COVID Produces New Adviser Hybrid Business Model
For most registered investment advisers, business continuity implementation in the COVID era entails some element of an employee work from home arrangement. As investment advisers approach month seven of COVID business continuity implementation, it is prudent to consider the ramifications attendant to long term business continuity implementation. Working from home is on the verge of becoming a quasi-permanent feature of investment adviser business models and therefore the SEC is directing advisers to evaluate compliance risk sets related to the remote work configuration.
Quasi permanent or work from home forever? Tech companies Twitter and Facebook recently captured headlines with announcements about permanent work from home arrangements (Google has deferred the decision to return to campus until July 2021). However, perhaps more significant than tech leaning into COVID is the news forthcoming from a 94-year-old company based in the Ohio heartland … Nationwide Insurance … that the company is permanently closing five regional offices. The company ascribes the decision to substantially improved and sustained operational efficiencies attendant to the work-from-home arrangement allowing thousands of employees to permanently ditch time consuming and often expensive commutes in favor of home offices. According to Global Workplace Analytics, a typical employer can save about $11,000 a year for every person who works remotely half of the time. And workers can bank between $2,500 and $4,000 a year working remotely half of the time. These savings will likely compel advisers to opt for the hybrid business model whereby employees divide their time between remote and onsite office arrangements. The years-long trend of fee compression experienced by the adviser industry should also provide a catalyst to this evolution.
SEC Risk Alert
On August 12, 2020, the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued yet another Risk Alert: “Select COVID-19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisers.” The Risk Alert signals that the Commission is taking registrant COVID preparation and coping capabilities quite seriously. To the extent that the remote work configurations inherent in BCP implementation become quasi-permanent or permanent for advisers, the SEC will scrutinize them more closely for adherence to the fiduciary standard and compliance with Rule 206(4)-7.
OCIE has been executing its National Exam Program remotely during the pandemic. Examiners have identified significant operational, technological, commercial, and related challenges confronting adviser businesses over the past six months. In many cases, these issues have created important regulatory and compliance considerations, emerging as COVID risk influencers.
SEC examiners have identified a number of COVID-19 risk influencers adversely affecting adviser risk management protocol, particularly with regard to internal controls. COVID risk influencers (e.g., remote working arrangements, family illness, market volatility and heightened dependence on network availability) have adversely impacted the risk management capabilities of some advisers by degrading internal controls to the point that policy efficacy is jeopardized. Furthermore, market volatility related to COVID-19 has exacerbated the risks of fraud and misconduct that the Commission believes merit risk management attention.
OCIE’s Risk Alert observations and recommendations fall broadly into six categories:
- Protection of investor assets
- Supervision of personnel
- Practices relating to fees, expenses, and financial transactions
- Investment fraud
- Business continuity
- Protection of investor and other sensitive information
Advisers must bear in mind the need to disclose to regulators and clients any material amendments to risk management protocol resulting from enterprise COVID response. Firms should be aware that disclosure requirements can apply to a broad range of evolving business risks, even in the absence of a specific line-item requirement in relevant regulations and rules. Additionally, the SEC notes that “a number of existing rules or regulations require disclosure about the known or reasonably likely effects of and the types of risks presented by COVID-19” and “disclosure of these risks and COVID-19-related effects may be necessary or appropriate in management’s discussion and analysis, the business section, risk factors, legal proceedings, disclosure controls and procedures, internal control over financial reporting, and financial statements.”
Protecting Investors is Paramount
The fiduciary standard and attendant rule promulgation require investment advisers to prudently identify and mitigate risks specific to investor protection. Custody, cash movement, and related internal controls must be scrutinized.
The SEC has observed that modified office protocol has placed some advisers in non-compliant status with the fiduciary standard, especially when the adviser retains custody of client assets. Advisers that collect and process investor checks and/or advisers that execute client fund transfer requests may retain custody of client assets. Advisers experiencing delays in processing due to full or partial lockdowns of their primary offices resulting in delayed mail pick-up and unattended drop-off sites could jeopardize compliance with the custody rule which requires prompt processing of investor funds. OCIE directs advisers to update supervisory and compliance policies and procedures to reflect modified business practices that have been implemented post lockdown. Additional custody rule implications should be evaluated, including disclosure and surprise custody audits.
Continuing the theme of client protection pursuant to the fiduciary standard, OCIE directs firms to review policies and procedures attendant to client cash disbursements. Phishing has become a prominent threat vector: a compromised or spoofed account is used to submit disbursement instructions that pass through the internal controls designed to forestall unauthorized withdrawals initiated by cyber criminals. The Commission urges advisers to scrutinize scenarios where investors are taking unusual or unscheduled withdrawals from their accounts, particularly withdrawals enabled by newly relaxed restrictions on COVID-19 related retirement account distributions.
The Risk Alert recommends controls for advisers to consider:
- Recommend/verify trusted contact persons, especially for senior investors. Note the context for withdrawals and loans from retirement accounts for COVID-19 expenses: the Coronavirus Aid, Relief and Economic Security (CARES) Act allows eligible participants in certain tax-advantaged retirement plans to take early distributions of up to $100,000 during the 2020 calendar year without being subject to early withdrawal penalties and with an expanded window for paying the income tax they owe on the amounts withdrawn, which makes large, unscheduled withdrawal requests more common and harder to distinguish from fraudulent ones.
- Implement steps to validate the identity of the investor and the authenticity of disbursement instructions, including whether the person making the request is authorized to do so and whether the destination bank account name and number match the records on file.
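The validation steps in the two bullets above can be expressed as a concrete control. The following is an added example, not code from the Risk Alert or from any adviser's system: it checks a disbursement request against the client's book of record (authorized signers, verified bank details, and the trusted callback number on file), enforces segregation of duties between the employee who keys the wire and the one who approves it, and escalates unusually large email-originated requests. The client profile, the two sample requests, the `EMAIL_SIZE_MULTIPLE` threshold and the toxic self-approval rule are all constructed assumptions for the example; the one design point that is not an assumption is that the callback must go to the number already on file, never to a number supplied in the request.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class ClientProfile:
    client_id: str
    authorized_signers: List[str]
    verified_bank: str          # "routing:account" on file, verified out of band
    verified_account_name: str
    callback_phone: str         # trusted number on file; never taken from a request
    typical_withdrawal: float   # recent average, drives the size heuristic


@dataclass
class DisbursementRequest:
    client_id: str
    requested_by: str
    amount: float
    bank: str
    account_name: str
    channel: str                # "email", "portal" or "phone"
    callback_confirmed_on: str  # number the firm actually called; "" if no callback
    initiated_by: str           # employee who keyed the disbursement
    approved_by: str            # employee who approved it; "" if none


# Assumed escalation multiple; a real firm would tune this per client segment.
EMAIL_SIZE_MULTIPLE = 3.0


def validate_disbursement(req: DisbursementRequest, profile: ClientProfile) -> List[str]:
    """Return the control failures for one request; an empty list clears it."""
    failures = []
    if req.client_id != profile.client_id:
        return ["request does not belong to this client profile"]
    if req.requested_by not in profile.authorized_signers:
        failures.append("requester is not an authorized signer on the account")
    if req.bank != profile.verified_bank:
        failures.append("destination bank account differs from the verified account on file")
    if req.account_name.strip().casefold() != profile.verified_account_name.strip().casefold():
        failures.append("payee name does not match the account name on file")
    # The callback must reach the number on file. A number supplied inside the
    # request is attacker-controlled in the phishing scenario and must never count.
    if req.callback_confirmed_on != profile.callback_phone:
        failures.append("no callback confirmation on the trusted number on file")
    # Segregation of duties: whoever keys the wire may not approve it.
    if not req.approved_by or req.approved_by == req.initiated_by:
        failures.append("missing approval or self-approval by the initiator")
    if req.channel == "email" and req.amount > EMAIL_SIZE_MULTIPLE * profile.typical_withdrawal:
        failures.append("unusually large email-originated withdrawal; escalate for review")
    return failures


# Constructed sample book of record for one client (assumed data).
PROFILE = ClientProfile(
    client_id="C-1001",
    authorized_signers=["Jane Investor"],
    verified_bank="021000021:123456789",
    verified_account_name="Jane Investor",
    callback_phone="+1-555-0100",
    typical_withdrawal=5_000.0,
)

# A routine portal request confirmed by callback to the number on file.
LEGITIMATE = DisbursementRequest(
    client_id="C-1001", requested_by="Jane Investor", amount=4_000.0,
    bank="021000021:123456789", account_name="Jane Investor", channel="portal",
    callback_confirmed_on="+1-555-0100", initiated_by="ops.alice", approved_by="ops.bob",
)

# A typical phished instruction: "new" bank, a large urgent amount, and a phone
# number in the email that the attacker answers. The operator called that number
# back and approved their own entry.
PHISHED = DisbursementRequest(
    client_id="C-1001", requested_by="Jane Investor", amount=40_000.0,
    bank="026009593:987654321", account_name="J Investor Holdings LLC", channel="email",
    callback_confirmed_on="+1-555-0199", initiated_by="ops.alice", approved_by="ops.alice",
)

if __name__ == "__main__":
    for name, req in (("legitimate", LEGITIMATE), ("phished", PHISHED)):
        print(name, validate_disbursement(req, PROFILE) or ["cleared"])
```

Note that the phished request is submitted under the real client's name by a real authorized signer, so an identity check alone would pass it; it is the bank-details mismatch, the callback to an untrusted number and the self-approval that stop it.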
Rule 206(4)-7 requires advisers to adapt to changes in their risk profile introduced by COVID risk influencers. When pivoting to a partial or firm-wide telework arrangement conducted from dispersed remote locations, the adviser is substantially modifying its business model, which requires the firm to evaluate the newly introduced or substantially altered risk sets (e.g., privacy, cybersecurity, employee supervision) that challenge the enterprise. Section 203(e)(6) of the Advisers Act authorizes the Commission to sanction advisers that have failed to reasonably supervise employees.
For example, new risk sets will certainly include issues attendant to ongoing supervision of employees who no longer have physical contact with supervisors. This condition strains both the adviser's network and its personnel: employees now originate and respond to substantially more electronic communications (including opening attachments) while working on laptops, phones and other mobile devices. This COVID risk influencer elevates the risk of malicious software being introduced through phishing, whereby fraudsters assume the identity of a vendor, business colleague, or client.
OCIE directs firms to scrub procedures and internal controls across the compliance program with the objective of validating policy efficacy in the COVID era, paying particular attention to supervisory controls which may be marginalized under remote work arrangements.
Policies in the following areas deserve heightened attention:
- Best Execution – employees making securities recommendations and/or trading in market sectors that have experienced significant price/liquidity volatility.
- Third Party Oversight – postponed or cancelled onsite due diligence reviews and other resource constraints which marginalize third-party manager and key vendor due diligence.
- Books and Records – retention of all client transactions and written client correspondence (adherence to prohibition on client texting) due to personnel working from remote locations and using personal devices.
Fees and Expenses
In an era of ongoing advisory fee compression, OCIE observes that COVID has slackened new business accruing to advisers thereby placing pressure upon firms to generate new fee-based business and/or to push new expenses to clients. Firms must review fee and expense policies and procedures with a particular focus on vetting new expense allocations to clients and testing adviser fee assessments, particularly with regard to fee breakpoints and partial billing periods.
OCIE urges advisers to enhance compliance monitoring and internal control testing by:
- Validating the accuracy of disclosures pertaining to fees, expenses, and investment valuation methodologies.
- Identifying transactions that result in incremental fee/expense allocations to investors and evaluating whether these transactions are in the best interest of investors.
- Engaging in forensic testing over longer periods to ensure Rule 206(4)-7 compliance to the extent that enhanced monitoring of fees/expenses and investment suitability metrics reveal compliance violations or a problematic pattern of exception reporting.
- Evaluating the risks associated with borrowing or taking loans from investors, clients, and other parties that create conflicts of interest, as this may impair the impartiality of investment recommendations.
- Evaluating disclosure obligations attendant to financial assistance, including PPP loans.
Periods of political or economic crisis and uncertainty will escalate the risk of investment fraud through fraudulent offerings. Firms should be cognizant of these risks when conducting due diligence on investments and in determining that the investments are in the best interest of investors. Firms have an obligation to provide advice that is in the best interest of each investor, which requires a reasonable understanding of both the investor and the proposed investment. The SEC has suspended trading for several securities issuers due to false and misleading claims (e.g., purporting to have cures, vaccines, or curative drugs for COVID-19 infections, or access to personal protective equipment, testing, or other preventatives such as hand sanitizers).
Business Continuity Planning
Firms working remotely face emerging compliance risks, including:
- The need to modify policy to address unique risks and conflicts of interest which become evident in remote operations. For example, some employees may be required to take on new or expanded roles in order to sustain business operations, thereby flexing current supervisory policy.
- Changes in operational protocol may create new risks which must be posted to the risk matrix and mapped to policy, procedure, and internal control protocol. For example, security and support for facilities and remote sites may need to be modified or enhanced due to higher than expected utilization.
- The need for additional resources and/or measures for securing servers and systems.
- The need to maintain the physical security and integrity of vacated facilities.
Protection of Sensitive Information
The Safeguards Rule under Regulation S-P requires investment advisers to adopt written policies and procedures to address administrative, technical, and physical safeguards for the protection of client records and information. Regulation S-ID: Identity Theft Red Flags requires certain firms to develop and implement a written identity theft prevention policy. Firms have an obligation to protect investors’ personally identifiable information (“PII”). OCIE has identified COVID risk influencers manifest in advisers’ increased use of web-based communication services as follows:
- Vulnerabilities around the potential loss of sensitive information due to (1) remote access to networks and the use of web-based applications; (2) increased use of personally-owned devices; and (3) changes in controls over physical records, such as sensitive documents printed at remote locations and the absence of personnel at principal offices.
- Nonsecure procedures used when adviser personnel access non-public electronic resources from external locations, where data security protections are often weakened by, among other things, the remote access methods employed.
- Advisers that engaged in lockdown without removing hardware, devices, and physical files retaining PII must continue to protect and safeguard the information pursuant to privacy rules and attendant SEC guidance.
- To the extent supervision of employees has pivoted to a remote work configuration, effective supervision of the PII policies designed to protect and safeguard client information has become more difficult.
OCIE recommends that with regard to information protection protocol and COVID risk influencers, firms should focus upon risks related to system access, investor data protection, and cybersecurity. In particular, firms should assess their policies and procedures and consider:
- Enhancing identity protection practices, such as by reminding investors to contact firms directly by telephone for any concerns about suspicious communications and for firms to have personnel available to answer these investor inquiries.
- Providing personnel with additional trainings and reminders, and otherwise spotlighting issues, related to: (1) phishing and other targeted cyberattacks; (2) sharing information while using certain remote systems (e.g., unsecure web-based video chat); (3) encrypting documents and using password-protected systems; and (4) destroying physical records at remote locations.
- Conducting heightened reviews of personnel access rights and controls as individuals take on new or expanded roles in order to maintain business operations.
- Using validated encryption technologies to protect communications and data stored on all devices, including personally owned devices.
- Ensuring that remote access servers are secured effectively and kept fully patched.
- Enhancing system access security, such as requiring the use of multifactor authentication.
- Addressing new or additional cyber-related issues related to third parties, which may also be operating remotely when accessing firm data.
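The access-rights review in the list above (and the earlier observation that employees have taken on new or expanded roles to sustain operations) is the kind of check that should be run mechanically rather than by reading a spreadsheet. The following is an added example and not code from the Risk Alert or from any firm: it compares each user's current entitlements against a baseline of what their assigned roles justify, reports the excess, and separately flags toxic combinations that no single person should hold. The role baseline, the toxic pairs, the entitlement names and the four sample users are all constructed assumptions for the example.

```python
from typing import Dict, List, Set, Tuple

# Assumed role baseline: the entitlements each job role is supposed to carry.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "client_service": {"crm.read", "crm.write"},
    "operations":     {"crm.read", "custodian.read", "wire.initiate"},
    "ops_supervisor": {"crm.read", "custodian.read", "wire.approve"},
    "compliance":     {"crm.read", "custodian.read", "reports.read"},
    "it_admin":       {"vpn.admin", "directory.admin"},
}

# Assumed toxic combinations: entitlement pairs that together defeat a
# segregation-of-duties control, regardless of whether each one is justified.
TOXIC_PAIRS: List[Tuple[str, str]] = [
    ("wire.initiate", "wire.approve"),
    ("custodian.bank_details.change", "wire.approve"),
    ("directory.admin", "wire.approve"),
]


def review_access(roles: Dict[str, Set[str]],
                  grants: Dict[str, Set[str]]) -> Dict[str, Dict[str, List[str]]]:
    """For each user, report entitlements not justified by any current role and
    toxic pairs the user holds. Users with no findings are omitted."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    for user, held in grants.items():
        justified: Set[str] = set()
        for role in roles.get(user, set()):
            justified |= ROLE_BASELINE.get(role, set())
        excess = sorted(held - justified)
        toxic = sorted(f"{a}+{b}" for a, b in TOXIC_PAIRS if a in held and b in held)
        if excess or toxic:
            findings[user] = {"excess": excess, "toxic": toxic}
    return findings


# Constructed sample: during lockdown ops.alice covered for a supervisor and was
# granted wire.approve, which was never removed when she returned to her role;
# ops.carol was given VPN admin rights to help IT and still has them.
CURRENT_ROLES: Dict[str, Set[str]] = {
    "ops.alice": {"operations"},
    "ops.bob":   {"ops_supervisor"},
    "ops.carol": {"operations"},
    "cs.dave":   {"client_service"},
}
CURRENT_GRANTS: Dict[str, Set[str]] = {
    "ops.alice": {"crm.read", "custodian.read", "wire.initiate", "wire.approve"},
    "ops.bob":   {"crm.read", "custodian.read", "wire.approve"},
    "ops.carol": {"crm.read", "custodian.read", "wire.initiate", "vpn.admin"},
    "cs.dave":   {"crm.read", "crm.write"},
}

if __name__ == "__main__":
    for user, result in review_access(CURRENT_ROLES, CURRENT_GRANTS).items():
        print(user, "excess:", result["excess"], "toxic:", result["toxic"])
```

The two findings differ in kind: ops.carol's `vpn.admin` is simple privilege creep that should be revoked, while ops.alice's `wire.initiate` plus `wire.approve` is a segregation-of-duties break that lets one person move client money alone, and belongs at the top of the review queue.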
Targeted COVID Risk Management Guidance and Regulatory Relief
In March 2020, the SEC stated its intent to provide specific regulatory assistance and guidance to affected entities. The Commission’s efforts have included:
- Notifying issuers that their responses to COVID-19 may constitute material disclosures that investors will consider in their “mix” of information, when making investment decisions.
- Reminding issuers to work with their audit committees to ensure that financial reporting accounts for the new circumstances.
- Granting relief for issuers and public funds that intend to/must hold virtual annual meetings.
- Conditionally extending the deadline for certain regulatory filings and disclosures.
To date, the SEC has not explicitly indicated its intent to rescind any of the referenced relief. However, the Risk Alert clearly provides a heads-up to investment advisers … the Commission is extremely vigilant in monitoring adviser risk management capabilities during the COVID era. This vigilance is particularly focused on adviser business continuity implementation policies and procedures. The transition from temporary to permanent remote work arrangements introduces new risk sets to be identified, disclosed, and mitigated. Advisers should expect OCIE examinations to focus increasingly on the hybrid onsite/work-from-home adviser model. This scrutiny should compel advisers to conduct a COVID gap analysis to identify policies, procedures, and internal controls ripe for deletion, addition, or modification to evolve the risk-based compliance program.
The OCIE COVID-19 Risk Alert understandably focuses on regulatory risk. Investment advisers, however, do not have the luxury of considering regulatory risk in a vacuum. Effective risk management demands a 360-degree view of the business in which the regulatory framework is but one slice of the complete view. Everything hinges on people – doing the right thing, knowing what IS the right thing to do, leveraging technology and other resources, collaborating to serve clients and solve problems … the list is endless. The key is people and understanding how they work best. Some people are not cut out for remote work, while some deliverables can only be achieved when fueled by the energy that comes from in-person collaboration and problem solving. Regulatory risk is vital, but it can only be managed in concert with enterprise risk management efforts. When the business is managed by leaders who are creative, collaborative, and communicative, the odds of reducing regulatory risk rise.
Download a copy of the OCIE Risk Alert here: https://www.sec.gov/files/Risk%20Alert%20-%20COVID-19%20Compliance.pdf.