
SEC Proposes Rule Requiring Investment Advisers to Prepare a Business Continuity and Transition Plan; Issues Guidance Update Reflecting Similar Expectations for Registered Funds

09.07.16

(Article from Registered Funds Alert, September 2016)

For more information, please visit the Registered Funds Alert Resource Center.

As discussed in prior Alerts, the Securities and Exchange Commission is in the process of proposing a series of reforms designed to minimize certain perceived risks in the asset management industry. The most recent reform effort targets an alleged lack of adequate planning by some investment advisers to account for business disruptions. To address this concern, the SEC proposed Rule 206(4)-4 (“Proposed Rule”) and an amendment to Rule 204-2 under the Investment Advisers Act of 1940, as amended (“Advisers Act”). If adopted, the rule changes would require SEC-registered investment advisers to: (i) adopt and implement a business continuity and transition plan; (ii) review the plan at least annually; and (iii) maintain a record of the current plan and any prior iteration of the plan in effect during the preceding five years, as well as other records related to the adviser’s annual review. The Proposed Rule appears to be aimed at smaller investment advisers, as larger and more sophisticated advisers likely already have business continuity measures in place. Comments on the Proposed Rule were due on September 6, 2016.

Key Components of a Business Continuity and Transition Plan

Under the Proposed Rule, a business continuity and transition plan must be reasonably designed to deal with operational risks such as cyber-attacks, system failures, natural disasters or acts of terrorism. Other operational risks may include those stemming from unexpected losses of service providers, facilities or key personnel. A business continuity and transition plan must address the following “key components” in the event of a significant disruption:

(i) maintaining critical operations and safeguarding data;

(ii) pre-arranging an alternate office location;

(iii) communicating with clients, employees, service providers and regulators;

(iv) assessing critical third-party services; and

(v) preparing a transition plan to sell, transfer or liquidate the managed assets.

Although the Proposed Rule requires all plans to address these key components, it recognizes that the degree to which a particular adviser’s plan addresses each component will vary depending on the size and complexity of that adviser’s business.

Maintaining Critical Operations and Data Protection

The Proposed Rule explains that a business continuity and transition plan should identify, prioritize and consider alternatives to critical operations in order to maintain continuity during a significant business disruption. Critical operations include those that are utilized for quickly processing transactions, delivering securities and maintaining client accounts. A plan should provide a contingency strategy for handling the temporary or permanent loss of key personnel. Data backup and recovery measures should also be incorporated into the plan, with an eye towards potential cyber-attacks and preserving key documents (e.g., organizational documents, contracts and policies and procedures).

A notable aspect of the Proposed Rule is the extent to which it uses continuity planning as a platform to discuss cybersecurity issues. The Proposed Rule posits that the impact of cybersecurity incidents can be reduced by robust business continuity planning, and states that “[a]n adviser generally should consider and address as relevant the operational and other risks related to cyber-attacks.” Language like this, interspersed throughout the Proposed Rule, appears to provide a basis for a new, independent cause of action that can be used by the SEC against advisers who fail to take sufficient steps to prevent, mitigate and respond to cyber-attacks. In any case, as we have noted in prior Alerts, advisers would be prudent to shore up their cybersecurity protocols in light of other recent SEC actions[1] and statements.[2]

Pre-Arranged Alternate Location

According to the Proposed Rule, a plan must “pre-arrange alternate physical location(s) of its office(s) and/or employees.” Advisers should take into account the geographic diversity of different locations to preempt localized disruptions. Advisers should also consider how to maintain each location’s remote access to technology and resources in order to continue with critical operations. This requirement generally applies to “extended” disruptions; consistent with past SEC guidance on this topic, enabling employees to work remotely is an appropriate plan for shorter disruptions. For an “extended” disruption, the proposing release states that smaller advisers may be able to rely on remote access while larger advisers may need to plan to have an alternate location, but it does not provide any guidance on what period of time would constitute an “extended” period.[3]

Communications

Another key component of a business continuity and transition plan is that it must address communications with clients, employees, service providers and regulators. The plan should consider different communication methods, and when and how to inform clients of significant business disruptions. Moreover, the plan should consider the process of communicating with service providers about disruptions that might affect the systems of both the investment adviser and the service provider.

Critical Service Providers

A business continuity and transition plan also must identify and assess third-party services in support of critical operations. An adviser could deem certain providers to be “critical” based on a variety of factors, including whether the service provider has backup systems, whether the service provider has direct contact with investors and whether the service provider has access to investors’ personally identifiable information. The Proposed Rule explains that critical service providers would generally include those who offer services “related to portfolio management, the custody of client assets, trade execution and related processing, pricing, client servicing and/or recordkeeping and financial and regulatory reporting.” The adviser should review and assess how critical service providers plan to maintain business continuity during a significant business disruption.

The distinction between critical and non-critical third-party service providers potentially puts advisers between a rock and a hard place. While the proposing release emphasizes that a business continuity and transition plan should entail robust diligence regarding critical providers, it does not elaborate on the specific protocols required for non-critical third-party service providers. The only clear guidance is that advisers should give more scrutiny to critical providers than non-critical ones. An adviser that applies a consistent, high-scrutiny approach to all providers, regardless of importance, may be left wondering whether it needs to differentiate its approach for critical providers, even if just in form, to avoid the appearance of not giving critical providers sufficient scrutiny.

Transition Plan

The final key component is a transition plan that considers how to transfer client relationships when an investment adviser exits the market or undergoes a change in ownership. Whether a transition occurs due to a merger, sale or an inability of the adviser to continue providing advisory services, a transition plan should be designed to facilitate a prompt, smooth transition in both normal and stressed market conditions. A transition plan should contain procedures for safeguarding client assets and handling client-specific information; it should also include an assessment of the applicable law and contractual obligations governing the adviser and its clients.

The Proposed Rule acknowledges that many advisers already have transition plans as a standard business practice and in compliance with parallel regulations. The concept of transition plans is of course well known to firms that are part of banking conglomerates, who have had to grapple with the concept of “living wills” in the post-financial crisis regulatory framework. However, the same concept, as applied to investment advisers, is inapt at best. Investment advisers invest assets for their clients, and follow stringent rules regarding the custody and safekeeping of those assets. A bankruptcy, sudden transition or other “black swan” event with respect to the adviser will not have any effect on the value of the assets held in client accounts. The investment management industry is robust, with several players. If an adviser were to fail, there are many others who would be ready to step in. Living wills and transition plans are particularly important to avoid government bailouts; it is difficult to imagine how a transition of an adviser could require a government bailout (indeed, after Lehman Brothers collapsed and went into bankruptcy at the onset of the financial crisis, its advisory arm was able to smoothly transition clients to Neuberger Berman without harm to investors). The Proposed Rule may serve a greater regulatory purpose for smaller advisers, for which it essentially would add the departure or incapacity of the adviser’s owner or a key member of a small organization to the category of business continuity disruptions.

Larger advisers, by contrast, employ investment teams and likely have a multitude of personnel who are capable of stepping in to ensure uninterrupted advisory services, and they are unlikely to undergo any sort of meaningful transition without careful planning, even in extreme circumstances. For them, the requirement for a written transition plan seems to us to be driven more by the regulatory pressures on the SEC from the other members of the Financial Stability Oversight Council (which recommended a transition planning rule for investment advisers in its April 2016 update on its review of the asset management industry) than by the existence of an actual problem that requires a solution.

Accordingly, it seems unnecessary to require large advisers to have a detailed transition plan and the Proposed Rule is unclear with respect to what would qualify as a transition event that requires a written plan for larger advisers. For example, while a founder selling his or her controlling stake in an adviser is a manifest example of a transition event, what if an adviser’s chief investment officer leaves? What about a junior portfolio manager? If the SEC insists on applying the transition plan requirement to large advisers, some guidance would be useful to assist advisers in this line-drawing exercise.

Annual Review

The Proposed Rule requires each adviser to perform a review of its business continuity and transition plan at least annually. The purpose of the review is to ensure the efficacy of the current plan and to consider whether the plan should be modified in light of changes to the adviser’s products, operations, critical third-party service providers, structure, business activities, clients, or location.

Recordkeeping

Under the proposed amendment to Rule 204-2, advisers must maintain records of their current business continuity and transition plans and any prior iterations of their plans in effect during the preceding five years. An adviser must also maintain records related to the annual review. The records may be stored electronically, but advisers must keep copies to ensure easy access to necessary information during periods of stress and to facilitate review by SEC staff to check for compliance.

Companion Guidance Update for Registered Funds

On the same date as it issued the Proposed Rule, the SEC’s Division of Investment Management published a separate Guidance Update pertaining to the business continuity plans of funds registered under the 1940 Act. Several recent system failures experienced by fund complexes served as an impetus for the SEC to issue this Guidance Update. For example, in August of 2015, a system failure of a third-party service provider resulted in clients of multiple fund complexes receiving stale pricing information over a three-day period. Although the Guidance Update did not appear to consider three days to be an “extended outage,” it noted that an extended outage could have had a far greater negative impact. In the wake of these incidents, the SEC requested information from various funds and service providers, which revealed that some fund complexes appear to be unprepared to deal with extended outages of critical service providers. Accordingly, the SEC released the Guidance Update to discuss its general continuity planning expectations for fund complexes under Rule 38a-1 of the 1940 Act.

The continuity measures espoused in the Guidance Update for registered funds are similar to those in the Proposed Rule. For instance, the Guidance Update also emphasizes the importance of safeguarding business operations against potential system failures and cyber-attacks. Additionally, the Guidance Update defines critical service providers to registered funds to include at least “each named service provider under Rule 38a-1 (i.e., each investment adviser, principal underwriter, administrator and transfer agent), as well as each custodian and pricing agent.” Overall, the Guidance Update suggests that the SEC will hold funds and their control persons to similar standards as those expressed in the Proposed Rule.


[1] E.g., R.T. Jones Capital Equities Mgmt., Inc., Order, No. 3-16827 (Sept. 22, 2015) (imposing a $75,000 civil money penalty on an investment adviser for failing to adopt sufficient procedures to safeguard customer information during a data breach); Morgan Stanley Smith Barney LLC, Order, No. 3-17280 (June 8, 2016) (imposing a $1 million penalty on an investment adviser for failing to safeguard customer information during a cyber-attack).

[2] Cybersecurity Guidance, IM Guidance Update, No. 2015-02 (Apr. 2015) (noting that “advisers should identify their . . . compliance obligations under federal securities laws and take into account these obligations when assessing their ability to prevent, detect and respond to cyberattacks”). See also, e.g., Mary Jo White, Chair, SEC, Opening Statement at SEC Roundtable on Cybersecurity (Mar. 26, 2015); Kenneth Corbin, SEC Warns More Cyber Enforcement Actions Coming, Financial Planning, Apr. 20, 2016 (Andrew Ceresney, head of the SEC’s Enforcement Division, explained, “[c]yber is obviously a focus of ours . . . we’ve brought a number of cases relating to Reg S-P and failure to have policies and procedures relating to safeguarding information . . . [t]here’ll be others coming down the pike.”).

[3] As noted below, in the Guidance Update issued in tandem with the Proposed Rule, the SEC’s Division of Investment Management apparently does not consider three days to be an extended period of time.