The US Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) published a Risk Alert on August 12 highlighting compliance considerations created by the coronavirus (COVID-19) pandemic for SEC-registered investment advisers and broker-dealers (Firms). This LawFlash highlights the areas of focus in the Risk Alert and provides a checklist of considerations and actions to assist Firms in addressing COVID-19-related compliance issues.
As Firms continue their remote working arrangements for longer than initially anticipated, OCIE acknowledged that Firms have been faced with operational, technological, commercial, and other challenges relating to the pandemic, noting that such challenges have given rise to regulatory and compliance risks, including risks of firm and registered representative misconduct arising from market volatility due to COVID-19. OCIE, in consultation and coordination with other SEC departments and other regulators, identified several COVID-19-related issues, risks, and practices relevant to investment advisers and broker-dealers.
OCIE’s observations and recommendations fall into six areas of focus: (1) protection of investor assets; (2) supervision of personnel; (3) fees, expenses, and financial transactions; (4) investment fraud; (5) business continuity; and (6) protection of sensitive information. We highlight each area of focus below and we have compiled and appended to this LawFlash a checklist of specific recommendations identified by OCIE (a PDF of which is available here).
PROTECTION OF INVESTOR ASSETS
Firms have a responsibility to ensure the safety of investor assets. OCIE observed that in light of the pandemic some Firms have modified their procedures for collecting and processing checks and transfer requests. For example, some Firms no longer pick up mail daily, but investors still may mail checks to these Firms. OCIE also noted that investors may be making unusual or unscheduled withdrawals from their accounts (particularly COVID-19-related distributions from retirement accounts). As a result, OCIE noted that Firms should, among other things, add steps to ensure authentication of disbursement instructions.
SUPERVISION OF PERSONNEL
Even as Firms have shifted to telework and remote working due to COVID-19, Firms must meet their regulatory obligation to have policies and procedures in place to supervise personnel and update policies and procedures as necessary to reflect current business operations. OCIE observed that many Firms should consider changes to their business operations and oversight programs given the current shift towards remote working. OCIE also encouraged Firms to modify their supervisory policies and procedures to address related issues outlined in the appended checklist.
FEES, EXPENSES, AND FINANCIAL TRANSACTIONS
Firms have obligations to consider and disclose to investors the costs of services and products, and information related to compensation the Firm and its supervised persons receive. However, OCIE is concerned that current market volatility is increasing pressure on firms to compensate for lost revenue and is creating increased potential for misconduct as financial pressures continue to increase. OCIE focused on the potential for misconduct based on:
- Financial Conflicts of Interest. OCIE identified an increased risk of: (1) recommending rolling over retirement plan assets, IRAs, and other plan assets into advised accounts or products for which the Firm or its personnel are soliciting; (2) Firms or their personnel borrowing from investors; and (3) Firms or their personnel making recommendations of investments or products that have higher costs to investors and that will generate greater compensation for supervised persons.
- Fees and Expenses. OCIE also identified an increased risk of: (1) advisory fee calculation errors and overbilling of advisory fees; (2) inaccurate calculation of tiered fees, including failure to provide breakpoints and aggregate household accounts; and (3) failure to refund prepaid fees for terminated accounts.
OCIE recommended that Firms consider enhancing their compliance monitoring to control for these risks in various ways enumerated in the attached checklist.
As in previous times of crisis, OCIE has observed a heightened risk of fraudulent offerings that should be considered in light of COVID-19. OCIE recommended that Firms consider these risks when conducting due diligence on investments and determining what is in the best interest of investors. According to OCIE, although Firms should have a reasonable basis to believe that an investment offering is not fraudulent before recommending the offering so as not to breach the Firm’s duty of best interest on behalf of its investors, it is often the case that a Firm may have no way of knowing of a fraud until the fraud is actually uncovered. This creates a challenge for Firms seeking to adhere to their regulatory obligations. OCIE encouraged Firms and investors who suspect fraud to report it to the SEC.
OCIE reminded Firms in the Risk Alert to reevaluate their business continuity plans to determine if modification is required in light of COVID-19-related shifts to operating predominantly from remote locations. The Risk Alert noted that these transitions may raise compliance issues and other risks impacting prolonged remote operations. We encourage Firms to refer to the appended checklist to address OCIE’s recommendations related to business continuity matters.
PROTECTION OF SENSITIVE INFORMATION
OCIE observed that due to increasing remote activity during the pandemic, Firms are using more videoconferencing and other remote electronic means of communication that create a higher risk of loss of personally identifiable information (PII). Remote communications are increasing the potential opportunities for fraudsters to improperly access Firm systems and investor accounts because such electronic means of communication are more susceptible to phishing, data breaches, and targeted cyberattacks, especially if Firms use unsecure web-based video chat and other platforms that lack proper encryption and authentication processes for access.
The Risk Alert recommended that Firms review their policies and procedures (and technology) related to risks regarding system access, investor data protection, and cybersecurity. Firms may refer to the attached checklist for a more comprehensive list of recommendations related to the protection of sensitive information.
Checklist Based on OCIE Risk Alert on Select COVID-19 Compliance Risks and Considerations
PROTECTION OF INVESTOR ASSETS
Collecting and Processing Investor Checks and Transfer Requests
- Review Firm practices, and make appropriate adjustments, including to where investors mail checks (and presumably securities) to the Firm
- Update supervisory and compliance policies and procedures to reflect any adjustments to receipt and handling of checks in light of change of pickup of checks
- Consider disclosing to investors that checks or securities mailed to the Firm’s office may experience delays in processing until personnel are able to access the mail or deliveries
Disbursements to Investors
- Review and make any necessary changes to policies and procedures, to address where investors are taking unusual or unscheduled withdrawals, particularly COVID-19-related distributions from retirement accounts
- Consider additional steps to validate the identity of investors and the authenticity of disbursement instructions, including as to whether the person is authorized to make the request and the bank account names and numbers are accurate
- Consider recommending that each investor have a trusted contact person particularly for seniors and other vulnerable investors
SUPERVISION OF PERSONNEL
- Review and, as appropriate, modify supervisory and compliance policies and procedures to reflect significant changes to respond to health and economic effects of COVID-19 (e.g., shifting to Firm-wide telework conducted from dispersed remote locations, dealing with significant market volatility and related issues, and responding to operational, technological, and other challenges)
- Consider modifying Firm practices to address:
- Supervisors not having the same level of oversight and interaction with supervised persons working remotely
- Supervised persons making securities recommendations in market sectors experiencing greater volatility or having heightened risks for fraud
- Impact of limited on-site due diligence reviews and other resource constraints when reviewing of third-party managers, investments, and portfolio holding companies
- Communications or transactions occurring outside of Firm systems due to personnel working from remote locations and using personal devices
- Remote oversight of trading, including reviews of affiliated, cross, and aberrational trading, particularly in high volume investments
- Inability to perform the same level of diligence during background checks when onboarding personnel (e.g., obtaining fingerprint information and completing required Form U4 verifications or to have personnel take requisite examinations)
FEES, EXPENSES, AND FINANCIAL TRANSACTIONS
- Review fees and expenses policies and procedures adopted to compensate for lost revenue and related potential for misconduct vis a vis conflicts or computation of fees and expenses and consider enhancing monitoring by:
- Validating the accuracy of disclosures, fee and expense calculations, and investment valuations
- Identifying transactions resulting in high fees and expenses to investors, monitoring for such trends, and evaluating whether these transactions are in the best interest of investors
- Evaluating the risks associated with borrowing or taking loans from investors, clients, and other parties that create conflicts of interest, as this may impair the impartiality of Firms’ recommendations (and raise FINRA Rule 3240 questions)
- Be cognizant of heightened risk of fraudulent offerings when conducting due diligence and in determining that an offering is in the best interest of investors
- Report suspected potential fraud to the SEC
- Review and, as appropriate, make changes to Firm continuity plan and related compliance policies and procedures, and disclosures to reflect material impact to operations:
- Consider whether Firm supervisory and compliance policies and procedures need to be modified to address unique risks and conflicts with remote operations (e.g., supervised persons may need to take on new roles to maintain business operations)
- Consider whether security and support for facilities and remote sites need to be modified, including (1) additional resources or measures for securing servers and systems; (2) maintenance of integrity of vacated facilities; (3) relocation infrastructure and support for personnel operating from remote sites; and (4) protection of customer and firm data at remote locations
PROTECTION OF SENSITIVE INFORMATION
Monitor risks with systems access, investor data, and cybersecurity and related policies and procedures and consider:
- Enhancements to identity protection practices (e.g., reminding investors to contact the Firm directly by telephone for any concerns about suspicious communications and for Firm personnel to be available to answer investor inquiries)
- Providing Firm personnel with additional training and reminders, and otherwise spotlighting issues, related to: (1) phishing and other targeted cyberattacks; (2) sharing information while using certain remote systems (e.g., unsecure web-based video chat); (3) encrypting documents and using password-protected systems; and (4) destroying physical records at remote locations
- Conducting heightened reviews of personnel access rights and controls as individuals take on new or expanded roles in order to maintain business operations
- Using validated encryption technologies to protect communications and data stored on all devices, including personally-owned devices
- Ensuring that remote access servers are secured effectively and kept fully patched
- Enhancing system access security, such as requiring the use of multifactor authentication
- Addressing new or additional cyber-related issues related to third parties, which may also be operating remotely when accessing Firm systems
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
David C. Boch
Ellen G. Weinstein
G. Jeffrey Boujoukos
Timothy W. Levin
Christine M. Lombardo
John V. Ayanian
Amy Natterson Kroll
Monica L. Parry
Ignacio A. Sandoval
Steven W. Stone
Brian J. Baltz
Kyle D. Whitehead
 OCIE Risk Alert (“Risk Alert”), Select COVID-19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisers (Aug. 12, 2020).
 See Risk Alert at 2, note 2.
 See Risk Alert at 3, note 6.
 See Risk Alert at 3, note 7.
 See Risk Alert at 4, note 10.
 We note that the focus on fees and expenses in this Risk Alert may be of particular interest to the SEC in light of Regulation Best Interest examinations in order to ensure that product offerings and descriptions, as well as product-related fees and expenses, are accurate.
 See Risk Alert at 5, note 14.
 See id.
 See Risk Alert at 6, note 18.
 See Risk Alert at 7, note 20.