The U.S. Securities and Exchange Commission (SEC) on June 28, 2016, proposed new Rule 206(4)-4 (Proposed Rule) under the Investment Advisers Act of 1940 (Advisers Act). The Proposed Rule would require every SEC-registered investment adviser (adviser) to adopt, implement and annually review a written business continuity and transition plan with certain enumerated components, reasonably designed to address the risks of a significant disruption in the adviser’s operations.1 The SEC also proposed amendments to Rule 204-2 under the Advisers Act, which would require advisers to maintain copies of all business continuity and transition plans in effect during the past five years and any records related to the annual review of the plan. Comments on the Proposed Rule and proposed amendments are due on or before September 6, 2016. The Proposing Release does not include a proposed compliance date or timeframe.
On the same day, the staff of the SEC’s Division of Investment Management (Staff) issued a Guidance Update that “discusses a number of measures that the [S]taff believes funds should consider as they evaluate the robustness of their fund complex’s plan in order to mitigate business continuity risks for funds and investors.”2 Among other things, the Guidance Update emphasizes the Staff’s view that a fund complex’s business continuity plan should reflect critical service provider interrelationships and the fund complex’s planned response to significant business disruptions experienced by such service providers.
The Proposal is the fourth of five significant regulatory initiatives originally announced by SEC Chair Mary Jo White in December 2014. The SEC previously proposed rules and rule amendments that address three parts of this five-part plan – to modernize fund reporting and disclosure, address funds’ liquidity risk management practices and introduce new restrictions on funds’ use of derivatives and other transactions.3 The remaining proposal relates to stress testing requirements for funds and advisers.
The Proposing Release notes that, although the SEC previously addressed business continuity planning when it required advisers to adopt compliance programs pursuant to Rule 206(4)-7 under the Advisers Act,4 the staff of the SEC has observed a range of practices with respect to the robustness of advisers’ operational risk management practices and business continuity plans.5 In particular, the Proposing Release states that the “staff has noted weaknesses in some adviser [business continuity plans] with respect to consideration of widespread disruptions, alternate locations, vendor relationships, telecommunications and technology, communications plans, and review and testing.” Further, the Proposing Release highlights the importance of business continuity planning for the resiliency of the U.S. financial system and notes that “[f]ederal and state financial market and services regulators, including the Commission, have sought to highlight and address operational risks and the tools necessary to manage them.”6
In the Proposing Release, the SEC states that, because advisers owe fiduciary duties of care and loyalty to their clients, an adviser must seek to protect client interests from being placed at risk as a result of the adviser’s inability to provide advisory services. Further, Section 206(4) of the Advisers Act authorizes the SEC to adopt rules designed to prevent fraudulent and deceptive conduct, and the Proposing Release indicates that the SEC “believe[s] it would be fraudulent and deceptive for an adviser to hold itself out as providing advisory services unless it has taken steps to protect clients’ interests from being placed at risk as a result of the adviser’s inability (whether temporary or permanent) to provide those services.”
The Proposing Release states that the Proposed Rule is “intended to help ensure that an adviser’s policies and procedures minimize material service disruptions and any potential client harm from such disruptions.” Specifically, the SEC is focused on operational risks “that may impact the ability of the adviser and its personnel to continue operations, provide services to clients and investors, or, in certain circumstances, transition the management of accounts to another adviser.” The Proposing Release discusses a number of operational risks that can arise from both internal and external events and situations, including technology or systems failures, loss of key personnel, loss of access to physical locations and facilities, loss of adviser or client data, natural disasters, cyber-attacks, terrorism and the loss of a service provider. The Proposing Release further states that operational risks can also arise when an adviser ceases or winds down its business, merges with another adviser, sells a portion of its business or commences bankruptcy proceedings. The Proposing Release provides examples of recent business continuity situations and transitions, including Hurricanes Katrina and Sandy and the 2008 financial crisis.
Proposed Rule 206(4)-4 would require advisers to adopt, implement and annually review a written business continuity and transition plan containing policies and procedures addressing: (i) business continuity following a significant business disruption; and (ii) business transition in the event the adviser is unable to continue providing investment advisory services to clients. Proposed amendments to Rule 204-2 would require an adviser to maintain copies of its current business continuity and transition plan and any such plan that was in effect within the past five years, as well as any records related to the annual review of the plan.
Business Continuity and Transition Plans
The Proposed Rule would require an adviser’s business continuity and transition plan to be based on the risks of the adviser’s operations and contain policies and procedures designed to minimize material service disruptions, including policies and procedures addressing certain specific components listed in the Proposed Rule.7 Each component enumerated in the Proposed Rule is listed below, along with additional detail from the Proposing Release as to the items and actions the SEC believes should be addressed with respect to a particular required component.
- Maintenance of critical operations and systems, and the protection, backup, and recovery of data. An adviser’s plan would be required to identify and prioritize critical functions, operations and systems (e.g., processing of portfolio securities transactions, valuation and maintenance of client accounts and delivery of funds and securities). Further, a plan should consider alternatives and redundancies to seek to maintain operations during a business disruption event and identify key personnel for short- and long-term planning purposes. A plan should also address both hard copy and electronic backups of data, include an inventory of key documents with a list of key service providers and address the risks of cyber-attacks.
- Pre-arranged alternate physical location(s) of the adviser’s office(s) and/or employees. The plan should consider the geographic diversity of the adviser’s offices, remote sites and employees, as well as seek to ensure access to systems, technology and resources necessary to continue operations from a satellite office or planned remote location(s).
- Communications with clients, employees, service providers, and regulators. The plan should address how and when the adviser plans to communicate with parties involved in critical aspects of the adviser’s operations.
- Identification and assessment of third-party services critical to the operation of the adviser. This involves identifying critical services,8 determining whether a third party provides such services and evaluating such third party’s plan for providing ongoing service in the case of a disruption.9
- Plan of transition that accounts for the possible winding down of the adviser’s business or the transition of the adviser’s business to others in the event the adviser is unable to continue providing advisory services. A transition plan should account for: (i) transitions in both normal and stressed conditions and should be tailored for each client type (e.g., funds, private funds and separately managed accounts); (ii) relevant contractual arrangements; and (iii) the regulatory regimes applicable to the adviser. The Proposed Rule would require that the adviser’s business continuity and transition plan include certain specific transition-related components. Each proposed component and additional detail from the Proposing Release is listed below.
- Policies and procedures intended to safeguard, transfer and/or distribute client assets during transition. The Proposing Release emphasizes that different methods may be required for different client types.
- Policies and procedures facilitating the prompt generation of any client-specific information necessary to transition each client account. This information might include the identity of custodians, positions, counterparties, collateral and related records of each client.
- Information regarding the corporate governance structure of the adviser. The plan should include an organizational chart, information about the adviser’s ownership and management structure (including the identity and contact information for key personnel) and the identity of affiliates whose dissolution or distress could be material to the adviser’s business.
- Identification of material financial resources available to the adviser. Such resources might include implementation of expense reductions, and sources of funding, liquidity and capital.
- An assessment of the applicable law and contractual obligations governing the adviser and its clients, including pooled investment vehicles, implicated by the adviser’s transition. The Proposing Release highlights various potential regulatory and contractual requirements relating to the transition of advisory services (e.g., cross-border regulatory issues, client consent requirements and automatic termination clauses).
The SEC specifically requests comments relating to the adoption and implementation of business continuity and transition plans, including whether:
- all advisers should be required to comply with the Proposed Rule and/or certain components thereof;
- the SEC should issue guidance pursuant to Rule 206(4)-7 under the Advisers Act in lieu of the Proposed Rule;
- the Proposed Rule has implications for an adviser subject to other existing business continuity and/or transition planning regulations;
- the list of required components should be modified and if so, how;
- any components of other rules or regulatory guidance should be addressed;
- definitions should be provided to clarify key terms;
- more prescriptive rules or guidance should be promulgated;
- advisers should be allowed more or less flexibility as to the components of the plan; and
- to require disclosure of advisers’ plans and/or incidents to clients and/or to the SEC and if so, when and by what means.
Proposed Rule 206(4)-4(a)(2) would require an adviser to review the adequacy of its business continuity and transition plan and the effectiveness of its implementation at least annually. The Proposing Release states that such annual review “should consider any changes to the adviser’s products, services, operations, critical third-party service providers, structure, business activities, client types, location and any regulatory changes….” In addition, the SEC states that such reviews should address any weaknesses identified in connection with any testing or assessments of the plan, as well as any lessons learned or changes made or contemplated as a result of an event triggering reliance on the plan during the year.10
The proposed amendments to Rule 204-2 would require advisers to maintain copies of all written business continuity and transition plans that are in effect or were in effect at any time during the last five years following the compliance date. Additionally, the amendments would require an adviser to maintain any records documenting the adviser’s annual review of its plan for at least five years after the end of the fiscal year in which the review was conducted.11
As noted above, on June 28, 2016, the Staff issued a Guidance Update regarding business continuity planning for registered investment companies (funds). In the Guidance Update, the Staff reminds funds of the compliance program requirements of Rule 38a-1 under the Investment Company Act of 1940 (Investment Company Act) and states that “[i]n the [S]taff’s view, fund complexes should consider their respective compliance obligations under the federal securities laws when assessing their ability to continue operations during a business continuity event.”12 The Staff highlights certain recent business disruptions that have affected the fund industry, including an August 2015 systems malfunction that prevented a third-party service provider from calculating certain funds’ net asset values for several days. The Guidance Update states that, following such disruption, SEC staff “outreach revealed that some funds could have been better prepared for the possibility that one of their critical service providers would suffer an extended outage.”
The Staff states that funds should have plans, policies and procedures that are tailored to the fund complex and are designed to address business continuity planning and potential disruptions in operations resulting from events involving the fund complex and third-party service providers. Additionally, the Staff states that funds should consider conducting initial and ongoing due diligence of the business continuity and disaster recovery plans of third parties that perform critical functions. The Staff believes that critical fund service providers would include, at a minimum, each fund adviser, principal underwriter, administrator, transfer agent, custodian and pricing agent.13
The Guidance Update highlights certain “notable practices” identified by the Staff following recent outreach to fund complexes and their advisers regarding business continuity planning. Generally, the Staff notes that most funds rely on fund complex or enterprise-wide business continuity and disaster recovery plans that incorporate critical functions performed on behalf of the funds. In addition, the Guidance Update lists the following specific “notable practices” identified by the Staff:
- Plans typically cover the facilities, technology/systems, employees and activities of the adviser, its affiliates and critical third-party service providers;
- A broad cross-section of employees from key functional areas is involved in the plans (e.g., personnel from senior management, technology, information security, human resources, legal and compliance);
- Participation in third-party service provider oversight by the fund’s Chief Compliance Officer (CCO) and/or affiliates’ CCO(s). The Staff notes that service provider oversight typically comprises both initial and ongoing due diligence, including reviews of critical third-party service providers’ business continuity and disaster recovery plans;
- Annual business continuity planning presentations to the fund’s board with the CCO’s participation;
- Annual business continuity plan testing with results shared with the fund’s board; and
- Monitoring of outages by the fund’s CCO and other pertinent staff, with appropriate reporting to the fund’s board.
Additional Considerations Regarding Critical Service Providers
The Guidance Update also highlights the Staff’s view that fund complexes’ business continuity planning should address reliance on affiliates and third parties to perform critical business functions and related activities. Additionally, the Staff believes that fund boards should discuss with the fund’s adviser and other critical service providers: (i) the steps being taken to mitigate the risks associated with business disruptions; (ii) the robustness of their business continuity planning; and (iii) how the fund complex’s business continuity plan addresses the risks of business disruptions to critical third-party service providers.
The Staff encourages fund complexes to consider the following when formulating business continuity plans with respect to critical service providers:
- Back-Up Processes and Contingency Plans. Funds should consider critical service providers’ business continuity plans, including how such service providers intend to maintain operations during a disruption. The Staff also believes that funds’ plans should address the risk of service provider disruptions.
- Monitoring Incidents and Communications Protocols. Fund complexes should consider how to monitor critical service providers for disruptions and the potential impacts and appropriate communication protocols for navigating such disruptions. The Guidance Update encourages policies and procedures for internal communications within the fund complex (including with the fund’s board) and external communications with the affected service provider, other service providers, investors, regulators and others.
- Understanding the Interrelationship of Critical Service Provider Business Continuity Plans. The Guidance Update states that fund complexes should consider how critical service providers’ plans relate to each other, including redundancies and back-up procedures. Further, fund complexes should have backup procedures to successfully navigate a service provider disruption.
- Contemplating Various Scenarios. The Staff believes that fund complexes should consider how a critical service provider disruption could impact fund operations and investors, and have a plan to manage various scenarios.