The SEC’s Office of Compliance Inspections and Examinations (OCIE) recently issued an alert to broker-dealers and registered investment advisors regarding its concerns over activities in the industry related to the challenges arising from COVID-19.
As part of its efforts, the OCIE made certain recommendations concerning:
- investor asset protection;
- personnel supervision;
- fees, expenses, and financial transactions policies;
- investment fraud;
- business continuity plans; and
- sensitive information protection.
Below, we share some of these observations in greater detail:
Protection Of Investor Assets
Firms may want to consider:
- Implementing additional steps to validate the identity of the investor and the authenticity of disbursement instructions, including whether the person is authorized to make the request and bank account names and numbers are accurate;
- Recommending that each investor has a trusted contact person in place, particularly for seniors and other vulnerable investors;
- Reviewing practices, and making adjustments where appropriate, in situations where investors mail checks to firms and firms are not picking up their mail daily. Firms may want to update their supervisory and compliance policies and procedures to reflect any adjustments made and to consider disclosing to investors that checks or assets mailed to the firm’s office location may experience delays in processing.
Supervision Of Personnel
Firms may wish to modify their practices to address:
- Supervisors not having the same level of oversight and interaction with supervised persons when they are working remotely.
- Supervised persons making securities recommendations in market sectors that have experienced greater volatility or may have heightened risks for fraud.
- The impact of limited on-site due diligence reviews and other resource constraints associated with reviewing of third-party managers, investments, and portfolio holding companies.
- Communications or transactions occurring outside of the firms’ systems due to personnel working from remote locations and using personal devices.
- Remote oversight of trading, including reviews of affiliated, cross, and aberrational trading, particularly in high volume investments.
- The inability to perform the same level of diligence during background checks when onboarding personnel – such as obtaining fingerprint information and completing required Form U4 verifications – or to have personnel take requisite examinations.
Fees, Expenses, And Financial Transactions
Firms may wish to review their fees and expenses policies and procedures and consider enhancing their compliance monitoring, particularly by:
- Validating the accuracy of their disclosures, fee and expense calculations, and the investment valuations used.
- Identifying transactions that resulted in high fees and expenses to investors, monitoring for such trends, and evaluating whether these transactions were in the best interest of investors.
- Evaluating the risks associated with borrowing or taking loans from investors, clients, and other parties that create conflicts of interest, as this may impair the impartiality of firms’ recommendations. Also, if advisers seek financial assistance, this may result in an obligation to update disclosures on Form ADV Part 2.
Investment Fraud
Firms should:
- Be cognizant that times of crisis or uncertainty can create a heightened risk of investment fraud and consider these risks when conducting due diligence on investments and in determining that the investments are in the best interest of investors.
Business Continuity
Firms should:
- Review their supervisory and compliance policies and procedures utilized under “normal operating conditions” to address some of the unique risks and conflicts of interest present in remote operations. For example, supervised persons may need to take on new or expanded roles in order to maintain business operations. These and other changes in operations may create new risks that are not typically present.
- Review security and support for facilities and remote sites that may need to be modified or enhanced. Relevant issues that firms should consider include, for example, whether: (1) additional resources and/or measures for securing servers and systems are needed, (2) the integrity of vacated facilities is maintained, (3) relocation infrastructure and support for personnel operating from remote sites is provided, and (4) remote location data is protected.
Protection Of Sensitive Information
Firms should assess their policies and procedures and consider:
- Enhancements to their identity protection practices, such as by reminding investors to contact the firms directly by telephone for any concerns about suspicious communications and for firms to have personnel available to answer these investor inquiries.
- Providing firm personnel with additional trainings and reminders, and otherwise spotlighting issues, related to: (1) phishing and other targeted cyberattacks; (2) sharing information while using certain remote systems (e.g., unsecure web-based video chat); (3) encrypting documents and using password-protected systems; and (4) destroying physical records at remote locations.
- Conducting heightened reviews of personnel access rights and controls as individuals take on new or expanded roles in order to maintain business operations.
- Using validated encryption technologies to protect communications and data stored on all devices, including personally-owned devices.
- Ensuring that remote access servers are secured effectively and kept fully patched.
- Enhancing system access security, such as requiring the use of multifactor authentication.
- Addressing new or additional cyber-related issues related to third parties, which may also be operating remotely when accessing firms’ systems.