- The OCIE of the SEC highlights that responses to COVID-19 present important regulatory and compliance issues for SEC registrants, including “heightened risks of misconduct” tied to recent market volatility.
- The Risk Alert covers six areas of concern, encompassing significant aspects of an investment adviser’s or broker-dealer’s operations and responsibilities.
- While still maintaining their focus on areas of self-identified risk, SEC registrants should consider aligning their compliance functions and resources to the OCIE’s six areas of concern and properly document that alignment.
On August 12, 2020, the U.S. Securities and Exchange Commission (SEC) and Office of Compliance Inspections and Examinations (OCIE) issued its latest Risk Alert describing COVID-19-related issues, risks and practices it has identified that relate to SEC-registered investment advisers and broker-dealers. OCIE’s last Risk Alert addressed how SEC-registered investment advisers and broker-dealers (collectively, “Firms”) could limit or prevent exposure to ransomware and other information security vulnerabilities.
The latest Risk Alert discusses six areas that investment advisers, broker-dealers, investors and the general public should focus on during the current global pandemic: (1) protection of investors’ assets; (2) supervision of personnel; (3) practices relating to fees, expenses and financial transactions; (4) investment fraud; (5) business continuity; and (6) protection of investor and other sensitive information.
The OCIE’s August 12, 2020, Risk Alert focuses on observations and recommendations for Firms identified by OCIE in the months since the onset of COVID-19. While OCIE issued the Risk Alert and likely will address these areas in particular examinations this year, the Alert is a helpful roadmap for the types of matters which may trigger future investigations and enforcement actions by the SEC’s Division of Enforcement. Indeed, OCIE specifically references several recent SEC enforcement actions relating to the issues identified in the Risk Alert. The Risk Alert foreshadows how OCIE and the SEC’s Division of Enforcement will scrutinize any perceived compliance failures by Firms in these areas going forward.
Staff Observations on Categories of Focus
Protection of Investor Assets
Consistent with the SEC’s theme of protecting Main Street investors, the first OCIE observation on risk and suggested area of focus is the safeguarding of clients’ assets. Each Firm is responsible for ensuring “the safety of its investors’ assets and to guard against theft, loss and misappropriation.”1 In light of the current pandemic, OCIE observed that some Firms have changed their routine operating practices in ways that may negatively impact the protection of clients’ assets.
- Mail. OCIE encourages Firms to review their practices and make adjustments, including situations where investors may mail checks to a registrant that is not picking up its mail daily. OCIE even suggests that Firms may need to disclose to investors that checks or assets mailed to the Firm may experience delays in processing for this reason.
- Investor Disbursement. Likewise, OCIE encourages Firms to review policies and procedures concerning disbursements to investors, especially if “investors are taking unusual or unscheduled withdrawals.”2 OCIE uses the example of COVID-19-related early distributions from eligible retirement accounts. OCIE suggest that registrants take additional steps to verify an investor’s identity and the authenticity of their disbursement instructions and recommends each investor has a trusted contact person in place, particularly for investors more susceptible to fraud.
Firms have an obligation to supervise their personnel, including providing sufficient supervision of personnel’s trading and investment activities. Supervisory policies and procedures should be tailored to a Firm’s business activities and adjusted to reflect its current business operations. In the wake of COVID-19, many Firms have shifted to telework situations, causing potential challenges to supervisory programs. Accordingly, OCIE recommends Firms review and update policies and procedures in various areas to reflect current supervisory challenges, such as:
- Remote Supervision. Supervisors not having same degree of oversight and interaction with supervised personnel.
- Higher Risk Securities Recommendations. Supervised personnel providing recommendations in areas experiencing “great volatility or may have heightened risks for fraud.”3
- Impact of Limited On-Site Due Diligence and Related Resource Constraints. Firms not reviewing third-party managers, investments and portfolio companies with the same level of scrutiny as before.
- Firm Systems May Be Bypassed. Remote workforce conducting communications and transactions outside a Firm’s relevant systems.
- Remote Oversight of Securities Trading. Oversight of trading, in particular “affiliated, cross and aberrational trading,” especially in “high volume investments.”4
- Due Diligence over New Personnel. Inability to conduct same level of background checks on incoming personnel, including fingerprints and completion of Form U4 verifications as well as personnel completing required examinations.
Fees, Expenses and Financial Transactions
The Risk Alert also discussed fee and expense issues—another long-standing focus of the SEC. Firms have obligations relating to analyzing and informing investors about “the costs of services and investment products, and the related compensation received by the Firm or their supervised personnel.”5 While negative market developments can always create incentives for Firms to improperly compensate for lost revenue, OCIE warns that recent market volatility and other consequences of COVID-19 may have increased the potential for misconduct in several areas:
- Financial Conflicts of Interest. There may be increased risk related to financial conflicts of interest, such as recommending retirement plan rollovers or transfers into advised accounts or products solicited by the Firm, borrowing or taking loans from investors or clients, or making recommendations that result in higher costs for investors with greater compensation for the Firm, including investments with termination fees swapped for new investments with high up-front charges or mutual funds with higher cost share classes.
- Fees and Expenses Charged to Investors. There is potential for increased risks related to fee calculation errors resulting in overbilling of advisory fees, inaccurate calculations of tiered fees and failures to refund prepaid fees for terminated accounts.
OCIE suggests Firms review their policies and procedures, specifically relating to validating the accuracy of disclosures and fee and expense calculations and the investment valuations employed, as well as identifying and evaluating transactions that may result in higher fees and expenses to investors in relation to the best interest of the investors. OCIE also asks Firms to consider evaluating the risks related to borrowing or taking loans from investors, clients and other parties that create conflicts of interests for the Firm. And any advisers which seek financial assistance may need to update their disclosures on Form ADV Part II.
OCIE acknowledges the current crisis “creates a heightened risk of investment fraud through fraudulent offerings.” Firms should conduct appropriate investment due diligence in order to provide advice in the best interest of investors.
The Risk Alert advises Firms to focus on their ability to continue to operate critical business functions during emergency events, including the pandemic. Remote working arrangements may raise compliance issues that could impact longer term remote operations, including:
- Supervisory and Compliance Policies and Procedures. Firms may need to modify or enhance their policies and procedures to address any risks or conflicts posed by remote working arrangements. This could include new or expanded roles for supervised persons for business continuity.
- Security and Support for Facilities and Remote Sites. Firms should include built-in redundancies for key operations and key person succession plans to alleviate the risk to mission critical services to investors. OCIE recommends that Firms focus on securing servers and systems, supporting personnel working remotely and protecting both vacated facilities and remote location data. OCIE notes Firms may need to provide disclosures to investors if their operations are materially impacted.
Protection of Sensitive Information
Firms must protect investors’ personally identifiable information (PII). Cybersecurity and protection of investor information have been focal points for OCIE and the SEC for several years. Remote working arrangements can make the protection of PII more complicated or vulnerable, including through remote access to networks and use of videoconferencing and other remote communication methods. Accordingly, OCIE recommends that Firms pay particular attention to risks associated with cybersecurity and data protection in the current environment and consider:
- Enhancements to identity protection policies and providing investors with Firm resources to raise related concerns.
- Additional personnel training for addressing remote cybersecurity risks.
- Heightened review of personnel access rights and controls.
- Using validated encryption technologies, including on personally-owned devices.
- Ensuring remote access servers are secure and fully patched.
- Enhancements to system access security, such as requiring the use of multifactor authentication.
Firms should continue to ensure that their policies and procedures are sufficient given the nature of their business activities and properly implement them, particularly in light of changes to remote working arrangements and other risks related to COVID-19. OCIE examinations will continue during the pandemic, and more Firms should assess whether they are deficient in any of the areas discussed above and modify their policies and procedures accordingly.
1Alert at 2, footnote omitted.
3 Id. at 3, footnote omitted.
4 Id. at 4.
5 Id. at 4.