Timothy M. Simons, CFA, CFP, CIPM, CSCP
Senior Managing Member
Focus 1 Associates LLC
June 29, 2016
On December 17, 2003, the SEC hit the investment adviser industry with the final rule for Compliance Programs of Investment Companies and Investment Advisers, effective February 5, 2004 with a compliance date of October 5, 2004.
This Rule 206(4)-7 under the Investment Advisers Act of 1940 required advisers:
to adopt and implement written policies and procedures reasonably designed to prevent violation of the federal securities laws, review those policies and procedures annually for their adequacy and the effectiveness of their implementation, and designate a chief compliance officer to be responsible for administering the policies and procedures.
Each adviser, in designing its policies and procedures, should first identify conflicts and other compliance factors creating risk exposure for the firm and its clients in light of the firm’s particular operations, and then design policies and procedures that address those risks. We expect that an adviser’s policies and procedures, at a minimum, should address the following issues to the extent that they are relevant to that adviser:
And the tenth listed item (out of 10) was Business Continuity plans. The only place in the Rule where they discussed the business continuity plan was in footnote 22:
We believe that an adviser’s fiduciary obligation to its clients includes the obligation to take steps to protect the clients’ interests from being placed at risk as a result of the adviser’s inability to provide advisory services after, for example, a natural disaster or, in the case of some smaller firms, the death of the owner or key personnel. The clients of an adviser that is engaged in the active management of their assets would ordinarily be placed at risk if the adviser ceased operations.
Since 2004 we have kind of used business continuity plan (“BCP”) as a catch-all phrase to include our disaster recovery plan (“DRP”) following the natural disaster or terrorist activity scenarios rather than the business succession scenario, although many DRPs include scenarios in which principals are not available. But now we also have cybersecurity risks to consider and that has become more critical as firms are hacked and client information is potentially compromised.
To get us back on track, on June 28, 2016 the SEC proposed and put out for comment a new Rule 206(4)-4, Investment adviser business continuity and transition plan. The proposed rule would require advisers to adopt and implement a written business continuity and transition plan, and review its adequacy and effectiveness at least annually.
The proposed rule would require an adviser’s plan to be based upon the particular risks associated with the adviser’s operations and include policies and procedures addressing the following specified components (whose discussions make up a good portion of the text of the proposal):
- maintenance of critical operations and systems and protection, backup and recovery of data;
- pre-arranged alternative physical locations of the adviser’s offices and/or employees;
- communications with clients, employees, service providers and regulators;
- identification and assessment of third-party services critical to the operation of the adviser; and
- plan of transition that accounts for the possible winding down of the adviser’s business or the transition to others in the event the adviser is unable to continue providing advisory services.
SEC Chair Mary Jo White said in a statement, “While an adviser may not always be able to prevent significant disruptions to its operations, advance planning and preparation can help mitigate the effects of such disruptions and, in some cases, minimize the likelihood of their occurrence, which is an objective of this rule.” Chair White also indicated that the proposal is part of an effort to modernize and enhance regulatory safeguards for the asset management industry.
Although the proposal does admit that many investment advisers have taken steps to address and mitigate the risks of business disruption in the most likely scenarios, the SEC examination staff has observed advisers with “less robust planning.” It is the intent of this proposal to help ensure that an adviser’s BCP would minimize material service disruptions and any potential client harm from such disruptions.
The proposal does bring up a good point about fiduciary duty. If an adviser is unable to provide advisory services after a natural disaster, a cyber-attack, an act of terrorism, technology failures, or the departure of key personnel, its temporary inability to continue operations may put clients’ interests at risk and prevent the adviser from meeting its fiduciary duty to clients. This risk could include the risk of loss if an adviser lacks the ability to make trades in a portfolio, is unable to receive or implement directions from clients, or if clients are unable to access their assets or accounts. As part of its fiduciary duty to protect client interests, an adviser also should take steps to minimize operational and other risks that could lead to a significant business disruption. Hurricane Sandy was a prime example of planning for a natural disaster, when so many DRPs were confronted with conditions that many had never imagined, let alone planned for.
In addition to the proposed rule, SEC staff issued related guidance addressing business continuity planning for registered investment companies, including the oversight of the operational capabilities of key fund service providers.
I think that many if not most firms have been spending time and money on BCPs and DRPs, dealing with scenarios that they deemed most likely to confront them, as the SEC and compliance gurus have suggested that we do. Perhaps some of us neglected to put as much emphasis on transition planning as we put on being operational within 24 hours of a likely disruption, and not so much on how we can operate in the future with some of our human assets not available to us. I think that many of us think about the ramifications of not being there to see our kids grow up, providing them with insurance and wills, but not so much about the impact on the firm of us not being there.
I know as I get older and think about retirement, I wonder who people will call when I’m not there anymore. I know someone at the firm will answer the phone, but wonder if callers will notice that I’m gone. How’s that for a morbid thought? But if I’ve put all my efforts and passion into building something, I need to know that I’ve built for posterity, and the firm will survive if I get disrupted. Or maybe just enjoy being on the beach in Cancun listening to an audio book, or working in a garden in West Tennessee (also listening to an audio book).
I also think we have more than enough rules to contend with and would be happy just to get guidance bulletins from the SEC rather than new rules, but I’m one of those (even having been an SEC examiner for 12 years) that think that most advisers are trying to do the best they can for their clients, and rules just make it harder and more expensive for them to do their job.
This rule has only been proposed and the SEC is soliciting comments. Please read the proposal on the SEC’s website and make any suggestions that will make the rules better or even easier to comply with. The proposal is available for comment for 60 days.