Observations on OCIE’s Risk Alert for COVID-19 Compliance Risks and Considerations

On August 12, 2020, the U.S. Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) issued a risk alert (the Alert) providing certain observations about COVID-19-related issues, risks, and practices relevant to SEC-registered investment advisers and broker-dealers.¹  

The SEC staff’s observations on COVID-19-specific compliance risks generally are consistent with issues on which the investment industry was already focused, and the staff’s recommendations reflect policies and procedures already adopted by many firms. Sidley has provided guidance with respect to COVID-19 compliance considerations in the past² and we encourage you to review these resources as you continue evaluating your firm’s compliance program in light of today’s unique challenges.

This Sidley Update summarizes the Alert’s observations and recommendations and offers practical tips to develop and enhance existing policies and disclosures to address risks attendant to working remotely and during a time of increased market volatility.

Overview

In the Alert, OCIE addresses six broad categories of observations and recommendations: (1) protection of investors’ assets; (2) supervision of personnel; (3) practices relating to fees, expenses, and financial transactions; (4) investment fraud; (5) business continuity; and (6) the protection of investor and other sensitive information.

The Alert reminds market participants of OCIE’s careful evaluation of both investment advisers’ and broker-dealers’ operational responses to the pandemic. We expect that the issues noted in the Alert will be areas of focus in future exam inquiries and enforcement actions.

Protection of Investor Assets

The staff observed that in many cases, advisers and broker-dealers have both modified their procedures for collecting and processing investor requests by mail and have been unable to pick up mail on a daily basis. To protect clients’ assets and to guard against theft, loss, and misappropriation, OCIE recommends that firms (1) review and adjust, as necessary, supervisory and compliance policies and procedures relating to the collection and processing of client checks and transfer requests and (2) consider implementing additional steps to validate client identity and disbursement instructions and recommending to clients (particularly seniors and other vulnerable clients) that they have trusted contacts in place.

Practical Tips/Action Items:

• Establish an internal plan or engage an external service to retrieve mail from the office on a periodic basis.
• Consider notifying clients that checks or assets mailed to the firm’s office may experience delays in processing and, as appropriate, reminding clients of alternative methods to deposit assets.
• Advisers should review the SEC FAQs about custody rule compliance during COVID-19, specifically Question II.1 regarding inadvertent receipt of client securities when an adviser’s personnel may be unable to access mail or deliveries and Question VII.4 regarding custody of certain privately issued securities that are evidenced by physical certificates.³
• Broker-dealers should consider, given the circumstances and provisions of the Coronavirus Aid, Relief, and Economic Security Act, the need to update procedures for monitoring for the potential exploitation of seniors and other individuals.

Supervision of Personnel

Advisers and broker-dealers have an obligation to reasonably supervise their personnel. This obligation applies regardless of whether employees work in the office or from home. As many firms continue to adjust to remote work and deal with significant market volatility and related issues, OCIE encourages these firms to closely review and, as necessary, modify their supervisory and compliance policies and procedures to address the following potential challenges:

1. supervisors not having the same level of oversight and interaction with supervised persons when they work remotely
2. supervised persons making securities recommendations in market sectors that have experienced greater volatility or may have heightened risks for fraud
3. due diligence and other resource constraints associated with reviewing third-party managers, investments, and portfolio holding companies remotely or with limited on-site access
4. communications or transactions occurring outside of the firms’ systems due to personnel working from remote locations and using personal devices
5. remote oversight of trading, including reviews of affiliated, cross, and aberrational trading, particularly in high-volume investments
6. the difficulties in performing the same level of diligence during background checks when onboarding personnel or having personnel take necessary examinations

Practical Tips/Action Items:

• Conduct employee trainings on the approved methods of business communication and firm software.
• Consider running additional testing to confirm adherence to trading policies.
• Adjust due diligence practices to address the practical limits of remote reviews (i.e., adjust the type or frequency of reporting). 
• Consider whether communications are being appropriately captured and monitored, including methods of communication that were not typically used prior to the COVID-19 pandemic.
• Have broker-dealers continue to monitor Financial Industry Regulatory Authority guidance regarding requirements to update Form BRs and Form U4s and to conduct inspections of certain office locations.

Fees, Expenses, and Financial Transactions

OCIE expressed concern that recent market volatility could increase the risk of conflicts of interest and improper fee generation because certain firms may feel increased pressure to generate additional revenue. The staff encourages both investment advisers and broker-dealers to ensure that they have sufficient compliance monitoring and adequate policies and procedures to address and prevent these issues.

Practical Tips/Action Items:

• Assess conflicts of interest continually.
• Review valuation practices for consistency and fairness. Confirm that valuation issues have not resulted in overbilling, higher asset-based advisory fees, or inflated portfolio performance returns.
• Validate the accuracy of disclosures and fee and expense calculations.
• Consider whether adjustments should be made to policies or procedures related to the suitability of investments.
• Identify transactions that resulted in high fees and expenses to investors, monitoring for such trends, and evaluate whether these transactions were in the best interest of clients.
• If an investment adviser or broker-dealer is considering borrowing or taking loans from investors or clients, the firm should evaluate the risks and potential conflicts associated with taking financial assistance and how those risks or potential conflicts can be appropriately ameliorated or disclosed.
• If an investment adviser received financial assistance, from the government or otherwise, the adviser may be required to update its Form ADV Part 2.⁴

Investment Fraud

OCIE noted that times of financial uncertainty can lead to a higher risk of fraud and/or fraudulent offerings. OCIE reminded advisers and broker-dealers that they should be mindful of these risks, especially when conducting due diligence on investments.

Business Continuity

Both advisers and broker-dealers are required to have business continuity plans that are reasonably designed to allow the firm to operate during periods of disruption. [See “Business continuity planning: preparing for pandemics and other significant business disruptions”] Before COVID-19, many firms’ business continuity plans did not contemplate the challenges of a pandemic or extended periods of remote work. In the Alert, OCIE encouraged firms to review and update their business continuity plans to address appropriately compliance and technological issues that could affect protracted remote operations, including these:

1. risks associated with supervised persons taking on new or expanded roles in order to maintain business operations 
2. technological and infrastructure issues (e.g., securing servers and systems, maintaining the integrity of vacated facilities, relocating infrastructure and support for remote personnel and protecting data stored or created remotely)

OCIE stressed that if relevant practices and approaches are not addressed in business continuity plans and/or firms do not have built-in redundancies for key operations and key person succession plans, mission-critical services to investors may be at risk. These risks may be particularly acute when personnel are working from home, as it may be less likely that their residences are supported by backup service providers. 

Practical Tips/Action Items:

• Review remote access elements of business continuity plan.
• Consider conducting technical assessments and stress tests to identify any deficiencies.
• Consider providing critical employees with personal hotspots serviced by a second service provider, backup generators at their homes, or space at alternative locations where they can work should they be unable to work from their residence.

Protection of Sensitive Information

OCIE reminded investment advisers and broker-dealers of their obligations related to cybersecurity and data protection, including their obligation to protect investors’ personally identifiable information (PII). OCIE also highlighted a number of risks associated with technologies commonly leveraged to accomplish remote work, such as remote access, that may provide additional opportunities for bad actors to improperly access a firm’s systems. OCIE encouraged firms to review and, if necessary, modify any compliance policies and procedures that are designed to protect PII. The Alert’s recommendations echo recommendations made in past OCIE alerts and reports on the ransomware and cybersecurity.⁵

Practical Tips/Action Items:

• Provide personnel with additional cybersecurity training and reminders.
• Consider enhancing system access security, such as requiring the use of multifactor authentication.
• Consider using validated encryption technologies to protect communications and data stored on all devices, including personally owned devices.
• Consider whether policies or procedures should be modified due to the increased likelihood that personnel may be working in shared or less secured environments.

¹SEC OCIE Risk Alert: Select COVID-19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisers (Aug. 12, 2020)

²Compliance Program COVID Effects — 10 Areas for Thought and Consideration and Return to the Workplace:
Considerations for Investment Managers

³https://www.sec.gov/divisions/investment/custody_faq_030510.htm

⁴See Division of Investment Management Coronavirus (COVID-19) Response FAQs, Question II.4 (posted April 27, 2020).

⁵SEC OCIE Risk Alert: Cybersecurity: Ransomware Alert (July 10, 2020) and SEC OCIE Report: Cybersecurity and Resiliency Observations (Jan. 27, 2020)