On June 28, 2016, the Securities and Exchange Commission (SEC) proposed a new rule and rule amendments (the “Proposed Rules”) under the Investment Advisers Act of 1940 (“Advisers Act”). The proposed new rule, Rule 206(4)-4, would require SEC-registered investment advisers to adopt and implement written business continuity and transition plans (BCP) reasonably designed to address operational and other risks related to a significant disruption in the investment adviser’s operations. The SEC staff also issued related guidance on business continuity planning for registered investment companies addressed in a separate alert available here.
Currently, Rule 206(4)-7 under the Advisers Act (the “Compliance Program Rule”) requires an SEC-registered adviser to adopt compliance policies and procedures reasonably designed to prevent violations of the Advisers Act. Similarly, Rule 38a-1 under the Investment Company Act of 1940 requires mutual funds to adopt and implement written compliance policies and procedures reasonably designed to prevent violation of the federal securities laws. The SEC has not previously identified in these rules critical components of a BCP or discussed specific issues or areas that advisers should consider in developing such plans; however, in the release adopting the Compliance Program Rule, the SEC indicated that an adviser’s compliance policies and procedures should address BCPs to the extent that they are relevant to an adviser. As a result, many investment advisers adopted BCPs as part of their compliance policies and procedures; however, in the SEC’s experience, these BCPs varied in the extent of their adequacy to address operational and other risks associated with business resiliency and their ability to address operational and other risks related to significant disruptions in the adviser’s operations.1
What is a Business Continuity and Transition Plan?
The Proposed Rules define a “business continuity and transition plan” as policies and procedures reasonably designed to address operational and other risks related to a significant disruption in the investment adviser’s operations, including policies and procedures concerning: (i) business continuity after a significant business disruption; and (ii) business transition in the event the investment adviser is unable to continue providing investment advisory services to clients.
This definition is consistent with the SEC’s earlier approach to BCPs, generally, as plans addressing the obligation of an adviser to take steps to protect clients' interests from being placed at risk as a result of the adviser's inability to provide advisory services after a natural disaster or the death of the owner or key personnel. The Proposed Rules, however, arguably take a much broader approach by including a variety of other risks within this obligation, such as cybersecurity risk, previously addressed by the SEC as potentially separate matters. According to the SEC, if an adviser is unable to provide advisory services after, for example, a natural disaster, a cyber-attack, an act of terrorism, technology failures, or the departure of key personnel, its temporary inability to continue operations may put clients’ interests at risk and prevent it from meeting its fiduciary duty to clients. Thus, by arguably broadening its approach to the universe of risks that should be addressed in a BCP, the SEC potentially places a higher burden on the advisers to design their BCPs to anticipate all material risks that may become applicable or be responsible for a violation of their fiduciary duties to clients.
What Should be in a BCP if Proposed Rules are Adopted?
The Proposed Rules impose specific requirements on BCPs, each of which is separately addressed below using the detailed guidance contained in the proposing release.
Maintenance of critical operations and systems, and the protection, backup, and recovery of data.
A BCP should generally identify and prioritize the following critical functions, operations, and systems (and consider alternatives and redundancies where appropriate):
- Operations relating to management, trading, allocation, clearance and settlement of portfolio securities transactions and other operations and systems that are critical to the valuation and maintenance of client accounts, access to client accounts, and the delivery of funds and securities;
- Key personnel that either provide critical functions to the adviser or support critical operations or systems of the adviser, and contingency plans addressing both the temporary or permanent loss of the personnel;
- A recognition that significant business disruptions may prevent access to electronic copies of data and hard copies of data and a recognition of the importance of the role of the electronic records in carrying out the adviser’s plan of transition in a timely manner;
- An inventory of key documents, including the location and description of the item;
- A list of the adviser’s service provider relationships that are necessary to maintaining functional operations;
- Details of the adviser’s management structure, risk management processes, and financial and regulatory reporting requirements; and
- An assessment of the operational and other risks related to cyber-attacks.
Pre-arranged alternate physical location(s) of the adviser’s office(s) and/or employees
Advisers should consider the geographic diversity of their offices or remote sites and employees, as well as access to the systems, technology, and resources necessary to continue operations at different locations in the event of a disruption.
Communications with clients, employees, service providers, and regulators
An adviser’s communication plan should cover, among other things:
- The methods, systems, backup systems, and protocols that will be used for communications;
- How employees are informed of, and how they should communicate during, a significant business disruption;
- Contingency arrangements communicating who would be responsible for taking on other responsibilities in the event of loss of key personnel;
- Employee training, so that in the event of a significant business disruption employees understand their specific roles and responsibilities and are able to carry out the adviser’s plan;
- When and how it is in the adviser’s clients’ best interests to be informed of a significant business disruption and/or its impact, including the process by which the adviser would have prompt access to client records that include the name and relevant contact and account information for each client as well as investors in private funds sponsored by the investment adviser;
- How the service provider will be notified of a significant business disruption at the adviser as well as how the adviser will be notified of a significant business disruption at a service provider; and
- The contact information for relevant regulator(s), and the personnel responsible for notifying, as well as the circumstances requiring personnel to notify regulator(s) of a significant business disruption.
Identification and assessment of third-party services critical to the operation of the adviser
An adviser’s BCP should identify critical functions and services provided by the adviser to its clients, and third-party vendors supporting or conducting critical functions or services for the adviser and/or on the adviser’s behalf. The proposing release states that critical service providers would at least include those providing services related to portfolio management, the custody of client assets, trade execution and related processing, pricing, client servicing and/or recordkeeping, and financial and regulatory reporting. Factors such as the significance of the service provider to advisory operations, the type of service provided, and the adviser’s ability to require or request actions of its service providers will impact the steps that advisers should consider taking in respect of the service providers.
Plan of transition that accounts for the possible winding down of the adviser’s business or the transition of the adviser’s business to others in the event the adviser is unable to continue providing advisory services
A plan of transition generally should account for transitions in both normal and stressed market conditions, and should consider each type of advisory client, the adviser’s contractual obligations to clients, counterparties, and service providers, and the relevant regulatory regimes under which the adviser operates. The Proposed Rules specifically require that the plan include:
- Policies and procedures intended to safeguard, transfer and/or distribute client assets during transition;
- Policies and procedures facilitating the prompt generation of any client-specific information necessary to transition each client account;
- Information regarding the corporate governance of the adviser;
- The identification of any material financial resources available to the adviser; and
- An assessment of the applicable law and contractual obligations governing the adviser and its clients, including pooled investment vehicles, implicated by the adviser’s transition.
The Proposed Rules require investment advisers to review their BCPs and the effectiveness of their implementation at least annually. Further, the Proposed Rules amend Rule 204-2 under the Advisers Act, also known as the “record keeping rule,” to require SEC-registered investment advisers to make and keep all BCPs that are currently in effect or at any time within the past five years were in effect.
Given the detailed requirements of the Proposed Rules, including as interpreted by the proposing release, it is likely that most registered advisers would have to revisit and revise their BCPs if the rules are adopted. Certain larger advisers’ BCPs may already be substantially compliant with many aspects of the Proposed Rules. Smaller advisers, though, may have more work to do to bring their BCPs into compliance with the rules.
The SEC believes that investment advisers will have to develop and update their BCPs using largely internal resources because it will require evaluations most suited to be conducted by in-house employees familiar with the intricacies of the business operations. The SEC estimates the initial one-time cost of this internal process will be substantial and will range from approximately $17,000 to $170,000, depending on the facts and circumstances of a particular adviser’s operations and their existing plan, although the SEC acknowledges that advisers will also have to use their outside counsel.
Advisers will also likely incur additional costs, including external costs to upgrade systems and processes, enhance communications processes with various parties and engage in an assessment of critical third-party vendors. While some advisers already addressed these aspects of their BCPs, many advisers would still need to develop robust service provider management programs that take steps to evaluate the resiliency of their operations, with such steps potentially including reviewing the service provider BCPs, requiring them to complete due diligence questionnaires or obtain assurance control reports from an independent party, and/or conducting onsite visits. The SEC estimates that SEC-registered advisers may spend between approximately $11,000 and $1.3 million in these additional initial costs to upgrade systems and processes depending on the complexity of their operations and the current state of their BCPs.
Request for Comment
The SEC requested comments on a variety of topics including potential changes to the Proposed Rules that would further increase compliance obligations of investment advisers. Such topics include:
- Whether advisers with certain types of clients, including advisers to registered investment companies, pooled investment vehicles or sponsors of wrap programs, should be required to undergo additional obligations with regard to adopting and implementing a BCP that would be relevant for such clients;
- Whether the SEC should require advisers to report to the SEC incidents where they rely on their BCPs; and
- Whether advisers should file their BCPs with the SEC.
Comments on the Proposed Rules are due by September 3, 2016.