What Investment Advisers Need to Know About the SEC Proposed Business Continuity and Transitions Plan Rule
The Securities and Exchange Commission (SEC) recently proposed Rule 206(4)-4, which would require investment advisors to enact business continuity plans (BCPs) and transition or succession plans. This rule would aid advisers in maintaining the continuity of services in the occurrence of a business disruption.
Recently our Director of BCP, Lisa Smith, spoke on a webinar with speakers from Arthur Bell CPAs that examined internal, external and transition-related risks to business continuity, mitigation strategy best practices and points highlighted by the SEC within the rule.
Rather watch a video? Scroll down and listen to the full webinar replay.
Potential Risks to Business Operations
The SEC stresses that investment advisers need to assess not only external threats, but also internal threats to accurately ascertain their own risk from a holistic standpoint. This evaluation is critical to identifying the risk impact to specific capabilities and operations, as well as, how they will affect the firm’s employees, clients and third-parties. Advisers should take a proactive and organized approach to creating risk mitigation programs for employee activity, as well as, required systems (e.g. email and Internet). Risk mitigation programs should include documentation of processes, segregation of responsibilities, critical tools (think cross-training), etc.
There are four primary areas the SEC highlighted within the rule regarding business continuity:
Maintenance of critical operations and systems, and the protection, backup and recovery of data;
Pre-arranged alternate physical location(s) of the adviser’s office(s) and/or employees;
Communications with clients, employees, service providers and regulators; and
Identification and assessment of third-party services critical to the operation of the adviser.
The majority of external threats occur unexpectedly and without caveat (e.g. natural disasters, pandemic and external cyber threats). Investment advisers need to allocate sufficient resources vital to preserving continuity based on the projected risk of disruptive events. Additionally, firms must develop BCPs scaled to their individual business operations and complexities. Adviser’s BCPs should clearly define the critical business functions, estimated recovery time, means of accessibility and determine where and how employees will work if they cannot access the office.
It is imperative to remember that BCPs are not a one size fits all, must be reviewed at least annually and considered a living document.
Transition-Related Risks & Plans
Transition-related risks include market impact events (e.g. 2008 financial crisis), rapid reduction in assets under management (AUM), organizational change, sales and mergers, and bankruptcy proceedings. Another form of transition-related risk is not based on fact, but reputation. Examples of reputational risks are counterparty, operational, regulatory and fraud.
Transition-related points addressed in the SEC’s rule include:
Policies and procedures intended to safeguard, transfer and/or distribute client assets during transition;
Policies and procedures facilitating the prompt generation of any client-specific information necessary to transition each client account;
Information regarding the corporate governance structure of the adviser;
Identification of any material financial resources available to the adviser; and
Assessment of the applicable law and contractual obligations governing the adviser and its clients
To efficiently address these points, transition plans need to protect client assets and information, allocate funds to support the transition and outline details associated with the firm’s corporate governance structure. Advisors should be prepared to offer operating capital should an incident occur; however, if the firm does not have sufficient funds, they need to outline a plan for obtaining external funding.
In summary, the overall purpose of Rule 206(4)-4 is to ensure that advisers can continue to operate efficiently and deliver client services when an unexpected event occurs. It’s important to remember that although no contingency plan will eliminate all risk resulting from an unexpected service interruption, preemptively planning can minimize the severity of damages following an incident.