The SEC’s 2024 enforcement numbers were never going to tell the whole story. Yes, the agency brought 26% fewer cases than the year before; but no one paying attention would call this a quiet year. Why? The Commission secured $8.2 billion in financial remedies, the highest total in its history.
This wasn’t a strategy shift designed to ease pressure. It was something else: a narrowing of focus, with an emphasis on deeper impact. The actions that did move forward were deliberate and, in many cases, seismic.
Terraform, Trials, and the Signal to the Market
In April, a federal jury found Terraform Labs and Do Kwon liable for one of the largest frauds involving crypto asset securities. The penalty: more than $4.5 billion. The trial outcome was swift, and the result resonated across tech, compliance, and venture finance.
It also gave the SEC what it rarely gets: an opportunity to define crypto fraud in court, not just in settlement language.
Firms working with digital assets should take note. The agency is no longer circling the space. It is choosing its moments, litigating hard, and winning.
Less Volume, Greater Pressure
In total, the SEC brought 583 enforcement actions in FY2024:
- 431 were standalone cases
- 93 were follow-on administrative actions
- 59 involved delinquent filings
All categories declined compared to 2023, continuing a trend toward more selective enforcement. But the cases that did move forward were substantial. Morgan Stanley paid $249 million in penalties over block trade disclosures. FirstEnergy was fined $100 million after a political corruption scheme involving payments to a state legislator. SAP paid nearly $100 million to settle FCPA violations involving bribery schemes in South Africa, Ghana, Indonesia, and several other countries. That resolution was part of a larger global settlement totaling over $220 million across U.S. and foreign jurisdictions.
Rather than scaling back, the SEC prioritized actions that could set precedent, signal expectations, or send a message to entire sectors. That kind of selectivity shaped the pressure firms felt throughout the year.
A Clearer Path for Cooperation
One trend became increasingly visible in 2024: the SEC is rewarding firms that act early.
Advisory firms and public companies that self-reported and demonstrated meaningful remediation often received dramatically reduced penalties. Some paid none at all. In one high-profile case involving cybersecurity failures, the SEC imposed no fine, explicitly citing the company’s cooperation and controls overhaul.
If you’re in a smaller firm, this is an operational signal worth taking seriously. Cooperation is no longer just a reputational buffer; it can fundamentally shape an enforcement outcome.
Here’s what a good plan looks like in practice:
- Conduct internal investigations before being contacted
- Preserve documents proactively, not retroactively
- Present a timeline of remediation with documented ownership
- Prepare leadership to speak clearly about process failures, not just outcomes
These are strong signals that the organization takes its responsibilities seriously.
Gatekeeper Failures and the Familiar Risks
New fraud types did not dominate the year. Some of the most damaging cases came from failures in the basics.
The SEC permanently barred the audit firm BF Borgers and its managing partner, Benjamin Borgers, after uncovering systemic fabrication of audit documentation. The misconduct affected over 1,500 SEC filings. The total penalty was $14 million: $12 million for the firm and $2 million for Borgers personally. Both were also permanently suspended from practicing before the Commission.
That wasn’t an AI-driven collapse or a crypto scam, but a traditional audit firm failing at its core function.
Other key “evergreen” risks that saw heavy enforcement attention included:
- Material misstatements in financial disclosures
- Inadequate internal controls
- Incomplete or misleading MD&A sections
- Late filings and failures to file beneficial ownership disclosures
For firms with limited compliance teams, these are areas where mistakes often begin as administrative gaps. Enforcement begins when those gaps persist without acknowledgment.
New Categories, New Cases
The SEC’s focus in 2024 extended into areas that barely registered a few years ago. Artificial intelligence, cybersecurity lapses, and manipulative behavior on social media were all enforcement priorities.
- AI exaggeration: Firms were charged for promoting non-existent AI-based trading strategies or overstating the role of machine learning in fund performance.
- Cybersecurity and disclosure: ICE and its subsidiaries were penalized for failing to inform the SEC promptly after an intrusion. The delay itself became a securities law issue.
- Romance scams and crypto traps: Two enforcement actions targeted schemes where fraudsters built fake personal relationships online, then directed individuals to illegitimate crypto trading platforms. These were the SEC’s first cases of this kind.
This category of case isn’t limited to tech firms. Anyone using AI language in investor materials, or managing sensitive client data, needs to consider whether their controls, disclosures, and review processes reflect what regulators now expect.
Proactive Initiatives That Became Themes
The SEC is setting enforcement themes and following them over multiple years; not just reacting. In 2024, several of these took shape:
Off-Channel Communications
- More than 70 firms penalized in 2024
- Over $600 million in total fines this year
- Charges expanded to include municipal advisors
The rule: preserve all communications relevant to business, regardless of device or platform. For smaller firms, this means mobile messaging, email aliases, and personal accounts all need controls or restrictions.
Marketing Rule Violations
A dozen firms were charged for issues like:
- Using hypothetical performance data in public marketing
- Failing to adopt written policies around testimonials
- Sharing misleading performance comparisons
This is a newer area of enforcement, but it’s moving fast. Disclosures and context matter more than ever, especially in digital formats.
Whistleblower Impediment Cases
The SEC issued its largest-ever standalone whistleblower protection fine: $18 million against J.P. Morgan. The violation? Contracts that appeared to discourage employees from reporting concerns directly to regulators.
Even standard NDAs or employee handbooks can become enforcement triggers if the language implies limits on whistleblower rights.
What To Do Now
Compliance teams are often stretched thin, especially at smaller firms. But the patterns from 2024 show where targeted attention can go a long way. The firms that navigated enforcement successfully this year weren’t relying on scale. They had systems that worked under pressure—internal reviews, documentation trails, and policies that matched how people actually worked.
Based on this year’s cases, a few areas are worth prioritizing:
- Messaging platforms: Know which ones your team uses, and ensure they’re monitored and archived. This includes mobile and personal devices if they’re used for business.
- Marketing and performance claims: If you’re referencing algorithms, data models, or hypothetical results, there needs to be a process for verifying accuracy and context.
- Whistleblower policies: Review employee agreements and internal reporting structures for language that could be read as limiting someone’s ability to contact the SEC.
- Cybersecurity disclosures: Have a plan in place for how cyber incidents are evaluated, reported internally, and escalated to legal or executive teams. Timelines matter.
- Internal controls and documentation: The firms that resolved cases favorably often had clear logs of what went wrong and who responded, even before the SEC got involved.
In smaller environments, a policy on paper is often outpaced by how people actually behave. Training, testing, and follow-up are what turn written procedures into real protections.
Looking Ahead
Enforcement actions this past year weren’t driven by novelty. The most important cases were the ones that clarified expectations. What counts as disclosure. What counts as oversight. What cooperation looks like when it matters.
The SEC doesn’t seem interested in expanding its footprint for the sake of volume. Instead, it’s drawing sharper lines and choosing cases that move the edges of interpretation. In practice, that means enforcement feels more focused… and also more unpredictable.
For compliance leaders, especially in firms without dedicated legal departments, the environment calls for sharper instincts and better preparation. Not everything needs to be formalized through expensive systems. But the logic of your decisions (why something was disclosed, why a communication channel was approved, why a risk wasn’t escalated) should be findable. And it should make sense.
The next wave of enforcement may involve tools or technologies that aren’t even mainstream yet. But the core of the response will stay the same: clarity, traceability, and the ability to show that someone was paying attention. For firms trying to stay ahead, the smartest move is still the simplest: act like someone’s already looking.
