On June 28, 2016, the staff of the SEC’s Division of Investment Management issued a Guidance Update (the Guidance) discussing business continuity plans (BCPs) for registered investment companies (funds). The Guidance reviews various measures that the SEC staff believes a fund should consider when evaluating the robustness of its BCP as well as the BCPs of “critical fund service providers,” which the staff identifies as the adviser, principal underwriter, administrator, transfer agent, custodian and pricing agent.
BNYM/SunGard Incident and Lessons Learned
In emphasizing the importance of robust business continuity planning in order to mitigate risks for funds and investors, the Guidance cites the August 2015 incident in which Bank of New York Mellon (BNYM) experienced a malfunction in one of its third-party systems (SunGard’s InvestOne) that prevented it from calculating accurate net asset values for hundreds of mutual funds and exchange-traded funds (ETFs). The Guidance notes that the SEC staff conducted outreach to the fund industry during and after the BNYM incident, which revealed that “some funds could have been better prepared for the possibility that one of their critical service providers would suffer an extended outage.” The SEC staff advises that fund complexes consider how to mitigate the consequences of disruptive events, such as the BNYM incident, through compliance policies and procedures that are tailored to the nature and scope of the complex and that address, among other things, “potential disruptions in services (whether provided internally at the fund complex or externally by a critical third-party service provider) that could affect a fund’s ability to continue operations, such as processing shareholder transactions.” Noting that fund complexes outsource critical functions to third parties, the staff also advises that funds conduct initial and ongoing due diligence on those third parties, including assessments of the service providers’ business continuity and disaster recovery plans.
The Guidance lists several “notable practices” observed by the SEC staff in recent discussions with fund complexes (which may be understood as recommended features of BCPs), including:
- BCP coverage of facilities, technology/systems, employees, and activities of the adviser and affiliated entities, as well as dependencies on critical third-party services;
- Involvement of a broad cross-section of employees from key functional areas, including senior management, in BCPs;
- Service provider oversight by key personnel, including the Chief Compliance Officer (CCO) of the fund complex and/or the CCO of other entities in the fund complex;
- Service provider oversight methods including, but not limited to, service provider presentations, on-site visits, questionnaires, certifications, independent control reports (such as Service Organization Control (SOC) reports prepared by independent auditors) and summaries of programs and testing;
- Annual BCP presentations to the fund board (either separately, or as part of the CCO’s annual compliance report to the board or the board’s annual 15(c) contract review process);
- Annual BCP testing, with results shared with the fund board; and
- CCO monitoring of business continuity outages, with reporting to the fund board as warranted.
Additional Considerations Regarding Critical Service Providers
The Guidance identifies certain additional recommendations regarding critical service providers that fund complexes should take into account, including:
- Back-Up Processes and Contingency Plans
A fund complex should examine its critical service providers’ backup processes and redundancies, the robustness of the providers’ contingency plans, including reliance on other critical service providers, and how these providers intend to maintain operations during a significant business disruption.
A fund complex should understand how its own BCP addresses risk that a critical service provider could suffer a significant business disruption and how the provider and the fund complex might respond under certain scenarios.
- Monitoring Incidents and Communications Protocols
A fund complex should consider how to best monitor whether a critical service provider has experienced a significant disruption (such as a cybersecurity breach) that could impair the service provider’s ability to provide uninterrupted services, the potential impacts such events may have on fund operations and investors, and the appropriate communication protocols. Such protocols might include:
  - Policies and procedures for internal communications across the fund complex, as well as with fund boards;
  - External communications plans that address ongoing discussions with the affected service provider, as well as other providers as warranted, and intermediaries, investors, regulators, and the press, as appropriate;
  - Maintaining updated and accessible contact information for essential communications with various constituents during an event; and
  - Providing timely communications that report progress and next steps, which may include posting updates to websites or using other portals to broadly disseminate information.
- Understanding the Interrelationship of Critical Service Providers’ BCPs
A fund complex should consider how the BCPs of its critical service providers relate to each other to better ensure that funds can continue operations and/or promptly resume operations during a significant business disruption.
- Contemplating Various Scenarios
A fund complex should generally have a plan for managing the response to potential disruptions under various scenarios, whether such disruptions occur internally or at a critical third-party service provider.
Although the SEC staff acknowledges that it is not possible for a fund complex to anticipate or prevent every business continuity event, the Guidance states that a fund complex should consider its compliance obligations under the federal securities laws when assessing its ability to continue operations during such an event. The Guidance is available at https://www.sec.gov/investment/im-guidance-2016-04.pdf.