The staff at the Securities and Exchange Commission's Division of Examinations (the "Division") conducts the SEC's National Exam Program. Recently, the Division issued two Risk Alerts: (i) a Risk Alert highlighting the need for policies and procedures for safeguarding customer records and information at branch offices, and (ii) a Risk Alert summarizing the Division's observations from examinations of investment advisers and investment companies to assess preparations for transitioning from LIBOR.
Risk Alert – Safeguarding Customer Records and Information at Branch Offices (April 26, 2023)
On April 26, 2023, the Division published a Risk Alert titled Safeguarding Customer Records and Information at Branch Offices (the "Branch Office Risk Alert").1 The Branch Office Risk Alert is directed at broker-dealers and registered investment advisers to remind them of their obligations to implement at their branch offices2 policies and procedures under the Safeguards Rule of Regulation S-P (the "Safeguards Rule"). Generally, the Safeguards Rule requires investment advisers and broker-dealers to adopt written policies and procedures that address the protection of customer records and information. Specifically, the Division reminds investment advisers and broker-dealers that "[t]these written policies and procedures must be reasonably designed to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of customer records and information, and protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer."
Key Takeaway: All investment advisers and broker-dealers must consider their entire organization, including branch offices, when implementing written policies and procedures for the safeguarding of customer records and information to ensure compliance with the Safeguards Rule.
The Division issued the Branch Office Alert because it observed that many firms had implemented policies and procedures for their main offices but not their branch offices. Specifically, the Division noted deficiencies in the following five areas:
Vendor Management: The Division said many firms did not require that their branch offices conduct the level of due diligence and oversight of their vendors as required by the firms' own policies and procedures and, in many instances, did not assist their branch offices in the selection of vendors, which resulted in "weak or misconfigured security settings on systems and applications."
Email Configuration: The Division noted that some firms did not manage email accounts for branch offices, allowed branch offices to obtain email services from vendors without specifying technical requirements related to security, and lacked policies and procedures to address proper email configuration. The Division found that non-existent or weak procedures for managing email configuration at branch offices resulted in account takeovers, email compromise, and the inability to perform adequate incident response.
Data Classification: The Division noted that many firms did not apply to branch offices the data classification policies and procedures that firms used to identify the location of electronically stored customer information, resulting in the failure to identify and control customer records and information.
Access Management: The Division noted that many firms did not require their branch offices to maintain the same level of password complexity, muti-factor authentication, and other controls for remote access required at the main office, resulting in breaches at the branch offices.
Technology Risk: The Division observed that many firms did not apply their technology policies and procedures for inventory, patch, and vulnerability management to their branch offices, resulting in branch offices with systems that were not up-to-date with patches, the main office not being aware of the systems in use at branch offices, and branch offices using systems no longer supported by the manufacturer. As a result, branch office systems were more prone to compromises.
Risk Alert – Observations from Examinations of Investment Advisers and Investment Companies Concerning LIBOR-Transition Preparedness (May 11, 2023)
On May 11, 2023, the Division published a Risk Alert titled Observations from Examinations of Investment Advisers and Investment Companies Concerning LIBOR-Transition Preparedness (the "LIBOR Preparedness Risk Alert").3 The LIBOR Preparedness Risk Alert is directed at registered investment advisers and investment companies to remind them that U.S. Dollar LIBOR is scheduled to be discontinued after June 30, 2023, and to summarize the Division's observations from recent exams.
Key Takeaway: All investment advisers and funds with any direct or indirect client exposure to LIBOR need to prepare for the transition away from LIBOR and should review the LIBOR Preparedness Risk Alert to consider whether any of the practices identified by the Division are appropriate for their business.
Risk Management: Firms with significant exposures are treating the LIBOR transition as an enterprise risk-governance matter, forming cross-functional working groups overseen by risk governance committees. The Division noted that "almost all examined firms" are keeping informed and engaged in industry associations by being members of the Alternative Reference Rates Committee ("ARRC") (or relying on its guidance) or by participating in LIBOR-transition-related conversations with relevant industry groups. Many firms are providing relevant personnel with internal training and guidance to ensure they are informed about the LIBOR transition and any internal policies, procedures, and guidance.
Operations: The Division noted that many firms are actively engaged with service providers, sub-advisers, and third-party managers, including working with fund administrators and pricing and data providers to understand transition readiness and using due diligence questionnaires to assess the transition preparedness of sub-advisers and third-party managers. Firms that need system updates to accommodate alternative reference rates ("ARRs") are engaged in extensive systems testing and several firms have incorporated reconciliation processes of settlement and payments to ensure that counterparties and service providers properly account for the terms and conditions of ARRs.
Portfolio Management: Many firms are using a global approach to LIBOR exposure across subsidiaries and affiliates, using third-party service providers to identify fallback provisions, considering internal controls and trading restrictions on LIBOR-linked instruments, and converting bank loans and similar instruments to ARRs (and/or urging counterparties to do so).
Fiduciary Responsibilities and Investor Communications: The Division found that firms are addressing their fiduciary duties through remediating contracts, in the case of direct client exposure, and due diligence on third-party fund managers, in the case of indirect client exposure. Firms are assessing, disclosing, and mitigating conflicts of interest that may arise with the transition, and firms with significant exposure are providing risk disclosures on the legal, operational, credit, and regulatory risks associated with the transition. The Division observed that the level of client communication and engagement varied, depending on the determination of what information clients would find meaningful and whether certain clients had greater exposure than others.
Keeping Informed About Ongoing and New Challenges: Generally, the Division found that firms are staying informed about the challenges of transitioning away from LIBOR. Specifically, the ARRC is encouraging the remediation of bank loans linked to LIBOR as soon as practicable to avoid a flood of amendments in mid-2023. Where complex overseas contracts have been identified with no fallback language and/or no ability to amend, participants are considering transitioning to synthetic LIBOR. Finally, the Division emphasized that significant operational challenges are being reported, and it recommended that firms monitor ARRC and other industry resources for guidance.
1. The Branch Office Risk Alert can be found at https://www.sec.gov/files/risk-alert-safeguarding-info-branch-offices-042623.pdf.
2. As used in this Branch Office Risk Alert, the term "branch office" applies broadly to include any location other than a firm's main office, including offices of any independent contractors through which the firm may offer investment products and services.
3. The LIBOR Preparedness Risk Alert can be found at https://www.sec.gov/files/risk-alert-libor-transition-preparedness-051123.pdf.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.