The U.S. Securities and Exchange Commission's ("SEC") Office of Compliance Inspections and Examinations ("OCIE") issued a risk alert on August 12, 2020, addressing certain compliance risks and considerations for SEC-registered broker-dealers and investment advisers during the COVID-19 pandemic.[1] COVID-19 has led to considerable uncertainty among industry participants regarding how they should comply with regulatory requirements while operating in a work-from-home environment or limiting their activities to protect the health and safety of firm personnel.
In order to address some of that uncertainty, OCIE made a number of observations and suggestions that broadly address the following areas where there may be heightened risk due to conditions caused by COVID-19: (1) protection of investors' assets; (2) supervision of personnel; (3) practices relating to fees, expenses, and financial transactions; (4) investment fraud; (5) business continuity; and (6) the protection of investor and other sensitive information.
1. Protection of Investors' Assets
OCIE observed that, due to COVID-19, a number of firms have modified their normal operating practices regarding collecting and processing investor checks and transfer requests.
Additionally, firms may no longer be picking up their mail daily. To that effect, OCIE suggested that firms update their supervisory and compliance policies and procedures to reflect any adjustments made and to consider disclosing to investors that checks or assets mailed to the firm's office location may experience delays in processing until personnel are able to access the mail or deliveries at that office location.
In addition, OCIE encouraged firms to review and make any necessary changes to their policies and procedures regarding disbursements to investors, including where investors are taking unusual or unscheduled withdrawals from their accounts, particularly COVID-19 related distributions from their retirement accounts. OCIE also suggested that firms consider:
- Implementing additional steps to validate the identity of the investor and the authenticity of disbursement instructions, including whether the person is authorized to make the request and bank account names and numbers are accurate; and
- Recommending that each investor has a trusted contact person in place, particularly for seniors and other vulnerable investors.
2. Supervision of Personnel
OCIE encouraged firms to closely review, and where appropriate, modify their supervisory and compliance policies and procedures as firms make changes in response to COVID-19 (e.g., due to work-from-home conditions or otherwise limited office presence, market volatility, technological and operational challenges).
Specifically, OCIE suggested that firms consider:
- Supervisors not having the same level of oversight and interaction with supervised persons when they are working remotely.
- Supervised persons making securities recommendations in market sectors that have experienced greater volatility or may have heightened risks for fraud.
- The impact of limited on-site due diligence reviews and other resource constraints associated with reviewing third-party managers, investments and portfolio holding companies.
- Communications or transactions occurring outside of the firms' systems due to personnel working from remote locations and using personal devices.
- Remote oversight of trading, including reviews of affiliated, cross and aberrational trading, particularly in high volume investments.
- The inability to perform the same level of diligence during background checks when onboarding personnel – such as obtaining fingerprint information and completing required Form U4 verifications – or to have personnel take requisite examinations.
3. Practices Relating to Fees, Expenses, and Financial Transactions
OCIE observed that the recent market volatility may have increased financial pressures on firms and their personnel to compensate for lost revenue, which may have potentially increased incentives for misconduct related to financial conflicts of interest and fees and expenses charged to investors, such as:
- recommending retirement plan rollovers to individual retirement accounts, workplace plan distributions and retirement account transfers into advised accounts or investments in products that firms or their personnel are soliciting;
- borrowing or taking loans from investors and clients;
- making recommendations that result in higher costs to investors and that generate greater compensation for supervised persons, such as investments with termination fees that are switched for new investments with high up-front charges or mutual funds with higher cost share classes when lower cost share classes are available;
- advisory fee calculation errors, including valuation issues that result in over-billing of advisory fees; inaccurate calculations of tiered fees, including failure to provide breakpoints and aggregate household accounts; and
- failures to refund prepaid fees for terminated accounts.
OCIE noted that firms should review their policies and procedures and consider enhancing their compliance monitoring by:
- Validating the accuracy of their disclosures, fee and expense calculations, and the investment valuations used.
- Identifying transactions that resulted in high fees and expenses to investors, monitoring for such trends, and evaluating whether these transactions were in the best interest of investors.
- Evaluating the risks associated with borrowing or taking loans from investors, clients, and other parties that create conflicts of interest, as this may impair the impartiality of firms' recommendations. Also, if advisers seek financial assistance, this may result in an obligation to update disclosures on Form ADV Part 2.
4. Investment Fraud
OCIE staff observed that times of crisis or uncertainty can create a heightened investment fraud risk. OCIE stated that firms should be cognizant of these risks when conducting due diligence on investments and in determining that the investments are in the best interest of investors.
5. Business Continuity
OCIE observed that due to the pandemic, many firms have shifted to predominantly operating remotely, which may raise compliance risks. Firms may have to make changes to compliance policies and procedures or provide disclosures to investors if their operations are materially impacted. OCIE staff noted that:
- Firms' supervisory and compliance policies and procedures utilized under "normal operating conditions" may need to be modified or enhanced to address some of the unique risks and conflicts of interest present in remote operations (e.g., supervised persons taking on new or expanded roles).
- Firms' security and support for facilities and remote sites may need to be modified or enhanced. OCIE suggested that firms consider whether: (1) additional resources and/or measures for securing servers and systems are needed, (2) the integrity of vacated facilities is maintained, (3) relocation infrastructure and support for personnel operating from remote sites is provided, and (4) remote location data is protected. If relevant practices and approaches are not addressed in business continuity plans and/or firms do not have built-in redundancies for key operations and key person succession plans, mission critical services to investors may be at risk.
OCIE encouraged firms to review their continuity plans to address these matters, make changes to compliance policies and procedures, and provide disclosures to investors if their operations are materially impacted, as appropriate.
6. Protection of Investor and Other Sensitive Information
The protection of investors' personally identifiable information ("PII") generally becomes more challenging in a work-from-home environment.
According to OCIE, videoconferencing and other electronic means of communication for remote work may create vulnerabilities for sensitive information (including PII) due to such factors as: (1) remote access to networks and the use of web-based applications; (2) increased use of personally-owned devices; and (3) changes in controls over physical records, such as sensitive documents printed at remote locations and the absence of personnel at the firms' offices. These means of communication also may create more opportunities for fraudsters to use phishing and other means to improperly access systems and accounts by impersonating firm personnel, websites, and/or investors.
Accordingly, OCIE recommended that firms assess their current policies and procedures and consider:
- Enhancements to their identity protection practices (e.g., reminding investors to contact the firm directly by telephone for any concerns about suspicious communications, with firms having personnel available to answer these investor inquiries).
- Providing firm personnel with additional training and reminders, and otherwise spotlighting cyber and document security issues (e.g., those related to: phishing and other targeted cyberattacks; sharing information while using certain remote systems (e.g., unsecure web-based video chat); encrypting documents and using password-protected systems; and destroying physical records at remote locations).
- Conducting heightened reviews of personnel access rights and controls as individuals take on new or expanded roles in order to maintain business operations.
- Using validated encryption technologies to protect communications and data stored on all devices, including personally-owned devices.
- Ensuring that remote access servers are secured effectively and kept fully patched.
- Enhancing system access security, such as requiring the use of multifactor authentication.
- Addressing new or additional cyber-related issues related to third parties, which may also be operating remotely when accessing firms' systems.
OCIE's risk alert provides useful insight into the regulatory concerns regarding firms' activities during the COVID-19 pandemic. Firms should review the considerations addressed in the risk alert and OCIE's recommendations and carefully consider the heightened risks related to the current crisis. The work-from-home environment presents a number of unique challenges that require careful attention.
Mayer Brown has been working with firms and industry groups to develop and implement work-from-home and return-to-work plans and to engage with regulators to seek regulatory relief and guidance in light of COVID-19 conditions. If you have any questions about this Legal Update or your firm's operations during the current pandemic environment, please contact one of the authors.
1 SEC, OCIE, Risk Alert, Select COVID-19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisers (Aug. 12, 2020), https://bit.ly/2EbQRTd.
© Copyright 2020. The Mayer Brown Practices. All rights reserved.