As COVID-19 continues to disrupt routine operations, OCIE reminds broker-dealers and investment advisers of their ongoing obligations.

On August 12, 2020, the US Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert titled Select COVID-19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisers (Alert). The Alert highlights certain key areas of increased risk that SEC-registered broker dealers and investment advisers (Firms) have been subject to in the wake of the disruptions caused by the COVID-19 pandemic. OCIE is particularly concerned with risks related to the safekeeping of investor assets and risks associated with protracted remote operations, telework arrangements, technological challenges, market volatility, and the financial pressure on Firms and individuals to compensate for lost revenue.

The Alert reminds investment advisers and broker-dealers of their existing obligations and provides suggestions and best practices that Firms should consider implementing in the present COVID-19 environment.

Protection of Investors’ Assets

Firms are obligated are obligated to ensure the safety of client assets; to guard against theft, loss, and misappropriation; and to process investors’ checks without undue delay. Firms should assess whether, in the present environment, changes to existing practices need to be made to protect client assets (e.g., safeguarding the receipt and disbursement of client funds).

OCIE recommends the following:

• Review protocols to ensure client payments are secured, especially when physical mail is no longer regularly picked up or processed
• Disclose to clients and investors that physical checks or assets mailed to the Firm’s offices may be subject to delayed processing
• Update supervisory and compliance policies and procedures to reflect any changes to payment processing practices
• Update compliance policies and procedures to reflect any changes to disbursements to investors, especially if they involve unusual withdrawals or unscheduled COVID-19-related retirement distributions
• Implement enhanced customer identity validation and account security measures to prevent unauthorized transactions
• Ensure that clients (especially seniors and other vulnerable individuals) have designated a trusted person to be contacted by the Firm in the event of suspected financial exploitation or fraud

Supervision of Personnel

Firms are obligated to supervise their employees and monitor supervised persons’ investment and trading activities. The shift to remote work environments and increased market volatility as a result of the COVID-19 pandemic highlight the need to revisit existing policies and procedures to ensure they adequately address current business operations.

OCIE recommends the following:

• Review adequacy of existing monitoring protocols with respect to the investment and trading activities and communications of remote employees, particularly communications or transactions occurring outside of the Firm’s system (e.g., using personal devices)
• Ensure adequate monitoring of securities recommendations by supervised persons, especially if the recommendations involve volatile market sectors or sectors that pose a heightened fraud risk
• Review diligence and monitoring capabilities with respect to third-party managers, investments, and portfolio holding companies in light of on-site review limitations
• Review adequacy of due diligence and verification practices with respect to onboarding new hires

Practices Relating to Fees, Expenses, and Financial Transactions

Firms are obligated to consider and inform investors about the costs of investment products and services offered, as well as conflicts of interest that may impact Firm recommendations. The current economic environment may put pressure on Firms and supervised persons to replace lost revenues or take advantage of vulnerable investors.

OCIE recommends the following:

• Review policies and procedures related to fees and expenses and consider enhancing compliance monitoring to prevent potential misconduct
• Validate the accuracy of disclosures, fee and expense calculations, and investment valuations
• Identify (and monitor for) recommendations and transactions that result in high fees or expenses to customers, and determine if such transactions are compliant with applicable requirements
• Identify (and monitor for) transactions that may impair impartiality or create conflicts of interest, such as taking loans from investors, customers, and other parties or recommending retirement plan transfers into advised accounts or investments in products that are not in the client’s best interest

Investment Fraud

Firms should recognize that times of crisis or uncertainty can lead to a heightened risk of investment fraud and be particularly sensitive when conducting due diligence in connection with securities offerings and determining whether particular transactions are in the best interests of investors.  

OCIE recommends the following:

• Monitor for the heightened risk of investment fraud, such as fraudulent offerings or false and misleading claims by issuers
• Report any suspected securities fraud to the SEC

Business Continuity

Firms are obligated to create and maintain written business continuity plans that include procedures to maintain critical business functions in case of emergency or disruption.

OCIE recommends the following:

• Review business continuity plans to address the unique risks and potential conflicts of interest engendered by protracted remote operations
• Update supervisory and compliance policies and procedures as needed to account for the risks posed by remote operation
• Enhance security during remote operations to ensure the security of vacated physical sites, computer networks, and Firm data (including remote location data)
• Maintain adequate redundancy plans for critical infrastructures and operations
• Maintain key person succession plans
• Provide adequate disclosures to clients if operations are materially impacted

Protection of Investor and Other Sensitive Information

Firms are obligated to adopt written policies and procedures to address administrative, technical, and physical safeguards for the protection of investor records and information, including clients’ personally identifiable information (PII).

OCIE recommends the following:

• Enhance cybersecurity measures to account for risks engendered by remote operations to prevent unauthorized system access or compromise of clients’ PII
• Address vulnerabilities related to remote access to networks, the use of web-based communications applications, the increased use of personally owned devices, and changes in controls over physical records, for example, by using validated encryption technologies to protect remote communications and data
• Review system access rights and controls and enhance system access security, for example, by using multifactor authentication
• Remind clients to contact the Firm directly regarding account inquiries or to report suspicious communications
• Provide Firm personnel with additional training on issues impacting investor information and assets, such as cybersecurity, phishing, information sharing on remote systems, data encryption, and physical document disposal