[Senate Hearing 115-134]
[From the U.S. Government Publishing Office]
S. Hrg. 115-134
OVERSIGHT OF THE U.S. SECURITIES AND EXCHANGE COMMISSION
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON
BANKING, HOUSING, AND URBAN AFFAIRS
UNITED STATES SENATE
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
ON
RECEIVING TESTIMONY FROM THE CHAIRMAN OF THE SECURITIES AND EXCHANGE
COMMISSION REGARDING THE AGENCY'S WORK AND AGENDA
__________
SEPTEMBER 26, 2017
__________
Printed for the use of the Committee on Banking, Housing, and Urban
Affairs
Available at: http://www.govinfo.gov/
__________
U.S. GOVERNMENT PUBLISHING OFFICE
28-283 PDF WASHINGTON : 2018
----------------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS
MIKE CRAPO, Idaho, Chairman
RICHARD C. SHELBY, Alabama           SHERROD BROWN, Ohio
BOB CORKER, Tennessee                JACK REED, Rhode Island
PATRICK J. TOOMEY, Pennsylvania      ROBERT MENENDEZ, New Jersey
DEAN HELLER, Nevada                  JON TESTER, Montana
TIM SCOTT, South Carolina            MARK R. WARNER, Virginia
BEN SASSE, Nebraska                  ELIZABETH WARREN, Massachusetts
TOM COTTON, Arkansas                 HEIDI HEITKAMP, North Dakota
MIKE ROUNDS, South Dakota            JOE DONNELLY, Indiana
DAVID PERDUE, Georgia                BRIAN SCHATZ, Hawaii
THOM TILLIS, North Carolina          CHRIS VAN HOLLEN, Maryland
JOHN KENNEDY, Louisiana              CATHERINE CORTEZ MASTO, Nevada
Gregg Richard, Staff Director
Mark Powden, Democratic Staff Director
Elad Roisman, Chief Counsel
Michelle Mesack, Senior Counsel
Laura Swanson, Democratic Deputy Staff Director
Elisha Tuku, Democratic Chief Counsel
Dawn Ratliff, Chief Clerk
James Guiliano, Hearing Clerk
Shelvin Simmons, IT Director
Jim Crowell, Editor
C O N T E N T S
----------
TUESDAY, SEPTEMBER 26, 2017
Opening statement of Chairman Crapo
Opening statements, comments, or prepared statements of:
    Senator Brown
WITNESS
Jay Clayton, Chairman, Securities and Exchange Commission
    Prepared statement
    Responses to written questions of:
        Senator Scott
        Senator Menendez
        Senator Sasse
        Senator Tillis
        Senator Heitkamp
        Senator Cortez Masto
OVERSIGHT OF THE U.S. SECURITIES AND EXCHANGE COMMISSION
----------
TUESDAY, SEPTEMBER 26, 2017
U.S. Senate,
Committee on Banking, Housing, and Urban Affairs,
Washington, DC.
The Committee met at 10:02 a.m. in room SD-538, Dirksen
Senate Office Building, Hon. Mike Crapo, Chairman of the
Committee, presiding.
OPENING STATEMENT OF CHAIRMAN MIKE CRAPO
Chairman Crapo. The Committee will come to order.
Today we will receive testimony from Securities and
Exchange Commission Chairman Jay Clayton regarding the work and
agenda of the SEC.
Thank you, Mr. Chairman, for attending here today.
Oversight of the SEC is a critical function of this
Committee, and the SEC has an important three-part mission: to
protect investors; maintain fair, orderly, and efficient
markets; and facilitate capital formation. No one part of this
mission is more important than the other.
The SEC increases transparency and trust in the U.S. stock
market, providing investors with the material information they
need to make informed investment decisions. It also helps
investors participate in our markets on a fair footing so that
they can prepare for important milestones in their lives, such
as college, retirement, or other life-changing events. It is
critical that the SEC continue its important work to fulfill
this mission.
At the same time, the SEC must be cognizant that its work
may carry risks to the very markets and investors it seeks to
help. I commend you for initiating an assessment of the SEC's
cybersecurity risk profile, Mr. Chairman.
The Commission collects and stores a huge amount of public
and nonpublic data. If this data were subject to a cyber
breach, it could have severe consequences to the markets,
market participants, and to the American public.
I was disturbed to learn that the SEC suffered a cyber
breach of its EDGAR system in 2016, but did not notify the
public, or even all of its Commissioners, until it was
discovered during your recent review.
It is critical that the SEC safeguards the data it collects
and maintains, especially as the consolidated audit trail, or
CAT, becomes operational.
Through the CAT, the SEC will have access to significant
nonpublic market data and personally identifiable information,
including individuals' names, addresses, dates of birth, and
Social Security numbers. The recent Equifax breach has highlighted the
need to protect this sensitive and valuable information. We
need to ensure that entities only collect this type of
information if and when absolutely necessary and, if it is
collected, that it is properly secured.
I am glad to see that under your leadership, Chairman
Clayton, the SEC is taking cybersecurity seriously. Other
regulators and agencies should follow your lead and delineate
their own cyber risk profiles and, if breached, they too should
disclose such events to Congress and the public.
Cyber attacks and breaches are a significant risk at all
entities, both regulators and companies. As part of your work
in the cybersecurity area, you should also review current cyber
risk disclosure guidance to ensure that investors understand
the magnitude and complexity of cyber risks at public
companies.
Along with your attention to cyber, I appreciate your focus
on the standards of conduct for investment advisers and
broker-dealers. The DOL fiduciary rule will limit investor choice,
making investing more expensive for many Americans, and
ultimately hurt the ability for people to save for retirement.
If clarification needs to be made about the standards of
conduct for broker-dealers and investment advisers, I believe
the SEC has the most expertise and is the best positioned to
establish consistent standards for all investors.
I also appreciate your focus and public discussions on the
importance of encouraging capital formation. The capital
markets are essential to helping companies grow, facilitating job growth,
and ensuring that Americans have investment opportunities.
I am interested in hearing your ideas of how we can
encourage more companies to go public without discouraging the
availability of capital in the private market.
The Senate recently passed several bipartisan securities
bills, and we would be interested in additional ways Congress
can improve securities laws to help all Americans.
I look forward to hearing your thoughts on these issues and
on the future agenda of the Commission.
Senator Brown.
STATEMENT OF SENATOR SHERROD BROWN
Senator Brown. Thank you, Chairman Crapo. Welcome, Chair
Clayton, to our Committee for one of many visits I am sure you
will make.
Last week, as just about every adult in America was trying
to comprehend the risks that they or someone in their family
face because of the Equifax cyber breach, you disclosed the
SEC's own breach in 2016. In addition to raising serious
concerns about the integrity of the SEC's data systems, that
breach allowed hackers to obtain nonpublic information and
perhaps make illegal stock trades.
We expect that companies that hold Americans' personal and
financial data will keep that information secure and be upfront
with the public, with regulators, and with lawmakers when
breaches, in fact, occur.
Our regulatory agencies must abide by the same or, frankly,
a higher standard. So when we learn a year after the fact that
the SEC had its own breach and that it likely led to illegal
stock trades, it raises questions about why the SEC seems to
have swept this under the rug. What else are we not being told?
What other information is at risk? What are the consequences to
the American investing public and the American public
generally?
Of course, this breach took place under your predecessor,
we recognize that, but the disclosure, or the lack thereof, is
all yours. How are Main Street investors expected to have
confidence that the SEC can hold big companies accountable when
the SEC is not more immediately forthcoming?
Equifax violated the public's trust twice--first when it
failed to secure the volumes of data it collects and profits
from about Americans' financial lives, and then a second time
when it waited over a month to admit to the breach. How can you
expect companies to do the right thing when your agency has
not?
We all have to earn the public's trust every day. Right
now, the SEC needs to do more, and it needs to make sure that
the companies it regulates do better.
Doing more does not end with cybersecurity. The SEC's
investor protection mandate has never been more important.
Making sure Main Street investors are treated fairly, companies
do not abuse accounting rules, and markets are efficient and
transparent should be at the top of your list at the SEC as you
consider offering reforms and reducing disclosure.
Protecting investors and maintaining financial stability
also means that the SEC needs to finish the Dodd-Frank Title
VII derivatives rules, the incentive compensation rule, and the
rules on clawbacks and hedging equity compensation. Each of
these rulemakings will help enhance investors' and the public's
trust in our markets and the financial system.
Chair Clayton, it's been almost 5 months since your
swearing in. I expect the next 5 months will be more demanding
than the last five.
The list of your responsibilities grows. Now everyone is
watching how the SEC responds and how you personally, as
Chairman of the SEC, hold companies accountable.
Thank you.
Chairman Crapo. Thank you, Senator Brown.
Chairman Clayton, as you know, your full written testimony
has been made a part of the record. I understand that you have
asked for an extra minute for your opening statement, and you
are welcome to have that. But I do not want the Senators to
think that everybody is being granted an extra minute in their
questioning, and I encourage them to remember the time.
With that, Mr. Chairman, please proceed.
STATEMENT OF JAY CLAYTON, CHAIRMAN, SECURITIES AND EXCHANGE
COMMISSION
Mr. Clayton. Thank you for your indulgence.
Chairman Crapo, Ranking Member Brown, distinguished Members
of the Committee, thank you for the opportunity to testify
before you today about the work of the U.S. Securities and
Exchange Commission. I will attempt to be concise in my
remarks, as I know you and the American people have many
important questions regarding, among other things, our cyber
risk profile and the intrusion we disclosed last week.
I will start with a thank you. My fellow Commissioners and
the people of the agency have been incredibly welcoming to me.
I have benefited from each interaction with these dedicated
individuals.
During my four months at the Commission, I have devoted a
substantial portion of my efforts to agency operations,
including assessing whether we have the people, technology, and
office space necessary to succeed in our mission.
As discussed in more detail in my written testimony, I
believe there are four areas where additional focus and
resources are most needed: cybersecurity; retail investor
protection; market integrity, including market structure, risk,
and resiliency; and capital formation.
Specifically with regard to cybersecurity, I have been
focused on this issue, internally and externally, since my
first weeks at the Commission. As recent events demonstrate all
too well, this is an area where we need to devote significant
resources and attention to respond to market developments and
meet the expectations of the American people.
I will turn to the recently disclosed incident. In August
2017, in connection with an ongoing investigation by our
Division of Enforcement, I was notified of a possible intrusion
into our EDGAR system. In response to this information, I
immediately commenced an internal review.
Through this review and the ongoing enforcement
investigation, I was informed that the 2016 intrusion, one,
provided access to nonpublic EDGAR filing information and, two,
may have provided a basis for illicit gain through trading.
We believe the intrusion involved the exploitation of a
defect in custom software in our EDGAR system. When it was
originally discovered, our Office of Information Technology--we
refer to it as ``OIT''--took steps to remediate the defect and
reported the incident to the Department of Homeland Security.
Based on the investigation to date, OIT staff believes that the
prior remediation effort was successful. We also believe that
the intrusion did not result in unauthorized access to
personally identifiable information, jeopardize the operations
of the Commission, or result in systemic risk. I note our
review and investigation of these matters is ongoing, and it
may take substantial time to complete.
This review has two related components. The first is
focused on the 2016 intrusion itself, including efforts to
determine its scope and whether there were or are any related
vulnerabilities in our EDGAR system. Importantly, in conducting
this review, it has been a priority and a constraint to
maintain the security and operational capabilities of EDGAR.
EDGAR is a critical component of our disclosure-based market
system and accepts filings virtually continuously during the
week.
Various agency personnel, including members of the
Enforcement Division, the Office of General Counsel, and the
Office of Inspector General, have been involved in this effort.
In addition, I have formally requested that the Office of
Inspector General begin a review into, one, what led to this
intrusion; two, the scope of nonpublic information compromised;
and, three, our efforts in response. I have asked the Office of
Inspector General to provide recommendations for how the SEC
should remediate any related system or control deficiencies.
The second component of our review consists of our
investigation into trading potentially related to the
intrusion. The investigation is being conducted by our Division
of Enforcement and is ongoing.
There are limits on what I know and can discuss about the
2016 incident due to the status and nature of these reviews.
Nevertheless, this past Wednesday I directed the issuance of a
cyber risk profile statement and a press release highlighting
the 2016 intrusion. I directed this disclosure because,
although many questions remain, I believed that, one, once I
knew enough to understand that the intrusion provided access to
nonpublic EDGAR test filings and, two, that this may have
resulted in the misuse of nonpublic information for illicit
gain, it was important to make that disclosure to the American
public and Congress.
The matter involving our EDGAR system concerns me deeply. I
recognize that I am not the only one who is deeply concerned.
Rightfully, it will cause this Committee and others to increase
their focus on whether the Commission's approach to
cybersecurity appropriately addresses our cyber risk profile.
This is all the more reason it was appropriate to disclose the
intrusion now even though our review and investigation are
ongoing.
As a result of this incident, some have questioned whether
we can appropriately protect the sensitive information we
receive and whether we should receive additional data to
further our mission. This is not the time for the SEC to pull
back from our important market oversight role by limiting our
access to sensitive information. Our mission is too important
to millions of Main Street investors, issuers, and market
participants to do so. We must be vigilant, and we must do
better.
We must also recognize in both the public and private
sectors, including the SEC, there will be intrusions and that
key components of cyber risk management for organizations and
market participants generally are resilience and recovery.
Turning to policy matters, my written testimony discusses
our recent regulatory efforts in detail. I will highlight only
one item: the upcoming Regulatory Flexibility Act Agenda, a
semiannual disclosure of the Commission's near-term priorities.
I believe it is important that these agendas provide
transparency and accountability for agency matters. If they are
to meet their intended purpose, these agendas must be
streamlined to inform Congress, investors, and other interested
parties about what we intend to do and realistically expect to
do over the coming year. We intend to provide just such an
agenda.
Thank you, and thank you for your indulgence on the extra
time.
Chairman Crapo. Thank you very much, Chairman Clayton.
First, I have been long concerned with the growing data
collection requirements by our regulators. I am very concerned
also about the massive data collection that is going on in the
private sector, information about people's lives that can and,
we are seeing, has resulted in damage to them. My concerns have
only grown given the disclosed cyber breaches at the FDIC, the
IRS, the OPM, your Commission, and at other agencies. I have
mentioned many times in hearings the Consumer Financial
Protection Bureau and its massive data collection that I am
very concerned about.
In addition, the SEC itself has come under scrutiny in
recent GAO reports for its own security controls over its key
financial systems and information. The SEC and other agencies
monitor, regulate, and enforce the data safeguards in place at
regulated entities.
Given the amount of data that they collect as well as the
roles they play as the stewards of our markets, the SEC and
other Government agencies must be held to a higher standard
when it comes to cyber readiness.
A couple questions about the current cyber attack that you
are dealing with. Can you give us any more information about
the defect in the software that caused this attack? Or is this
not the time to discuss that?
Mr. Clayton. I do not have any more information about the
type of defect that led to the intrusion. There is an ongoing
investigation. We have gotten the Office of Inspector General
involved, and as relevant facts become available, we intend to
work with this Committee to ensure that you have the
information you need in your oversight role.
Chairman Crapo. And you have said this already in your
testimony generally, but what actions did you take as you found
out about this breach?
Mr. Clayton. So it is not like you find out about a breach
and you know everything on day one.
Chairman Crapo. Right.
Mr. Clayton. This came to my attention in August of this
year. I immediately instructed that an investigation take
place. Over the course of that investigation and review, it
became clear to me that this was a serious matter. When it
became clear to me that this was a serious matter, I made the
determination to take a number of steps, including ensuring
that the system was continuing to work. As I said, it is a
system that is critical to the operations of our markets and
the SEC.
Also, disclosure. I know that that is a focus for this
Committee. Let me get right to it. I decided when this was
serious that disclosure was necessary. Then the question is:
What facts do you have? We tried to gather more facts. You want
to make a clear disclosure. You do not want to make disclosure
that is misleading. I made the decision over the last past
weekend that the time had come to make disclosure. We knew
enough to make the disclosure. We were not going to learn any
more at that time, and we made the disclosure.
We have taken a number of additional steps, including
hiring outside consultants to do penetration testing, constant
reviews of our system. One of the worries in a situation like
this is when you make a public disclosure, other people try to
test and probe. You know, we are under constant attack from
nefarious actors.
So I can go through other things, but that is a high-level
summary of the steps taken.
Chairman Crapo. All right. Thank you very much.
I would like to talk about the consolidated audit trail for
just a moment. The consolidated audit trail, or CAT, is an
issue that has been important to me and many Members of the
Committee for a number of years. Once implemented, CAT will
capture customer and order event information from the time of
the order inception through execution. Such information will
also include personally identifiable information. As I
mentioned, I am concerned by the Government's collection of
such information.
Do you believe that this data must be collected? And if so,
how can you assure that it will be adequately protected?
Mr. Clayton. I do believe that data of the type we are
discussing in CAT is very valuable to our oversight role. If
you look at insider trading or monitoring of investment
managers, broker-dealers, this type of data enables us to
detect insider trading that we would not have been able to
detect in the past. It enables us to prioritize our examination
efforts. It is important.
That said, when I got to the Commission and investigated
the CAT system as a person responsible for it as opposed to
someone from the outside, I quickly made the decision that we
do not want to take sensitive data that we do not need to
further our mission, and we need to examine that data. We also
should not take any sensitive data unless we can protect it,
and I felt that way a month ago, 2 months ago. I feel that way
even more so today.
Chairman Crapo. All right. Thank you.
Senator Brown.
Senator Brown. Thanks, Mr. Chairman.
Equifax, as we know so well, waited 6 weeks to disclose its
cyber breach. The personal identifiers of 143 million Americans
were in the hands of criminals, as we know. Companies may often
say if a matter does not have a material impact on its
financial results, they do not need to disclose it to investors
and the public. Is materiality the right disclosure standard
when a company has a breach and Americans' personal information
is stolen?
Mr. Clayton. Senator, I believe materiality is the core of
our disclosure system. I believe it is the touchstone. Going to
your question about whether companies are making the right
materiality assessment, I think that is a very good question.
Senator Brown. So when it is left in the hands of the
company, with the SEC, just from that response, it does not
seem as engaged maybe in this question and this issue as we
might like. They may continue this kind of behavior.
Mr. Clayton. Companies should be disclosing more. I am not
going to talk about a specific company or a specific set of
circumstances. That is inappropriate in my position. As I look
across the landscape of disclosure--and I have been saying this
for some time--companies should be providing better disclosure
about their risk profile. Companies should be providing sooner
disclosure about intrusions that may affect shareholders'
investment decisions. And I also believe that across the
landscape of our markets, not just company by company or
regulator by regulator but across our markets, there should be
better disclosure as to the cyber risks we face.
Senator Brown. So you would totally disagree with Equifax's
decision to withhold that information for those several weeks,
citing materiality, if they were?
Mr. Clayton. Senator, I am not going to get into a
particular company's decision or nondecision.
Senator Brown. So you cannot say to this Committee that
Equifax was not wrong in withholding this information?
Irrespective of the executives that dumped their stock, forget
that for a moment. You cannot say to this Committee they were
wrong in withholding that information?
Mr. Clayton. It would be inappropriate for me to comment on
that matter, that specific matter. Let me say this about making
the decision on when to disclose: We expect people to
constantly assess--when they have notice of a cyber breach, we
expect people to constantly assess whether that breach is
material to investors and, when they determine that it is, make
appropriate disclosure promptly.
Senator Brown. Well, that is a pretty big concern. If a
company did what they did and the Chair of the SEC is not
willing to be critical of that, that is a concern to a lot of
us.
Let me move to another part of Equifax. This morning,
Equifax announced its CEO is retiring. Two weeks ago, the CIO
and the chief security officer retired. Do you think it is
appropriate, Mr. Chair, for the executives who ran the company
during the massive breach, that they get to retire and keep
their bonuses and stock awards?
Mr. Clayton. Again, Senator, that is a specific matter, a
matter that may come before the Commission, may come before me
to make decisions. It would be inappropriate for me to comment
on that specific matter.
Do I believe that if executives have profited from a high
stock price that is the result of failure to disclose other
acts that are clearly violations of our securities laws, should
there be an ability to get back those gains? Yes, I do.
Senator Brown. And you think the clawback should be ordered
by the SEC, not relying on the board, as Wells Fargo apparently
did?
Mr. Clayton. As you know, there is a pending rulemaking in
this regard, and we are looking at that.
Senator Brown. And isn't it time the SEC finished the
Dodd-Frank clawback rule?
Mr. Clayton. It is one of many mandates. I intend to finish
the mandate. There is a prioritization. I am going to be very
open with this Committee and the American people in the
Regulatory Flexibility Agenda about our priorities, and I
welcome your continued input on how we prioritize those.
Senator Brown. And you understand the American public in
case after case after case feels this Government let it down
when executives through massive incompetence, which may have
been all it was with Equifax, or fraud, if the failure to
disclose contributed to the executives dumping their stock, you
understand the American public's anger with the fact--forgetting
anybody going to prison, I get that; but not even clawbacks for these
executives, you understand the American public's outrage about
that?
Mr. Clayton. Yes, I do.
Senator Brown. OK. Glad to hear it. Thank you.
Chairman Crapo. Thank you.
Senator Scott.
Senator Scott. Thank you, Mr. Chairman. And thank you to
Chair Clayton for being here this morning, and thank you for
your important work.
I once had to answer to the SEC as a financial
representative, and it was never fun to have you guys walk into
the office and share your valuable time with those of us in the
business. However, I do think it is important for us to
recognize the fact that the fiduciary rule has had a negative
impact on many Americans. The average South Carolinian has less
than 1 year's salary in their retirement accounts. Restricting
access to professionals in the financial industry has a
negative impact on the resources available to the average
American for retirement, and the last thing we need to do at
this point is to find ways to get experts out of the household,
which is the unintended consequence of the fiduciary rule from
my perspective.
There was a survey of 600 financial advisers. They found
that 75 percent of the professionals whose clients have
starting assets under $25,000 will take on fewer small accounts
due to increased compliance costs and legal risk under the
DOL's rule. These folks desperately need the experts to make
good, sound financial decisions.
I was pleased to see the 18-month delay, so my question to
you is: What more can you tell us about your coordination with
the DOL on the fiduciary rule and the 18-month delay?
Mr. Clayton. Yes, thank you, Senator. I want to thank
Secretary Acosta for reaching out to the SEC in this regard,
reaching out to say we should work together on this. And I
believe we should work together.
With respect to steps we have taken, I have issued a
request for updated views from investors and from industry
participants on the effects of the DOL rule and what we should
do going forward in terms of standards of conduct. We are
reviewing the information received. I have made it clear that,
based on what I know to date, there are a couple of things that
I want to make sure are reflected in any rulemaking, including
joint rulemaking, we do in this regard, including with the
State regulators:
First, that investors of the type you describe have choice,
that they are not pushed into a narrow set of circumstances as
a result of whatever steps we take;
Second, that there is clarity, that investors know the type
of person they are dealing with, and they know the obligations
owed to them;
Third, that there is consistency. If you have two different
types of accounts--a retirement account and a nonretirement
account--but you are facing the same person, there ought to be
consistency with respect to those accounts;
And, last, coordination, that we, the DOL, and the State
regulators are coordinated in how we approach this.
And I am very much looking forward to working with the
Department of Labor as we proceed.
Senator Scott. Thank you. It certainly is good to have the
SEC and the DOL working together on such an important issue.
State insurance regulators are the experts on fixed-income
annuities. How will you be involving the State regulators?
Mr. Clayton. I have been in dialogue with the State
regulators since I got on the job, and they will be part of
this effort.
Senator Scott. Excellent. I know I am running out of time,
so I do want to make two more points, one on the Chicago Stock
Exchange. The fact that we are looking at Chinese investors
trying to buy the Chicago Stock Exchange, and you pumping the
brakes on that decision I think is good. We all would like to
encourage more FDI, but we need to do it in the most
responsible way possible, so thank you for your position and
your perspective on that issue.
Another issue that seems to be really important these days
is shareholder resubmissions. Management of public companies
should be held accountable by their shareholders. A balance
between both sides ensures productivity and corporate
transparency.
That said, I wonder if the scales have not been tipped a
little bit too far. As of now, we allow for the resubmission of
shareholder proposals even if nearly 90 percent of shareholders
have already voted no in the past. That increases costs and
distracts from long-term thinking, all the while doing little
to protect investors.
How are other shareholders impacted by such a low bar for
proposal of resubmission?
Mr. Clayton. Senator, I agree with you, this is an area
that we should be continually examining because shareholder
access to management is important. There are many times where
shareholders have made proposals that have gotten traction and
have led to positive change.
That said, you identify an issue that you can have: Not
widely held and idiosyncratic views of a few shareholders cost
the other shareholders a substantial amount of time and cost
management a substantial amount of time, which is valuable time
you do not get back. And we need to continually look at that
balance in our oversight role.
Senator Scott. Thank you.
Thank you, Mr. Chairman.
Chairman Crapo. Thank you, Senator Scott.
Senator Tester.
Senator Tester. Thank you, Mr. Chairman.
On the topic that Senator Scott just brought up with the
U.S. stock exchange potential purchase by a Chinese company, I
hope your review would come back negative in that regard. That
is just my opinion as a dirt farmer, OK?
Look, earlier this month, we learned in Montana that
360,000 people had their private information stolen when the
Equifax breach happened. To put that in perspective, that is
over 60 percent of the adults in our State, OK?
I think if the election said anything last time--and it
said many things--it said people on the ground, regular folks,
are tired of folks getting away with apparent wrongdoings. Your
answer, Chairman Clayton, to the Ranking Member that it was
inappropriate to comment on the 6-week delay, the 6-week delay
seems a little bit bizarre to me, especially if, in fact, these
folks dumped stock and tried to--why would they wait 6 weeks?
Mr. Clayton. Senator, these are good questions. They are
valid questions.
Senator Tester. Yeah.
Mr. Clayton. They are questions that the American public
should have. In my position as a person who may have to----
Senator Tester. That is why you do not want to comment,
because it is your position--you believe firmly that these
folks need to be held accountable if there is any wrongdoing,
whether they still have their position or resigned from their
position? You will, to the full extent of the law, enforce the
law?
Mr. Clayton. That is my job.
Senator Tester. Good. I would just say that what transpired
here--and I am not in your position, but 6 weeks is way, way,
way too long. And I just cannot believe that, quite frankly--
and, by the way, Mr. Chairman, I know Richard Smith resigned
today, but I hope he still comes in front of the Committee. I
hope you still can get him in front of the Committee next week,
because I think it is less spending time with his family and
more of not spending time with us. And I think that is really
important. And let me give you an example. They spent 6 weeks
announcing the breach, but his resignation was--papers were
signed yesterday. It was announced today. And so they could do
it quicker if they wanted to do it, and I hope that moving
forward we will be watching, OK?
As far as the SEC's breach, when in 2016 did that happen?
What month?
Mr. Clayton. That is part of our ongoing internal
investigation.
Senator Tester. You do not know for sure?
Mr. Clayton. I do not think we can say for sure.
Senator Tester. OK. One of the questions the Chairman asked
you is: What type of defect caused the breach? And you said you
did not know what that defect was. And it is an honest answer,
but the question is: What is stopping them from doing it again?
If you do not know what the defect is and they breached your
system, it looks to me like they can breach your system anytime
they want if you do not know what the defect is?
Mr. Clayton. I will tell you what I do know. I am told it
was a defect in a custom piece of software for our EDGAR
system. I am not a computer science expert. It has been a long
time since I have done programming. But my understanding of
this landscape, though, is the more custom software is, the
more likely it is to be vulnerable.
Senator Tester. So you were able to cut the custom portion
out that was----
Mr. Clayton. Your characterization and mine are going to be
laymen's. I think that is----
Senator Tester. All right. I got it.
Mr. Clayton.----fair enough.
Senator Tester. So you did say that you were in the process
of a review that would involve--that would determine the scope
of the breach and the response to that scope. What is your
timeline for that?
Mr. Clayton. I cannot give you a timeline. I have
experience with these kinds of investigations. One of the
things we are constrained by is, you know, you have got to pull
a lot of data to look at this, including in terms of scope.
Senator Tester. Yeah. Just let me ask you this: Do you feel
that this is an urgent matter?
Mr. Clayton. I do.
Senator Tester. So when there are not definite timelines,
it has been my experience that these things go on forever. And
I would hope that you as Chairman of the SEC will put the
screws to these folks and make sure that they are getting this
job done so we can find out what is going on. This is a big
deal.
Mr. Clayton. I will, and I have already involved the Office
of Inspector General.
Senator Tester. OK.
Mr. Clayton. Because they should be looking at this as
well.
Senator Tester. One other thing: DOL fiduciary rule. And
Senator Scott said that you were working together to harmonize
those rules. I was thinking about something else. I did not
pick that up. I just want to confirm that. Are you working with
the DOL to harmonize that fiduciary rule so that people do not
get ping-ponged back and forth between two rules?
Mr. Clayton. Yes.
Senator Tester. OK. And do you anticipate--that harmonized
rule will be out when?
Mr. Clayton. This is a priority for me. Everything cannot
be a priority. This is a priority for me.
Senator Tester. Well, you have got a lot of people that
work for you, so you can have more than one----
Mr. Clayton. Yeah, we are pushing this one. This is the top
of my list in that area of the Commission.
Senator Tester. Thank you very much.
Chairman Crapo. Thank you, Senator.
Senator Kennedy.
Senator Kennedy. Thank you, Mr. Chairman, and Mr. Chairman.
You said you found out about the SEC data breach in August
of this year?
Mr. Clayton. Yes, sir.
Senator Kennedy. When did the SEC find out about it?
Mr. Clayton. In 2016.
Senator Kennedy. Did Chairwoman White know about it?
Mr. Clayton. What happened in 2016 and who knew about it is
going to be the subject of this review that I have asked the
Office of Inspector General to--I have no belief sitting here
that Chair White knew about this.
Senator Kennedy. Well, when you found out about it in
August of 2016, how did you find out about it?
Mr. Clayton. Our Division of Enforcement had an ongoing
investigation. Information that they gained in connection with
that investigation caused them to question whether there had
been a breach of our system. And that is the time I launched an
investigation.
Senator Kennedy. And when did they raise that question?
Mr. Clayton. When did they raise that question?
Senator Kennedy. When did they raise the question that
there might have been a data breach?
Mr. Clayton. They raised it to me in August of this year.
Senator Kennedy. Did they raise it at 10 o'clock in the
morning and then call you at 11:00? Or did they know about it
for a while?
Mr. Clayton. I think they raised it promptly upon learning
about it, but, you know, again, our response to this matter is
something that I am concerned about and want to get to the
bottom of.
Senator Kennedy. Well, this bed was on fire when you laid
down in it. I am not blaming you. Did Chairwoman White tell you
about this breach when she was leaving and say, ``This is
something you need to worry about''?
Mr. Clayton. No, no. Like I said, I have no indication that
Chair White had knowledge of this breach.
Senator Kennedy. OK. Will you at some point tell us when
the SEC first learned about the breach--not when you were first
notified, but when the SEC first learned about the breach?
Mr. Clayton. Yes, I have asked the Office of Inspector
General to look into this matter. Those are questions I want to
know the answer to, because they are going to help us do better
going forward.
Senator Kennedy. OK. Is there any possibility, realistic
possibility that the SEC knew about this breach in 2016 and did
not disclose it?
Mr. Clayton. I do not want to go there. I want to wait
until the facts come out.
Senator Kennedy. OK. That is fair.
Let me ask you about the Equifax breach. After the company,
Equifax, learned about the data breach, several senior
executives sold stock. Was that insider trading?
Mr. Clayton. I am not going to comment on that specific
matter for the reasons that I have discussed.
Senator Kennedy. Are you going to investigate it?
Mr. Clayton. We do not comment on investigations, including
whether they are actually pending.
Senator Kennedy. Well, you are not going to ignore it, are
you?
Mr. Clayton. I am not ignoring this. I am not ignoring this
or other events like it.
Senator Kennedy. So I take it you are neither confirming
nor denying that there is an investigation?
Mr. Clayton. That is correct.
Senator Kennedy. OK. Well, if you decide--and I am not
suggesting----
Mr. Clayton. It has been our policy for a long time. I want
to say that, you know, the internal investigation is going on.
Senator Kennedy. Sure. I understand.
Mr. Clayton. I needed to disclose that one. I want to stick
with our policy with respect to third parties.
Senator Kennedy. It is the anti-Comey rule. I understand.
Well, let me put it this way: I am not suggesting you will
not investigate, but if you decide not to investigate, would
you let us know so we can investigate?
Mr. Clayton. I think that is a fair question.
Senator Kennedy. OK. Fair enough. And I am not accusing
anybody of anything. I am really not. But there is more than
just the data breach involved here. There is the sanctity of
our equity markets as well. And I am not accusing anybody of
anything. I think the executives are taking the position that
they knew nothing, saw nothing. This was just a coincidence.
And that may well be, but trust and verify. And I am glad to
hear that you are investigating.
Mr. Clayton. Thank you.
Senator Kennedy. I am about out of time. You know what
strikes me and I think many Americans as curious about the
credit reporting agencies? I did not hire them. I did not hire
them to collect information about me. I mean, they do not
represent me. They represent business, which I understand. But
I did not hire them to collect all this information. And now
all of a sudden my information is out there somewhere on the
dark web. And it seems to me at some point, Mr. Chairman and
Mr. Ranking Member, that that is something we need to talk
about in this Committee, is what the role the credit reporting
agencies play and to whom do they have an obligation.
Well, I am going on too long. Thank you, Mr. Chairman.
Mr. Clayton. Thank you.
Senator Kennedy. This is more interesting than practicing
law, isn't it?
Mr. Clayton. Some days.
Senator Kennedy. Yes.
Chairman Crapo. Thank you, Senator.
Senator Warner.
Senator Warner. Thank you, Mr. Chairman.
Let me, first of all, echo what Senator Kennedy has just
said, the whole notion of the credit rating agencies and the
public's ability to--we have no ability to opt-in to these
systems. We are part of these systems, whether we like it or
not. You know, I am often asked in my job on the Intelligence
Committee what I think the single greatest vulnerability our
country faces is, and I believe it is cybersecurity. And I
believe we do not have a whole-of-Government or whole-of-
society approach on cybersecurity.
In recent times we have seen Russia take unprecedented
action attacking 21 of our States' voting systems. We have seen
our social media platforms being manipulated with false
information in the first, I think, shots of disinformation and
misinformation campaigns, at least indirectly related to cyber.
I appreciate you, Mr. Chairman, coming forward with the
recognition of the EDGAR system breach. I wish it would have
been done quicker, although as has been pointed out, this is
not in isolation. We have seen OPM and a series of other
governmental breaches.
I think Equifax is a travesty. I think the fact that the
resignation of the CEO is by no means enough. I would say--and
I understand your reluctance to acknowledge whether there is an
investigation. Your colleagues at the FTC, who also have a
process in place where they normally do not reveal an ongoing
investigation, have felt that this was so serious that they
acknowledged that there was an investigation going on. And the
Equifax breach is so egregious, one, in terms of the sloppiness
of their defenses; two, in terms of the fact that this was
clearly a knowable vulnerability, they had known for months,
and if they had simply put a patch in place, we might have
precluded this. And then to add insult to injury, Equifax, when
it put up the site to direct consumers after the breach, that
site was not properly domain registered and was known to have
vulnerabilities in its site itself.
So if we do not send a very, very strong message--now, the
market has already taken I think 25 percent off its market
value. But I question whether Equifax has the right to even
continue providing these services with the level of sloppiness
and lack of attention to cybersecurity.
I would also point out--and Senator Brown raised this
question--this is not the first time. I mean, Yahoo last year,
500-million-user breach, and Yahoo did not believe that it was
material enough to even report. My investigation has shown with
9,000 public companies, we have had less than 100 companies
since 2010 feel that any level of cyber incursion was
significant enough to meet that materiality standard to notify
the public. I find that absolutely unacceptable.
I know Senator Brown asked that, but, Mr. Clayton, do you
want to make any other further comment about what the SEC might
be looking at in terms of reviewing these materiality standards
as it relates to cybersecurity?
Mr. Clayton. Yes, I do. I agree with you generally. I do
not think there has been enough disclosure around, as I said,
the risk profile of companies with respect to cybersecurity.
Where are the risks? What are the vulnerabilities? What do we
know and not know? And then if there are breaches, the
disclosure of those specific breaches. I do not think that
there has been adequate disclosure in that regard.
Senator Warner. Well, my hope would be that this would be
something--I know I am very interested in it, and I think
across both sides of the aisle, we would like to work with you
on--whether we need legislative actions or whether we work with
you as an entity.
Let me move to one other topic. I think back in 2014 you
created something called Reg. SCI, which looks at systems. I
have prodded you repeatedly with letters and other items, both
during your tenure and before your tenure, let me make clear.
And this goes to the technical and risk standards of some of
our market structures. It also includes cybersecurity.
Currently, the SCI regs only apply to stock and option
exchanges, registered clearing agencies, and certain
alternative trading systems. We have, in my view, left out dark
pools, alternative trading systems, Treasury markets, other
trading platforms. And I feel if we had much more disclosure
about what SCI--which market structures were covered, then
shareholders and others could vote with their shares and move
their transactions onto platforms who met these minimum
standards rather than having this what I believe is kind of
half coverage and half the market not coverage.
I know we are out of time, but could you address the
question of whether you will take a fresh look in terms of the
SCI regulations about expanding to other parts of market
coverage.
Mr. Clayton. I thank you for your letter, which just by
happenstance I read last night, and I agree with you that we
need to look at those other important venues in our equity
market system to see if they should be reporting on the same
basis, and also as you raised in your letter whether the public
has enough information about which entities are subject to Reg.
SCI.
Senator Warner. Mr. Chairman, I think that would be very
important that we get that information out, because then
responsible entities can vote and move to areas that have this
kind of minimum protections in place.
Thank you.
Senator Brown. [Presiding.] Senator Rounds.
Senator Rounds. Thank you, Mr. Chair.
Good morning, sir.
Mr. Clayton. Good morning.
Senator Rounds. Some of my colleagues have already raised
the issue of cyber attack against the SEC, the target of the
SEC's electronic system for filing the corporate disclosures
and reports. I know that this incident occurred before your
nomination and confirmation, but I would like to hear your
thoughts on what this incident might suggest about our
Government's broader posture with regards to cybersecurity.
I know it is difficult for any one agency to adequately
protect itself against these kinds of intrusions, and sometimes
the level of expertise necessary would help a number of
different agencies and departments. From what you currently
know about the attack that took place, do you feel like you
have adequate resources to protect yourself in the future? And
does there need to be more of a cross-cutting or interagency
effort to prevent these serious intrusions in the future?
Mr. Clayton. Senator, I do believe we need additional
resources going forward. I think that this is an area and a
data point I use to describe this to people. Let me take a step
back.
Other people in my position and in similar positions in
other agencies feel the same way I do, which is that this is a
risk to our agencies, it is a risk to the markets or the areas
of the economy that we regulate and oversee. I believe we will
need more resources going forward. If you will look at the
resources that private actors in our capital markets devote to
information technology and cybersecurity as part of that,
single actors dwarf the amount that we have available to spend
in this area. To me that just tells me we are a bit out of step
and we need to up our game.
Senator Rounds. If you take a look at the--I think the
EDGAR system is your current system that is going to remain in
place, and, basically, as indicated in your earlier testimony,
it is complex. It has been modified; it has been customized.
And based upon the information you have received, that makes it
probably a little bit more vulnerable than some other types of
larger systems that basically have a number of the patches put
together before they ever end up in the public's hands or in
agencies' hands.
You have also got another system coming on board, the CAT
system, the comprehensive audit trail, which will be coming in.
I presume the two of them will be compatible or at least
operational at the same time. When that happens, you will also
have a huge amount of information that will be found at one
location, including a lot of information about investors, their
personal information and so forth, that you will have on the
system itself.
Is it time to say time out and to make darn sure that the
new systems coming on board have been--naturally, we would do a
vetting process anyway, but is it time to actually have those
second and third opinions on this type to make sure that we
have done everything we can to protect this very valuable data
before we go online and then find out that there needs to be a
few more patches made? What are your thoughts on this process
of actually implementing the CAT system in the future?
Mr. Clayton. Two responses. One, since I got to the
Commission and learned more details about the CAT, as I said
before, it has been clear to me that we do not want to be
taking data from the CAT unless we need it and can protect it.
With respect to whether we should have a time-out, I do not
think a full time-out on the CAT makes sense. There is a lot of
data that already exists that we can be collecting that will
further our oversight and regulatory mission. But we should be
examining whether we do, indeed, need that data. We can rank
that data, we can phase in the CAT, and we should be doing--it
is not a zero-one on-off, no pun intended, but we should be
doing the kind of critical thinking that you are asking me to
do in how we bring it online and how we sequence what we do.
Senator Rounds. Do you have the resources to do that
vetting process today?
Mr. Clayton. That vetting process is a prerequisite. So if
I do not have them, that will be time-determinative on how it
comes online.
Senator Rounds. OK. Let me turn to one other subject. I
understand that certain Federal Reserve Bank capital
regulations may be inadvertently causing some liquidity
concerns in the listed options market that the SEC regulates.
Will the Securities and Exchange Commission commit to working
with interested parties on a solution and to make this a
priority?
Mr. Clayton. Liquidity in the options area----
Senator Rounds. Within the listed options market.
Mr. Clayton. It is not just important for the options
market. It is important for all of our markets. So, yes, if
there is a liquidity issue in the options market, it can affect
the cash equities market. And it is important that we focus on
it.
Senator Rounds. More than willing to work with----
Mr. Clayton. More than willing to work--it is an important
issue.
Senator Rounds. I appreciate it. Thank you, sir.
Senator Brown. Senator Warren.
Senator Warren. Thank you, Mr. Chairman. And thank you for
being here, Chairman Clayton.
In one of your first speeches as Chairman, you noted that
there has been ``a 50-percent decline in the total number of
U.S.-listed public companies over the last two decades,'' and
you said that this decline was ``a serious issue for our
markets and the country,'' and you wanted to encourage more
companies to go public so more ordinary investors or ``Mr. and
Mrs. 401(k),'' as you called them, could get opportunities to
invest in emerging companies. And you used this rationale for
arguing that we should review and possibly reduce the
disclosure burdens on public companies.
Now, I want to understand your thinking on this. You
compared the number of public companies today with the number
of companies in 1996 and 1997. That was your comparison point,
which, as you know, was the height of the dot-com boom. And as
you know, there was a sharp increase in the number of public
companies leading up to the 1996 and 1997 years, and then a lot
of those companies failed over the next few years, leaving Mr.
and Mrs. 401(k) losing a whole lot of money.
So when you picked 1996 and 1997 as your target years for
comparison, were you arguing that those were the ideal market
conditions for ordinary investors?
Mr. Clayton. I am happy to pick any period over the last
20--any 5- to 7-year period over the last----
Senator Warren. Well, if you are happy to pick any period,
if you pick other periods, you are not going to come up with
the same conclusion you have.
Mr. Clayton. I think I would. I think that trend has been----
Senator Warren. No, I do not think so. Let us talk about
the trend. But I take it what you are saying is you do not wish
to re-create the bubble that wiped out billions of dollars of
investor value 20 years ago?
Mr. Clayton. No, I definitely do not.
Senator Warren. OK. So let us look at the trends then since
the dot-com bubble popped. There has been a slight decline in
the number of public companies since then. Most of the evidence
shows that that is primarily because of an increase in mergers
and acquisitions. So if you want more public companies, then I
hope you are soon going to give a speech supporting stronger
antitrust enforcement. But let us just look at the IPOs since
that has been your focus.
You said you want to get more investors involved in
emerging companies, which is why you want to see more companies
going public. Now, in 1996, the peak of the dot-com bubble,
there were 624 IPOs with a total of $36 billion in deal volume.
From 2012 to 2016, there were about half that number of IPOs,
but the average annual deal volume was higher than it was in
1996.
In 2014, IPOs raised $96 billion, nearly triple the total
debt volume in 1996. So, in other words, in the last few years,
people are investing more money in IPOs than they did even at
the height of the dot-com boom. So if your primary focus is on
investors, not on the bankers and the deal lawyers who make
money on each of these IPOs, why do you care if there are fewer
IPOs so long as IPOs overall are attracting more investor
dollars?
Mr. Clayton. Because I believe that those IPOs--here
[indicating] is a company's growth curve. I believe those IPOs
used to happen here [indicating], and if you invested in a
portfolio of companies that were down here [indicating], as
part of your overall investment strategy and as they go up the
growth curve, you as a retail investor were better off than
getting on up here [indicating] where the company is mature and
not growing as much.
Senator Warren. Well, I appreciate that that is your point
of view, but have you looked at the data on this? Because the
data show that having fewer but bigger IPOs is better for
investors. The IPO companies now tend to have more revenue.
They tend to perform better in the long run than in the past
when there were more IPOs and more failures, which looks to me
like a positive outcome for Mr. and Mrs. 401(k).
Mr. Clayton. Well, it is a concern to me, Senator--and I
understand different people have different perspectives on
this. It is a concern to me that on the growth curve, most of
that money--I should not say most of the money. A substantial
portion of that money is private money, and those investors
have done very well, and in many cases relatively much better
than----
Senator Warren. Well, I am sorry. All I can do is look at
the data, and what the data show us is that the later--the IPOs
now are performing better for investors and less likely to wipe
investors out.
Let me just state my concern here, Chairman Clayton. You
are using the decline in IPOs to argue that there is something
wrong in the market and that our rules and regulations are
making it too hard for companies to go public. But the data
show that investors are putting more money into IPOs now than
ever before, and that those IPO companies are doing better for
investors because they are more stable before they come to
market.
Loosening the disclosure and the registration requirements
may make life a whole lot more profitable for a handful of
bankers and for corporate attorneys who just want more IPOs in
the system, but there is no evidence that it will make life
better for investors. And it is investors, not bankers and
lawyers, who you are supposed to be watching out for at the
SEC.
Mr. Clayton. I understand that.
Senator Warren. Thank you, Mr. Chairman.
Chairman Crapo. [Presiding.] Senator Schatz.
Senator Schatz. Thank you, Mr. Chairman.
Commissioner, thank you for being here. You said
materiality is the core of the system of disclosure. I agree.
You said companies should disclose more. I agree. I want to
talk a little bit about the risk of climate change and severe
weather events.
In the last 35 years, the average number of
inflation-adjusted $1 billion severe weather events was about 5 1/2 per
year. In the last 5 years, it has doubled. Now, I know in 2010
the SEC provided some guidance about climate disclosure, but
not much additionally has happened. So I want you to talk about
how you view climate change and its materiality, because it is
becoming increasingly clear that we cannot ignore these severe
weather events and the impact that they have on publicly traded
companies.
Mr. Clayton. I do believe--and there are a number of
industries where, if there are patterns and changes in weather
events, these type of things--those developments do have
impacts on companies that should be disclosed. And they have
impacts in many ways, the weather events, the recurrence of
them. You know, are we experiencing increased loss? This is
something that--trends in increased loss, that is something
investors should know about.
Regulatory responses to those events. If there are
regulatory responses to those events that are going to affect
those companies, those companies should discuss them. I believe
that.
Senator Schatz. Do you think the SEC is doing enough to
require this disclosure?
Mr. Clayton. We have issued guidance around this. We have
guidance in a number of areas. I regularly--I cannot say every
day, but on a fairly regular basis--discuss with the Division
of Corporation Finance whether our guidance in this area,
whether our guidance in the cybersecurity area, whether our
guidance in other areas should be updated, emphasized, or, you
know, otherwise changed.
Senator Schatz. OK. I understand you are in conversation.
What is your current thinking about this?
Mr. Clayton. My current thinking is that the guidance is
good. That is my current thinking, but we should continue to
look at it. Senator, I agree with you that there are industries
that need to pay close attention to these trends.
Senator Schatz. Let me give you a specific example, if you
would not mind. Valero Energy's 10-K filing for 2016 states,
``. . . some scientists have concluded that increasing
concentrations of greenhouse gas emissions in the Earth's
atmosphere may produce climate changes that have significant
physical effects, such as increased frequency and severity of
storms, droughts and floods, and other climate events. If any
such effects were to occur, it is uncertain if they would have
an adverse effect on our financial condition and operations.''
At the end of August of 2017, Hurricane Harvey, one of the
strongest Atlantic storms in history, shuttered over 20 percent
of the U.S. oil refinery industry, including five refineries
owned by Valero. These refineries usually produce 1.1 million
barrels a day, which is a third of Valero's total capacity. A
week after the hurricane, Valero's refineries were not back
online.
Does it seem like Hurricane Harvey had a material adverse
effect on Valero's financial condition?
Mr. Clayton. I do not know the numbers, but it would not
surprise me if an event of that type would have an adverse
effect on a company's financial condition.
Senator Schatz. Do you think that the SEC is doing enough
to require disclosure from some of these companies? It seems to
me that part of the problem is politics, that people do not
want to--not for you, but for these companies, they do not want
to weigh into something that is the subject of some
controversy. And the other problem is that just institutionally
the SEC measures risk that can be measured, that is customarily
measured, and that this is a relatively new risk that people
are, scientists are essentially stipulating to, and that the
systems in the SEC and elsewhere in the financial services
industry everywhere is actually not equipped to evaluate this.
And so what we do is we book it at zero. We assume it does not
exist because it is difficult to assess. When you assess
political risk, regulatory risk, other risks that may be
material, you have a way to get at that. But climate risk in
the financial context is new, and so I would just ask that--
2010 is actually a long time ago when it comes to our thinking
about climate, and it is certainly a long time ago when it
comes to the fiscal impact both on the public and the private
sector when it comes to severe weather.
So I do not think that 2010 guidance suffices, and I would
just encourage you to maintain an open mind in this space and
devote some staff time to articulating how we are going to
quantify the adverse impacts of climate change on the industry.
Mr. Clayton. I will.
Senator Schatz. Thank you.
Chairman Crapo. Thank you.
Senator Perdue.
Senator Perdue. Good morning, Mr. Clayton. Thank you for
being here.
I have got a concern, basically a reservation with the fact
that SEC staff today do not have to abide by some of the same
stringent security protocols that other users of the CAT
database are required to abide by. The GAO has previously
identified a few weaknesses related to the SEC's cybersecurity
protocols. Can you give us an update on how you are addressing
those concerns that the SEC has raised at this point and also
the other safeguards around the NMS plan as well?
Mr. Clayton. OK. Senator, I want to make this clear. With
respect to the CAT, we are not going to take the data unless we
need it and unless we can protect it. And with respect to your
specific question about whether our security protocols for
individuals are not as stringent as they should be, I do not
have an answer to that right now, but I----
Senator Perdue. Do you agree with that conclusion? I know
you are new on the job.
Mr. Clayton. But they should be.
Senator Perdue. But do you have a position yet, do you know
yet whether they are, whether you agree with the GAO's
conclusion on that?
Mr. Clayton. I do not have a position on that now, but I
think that we should be mindful of any guidance from the GAO
as----
Senator Perdue. But you are looking at it today.
Mr. Clayton. Yes.
Senator Perdue. And will you come back to this Committee on
that when you get more information, when you have a conclusion?
Mr. Clayton. I am happy to.
Senator Perdue. Great. The second part is the same sort of
concern. Under the JOBS Act, companies with revenues under $1
billion are permitted to confidentially file IPO and secondary
offering statements that would not be released to the public
until 15 days before the road shows. Recently, under your
leadership this ability has been extended to companies of all
sizes. In your view, can you describe the advantages of a
confidential filing how to improve our increasingly more
complicated IPO process?
Mr. Clayton. The confidential filing process greatly aids
companies when they are transitioning to public companies, and
we want companies to transition to public companies. They are
better companies. When they have public company financial
statements, when they go through the process of the SEC
disclosure process, they do become better companies.
Letting the world see all of your financials and all of
your strategies and all of your risks long before you go public
causes some companies to pull back from that.
I am very comfortable and, in fact, think it is a great
idea that we allow companies to confidentially submit that
information so that it can be reviewed, we can comment on it,
we can tell them where they need to improve; and then with
plenty of time for investors to assess that information, make
it public before the IPO. I think it is a very smart move that
in no way lessens investor protection and actually increases
the number of opportunities investors have.
Senator Perdue. Thank you. I just have one last quick
question. The conflict minerals rule, I know that is under
review right now. Can you give us an update on how you guys are
looking at that right now?
Mr. Clayton. Well, there was a court determination that
part of the rule had a First Amendment issue with it. The rule
is on the books. We have issued no-action guidance in how to
comply with the rule in the interim. We are now reviewing the
rule, the no-action guidance, in light of the court case. That
is where it stands.
Senator Perdue. OK. Thank you.
Thank you, Mr. Chairman.
Chairman Crapo. Thank you, Senator.
Senator Van Hollen.
Senator Van Hollen. Thank you, Mr. Chairman. Thank you for
your testimony.
I want to pick up on some of the questions that Senator
Brown asked regarding materiality. You indicated that you
thought that the triggering event for disclosure would be
whether there had been a material change in the circumstances
of the company, right?
Mr. Clayton. Yeah, that is generally----
Senator Van Hollen. Right. And I understand you do not want
to get into the Equifax situation, but you would agree--I am
not talking about any company--that if, in fact, there was a
material change, it would be wrong for executives of that
company to then knowingly trade stock before they had made any
disclosure, right?
Mr. Clayton. Yes, sir.
Senator Van Hollen. OK. So I want to get to what
materiality means, because I do not believe the SEC has any
definition, at least in the context of a cybersecurity breach.
Is that right?
Mr. Clayton. I think the general definition of
``materiality'' does apply to the cyber context.
Senator Van Hollen. No, I do not mean that the concept does
not apply, but there is no standard or definition of how to
apply the concept of materiality to a cyber breach. So, for
example, the SEC does not say if a cyber breach would result in
the disclosure of, you know, X amount of information about
customers and that could lead to a significant change in the
value of a company, the SEC does not itself have that?
Mr. Clayton. That is correct. There is no prescriptive
disclosure of this many people for this long--we do not have
that type of----
Senator Van Hollen. So it is kind of you know it when you
see it. Is that the idea?
Mr. Clayton. That is correct.
Senator Van Hollen. But does the SEC bring these kind of
materiality cases for failure or violation of 8-K disclosure?
Mr. Clayton. We do.
Senator Van Hollen. OK. Well, let me ask you, if you agree
that it is wrong for people to knowingly trade on information
that is material but has not been disclosed, would you agree
that once a company has decided something is material, that
their executives should not be trading that stock, between the
time they decided it is material and the time they actually
file a disclosure to the public, which is now a 4-day period,
potentially?
Mr. Clayton. I am going to be very careful. I think what
you are asking is a control issue. Should there be a control in
place to ensure that when a decision has been made at a company
that there has been a material event and there is going to be a
disclosure, that the company has in place a control to prevent
people----
Senator Van Hollen. Yes, that is exactly what I am
suggesting. Wouldn't that make sense?
Mr. Clayton. I think it is a very good question and a fair
question. Whether that is an area--whether that is an area that
goes into insider trading or whether it goes into a control
failure is something that we need to----
Senator Van Hollen. I understand. It seems to me there
should be a presumption that once a company has decided there
has been a material change and before they disclose that to the
public, there should be just a rule that executives do not
trade that stock. Doesn't that make sense in terms of
protecting the markets?
Mr. Clayton. Having a--I am going to--I do not want to
comment on any specific company, and----
Senator Van Hollen. No; I understand. I am not asking about
a particular company.
Mr. Clayton. Most companies have insider trading policies.
Having a thoughtful insider trading policy with controls of the
type you are suggesting is an important part of good corporate
hygiene.
Senator Van Hollen. Well, let me look. I am working with--
Congresswoman Maloney on the House side has a proposal. We are
working on it with her. But there is a whole question about
when you determine materiality. Right? We were talking about
that. But it seems like a no-brainer that once a company has
determined that there has been a material change and before
they have notified the public, which they have 4 days to do,
you would require them not to sell stock. Why isn't that just
obvious?
Mr. Clayton. I like the concept. When I was in the private
sector, I put the concept into insider trading policies that,
for example, a general counsel would be somebody that a set of
executives had to clear all trades with. Those are types of
things--those are types of----
Senator Van Hollen. Let me just say, so there was a study
done back in September 2015 by Alma Cohen at Harvard Law
School, Robert Jackson at Columbia Law School, Joshua Mitts,
and others have done studies that showed what they called the
8-K trading gap, which is that executives have made money
during this 4-day period, or whatever time elapses between a
decision that some material change has been made and
disclosure. Do you agree that it is wrong for executives to be
making money during that period based on information they have
about materiality?
Mr. Clayton. Absolutely.
Senator Van Hollen. Right. So should there not be a general
rule that once the corporation has made a decision that
something is material, that they not be allowed--their
executives not be allowed to trade during that period?
Mr. Clayton. I like the concept. I have incorporated the----
Senator Van Hollen. OK. We will look forward to working
with you on this----
Mr. Clayton. We can work on this. We can definitely work on
it.
Senator Van Hollen.----because we are working on a bill.
Thank you.
Chairman Crapo. Thank you.
Senator Shelby.
Senator Shelby. Mr. Chairman, sorry I had to leave the
hearing, but we all have some other things.
Chairman Clayton, welcome. I did not have a chance to do
this. Welcome to the Committee. I missed a lot of the
testimony, but I hope this has not been one of the questions.
During your confirmation hearing, you agreed with my
longstanding belief that a cost-benefit analysis for rulemaking
was appropriate at the SEC. I believe it is appropriate at all
agencies. And I appreciate your leadership on this issue.
What is the SEC doing or trying to do to come forth with a
meaningful cost-benefit analysis rule? Because rules cost
money. Sometimes they are really necessary. You know, we need
them. Sometimes it is an overkill. But we all know and you know
in your other life that--I do not believe enough work has been
done in the cost-benefit analysis, and we are talking about
securities in your area right now. Go ahead.
Mr. Clayton. Senator, I agree with you that cost-benefit
analysis is very important in rulemaking, and it is important
in rulemaking not just in should we have the rule or not have
the rule. If we have the rule, how should it be crafted? What
are we getting for this component as opposed to the cost of
that component? It is not just yes or no, but it is how we
craft the rule and, importantly, you know, what people are
going to do to demonstrate compliance. And are we getting the
best compliance requiring them to demonstrate it that way?
We want, you know, the best compliance, but we want it to
be done in the most efficient way to get there, and I very much
believe that.
Senator Shelby. Where are you and what are you doing--I
know you have not been at the SEC too long, and we are glad to
see you there. But what do you expect to do as far as setting
the tone and the standards down there?
Mr. Clayton. This is an area that is of--I do not----
Senator Shelby. It is a complicated area.
Mr. Clayton. It is a--I like it because it is complicated.
Senator Shelby. It is.
Mr. Clayton. And I like sitting with our economists, and I
have enjoyed sitting with them and discussing exactly these
things, including around some of the pending rulemakings that
we have.
So this is a focus. We brought on a new chief economist. I am
very happy to have him on board. So this is an area that is of
interest to me, and I agree with you in this area.
Senator Shelby. I was not here earlier, but it is my
understanding that the trend of fewer IPOs was mentioned, you
know, which a lot of us do not like because that seems like the
economy is not doing as it should. What is your thought on that
without rehashing everything that has been gone over there? And
what is the trend and what is the data there? What is the
information?
Mr. Clayton. People focus on IPO or no IPO. IPO is the
water coming into the bathtub. There are going to be reasons
things are going out of the bathtub. But I want a bigger
bathtub. I want a bigger bathtub because I want people to have
more choice. And I do not want--it is very difficult for retail
investors, either directly by buying stock or indirectly
through mutual funds, to have access to investment
opportunities outside of the public capital markets. So on
balance, I would like a larger public capital market because I
would like retail investors to have more access to those
choices.
Senator Shelby. We have in this country, some people
believe, $4 to $5 trillion in capital, I will just use the
term, ``lying around,'' looking for a better investment. Look
at the savings accounts. You know, people are not getting much
there. The dividends, the money markets, you know, you name it.
How can we put a lot of that money to work for the economy? I
know this is not your total--you are not Secretary of the
Treasury, but what you do and what your colleagues do at the
SEC does feed right into our economic growth.
Mr. Clayton. My aim is more and better investment
opportunities, but I want to also be clear. A focus for me has
been retail investor fraud, because while I want to get more
and better investment opportunities, tamping out those repeat
actors who prey on----
Senator Shelby. Get rid of them, absolutely.
Mr. Clayton. And that is as important, if not more
important, than increasing the number of opportunities. And so
we have got to do both.
Senator Shelby. Bring some confidence back to the retail--
the little person, right?
Mr. Clayton. Yes, absolutely.
Senator Shelby. Thank you. And we like what you are doing
at the SEC. Thank you.
Mr. Clayton. Thank you, Senator.
Chairman Crapo. Thank you.
Senator Heitkamp.
Senator Heitkamp. Thank you, Mr. Chairman, and thank you,
Mr. Clayton. Before I start with questions, I think you and I
had a long conversation about a bill that Senator Heller and I
had that would create a full-time small business advocate
within the SEC. You have moved expeditiously to do that, and so
I want to acknowledge that help and to tell you how critically
important it is that we have that outreach, because what you
are trying to do, in your exchange with Senator Warren, is
really build that opportunity and see that next new startup
that could, in fact, result in General Motors or Microsoft or
whatever comes along. With that said--and I think they all
started in a garage or they all started with a great idea.
I want to just kind of walk through some of the thinking
that people in my State have. You know, they think about
gambling, and they think about Las Vegas, and a lot of them
think that what you do is about gambling. And they think that
if they go to Las Vegas, there is a whole regulatory body that,
if someone cheats, they are going to get caught and the game is
fair. And if they cheat--or if somebody is rigging the system,
they have some level of confidence that they are going to go to
jail.
I think if you took, you know, gambling, straight up
gambling--right?--and you used those same kind of guidelines or
at least benchmarks that people feel about the equity markets,
I think Las Vegas gets, you know, probably an A, A-minus for
soundness and security and fairness. And I do not know you get
an A or an A-minus. I think the equity markets, as best you
could do, you are probably at a C. And if we do not respond to
this and if we do not respond to the issues that have been
raised across the table here on what happens when the public
out there sees executives trading after a material event--and
they would not use that language. They would say, ``Here it is
again.'' You know, ``They make money and we lose money. We
would have had shares. Had we known it, we would have sold our
shares. But now we are worth 25 percent less in our 401(k) if
we held that share.''
Tell me what we are going to do to convince my retail
purchaser, which you just talked about, that what you are going
to do is unrig this system and get it back to a level of
confidence that the equity markets are fair.
Mr. Clayton. I can tell you that I know the people at the
Commission and I look at those people when we make decisions.
You know, people make fun of it or do not make fun of it, Mr.
and Mrs. 401(k). That is how I look at what I am doing. And
that is in the markets, I mean, I know that what they want to
know is that we are--we have their back, that we are policing
the large public companies, that we are looking at what the
executive is doing, that if they are taking unfair advantage of
information in that 4-day window that Senator Heller mentioned,
that that is not appropriate and we are going to do something
about it.
As far as retail folks go, I am also really worried about
the amount of retail fraud. I will tell you that the amount of
retail fraud I see every day in terms of the enforcement
actions that we see disgusts me, and we just--you know, it has
been in the works for some time. We just implemented a new
retail fraud unit because, like you, I believe that if the Main
Street investor does not think we have their back, we are not
doing our job.
Senator Heitkamp. Well, I think----
Mr. Clayton. That is how I feel.
Senator Heitkamp. It is not if the Main Street investor
thinks that you do not have--they do not really believe you
have their back.
Mr. Clayton. Well, I want to----
Senator Heitkamp. There has just been too much history
here. And to act boldly and to act directly is absolutely what
is essential to bring back that confidence. And if it is all
behind the curtain, pay no attention, we are studying it, we
are studying it, people go, yeah, they will study it until the
next time it happens. Then they will study it again. And we are
never protected because we do not have access to that
information, and we lose money, because when that becomes--when
the public knows, guess what happens? That stock tanks, and I
take the loss while the executives walk away with the big
payoff.
It just is not a formula for success, and I honestly
believe people trust the regulators at Las Vegas to make sure
that that slot machine is fair more than they trust you to make
sure that when they buy an equity on your markets that they are
treated appropriately.
Mr. Clayton. If that is the case, I want to change it.
Senator Heitkamp. Well, I think you need to really focus,
because I believe it is the case.
Mr. Clayton. OK.
Chairman Crapo. Thank you.
Senator Cotton.
Senator Cotton. Thank you, Mr. Chairman. And, Mr. Chairman,
welcome to the Committee.
Mr. Clayton. Thank you.
Senator Cotton. I want to focus on some of the challenges
that overregulation is putting on smaller businesses and
smaller investors. You may be aware of a small business in
Arkansas that we call Walmart, somewhat large now. There was a
time, though, when it was kind of small. It continues to
provide lots of great jobs for Arkansans, to provide their
groceries and their kids' toys and their clothes and everything
else under the sun.
I have in my hand from 1970 a Walmart IPO document. Pretty
thin, huh? Twenty-six pages--20 if you exclude the financials.
It is Walmart's IPO from 1970.
I have in my hand the Snap IPO document from just last
year--247 pages, 10 times the size of Walmart's IPO.
I think this explains one of the reasons why we have so
many fewer IPOs than we once did, especially for smaller firms.
I do not think you can attribute it simply to the dot-com boom
from 20 years ago. After all, other developed countries have
seen a 50-percent increase in listed companies over the same
time period, and the types of those IPOs have changed as well.
Many small-cap IPOs have declined significantly here or gone
overseas. That means ultimately that small investors, the kind
of people that invested in Walmart based on this--a document
that any high school-educated person with a bit of business
sense could understand and became pretty wealthy on it over the
years. As Walmart grew and their stock split and they grew and
their stock split--no longer have access to these kind of
small-cap growth companies. They go increasingly into the
private market. They benefit only the most affluent Americans.
So without saying that private markets are bad, could you
please give us a list of the steps that you are taking or you
intend to take that are going to encourage more initial public
offerings in this country?
Mr. Clayton. So we have already taken a couple of steps.
One is to allow more confidential filings, which under the JOBS
Act has proven to be an encouragement for people to consider
the public offering process.
We have reduced the need to file financial statements that
will not end up being part of the public disclosure package to
reduce the burden on companies seeking to go public or
otherwise using the public markets.
The confidential filing process does extend for a period of
time, which allows companies to get secondary liquidity, which
also encourages them to go public. That is another aspect of
it.
On the agenda is our review of S-K, the broad disclosure
package, to try and modernize and enhance it. I want the
disclosure package to be just as good and provide just as much
investor protection, but I want it to be more accessible. It
needs to be more accessible. We cannot have documents that can
only be read by lawyers.
Senator Cotton. Do you think anybody reads a document that
long and makes an investment decision on it besides a lawyer?
Mr. Clayton. Very few.
Senator Cotton. Do you think lawyers even read it?
[Laughter.]
Mr. Clayton. Lawyers do crazy things.
Senator Cotton. I know lots of small mom-and-pop investors
in Arkansas since 1970 have read this document, and they made a
lot of money off of it, and they provide a lot of jobs and a
lot of affordable price/quality goods, so I am glad to hear you
are taking those steps.
A related story I want to tell and get your response to,
the president of a small broker-dealer in central Arkansas,
really not much more than just a family-owned firm, they have
got six people, said that he would not start that firm today
given the regulatory burden he faces. One example he gives is
that Dodd-Frank expanded the Public Company Accounting
Oversight Board oversight to include annual audits for all
broker-dealers registered with the SEC, so that means that his
six-person firm now is held to the exact same auditing
standards as a company the size of Walmart or Apple or Google
or anything else. That means his costs have skyrocketed, and he
does not think the quality of those audits are any better. This
is just one more example, although in a different space, of the
cost of overregulation.
Do you think it would be appropriate to have some kind of
threshold to exempt these smallest firms from that kind of
regulation, much as we have different standards for community
banks? If so, what kind of threshold might you consider?
Mr. Clayton. Senator, I had a view, and it has been
affirmed by my time at the Commission, that one-size-fits-all
does not work in a lot of areas. It probably does not work in
that area.
Now, I also do not think that it should be you are either
in or you are out; you know, you are either in regulation or
you are out. Once you decide that one size does not fit all,
the real question becomes: How do we scale it? Where do we put
those steps? That is how I intend to approach regulation in
some of these areas.
Said another way, if we have one-size-fits-all in some of
these areas, we are only going to get one size.
Senator Cotton. I agree, and I appreciate that. This looks
at another area in which I think that just because Walmart
needs to use a giant accounting firm under existing law out of
New York or Dallas or Chicago does not mean a six-person
broker-dealer firm in central Arkansas cannot use a very
competent, qualified auditing firm from Conway or Searcy or
Bryant or what have you.
Thank you.
Mr. Clayton. Thank you.
Chairman Crapo. Thank you.
Senator Donnelly.
Senator Donnelly. Thank you, Mr. Chairman. Thank you, Mr.
Chairman.
I understand the SEC is currently reviewing the proposed
acquisition of the Chicago Stock Exchange by a Chinese company.
I do not expect you to comment on the specific transaction, but
can you please generally describe the review process within the
SEC?
Mr. Clayton. Yes, sir. The review process within the SEC is
actually styled as a rulemaking, and there was 240 days for a
division of the Commission, subject to delegated authority from
the Commission, to review the application. That was approved.
An approval like that provides the Commission with an
opportunity to review the approval. The Commission took that
opportunity, and we are reviewing the decision.
Senator Donnelly. In light of recent high-profile cyber
breaches, including at Equifax and the SEC, are you at all
concerned that the ownership and control of an American
exchange by a foreign entity could expose our markets to new
risks and vulnerabilities?
Mr. Clayton. I am not going to comment on the specific
matter before the Commission at this time. It is a matter that
I am going to be deciding on, so it would be inappropriate. But
I am aware of the various issues raised by commentators.
Senator Donnelly. So I am not asking you specifically in
regards to this company. I am asking you as an overall policy.
Does that concern you at all about a foreign entity that could
possibly expose our markets to new risks and vulnerabilities?
Mr. Clayton. Senator, absolutely. Not just a foreign owner,
but state actor intrusions and state actor monitoring of our
financial markets is an issue that troubles me.
Senator Donnelly. As the SEC continues reviewing financial
disclosure requirements under Regulation S-K, I hope you will
consider whether corporations should disclose country-by-
country employment data. It helps investors determine when
companies employ American workers and better understand where
outsourcing and offshoring has occurred.
Are you willing to consider a country-by-country employment
disclosure as part of the SEC's broader review?
Mr. Clayton. I am willing to consider the S-K guidance on--
and the rest of S-K in terms of providing a more accessible
disclosure package for investors, including in areas of
employment.
Senator Donnelly. I want to go back to an area you and I
have talked about before, actually this spring, and that is,
stock buybacks. At your confirmation hearing, we discussed my
concerns with the flurry of stock buybacks at large
corporations, often conducted mainly with the goal of
increasing stock prices to impress Wall Street investors. I
think that short-term thinking has come at the expense of long-
term investments and innovation that would have benefited our
country. And we have seen it again in recent times where a
company chose to use some of the funds that were going to be
used for stock buybacks to actually make an acquisition. And
their stock was immediately hammered in large measure because
it was not going to be the buyback. It was actually just trying
to add to the business. And if you look long term, that does
not make sense.
But former Chair White publicly stated last year the SEC
was looking into when and how often companies should tell
investors about share repurchase programs. She was presumably
referring to the SEC's concept release to solicit the public's
views on financial disclosure requirements and Regulation S-K.
Currently, stock repurchases are reported quarterly. Do you
think companies should be required to disclose stock buybacks
more frequently than once every quarter?
Mr. Clayton. I am not going to comment specifically on
something that, you know, we are reviewing. I am concerned, as
you and I have discussed, I am concerned about this issue and
any abuse of stock buybacks. I recognize they have a lot of
value in certain circumstances. They are a way to return
capital--many well-functioning companies see it as an efficient
way to return capital to shareholders. Many investors engage
with companies and, you know, we want investor engagement with
companies, engage with companies and push for stock buybacks.
Now, you know, we can determine whether their motives are--
we cannot determine in the abstract whether their motives are
pure or long term or short term, but there are a lot of
considerations that go into this. But as you and I have
discussed, one thing that does trouble me is if these stock
buybacks are motivated not by the long-term interest of the
company but some short-term interest. And I am looking at
disclosure in this area in that light.
Senator Donnelly. And I will finish by saying if you take a
look at what is going on with hedge funds and others, I think
you will find that much of their efforts regarding stock
buybacks have nothing to do with company development or
strengthening but simply taking as much out as quickly as
possible.
Thank you, Mr. Chairman.
Chairman Crapo. Thank you.
Senator Reed.
Senator Reed. Thank you very much, Mr. Chairman. And thank
you, Chairman Clayton, for joining us today.
In general, do you think investors understand the
cybersecurity risk that the companies face that they invest in?
And put another way, can companies do a better job, should they
do a better job disclosing the risk in their disclosure
documents?
Mr. Clayton. No, I do not think the general level of
understanding in the market is where I would like it to be, and
I do not think the disclosure is where it should be.
Senator Reed. And through your regulatory authority at the
SEC, you could shape that disclosure. Are you working on that?
Mr. Clayton. I am.
Senator Reed. Thank you.
There is also a kind of theory I have that, having watched
the agency over several decades in this cybersecurity world it
is expensive to stay ahead with technology software, and as a
result, when Dodd-Frank was being written, I put in language
that allows the SEC to deposit up to $50 million a year in a
reserve fund for cybersecurity and other tools.
First, are you funding this? Are you accessing this source
from registration fees?
Mr. Clayton. The $50 million? We want and need the $50
million for IT.
Senator Reed. And you physically are taking it and
depositing it?
Mr. Clayton. We are using it.
Senator Reed. OK.
Mr. Clayton. It is part of our budget going forward.
Senator Reed. And there was in our legislative process a
$100 million limit put on the fund. So you are prepared to go
up to $100 million?
Mr. Clayton. Let me say this, Senator: I think we need to
spend more money. When I got to the Commission, I made some
assessments. We went with a flat budget for the next fiscal
year. I will not be asking for a flat budget for fiscal year
2019. We are going to need more money in the area of
cybersecurity and IT generally, and I intend to ask for it.
Senator Reed. Well, I appreciate that because, again, money
is not the solution to every problem, but it is usually part of
every solution. So you have got to have it. You have a
mechanism with this reserve fund to take it right from the
registration fees. It does not have to go through OMB or
anyplace else. And there is a $100 million limit. At that point
you cannot take any more. So I would urge you to aggressively
do that.
The other thing I would urge you to do is to resist any
attempts to take away this fund because the Administration has
proposed in 2018 that the fund be eliminated, that your ability
to access these monies be gone. I think given the current
situation with cybersecurity, you have to have the money, and I
hope you agree.
Mr. Clayton. Senator, I agree that the purpose of the fund
including to be able to make longer-term commitments than year
on year to cybersecurity is a very good idea.
Senator Reed. Thank you.
Let me just quickly go back to the point that Senator
Donnelly was making about stock repurchases. You make a very
thoughtful point about stepping back and looking at it in terms
of the long run benefits to shareholders and to the investing
public, not the quick in and out. And, you know, you went back
and forth about using money for a stock buyback rather than
purchases.
I have heard of instances where companies were actually
conducting stock repurchases while their pension plans were
underfunded. Are you aware of any situations?
Mr. Clayton. I am not aware of any specific situation.
Senator Reed. Would that be something that you would want
to look at in terms of the propriety of doing a stock
repurchase when, you know, a commitment that has been made to
employees is not fulfilled?
Mr. Clayton. It is a very interesting question. I want to
be responsive. I have not thought about that particular
question. I would say, though, if what you were doing--what
somebody is doing from a governance perspective--this may be a
broader issue, but if what somebody is doing from a governance
perspective is putting a funding obligation at jeopardy by
buying back equity, you know, that is a serious consideration
for a board of directors.
Senator Reed. Would you have authority to stop the
practice, either by rule or----
Mr. Clayton. I am not sure, Senator. I would need to look
into that.
Senator Reed. You know, Mr. Chairman, I think these are
issues that deserve close review and study. I do not think
there is--at this point jumping to a conclusion is not the way
to approach it. But I think these are the types of issues that
you should be considering because, again, I think we are both
committed to the long-term profitability and effectiveness of
these companies, not the short-run in and out. So thank you,
Mr. Chairman.
Mr. Clayton. Thank you.
Chairman Crapo. Senator Cortez Masto.
Senator Cortez Masto. Thank you, Mr. Chair. Chairman
Clayton, good to see you again.
Mr. Clayton. Good to see you.
Senator Cortez Masto. Excuse me, I did not get to hear your
opening. I am juggling two committees at the same time. But
with your indulgence, I want to kind of follow up on the
previous hearing that we had and your confirmation hearing and
just follow up on some of the questions we had and just see
where you are today with those.
Beginning in 2009, as we were dealing with the peak of the
foreclosure crisis, the SEC Chair at the time expanded the
authority to issue investigative subpoenas to about a dozen or
so senior officials in your Enforcement Division. Before that
time, Commissioners themselves had to vote on each and every
subpoena, and it slowed the enforcement down to a crawl.
Before your tenure, Acting Chairman Piwowar initiated a
review of whether the SEC should revert to the prior burdensome
process for issuing subpoenas. When I asked you about this at
your confirmation hearing, you said you needed to discuss this
with other Commissioners and SEC staff before commenting. Now
that you have been there 4 months, have you made a decision?
Mr. Clayton. I have. I have.
Senator Cortez Masto. And what is the decision?
Mr. Clayton. There was a time, as you noted, that formal
order authority rested with the Commissioners and the
Commissioners had to vote on it. That was transitioned to the
Director of the Division of Enforcement for efficiency reasons,
as you cite. Later on, it was put out to the regional offices,
and they had the ability to have formal order authority to open
an investigation.
It was pulled back to now the co-Directors of the Division
of Enforcement, Stephanie Avakian and Steve Peikin. I have sat
with them and discussed this with them, with an eye toward
whether there was any kind of slowing down in the ability to
open matters. They are totally comfortable that there is not.
One or both of them are available. I have probed on this,
whether there was any urgency, whether funds would be leaving
the country or other reasons for having formal order authority
out at the regional offices. I am comfortable that there is not
one, and I am comfortable that there is a benefit having that
authority resting with the two of them.
Senator Cortez Masto. And their staff.
Mr. Clayton. Well, their staff supports them, but----
Senator Cortez Masto. Right.
Mr. Clayton. They, of course, get the information. Having
it with them enables them to more efficiently manage the
Enforcement Division across the offices and makes sure that we
do not have, for example, somebody in San Francisco opening a
case in Miami.
Senator Cortez Masto. So it has reverted back. So you have
pulled it back essentially.
Mr. Clayton. No, we are not fully back. We are not back at
the Commission. We are at the Division of Enforcement level,
and I am very comfortable that that is where it belongs.
Senator Cortez Masto. Right, and so that is essentially
staff that has that authority.
Mr. Clayton. Staff has the authority.
Senator Cortez Masto. Right, so it is still--you pulled it
back a little bit, but still gave the staff the authority, so
it is not back at Commission level.
Mr. Clayton. Correct, and I am very comfortable that they
are doing a good job.
Senator Cortez Masto. OK. I appreciate that.
And then in our private meeting in the office and at your
confirmation hearing, you stated your belief that individual
accountability has a greater deterrent effect across the market
and one tool to hold individuals accountable is the so-called
Yates memo that was put out by the previous Administration,
that my understanding current Attorney General Sessions and
Deputy Attorney General Rosenstein are looking at right now.
They are looking at rescinding it or weakening its directives
to prosecutors.
In your view, is this memo consistent with what you have
told me in this Committee and you have emphasized in your
speeches about the need to hold individual corporate executives
responsible for corporate misconduct?
Mr. Clayton. Senator, that is my view, that individual
accountability, particularly in a corporate context, has a
greater deterrent effect than simply corporate accountability.
Senator Cortez Masto. And so have you thought about what
you would do if DOJ, who is your partner in prosecution,
rescinds the Yates memo? How would you handle that?
Mr. Clayton. We coordinate with DOJ in these matters, but I
do not think that--let me--I am comfortable that the way our
Division of Enforcement is now approaching these matters and
looking at individual accountability is correct, and that that
is going to continue.
Senator Cortez Masto. OK. So that is still your emphasis
and concern?
Mr. Clayton. Yes.
Senator Cortez Masto. OK. Thank you.
As a lawyer in private practice, you criticized aggressive
enforcement of the Foreign Corrupt Practices Act for placing
significant costs on U.S. companies, and President Trump
himself criticized the FCPA when he was a businessman,
basically saying it created competitive disadvantage for U.S.
companies when they are not able to bribe foreign governments.
Mr. Clayton. That is actually not what I said.
Senator Cortez Masto. That is what President Trump said.
Mr. Clayton. OK.
Senator Cortez Masto. When he was a businessman. This world
view now appears to be permeating law enforcement. One analysis
found that as of September 1st, the Trump administration has
brought only three of these enforcement actions, and the two
from the SEC, each had roots in Obama administration
investigations. And what is curious is at this point in time
during the same time during the Obama administration, 25 cases
had been filed, and 17 by the Bush administration. Can you tell
me, is the SEC slowing down Foreign Corrupt Practices Act
investigations and prosecutions? Or can you explain these
numbers to me, why they are so low?
Mr. Clayton. No, we are not slowing them down. And I want
to go back to the 2011 article that I participated in writing.
What I was saying was we need to think about whether we are
doing this alone around the world and getting our partners in
other countries on board, and our partners in other countries
have come on board, and--not everywhere, but in some places,
and that actually makes it easier to pursue this type of
behavior and actually have an effect in doing so.
Senator Cortez Masto. So what you are saying is our
partners in other countries now have had an epiphany and they
are all cooperating and following the law?
Mr. Clayton. Not in every country, but the prosecutors in
similar securities authorities in other countries have upped
their game substantially.
Senator Cortez Masto. OK. I notice my time is up. Thank you
very much.
Senator Shelby. [Presiding.] Senator Sasse.
Senator Sasse. Chair Clayton, thank you for being here. I
would like to discuss the history of cybersecurity breaches at
the SEC. Can you tell me how many cybersecurity breaches there
have been historically at the Commission?
Mr. Clayton. I do not have that data with me today,
Senator.
Senator Sasse. And who----
Mr. Clayton. And defining what a breach is is----
Senator Sasse. Who would know? Who in your organization
reports to you that has responsibility for this?
Mr. Clayton. The Office of Information Technology is the
office within the SEC that has overall responsibility. Since
getting to the Commission, I have been reviewing how we handle
these matters from an oversight perspective, including
establishing a cybersecurity working group to get at these
issues, including how we share information about breaches,
attempted intrusions, risks across the Commission. As I
testified earlier, these are areas that we need to bring focus
to.
Senator Sasse. And who heads that office? And how senior
are they? Are they a direct report to you, or who do they
report through?
Mr. Clayton. The head of the Office of Information
Technology is Pam Dyson, and she is a direct report to me and
also to our Office of the Chief Operating Officer.
Senator Sasse. And how many direct reports do you have?
Mr. Clayton. Precise number? It is between 20 and 25.
Senator Sasse. Got you. Is this the first breach at the SEC
that you think could have facilitated the trading of inside
information?
Mr. Clayton. Senator, I cannot tell you with 100 percent
certainty that this is the only breach that we have had. I am
not in a position to tell you that.
Senator Sasse. OK. The SEC statement has argued that, ``The
intrusion did not result in the unauthorized access to
personally identifiable information, did not jeopardize the
operations of the Commission, or result in systemic risk.'' Do
you think there has been any breach at the SEC that compromised
personally identifiable information in the past?
Mr. Clayton. So based on what we know now about the breach,
the 2016 breach that I disclosed, we do not think there was
personally identifiable information given the file type or
where it houses, you know, a systemic risk. So I want to make
that clear. That is based on what we know today. An
investigation is ongoing.
In terms of whether there has been a breach at the SEC
where personally identifiable information was accessed, to my
knowledge today, I do not know of any. But I cannot--in this
area, I cannot give you a 100 percent certainty that that has
not happened.
Senator Sasse. OK. I want to ask a parallel question. So in
this case, we do not think there was personally identifiable
information, and you do not think that there ever has been
historically. In this case, the SEC has a statement that says
it did not jeopardize operations of the Commission.
Historically, do we know of any breaches that have ever
jeopardized operations at the SEC?
Mr. Clayton. I know of no historic breaches that have
jeopardized operations, but it is an area that is of concern to
me. We do provide services that are essential to the
functioning of the marketplace.
Senator Sasse. Agreed.
Mr. Clayton. And a denial-of-service attack at the SEC in
one of those areas would have material effects across our
market system.
Senator Sasse. I share your concern, and I believe you to
be greatly concerned about this. I was presiding over the
Senate the last hour and a bit, so I did not get to hear the
beginning of your testimony, and I know you have covered some
of this information. Instead of trying to have you sort of
repeat parts of it and pieces of it that may need to consult
with Ms. Dyson and whatever other consultants you have on the
project, I will send you an extensive list of QFRs, if that is
OK. And so instead of staying here--but could I get your
commitment that we will get a quick response to that list? And
I want to acknowledge in advance that a lot of it is technical
and long, but we would love--I think this Committee and the
Senate would love to partner with you in trying to upgrade our
cybersecurity. You do oversee critical functions of the
Government and public trust in financial markets, and I think
that we probably need more urgency on this, and I think this
branch would love to partner with your branch. But we will send
you a long list, but I would like your commitment that we will
get a quick response, please.
Mr. Clayton. I think it is entirely appropriate, and you
have my commitment.
Senator Sasse. Thank you, sir.
Senator Sasse. Thank you, Chairman.
Senator Shelby. Senator Brown.
Senator Brown. Thank you, Mr. Chairman. I am not asking for
a second round, just one question to wrap up, and thank you for
your indulgence.
In a recent speech, SEC Commissioner Piwowar suggested that
companies that go public should be permitted to require that
shareholders resolve claims in arbitration and not in the
courts. That would be what we call ``forced arbitration.'' As
you know, Mr. Chairman, this is contrary to corporate
governance best practice and contrary to the SEC's stated views
on this issue.
My question is: Will you continue to support SEC practice
that preserves shareholders' rights to go to court and to
reject mandatory arbitration requirements for companies going
public?
Mr. Clayton. Senator, I am not going to prejudge that
issue, but I do understand that this is also a State law issue,
and in many States you are not permitted to have mandatory
arbitration. But I am not going to categorically say that, you
know, you would never have a situation where something other
than accessing State law remedies for a particular or several
particular items is off the table. But I am very cognizant--I
am very cognizant--that the ability to go to court is something
that is of great value to shareholders.
Senator Brown. And it is the SEC's view on this issue
today, as you know.
Mr. Clayton. I do not think the SEC has articulated a
definitive view on this issue.
Senator Brown, we have done so in the context of particular
requests in the past. There have been requests in the past, and
there is a long history there that I am happy to discuss with
your staff, but I do not think the SEC has articulated a firm
view on this issue in the past.
Senator Shelby. Mr. Chairman, I was told by the staff that
the questions for the record that will be propounded to you are
due next Tuesday. I know that is not long, but you are a pretty
diligent man. You will get it in.
Thank you for your appearance before the Committee today,
and we wish you well in your job. Thank you.
Mr. Clayton. Thank you, Senator Shelby.
Senator Shelby. The hearing is adjourned.
[Whereupon, at 11:55 a.m., the hearing was adjourned.]
[Prepared statements, responses to written questions, and
additional material supplied for the record follow:]
PREPARED STATEMENT OF JAY CLAYTON
Chairman, Securities and Exchange Commission
September 26, 2017
Chairman Crapo, Ranking Member Brown, distinguished senators of the
Committee, thank you for the opportunity to testify before you today
about the work of the U.S. Securities and Exchange Commission (SEC or
Commission).\1\
---------------------------------------------------------------------------
\1\ The views expressed in this testimony are those of the Chairman
of the Securities and Exchange Commission and do not necessarily
represent the views of the President, the full Commission, or any
Commissioner.
---------------------------------------------------------------------------
It is an honor to testify before this Committee for the first time
since my confirmation. Since joining the SEC, my experience has
strongly reinforced my view that our talented and committed staff is
fundamental to the agency's effectiveness. The SEC's mission to protect
investors, maintain fair, orderly and efficient markets and facilitate
capital formation is deeply engrained throughout our offices and
divisions. I also want to thank Commissioners Stein and Piwowar for
their valuable counsel and guidance to me as well as for their
unwavering commitment to the Commission.
With a workforce of about 4,600 staff in Washington and across our
11 regional offices, the SEC oversees, among other things (1)
approximately $72 trillion in securities trading annually on U.S.
equity markets; (2) the disclosures of over 8,100 public companies, of
which 4,300 are exchange listed; and (3) the activities of over 26,000
registered entities, including investment advisers, broker-dealers,
transfer agents, securities exchanges, clearing agencies, mutual funds,
exchange traded funds, the Financial Industry Regulatory Authority
(FINRA) and the Municipal Securities Rulemaking Board (MSRB), among
others. We also engage and interact with the investing public on a
daily basis through a number of activities ranging from our investor
education programs to alerts on our SEC.gov portal. Additionally, on a
typical day, investors and other market participants view disclosure
documents filed on our EDGAR system more than 50 million times.
In a July speech, I outlined the principles that should chart the
course for the SEC moving forward. The principles reflect my
interactions with the men and women of the Commission staff.
These guiding principles are as follows:
1) The SEC's tripartite mission is its touchstone;
2) Our analysis starts and ends with the long-term interests of the
Main Street investor;
3) The SEC's historic approach to regulation is sound;
4) Regulatory actions drive change, and change can have lasting
effects;
5) As markets evolve, so must the SEC;
6) Effective rulemaking does not end with rule adoption;
7) The costs of a rule now often include the cost of demonstrating
compliance; and
8) Coordination is key.\2\
---------------------------------------------------------------------------
\2\ Remarks at the Economic Club of New York (July 12, 2017),
available at https://www.sec.gov/news/speech/remarks-economic-club-new-york.
---------------------------------------------------------------------------
While I will not go into great detail on all of the principles
here, I would like to highlight the second principle, which is
particularly important to me--that our analysis starts and ends with
the long-term interests of the Main Street investor; or as I call them,
``Mr. and Ms. 401(k).'' At a time when greater responsibility is
shifting to Main Street investors to save for their own retirement, I
am confident that this is the correct metric for our analysis of
success in meeting our tripartite mission. If Mr. and Ms. 401(k) are
able to invest in a better future, then the SEC is serving them and our
markets well.
Cybersecurity
Cybersecurity is an area that is vitally important to the SEC, our
markets and me personally. The prominence of this issue and the
heightened focus the agency has on it is the result of various factors,
including (1) the increased use of and dependence on data and
electronic communications, (2) the greater complexity of technologies
present in the financial marketplace and (3) the continually evolving
threats from a variety of sources. Cybersecurity touches the daily
lives of virtually all Americans, whether it is our accounts with
financial services firms, the companies we invest in or the markets
through which we trade.
Last week, I issued a press release and statement that (1)
discussed the Commission's cyber risk profile, (2) reviewed our approach to
oversight and enforcement and (3) disclosed a 2016 intrusion that I
recently discovered may have led to illicit trading.\3\ The statement
was part of an ongoing assessment of the SEC's cybersecurity risk
profile and preparedness that I initiated upon joining the Commission
in May. The initiative has various components, including the formation
of a senior-level cybersecurity working group to coordinate information
sharing, risk and threat monitoring, incident response and other cross-
divisional and interagency efforts and an assessment of reporting and
escalation procedures.
---------------------------------------------------------------------------
\3\ Statement on Cybersecurity (Sept. 20, 2017), available at
https://www.sec.gov/news/public-statement/statement-clayton-2017-09-20.
---------------------------------------------------------------------------
I will now discuss the 2016 intrusion. In August 2017, in
connection with an ongoing investigation by our Division of
Enforcement, I was notified of a possible intrusion into our EDGAR
system. In response to this information, I immediately
commenced an internal review. Through this review and the ongoing
enforcement investigation, I was informed that the 2016 intrusion into
the test filing component of our EDGAR system provided access to
nonpublic EDGAR filing information and may have provided a basis for
illicit gain through trading.
We believe the 2016 intrusion involved the exploitation of a defect
in custom software in the EDGAR system. When it was originally
discovered, the SEC Office of Information Technology (OIT) staff took
steps to remediate the defect in custom software code and reported the
incident to the Department of Homeland Security's United States
Computer Emergency Readiness Team (US-CERT). Based on the investigation
to date, OIT staff believes that the prior remediation effort was
successful. We also believe that the intrusion did not result in
unauthorized access to personally identifiable information, jeopardize
the operations of the Commission or result in systemic risk. Our review
and investigation of these matters, however, as well as the extent and
impact of the intrusion and related illicit activity, is ongoing and
may take substantial time to complete.
Our review and investigation of this matter consists of two related
components. The first component has been focused on the 2016 intrusion
itself, including efforts to determine its scope and whether there were
or are any related vulnerabilities in our EDGAR system. Importantly, in
conducting this review and related forensic analysis, it has been a
priority and a constraint to maintain the security and operational
capabilities of EDGAR, which is a critical component of our disclosure-
based market system and accepts filings virtually continuously during
the week.
Various agency personnel, including members of the Enforcement
Division, the Office of General Counsel and the Office of the Inspector
General (OIG) have been involved in this effort. In addition, I have
formally requested that the OIG begin a review into what led to the
intrusion, the scope of nonpublic information compromised and our
efforts in response. I have also asked the OIG to provide
recommendations for how the SEC should remediate any related system or
control deficiencies. We also are pursuing and considering other
measures that may enhance our investigative, remediation and prevention
efforts.
The second component of our review and investigation consists of
our investigation into trading potentially related to the intrusion.
This investigation is being conducted by our Division of Enforcement
and is ongoing.
There are limits on what I know and can discuss about the 2016
incident due to the status (ongoing and incomplete) and nature
(enforcement) of these reviews and investigations. Nevertheless, I
directed the issuance of the press release and statement this past
Wednesday. I made this disclosure because I believed that, once I knew
enough to understand that the 2016 intrusion provided access to
nonpublic EDGAR test filings and that this may have resulted in the
misuse of nonpublic information for illicit gain, it was important to
disclose the incident and our cyber risk profile more generally to the
American public and Congress.\4\
---------------------------------------------------------------------------
\4\ Press Release 2017-170, SEC Chairman Clayton Issues Statement
on Cybersecurity: Discloses the Commission's Cyber Risk Profile,
Discusses Intrusions at the Commission, and Reviews the Commission's
Approach to Oversight and Enforcement (Sept. 20, 2017), available at
https://www.sec.gov/news/press-release/2017-170.
---------------------------------------------------------------------------
Looking forward, I have authorized the immediate hiring of
additional staff to aid in our efforts to protect the security of the
agency's network, systems and data. I also directed the staff to
enhance our escalation protocols for cybersecurity incidents in order
to enable greater agency-wide visibility and understanding of potential
cyber vulnerabilities and attacks. This matter involving our EDGAR
system concerns me deeply.
I recognize that I am not the only one who is deeply concerned.
Rightfully, it will cause this Committee and others to increase their
focus on whether the Commission's approach to cybersecurity
appropriately addresses our cyber risk profile. This is all the more
reason it was appropriate to
disclose the 2016 intrusion now even though our review and
investigation are ongoing. We must remain on top of evolving threats
when it comes to securing our own networks and systems against
intrusion. This is especially true when protecting systems dealing with
sensitive market and other data involving personally identifiable
information. This means regularly evaluating progress, pursuing
improvements and making it a priority to invest sufficient resources so
our systems keep up with the fast-changing threat environment.
Other initiatives resulting from the general cybersecurity review
we initiated in May are ongoing or will commence shortly. These include
internal and inter-agency incident response exercises and continued
interaction on cybersecurity efforts with other Government agencies and
committees, including the Department of Homeland Security, the
Government Accountability Office and the Financial and Banking
Information Infrastructure Committee.
Despite the attention given to widely publicized cyber-related
incidents experienced by the Commission and others, I still am not
confident that the Main Street investor has received a sufficient
package of information from issuers, intermediaries and other market
participants to understand the substantial risks resulting from
cybersecurity and related issues. As a general matter, it is critical
that investors be informed about the threats that issuers and other
market participants face.
To be sure, we are continuing to examine whether public companies
are taking appropriate action to inform investors, including after a
breach has occurred, and we will investigate issuers that mislead
investors about material cybersecurity risks or data breaches. As is
noted in my July speech and on various other occasions, I would like to
see more and better disclosure in this area.
Cybersecurity must be more than a firm-by-firm or agency-by-agency
effort. Active and open communication between and among regulators and
the private sector also is critical to ensuring the Nation's financial
system is robust and effectively protected. Information sharing and
coordination are essential for regulators to anticipate potential cyber
threats and respond to a major cyberattack, should one arise. The SEC
is therefore working closely with fellow financial regulators to
improve our ability to receive critical information and alerts, react
to cyber threats and harmonize regulatory approaches.
Overall, by promoting effective cybersecurity practices in
connection with both the Commission's internal operations and its
external regulatory oversight efforts, it is our objective to
contribute substantively to a financial market system that recognizes
and addresses cybersecurity risks and, in circumstances in which these
risks materialize, exhibits strong mitigation and resiliency.
Regulatory Agenda
We have been hard at work developing our regulatory agenda,
consistent with the eight principles outlined above. As you know, we
have a number of statutorily mandated items that we need to address,
and we are considering how to advance those while also pursuing other
initiatives that are central to the fulfillment of our statutory
mission. Mandated rulemakings include those required by both the Fixing
America's Surface Transportation (FAST) Act and the Dodd-Frank Wall
Street Reform and Consumer Protection Act. In the coming weeks and
months, I expect the SEC's near-term rulemaking objectives to be fully
reflected in our upcoming Regulatory Flexibility Act Agenda. As a
general matter, I believe it is important that these publicly available
agendas provide the necessary transparency and accountability for
agency matters. If these plans are to meet their intended purpose, they
must be streamlined to inform Congress, investors, issuers and other
interested parties about what the SEC actually intends--and
realistically expects--to accomplish over the coming year.
Putting together a rulemaking agenda has not slowed work to fulfill
the SEC's mission. As you know, Commissioners Michael Piwowar and Kara
Stein advanced a number of important matters before I came on board,
including moving to a two-business-day standard settlement cycle--or
T+2.
I would like to now highlight several of the SEC's accomplishments
since I joined my fellow Commissioners and the women and men of the SEC
in May.
Facilitating Capital Formation
The U.S. capital markets have long been the deepest, most dynamic
and most liquid in the world. They provide businesses with the
opportunity to grow, create jobs and furnish diverse investment
opportunities for investors, including retail investors, pension funds
and other retirement accounts. Our markets also have long
provided the United States economy with a competitive advantage and
American Main Street investors with better investment opportunities
than comparable investors in other jurisdictions. We should be striving
to maintain and enhance these complementary positions, including being
mindful of emerging trends and related risks.
In this regard, I continue to be troubled by the negative trend in
the number of public companies--fewer companies are choosing to go
public in their growth phase or at all and, consequently and
significantly, there are fewer investment opportunities for Main Street
investors. It is clear to me that our public capital markets are
relatively less attractive to growing businesses than in the past.
Based on my review and discussions with Commission staff and others,
the reporting, compliance and oversight dynamic between private and
public markets appears out of sync. Costs--ranging from direct
compliance costs to the consumption of management and employee
bandwidth--for public companies, particularly smaller and medium-sized
companies, far outstrip those of comparable private companies. Thus,
many companies with the choice of going public may be incentivized to
stay private or stay private longer.
I view Mr. and Ms. 401(k) as bearing a potentially significant cost
as a result of the shrinking number of public companies. I expect this
dynamic, if not addressed, will lead to fewer opportunities for Main
Street investors to invest directly in high quality companies. To be
clear, it is not fewer opportunities to invest in IPOs themselves that
troubles me. But without IPOs of growing companies, we have a shrinking
and generally more mature portfolio of public companies. This is a
significant concern. A shrinking proportion of public companies,
particularly smaller and medium-sized companies, has costs beyond
investment choices, including that there will be less publicly
available information about the operations and performance of companies
that are important to our economy.
I believe a key to restoring vibrancy in our public markets is a
recognition that a one size regulatory structure does not fit all.
Fortunately, this is not just a theory--through Congress's enactment
of, and the SEC's work on, the Jumpstart Our Business Startups (JOBS)
Act, there is an ecosystem displaying that a scaled disclosure and
regulatory system provides incentives for companies to conduct public
offerings while maintaining the world's most robust investor
protections. To be clear, this does not mean that we would sacrifice or
limit the core principles of our public disclosure regime and other
essential investor protections for the sake of accelerating public
issuances. It is clear to me that companies that go through the U.S.
IPO process emerge as better companies, with better disclosure. We want
to encourage and preserve that dynamic. Overall, the SEC will strive
for efficiency in our processes to encourage more companies to consider
going public, which will result in more choices for investors, job
creation and a stronger U.S. economy.
To this end, the SEC, through the Division of Corporation Finance
(Corporation Finance), is undertaking efforts to promote capital
formation, especially in our public markets. Corporation Finance
recently announced that it would accept voluntary draft registration
statement submissions for certain securities offerings, including for
initial public offerings and offerings within 1 year of an IPO, for
review by the staff on a nonpublic basis.\5\ This expanded policy
builds on the confidential submission process established in response
to the JOBS Act. We believe this approach provides a meaningful benefit
to companies and investors, and a number of companies have already
pursued this path.
---------------------------------------------------------------------------
\5\ Draft Registration Statement Processing Procedures Expanded,
Division of Corporation Finance Announcement (June 29, 2017)
[Supplemented August 17, 2017], available at
https://www.sec.gov/corpfin/announcement/draft-registration-statement-processing-procedures-expanded.
---------------------------------------------------------------------------
Corporation Finance also issued guidance clarifying that companies
may omit from draft registration statements interim financial
information that otherwise will not be required when a company files
its registration statement.\6\ This guidance should enable a company to
reduce costs associated with preparing financial information that
ultimately would not be included in its filing. To be clear, this
guidance saves costs, but investors continue to benefit from the full
array of financial information required when a company publicly files
its registration statement.
---------------------------------------------------------------------------
\6\ See Securities Act Forms Compliance and Disclosure
Interpretation 101.04 and 101.05, available at
https://www.sec.gov/divisions/corpfin/guidance/safinterp.htm.
---------------------------------------------------------------------------
Corporation Finance is also considering whether there are other
areas in which interpretive guidance could assist companies without
reducing investor protections, and whether enhancements can be made to
staff processes to further benefit companies and investors.
Additionally, we are taking steps to fill the position of Advocate for
Small Business Capital Formation (Advocate) and form the Office of the
Advocate for Small Business Capital Formation (Office) and the Advisory
Committee on Small Business Capital Formation (Advisory Committee), as
required by Congress in the SEC Small Business Advocate Act of 2016.
Among other statutorily mandated functions, the Advocate will identify
areas in which small businesses and small business investors would
benefit from changes in Commission regulations or self-regulatory
organization (SRO) rules. The Advocate also will work to identify
problems that small businesses have securing access to capital,
including any unique challenges to minority- and women-owned
businesses.
We recently announced the application process for selecting the
Advocate, which will cast a wide net that will encourage people with
expertise and interest in facilitating capital formation throughout the
country to apply. I anticipate that the Commission will select the
Advocate in the coming months which will allow him or her to continue
the agency's work through the Office and the Advisory Committee to
facilitate capital formation for small businesses across the country.
Much work remains to be done in this area, but I am pleased with
the staff's efforts to provide additional opportunities for issuers and
investors alike.
Disclosure Effectiveness
I expect that the Commission will move forward in the near term on
a number of additional initiatives aimed at promoting capital
formation. For example, the Commission will soon consider a rule
proposal required by the FAST Act to modernize and simplify the
disclosure requirements in Regulation S-K in a manner that reduces
costs and burdens on companies while still providing for the disclosure
of all required material information.
The staff is also developing recommendations to finalize rule
amendments that would eliminate redundant, overlapping, outdated or
superseded disclosure requirements. In addition, the staff is
developing recommendations for the Commission on final rule amendments
to the ``smaller reporting company'' definition, which would expand the
number of issuers eligible to provide scaled disclosures.
Further, the agency is continuing our initiative to modernize and
simplify our disclosure requirements generally. We have a number of
projects underway related to that effort, including, among others:
(1) Considering changes to the rules in Regulation S-X related to
requirements for financial statements for entities other than the
issuer; and
(2) Updating industry-specific disclosure requirements, such as the
property disclosure requirements for mining companies and preparing
recommendations for proposed rules to modernize bank holding company
disclosures.
CEO Pay Ratio Disclosure
Corporation Finance also is examining existing disclosure rules,
with an eye toward easing compliance burdens while maintaining the
mandated disclosure. To be clear, the SEC is required to implement
rulemakings mandated by statute in accordance with applicable law,
including the pay ratio disclosure rule adopted pursuant to Section
953(b) of the Dodd-Frank Act. This rule was adopted on August 5, 2015,
and will continue to be implemented on schedule.
In response to questions about the pay ratio rule, the Commission
recently approved interpretative guidance to assist companies in their
compliance efforts.\7\ Specifically, the interpretative guidance
clarifies the disclosure rules mandated by Congress in a way that is
true to the mandate and, to the extent practicable, allows companies to
use operational data and otherwise readily available information to
produce the disclosures. Additionally, the staff issued guidance which
includes examples illustrating how reasonable estimates and statistical
methodologies may be used. The staff will continue to monitor the
rollout of the rule, in particular for whether unanticipated costs or
difficulties have arisen.
---------------------------------------------------------------------------
\7\ Press Release 2017-172, SEC Adopts Interpretative Guidance on
Pay Ratio Rule (Sept. 21, 2017), available at
https://www.sec.gov/news/press-release/2017-172.
---------------------------------------------------------------------------
Standards of Conduct for Investment Advisers and Broker-Dealers
I have made clear in public statements that I am focused on the
standards of conduct that investment professionals must follow in
providing advice to Main Street investors. The extensive study of the
subject to date illustrates the complexity of the issue and the fast-
changing nature of our markets, including the evolving manner in which
personalized investment advice is provided. Main Street investors
should have access to high-quality, affordable investment advice and a
diverse range of investment products without sacrificing the
protections of the securities laws.
Since my confirmation, the Department of Labor's (DOL's) fiduciary
rule has partially taken effect. Staff conversations with investors and
firms, prior to the DOL's proposed extension, as well as various press
reports, indicate that broker-dealers are considering, and some have
started taking, a variety of actions to comply with the DOL Rule,
including: (1) increasing compliance resources and efforts (e.g.,
disclosure, documentation and training, in particular, with respect to
costs and rollover recommendations); (2) increasing the use of robo-
advice; and (3) reevaluating and changing the types of products and
accounts (and related fees) offered to retirement investors, focusing
particularly on products or accounts that would address the compliance
requirements driven by the Best Interest Contract Exemption (e.g.,
shifting some or all of their retirement accounts to level-fee advisory
accounts).
Further, staff understands mutual fund complexes are considering
various approaches to accommodate broker-dealers' efforts to level
compensation across similar types of products in response to the DOL
Rule. These approaches include, for example: (1) issuing ``clean
shares'' that do not have any sales loads, charges or other asset-based
fees for sales or distribution (thus allowing brokers to set their own
commissions that would be paid directly by investors);\8\ and (2)
issuing ``T-shares''--or ``transaction shares''--that have uniform
sales charges across all fund categories.
---------------------------------------------------------------------------
\8\ Related to this effort, on January 11, 2017, the Division of
Investment Management issued interpretive guidance to Capital Group
clarifying that Section 22(d) of the Investment Company Act of 1940
does not prevent a broker acting in an agency capacity from charging
its customers a commission for transacting in ``clean shares'' of a
registered investment company. Capital Group used the term ``clean
shares'' to refer to a class of fund shares without any front-end load,
deferred sales charge or other asset-based fee for sales or
distribution. Capital Group, SEC Staff Letter (Jan. 11, 2017),
available at
https://www.sec.gov/divisions/investment/noaction/2017/capital-group-011117-22d.htm.
---------------------------------------------------------------------------
While the SEC and the DOL have different statutory mandates,
rulemaking processes and jurisdictions, actions taken by one regarding
standards of conduct are going to have a significant effect on the
other's regulated entities and the marketplace. In other words, effects
of the DOL rule extend well beyond the DOL's jurisdiction, and vice
versa. It is important that we understand these effects and work
closely and constructively with DOL to implement appropriate standards
of conduct for financial professionals who provide advice to retail
investors. We are engaging expeditiously and constructively with our
colleagues at the DOL to best serve the interests of investors.
As for Commission action related to standards of conduct, the SEC
has been reviewing this area for some time. In recognition of the vast
changes in the marketplace since the SEC last solicited information 4
years ago, on June 1, 2017, I issued a statement seeking public input
on standards of conduct for investment advisers and broker-dealers.\9\
In it, I articulated some key principles--clarity, consistency and
coordination--that I expect to guide our approach. Specifically, our
standards should be clear and comprehensible to the average investor,
consistent across retirement and nonretirement assets and coordinated
with other regulatory entities, including the DOL and State insurance
regulators.
---------------------------------------------------------------------------
\9\ Public Comments from Retail Investors and Other Interested
Parties on Standards of Conduct for Investment Advisers and
Broker-Dealers (June 1, 2017), available at
https://www.sec.gov/news/public-statement/statement-chairman-clayton-2017-05-31.
---------------------------------------------------------------------------
I also hope that my June 2017 statement will shape constructively
the conversation on this important matter, so that we can properly
tailor an approach or package of approaches that we believe will best
address the issues identified. To date, we have received over 150
comments from investors and the industry, expressing a range of views.
I also have personally met with various Main Street investor and
industry groups and have found those conversations beneficial.
The Commission and its staff have extensive experience regulating
broker-dealers and investment advisers, and we are reviewing the
information interested parties have submitted. I look forward to
continuing to work with my fellow Commissioners and the SEC staff as we
evaluate our next steps on this important topic.
Equity, Fixed Income and Security-Based Swap Markets
The SEC has a responsibility to ensure that our securities markets
provide vibrant, efficient and fair mechanisms for facilitating the
transfer of capital. In the decade plus since the adoption of
Regulation NMS, technological advancements and innovations and
commercial developments have led to significant changes in the way our
trading markets operate. Generally speaking, our securities markets
continue to be highly efficient and resilient. That said, it is
imperative that we continuously examine and reassess our regulatory
market structure. There are a few specific market structure issues and
initiatives that I would like to now highlight.
Several recent Commission rulemaking proposals have been aimed at
enhancing transparency in the market structure space. In July of last
year, the Commission proposed amendments to Rule 606 of Regulation NMS
that would require broker-dealers to disclose standardized information
on their handling of large orders, both in response to customer
requests and on a quarterly, aggregated basis. This proposal would also
enhance existing broker-dealer order routing disclosure requirements
for smaller orders.
In November 2015, the Commission proposed amendments to Regulation
ATS to impose new transparency requirements on alternative trading
systems (ATSs) that facilitate transactions in NMS stocks. That
proposal would also greatly increase the Commission's active oversight
over the design and operation of such ATSs.
Both of these transparency-focused rulemaking proposals, which the
Commission released prior to my Chairmanship, have received broad
support from commenters. I support both initiatives, and I have asked
the Commission staff to prepare final rulemaking recommendations for
the Commission's consideration.
Just as investors look for material information upon which to base
their investment decisions, the Commission uses data to support and
enhance our oversight function, including in our analysis of market
structure, as well as for investigations, examinations and market
analyses and reconstructions. The SROs also use data in carrying out
their regulatory responsibilities.
Currently, trading activity in stocks is tracked through a number
of systems. No single system tracks the orders that are routed and
executed across multiple trading venues. As the Committee is aware,
pursuant to Commission rule and the CAT National Market System (NMS)
Plan, a Consolidated Audit Trail, or CAT, is currently being developed
by a CAT plan processor (Thesys) and the securities exchanges and
FINRA. The CAT is intended to provide these SROs and the Commission
with consolidated cross-market data that is more complete, accurate,
accessible and timely than the data currently available to regulators.
Of paramount concern to the Commission is the protection of
sensitive CAT data. I appreciate that security issues are particularly
acute with respect to a data repository that contains comprehensive
information on trading activity in the securities markets, especially
in light of recent events. I am therefore focused on issues of data
security with respect to CAT. I have made this point clear to both
Thesys and the SROs, and will continue to do so. I expect that the
roll-out of the various components of CAT data reporting, the first
phase of which is scheduled to take effect on November 15, 2017
(wherein the SROs will report data to the central repository), will
reflect an ongoing assessment of the sensitivity of the data reported
and related security concerns and protections.
Among the defenses built into the CAT NMS Plan are requirements for
the plan processor to develop a comprehensive information security
program that addresses the security and confidentiality of all
information within the CAT data repository and associated operational
risks. And the SROs, which have direct oversight of the plan processor,
are obligated to monitor the information security program to ensure
that it is consistent with the highest industry standards for the
protection of data. For the subset of data that may be extracted from
the CAT data repository, the SROs and the SEC have independent
obligations to protect any such data. With respect to the SEC
specifically, we have committed to review periodically the
effectiveness of our confidentiality and data use procedures in
connection with our access to the CAT.
Other components of the Commission's analysis of market structure
are two pilot programs--one currently in force, and the other being
developed by Commission staff. The Tick Size Pilot, which began in
October 2016, is testing the impact of wider tick sizes on the trading
of stocks of certain smaller capitalization companies. Preliminary
analyses of the pilot data indicate that the impact of the wider tick
sizes on market quality has been mixed. For many covered securities,
quoted spreads and depth of book have increased, and volatility has
decreased. At the end of this month, trading center data will become
publicly available and enable more robust analysis of the pilot data.
I have also asked the Commission staff to develop a proposal for a
pilot program that would test how adjustments to the access fee cap
under Rule 610 of Regulation NMS would affect equities trading. The
Equity Market Structure Advisory Committee (EMSAC) recommended a pilot
program of this type. I am supportive of this type of pilot program
because it should provide the Commission, as well as market
participants and the public, with more data to assess how transaction-
based fees and rebates affect order routing behavior, execution quality
and market quality. I expect that the Commission will consider a
transaction fee pilot proposal of this nature in the near future.
More generally, I believe that a thoughtful and methodical,
data-driven approach to market structure will help us fulfill our mission to
protect investors, maintain fair, orderly and efficient markets and
facilitate capital formation. Pilot programs such as the ones I just
described allow us to evaluate whether adjustments to our market
structure are necessary or appropriate, and if so, how to appropriately
tailor them. At the same time, I also recognize that pilot programs--
whether in the form of Commission or SRO initiatives--cannot simply
live on in perpetuity. Once pilots have achieved their purpose in terms
of providing the Commission and SROs with adequate data for reasoned
decisionmaking, they should either be wound down or, when appropriate,
made permanent.
Overall, as the Commission has evaluated equity market structure,
the EMSAC has been a valuable and helpful resource to the Commission in
providing expert advice and recommendations. Specifically, in addition
to an access fee pilot recommendation, the EMSAC has provided the
Commission with six thoughtful recommendations relating to NMS plan
governance, SROs' proposals requiring technology changes, limit-up/
limit-down mechanisms, market wide circuit breakers, the market opening
and Regulation NMS Rules 605 and 606. The Commission recently extended
the term for the EMSAC until early 2018, which will enable the EMSAC to
continue to provide us with input as we consider market structure
initiatives, including the contemplated transaction fee pilot proposal.
Separately, as I have stated previously, I believe that the time is
right for the Commission to broaden its review of market structure to
include our fixed income markets. The fixed income markets are critical
to our economy and, increasingly, Main Street investors, yet less
attention has been paid to their efficiency, transparency and
effectiveness relative to the equity markets. We are in the process of
establishing the Fixed Income Market Structure Advisory Committee
(FIMSAC). We hope to have the first FIMSAC meeting as soon as December
of this year.
Finally, with respect to the regulatory regime for swaps and
security-based swaps, Commodity Futures Trading Commission (CFTC)
Chairman Christopher Giancarlo and I started talking soon after I
joined the Commission. At our very first meeting, we discussed ways in
which we could harmonize our respective rules and regulations. SEC and
CFTC staff have been meeting to identify initial areas of focus, and it
is my hope that the continued coordination will result in real
regulatory efficiencies.
Enforcement
I am committed to the responsibility of safeguarding our capital
markets and American investors with energy and purpose and ensuring
that there is no room for bad actors therein. Through the dedication
and expertise of our Division of Enforcement (Enforcement) staff and
its leadership, we are able to root out fraud and shady practices
effectively and with unwavering purpose. Enforcement is focused on
protecting all investors--without favor for account size, geography or
other measures of priority--and that is clear from recent enforcement
actions targeting pump and dump schemes, insider trading and a boiler
room on Long Island ripping off seniors' hard earned retirement
savings. Successful enforcement actions impose meaningful sanctions on
securities law violators, result in penalties and disgorgement of ill-
gotten gains that can be returned to harmed investors and deter
wrongdoing.
While a vigorous enforcement program is at the heart of the
Commission's work to protect investors and maintain the integrity of
the securities markets, the SEC's enforcement program also plays an
important part in ensuring that investors and other market participants
have access to material information to make informed investment
decisions. The SEC has brought significant enforcement actions against
issuers that committed reporting and disclosure violations.
Comprehensive, accurate and timely financial reporting is the bedrock
upon which our markets are based and Enforcement remains focused on
pursuing violations in this area.
Our actions against parties who engage in insider trading also help
promote investor confidence. Trading on material, nonpublic information
undermines the fairness and integrity of the securities markets and
creates an unlevel playing field. The SEC is committed to taking action
against those who breach their duties--and subvert our markets--in
pursuit of personal gain, having charged more than 700 defendants in
civil insider trading cases since fiscal year 2010.
Through these efforts to root out financial fraud, insider trading
and other misconduct in the securities industry, Enforcement serves a
critical role in helping the Commission fulfill its tripartite mission.
Moving forward, the SEC will continue to focus resources--including
data collection and analysis, which has greatly enhanced our ability to
detect unlawful behavior--on key areas where misconduct harms investors
and impairs market integrity. In particular, I have asked the Division
of Enforcement to evaluate regularly whether we are focusing
appropriately on retail investor fraud and investment professional
misconduct, insider trading, market manipulation, accounting fraud and
cyber matters. I believe our Main Street investors would want us to
focus on these areas.
Examinations
Another critical tool for the SEC to meet its mission is our
national examination program, led by our Office of Compliance
Inspections and Examinations (OCIE). Commission staff conduct risk-
based examinations of registered entities, including broker-dealers,
investment advisers, investment companies, municipal advisors, national
securities exchanges, clearing agencies, transfer agents and FINRA,
among others. Our examination staff work closely with staff members in
our regulatory divisions to provide input on policy and regulatory
issues and initiatives and also are in regular communication with
Enforcement staff to discuss trends and observations and provide
referrals.
Our examination program is one of many areas where we have doubled
down on our focus on doing more with our limited resources. In this
regard, I note that registered investment advisers now manage more than
$70 trillion in assets, which is more than triple 2001 levels. In light
of this trend, in 2016, the SEC reassigned approximately 100 OCIE staff
to the investment adviser examination unit. As a result of this shift
and the introduction of various enhancements to OCIE processes,
advancements in OCIE's use of technology and other efficiencies, the
SEC is on track to deliver a 30 percent increase in the number of
investment adviser examinations this fiscal year--to approximately 15
percent of all investment advisers.\10\
---------------------------------------------------------------------------
\10\ In fiscal year 2016, OCIE completed nearly 1,450 investment
adviser exams, more than it had completed in any of the prior seven
fiscal years and 20 percent more investment adviser exams than it
completed in fiscal year 2015. In fiscal year 2017, OCIE completed more
than 2,000 investment adviser exams, a significant increase over fiscal
year 2016.
---------------------------------------------------------------------------
While this has been a very positive step, more needs to be done to
continue to increase investment adviser examination coverage levels,
while at the same time being careful to avoid decreasing examination
quality. To that end, the SEC will continue to explore additional
efficiencies and improvements to our risk-based examination program.
One way to achieve this is through the continued leveraging of data
analysis. We have developed tools that scan an array of data fields to
help us analyze and identify potentially problematic activities and
firms. This allows us to make better decisions concerning which firms
to examine and appropriately scope those examinations, among other
things. I expect that for at least the next several years we will need
to do more to increase the agency's examination coverage of investment
advisers in light of continuing changes in the markets.
In the coming fiscal year, OCIE also plans to increase the number
of inspections to assess compliance with Commission rules, such as
Regulation Systems Compliance and Integrity (Regulation SCI), to ensure
that the cybersecurity infrastructure that is critical to the U.S.
securities markets is effective.
Agency Operations
I have devoted a significant portion of my first 4 months as
Chairman to developing a deeper understanding of the agency's internal
operations and management. I have come to appreciate more directly what
I had witnessed from my years in private practice--the knowledge,
expertise and professionalism of the SEC staff. It has been a top
priority for me to engage with, and understand the perspectives of, the
SEC's workforce.
I am particularly excited to report that the SEC staff's engagement
and morale are high, thanks in significant part to the leadership and
efforts of division and office directors, supervisors and staff.
Setting a new record for the agency this year, nearly 80 percent of the
eligible workforce shared their views by completing the Office of
Personnel Management's Federal Employee Viewpoint Survey in May and
June of 2017.
This year's survey results showed notable increases in employee
engagement, overall satisfaction and leader effectiveness indices.
These are critical indicators for our organization because our diverse
workforce is our most valuable asset. It is only through the hard work
of our employees that we are able to accomplish our mission.
Since 2012, the SEC's rating on the Partnership for Public Service
``Best Places to Work'' has improved by 20 percentage points, from 56
percent to 76 percent and last year we were ranked 6th among 27 mid-
sized agencies. In fact, this success has earned us distinction as a
role model for other Federal agencies. In April 2017, the House
Oversight and Government Reform Committee invited the SEC's Chief Human
Capital Officer to testify on the agency's survey results as the ``most
improved'' mid-sized Federal agency.\11\ We aim to continue building
upon these 2017 results in the years to come.
---------------------------------------------------------------------------
\11\ April 6, 2017, testimony on ``The Best and Worst Places to
Work in the Federal Government'' by Chief Human Capital Officer Lacey
Dingman before the U.S. House of Representatives Subcommittee on
Government Operations can be found at
https://oversight.house.gov/wp-content/uploads/2017/04/Dingman_SEC_Testimony.pdf.
---------------------------------------------------------------------------
Efficiencies and Resource Needs
I take very seriously the SEC's responsibility to ensure that the
SEC is a good steward of the funds Congress entrusts to our use, and
maximizes the value of those funds to the American investor. We are
engaged in ongoing efforts to find efficiencies in internal operations,
including through automation, streamlined internal processes and better
use of data. We will continue to develop and leverage our capabilities
for risk analysis to inform our decisionmaking, including how most
efficiently to use staff resources. Given the pace of change in today's
capital markets, it is more important than ever that agency operations
be nimble so we can direct resources where they are needed most.
For example, with congressional approval, the SEC in June 2017
combined the agency's various EDGAR filer support functions into one
EDGAR Program Office. As this Committee knows and as discussed above,
the EDGAR system is central to the agency's mission and critical to the
functioning of the capital markets. On a typical day, investors and
other market participants view or download more than 50 million
disclosure documents filed on EDGAR. This new office also will
coordinate and rationalize the agency's enhancements and investments
related to EDGAR, including modifications to conform with changes to
Commission rules, and will help consolidate the agency's filer support
functions.
Other internal improvement initiatives include combining the
agency's various communications-related functions, crafting proposals
for Commission consideration to convert paper filings into electronic
formats and exploring ways to better apply and schedule examination
staff resources toward significant risks to investors. We will continue
to explore opportunities for efficiencies and cost savings in the
months to come.
The agency's efforts to streamline operations are reflected in the
SEC's budget requests over the next 2 years. The President's request
for fiscal year 2018 is for $1.602 billion for SEC operations, which
holds the SEC budget at essentially the same level it has been in
fiscal years 2016 and 2017. This request reflects savings and
efficiencies in progress throughout the SEC, sufficient to offset
required cost increases, and continues investments in technology, as
described further below.
It is important to note that the SEC collects transaction fees that
offset the annual appropriation to the Commission. Whatever amount
Congress appropriates to the agency will, by law, be fully offset by
transaction fees, and will not impact the deficit or the funding
available for other agencies. The current transaction fee rate is just
over two cents ($0.02) for every $1,000.00 in covered securities sales.
Fiscal Year 2019 Authorization Request
For fiscal year 2019, the SEC's authorization request totals
approximately $1.7 billion for SEC operations. I do not make a request
for additional funds lightly, especially in a tight budgetary
environment. But after an evaluation of the SEC's capabilities and
needs, I believe this request is necessary for the SEC to continue the
effective pursuit of our tripartite mission.
This request would allow the agency to lift the hiring freeze
implemented at the start of fiscal year 2017 and recruit professionals
with key skills and market expertise such as electronic trading,
cybersecurity, retail investor fraud, investment adviser oversight and
market analysis. The agency anticipates a need to hire such
individuals in key positions to effectively carry out our core mission.
The request seeks additional funds for development, modernization and
enhancement of information technology systems, including additional
investments in protecting the security of the SEC's network and
systems. These funds, coupled with those from the SEC Reserve Fund,
would allow the continued implementation of a number of key multi-year
technology initiatives, discussed further below, which will enhance the
SEC's ability to collect, analyze and act on large amounts of data.
Leveraging Technology
Advances in technology have driven significant changes in
securities markets. Today, companies support human decisionmaking with
automated algorithms, which ingest massive amounts of unstructured data
to make trading decisions. Investors are using innovative platforms to
conduct transactions and research investments. Firms solicit investors
through sophisticated, multichannel communications.
In recent years we have seen an extraordinary increase in the
volume and velocity of data available to the securities industry,
investors and the SEC. The ever-increasing volume of data demands
advanced analytics tools and best-in-class infrastructure that is
dynamic, scalable and secure. Similarly, demand from the public for SEC
information has never been higher. Last year, SEC.gov received 10.4
billion page views--double from just 2 years ago--and the public
downloaded more than 2.6 petabytes of data. The information the SEC
provides is driving the marketplace, and helping companies attract
funding, grow and create jobs.
All of these shifts require the SEC to expand our own technology
capabilities and increase our efficiency. The SEC's budget requests
seek the resources needed to stay on top of these critical developments
and promote our mission in an evolving landscape. The Commission has
made progress in modernizing our technology systems, with the benefits
of increasing our use of data analytics, increasing program
effectiveness and streamlining operations.
The $234 million that the SEC plans to spend on information
technology in fiscal year 2018 is quite modest, by way of comparison,
to the amounts that the major Wall Street firms spend on their own
information technology systems. For example, in 2016 one large
financial institution alone spent more than $9.5 billion on technology
firm-wide, with $3 billion of that dedicated to new initiatives.
Another large financial institution spent $6.6 billion in 2016 on
technology initiatives.
The fiscal year 2018 and fiscal year 2019 budget proposals would
support a number of key information technology initiatives, such as:
(1) Increasing investments in information security to address, as a
top priority, the ability to monitor and avoid advanced
persistent threats, and to improve risk management and
monitoring;
(2) Expanding data analytics tools to integrate and analyze the
large and ever-increasing volume of financial data we receive,
enabling us to detect potential fraud or suspicious behavior
earlier and allocate resources more effectively;
(3) Improving our examination program through advanced risk
assessment and surveillance tools that help identify high-risk
areas for further examination;
(4) Enhancing additional systems that support our enforcement
program, including applying sophisticated algorithms that
foster the detection of potential insider trading and
manipulation;
(5) Streamlining public access to our EDGAR electronic filing
system; and
(6) Investing further in business processes automation and
enhancements, including the retirement of legacy systems, which
will drive cost efficiencies and improve security across the
agency.
Leasing
An important component of the SEC's funding needs over the next 2
years is to support the leasing of office space. The current leases for
the SEC's headquarters buildings (Station Place I, II and III) will
expire in fiscal years 2019, 2020 and 2021, respectively. In addition
to the funds requested to support our operations, the SEC is requesting
funds in fiscal year 2018 necessary to participate in the General
Services Administration's (GSA's) competitive procurement process for a
successor lease for the SEC's headquarters. In accordance with its
standard process, GSA has requested that the agency set aside the funds
that might become necessary to cover construction and related costs
should the SEC need to move from its current building.\12\ None of
these funds would be used for the operations of the SEC, and the agency
has proposed appropriation language that provides a mechanism whereby
any unused portion of these funds would be refunded to fee payers.
---------------------------------------------------------------------------
\12\ According to GSA's schedule, a new lease would be awarded in
fiscal year 2018.
---------------------------------------------------------------------------
Similarly, in fiscal year 2019, funds will be required for the GSA
procurement of a new lease for the SEC's New York Regional Office, for
which the current lease is set to expire in 2021. As with the SEC's
headquarters lease procurement, GSA requires that the SEC set aside
funds for potential construction and related costs in the event that
the competitive acquisition process might result in the SEC needing to
move to a new building. None of these funds would be used for the
operation of the SEC, and any unused portion would be refunded to fee
payers.
Conclusion
My aim for today's testimony is to provide a window into the scope
of the SEC's daily work to advance our mission of protecting investors,
maintaining fair, orderly and efficient markets and facilitating
capital formation. In closing, I want each of you--and all of your
constituents, including, in particular, Main Street investors--to know
that the SEC is open for business. We want to serve you and hear from
you. Whether it be through providing educational resources and investor
alerts on investor.gov, supporting small businesses and other issuers
seeking to raise capital or vigorously enforcing the securities laws,
SEC staff and division and office leadership stand ready and willing to
engage with any and all who we can assist, and who can inform us, on
issues consistent with our tripartite mission.
I thank this Committee and its Members, especially the Chairman and
Ranking Member, for their continued support of the SEC and its staff,
and I look forward to answering any questions you may have.
RESPONSE TO WRITTEN QUESTIONS OF SENATOR SCOTT FROM JAY CLAYTON
Q.1. I think it's important for us to recognize the fact that
the Department of Labor's (DOL) fiduciary rule has had a
negative impact on many Americans. The average South Carolinian
has less than 1 year's salary in their retirement accounts.
Restricting access to professionals in the financial industry
has a negative impact on the resources available to the average
American for retirement. The last thing we need to do at this
point is to find ways to get financial advisory experts out of
the household, which is the unintended consequence of the
fiduciary rule in my perspective.
A July 2017 Harper Polling survey of 600 financial advisers
found that 75 percent of the professionals whose clients have
starting assets under $25,000 will take on fewer small accounts
due to increased compliance costs and legal risks under the
DOL's rule. These folks desperately need financial experts to
make good, sound financial decisions. I was pleased to see the
DOL's 18-month delay in the rule's full implementation.
What more can you tell me about your coordination with the
DOL on the fiduciary rule?
A.1. Secretary Acosta and his staff at the DOL have already
been engaged in a productive dialogue with me and my staff on
this issue. I anticipate that our interactions will continue or
increase and become more substantive as the SEC moves forward
with its rulemaking process. Our goal here is to get the rules
right for Mr. & Ms. 401(k), the types of people cited in your
question, and I believe a focus on four key attributes--
clarity, consistency, coordination and choice--will best
position us to do so. It will be difficult to achieve these
objectives in our rulemaking without meaningful cooperation
with the DOL.
Q.2. If the second part of the DOL's fiduciary rule takes
effect on July 1, 2019, as proposed, will the Commission have
enough time to have its own rule in effect by then? If not,
what steps will you take to accelerate your own process or work
with DOL on a joint schedule, so the two rules do not take
effect at different times?
A.2. We are working on a rule proposal, and we plan to engage
expeditiously and constructively with our colleagues at the
DOL. In response to my June 1 statement and request for comment
regarding standards of conduct for investment advisers and
broker-dealers (the June Statement), we have received over 150
comments from investors and the industry. This is a complex
issue and commenters discussed a range of topics including
disclosure, the standard of conduct for broker-dealers, and the
impact of the DOL rule. Assessing these comments will assist us
in evaluating the range of potential actions. While I have made
it clear to staff that this is one of my top priorities, and
staff are moving forward accordingly, the complexity of the
issue and the potential for significant impacts on investors
and market participants means that we need to engage in a
thorough process, with full consideration of the potential
economic effects of our actions.
Q.3. State insurance regulators are the experts on fixed income
annuities. How will you be involving State regulators in your
work on the fiduciary rule?
A.3. I appreciate the role of State insurance regulators and
their expertise with respect to fixed income annuities. The
National Association of Insurance Commissioners (NAIC)
submitted a letter in response to my June Statement. That
letter, among other things, discussed NAIC model regulations
and noted that the NAIC is considering potential changes to its
model suitability rules to potentially include a best interest
standard of care. The staff and I will keep that letter and the
NAIC's views in mind as we consider issues surrounding
standards of conduct for investment advisers and
broker-dealers, and will be in contact with NAIC personnel as well as
State insurance regulators as we move forward.
Q.4. Many States have moved forward with their own fiduciary
standards, creating a patchwork of rules and regulations for
investors and financial advisors. What can the SEC do to find a
solution to this growing concern?
A.4. Our markets are diverse and expansive and many financial
advisors and other participants operate across State lines. I
believe that consistency in the standards of conduct for
investment professionals nationwide is important for the proper
functioning of our markets, and that the best way to achieve
that is for the Commission to move forward expeditiously with
its rulemaking process in cooperation with the Department of
Labor.
Q.5. The fact that we're looking at Chinese investors trying to
buy the Chicago Stock Exchange and you pumping the brakes on
that decision--I think it's good. We all would like to
encourage more FDI, but we need to do it in the most
responsible way possible. Thank you for your position and
perspective on that issue.
Can you describe the actions that led to a Commission
review of this transaction?
A.5. On August 9, 2017, the Commission's Division of Trading
and Markets (the Division) approved the proposed rule change
filed by the Chicago Stock Exchange regarding the acquisition.
The Division issued this approval order pursuant to delegated
authority, and the Division's approval order was subsequently
stayed pursuant to Exchange Act Section 4A and Rule 431 of the
Commission's Rules of Practice, which provide for Commission
review of actions made pursuant to delegated authority. At this
time, the Commission continues to review the delegated action,
and the Division's approval order remains stayed. Since August
9, the Commission has received 43 comments on the proposed rule
change. Because this remains an open matter that is actively
under consideration by the Commission, I am not in a position
to comment further on what future action the Commission might
take.
Q.6. What criteria do Commissioners or Commission staff
evaluate when reviewing transactions like this one?
A.6. In evaluating a proposed rule change filed by a national
securities exchange, the Commission carefully evaluates whether
the proposed rule change is consistent with the requirements of
the Exchange Act and the applicable rules thereunder. The
Exchange Act contains a number of relevant provisions,
including the requirement under Exchange Act Section 6(b)(5)
that the rules of a national securities exchange be designed to
promote just and equitable principles of trade, to remove
impediments to and perfect the mechanism of a free and open
market and a national market system, and, in general, to
protect investors and the public interest.
Q.7. Management at public companies should be held accountable
by their shareholders. A balance between both sides ensures
productivity and corporate transparency. That said, I wonder if
the scales have not been tipped a little bit too far. As of
now, we allow for the resubmission of shareholder proposals
even if nearly 90 percent of shareholders have voted no in the
past. That creates costs and distracts from long-term thinking,
all the while doing little to protect investors.
How are other shareholders impacted by such a low bar for
proposal resubmissions?
A.7. Shareholder proposals play an important role in corporate
governance, but they are not without cost. The evaluation of
and submission to shareholders of these proposals, including
the discussion and recommendation in the proxy statement,
requires board and management time, which imposes a cost to
shareholders in addition to the out of pocket costs related to
the proxy process. You are correct, when shareholder proposals
with little chance of garnering meaningful shareholder support
are resubmitted, these costs are borne by all shareholders, not
just the shareholders who submit them or voted in favor of
them.
Q.8. Will the SEC revisit its past recommendation to raise such
thresholds?
A.8. I am mindful of concerns that have been raised about the
shareholder proposal rule, including resubmission thresholds,
and this area will be closely monitored during the upcoming
proxy season. We have issued a Staff Legal Bulletin providing
staff guidance on shareholder proposals, and I expect that we
will be doing so again shortly. In thinking about any potential
revisions in this area, the Commission would need to carefully
balance shareholders' ability to submit proposals with the time
and costs borne by companies and other shareholders to respond
to those proposals.
Q.9. Do you believe the shareholder proposal system today is
working as it was originally intended to, or can it be reformed
for the benefit of all investors?
A.9. Shareholder proposals serve as an important accountability
function and can lead to positive change. Nevertheless, I
expect there may be ways to minimize unnecessary costs borne by
shareholders in the ``quiet'' majority without compromising the
important role of shareholder proposals. The resubmission
thresholds may be one area in which these costs could be
reduced without unnecessarily limiting shareholders' ability to
submit proposals.
Q.10. What is your view on making public company disclosures
more comprehensible and useful for layman investors?
A.10. Investors must have access to information about potential
investments that is easily accessible and meaningful. In that
regard, I believe there are ways we can update our disclosure
requirements to make disclosures more useful for investors and
to reduce burdens on companies. We took a step in that
direction on October 11, 2017, when the Commission proposed
amendments to Regulation S-K that are intended to modernize and
simplify certain disclosure requirements in Regulation S-K and
related rules and forms in a manner that reduces the costs and
burdens on registrants while continuing to provide all material
information to investors. The amendments are also intended to
improve the readability and navigability of the Commission's
disclosure documents and discourage repetition and disclosure
of immaterial information.
We also focused on the presentation and delivery of
disclosure in the Regulation S-K concept release the Commission
issued in April 2016. The concept release recognized that the
presentation and delivery of information may play a significant
role in investors' ability to access and use important
disclosure. It also sought input on how our rules can
facilitate the readability and navigability of disclosure
documents.
Q.11. Do you believe that proxy advisory firms are doing an
adequate job of disclosing to their clients material conflicts
of interest in light of the 2014 SEC guidance on the subject?
A.11. The staff issued a Staff Legal Bulletin in 2014 to
provide guidance to investment advisers about their
responsibilities in voting client proxies and retaining proxy
advisory firms. The bulletin also provided guidance on the
availability and requirements of two exemptions to the proxy
rules often relied upon by proxy advisory firms. The staff
continues to monitor developments in this area.
Q.12. Companies often identify conflicts of interest or
significant errors that proxy advisory firms have made in their
recommendations--do you believe that the SEC would benefit if
issuers or other market participants brought these concerns to
the attention of the Commission?
A.12. The Commission is interested in the effective and
efficient operation of the U.S. proxy system and welcomes
outreach from issuers or other market participants. To this
end, the staff actively seeks input in this area and regularly
meets with, among others, industry groups, including several
representing corporate issuers, and will continue to monitor
developments and consider further action if needed.
------
RESPONSE TO WRITTEN QUESTIONS OF SENATOR MENENDEZ FROM JAY
CLAYTON
Q.1. In your testimony before the Committee last week, you
emphasized your commitment to enforcement actions and a strong
enforcement division. As I mentioned during your confirmation
hearing, I was alarmed to learn of Commissioner Piwowar's steps
earlier this year to rein in the enforcement division by
revoking subpoena authority from 20 enforcement officials and
limiting it to the division director. As you know, this was a
significant reversal from post-crisis policy which empowered
senior enforcement attorneys to quickly escalate informal
inquiries to formal investigations.
Can you please describe in detail the enforcement
division's current procedures regarding subpoena authority?
A.1. The Federal securities laws authorize the Commission, or
any officer designated by the Commission, to issue subpoenas
requiring a witness to provide documents and testimony under
oath. The Commission itself has the power to designate members
of the staff to act as officers of the Commission in an
investigation by issuing a Formal Order of Investigation
(formal order). The formal order serves two important
functions. First, it directs that a nonpublic investigation be
conducted, and second, it designates specific staff members to
act as officers for purposes of the investigation and empowers
them to administer oaths and affirmations, subpoena witnesses,
compel their attendance, take evidence and require the
production of documents and other materials.
Although Commission staff in the Enforcement Division may
in some circumstances obtain information without the need for a
subpoena, performing a complete investigation will often
require a formal order. For example, banks will not produce the
account records typically needed in a Ponzi scheme investigation
without a subpoena. In an insider trading investigation, subpoenas will
be needed to obtain any relevant phone call records from
telephone companies. Witnesses may refuse to testify unless
they are subpoenaed.
Enforcement Division staff may seek to have a formal order
issued through one of two methods: pursuant to authority
delegated by the Commission to the Division Co-Directors, or by
recommending that the Commission issue the formal order.
Commission staff seeking a formal order through the delegated
authority process prepares a memorandum to the Co-Directors
that provides information concerning the matter and addresses
the need for a formal order.
To obtain a formal order directly from the Commission,
Enforcement staff prepares a memorandum to the Commission to
recommend that the Commission issue a formal order. The
memorandum includes the same types of information that are
provided to the Co-Directors through the delegated authority
method.
I have discussed the delegation of formal order authority
with the Co-Directors of the Enforcement Division, and I am
comfortable that there are benefits to having that authority
resting with the two of them, including that it enables them to
more efficiently and effectively manage the nationwide
Enforcement program. I do not believe that limiting the
authority to the Enforcement Division Co-Directors has
negatively affected the Commission's ability to protect
investors and deter misconduct. Rather, my initial sense is
that the current scope of delegation enhances investor
protection as it provides for a more effective allocation of
limited resources by the leadership of the Enforcement
Division. I will continue to consult with the Enforcement
Division Co-Directors to ensure that the procedures surrounding
delegated subpoena power do not adversely impact the
Enforcement Division's ability to fulfill its mission,
including protecting investors.
Q.2. On September 21, 2017, the SEC issued interpretive
guidance to companies regarding compliance with the pay ratio
disclosure requirement mandated by Section 953(b) of Dodd-Frank. In the
guidance, the SEC provides companies considerable flexibility
in determining the median employee and calculating employee
compensation.
Please explain the specific rationale the SEC relied on to
justify these flexibilities.
A.2. The pay ratio rule, as adopted, affords significant
flexibility to registrants in determining the appropriate
methodologies to identify the median employee and in
calculating the median employee's annual total compensation.
The guidance is intended to clarify the ways that registrants
may use the flexibility that is already part of the rule.
Specifically, the interpretative guidance clarifies the
disclosure rules mandated by Congress in a way that is true to
the mandate and, to the extent practicable, allows companies to
use operational data and otherwise readily available
information to produce the disclosures. Additionally, the staff
issued guidance which includes examples illustrating how
reasonable estimates and statistical methodologies may be used.
Q.3. In light of the sweeping good faith efforts flexibility
provided to companies by the guidance, what assurances can you
provide that the SEC will take enforcement actions against
companies that fail to provide disclosures in compliance with
the requirements of the pay ratio disclosure rule?
A.3. As with all new rules adopted by the Commission, we will
closely monitor implementation of the pay ratio rule.
Specifically, I expect that a review of the pay ratio
disclosures will be part of the selective filing review process
conducted by the Division of Corporation Finance.
Q.4. At a forum in September, you stated that you do not think
it is necessary for Congress to codify insider trading law.
Please explain the rationale for this conclusion.
A.4. The Commission's record of holding persons accountable for
insider trading remains as strong as ever. We have charged more
than 450 individuals with insider trading in the past 5 years,
including more than 140 individuals in the past 18 months
alone.
In my view, the Commission is well positioned to punish
insider trading and does not need further legislation defining
insider trading. Proponents of a law defining insider trading
cite clarity as an objective and a benefit. While such an
approach likely would provide greater clarity in some
circumstances, I am concerned that legislation would generate
ancillary litigation over its meaning and application in other
circumstances and that aspects of the body of law that has been
built up over time would be reinterpreted. In addition, I am
concerned that clarity may provide nefarious actors with the
substantive equivalent of a legislative safe harbor for what
turns out to be clearly abusive conduct. My views in this
regard are informed by many factors including my discussions
with the staff and my experience with statutory regimes outside
the United States.
Please do not take this answer as an indication that I do
not believe we should be focused on or look to do more in this
space. I have been very impressed with the knowledge and
dedication of our staff in this area, including the market
abuse unit in the Division of Enforcement. My interactions with
them have led me to believe that additional efforts and
resources, including possible legislative efforts, should be
applied to detection and deterrence in this area. Further, I
believe those efforts and resources should reflect the fact
that insider trading and other market abuses have become
increasingly international and cyber-based.
Q.5. As you know, the New York Stock Exchange, among other
international exchanges, requires listed companies to have an
internal audit function within the first year of joining the
NYSE. Public companies, however, do not typically disclose to
investors whether they have an independent internal audit
function. What is the SEC's current position on whether public
companies should be required to disclose to shareholders
whether they have an independent internal audit function?
A.5. In 2013, the Commission expressed its belief that an
internal audit function can assist companies in meeting their
Exchange Act obligations to devise and maintain a system of
internal accounting controls. In 2015, the Commission issued a
concept release that sought public comment on audit committee
reporting requirements. In that release, the Commission
expressed an interest in understanding whether changes should
be made to required disclosures about audit committees
regarding oversight of the audit and the auditor relationship.
The Commission specifically asked whether audit committees
should provide disclosure about their oversight of the internal
audit function. The Commission also asked whether to require
disclosures about meetings the audit committee has had with the
internal auditor. The staff is considering the extensive
feedback we received in response to the request for comment.
Q.6. I remain concerned that the current lack of transparency
around short selling enables manipulative trading behaviors
that harm growing companies and discourages long-term
investment. I raised this concern to former SEC Chair Mary Jo
White in a letter in January 2017. In my view, the current lack
of transparency of short positions has a trifold impact on the
securities market--it deprives investors of information
critical to making meaningful investment decisions; it denies
issuers of insights into trading activity and inhibits their
ability to interface with investors; and it withholds crucial
information from the market, ultimately impeding efficiencies
and diluting transparency. There are currently two petitions
for rulemaking pending before the SEC requesting that it
promulgate rules to require disclosure of short positions in
parity with the existing required disclosure of long positions
(File No. 4-689 and File No. 4-691).
Does the SEC plan to act on these pending rulemaking
petitions, or consider any alternative options, in order to
ensure fair disclosure of short positions?
In your opinion, should the SEC implement a disclosure
regime for short positions that would make this behavior more
transparent and ultimately mitigate the effects of manipulative
trading strategies?
A.6. The Commission has considered the question of disclosure
of short positions for a number of years.\1\
---------------------------------------------------------------------------
\1\ For instance, in 2014 the Commission's Division of Economic and
Risk Analysis conducted a comprehensive study analyzing the
feasibility, costs, and benefits of real-time short position reporting.
See ``Short Sale Position and Transaction Reporting,'' June 5, 2014,
DERA study as required by Section 417 of the Dodd-Frank Wall Street
Reform and Consumer Protection Act.
---------------------------------------------------------------------------
Currently, each self-regulatory organization (SRO)
publishes on its website aggregate daily short selling volume
in each individual equity security listed on its exchange. The
SROs also publish on their websites information regarding
individual short sale transactions in all exchange-listed
equity securities on a 1-month delayed basis. Additionally, the
SROs publish statistics on short interest in securities that
trade on their markets twice a month. Moreover, the Commission
publishes on its website fails-to-deliver information for all
equity securities twice a month (available at:
https://www.sec.gov/answers/shortsalevolume.htm).
I also note that our Division of Enforcement is focused on
identifying and pursuing cases that involve inappropriate short
selling. Recently, the Commission has brought enforcement cases
against market participants when they prompted the issuance of
American Depositary Receipts (ADRs) without possessing the
underlying foreign shares, thus creating opportunities for
potential market abuse, including short selling.\2\ And, the
Commission has charged financial institutions with violating
the SEC's Regulation SHO by improperly providing locates--a
representation that the firm has borrowed, arranged to borrow
or reasonably believes it could borrow securities to settle a
short sale--to customers where the firm had not performed an
adequate review of the securities to be located or had systems
improperly programmed to rely on stale locate information.\3\
---------------------------------------------------------------------------
\2\ Press Release 2017-144, Banca IMI to Pay $35 Million for
Improper Handling of ADRs in Continuing SEC Crackdown (Aug. 18, 2017),
available at https://www.sec.gov/news/press-release/2017-144; Press
Release 2017-6, ITG Paying $24 Million for Improper Handling of ADRs
(Jan. 12, 2017), available at
https://www.sec.gov/news/pressrelease/2017-6.html.
\3\ See, e.g., Press Release 2016-9, SEC Charges Goldman Sachs with
Improper Securities Lending Practices (Jan. 14, 2016), available at
https://www.sec.gov/news/pressrelease/2016-9.html; Press Release
2015-105, Merrill Lynch Admits Using Inaccurate Data for Short Sale
Orders, Agrees to $11 Million Settlement (June 1, 2015), available at
https://www.sec.gov/news/pressrelease/2015-105.html.
---------------------------------------------------------------------------
The Commission continues to consider whether the current
approach to transparency and reporting is appropriate and
whether additional reporting of short sale transactions may be
warranted. I have engaged with the staff, including the staff
of the Division of Enforcement, on this and they are monitoring
the issues. That said, I recognize that markets evolve and
staff should be regularly asking whether our reporting regime
for short selling appropriately reflects the potential for
illicit practices. In that context, the Commission also takes
into account feedback from all market participants, including
the petitions from Nasdaq, Inc., and NYSE Group Inc., as well
as comments from the public concerning these petitions.
Q.7. Recently, certain hedge funds have challenged the
legitimacy of a drug patent while simultaneously shorting a
biopharmaceutical company's stock. In so doing, they increase
the value of their short position by publicizing numerous
patent challenges and provoking fear in the marketplace,
ultimately driving down the stock prices of these smaller
companies.
Does the SEC plan to investigate potential abuses of
securities laws whereby market participants target patents held
by biopharmaceutical companies and short their stock?
A.7. The use of the patent challenge process (the ``inter
partes review'' or ``IPR'') as an investment strategy is a
recent development and its impact on the capital markets
remains to be seen. We understand that the process, which
allows the filer to challenge the legitimacy of a patent,
includes a series of procedural requirements that may serve as
deterrents for abusive challenges. For example, the claimant
typically must publicly specify the grounds for unpatentability
and explain the relevance of evidence relied upon. Further, a
petitioning party can be sanctioned by the U.S. Patent and
Trademark Office for abuse or any improper use of the IPR
process. In addition, we understand that there are several fees
associated with an IPR, including a $9,000 fee simply for
requesting a review.
Because the use of the IPR is such a recent phenomenon,
Commission staff continues to study the space and assess
whether additional action, such as heightened disclosure
requirements, may be useful or appropriate to expose
potentially fraudulent or manipulative trading behavior. But,
the Commission has the authority to address potential
misconduct related to market manipulation, which includes
fraudulent conduct designed to deceive investors by
artificially affecting the market for a security. Manipulation
can involve a range of misconduct, including: spreading false
or misleading information about a company or rigging quotes,
prices or trades
to create a false or deceptive picture of the demand for a
security.
The Federal securities laws also contain requirements that
apply to the short sale of securities.\4\ Where the
Commission's Enforcement Division becomes aware of facts that
suggest a possible violation of the Federal securities laws, it
may investigate the conduct and, in appropriate cases where
there is sufficient evidence of a violation, the Commission may
bring enforcement actions against the wrongdoers. The
Commission takes the possibility of manipulation, including
potentially manipulative short selling, in our markets
seriously. While short selling can provide the market with
important benefits such as market liquidity and pricing
efficiency, the Commission has brought cases against persons
that violate the Commission's short sales rules or otherwise
engage in abusive short selling.
---------------------------------------------------------------------------
\4\ For example, under Exchange Act Rule 10b-21 it is a violation
for a party to submit an order for a short sale of a security if the
party deceives a broker dealer, a registered clearing agency or a
purchaser about the party's intention or ability to deliver the
security by the settlement date and the party fails to deliver the
security on or before the settlement date.
---------------------------------------------------------------------------
------
RESPONSE TO WRITTEN QUESTIONS OF SENATOR SASSE FROM JAY CLAYTON
Q.1. Understanding that this investigation is ongoing, I'd like
to discuss the details of the breach of the SEC's EDGAR system.
    On what specific date did the EDGAR breach occur?
    When did the SEC first identify the breach and how
      long were the hackers in the SEC's system?
    When did the SEC first ascertain that this breach
      could have allowed the hackers to trade on nonpublic
      information?
    Why did it take so long for the SEC to determine
      that this breach could have allowed for the trading on
      nonpublic information?
    Who was informed of this breach inside the SEC and
      outside of the organization in 2016? For example, were
      the Commissioners or then-SEC Chair White informed?
      What about the SEC's then-Chief Operating Officer? Why
      or why not?
    Does the SEC have any indication that the identity
      of the hackers could be nation-state hackers?
    It has been reported that the DHS in January found
      key vulnerabilities in the SEC's cybersecurity
      protections. Has the SEC fully addressed these
      vulnerabilities or does the SEC intend to do so? If
      the SEC already addressed these vulnerabilities, when
      did it do so? If not, when will the SEC address these
      vulnerabilities?
    Has the DHS found any further vulnerabilities after
      that January report?
    In July, the GAO released a report that highlighted
      areas where the SEC could improve its treatment of
      cybersecurity issues. Does the SEC intend to fully
      comply with the GAO report's recommendations? If so, on
      what timeline?
    What, if any, other law enforcement agencies is the
      SEC working with on this breach?
    I'd like to discuss the history of cybersecurity
      breaches at the SEC.
    How many material cybersecurity breaches have there
      been at the SEC?
    Is this the first breach at the SEC that could have
      facilitated the trading of inside information?
    The SEC's statement announcing the EDGAR breach
      said that ``the intrusion did not result in
      unauthorized access to personally identifiable
      information, jeopardize the operations of the
      Commission, or result in system risk.'' Has there been
      a breach at the SEC that compromised personally
      identifiable information?
    Has there been a breach at the SEC that jeopardized
      the SEC's operations?
    Are you concerned that a breach at the SEC could
      jeopardize the SEC's operations? If so, please describe
      the consequences of such a breach.
    Has there been a breach at the SEC that resulted in
      systemic risk?
    Are you concerned that hackers could pose a
      national security or systemic risk by accessing the
      live markets and shutting down trading, deleting trade
      information, or otherwise sparking a major crisis? If
      so, please describe the consequences of such a breach.
    Please provide an overview of the steps that the
      SEC has taken to avoid a breach that would endanger
      national security, cause systemic risk, or jeopardize
      the SEC's operations.
A.1. In my September 20th press release and statement on
cybersecurity, which was part of an ongoing assessment of the
Commission's cybersecurity risk profile and preparedness that I
initiated upon joining the Commission in May, and in my recent
testimony before this Committee and before the House Committee
on Financial Services, I noted that I was notified in August
2017 of a possible 2016 intrusion into our EDGAR system. In
response to this information, which I learned in connection
with an ongoing investigation by our Division of Enforcement, I
immediately commenced an internal review of the 2016 intrusion. Through
this review and the ongoing enforcement investigation, I was
informed that the 2016 intrusion into the test filing component
of our EDGAR system provided access to nonpublic EDGAR filing
information and may have provided a basis for illicit gain
through trading. After the initial disclosure of the intrusion
on September 20th and my testimony before the Committee, I was
informed that the ongoing staff investigation determined that
an EDGAR test filing accessed by third parties as a result of
the 2016 intrusion contained the names, dates of birth and
social security numbers of two individuals. This determination
was based on forensic data analysis conducted since my
September 20th disclosure of the intrusion, which relied on the
latest information available at that time.\1\
---------------------------------------------------------------------------
\1\ See Press Release 2017-170, SEC Chairman Clayton Issues
Statement on Cybersecurity: Discloses the Commission's Cyber Risk
Profile, Discusses Intrusions at the Commission, and Reviews the
Commission's Approach to Oversight and Enforcement (Sept. 20, 2017),
available at https://www.sec.gov/news/press-release/2017-170; see also
Statement on Cybersecurity (Sept. 20, 2017), available at
https://www.sec.gov/news/public-statement/statement-clayton-2017-09-20; see
also Press Release 2017-186, SEC Chairman Clayton Provides Update on
Review of 2016 Cyber Intrusion Involving the EDGAR System (Oct. 2,
2017), available at https://www.sec.gov/news/press-release/2017-186.
---------------------------------------------------------------------------
Based on what we know to date, we believe the 2016
intrusion involved the exploitation of a defect in custom
software in the EDGAR system. When it was originally
discovered, the SEC's Office of Information Technology (OIT)
staff took steps to remediate the defect in custom software
code and reported the incident to the Department of Homeland
Security's (DHS's) U.S. Computer Emergency Readiness Team
(US-CERT). Based on the investigation to date, OIT staff believes
that the prior remediation effort was successful.
In my October 4, 2017 testimony before the House Committee
on Financial Services, I noted that we have multiple ongoing
work streams concerning the 2016 incident and our steps to
improve the cybersecurity risk profile of our EDGAR system and
of the agency's systems more broadly.\2\ These work streams
include:
---------------------------------------------------------------------------
\2\ See Testimony on Examining the SEC's Agenda, Operation, and
Budget, House Comm. on Fin. Serv. (Oct. 4, 2017), available at
https://www.sec.gov/news/testimony/testimony-examining-secs-agenda-operation-and-budget.
---------------------------------------------------------------------------
1. The review of the 2016 EDGAR intrusion by the Office of
      Inspector General. Staff have been instructed to
      provide their full cooperation with this effort;
2. The investigation by the Division of Enforcement into the
      potential illicit trading resulting from the 2016 EDGAR
      intrusion;
3. A focused review of and, as necessary or appropriate,
      uplift of the EDGAR system. The EDGAR system has been
      undergoing modernization efforts. The agency has added,
      and expects to continue to add, additional resources to
      these efforts, which are expected to include outside
      consultants, and will increase the focus on
      cybersecurity matters;
4. The more general assessment and uplift of the agency's
      cybersecurity risk profile and efforts that were
      initiated shortly after my arrival at the Commission
      this past May, including, without limitation, the
      identification and review of all systems, current and
      planned (e.g., the Consolidated Audit Trail or CAT),
      that hold market sensitive data or personally
      identifiable information; and
5. The agency's internal review of the 2016 EDGAR intrusion
      to determine, among other things, the procedures
      followed in response to the intrusion. This review is
      being overseen by the Office of the General Counsel and
      has an interdisciplinary investigative team that
      includes personnel from regional offices and will
      involve outside technology consultants.
There are limits on what I know and can discuss about the
2016 incident due to the status (ongoing and incomplete) and
nature (enforcement) of our reviews and investigations. Each of
these efforts is moving forward and, as is the nature of
matters of this type, will require substantial time and effort
to complete. Nevertheless, I directed the issuance of my
September 20th press release and statement on cybersecurity
because I believed that, once I knew enough to understand that
the 2016 intrusion provided access to nonpublic EDGAR test
filings and that this may have resulted in the misuse of
nonpublic information for illicit gain, it was important to
disclose the incident and our cybersecurity risk profile more
generally to the American public and Congress. I will make sure
to keep the Committee informed of the ultimate findings and
conclusions of our internal review into the 2016 intrusion.
Cybersecurity must be more than a firm-by-firm or
agency-by-agency effort. Active and open communication between and
among regulators and the private sector also is critical to
ensuring the Nation's financial system is robust and
effectively protected. Information sharing and coordination are
essential for regulators to anticipate potential cyber threats
and respond to a major cyberattack, should one arise. The SEC
is therefore working closely with fellow financial regulators
to improve our ability to receive critical information and
alerts, react to cyber threats and harmonize regulatory
approaches.
We view our interaction with other Government agencies and
committees, including DHS, Government Accountability Office
(GAO) and the Financial and Banking Information Infrastructure
Committee, as an important part of our cybersecurity efforts.
For example, we work closely with GAO to address
vulnerabilities in our IT and critical system infrastructure.
Our most recent GAO audit report was issued on July 27, 2017.
To date, SEC staff have worked to implement all eleven IT
security recommendations that were open as of the start of
fiscal year 2017 and have either completed or are working to
address all of the recommendations issued as part of the GAO's
most recent report. We have prioritized these recommendations
and will continue to track them until GAO is satisfied with our
implementation of the recommendations. Likewise, with regard to
DHS, our Security Operations Center is required to report
incidents to DHS as they occur pursuant to Federal directives
and did so report the 2016 EDGAR intrusion.
I am deeply concerned by the risks posed by cyber threat
actors across the financial sector. Of paramount concern to the
Commission with respect to its internal systems is the
protection of nonpublic information, including personally
identifiable information and information that is market
sensitive; these issues are important to other regulatory
agencies and market participants as well. Denial of service is
another significant risk faced by regulatory agencies and
market participants. As explained in my testimony before the
House Committee on Financial Services, it is for these reasons
that I have instituted a wide-scale review of both EDGAR and
the overall cybersecurity risk profile of agency systems, and
that we have continued to make cybersecurity considerations a
priority in our outward-facing regulatory efforts.
In my recent testimony before the Committee, I stated that,
despite the attention given to widely publicized cyber-related
incidents experienced by the Commission and others, I still am
not confident that the Main Street investor has received a
sufficient package of information from issuers, intermediaries
and other market participants to understand the substantial
risks resulting from cybersecurity and related issues. As a
general matter, it is critical that investors be informed about
the threats that issuers and other market participants face.
The SEC will continue to examine whether public companies
are taking appropriate action to inform investors, including
after a breach has occurred, and we will investigate issuers
that mislead investors about material cybersecurity risks or
data breaches. As I have noted previously on various occasions,
I would like to see more and better disclosure in this area.\3\
---------------------------------------------------------------------------
\3\ See Remarks at the Economic Club of New York (July 12, 2017),
available at https://www.sec.gov/news/speech/remarks-economic-club-new-york.
---------------------------------------------------------------------------
Overall, by promoting effective cybersecurity practices in
connection with both the Commission's internal operations and
its external regulatory oversight efforts, it is our objective
to contribute substantively to a financial market system that
recognizes and addresses cybersecurity risks and, in
circumstances in which these risks materialize, exhibits strong
mitigation and resiliency.
Q.2. I'd like to discuss how the SEC's structure impacts your
ability to manage the agency.
How many direct reports does the SEC Chairman have?
A.2. The SEC has 22 division and office heads who report to me
as Chairman. In addition, the Commission is hiring a Director
for a new Office of the Advocate for Small Business Capital
Formation, which is being established pursuant to statute.
Q.3. During your hearing last week, you said that the Office of
Information Technology headed by Pam Dyson ``is the office
within the SEC that has overall responsibility'' for
cybersecurity. You also said that Pam Dyson ``is a direct
report to me and also to our Office of the Operating Officer.''
Can you please elaborate on the cybersecurity duties of the
Office of Information Technology and how that dual reporting
structure works?
A.3. Pamela Dyson serves as the Chief Information Officer and
the Director of the Office of Information Technology. As the
Chief Information Officer, Ms. Dyson's role is compliant with
the mandate within the Clinger Cohen Act of 1996 that requires
the Chief Information Officer to report directly to the head of
the Agency. In this capacity, Ms. Dyson serves as senior
technology advisor to the Office of the Chairman. Ms. Dyson
also receives day-to-day direction from the Chief Operating
Officer.
As the Director of the Office of Information Technology,
Ms. Dyson oversees and supports the Commission and staff in all
aspects of the Commission's information technology program.
This includes application development, data management
operations, infrastructure operations and engineering, user
support, IT program management, capital planning, and
enterprise architecture. The Office of Information Technology
also includes the agency's information security staff, which is
headed by the Chief Information Security Officer.
Q.4. In March 2011, a Boston Consulting Group study \4\
authorized by the SEC argued that the ``large number of direct
reports generally creates a management challenge for the
Chairman.'' Do you agree?
---------------------------------------------------------------------------
\4\ https://www.sec.gov/news/studies/2011/967study.pdf.
---------------------------------------------------------------------------
A.4. I recognize that the management reporting structure of the
Commission has more direct reports to the Chairman than would
be expected in a commercial organization of similar size.
Based on my time as Chairman thus far, I have not viewed
the reporting structure as a material impediment to effective
management of the agency. I am mindful of the substantial
scale, diversity and importance of market and operational
activity that the Commission is charged with overseeing on a
continuous basis and, in response, establishing an effective
day-to-day management and reporting environment. To provide
more specific context, I meet on a weekly basis with all the
division and office heads as a group, as well as one-on-one
meetings on a regular basis. These one-on-one meetings
generally occur more frequently with Division heads and in
cases where an Office or Division is addressing a time
sensitive or significant issue, and I have encouraged Office
and Division heads to contact me promptly if any such issues
arise. It is important to note that the staff in my immediate
office, including the Chief of Staff, Deputy Chief of Staff,
Chief Counsel and Managing Executive, play an important role in
assisting me with overseeing the activities of the various
Divisions and Offices. I also meet with my fellow Commissioners
on a regular basis and, in those meetings, seek their input on
organizational structure as well as staff reporting and
performance.
That said, I believe it is important that we continually
reevaluate the SEC's operations and organizational structure to
look for opportunities to improve efficiency, identify cost
savings or streamline or consolidate operations where
warranted, including in response to changes in the markets and
activities we oversee. We also should be evaluating how to more
effectively share information across our Divisions and Offices,
including risk information. I am committed to these areas of
self-assessment. One example where this self-assessment has
resulted in a specific initiative is the formation of the EDGAR
Program Office in June 2017 to better coordinate the agency's
efforts to enhance this important system and support filers. A
more recent example is the announcement of a new position, the
Chief Risk Officer, whose responsibilities will include
identifying, monitoring and mitigating risks across our
Divisions and Offices. We will continue to explore and pursue
such opportunities as they emerge.
Q.5. Has the SEC Chairman's large number of direct reports
hindered your ability to focus on cybersecurity while still
focusing enough on the other responsibilities within your
purview?
A.5. I do not believe the number of Divisions and Offices
reporting to me has hindered my ability to focus on this
critical issue. As I mentioned in my testimony, in May 2017, I
initiated a general assessment of our internal cybersecurity
risk profile and the SEC's approach to cybersecurity from a
regulatory and oversight perspective. Components of this
initiative build on prior agency efforts in this area and
include establishing a senior-level cybersecurity working group
to coordinate information sharing, risk monitoring and incident
response efforts throughout the agency. We also have a number
of efforts underway to review and, as necessary, uplift our
EDGAR system as well as systems that hold market sensitive data
or personally identifiable information. I believe these
efforts, which in certain cases are expected to involve outside
consultants, are important steps in improving our cybersecurity
risk profile.
Q.6. What would be the ideal number of direct reports for your
position considering the management challenges that stem from
having a large number of direct reports? Please set aside
whether altering the number of direct reports would require
legislative authorization.
What are ways that your office can streamline the SEC's
reporting structure to eliminate duplicative reporting and
unnecessary strain on your resources? For example, does the BCG
study contain any praiseworthy recommendations that the SEC has
not yet acted upon? Do any of these changes require legislative
authorization?
A.6. The SEC's statutory mandate is very broad in scope and
diversity of activity. It includes oversight of approximately
$72 trillion in securities trading annually on U.S. equity
markets; the disclosures of over 8,100 public companies, of
which 4,300 are exchange listed; and the activities of over
26,000 registered entities, including investment advisers,
broker-dealers, transfer agents, securities exchanges, clearing
agencies, mutual funds, exchange traded funds, the Financial
Industry Regulatory Authority (FINRA) and the Municipal
Securities Rulemaking Board (MSRB), among others. We also
engage and interact with the investing public on a daily basis
through a number of activities ranging from our investor
education programs to alerts on our SEC.gov portal.
The SEC's organizational structure, and the number of
divisions and offices reporting to the Chairman, has been
developed over time to reflect the many different aspects of
this broad mission. At this point, I do not have any specific
plans to materially adjust the number of divisions and offices
or their specific responsibilities. As discussed above,
together with the staff in my immediate office and with the
advice of my fellow Commissioners, I have implemented a senior
management reporting structure that reflects the anticipated
day-to-day realities of the Commission's operations. However, I
do believe it is imperative that the agency continue to seek
out any opportunities to improve the agency's efficiency and
effectiveness, including through organizational reforms and in
response to changes in the marketplace, and I am committed to
do so.
With respect to the 2011 BCG Study, I agree that it
contained a number of very helpful recommendations for
improving the agency's operations. The SEC in August 2017
provided a report to Congress, highlighting the various actions
that the agency has taken in response. To date, the agency has
taken action to address all but one of the recommendations,
which is still in progress.
The SEC's August 2017 status report also notes one
recommendation that was completed but is subject to
congressional action. This recommendation was for the SEC to
seek flexibility from Congress on the structure of the four
offices mandated by the Dodd-Frank Act (the Office of Municipal
Securities, Office of Credit Ratings, Office of the Investor
Advocate and Office of Minority and Women Inclusion) to report
to the Chairman. The BCG Report concluded that the SEC should
seek a revision to the Dodd-Frank Act to give the agency
flexibility to determine the reporting lines for these offices.
In 2011, the SEC put forth this legislative recommendation to
the Congress, and then-Chairman Mary Schapiro also called
attention to this recommendation in September 2011 testimony
before the House Committee on Financial Services.
Q.7. I'd like to discuss the cybersecurity risks associated
with the Consolidated Audit Trail (CAT) which has been called
the ``Fort Knox of Wall Street.''\5\
---------------------------------------------------------------------------
\5\ See https://www.cnbc.com/2017/09/21/heres-what-really-terrifies-wall-street-about-the-sec-hack.html?view=story&%24DEVICE%24=native-android-mobile.
---------------------------------------------------------------------------
What value do you see in fully implementing the CAT?
A.7. The U.S. securities markets have become substantially more
automated, dispersed and complex in recent years. Trading
activity in stocks and options is tracked through a number of
systems, and no single system tracks the orders that are routed
and executed across multiple trading venues. This patchwork
approach can hinder the ability of regulators to look across
our markets in pursuit of their mission. In short, to address
more efficiently and effectively specific issues that span
multiple markets and trading venues (e.g., the actions of a
sophisticated market manipulation scheme) and system wide
events (e.g., a ``flash crash'' or similar market event), we
need access to consolidated information. The CAT is intended to
provide the self-regulatory organizations (SROs) and the
Commission with consolidated cross-market data that is more
complete, accurate, accessible and timely than the data
currently available. When fully implemented, the CAT should
provide regulators with access to comprehensive information
about all orders and trades in exchange-listed securities
across the U.S. markets. The CAT is expected to track the life
of an order, from origination with a particular customer,
through routing, modification, cancellation or execution. As a
result, the CAT should provide a much more efficient and
effective means to identify, investigate and pursue market
misconduct, perform timely market analyses and event
reconstructions, and develop well-informed policy initiatives.
Q.8. Would a breach of the CAT jeopardize the operations of the
Commission? If so, how?
    Would a breach of the CAT result in a systemic risk
      to our economy? If so, how?
    Are you worried that a breach of the CAT could
      compromise the confidential investment strategies of
      trading firms, particularly if the trade information
      could be reverse engineered?
    Are you worried that a breach of the CAT would
      cause some broker-dealers to reduce trading to protect
      their confidential trading strategies?
A.8. The CAT repository is expected to contain comprehensive
information on trading activity in the securities markets, and
the Commission understands that this information is highly
sensitive and that security issues with respect to such a
system are particularly acute. Making sure there are
appropriate mechanisms in place to protect the security and
confidentiality of CAT data is of paramount concern both to the
Commission and the SROs. The CAT national market system plan
(CAT NMS Plan) calls for the CAT repository to store extensive
information on all orders in exchange-listed securities,
including customer identification information (which is
expected to include personally identifiable information (PII)).
This information will provide regulators with prompt
access to the trading activity of individual market
participants. While this information should greatly enhance the
ability of regulators to effectively oversee the modern
securities markets, its unauthorized access and use could cause
substantial harm. For example, a breach of CAT security could
compromise the confidential investment strategies of trading
firms and, if sufficiently large, could undermine regulatory
operations or have a systemic impact. Therefore, it is
important that the design, roll-out and ongoing operation of
the various components of CAT data reporting reflect an ongoing
assessment of the sensitivity of the data reported and related
security concerns and protections.
Due to the importance of maintaining the security of CAT
data, the CAT NMS Plan approved by the Commission requires the
SROs to ensure that the CAT repository meets rigorous data
security requirements, including those regarding connectivity
and data transfer, encryption, storage, access and PII. The
Plan Processor, as defined by the CAT NMS Plan, must develop a
comprehensive information security program that addresses the
security and confidentiality of all information within the CAT
data repository and associated operational risks, and that
includes all relevant standards from the NIST Cybersecurity
Framework. The CAT NMS Plan also requires regular security
audits performed by a qualified third-party auditor. The SROs,
which have direct oversight of the Plan Processor, are
obligated to monitor the information security program to ensure
that it is consistent with the highest industry standards for
the protection of data, and are required to implement
comparable information security policies and procedures with
respect to their handling of CAT data. Moreover, the
Commission, in approving the CAT NMS Plan, committed to
implementing policies and procedures relating to the
Commission's handling of CAT data that are comparable to the
standards applicable to the SROs, which are required to be
comparable to the standards applicable to the CAT repository,
and the Commission will periodically review the effectiveness
of these policies and procedures.
Q.9. In the event of a full breach of the CAT, how many
Americans would have their information exposed under the SEC's
current plans for the CAT? If you do not have a precise number,
please provide the agency's best estimate.
A.9. It is difficult to ascertain with certainty how many
Americans would have their information exposed if there was a
full breach of the CAT, but, assuming all orders result in the
reporting of PII to the CAT, it would be a very large number,
certainly in the millions. Approximately 43.3 million
households have either a brokerage account or an IRA.
Accordingly, as discussed above, the Commission required that
the CAT NMS Plan--which sets forth the minimum requirements the
SROs must follow as they build the CAT--be designed to minimize
the risk of a breach that could result in access to customer
PII.
Q.10. Does the SEC intend to collect the PII of all retail
investors, including those that engage in only limited trading?
    What percentage of the PII stored in the CAT does
      the SEC expect will be operationally useful to the
      CAT's purpose, instead of being dormant in the CAT and
      never accessed?
    Has the SEC explored alternatives to maintaining
      PII in the CAT? For example, would the SEC be able to
      fulfill its policy aims by requesting PII from
      individuals only when it is necessary for the SEC to
      fulfill its oversight duties?
    Has or will the SEC determine what CAT-related
      information it can review without storing it in the
      CAT? For example, could the SEC merely require
      registrants to maintain and provide certain information
      to the SEC upon request, as opposed to keeping it in
      the CAT? Will you commit to ensuring that such
      information is omitted from the CAT?
A.10. I expect that the Commission will only retrieve sensitive
data stored in the CAT repository to the extent necessary to
address a specific regulatory purpose. It is not my objective
to regularly retrieve from the CAT repository PII of retail
investors that engage in normal trading practices. Further, I
expect that the Commission will implement and follow data
security procedures that appropriately address the sensitive
nature of the information.
In approving the CAT NMS Plan, the Commission committed
that its policies and procedures would impose security
obligations on the Commission and its personnel that are
comparable to the standards applicable to the SROs, and in turn
the CAT repository. In addition, the Commission employs an
agency-wide cybersecurity detection, protection and prevention
program for the protection of agency operations and assets.
This program includes cybersecurity protocols and controls,
network protections, system monitoring and detection processes,
vendor risk management processes, and regular cybersecurity and
privacy training for employees.
However, the CAT NMS Plan calls for the CAT repository
itself to collect PII of all retail investors with brokerage
accounts. This PII is already stored on the systems of other
market participants, including retail investors' broker-
dealers. The SROs and the Plan Processor have informed us that
consistent with the CAT NMS Plan, this information will be
subject to heightened security protocols and standards; for
example, PII must be stored in a database that is physically
separate from the transactional database, access to PII must
follow a role-based access model and any login system that is
able to access PII must be further secured via multi-factor
authentication. The CAT NMS Plan also requires the Plan
Processor to adhere to the NIST Risk Management framework and
to implement baseline security controls identified in NIST.
It has been 5 years since the Commission adopted the CAT
rule--Rule 613 of Regulation NMS. Our markets have evolved
since then, and will continue to do so. The Commission should
continue to evaluate the use of the CAT--including with respect
to the types of data maintained in the CAT and the types of
data accessed by the Commission--in light of current market
realities and the important regulatory objectives served by the
CAT. I also believe it is important that the SROs and the Plan
Processor continuously evaluate the approach to the collection,
retention, and protection of PII and other sensitive data in
light of developments in the various areas including
cybersecurity, market structure and regulatory needs; and in
that regard, I note that the CAT NMS Plan requires the
Chief Compliance Officer of the CAT to regularly review the
CAT's information security program. I have asked the staff of
the Commission to conduct such an evaluation with regards to
the need for PII and expect that the SROs and the Plan
Processor engage in a similar exercise.
Q.11. In light of the EDGAR breach and the reasonable
presumption that the CAT will be a target of a cyberattack,
would it be prudent to extensively improve the security of the
CAT before partially rolling out the CAT?
My understanding is that the CAT will only be partially
rolled out on November 15, 2017. Which elements of the CAT will
the SEC implement and which elements of the CAT will the SEC
delay implementing?
How long will it take for the SEC to complete this review
of the data inside the CAT? If the SEC cannot complete this
review by November 15, 2017, do you commit to delaying the
first phase of the CAT implementation?
A.11. Protecting the information in the CAT repository is of
paramount concern. I expect that the CAT will be a target for
cyberattacks by sophisticated actors. As discussed above, the
CAT NMS Plan imposes security requirements on the CAT
repository and the SROs.
The 2016 intrusion into the Commission's EDGAR system is
currently under investigation, as I noted in my earlier public
statements, and I have taken a number of steps designed to
strengthen the Commission's cybersecurity risk profile and
evaluate our cybersecurity risk governance structure, including
initiating the identification and review of systems that hold
market sensitive data or PII and the enhancement of escalation
protocols for cybersecurity incidents in order to enable
greater agency-wide visibility and understanding of potential
cyber vulnerabilities and attacks. The Commission also now has
a senior-level cybersecurity working group, we are in the
process of hiring additional staff, including a Chief Risk
Officer, and outside technology consultants, and we have a
number of additional cybersecurity initiatives underway.
The first phase of CAT implementation (i.e., reporting by
SROs) will only include transaction data and not the submission
of customer information or PII to the CAT repository. Both the
Commission and the SROs must be confident the appropriate
security measures are in place before CAT becomes operational.
Regarding the Commission's use of the CAT, as discussed
above, I expect that the Commission will only retrieve
sensitive data stored in the CAT repository to the extent
necessary to address a specific regulatory purpose. It is not
my objective to regularly retrieve from the CAT repository PII
of retail investors that engage in normal trading practices.
Further, I expect that the Commission will implement and follow
data security procedures that appropriately address the
sensitive nature of the information.
Q.12. In your Senate Banking testimony last week you said ``we
don't want to be taking data [for] the CAT unless we need it
and can protect it.'' What standards will the SEC follow to
determine if a particular data set is absolutely needed for the
CAT?
What standards will the SEC follow to determine if the SEC
can protect the information inside the CAT?
A.12. I take very seriously the obligation to maintain the
security and confidentiality of CAT data. As discussed above, I
expect that the Commission will only retrieve sensitive data
stored in the CAT repository to the extent necessary to address
a specific regulatory purpose. Further, before retrieving such
data, I expect the Commission will implement and follow data
security procedures that appropriately address the sensitive
nature of the information and, as a result, I expect that the
Commission would not be regularly retrieving PII of retail
investors that engage in normal trading practices. With regard
to specific standards, in approving the CAT NMS Plan, the
Commission committed that its policies and procedures would
impose security obligations on the Commission and its personnel
that are comparable to the standards applicable to the SROs and
in turn the CAT repository. In addition, the Commission is
subject to information security policies and procedures
developed in accordance with Federal directives and NIST
standards that prohibit the unauthorized disclosure or
inappropriate use of confidential data.
Q.13. My understanding is that Thesys will be the CAT's plan
processor. Will it be subject to Regulation SCI? Why or why
not? If not, what cybersecurity standards or principles will
Thesys be subject to and how will Thesys be held accountable in
the event of lax cybersecurity processes?
A.13. The CAT repository, which collects and maintains the CAT
data, is a facility of each SRO. The SROs are ``SCI Entities,''
and the CAT system is an SCI system. As a result, the CAT
repository is subject to the requirements of Regulation SCI.
The CAT NMS Plan states that data security standards of the CAT
System shall, at a minimum, satisfy all applicable regulations
regarding database security, including provisions of Regulation
SCI. The SROs are responsible for ensuring that the CAT
repository as operated by Thesys complies with Regulation SCI,
including the establishment, maintenance and enforcement of
written policies and procedures reasonably designed to ensure
that the CAT system has levels of capacity, integrity,
resiliency, availability, and security adequate to maintain its
operational capability.
Q.14. How many people will be able to access the CAT?
Will a background check be conducted on everyone who can
access the CAT?
A.14. As noted above, the CAT NMS Plan requires the SROs and
Plan Processor to have policies and procedures to ensure that
only authorized regulatory personnel are able to access the CAT
data for regulatory purposes, and the Commission committed to
applying comparable standards to its own use of CAT data.
The CAT NMS Plan requires the Plan Processor to conduct
background checks (e.g., fingerprint-based) for all of its
employees and contractors. Each SRO will also conduct
background checks (including fingerprinting) of its employees
and contractors that will use the CAT system. All Commission
employees must have undergone a background check and
fingerprinting prior to their joining the Commission. However,
not all Commission employees will have access to the CAT. In
fact, a cross-divisional steering committee of senior staff has
been tasked with designing policies and procedures regarding
Commission access to, use of, and protection of CAT data, and
the major focus of these internal policies and procedures
addresses which Commission staff will be authorized to access
CAT data and under what circumstances.
Q.15. What, if any, steps is the SEC taking to ensure that
information in the CAT is compartmentalized, so that a breach
will not provide a hacker complete access to information sets?
For example, will a hacker be able to gain access to an
individual's full name and social security number or a firm's
complete trading activity within a dataset?
What, if any, other steps is the SEC taking to prevent a
hacker from being able to reverse engineer a trading firm's
proprietary trading strategies using the information contained
in the CAT?
A.15. PII requires a heightened level of protection. As such,
the CAT NMS Plan requires that PII be stored in a database that
is physically separate from the transactional database. I
believe appropriate compartmentalization, or separation of a
customer's PII from the same customer's transactional data, can
enhance security. The SEC will continue to encourage the SROs
and the Plan Processor to explore compartmentalization
strategies that will support critical regulatory uses of CAT
and also minimize the risk that an unauthorized person could
access an individual's PII or trading strategies. In addition,
as noted above, I have asked the staff of the Commission to
conduct such an evaluation with regards to the need for PII and
expect that the SROs and the Plan Processor engage in a similar
exercise.
Q.16. I'd like to inquire more about Regulation SCI.
In response to questions for the record from Senator Tillis
during your confirmation process you stated that `` . . . we
should be mindful that cybersecurity risks are continuously
evolving, and regulation in this area should take into account
its dynamic nature, including that, in such circumstances,
specific requirements may be appropriate but also have the risk
of becoming outdated.'' To that end, could Regulation SCI
create some cybersecurity risk by introducing an incentive for
companies to focus more on complying with the regulation,
instead of leveraging private sector resources to implement
innovative cybersecurity techniques? If so, what steps is the
SEC taking to mitigate this risk?
A.16. The heart of Regulation SCI is its requirement that SCI
entities have reasonably designed policies and procedures to
ensure that their core systems will function effectively in
times of stress and be resistant to threats, including
cybersecurity threats. Under Regulation SCI, the Commission
does not mandate a specific set of standards with which an SCI
entity must comply. In adopting Regulation SCI, the Commission
understood that information technology and cybersecurity
threats continue to evolve, and thus did not seek to hardcode a
set of specific standards into the rule that could become
outdated. Rather, the rule takes a risk-based approach and
requires the SCI entities themselves to assess the relative
riskiness and criticality of each of their systems and requires
each SCI entity to develop appropriately tailored policies and
procedures. Thus, an SCI entity can select the industry
standards it believes to be appropriate for its policies and
procedures and is also able to customize these policies and
procedures for its own particular systems, so long as its
policies and procedures remain reasonably designed in light of
the importance of a given system. In addition, the rule
requires SCI entities to periodically review their policies and
procedures to ensure that they continue to be appropriate as
technology and threats change.
Q.17. Are you considering the possibility of requiring that
more entities comply with Regulation SCI? If so, what policy
considerations will you take into account when evaluating this
question?
A.17. In its adoption of Regulation SCI in 2014, the Commission
applied the requirements of the rule to those entities it
determined could, at that time because of their role in the
U.S. securities markets and/or their level of trading activity,
have the potential to pose the most significant risk in the
event of a systems issue. Thus, Regulation SCI applies today
to, among others, the stock and options exchanges, alternative
trading systems (ATSs) that trade NMS and non-NMS stocks
exceeding specified volume thresholds, FINRA, the MSRB and
registered clearing agencies. When it adopted Regulation SCI,
the Commission noted that a measured approach was appropriate
for imposing the mandatory requirements of Regulation SCI given
the potential costs of compliance.
I believe that we should continue to evaluate what
entities, because of their importance to the securities markets
or investors, should be subject to Regulation SCI and have
discussed this matter with the staff. The staff believes that
extensions of Regulation SCI would need to be appropriately
calibrated to reflect the business models and risks of
additional entities, as well as their existing regulatory
regimes. They believe certain aspects of the current rule may
be inapplicable to other types of market participants, and
there may also be different types of concerns that are not
applicable to the current group of ``SCI entities'' and thus
are not addressed in Regulation SCI today. Whether or not
Regulation SCI or a Regulation SCI-type regulatory framework is
appropriate for other types of market participants, it is clear
that information technology and cybersecurity threats are of
increasing importance in our securities markets today, and I
have instructed the staff that they should continue to
evaluate whether the current SCI framework is appropriate.
Q.18. Is there sufficient transparency over if a market center
is complying with Regulation SCI or is required to comply with
Regulation SCI? What policy considerations will you take into
account when evaluating this question?
A.18. Regulation SCI applies to ``SCI entities,'' which include
self-regulatory organizations (including national securities
exchanges, registered clearing agencies, registered securities
associations, and the MSRB) and ATSs that trade NMS and non-NMS
stocks exceeding specified volume thresholds. There is no
publicly available list of all entities subject to Regulation
SCI, as discussed below. I have asked staff to examine this
issue, including considering whether the Commission should
publish a list of entities that file Form SCI with the
Commission on a periodic basis or, alternatively, whether
entities subject to Regulation SCI (e.g., certain ATSs) should
be required to disclose that status on a periodic basis.
That said, it is possible for market participants and the
public to identify the entities that fall into nearly all of
these categories through publicly available information. For
example, a list of national securities exchanges and registered
clearing agencies was included in the Regulation SCI adopting
release, and a current list of self-regulatory organizations
can be found on the Commission's website
(https://www.sec.gov/rules/sro.shtml). In addition, in the
Regulation SCI adopting
release, the Commission stated that FINRA is the only
registered national securities association, and it identified
SIAC and Nasdaq as the plan processors subject to Regulation
SCI. Further, the Commission noted then that only one entity
met the definition of exempt clearing agency (Omgeo Matching
Services-US, LLC); subsequently, two additional entities have
become exempt clearing agencies subject to Regulation SCI
(Bloomberg STP and SS&C Technologies).
Unlike the entities discussed above, which are subject to
Regulation SCI because of their regulatory status, the
determination of whether an ATS is subject to Regulation SCI is
based on the ATS exceeding certain volume thresholds over a
prescribed period. Accordingly, a determination regarding which
ATSs are SCI ATSs
is not static, as volume levels often change over time. While
there is no publicly available list of ATSs that are subject to
Regulation SCI, nothing prevents an SCI ATS from publicizing
its status as an SCI entity.
Q.19. How will the SEC ensure that any cybersecurity disclosure
guidelines for public companies require only timely and
material disclosure instead of that which is extraneous and
untimely?
A.19. The Commission's disclosure rules and regulations are a
combination of prescriptive and principles-based requirements.
Disclosure Guidance: Topic No. 2--Cybersecurity, issued by the
Division of Corporation Finance in 2011, advised public
companies that, although there were no specific line item
requirements for cybersecurity and related issues, the existing
rules and regulations do apply to these issues if they
represent a material risk to a company's risk profile, business
or financial statements. As such, companies are expected to
provide timely and material disclosure about their
cybersecurity to investors. The guidance reminded companies
that the decisions to disclose should be based on their own
facts and circumstances and that disclosure should not be
generic or boilerplate. The guidance also reiterated principles
of materiality in U.S. Supreme Court case precedent that
information is considered material if there is a substantial
likelihood that a reasonable investor would consider it
important in making an investment decision, or if the
information would significantly alter the total mix of
information made available.
I have asked the Division of Corporation Finance to review
the 2011 staff guidance and consider whether, and if so, how,
it might be updated to provide companies with more guidance on
their disclosure obligations.
Q.20. What standard will the SEC follow in the future to
determine if and when to disclose a cybersecurity event at the
SEC? Will that standard be comparable to the standards that
companies must follow to disclose their cybersecurity events?
A.20. The scope and timing of disclosures of this type depend
on facts and circumstances that vary from event to event and it
is important to note that the considerations that apply to the
Commission may be substantially different from those that apply
to a public company. For example, unlike a public company, the
Commission may be charged with investigating and ultimately
filing an enforcement action against the individuals that
attack its systems. That said, with regard to the recently
disclosed 2016 EDGAR intrusion, which first came to my
attention in August 2017, I specifically directed the public
disclosure of the intrusion, as well as our ongoing efforts in
response, once I knew enough to understand that nonpublic
information may have been used for illicit gain and that
competing considerations, including disclosing the existence of
the ongoing Division of Enforcement investigation, were not of
sufficient importance to necessitate a delay in the public
disclosure. Should the Commission be subject to significant
cybersecurity events in the future, I expect that we would
conduct a similar analysis regarding public disclosure in light
of our mission.
I also note that the SEC will continue to report certain
cybersecurity incidents to the Department of Homeland Security
pursuant to the Federal Information Security Modernization Act
of 2014 (FISMA) and the US-CERT Federal Incident Notification
Guidelines.
Q.21. In response to my questions for the record during your
confirmation hearing, you stated that disclosures should
achieve ``their important investor protection objectives in an
effective and efficient manner'' and promised to engage with
the SEC Commissioners and SEC staff on the Disclosure
Effectiveness Initiative. Please provide an update on your
efforts to this end.
A.21. The Commission and the staff continue to move forward
with the Disclosure Effectiveness Initiative and to date the
Commission has issued six releases as part of the initiative.
These releases include (1) a request for comment on financial
disclosure requirements in Regulation S-X for entities other
than the registrant, (2) a concept release on the business and
financial disclosure requirements in Regulation S-K, (3) a
proposal to revise property disclosure requirements and related
guidance for mining registrants, (4) a proposal to eliminate
redundant, overlapping, outdated or superseded disclosure
requirements, (5) a request for comment on Regulation S-K
disclosure requirements related to management, security holders
and corporate governance matters and (6) a request for comment
on bank holding company disclosures.
The staff is currently developing recommendations to
finalize rule amendments that would eliminate redundant,
overlapping, outdated or superseded disclosure requirements and
proposals to revise Regulation S-X rules related to financial
statements for entities other than the issuer. The staff is
also developing recommendations to update and modernize
industry-specific disclosure requirements, such as the property
disclosure requirements for mining companies and bank holding
company disclosures.
In addition, on October 11, 2017, the Commission proposed
amendments to Regulation S-K to modernize and simplify
disclosure requirements for public companies, investment
advisers and investment companies. The proposal was mandated by
the Fixing America's Surface Transportation (FAST) Act and
would make adjustments to update, streamline or otherwise
improve the Commission's disclosure framework.
Q.22. During your confirmation process, I asked you the
following question for the record:
In light of the SEC's mission to `protect investors, maintain
fair, orderly, and efficient markets, and facilitate capital
formation,' I'd like to ask you about the SEC's rulemaking
schedule. What factors should dictate the SEC's rulemaking
schedule? Does the SEC's rulemaking schedule reflect the right
balance between focusing on these three missions? If not, how
would you change it?
In response you stated that it would be premature to assess
this question because you have not had a chance to discuss this
issue inside the SEC. Now that you have been confirmed as
Chair, how would you answer this question?
A.22. The Commission recently approved publication of an agenda
of rulemaking actions pursuant to the Regulatory Flexibility
Act that reflects my priorities. That agenda will be published
as part of the Unified Agenda of Regulatory and Deregulatory
Actions. As a general matter, I believe it is important that
these publicly available agendas provide the necessary
transparency and accountability for agency matters. If these
plans are to meet their intended purpose, they must be written
in a way that informs Congress, investors, issuers and other
interested parties about what the SEC actually intends--and
realistically expects--to accomplish over the coming year.
I developed the current regulatory agenda consistent with
the eight principles that I outlined in a speech before the
Economic Club of New York on July 12, 2017, and reiterated in
my testimony before the Committee. Among other things, the
agenda reflects my belief that our mission must focus on the
long-term interests of the Main Street investor, and that
investors must have access to information about potential
investments that is easily accessible and meaningful. At the
same time, I believe that the Commission must recognize the
practical costs of demonstrating compliance with its rules, and
that rules must be designed to ensure that Main Street
investors have access to a range of investment choices. In
addition, we have a number of statutorily mandated items that
we need to address, and we are considering how to advance those
while also pursuing other initiatives that are central to the
pursuit of our statutory mission.
Q.23. During your confirmation process, I asked you the
following question for the record:
Many argue that despite the JOBS Act, Reg. A+ is still
prohibitively costly for smaller firms. Only around 44 firms
qualified for Reg. A+ during its first year,\6\ compared to
33,429 who used Reg. D in 2014.\7\ I've been told that few if
any investors in my State find it worthwhile to use Reg. A+. Is
Reg. A+ currently workable for most smaller firms? As SEC
Chair, will you examine how the SEC can make Reg. A+ easier to
use for smaller firms, and advocate for such changes?
---------------------------------------------------------------------------
\6\ https://www.crowdfundinsider.com/2016/07/87745-looking-regulation-one-year-later/
(cited by https://www.mercatus.org/system/files/peirce_reframing_ch11.pdf, p. 278).
\7\ https://www.mercatus.org/system/files/peirce_reframing_ch11.pdf, p. 278.
See also https://www.nextgencrowdfunding.com/static/uploads/2016/10/03/NextGenCrowdfundingRegA+WhitePaper_October62016.pdf.
---------------------------------------------------------------------------
In response you said that you ``have not yet had the
opportunity to engage with the Commissioners and the SEC staff
regarding Regulation A+'' but would study ``this issue,
including the potential impacts of any potential reform
options.'' Now that you have been confirmed as Chair, how would
you answer this question?
A.23. Prior to the adoption of the JOBS Act amendments to
Regulation A, offerings made pursuant to that exemption were rare
in comparison to offerings conducted pursuant to other
Securities Act exemptions or on a registered basis. The release
proposing amendments to Regulation A noted that there were 19
Regulation A offerings filed, and one Regulation A offering
qualified, in 2011. Since effectiveness of the amendments to
Regulation A, in the period from June 2015 through September
2017, companies have sought to raise approximately $5 billion
in nearly 250 offerings pursuant to Regulation A, including up
to $3.5 billion in over 150 offerings qualified by the
Commission. As of the end of September 2017, 69 companies have
reported raising approximately $611 million pursuant to
Regulation A, as amended.
While the data suggests that the amendments to Regulation A
have increased the utility of the exemption, we plan to assess
the rule on an ongoing basis. For example, Commission staff
will study and submit a report to the Commission no later than
5 years following adoption of the Regulation A amendments on
the impact of the amended rules on capital formation and
investor protection. Additionally, Section 3(b)(5) of the
Securities Act requires the Commission to review the $50
million offering limit every 2 years. The next review is
required to take place not later than April 2018.
Q.24. During your confirmation process, I asked you if anything
needed ``to be done to improve the use of cost-benefit analysis
at the SEC?'' In response you said `` . . . I believe
retrospective review can be appropriate and important, and
certain rules may merit re-evaluation over time,'' including
``the prior analysis itself . . . '' You promised to
``discuss[] this issue--what has been learned from past
economic assessment exercises that can inform future efforts--
with the staff and my fellow Commissioners.''
Do you intend to implement a process for regulatory
retrospective review? If so, please detail how the regulatory
review process will occur. If not, please explain why.
A.24. In my testimony before the Committee, I outlined eight
guiding principles that I believe should chart the course for
the SEC moving forward. Several of these principles focus
specifically on our rulemaking process. For example, I
emphasized that effective rulemaking does not end with rule
adoption and that the costs of a rule now often include the
cost of demonstrating compliance. These principles of effective
rulemaking should, in my view, include retrospective reviews of
Commission rules based on input from investors and other market
participants about where the rules are, or are not, functioning
as intended.
As with economic analysis in the course of rulemaking, a
focused post-implementation review of rules improves the
regulatory process and helps us assess whether our rules are
accomplishing their intended goals. The Commission has, in a
number of recent adopting releases, directed staff to conduct
post-implementation reviews of the impacts of new rules. For
example, in adopting recent amendments to the securities
transaction settlement cycle, the Commission directed staff to
examine the impact of shortening the settlement cycle to T+2 as
well as factors that could facilitate a move to a shorter
settlement cycle in the future. The Commission directed staff
to conduct similar reviews in the adopting releases for
Regulation Crowdfunding and recent amendments to Regulation A.
As we move forward with developing new policy recommendations,
I have instructed staff to consider whether, as a part of
adopting new rules, the Commission should require additional
studies.
In addition to these targeted areas, the Commission and its
staff have formal and informal processes for identifying
existing rules for review and for conducting those reviews to
assess the rules' continued utility and effectiveness in light
of continuing evolution in the securities markets and changes in
the securities laws. For example, in accordance with current
statutory requirements, we
conduct 10-year retrospective rule reviews under the Regulatory
Flexibility Act (RFA) on an annual basis. Along with formal
processes, the Commission and its staff frequently receive and
consider suggestions to review existing rules through various
types of communications from a wide variety of constituencies.
Likewise, the Commission and staff frequently discuss the need
to revisit existing rules through public engagement, including
advisory committees, roundtables, town hall meetings, speeches,
conferences, and other meetings.
Q.25. During your confirmation process I asked you if
``policymakers [should] be concerned about the public SIP as a
single point of failure.'' In response you said ``I am not in a
position to comment meaningfully on specific aspects of the
SIP, including the types and severity of risks.''
Now that you have been confirmed as Chair, how would you
answer this question?
A.25. The consolidated market data provided by the SIPs is
extremely important to the securities markets. Because of this,
the SIPs are considered ``critical SCI systems'' under
Regulation SCI. As a result, these systems are subject to
heightened standards under Regulation SCI designed to ensure
the capacity, integrity, resiliency, availability and security
of those systems.
Our staff has worked with the SIPs on their efforts to
improve their systems resiliency. For example, in response to
the Nasdaq SIP outage in 2013, the SIPs subsequently enhanced
their disaster recovery sites and systems to establish a hot/
warm backup process. This backup process provides for a
failover from the primary to the fully redundant backup SIP
sites with a 10-minute or less recovery time. In addition, at
their primary sites, the SIPs have secondary backup servers
running in parallel to the primary servers, allowing exchanges
immediate re-connectivity in the event of a disruption to the
primary server that does not require failover to the disaster
recovery site. The SIPs also established more rigorous review
processes around technology change procedures to minimize
technological malfunctions and errors. In addition, the SIPs
implemented improvements to system capacity (the SIPs have
system availability requirements of at least 99.98 percent) and
controls around critical systems, such as managing inbound and
outbound message traffic.
Q.26. During your confirmation process in March, I sent you a
letter requesting that during your tenure as SEC Chairman, you
pay attention to how to ``promote the creation and sustaining
of new firms, including by facilitating access to forms of
equity for smaller firms.'' This is in addition to your
important efforts to increase the number of IPOs and improve
the public markets. This task has become even more important in
light of finding from the Economic Innovation Group \8\ that
economic growth is largely clustered in the most prosperous
areas, instead of evenly distributed across areas like the
Great Plains and the Midwest. What's more, our economy is more
generally facing declining startup rates.\9\
---------------------------------------------------------------------------
\8\ See https://www.axios.com/americas-fractured-economic-well-being-2488460340.html
and http://eig.org/dci.
\9\ See https://www.axios.com/declining-startup-rates-2453945620.html
and http://eig.org/dynamism.
---------------------------------------------------------------------------
Are you concerned about the uneven geographic
distribution of growth, particularly relating to new
firms? Why or why not? Would increasing access to
equity and crowdfunded debt improve the geographic
distribution of new firms?
Would increasing access to equity and crowdfunded
debt promote the creation and sustainability of new
firms? If so, what kind of firms would this help the
most?
In what instances does data show that new and
smaller firms tend to rely upon access to equity or
crowdfunded debt instead of a generic bank loan? For
example, would a particular type of firm have
difficulty securing a traditional loan or do all firms
have difficulty securing loans within a particular size
bracket?
What are the biggest hurdles new and smaller firms
have--regulatory or otherwise--in accessing equity and
crowdfunded debt?
Is the SEC comprehensively reviewing how to address
these problems, including but not limited to potential
ways to improve Regulation A+, Regulation D, and
crowdfunding, along with any helpful new means of
accessing capital, such as a safe harbor for smaller
equity raises?
A.26. I am committed to each tenet of the SEC's three-part
mission, including facilitating capital formation for all
businesses across our country. I want American businesses to be
able to raise the money they need to grow and create jobs, and
I believe that we need to enhance the ability of every American
to participate in investment opportunities.
In the exempt market, we have seen that businesses are
taking advantage of the new capital raising avenues available
as a result of the JOBS Act. Early signs indicate that
Regulation A may offer a potentially viable public offering on-
ramp for smaller issuers as an alternative to a traditional
registered IPO and offer either an alternative or a complement
to other exempt offerings. The initial evidence shows that the
Regulation Crowdfunding exemption, effective as of May 16,
2016, is being used primarily by small pre-revenue growth
businesses as an initial foray into capital raising through a
securities offering.
Although the JOBS Act rules have been implemented, our work
is far from done. Data shows that the geographic distribution
of issuers using these exemptions is uneven, with some States
accounting for a more significant presence than others. For
example, many Regulation A offerings were made by issuers with
a business location in California, Washington, DC, Virginia,
Florida, or Texas. A significant number of issuers conducting
offerings in reliance on Regulation Crowdfunding similarly were
located in California, Texas or New York. As we continue to
evaluate capital formation options, we are seeking to engage
with businesses across the country, including those within the
Great Plains and the Midwest.
It is important for us to hear directly from businesses to
understand what they see as the biggest hurdles and impediments
to financing within their industry and geographic region. To
advance this objective, we plan to hold the annual Government-
Small Business Forum in Austin, Texas in November 2017 rather
than Washington, DC, the traditional forum location, in order
to get input from a different region of the country. As an
example of outreach in geographic areas where some of the newer
exemptions have not been used as frequently, the Director of
the Division of Corporation Finance and I recently participated
on a panel at the Montana High Jobs Summit. The purpose of our
participation was to explain the use of the various approaches
to small business capital formation and to get feedback from
market participants.
As the exempt market continues to grow and evolve, the
Commission and its staff continue to monitor developments,
gather and examine data and assess the effectiveness of these
new exemptions, taking into account feedback provided by
businesses and investors across the country. To this end, the
staff will be conducting a look-back review of the impact of
Regulation Crowdfunding on capital formation and investor
protection no later than 3 years after effectiveness of the
rules. In addition, the Commission will review the offering
threshold limitations in Regulation A in 2018, as mandated by
the JOBS Act.
We are also taking a step back and looking at the entire
framework of exemptions. A concern that we frequently hear--and
one that resonates with me based on my experience--is that
there are too many exemptions and that each exemption has a
framework that is complex and difficult to navigate without an
experienced securities law attorney. We understand these
concerns and are thinking about ways to rationalize the
framework of exemptions so that there is a harmonized and
simplified approach that makes it easier for small businesses
to raise capital while still providing appropriate investor
protections. In rationalizing the framework of exemptions, we
need to think about avoiding both gaps and duplication among
the different types of exemptions.
------
RESPONSE TO WRITTEN QUESTIONS OF SENATOR TILLIS FROM JAY
CLAYTON
Q.1. Last time you were before the Banking Committee, we
discussed how the SEC and our regulatory regime has made it
less attractive for medium-sized companies, companies that are
in their growth phase, to enter the public markets. Now that
you have had an opportunity to view this issue from a different
lens, can you give me specific ideas of how I can help you in
our joint capital formation endeavors? Whether it is
legislative suggestions or otherwise?
A.1. Capital formation is a priority for me. I am focused on
ways to do that not only through rulemaking, but through
identifying ways that the process can be made more efficient
for an issuer, not only to become a public company but to
remain a public company. Any effort that we undertake should
take care not to reduce the amount of material information that
investors receive. To this end, the Division of Corporation
Finance began accepting certain draft registration statements
for review by staff on a nonpublic basis. The Division also
issued guidance to clarify that companies may omit from draft
registration statements interim financial information that
otherwise will not be required when a company files its
registration statement.
As for rulemaking, the Commission recently voted to propose
rules to implement a mandate under the FAST Act. Collectively,
the FAST Act proposals can reduce costs for issuers and make
the process of becoming a public company more efficient. We are
continuing our review of the disclosure system, including
recommendations to finalize rule amendments that would
eliminate redundant, overlapping, outdated or superseded
disclosure requirements. In addition, the staff is developing
recommendations for the Commission on final rule amendments to
the ``smaller reporting company'' definition, which would
expand the number of issuers eligible to provide scaled
disclosures.
As we continue to review, and identify changes that should
be made, we will consider the resources required and will reach
out if we need legislative assistance.
Q.2. I have asked you previously about the notion of having the
SEC conduct a retrospective review of its existing rules and
regulations. Can you provide me with your updated thoughts on
formalizing a process to do this? We have a process for other
regulators, can you provide me with your thoughts on putting a
process in place for the SEC via a statutory requirement?
A.2. In my testimony before the Committee, I outlined eight
principles that will guide my SEC Chairmanship. Several of
these principles focus specifically on our rulemaking process.
For example, I emphasized that effective rulemaking does not
end with rule adoption and that the costs of a rule now often
include the cost of demonstrating compliance. These principles
of effective rulemaking should, in my view, include
retrospective reviews of Commission rules based on input from
investors and other market participants about where the rules
are, or are not, functioning as intended.
As with economic analysis in the course of rulemaking, a
focused post-implementation review of rules improves the
regulatory process and helps us assess whether our rules are
accomplishing their intended goals. The Commission has, in a
number of recent adopting releases, directed staff to conduct
post-implementation reviews of the impacts of new rules. For
example, in adopting recent amendments to the securities
transaction settlement cycle, the Commission directed staff to
examine the impact of shortening the settlement cycle to T+2 as
well as factors that could facilitate a move to a shorter
settlement cycle in the future. The Commission directed staff
to conduct similar reviews in the adopting releases for
Regulation Crowdfunding and recent amendments to Regulation A.
As we move forward with developing new policy recommendations,
I have instructed staff to consider whether, as a part of
adopting new rules, the Commission should require additional
studies.
In this regard, the Commission and its staff currently have
formal and informal processes for identifying existing rules
for review and for conducting those reviews to assess the
rules' continued utility and effectiveness in light of
continuing evolution in the securities markets and changes in
the securities laws and
regulatory priorities. For example, in accordance with current
statutory requirements, we conduct 10-year retrospective rule
reviews. Specifically, the Regulatory Flexibility Act (RFA)
requires the Commission to review within 10 years of
publication each final rule that has a significant economic
impact upon a substantial number of small entities. Since 1981,
the Commission has reviewed not only rules that had a
significant impact on a substantial number of small entities
when adopted, but included other final rules that it published
for notice and comment. The Commission's RFA reviews,
therefore, cover a broader scope of rules than that required
under the RFA. The RFA directs that the review of each rule
cover: (1) the continued need for the rule; (2) the nature of
complaints or comments received concerning the rule from the
public; (3) the complexity of the rule; (4) the extent to which
the rule overlaps, duplicates or conflicts with other Federal
rules, and, to the extent feasible, with State and local
governmental rules; and (5) the length of time since the rule
has been evaluated or the degree to which technology, economic
conditions or other factors have changed in the area affected
by the rule.
Along with formal processes, the Commission and its staff
frequently receive and consider suggestions to review existing
rules through various types of communications from a wide
variety of constituencies. Likewise, the Commission and staff
frequently discuss the current impacts of past regulation and
consider the need to revisit existing rules through public
engagement, including advisory committees, roundtables, town
hall meetings, speeches, conferences and other meetings.
Q.3. We have had some dialogue regarding the European Union's
Markets in Financial Instruments Directive II (MiFID II), and I
appreciate your response from September 14th on this issue.
There are increased concerns that exchanges are now
concerned about a dark trading workaround and that equities
underdogs will need to utilize a ``Plan B'' option to grow
their market share post-MiFID II. This coupled with the Edgar
system hack--to me--are issues that squeeze medium-sized
companies that are making the decision to not enter the public
markets. Can you provide me with your thoughts on this?
A.3. The ``dark trading workaround'' refers to a concern raised
by some EU exchanges (or U.S. corporations that own EU
exchanges) that MiFID II may create an uneven playing field
between EU exchanges and other EU multilateral trading venues,
on the one hand, and EU systematic internalisers (SIs) (a
category of EU investment firms created under MiFID I and
modified under MiFID II), on the other hand. Some EU trading
venues have argued that MiFID II may provide SIs with several
advantages, including not counting SI transactions toward the
EU MiFIR dark trading limits, not requiring SIs to publish the
size associated with their quotations and the ability to quote
in smaller tick sizes than other EU trading venues. Some EU
trading venues argue that each of these could provide
incentives to trade with SIs.
Q.4. If I am a company concerned about analyst coverage and
price volatility, it seems like a simple decision to not enter
the public markets. As coverage falls, liquidity falls,
volatility goes up, and valuation ratios go down. A McKinsey
study said that banks would spend $1.2 BB less on mass-
producing research and tailor more of it to specific audiences.
During the recent response that I received from you on
MiFID II, you suggested that you share my goal of reaching a
resolution on this issue to minimize disruptions and that you
are prioritizing cooperation with our European counterparts to
reach a solution that avoids a disorderly transition.
Do you plan to waive the rules to allow brokers to receive
direct payments for research from investors who are subject to
MiFID II? If so, do you view this as a short-term or long-term
solution? Can you elaborate on what efforts are underway at the
SEC to address this issue? Do you have a timeframe for making a
decision?
A.4. On October 26, 2017, staff in the Division of Investment
Management issued a letter stating that they would not
recommend enforcement action under the Investment Advisers Act
of 1940 against a broker-dealer that provides investment
advisory research services to an investment manager that is
required under MiFID II to pay separately for such research
services. In the letter, the staff indicated that this relief
would last for 30 months from the implementation of MiFID II.
This temporary period is intended to provide the staff with
sufficient time to better understand the evolution of business
practices after the implementation of MiFID II and take
appropriate action, if necessary, in the future.
Q.5. What are the economic consequences of U.S. brokers
following EU standards? How do MiFID II and the potential
importation of EU rules mesh with broader administrative policy
of not importing foreign standards? I understand this is a
delicate issue, but it seems to me that we should be focused on
impressing upon the EU regulators the potential negative
consequences of this rule on the United States; moreover, I
think that we should be concerned with how this rule may impact
the ability of smaller issuers to attract research and how this
may impact their ability to grow and succeed in the public
markets. I understand that the SEC is engaged with the relevant
EU regulators regarding the unintended consequences of the
MiFID II directive, but can you elaborate on these
conversations and whether there will be joint relief, relief
from the United States, relief from the European Union, or
otherwise?
A.5. SEC staff has been actively engaged in various forms of
outreach with key stakeholders, including industry groups and
individual market participants, to better understand the
potential economic impacts of MiFID II on current U.S.
business models. I
share your views on the importance of U.S. issuers' ability to
attract research, especially smaller and mid-cap companies.
MiFID II presents unique challenges to U.S. broker-dealers. SEC
staff no-action relief addresses potential issues raised by the
industry regarding the negative impact that MiFID II could have
on these market participants, among others.
SEC staff has discussed with our European counterparts the
impact of MiFID II's research provisions on the U.S.-EU cross-
border research market, the U.S. regulatory framework for
research payments and affected U.S. market participants'
ability to comply with the U.S. securities laws. The EC has
issued FAQs related to the application of MiFID II's research
provisions to non-EU firms, which are an important adjunct to
the Commission's efforts to provide effective relief. SEC staff
will continue to engage with industry stakeholders and our
European counterparts as MiFID II comes into effect and its
impacts may be better understood.
Q.6. MiFID II is another example of the conflicts we see with
many rules that either have joint regulators or when an
international regulator issues a directive without studying the
unintended consequences of its impact to other jurisdictions.
Is this something you will be working on at the SEC to help
harmonize rulemakings where you hold jurisdiction?
A.6. The SEC staff regularly communicates with foreign
counterparts, including those in the European Union, regarding
developments that could potentially impact U.S. issuers, market
intermediaries and other market participants. SEC staff has
ongoing bilateral dialogues with key regulatory counterparts
that can serve as mechanisms for identifying and discussing
common issues of regulatory concern, as well as current
regulatory reform efforts and their impact. With respect to the
European Union, the SEC's partners in these bilateral dialogues
include the EC and ESMA. In addition, SEC staff communicates
frequently with the FCA and markets regulators in Europe and
elsewhere. For example, the SEC participates in the Joint U.S.-
EU Financial Regulatory Forum led by the U.S. Treasury. This
forum seeks to enable regulatory cooperation as early as
practicable in our respective lawmaking and rulemaking
processes, with the general operational objective to improve
transparency, reduce uncertainty, identify potential cross-
border implementation issues, work toward avoiding regulatory
arbitrage and toward compatibility, as appropriate, of each
other's standards and, when relevant, promote domestic
implementation consistent with international standards.
Q.7. It appears as if the larger European asset managers will
be paying for research out of P&L, and others may follow suit
for competitive reasons. This could overflow to the United
States. As such, whatever action the SEC takes will need to
account for paying for research out of P&L. How is the SEC
prepared to address this and how is the SEC prepared to deal
with the notion that U.S. asset managers may feel as if they
need to emulate the European Union asset managers for
competitiveness reasons?
A.7. In the letter mentioned above, staff in the Division of
Investment Management provided relief where an investment
manager subject to MiFID II is required to make separate
payments for investment advisory research services. This relief
would apply where an investment manager subject to MiFID II
pays for such research out of its own money, a separate
research payment account or some combination of the two. As the
staff stated in the letter, their intent was to address
concerns that have arisen in light of the adoption of MiFID II
while preserving choice in maintaining the Commission's long-
standing approach to access to research. At the same time, in
considering approaches to address these various concerns, the
staff was mindful of the possibility that inaction could lead
to a disruption in the availability of important research. The
staff therefore sought to preserve the status quo in the U.S.
market while any market changes resulting from MiFID II take
shape. That said, I am also aware that certain U.S. investment
managers are dissatisfied with the status quo, in that some
broker-dealers may refuse to accept hard dollar payments from
investment managers in exchange for research despite that the
U.S. investment manager might prefer to make a hard dollar
payment rather than using order flow.
Because this is an important, complex and evolving issue,
in the press release accompanying the letter, the staff
requested comment to assist in better understanding the
evolution of business practices after the implementation of
MiFID II in order to take appropriate action, if necessary, in
the future.
Q.8. You have previously suggested that we need to look for
ways to regulate a dynamic and evolving set of risks when it
comes to cybersecurity. What options are you now considering
with your staff and fellow Commissioners?
What is the SEC doing now to promote IT modernization? What
new regulations do you foresee promulgating?
A.8. Over the past several fiscal years, the Office of
Information Technology has been leading an effort to modernize
the SEC's technological infrastructure. Among other things, the
SEC is developing a comprehensive IT Modernization Plan to:
1) Prioritize the modernization of high-risk high value
assets with an emphasis on the enhancement of security
and privacy controls;
2) Expedite the retirement of legacy systems;
3) Seek to leverage enterprise-wide acquisition vehicles to
gain cost efficiency and effectiveness; and
4) Improve user experience and increase user interface
capabilities.
The Commission's IT modernization efforts closely adhere to
several OMB mandates and Federal frameworks, including OMB
Circular A-130, Managing Information as a Strategic Resource,
the Federal Information Security Management Act of 2002 and the
Federal IT Acquisition Reform Act. The Commission's efforts
also leverage the guidance and recommendations outlined in the
2017 Draft Report to the President on Federal IT Modernization.
Promoting effective cybersecurity practices by market
participants is critical to all three elements of the SEC's
mission. The Commission incorporates cybersecurity
considerations in its disclosure and supervisory programs,
including in the context of the Commission's review of public
company disclosures, its oversight of critical market
technology infrastructure and its oversight of other regulated
entities, including broker-dealers, investment advisers and
investment companies.
Despite the attention given to widely publicized cyber-
related incidents experienced by the Commission and others, I
still am not confident that the Main Street investor has
received a sufficient package of information from issuers,
intermediaries and other market participants to understand the
substantial risks
resulting from cybersecurity and related issues. As a general
matter, it is critical that investors be informed about the
threats that issuers and other market participants face.
To be sure, we are continuing to examine whether public
companies are taking appropriate action to inform investors,
including after a breach has occurred, and we will investigate
issuers that mislead investors about material cybersecurity
risks or data breaches. As is noted in my July speech and on
various other occasions, I would like to see more and better
disclosure in this area.
Cybersecurity must be more than a firm-by-firm or agency-
by-agency effort. Active and open communication between and
among regulators and the private sector also is critical to
ensuring the Nation's financial system is robust and
effectively protected. Information sharing and coordination are
essential for regulators to anticipate potential cyber threats
and respond to a major cyberattack, should one arise. The SEC
is therefore working closely with fellow financial regulators
to improve our ability to receive critical information and
alerts, react to cyber threats and harmonize regulatory
approaches.
Q.9. Can you talk a little about the cyber risks and threats
within the context of equity market structure? What are we
missing with regard to the current structure of Reg. NMS? Just
a few years ago, there was a trading outage at an exchange and
there were subsequent reforms that were announced, and I know
that Regulation SCI is on the books. I suppose the question
today is, what are you doing to ensure that Regulation NMS
accounts for the dynamic risks that are posed today, and what
do we need to do better from an infrastructure and resiliency
standpoint to ensure that our public markets are as secure as
possible and are the least vulnerable as possible to a cyber-
attack? Also, from a market data perspective, as you know there
are public and private market data feeds--do you view one of
those as being more vulnerable than the other from a cyber-
attack perspective?
A.9. The infrastructure underpinning the securities markets has
become increasingly reliant on technology and subject to ever-
changing operational risks and cyber threats. To help address
this, the SEC adopted Regulation SCI in 2014 to strengthen the
technology infrastructure of the U.S. securities markets by
imposing requirements on key market participants intended to
reduce the
occurrence of systems issues, improve resiliency when systems
problems do occur, and enhance the SEC's oversight and
enforcement in these areas. Regulation SCI applies to ``SCI
entities,'' which include stock and options exchanges, FINRA,
the MSRB, significant alternative trading systems, the clearing
agencies, and the systems that generate consolidated market
data.
Regulation SCI addresses information technology operational
risks broadly, and includes a focus on the cybersecurity risks
of SCI entities. Among other things, Regulation SCI requires
SCI entities to establish, maintain and enforce policies and
procedures reasonably designed to ensure that their core
systems are sufficiently secure to maintain operational
capability. If the SCI entity maintains any other systems that,
if breached, would be reasonably likely to pose a security
threat to its SCI systems, then those other systems are subject
to the same security standards as SCI systems. Although
Regulation SCI does not mandate that specific security
standards be followed, the industry standards referenced in
staff guidance, such as those issued by NIST, cover many areas,
including cyber risk governance and risk management.
Regulation SCI also requires SCI entities to immediately
notify the Commission, and provide specified updates, upon any
responsible SCI personnel having a reasonable basis to conclude
that a systems intrusion has occurred. Affected market
participants generally are to be notified as well. In addition,
SCI entities must (1) have policies and procedures for regular
reviews and testing of core systems to identify, among other
things, vulnerabilities posed by internal or external threats,
(2) periodically review the effectiveness of the policies and
procedures and take prompt action to remedy any deficiencies,
(3) conduct annual objective reviews for compliance with
Regulation SCI and (4) conduct penetration testing at least
every 3 years.
In adopting Regulation SCI, the Commission focused on the
most critical market infrastructure in the securities markets.
However, the Commission and its staff continue to evaluate the
risks posed by the technology of other market participants and
how the markets may be made even more resilient against IT and
cybersecurity risks.
With respect to market data, because of its importance to
the securities markets, market data systems of SCI entities are
subject to Regulation SCI's requirements. This includes both
the consolidated market data feeds, as well as proprietary
market data feeds provided by exchanges. Given the critical
nature of the consolidated market data feeds, those systems are
included in the definition of ``critical SCI systems'' and are
held to the highest standards.
Q.10. Is the SEC looking to leverage artificial intelligence
technology to help fight financial fraud?
A.10. Machine Learning methods are being applied by the
Commission in various areas. Topic modeling and cluster
analysis techniques are producing groups of ``like'' documents
and disclosures that identify both common and outlier behaviors
among market participants. These analyses are able to more
quickly identify latent trends in large amounts of unstructured
financial information that may warrant further scrutiny by
Enforcement staff. Quantitative staff in the SEC's Division of
Economic and Risk Analysis leverage knowledge from these
collaborations to train ``supervised'' Machine Learning
algorithms. From a fraud detection perspective, these
successive algorithms can be applied to new data as it is
generated, for example from new SEC filings. When new data
arrives, the trained ``machine'' will predict the current
likelihood of possible fraud based on what it learned
constituted possible fraud from past data.
The SEC's Enforcement Division also utilizes analytical
tools and data to proactively identify potential misconduct and
streamline investigations. For example, the Enforcement
Division's Market Abuse Unit has an Analysis & Detection Center
(A&D Center), which is staffed by 10 specialists who have
industry experience in areas such as manual and algorithmic
trading, trading operations, data analytics and market
structure. A key tool for the A&D Center is a database of
historical trading data, so called ``Bluesheet'' data, which is
trading data that SEC staff request from broker-dealers during
their investigations. The A&D Center uses a system called
Advanced Relational Trading Enforcement Metric Investigation
System, or ``ARTEMIS,'' to analyze this trade data. ARTEMIS
combines the historical bluesheet data with other data sources,
such as historical prices and information about different types
of market moving events. Based on conduct identified through
ARTEMIS, the Commission has been able to pursue complex insider
trading and market manipulation schemes; since September 2014,
the Commission has brought 17 cases using these types of tools.
The SEC's National Examination Program also has been
developing and deploying a variety of analytics over the last
several years, including those that use artificial intelligence
technology. Many of these projects are still in their initial
phases, but they complement the ongoing analytical work in the
examination program. Specifically, staff has evaluated and
created various risk models based on Machine Learning and
predictive analytics. The analytical tools being developed and
deployed enhance the identification of registrants and areas of
focus for risk-based examinations by maximizing the use of data
and information available to the Commission. In addition, staff
has developed a trade data analytic tool called the National
Exam Analytics Tool, which allows examiners to leverage
statistical analytics to identify outlier and anomalous trading
events. Staff has also created applications that leverage
dashboard technology sitting atop various risk models,
including predictive models, to help staff analyze and select
examination targets.
Q.11. How has the SEC been monitoring the early stage use of
block chain or distributed ledger technology in capital
markets? Does the SEC feel that this technology represents the
future of capital markets infrastructure and if so, how will
the SEC be updating its policies? For example, in a block chain
environment, entities in foreign jurisdictions may maintain
copies of the ledger and may verify transactions occurring
between U.S. counterparties--how will the SEC maintain
regulatory oversight in these types of scenarios?
A.11. The Commission's staff has been monitoring the use of
blockchain or distributed ledger technology (DLT) in the
capital markets in a number of ways:
1) Distributed Ledger Technology Working Group: In late
2013, the Commission established the DLT Working Group,
which is tasked with building expertise in DLT,
identifying emerging risk areas and coordinating
efforts among the SEC's divisions and offices. DLT
Working Group members from all areas of the Commission
also assist in coordinating with Federal, State, local
and international law enforcement and regulatory
partners and liaising with industry participants.
2) SEC FinTech Forum: The SEC hosted a forum to discuss
innovation in the financial services industry in
November 2016, at SEC headquarters in Washington, DC.
Forum panels discussed issues such as blockchain
technology, automated investment advice or robo-advisers,
online marketplace lending and crowdfunding and how they
may impact investors.
3) Investor Advisory Committee: On October 12, 2017, the
Commission's Investor Advisory Committee met to
discuss, among other things, blockchain and other
distributed ledger technology and implications for
securities markets.
4) SEC Staff Participation in Third-Party Forums: Members of
the DLT Working Group regularly participate in various
forums hosted and attended by entrepreneurs, attorneys,
academics, other professionals and interested parties.
5) Dedicated Email Address for Related Inquiries: In
connection with our July 2017 Report relating to The
DAO, we established a new email address--
[email protected] directed interested parties to
send their questions concerning the use of DLT and
other FinTech developments in the securities industry
to that address. SEC staff members have been dedicated
to monitoring that email box and responding to
inquiries.
6) Recent Creation of Cyber Unit in the Division of
Enforcement: In September 2017, we created a Cyber Unit
within the Division of Enforcement that will focus
Enforcement's substantial cyber-related expertise on
targeting cyber-related misconduct, including
violations involving distributed ledger technology and
initial coin offerings.
7) Tips, Complaints, and Referrals: The Commission welcomes
the public to raise concerns about any aspect of the
capital markets through our Tips, Complaints, and
Referrals Portal, available through SEC.gov and
Investor.gov.
Technological innovations in the financial industry have the
potential to transform how the securities industry operates--
promising new ways to place, clear and settle trades and novel
means to issue securities, raise capital and advise investor
clients. It is too early to assess the impact recent
technological advancements, such as DLT, will have on our
capital markets, but we have observed that existing players are
embracing the technology to deliver services to investors and
the markets.
For example, the Division of Corporation Finance declared
effective a shelf registration statement covering the issuance
of equity and debt that may be offered as traditional
securities, digital securities or both. In December 2016, the
company sold both traditional and digital securities through a
rights offering to existing security holders. The following
characteristics distinguished the digital securities from the
traditional securities included in the offering:
1) The digital securities are traded on an ATS.
2) The digital securities have a shorter settlement period
than traditional securities.
3) The digital securities will be held directly by security
holders as record holder in a digital wallet held at a
broker-dealer authorized to provide investors with access
to the digital securities, while traditional securities are
typically held in ``street name.''
Right now, our policy has not changed. As in the past, we
will apply existing laws to the use of new technologies in the
securities industry. We believe we have the authority,
flexibility and resources to do so in a manner that strikes the
appropriate balance between encouraging innovation and
protecting investors.
For example, in our July 2017 report on The DAO, we
explained that existing laws govern the offer and sale of
securities regardless of their form. The test for what is a
``security'' is flexible and will depend on the facts and
circumstances, including the economic realities of the
transaction. The DAO Report demonstrates that even an
instrument that operates on distributed ledger technology can
meet the definition of security. Where purchasers invest money
in a common enterprise with a reasonable expectation of profits
to be derived from the entrepreneurial or managerial efforts of
others, then our jurisdiction is invoked. Where appropriate, we
will file enforcement actions against those who violate the
Federal securities laws. Our message in the Report was clear:
those that offer and sell securities in the United States and
those who facilitate their resale will be subject to the
Federal securities laws.
Of course, where policy changes or revision of rules are
appropriate and necessary to fulfill our mission, we will take
that course of action.
In the case of investigating and prosecuting violations
involving conduct or persons outside the United States, we
regularly seek the cooperation of foreign jurisdictions with
whom we have Memoranda of Understanding and other agreements,
overseen by our Office of International Affairs.
------
RESPONSE TO WRITTEN QUESTIONS OF SENATOR HEITKAMP FROM JAY
CLAYTON
Q.1. The Financial Accounting Standards Board (FASB) issued the
final current expected credit loss (CECL) standard in June
2016. The FASB's new credit loss model comes in response to the
financial crisis and was intended to protect banks, their
customers and investors against a future downturn. The CECL
model makes fundamental changes to accounting standards and its
adoption could have a variety of impacts on financial
institutions.
Given the substantial change to long-standing accounting
rules and the potential consequential impact that the
accounting standards will have on how banks make credit
decisions--from the duration of loans, to the pro-cyclical
effects on banks during a downturn, to the cost of credit to
borrowers--should the SEC engage in its own review of this
FASB rule?
A.1. The FASB is an independent standard setter focused on
developing accounting standards for financial reporting that
provides investors with the information they need to make informed
investment decisions. When setting standards, the FASB states
that it weighs whether the expected improvement in the quality
of the information provided to users justifies the cost of
preparing and providing that information. Better information in
turn could change what capital allocation decisions should be
made or what actions should be taken by management, but the
FASB does not seek to influence the outcome of those decisions.
I believe that it is entirely appropriate for the FASB to focus
on the quality of the information provided to investors to
ensure continued investor confidence in the accuracy and
quality of reported information, which is critical to capital
formation.
The FASB's project that led to the issuance of CECL has its
origins in the financial crisis, where some market participants
believed the existing ``incurred loss'' model resulted in the
untimely and delayed recognition of credit losses, and
ultimately, lower levels of loan loss reserves than otherwise
may have been anticipated. Accordingly, the FASB's stated
objective for issuing CECL was to provide users of financial
statements with ``more decision-useful information about the
credit risk inherent in financial assets and the change in
expected credit losses occurring during the period.'' As
opposed to the ``incurred loss'' model, the CECL approach is
intended to more closely align an entity's financial reporting
with management's estimate of expected credit losses which,
even today, are informed by and incorporated into the entity's
underwriting, servicing and collateral management practices. In
other words, it is intended to provide investors with reporting
that is more closely aligned with management's assessment of
the issuer's financial condition.
Achieving consensus on the financial reporting standard for
credit losses was a substantial undertaking. The FASB's
extensive outreach activities prior to finalizing the standard
included meeting with over 200 users of financial statements
and holding more than 85 meetings and workshops with preparers,
including field work at 25 company locations to get direct
input. Feedback provided to the FASB during the standard
setting process included, among other things, concerns with how
the new standard will impact loan duration, cost of credit to
borrowers and the potential pro-cyclical effects on banks. It
is my understanding that the FASB considered all feedback
received and included amendments in the final standard to
address many of the concerns raised by stakeholders.
The Commission staff has actively monitored the standard
setting process and continues to monitor implementation
activities undertaken by stakeholders and the FASB. In
particular, staff has actively monitored the FASB's Transition
Resource Group for Credit Losses (TRG), whose members include
financial statement preparers (including community banks and
credit unions), auditors, users and financial services
regulators, and has encouraged banks to bring questions about
the accounting standard before the TRG for discussion. In
short, the staff has been and will continue to assess whether
CECL is having its intended effect of aligning
reporting with management's analysis and whether there are any
unintended negative consequences, including those discussed in
the next question.
Q.2. Has the SEC engaged in discussions with the Federal
Reserve about the potential impacts that the new CECL standards
will have on the Comprehensive Capital and Review (CCAR)
process?
A.2. While the FASB establishes accounting standards for the
benefit of investors, prudential regulators also use the
information generated by financial reporting for their own
regulatory purposes, including in setting capital standards for
financial institutions. There is a long history of engagement
between the SEC and the prudential regulators on accounting
issues, particularly in areas where the needs of investors and
the supervisory needs of the prudential regulators have
diverged to some extent.
The SEC staff has been engaged in ongoing discussions with
the banking regulators regarding the potential effects of the
new CECL standard. We are aware that the regulatory capital
requirements are currently being analyzed by the appropriate
banking regulators and other supervisory bodies in connection
with the changing accounting standards. For example, the Basel
Committee on Banking Supervision, which provides a forum for
regulator cooperation on banking supervisory matters, recently
issued transition guidance with respect to the impact of
accounting changes on regulatory capital. The Basel Committee
has indicated that it will monitor the effect of the new
standard's impact on capital, including a quantitative impact
assessment.
Additionally, the U.S. Treasury has recommended that the
potential impact of the new standard on banks' capital levels
be carefully reviewed by U.S. prudential regulators with a view
toward harmonizing the application of the standard with
regulators' supervisory efforts.\1\ Finally, the Commission's
Chief Accountant has expressed his encouragement and support
for this review to ensure regulatory requirements are updated,
if necessary, to account for the impact of any change resulting
from the new standard.\2\
---------------------------------------------------------------------------
\1\ See U.S. Department of Treasury, A Financial System that
Creates Economic Opportunities--Banking and Credit Unions (June 2017),
available at https://www.treasury.gov/press-center/press-releases/Documents/A%20Financial%20System.pdf.
\2\ Wesley R. Bricker, Chief Accountant, U.S. Securities and
Exchange Commission, Remarks Before the AICPA National Conference on
Banks & Savings Institutions: Advancing High-Quality Financial
Reporting in Our Financial and Capital Markets (Sept. 11, 2017),
available at https://www.sec.gov/news/speech/speech-bricker-2017-09-
011.
---------------------------------------------------------------------------
I believe that these reviews are entirely appropriate and
necessary--when an accounting standard is changed in a way that
provides investors with better information, but that gives rise
to unwarranted results under bank capital rules, it may be
necessary to modify other rules (e.g., the bank capital rules)
to eliminate that unwarranted result. SEC staff will continue
to engage with the prudential regulators on this issue and
provide any assistance they require as they undertake their
process for reviewing their standards.
Q.3. Are you concerned that the CECL standards could create
incentives to keep banks from lending in an economic downturn
(an impact that could be amplified by stress testing
requirements) and slow a recovery?
A.3. While financial institutions are still evaluating the
effect of the new standard, some have indicated that the new
requirement to immediately recognize expected losses, instead
of deferring losses until ``incurred'' (as under the existing
standard), could adversely impact an entity's ability to lend
in an economic downturn or slow an economic recovery. I am
concerned by these issues. But I would also be concerned if
financial reporting standards were not providing investors with
relevant, reliable and timely information about a financial
institution's credit risk and its change in expected credit
losses.
Many of the concerns expressed by banks appear to me to be
the result of the interaction of the new CECL standard with
existing regulatory capital requirements. I support the ongoing
efforts by the appropriate banking regulators and other
supervisory bodies to analyze the regulatory capital
requirements in connection with the changing accounting
standards.
------
RESPONSE TO WRITTEN QUESTIONS OF SENATOR CORTEZ MASTO FROM JAY
CLAYTON
Q.1. Can you elaborate on the changes made to the Securities
and Exchange Commission's (SEC) delegated subpoena power that
you described during the question and answer period of your
testimony?
A.1. The Federal securities laws authorize the Commission, or
any officer designated by the Commission, to issue subpoenas
requiring a witness to provide documents and testimony under
oath. The Commission itself has the power to designate members
of the staff to act as officers of the Commission in an
investigation by issuing a Formal Order of Investigation
(formal order). The formal order serves two important
functions. First, it directs that a nonpublic investigation be
conducted, and second, it designates specific staff members to
act as officers for purposes of the investigation and empowers
them to administer oaths and affirmations, subpoena witnesses,
compel their attendance, take evidence and require the
production of documents and other materials. Once a formal
order issues, staff in the Enforcement Division who are named
as officers in the formal order can issue subpoenas for
documents and testimony.
In the wake of the financial crisis, the Commission, by
rule, delegated the authority to issue formal orders to the
Director of the Enforcement Division. This authority was then
sub-delegated by the Chairman of the Commission to additional
senior officers in the Enforcement Division. This sub-
delegation to the Division's senior officers was removed before
I joined the Commission, but the Commission's rule delegating
authority to the Enforcement Division's Co-Directors remains in
place.
I have discussed the delegation of formal order authority
with the Co-Directors of the Enforcement Division, and I am
comfortable that there are benefits to having that authority
resting with the two of them, including that it enables them to
more efficiently and effectively manage the nationwide
Enforcement program. I do not believe that limiting the
authority to the Enforcement Division Co-Directors has
negatively affected the Commission's ability to protect
investors and deter misconduct. Rather, following consultation
with the Co-Directors, I believe at this time that the current
scope of delegation enhances investor protection as it provides
for a more effective allocation of limited resources by the
leadership of the Enforcement Division.
Q.2. Please describe what specific steps you have taken during
your tenure, or that you intend to take, to increase individual
accountability for wrongdoers at offending firms subject to
enforcement actions from the SEC.
A.2. As I stated at my confirmation hearing, I strongly believe
in the deterrent effect of enforcement proceedings that include
individual accountability. I firmly believe that individual
accountability drives behavior more than corporate
accountability. Bad actors undermine the hard-earned confidence
that is essential to the efficient operation of our capital
markets and there is zero room for them in our capital markets.
The Commission considers individual liability in every
case; it is a core principle of our enforcement program and
holding individuals accountable for wrongdoing is a priority
for me. To date, the Commission's publicly announced
enforcement actions and investigations have borne out the
premium I place on individual accountability. As Chairman, I
will continue to support the Enforcement Division's efforts to
hold individuals accountable when it is appropriate to do so
under the facts and the law. In this regard, it is important to
note that, while no two matters involving individuals and
corporations are the same, on balance and across a large sample
of matters, pursuing a greater number of individuals may
require more resources (including time) and may lead to lower
aggregate fines and collections as individuals generally have
fewer resources than corporations. However, I believe the
beneficial effects--most significantly deterrence and removal
of bad actors--weigh in favor of pursuing individual
accountability where the facts warrant.
Q.3. I am deeply concerned about the cyber breach of the SEC's
EDGAR system, and the hacking of sensitive, nonpublic and
market-moving corporate information. But in addition to the
EDGAR breach, I'm concerned about potential other
vulnerabilities at the SEC. For example, the SEC has a ``Tips,
Complaints and Referrals'' public-facing portal, where
potential whistleblowers may go to report illegal behavior. If
this data was compromised, it could serve as a roadmap of
potential sensitive investigations of SEC-regulated entities,
and could expose confidential whistleblowers to serious harm
and retaliation. How confident are you that the SEC's
whistleblower portal is secure? And do you need further
resources from Congress or support from the Administration to
ensure that this repository of sensitive information is
protected?
A.3. The Tips, Complaints and Referrals (TCR) system is an
integral element of the SEC's whistleblower program. The
whistleblower program alerts the SEC to possible fraud and
other violations earlier than might otherwise be possible and
helps to minimize harm to investors. To better protect
whistleblower data, several security improvements were applied
to the TCR system in
fiscal year 2017, and the staff continues to evaluate the
safety and soundness of the security protocols surrounding the
system. The staff believes the improvements made in fiscal year
2017, together with other improvements that the SEC expects to
implement, will augment and improve the security of the TCR
system. As I said in my confirmation hearing and in my written
testimony before the Committee and the House Financial Services
Committee, cybersecurity is an area that is vitally important
to the SEC, our markets and me personally, and I commit to
studying and evaluating whether additional support or resources
are needed from Congress or the Administration.
Q.4. In the statement you released on September 20th regarding
cybersecurity, you noted that the SEC was, ``in the process of
implementing the National Institute of Standards and Technology
Framework for Improving Critical Infrastructure
Cybersecurity.''\1\ These standards are meant to provide ``best
practices'' for the roles and responsibilities of agency
officials in carrying out the SEC's information security
objectives, including training efforts. Please describe why the
Commission is still ``in the process'' of implementing the NIST
Framework. This is particularly pressing since this framework
was first proposed in February 2014, meaning the SEC has had
three and a half years to implement it. When is your timeline
for completing implementation? Can you speak to whether, if the
SEC had fully implemented this framework by 2016, could the
EDGAR hack have been prevented?
---------------------------------------------------------------------------
\1\ https://www.sec.gov/news/public-statement/statement-clayton-2017-09-20.
---------------------------------------------------------------------------
A.4. All Federal agencies, including the SEC, have been
required to follow the NIST Risk Management Framework (RMF), a
framework to improve information security and strengthen risk
management processes.\2\ The NIST Cybersecurity Framework (CSF)
was created in 2014 as a voluntary framework of industry
standards and best practices to help private sector
organizations manage cybersecurity risk. On May 11, 2017, the
President issued Executive Order 13800 (Strengthening the
Cybersecurity of Federal Networks and Critical Infrastructure)
that, for the first time, required implementation of the CSF
for all Executive departments and agencies.\3\ Because the CSF
introduces entirely new cybersecurity nomenclatures, outcomes
and metrics for organizations, successful implementation is a
significant undertaking that entails top-to-bottom review and
redesign of all aspects of an agency's cybersecurity program
and significant staff training to educate staff on the new
framework. Implementation also necessitates that agencies first
understand how best to leverage the RMF alongside the newer
CSF, which has key differences.
---------------------------------------------------------------------------
\2\ https://csrc.nist.gov/projects/risk-management/risk-management-framework-(rmf)-overview.
\3\ https://www.whitehouse.gov/the-press-office/2017/05/11/Presidential-executive-order-strengthening-cybersecurity-federal.
---------------------------------------------------------------------------
The SEC began work to implement the CSF shortly after the
May 2017 Executive Order. We have submitted an implementation
plan to the Department of Homeland Security, and its successful
implementation is a priority. I support adoption of the CSF
because I believe that it will provide both technical and
nontechnical personnel with a heightened understanding of the
risk and vulnerabilities associated with agency systems, which
is vital to ensure security protections are implemented
commensurate with risk. It is important to note that I have
also initiated a general assessment and uplift of our
cybersecurity risk profile, including the identification and
review of all systems that hold market sensitive data or
personally identifiable information. It is my aim and
expectation that this exercise will provide valuable context in
the SEC's continued efforts to implement the CSF.
Q.5. Chair Clayton, at your confirmation hearing, I asked you
for your thoughts on financial companies' use of mandatory pre-
dispute arbitration clauses--or what's commonly known as
``forced arbitration clauses,'' which prohibit consumers and
investors from banding together in court and force them to ``go
it alone'' in a system tilted to the benefit of large
corporations. Your response to my question at your confirmation
hearing, and to my questions for the record, indicated that you
needed to learn more about this issue and consult with SEC
staff before offering an opinion. Now that you've had 4 months
on the job, are you willing to commit to have the SEC staff
study the use of forced arbitration clauses by companies within
the SEC's jurisdiction?
A.5. The prospect of prohibiting, limiting, or conditioning the
use of mandatory pre-dispute arbitration agreements raises a
number of complex issues, including potential effects on: (1)
retail investor choice; (2) forum access; (3) finality and
appellate rights; (4) development of legal precedent; (5) time
to resolution and cost of resolution; and (6) identification
and removal of wrongdoers. To help better understand the
concerns surrounding mandatory pre-dispute arbitration
agreements, the Commission has solicited public comment about
the ability of retail customers to bring claims against their
financial professionals \4\ and has received letters
reflecting, among other things, deeply held but disparate
opinions on this issue.
---------------------------------------------------------------------------
\4\ See Duties of Brokers, Dealers, and Investment Advisers,
Exchange Act Release No. 69013 (Mar. 1, 2013), 78 FR 14848, 14853 (Mar.
7, 2013). The Commission also made available email boxes with respect
to various provisions of the Dodd-Frank Act, including Section 921
(Authority to Restrict Mandatory Pre-Dispute Arbitration). See Public
Comments on SEC Regulatory Initiatives Under the Dodd-Frank Act,
available at http://www.sec.gov/spotlight/regreformcomments.shtml.
Additionally, on June 1 of this year, I issued a statement
requesting public comments on standards of conduct for investment
advisers and broker-dealers. See Public Statement by Chairman Jay
Clayton, ``Public Comments from Retail Investors and Other Interested
Parties on Standards of Conduct for Investment Advisers and Broker-
Dealers'' (June 1, 2017) available at
https://www.sec.gov/news/public-statement/statement-chairman-clayton-2017-05-31.
---------------------------------------------------------------------------
Because of the potential impact of any changes to current
practice, as well as the strong views on both sides of this
debate, I believe further information, data, and analysis would
be beneficial to assist in determining whether and if so, how,
to address the use of mandatory pre-dispute arbitration
agreements. To that end, I have asked the staff to undertake
additional information gathering on this issue. I have asked
the staff to then brief me in the coming months.