The Securities and Exchange Commission (“SEC”) last week published its observations from the first five months operating the SEC’s national examination program during the ongoing COVID-19 pandemic.[i] This is the latest pronouncement by the SEC in its ongoing efforts to adapt its programs to meet the challenges of the pandemic and provide investors and regulated entities advice regarding emerging risks and operational practices. It follows on the heels of the April 24 announcement of a Cross-Divisional COVID-19 Market Monitoring Group[ii] and pandemic-related alerts by other SEC Divisions and Offices.[iii]

In a Risk Alert published on August 12, 2020, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) identified six categories of observations from a period that it acknowledged has been marked by new challenges that have raised important regulatory and compliance considerations for broker-dealers and investment advisers. The Risk Alert focused on: (1) protection of investors’ assets; (2) supervision of personnel; (3) practices relating to fees, expenses, and financial transactions; (4) investment fraud; (5) business continuity; and (6) the protection of investor and other sensitive information.

OCIE’s observations offer a window into the staff’s thinking on the key novel issues that have arisen during examinations conducted during this new (ab)normal. Although many of OCIE’s identified risks are fundamental components of a compliance program for retail-facing broker-dealers and investment advisers, the emphasis on these areas at the current time is likely well-served and almost certain to be a component of current remote OCIE examinations — especially with the recent announcement of OCIE’s formation of the Event and Emerging Risks Examination Team.[iv]

Protection of Investors’ Assets — Checking the Mail, Adjusting Disbursement Procedures, Updating Investors’ Trusted Contacts

Reminding firms that they have a responsibility to safeguard investor assets, OCIE encouraged firms to review their practices, as well as their formal policies and procedures, to potentially make adjustments given the new patterns of work. For example, normal practices as basic as collecting and processing investors’ checks and transfer requests may be impacted if no one is at the office to receive the mail each day.

OCIE also suggested that firms consider adjusting policies and procedures around disbursements to investors, since investors may need to take withdrawals in circumstances and times that might be outside of the norm in a non-pandemic context. For example, the Coronavirus Aid, Relief and Economic Security (CARES) Act allowed for early withdrawals from certain tax-advantaged retirement accounts during the pandemic. Given the upheavals in the labor market and the number of individuals potentially changing employment, the numbers of hard-copy “rollovers” requiring additional manual attention have likely increased at many firms.

On a related note, OCIE also pointed out that firms might consider recommending to investor clients — particularly seniors and those in other populations vulnerable to the Coronavirus — that they list on file a trusted contact person.

Supervision of Personnel — Not as Easy from Afar

OCIE observed that, as firms adjust to dramatically different work arrangements (e.g., firm-wide telework, widely dispersed teams, use of non-firm work systems), they should also review and potentially modify the supervisory and compliance structures to fit the new reality. Of course, on top of the radical changes in how work takes place, several financial markets have also experienced significant volatility, which places an even greater focus on certain aspects of firms’ supervisory responsibilities.

The Risk Alert spotlighted several realities that may merit modifications to a firm’s practices.

• Supervisors simply do not have the same level of direct oversight and interaction in a remote-work reality.
• Supervised persons may be operating in markets with greater volatility and increased risks of fraud.
• Firms may be limited in the scope of diligence they can conduct on third-party managers, particular investments, and portfolio holding companies.
• Communications and transactions may be taking place outside the firm’s own systems, as employees work remotely and use personal devices.
• Oversight of certain types of trading (e.g., affiliated-, cross-, and aberrational trading) may be more challenging, especially if done at high-volumes.
• Firms may be inhibited in the level of background checks they can perform on new personnel, and personnel may not be able to take required examinations.

For firms that may have associated persons subject to heightened supervision, the current pandemic does not necessarily relieve them of these obligations. Firms should likely continually assess how they can modify their supervision of associated persons presenting greater compliance risk.

Practices Relating to Fees, Expenses, and Financial Transactions — Beware the Drive to “Catch Back Up”

Like many businesses across the U.S. economy, and the entire world, some SEC-regulated entities may have faced significant financial hardships during the downturn caused by the pandemic. OCIE’s Risk Alert warned that certain firms and personnel may therefore feel pressure to “compensate for lost revenue.” And with those incentives comes a heightened risk of misconduct around such things as financial conflicts of interest (e.g., recommending certain accounts or products beneficial to the firm or borrowing from clients) or fees and expenses charged to investors (e.g., advisory fee calculation errors, inaccurate calculation of tiered fees, or failure to refund prepaid fees).

OCIE recommended reviewing policies and procedures around fees and expenses, as well as bolstering processes in place to ensure compliance. Such steps might include: adding validation steps to confirm the accuracy of disclosures, fee/expense calculations, and valuations; more closely monitoring and assessing high-fee transactions; and evaluating the risks around borrowing from clients and other situations that might “impair the impartiality of Firms’ recommendations.”

Investment Fraud — Be Even More Vigilant

Even in normal times, firms know to keep an eye out for frauds and to report them to the authorities. The Risk Alert added an extra word of caution: “times of crisis or uncertainty can create a heightened risk of investment fraud through fraudulent offerings.” OCIE noted, for example, that the SEC has already suspended trading for many issuers relating to supposed COVID-19 cures, vaccines, and other false and misleading claims.

Business Continuity — Even “Normal Operating Conditions” Have Probably Changed

OCIE encouraged firms to review their business continuity plans, make any necessary changes in light of the current working realities, and potentially provide disclosures to investors if operations are materially impacted. On the one hand, policies and procedures that firms use under “normal operating conditions” may need to be modified. On the other hand, firms may need to consider a number of issues to protect mission-critical services, such as (1) additional resources for securing servers and systems, (2) maintaining vacated offices/facilities, (3) providing necessary infrastructure and support for those working from remote sites, and (4) protecting remote location data. Firms may find they need to develop new redundancies for key operations and key person succession plans.

Protection of Investor and Sensitive Information — With Great Flexibility Comes Great Responsibility

The SEC has been increasingly focused in recent years on protecting investors’ personally identifiable information. OCIE’s Risk Alert reiterated that focus in light of the many new potential vulnerabilities created from practices during the pandemic. The boom in videoconferencing and other non-traditional electronic communications, for example, means remote access to firm networks, the use of web-based third-party applications, increased use of personally owned devices, and the possibility of sensitive documents being printed or otherwise available to see in non-firm settings. The increased reliance on electronic communication also means more opportunities for phishing, impersonation, and other common methods of gaining improper access to a firm’s systems. OCIE recommended a list of considerations for firms on the topics of access to systems, investor data protection, and cybersecurity, including:

• Enhancing identity protection practices;
• Providing additional training and reminders about basic cybersecurity instincts (e.g., being wary of phishing, encrypting documents, using passwords, destroying physical records);
• Conducting heightened reviews of access rights and controls granted to particular personnel;
• Using encryption to protect communications and data;
• Securing remote access servers and keeping up with software upgrades/patches;
• Requiring multi-factor authentication and other enhanced access methods; and
• Addressing cyber-related issues of vendors, counterparties, and other third-parties that are also likely operating remotely, including when they access the firm’s own systems.

Conclusion

The last several months have certainly brought a myriad of changes to the way we live our lives, and only time will tell which, if any, changes will stick. But we can say with certainty that the SEC will continue expecting broker-dealers and investment advisers to adjust their operations — and their formal policies and procedures — to fit whatever the new normal may be. As long as personnel are advising and investing on behalf of investors from their home offices, attics, and dining room tables, firms will need to ensure firm policies and procedures fit that reality. The observations in OCIE’s recent Risk Alert are a welcome roadmap to their expectations in this new environment and a clear reminder of compliance requirements that will not be considered optional no matter the changes in the workplace.

[i] “Select COVID-19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisers,” SEC Office of Compliance Inspections and Examinations Risk Alert, Aug. 12, 2020.

[ii] “SEC Forms Cross-Divisional COVID-19 Market Monitoring Group,” SEC Press Release, Apr. 24, 2020.

[iii] For a compilation of COVID-19 pandemic-related relief, guidance, and other announcements from various financial regulators, including the SEC, please see King & Spalding’s “COVID-19 Regulatory Roundup” web page.

[iv] “SEC Announces Creation of the Event and Emerging Risk Examination Team in the Office of Compliance Inspections and Examinations and the Appointment of Adam D. Storch as Associate Director,” SEC Press Release, Jul. 28, 2020.