On August 12, 2020, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert that addresses several COVID-19-related issues, risks and practices related to SEC-registered investment advisors and broker-dealers. OCIE’s observations were identified as a result of outreach to firms, as well as consultation and coordination with SEC colleagues and other regulators. The staff’s recommendations fall into the following six categories:
- Protection of investors’ assets
- Supervision of personnel
- Practices relating to fees, expenses, and financial transactions
- Investment fraud
- Business continuity
- Protection of investor and other sensitive information
Protection of Investors’ Assets
OCIE encourages firms to consider the following when reviewing their policies, procedures and controls regarding disbursements to investors: i) investors mailing checks to your firm when the firm does not pick up the mail daily, ii) clients taking unusual or unscheduled withdrawals from their account, iii) validation of the client’s identity and disbursement instructions, and iv) facilitating a trusted contact person for clients (especially seniors and other vulnerable investors).
Supervision of Personnel
Your policies and procedures for supervising personnel, including the oversight of supervised persons’ investment and trading activities, may need to be amended if supervised persons are working in remote locations. Practices to consider that may need to be modified include:
- Supervisors not having the same level of oversight and interaction with personnel while working remotely;
- Supervised persons making securities recommendations in market sectors that have experienced greater volatility or may have heightened risks for fraud (possible modification is to increase frequency of trade reviews and increase the sampling size of higher risk accounts);
- Impact of limited or non-existent on-site due diligence reviews of third-party managers, investments and portfolio holding companies (possible modification is to increase communications with third-party providers, checking in on the health of their companies);
- Communications or transactions occurring outside the firm’s systems, for example on personal devices (e.g., texting on personal devices).
Practices Relating to Fees, Expenses, and Financial Transactions
Firms may have experienced some financial pressure due to recent market volatility, which impacts client assets and fees. The SEC highlighted the following areas that may have increased potential for misconduct due to the current market environment:
- Financial conflicts of interest. For example, 1) recommending retirement plan rollovers to IRAs or the like, 2) borrowing or taking loans from investors/clients and 3) making recommendations that result in higher costs to investors and greater compensation for supervised persons (e.g., termination fees that are switched for new investments with high up-front charges or recommending a mutual fund with higher costs when there are lower cost funds available in the same category).
- Fees/expenses charged to investors such as 1) advisory fee calculation errors, 2) inaccurate calculations of tiered fees and 3) failure to refund prepaid fees for terminated accounts.
To ensure client fees and expenses are assessed accurately and appropriately, your firm should consider validating the accuracy of your disclosures and fee and expense calculations, monitoring trends where clients were assessed high fees and expenses, and evaluating risks associated with borrowing or taking loans from investors/clients.
Investment Fraud
Times of uncertainty can create a heightened risk of investment fraud. When conducting due diligence on investments, make sure you have the clients’ best interest in mind. Bad actors pitching fraudulent schemes are out there. If you suspect investment fraud, you should contact the SEC.
Business Continuity
During a time of crisis, business continuity plans are more important than ever. As evidenced during this pandemic, and among other adjustments made to ensure business continues as usual, many financial professionals are working from remote locations. You should review your firm’s policies and procedures to determine if modifications need to be made due to unique risks and conflicts present in remote operations.
Firms should pay closer attention to securing servers and systems as needed, making sure vacated facilities remain secure, ensuring staff working remotely have adequate support, and ensuring remote location data is protected. Holding team meetings to address such issues is good protocol, and any material changes should be reflected in writing in the firm’s policies and procedures.
The Protection of Investor and Other Sensitive Information
As mentioned throughout this article, the COVID-19 crisis has created vulnerabilities to day-to-day operations which can greatly compromise the protection of personally identifiable information (“PII”). The following areas should be focused on when reviewing the firm’s policies and procedures:
- Remind investors to contact firms directly by telephone if they receive suspicious emails that contain an action item.
- Host training sessions with your team to cover hot topics that include, but are not limited to: 1) phishing and other targeted cyber attacks, 2) sharing information while using remote systems (e.g., unsecured web-based applications such as video chat), 3) encrypting documents and using password-protected systems, and 4) proper destruction of physical records.
- Review personnel access rights and controls.
- Protect communications and data stored on all devices, including personal devices.
- Enhance server security and access to servers.
This SEC Risk Alert serves as a good reminder to revisit your policies, procedures and controls, especially during this pandemic, as many routines and processes have likely changed in your business and compliance operations. The areas outlined in this article can serve as a quick checklist when considering how best to manage the risks presented by this pandemic environment. Conducting a training session with your team is also a great forum to cover the hot topics raised by OCIE in the alert. As always, feel free to reach out to your Foreside consultant if you have any questions about this recent Risk Alert.