New proposed rules from the Securities and Exchange Commission (SEC) would require registered investment advisers (RIAs) to craft and implement written business continuity and transition plans.
According to the SEC, the written plans must be “reasonably designed to address operational and other risks related to a significant disruption in the investment adviser’s operations.” Related to this, the proposal would also amend Rule 204-2 under the Advisers Act to require registrants “to make and keep all business continuity and transition plans that are currently in effect or at any time within the past five years were in effect.”
The text of the proposed rulemaking cites the urgent need for better succession planning, both for the sake of advisers and their clients. “Today, there are approximately 12,000 investment advisers registered with the Commission that collectively manage over $67 trillion in assets, an increase of over 140% in the past 10 years,” SEC writes. “The range of services provided by advisers, and the continued growth in the number of advisers and assets under management, reflect the critical role investment advisers play in our capital markets and the importance of the services they provide to approximately 30 million clients.”
It is against this backdrop that the average age of U.S. financial advisers continues to climb and that advisory firms continue to get more complicated from a technology and business process standpoint.
“Of particular concern to the Commission are those risks that may impact the ability of an adviser and its personnel to continue operations, provide services to clients and investors, or, in certain circumstances, transition the management of accounts to another adviser,” SEC explains. “Such operational risks include, but are not limited to, technological failures with respect to systems and processes (whether proprietary or provided by third-party vendors supporting the adviser’s activities), and the loss of adviser or client data, personnel, or access to the adviser’s physical location(s) and facilities.”
Advisers will certainly already understand that operational risks can arise from internal and external business continuity events, but SEC wants formalized planning for both cases.
“An internal event, such as a facility problem at an adviser’s primary office location, or an external event, such as a weather-related emergency or cyber-attack, could impact an adviser’s ongoing operations and its ability to provide client services,” officials warn. “For example, both types of events could prevent advisory personnel from accessing the adviser’s office or its systems or documents at a particular office location. Under these circumstances, an adviser and its personnel may be unable to provide services to the adviser’s clients and continue its operations while affected by the disruption, which could result in client harm.
“Similarly, operational risks can arise in the context of a transition event,” SEC adds. “If, for example, an adviser is winding down or ceasing operations during a time of stress, then an adviser’s ability to safeguard client assets could be impacted.”
In the text of the proposed rulemaking, SEC acknowledges that many advisers already have strong succession and emergency planning in place. But, the regulator warns, its staff “also has observed advisers with less robust planning, causing them to experience interruptions in their key business operations and inconsistently maintain communications with clients and employees during periods of stress.”
The SEC staff has further “noted weaknesses in some adviser business continuity plans with respect to consideration of widespread disruptions, alternate locations, vendor relationships, telecommunications and technology, communications plans, and review and testing. Although disparate practices may exist in light of the varying size and complexity of registrants, to effectively mitigate such risks we are proposing to require all SEC-registered investment advisers to have plans that are reasonably designed to address operational and other risks related to a significant disruption in the investment adviser’s operations.”
In terms of what should be contained in “reasonable succession planning,” SEC wants to see advisers take concrete and documented steps to “minimize operational and other risks that could lead to a significant business disruption like, for example, a systems failure.”
“In order to do so, advisers should generally assess and inventory the components of their business and minimize the scope of its vulnerability to a significant business disruption,” SEC explains. “While we recognize that an adviser may not be able to prevent significant business disruptions (e.g., a natural disaster, terrorist attack, loss of service from a third-party), we believe robust planning for significant business disruptions can help to mitigate their effects and, in some cases, minimize the likelihood of their occurrence.”
Addressing any advisers skeptical about the need for such planning, SEC notes that various weather-related events have tested, on a large scale, the effectiveness of existing continuity planning. Take Hurricane Sandy, for example, which struck the East Coast in the New York and New Jersey region back in 2012.
“These events provided our examination staff the opportunity to review, observe, and assess the operations and resiliency of planning across many advisers,” SEC says. “During the aftermath of the hurricane, our examiners observed that the degree of specificity of advisers’ written continuity planning varied and that some advisers’ continuity plans did not adequately address and anticipate widespread events. In addition, with respect to alternative locations, examination staff noted that some advisers did not have geographically diverse office locations, even when they recognized that diversification would be appropriate. Additionally, they observed with respect to vendor relationships and telecommunications/technology, that certain advisers did not evaluate the continuity planning of their service providers or engage service providers to ensure their backup servers worked properly, and that some advisers reported that they did not keep updated lists of their vendors and respective contacts.
“Moreover, with respect to communications plans, the examination staff observed that some advisers inconsistently planned how to contact and deploy employees during a crisis, inconsistently maintained communications with clients and employees, and did not identify which personnel were responsible for executing and implementing the various portions of the continuity planning,” SEC concludes.
The full text of the rule, including information on how to submit formal comments, is online here.