United States: SEC Proposes Rule Requiring Investment Advisers To Adopt Business Continuity And Transition Plans

On June 28, 2016, the U.S. Securities and Exchange Commission (the "SEC") proposed new Rule 206(4)-4 (the "Rule") under the Investment Advisers Act of 1940 (the "Advisers Act") that would require an investment adviser registered with the SEC ("RIA") to, among other things: (i) adopt and implement business continuity and transition plans; (ii) conduct an annual review of those plans; and (iii) comply with corresponding recordkeeping requirements.1 Comments on the Rule are due on or before September 6, 2016.

Underlying the Rule is the SEC's view that an RIA's fiduciary duty obligates it to take steps to protect its clients' interests from the potential ramifications of the RIA's temporary or permanent inability to provide advisory services. In proposing the Rule, the SEC sought to protect clients of an RIA from the effects of temporary or permanent operational risks to the RIA such as natural disasters, cyber-attacks, acts of terrorism, technology failures and the departure of key personnel. The Rule also seeks to protect clients from operational risks associated with events such as a sale, asset transfer or wind-down of the RIA's operations. The SEC has acknowledged that the scope of an RIA's policies and procedures under the Rule will depend on the size and nature of an RIA's business; the Rule nonetheless establishes a set of specific elements that need to be included in an RIA's business continuity and transition plan. In setting out greater specificity for policies and procedures covering business continuity and transition plans, the SEC appears to have concluded that the requirements of Rule 206(4)-7 under the Advisers Act are not sufficient with respect to those plans.2 In this regard, the SEC noted the observations of its examination staff that existing plans undertaken in accordance with Rule 206(4)-7 are "uneven and, in some instances, may not be sufficiently robust to mitigate the potential adverse effects of a significant business disruption on clients."3

At the same time that the SEC proposed the Rule, the SEC staff published guidance related to business continuity considerations for investment companies registered under the Investment Company Act of 1940 (the "1940 Act") indicating that registered investment company complexes should evaluate their response to significant business disruptions affecting both internal operations and critical third-party service providers.4 According to the guidance, an investment company's ability to continue operations during a business continuity event should be considered part of the company's compliance obligations under 1940 Act Rule 38a-1.

Business Continuity and Transition Plans Under the Rule

Under the Rule, an RIA's business continuity and transition plan would need to include policies and procedures concerning: (i) business continuity after a significant business disruption; and (ii) business transition in the event that the RIA is unable to continue providing investment advisory services to its clients. The content of a business continuity and transition plan is to be based on the risks associated with the RIA's operations and must include policies and procedures designed to minimize material service disruptions, including policies and procedures that address the following:

  • Maintenance of critical operations and systems, and the protection, backup and recovery of data
    In its discussion of the Rule, the SEC said that in determining which operations and systems are critical, an RIA should consider those that are utilized for prompt and accurate processing of portfolio securities transactions on behalf of clients (including the management, trading, allocation, clearance and settlement of such transactions), as well as those operations and systems that are material to the valuation and maintenance of clients' accounts, access to clients' accounts and the delivery of funds and securities. An RIA should also identify key personnel whose temporary or permanent loss would disrupt the RIA's ability to provide services to its clients.

    According to the SEC, an RIA's plan with respect to data protection, backup and recovery should address both hard copy and electronic backup, focusing, in particular, on risks related to cyber-attacks.5 Moreover, an RIA should prepare an inventory of key documents, including the location and description of the documents, and a list of the RIA's service providers that are necessary to maintain functional operations.
  • Pre-arranged alternate physical locations of the RIA's offices and/or employees
    According to the SEC, an RIA should consider the geographic diversity of its offices or remote sites and employees, as well as access to the systems, technology and resources necessary to continue operations at different locations in the event of a disruption.
  • Communications with clients, employees, service providers and regulators
    The SEC is of the view that an RIA's communication plan should generally cover, among other things: (i) the methods, systems, backup systems and protocols that will be used for communications; (ii) the way in which employees are informed of a significant business disruption; (iii) the way in which employees should communicate during such a disruption; (iv) contingency arrangements communicating the persons who would be responsible for taking on other responsibilities in the event of loss of key personnel; and (v) employee training.

    The SEC added that an RIA should also consider when and how it is in its clients' best interests to be informed of a significant business disruption and/or its effect, how service providers will be notified of a significant business disruption at the RIA and vice versa, and under what circumstances regulators will be notified.
  • Identification and assessment of third-party services critical to the operation of the RIA
    In elaborating on this element of the Rule, the SEC noted that an RIA should identify critical functions and services provided by the RIA to its clients, and third-party vendors supporting or conducting critical functions or services for the RIA and/or on the RIA's behalf. The SEC went on to say that, in determining which service providers should be deemed critical, an RIA should consider, among other things, the day-to-day operational reliance on the service provider and the existence of a backup process or multiple providers, whether or not the service provided includes direct contact with clients or investors and whether the service provider is maintaining critical records or is able to access personally identifiable information. Once an RIA identifies its critical service providers, it should review and assess how these service providers plan to maintain business continuity when faced with significant business disruptions and consider how this planning will affect the RIA's operations.6
  • Transition plan
    Under the Rule, an RIA's business continuity and transition plan would need to include a specific plan of transition that accounts for the possible winding-down of the RIA's business or the transition of the RIA's business to others in the event that the RIA is unable to continue providing advisory services. The SEC's view is that an RIA's plan of transition should include: (i) policies and procedures intended to safeguard, transfer and/or distribute its clients' assets during transition; (ii) policies and procedures facilitating the prompt generation of any client-specific information necessary to transition each client account; (iii) information regarding the corporate governance structure of the RIA; (iv) the identification of any material financial resources available to the RIA; and (v) an assessment of the applicable law and contractual obligations governing the RIA and its clients, including pooled investment vehicles, implicated by the RIA's transition.

According to the SEC, the degree to which an RIA's business continuity and transition plan addresses a required component under the Rule will depend upon the nature of the RIA's business, consistent with its fiduciary duty to protect its clients' interests from risks of business disruption generally. In that regard, the SEC noted that business continuity and transition plans must address all components set out in the Rule, but that plans need only take into account the risks associated with an RIA's operations, including the nature and complexity of its business, clients and key personnel.

Public Comment

The SEC has requested public comment on a number of aspects of the Rule, including, among others:

  • whether all RIAs should be subject to the Rule or only a subset of RIAs, such as an RIA with assets under management over a specific threshold;
  • whether the SEC staff should, as an alternative to the Rule, issue guidance under Advisers Act Rule 206(4)-7 addressing business continuity and transition plans;
  • whether the SEC should, instead of mandating the components of business continuity plans of RIAs, enable each RIA to determine those components;
  • whether the SEC should adopt a more prescriptive rule that resembles "Living Wills" required by the Federal Reserve Board and the Federal Deposit Insurance Corporation for large banks and systemically important non-bank entities; and
  • whether an RIA's business continuity plan should be provided to its clients, disclosed in a summary format or not be disclosed at all.

Implications for RIAs

The obligation to address business continuity considerations is not a new requirement for RIAs. Nonetheless, the Rule, if adopted in its current form, could have significant consequences. Five potential consequences are of particular note.

Potential Liability

The SEC, in proposing the Rule, noted clearly that it "would be fraudulent and deceptive [within the meaning of Section 206, the Act's antifraud provision] for an [RIA] to hold itself out as providing advisory services unless it has taken steps to protect clients' interests from being placed at risk as a result of the [RIA]'s inability (whether temporary or permanent) to provide those services."7 Thus, the Rule contemplates the possibility, among other things, that an RIA following a business continuity plan, but experiencing service disruptions following, for example, a natural disaster or other unforeseen event, could face liability for fraud under Section 206 of the Advisers Act.8

Need to Consolidate Business Continuity Requirements

The SEC has recognized that certain RIAs are "subject to other regulatory requirements as to business continuity and/or transition planning."9 The SEC, in proposing the Rule, cited in particular the business continuity rules that are already mandated by FINRA10 and the CFTC,11 as well as model rules promulgated by the North American Securities Administrators Association.12 An RIA should consider consolidating all of those applicable requirements into a comprehensive plan in seeking to ensure that its business continuity plan works effectively and efficiently and meets all applicable requirements.

Disclosure

Historically, an RIA has often addressed the potential consequences of natural disasters and other unexpected service disruptions by engaging in prior planning and providing disclosures to its clients about such risks. An RIA should, when determining how to meet the Rule's terms and conditions, consider not only additional planning steps, but also the potential need for enhanced disclosures to its clients. An RIA might, for example, choose to include disclosure to its clients to the effect that despite its best efforts, business continuity and transition planning efforts cannot guarantee that all service disruptions will be prevented.

The Rule's Applicability to Different Types of RIAs

Requiring an RIA to develop and maintain transition plans marks a new obligation under SEC regulations. Under the Rule, an RIA's plan of transition would need to account for the possible winding-down of the RIA's business or the transition of the RIA's business to another RIA.13 The type of transition policy that is appropriate for an RIA will vary based on the size and nature of each RIA's business. The Rule, as proposed, would be applicable to RIAs of all sizes. When proposing the Rule, the SEC highlighted the potential ramifications of an RIA's dissolution on broader market conditions,14 suggesting that the primary focus for the transition plan requirement is an RIA with significant levels of assets under management, the dissolution of which could affect financial markets if handled unskillfully. Making clear, however, that the Rule is not limited to larger advisers, the SEC noted the importance of an RIA attending to individual (retail) clients in connection with transitions and winding-down of its affairs.

The Rule would appear to have special consequences for an RIA managing private funds not registered under the 1940 Act. The Rule would by its terms require an RIA's transition plans to include an assessment of contractual obligations governing the RIA and its clients. This requirement would seem to implicate, among other things, contractual provisions of private funds involving key persons and the removal or replacement of the general partner, which have typically been addressed through negotiated arrangements with limited partner investors. The SEC noted that an RIA will need to "consider the unique attributes of each type of the [RIA's] clients"15 and will need to analyze the types of assets that are held in each client's account16 with respect to the merger or acquisition of an RIA.

Economic Effects

The Rule requires an RIA to analyze third-party service providers' plans to maintain business continuity in the face of a significant business disruption and to review all contractual obligations and clients' attributes to prepare for a transition. Meeting this requirement could result in additional costs for RIAs. The SEC has said that an RIA should "generally consider [in connection with the Rule's requirements] alternatives for such critical services, which may include other service providers or internal functions or processes that can serve as a backup or contingency for such critical services."17 The SEC acknowledged that it may be costly for an RIA to establish backup relationships with multiple third-party service providers. In the SEC's view, however, those costs are outweighed by the need for an RIA "to address how [the RIA] will manage the loss of a critical service."18 The SEC has recognized that RIAs would likely not be in a position to absorb all the costs resulting from the Rule and that the Rule, if implemented as proposed, may result in RIAs passing these costs to clients and fund investors through higher fees.

Comments on the Rule

The unanimous approval of the Rule by the SEC's commissioners, together with the previous initiatives by the SEC and other federal regulators relating to systemic risk initiatives, illustrates that business continuity and transition plans will continue to be a focal point for regulators. For that reason RIAs may wish to comment on the Rule.

Footnotes

1 See Adviser Business Continuity and Transition Plans, Advisers Act Release No. 4439 (Jun. 28, 2016) available here.

2 Id. (SEC stating in this regard that in adopting Rule 206(4)-7 it did not "define, and prescribe means reasonably designed to prevent, such acts, practices and courses of business as are fraudulent, deceptive, or manipulative.").

3 Id.

4 See Business Continuity Planning for Registered Investment Companies, SEC Division of Investment Management, IM Guidance Update No. 2016-04 (June 2016) available here.

5 See also Cybersecurity Guidance, SEC Division of Investment Management, IM Guidance Update No. 2015-02 (April 2015) (stating that an RIA should create a strategy that is designed to prevent, detect and respond to cybersecurity threats including, among others, controlling access to various systems and data; data encryption; and data backup and retrieval) available here; National Exam Program Examination Priorities for 2016, SEC Office of Compliance Inspections and Examinations (2016) (identifying cybersecurity and regulation systems compliance and integrity as examination priorities).

6 Id. (noting that RIAs "should consider assessing whether protective cybersecurity measures are in place at relevant service provider" since RIAs rely on service providers to carry out their own operations).

7 Adviser Business Continuity and Transition Plans, supra note 1 (asserting that advanced "planning and preparation may minimize an [RIA]'s exposure to operational and other risks and, therefore, lessen the possibility of a significant disruption in its operations, and also may lessen any potential impact on the broader financial markets.").

8 Id.

9 Id. (inquiring whether the Rule would "be inconsistent with an [RIA's] obligations under other regulatory regimes.").

10 See Business Continuity Plans and Emergency Contact Information, FINRA Rule 4370 (as amended on Feb. 12, 2015) (requiring that broker-dealers' business continuity plans address certain elements, including data backup and recovery, all mission critical systems, alternate communications, alternate physical location of employees, and critical business constituents) available here.

11 See Business Continuity and Disaster Recovery, 17 CFR Part 23.603(a) (requiring swap dealers and major swap participants to establish and maintain business continuity plans that address data backup, systems maintenance, communications, geographic diversity, and third parties).

12 See NASAA Model Rule 203(a)(1)-1A (requiring state-registered advisers to have continuity and succession plans to minimize "service disruptions and client harm that could result from a sudden significant business disruption.").

13 Adviser Business Continuity and Transition Plans, supra note 1 (noting that RIAs "facing the decision to exit the market commonly do so by: (1) selling the [RIA] or substantially all of the assets and liabilities of the [RIA], including the existing advisory contracts with its clients, to a new owner; (2) selling certain business lines or operations to another [RIA]; or (3) the orderly liquidation of fund clients or termination of separately managed account relationships.").

14 Id. (providing that an RIA's insolvency or termination could have far-reaching consequences such as triggering a termination clause in a client's derivative contract or requiring regulators in multiple jurisdictions to approve certain acts such as the assignment of an advisory contract).

15 Id. (identifying the complexities associated with transferring client information of multiple clients with respect to registered investment companies and private funds compared to transferring client information of a single client with respect to separately managed accounts).

16 Id. (observing that "when transitioning accounts from one [RIA] to another, derivatives positions require special treatment in that they are typically unwound rather than transferred to the new [RIA] and that the terms of the derivatives instrument may dictate whether and how such unwinding takes place.").

17 Id.

18 Id. (noting that "it may not be feasible or may be cost prohibitive for an [RIA] to retain backup service providers, vendors, and/or systems for all critical services.")

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
