June 28, 2016: The U.S. Securities and Exchange Commission (“SEC”) announced a proposed new rule to require advisers to formally develop business continuity and transition plans. Proposed Rule 206(4)-4 under the Investment Advisers Act and amendments to Rule 204-2 under the Act are now under consideration during the registrant comment period. Under the proposed rule, it would be unlawful for an SEC-registered investment adviser to provide investment advice unless the adviser adopts and implements a written business continuity and transition plan and reviews that plan at least annually.
At first blush this appears to be somewhat redundant insofar as the Compliance Programs Rule 206(4)-7 requires SEC-registered investment advisers to have Business Continuity Plans (“BCPs”) in place as part of their compliance policies and procedures. After 12 years of Office of Compliance Inspections and Examinations (“OCIE”) scrutiny, SEC staff finds the robustness of adviser BCPs to be inconsistent with the adviser’s fiduciary duty.
In some respects, the SEC feels compelled to install Rule 206(4)-4 insofar as FINRA Rule 4370 and NASAA Rule 203(a)-1A currently require extensive business continuity and transition policy responses.
Proposed Rule Requirements
The proposed rule would require SEC-registered advisers to adopt and implement written business continuity and transition plans reasonably designed to address operational and other risks related to a significant disruption in the investment adviser’s operations. These plans would include policies and procedures concerning: (a) business continuity after a significant business disruption; and (b) business transition in the event the investment adviser is unable to continue providing investment advisory services to clients. Business continuity situations generally include natural disasters, acts of terrorism, cyber-attacks, equipment or system failures, or unexpected loss of a service provider, facilities, or key personnel. Business transitions generally include situations where the adviser exits the market and thus is no longer able to serve its clients, including when it merges with another adviser, sells its business or a portion thereof, or in unusual situations, enters bankruptcy proceedings.
Under the proposal, advisers will be required to assess and inventory all components of their businesses to develop their business continuity and transition plans to address the specific risks which confront their particular business models.
At a minimum, policies and procedures will need to address:
- Maintenance of critical operations and systems, and the protection, backup, and recovery of data;
- Pre-arranged alternate physical location(s) of the adviser’s office(s) and/or employees;
- Communications with clients, employees, service providers, and regulators;
- Identification and assessment of third-party services critical to the operation of the adviser; and
- Plan of transition that accounts for the possible winding down of the adviser’s business or the transition of the adviser’s business to others in the event the adviser is unable to continue providing advisory services.
Relative to the rule requirement to provide “uninterrupted advisory services to clients in a compliant manner after a disaster”, the SEC provides recommended policy provisions including (a) a pre-arranged remote location for short-term and possible long-term use; (b) alternate communication protocols to contact staff and clients; (c) remote access to business records and client data through appropriately secured means; (d) temporary lodging for key staff where necessary and effective training of staff on how to fulfill essential duties in the event of a disaster; (e) maintaining accurate and up-to-date contact information for all third-party service providers and familiarity with the BCPs of those providers; (f) contingency arrangements for loss of key personnel; (g) periodic testing, evaluation and revision of the plan; and (h) maintaining sufficient insurance and financial liquidity to prevent any interruption of the performance of compliant advisory services.
Additionally, the proposed rule would require business continuity and transition plans to include policies and procedures as to “the maintenance of critical operations and systems, and the protection, backup, and recovery of data, including client records. With respect to maintaining critical operations/systems, an adviser’s plan generally should identify and prioritize critical functions, operations, and systems and consider alternatives and redundancies to help maintain the continuation of operations in the event of a significant business disruption”. The proposal extensively cites the Interagency Joint Report on Efforts of the Private Sector to Implement the Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System (Apr. 2006) which identifies three new business continuity objectives that have special importance in the post-September 11th risk environment. The paper addresses reasonable recovery time objectives and identifies specific risk-based recovery standards in order “to assure that there will be a relatively consistent degree of preparedness across” the industry and also identifies four sound practices to ensure the resilience of the U.S. financial system, which focus on minimizing the immediate systemic effects of a wide-scale disruption on critical financial markets.[1]
When advisers are evaluating which operations and systems are critical, the SEC directs advisers to consider those aspects of the business model “that are utilized for prompt and accurate processing of portfolio securities transactions on behalf of clients, including the management, trading, allocation, clearance and settlement of such transactions.”
Advisers should also consider operations and systems that are critical to the valuation and maintenance of client accounts, access to client accounts, and the delivery of funds and securities. This typically will include identification and assessment of third-party services that support certain functions, as activities conducted may involve systems and processes that the adviser controls and others that may be wholly or partially dependent on third-party vendors.
When assessing key man risk, advisers should identify which key personnel either provide critical functions to the adviser or support critical operations or systems of the adviser such that the temporary or permanent loss of those individuals would disrupt the adviser’s ability to provide services to its clients.
Other Policy and Procedure Considerations
Proposed Rule 206(4)-4 sets forth additional considerations, as noted below:
- Data Access: Business continuity and transition plans should recognize that significant business disruptions may prevent access to electronic copies of data (e.g., power or internet outage) and hard copies of data (e.g., cannot access building where data is located). Such a plan should also recognize the important role electronic records can play in carrying out the adviser’s plan of transition in a timely manner.
- Data Backup and Recovery: Relative to data backup and recovery, a business continuity and transition plan should include an inventory of key documents (e.g., organizational documents, contracts, policies and procedures), including the location and description of the item, and a list of the adviser’s service provider relationships that are necessary to maintain functional operations. This documentation generally should include details of the adviser’s management structure, risk management processes, and financial and regulatory reporting requirements. Such documentation should make it easy for an adviser and its employees to access important operations/systems, documents, and relationships during a significant business disruption.
- Data Protection: With respect to data protection, backup and recovery, one type of potentially significant business disruption is a cyber-attack. An adviser should consider and address as relevant the operational and other risks related to cyber-attacks.
- Alternate Location: Business continuity and transition plans should include pre-arranged alternate physical location(s) of its office(s) and/or employees. As SEC staff members have frequently indicated, alternate or remote locations are essential for an adviser to continue providing services during a significant business disruption. Accordingly, when developing business continuity and transition plans, advisers generally should consider the geographic diversity of their offices or remote sites and employees, as well as access to the systems, technology, and resources necessary to continue operations at different locations in the event of a disruption.
- Communication: The adviser’s communication plan should cover the methods, systems, backup systems, and protocols that will be used for communications, how employees are informed of a significant business disruption, how employees should communicate during such a disruption, and contingency arrangements stating who would be responsible for taking on other responsibilities in the event of loss of key personnel. Business continuity and transition plans should also address employee training, so that in the event of a significant business disruption, employees understand their specific roles and responsibilities and are able to carry out the adviser’s plan.
- Client Notification: Business continuity and transition plans must reference circumstances and procedures whereby it is in the clients’ best interests to be informed of a significant business disruption and/or its impact. Business continuity and transition plans should include the process by which the adviser would have prompt access to client records that include the name and relevant contact and account information for each client as well as investors in private funds sponsored by the investment adviser. These plans generally should include how clients will be made aware of and updated about a significant business disruption that materially impacts ongoing client services (e.g., periodic updates to websites and customer service lines) and, when applicable, how clients will be contacted and advised if account access is impacted during such a disruption.
- Regulatory Contact: Business continuity and transition plans should include contact information for relevant regulators, and identify the personnel responsible for notifying, as well as under what circumstances it would notify, such regulators of a significant business disruption.
- Service Provider Communication: The adviser’s communication plan with its service providers should include, among other things, how the service provider will be notified of a significant business disruption at the adviser as well as how the adviser will be notified of a significant business disruption at a service provider, and how the entities will communicate with one another and clients or investors (where applicable) during a disruption.
- Critical Providers: Identification and assessment of third-party services critical to the operation of the adviser. The business continuity and transition plan will be required to identify and assess third-party services critical to the operation of the adviser. To the extent critical services are outsourced to third parties, the SEC believes that an adviser should be prepared for significant business disruptions that could impair its ability to act in its clients’ best interests by having a business continuity and transition plan that addresses the critical services provided to it by such third parties. Business continuity and transition plans must “identify critical functions and services provided by the adviser to its clients, and third-party vendors supporting or conducting critical functions or services for the adviser and/or on the adviser’s behalf. An adviser generally should consider a variety of factors when identifying and prioritizing which service providers should be deemed critical, such as the day-to-day operational reliance on the service provider and the existence of a backup process or multiple providers, whether or not the service provided includes direct contact with clients or investors, and whether the service provider is maintaining critical records or able to access personally identifiable information”. Once the adviser identifies its critical service providers, it should review and assess how these service providers plan to maintain business continuity when faced with significant business disruptions and consider how this planning will affect the adviser’s operations.
Elements Specific to the Transition Plan
Under the proposed rule, an adviser’s business continuity and transition plan would have to include a plan of transition that accounts for the possible winding down of the adviser’s business or the transition of the adviser’s business to others in the event the adviser is unable to continue providing advisory services. Advisers facing the decision to exit the market commonly do so by: (a) selling the adviser or substantially all of the assets and liabilities of the adviser, including the existing advisory contracts with its clients, to a new owner; (b) selling certain business lines or operations to another adviser; or (c) the orderly liquidation of fund clients or termination of separately managed account relationships.
The adviser’s plan must account for transitions in both normal and stressed market conditions, and should consider each type of advisory client, the adviser’s contractual obligations to clients, counterparties, and service providers, and the relevant regulatory regimes under which the adviser operates. Under the proposed rule, the transition components of a business continuity and transition plan would have to include the following:
- Policies and procedures intended to safeguard, transfer and/or distribute client assets during transition;
- Policies and procedures facilitating the prompt generation of any client-specific information necessary to transition each client account;
- Information regarding the corporate governance structure of the adviser;
- The identification of any material financial resources available to the adviser; and
- An assessment of the applicable law and contractual obligations governing the adviser and its clients, including pooled investment vehicles, implicated by the adviser’s transition.
In addition to contractual obligations to its clients and vendors, an adviser that provides other services to entities, such as to another adviser, must consider its contractual obligations as a service provider to those other entities as it prepares the transition plan.
Furthermore, the SEC proposal references the fiduciary duty of advisers to preserve the safety of client assets. In the SEC’s view, the ability to promptly produce and transfer the information necessary for the ongoing management of client assets is fundamental to an adviser acting in the best interests of its clients.
The adviser’s policies and procedures addressing how the adviser intends to safeguard, transfer and/or distribute client assets in the event of a transition should consider the unique attributes of each type of advisory client (e.g., registered investment companies, private funds, separately managed accounts) and how the adviser plans to transfer accurate client information to other advisers or their service providers.
Finally, the transition plan should also contain policies and procedures that would facilitate the prompt generation of any client-specific information necessary to transition a client account, such as the identity of custodians, positions, counterparties, collateral, and related records of each client.
Recordkeeping Amendments to Rule 204-2
The proposed amendments would require advisers to maintain copies of all written business continuity and transition plans that are in effect or were in effect at any time during the last five years following the compliance date. The rationale underlying this requirement is similar to the SEC’s record retention rule, wherein the SEC will require advisers to maintain a copy of the plan currently in effect because they believe that it is important for advisers to have easy access to necessary information during periods of stress (or examination).
The proposed rule would also require advisers to keep any records documenting their annual review.
A Shot across the Bow
Contrary to the pre-existing BCP provisions in Rule 206(4)-7, the Commission has noted that failure to comply with this rule (as proposed) would entail a breach of fiduciary duty insofar as “an adviser’s fiduciary duty obligates it to take steps to protect client interests from being placed at risk as a result of the adviser’s inability to provide advisory services and, thus, it would be fraudulent and deceptive for an adviser to hold itself out as providing advisory services unless it has taken such steps.”
Some elements of this proposed rule are merely a codification of current best practices, i.e., most business continuity and transition policy and procedure requirements may already be referenced in current plans. However, as referenced in recent enforcement actions (e.g., cyber security) where strict liability appears to be the enforcement doctrine, advisers will not get credit if catastrophe strikes and the BCP does not perform pursuant to the rule’s requirements. Proposed Rule 206(4)-4 is 96 pages in length and encompasses significant and nuanced disruption scenarios in equal measure.
Follow this link to read the full proposal: https://www.sec.gov/rules/proposed/2016/ia-4439.pdf. Comments are due on or before September 6, 2016.
[1] https://www.sec.gov/news/press/studies/2006/soundpractices.pdf