The SEC has issued guidance that stresses that the board of directors (Board) needs to mitigate operational risks related to significant business disruptions through proper business continuity planning.
The SEC observed the following notable practices in recent discussions with fund complexes about business continuity planning:
- Business continuity plans (“BCPs”) typically cover the facilities, technology/systems, employees, and activities conducted by the investment adviser and any affiliated entities, as well as dependencies on critical services provided by other third-party service providers. In the SEC’s view, critical fund service providers likely would include, but would not necessarily be limited to, the investment adviser, principal underwriter, administrator, and transfer agent, as well as each custodian and pricing agent.
- The fund’s Chief Compliance Officer (CCO) and/or the CCO of other entities in the fund complex typically participate in the fund complex’s third-party service provider oversight process as conducted by key personnel.
- Service provider oversight programs generally incorporate both initial and ongoing due diligence processes, including review of applicable business continuity and disaster recovery plans for critical providers.
- The fund complex typically seeks a combination of information to conduct its oversight, including, but not limited to, service provider presentations, on-site visits, questionnaires, certifications, independent control reports, and summaries of programs and testing, where appropriate, including with respect to BCPs.
- BCP presentations are typically provided to fund boards of directors, with CCO participation, on an annual basis and are given by the adviser and/or other critical service providers.
- Business continuity outages, including those incurred by the fund complex or a critical third-party service provider, are monitored by the CCO and other pertinent staff and reported to the fund board as warranted.
In the SEC’s view, a fund complex’s BCP should contemplate its arrangements with third-party service providers, and fund complexes should consider the following lessons learned from past business continuity events and from the SEC’s outreach efforts when formulating the portions of their BCPs that relate to critical service providers.
- Back-Up Processes and Contingency Plans. The SEC believes that fund complexes should consider examining critical service providers’ backup processes and redundancies; the robustness of the provider’s contingency plans, including reliance on other critical service providers; and how these providers intend to maintain operations during a significant business disruption.
- Monitoring Incidents and Communications Protocols. The SEC believes that fund complexes should consider how they can best monitor whether a critical service provider has experienced a significant disruption (such as a cybersecurity breach or other continuity event) that could impair its ability to provide uninterrupted services; the potential impacts such events may have on fund operations and investors; and the communication protocols and steps that may be necessary for the fund complex to navigate such events successfully.
- Understanding the Interrelationship of Critical Service Provider BCPs. The SEC believes that fund complexes should consider how the BCPs of a fund’s critical service providers relate to each other to better ensure that funds can continue operations and/or promptly resume operations during a significant business disruption.
- Contemplating Various Scenarios. The SEC believes that fund complexes should consider how a critical service provider disruption could impact fund operations and investors, and generally have a plan for managing the response to potential disruptions under various scenarios, whether such disruptions occur internally or at a critical third-party service provider.
Rule 38a-1 under the Investment Company Act of 1940 requires funds to adopt and implement written compliance policies and procedures reasonably designed to prevent violation of the federal securities laws. In the SEC’s view, fund complexes should consider their respective compliance obligations under the federal securities laws when assessing their ability to continue operations during a business continuity event. Because fund complexes increasingly use technologies and services provided by third parties to conduct daily fund operations, the SEC believes such dependencies and arrangements should be considered as part of comprehensive business continuity planning.
Mutual funds are generally externally managed and do not have employees of their own; they typically are organized by their primary investment advisers (also known as the funds’ sponsors), who often manage a number of funds within a fund complex and coordinate the activities of other fund service providers. Due to this structure, business continuity planning generally is conducted at the fund complex level, and typically business continuity plans address fund activities in conjunction with the activities of the primary investment adviser and other service providers that are part of the fund complex.
Business continuity planning is critical to a fund complex’s (or any business entity’s) ability to continue operations during, and recover from, a significant business disruption. The development of policies and procedures reasonably designed to ensure that an entity’s critical functions and business activities can continue to operate in the face of a significant business disruption has long been considered an essential aspect of operational risk management.
Fund complexes should consider how to mitigate exposures through compliance policies and procedures that address business continuity planning and potential disruptions in services (whether provided internally at the fund complex or externally by a critical third-party service provider) that could affect a fund’s ability to continue operations, such as processing shareholder transactions. Because fund complexes vary in their activities and operations, their policies, procedures, and plans generally should be tailored to the nature and scope of their business. Additionally, because fund complexes outsource critical functions to third parties, consideration should be given to conducting thorough initial and ongoing due diligence of those third parties, including due diligence of those service providers’ business continuity and disaster recovery plans.
Investment advisers of fund complexes, CCOs, and the fund board play a key role in the selection and ongoing oversight of critical fund service providers. Key business functions and related activities may be performed by an affiliate of the fund complex, a third-party service provider, or some combination thereof.
The SEC believes that funds will be better prepared to deal with business continuity events, if and when they occur, when fund complexes consider the robustness of their own BCPs as well as those of their critical third-party service providers. The SEC also believes that fund complexes’ preparedness likely would be enhanced if they consider their service providers’ interrelationships with one another and how the fund complex will respond to significant business disruptions that may impact its internal operations and/or a critical third-party service provider of the fund. The SEC recognizes that it is not possible for a fund or fund complex to anticipate or prevent every business continuity event. However, appropriate planning includes consideration of these issues and of various scenarios in advance of a significant business disruption.