SEC Proposes New Rule Requiring Investment Advisers to Adopt Business Continuity and Transition Plans

CLIENT PUBLICATION INVESTMENT FUNDS | July 7, 2016 SEC Proposes New Rule Requiring Investment Advisers to Adopt Business Continuity and Transition Plans and Issues Guidance on Business Continuity Plans for Registered Investment Companies A rule proposed by the US Securities and Exchange Commission under the Investment Advisers Act of 1940 would require SEC-registered investment advisers to adopt and implement written business continuity and transition plans and review them at least annually.1 While nearly all firms already maintain business continuity plans, the proposal suggests baseline requirements that the SEC would expect for such plans. And the proposal’s requirement that the plans address “transition”—meaning sale or dissolution—of the investment adviser’s business is entirely new. In a companion release, the SEC also issued guidance to registered investment companies regarding components of their business continuity plans.2 Public comments on the proposal are due with the agency 60 days from the proposal’s publication in the Federal Register. The Investment Company Act guidance is not a rule, so is effective automatically. Background The SEC believes that, as part of an investment adviser’s fiduciary duty owed to its clients, the firm is obligated to take steps to protect client interests from being placed at risk as a result of the adviser’s inability to provide advisory services. This was articulated previously in connection with the agency’s adoption of its general compliance rules for investment advisers in 2003 (Rule 206(4)-7 for registered investment advisers and Rule 38a-1 under the Investment Company Act of 1940 for registered investment companies). The agency also emphasized the importance of business continuity plans (BCPs) following the September 11, 2001 terrorist attacks, Hurricanes Katrina and Sandy and as part of its recent cyber examinations. The current rulemaking, however, is more than a roundup of 15 years of BCP learning. It also has to be understood in context. SEC Chair Mary Jo White is on a mission to complete the ambitious rulemaking agenda she outlined in December 2014, in which she promised enhanced data reporting by asset managers, liquidity and derivatives rules 3 for registered investment companies and asset manager transition planning and stress testing. With the current 1 The SEC Proposing Release is available at https://www.sec.gov/rules/proposed/2016/ia-4439.pdf 2 The BCP Guidance is available at http://www.sec.gov/investment/im-guidance-2016-04.pdf 3 Chair White’s December 2014 speech is available at https://www.sec.gov/News/Speech/Detail/Speech/1370543677722 2 rulemaking ticking off transition planning, and four previous proposals put out between May 2015 and June 20164 , only a stress testing proposal remains outstanding. Also, hanging over all of this is the ongoing interplay between the SEC and the banking regulators. Transition planning reflects a common playbook and clearly owes its genesis to the “living wills” required of banks in the post Dodd-Frank era. Proposed Requirements The proposed rule would require SEC-registered investment advisers to adopt and implement written policies and procedures designed to address operational and other risks related to a significant disruption in the adviser’s operations. The plan would be required to include:  Business continuity after a significant business disruption such as a natural disaster, act of terrorism, cyberattack, equipment or system failure, or unexpected loss of a service provider, facilities or key personnel; and  Business transition in the event the investment adviser is unable to continue providing investment advisory services to clients as a result of its exit from the market, including when it merges with another adviser, sells its business or dissolves. Acknowledging the differences of business models among advisers, the SEC notes that plans should be tailored to the specific risks an adviser’s business faces and that size and complexity of firms will drive different outcomes. But the rule proposal includes a laundry list of components that the SEC expects to see, among them: Maintenance of Critical Operations and Systems, and the Protection, Backup and Recovery of Data, Including Client Records.  Advisers should identify and prioritize critical functions, operations and systems that are utilized for prompt and accurate processing of portfolio securities transactions on behalf of clients, including the management, trading, allocation, clearance and settlement of transactions, and those that are critical to the valuation and maintenance of client accounts, access to client accounts and the delivery of funds and securities. This typically will include identification and assessment of third-party service providers that may support some of these functions. 4 See the following Client Publications for further information on those proposals: SEC Issues Proposed Investment Company Reporting Rules (May 2015) http://www.shearman.com/~/media/Files/NewsInsights/Publications/2015/05/SEC-Issues-Proposed-Investment-Company-Reporting-Rules-IF- 052915.pdf SEC Issues Proposed Investment Adviser Reporting and Disclosure (May 2015) http://www.shearman.com/~/media/Files/NewsInsights/Publications/2015/05/SEC-Issues-Proposed-Investment-Adviser-Reporting-and-DisclosureRules-IF052915.pdf Significant SEC Rulemaking to Address Liquidity of Mutual Fund Portfolios (October 2015) http://www.shearman.com/~/media/Files/NewsInsights/Publications/2015/10/Significant-SEC-Rulemaking-to-Address-Liquidity-of-Mutual-FundPortfolios-IF-100215.pdf SEC Proposes New Derivatives Rules for Registered Funds (January 2016) http://www.shearman.com/~/media/Files/NewsInsights/Publications/2016/01/SEC-Proposes-New-Derivatives-Rules-for-Registered-Funds-andBDCs-AM-011116.pdf 3  Advisers should identify key personnel and create contingency plans for temporary or permanent loss of personnel.  With respect to data protection, backup and recovery, a business continuity and transition plan generally should address both hard copy and electronic backup and recognize that significant business disruptions may prevent access to either kind of data.  Advisers should keep an inventory of key documents (e.g., organizational documents, contracts, policies and procedures), including the location and description of the item, and a list of the adviser’s service provider relationships necessary to maintaining functional operations.  Advisers should consider and address relevant operational and other risks related to cyber-attacks. Pre-arranged Alternate Physical Location(s) of the Adviser’s Office(s) and/or Employees. The proposed rule would require advisers to consider the geographic diversity of their offices or remote sites and employees, as well as access to the systems, technology and resources necessary to continue operations at different locations in the event of a disruption. To the extent an adviser recognizes that a significant business disruption could limit access to its primary or only office, the SEC release indicates that the adviser needs to consider a satellite office or plan for a remote site in another location. Communications with Clients, Employees, Service Providers and Regulators. An adviser’s communication plan generally should cover, among other things, the following items:  the methods, systems, backup systems and protocols that will be used for communications;  how clients, employees, service providers and regulators will be informed of a significant business disruption;  how employees should communicate during a disruption;  how the adviser will be notified of a significant business disruption at a service provider;  contingency arrangements for communicating who would be responsible for taking on other responsibilities in the event of loss of key personnel; and  how clients will be made aware of and updated about a significant business disruption that materially impacts ongoing client services (e.g., periodic updates to websites and customer service lines) and, when applicable, how clients will be contacted and advised if account access is impacted during such a disruption. Identification and assessment of third-party services critical to the operation of the adviser. An adviser’s business continuity and transition plan should identify:  critical functions and services provided by the adviser to clients; and  third-party vendors supporting or conducting critical functions or services for the adviser and/or on the adviser’s behalf. 4 Critical service providers generally include those providing services related to portfolio management, the custody of client assets, trade execution and related processing, pricing, client servicing and/or recordkeeping and financial and regulatory reporting. Once an adviser identifies its critical service providers, it should review and assess how these service providers plan to maintain business continuity when faced with significant business disruptions, and consider how this planning will affect the adviser’s operations. Plan of Transition that Accounts for the Possible Winding Down of the Adviser’s Business or the Transition of the Adviser’s Business to others in the Event the Adviser is Unable to Continue Providing Advisory Services. Under the proposed rule, the transition components of a business continuity and transition plan would include:  policies and procedures intended to safeguard, transfer and/or distribute client assets during transition;  policies and procedures facilitating the prompt generation of any client-specific information necessary to transition each client account;  information regarding the corporate governance structure of the adviser;  the identification of any material financial resources available to the adviser; and  an assessment of the applicable law and contractual obligations governing the adviser and its clients, including pooled investment vehicles, implicated by the adviser’s transition. Recordkeeping The proposed amendments would require SEC-registered advisers to maintain copies of all written business continuity and transition plans that are in effect or were in effect at any time during the last five years after the compliance date. The proposed rule also would require that advisers keep any records documenting their annual review. SEC Guidance Update Regarding Business Continuity Planning for Registered Investment Companies In addition to the proposed rule, the SEC’s Division of Investment Management released a guidance update on business continuity planning for registered investment companies. The guidance stresses that the BCP should be tailored to meet the specific nature and scope of each individual fund, and that a “one-size fits all” plan would not meet the SEC standard of appropriate planning. The guidance provides examples of what the SEC determines to be notable industry practices, including:  Identification and coverage of the facilities, technology/systems, employees and activities conducted by the adviser and any affiliated entities, as well as dependencies on critical services provided by other third-party service providers.  Including a broad cross-section of employees from key functional areas of the Fund complex to assist in efforts to ensure continuity and resiliency when disrupting events occur. This broad cross-section of employees generally 5 include senior management (including officers of the fund), technology, information security, operations, human resources, communications, legal, compliance and risk management.  Oversight of the fund complex’s third-party service providers as conducted by key personnel, typically including the fund’s chief compliance officer (CCO) and/or the CCO of other entities in the fund complex. This oversight can include service provider presentations, on-site visits, questionnaires, certifications, independent control reports and summaries of programs and testing, where appropriate, including with respect to BCPs.  Annual presentations of BCPs by investment advisers and other critical service providers, with CCO participation, to the fund’s board of directors. These presentations may be provided separately, as part of periodic presentations related to contractual arrangements (including as part of the annual section 15(c) process), or as part of the CCO’s annual update to the board.  Annual testing of the BCPs, with the results being shared in updates to fund boards.  Monitoring of business continuity outages, including those incurred by the fund complex or a critical third-party service provider, by the CCO and other pertinent staff and reporting them to the fund board as warranted. Considerations Regarding Critical Service Providers. The guidance provides that the fund’s BCP should not only consider the fund’s primary investment adviser but also any third-party service providers to which the fund may outsource critical functions (including those named under rule 38a-1—each investment adviser, principal underwriter, administrator and transfer agent—as well as each custodian and pricing agent). A comprehensive plan would include thorough initial and ongoing due diligence of those third parties, including diligence of the service providers’ business continuity and disaster recovery plans. The SEC believes that funds should consider how they can best monitor whether a critical service provider has experienced a significant disruption (such as a cyber-security breach or other continuity event) that could impair the service provider’s ability to provide uninterrupted services, the potential impacts such events may have on fund operations and investors and the communication protocols and steps that may be necessary for the fund complex to successfully navigate such events. The guidance suggests these protocols might include implementing comprehensive communication plans within the fund complex (involving senior management, legal, compliance, risk management, technology, information security, operations, human resources, communications staff and the fund board of directors) and with its critical service providers, and providing timely communications that report progress and next steps, such as posting updates to websites or portals to facilitate accessibility and broad dissemination of information. 6 To assist fund boards in providing appropriate oversight, the SEC believes that fund boards should discuss with the fund’s adviser and other critical service providers the steps they have taken to mitigate the risks associated with business disruptions and the robustness of their business continuity planning, including how the fund’s own BCP addresses the risk that a critical third-party service provider could suffer a business disruption. CONTACTS Azam H. Aziz New York +1.212.848.8154 [email protected] Donna M. Parisi New York +1.212.848.7367 [email protected] Geoffrey B. Goldman New York +1.212.848.4867 [email protected] John Adams London +44.20.7655.5740 [email protected] John W. Finley III New York +1.212.848.4346 [email protected] Laura S. Friedrich New York +1.212.848.7411 [email protected] Lorna Xin Chen Hong Kong +852.2978.8001 [email protected] Nathan J. Greene New York +1.212.848.4668 [email protected] Paul S. Schreiber New York +1.212.848.8920 [email protected] John D. Reiss New York +1.212.848.7669 [email protected] Patrick D. Sweeney New York +1.212.848.4411 [email protected] Thomas M. Majewski New York +1.212.848.7182 [email protected] ABU DHABI | BEIJING | BRUSSELS | DUBAI | FRANKFURT | HONG KONG | LONDON | MENLO PARK | MILAN | NEW YORK PARIS | ROME | SAN FRANCISCO | SÃO PAULO | SAUDI ARABIA* | SHANGHAI | SINGAPORE | TOKYO | TORONTO | WASHINGTON, DC This memorandum is intended only as a general discussion of these issues. It should not be regarded as legal advice. We would be pleased to provide additional details or advice about specific situations if desired. 599 LEXINGTON AVENUE | NEW YORK | NY | 10022-6069 Copyright © 2016 Shearman & Sterling LLP. Shearman & Sterling LLP is a limited liability partnership organized under the laws of the State of Delaware, with an affiliated limited liability partnership organized for the practice of law in the United Kingdom and Italy and an affiliated partnership organized for the practice of law in Hong Kong. *Dr. Sultan Almasoud & Partners in association with Shearman & Sterling LLP