A Cautionary Tale for Startups in Regulated Industries

Past is prologue.  The global economy and financial markets are struggling under the weight of the COVID-19 crisis.  One lesson from previous financial crises is that business practices leading up to and during this crisis are far more likely to receive enforcement scrutiny from prosecutors and regulatory agencies than they might have but for the COVID-19 crisis.  Many startup companies today, all of which were founded during the longest economic expansion in United States history, may be unprepared for the coming enforcement wave; as the old saying goes, you don't appreciate the good times until you've lived through the bad. Increased enforcement will be most visible in regulated industries like financial services and FinTech, where numerous federal and state agencies have overlapping or complementary jurisdiction. Meanwhile, regulators have broadened their purviews, exemplified by the SEC’s recent actions against VC-backed private entities Theranos and Credit Karma.  Startups’ level of readiness for government inquiries spans the spectrum from ready and confident, to “they don’t know what they don’t know.”  The time is now for startups to assess their needs and take steps to prepare for this oncoming regulatory scrutiny.

(1) Experience from Previous Financial Crises.

Three Principal Varieties of Fraud.  Frauds that surfaced in the 2007-08 and 2001 crises typically fit into three broad categories: those whose misconduct predated the crisis, those precipitated by the crisis, and those occurring during the crisis.

• The first category includes frauds that began during the period of economic expansion predating the crisis, when regulation and oversight was lax, financing was plentiful, and the market was exuberant. This combination allowed frauds to flourish undetected when they otherwise might not have been viable.  Examples of such frauds include the 2000-01 implosions of small-cap stock market darlings Unify and Legato, both of which restated earnings after fraudulent revenue-recognition practices came to light.  The parallel frauds by banks and rating agencies that surfaced in 2007-08 involving mortgage-backed securities and CDOs are another example.
• The second category includes frauds involving rogue employees making wrong choices as the economy weakened and they attempted to maintain financial results and inflated stock prices. A prime example is the 2000-01 fraud conducted by marketplace software company PurchasePro, which had subsisted on capital from its initial and secondary public offerings. As the market for PurchasePro’s software dwindled, the CEO generated fake revenue through “roundtripping” transactions with business partners, wherein PurchasePro would pay the partners commissions for nonexistent customer referrals, and the partners would buy PurchasePro software licenses.
• The third category includes frauds arising during the financial crises, including investigations of entities targeting consumers with COVID-related frauds and investigations concerning crimes at entities receiving crisis-related government funds. For example, the Special Inspector General for the Troubled Asset Relief Program (TARP), created in the wake of the 2007-08 crisis to police fraud among financial institutions that received TARP funds, obtained more than 300 criminal convictions and $11 billion in penalties (recovering $900 million in 2019).  

Today, the Coronavirus Aid, Relief and Economic Security Act (CARES Act) makes hundreds of billions of dollars in relief available to small businesses. Like TARP, the CARES Act provides multiple oversight mechanisms, including a Special Inspector General for Pandemic Recovery, a Pandemic Response Accountability Committee comprised of inspectors general from across relevant agencies, and a Congressional Oversight Commission.  Because the funds available under the CARES Act are vastly greater than under TARP, there is every reason to expect CARES Act oversight will be even more aggressive, persistent, and enduring.  

(2) What can startups do now?

Action Items.  Startup companies - particularly FinTechs - may want to consider these pro-active risk mitigation measures.

• Tone at the Top: executives should espouse a compliance-first culture and a “we’re in this together” attitude, to prevent employees from making bad choices and feeling the need to “save themselves.” Compliance hotlines should be promoted in hopes that problems can be addressed internally before they’re reported publicly or to regulators.
• Effective Controls: Companies should assess controls, strengthen them where needed, and monitor compliance, particularly concerning purchasing, revenue recognition, contractor and partner dealings, and cybersecurity.
• Crisis management: Reiterate or implement crisis management policies, training employees how to handle calls or visits from government agencies or the media.
• CARES Act compliance:  If your business seeks funds under the CARES Act, involve legal and compliance from the outset, ensure you appropriately document your eligibility for funds, maintain those documents, and monitor and audit your compliance efforts. 

Implementing modifications like those listed above may help startups avoid a regulatory or enforcement inquiry, or can at least reduce the risks associated with such inquiries if they do ensue.