Business Continuity and Transition Planning for Asset Managers

New York Washington, D.C. Los Angeles Palo Alto London Paris Frankfurt Tokyo Hong Kong Beijing Melbourne Sydney www.sullcrom.com July 7, 2016 Business Continuity and Transition Planning for Asset Managers SEC Proposes Rule for All Registered Investment Advisers; Staff Issues Guidance Update for Registered Investment Companies SUMMARY On June 28, 2016, the SEC proposed new Rule 206(4)-4 and amendments to Rule 204-2 under the Investment Advisers Act of 1940 that would require all SEC-registered investment advisers to formally adopt and implement business continuity and transition plans (or BCTPs). Under the proposed rule (the “BCTP Proposal”), BCTPs must be “reasonably designed to address operational and other risks related to a significant disruption in the investment adviser’s operations” and would include steps for dealing with cyberattacks, physical dislocations and the unexpected loss of critical service providers or key personnel, among other things. In principle—and as the proposing release itself frequently notes—the BCTP Proposal would not necessarily require a dramatic expansion in operational risk management practices, especially for large investment advisers with sophisticated clients whose due diligence already focuses on these practices. Even these advisers, however, will need to undertake a careful review of the requirements and expectations associated with the BCTP Proposal and the changes that could be needed at their firms. Furthermore, the BCTP Proposal requests comment on a number of questions, including whether BCTPs should be publicly disclosed, should require reporting of relevant incidents to the SEC or should be subject to stress-testing. Such provisions in a final rule could affect the character and practical significance of the BCTP. Comments on the BCTP Proposal are due by September 6, 2016. -2- Business Continuity and Transition Planning for Asset ManagersJuly 7, 2016 Also on June 28, the SEC’s Division of Investment Management provided a related guidance update on business continuity planning for registered investment companies (the “Guidance Update”), which is summarized below. BACKGROUND OF THE BCTP PROPOSAL Since 2003, SEC guidance has been that a registered investment adviser’s compliance program should include a business continuity plan (or BCP) “to the extent that [it is] relevant to that adviser.”1 Citing experience with the effects of Hurricane Sandy in 2012, however, the SEC concluded that “business continuity planning among investment advisers can be uneven” and “inconsistent,” in part because earlier guidance “did not . . . identify critical components of a BCP or discuss specific issues or areas that advisers should consider in developing such plans.”2 Intended to fill this perceived gap, the BCTP Proposal mixes elements of traditional regulation of investment advisers under the Advisers Act with a more modern outlook on prevention, mitigation and containment of potentially market-disrupting financial distress. In making the BCTP Proposal, the SEC relies on an expansive interpretation of the anti-fraud provisions of the Advisers Act—and even of precedents that have themselves expansively interpreted those provisions—to conclude that (i) “[a]s part of their fiduciary duty, advisers are obligated to take steps to protect client interests from being placed at risk as a result of the adviser’s inability to provide advisory services” and (ii) “it would be fraudulent and deceptive for an adviser to hold itself out as providing advisory services unless it has taken steps to protect clients’ interests from being placed at risk as a result of the adviser’s inability (whether temporary or permanent) to provide those services.”3 The primary harm at which the BCTP Proposal is aimed is “client harm,” rather than threats to financial stability per se.4 On the other hand, the timing of the BCTP Proposal—which has been on the SEC’s regulatory agenda in some form since at least 2014 and is one of several asset management-related initiatives currently underway—is not coincidental.5 Numbers of investment advisers and their assets under management have continued to grow, potentially amplifying any underlying problems with business continuity planning. In addition to weather events such as Hurricane Sandy, initial SEC examinations of many previously unregistered private fund advisers have now been completed providing additional data on industry practices.6 These developments have occurred during an active and ongoing debate about the systemic risks (if any) posed by the activities of investment advisers and fund complexes, and the circumstances (if any) under which they might generate or transmit financial distress.7 More recently, cybersecurity has become a watchword throughout the entire financial services industry.8 The influence of each of these factors is seen in the BCTP Proposal to some degree.9 The BCTP Proposal, if adopted, would be only one of several business continuity-related rules or initiatives applicable to different types of financial services companies, including investment advisers and -3- Business Continuity and Transition Planning for Asset ManagersJuly 7, 2016 affiliated broker-dealers or banking organizations.10 The potential interactions between these regulatory regimes are considered briefly in “Observations” below. DETAILS OF THE BCTP PROPOSAL The BCTP Proposal defines a business continuity and transition plan (BCTP) as “policies and procedures reasonably designed to address operational and other risks related to a significant disruption in the [adviser’s] operations.”11 A BCTP must include policies and procedures addressing “[b]usiness continuity after a significant business disruption”—including, among other things, “natural disasters, acts of terrorism, cyber-attacks, equipment or system failures, or unexpected loss of a service provider, facilities, or key personnel”—and “[b]usiness transition in the event the [adviser] is unable to continue providing investment advisory services to clients.”12 Although the BCTP Proposal and this memorandum generally refer to the BCTP as a single plan, the BCTP Proposal clarifies that the business continuity plan (BCP) elements and transition plan (TP) elements may be memorialized in separate documents.13 The BCTP Proposal would also introduce a requirement to review at least annually the adequacy of the BCTP and the effectiveness of its implementation, and to maintain associated records. The BCTP Proposal states repeatedly that the BCTP requirement is intended to be flexible: the BCTP “need only take into account the risks associated with [an adviser’s] particular operations, including the nature and complexity of the adviser’s business, its clients, and its key personnel.”14 BUSINESS CONTINUITY PLAN ELEMENTS The BCTP Proposal identifies four policies and procedures, with suggested sub-components, that an adviser must include in the BCP portion of its BCTP:15 1. maintenance of critical operations and systems and the protection, backup and recovery of data, including client records;16  identification and prioritization of critical functions, operations and systems;  consideration of alternatives and redundancies to help maintain the continuation of operations in the case of a significant business disruption;  identification of operations and systems used for portfolio securities transactions;  identification of third-party services that support critical functions and key personnel who either provide critical functions or support critical operations or systems;  addressing the hard copy and electronic backup of data, including an inventory of key documents; and  consideration of the operational and other risks related to cyberattacks, including an identification of the adviser’s compliance obligations under the federal securities laws and the relationship between those obligations and the adviser’s ability to prevent, detect and respond to potential cyberattacks. -4- Business Continuity and Transition Planning for Asset ManagersJuly 7, 2016 2. pre-arranged alternate physical location(s) of the adviser’s office(s) and/or employees;  attention to the geographic diversity of adviser offices and employees; and  consideration of the access that each location offers to systems, technology and resources in the event of a significant disruption. 3. communications with clients, employees, service providers and regulators; and  identification of the methods, systems, backup systems and protocols that will be used for communications;  contemplation of how employees are to be informed of a significant disruption;  consideration of how employees should communicate during such a disruption;  contemplation of how, in the event of a loss of personnel, contingency arrangements will be communicated; and  discussion of how and when clients are to be made aware of and updated about any significant business disruptions. 4. identification and assessment of third-party services critical to the operation of the adviser.  identification of those service providers upon which the adviser has a heavy day-to-day operational reliance or upon which the adviser relies to provide a direct service to clients or investors, especially those providing services related to portfolio management, the custody of client assets, trade execution and related processing, pricing, client servicing and/or recordkeeping and financial and regulatory reporting;  review of whether critical third-party service providers have internal or external backup processes; and  consideration of whether critical third-party service providers have their own BCPs in place. TRANSITION PLANS The TP portion of an adviser’s BCTP: (i) must “include a plan of transition that accounts for the possible winding down of the adviser’s business or the transition of the adviser’s business to others in the event the adviser is unable to continue providing advisory services”; (ii) “generally should account for transitions in both normal and stressed market conditions”; and (iii) “generally should consider each type of advisory client, the adviser’s contractual obligations to clients, counterparties, and service providers, and the relevant regulatory regimes under which the adviser operates.”17 -5- Business Continuity and Transition Planning for Asset ManagersJuly 7, 2016 The BCTP Proposal identifies five elements that an adviser must include in the TP portion of its BCTP: 1. policies and procedures intended to safeguard, transfer and/or distribute client assets during transition; 2. policies and procedures facilitating the prompt generation of any client-specific information necessary to transition each client account; 3. information regarding the corporate governance structure of the adviser; 4. the identification of any material financial resources available to the adviser;18 and 5. an assessment of the applicable law and contractual obligations governing the adviser and its client. The BCTP Proposal explicitly states that the TP is not intended to be a “living will” similar to what is required under the Dodd-Frank Act of certain large financial institutions.19 To the contrary, the BCTP Proposal states that “advisers routinely transition client accounts without a significant impact to themselves, their clients, or the financial markets” because of “the agency relationship of advisers” and qualified custodian requirements, but notes that additional “advance planning” in this area may nonetheless “benefit advisers and their clients.”20 DIVISION OF INVESTMENT MANAGEMENT GUIDANCE UPDATE The Guidance Update issued by the staff of the SEC’s Division of Investment Management “underscores the importance of mitigating operational risks related to significant business disruptions, particularly through proper business continuity planning for registered investment companies.”21 Similarly to the BCTP Proposal, the Guidance Update provides that “[b]ecause fund complexes vary in activities and operations, [the staff] believes that their policies, procedures, and plans generally should be tailored based on the nature and scope of their business.”22 The staff found that business continuity planning is typically conducted at the fund complex level, which includes funds, their primary adviser and other affiliated service providers to the funds, and called for “thorough and ongoing due diligence” of not only the fund complex, but also critical service providers23 and those critical service providers’ own BCPs. In the Guidance Update, the staff noted various practice trends from its discussions with fund complexes in relation to BCPs, including the following:  BCPs generally cover facilities, technology and related systems, employees, adviser and affiliate activities, and dependence on critical third-party service providers;  adoption and implementation of BCPs typically involves coordination and collaboration among a broad range of employees from key functional areas;  the Chief Compliance Officer (CCO) of the fund complex tends to participate in oversight of third-party service providers both initially upon engagement and on an ongoing basis, including review of the BCPs of critical third-party service providers; -6- Business Continuity and Transition Planning for Asset ManagersJuly 7, 2016  BCP presentations are usually provided to fund boards on an annual basis by the fund’s adviser and involve the CCO’s participation; some funds also conduct periodic BCP testing and share test results with the fund board; and  disruptive events impacting business continuity are normally monitored by the CCO and needed personnel and reported, when needed, to the fund board. The Guidance Update provides that, especially as it relates to critical service providers, a fund complex should consider the following in designing its BCP:  backup processes and contingency plans of critical service providers;  best methods to monitor (and communicate) whether critical service providers have experienced a disruptive event;  interrelationships of critical service providers’ BCPs with the fund complex’s BCP; and  hypothetical disruptive events and the impact such events could have on critical service providers and the fund. On the role of fund boards in the BCP process, the Guidance Update states that “to assist fund boards in providing appropriate oversight, boards generally should discuss with the fund’s adviser and other critical (affiliated and/or third-party) service providers the steps being taken to mitigate the risks associated with business disruptions and the robustness of their business continuity planning.”24 OBSERVATIONS For some advisers with robust business continuity planning, the BCTP Proposal could potentially require modest changes to existing practices. Clearly, however, that will not be the case for all, or even most, advisers. In addition, advisers may wish to consider the following open questions in, or developments that could result from, the BCTP Proposal:  Practical Effect of Ability to Tailor BCTPs. As noted above, the BCTP Proposal states that a BCTP “need only take into account the risks associated with [an adviser’s] particular operations, including the nature and complexity of the adviser’s business, its clients, and its key personnel.”25 This indication of flexibility, and the absence of more prescriptive guidance, are likely to be welcome in concept. Because most advisers will have some level of most of the risks mentioned in the BCTP Proposal, the BCTP should presumably focus on material risks. Judgments of materiality can be susceptible to second-guessing by regulators or others, however, especially with the benefit of hindsight. Furthermore, although the BCTP Proposal frequently seems to imply that business continuity planning is typically most critical for actively managed investment strategies that offer frequent pricing and redemptions, it is unclear whether this is the SEC’s intended message or, for that matter, how a manager should factor the liquidity, pricing, redemption rights or other terms of its products into the designing and drafting of its own BCTP.  Possibility of Safe Harbor. The BCTP Proposal notes that, whether or not a final rule retains the degree of flexibility suggested in the BCTP Proposal, the SEC could specify certain “safe harbor” provisions for one or more elements of the BCTP.26 Such safe harbor provisions may be appealing, but could also be difficult to craft given the wide variety of advisers and their business structures and investment strategies. Commenters who wish to advocate for safe harbor provisions might nonetheless emphasize the need for any such provisions not to become de facto requirements in examinations or other settings. -7- Business Continuity and Transition Planning for Asset ManagersJuly 7, 2016  Diligence of Service Providers. Diligence of service providers may be expected to increase as a result of a BCTP requirement. While such diligence is already common and often extensive, it may not always proceed as systematically as the BCTP Proposal appears to contemplate (that is, evaluating the BCP of a provider, then making a judgment whether to identify and diligence backup providers based on the perceived soundness of the primary provider’s BCP).  Diligence by Investors. Diligence by investors may be likely to increase in many circumstances as a result of a BCTP requirement; the common knowledge that each adviser must have a BCTP may make business continuity and transition planning even more likely to be included in investor diligence of advisers.  Relationship to Succession Planning. “Transition plan” is sometimes used interchangeably with “succession plan,” that is, the plan for transferring control or leadership within a firm that will continue as a going concern. As information relating to succession planning tends to be treated as highly confidential within a firm, advisers may be interested in how to construe the statement in the BCTP Proposal that “an adviser’s business continuity and transition plan generally should include short-term arrangements, such as which specific individuals would satisfy the role(s) of key personnel when unavailable, and long-term arrangements regarding succession planning and how an adviser will replace key personnel.”27 It would represent a significant break from past practice if advisers were to be required to share senior-level succession-planning information throughout their compliance departments or with the SEC, and such a requirement will likely be resisted by commenters during the comment process.  Coordination with Affiliated Broker-Dealers or Banking Organizations. The BCTP is intended to include an assessment of “whether and how issues at an affiliate may affect the advisory entity.”28 Taking an expansive view of this issue, the BCTP Proposal further explains that “[a]n advisory entity may be adversely affected by an affiliate’s distress if, for example, the adviser and distressed affiliate share systems, personnel, sources of financing, or similar names.”29 Affiliates that are large banking organizations, in particular, may themselves be subject to various recovery or resolution-planning regimes that may involve operations of, or contingency plans for, material advisory affiliates. Thus, while the BCTP is not a “living will,” a BCTP within a banking organization will need to be designed and documented in a manner that is consistent with the banking organization’s broader regulatory framework.  Open Questions on SEC or Public Reporting. As noted above, the BCTP Proposal requests comment on a number of questions, including whether BCTPs should be publicly disclosed or should require filing with, or reporting of relevant incidents to, the SEC. Certain passages of the BCTP Proposal appear to reflect a disinclination to require public disclosure of BCTPs, noting that “such information could be considered proprietary by some advisers and the public disclosure of [BCTPs] may make advisers more vulnerable to attacks from third parties, such as cybersecurity attacks.”30 We expect that view to be endorsed by advisers during the comment process. There is less said about the prospect of incident reporting to the SEC. If advisers were required to report “incidents,” however, it could have a fundamental effect on the design and drafting of BCTPs (and would also presumably depend on the SEC’s providing further guidance on what is an “incident” and how an incident would be reported). This point is also likely to be a subject of comment.  Role of Disclosure. As noted above, one articulated legal basis for the BCTP Proposal is that it would be deceptive for an adviser not to have a BCTP. It is not clear to what extent this theory should hold in the case of, for example, a private fund or account sold only to highly sophisticated investors who have previously received comprehensive disclosure about the operational risks faced by the adviser and the potential consequences of those risks. The other articulated legal basis for the BCTP Proposal is that having a BCTP is required by an adviser’s fiduciary duty. Whether or not this is a correct statement of the law, the extent to which an investor has effectively provided informed consent to the level, and therefore cost, of the adviser’s business continuity and transition protections -8- Business Continuity and Transition Planning for Asset ManagersJuly 7, 2016 would seem to be important. This is a point not expressly considered in the BCTP Proposal that could receive elaboration through the comment process and in any resulting final rule.  Registered Funds and Boards. Sponsors of registered funds should review their BCPs and practices, including those relating to critical service providers, in light of the Guidance Update, and consider whether changes may be appropriate. Fund boards may wish to: (i) take account of the statement in the Guidance Update concerning discussions with critical service providers that the SEC staff believe boards “generally” should have to assist them “in providing appropriate oversight”; and (ii) ensure that the minutes of their meetings document that such discussions have taken place.31 * * * Copyright © Sullivan & Cromwell LLP 2016 -9- Business Continuity and Transition Planning for Asset ManagersJuly 7, 2016 ENDNOTES 1 See SEC Investment Management Guidance Update: No. 2016-04, SEC (June 2016), at 9-10 (“Guidance Update”). 2 See Adviser Business Continuity and Transition Plans, Investment Advisers Act Release No. IA- 4439 (June 28, 2016), 81 FR 43530, 43534 (July 5, 2016), available here (the “Proposing Release”). 3 Id. at 43532. 4 Id. at 43537. 5 See Speech of Chair Mary Jo White, Enhancing Risk Monitoring and Regulatory Safeguards for the Asset Management Industry, SEC (December 11, 2014), https://www.sec.gov/News/Speech/Detail/Speech/1370543677722; see also Use of Derivatives by Registered Investment Companies and Business Development Companies, Securities Act Release No. IC-31933, SEC (December 11, 2015), http://www.sec.gov/rules/proposed/2015/ic- 31933.pdf; see also Use of Derivatives by Registered Investment Companies and Business Development Companies, SULLIVAN & CROMWELL LLP (December 18, 2015), https://www.sullcrom.com/siteFiles/Publications/SC_Publication_Use_of_Derivatives_by_Register ed_Investment_Companies.pdf. 6 The SEC also indicated that the BCTP Proposal has been informed by business continuity planning requirements for “other financial services firms” with “similar vulnerabilities as investment advisers.” See Proposing Release at 43537, footnote 62. 7 See Notice Seeking Comment on Asset Management Products and Activities No. FSOC-2014- 0001 (Dec. 24, 2014), 79 FR 77488 (Dec. 24, 2014), available here. 8 See Speech of Chair Mary Jo White, The Fund Director in 2016: Keynote Address at the Mutual Fund Directors Forum 2016 Policy Conference, SEC (March 29, 2016) (“In our ever connected, ever more digitized world, cybersecurity is an area of the utmost importance and it is the shared responsibility of all regulators and market participants to safeguard the broader financial system, as well as particular funds, firms and other components of our market infrastructure.”). 9 See Proposing Release at 43536; see also id. at 43539. 10 North American Securities Administrators Association approved Model Rule 203(a)-1A addressing BCPs in 2015 and released interpretive guidance through a series of broad questions and instructions (see, for example, “[c]onsider these items and whether there will be a different plan of action for each item depending on whether the interruption if short-term or long-term: . . . communications with regulators, clients and employees”), http://www.nasaa.org/wpcontent/uploads/2011/07/NASAA-Model-Rule-on-Business-Continuity-and-Succession-Planningwith-gu....pdf. The SEC’s Proposing and Adopting Release for Regulation Systems Compliance and Integrity (“Reg. SCI”) provides guidance and commentary on the additional explicit requirements of BCPs unique to Reg. SCI, such as the requirement that a BCP must be “reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems;” https://www.sec.gov/rules/final/2014/34-73639.pdf. The CFTC’s Rule 603(a) and FINRA’s Rule 4370 also impose similar requirements for business continuity planning. The BCTP Proposal indicated that “investment advisers that are also registered as broker-dealers” must satisfy FINRA’s rule in addition to the BCTP Proposal. See Proposing Release at 43533. 11 See Proposing Release at 43556. 12 Id. at 43537. 13 Id. at 43536. -10- Business Continuity and Transition Planning for Asset ManagersJuly 7, 2016 ENDNOTES (CONTINUED) 14 Id. at 43538. 15 The SEC also identified certain provisions of disaster recovery plans it found effective in minimizing downtime following a significant disruptive event, such as a natural disaster, that include: “(i) a pre-arranged remote location for short-term and possible long-term use; (ii) alternate communication protocols to contact staff and clients; (iii) remote access to business records and client data through appropriately secured means; (iv) temporary lodging for key staff where necessary and effective training of staff on how to fulfill essential duties in the event of a disaster; (v) maintaining accurate and up-to-date contact information for all third-party service providers and familiarity with the BCPs of those providers; (vi) contingency arrangements for loss of key personnel; (vii) periodic testing, evaluation and revision of the plan; and (viii) maintaining sufficient insurance and financial liquidity to prevent any interruption of the performance of compliant advisory services.” Id. at 43537. 16 Advisers should consider whether operations and systems are utilized “for prompt and accurate processing of portfolio securities transactions on behalf of clients, including the management, trading, allocation, clearance and settlement of such transactions” as well as whether operations and systems are “critical to the valuation and maintenance of client accounts, access to client accounts, and the delivery of funds and securities” in determining whether such operations and systems are “critical.” Id. at 43538. 17 Id. at 43541-43542. 18 In assessing the “material financial resources available,” the BCTP Proposal indicates that advisers could satisfy this requirement by identifying material sources of capital or liquidity that could be drawn upon in times of stress or by analyzing the effect of any needed reduction of expenses. Id. at 43543. 19 Id. at 43535, footnote 40. 20 Id. at 43535. 21 See Guidance Update at 1. 22 Id. at 3. 23 The Guidance Update indicated that critical service providers include, but are not limited to, named service providers under Rule 38a-1 under the Investment Company Act of 1940 (obligating funds to adopt and implement written compliance policies and procedures), which include advisers, principal underwriters, administrators and transfer agents, and custodians and pricing agents. Id. at 4. 24 Id. at 6. 25 See Proposing Release at 43538. 26 Id. at 43543. 27 Id. at 43539 (emphasis added). 28 Id. at 43542. 29 Id. 30 Id. at 43550. 31 See Guidance Update at 6. -11- Business Continuity and Transition Planning for Asset Managers July 7, 2016 SC1:4163889.2H ABOUT SULLIVAN & CROMWELL LLP Sullivan & Cromwell LLP is a global law firm that advises on major domestic and cross-border M&A, finance, corporate and real estate transactions, significant litigation and corporate investigations, and complex restructuring, regulatory, tax and estate planning matters. Founded in 1879, Sullivan & Cromwell LLP has more than 800 lawyers on four continents, with four offices in the United States, including its headquarters in New York, three offices in Europe, two in Australia and three in Asia. CONTACTING SULLIVAN & CROMWELL LLP This publication is provided by Sullivan & Cromwell LLP as a service to clients and colleagues. The information contained in this publication should not be construed as legal advice. Questions regarding the matters discussed in this publication may be directed to any of our lawyers listed below, or to any other Sullivan & Cromwell LLP lawyer with whom you have consulted in the past on similar matters. If you have not received this publication directly from us, you may obtain a copy of any past or future related publications from Stefanie S. Trilling (+1-212-558-4752; [email protected]) in our New York office. CONTACTS New York John E. Baumgardner Jr. +1-212-558-3866 [email protected] Whitney A. Chatterjee +1-212-558-4883 [email protected] Donald R. Crawshaw +1-212-558-4016 [email protected] William G. Farrar +1-212-558-4940 [email protected] David J. Gilberg +1-212-558-4680 [email protected] Joseph A. Hearn +1-212-558-4457 [email protected] Frederick Wertheim +1-212-558-4974 [email protected] Washington, D.C. Eric J. Kadel, Jr. +1-202-956-7640 [email protected] Paul J. McElroy +1-202-956-7550 [email protected]