution of this case and apply lessons-learned going forward:

[i]t is hard for this Court to believe that the SEC does not have systems in place to ensure that enforcement and regulatory staff are aware of investigations with common facts or the same individuals or entities … Given the high stakes in securities enforcement actions, and in the face of the workload the SEC describes as an “overwhelming burden,” a self-examination may be appropriate.

Judge Pauley’s commentary regarding Caledonian constituted the major portion of his 32-page ruling on a motion by Verdmont to summarily decide against the SEC in connection with its amended complaint. The court ruled such application was premature at this point.

My View: Sadly, this is not the first time over-zealous regulators have improperly caused the destruction of a company. After Arthur Andersen LLP – one of the top accounting firms of its time – was found guilty of obstruction of justice in 2002, following charges that it wrongfully destroyed documents in anticipation of an investigation by the Securities and Exchange Commission related to its dealings with Enron Corporation, the company gave up its licenses as certified public accountants and ceased conducting business. However, three years later, the US Supreme Court, in a unanimous verdict, overturned the firm's conviction (click here to access the Supreme Court decision). Unfortunately, the damage to Arthur Andersen was already too late to reverse, including the loss of jobs by 85,000 persons. As Judge Pauley pointed out in his decision in response to Verdmont Capital's motion, "the SEC's cannon of ethics cautions: 'The power to investigate carries with it the power to defame and destroy'." These are important principles that all regulators must consider before they pursue extraordinary relief against any corporation or individual.


Compliance Weeds: Even before the New York State Department of Financial Services adopts any measures, expectations of regulators of registrants in both the securities and futures industry has been increasing during the past year regarding what cybersecurity protections should be in place to protect customer records and information. At the beginning of 2015, the SEC said it would focus on cybersecurity compliance and controls among its 2015 examination priorities for broker-dealers and investment advisers. In September 2015, the SEC provided specific guidance on what it would look at in connection with these reviews. The SEC said it would focus on registrants’ governance and risk assessment related to cybersecurity; access rights and controls; data loss prevention; vendor management; training; and incident response. Also at the beginning of 2015, the Financial Industry Regulatory Authority published a report identifying findings from its 2014 targeted examination of firms related to their cybersecurity practices and recommended practices broker-dealers should implement to minimize the impact of cybersecurity threats. Moreover, the National Futures Association recently adopted an Interpretive Notice requiring members to implement and maintain formal, written information systems security programs by March 1, 2016. Practically, any cyber breach that compromises customer personal information could leave an SEC or CFTC registrant vulnerable to an enforcement action if it had not previously adopted a written policy and procedure reasonably designed to minimize the threat of a cyber-attack and followed such procedure – whether or not an express requirement currently exists. Registrants should therefore ensure they have implemented such a policy and are adhering to it. (For additional information on how financial service firms might help protect themselves against cyber-threats, click here to access an Advisory entitled “Cyber-Attacks: Threats, Regulatory Reaction and Practical Proactive Measures to Help Avoid Risks” by Katten Muchin Rosenman LLP, dated June 24, 2015.)

Totally Irrelevant (But Is It?): For years I told my Derivatives Regulation students that if they only learned one thing for the semester, remember it is the Commodity Futures Trading Commission, not the Commodities Futures Trading Commission. Alas, the NYSDFS should have taken my course. They misspelled the name of the CFTC in their memorandum referencing Commodities not Commodity! How embarrassing.

My View: Implicit in the odd wording used by FINRA to describe JP Morgan’s supervisory violation is that the firm had a procedure to oversee compliance with Reg SHO. It appears, however, the procedure may not have itemized the specific steps to be taken by supervisors in carrying out their supervision. Retrospectively, many procedure manuals are not likely to provide for every step necessary to preclude a potential violation. First, drafters of procedures manuals are likely not sufficiently clairvoyant enough to consider all potential breakdowns. And second, a procedures manual that is too comprehensive and detailed will likely be unread. Indeed, FINRA seems to recognize this as it explicitly requires members solely to have written compliance policies and written supervisory procedures reasonably designed to achieve compliance with applicable FINRA rules (click here to access FINRA Rule 3130) – not perfectly designed! Too often regulators charge failure to supervise as an adjunct to other charged substantive violations. However, not every problem is a result of improper supervision. Sometimes mistakes just happen because humans are flawed. If there is any doubt about this, click here to access the article “Court Chastises SEC for Causing Unwarranted Collapse of Foreign Bank” elsewhere in this edition of Bridging the Week.

My View: Last year, Merrill Lynch, Pierce, Fenner & Smith Incorporated agreed to pay a fine of US $1.2 million to resolve charges brought by the Commodity Futures Trading Commission that, from at least January 1, 2010, through April 2013, the firm failed to employ “an adequate supervisory system” related to the processing of exchange and clearinghouse fees charged to the firm’s customers. This large fine was assessed despite Merrill apparently self-detecting its reconciliation issues and endeavoring to correct them through use of two outside consulting firms. Moreover, the CFTC acknowledged that Merrill’s unreconciled exchange and clearing fees amounted to less than $452,000 over the relevant period, compared to $318 million of total fees paid to relevant exchanges and clearinghouses (i.e., less than a .15 percent unreconciled rate). The FIA’s new publication provides sound guidance regarding steps clearing members should consider to help enhance their relevant policies and procedures and better ensure their customers are assessed correct exchange and clearing fees. However, no adopted measures are likely to ensure flawless compliance. (Click here for details regarding the CFTC action against Merrill in the article, “CFTC Fines Merrill Lynch $1.2 Million for Not Having an Adequate Supervisory System for Its Exchange and Clearinghouse Fees Reconciliation Process” in the September 1, 2014 edition of Bridging the Week.)

And more briefly:

For more information, see:

Banks Sign Relaunched ISDA Stay Protocol to Help Regulators Liquidate a Failed Bank:

Block Trade FAQs Updated by ICE Futures U.S. and ICE Futures Europe:


Broker-Dealer Self-Detects Reg SHO System Problem, Suspends Broken System and Self-Reports but Still Sanctioned by FINRA:

CFTC Extends Swap Data Reporting Relief to Certain Non-US Swap Dealers and MSPs:

Court Chastises SEC for Causing Unwarranted Collapse of Foreign Bank:

Criminal Charges Filed for Massive Cyber Hack of Banks, Brokers and Other Companies:

New York:

ESMA Chair Says Some Delays in MiFID II/MiFIR Roll-Out May Be Necessary:

ESMA Updates Final Rules on Data Reporting:

FCA Proposes Guidance on Outsourcing to the Cloud:

FIA Operations Issues Guide to Help FCMs Better Process Exchange and Clearing Fees:

ICE Futures U.S .Sanctions FCM for Failing to Record and Maintain Oral Communications in Connection With Block Trades; Other Firms Fined for Wash Sales and Position Limits Violations:

BGC Financial:
Freepoint Commodities:
Inertia Commodities:
Sean Matthews:
Christopher Mumm:

NFA Augments CFTC’s FAQs Regarding CPO Form PQR and CTA Form PR:


NYSDFS Previews Likely New Cybersecurity Regulations for Financial Institutions While Urging Coordination by Other Regulators:

Outsourcing of Compliance Functions by IAs May Be Okay but Be Mindful Says OCIE:

The information in this article is for informational purposes only and is derived from sources believed to be reliable as of November 14, 2015. No representation or warranty is made regarding the accuracy of any statement or information in this article. Also, the information in this article is not intended as a substitute for legal counsel, and is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The impact of the law for any particular situation depends on a variety of factors; therefore, readers of this article should not act upon any information in the article without seeking professional legal counsel. Katten Muchin Rosenman LLP may represent one or more entities mentioned in this article. Quotations attributable to speeches are from published remarks and may not reflect statements actually made.

Recent Commentaries




Gary DeWaal

Gary DeWaal is currently Special Counsel with Katten Muchin Rosenman LLP in its New York office focusing on financial services regulatory matters. He provides advisory services and assists with investigations and litigation.

Social Media:


Katten is a firm of first choice for clients seeking sophisticated, high-value legal services in the United States and abroad.

Our nationally recognized practices include corporate, financial services, litigation, real estate, environmental, commercial finance, insolvency and restructuring, intellectual property, and trusts and estates.

Our approximately 650 attorneys serve public and private companies, including nearly half of the Fortune 100, as well as a number of government and nonprofit organizations and individuals.

We provide full-service legal advice from locations across the United States and in London and Shanghai.


Gary DeWaal
Katten Muchin Rosenman LLP
575 Madison Avenue
New York, NY 10022-2585


Request Information »

Join Mailing List »