In light of COVID-19, the U.S. Securities and Exchange Commission ("SEC"), recognizing that RIA Firms are facing operational, technological, commercial and other issues, has also outlined "regulatory and compliance questions and considerations" for SEC-registered Firms on these issues. The SEC's full alert on this subject is available here.
What does this mean for you? It means that the SEC will review, during an audit, whether a Firm has addressed these issues.
The SEC has recommended that RIA Firms should review the following broad categories:
- Protection of Client Information
- Protection of Client Assets
- Practices Involving Fees and Expenses
- Supervision of Personnel
- Business Continuity
Areas of Risk and Focus
1. Protection of Client Information
RIA Firms have an obligation to protect clients' personal information. In particular, Firms using videoconferencing and other electronic means to communicate while working remotely create the following issues:
- Vulnerabilities around the potential loss of sensitive information. This risk is attributed to, among other things: (1) remote access to networks and the use of web-based applications; (2) increased use of personally owned devices; (3) changes in controls over physical records, such as sensitive documents printed at remote locations; and (4) the absence of personnel at Firms' offices.
- More opportunities for fraudsters to use phishing and other means to improperly access systems and accounts by impersonating Firms' personnel, websites, and/or investors.
- The need to enhance Firms' identity protection practices.
- Providing Firm personnel with additional training and reminders related to: (1) phishing and other targeted cyberattacks; (2) sharing information while using certain remote systems (e.g., unsecure web-based video chats); (3) encrypting documents and using password-protected systems; and (4) destroying physical records at remote locations.
- Using validated encryption technologies to protect communications and data stored on all devices, including personally owned devices.
- Ensuring that remote access servers are secured effectively and kept fully patched.
2. Protection of Client Assets
Each Firm has a responsibility to ensure the safety of its investors' assets and to guard against theft, loss and misappropriation. Firms should update their supervisory and compliance policies and procedures to reflect any adjustments made. Firms should consider disclosing to investors that checks or assets mailed to the Firm's office location may experience delays in processing until personnel are able to access the mail or deliveries at that office.
Firms should review and make any necessary changes to their policies and procedures around disbursements to investors, including where investors are taking unusual or unscheduled withdrawals from their accounts, particularly COVID-19-related distributions from their retirement accounts. Thus, a Firm should consider implementing additional steps to validate the identity of the investor and the authenticity of disbursement instructions. A Firm may also want to recommend that each client have a trusted contact person in place, particularly for seniors and other vulnerable investors.
3. Fees and Expenses
Firms have the obligation to inform clients about the cost of services and investment products, and the related compensation received by the Firms or their supervised persons. The current situation may have increased the potential for problems regarding:
- Financial conflicts of interest, such as: (1) recommending retirement plan rollovers to individual retirement accounts, workplace plan distributions, and retirement account transfers into advised accounts or investments in products that the Firms or their personnel are soliciting; (2) borrowing or taking loans from investors and clients; and (3) making recommendations that result in higher costs to clients and/or that generate greater compensation for supervised persons.
- Fees and expenses charged to investors, such as advisory fee calculation errors, including valuation issues causing over-billing of advisory fees, and inaccurate calculations of tiered fees, including failure to provide breakpoints and aggregate household accounts.
- Policies that: (1) validate the accuracy of Firms' disclosures, including fee and expense calculations, and the investment valuations used, and (2) identify transactions that result in high fees and expenses to clients, monitor for such trends, and evaluate whether these transactions were in the best interest of clients.
4. Supervision of Personnel
Firms are obligated to supervise their personnel, including providing oversight of supervised persons' investment and trading activities, even though telework is conducted from dispersed remote locations, notwithstanding that the Firm is responding to operational, technological and other challenges. Firms may wish to modify their practices to address:
- Supervisors not having the same level of oversight and interaction with supervised persons when they are working remotely.
- Supervised persons making securities recommendations in market sectors that have experienced greater volatility or may have heightened risks for fraud.
- The impact of limited on-site due diligence reviews and other resource constraints associated with reviewing third-party managers, investments, and portfolio holding companies.
- Communications or transactions occurring outside of the Firms' system due to personnel working from remote locations and using personal devices.
5. Business Continuity
Firms also should consider their ability to operate critical business functions during emergency events. Many Firms have shifted to predominantly operating from remote sites, and these transitions may raise compliance issues such as:
- Firms' supervisory and compliance policies and procedures utilized under "normal operating conditions" may need to be modified or enhanced to address some of the unique risks and conflicts of interest present in remote operations.
- Firms' security and support for facilities and remote sites may need to be modified or enhanced. Firms should consider whether additional resources and/or measures for securing services and systems are needed; whether the integrity of vacated facilities is maintained; whether sufficient support for personnel operating from remote sites is provided; and whether remote location data is protected.
Firms should review their continuity plans to address these matters, make changes to compliance policies and procedures, and provide disclosures to clients if their operations are materially impacted.
Many complications and impediments to your business have arisen in today's environment. However, the SEC remains vigilant and is auditing RIA Firms. Thus, RIA Firms must be diligent in their legal and supervisory responsibilities.