United States: SEC Proposes Rule Requiring Investment Advisers To Adopt Business Continuity And Transition Plans

On June 28, 2016, the U.S. Securities and Exchange Commission (the "SEC") proposed new Rule 206(4)-4 (the "Rule") under the Investment Advisers Act of 1940 (the "Advisers Act") that would require an investment adviser registered with the SEC ("RIA") to, among other things: (i) adopt and implement business continuity and transition plans; (ii) conduct an annual review of those plans; and (iii) comply with corresponding recordkeeping requirements.1 Comments on the Rule are due on or before September 6, 2016.

Underlying the Rule is the SEC's view that an RIA's fiduciary duty obligates it to take steps to protect its clients' interests from the potential ramifications of the RIA's temporary or permanent inability to provide advisory services. In proposing the Rule, the SEC sought to protect clients of an RIA from the effects of temporary or permanent operational risks to the RIA such as natural disasters, cyber-attacks, acts of terrorism, technology failures and the departure of key personnel. The Rule also seeks to protect clients from operational risks associated with events such as a sale, asset transfer or wind-down of the RIA's operations. The SEC has acknowledged that the scope of an RIA's policies and procedures under the Rule will depend on the size and nature of an RIA's business; the Rule nonetheless establishes a set of specific elements that need to be included in an RIA's business continuity and transition plan. In setting out greater specificity for policies and procedures covering business continuity and transition plans, the SEC appears to have concluded that the requirements of Rule 206(4)-7 under the Advisers Act are not sufficient with respect to those plans.2 In this regard, the SEC noted the observations of its examination staff that existing plans undertaken in accordance with Rule 206(4)-7 are "uneven and, in some instances, may not be sufficiently robust to mitigate the potential adverse effects of a significant business disruption on clients."3

At the same time that the SEC proposed the Rule, the SEC staff published guidance related to business continuity considerations for investment companies registered under the Investment Company Act of 1940 (the "1940 Act") indicating that registered investment company complexes should evaluate their response to significant business disruptions affecting both internal operations and critical third-party service providers.4 According to the guidance, an investment company's ability to continue operations during a business continuity event should be considered part of the company's compliance obligations under 1940 Act Rule 38a-1.

Business Continuity and Transition Plans Under the Rule

Under the Rule, an RIA's business continuity and transition plan would need to include policies and procedures concerning: (i) business continuity after a significant business disruption; and (ii) business transition in the event that the RIA is unable to continue providing investment advisory services to its clients. The content of a business continuity and transition plan is to be based on the risks associated with the RIA's operations and must include policies and procedures designed to minimize material service disruptions, including policies and procedures that address the following:

  • Maintenance of critical operations and systems, and the protection, backup and recovery of data
    In its discussion of the Rule, the SEC said that in determining which operations and systems are critical, an RIA should consider those that are utilized for prompt and accurate processing of portfolio securities transactions on behalf of clients (including the management, trading, allocation, clearance and settlement of such transactions), as well as those operations and systems that are material to the valuation and maintenance of clients' accounts, access to clients' accounts and the delivery of funds and securities. An RIA should also identify key personnel whose temporary or permanent loss would disrupt the RIA's ability to provide services to its clients.

    According to the SEC, an RIA's plan with respect to data protection, backup and recovery should address both hard copy and electronic backup, focusing, in particular, on risks related to cyber-attacks.5 Moreover, an RIA should prepare an inventory of key documents, including the location and description of the documents, and a list of the RIA's service providers that are necessary to maintain functional operations.
  • Pre-arranged alternate physical locations of the RIA's offices and/or employees
    According to the SEC, an RIA should consider the geographic diversity of its offices or remote sites and employees, as well as access to the systems, technology and resources necessary to continue operations at different locations in the event of a disruption.
  • Communications with clients, employees, service providers and regulators
    The SEC is of the view that an RIA's communication plan should generally cover, among other things: (i) the methods, systems, backup systems and protocols that will be used for communications; (ii) the way in which employees are informed of a significant business disruption; (iii) the way in which employees should communicate during such a disruption; (iv) contingency arrangements communicating the persons who would be responsible for taking on other responsibilities in the event of loss of key personnel; and (v) employee training.

    The SEC added that an RIA should also consider when and how it is in its clients' best interests to be informed of a significant business disruption and/or its effect, how service providers will be notified of a significant business disruption at the RIA and vice versa, and under what circumstances regulators will be notified.
  • Identification and assessment of third-party services critical to the operation of the RIA
    In elaborating on this element of the Rule, the SEC noted that an RIA should identify critical functions and services provided by the RIA to its clients, and third-party vendors supporting or conducting critical functions or services for the RIA and/or on the RIA's behalf. The SEC went on to say that, in determining which service providers should be deemed critical, an RIA should consider, among other things, the day-to-day operational reliance on the service provider and the existence of a backup process or multiple providers, whether or not the service provided includes direct contact with clients or investors and whether the service provider is maintaining critical records or is able to access personally identifiable information. Once an RIA identifies its critical service providers, it should review and assess how these service providers plan to maintain business continuity when faced with significant business disruptions and consider how this planning will affect the RIA's operations.6
  • Transition plan
    Under the Rule, an RIA's business continuity and transition plan would need to include a specific plan of transition that accounts for the possible winding-down of the RIA's business or the transition of the RIA's business to others in the event that the RIA is unable to continue providing advisory services. The SEC's view is that an RIA's plan of transition should include: (i) policies and procedures intended to safeguard, transfer and/or distribute its clients' assets during transition; (ii) policies and procedures facilitating the prompt generation of any client-specific information necessary to transition each client account; (iii) information regarding the corporate governance structure of the RIA; (iv) the identification of any material financial resources available to the RIA; and (v) an assessment of the applicable law and contractual obligations governing the RIA and its clients, including pooled investment vehicles, implicated by the RIA's transition.

According to the SEC, the degree to which an RIA's business continuity and transition plan addresses a required component under the Rule will depend upon the nature of the RIA's business, consistent with its fiduciary duty to protect its clients' interests from risks of business disruption generally. In that regard, the SEC noted that business continuity and transition plans must address all components set out in the Rule, but that plans need only take into account the risks associated with an RIA's operations, including the nature and complexity of its business, clients and key personnel.

Public Comment

The SEC has requested public comment on a number of aspects of the Rule, including, among others:

  • whether all RIAs should be subject to the Rule or only a subset of RIAs, such as an RIA with assets under management over a specific threshold;
  • whether the SEC staff should, as an alternative to the Rule, issue guidance under Advisers Act Rule 206(4)-7 addressing business continuity and transition plans;
  • whether the SEC should, instead of mandating the components of business continuity plans of RIAs, enable each RIA to determine those components;
  • whether the SEC should adopt a more prescriptive rule that resembles "Living Wills" required by the Federal Reserve Board and the Federal Deposit Insurance Corporation for large banks and systemically important non-bank entities; and
  • whether an RIA's business continuity plan should be provided to its clients, disclosed in a summary format or not be disclosed at all.

Implications for RIAs

The obligation to address business continuity considerations is not a new requirement for RIAs. Nonetheless, the Rule, if adopted in its current form, could have significant consequences. Five potential consequences are of particular note.

Potential Liability

The SEC, in proposing the Rule, noted clearly that it "would be fraudulent and deceptive [within the meaning of Section 206, the Act's antifraud provision] for an [RIA] to hold itself out as providing advisory services unless it has taken steps to protect clients' interests from being placed at risk as a result of the [RIA]'s inability (whether temporary or permanent) to provide those services."7 Thus, the Rule contemplates the possibility, among other things, that an RIA following a business continuity plan, but experiencing service disruptions following, for example, a natural disaster or other unforeseen event, could face liability for fraud under Section 206 of the Advisers Act.8

Need to Consolidate Business Continuity Requirements

The SEC has recognized that certain RIAs are "subject to other regulatory requirements as to business continuity and/or transition planning."9 The SEC, in proposing the Rule, cited in particular the business continuity rules that are already mandated by FINRA10 and the CFTC,11 as well as model rules promulgated by the North American Securities Administrators Association.12 An RIA should consider consolidating all of those applicable requirements into a comprehensive plan in seeking to ensure that its business continuity plan works effectively and efficiently and meets all applicable requirements.

Disclosure

Historically, an RIA has often addressed the potential consequences of natural disasters and other unexpected service disruptions by engaging in prior planning and providing disclosures to its clients about such risks. An RIA should, when determining how to meet the Rule's terms and conditions, consider not only additional planning steps, but also the potential need for enhanced disclosures to its clients. An RIA might, for example, choose to include disclosure to its clients to the effect that despite its best efforts, business continuity and transition planning efforts cannot guarantee that all service disruptions will be prevented.

The Rule's Applicability to Different Types of RIAs

Requiring an RIA to develop and maintain transition plans marks a new obligation under SEC regulations. Under the Rule, an RIA's plan of transition would need to account for the possible winding-down of the RIA's business or the transition of the RIA's business to another RIA.13 The type of transition policy that is appropriate for an RIA will vary based on the size and nature of each RIA's business. The Rule, as proposed, would be applicable to RIAs of all sizes. When proposing the Rule, the SEC highlighted the potential ramifications of an RIA's dissolution on broader market conditions,14 suggesting that the primary focus for the transition plan requirement is an RIA with significant levels of assets under management, the dissolution of which could affect financial markets if handled unskillfully. Making clear, however, that the Rule is not limited to larger advisers, the SEC noted the importance of an RIA attending to individual (retail) clients in connection with transitions and winding-down of its affairs.

The Rule would appear to have special consequences for an RIA managing private funds not registered under the 1940 Act. The Rule would by its terms require an RIA's transition plans to include an assessment of contractual obligations governing the RIA and its clients. This requirement would seem to implicate, among other things, contractual provisions of private funds involving key persons and the removal or replacement of the general partner, which have typically been addressed through negotiated arrangements with limited partner investors. The SEC noted that an RIA will need to "consider the unique attributes of each type of the [RIA's] clients"15 and will need to analyze the types of assets that are held in each client's account16 with respect to the merger or acquisition of an RIA.

Economic Effects

The Rule requires an RIA to analyze third-party service providers' plans to maintain business continuity in the face of a significant business disruption and to review all contractual obligations and clients' attributes to prepare for a transition. Meeting this requirement could result in additional costs for RIAs. The SEC has said that an RIA should "generally consider [in connection with the Rule's requirements] alternatives for such critical services, which may include other service providers or internal functions or processes that can serve as a backup or contingency for such critical services."17 The SEC acknowledged that it may be costly for an RIA to establish backup relationships with multiple third-party service providers. In the SEC's view, however, those costs are outweighed by the need for an RIA "to address how [the RIA] will manage the loss of a critical service."18 The SEC has recognized that RIAs would likely not be in a position to absorb all the costs resulting from the Rule and that the Rule, if implemented as proposed, may result in RIAs passing these costs to clients and fund investors through higher fees.

Comments on the Rule

The unanimous approval of the Rule by the SEC's commissioners, together with the previous initiatives by the SEC and other federal regulators relating to systemic risk initiatives, illustrates that business continuity and transition plans will continue to be a focal point for regulators. For that reason RIAs may wish to comment on the Rule.

Footnotes

1 See Adviser Business Continuity and Transition Plans, Advisers Act Release No. 4439 (Jun. 28, 2016) available here.

2 Id. (SEC stating in this regard that in adopting Rule 206(4)-7 it did not "define, and prescribe means reasonably designed to prevent, such acts, practices and courses of business as are fraudulent, deceptive, or manipulative.").

3 Id.

4 See Business Continuity Planning for Registered Investment Companies, SEC Division of Investment Management, IM Guidance Update No. 2016-04 (June 2016) available here.

5 See also Cybersecurity Guidance, SEC Division of Investment Management, IM Guidance Update No. 2015-02 (April 2015) (stating that an RIA should create a strategy that is designed to prevent, detect and respond to cybersecurity threats including, among others, controlling access to various systems and data; data encryption; and data backup and retrieval) available here; National Exam Program Examination Priorities for 2016, SEC Office of Compliance Inspections and Examinations (2016) (identifying cybersecurity and regulation systems compliance and integrity as examination priorities).

6 Id. (noting that RIAs "should consider assessing whether protective cybersecurity measures are in place at relevant service provider" since RIAs rely on service providers to carry out their own operations).

7 Adviser Business Continuity and Transition Plans, supra note 1 (asserting that advanced "planning and preparation may minimize an [RIA]'s exposure to operational and other risks and, therefore, lessen the possibility of a significant disruption in its operations, and also may lessen any potential impact on the broader financial markets.").

8 Id.

9 Id. (inquiring whether the Rule would "be inconsistent with an [RIA's] obligations under other regulatory regimes.").

10 See Business Continuity Plans and Emergency Contact Information, FINRA Rule 4370 (as amended on Feb. 12, 2015) (requiring that broker-dealers' business continuity plans address certain elements, including data backup and recovery, all mission critical systems, alternate communications, alternate physical location of employees, and critical business constituents) available here.

11 See Business Continuity and Disaster Recovery, 17 CFR Part 23.603(a) (requiring swap dealers and major swap participants to establish and maintain business continuity plans that address data backup, systems maintenance, communications, geographic diversity, and third parties).

12 See NASAA Model Rule 203(a)(1)-1A (requiring state-registered advisers to have continuity and succession plans to minimize "service disruptions and client harm that could result from a sudden significant business disruption.").

13 Adviser Business Continuity and Transition Plans, supra note 1 (noting that RIAs "facing the decision to exit the market commonly do so by: (1) selling the [RIA] or substantially all of the assets and liabilities of the [RIA], including the existing advisory contracts with its clients, to a new owner; (2) selling certain business lines or operations to another [RIA]; or (3) the orderly liquidation of fund clients or termination of separately managed account relationships.").

14 Id. (providing that an RIA's insolvency or termination could have far-reaching consequences such as triggering a termination clause in a client's derivative contract or requiring regulators in multiple jurisdictions to approve certain acts such as the assignment of an advisory contract).

15 Id. (identifying the complexities associated with transferring client information of multiple clients with respect to registered investment companies and private funds compared to transferring client information of a single client with respect to separately managed accounts).

16 Id. (observing that "when transitioning accounts from one [RIA] to another, derivatives positions require special treatment in that they are typically unwound rather than transferred to the new [RIA] and that the terms of the derivatives instrument may dictate whether and how such unwinding takes place.").

17 Id.

18 Id. (noting that "it may not be feasible or may be cost prohibitive for an [RIA] to retain backup service providers, vendors, and/or systems for all critical services.").

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
