Memo #32671

SEC OCIE Publishes Risk Alert on COVID-19 Compliance Risk Considerations for Broker-Dealers and Investment Advisers


August 13, 2020

TO: ICI Members
Broker/Dealer Advisory Committee
Chief Compliance Officer Committee
Chief Information Security Officer Committee
Internal Audit Committee
Operations Committee
Technology Committee
Transfer Agent Advisory Committee

SUBJECTS: Compliance
COVID-19
Investment Advisers

RE: SEC OCIE Publishes Risk Alert on COVID-19 Compliance Risk Considerations for Broker-Dealers and Investment Advisers

 

As expected based upon its engagement with registrants during the pandemic, the SEC’s Office of Compliance Inspections and Examinations (OCIE) has published a Risk Alert addressing COVID-19 compliance risks and considerations for broker-dealers and investment advisers.[1]  The Risk Alert begins by acknowledging the new operational, technological, commercial, and other challenges and issues facing SEC registrants as a result of the pandemic. It notes that, in many cases, these challenges have created important regulatory and compliance questions and considerations for registrants. As registrants have faced these challenges, OCIE has continued its operations, while working with registrants “to address the timing of its requests, availability of personnel, and other matters to minimize disruptions.” It has also actively engaged in on-going outreach to registrants to assess the impacts of the pandemic and to discuss, among other things, operations resiliency challenges. 

The Risk Alert’s purpose is to share some of OCIE’s observations with “[f]irms, investors, and the public generally”[2] in six areas: (1) protection of investors’ assets; (2) supervision of personnel; (3) practices relating to fees, expenses, and financial transactions; (4) investment fraud; (5) business continuity; and (6) the protection of investor and other sensitive information. OCIE’s observations in each of these areas are briefly summarized below.

Protection of Investors’ Assets

OCIE has observed that some firms have modified their normal operating practices relating to collecting and processing investor checks and transfer requests. OCIE encourages firms “to review their practices and make adjustments, where appropriate, including in situations where investors mail checks to Firms and Firms are not picking up their mail daily.” In particular, firms “may want to update their supervisory and compliance procedures to reflect any adjustments made and to consider disclosing to investors that checks or assets mailed to the Firm’s office location may experience delays in processing until personnel are able to access the mail or deliveries at that office location.”[3] 

In addition to addressing check processing, the Risk Alert encourages registrants to make any necessary changes to their policies and procedures relating to disbursements to investors. This is particularly true where investors are taking unusual or unscheduled withdrawals from their accounts, including retirement accounts. Firms may want to consider implementing additional steps to validate the account owners’ identity and the authenticity of disbursement instructions. They may also want to recommend to investors that they have a trusted contact person in place, especially if the account owner is a senior or vulnerable investor.

Supervision of Personnel

OCIE reminds registrants that their supervisory policies and procedures should be amended as necessary to reflect the firm’s current business activities and operations. As firms respond to the challenges of the current environment by conducting operations from dispersed remote locations and address significant market volatility, OCIE encourages them to closely review and, where appropriate, modify their supervisory and compliance procedures. Areas that may need special attention include:

  • Supervisors not having the same level of oversight and interaction with supervised persons when working remotely;
  • Supervised persons making securities recommendations in market sectors that have experienced greater volatility or that may have heightened risks for fraud;
  • The impact of limited on-site due diligence reviews and other resource constraints associated with reviewing third-party managers, investments, and portfolio holding companies;
  • Communications or transactions occurring outside of the firm’s systems due to personnel working remotely and using personal devices;
  • Remote oversight of trading, including reviews of affiliated, cross, and aberrational trading, particularly in high volume investments; and
  • The inability to perform the same level of diligence during background checks when onboarding personnel.[4]

Practices Related to Fees, Expenses, and Financial Transactions

According to OCIE, “the recent market volatility and the resulting impact on investor assets and the related fees collected by Firms may have increased financial pressures on Firms and their personnel to compensate for lost revenue.” This, in turn, “may have increased the potential for misconduct” relating to, among other things, financial conflicts of interest, inaccurate fee calculations, and failures to refund fees owed to investors. Firms may want to review their fees and expenses policies and procedures and consider enhancing their compliance monitoring by, for example: (i) validating the accuracy of their disclosures, fee and expense calculations, and the investment valuations used; (ii) identifying transactions that result in high fees and expenses to investors, monitoring for such trends, and evaluating whether these transactions were in the best interest of investors; and (iii) evaluating the risks associated with borrowing from investors, clients, and other parties that create conflicts of interest.

OCIE additionally notes that, if advisers seek financial assistance, “this may result in an obligation to update” Form ADV Part 2 disclosures.

Investment Fraud

Because times of crisis or uncertainty create a heightened risk of fraudulent investment offerings, OCIE encourages firms to be cognizant of these risks when conducting due diligence on investments.

Business Continuity

The Risk Alert notes that registrants’ obligation to prevent violations of the federal securities laws necessitates their ability to continue to operate critical business functions during emergency events. Firms shifting to predominantly operating from remote sites may raise compliance issues and other risks that could impact protracted remote operations. Two areas where firms may want to review their continuity plans and revise them as necessary include:

  • Firms’ supervisory and compliance policies and procedures, which may need to be modified or enhanced to address some of the unique risks and conflicts of interest present in remote operations (e.g., supervised persons taking on new or expanded roles in order to maintain business operations may create new risks); and
  • Firms’ security and support facilities and remote sites may need to be modified or enhanced. Issues firms may want to consider are whether: (i) additional resources and/or measures for securing servers and systems are needed; (ii) the integrity of vacated facilities is maintained; (iii) relocation infrastructure and support for personnel operating from remote sites is provided; and (iv) remote location data is protected.

Protection of Investor and Sensitive Information

The final topic discussed in the Risk Alert relates to registrants’ obligation to protect investors’ personally identifiable information (PII). Firms’ increased use of videoconferencing and other electronic means to communicate while working remotely may create vulnerabilities around the potential loss of sensitive information, including PII. These vulnerabilities result from: (i) remote access to networks and the use of web-based applications; (ii) increased use of personally-owned devices; and (iii) changes in controls over physical records, such as sensitive documents printed at remote locations and the absence of personnel at firms’ offices. Also, the increased use of electronic communications provides more opportunities for fraudsters to use phishing and other means to improperly access systems and accounts by impersonating firm personnel, websites, and/or investors.

Steps firms may want to consider in response to these enhanced vulnerabilities include:

  • Enhancements to their identity protection practices, such as by reminding investors to contact firms directly by telephone for any concerns about suspicious communications and ensuring that the firm has personnel available to answer these investor inquiries;
  • Providing firm personnel with additional trainings and reminders, and otherwise spotlighting issues relating to: phishing and other targeted cyberattacks; sharing information while using remote systems (e.g., unsecured web-based video chat); encrypting documents and using password-protected systems; and destroying physical records at remote locations;
  • Conducting heightened reviews of personnel access rights and controls as individuals take on new or expanded roles to maintain business operations;
  • Using validated encryption technologies to protect communications and data stored on all devices, including personally-owned devices;
  • Ensuring that remote access services are secured effectively and kept fully patched;
  • Enhancing system access security, such as requiring the use of multifactor authentication; and
  • Addressing new or additional cyber-related issues related to third parties, which may also be operating remotely when accessing the firm’s systems.

Conclusion

The Risk Alert concludes by providing a list of resources that may be helpful to registrants. The resources include how to report fraud to the SEC or contact OCIE as well as a list of information the SEC has published relating to COVID-19.

 

Tamara K. Salmon
Associate General Counsel

 

endnotes

[1] See Select COVID-19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisers, OCIE Risk Alert (August 12, 2020) (“Risk Alert”), which is available at: https://www.sec.gov/files/Risk%20Alert%20-%20COVID-19%20Compliance.pdf

[2] To our knowledge, this is the first time OCIE has published a Risk Alert that, in part, is directed to investors and the public generally. Notwithstanding this, the advice and suggestions in the Risk Alert are targeted to registrants.

[3] Footnotes 2 and 3 to this portion of the Risk Alert remind readers that Rule 206(4)-2 under the Investment Advisers Act and Rule 15c3-3(k)(2) under the Securities Exchange Act require investment advisers and certain broker-dealers to promptly transmit investor checks.

[4] Footnote 9 of the Risk Alert cites the order the SEC issued on June 26, 2020 providing temporary relief regarding some of the regulatory requirements relating to onboarding securities personnel.