On August 12, 2020, the U.S. Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert addressing certain COVID19-related compliance risks and considerations for SEC-registered investment advisers and broker-dealers (collectively, Firms).
Through its continuing exams and outreach efforts, OCIE has identified operational resiliency challenges that many Firms face due to COVID19. In addition, OCIE notes the "market volatility related to COVID19 may have heightened the risks of misconduct in various areas that the staff believe merit additional attention."
OCIE's observations and recommendations in this Risk Alert fall into six broad categories: (1) protection of investors' assets; (2) supervision of personnel; (3) practices relating to fees, expenses, and financial transactions; (4) investment fraud; (5) business continuity; and (6) the protection of investor and other sensitive information.
Protection of Investor Assets. The ongoing pandemic has led some Firms to modify their normal operating practices, including procedures around collecting and processing investor checks and transfer requests. OCIE recommends Firms review their practices and make adjustments where appropriate. OCIE highlights several actions Firms may want to consider to help ensure the safety of investor assets, including the following:
- In situations where investors may mail checks to Firms but Firms are not picking up their mail daily, Firms may want to update their supervisory and compliance policies and procedures to reflect any adjustments made and disclose to investors the possibility of delays in processing checks or other assets mailed to the Firm.
- Firms may also want to review and update their policies and procedures around disbursements to investors, particularly where investors are taking unusual or unscheduled withdrawals from their accounts, such as COVID19-related distributions from retirement accounts. Specifically, Firms may want to consider (1) implementing additional steps to confirm the investor's identity and the validity of disbursement instructions, including whether the person is authorized to make such requests and the accuracy of bank account names and numbers; and (2) recommending that each investor has an additional contact person in place, particularly when the investor is a senior or otherwise vulnerable.
Supervision of Personnel. OCIE has observed many Firms making significant operational changes to respond to the health and economic impacts of COVID19, such as shifting to Firm-wide telework conducted from various remote locations, dealing with significant market volatility and attendant issues, and responding to challenges including operational and technological issues that may arise. Again,
OCIE recommends Firms review and amend their supervisory and compliance policies as appropriate to reflect the Firm's current business activities and operations. Firms may want to modify their practices to address the following:
- Supervised persons making securities recommendations in market sectors that may be at heightened risk for fraud or may have experienced greater volatility. Supervisors not having the same level of oversight and interaction with their supervised persons while working remotely.
- Personnel working from remote locations and using personal devices may lead to communications or transactions occurring outside the Firm's systems.
- Risks related to remote trading oversight, including reviews of affiliated, cross, and aberrational trading, particularly in high-volume investments.
- The impact of resource constraints and limited opportunities for onsite due diligence reviews associated with reviewing service providers such as third-party managers, investments, and portfolio holding companies.
- The inability to have personnel take the requisite examinations or for Firms to perform the same level of diligence during background checks when onboarding new personnel, such as obtaining fingerprint information and completing the required Form U4 verifications.
Fees, Expenses, and Financial Transactions. Recent market volatility has affected investor assets and the related fees collected by Firms, which may increase financial pressures on Firms and their personnel to compensate for lost revenue. This may increase the potential for misconduct in two main areas:
- Financial conflicts of interest, including (1) borrowing or taking loans from investors and clients; (2) recommending workplace plan distributions, retirement plan rollovers to individual retirement accounts, and retirement account transfers into accounts advised by the Firm or investments in products that the Firm or their personnel are soliciting; and (3) making recommendations that result in higher investor costs and that generate greater compensation for supervised persons, such as switching investments with termination fees for new investments with high up-front charges or recommending mutual funds with higher cost-share classes when lower cost-share classes are available.
- Calculating investor fees and expenses, including (1) errors when calculating advisory fees, including valuation issues that result in over-billing of advisory fees; (2) inaccurate calculations of tiered fees, including failure to provide breakpoints and aggregate household accounts; and (3) failures to refund prepaid fees for terminated accounts.
Firms may want to review their policies surrounding fees and expenses and consider enhancing their compliance monitoring, particularly by:
- Validating the accuracy of fee and expense calculations, use of investment valuations, and disclosures.
- Identifying transactions that resulted in high fees and expenses to investors, monitoring trends surrounding such transactions, and evaluating whether these transactions were in the best interest of investors.
- Evaluating the risks associated with borrowing or taking loans from investors, clients, and other parties that create conflicts of interest, because this risks the impartiality of the Firm's recommendations. OCIE also notes that advisers who seek financial assistance may be obligated to update their disclosures on Form ADV Part 2.
Investment Fraud. OCIE has observed that the risk of fraudulent offerings increases in times of crisis or uncertainty. Firms should keep these risks in mind when conducting due diligence on investments and when determining whether investments are in the best interest of investors.
OCIE reminds Firms or investors that if they suspect fraud, they should contact the SEC and report the potential fraud.
Business Continuity. Firms should consider their ability to continue to operate their critical business functions during emergency events. Due to the ongoing COVID19 pandemic, many Firms have shifted to predominantly operating from remote locations. These transitions may raise compliance issues and other risks that could impact protracted remote operations.
OCIE recommends Firms review their continuity plans, make any necessary changes to compliance policies and procedures, and provide appropriate disclosures to investors if their operations are materially impacted. OCIE highlights the following considerations:
- As noted above, Firms may need to revise their supervisory or compliance policies and procedures. Policies that are used under normal operating conditions may be insufficient to handle the unique risks and conflicts of interest that arise due to remote operations. For example, supervised persons may need to take on new or expanded roles for the Firm to maintain business operations, which may create new risks that are not typically present.
- Firms may need to modify their security and support for facilities and remote sites. Firms should consider potential issues, including whether they (1) need additional resources and/or measures for securing servers and systems; (2) maintain the integrity of vacated facilities; (3) provide relocation infrastructure and support for personnel operating from remote sites; and (4) protect remote location data. Critical investor services may be put at risk if relevant practices and approaches are not addressed in business continuity plans and/or if Firms do not have built-in redundancies for key operations and key person succession plans.
Protection of Sensitive Information. OCIE has observed many Firms requiring personnel to use videoconferencing and other electronic means to communicate while working remotely. These communication methods allow Firms to continue their operations, but also create issues such as the following:
- Potential loss of sensitive information, including investors' personally identifiable information. These risks are related to, among other things, (1) remote access to Firm networks and the use of web-based applications; (2) increased use of personal devices; and (3) changes in controls over physical records, such as printing sensitive documents at remote locations and the absence of personnel at Firms' office locations.
- Increased opportunities for fraudsters to use phishing and other means to improperly access systems and accounts by impersonating Firms' personnel, websites, and/or investors.
OCIE recommends that Firms remain vigilant to risks involving access to systems, protection of investor data, and cybersecurity. This is an area of ongoing focus for OCIE, which recently released a Risk Alert warning SEC registrants about the observed apparent increase in the sophistication of cybersecurity attacks on SEC registrants. In particular, OCIE recommends that Firms assess their policies and procedures and consider the following:
- Enhancements to identity protection practices. This may include reminding investors to contact Firms directly by telephone for any concerns about suspicious communications and Firms making personnel available to answer such investor inquiries.
- Providing Firm personnel with additional trainings and reminders, and otherwise spotlighting issues, related to (1) phishing and other targeted cyberattacks; (2) sharing information while using certain remote systems (g., unsecure web-based video chat); (3) encrypting documents and using password-protected systems; and (4) destroying physical records at remote locations.
- Conducting heightened reviews of personnel access rights and controls as such personnel take on new or expanded roles to maintain Firms' business operations.
- Using validated encryption technologies to protect communications and data stored on all devices, including personal devices. Ensuring that remote access servers are secured effectively and kept fully patched. Enhancing security surrounding system access, such as requiring the use of multifactor authentication.
- Addressing new or additional cyber-related issues related to third parties, which may also be operating remotely when accessing Firm systems.
OCIE recommends Firms remain informed about fraudulent activities that may affect investors' assets and to report observed fraud. The Risk Alert includes links to several resources to investigate and report fraud and resources regarding the SEC's response to COVID19 and related activities.
Firms should consider OCIE's guidance and assess their compliance policies and procedures accordingly. Firms should also document any steps taken to evaluate and address these concerns or other concerns related to the ongoing COVID19 pandemic.