The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) recently issued a risk alert addressing “Select COVID-19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisers.” The alert is intended to share OCIE’s observations and recommendations in a number of areas of financial services compliance that, in the staff’s view, require special attention due to the current pandemic: protection of investors’ assets; supervision of personnel; practices relating to fees, expenses, and financial transactions; investment fraud; business continuity; and the protection of investor and other sensitive information.
Protection of Investors’ Assets
Citing firms’ obligation under Investment Advisers Act Rule 206(4)-2 to safeguard customer assets, the risk alert suggests that firms “consider disclosing to investors that checks or assets mailed to the Firm’s office location may experience delays in processing until personnel are able to access the mail or deliveries at that office location.” It goes on to say, “OCIE also encourages Firms to review and make any necessary changes to their policies and procedures around disbursements to investors, including where investors are taking unusual or unscheduled withdrawals from their accounts, particularly COVID-19 related distributions from their retirement accounts.” Specifically, the risk alert encourages firms to “[i]mplement additional steps to validate the identity of the investor and the authenticity of disbursement instructions, including whether the person is authorized to make the request and bank account names and numbers are accurate,” and to “[r]ecommend that each investor has a trusted contact person in place, particularly for seniors and other vulnerable investors.”
Supervision of Personnel
Rule 206(4)-7 of the Advisers Act requires firms to maintain policies and procedures that are reasonably designed to prevent violations of the Advisers Act, including policies and procedures related to firms’ supervisory and compliance programs. Changes necessitated by the COVID-19 pandemic, “such as shifting to Firm-wide telework conducted from dispersed remote locations, dealing with significant market volatility and related issues, and responding to operational, technological, and other challenges,” may require parallel changes to relevant policies and procedures. OCIE suggests that “Firms may wish to modify their practices to address” the following changes:
- Supervisors not having the same level of oversight and interaction with supervised persons when they are working remotely
- Supervised persons making securities recommendations in market sectors that have experienced greater volatility or may have heightened risks for fraud
- The impact of limited on-site due diligence reviews and other resource constraints associated with reviewing third-party managers, investments, and portfolio holding companies
- Communications or transactions occurring outside of the firms’ systems due to personnel working from remote locations and using personal devices
- Remote oversight of trading, including reviews of affiliated, cross, and aberrational trading, particularly in high volume investments
- The inability to perform the same level of diligence during background checks when onboarding personnel – such as obtaining fingerprint information and completing required Form U4 verifications – or to have personnel take requisite examinations
Practices Relating to Fees, Expenses and Financial Transactions
OCIE’s COVID-19 risk alert also reminds firms of the fiduciary duty they owe to their clients, and highlights potential breaches of that duty related to conflicts of interest and mistakes in calculating fees collected by firms. Specifically, OCIE observed that “the current situation may have increased the potential for misconduct,” including recommending rollovers or other changes to retirement plans, borrowing money from clients, and recommendations that clients invest in higher-cost investments that generate compensation for supervised persons.
In addition, the risk alert suggests that there is currently heightened risk of erroneous fee calculations, including advisory fee calculation errors, inaccurate calculations of tiered fees, and failures to refund prepaid fees for terminated accounts. The risk alert advises firms to “review their fees and expenses policies and procedures and consider enhancing their compliance monitoring” to mitigate these risks, and in general admonishes firms to be cognizant of risks arising from the current pandemic “when conducting due diligence on investments and in determining that the investments are in the best interests of investors.”
Business Continuity
As part of their obligation to maintain policies and procedures that are reasonably designed to prevent violations of the Advisers Act, firms are required to create business continuity plans. “Due to the pandemic, many Firms have shifted to predominantly operating from remote sites, and these transitions may raise compliance issues and other risks that could impact protracted remote operations” which, in turn, could weaken existing business continuity measures. “For example, supervised persons may need to take on new or expanded roles in order to maintain business operations.”
In addition, “Firms’ security and support for facilities and remote sites may need to be modified or enhanced. . . . If relevant practices and approaches are not addressed in business continuity plans and/or Firms do not have built-in redundancies for key operations and key person succession plans, mission critical services to investors may be at risk.”
The risk alert “encourages Firms to review their continuity plans to address these matters, make changes to compliance policies and procedures, and provide disclosures to investors if [the Firms’] operations are materially impacted, as appropriate.”
Protection of Investor and Other Sensitive Information
Finally, OCIE’s COVID-19 risk alert reminds firms of their “obligation to protect investors’ personally identifiable information” under the Safeguards Rule of SEC Regulation S-P, especially while firm employees are communicating through videoconference or similar electronic means. Of particular concern to the staff are remote access to networks and the use of web-based applications, increased use of personally owned devices, and “changes in controls over physical records, such as sensitive documents printed at remote locations and the absence of personnel at Firms’ offices.”
In addition, the risk alert cites increased opportunities for “phishing and other means to improperly access systems and accounts” due to these changes. “OCIE recommends that Firms pay particular attention to the risks regarding access to systems, investor data protection, and cybersecurity,” and “assess their policies and procedures” to account for these new risks.
Many of the observations and recommendations included in OCIE’s risk alert were equally relevant to pre-COVID-19 financial markets, and many simply reflect common-sense compliance practice. Nonetheless, broker-dealers and investment advisers should view the risk alert as a summary of the compliance issues uppermost in the minds of OCIE’s senior staff, and as a punch list for line OCIE examiners in the next OCIE exam cycle.