A new Risk Alert published by the U.S. Securities and Exchange Commission (SEC) makes it clear that registered investment advisers (RIAs) cannot simply assume their normal compliance systems and procedures will be sufficient during this extraordinary time for the U.S. and global markets.
The SEC notes that its Office of Compliance Inspections and Examinations (OCIE) has remained open and operational throughout the COVID-19 pandemic. In fact, during its work over the past six months, the OCIE has identified a number of pandemic-related issues and risks relevant to RIAs and broker/dealers (B/Ds) policed by the SEC. Additionally, the SEC says, the extended market volatility related to COVID-19 may have heightened the risks of misconduct in various areas that the staff believes merit additional attention above and beyond advisers’ normal duties.
As such, the SEC is encouraging firms to review their compliance practices—and make adjustments—wherever appropriate. As an example, the Risk Alert points to situations where investors might mail checks to firms when the firm is not picking up its mail daily.
“Firms may want to update their supervisory and compliance policies and procedures to reflect any adjustments made and to consider disclosing to investors that checks or assets mailed to the firm’s office location may experience delays in processing until personnel are able to access the mail or deliveries at that office location,” the SEC proposes.
The OCIE’s observations and recommendations fall broadly into six categories: the protection of investors’ assets; the supervision of personnel; review of practices relating to fees, expenses and financial transactions; prevention of investment fraud; assurance of business continuity; and the protection of investor data and other sensitive information.
Some points covered in the Risk Alert are likely at this point already well-understood by advisers, especially those related to the industry’s transition to a remote-first working environment.
“Firms may wish to modify their practices to address supervisors not having the same level of oversight and interaction with supervised persons when they are working remotely,” the Risk Alert proposes. Firms should also consider the inability to perform the same level of diligence during background checks when onboarding personnel, such as obtaining fingerprint information and completing required Form U4 verifications.
Other points are perhaps less obvious but still critical. For example, according to the Risk Alert, the recent market volatility and the resulting impact on investor assets and the related fees collected by firms may have increased financial pressures on firms and their personnel to compensate for lost revenue.
“While these incentives and related risks always exist, the current situation may have increased the potential for misconduct regarding financial conflicts of interest, such as recommending retirement plan rollovers to individual retirement accounts [IRAs] [which feature] products that the firms or their personnel are soliciting,” the Risk Alert warns. “Firms may wish to review their fees and expenses policies and procedures and consider enhancing their compliance monitoring, particularly by validating the accuracy of their disclosures, fee and expense calculations, and the investment valuations used.”
The SEC staff further recommends identifying transactions that result in higher fees and expenses to investors, monitoring for such trends and evaluating whether these transactions are in the best interest of investors. This is especially important now that the SEC’s Regulation Best Interest (Reg BI) is in full effect.
The SEC recommends that firms pay particular attention to the risks regarding access to systems, investor data protection and cybersecurity. In particular, firms should assess their policies and procedures and consider enhancements to their identity protection practices, such as by reminding investors to contact the firms directly by telephone for any concerns about suspicious communications and for firms to have personnel available to answer these investor inquiries. The Risk Alert also recommends providing firm personnel with additional training related to email phishing and other targeted cyberattacks; sharing information while using certain remote systems (e.g., unsecure web-based video chat); encrypting documents and using password-protected systems; and destroying physical records at remote locations.