SEC Staff's First "Compliance Alert" Addresses Deficiencies Found in Connection with Disaster Recovery Plans

 

 

[21288]

 

June 19, 2007

TO: TECHNOLOGY ADVISORY COMMITTEE No. 16-07 RE: SEC STAFF'S FIRST "COMPLIANCE ALERT" ADDRESSES DEFICIENCIES FOUND IN CONNECTION WITH DISASTER RECOVERY PLANS

 

The staff of the Securities and Exchange Commission has published its first ComplianceAlert [1].  This new publication is intended both to help chief compliance officers learn more about common deficiencies and weaknesses found by SEC examiners during inspections and encourage registrants to review compliance in these areas and implement improvements as warranted.  The first issue of ComplianceAlert is divided into two main sections, one applicable to investment advisers and investment companies and the other to broker-dealers.  These sections, in turn, are subdivided by type of registrant or type of deficiency.  In some instances, the ComplianceAlert also provides information on effective compliance practices found by examiners.  The contents of ComplianceAlert are briefly summarized below.

Of interest to the Technology Advisory Committee, among other issues, Section I of this issue of ComplianceAlert discusses deficiencies or weaknesses found from examining the disaster recovery plans of advisers impacted by Hurricane Katrina.  According to the ComplianceAlert, on average, firms relocated 330 miles from their original office site and they were able to resume trading and manage accounts within 32 hours of the hurricane.  Within five days of the hurricane they were able to resume general operations.  Most firms also were able to immediately access their electronically-maintained business records and client data from remote locations through the use of remote servers, laptop computers, back-up data tapes, Internet access, and online trading platforms.  Most firms kept in touch with clients via email or the firm’s website.  None of the firms reported clients having difficulty accessing their funds or initiating transactions following Hurricane Katrina.

According to the SEC staff, the provisions of the advisers’ disaster recovery plans that were effective in enabling the adviser to conduct business following the hurricane included:

• A pre-arranged remote location for short-term and possible long-term use;

• Alternate communication protocols;

• Remote access to business records and client data through appropriately secured means that ensure ongoing compliance with Regulation S-P and other confidentiality requirements;

• Temporary lodging for key staff where necessary as a result of a relocation of the firm;

• Accurate and up-to-date contact information for all third-party service providers including custodians, broker-dealers, transfer agents, pricing services, and research firms;

• Familiarity with the business continuity plans of third-party service providers;

• Contingency arrangements for the temporary or permanent loss of key personnel;

• Effective training of staff on how to fulfill essential duties in the event of a disaster, including compliance matters;

• Periodic tests, evaluations, and revision of disaster preparedness plans; and

• Sufficient insurance and financial liquidity to prevent any interruption to the performance of compliant advisory services.

 

Tamara K. Salmon
Senior Associate Counsel

endnotes

 [1] ComplianceAlert is available on the SEC’s website at: http://www.sec.gov/about/offices/ocie/complialert.htm. The SEC’s website does not indicate how often they expect to publish ComplianceAlert.