On June 28, 2016, the Securities and Exchange Commission (SEC) proposed new Rule 206(4)-4 under the Investment Advisers Act of 1940 (the Advisers Act). The rule would require registered investment advisers (RIAs) to adopt and implement written business continuity and transition plans “reasonably designed to address operational and other risks related to a significant disruption in the investment adviser’s operations.”1 The SEC also proposed amendments to existing Rule 204-2 that would impose recordkeeping and other compliance requirements related to business continuity and transition plans.
Section 206(4) of the Advisers Act authorizes the SEC to adopt rules and regulations to prevent fraudulent, deceptive or manipulative practices. The Release states that “it would be fraudulent and deceptive for an adviser to hold itself out as providing advisory services unless it has taken steps to protect clients’ interests from being placed at risk as a result of the adviser’s inability (whether temporary or permanent) to provide those services.”2
The proposed rule and rule amendments are intended to address a wide range of practices that advisers employ with respect to business continuity, succession planning and operational transition. According to the SEC staff, an adviser’s fiduciary duty obligates it to protect its clients’ interests from the adviser’s potential inability to continue to provide advisory services during business disruptions or transitions. The proposed rule requires each RIA to assess and inventory the components of its business, including operational and other risks related to significant disruptions in the adviser’s operations, whether temporary or permanent, and to design and implement a tailored plan to prepare for and address such disruptions.
Although many RIAs already have business continuity plans,3 the plans may not include documented transition plans or address significant business transitions.4 The Release discusses operational risks that can result when an adviser ceases or winds down operations unexpectedly. To illustrate its concerns about the potential for business disruptions or transitions to interfere with an RIA’s ability to act in its clients’ best interests, the staff cites the impact of the 2008 financial crisis, when many large financial firms in distress underwent major business changes, including bankruptcies, reorganizations and acquisitions.
In August 2013, in the aftermath of Hurricane Sandy, the SEC published a National Exam Program Risk Alert (the NEP Risk Alert).5 In the NEP Risk Alert, as noted in the Release, examiners observed that the degree of specificity of advisers’ written business continuity plans varied, and that some advisers’ business continuity plans did not “adequately address and anticipate widespread events.” Among other things, the NEP Risk Alert specifically observed the following deficiencies:
- lack of geographically diverse office locations;
- lack of oversight of service providers;
- inconsistent planning around communications; and
- inadequate testing of business continuity plans.
Proposed Rule 206(4)-4 and Amended Rule 204-2
Due to the variety of practices and the lack of robust business continuity planning the SEC staff observed, the SEC proposed Rule 206(4)-4 to formally require business continuity and transition plans, including certain specified components.
Proposed Rule 206(4)-4 would prohibit an RIA from providing investment advice unless it has adopted and implemented a written business continuity and transition plan that the adviser must review at least annually. The amendments to Rule 204-2, which governs RIA recordkeeping requirements, would require RIAs to maintain copies of all written business continuity and transition plans currently in effect or in effect at any time during the previous five years, as well as records documenting the adviser’s annual review of its business continuity and transition plans. As part of their annual review, RIAs should conduct and document appropriate testing of the plans.
Business Continuity Plans
The Release states that, at a minimum, an RIA’s business continuity and transition plan should address the following issues:
- maintenance of critical operations and systems, as well as the protection, backup and recovery of data;
- alternate physical office locations;
- communication plans for clients, employees, vendors and regulators;
- assessment of critical third-party service providers; and
- transition of the RIA’s business when the RIA winds down or is unable to continue to provide advisory services.
In addition to traditional business continuity concerns relating to natural disasters and other physical business interruptions, the proposed rule and rule amendments would require RIAs to have the difficult conversations related to transitions, such as retirement or loss of key personnel, bankruptcy, acquisition or the impact of financial stress at affiliated firms. The proposals also support the efforts of legal and compliance professionals who seek to engage with senior management regarding the documentation of transition plans.
When designing transition plans, in addition to considering general fiduciary duties, RIAs also must consider commitments to clients, assignment provisions in advisory contracts6 and key person and other relevant provisions in contracts, disclosures or side letters. In the process, RIAs must assess the loss of critical personnel, including traders, accountants and portfolio managers, which may be disruptive to clients, and an RIA’s plan should include both short- and long-term arrangements for replacing critical personnel. In the Release, the SEC staff specifically highlights transition risks related to custody, pooled investment vehicles and pricing, and emphasizes that some transitions occur under stress. According to the Release, advance planning and preparation may reduce RIA risks and potentially minimize resulting threats to the broader financial markets.
Under the proposed rule, an RIA’s transition plan must include:
- policies and procedures related to the safeguarding, transfer and/or distribution of client assets during transitions;
- an inventory of key documents, such as organizational documents, contracts, policies and procedures, including the location of such documents;
- details regarding the RIA’s management structure, risk management processes and financial and regulatory reporting requirements;
- material financial resources available to the RIA;
- policies and procedures relating to the prompt production of client-specific information in order to transition client accounts; and
- an assessment of the applicable legal and contractual issues related to a transition.
The Release acknowledges that there will be significant differences between the business continuity and transition plans developed by large investment advisers, with multiple locations and a large number of employees, and smaller investment advisers, with single offices and fewer employees. While the Release states that RIAs must address certain key components in their business continuity and transition plans, each adviser should tailor its plan based on the complexity of its business operations, the specific risks faced and any other unique aspects of its operations.
The proposed rule will remain open for comment for 60 days after publication in the Federal Register. Notably, the SEC has asked for comments on several significant issues, including whether:
- all RIAs, or just a subset, should be required to adopt and implement business continuity and transition plans;
- plans should be required pursuant to guidance with respect to RIAs’ general compliance obligations under Rule 206(4)-7 rather than in a separate rule;
- all components of a business continuity and transition plan should be prescribed by rule;
- definitions of the required components should be specified (e.g., what kind of business disruption is deemed “significant” or renders the RIA “unable to continue providing investment advisory services,” or what constitutes sufficient distance between an RIA’s primary and backup locations); and
- advisers should be required to report business continuity and transition incidents to the SEC.
SEC Guidance Update for Registered Investment Companies
On the same date, the SEC’s Division of Investment Management published guidance on business continuity planning for registered investment companies (the Guidance).7 As noted in the Guidance, Rule 38a-1 under the Investment Company Act of 1940 requires registered funds to adopt and implement written compliance policies and procedures reasonably designed to prevent violations of the federal securities laws; therefore, fund complexes should consider their compliance obligations when assessing their “ability to continue operations during a business continuity event.” As with the proposed rule requirements for RIAs, the Guidance acknowledges the variety in the operations of managers of registered funds and suggests that business continuity plans should be tailored to each fund complex’s business. The Guidance notes, however, that funds and fund complexes generally share certain fundamental operational risks. The SEC staff observes that in the registered fund context, chief compliance officers, as well as fund boards and employees across key functional areas, are typically involved in business continuity planning.
The staff acknowledges that registered investment companies often employ critical third-party service providers, such as pricing services and administrators. In that regard, the staff states that registered investment companies should:
- periodically evaluate each service provider’s own business continuity plan (and assess backup processes and redundancies);
- consider how the business continuity plans of critical service providers may relate to one another in the context of each investment company’s needs and obligations; and
- understand critical service providers’ cyber-preparedness and monitor their providers for cybersecurity breaches or other disruptions that may affect the operations of the fund complex.
The Guidance also suggests that registered investment companies develop a plan related to potential breaches and disruptions at their critical service providers. Related protocols should include internal and external communications, including communications with investors, regulators and the press.