Subject: s7-02-23: WebForm Comments from Anonymous
From: Anonymous
Affiliation:

Mar. 31, 2023

The Supplemental Standards of Ethical Conduct (Ethics Rules) are important to the integrity of the Commission.  Recent ethics lapses by members of Congress (https://www.nytimes.com/interactive/2022/09/13/us/politics/congress-stock-trading-investigation.html), Federal Judges (https://www.wsj.com/articles/federal-judges-brokers-traded-stocks-of-litigants-during-cases-walmart-pfizer-11634306192), and Federal Reserve officials (https://www.washingtonpost.com/us-policy/2022/02/18/federal-reserve-trading-rules/) highlight the need for strict regulations on investments made by government officials with access to non-public information or conflicts of interest.  That the SEC has stricter rules than Congress, the Federal Judiciary, and the Federal Reserve is commendable.

Though it does not (and cannot) state this in the release, these ethical breaches are likely behind the proposal to amend the existing Ethics Rules.  However, despite good intentions, some of the proposed amendments are ill-advised and do not pass a cost-benefit test.  Furthermore, the economic analysis contained in the proposal is woefully inadequate and does not conform to the Current Guidance on Economic Analysis in SEC Rulemakings (available here:  https://www.sec.gov/divisions/riskfin/rsfi_guidance_econ_analy_secrulemaking.pdf).

The Commission proposes to prohibit employee ownership of Financial Industry Sector Funds.  This is a good policy choice from an optics standpoint.  (Again, see the recent ethics breaches by officials in Congress, the Judiciary, and the Fed.)  It is worth noting, however, that if an SEC employee or official wished to trade on nonpublic information about a financial entity, trading a financial industry sector fund would be a really inefficient way to do it.  OEC should provide data from Enforcement on the number of times they've brought an insider trading case that involved the purchase of mutual funds or ETFs.  This would give some idea of the scope of the problem here.  Is it worth prohibiting investments in a class of funds to eliminate a likely negligible risk of using those funds to trade on nonpublic information?  (For optics reasons:  Yes.  For economic reasons:  Doubtful.)

The Commission notes that the primary cost of this amendment would be that employees and their family members would be required to divest of certain funds, but then states that "We do not have sufficient information to quantify the total effects associated with such divestment."  This statement is demonstrably false.  As part of their Ethics obligations, all Commission staff are required to upload complete brokerage and retirement account statements for themselves and their family members to the Personal Trading Compliance System.  These statements contain detailed information - including quantity and dollar amount - on asset holdings, including Financial Industry Sector Funds (if any).  Thus, the Commission has in its internal systems the data that would allow it to estimate with high precision the dollar amount of total assets that would require divestment.  The Guidance on Economic Analysis requires the Commission to quantify costs where feasible.  Quantification in this case is surely infeasible, but not for the reasons the Commission states.  A more accurate statement is that the data are unstructured, requiring manual collection and tabulation, and the Commission lacks the resources to engage in such an exercise.  Alas, the APA and the Courts generally do not accept "we didn't have time" as a legitimate excuse for failure to quantify.  A more compelling rationale is that these data contain sensitive PII, and it would be inappropriate to use these data for this purpose.

I conclude that the prohibition on ownership of Financial Industry Sector Funds is justified, but the Commission has not made a sufficient justification in its proposal.  More concerning is the proposal to collect covered securities transactions and holdings data directly from financial institutions through a third-party automated electronic system.  The Commission's justification for this proposal is that the current system is burdensome and prone to human error, yet they provide no evidence of any failures of the current system.  Nevertheless, let us stipulate that these statements are accurate, and that the proposed amendments would enhance the integrity of Commission operations by allowing more effective OEC oversight of member and employee activity through improved data accuracy and completeness and independent verification of employee holdings and transactions.  The Commission identifies no significant economic costs, only costs of setting up and maintaining the necessary systems.  I have seen the Commission propose many rules that were all cost and no benefit, but I have never seen one that is all benefit and no cost, as this one seemingly is.  Perhaps that is telling us something.

In 2011, the Thrift Savings Plan was hacked, revealing PII (including social security numbers) of 123,201 account holders.  In addition to SSNs, stolen information included financial account numbers and routing numbers.  (Source:  https://www.washingtonpost.com/blogs/federal-eye/post/tsp-discloses-hacking-of-accounts/2012/05/25/gJQAsM4kpU_blog.html)  In 2014, the Office of Personnel Management was hacked twice.  Stolen information included Form SF-86 (security/background check) for any current, former, or prospective federal employee who went through a background check after the year 2000, as well as 5.6 million sets of fingerprints.  In all, 22.1 million records were affected.  (Source:  https://www.washingtonpost.com/news/federal-eye/wp/2015/07/09/hack-of-security-clearance-system-affected-21-5-million-people-federal-authorities-say/)  In 2015, newswire services that regularly release corporate news at scheduled times (e.g., earnings announcements) were hacked, allowing a small set of traders to trade on material information before it was made public.  Some of the same individuals went on to hack the SEC's EDGAR system in 2016, trading on at least 157 earnings releases before they were made public and earning at least $4.1 million in profits.  (Source:  https://www.sec.gov/news/press-release/2019-1)  More recently, the SEC won an insider trading case against an individual who hacked into Donnelley and Toppan Merrill between 2018 and 2020 to steal and trade on non-public earnings data prior to public release.  (Source:  https://www.justice.gov/usao-ma/pr/russian-businessman-found-guilty-90-million-hack-trade-conspiracy)

Based on this limited set of anecdotes, the Commission is fully aware of the threat of cyberattacks and stolen data, and that they are more common than any of us would like to believe.  Indeed, just two weeks ago on March 15, the Commission proposed rules on Regulation S-P (privacy of consumer financial information and safeguarding customer information), Regulation SCI, and Cybersecurity risk management for broker-dealers, clearing agencies, exchanges, data repositories, etc.  The Commission also reopened the comment period for cybersecurity risk management for Investment Advisers, Investment Companies, and BDCs.  Given this awareness of cybersecurity risk and the active cybersecurity rulemaking agenda for registrants, it is curious that cybersecurity risk does not merit a single mention in the Ethics proposal.  Indeed, there is no mention of the following terms:  "cybersecurity", "hack", "theft", "stolen", "PII".  However, the following terms are mentioned two or three times:  "burdensome", "human error", "integrity", "accuracy", "perception of improper use of nonpublic information".

Economics teaches us that there are always tradeoffs, that there is no free lunch.  This is the first lesson on day one of Econ 101.  We would all like to have more leisure time and more income, but in a world of scarce resources we cannot have both.  We would all like a fully automated ethics compliance system that eliminates compliance burdens and protects against cybersecurity risks, but in today's world we cannot have both.  Under the current system, the process is burdensome and error-prone.  The proposed system reduces and/or eliminates these costs, but introduces cybersecurity risks and the threat of stolen information and financial assets.  Both are costs, and it is important to keep in mind that less of one means more of the other.  There are 4,500 Commission employees, and a conservative estimate is that the average employee has at least $100,000 in brokerage and non-TSP retirement accounts.  If there is even a small probability of a cybersecurity attack in any given year, this proposal almost surely does not pass the cost-benefit test.