On August 12, 2020, the Office of Compliance Inspections and Examinations (“OCIE”) of the Securities and Exchange Commission (“SEC”) published a risk alert (“Risk Alert”) identifying a number of COVID-19 related issues relevant to SEC-registered investment advisers and broker-dealers (collectively, “Firms”).1 OCIE had previously announced that it was actively engaged in ongoing outreach and having discussions with Firms to assess the impacts of COVID-19 on their businesses, including challenges to operational resiliency and the effectiveness of Firms’ business continuity plans.2 The Risk Alert outlines risks and practices that OCIE identified through its industry outreach, as well as consultation and coordination with other regulators. OCIE’s observations and recommendations fall into the following broad categories: (1) protection of investors’ assets, (2) supervision of personnel, (3) practices relating to fees, expenses, and financial transactions, (4) investment fraud, (5) business continuity, and (6) the protection of investor and other sensitive information. We summarize these below.
Protection of Investor Assets
OCIE observed that certain Firms have modified their normal operating procedures around collecting and processing investor checks and transfer requests in light of the current environment. OCIE encourages Firms to review their practices and make adjustments to their policies and procedures where appropriate, including in situations where investors mail checks to Firms and Firms are not picking up their mail daily. OCIE also recommends that Firms consider disclosing to investors that, for example, checks or assets mailed to the Firm’s physical office location may experience delays in processing. Finally, OCIE encourages Firms to review and make any necessary changes to their policies and procedures around disbursements to investors, including (i) implementing additional steps to validate the identity of the investor and the authenticity of disbursement instructions and (ii) recommending that each investor has a trusted contact person in place, particularly for seniors and other vulnerable investors.
Supervision of Personnel
OCIE encourages Firms to closely review, and, where appropriate, modify their practices and policies and procedures to address the following issues:
- Supervisors not having the same level of oversight and interaction with supervised persons when they are working remotely.
- Supervised persons making securities recommendations in market sectors that have experienced greater volatility or that may have heightened risks for fraud.
- The impact of limited on-site due diligence reviews and other resource constraints associated with reviewing third-party managers, investments, and portfolio holding companies.
- Communications or transactions occurring outside of Firms’ systems due to personnel working from remote locations and using personal devices.
- Remote oversight of trading, including reviews of affiliated, cross, and aberrational trading, particularly in high volume investments.
- The inability to perform the same level of diligence during background checks when onboarding personnel or to have personnel take requisite examinations.
Fees, Expenses, and Financial Transactions
The Risk Alert states that recent market volatility, and the resulting impact on investor assets and fees collected by Firms, may have increased financial pressures on Firms and their personnel. OCIE cautions that, as a result, there may be heightened potential for misconduct regarding:
- Financial conflicts of interest, such as: (1) recommending retirement plan rollovers into advised accounts or investments in products that the Firms or their personnel are soliciting; (2) borrowing or taking loans from investors and clients; and (3) making recommendations that result in higher costs to investors and that generate greater compensation for supervised persons.
- Fees and expenses charged to investors, such as: (1) advisory fee calculation errors, including valuation issues that result in the overbilling of advisory fees; (2) inaccurate calculations of tiered fees; and (3) failures to refund prepaid fees for terminated accounts.
The Risk Alert suggests that Firms review their fees and expenses policies and procedures and consider enhancements to their compliance monitoring, including (i) validating the accuracy of their disclosures, fee and expense calculations, and the investment valuations used, (ii) identifying and monitoring transactions that resulted in high fees and expenses to investors and evaluating whether those transactions were in the best interest of investors, and (iii) evaluating the risks associated with borrowing or taking loans from investors, clients, and other parties that create conflicts of interest. If advisers seek financial assistance, this may result in an obligation to update disclosures on Form ADV Part 2.
Investment Fraud
OCIE observed that times of crisis or uncertainty can create a heightened risk of investment fraud through fraudulent offerings. The Risk Alert cautions that Firms should be cognizant of these risks when conducting due diligence on investments and in determining that the investments are in the best interest of investors, and that any suspected fraud should be reported to the SEC.
Business Continuity
OCIE observed that many Firms have shifted to predominantly operating from remote sites. The Risk Alert states that this transition may raise compliance and other risks that could impact protracted remote operations and could place critical services to investors at risk. For example, the Risk Alert suggests that Firms’ supervisory and compliance policies and procedures utilized under “normal operating conditions” may need to be modified or enhanced to address some of the unique risks and conflicts of interest present in remote operations, and that Firms’ security and support for facilities and remote sites may need to be modified or enhanced. OCIE encourages Firms to review their continuity plans, make changes to compliance policies and procedures, and provide disclosures to investors if their operations are materially impacted, as appropriate.
Protection of Sensitive Information
OCIE observed that many Firms require their personnel to use videoconferencing and other electronic means to communicate while working remotely. The Risk Alert cautions that these practices can create vulnerabilities around the potential loss of sensitive information, including investors’ personally identifiable information, and can give fraudsters increased opportunity to use phishing and other means to improperly access systems and accounts. OCIE recommends that Firms review their compliance policies and procedures and consider the following modifications:
- Making enhancements to identity protection practices.
- Providing Firm personnel with additional training and reminders, and otherwise spotlighting issues related to cybersecurity.
- Conducting heightened reviews of personnel access rights and controls as individuals take on new or expanded roles in order to maintain business operations.
- Using validated encryption technologies to protect communications and data stored on all devices, including personally owned devices.
- Ensuring that remote access servers are secured effectively and kept fully patched.
- Enhancing system access security, such as requiring the use of multifactor authentication.
- Addressing new or additional cyber-related issues involving third parties, which may also be operating remotely when accessing Firms’ systems.
The Risk Alert encourages Firms to remain informed regarding fraudulent activities that may affect investors’ assets and to report any such fraud to the SEC.