On June 27, the staff of the Securities and Exchange Commission’s (Commission or SEC) Division of Investment Management (IM) issued a Guidance Update on business continuity planning for registered investment companies (funds).1 The Guidance Update provides the staff’s view on what funds should consider as they assess their ability to continue operations after a significant business disruption. Recognizing that funds cannot anticipate or prevent all business continuity events, the staff stated that business continuity planning can help funds mitigate “the impact of significant business disruptions on operations and in servicing investors, as well as in complying with the federal securities laws throughout business continuity events.”
Citing Rule 38a-1 under the Investment Company Act of 1940, which requires funds to adopt and implement written compliance policies and procedures reasonably designed to prevent violation of the federal securities laws, the staff reminded funds of the legal obligation to include business continuity plans (BCPs) in their compliance programs. In his remarks to the Investment Company Institute’s 2016 Mutual Funds and Investment Management Conference, David Grim, the Director of IM, encouraged fund complexes to “consider having a detailed playbook for responding to various scenarios, whether those disruptions occur internally or at a key service provider.” “If history teaches us one thing,” he said, “it is that once a crisis strikes, it is already too late to begin formulating a response.”2 In IM’s view, critical or key service providers include the service providers listed in Rule 38a-1 (i.e., the adviser, principal underwriter, administrator and transfer agent), as well as the custodians and pricing agents.
As noted in the Guidance Update, ever since September 11, 2001, and the business and operational disruptions caused by Hurricanes Katrina and Sandy, the Commission has issued alerts setting forth best practices and lessons learned. The Guidance Update uses the events of August 2015—when a breakdown in one of its third-party systems prevented a major financial institution from calculating the NAVs of hundreds of funds—to underscore the importance of robust business continuity planning and the need to understand the disaster recovery protocols of critical fund service providers. During and after the August 2015 systems malfunction, IM’s Risk and Examinations Office and the Commission’s Office of Compliance Inspections and Examinations identified lapses in some funds’ preparedness for such a breakdown.
Recently, IM reached out to fund complexes and their advisers regarding business continuity planning. During these discussions, the staff noted that because most funds outsource their critical functions to third parties, they should consider conducting initial and ongoing due diligence of those providers’ business continuity and disaster recovery plans. The Guidance Update is a compilation of “notable practices” the staff observed during these discussions. These “notable practices” in funds’ BCPs cover:
- Facilities, technology/systems, employees and activities conducted by the adviser, any affiliates and critical third-party service providers;
- Broad cross-section of employees from key functional areas including senior management, technology, information security, operations, human resources, communications, legal, compliance and risk management;
- Participation by the funds’ chief compliance officer (CCO) and/or the CCOs of other entities in the fund complex in the third-party service provider oversight process conducted by other personnel, incorporating both initial and ongoing due diligence processes;
- Annual presentations to the fund’s board of directors by the adviser and/or other critical service providers, separately or as part of the annual section 15(c) process, with the CCO’s participation;
- Annual testing of the BCP with updates to the fund’s board of directors; and
- Monitoring of business continuity outages by the CCO or critical third-party service provider with reports to the fund’s board of directors as warranted.
In addition, the Guidance Update suggested that the business continuity plans of funds contemplate the following with respect to key service providers:
- Back-up process and contingency plans;
- Monitoring incidents, such as a cybersecurity breach, and communications protocols;3
- Understanding the interrelationships among the business continuity plans of key service providers; and
- Contemplating various scenarios.
The Guidance Update complements the issuance of a rule proposal under the Investment Advisers Act of 1940 that would require SEC-registered investment advisers to adopt and implement business continuity decisions and transition plans reasonably designed to address operational and other risks related to a significant disruption in the investment adviser’s operations.4
It is clear from the Guidance Update that the Commission is expecting a greater effort by funds and advisers in the area of business continuity planning. Legal and compliance officers should review this Guidance Update and consider the robustness of their playbooks as well as the business continuity and disaster recovery plans of their affiliates and critical third-party service providers. In this context, a comprehensive and diligent examination should be conducted to determine what additional measures need to be included in a fund’s BCP to mitigate the impact of significant business disruptions on operations as well as compliance with federal securities laws.