Written by: RIA in a Box
This week the Securities and Exchange Commission (SEC) issued a release announcing the proposal of a new rule that would “require registered investment advisers to adopt and implement written business continuity and transition plans.” The rule would apply to registered investment adviser (RIA) firms registered at the federal level and comes a year after the North American Securities Administrators Association (NASAA) released a similar model rule for investment adviser business continuity and succession planning.
Previously, we have discussed other SEC rule proposals regarding new policies and procedures and disclosure requirements, including those that would require additional information about investment adviser branch offices to be disclosed. In this post, we take a closer look at the SEC's proposed rule on business continuity and transition plans, which reflects the agency's continued application of the fiduciary standard in light of new and emerging risks.
Although the SEC has previously stated that it expects investment advisory firms to have robust business continuity plans in effect today as part of a firm's fiduciary obligation, this new proposed rule would formalize the requirement and provide more prescriptive guidance as to what should be included in such plans. Specifically, the new proposed rule (file no. S7-13-16 published in the Federal Register) would require the content of an RIA firm's business continuity and transition plan to address the following components:
As RIA compliance consultants, we see many investment advisory firms already addressing many of the specific components addressed above, but as the SEC notes, this is still not the case for a significant number of investment advisory firms as outlined on pages 8 and 9 of the proposal:
While we understand that many investment advisers already have taken steps to address and mitigate the risks of business disruptions, our staff has observed a wide range of practices by advisers in addressing operational risk management. The staff frequently observes advisers managing operational and other risks through internal practices, procedures, and controls that are typically assessed by the adviser’s legal, compliance, or audit staff, and often sees independent third-party assessments performed by audit or compliance firms. However, the staff also has observed advisers with less robust planning, causing them to experience interruptions in their key business operations and inconsistently maintain communications with clients and employees during periods of stress. As discussed further below, our staff has noted weaknesses in some adviser BCPs with respect to consideration of widespread disruptions, alternate locations, vendor relationships, telecommunications and technology, communications plans, and review and testing. Although disparate practices may exist in light of the varying size and complexity of registrants, to effectively mitigate such risks we are proposing to require all SEC-registered investment advisers to have plans that are reasonably designed to address operational and other risks related to a significant disruption in the investment adviser’s operations.
In addition, pages 5 and 6 of the proposed rule release further enumerate the SEC's specific concerns:
Investment advisers today also participate in and are part of an increasingly complex financial services industry. Advisers are relying on technology to a greater extent, managing more complicated portfolios and strategies that often include complex investments, and are increasingly relying on the services of third parties such as custodians, brokers and dealers, pricing services, and technology vendors that support their operations.
Although the types of registered investment advisers and their business models may vary significantly, they generally share certain fundamental operational risks. Of particular concern to the Commission are those risks that may impact the ability of an adviser and its personnel to continue operations, provide services to clients and investors, or, in certain circumstances, transition the management of accounts to another adviser. Such operational risks include, but are not limited to, technological failures with respect to systems and processes (whether proprietary or provided by third-party vendors supporting the adviser’s activities), and the loss of adviser or client data, personnel, or access to the adviser’s physical location(s) and facilities.
And lastly, pages 9 and 10 once again frame the proposed rule as a logical application of the fiduciary standard:
Our experience indicates that clients of advisers who do not have robust plans in place to address the operational and other risks related to significant disruptions in their operations are at greater risk of harm during such a disruption than the clients of advisers who do have such plans in place.
As fiduciaries, investment advisers owe their clients a duty of care and a duty of loyalty, requiring them to put their clients’ interests above their own. As part of their fiduciary duty, advisers are obligated to take steps to protect client interests from being placed at risk as a result of the adviser’s inability to provide advisory services.
This rule proposal has been long anticipated by the industry, and the SEC deserves credit for attempting to create enough flexibility in the proposed rule to allow for different levels of robustness dependent upon a firm's size and operational complexity. However, given the significant costs that may be involved for firms to implement these new proposed standards, we advise all investment advisory firm principals to carefully review this rule proposal and consider submitting comments as outlined beginning on page 76 of the rule proposal.
It's also important to note that should this new rule ultimately go into effect, there will likely be increased time pressure for RIA firm principals to establish formal internal and/or third party succession plans to be prepared for unexpected life events.