Memo #
30010

July 7 Member Call to Discuss: SEC Business Continuity and Transition Planning Proposal for Advisers and SEC Staff Business Continuity Planning Guidance to Fund Complexes

July 5, 2016

TO: BANK, TRUST AND RETIREMENT ADVISORY COMMITTEE No. 18-16
BROKER/DEALER ADVISORY COMMITTEE No. 20-16
CHIEF COMPLIANCE OFFICER COMMITTEE No. 12-16
CHIEF RISK OFFICER COMMITTEE No. 14-16
COMPLIANCE ADVISORY COMMITTEE No. 4-16
INVESTMENT ADVISERS COMMITTEE No. 9-16
INVESTMENT COMPANY DIRECTORS No. 19-16
OPERATIONS COMMITTEE No. 12-16
SEC RULES COMMITTEE No. 29-16
SECURITIES OPERATIONS ADVISORY COMMITTEE
SMALL FUNDS COMMITTEE No. 17-16
TECHNOLOGY COMMITTEE No. 9-16
TRANSFER AGENT ADVISORY COMMITTEE No. 25-16

RE: JULY 7 MEMBER CALL TO DISCUSS: SEC BUSINESS CONTINUITY AND TRANSITION PLANNING PROPOSAL FOR ADVISERS AND SEC STAFF BUSINESS CONTINUITY PLANNING GUIDANCE TO FUND COMPLEXES

 

The SEC recently issued a proposed rule that would require SEC-registered investment advisers (“advisers”) to adopt business continuity and transition plans. [1] SEC Chair White first discussed this initiative in December 2014 as part of a broader five-part package of reforms intended to enhance and strengthen the SEC’s regulation of the asset management industry. [2]

The Release notes advisers’ increasing reliance on technology and third parties that support their operations. The proposed rule is designed to ensure that advisers have plans in place to address operational and other risks related to a significant disruption in the advisers’ operations, in order to minimize client harm. The proposed rule would require advisers to (i) adopt and implement written business continuity and transition plans addressing several components, and (ii) review the adequacy and effectiveness of those plans at least annually. The Proposal also includes related changes to the recordkeeping rule for advisers.

On the same day the SEC issued the Proposal, the SEC staff issued guidance addressing business continuity risks for registered fund complexes. [3]

On July 7 at 2:00 pm (ET), we will hold a 1-hour member call to discuss the Proposal. The dial-in information is: Number: 888-282-9645; Participant passcode: 1801663. Please do not share this dial-in information outside your firm.

Comments on the Proposal are due by September 6.

I. Summary of the Proposal

A. Background

To date, advisers’ business continuity plan (“BCP”) obligations have not been expressly articulated in a specific rule under the Investment Advisers Act. Rather, the SEC has stated that an adviser’s compliance policies and procedures should address BCPs to the extent that they are relevant to the adviser. [4] Since then, the SEC staff has communicated its views regarding advisers’ BCPs through examinations and published observations. [5] The Release opines that advisers’ current BCPs vary in quality, and the SEC views the proposed rule as a way of facilitating adoption of robust plans industrywide.

Currently, advisers have no obligations with respect to transition planning. The topic has taken on increased prominence since the 2008 crisis, and the Dodd-Frank Act mandated regulations requiring certain financial institutions (not including investment advisers) to submit “resolution plans” for their “rapid and orderly resolution in the event of material financial distress or failure… .” [6] Other regulatory bodies have posed questions regarding the asset management industry’s resolvability and transition planning. [7] The Release notes that transitions of client assets from one adviser to another are often routine and orderly, but nevertheless expresses concern that disorderly transitions could be harmful to clients and potentially financial markets.

B. Proposed Advisers Act Rule 206(4)-4

The proposed rule would require an adviser to adopt and implement a written business continuity [8] and transition [9] plan and review it at least annually. [10] An adviser’s plan must be “reasonably designed to address operational and other risks related to a significant disruption in the investment adviser’s operations,” and must include policies and procedures concerning business continuity and business transition. The plan’s content would be “based upon risks associated with the adviser’s operations” and would be “designed to minimize material service disruptions.” More specifically, the plan must address:

  • maintenance of critical operations and systems, and the protection, backup, and recovery of data; [11]
  • pre-arranged alternate physical location(s) of the adviser’s office(s) and/or employees; [12]
  • communications with clients, employees, service providers, and regulators; [13]
  • identification and assessment of critical third-party services; [14] and
  • a transition plan that accounts for the possible winding down or transition of the adviser’s business to others if the adviser is unable to continue providing advisory services.

The Release states that this transition plan requirement should account for transitions in normal and stressed conditions, and should consider each type of advisory client. Specifically, this transition plan would include:

  • policies and procedures intended to safeguard, transfer and/or distribute client assets during transition; [15]
  • policies and procedures facilitating the prompt generation of any client-specific information necessary to transition each client account; [16]
  • information regarding the corporate governance of the adviser; [17]
  • identification of any material financial resources available to the adviser; [18] and
  • an assessment of the applicable law and contractual obligations governing the adviser and its clients, including pooled investment vehicles, implicated by the adviser’s transition. [19]

C. Proposed Amendments to Advisers Act Rule 204-2 (Books and Records)

The proposed amendments to Rule 204-2 would require an adviser to make and keep copies of all written business continuity and transition plans that are in effect or were in effect at any time during the last five years, as well as any records documenting the adviser’s annual review of its plan.

II. Summary of SEC Staff Guidance Update

The Guidance Update “underscores the importance of mitigating operational risks related to significant business disruptions, particularly through proper business continuity planning for registered investment companies.” [20] It notes that dependencies on technology and arrangements with third parties should be considered as part of a fund complex’s BCP, and points to external events (e.g., Hurricanes Katrina and Sandy) and idiosyncratic service provider events (e.g., the inability of a service provider to calculate timely and accurate NAVs for certain funds in 2015) in support.

The Guidance Update, informed by staff outreach and lessons learned through past experience and examinations, then discusses a number of measures that the SEC staff believes funds should consider as they evaluate the robustness of their complex-wide BCPs, including the following:

  • Fund Compliance: Fund complexes, through their policies and procedures, should consider how to mitigate exposures to potential service disruptions. Because fund complexes outsource critical functions to third parties, they should consider conducting initial and ongoing due diligence of those third parties, including on their BCPs.
  • Notable Fund Complex Practices: The staff noticed in its outreach that most fund complexes’ BCPs incorporate critical functions performed on behalf of funds. The staff believes that critical fund service providers likely would include the adviser, principal underwriter, administrator, transfer agent, custodian, and pricing agent. The staff observed the following notable practices:
      • Broad coverage of plans (facilities, technology/systems, employees, and activities of the adviser and affiliated entities, as well as dependencies on critical third party services)
      • Broad cross-section of employee involvement in BCPs
      • Service provider oversight programs that involve initial and ongoing due diligence, conducted by key personnel and involving CCOs
      • Annual BCP presentations to fund boards (either separately, or as part of the CCO’s annual compliance report to the board or the board’s annual advisory contract review process)
      • Annual BCP testing (with results shared with the fund board)
      • Monitoring of outages by the CCO and key personnel (with fund board reporting as warranted)
  • Additional Considerations Regarding Critical Service Providers: Recognizing that key business functions may be performed by affiliated and unaffiliated entities, a fund complex’s BCP should consider the following:
      • Examination of critical service providers’ backup processes and redundancies, and consideration of how the fund complex would respond to significant business disruptions of these service providers
      • How best to monitor significant disruptions at critical service providers, along with the communications protocols needed to navigate such events
      • How the BCPs of critical service providers interrelate
      • How a significant disruption at a critical service provider could impact fund operations, and how the fund would respond
  • Board Involvement: A fund board generally should discuss with the fund adviser and other key service providers their BCPs and the steps they take to mitigate disruption risks, along with how the fund complex’s BCP addresses risks of third party service provider disruptions.

 

Matthew Thornton
Assistant General Counsel

Endnotes

[1] Adviser Business Continuity and Transition Plans, SEC Release No. IA-4439 (June 28, 2016) (the “Proposal” or the “Release”), available at www.sec.gov/rules/proposed/2016/ia-4439.pdf.

[2] Enhancing Risk Monitoring and Regulatory Safeguards for the Asset Management Industry, Speech by SEC Chair Mary Jo White at The New York Times Dealbook Opportunities for Tomorrow Conference, New York, NY (Dec. 11, 2014), available at www.sec.gov/News/Speech/Detail/Speech/1370543677722#.VIoGhTHF884. In addition to this Proposal, the SEC has issued proposals relating to (i) enhanced reporting requirements for registered investment companies and advisers; (ii) liquidity risk management for open-end funds; and (iii) funds’ use of derivatives. Stress testing requirements for large funds and advisers are the only part of the reform package not yet issued.

[3] Business Continuity Planning for Registered Investment Companies, SEC Division of Investment Management Guidance Update (June 2016) (“Guidance Update”), available at www.sec.gov/investment/im-guidance-2016-04.pdf.

[4] Compliance Programs of Investment Companies and Investment Advisers, SEC Release No. IA-2204, 68 FR 74714, 74716 (Dec. 24, 2003) (“Compliance Rules Release”), available at www.sec.gov/rules/final/ia-2204.pdf.

[5] See, e.g., National Exam Program Risk Alert, SEC Examinations of Business Continuity Plans of Certain Advisers Following Operational Disruptions Caused by Weather-Related Events Last Year (Aug. 27, 2013), available at www.sec.gov/about/offices/ocie/business-continuity-plans-risk-alert.pdf.

[6] Section 165(d) of the Dodd-Frank Act. The SEC distinguishes between this legislative mandate and its Proposal, stating, “We are not proposing that advisers adopt resolution plans or ‘living wills’ similar to that which certain financial institutions must now adopt under FDIC and Federal Reserve rules because investment advisers do not interact with the government in the same way as banks. For example, advisers do not accept insured ‘deposits,’ do not have access to the Federal Reserve discount window, and do not use their own balance sheets when trading client assets.” Release at n.40.

[7] See, e.g., Financial Stability Oversight Council, Update on Review of Asset Management Products and Activities (April 18, 2016), available at: www.treasury.gov/initiatives/fsoc/news/Documents/FSOC%20Update%20on%20Review%20of%20Asset%20Management%20Products%20and%20Activities.pdf. (“The Council has evaluated and continues to examine potential challenges and risks to financial stability that may arise in a resolution or liquidation of an entity in the asset management industry, particularly in circumstances of market stress, or involving an entity with a high degree of complexity and multi-jurisdictional operations.”)

[8] “Business continuity situations generally include natural disasters, acts of terrorism, cyber-attacks, equipment or system failures, or unexpected loss of a service provider, facilities, or key personnel.” Release at 25.

[9] “Business transitions generally include situations where the adviser exits the market and thus is no longer able to serve its clients, including when it merges with another adviser, sells its business or a portion thereof, or in unusual situations, enters bankruptcy proceedings.” Release at 25-26.

[10] “The [annual] review generally should consider any changes to the adviser’s products, services, operations, critical third-party service providers, structure, business activities, client types, location, and any regulatory changes that might suggest a need to revise the plan.” Release at 50. The Release also notes that annual reviews should address any weaknesses identified during the previous year.

[11] The Release states that an adviser’s plan generally should: identify and prioritize critical functions, operations, and systems and consider alternatives and redundancies; identify key personnel that provide critical functions to, or support critical operations or systems of, the adviser and address their temporary or permanent loss; address both hard copy and electronic backup of data; include an inventory of key documents and a list of the adviser’s service provider relationships necessary to maintaining functional operations; and consider and address the operational and other risks related to cyber-attacks.

[12] The Release states that an adviser generally should consider geographic diversity of its offices or remote sites and employees, as well as access to the systems, technology, and resources necessary to continue operations at different locations. The SEC does not specify, either in the proposed rule text or Release, how far away the alternate location must be, but states that “advisers generally should consider whether their alternative locations are in such close proximity to each other or to its primary location that they may be sharing common infrastructure providers and thus, that the alternative locations would be similarly affected by an external event.” Release at n.80.

[13] The Release states that the plan generally should cover: the methods and protocols to be used for employee communications, how employees are informed of a significant business disruption, how employees should communicate during a disruption, and contingency arrangements assigning responsibilities if key personnel are lost; employee training; how clients will be made aware of and updated about a significant business disruption; how advisers and service providers will notify one another of a significant business disruption; and how and under what circumstances the adviser would notify relevant regulator(s) of a significant business disruption.

[14] “We would generally consider critical service providers to at least include those providing services related to portfolio management, the custody of client assets, trade execution and related processing, pricing, client servicing and/or recordkeeping, and financial and regulatory reporting.” Release at 38. The Release states that an adviser should be aware of critical service providers’ BCPs, and if necessary, consider alternative service providers as a backup. In addition to reviews of BCP summaries, the Release notes that assessments could include due diligence questionnaires; an assurance report on controls by an independent party; certifications or other information regarding a provider’s operational resiliency or implementation of compliance policies, procedures, and controls relating to its systems; results of any testing; and onsite visits.

[15] The Release notes that derivatives positions could require special treatment (e.g., they may need to be unwound rather than transferred).

[16] The Release notes that this could include the identity of custodians, positions, counterparties, collateral, and related records, and that this might be more complex for private and registered fund clients, because they typically have multiple investors.

[17] This “generally should include an organizational chart and other information about the adviser’s ownership and management structure, including the identity and contact information for key personnel, and the identity of affiliates (both foreign and domestic) whose dissolution or distress could lead to a change in or material impact to the adviser’s business operations.” Release at 43-44.

[18] By way of example, the Release suggests that “the adviser could identify any material sources of funding, liquidity, or capital it would seek in times of stress in order to continue operating or consider how it would implement a reduction of expenses or other alternatives.” Release at 45-46.

[19] The Release provides as examples (i) the possibility that an adviser’s insolvency or termination could trigger a termination clause in a client’s derivatives contract, and (ii) the Investment Company Act and Investment Advisers Act requirements relating to approvals and assignments of advisory contracts.

[20] Guidance Update at 1. The Guidance Update recognizes that fund BCP is conducted at the complex level (i.e., by fund service providers), rather than by the fund itself. It cites the Compliance Rules Release (see supra, note 4), which stated that funds’ or their advisers’ policies and procedures should address the issues identified in the Release, including BCPs.