The Office of Compliance Inspections and Examinations (OCIE) recently issued a Risk Alert (the “Alert”) regarding its findings and observations during the COVID-19 pandemic. The Alert pertains to both SEC registered investment advisers and broker-dealers and covers the SEC’s interactions with firms, investors, and the general public since March of this year.
The primary categories addressed within the Alert are:
- Asset protection
- Employee supervision
- Fees, expenses, and transaction practices
- Business Continuity practices
- Data security and protection
Investor Assets
Both broker-dealers and investment advisers have a duty to protect client assets. As fraudulent activity has increased during the pandemic, firms should take precautions to protect customer assets. For investment advisers this obligation falls under the Adviser’s Act Custody Rule 206(4)-2 and for broker-dealers it’s Rule 15c3-3 of the Exchange Act. Both of these rules require that a firm properly authenticate customer transactions and movement of funds. This can be achieved by:
- Validating customer identity when a distribution request is received and authenticate the disbursement instructions
- Ensuring that each client has a trusted contract person on file in case additional verification may be needed if a client demonstrates reduced mental capacity or appears vulnerable
Personnel Supervision
Rule 206(4)-7 of the Advisers Act and FINRA Rule 3110(b) require registrants to maintain and implement effective written supervisory procedures as part of their compliance programs. Now that most firms are in a remote work environment, supervising employees effectively is more challenging for both supervisors as well as employees in the rank and file. Firms may need to modify their supervisory practices to include:
- How supervision occurs during a remote work environment
- The effect of increased fraud and volatile markets on the investment decision making process
- Limits on due diligence reviews caused by lack of onsite visits
- Employees use of personal systems and devices for firm communications or transactions
- Remote oversight of firm trading activities
- Remote on-boarding of personnel and limitations of the process
Fees, Expenses, and Financial Transactions
OCIE is concerned about the potential for employee or firm misconduct regarding certain high risk areas such as the calculation of fees, expenses, and use of higher cost transactions. Recent market volatility may provide a financial incentive for firms or employees to take advantage of customers by putting them in higher cost products or valuing assets in a way to increase fees collected. To prevent this, firms should proactively monitor for:
- Financial conflicts of interest between the firm, employees, and customers
- Review and monitor fees and expenses charged to clients to reduce errors and overbilling
- Validate the accuracy of client disclosures regarding fees and expenses
- Review transaction trends to identify those transactions in higher cost products that may not have benefited the client
- Review any loans taken to ensure proper disclosures in Form ADV Part 2
Business Continuity
Every firm has implemented its Business Continuity Plan (BCP) at some point during the COVID-19 pandemic. Many firms are still operating remotely, but some are back in the office depending on geographic location and risk factors. Successful implementation of the BCP depends on constant monitoring of the risks posed by operating critical business systems remotely. Firms should consider the following risks when reviewing and updating BCPs:
- Unique risks of protracted, long-term remote work by a large volume of staff
- How employee roles have expanded or changed during the remote work period
- Resource levels regarding the security of servers and systems
- Maintaining the integrity of vacated office space
- Relocation support levels for key personnel
- Built-in redundancies for key systems and succession plans for key personnel
Data Security
The risks surrounding the collection and maintenance of personally identifiable information (PII) are always a factor in the financial industry. SEC registrants need to take extra care of customer data when that data is being accessed and collected remotely. OCIE expressed concern regarding how customer data is being shared via videoconferencing or other electronic means. Expect OCIE to closely review the following risks regarding data security:
- Vulnerabilities around the loss of PII via web-based applications, personally owned devices, changes in controls over physical records and printing in remote locations
- Phishing schemes used to impersonate personnel, websites, and investors
OCIE mentioned several ways firms may enhance and update controls around data security, such as:
- Remind investors to contact the firm if any communications appear suspect
- Provide additional training to firm employees on phishing, cybersecurity, information sharing, etc. while working remotely
- Perform heightened reviews of system access rights and controls
- Utilize encryption to protect communications on all devices, including those personally owned
- Secure remote access servers and keep them patched as needed
- Utilize multi-factor authentication for system security
- Know the risks of third party providers
It’s clear the SEC acknowledges that the remote work environment for registrants will likely last for longer than was expected. The SEC staff itself continues to operate remotely even with its exams still ongoing. The Alert serves as a good reminder of the best practices both advisers and broker-dealers should be taking to ensure compliance success in a remote world that will meet current SEC expectations.
