The Securities and Exchange Commission published a press release Friday afternoon that compliance professionals should welcome: news that a tech startup mired in financial fraud will not pay any monetary penalties, thanks to the company’s extensive cooperation and remediation.
We rarely see an announcement like this, where the SEC’s principal point is to discuss its decision not to sanction a company. On the other hand, corporate compliance and legal teams have long clamored for exactly that window into regulators’ thinking — and now we have such a glimpse, so the least we can do is look closely.
The startup in question is Headspin Inc., a Silicon Valley tech startup whose software helps businesses test how their apps will operate on different mobile devices and networks around the world. Headspin was founded in 2015 by Manish Lachwani, who then ran the business as CEO from 2015 until the board fired him in 2020.
What happened? As outlined in the SEC’s settlement order against Headspin, Lachwani engaged in a long-running scheme to manipulate Headspin’s financial reporting. The SEC says he falsified invoices, recorded promises from potential customers as booked revenue, and inflated those booked revenue figures anyway.
All of this, the SEC says, was to inflate Headspin’s financial metric known as annual recurring revenue (ARR), so that Lachwani could make Headspin look more impressive than it actually was — and therefore get a better valuation while soliciting money from private investors. By 2019 Headspin was valued at $1.1 billion, and 29 investors had bought into the business at that inflated price.
In early 2020, however, everything unraveled. The board received an internal report of Lachwani’s misconduct, fired him, and wrote the value of Headspin back down to $300 million. The SEC subsequently charged Lachwani with running an $80 million fraud scheme. That case is still winding its way through federal court.
Headspin itself, however, apparently did an impressive enough job of cleaning up the mess that the SEC decided not to impose any penalties against the company itself. So let’s talk about that.
Segregation of Duties Failure
That was the fundamental problem here: Lachwani had far more control over sales and financial reporting than was proper.
For example, according to the SEC, Lachwani entered fabricated revenue amounts into Headspin’s ARR-tracking spreadsheet “that he alone controlled.” He fabricated whole invoices, too, with improper amounts included on them. He dictated false revenue numbers to Headspin’s bookkeeper, without supporting documentation. When the bookkeeper asked for such documentation, Lachwani ignored those requests.
This paragraph from the SEC order captures everything nicely:
HeadSpin’s CEO was able to carry out his fraudulent scheme for years because he controlled and managed all the key aspects of HeadSpin’s financials and sales operations, and he kept HeadSpin employees in those different departments isolated from each other. For instance, virtually all the information provided to HeadSpin’s bookkeeper, including the supporting documentation for claimed revenue amounts, flowed through HeadSpin’s CEO.
Let’s disentangle two threads here. When Lachwani allegedly engaged in deliberate acts of fraud, that was his fault. But tolerating a system of internal control so flawed that a CEO could engage in fraud — that is the board’s fault. That is why this complaint against Headspin exists at all.
For example, why would the board of a company making tens of millions in annual revenue rely on a single spreadsheet for critical revenue estimates? (Management estimates and fraud; we’ve talked about this, people.) When the bookkeeper asked Lachwani for more documentation, and Lachwani ignored those requests, why didn’t the board act then?
My point is that if the SEC is praising Headspin for its actions after the misconduct came to light, those actions must really be something notable; because the board’s actions before everything came to light were not good at all.
We have only a few glimpses into what those remedial actions actually were. According to the criminal indictment against Lachwani, in March 2020 a Headspin employee raised concerns to the board that the company was making false statements to investors. The SEC says the board then launched an investigation, fired Lachwani within two months, and wrote down the value of the business by 70 percent.
Since that time, the board has taken other steps, too:
- hiring new senior management, including a new CEO, COO, GC, and controller;
- expanding its board; and
- adopting new processes and procedures to improve transparency and accuracy of deal reporting and associated revenues.
A somewhat vague description of the remediation that won such praise from the SEC, but enough to go on. The newly constituted board took all the steps that any thoughtful board should have taken from the start.
“For companies wondering what types of remedial actions and cooperation might be credited by the Commission after a company uncovers fraud, this case offers an excellent example,” Gurbir Grewal, director of the SEC’s Division of Enforcement, said in a statement. “HeadSpin’s remediation and cooperation included not just its internal investigation and revised valuation, but also repaying harmed investors and improving its governance — all of which were factors that counseled against the imposition of a penalty in this case.”
A Few Other Thoughts
First, any compliance officer or chief audit executive could take this settlement to their board as yet another example of why boards must engage fully and vigorously in oversight of internal control. You could use the Headspin case as an example of what not to do (“look at the mess that happened, because internal control was weak from the start”); or as evidence of how to proceed if disaster has already happened (“look at the favorable treatment they received once they started acting responsibly”).
Second, some people may be wondering, “Is this Headspin scandal just a junior varsity Theranos scandal?” Well, yes and no. We do have a CEO with enormous power, like Theranos and Elizabeth Holmes; and in both cases we see that CEO deceive investors to inflate the value of the company.
One significant difference, however, is that Holmes’ investors and board directors were primarily rich people and old men, wowed by a young blonde telling a great story about transforming the business of blood testing. Headspin, in contrast, was pursuing the more mundane business of app testing; and it raised plenty of dollars from venture capital firms that should have known better.
We also have to ask one last question. Why did the SEC use this case to talk up the benefits of cooperation and remediation, and why now?
That is, why did the Enforcement Division use the example of a private company? Does the agency really have no examples of remediation and cooperation from public companies, when those companies are the bread and butter of its oversight?
I can’t help but notice that recently the SEC floated the idea of requiring more disclosure from privately held firms, under the theory that those private firms have many more “true” investors: people who invest in pension funds, mutual funds, funds of funds, and so forth, and each individual counts as an investor in the private company.
If the SEC wanted to showcase the fraud risks that exist in private company world, to bolster the SEC argument that therefore the agency needs more visibility into said world — well, that example might look a lot like the Headspin case the SEC just offered.
Food for thought.