The Office of Compliance Inspections and Examinations (the “OCIE”) of the U.S. Securities and Exchange Commission (the “SEC”) published a risk alert on Aug. 12 titled Select COVID-19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisers (the “risk alert”), which identified certain areas of risk related to the impact of COVID-19 on SEC-registered investment advisers and broker-dealers (collectively, “firms”) and the OCIE’s observations and recommendations thereto. These areas of risk—and the OCIE’s related observations and recommendations—were devised in conjunction with the OCIE’s continued consultation with SEC registrants and other regulators regarding the impact of COVID-19 on the investment industry.
The risk alert presents the OCIE’s observations and recommendations related to these areas of risk in six broad categories: (i) protection of investors’ assets; (ii) supervision of personnel; (iii) practices relating to fees, expenses, and financial transactions; (iv) investment fraud; (v) business continuity; and (vi) the protection of investor and other sensitive information.
Protection of Investors’ Assets
The risk alert addresses the new challenges a firm may face in fulfilling its obligations to ensure the safety of its investors’ assets given the ongoing impact of COVID-19 on operations. Specifically, the OCIE noted that firms should review their policies and procedures regarding (i) the collection and processing of investor checks and transfer requests and (ii) disbursements to investors.
With remote work arrangements becoming the new norm for many firms, there is an increased likelihood that investor checks and transfer requests that are sent to a firm via physical mail are not being collected and processed on a daily basis. In response, the OCIE encouraged firms to review their practices and to make appropriate adjustments to address such scenarios. Additionally, should adjustments be made, the OCIE recommended that firms update their supervisory and compliance policies and procedures to reflect such adjustments and to consider disclosing to investors that checks or assets sent to the firm via physical mail may experience delays in collection and processing due to the aforementioned changes to office operations, especially in light of a firm’s obligation to promptly transmit investor checks under the Investment Advisers Act of 1940 (the “Advisers Act”) and the Securities Exchange Act of 1934 (the “Exchange Act”).
In addition to policies and procedures related to investor checks and transfer requests, the OCIE encouraged firms to review policies and procedures related to disbursements to investors, especially given the increased likelihood of unusual or unscheduled withdrawals from accounts due to the economic impacts of COVID-19. In particular, the OCIE recommended that firms consider: (i) implementing additional safeguards to validate the identity of an investor and the authenticity of any disbursement instructions received and (ii) recommending that investors have a trusted contact in place, especially in the case of seniors or other vulnerable investors.
Supervision of Personnel
The risk alert should serve as a reminder to firms of their obligation to supervise personnel and that a firm’s supervisory and compliance program should include policies and procedures that are applicable to the firm’s particular business activities and operations, which policies and procedures should be updated as necessary to reflect the firm’s then-current business activities and operations. COVID-19 has had a tremendous impact on many firms’ business activities and operations, especially in connection with the transition to remote-work environments. Firms should review and amend their supervisory and compliance programs in response to this impact. Specifically, the OCIE recommended that firms amend their supervisory and compliance programs to address: (i) the decrease in the level of oversight of and interaction with supervised personnel that supervisors face due to remote-work environments; (ii) supervised personnel recommending investments in market sectors that have experienced greater volatility or may have heightened risks for fraud; (iii) greater constraints on performing on-site due diligence reviews and other resource constraints in connection with reviewing third-party managers, investments, and portfolio holding companies; (iv) communications or transactions occurring outside of a firm’s network due to the use of personally-owned devices and remote-work environments; (v) general oversight of trading, including reviews of affiliated, cross, and aberrational trading, in remote-work environments; and (vi) the inability to perform the usual level of diligence during background checks of new personnel, such as requiring personnel to take requisite examinations, obtaining fingerprint information, and completing the requisite Form U4 verifications. 
Additionally, the OCIE noted that increased market volatility caused by COVID-19—and the resulting increase in the propensity for fraudulent activity—presents additional challenges that should be addressed in connection with a firm’s review of its supervisory and compliance programs.
Practices Relating to Fees, Expenses, and Financial Transactions
In an effort to remind firms of their obligations related to considering the costs of services and investment products and the related compensation received by firms and their personnel and informing investors thereof, the risk alert highlights areas that may have increased potential for misconduct due to the increased market volatility caused by COVID-19 and the financial pressures faced by firms and their personnel. These areas include (i) financial conflicts of interest and (ii) fees and expenses charged to investors. Specifically, with regard to financial conflicts of interest, the OCIE noted the heightened potential for misconduct related to the following: (i) recommending retirement plan rollovers to individual retirement accounts, workplace plan distributions, and retirement account transfers into advised accounts or investment products that the firms or their personnel are soliciting; (ii) borrowing or taking loans from investors and clients; and (iii) making recommendations that result in higher costs to investors and that generate higher amounts of compensation for supervised persons. With regard to fees and expenses charged to investors, the OCIE noted the heightened potential for misconduct related to the following: (i) advisory fee calculation errors, including those resulting in over-billing; (ii) inaccurate calculations of tiered fees; and (iii) failures to refund prepaid fees for terminated accounts.
The OCIE recommended that firms review their fees and expense policies and procedures to address the above potential for misconduct by: (i) validating the accuracy of their disclosures, fee and expense calculations, and the investment valuations used; (ii) identifying transactions that resulted in high fees and expenses to investors, monitoring for such trends, and evaluating whether these transactions were in the best interest of investors; and (iii) evaluating the risks associated with borrowing or taking loans from investors, clients, and other parties that create conflicts of interest.
Investment Fraud
The risk alert notes that times of crisis or uncertainty can create a heightened risk of investment fraud through fraudulent offerings; the COVID-19 pandemic is no different. The OCIE encouraged firms to be aware of such risks when conducting due diligence on investments and in determining if investments are in the best interest of investors. The OCIE reminded firms that any suspected fraud should be reported to the SEC.
Business Continuity
The risk alert notes that certain firms have an obligation to adopt and implement compliance policies and procedures reasonably designed to prevent violation of the federal securities laws. Part of this process should include giving consideration to a firm’s ability to operate critical business functions during emergency events, such as the COVID-19 pandemic. As iterated throughout this alert, the transition to remote work environments may raise compliance issues and other risks that could impact long-term remote operations. These compliance issues and other risks include: (i) the necessity to modify or enhance a firm’s supervisory and compliance policies and procedures to address some of the unique risks and conflicts of interest inherent in remote-work environments, such as supervised personnel taking on new or expanded roles in order to maintain business operations, and (ii) the necessity to modify or enhance a firm’s facilities and remote-work sites, such as by devoting additional resources to securing servers and systems or relocating infrastructure and support for personnel working from remote sites. The OCIE encouraged firms to review their continuity plans to address these matters, make changes to compliance policies and procedures, and provide disclosures to investors if their operations are materially impacted.
Protection of Investor and Other Sensitive Information
Remote work environments have caused an increase in the use of videoconferencing and other electronic means by firms and their personnel to communicate and maintain business operations. Firms should, however, consider the impact the use of these technologies may have on their obligations to protect investors’ personally identifiable information (“PII”). Specifically, the OCIE noted that these practices have created (i) vulnerabilities around the potential loss of sensitive information, including PII, due to remote access to networks, the use of web-based applications, increased use of personally owned devices, and changes in controls over physical records; and (ii) increased opportunities for fraudsters to use phishing and other means to improperly access systems and accounts by impersonating firms’ personnel, websites, or investors.
The OCIE recommended that firms assess their policies and procedures related to protecting investor data and cybersecurity and consider the following: (i) enhancing their identity protection practices; (ii) providing firm personnel with additional training and reminders regarding phishing, cyberattacks, sharing information using remote systems, document encryption, password-protection, and destroying physical records at remote locations; (iii) conducting heightened reviews of personnel access rights and controls; (iv) using validated encryption technologies to protect communications and data stored on all devices, including personally-owned devices; (v) ensuring that remote access servers are secured effectively; (vi) enhancing system access security; and (vii) addressing new or additional cyber-related issues related to third parties.
In conclusion, the OCIE reiterated that the firms should remain vigilant about potential fraudulent activities involving investors’ assets, report such activities and continue to stay informed about the SEC’s response to COVID-19 and related items.