On June 28, 2016, the Securities and Exchange Commission (“SEC”) proposed new rule 206(4)-4 under the Investment Advisers Act of 1940 (“Advisers Act”) that would require SEC-registered investment advisers to adopt and implement written business continuity and transition plans, and to review them at least annually.1 The SEC also proposed to amend its recordkeeping rule to require SEC-registered investment advisers to make and keep copies of all business continuity and transition plans that are currently in effect or were in effect at any time within the past five years, as well as any records documenting their annual review of the business continuity and transition plans. In addition, the SEC staff issued related guidance addressing business continuity planning for registered investment companies, including the oversight of the operational capabilities of key fund service providers.2
In the proposing release, the SEC recognized that many investment advisers may already have business continuity plans in place as part of their compliance policies and procedures.3 However, the SEC also noted that it has been the staff’s experience that the robustness of the business continuity plans is inconsistent across investment advisers.
In proposing the new rule, the SEC stated that investment advisers are fiduciaries who owe their clients a duty of care and a duty of loyalty. As part of their fiduciary duty, investment advisers are obligated to take steps to protect client interests from being placed at risk as a result of an adviser’s inability to provide advisory services. The SEC believes it would be fraudulent and deceptive for an adviser to hold itself out as providing advisory services unless it has taken steps to protect clients’ interests from being placed at risk as a result of the adviser’s inability (whether temporary or permanent) to provide those services.
Proposed rule 206(4)-4 would require SEC-registered investment advisers to adopt and implement policies and procedures concerning:
- Business continuity after a significant business disruption (e.g., natural disasters, acts of terrorism, cyber-attacks, equipment or system failures, or unexpected loss of a service provider, facilities, or key personnel); and
- Business transition in the event the investment adviser is unable to continue providing investment advisory services to clients (e.g., where the adviser exits the market and thus is no longer able to serve its clients, including when it merges with another adviser, sells its business or a portion thereof, or in unusual situations, enters bankruptcy proceedings).
Under the proposed rule, the content of an adviser’s business continuity and transition plan would be based upon risks associated with the adviser’s operations. Recognizing that business models and operations vary significantly among advisers, and that the complexity and risks associated with such diverse business models and operations could be substantially different, the SEC noted that the proposed rule is designed to give advisers the flexibility to create business continuity and transition plans that accommodate such differences. Nevertheless, in proposing the new rule, the SEC said that every business continuity and transition plan must generally address operational and other risks related to a significant disruption in the adviser’s operations, and must address certain key components of the plan and prepare for such disruptions. Under the proposed rule, an adviser’s business continuity and transition plan would include policies and procedures designed to minimize material service disruptions, including those that address the following key components:
- Maintenance of critical operations and systems, and the protection, backup, and recovery of data. Advisers should generally consider critical operations and systems that are utilized for the prompt and accurate processing of portfolio securities transactions (including the management, trading, allocation, clearance, and settlement of such transactions), and those that are critical to the valuation and maintenance of client accounts, access to client accounts, and delivery of funds and securities. Advisers should also identify key personnel and make arrangements for temporary or permanent loss of such personnel. Data protection, backup, and recovery should address both hard copy and electronic backup, as appropriate. Advisers should have an inventory of key documents (e.g., organization documents, contracts, policies and procedures), including the location and description of the item, and a list of the service provider relationships that are necessary to maintaining functional operations.
- Pre-arranged alternate physical location(s) of the adviser’s office(s) and/or employees. Advisers should consider the geographic diversity of their offices or remote sites and employees, as well as access to the systems, technology, and resources necessary to continue operations at different locations in the event of a disruption.
- Communications with clients, employees, service providers, and regulators. An adviser’s communication plan should generally cover, among other things, the methods, systems, backup systems, and protocols that will be used for communications, how clients, employees, service providers, and regulators will be informed of a significant business disruption, how employees should communicate during a disruption, how the adviser will be notified of a significant business disruption at a service provider, and contingency arrangements for communicating who would be responsible for taking on other responsibilities in the event of loss of key personnel.
- Identification and assessment of third-party services critical to the operation of the adviser. An adviser’s business continuity and transition plan should identify critical functions and services provided by the adviser to clients, and third-party vendors supporting or conducting critical functions or services for the adviser and/or on the adviser’s behalf. Critical service providers would generally include those providing services related to portfolio management, the custody of client assets, trade execution and related processing, pricing, client servicing and/or recordkeeping, and financial and regulatory reporting. Once an adviser identifies its critical service providers, it should review and assess how these service providers plan to maintain business continuity when faced with significant business disruptions, and consider how this planning will affect the adviser’s operations.
- Plan of transition that accounts for the possible winding down of the adviser’s business or the transition of the adviser’s business to others in the event the adviser is unable to continue providing advisory services. Under the proposed rule, the transition components of a business continuity and transition plan would have to include (i) policies and procedures intended to safeguard, transfer and/or distribute client assets during transition; (ii) policies and procedures facilitating the prompt generation of any client-specific information necessary to transition each client account; (iii) information regarding the corporate governance structure of the adviser; (iv) the identification of any material financial resources available to the adviser; and (v) an assessment of the applicable law and contractual obligations governing the adviser and its clients, including pooled investment vehicles, implicated by the adviser’s transition.
The SEC’s proposing release seeks public comment on the new rule; comments will be due 60 days after the proposal is published in the Federal Register.