Financial fraud actions have traditionally been a staple of SEC Enforcement. During the market crisis, however, the number of those cases waned. Following the formation of a task force focused on financial statement fraud, and a related data group, many thought the Commission would again bring more cases in this area. Now some commentators believe the SEC may be returning to this one-time priority. See, e.g., SEC Flexes Its Accounting Fraud Enforcement Muscles, Law 360 (Sept. 23, 2015). If so, the recent action against retailer Stein Mart may be part of that emerging trend. In the Matter of Stein Mart, Inc., Adm. Proc. File No. 3-16826 (Sept. 22, 2015).

Stein Mart is a national retailer based in Jacksonville, Florida. The firm operates 270 retail apparel stores in 30 states. As a retailer, inventory is one of its most significant assets. That inventory, under the applicable standards, is valued at the lower of cost or market.

The company frequently marks down the price of its merchandise. Typically it uses three classifications: 1) temporary or point of sale markdowns; 2) permanent markdowns; and 3) permanent point of sale or Perm POS markdowns. Temporary markdowns represent a short-term markdown to stimulate demand. Permanent markdowns are, as the name implies, permanent. They are used to clear out seasonal merchandise. The Perm POS markdowns are also permanent – the item is never returned to its original price. The manner in which the Perm POS markdowns are handled at the store differs from that of other permanent markdowns.

Traditionally, Stein Mart took markdowns by discounting the item by various percentages of the price. In 2009 the firm changed the method for taking markdowns. While Perm POS markdowns typically did not significantly impact the full year financial results, they could have an impact on quarterly inventory and the related results.

Stein Mart accounted for the reduced value of inventory subject to a temporary markdown at the time of sale. In contrast, for inventory that was permanently marked down, the firm reduced the value at the time of the markdown. For Perm POS markdowns Stein Mart used the same valuation approach as for temporary markdowns, which is contrary to GAAP.

Until 2011 the firm did not have adequate internal controls concerning Perm POS markdowns to discover the significant impact they had on results. In the summer of 2011 the CFO learned about the Perm POS markdowns for the first time. After a series of internal and external consultations the CFO concluded the accounting for these markdowns was appropriate.

The next year the chair of the audit committee determined that the firm was not correctly accounting for Perm POS markdowns. The external auditors concluded that the current practice was an error. The firm subsequently restated its financial results for the first quarter of 2012, each quarter of 2011 and for the annual results for 2010. The restatement resulted in quarterly changes in pre-tax income which were material in many instances. In the process other deficiencies in controls were discovered relating to its liability for credit card rewards, the firm’s inventory retail stock ledger and the manner in which the company capitalized and amortized software. The Order alleges violations of Exchange Act Section 13(a), 13(b)(2)(A) and 13(b)(2)(B).

To resolve the matter, the firm consented to the entry of a cease and desist order based on the Sections cited in the Order. In addition, Stein Mart agreed to pay a penalty of $800,000. The Commission considered the firm’s remedial actions and cooperation in deciding to accept the offer of settlement.

Cybersecurity is one of the current hot topics of discussion. Regulators here and abroad have expressed concern regarding cybersecurity. Breaches are periodically reported in the media. Now the SEC has brought its first enforcement action centered on cybersecurity. In the Matter of R.T. Jones Capital Equities Management, Inc., File No. 3-16827 (Sept. 22, 2015).

R.T. Jones is a registered investment adviser based in St. Louis, Missouri. The firm has about 8,400 client accounts and $480 million in regulatory assets under management. The firm provides investment advice to retirement plan participants under various agreements with plan administrators and sponsors. R.T. Jones uses an option called Artesys through which clients are offered a variety of model portfolios with a range of investment objectives and risk profiles.

Plan participants access Artesys through the R.T. Jones website. Investors enroll through the site by furnishing certain personal information and responding to a questionnaire. Based on that information R.T. Jones recommends a portfolio. If the client agrees, the advisor provides trade instructions to the plan administrator. R.T. Jones does not control or maintain client accounts or information. It does, however, maintain information on all 100,000 plan participants which the firm obtained from the administrator. The information was stored on a third-party-hosted server. It was not encrypted.

In July 2013 the firm discovered a potential cybersecurity breach at the server. R.T. Jones retained consulting firms to confirm and assess the scope of the breach. One consultant confirmed that the attack was launched from multiple IP addresses based in China. The consultants could not confirm the scope of the breach or if the personal information of the clients had been compromised. There is no indication to date that clients had suffered any financial harm from the attack.

The SEC’s Safeguard Rule, adopted in 2000, requires that every investment adviser adopt policies and procedures with certain protections. Specifically, those include: a requirement that the policies and procedures insure the security and confidentiality of customer records and information; protect against anticipated threats or hazards; and safeguard against unauthorized access. R.T. Jones failed to adopt any written policies and procedures in accord with the Rule. Thus the firm did not conduct periodic risk assessments, employ a firewall to protect the web server, encrypt client personal information or establish procedures for reporting an incident. The Order alleges violations of Rule 30(a), Regulation S-P.

Following the incident R.T. Jones appointed an information security manager to oversee data security. It also adopted and implemented a written information security policy and moved the client personal information to an internal server and encrypted it. The adviser also retained a cybersecurity firm to provide on-going advice and reports. The firm also cooperated with the staff’s investigation.

To resolve the proceeding Respondent consented to the entry of a cease and desist order based on the Rule cited in the Order and to a censure. R.T. Jones will also pay a penalty of $75,000. The Commission considered the firm’s remedial actions and cooperation in resolving the action.
