OCIE Raises Concerns Regarding Physical and Cyber Security, Supervision, and Business Continuity

Perkins Coie

The Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (the SEC) issued a risk alert (the risk alert) on August 12, 2020, highlighting COVID-19 pandemic-related risks and considerations for broker-dealers and investment advisers. As OCIE notes in the risk alert, the COVID-19 pandemic has required firms to operate remotely for an extended period and has resulted in an increase in fraudulent activity due to heightened market volatility. These conditions create new stresses on broker-dealers’ and investment advisers’ compliance obligations and efforts. OCIE identified six compliance areas that require more nuanced focus: (1) protection of investors’ assets; (2) supervision of personnel; (3) fee, expense, and financial transaction practices; (4) investment fraud; (5) business continuity; and (6) protection of investor and other sensitive information.

1. Protection of Investors’ Assets

The federal securities laws require broker-dealers and investment advisers to ensure the safety of investors’ assets and to guard against theft, loss, and misappropriation.[1] OCIE has observed a number of changes in market participants’ behaviors as a result of the COVID-19 pandemic, namely in their procedures and practices for collecting and processing client checks and transfer requests sent via the U.S. Postal Service. Further, OCIE noted that withdrawals from retirement accounts will likely increase.

Firms should be cognizant of these changes and review their practices, policies, and procedures, as well as employee trainings accordingly, especially as they relate to check handling.[2] Additionally, firms should have a process to authenticate and verify a client’s identity and fund disbursement instructions.[3]

2. Supervision of Personnel

It is well established that broker-dealers and investment advisers have an obligation to proactively supervise their personnel, including by overseeing their investment and trading activities, and firm policies and procedures should be tailored to the firm’s business activities and operations.[4] OCIE notes that in response to the COVID-19 pandemic, firms have implemented widespread if not universal remote working while also navigating the myriad issues associated with ongoing market volatility. OCIE suggests that in this context firms should modify their practices to address the following concerns and challenges:

  • Remote Supervision: Supervisors do not have the same level of physical and proximity oversight and interaction with supervised persons in remote working environments.
  • Securities Recommendations: Supervised persons may be making securities recommendations in market sectors that have experienced greater volatility or have a heightened risk of fraud.
  • Limited On-Site Diligence Reviews: On-site due diligence reviews are limited and other resources are constrained with respect to the review of third-party managers, investments, and portfolio holding companies.
  • Off-System Communications: Communications or transactions may occur outside of firms’ surveilled and monitored information technology systems as work is performed from remote locations and on personal devices.
  • Remote Oversight of Trading: Trading oversight must be conducted remotely, including timely reviews of affiliated, cross, and aberrational trading, particularly in high volume investments.

3. Fees, Expenses, and Financial Transactions

Broker-dealers and investment advisers have disclosure obligations regarding the fees they charge and conflicts of interest.[5] OCIE notes that the COVID-19 pandemic has potentially increased misconduct opportunities regarding financial conflicts of interest and adherence to risk, fee, and expense disclosure obligations, which can be exacerbated by volatile market conditions. OCIE suggests that firms consider enhancing their compliance monitoring, policies, and procedures as noted below:

  • Validation: Ensure consistent, accurate, and timely validation of disclosures and expense calculations.
  • High Fee or Expense Transactions: Identify, track, and review the appropriateness of transactions that result in high fees and expenses to investors.
  • Loans From Investors: Evaluate the risks associated with borrowing from investors, clients, and other parties that create conflicts of interest.[6]

4. Investment Fraud

OCIE and SEC Enforcement staff have observed instances of alleged investment fraud arising during the COVID-19 pandemic, and the SEC has halted trading and/or taken enforcement action. OCIE warns firms to be aware of these risks and to affirmatively report any potential fraud to the SEC. Further, firms should be mindful of their SAR reporting obligations and ensure that all conduct that warrants a filing is being flagged and timely reports are being submitted. 

5. Business Continuity

Business continuity and disaster recovery should be a primary focus for broker-dealers, investment advisers, and other businesses as they have migrated to remote working environments.[7] OCIE expects firms to be mindful of compliance and operational risks and potential impacts to operations and to take steps to mitigate such risks.

Particularly with respect to physical and cybersecurity, OCIE guides firms to consider whether:

  • Additional resources and/or measures for securing servers and systems are needed.
  • The integrity and security of vacant facilities is maintained.
  • Relocation infrastructure and support for personnel operating from remote sites is necessary.
  • Remote location data is protected.

Further, firms should be prepared to provide disclosures to clients in the event the firm’s operations are materially affected. Firms that use third-party service providers should be actively coordinating with service providers to verify and ensure capacity, security, and continuity.

6. Protection of Sensitive Information

Pursuant to the federal securities laws,[8] broker-dealers and investment advisers are obligated to protect investors’ personally identifiable information (PII). OCIE notes that the increase in videoconferencing and other electronic communications may compromise PII and other sensitive information and create increased opportunities for nefarious actors to access clients’ information. To mitigate these risks, OCIE recommends that firms review their policies and procedures and consider enhancing identity protection practices, providing trainings on cyberattacks for supervised personnel, and using heightened cybersecurity measures such as multifactor authentication for access rights and other encryption protections for data.

Conclusion

OCIE’s risk alert is the most recent indication that the SEC, along with other regulators like FINRA and the Commodity Futures Trading Commission, is constantly monitoring the potential increased risks to investors, capital formation, and the financial markets during these. The risk alert highlights various risks and concerns that OCIE has identified for broker-dealers and investment advisers as the pandemic lingers. Now, and always, firms should remain proactively focused on identifying, monitoring, assessing, and mitigating risks to their clients and operations. In addition, firms should be actively coordinating with regulators and third-party service providers, where applicable, in their efforts to identify and ameliorate issues. 

Please contact experienced securities regulatory counsel with any questions about these developments and their applications to an individual or business.

Endnotes

[1] Rule 206(4)-2 (the Custody Rule) under the Investment Advisers Act of 1940 (the Advisers Act) requires advisers with custody of client funds or securities to safeguard those assets against theft, loss, or misappropriation. Rule 15c3-3 under the Securities Exchange Act of 1934 (the Exchange Act) requires broker-dealers to obtain and maintain possession and control of all fully paid securities and excess margin securities.

[2] Investment advisers and broker-dealers have an obligation to promptly transmit investor checks. See the Custody Rule and Rule 15c3-3(k)(2) under the Exchange Act, respectively.

[3] OCIE also recommends that firms consider recommending that clients have a trusted contact person in place, particularly for seniors and other vulnerable investors. See Rule 2165 of the Financial Industry Regulatory Authority (FINRA) (FINRA exploitation rule) and FINRA Rule 4512(a)(1)(F) (FINRA trusted contact person rule).

[4] Rule 206(4)-7 under the Advisers Act requires advisers to adopt and implement written policies and procedures designed to prevent violations of the Advisers Act. Section 203(e)(6) of the Advisers Act authorizes the SEC to institute proceedings relating to the supervision of personnel. FINRA Rule 3110 requires broker-dealers to establish and maintain a system to supervise the activities of each associated person.

[5] For investment advisers, Section 206 of the Advisers Act imposes a fiduciary duty. See also Commission Interpretation Regarding Standard of Conduct for Investment Advisers, Inv. Adv. Rel. No. 5248 (July 12, 2019) (explaining that advisers’ fiduciary duties require them, among other things, to act in clients’ best interests). For broker-dealers, Regulation Best Interest requires that recommendations of securities transactions and investment strategies made to retail customers must be in the best interests of the customer and must not place the broker-dealer’s interests ahead of the customer’s.

[6] OCIE also notes that if investment advisers seek financial assistance, such as through the Payroll Protection Program under the Coronavirus Aid, Relief, and Economic Security Act, they may have an obligation to update their Form ADV Part 2.

[7] OCIE notes in Note 16 of the risk alert that the SEC has stated that “an investment adviser’s compliance policies and procedures should generally address business continuity plans.” For its member broker-dealers, FINRA Rule 4370 requires a written business continuity plan, which has taken on distinct importance during the COVID-19 pandemic. See also OCIE Statement on Operations and Exams - Health, Safety, Investor Protection and Continued Operations are our Priorities (Mar. 23, 2020) (explaining that in ongoing examinations, OCIE staff will work with firms to assess the impact of COVID-19 on their operational resiliency, including the implementation and effectiveness of business continuity plans); OCIE, Cybersecurity: Ransomware Alert (July 10, 2020) (discussing “an apparent increase in sophistication of ransomware attacks on . . . broker-dealers, investment advisers, and investment companies”) as well as our additional discussion of OCIE’s alert; and FINRA, Regulatory Notice 20-08, Pandemic-Related Business Continuity Planning, Guidance and Regulatory Relief (requesting that broker-dealers evaluate their compliance with FINRA Rule 4370 requiring the creation, maintenance, and updating of business continuity plans with procedures addressing emergency or significant business disruption events).

[8] See Regulation S-P and Regulation S-ID.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Perkins Coie | Attorney Advertising
