Since COVID-19 arrived, the SEC Office of Compliance, Inspections and Examinations (OCIE) has remained operational nationwide including an outreach to SEC registrants to assess the impact of the virus. From these efforts, OCIE has concluded that “SEC registrants have been faced with new operational, technological, commercial and other challenges and issues” which in many cases “have created important regulatory and compliance questions and considerations.”
In particular, OCIE identified a number of issues, risks and practices relevant to investment advisers and broker dealers (herein, the Firms). Volatility related to COVID-19 may have heightened the risks of misconduct in various areas that merit additional OCIE attention. And so, in mid-August, OCIE issued a “Risk Alert” titled “Select COVID-19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisers.”
The Risk Alert consists of OCIE “observations and recommendations” that fall broadly into six categories: (1) protection of investors’ assets; (2) supervision of personnel; (3) practices relating to fees, expenses, and financial transactions; (4) investment fraud; (5) business continuity, and (6) the protection of investor and other sensitive information.
Boiling down a government document with footnotes that sometimes take up as much of the page as the content itself is not an easy task, but an abbreviated version of the OCIE Risk Alert will follow. But first, a few observations of our own.
A Risk Alert from OCIE has value, including useful recommendations. It also gives some insight into where OCIE is at these days. Ostensibly, identifying and discouraging “misconduct” ultimately protects investors, an important part of OCIE’s “mission.” However, despite this alert’s rather benign description of “observations and recommendations,” the fact that this OCIE document targets “investment advisers and broker dealers” could portend some extra and unwanted attention, such as increased enforcement efforts by OCIE.
When OCIE, or any government agency, issues an “alert,” as a first step toward compliance, our firm recommends that clients become familiar with the substance of the alert. So, following are the six “observations and recommendations” in the OCIE Risk Alert with abbreviated descriptions.
1. Protection of Investor Assets
It’s no surprise this would top the OCIE list. Relating to the collecting and processing of client checks and transfer requests the Risk Alert recommends that Firms review existing practices for any new processes and related risks. Regarding disbursements, a Firm should verify client-related requests and OCIE recommends that vulnerable investors assign a trusted contact.
2. Supervision of Personnel
With so many employees working from home, this has become a lot harder. OCIE says for some firms this may require significant changes. It recommends several actions, including:
- Conduct oversight of supervised persons’ communications.
- Conduct oversight of supervised persons’ security recommendations in volatile markets
- Consider the impact of limited on-site reviews.
- Conduct oversight of trading.
- Consider limitation of due diligence during background checks of new personnel.
3. Fees, Expenses and Financial Transactions
Due to the impact of COVID-19 on market volatility in the first quarter, OCIE believes there will be an increased incentive for Firms to engage in misconduct to mitigate the impact of lost revenue. In light of the potential for misconduct, the Risk Alert encourages Firms to review their practices and policies relating to fees and expenses, including:
- Reviewing practices for accuracy of fee calculations and investment valuations.
- Monitoring higher-fee transactions.
- Assessing conflicts related to investment recommendations and borrowings.
4. Investment Fraud
OCIE agrees that crises present opportunities for fraud. So, it encourages Firms to be attentive to fraudulent investment offerings and to make sure an investment is in the investor’s best interest.
5. Business Continuity
This also relates to compliance issues raised by operating from predominantly remote sites. The Risk Alert notes that these issues may create a need to modify or enhance compliance policies and procedures, as well as security and support for facilities and remote sites. Also, since certain firms are required to maintain a business continuity plan, the Risk Alert encourages reviewing those plans and modifying or enhancing them based on unique risks.
6. Protection of Sensitive Information
Of course, all Firms are obligated to protect investors’ “personally identifiable information.”
But, as OCIE points out, the reliance on and use of electronic and digital communication, from a dial-in phone call to video conferencing, create added risks including vulnerabilities in recordkeeping and improper access to systems and accounts. In short, hacking. So, the Risk Alert is encouraging the assessment of “systems, investor data protection and cybersecurity.”
As mentioned, while “observations and recommendations” may seem like a bit of a soft-touch approach for a “Risk Alert,” OCIE would not issue them if it did not want “investment advisers and broker dealers” to take them seriously. Getting familiar with them is a good start, but the next step is to engage the services of a company like ours, one that specializes in interpreting government recommendations and quantifying their possible impact on a specific firm’s business, be it a broker, a dealer or an investment adviser.