New York, NY

Thank you, Meredith [Cross], for that kind introduction. It is an honor to be with you here today. I must begin with my standard disclaimer that the views I represent are my own views and not necessarily those of the Commission or my fellow Commissioners.

It is hard to believe that 2019 is almost over. When I think back on the year, one defining theme is broken windows. Why is 2019 the “Year of the Broken Window”? I live in a condominium building with a lobby that has three sides of floor-to-ceiling windows. Three times this year, I have come down into the lobby to find one of these large windows broken. The first time was the routine, upset resident taking a soul-satisfying, hand-crushing whack at a window. The second two incidents though were a bit less commonplace. One morning, I came down around 7 a.m. to find a van nose-first in the lobby. Rather than rounding the semicircular driveway in front of the building, the van headed straight into the lobby. Texting while driving? Medical emergency? Brake failure? I am not sure which, but I did feel bad for the driver, who, although apparently uninjured, was obviously unhappy. Misery loves company, however, and this driver got company. A couple months later, I once again came down in the morning to find a shattered window. No vehicle this time. It had already been cleared out of the lobby. From the condo rumor mill, I gleaned that an early morning car chase had ended with one of the vehicles in my building’s lobby.

Two cars in the front lobby of one building in a year is starting to look like a statistic we should measure. Three broken lobby windows certainly cry out for measurement. Indeed, if broken lobby windows were enforcement cases, we at the Commission would count them and then issue press releases and reports, and journalists and academics would write all sorts of catchy articles based on those delicious statistics. But just as one cannot derive much of a pattern from the three broken windows in my lobby in 2019, one ought to be wary of drawing conclusions from our enforcement statistics. After all, if one of the crashes had happened a few months later, in 2020 instead of 2019, it would look like only one lobby crash per year, even though the two crashes would have been only several months apart. Chopping up enforcement statistics annually is also somewhat arbitrary.

More fundamentally, simply measuring broken windows would mask the important distinction between the erratic driver and distressed neighbor cases. Indeed, even the two car-in-lobby incidents were materially different from one another in important ways, including how the crash happened. Looking only at the numbers would not reveal these important differences. No matter how you slice them, the annual broken window stats are mildly interesting, but really do not tell us much. Each broken window has its own special story.

So, too, each enforcement case is unique, and its import is not easily reduced to a number. Even the penalty numbers cannot tell us much about a case’s importance. Some relatively low dollar cases have been very meaningful to our securities markets, perhaps because of the ancillary relief, such as undertakings to pay back harmed investors or to hire an independent compliance consultant. The case we brought recently against Options Clearing Corporation, for example, did not involve a huge fine compared to many other contemporaneous cases, but included important undertakings to address a number of longstanding issues.[1] On the other hand, some high-dollar cases are misleading in their impact; for example, sometimes a large Foreign Corrupt Practices Act penalty merely amplifies a parallel criminal case.[2]

I have been a vocal skeptic of armchair analyses of our enforcement program that draw grand conclusions merely by counting cases and tallying penalties. Once again, as we are getting close to that special time of the year when the SEC releases its annual enforcement statistics, I urge everyone to take with a grain of salt these analyses of the SEC’s enforcement program. Our enforcement program is not a set of data points. Instead, our program consists of the judgments made by a group of hard-working, experienced, bright attorneys, accountants, economists, paralegals, data analysts, computer experts, and support staff dedicated to safeguarding the integrity of our markets.

The SEC’s Enforcement Division has approximately 1,400 employees and contractors.[3] The Commission annually receives around 20,000 tips, complaints, and referrals, and this number continues to grow each year.[4] Our staff finds other violations on its own, and we get self-reports. Matters take a long time to investigate and develop into an enforcement action. In a report released last month, the SEC’s Office of Inspector General (“OIG”) reported that for fiscal year 2018, “the average number of months between opening a matter under inquiry or investigation and commencing an enforcement action was 25 months.”[5] Given all these numbers, basic math makes clear that we at the Commission do not have the resources to tackle every potential securities law violation. We would not even want to do so, as it would tie the securities markets in such knots that legitimate business could not get done. We strive to spend our limited staff resources wisely and in the most efficient and effective ways possible.

Of course, the cases we bring matter, but so do the careful decisions to drop cases that lack sufficient merit to devote Commission resources to them. If every matter our staff opened for investigation led to a settled or litigated action, it would be hard to argue that our enforcement program is properly calibrated to serve and protect American investors. Instead, we make difficult, sometimes agonizingly difficult, decisions about which cases to carry forward and which to leave behind. Two recent cases come to mind for me. In both instances, I voted no because, although the conduct was terrible, I did not believe it fell clearly within our jurisdiction. I am one of the decision-makers at the Commission, but every person in our enforcement chain is called on to exercise discretion. To assess our enforcement program, it is more enlightening to look at the wisdom of the enforcement choices we make, not the numbers.

How can we make our enforcement program even better than it is? Over the past nearly two years, I have thought a lot about this question as I read the enforcement recommendations sent to my office and talk with our enforcement staff. The SEC’s enforcement program effectively serves American investors and the capital markets that underpin the broader economy. There is, however, always room for improvement. Therefore, in my remaining time with you this morning, I will suggest several avenues for improvement. Some of these themes are familiar, but they are ones that merit being raised with you. I welcome feedback on these suggestions from this room full of seasoned lawyers.

My first recommendation begins with the premise that to strengthen the SEC’s enforcement program, the Commission should be on the lookout for rules that need to be written, eliminated, or rewritten. By modernizing our rules, we can focus our enforcement resources on violations that we believe to be harmful to investors and markets. A case we brought last year to enforce the ban on testimonials under our investment adviser advertising rules made me wonder why we prohibit that kind of marketing.[6] The advertising rule was violated when a radio host—reading a pre-written, pre-vetted ad on air—supplemented it with a brief mention of his own positive experience with the adviser. That ad-libbing was enough to constitute a violation of the advertising rule. Ought we really to be spending enforcement resources to ensure that radio personalities keep mum about their positive advisory experiences? After all, testimonials are extremely common for other products and services because people considering making a purchase or hiring a professional want to hear about the experiences of other people who have tried the product or worked with the professional. The internet has opened up a whole new forum for testimonials, and their prevalence has fostered a healthy skepticism among target audiences of testimonials. I doubt I am alone in scouring reviews when I am looking to hire a professional. Modern reality begs us to ask whether shielding investors from hearing from other investors is still necessary.

Additional changes to the advertising rule, which includes the testimonial ban, also might be warranted. The SEC promulgated the advertising rule, which includes the testimonial ban, in 1961, which, if Wikipedia is to be believed, was also the year that Brian Epstein discovered the Beatles.[7] It is not surprising, therefore, that a proposal to modernize the rule was placed on the agenda for tomorrow’s open meeting. Rather than enforcing anachronistic rules, we should rewrite them and instead devote enforcement resources to the problems of today, of which, I can assure you, there are many.

One place we see problems is the micro-cap segment of the market. The many cases we see involving fraudulent micro-cap stock promotions have me asking what we can do to strengthen the rules to make it harder and less attractive for bad actors to perpetrate pump-and-dumps. The Commission voted recently to propose amendments to Exchange Act Rule 15c2-11, a rule three decades younger than the advertising rule, but an old rule nonetheless.[8] This rule requires broker-dealers seeking to publish quotations in a security in the over-the-counter market to review basic information about the security’s issuer before doing so. Other broker-dealers can rely, or “piggyback,” on the work of the initial broker-dealer. In practice, many issuers’ securities trade even though there is a dearth of current public information. As you can imagine, the information void can become a breeding ground for bad individuals who prey on retail investors.

Enforcement actions are an important way to protect retail investors in the micro-cap space, but by amending Rule 15c2-11, the Commission may be able to take a preemptive whack at some of the bad conduct. Initial commentary in response to our proposal is admittedly not very supportive. Encapsulating early sentiment, one commentator wrote, “This is a terrible proposal, one that will destroy wealth and value for savvy investors who spend extensive time researching and gleaning information from OTC-traded companies, even if those companies do not report to the SEC.”[9] Admittedly, getting the balance right is difficult. As we finalize the rule, we need to make sure that it hinders fraudsters without killing the market for micro-cap stocks. I look forward to further commentary to assist us in properly designing the rule to achieve our objective of ensuring that retail investors can get the information they need to make decisions without imposing undue costs on broker-dealers, issuers, or investors.

Another rulemaking endeavor that might help address concerns associated with the sale of micro-cap stocks is the modernization of our transfer agent rules. The SEC first adopted its transfer agent rules in 1977,[10] and in the 40 intervening years, the rules have remained virtually unchanged, but not because they have been functioning perfectly. Even if they were perfect once, technological and other changes during those years have affected the transfer agent industry. Four years ago, we issued a concept release to get the public’s input on how to change the rules.[11] The Commission’s December 2015 concept release outlined possible heightened requirements regarding the transfer and issuance of restricted securities, including requiring transfer agents – if they suspect potential wrongdoing – to stop the transfer of securities to those who may facilitate illegal distributions.[12] Again, we have to be careful not to impose duties on transfer agents that would dissuade them from serving small issuers, but appropriate documentation and legal opinion requirements, for example, could help prevent illegal distributions. I am hopeful that, drawing on the comments we received, we can soon propose rules that would hold transfer agents to well-tailored standards for our modern markets, equip transfer agents to play a role in improving the integrity of our markets, and allow for competition on a clearly delineated, level playing field.

By establishing an appropriate regulatory framework where none exists, rulemaking can provide companies and individuals a practical path for complying with the rules. In the absence of rulemaking, these would-be good actors are forced to discern the path from a murky mishmash of staff no-action letters and enforcement actions. Two examples come to mind. First, there is no appropriate framework for finders, who—incidental to their primary business—assist in matching potential investors with issuers and get paid for successful introductions. As of today, such finders are regulated as broker-dealers, an ill-fitting framework for people seeking to make a few connections between investors and companies in need of capital. The result, as noted by the SEC’s Advisory Committee on Small and Emerging Companies, is that “[t]here is significant uncertainty in the marketplace about what activities require broker-dealer registration.”[13] Because the rules do not make sense, many finders, whether they know it or not, are not operating legally. A more tailored framework would address investor protection concerns, but would not prohibit legitimate activities.

Given my “Crypto Mom” nickname, you had to expect one of my examples to be crypto-related, so here it is. I am concerned about how the SEC has regulated this space, because I believe our lack of a workable regulatory framework has hindered innovation and growth.[14] The only guidance out of the SEC is a parade of enforcement actions and a set of staff guidance documents and staff no-action letters. For example, the SEC’s web page “Spotlight on Initial Coin Offerings (ICOs),” has an “ICO Updates” section that is headlined by enforcement actions brought by the Commission.[15] Only when you click through to “More” do you see other materials. Of particular concern is that these enforcement actions and guidance pieces, taken together, offer no clear path for a functioning token network to emerge. Instead, I support creating a non-exclusive safe harbor period within which a token network could blossom without the full weight of the securities laws crushing it before it becomes functional.[16] By allowing legitimate projects to get their tokens into the hands of a broad set of developers and network users without fear of enforcement, we also would allow the SEC’s Enforcement Division to focus its resources on the fraudulent actors in the realm of crypto offerings.

My second recommendation to improve the SEC’s enforcement program is focusing more on compliance and less on enforcement as a way to solve the problems we find. Through the great work of the SEC’s Office of Compliance, Inspections, and Examinations (“OCIE”), and its director Pete Driscoll, we can assist registrants who are working hard to comply with a complex, ever-growing set of rules. It is not OCIE’s raison d’être to make enforcement referrals. To return to the broken windows in my lobby, getting the windows fixed as expeditiously as possible mattered a lot more to me than seeing window-crashers prosecuted. What they had done wrong was clear, but if my building manager wanted to handle the window repair without involving the police, fine by me. Similarly, when our OCIE staff discovers a problem, even one where investors have been harmed, it might well conclude that the best course is overseeing a process by which investors are repaid and compliance systems are shored up to prevent a recurrence of the problem. An exam team that identifies and helps correct issues has a “win” on its scorecard. This approach will not result in OCIE or the Commission receiving fanfare or higher enforcement statistics, but that should never be the point—the point is better compliance for registrants. If an enforcement action does not contribute to better investor protection or greater integrity in the marketplace, then what is the point, particularly given that enforcement actions are very costly for the SEC and the people we charge? There is a place—an important one—for enforcement, but it is not our only tool, and depending on the facts and circumstances, it may not be our best tool. Resolving issues through OCIE can raise difficult due process, accountability, and transparency questions, so we need to keep an open door to hear any concerns.

Registrants have a number of avenues for raising concerns. The first is an examination hotline, which OCIE and our Inspector General jointly operate.[17] To raise more general questions and concerns, firms can attend one of the outreach events OCIE periodically holds.[18] Earlier this year, I attended a meeting of the SEC’s Risk Mitigation Forum held by our Fort Worth Office. This forum is the brainchild of Marshall Gandy, who serves as our Co-National Associate Director of the Investment Adviser/Investment Company examination program. The purpose of the forum is to allow SEC staff and representatives of financial services firms to meet and to discuss risk areas they are seeing. I was impressed at the candid, honest, and mutually respectful nature of the discussion. I found the forum extremely helpful in thinking through my views on certain compliance issues.

My third recommendation for us to improve our enforcement program is to be sensitive to the far-reaching implications of the actions we take. The potential loss of individual privacy, for example, deserves consideration. Ever-improving technology has made it easier and easier for governments to collect and analyze information about what their citizens are doing. Given the difficulty of detecting many securities violations, it is tempting to collect and process as much information as possible about what is happening in the markets. Effective data analysis has assisted us in uncovering insider trading and cherry-picking schemes. But sometimes data collection efforts come at the expense of the privacy of the people who participate in our markets. The Consolidated Audit Trail project is the example that comes immediately to mind. The so-called CAT, once it is fully operational, will track all trading activity in the equity and options markets. Originally conceived as a tool to unravel the mysterious causes of market events like the Flash Crash, the CAT is now just as often cited for its potential use as an enforcement tool. This massive surveillance program provides too much information and power to government regulators, and by compiling all this data in one place, sets the stage for potential abuse either by regulators or cybercriminals.

In realms of life other than the financial one, many people rightly object to government monitoring of the activities of citizens who are not suspected of wrongdoing. Shouldn’t similar concerns for people’s rights to go about their private lives without constant government surveillance apply to personal trading? The American Civil Liberties Union raised these concerns in connection with a similar monitoring program proposed—and later shelved—by FINRA a few years ago: “Ordinary individual investors should be able to carry out their financial business without the government looking over their shoulder . . . . Limiting overbroad information collection prevents government overreach and protects ordinary individuals from being caught up in expensive and potential[ly] devastating government investigations.”[19] If we are to be an effective regulator, we must collect some data, but we must be more sensitive to the trade-offs than we have been to date. I would rather have an enforcement program that respects the liberty and privacy of American investors, even if it comes at the cost of lost enforcement opportunities, than an enforcement program that has a hundred-percent success rate at catching wrongdoers.

Another implication of our enforcement program to which we need to be more sensitive is the effect enforcement actions have on third parties. We at the Commission embrace the third-party deterrent message that enforcement actions convey, but we generally fail to realize how muted that message is. The terms of a settled enforcement action, for example, may turn on considerations that will not be obviously determinative to someone reading the facts set forth in the settlement order. I am thinking of one recent enforcement action that generated quite a buzz in the crypto world because some thought its penalty was too low relative to the amount raised in the offering.[20] Yet, there were some underlying facts that might have argued for the opposite conclusion—that the penalty was too high.

My final recommendation to improve the SEC’s enforcement program involves all of you in this room and your clients. Specifically, we all need to acknowledge the valuable role self-regulation can play in preventing and detecting problems. I am not talking here about self-regulatory organizations, with which the financial regulatory landscape is replete. These entities are important, but their regulatory role is so tied to the authority we grant them that they are more aptly described as “quasi-governmental.” I am talking about grassroots self-regulation. In the old days, traders on the floor used to physically block bad actors from getting their orders filled. I am not a proponent of physical violence, and such self-regulation can quickly become anticompetitive. There is room, however, for people in the industry taking their duties to their customers and their commitment to the integrity of the markets seriously and calling out colleagues and competitors for failing to do so.

The SEC is not the only set of people capable of delineating right from wrong in the securities markets. In fact, the judgments of what is right and wrong embodied in many of our rules and enforcement actions are often detached from what normal people would judge to be right and wrong. Thus, an unauthorized radio endorsement spawns an enforcement action, and a slight departure from the SEC’s preferred wording for a conflict disclosure is fraud. When regulation consists of a complex, somewhat arbitrary set of rules that only makes literal and moral sense to the regulators, the regulated lose the impetus, and to some extent the ability, to make their own judgments about what is right and wrong. The result is dangerous since it suppresses the industry’s inclination to regulate itself. Growing up, we all knew parents who so strictly enforced an arbitrary set of rules that their kids, although adept at appearing compliant, did not learn to exercise any independent judgment about what was right or wrong. More effective parents set some basic parameters, but allowed the children to make their own choices so that they could learn to discern right from wrong. The parent-child analogy is not right for the regulator-regulated relationship, but sometimes we, like the overly strict parent, with our regulatory micro-management squash the ability and inclination of regulated persons to exercise their own moral and professional judgment.

In closing, thank you for your attention today, particularly since I understand that you do not get any continuing legal education credit for having listened to me. I hope the rest of 2019 is full of peace, safety, and prosperity. To this end, I recommend that you stay clear of my condominium lobby. If time permits, I would be happy to take a few questions from the audience.