The staff (“Staff”) of the SEC’s Office of Compliance Inspections and Examinations released a Risk Alert sharing its observations of COVID-19-related issues, risks and practices relevant to SEC-registered broker-dealers and investment advisers (together, “Firms”).1 The Staff’s observations and recommendations are grouped into the following six categories: (1) protection of investors’ assets; (2) supervision of personnel; (3) practices relating to fees, expenses and financial transactions; (4) investment fraud; (5) business continuity; and (6) the protection of investor and other sensitive information.
1. Protection of Investor Assets
The Staff observed that, in light of the current environment, Firms have modified normal operating practices regarding collecting and processing investor checks and transfer requests. The Staff encourages Firms to review and adjust their practices as appropriate, including situations where investors mail checks to Firms and Firms are not picking up mail daily. According to the Risk Alert, Firms should consider updating their policies to reflect any adjustments and disclosing to investors that processing of checks or assets mailed to the Firm may be delayed.
Additionally, the Staff encourages Firms to consider policies and procedures related to disbursements to investors in light of COVID-19, including any unusual or unscheduled investor withdrawals. The Staff suggests Firms consider additional steps to validate the investor’s identity and the authenticity of disbursement instructions, and suggests Firms recommend that each investor identify a trusted contact person.
2. Supervision of Personnel
In light of the significant changes made by many Firms in response to the effects of COVID-19, such as transitioning to Firm-wide teleworking, the Staff encourages Firms to review and modify as appropriate their policies and procedures to supervise their personnel. Specifically, the Staff suggests Firms consider practices to address: (i) oversight of supervised persons working remotely; (ii) securities recommendations in market sectors with greater volatility or risk for fraud; (iii) limits on due diligence with respect to the review of third-party managers, investments and portfolio companies; (iv) communications or transactions that take place outside of the Firms’ systems due to remote working and use of personal devices; (v) remote oversight of trading, including reviews of affiliated, cross and aberrational trading; and (vi) the inability to perform adequate diligence during background checks when onboarding personnel or to have them take requisite exams.
3. Fees, Expenses and Financial Transactions
The Staff observed that the current environment may have increased the potential for misconduct regarding: (i) financial conflicts of interest, such as borrowing or taking loans from investors and clients and making investment recommendations that carry higher costs and generate greater compensation for supervised persons; and (ii) fees and expenses charged to investors, such as advisory fee calculation errors, including valuation issues that result in over-billing, inaccurate calculation of tiered fees (e.g., failure to apply breakpoints and discounts), and failure to refund prepaid fees for terminated accounts.
The Staff encourages Firms to review their fee and expense policies and consider enhancing compliance monitoring by validating the accuracy of their disclosures, fee and expense calculations, and investment valuations; identifying transactions resulting in high fees and expenses to investors, monitoring for such trends and evaluating whether these transactions are in investors’ best interests; and assessing the risks and conflicts associated with borrowing or taking loans from investors, clients and other parties. According to the Staff, advisers who sought financial assistance should assess whether they must update disclosures on Form ADV Part 2.
4. Investment Fraud
The Staff has observed a heightened risk of investment fraud through fraudulent offerings during times of crises or uncertainty and encourages Firms to consider these risks when conducting investment due diligence and determining whether investments are in investors’ best interest.
5. Business Continuity
The Staff observed that the shift to remote work during the pandemic may raise compliance issues and other risks, including the need to modify or enhance: (i) policies and procedures to address the unique risks and conflicts presented by remote operations, such as supervised persons needing to assume new or expanded roles; and (ii) security and support for facilities and remote sites, such as consideration of additional resources and/or measures to secure servers and systems, the integrity of vacated facilities, relocation infrastructure and support for personnel operating remotely, and protection of remote location data. The Staff added that mission critical services to investors may be at risk if Firms lack built-in redundancies for key operations and key person succession plans.
6. Protection of Sensitive Information
The Staff observed that the use of videoconferencing and other electronic communication methods create: (i) vulnerabilities related to the potential loss of sensitive information, including investors’ personally identifiable information attributable to remote access to networks and use of web-based applications, increased use of personally-owned devices, and changes in controls over physical records, such as sensitive documents printed at remote locations; and (ii) more opportunities for phishing attempts and other means to improperly access Firms’ systems and accounts.
The Staff encourages Firms to be cognizant of these risks and assess their policies and procedures regarding systems access, investor data protection and cybersecurity. Specifically, the Staff suggests Firms consider: enhanced identity protection practices; providing Firm personnel with additional trainings and reminders; conducting heightened reviews of personnel access rights and controls as personnel assume new or expanded roles; use of validated encryption technologies; ensuring security of remote access servers; enhancing system access security, such as requiring multifactor authentication; and addressing cyber-related issues related to third parties that may be accessing Firms’ systems remotely.
The Risk Alert highlights OCIE’s continued focus on the appropriateness and effectiveness of Firms’ policies, procedures and practices in view of the particular risks and operational challenges presented by the COVID-19 pandemic. Seward & Kissel LLP, and our compliance consulting service SKRC (Seward & Kissel Regulatory Compliance), are available to assist Firms with the review, design, implementation of policies and procedures to address the issues identified in the Risk Alert.
Seward & Kissel has established a COVID-19 Resource Center on our web site to access all relevant alerts that we distribute.