This alert addresses recent guidance (“Guidance”) by the staff of the Securities and Exchange Commission Division of Investment Management on business continuity planning for registered investment companies. The Guidance emphasizes the importance of mitigating operational risks of significant business disruptions through proper business continuity planning for registered investment companies. It is being offered concurrently with the issuance by the SEC of a proposed new rule and rule amendments addressing business continuity plans (BCP) of registered investment advisers. The proposed rules for investment advisers are discussed in a separate alert available here.
The Guidance reflects the staff’s concerns about the ability of fund complexes to ensure comprehensive business planning and continuity given their increasing use of technologies and services provided by third parties to conduct daily fund operations. Accordingly, the Guidance discusses measures that the staff believes funds should consider as they evaluate their BCPs in light of the existing requirements including Rule 38a-1 under the Investment Company Act of 1940 (“1940 Act”).
The Guidance states that fund complexes should ensure that their compliance policies and procedures address business continuity planning and potential disruptions in services provided internally and externally by critical third-party service providers, such as in the area of processing shareholder transactions. Additionally, according to the Guidance, fund complexes should conduct thorough initial and ongoing due diligence of third parties to which fund complexes outsource any of their functions, including due diligence of their service providers’ BCPs. Critical fund service providers include each named service provider under Rule 38a-1 (i.e., each investment adviser, principal underwriter, administrator, and transfer agent), as well as each custodian and pricing agent.
The Guidance lists some of the notable practices observed by the staff in BCPs of some of the registered fund complexes, including:
- Covering the facilities, technology/systems, employees, activities and services providers of the adviser;
- Involvement of a broad cross-section of employees from key functional areas;
- The chief compliance officer (CCO) typically participating in the fund complex’s third-party service provider oversight process;
- BCP presentations by the adviser and other critical service providers are typically provided to fund boards of directors, with CCO participation, on an annual basis;
- Some form of annual BCP testing, with the results shared in updates to fund boards; and
- Business continuity outages being monitored by the CCO and reported to the fund board.
The Guidance invites fund complexes to consider how they can best assess and monitor whether a critical service provider has experienced a significant disruption (such as a cybersecurity breach or other continuity event), the potential impacts these events may have on fund operations and investors, and the communication protocols and steps that may be necessary for the fund complex to successfully navigate these events. These protocols and steps may include policies and procedures for internal communications across the fund complex (e.g., involving senior management, legal, compliance, risk management, technology, information security, operations, human resources, and communications staff), as well as with fund boards; a consideration of back up processes of critical service providers; and scenario analyses of such service providers’ potential disruptions. According to the Guidance, it is also important to consider how the BCPs of a fund’s critical service providers relate to each other to better ensure that funds can continue operations and/or promptly resume operations during a significant business disruption.
Boards may consider discussing the Guidance with their investment adviser and fund CCOs to determine the status of fund complex BCPs and any gaps related to the Guidance. Boards may also want to review with their counsel the current BCP reporting framework and any enhancements needed in light of the Guidance.