SEC Proposes New Rules on Preparing for a Business Disruption
Early last week, the SEC proposed rules which would require SEC-registered investment advisers &ldquoldquo;to adopt and implement written business continuity and transition plans reasonably designed to address operational and other risks related to a significant disruption in the investment adviser’s activities.” The proposal would also amend Rule 204-2 under the Advisers Act to require such advisers to establish and retain all business continuity and transition plans that are currently in effect or were in effect at any time within the past five years. This brings the U.S. regulations closer to the current requirements of the UK’s Financial Conduct Authority (“FCA”) to establish, implement and maintain an adequate business continuity policy.
It is well known that, as fiduciaries, investment advisers owe their clients a duty of care and a duty of loyalty, requiring them to put their clients’ interests above their own. This sentiment is embodied in the FCA’s Principles for Businesses, but until now did not have a formal counterpart in regulation in the U.S. It has long been expected by the SEC staff that, because an adviser’s fiduciary duty obligates it to take steps to protect client interests from being placed at risk as a result of the adviser’s inability to provide advisory services, clients are entitled to assume that advisers have taken the steps necessary to protect those interests in times of stress, whether that stress is specific to the adviser or the result of broader market and industry events. Nonetheless, in a step towards changing the assumption to fact, in the proposed rules, the SEC has stated that “it would be fraudulent and deceptive for an adviser to hold itself out as providing advisory services unless it has taken steps to protect clients’ interests from being placed at risk as a result of the adviser’s inability (whether temporary or permanent) to provide those services.”
The SEC noted that many investment advisers have taken critical steps to address and mitigate the risks of business disruptions, regardless of the source, as a prudent business measure, and that advisers have managed operational and other risks through internal practices, procedures, and controls, and have typically engaged legal, compliance, or audit staff to assist with their assessment. The SEC has also seen independent assessments performed by third-party audit or compliance firms.
However, the SEC also cited the fact that its examination staff has observed numerous advisers with less robust planning which has caused them to experience interruptions in their key business operations and created inconsistencies in maintaining communications with clients and employees during periods of stress. Based on these findings, the SEC is proposing to require advisers adopt and implement written business continuity and transition plans that include certain specific components, and to maintain relevant records of those plans, in order to facilitate robust business continuity and transition planning across all SEC-registered advisers. Comparatively, while the FCA has long indicated specific components to be included in such plans, these remain as non-mandatory guidance provided that the core requirement to establish, implement and maintain an adequate business continuity policy is met. Thus, FCA authorised firms which are also SEC-registered should review their business continuity and transition plans in light of the proposed rules issued by the SEC.
Business continuity situations generally include natural disasters, acts of terrorism, cyber-attacks, equipment or system failures, or unexpected loss of a service provider, facilities, or key personnel. Business transitions generally include situations where the adviser exits the market and thus is no longer able to serve its clients, including when it merges with another adviser, sells its business or a portion thereof or in unusual situations, enters bankruptcy proceedings, or where there is a Key Man event. Some advisers have already implemented some form of business continuity or disaster recovery procedures. Similarly, in the normal course of business, some advisers have adopted procedures to allow them to routinely transition client accounts without a significant impact to themselves, their clients, or the financial markets. However, the SEC staff noted that many advisers have failed to consider what would happen if the adviser is impacted by broader market events which might affect their ability to continue operations and possibly lead to a transition event. The SEC noted that “operational risks are not limited to affecting the day-to-day operations of an adviser, but can lead to a financial services firm having to cease or wind-down operations while also considering how to safeguard client or investor assets.” Proper planning and preparation for possible distress and other significant disruptions in an adviser’s operations is essential to ensure that, if an entity must exit the market for whatever reason, it will do so in an orderly manner with minimal or no impact on its clients.
Under the proposed rule, the content of an SEC-registered adviser's business continuity and transition plan would be based upon risks associated with their operations. It would include policies and procedures designed to minimise material service disruptions and address the following:
Maintenance of critical operations and systems, and the protection, backup, and recovery of data
An adviser’s plan generally should identify and prioritize critical functions, operations, and systems, considering alternatives and redundancies to help maintain the continuation of operations in the event of a significant business disruption. With respect to data protection, backup, and recovery, a business continuity and transition plan generally should address both hard copy and electronic backup, and generally should include an inventory of key documents (e.g., organisational documents, contracts, policies and procedures), including the location and description of the item and a list of the adviser’s service provider relationships that are necessary to maintaining functional operations. This documentation generally should include details of the adviser’s management structure, risk management processes, and financial and regulatory reporting requirements. Lastly, an adviser generally should consider and address as relevant the operational and other risks related to cyber-attacks.
Pre-arranged alternate physical location(s) of the adviser’s office(s) and/or employees
An adviser’s plan generally should consider the geographic diversity of their offices or remote sites and employees, as well as access to the systems, technology, and resources necessary to continue operations at different locations in the event of a disruption.
Communications with clients, employees, service providers, and regulators
A business continuity and transition plan would also need to address communications with clients, employees, service providers, and regulators. Communication plans generally should cover, among other things, the methods, systems, backup systems, and protocols that will be used for communications, how employees are informed of a significant business disruption, how employees should communicate during such a disruption, and contingency arrangements communicating who would be responsible for taking on other responsibilities in the event of loss of key personnel. It should also address employee training so that, in the event of a significant business disruption, employees understand their specific roles and responsibilities and are able to carry out the adviser’s plan.
Identification and assessment of third-party services critical to the operation of the adviser
The plan should include the identification and assessment of third-party services critical to the operation of the adviser. The adviser generally should be prepared for significant business disruptions that could impair its ability to act in its clients’ best interests by having a business continuity and transition plan that addresses the critical services provided to it by such third parties. In addition, the adviser should review and assess how these service providers plan to maintain business continuity when faced with significant business disruptions and consider how this planning will affect the adviser’s operation. The adviser should also generally review and assess how the critical service providers it arranges and/or oversees for its clients plan to maintain business continuity when faced with significant disruptions to their own businesses and consider how this planning will affect its clients’ operations.
Plan of transition that accounts for the possible winding down of the adviser’s business or the transition of the adviser’s business to others in the event the adviser is unable to continue providing advisory services
A business continuity and transition plan would have to account for the possible winding down or transition to others of the adviser’s business in the event of being unable to continue providing advisory services. The plan of transition generally should account for transitions in both normal and stressed market conditions, consider each type of client, the adviser’s contractual obligations to clients, counterparties, and service providers, and the relevant regulatory regimes under which the adviser operates.
Under the proposed rule, the transition components of a business continuity and transition plan would have to include (i) policies and procedures intended to safeguard, transfer and/or distribute client assets during transition; (ii) policies and procedures facilitating the prompt generation of any client-specific information necessary to transition each client account; (iii) information regarding the corporate governance structure of the adviser; (iv) the identification of any material financial resources available to the adviser; and (v) an assessment of the applicable law and contractual obligations governing the adviser and its clients, including pooled investment vehicles, implicated by the adviser’s transition.
In addition, under Rule 206(4)-4, it would be unlawful for an SEC-registered investment adviser to provide investment advice unless the adviser adopts and implements a written business continuity and transition plan and reviews that plan at least annually. It would also require advisers’ business continuity and transition plans to include policies and procedures on the maintenance of critical operations and systems, and the protection, backup, and recovery of data, including client records.
The proposed rule is designed to give advisers the flexibility to create business continuity and transition plans that accommodate for their individual businesses, while providing guidance on specific topics that the SEC expects firms to address.
SEC Issues Order Approving Increase in Qualified Client Threshold
Section 205(a)(1) of the Investment Advisers Act of 1940 (“Advisers Act”) generally prohibits an investment adviser from entering into, extending, renewing, or performing any investment advisory contract that provides for compensation to the adviser based on a share of capital gains on, or capital appreciation of, the funds of a client (also known as performance compensation or performance fees). However, the SEC has exempted advisory contracts with “Qualified Clients”. Qualified Clients are those persons who the SEC has judged to not need the protection of the prohibition on incentive compensation. Qualified Clients are determined on the basis of such factors as financial sophistication, net worth, knowledge of and experience in financial matters, amount of assets under management, and the relationship with a registered investment adviser, among others.
To assist advisers in determining whether a client is a Qualified Client, the SEC has provided thresholds with regard to the amount of assets under management with the adviser, as well as the net worth of the client. Under the Dodd-Frank Act, the SEC was mandated to review these thresholds every five years to and to make any necessary adjustments to the thresholds to account for inflation. On June 14, 2016 the SEC determined to leave the dollar amount of assets under management unchanged at $1,000,000. However, they determined to raise the net worth test from $2,000,000 to $2,100,000 in response to the effects of inflation. The new thresholds are in effect as of August 15, 2016.
Therefore, post August 15, 2016, any advisers entering into advisory contracts with clients which contemplate the charging of a performance fee should ensure that they are using the new net worth amount in determining whether or not a client is a Qualified Client.
ACA recommends that SEC registered firms assess their current policies and procedures in light of these updates. If you would like an independent review of your firm's policies and procedures around business continuity and transition plans, or have questions regarding the Qualified Client thresholds and would like more information on how ACA can assist your firm with its regulatory and compliance needs, please contact Brett Niehaus, Consultant (firstname.lastname@example.org) or Lynne Carreiro, Managing Director (email@example.com) by email or by phone +44 (0) 207 042 0500.