
SEC RIA Cybersecurity Risk Alert Flags COVID-19 Compliance Risks

Aug 13, 2020

On August 12, 2020 the SEC Office of Compliance Inspections and Examinations issued an RIA risk alert highlighting COVID-19 RIA compliance considerations.

On August 12, 2020, the Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released a new risk alert with information highlighting select COVID-19 compliance risks and considerations for SEC-registered investment advisers (“RIA”) identified through industry outreach efforts and consultation with other regulators. Due to COVID-19, OCIE recognized “SEC registrants have been faced with new operational, technological, commercial, and other challenges and issues. In many cases, these challenges and issues have created important regulatory and compliance questions and considerations for SEC registrants.”

According to the risk alert, the SEC staff’s observations and recommendations fall into the following six key categories:

  1. Protection of investors’ assets
  2. Supervision of personnel
  3. Practices relating to fees, expenses, and financial transactions
  4. Investment fraud
  5. Business continuity
  6. Protection of investor and other sensitive information

  • Protection of Investor Assets
    • Each Firm has a responsibility to ensure the safety of its investors’ assets and to guard against theft, loss, and misappropriation. In light of the current environment, the staff has observed that some Firms have modified their normal operating practices regarding collecting and processing investor checks and transfer requests. OCIE encourages Firms to review their practices, and make adjustments, where appropriate, including in situations where investors mail checks to Firms and Firms are not picking up their mail daily. Firms may want to update their supervisory and compliance policies and procedures to reflect any adjustments made and to consider disclosing to investors that checks or assets mailed to the Firm’s office location may experience delays in processing until personnel are able to access the mail or deliveries at that office location.
    • OCIE also encourages Firms to review and make any necessary changes to their policies and procedures around disbursements to investors, including where investors are taking unusual or unscheduled withdrawals from their accounts, particularly COVID-19 related distributions from their retirement accounts.
  • Supervision of Personnel
    • Firms have an obligation to supervise their personnel, including providing oversight of supervised persons’ investment and trading activities. A Firm’s supervisory and compliance program should include policies and procedures that are tailored to its specific business activities and operations and should be amended as necessary to reflect the Firm’s current business activities and operations.
    • As Firms need to make significant changes to respond to the health and economic effects of COVID-19 – such as shifting to Firm-wide telework conducted from dispersed remote locations, dealing with significant market volatility and related issues, and responding to operational, technological, and other challenges – OCIE encourages Firms to closely review and, where appropriate, modify their supervisory and compliance policies and procedures.
  • Fees, Expenses, and Financial Transactions
    • Firms have obligations relating to considering and informing investors about the costs of services and investment products, and the related compensation received by the Firms or their supervised persons. The recent market volatility and the resulting impact on investor assets and the related fees collected by Firms may have increased financial pressures on Firms and their personnel to compensate for lost revenue. While these incentives and related risks always exist, the current situation may have increased the potential for misconduct regarding:
      • Financial conflicts of interest, such as:
        • (1) recommending retirement plan rollovers to individual retirement accounts, workplace plan distributions, and retirement account transfers into advised accounts or investments in products that the Firms or their personnel are soliciting;
        • (2) borrowing or taking loans from investors and clients; and
        • (3) making recommendations that result in higher costs to investors and that generate greater compensation for supervised persons, such as investments with termination fees that are switched for new investments with high up-front charges or mutual funds with higher cost share classes when lower cost share classes are available.
      • Fees and expenses charged to investors, such as:
        • (1) advisory fee calculation errors, including valuation issues that result in over-billing of advisory fees;
        • (2) inaccurate calculations of tiered fees, including failure to provide breakpoints and aggregate household accounts; and
        • (3) failures to refund prepaid fees for terminated accounts.
  • Investment Fraud
    • The staff has observed that times of crisis or uncertainty can create a heightened risk of investment fraud through fraudulent offerings. Firms should be cognizant of these risks when conducting due diligence on investments and in determining that the investments are in the best interest of investors. Firms and investors who suspect fraud should contact the SEC and report the potential fraud.
  • Business Continuity
    • Certain firms are required to adopt and implement compliance policies and procedures that are reasonably designed to prevent violation of the federal securities laws. As part of this process, Firms should consider their ability to operate critical business functions during emergency events. Due to the pandemic, many Firms have shifted to predominantly operating from remote sites, and these transitions may raise compliance issues and other risks that could impact protracted remote operations.
  • Protection of Sensitive Information
    • Firms have an obligation to protect investors’ personally identifiable information (“PII”). The staff has observed that many Firms require their personnel to use videoconferencing and other electronic means to communicate while working remotely. While these communication methods have allowed Firms to continue their operations, these practices create:
      • Vulnerabilities around the potential loss of sensitive information, including PII. These risks are attributed to, among other things:
        • (1) remote access to networks and the use of web-based applications;
        • (2) increased use of personally-owned devices; and
        • (3) changes in controls over physical records, such as sensitive documents printed at remote locations and the absence of personnel at Firms’ offices.
      • More opportunities for fraudsters to use phishing and other means to improperly access systems and accounts by impersonating Firms’ personnel, websites, and/or investors.

This latest risk alert underscores the SEC’s continued focus on COVID-19-related compliance issues for investment advisers. As such, we highly recommend that the Chief Compliance Officer (“CCO”) and all advisory firm principals carefully review this latest SEC RIA compliance risk alert and the attached resources. OCIE encourages all firms to remain vigilant against fraudulent activity and bad actors. Failure to address, establish and implement proper policies and procedures could lead not only to regulatory compliance issues but also to broader business issues.

Be sure to check back soon as we continue to provide updates on relevant RIA regulatory compliance focus areas.