On June 28, 2016, the Securities and Exchange Commission (SEC) proposed new Rule 206(4)-4 under the Investment Advisers Act of 1940 (Advisers Act) that would require registered investment advisers to adopt and implement written business continuity and transition plans reasonably designed to address operational and other risks related to a significant disruption in their operations. The SEC also proposed to amend Rule 204-2 under the Advisers Act to require registered investment advisers to make and keep all business continuity and transition plans that are currently in effect or that were in effect at any time within the past five years. The full text of the proposed rule and rule amendments can be found here.
The proposal would formalize a longstanding implicit expectation of the SEC staff. In the release dated December 17, 2003, which adopted Advisers Act Rule 206(4)-7 (the "Compliance Program Rule"), the SEC stated that it expected that an adviser's compliance policies and procedures, at a minimum, should address a number of issues which included business continuity plans. In June 2007, the SEC's examinations staff issued a compliance alert which identified a number of "lessons learned" from the staff's examinations of advisers located in Louisiana and Mississippi that implemented their disaster recovery plans as a result of being affected by Hurricane Katrina. More recently, on August 27, 2013, the SEC issued guidance following the impact of Hurricane Sandy on parts of New York, New Jersey, and the surrounding areas, which provided the SEC's examination staff with the opportunity to review, observe, and assess the operations and resiliency of business continuity plans across many advisers.
In its prior written guidance, the SEC did not identify critical components of advisers' business continuity plans or discuss specific issues or areas that advisers should consider in developing one. Under proposed new Rule 206(4)-4, the content of an SEC-registered adviser's business continuity and transition plan would be based upon risks associated with the adviser's operations and would be required to include policies and procedures designed to minimize material service disruptions, including policies and procedures that address the following areas:
- maintenance of critical operations and systems, and the protection, backup, and recovery of data;
- pre-arranged alternate physical location(s) of the adviser's office(s) and/or employees;
- communications with clients, employees, service providers, and regulators;
- identification and assessment of third-party services critical to the operation of the adviser; and
- a plan of transition that accounts for the possible winding down of the adviser's business or the transition of the adviser's business to others in the event that the adviser is unable to continue providing advisory services.
Under proposed new Rule 206(4)-4, the business transition components of a business continuity and transition plan would be required to include:
- policies and procedures intended to safeguard, transfer and/or distribute client assets during transition;
- policies and procedures facilitating the prompt generation of any client-specific information necessary to transition each client account;
- information regarding the corporate governance structure of the adviser, including an organizational chart and other information about the adviser's ownership and management structure, such as the identity and contact information for key personnel, and the identity of affiliates (both foreign and domestic) whose dissolution or distress could lead to a change in, or material impact to, the adviser's business operations;
- the identification of any material financial resources available to the adviser; and
- an assessment of the applicable law and contractual obligations governing the adviser and its clients, including pooled investment vehicles, implicated by the adviser's transition.
For purposes of the proposed rule, business continuity situations generally would include natural disasters, acts of terrorism, cyber-attacks, equipment or system failures, or the unexpected loss of a service provider, facilities, or key personnel. Business transitions generally would include situations where the adviser exits the market and thus is no longer able to serve its clients, including when it merges with another adviser, sells its business or a portion thereof, or enters bankruptcy proceedings. The proposed rule would require that the plan be reasonably designed (the same standard as under the Compliance Program Rule) to address the operational and other risks of each particular adviser, and thus an adviser would need only take into account the risks associated with its particular operations, including the nature and complexity of the adviser's business, its clients, and its key personnel.
Under proposed new Rule 206(4)-4, each registered adviser would be required to review the adequacy of its business continuity and transition plan, and the effectiveness of its implementation, at least annually. The SEC stated in the proposal that the review generally should consider any changes to the adviser's products, services, operations, critical third-party service providers, structure, business activities, client types, location, and any regulatory changes that might suggest a need to revise the business continuity and transition plan. The proposed amendments to Advisers Act Rule 204-2 would require registered advisers to maintain records documenting the adviser's annual review of its business continuity and transition plan.
The SEC invited comments on a number of specific areas discussed in the proposal, including:
- whether the rule should contain a "look through" provision requiring an adviser's communication plan to extend to investors in certain types of pooled investment vehicles, and if so, which specific types of pooled investment vehicles would be included and how the term "investors" would be defined for each type of pooled investment vehicle;
- whether the rule should require advisers to file their business continuity and transition plans, or a summary thereof, with the SEC, and if so, whether these filings should be made available to the public; and
- whether the rule should require advisers to disclose to the SEC and/or their own clients incidents where they relied on or activated their business continuity and transition plans.
Any comments on the proposed rule should be received on or before September 6, 2016.