In March 2020, at the outset of the COVID-19 pandemic, the U.S. Securities and Exchange Commission’s (“SEC”) Division of Enforcement issued a public statement that emphasized the importance of maintaining market integrity and following corporate controls and procedures during the COVID-19 crisis, which we have previously addressed.
Since that time, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) has, unsurprisingly, continued to conduct off-site examinations of and seek information from SEC-registered broker-dealers and investment advisers regarding operational resiliency challenges. As a result of these efforts, OCIE published a risk alert last week on Select COVID-19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisers (“Alert”), which sets forth observations and recommendations for broker-dealers and investment advisers to consider in six general categories: (1) protection of investors’ assets; (2) supervision of personnel; (3) practices related to fees, expenses, and financial transactions; (4) protection against investment fraud; (5) business continuity procedures; and (6) protection of investor information.
Protection of Investors’ Assets
The purpose of the Alert is, in part, to remind broker-dealers and investment advisers of their existing obligations to ensure the safety of client assets; namely, to guard against theft, loss, and misappropriation, and to process investors’ checks without undue delay. The Alert asks such entities to assess whether, due to the COVID-19 pandemic, changes need to be made to existing supervisory and compliance policies in order to ensure that obligations to protect investors’ assets are satisfied.
Specifically, OCIE recommends that broker-dealers and investment advisers:
- Review and make any necessary changes to policies and procedures around disbursements to investors, including where investors are taking unusual or unscheduled withdrawals from their accounts due to the current environment;
- Update policies and procedures to reflect any changes to payment processing practices;
- Implement additional security practices to validate the identity of an investor and authenticity of disbursement instructions; and
- Disclose to clients and investors that physical checks or other assets mailed to the office of the broker-dealer or investment adviser may be subject to delayed processing.
Supervision of Personnel
The COVID-19 pandemic has created a particularly challenging environment to supervise personnel as many, if not most, employees are working remotely. The Alert reminds broker-dealers and investment advisers to assess their internal controls and procedures to account for the unusual risks posed by the COVID-19 crisis and ensure that personnel are properly supervised. Specifically, OCIE encourages them to assess whether policy and procedural modifications are needed to address remote work and the diminished ability to have supervisory oversight of personnel.
Further, work in certain market sectors, such as healthcare, is at a higher risk for market volatility and potential fraud. Special scrutiny regarding employee access to material non-public information (“MNPI”) in these sectors is appropriate. Policies should be evaluated to determine whether they are sufficient to detect likely insider trading issues, such as trading on MNPI, impermissible affiliate transactions, and cross-trading.
OCIE recommends that broker-dealers and investment advisers:
- Review the adequacy of existing monitoring protocols for investments, trading, and communications of employees working remotely, particularly where communications or transactions may be occurring via personal devices;
- Ensure sufficient monitoring of securities recommendations, particularly in volatile market sectors that pose a heightened fraud risk;
- Provide written guidance to all officers, directors, and employees reminding them of monitoring protocols and emphasizing the importance of their obligations to keep MNPI that they may have access to confidential, particularly in a remote work environment; and
- Review due diligence and verification practices for new hires and third-party managers in light of on-site review limitations.
Practices Relating to Fees, Expenses, and Financial Transactions
As OCIE recognizes, recent market volatility may incentivize broker-dealers, investment advisers, and their employees to attempt to make up for lost revenues by engaging in potential misconduct, particularly with regard to conflicts of interest and charges for fees and expenses.
OCIE recommends that broker-dealers and investment advisers:
- Increase monitoring and validation procedures related to the accuracy of disclosures, fee and expense calculations, and investment valuations;
- Increase scrutiny of recommendations and transactions that result in high fees or expenses to customers, such as termination fees or high up-front charges, to determine if such recommendations are compliant with applicable investor requirements; and
- Identify and monitor transactions that may create conflicts of interest, such as borrowing from investors or recommending retirement plan transfers into advised accounts or investments in products that the entity is soliciting.
Protection Against Investment Fraud
With market uncertainty and volatility, there is a heightened risk of investment fraud. With the COVID-19 pandemic, OCIE advises broker-dealers and investment advisers to be particularly cognizant of these risks when conducting due diligence on investments and in determining whether particular offerings are in the best interests of their clients.
Business Continuity Procedures
OCIE recommends that broker-dealers and investment advisers review their business continuity plans to consider issues related to operational changes and disruptions as a result of the COVID-19 pandemic.
OCIE advises that broker-dealers and investment advisers:
- Review business continuity plans to ensure that the unique risks of protracted remote operations are addressed, including with key person succession plans and redundancy plans for critical infrastructure and operations;
- Update supervisory and compliance policies and procedures to account for the risks posed by a remote work environment;
- Enhance security procedures for company networks and data; and
- Provide adequate disclosures to clients if and when operations are materially impacted.
Protection of Investor and Other Sensitive Information
OCIE is particularly concerned with ensuring broker-dealers and investment advisers have proper safeguards to protect investor records and information, including clients’ personally identifiable information (“PII”), as such entities rely more on video conferencing tools and employees use personal devices. OCIE believes that the communication methods that have become part of the “new normal” in the COVID-19 environment create vulnerabilities with respect to the protection of investor and other sensitive information.
In order to address risks related to the protection of investor information, OCIE recommends that broker-dealers and investment advisers:
- Enhance current systems and processes, including limiting personnel access rights to confidential information in company systems, requiring multifactor authentication for systems access, providing additional systems-related training for personnel, and adopting encryption technology to protect remote communications and data;
- Remind clients to contact the entity directly regarding any account inquiries or other suspicious communications; and
- Provide personnel with additional training on issues such as cybersecurity, phishing, and information sharing on remote systems.
Conclusion and Recommendations
The Alert makes clear that OCIE is particularly concerned with risks related to the safekeeping of investor assets, protracted remote operations and work, and market volatility. The six specific issues outlined in the Alert are likely areas of focus for future OCIE inspections and examinations. Historically, risk alerts such as these have been the basis for later SEC enforcement sweeps.
In light of specific guidance from the SEC, broker-dealers and investment advisers should be especially careful and proactive about addressing potential deficiencies that are likely to arise from the COVID-19 work environment, particularly with remote employees and operations. In light of this guidance, we advise broker-dealers and investment advisers to consider reviewing and assessing the effectiveness of internal policies, controls, and procedures to ensure they are sufficiently specific to address the risks listed by OCIE and COVID-19 disruptions. Modifications should be reflected in written policies and procedures as appropriate.
Broker-dealers and investment advisers should provide written guidance to all officers, directors, and employees to remind them of company policies and their obligations. Regular compliance training continues to be important. Such entities should implement or otherwise continue regular compliance training via video conferencing or other means to address the specific risks posed by the COVID-19 pandemic, remote work environment, and expected increased scrutiny on areas addressed in the Alert.