On August 12, 2020, the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) published a risk alert identifying COVID-19 related issues relevant to investment advisors and broker-dealers.
The purpose of the risk alert is to share OCIE’s observations and challenges with the public to protect investors from COVID-19 related risks. The risk alert identifies six categories: (1) protection of investors’ assets; (2) supervision of personnel; (3) practices related to fees, expenses and financial transactions; (4) investment fraud; (5) business continuity; and (6) the protection of investor and other sensitive information.
Protection of investor assets
OCIE encourages firms to update their supervisory and compliance policies and procedures to reflect any changes or delays in processing mail (e.g., checks) and provide notice to customers of these changes. Also, firms must provide notice of mail delays to their customers.
Firms should review and update their policies and procedures around disbursements to investors, including where investors are taking unusual or unscheduled withdrawals from their accounts. This is particularly the case for COVID-19 related distributions from their retirement accounts.
Supervision of personnel
OCIE staff highlighted firms’ supervisory obligations. A firm’s supervisory and compliance program should include policies and procedures that are tailored to its specific business activities and operations. Policies and procedures should be amended as necessary to reflect the firm’s current business activities and operations.
As firms need to make significant changes to respond to the health and economic effects of COVID-19 — such as shifting to firm-wide telework conducted from dispersed remote locations and responding to operational, technological and other challenges — OCIE encourages firms to modify their supervisory and compliance policies and procedures to address the following issues:
- Supervisors’ limited level of oversight and interaction with supervised persons when they are working remotely
- Supervised persons making securities recommendations in market sectors that have experienced greater volatility or may have heightened risks for fraud
- The impact of limited on-site due diligence reviews and other resource constraints associated with reviewing third-party managers, investments and portfolio holding companies
- Communications or transactions occurring outside of the firms’ systems due to personnel working from remote locations and using personal devices
- Remote oversight of trading, including reviews of affiliated, cross, and aberrational trading, particularly in high volume investments
- The inability to perform the same level of diligence during background checks when onboarding personnel — such as obtaining fingerprint information and completing required Form U4 verifications — or to have personnel take requisite examinations
Fees, expenses and financial transactions
The risk alert states that recent market volatility and the resulting impact on investor assets and the related fees collected by firms may have increased financial pressures on firms and their personnel. Firms are reminded of their obligations to inform investors of “financial conflicts of interest” and “fees and expenses charged to investors.”
To address these obligations, firms should:
- Validate the accuracy of their fee and expense disclosures
- Identify transactions that result in high fees and expenses to investors to evaluate if the transaction is in the best interest of investors
- Evaluate the risks associated with potential conflicts of interest that may impair the impartiality of firms’ recommendations
Investment fraud
The OCIE observed that times of crisis or uncertainty can create a heightened risk of investment fraud through fraudulent offerings. Firms should be cognizant of these risks when conducting due diligence on investments and in determining that the investments are in the best interest of investors. Firms and investors who suspect fraud should report it to the SEC.
Business continuity
Due to the pandemic, firms have shifted to remote sites. This transition may cause compliance risks and related issues. OCIE encourages firms to review their continuity plans to address these matters, make changes to compliance policies and procedures, and provide disclosures to investors if their operations are materially impacted, as appropriate.
Protection of sensitive information
The OCIE staff has observed that many firms require their personnel to use videoconferencing and other electronic means to communicate while working remotely. While these communication methods have allowed firms to continue their operations, these practices create issues regarding the protection of confidential client information. OCIE recommends that firms pay particular attention to the risks regarding access to systems, investor data protection and cybersecurity.
This includes additional training to employees related to phishing and cyberattacks, encrypting documents, using password-protected systems, and destroying documents printed at remote locations. Firms should also conduct heightened reviews of personnel access rights to systems, use encryption technologies on all devices (especially personally-owned devices), require the use of multi-factor authentication for access, and ensure that remote computer servers are updated and secure.
The OCIE encourages firms to remain informed regarding fraudulent activities that may affect investors’ assets and, when fraud is observed, to report such activities.
Where to focus your supervision efforts
This latest risk alert highlights regulators’ continued focus on COVID-19 related risks and challenges. A common theme throughout the risk alert was for firms to amend their policies and procedures to reflect COVID-19 challenges. If you haven’t already, review your firm’s practices, policies and procedures to confirm they address the current situation.
It’s important to supervise your supervisors during this time. SEC Rule 206(4)-7 requires firms to supervise their personnel, including providing oversight of supervised persons’ investment and trading activities. FINRA Rule 3110 requires broker-dealers to establish and maintain a system to supervise the activities of each associated person that is reasonably designed to achieve compliance with applicable securities laws and regulations. Strong compliance programs incorporate legal requirements and essential controls that are reviewed and updated. Supervisors should increase the level of oversight of and interaction with supervised persons when they are working remotely.
Check and double-check your systems for vulnerabilities, and ensure that communications are being captured for retention. Make sure communications or transactions are not occurring outside of the firm’s systems due to personnel using personal devices.
To test whether advisors are using unapproved communication channels, we recommend setting up automated keyword searches. These keywords or key phrases can be customized to allow the firm to control which words or phrases are flagged and to adjust them as the business changes or new risks emerge – such as COVID-19. You can create keywords and key phrases to flag the risk of advisors using unauthorized communication channels.
Examples include: “send to my personal email,” “respond to my Gmail account,” “text me,” and “let’s take this offline.” These common phrases are indicative of the risk of using unauthorized communication channels. Firms cannot assume advisors aren’t using their personal emails to communicate with clients.
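A minimal sketch of such a keyword search, added here as an illustration and not taken from the risk alert or any vendor product. The message format, the sample messages and every function name are assumptions; the lexicon is the four phrases quoted above.

```python
import re
import unicodedata

# Phrases quoted in the article; a firm would extend this list as risks change.
LEXICON = [
    "send to my personal email",
    "respond to my Gmail account",
    "text me",
    "let's take this offline",
]

def normalize(text):
    """Fold case, curly apostrophes and runs of whitespace so variants still match."""
    text = unicodedata.normalize("NFKC", text)
    text = text.replace("\u2019", "'").replace("\u2018", "'")
    return re.sub(r"\s+", " ", text).casefold()

def compile_lexicon(phrases):
    """One word-bounded pattern per phrase, so 'text me' does not hit 'context menu'."""
    return [(p, re.compile(r"(?<!\w)" + re.escape(normalize(p)) + r"(?!\w)"))
            for p in phrases]

def scan(messages, patterns):
    """Return (message id, sender, matched phrases) for every flagged message."""
    hits = []
    for msg in messages:
        body = normalize(msg["body"])
        matched = [phrase for phrase, rx in patterns if rx.search(body)]
        if matched:
            hits.append((msg["id"], msg["sender"], matched))
    return hits

# Constructed sample messages (hypothetical archive export format).
SAMPLE = [
    {"id": 1, "sender": "advisor.a@example.com",
     "body": "Please respond to my  GMAIL account, the VPN is down."},
    {"id": 2, "sender": "advisor.b@example.com",
     "body": "Right-click and use the context menu to export the report."},
    {"id": 3, "sender": "advisor.c@example.com",
     "body": "Let\u2019s take this offline.\nText me after the close."},
    {"id": 4, "sender": "advisor.d@example.com",
     "body": "Quarterly fee disclosure attached for review."},
]

def flagged_sample():
    return scan(SAMPLE, compile_lexicon(LEXICON))

if __name__ == "__main__":
    for msg_id, sender, phrases in flagged_sample():
        print(msg_id, sender, phrases)
```

Messages 1 and 3 are flagged for supervisory review; message 2 shows why word boundaries matter, since a plain substring search for “text me” would flag “context menu.”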
If you haven’t already done so, it’s critical for investment advisors and broker-dealers to implement policies and procedures tailored to the COVID-19 pandemic and potential future pandemics. Refer to the recent risk alert to better assess your firm’s COVID-19 changes against regulators’ expectations.
Author: Marianna Shafir Esq. Corporate Counsel, Regulatory Advisor at Smarsh
Marianna Shafir, Regulatory Advisor at Smarsh, is responsible for regulatory affairs worldwide. With her expertise in the financial services industry, compliance and eDiscovery, Marianna counsels Smarsh clients on meeting regulatory obligations, leveraging technology and guidance on best practices related to electronic communications supervision. Prior to joining Smarsh, Marianna worked for BNY Mellon and Invesco, where she was an instrumental member of compliance teams. Marianna has also served as an adjunct professor at New York Career Institute, where she taught Law Office Management and Real Estate Law. She earned her Juris Doctorate from Nova Southeastern University. She is a frequent speaker at industry conferences and a contributor to various online publications.