The Securities and Exchange Commission (the "SEC") recently proposed new Rule 206(4)-4 (the "Proposed Rule") under the Investment Advisers Act of 1940 (the "Advisers Act"), which would require registered investment advisers to adopt and implement business continuity and transition plans ("BCPs").1 At the same time, the SEC's Division of Investment Management issued a Guidance Update discussing certain elements of BCPs that registered investment companies ("funds") should consider adopting under Rule 38a-1 under the Investment Company Act of 1940.2

The Proposed Rule is the most recent installment of the five-part package of reforms outlined by SEC Chair White in late 2014.3 It likely is driven by the SEC's ongoing efforts to address systemic risk concerns that the Financial Stability Oversight Council believes are presented by asset managers.4 The Guidance Update, on the other hand, appears more closely related to last year's event in which a major service provider experienced software failures that interrupted its ability to act as a pricing agent. It focuses on the need for a fund's BCP to account for dependencies on critical service providers and how the fund would respond to an interruption of services from such providers.

Proposed Rule

Background

Since 2003, when the SEC adopted Rule 206(4)-7, the investment adviser compliance rule, there has been a general consensus regarding the obligation of most larger advisers to adopt BCPs as a part of their compliance programs. In the adopting release to Rule 206(4)-7, the SEC listed BCPs among the issues that an adviser's policies and procedures should address, to the extent relevant. In that release, the SEC went even further and stated that an adviser's fiduciary duties to its clients include the obligation to "take steps to protect the clients' interests from being placed at risk as a result of the adviser's inability to provide advisory services after, for example, a natural disaster, or in the case of smaller firms, the death of the owner or key personnel."5

The Proposed Rule would codify the SEC's 2003 statements regarding an adviser's obligations to have a BCP, and would specify in more detail the content of advisers' BCPs. In the Proposing Release, the SEC acknowledged that many advisers have, as part of their general risk management policies and procedures, taken steps to address and mitigate risks of business disruption, but pointed to weaknesses in some BCPs the SEC staff observed after Hurricane Sandy.6

The Proposed Rule, described in more detail below, would specify elements of what the SEC believes to be more robust BCPs of advisers. Echoing its earlier statements, the SEC notes in the Proposing Release that an adviser's fiduciary duty obligates it to take steps to protect client interests from being placed at risk as a result of an adviser's inability to provide services. Therefore, the SEC believes it would be "fraudulent and deceptive" for an adviser to hold itself out as providing advisory services unless it has taken steps to protect a client's interests following a disruption event.7

The SEC requested comment on all aspects of the Proposed Rule. Comments are due on or before September 6, 2016.

BCP Content

The Proposed Rule would require registered investment advisers to adopt and implement a written BCP reasonably designed to address operational and other risks related to a significant disruption in the adviser's operations, to ensure (i) business continuity after a significant business interruption and (ii) business transition if the adviser is unable to continue providing investment advisory services to its clients.8 An adviser would be required to review the adequacy and effectiveness of its BCP at least annually.9

The SEC identified certain business disruption events that should be addressed by a BCP, including natural disasters, acts of terrorism, cyber-attacks, equipment or system failures, or unexpected loss of a service provider, facilities or key personnel. To these, the SEC added the unexpected termination of some or all of the adviser's business as a result, for example, of stressed market conditions or due to a sale of its business.

The Proposed Rule would require an adviser's BCP to be based on the risks associated with the adviser's operations and to include policies and procedures designed to minimize material disruptions of client services.10 Although the SEC acknowledged the need for an adviser to tailor its BCP to its particular circumstances, the Proposed Rule would require that a BCP include a transition plan as well as the following specific components (suggested actions outlined by the SEC in the Proposing Release are also provided below):

  • Maintenance of critical operations and systems, and the protection, backup and recovery of data, including client records. A BCP should identify and prioritize critical functions that are utilized for the prompt and accurate processing of portfolio transactions, and the valuation and maintenance of client accounts. Advisers also should identify key personnel that provide critical functions, such that the loss of such personnel would disrupt the adviser's ability to provide services to its clients. With respect to data protection, backup and recovery, a BCP should address both hard and electronic backup and include an inventory of key documents (including details of an adviser's management structure and risk management processes), including the location and description of each.
  • Pre-arranged alternative physical location(s) of the adviser's office(s) and/or employees. An adviser should consider the geographic diversity of its offices or remote sites and employees, as well as access to the systems, technology, and resources necessary to continue operation at different locations in the event of a disruption.11 The SEC urged advisers to consider technology that allows for secure remote access.
  • Communications with clients, employees, service providers, and regulators. A BCP should address how the adviser will communicate to employees, clients, service providers and other persons involved in critical aspects of the adviser's operations in the event of a business disruption. A BCP also should address employee training to highlight specific roles and responsibilities following a business disruption.
  • Identification and assessment of third-party services critical to the operation of the adviser. A BCP should identify third-party vendors supporting critical functions or services for or on behalf of the adviser. The SEC wants advisers to assess the BCPs of service providers to the extent those BCPs would affect the adviser's operations following a disruption event. In the absence of a BCP, an adviser should consider alternatives for such critical services, which may include other service providers or internal functions as contingencies.

Under the Proposed Rule, a BCP should include a plan of transition that accounts for the possible winding down or transition of the adviser's business if the adviser is unable to continue providing investment advisory services. According to the SEC, transition plans should be designed to prepare an adviser to act quickly and in its clients' best interests following a transition event. Under the Proposed Rule, a plan of transition should include the following key components:

  • Policies and procedures intended to safeguard, transfer and/or distribute client assets during transition. A BCP should reflect the unique attributes of each type of the adviser's clients (e.g., registered investment companies, private funds and separately-managed accounts)12 and account for the different transfer and distribution methods applying to each client type. BCPs also should address special instructions applying to clients holding assets that would require special treatment.
  • Policies and procedures facilitating the prompt generation of any client-specific information necessary to transition each client account. Client-specific information includes, for example, the identity of custodians, positions, counterparties, collateral and related records of each client.
  • Information regarding the corporate governance structure of the adviser. A BCP should include an organizational chart and other information about the adviser's ownership and management structure, including the identity and contact information for key personnel, and the identity of affiliates (both foreign and domestic) whose dissolution or distress could lead to a change in or material impact to the adviser's business operations.
  • Identification of any material financial resources available to the adviser. For example, an adviser could identify any material source of funding, liquidity, or capital it would seek to ensure continued operations in times of stress. An adviser also could consider how it would implement a reduction of expenses following a disruption event.13
  • An assessment of the applicable law and contractual obligations governing the adviser and its clients, including pooled investment vehicles, implicated by the adviser's transition. The SEC noted that contractual obligations and the need to comply with multiple regulatory regimes could affect an adviser's ability to transition its advisory services.

Annual Review

Under the Proposed Rule, an adviser would be required to review at least annually the adequacy and effectiveness of its BCP.14 In the Proposing Release, the SEC provided guidance on the scope of such annual review, stating that the review should consider any changes to the adviser's products, services, operations, critical third-party service providers, structure, business activities, client types, location and any regulatory changes that might suggest a need to revise its BCP. The review should include an analysis of whether a BCP adequately protects clients' interests from being placed at risk and steps to mitigate such risks following a disruption event. The annual review also should address weaknesses an adviser may have identified and any lessons learned during a BCP's implementation during the previous year.

Recordkeeping

In connection with the Proposed Rule, the SEC also proposed to amend Rule 204-2 under the Advisers Act to require an adviser to maintain copies (including electronic copies) of all BCPs (including records documenting its annual review) that are in effect or were in effect at any time during the previous five years following the compliance date of the Proposed Rule.15 The SEC stated that this requirement addresses the importance that advisers retain easy access to necessary information during periods of stress. The recordkeeping requirement under the Proposed Rule tracks similar requirements under Rule 204-2 regarding an adviser's compliance policies and procedures adopted pursuant to Rule 206(4)-7.

Implications of the Proposed Rule

The Proposed Rule would impose additional and detailed regulatory requirements on advisers. The amount of the burden on an adviser – if the Proposed Rule is adopted as proposed – will turn on the extent to which the adviser has already implemented a detailed BCP. For example, advisers who also are broker-dealers already have detailed BCPs in place, and advisers that are part of larger financial institutions likely already rely, at least in part, on broader, enterprise-wide BCPs.16

Advisers also often rely on third-party service providers to meet the bulk of their operational or "back office" functions, and the SEC acknowledged that advisers would likely seek to comply with the Proposed Rule, in part, by seeking information from third-party service providers regarding their BCPs. However, advisers that rely on various large technology platforms to conduct their businesses are likely to face additional challenges in developing and maintaining BCPs under the Proposed Rule. An adviser may be unlikely to successfully negotiate changes to such platforms if it finds the platforms' BCPs to be wanting or difficult to fold into the adviser's BCP. In some cases, third-party service providers are selected by clients, and rejection of the service provider is not an available option if an adviser wants to retain the client.

Overall, it is unclear to what extent all but the largest advisers will be able to effect meaningful changes with respect to third-party service providers. Later in this Stroock Special Bulletin, we discuss a few areas of focus for advisers to engage in discussions with their technology vendors and other service providers with respect to contractual arrangements implicating business continuity planning.

Given the compliance regime that has evolved out of Rule 206(4)-7, and the prior statements by the SEC with respect to an adviser's fiduciary obligation to protect its clients from business disruptions, one might question what the Proposed Rule is really adding to the existing regulatory framework. Client assets are usually kept separate from the adviser, and the failure of an adviser will likely simply result in the client obtaining advisory services from another adviser, without the movement of any client assets or the intervention of any bankruptcy court. When, for example, Lehman Brothers failed in 2008, its asset management business (Neuberger Berman) was spun off into a separate business. Looking further back into history, when Drexel Burnham Lambert failed in 1990, its asset manager, Burnham Management, also was spun off into a separate company.17

SEC Guidance for Funds and Their Boards

Concurrent with the issuance of the Proposing Release, the staff of the SEC's Division of Investment Management issued the Guidance Update highlighting the operational risks associated with business disruption events for funds. The Guidance Update points to the obligations of funds under Rule 38a-1 to have compliance policies and procedures, including procedures that address the risk of loss of business continuity and discusses a number of measures the SEC staff believes funds should consider as part of evaluating their business continuity preparedness, especially with respect to critical service providers.18

In the SEC staff's view, a fund should have tailored compliance policies and procedures that address business continuity planning and potential disruptions in services, whether provided by the fund's investment adviser or affiliates or by a third-party service provider. Although the SEC staff acknowledged that funds and their service providers have continued to build and improve their business continuity practices, they cited last year's well-publicized third-party system malfunction at a service provider19 as a recent event where they believed some funds could have been better prepared to manage a business disruption event involving one of their critical service providers.

Notable BCP Practices

The Guidance Update summarized the findings of a recent outreach by the SEC staff to a number of funds and their advisers regarding BCPs generally. Instead of stating specific obligations that funds have with respect to their BCPs, the Guidance Update highlights the following "notable practices" identified by the SEC staff regarding business continuity planning by funds:

  • BCPs typically cover the facilities, technology/systems, employees and activities conducted by the fund's investment adviser and any affiliates, as well as dependencies on critical services provided by third-party service providers.
  • A broad cross-section of employees from key functional areas are involved in BCPs, typically including senior management, technology, information security, operations, human resources, communications, legal, compliance, and risk management.
  • A fund's Chief Compliance Officer ("CCO") typically participates in the fund's third-party service provider oversight process.
  • BCP presentations are typically provided to a fund's board of directors on an annual basis.20
  • For many funds, some form of BCP testing occurs at least annually, and the results of that testing may be shared in updates to fund boards.
  • Business continuity outages, including those incurred by a fund or a critical third-party service provider, are monitored by the CCO and other pertinent staff and reported to the fund's board as warranted.

BCP Considerations to Address Critical Service Providers

Because funds outsource key aspects of their operations to critical service providers, the SEC staff believes that funds should consider conducting thorough initial and ongoing due diligence of those third parties, including due diligence of their service providers' BCPs.21 The staff suggested that funds consider the following lessons learned from past business continuity events and their outreach efforts when assessing their BCPs relating to critical service providers:

  • Back-Up Processes and Contingency Plans. A fund should consider examining its critical service providers' backup processes, the robustness of the provider's contingency plans, including reliance on other critical service providers, and how these providers intend to maintain operations during a significant business disruption. Funds generally should understand how their own BCPs address the risk that a critical service provider could suffer a significant business disruption and how the provider and the fund might respond under certain scenarios.
  • Monitoring Incidents and Communications Protocols. A fund should consider how it can best monitor whether a critical service provider has experienced a significant disruption (e.g., a cybersecurity breach) that could impair the service provider's ability to provide uninterrupted services, the potential effect that disruption may have on fund operations and the communication protocols and steps that may be necessary for the fund to successfully navigate the disruption.22
  • Understanding the Interrelationship of Critical Service Provider BCPs. To better ensure that the fund can continue operations and/or promptly resume operations during a significant business disruption, a fund should consider how the BCPs of its critical service providers relate to each other. For example, funds should discuss with their service providers any redundancies and backup plans the service provider has in the event it experiences a significant business disruption. Additionally, funds should consider if they have backup procedures that address the steps that would need to be taken to successfully navigate through the service provider disruption.
  • Contemplating Various Scenarios. A fund should consider how a critical service provider disruption could impact fund operations and generally have a plan for managing the response to potential disruptions under various scenarios, whether such disruptions occur with an affiliated or third-party service provider.

Board and CCO Oversight of Fund BCPs

In the SEC staff's view, as part of a fund board's oversight function, boards generally should discuss with the fund's investment adviser and other critical service providers the steps being taken to mitigate the risks associated with business disruptions and the robustness of the service providers' business continuity planning, including how the fund's own BCP addresses the risk that a critical third-party service provider could suffer a business disruption.

The Guidance Update also seems to suggest a larger role for a fund's CCO to the extent business and operational continuity is viewed as part of the compliance function. Typically, CCOs will not have the skill sets useful in promoting well-designed technology or in assessing third-party capabilities. We have already seen the SEC bring enforcement actions against advisers that failed to have adequate cybersecurity policies, and in light of the Guidance Update, CCOs should be alert to their obligations with respect to fund BCPs.23

Technology Vendors and Other Third Party Service Providers

The Proposing Release and the Guidance Update reflect the SEC's continued recognition of maintenance and protection of technology infrastructure, including potential cyber-attacks, as a primary area of risk.24 Indeed, the weaknesses the SEC observed in advisers' BCPs with respect to telecommunications and technology were a stated impetus for the Proposed Rule.

Although the Proposing Release and the Guidance Update focus on the key components of BCPs, advisers and funds should not lose sight of the fact that the foundation of an effective BCP as it relates to technology infrastructure may be, in certain respects, dependent on the contractual relationships with their existing and future technology vendors. Indeed, many of the observations of the SEC examination staff reflected in the Proposing Release have direct relevance to vendor contracts and serve as reminders of the types of provisions advisers and funds should consider including in such contracts.

At a most basic level, vendors must be active participants in an adviser's or fund's BCP. From a contractual standpoint, this may start with an obligation for a vendor of a critical system or operation to have its own BCP and test it annually. The SEC has signaled the need for collaboration among advisers, funds and their technology vendors.25 This may translate into contract provisions providing for transparency regarding the vendors' BCPs and disaster recovery systems, as well as related obligations, including minimum requirements, physical location, annual testing and reporting, and notification of material changes. Of course, vendors might also be obligated to participate in the annual review of an adviser's or a fund's own BCP. In light of the SEC examination staff's finding regarding inadequate testing of BCPs, the existence of a BCP that is appropriate on its face may provide little protection if implemented poorly with vendors following an actual business interruption.

Similarly, an otherwise thorough BCP may provide little protection if delayed in its implementation (e.g., due to a vendor's failing to either adequately monitor its systems or provide notification of issues). As discussed above, the Proposed Rule will require an adviser's BCP to include a communication plan, and the communication plan may reflect both monitoring and notification of disruptions. Although contractual remedies may be limited, parameters regarding such monitoring and notifications may be incorporated into the vendor contract.

As another example, the Proposing Release and the Guidance Update note the importance of considering the interrelationship of vendors in creating a BCP and enhancing preparedness. Also important is the interrelationship of third-party vendor systems and an adviser's internal, proprietary systems. Mapping such interrelationships (the physical telecommunications interconnections and the logical data inputs and outputs among them) can be important to the creation of a BCP. With the normal interrelation mapped, potential deviations to it necessitated by interruptions can be considered and addressed in vendor contracts. The contracts might include pre-negotiated statements of work for the provision of backup services. For example: providing for alternate data formats or forms of data transfer used by the vendor; the provision of additional services as a replacement for impaired third-party or adviser-provided services; or other potential workarounds.

In short, this may be an appropriate time for advisers and funds to take inventory of their existing vendor contracts and revisit requirements for future ones. Although certain of the takeaways may not be new, they may provide insight into the SEC's future evaluation of BCPs and the management of technology vendors and other third-party service providers.

Footnotes

1. Adviser Business Continuity and Transition Plans, 81 FR 43530 (July 5, 2016) (the "Proposing Release").

2. SEC Investment Management Guidance Update No. 2016-04, Business Continuity Planning for Registered Investment Companies (June 2016), available at https://www.sec.gov/investment/im-guidance-2016-04.pdf (the "Guidance Update").

3. Mary Jo White, Chair, SEC, Enhancing Risk Monitoring and Regulatory Safeguards for the Asset Management Industry, (Dec. 11, 2014), available at http://www.sec.gov/News/Speech/Detail/Speech/1370543677722. In addition to the Proposed Rule, over the last twelve months the SEC has issued proposals relating to (i) modernizing and enhancing reporting requirements for funds and advisers, (ii) liquidity risk management for certain funds and (iii) funds' use of derivatives. The last part of the outlined reform package—stress testing for large funds and advisers—has not yet been proposed.

4. See, e.g., Financial Stability Oversight Council, Update on Review of Asset Management Products and Activities (April 18, 2016), available at https://www.treasury.gov/initiatives/fsoc/news/Documents/FSOC%20Update%20on%20Review%20of%20Asset%20Management%20Products%20and%20Activities.pdf.

5. Compliance Programs of Investment Companies and Investment Advisers, Advisers Act Release No. 2204 (Dec. 17, 2003) at n. 22, available at https://www.sec.gov/rules/final/ia-2204.htm.

6. National Exam Program Risk Alert, SEC Examinations of Business Continuity of Certain Advisers Following Operational Disruptions Caused by Weather-Related Events Last Year (Aug. 27, 2013), available at https://www.sec.gov/about/offices/ocie/business-continuity-plans-risk-alert.pdf (the "NEP Alert").

7. Proposing Release at 43532.

8. Proposed Rule 206(4)-4(a).

9. Proposed Rule 206(4)-4(a)(2).

10. Proposed Rule 206(4)-4(b)(2).

11. The SEC noted this requirement is generally consistent with regulations adopted by other regulatory agencies. Proposing Release at 43539 n. 79 and accompanying text.

12. The SEC noted that the transfer of client information with respect to funds and private funds may be more complex than that of separately managed accounts. Id. at 43542. It is unclear, however, whether the terms of the Proposed Rule itself extend to operations of a private fund advised by the adviser (or for that matter the investors of a fund). Courts have held that a fund (rather than the investors in the fund) is the client of the adviser. See Goldstein v. SEC, 451 F.3d 873 (D.C. Cir. 2006).

13. The SEC clarified that, when considering any material financial resources available to it, an adviser could identify any insurance coverage. Proposing Release at 43543 n. 122.

14. Proposed Rule 206(4)-4(a)(2).

15. Proposed Rule 204-2(a)(20) and (e)(1).

16. See FINRA Rule 4370 (requiring that member BCPs address certain elements, including data backup and recovery, all mission critical systems, alternate communications, alternate physical location of employees and critical business constituents (i.e., a business with which a member has an ongoing commercial relationship in support of the member's operating activities)). See also NASD, Notice to Members 04–37: Business Continuity Plans (May 2004), available at https://www.finra.org/sites/default/files/NoticeDocument/p003095.pdf.

17. The only examples cited in the Proposing Release of transitions that have not "been seamless or without a problem" involve the winding down of Long-Term Capital Management, L.P. in 1998 and The Reserve Fund in 2008. Proposing Release at 43536. In both of those cases, however, the immediate wind-down was of the adviser's client (a hedge fund and a money market fund, respectively), and was made difficult by the need to sell large amounts of illiquid securities held in those funds' portfolios. It is not readily apparent what, if anything, in the Proposed Rule would have even addressed these circumstances.

18. In the SEC staff's view, a fund's critical service providers likely would include, but not be limited to, each named service provider under Rule 38a-1 (i.e., the fund's investment adviser and any sub-investment adviser, principal underwriter, administrator and transfer agent), as well as the fund's custodian and any pricing agents.

19. In August 2015, The Bank of New York Mellon experienced a malfunction in one of its third-party systems provided by SunGard Data Systems Inc., and was unable to, among other things, deliver timely system-generated net asset values ("NAVs") for certain clients for several days. This malfunction resulted in the affected funds having to price their shares using stale or manually calculated NAVs.

20. These presentations may be provided separately, as part of periodic presentations related to contractual arrangements (including as part of the annual section 15(c) process for considering the renewal of investment advisory arrangements), or as part of the CCO's annual presentation to the board, as required by Rule 38a-1.

21. The SEC staff noted that funds typically seek a combination of information, including, but not limited to, service provider presentations, on-site visits, questionnaires, certifications, independent control reports and summaries of programs and testing, where appropriate, including with respect to BCPs. Guidance Update at 4.

22. Such protocols might include: (i) policies and procedures for internal communications across the fund complex (e.g., involving key function area personnel) as well as with fund boards; (ii) external communications plans that address ongoing discussions with the affected service provider (as well as other providers as warranted) and intermediaries, investors, regulators, and the press, as appropriate; (iii) maintaining updated and accessible contact information for essential communications with various constituents during an event; and (iv) providing timely communications that report progress and next steps (e.g., posting updates to websites or portals to facilitate accessibility and broad dissemination of information). Id. at 5-6.

23. See, e.g., R.T. Jones Capital Equities Mgmt., Inc., Advisers Act Rel. No. 4204 (Sept. 22, 2015).

24. Proposing Release at 43545 (BCPs "shall include policies and procedures ... that address ... maintenance of critical operations and systems, and the protection, backup, and recovery of data") and Guidance Update at 1 (noting increasing use of third-party technologies and consideration of them as part of business continuity planning). Prior SEC consideration of technology includes, for example: Regulation Systems Compliance and Integrity, Securities Exchange Act Rel. No. 73639 (Nov. 19, 2014); NEP Alert (addressing "Telecommunications Services and Technology Considerations"); SEC Investment Management Guidance Update No. 2015-02, Cybersecurity Guidance (April 2015), available at http://www.sec.gov/investment/im-guidance-2015-02.pdf and OCIE Cybersecurity Examination Sweep Summary, OCIE, National Exam Program Risk Alert, Vol. IV, Issue 4 (Feb. 3, 2015), available at http://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf (providing summary observations from the examinations of 57 broker-dealers and 49 advisers conducted under OCIE's Cybersecurity Initiative). See also National Exam Program Risk Alert, OCIE Cybersecurity Initiative (Apr. 15, 2014), available at http://www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert--Appendix---4.15.14.pdf.

25. Proposing Release at 43534 (noting failure of advisers to engage service providers to ensure backup servers worked properly) and Guidance Update at 3 (noting "particularly the need to understand the business continuity and disaster recovery protocols of critical fund service providers" and the need for continuing diligence).
