The U.S. Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) has issued a Risk Alert on the COVID-19-related risks, issues, and challenges faced by SEC-registered investment advisers and broker-dealers, including those resulting from the widespread use of telecommuting practices and pandemic-related market volatility.
OCIE recommends that firms take active steps to assess their practices in the following areas and to adjust their practices as necessary to address relevant risks:
Protection of investors’ assets
- Collecting and processing investor checks and investment transfer requests sent by mail to the firm’s offices, including the supervision of these processes and the disclosure of material facts to investors (e.g., delays resulting from the firm not picking up their mail daily)
- Processing disbursements to investors, including validating the identity of the investor as well as the authenticity and accuracy of the disbursement instructions. To that end, OCIE suggests that firms may recommend that each investor have a trusted contact in place, especially for potentially vulnerable investors, such as seniors
Supervision of personnel
- Supervision of personnel in remote environments where there is limited direct interaction with supervised persons
- Supervision of market recommendations in sectors with greater market volatility or that are otherwise at greater risk for fraud
- Conducting due diligence and oversight of third-party managers, portfolio holding companies, and investments where the firm is unable to conduct on-site visits or is otherwise resource constrained
- Supervision of communications and/or transactions made outside of the firm’s systems because of personnel working remotely and using personal devices for business purposes
- Trade surveillance, including for affiliated, cross, and aberrational trading, especially with high-volume investments
- Conducting diligence of personnel during onboarding (e.g., obtaining fingerprints) or requiring personnel to take examinations that are required for their job functions
Practices related to fees, expenses, and financial transactions
- Assessing conditions (such as poor investment performance or diminishing fees) that may increase the potential for misconduct related to financial conflicts of interest (such as recommending that clients transfer assets into advised accounts or investments that result in greater compensation for the firm, or entering into loans with clients and investors), inaccurate calculation of fees and expenses, and failure to refund prepaid fees and expenses when a client terminates their account
- Validating the accuracy of disclosures, calculations, and valuations pertaining to fees and expenses
- Assessing transactions that resulted in high fees and expenses to investors and making sure that they are in the best interest of investors
- Diligence of investments in consideration of the potentially heightened risk of investment fraud during times of crisis and reporting of all suspected fraud to the SEC
Business continuity planning (BCP) practices
- Assessing supervisory policies and procedures applicable to “normal operating conditions” during periods of protracted remote operations
- Security of servers and systems, integrity of vacated facilities, infrastructure and support for personnel operating remotely, and protection of data in remote locations
- Redundancies for key operations and key personnel to ensure the firm’s ability to provide critical services to investors
Protection of investors’ and other sensitive information
- Addressing vulnerabilities to sensitive information, including investor personally identifiable information (PII), resulting from remote operations, videoconferencing, remote access to networks, increased use of personal devices, and changes in controls over physical records
- Assessing conditions that may create additional opportunities for bad actors to commit fraud through phishing and other means
- Practices to prevent identity theft
- Training staff to recognize and prevent phishing and other social engineering schemes that aim to gain fraudulent and unlawful access to credentials, transaction approvals, etc.
- Provisioning of access rights and controls, particularly as personnel may take on additional responsibilities to continue operating during the pandemic
- Encryption of data and communications stored on all devices, including personal devices being used for business purposes
- Security of remote access servers, including practices to ensure they are fully patched
- Security of system access, including the use of multi-factor authentication
- Addressing information security concerns associated with third-party service providers
Throughout the COVID-19 pandemic, the SEC’s OCIE has been conducting examinations remotely and the Division of Enforcement has continued to bring enforcement cases. OCIE has also been engaging in outreach and other efforts to understand and address registrants’ resiliency challenges during the pandemic. Firms should take heed of the OCIE Risk Alert, both as an indicator of future examination priorities and as a set of guidelines for reducing risks related to COVID-19.
Specifically, firms should:
- Enhance employee supervision to detect potential risk, compliance, and conduct-related issues resulting from the remote working environment. This includes:
  - conducting additional surveillance of their firm-wide trading activity, employees’ personal trading activity, employee conduct, electronic communications, telephone conversations, etc., including ensuring their trade surveillance solution is properly calibrated to detect insider trading. ACA has developed a surveillance gap analysis checklist to assist with this review.
  - ensuring their employees are adequately trained on how to identify material non-public information (MNPI) and prevent insider trading. ACA’s web-based insider trading awareness training is free until September 4 to help firms meet this need.
- Increase cybersecurity and cyber resilience. Be proactive about identifying fraudulent activity, social engineering schemes, and other efforts by bad actors to take advantage of the crisis. Ensure employees are adequately trained on these topics and kept apprised of emerging risks. ACA offers web-based cybersecurity awareness training to help firms meet this need.
- Pay attention to fee structures, expenses, and high-volume transactions, making sure to avoid actions that benefit the firm to the disadvantage of the investor.
- Review and enhance business continuity planning (BCP) practices to ensure the firm can continue to operate in compliance with its compliance policies and procedures and regulatory expectations despite the remote working environment. ACA has developed a BCP checklist to assist firms with this review.
- Protect sensitive information, including conducting vendor and third-party due diligence, enhancing cybersecurity, monitoring access controls, and protecting, encrypting, and safeguarding documents.
- Surveillance Program Gap Analysis Checklist (Download)
- Business Continuity Planning Checklist (Download)
- Compliance Officer’s Checklist for the Next Phase of COVID-19 (Download)
- ACA's Online Insider Trading Awareness Training (Free Until September 4)
- OCIE Risk Alert Highlights Private Fund Adviser Deficiencies Related to Conflicts of Interest, Fees and Expenses, and MNPI / Code of Ethics
- COVID-19 Has Regulators Homing in on Insider Trading and Market Abuse – Is Your Surveillance Program Ready for Increased Scrutiny?
- OCIE Risk Alerts Warns of Increase in Ransomware Attacks
- SEC Examination Requests Related to COVID-19 Business Continuity and Operational Resilience
For More Information
ACA can help your firm review and address the risk areas noted in OCIE’s Risk Alert to ensure your firm continues to meet its regulatory obligations during the pandemic. For more information about this guidance, or to find out how ACA can help your firm comply, please contact your consultant or contact us below.