On August 12, 2020, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert identifying COVID-19-related compliance issues, risks, and practices relevant to investment advisers and broker-dealers observed by OCIE through the Staff’s industry outreach amidst the pandemic.
In light of recent market volatility, remote working environments, and risks related to COVID-19, OCIE recommended that firms consider the following measures:
- Protection of Investors’ Assets. Review practices for collecting and processing investor checks and transfer requests and, as appropriate, adjust compliance policies and procedures to reflect any modified practices; consider disclosing to investors that checks or other submissions to the firm’s office may be subject to delayed processing; consider changes to disbursement policies, procedures, and practices to implement additional validation steps; ensure that each investor has designated an authorized and trusted contact person.
- Supervision of Personnel. Review and, where appropriate, modify practices and related compliance policies and procedures related to personnel supervision to address, among other things, supervisors not having the same level of oversight and interaction with supervised persons when working remotely; consider heightened supervision of persons making securities recommendations in market sectors that have experienced greater volatility or may have heightened risks for fraud; consider the sufficiency of processes for remote oversight of trading activity.
- Fees, Expenses, and Financial Transactions. Review policies and procedures and consider implementing enhanced compliance monitoring to mitigate the potential for misconduct or errors, including as to financial conflicts of interest (e.g., making recommendations that result in higher costs to investors that generate greater compensation for supervised persons), fee and expense calculations (e.g., advisory fee overbilling), and investment valuations.
- Investment Fraud. Recognize that times of crisis or uncertainty create a heighted risk of investment fraud and be cognizant of these risks when assessing investments; report suspected fraud to the SEC.
- Business Continuity. Assess the operation of critical business functions during emergency events; evaluate remote operating capabilities; consider modifications or enhancements to compliance policies and procedures and business continuity plans to address the unique risks and conflicts present in remote operating environments; consider whether additional protective measures are needed to secure critical servers, systems, and data; as appropriate, disclose to investors if operations are materially impacted by events and circumstances.
- Protection of Sensitive Information. Assess for vulnerabilities involving the protection of sensitive data, including personally identifiable information, from remote work environments and the use of videoconferencing and other electronic means of communication; implement enhanced monitoring to protect against unauthorized access to systems in light of increased phishing attempts; consider enhancements to identity protection practices; provide firm personnel with additional training and reminders; conduct heightened reviews of personnel access rights and controls; use validated encryption technologies to protect communications and data.
OCIE encouraged firms to remain informed regarding fraudulent activities that may affect investors’ assets and, when fraud is observed, to report such activities. The Risk Alert also included links to a number of SEC resources to assist and educate firms and investors.
The Risk Alert is available here.