The staff of the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (staff) issued a National Exam Program Risk Alert on August 12, 2020 (Risk Alert).1 The Risk Alert is intended to share OCIE’s observations on “a number of COVID-19-related issues, risks, and practices relevant to SEC-registered investment advisers and broker-dealers” (collectively, Firms) and on COVID-19-related market volatility that potentially “heightened the risks of misconduct in various areas.” The Risk Alert groups the staff’s observations into six broad categories: protection of investor assets; supervision of personnel; practices relating to fees, expenses and financial transactions; investment fraud; business continuity; and the protection of sensitive information. While risk alerts typically disseminate observations from registrant examinations, the Risk Alert reflects OCIE’s outreach, consultation and coordination with Firms, SEC colleagues and other regulators as a result of the current pandemic.
The Risk Alert also highlights SEC resources to assist Firms during COVID-19 (particularly SEC resources related to fraudulent activities), as well as other guidance and speeches, and emphasizes that “OCIE has remained operational nationwide” throughout COVID-19.
Risk Alert
Protection of Investor Assets
Firms are required to assure the safety of investors’ assets.2 The staff observed a number of changes to existing practices by Firms during the pandemic, which were related to: the collection and processing of client checks; transfer requests; and disbursements. With regard to a Firm’s receipt of checks and transfer requests, the Risk Alert encourages Firms to: review existing practices for any new processes and related risks; enhance policies and procedures to reflect such processes; and consider whether disclosure enhancements are necessary or appropriate in light of potentially delayed processing times. With respect to client disbursements, the Risk Alert encourages Firms to enhance existing policies and procedures to ensure the appropriateness of “unusual or unscheduled withdrawals from [client] accounts, particularly COVID-19 related distributions from [client] retirement accounts.” The Risk Alert specifically states that Firms should:
- Verify client-related matters – consider additional steps to verify a client’s identity and disbursement instructions (including the client’s authorization to request a disbursement, as well as the accuracy of the bank account name and numbers used).
- Recommend adding a trusted contact – recommend that their clients have a “trusted contact” person.
Supervision of Personnel
Firms are required to supervise their personnel, including supervised persons’ investment and trading activities.3 The staff observed that Firms may be required to make “significant changes” to their operating models in light of the effects of COVID-19, including by: transitioning to a work-from-home posture; responding to issues raised by significant market volatility; and addressing technological and other operational issues. To the extent a Firm confronts one or more of these issues, the Risk Alert encourages Firms to modify existing policies and procedures to:
- Conduct oversight of supervised persons’ communications – address the appropriate level of oversight of supervised persons (including the monitoring of Firm-related communications made by supervised persons) in a work-from-home environment.
- Conduct oversight of supervised persons’ recommendations – address any risks that may arise from supervised persons making securities recommendations in one or more market sectors that have experienced “greater volatility” or have “heightened risks” for fraud.
- Consider the impact of limited on-site diligence – address constraints imposed on a Firm’s ability to conduct on-site due diligence of third-party investment managers, investments or portfolio holding companies.
- Conduct oversight of trading – address risks associated with trading (including consideration of “affiliated, cross, and aberrational trading, particularly in high volume investments”).
- Consider limitations on diligence of new personnel – address risks associated with personnel onboarding (including risks associated with limitations on pre-onboarding background checks).
Fees, Expenses and Financial Transactions
Firms are required to consider and, to the extent material, inform investors about: the costs of services provided and investment products recommended; and the related compensation to the Firm and its supervised persons.4 The staff observed that the impact of first quarter 2020 market volatility on Firms’ revenue increases the incentive for Firms to engage in misconduct to mitigate the impact of lost revenue. The Risk Alert highlights the potential for misconduct related to: financial conflicts of interest (e.g., resulting from retirement plan rollover recommendations, borrowing from investors and clients, making recommendations that result in higher investor costs and Firm compensation); and the fees and expenses charged to investors (e.g., advisory fee calculation errors, inaccurate calculation of tiered fees, failure to refund prepaid fees for terminated accounts). In light of this potential for misconduct, the Risk Alert encourages Firms to review existing practices and policies and procedures related to fees and expenses, in order to:
- Review practices for accuracy – validate the continued accuracy of “disclosures, fee and expense calculations, and the investment valuations used.”
- Monitor higher-fee transactions – identify transactions that result in investors bearing “high fees and expenses”; monitor for trends in such transactions; and evaluate whether those transactions are in the investors’ best interest.
- Assess conflicts related to investment recommendations and borrowings – evaluate the risk posed to the impartiality of a Firm’s investment recommendation and other conflicts of interest arising from borrowing from investors, clients or other parties.
Investment Fraud
The staff observed that COVID-19, like any crisis, presents an opportunity for fraudulent offerings. The staff encouraged Firms to be attentive to the risk of fraudulent investment offerings when conducting due diligence of these investments and determining whether an investment is in an investor’s best interest.
Business Continuity
Certain Firms are required to maintain a business continuity plan.5 The Risk Alert states that “many Firms have shifted to predominantly operating from remote sites” during COVID-19, which could raise compliance issues and other risks, including the need to modify or enhance:
- Compliance policies and procedures – to the extent that extended remote operations pose “unique risks and conflicts of interest” that differ from the ordinary course (e.g., new or expanded roles for supervisory personnel), Firms may need to modify or enhance their compliance policies and procedures accordingly.
- Security and support for facilities and remote sites – to the extent not already addressed in a business continuity plan, Firms should consider whether it is necessary to modify or enhance the security of: servers and systems; “integrity of vacated facilities”; and remote data sites. Firms also should consider whether personnel operating from remote sites are properly relocated and supported. The staff recognized that Firms also could have “built-in redundancies for key operations and key person succession plans” to address services critical to investors.
OCIE encourages Firms to: review their business continuity plans; modify or enhance plans in light of unique risks; and communicate any material impact on their operations to investors.
Protection of Sensitive Information
Firms are obligated to protect an investor’s personally identifiable information.6 The Risk Alert observes that forms of electronic communication (e.g., video-conferencing) that enable remote working can create risks, such as:
- Vulnerabilities in recordkeeping. The staff observed that risks could emerge due to: use of remote network access and web-based applications; increased use of personally owned devices; and “changes in controls over physical records” when personnel are not operating from the Firms’ offices and printing records remotely.
- Improper access to systems and accounts. The staff observed that phishing schemes and other “impersonating [of a] Firms’ personnel, websites, and/or investors” could also increase while personnel work remotely.
OCIE encouraged Firms to assess “systems, investor data protection, and cybersecurity” to evaluate whether enhancements are needed to:
- Protect investors’ identity and information – including by promoting use of the phone to address investor security concerns.
- Train personnel – train and remind personnel of best practices to maintain security while working remotely.
- Review access rights – “heighten[] reviews of personnel access rights and controls” as supervisory personnel roles change.
- Improve encryption – improve encryption technologies, including on personally owned devices.
- Secure remote access – implement remote-access server security and patching.
- Reinforce system access security – e.g., through use of multifactor authentication.
- Address third-party risk – address cyber-related issues pertaining to third-party service providers.
Implications for Firms
The Risk Alert previews a list of issues related to COVID-19 that the staff believes are impacting Firms. Accordingly, Firms may want to carefully review the Risk Alert, and consider whether corresponding changes to their existing practices, disclosures and/or supervisory and compliance policies and procedures are necessary or appropriate. While the SEC has brought actions related to fraudulent activities, the Risk Alert could signal that the SEC is considering future action if OCIE finds issues related to those identified in the Risk Alert.
COVID-19 has fundamentally altered the way that Firms conduct their business, including how their personnel work. While many of these changes to operations, supervision and system usage could be contemplated by a well-tailored business continuity plan, the Risk Alert reminds Firms to evaluate their practices, as well as the security and sustainability of extended remote working on the Firm’s critical services as the pandemic continues.
Footnotes
1) Select COVID-19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisers, Risk Alert, Office of Compliance Inspections and Examinations (August 12, 2020). An OCIE examination could result in a no-comment letter, deficiency letter or a Firm being referred to the Division of Enforcement. An OCIE Risk Alert has “no legal force or effect: it does not alter or amend applicable law, and it creates no new or additional obligations for any person.”
2) Rule 206(4)-2 under the Investment Advisers Act of 1940 (requiring registered investment advisers (and those required to be registered) to comply with the custody rule if they are deemed to have custody over their clients’ funds or securities, in order to safeguard those assets against theft, loss, misappropriation or financial reverses of an adviser); Rule 15c3-3 under the Securities Exchange Act of 1934 (requiring SEC-registered broker-dealers to obtain and maintain possession and control of all fully paid securities and excess margin securities).
3) Advisers Act Rule 206(4)-7 (requiring SEC-registered investment advisers to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act); Exchange Act Sections 15(b)(4) and 15(b)(6) and FINRA Rule 3110 (requiring FINRA member broker-dealers to establish and maintain a system to supervise the activities of each associated person, reasonably designed to achieve compliance with the applicable securities laws and regulations, including FINRA rules).
4) Advisers Act Section 206 (imposing a fiduciary duty on investment advisers); Exchange Act Rule 15l-1(a)(2)(ii) (Regulation Best Interest).
5) Advisers Act Rule 206(4)-7 (requiring advisers to implement written policies and procedures reasonably designed to prevent violation of the federal securities laws; the rule’s adopting release states that a compliance program should address business continuity plans); FINRA Rule 4370 (requiring broker-dealers to create business continuity plans, including plans addressing an emergency or significant business disruption).
6) Regulation S-P requires Firms to maintain policies and procedures to safeguard investor records and information. Certain Firms also are required to develop and implement identity theft prevention programs in accordance with Regulation S-ID.