SEC Proposes New BCP Rule and Issues Guidance
Introduction
On June 28, 2016, the Securities and Exchange Commission (the “SEC”) released a proposed rule (the “Proposed Rule”) that would require registered investment advisers (“RIAs”) to adopt written business continuity and transition plans (“BCPs”) designed to address operational failures and other potentially significant disruptions (the “Proposing Release”).[1] On the same day that the Proposed Rule was released, the SEC Division of Investment Management released a Guidance Update (the “IM Guidance”) intended to provide guidance for registered funds’ BCPs.
According to the Proposing Release, the SEC promulgated the Proposed Rule to address risks, both internal and external, that may affect an RIA’s ability to operate, service clients and investors, and transition account management to another RIA[2] in what it considers an increasingly complex financial services industry. This Alert highlights the components of the Proposed Rule—which affect RIAs—and the notable practices the IM Guidance outlines to implement an adequate BCP—which affect the registered fund industry.
Background
In the Proposing Release, the SEC notes that RIAs face fundamental internal and external operational risks, including the risk of a cybersecurity attack, which the SEC believes may ultimately result in technology failures and the loss of adviser, client, and personnel data. The SEC indicates that if an RIA does not adequately safeguard against such risks, the RIA may be in breach of its fiduciary duty to protect its clients’ interests. In formulating the Proposed Rule, the SEC cited examinations of RIAs’ BCPs, including examinations related to assessing how RIAs responded to natural disasters such as Hurricane Sandy, and concluded that while some RIAs are currently adequately prepared, others are less prepared.[3]
The Proposing Release and IM Guidance also may have been prompted in part by the SunGard Data Systems Inc. (“SunGard”) net asset value (“NAV”) operating system disruption that occurred in the last week of August 2015. At the time of the event, The Bank of New York Mellon Corporation (“BNY Mellon”) priced mutual fund and exchange-traded fund NAVs using SunGard’s InvestOne product. On Saturday, August 23, SunGard conducted an operating system change for the InvestOne platform at BNY Mellon. During this process, the primary and back-up systems became corrupted for 1,200 client funds and classes. BNY Mellon was forced to resort to alternate means to calculate the NAVs.
SEC’s Proposed BCP Rule for Investment Advisers
The Proposed Rule would require RIAs to adopt and implement BCPs designed to prepare RIAs for a significant business interruption, such as a natural disaster, act of terrorism, or cyber attack. Notably, the Proposed Rule merely provides examples of what may constitute a significant business disruption, but does not provide a definition.[4] Some examples of significant business disruptions listed in the Proposing Release include systems failure, natural disaster, terrorist attack, loss of service from a third party, power or internet outage, lack of access to a building where data is located, and cyber attack. In addition, the Proposed Rule would require RIAs to have a business transition plan in place should the RIA be unable or unwilling to provide investment advisory services to its clients.
The Proposed Rule would require RIAs’ BCPs to address the following five components, as explained further below:
- Maintain critical operations and systems and ensure protection, backup, and recovery of data.
- Prearrange alternate physical location(s) of the RIA’s office(s) and/or employees.
- Establish a plan to communicate with clients, employees, service providers, and regulators.
- Identify and assess third-party services critical to the operation of the adviser.
- Establish a plan of transition that accounts for the possible winding down of the adviser’s business or the transition of the adviser’s business to others if the adviser is unable or unwilling to continue providing advisory services.
(1) Maintain critical operations and systems and ensure protection, backup, and recovery of data.
This component emphasizes the importance of protecting critical information. To determine what constitutes a critical operation or system, the Proposing Release advises that RIAs consider operations and systems that are (a) employed for portfolio securities transactions, and (b) critical to the valuation of, maintenance of, and access to client accounts, as well as the delivery of funds and securities. The Proposing Release notes that such operations and services may be provided by third parties, which would require that RIAs identify the third parties supporting these functions. The Proposing Release indicates that RIAs should also determine the personnel who are key to supporting a critical operation or system by considering whether the loss of any individual, either temporarily or permanently, would disrupt the RIA’s ability to service a critical operation or system. Further, the Proposing Release suggests maintaining both hard and electronic copies of information, consistent with current SEC rules covering maintenance of books and records, in the event access to electronic copies fails. It also proposes that records be preserved in a way that protects information from cyber attacks.[5]
(2) Prearrange alternate physical location(s) of the RIA’s office(s) and/or employees.
To protect both operations and employees, the Proposing Release suggests prearranging alternate physical locations. This focus on geographically diverse backup capabilities is driven by the possibility of external events and potential infrastructure failure. While the SEC acknowledges that it may not be necessary to have an alternate physical location a specified distance away from the primary location, the SEC does advise that RIAs establish either a satellite office far enough away from the primary location or a remote site in another geographic region should the primary site be affected by an external event or infrastructure failure.
(3) Establish a plan to communicate with clients, employees, service providers, and regulators.
This component of the Proposed Rule emphasizes the importance of ensuring communication with employees, clients, and third-party service providers. By having a plan in place that provides for communication with all critical parties involved in the RIA’s operations, the Proposing Release states that a BCP would be more likely to be executed properly.[6] The Proposing Release indicates that a BCP should address how, and under what circumstances, clients and third-party service providers will be informed of a significant business disruption.[7]
(4) Identify and assess third-party services critical to the operation of the adviser.
In the Proposing Release, the SEC asserts that because RIAs often outsource aspects of their operations to third-party service providers, a BCP must address the critical services provided by these third parties. To do this, the SEC indicates that an RIA should carefully consider what services are truly critical[8] and how those services will be maintained should there be a significant disruption that affects the third party’s operations. Ultimately, the Proposing Release suggests that if a third-party service provider does not have its own BCP in place, the RIA should consider alternative sources for those services.
(5) Establish a plan of transition that accounts for the possible winding down of the adviser’s business or the transition of the adviser’s business to others if the adviser is unable or unwilling to continue providing advisory services.
The SEC proposes that BCPs contain a transition plan to account for the possibility that an RIA may wind down its business or transition the RIA’s business to another RIA in the event the original RIA is no longer able or willing to provide advisory services. The Proposed Rule states that the transition component of a BCP should account for transitions under both normal and stressed market conditions. To be sufficient, the Proposing Release explains that this plan must (a) address safeguarding client assets, (b) include policies to facilitate generation of client-specific information necessary to transition an account, (c) include information about the corporate governance structure of the RIA, (d) identify material financial resources available to the RIA, and (e) assess the contractual obligations implicated by the RIA’s transition.
Potential Consequences of the Proposed Rule
While the Proposed Rule would require that a BCP address all five of these components, the SEC stated that it recognizes that the complexity of BCPs may be substantially different depending on an RIA’s business. Specifically, the Proposing Release indicates that a BCP may be tailored differently for a smaller adviser than for a large adviser.
Despite this acknowledgment, it is clear that implementation of the Proposed Rule would result in more significant compliance costs for smaller advisers. In addition to initial compliance costs, because the Proposed Rule includes annual review and recordkeeping requirements, both small and large advisers will be subject to fixed costs associated with conducting such reviews, maintaining required records, and ongoing BCP testing. Moreover, the Proposed Rule would add to the growing number of regulatory requirements to which RIAs are subject, further increasing the barriers to entry in the asset management industry.
Notably and controversially, the Proposed Rule was promulgated under Section 206 of the Advisers Act, an antifraud provision. Thus, if adopted, an RIA’s failure to comply with the Proposed Rule by not implementing an adequate BCP may result in a fraud action, among other potential consequences. The Investment Company Institute (“ICI”) filed a comment letter in response to the Proposed Rule on August 23, 2016, and while the ICI generally supports the Proposed Rule, it suggested adopting guidance instead of a rule. The ICI also took particular issue with BCP violations rising to the level of fraud or deceit. The ICI further expressed concern that BCP violations stemming from the same conduct may lead to enforcement actions under both current Rule 206(4)-7, which requires RIAs to consider their fiduciary and regulatory obligations under the Advisers Act and to adopt and implement written compliance and policies reasonably designed to prevent violations of the Advisers Act, as well as Proposed Rule 206(4)-4, which makes it unlawful for RIAs to provide investment advice unless the RIA adopts and implements a written BCP and reviews the plan at least annually.
IM Guidance Update: Registered Fund Oversight of Third-Party Service Providers
On June 28, 2016, the same day that the Proposed Rule was released, the Division of Investment Management released IM Guidance Update 2016-04, underscoring the Staff’s emphasis on operational risks facing the registered fund industry. Pursuant to Rule 38a-1 under the Investment Company Act of 1940, registered funds must adopt and implement written compliance policies and procedures reasonably designed to prevent violations of the federal securities laws, though there is no explicit requirement that registered funds must adopt BCPs. In the IM Guidance, the Staff indicates that the obligation under Rule 38a-1 to adopt and implement written compliance policies and procedures may encompass planning in the event of a significant business disruption or disaster.
In the wake of the SunGard pricing failure, as discussed above, the Staff concluded that some funds could have been better prepared. Because funds do not typically have employees of their own and usually outsource critical services to third-party service providers, the Staff emphasized the importance of funds’ BCPs addressing failures at these third-party service providers. The Staff observed that a fund’s Chief Compliance Officer (“CCO”) typically participates in oversight and due diligence of the third-party service providers. The Staff also observed that a fund’s board of directors typically receives BCP presentations at least annually, either as part of the Section 15(c) process or as part of the CCO’s annual report to the board of directors. Because CCOs and boards of directors play a key role in a fund complex’s BCP review, the Staff compiled in the IM Guidance a list of “notable practices” funds should consider when adopting and developing BCPs. Among these notable practices are understanding the back-up processes and contingency plans of critical service providers, understanding the interplay of the third-party service providers’ BCPs with the registered fund’s own BCP, and considering how a fund complex determines whether a third-party service provider has experienced a significant business disruption and how to successfully navigate such events.
It is important to note that the IM Guidance document provides informal Staff guidance and does not have the force and effect of a rule. However, it is instructive because it provides insights into the Staff’s views regarding business continuity matters that may be relevant to funds’ operations, and it further demonstrates that the Staff is focused on ensuring that registered funds have robust BCPs in place. Accordingly, registered funds, boards of directors, and CCOs may want to review and revisit existing BCPs for the funds and their service providers to assess the extent to which they are consistent with the updated guidance provided by the Staff. Further, investment advisers should review the Proposed Rule for adviser BCPs and consider submitting comments on the SEC’s proposal. K&L Gates is available to answer any specific questions you may have and is prepared to assist you on BCP matters.
Notes:
[1] The Proposed Rule would amend Rule 204-2 of the Investment Advisers Act of 1940 (the “Advisers Act”), which currently requires that an RIA’s policies and procedures include BCPs if they are relevant and does not specifically require BCPs. Further, Proposed Rule 206(4)-4 prohibits RIAs from providing investment advice unless a BCP is adopted, is reviewed at least annually, and contains adequate content.
[2] Other regulatory bodies, such as the Financial Industry Regulatory Authority (“FINRA”) and the Commodity Futures Trading Commission (“CFTC”), require their regulated entities to have BCPs in place. The FINRA BCP requirement applies to broker-dealers, and the CFTC BCP requirement applies to swap dealers and swap participants.
[3] The Proposing Release notes that because the asset management industry is highly competitive, some RIAs are motivated to ensure proper risk management is in place to avoid failures that may result in reputational damage.
[4] In the Request for Comment section, the SEC acknowledges that it does not provide a definition of significant business disruption and inquires whether it should.
[5] The SEC Staff (the “Staff”) released Cybersecurity Guidance in an IM Guidance Update in April 2015, which expanded on RIAs’ compliance obligations to prevent cyber attacks under the federal securities laws.
[6] The SEC specifically emphasizes the importance of employee training and access to employees in the event of a disruption. Without employees taking the appropriate steps to carry out a BCP (or even knowing, in the first instance, that a BCP should be used), BCPs are less likely to be successfully implemented.
[7] Likewise, a BCP should include how an RIA will be informed of a significant business disruption at a third-party service provider.
[8] The Staff states that it would consider critical service providers to be those who provide portfolio management services; custody of client assets services; trade execution and related processing, pricing, client servicing, and recordkeeping; and financial and regulatory reporting.
This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.