On June 28, 2016, the Securities and Exchange Commission (“SEC”) proposed a rule that would require all SEC-registered investment advisers to adopt and implement a business continuity and transition plan (“BCP”).1 The BCP would need to be reasonably designed to address operational and others risks related to possible significant disruptions in the adviser's business. According to the Proposing Release, without an adequately robust plan, the SEC believes it would be “fraudulent and deceptive” for an adviser to provide advisory services.
The SEC has previously noted that business continuity plans should be addressed in an adviser's compliance policies and procedures in accordance with rule 206(4)-7.2 In the Proposing Release, the SEC recognized that most investment advisers already have a BCP, but pointed to observed weaknesses and inconsistencies in those plans identified through the examination process.
Proposed rule 206(4)-4 identifies the explicit requirements for what makes a BCP “reasonably designed to address operational and other risks.” The SEC acknowledges in the Proposing Release that businesses will vary and the approach to business continuity will depend on the specific attributes of each business, but nonetheless requires certain elements.
The proposed rule would require SEC-registered advisers to adopt and implement written BCPs that include policies and procedures addressing (i) business continuity after a significant business disruption, and (ii) business transition if the adviser is unable to continue providing advisory services to clients. The Proposing Release includes various situations to consider in designing the BCP, such as natural disasters, acts of terrorism, cyber-attacks, equipment or system failures, or loss of a service provider, facilities, or key personnel. Transitions should address when an adviser exits the business, merges, or sells its business. The BCP should serve to minimize disruptions during any of the designated events.
The content of a BCP would be based upon the risks associated with a particular adviser's operations, and would be required to include several key elements, summarized below.
a) Policies and Procedures on the Maintenance of Critical Operations and Systems and the Protection, Backup, and Recovery of Data
An adviser's BCP would be required to include policies and procedures that address the maintenance of critical operations and systems, and the protection, backup, and recovery of data, including client records. The BCP should identify and prioritize the functions, operations, and systems critical to the adviser's business, and should consider, and possibly provide, alternatives and redundancies to promote continual operation despite a business disruption.
The Proposing Release identifies as critical operations and systems those that are used to (1) process portfolio securities transactions for clients, (2) value and maintain client accounts, (3) provide access to client accounts, and (4) deliver funds and securities. The Proposing Release also focuses heavily on the need to identify and evaluate the role of third-party service providers in performing critical functions, and emphasizes the need for advisers to evaluate the business continuity controls in place at such firms. Finally, the BCP should identify the key personnel that are integral to the business or any of the critical operations and systems.
The Proposing Release notes that the data backup and recovery component of a BCP should include an inventory of key documents, identifying the location and description of each item. These documents should include the management structure, risk management processes, and regulatory reporting requirements in the event of a business disruption.
The SEC also briefly addressed cybersecurity. As cybersecurity has been a hot topic, advisers are again reminded to have processes in place to respond to a cyber-attack.
Generally, the proposed rule addresses the what that needs to be addressed, but not how each factor must be addressed, giving advisers a fair amount of latitude to design BCPs tailored to their business.
b) Pre-Arranged Alternate Physical Location(s)
A BCP would have to include a pre-arranged alternate physical location for the adviser's office and employees. An adviser could consider remote access sufficient, but that is subject to the applicable technology, systems, and resources necessary for the business to continue securely.
c) Communications with Clients, Employees, Service Providers, and Regulators
The SEC noted that communication is critical to an adviser's operations. Thus, a BCP would also need to cover how employees are informed of an event, how employees should communicate during an event, and contingencies for who will take on certain responsibilities in the absence of key personnel.
The Proposing Release explains that advisers also should consider how and when to inform clients of a disruption and its impact, and advisers would need to ensure proper access to client records and contact information during a disruption to facilitate communication.
Also, consistent with the SEC's focus on third-party service providers and the risks associated with disruptions to their business, the BCP would have to cover communications with and notifications to service providers in the event of a disruption, either at the adviser internally or at the service provider.
Lastly, the BCP would have to include provisions to accommodate contact with regulators as appropriate.
d) Identification and Assessment of Third-Party Services Critical to the Operation
For each service provider, the BCP would have to identify services provided that are critical to the adviser's operations, including providers providing portfolio management, custody, trade execution, pricing, recordkeeping, and financial and regulatory reporting.
The BCP would need to take into account the relationship with each service provider and identify ways to mitigate risks associated with disruption at the provider, including possibly creating redundancies in the necessary services. The Proposing Release identifies the pricing issues encountered this past year as a recent example. The SEC notes that advisers may need to review materials such as a summary of a service provider's BCP, due diligence questionnaire, independent report, or other certification of operational resiliency, to properly tailor the adviser's BCP to the risks posed by each service provider.
Finally, the BCP would need to include provisions addressing a possible winding down of the adviser's business or the transition of the business to others, including ways to mitigate risks in both normal and stressed conditions.
The proposed rule would require the transition plan's policies and procedures to:
- safeguard, transfer, and/or distribute client assets during transition;
- facilitate the prompt production of client information to transition each account;
- cover the corporate governance structure;
- identify any material financial resources available to the adviser; and
asses applicable legal and contractual obligations implicated by the transition.
If adopted, an adviser would be required to review the BCP and the effectiveness of its implementation at least annually. The review should consider any changes to the adviser's business and whether changes are necessary for continued adequacy and effectiveness.
In addition to proposed rule 206(4)-4, the Proposing Release also proposes amendments to the recordkeeping rule to require that the BCP be kept in accordance with an adviser's existing recordkeeping requirements. The annual review would also need to be documented and recorded.
Investment Company Guidance
The Division also issued guidance regarding funds' obligations under Investment Company Act rule 38a-1 for addressing business continuity. The guidance highlights several notable practices from staff observations such as the important role of the chief compliance officer, board involvement, annual testing, teamwork across units of the business, and the effective use of technology and service providers. However, the Division also addresses certain areas that fund complexes can improve regarding critical service providers, including more formal monitoring and communication protocols, exams of service provider back-up processes and contingencies, improved coordination of BCPs with service providers' BCPs, and an expanded menu of possible business disruptions.
* * * * *
Because the SEC has addressed BCPs before, many advisers may already be well-prepared. However, the proposed rule contains more specific requirements for BCPs than prior guidance. Accordingly, advisers should review their current BCPs to determine the changes the proposed rule would necessitate.