SEC's OCIE Issues Risk Alert on COVID-19 Risks and Considerations for Broker-Dealers and Investment Advisers
The Situation: Throughout the COVID-19 pandemic, the U.S. Securities and Exchange Commission's Office of Compliance Inspections and Examinations ("OCIE") has continued to operate via off-site examinations and remote working arrangements, while also conducting outreach to SEC-registered broker-dealers and investment advisers (together, "Firms") to evaluate the impact of the coronavirus pandemic and collect information on operational resiliency challenges.
The Result: On August 12, 2020, OCIE published a risk alert on Select COVID-19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisers ("Alert"), setting forth observations and recommendations for Firms to consider in six general categories.
Looking Ahead: Firms should review the Alert and determine, for example, where they may need to revise or enhance existing practices, policies, or procedures to accommodate for risks resulting from modified operations during the pandemic.
Amid the disruption of the last few months, OCIE staff has consulted and coordinated with other divisions and offices at the SEC, and other regulators and industry participants, to identify issues, risks, and practices relevant to Firms in light of COVID-19, including the increased risk of misconduct arising from heightened market volatility. OCIE issued the Alert to share insight garnered from its efforts and to highlight areas where Firms may wish to tighten up or make changes to accommodate the "new normal." In particular, the Alert touches on six areas:
Protection of Investor Assets
Given changes in how Firms are having to deal with collecting and processing investor deposits, withdrawals, and transfer requests, OCIE suggests that Firms review their policies and procedures to make sure they address, for example, validating customer identity and authenticity of disbursement instructions and ensuring customers have a "trusted contact person" named, in particular, with respect to elderly investor customers. In addition, Firms may want to consider notifying customers that there may be delays in processing checks and similar functions until normal operations at the Firm's office(s) resume.
Supervision of Personnel
OCIE encourages Firms to consider how they may need to revise supervisory and compliance policies and procedures to address changes made in response to the coronavirus, such as remote telework arrangements, diminished supervisory oversight of personnel, and managing related operational and technological changes. Likewise, Firms should consider whether their current practices adequately address supervision of recommendations for securities in certain market sectors, such as the health and medical sectors, that are at a higher risk of fraud and/or heightened volatility, and whether they are sufficient to detect and prevent impermissible affiliate transactions, cross-trading, and other trading-related violations.
Fees, Expenses, and Financial Transactions
OCIE notes that the recent market volatility may incentivize Firms and their personnel to make up for lost revenues by engaging in misconduct involving, for example, financial conflicts and fee and expense charges and calculations. OCIE suggests Firms review their policies, procedures, and disclosure documents and determine if their compliance-monitoring efforts require modification to identify and stop or otherwise manage this behavior.
The Alert reminds Firms that fraudulent offerings are more frequent during crises and that Firms need to be more aware of the potential risk for such fraud when considering whether investments in various offerings are in the best interest of their clients.
OCIE urges Firms to review their business-continuity plans to consider issues related to changes in operations as a result of COVID-19. For example, remote working arrangements create supervisory and compliance issues that raise different considerations than in-office work arrangements. The Alert sets forth some of these potential issues and encourages Firms to modify their policies and procedures as needed and, if necessary, to disclose material operational impacts to investors.
Protection of Sensitive Information
In many cases, Firms have changed their methods of communicating with Firm personnel and investors by, for example, using video conferencing or other online options as the primary communications tool. OCIE believes these other communication methods may create vulnerabilities with respect to protection of investor information, including personally identifiable information. In the Alert, OCIE suggests a number of factors for Firms to consider when reviewing their policies and procedures to address risks associated with access to systems, investor data protection, and cybersecurity. Enhancements to current systems and processes—such as limiting personnel access rights to confidential information in Firm systems, requiring multifactor authentication for systems access, providing additional systems-related training, and adopting encryption technology—should be implemented promptly as necessary.
Three Key Takeaways
- Firms should consider their existing compliance practices in the context of the six topic areas addressed in the Alert and determine whether any of those practices need adjustment in view of COVID-19 disruptions. Any changes should be reflected in a Firm's written policies and procedures.
- The specific issues outlined in the Alert should be reviewed and addressed, as applicable, in the likely event that these will be areas of future OCIE inspections and examinations. Firms should note that similar risk alerts have formed the basis for subsequent enforcement sweeps.
- While at the beginning of pandemic-related office closures regulators appeared to be willing to extend consideration to Firms as they struggled to transition to a remote operating structure, the Alert appears to demonstrate that OCIE staff expects Firms to closely monitor and address issues arising under the "new normal" of remote employees and operations. As the pandemic continues, it seems less likely that COVID-19 will serve as a viable excuse for many remote-operations compliance deficiencies.