SEC Resolution Demonstrates Importance of Internal Controls for Private Tech Companies

Litigation Alert

On January 28, the U.S. Securities and Exchange Commission (SEC) announced a no-penalty resolution with private technology company HeadSpin, Inc., for violating the anti-fraud provisions of the Securities Exchange Act of 1934. Though private companies are not subject to all the same internal controls requirements as public companies, many high-growth companies in the technology and fintech sectors would be surprised to learn that they are subject to the SEC's anti-fraud provisions and can face SEC investigations and corresponding penalties for violating those provisions. The HeadSpin settlement is a wake-up call to private technology companies and shows that waiting until an initial public offering (IPO) to implement compliance procedures and internal controls is a mistake that could carry significant legal, regulatory, and reputational consequences. We will summarize the facts surrounding the HeadSpin fraud and discuss the lessons to be gleaned from the resolution.

Factual Background

According to the factual allegations in the SEC's complaint, HeadSpin, founded in 2015, sells hardware and software to corporate clients around the world, either directly or through third-party resellers. From 2018 to 2020, HeadSpin, through its Chief Executive Officer (CEO), allegedly engaged in a fraudulent scheme to inflate its financial results to attract investors through increasingly high valuations. Among other things, the SEC alleges that the CEO: 

  • Fraudulently inflated the company's annual recurring revenue (ARR) by falsely increasing the values of deals in place with customers or improperly including in the ARR uncommitted amounts from non-binding agreements with customers
  • Altered invoices to provide justifications for the inflated ARR
  • Entered fabricated values into an internal tracking spreadsheet to fraudulently increase the ARR
  • Falsely inflated the company's actual revenue numbers by dictating inflated revenue numbers to HeadSpin's bookkeeper, sometimes providing fake or altered invoices as documentary support

According to the SEC, HeadSpin used the inflated financial information to defraud investors in connection with a Series B financing round in the fall of 2018 and a Series C round a year later. The Series B round was successful and raised approximately $20 million at a $500 million valuation. In the company's Series C round a year later, HeadSpin was valued at $1.1 billion. The SEC complaint alleges that by manipulating financial information and reporting false ARR to potential investors in connection with their financing rounds, HeadSpin violated the antifraud provisions of Sections 10(b) and 17(a) of the Securities Exchange Act as well as Rule 10b-5, which together prohibit schemes to defraud investors or misstatements or omissions of material facts to investors. The SEC also brought an action against the CEO directly, making similar allegations of violations of the antifraud provisions, and the U.S. Department of Justice (DOJ) also brought charges of securities fraud and wire fraud against the CEO stemming from the same factual allegations. 

In March 2020, following an internal investigation, the HeadSpin Board of Directors was notified about concerns regarding the accuracy of the financial information provided to investors. The company then took steps to remediate the issue. The company forced the CEO to resign, revised its valuation, and returned through recapitalization approximately 70 percent of principal to investors who had taken part in the Series B and C funding rounds. The company also hired new senior management, including a new CEO, Chief Operating Officer (COO), general counsel, and controller, expanded its board, and adopted new processes and procedures regarding financial reporting. 

Implications of the HeadSpin Resolution for Private Tech Companies 

The announcement of the resolution against HeadSpin provides important lessons for pre-IPO private companies, particularly those operating in high-growth areas such as the technology and fintech sectors. 

Most notably, the HeadSpin resolution demonstrates the importance of adequate internal policies, procedures, and controls even for private companies in early stages of maturity. Though private companies do not have the same Sarbanes-Oxley Act (SOX) and reporting requirements as public companies, they are still subject to the anti-fraud provisions of the securities laws and can be held accountable for the financial information provided to potential investors. This is true even for non-U.S. companies that are attracting investment (i.e., offering securities) in the United States. The HeadSpin case puts an end to an enduring fallacy among private technology companies that they are not subject to SEC scrutiny and could wait until an IPO (or immediately before an IPO) to implement compliance procedures and internal controls. While the HeadSpin case does not stand for the proposition that private companies ought to have a compliance program that looks like that of a mature public company, it sends an unmistakable signal that private companies would be well served to think earlier about their potential legal and regulatory risk and to develop internal controls responsive to those risks.

HeadSpin is illustrative. From 2015 to 2020, HeadSpin was on a steep upwards growth trajectory. The company was co-founded in 2015, launched in 2017, and sought Series B funding in 2018 and Series C funding in 2019. Even after the Board revised the company valuation downward in 2020, the company was still valued at $300 million just five years after its founding. But the internal controls infrastructure did not keep pace with the growth of the business. Even as the company grew into a highly valued business, the co-founder and CEO maintained sole control of the company's ARR-tracking spreadsheet. And while HeadSpin had a bookkeeper who kept the financials, the CEO appears to have dictated the inflated revenue numbers each quarter to the bookkeeper and frequently sent the financials without supporting documentation, despite the bookkeeper's regular requests for backup. 

Notwithstanding the inadequate controls that resulted in a scheme to defraud investors, HeadSpin was able to avoid a penalty from the SEC in large part due to the significant remediation undertaken by the company. The head of the SEC's Division of Enforcement emphasized this remediation in the SEC's announcement of the settlement, saying "[f]or companies wondering what types of remedial actions and cooperation might be credited by the Commission after a company uncovers fraud, this case offers an excellent example." As discussed above, HeadSpin undertook an internal investigation that uncovered the misconduct. The company then removed the CEO, expanded the board and senior management, modified relevant policies and procedures, and revised the company's valuation. Though these steps allowed HeadSpin to avoid an SEC penalty, they did not come without a cost. The company's valuation fell from $1.1 billion to $300 million and HeadSpin made its investors whole by repaying them for that portion of their investment above the proper valuation.

HeadSpin's extensive remediation sets a high bar for private companies that identify potential misconduct. But, by developing compliance policies and procedures and internal financial controls commensurate with a company's growth and development – and not waiting until the eve of an IPO – private companies can mitigate the significant implications felt by HeadSpin and its investors.

For more information, please contact:

Jeffrey A. Lehtman, jlehtman@milchev.com, 202-626-1484

Ian A. Herbert, iherbert@milchev.com, 202-626-1496

Ricardo Rincón, rrincon@milchev.com, 202-626-5863



The information contained in this communication is not intended as legal advice or as an opinion on specific facts. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information, please contact one of the senders or your existing Miller & Chevalier lawyer contact. The invitation to contact the firm and its lawyers is not to be construed as a solicitation for legal work. Any new lawyer-client relationship will be confirmed in writing.

This, and related communications, are protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices, and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this presentation without prior written consent of the copyright holder.