Trending Legal Issue
SEC Issues Guidance for Registered Investment Companies, Proposes New Rule for Registered Investment Advisers, Around Business Continuity Issues
Schiff Hardin’s Investment Management Group
July 15, 2016
On June 28, 2016, the Securities and Exchange Commission (SEC) proposed a new rule (Proposed Rule 206(4)-4)[1] and certain rule amendments under the Investment Advisers Act of 1940 (Advisers Act). The Proposed Rule would require SEC-registered investment advisers to adopt and implement written business continuity and transition plans (BCTP) that are reasonably designed to address operational and other risks related to a significant disruption in the investment adviser’s operations. Concurrently, the staff of the SEC’s Division of Investment Management (the Staff) released a guidance update[2] regarding business continuity planning for registered investment companies. In both the Proposing Rule Release and in the Guidance, it is noted that having a robust business continuity plan (BCP) in place is critical to any business’ ability to continue operations during, and to recover from, a significant disruption. While there are many similarities between the Guidance and Proposed Rule 206(4)-4, there are also some differences, as discussed below.
Business Continuity Planning for Registered Investment Companies
Background
The Guidance states that, in the Staff’s view, fund complexes should consider their respective compliance obligations under the federal securities laws when assessing their ability to continue operations during a business continuity event. The Guidance points to a number of disruptions that have emphasized the importance of having proper BCPs in place – September 11, 2001, Hurricanes Katrina and Sandy, and the August 2015 disruption of hundreds of mutual funds and exchange-traded funds as a result of a systems malfunction at a third-party provider calculating net asset values (NAV) – and the actions that the SEC has taken to address business continuity practices after each of these events. For example, when the SEC adopted Rule 38a-1 under the Investment Company Act of 1940, as amended (the 1940 Act), the adopting release stated that “[f]unds’ or their advisers’ policies and procedures should address the issues identified in the release, including BCPs.”[3] Additionally, after Hurricanes Katrina and Sandy, the Staff issued alerts reflecting its observations of how various funds navigated these events and describing what it referred to as “notable practices.” During and after the August 2015 systems malfunction event, staff in the Division of Investment Management’s Risk and Examinations Office and the SEC’s Office of Compliance Inspections and Examinations conducted outreach with the third-party provider as well as with affected funds and determined that some of the affected funds could have been better prepared for the chance that one of their “critical service providers”[4] would have a business disruption.
[1] Release No. IA-4439: Adviser Business Continuity and Transitions Plans (the Proposing Rule Release).
[2] IM Guidance Update No. 2016-04: Business Continuity Planning for Registered Investment Companies (June 2016) (the Guidance).
[3] See IC-26299: Compliance Programs of Investment Companies and Investment Advisers (Dec. 17, 2003).
[4] The Guidance notes that in the Staff’s view, critical fund service providers likely would include, but would not be limited to, each named service provider under Rule 38a-1 (i.e., each investment adviser, principal underwriter, administrator and transfer agent), as well as each custodian and pricing agent.
Fund Compliance
The Guidance reiterates that the Staff understands that funds are generally externally managed and do not have employees of their own and therefore, that BCPs will usually address fund activities in conjunction with the activities of the investment adviser and other critical service providers to the fund. The Staff believes that each fund should have compliance policies and procedures as part of its Rule 38a-1 program to address business continuity planning and potential disruptions in services (either those provided internally within the fund complex or externally by a critical service provider), which could impact the fund’s ability to operate. However, the Staff recognizes there is not a “one-size fits all” approach to business continuity planning. The Staff believes that each fund should determine how to best tailor its policies, procedures, and BCPs based on the nature and scope of its business. In addition to having its own policies and procedures relating to business continuity planning, funds need to consider conducting both initial and ongoing due diligence on those critical service providers’ own BCPs.
In conducting outreach after the August 2015 systems malfunction event, the Staff observed the following notable practices within fund complexes:
• BCPs typically cover the facilities, technology/systems, employees, and activities conducted by the adviser and any affiliated entities, as well as dependence on critical services provided by other third-party service providers.
• A broad cross-section of employees from key functional areas are involved in BCP programs at the fund complex, typically including, but not limited to, senior management (including officers of the fund), technology, information security, operations, human resources, communications, legal, compliance, and risk management to assist in efforts to ensure continuity and resiliency when events occur.
• The fund’s chief compliance officer (CCO) and/or the CCO of other entities in the fund complex typically participate in the fund complex’s third-party service provider oversight process as conducted by key personnel.
• Service provider oversight programs generally incorporate both initial and ongoing due diligence processes, including review of applicable business continuity and disaster recovery plans for critical providers. The fund complex typically seeks a combination of information to conduct its oversight, including, but not limited to, service provider presentations, on-site visits, questionnaires, certifications, independent control reports, and summaries of programs and testing, where appropriate, including with respect to BCPs.
• Although practices vary, BCP presentations are typically provided to fund boards of directors, with CCO participation, on an annual basis and are given by the adviser and/or other critical service providers. These presentations may be provided separately, as part of periodic presentations related to contractual arrangements (including as part of the annual section 15(c) process), or as part of the CCO’s annual update to the board.
• For many fund complexes, some form of BCP testing occurs at least annually, and the results of the fund complex’s tests are shared in updates to fund boards.
• Business continuity outages, including those incurred by the fund complex or a critical third-party service provider, are monitored by the CCO and other pertinent staff and reported to the fund board as warranted.
Additionally, the Staff believes that funds should consider the following when developing their BCPs with respect to oversight of critical service providers:
• Backup Processes and Contingency Plans. Fund complexes should consider examining critical service providers’ backup processes and redundancies, the robustness of their contingency plans, including reliance on other critical service providers, and how these providers intend to maintain operations during a significant business disruption. Also, funds should understand how their own BCPs address the risk that a critical service provider could suffer a significant business disruption and how a service provider and a fund might respond under certain scenarios.
• Monitoring Incidents and Communications Protocols. Fund complexes should consider how they can best monitor whether a critical service provider has experienced a significant disruption (such as a cybersecurity breach or other continuity event) that could impair the service provider’s ability to provide uninterrupted services. They should also consider the potential impacts such events may have on fund operations and investors, and the communication protocols and steps that may be necessary for a fund to successfully navigate such events. These protocols may include:
o Policies and procedures for internal communications across a fund complex, as well as with a fund board.
o External communication plans that address ongoing discussions with an affected service provider, as well as other providers as warranted, and intermediaries, investors, regulators, and the press, as appropriate.
o Maintaining updated and accessible contact information for essential communications with various constituents during an event.
o Providing timely communications that report progress and next steps, which may include posting updates to websites or portals to facilitate accessibility and broad dissemination of information.
• Understanding the Interrelationships of Critical Service Providers BCPs. Fund complexes should consider how the BCPs of critical service providers relate to each other to better ensure that funds can continue operations and/or promptly resume operations during a significant business disruption.[5]
• Contemplating Various Scenarios. Fund complexes should consider how a critical service provider’s disruptions could impact fund operations and investors, and generally have a plan for managing the response to potential disruptions under various scenarios, whether a disruption would occur internally or externally at a critical third-party service provider.
Next Steps
Fund boards should discuss with the adviser and other critical service providers the steps that they are taking to mitigate the risks associated with a significant business disruption and the robustness of their business continuity planning, including how a fund’s BCP addresses the risk that a critical third-party service provider could suffer a business disruption. While this is only guidance and not a rule, funds should keep the above notable practices in mind when crafting their own BCPs and include those that are relevant to their fund complex.
Proposed Rule 206(4)-4
Background
The SEC notes that it broadly addressed business continuity planning when it adopted Rule 206(4)-7 under the Advisers Act, which requires advisers to consider their fiduciary and regulatory obligations under the Advisers Act when adopting written compliance policies and procedures reasonably designed to prevent violations of the Advisers Act. However, the SEC now believes that it would be appropriate to specify the components that a BCP should contain and to set forth a number of factors that advisers should consider in developing a BCP. In its observations of current practices, the SEC has found that while many advisers do have procedures and policies in place to address the risks of business disruptions, there are disparate practices throughout the industry and many do not have robust policies and procedures.[6] The Proposing Rule Release notes that the SEC is particularly concerned about risks that may impact the adviser’s ability (and the ability of its personnel) to continue operations, provide services to clients and investors, or, in certain circumstances, transition the management of accounts to another adviser. The Proposing Rule Release further notes that these operational risks could include, but are not limited to:
[5] Here the Staff’s example is: when a fund complex relies on a third-party service provider to calculate its NAVs, it should discuss with the service provider any redundancies and backup plans that are in place in case it would experience a significant business disruption. Additionally, the fund complex should have backup procedures of its own that address the steps it would take to successfully navigate through such a disruption to mitigate any potential risks to impacted funds and investors.
[6] In the Proposing Rule Release, the Staff notes that it has observed weaknesses in some adviser BCPs with respect to the consideration of widespread disruptions, alternate locations, vendor relationships, telecommunications and technology, communications plans, and review and testing.
• Technological failures with respect to systems and processes (either proprietary or provided by third-parties);
• The loss of adviser or client data;
• The loss of personnel; or
• Access to the adviser’s physical location and facilities.
The Proposing Rule Release also notes that operational risks to an adviser include transition planning when an adviser needs to cease or wind-down operations and how to ensure that client assets are protected while doing so. In this area, the SEC points to issues that arose during the 2008 financial crisis. Finally, the Proposing Rule Release notes that while Proposed Rule 206(4)-4 would require adoption of a BCTP, an adviser could determine to maintain two separate plans – one for business continuity and one for transition planning.
Adopt and Implement Business Continuity and Transition Plans
Specifically, under Proposed Rule 206(4)-4, SEC-registered advisers would be required to adopt and implement a written BCTP reasonably designed to address operational and other risks related to a significant disruption in the adviser’s operations and such plans would contain policies and procedures concerning (i) business continuity after a significant business disruption[7] and (ii) business transition in the event the adviser is unable to continue providing investment advisory services to clients.[8] While the SEC acknowledges that there are key differences between each adviser, and thus that there will be differences amongst BCTPs, it believes that advisers should assess and inventory all of the components of their businesses in order to develop their BCTPs and tailor them to the specific risks that they face. Specifically, a BCTP should have policies and procedures that address the following[9]:
• Maintenance of critical operations and systems, and the protection, backup, and recovery of data, including client records;
• Pre-arranged alternate physical location(s) of the adviser’s office(s) and/or employees;
• Communications with clients, employees, service providers, and regulators;
• Identification and assessment of third-party services critical to the operation of the adviser; and
• Plan of transition that accounts for the possible winding down of the adviser’s business or the transition of the adviser’s business to others in the event the adviser is unable to continue providing advisory services.
The SEC emphasizes that advisers only need to take into account the risks associated with their own operations and that it would expect significant differences between the BCTP of, for example, a large adviser with multiple locations as compared to a small adviser with a single office location.
Maintenance of critical operations and systems, and the protection, backup, and recovery of data, including client records
With respect to the maintenance of critical operations and systems, an adviser’s BCTP should identify and prioritize critical functions, operations, and systems and consider alternatives and redundancies to help maintain the continuation of operations in the event of a significant business disruption. Specifically, in determining if an operation or system is “critical,” advisers should consider those that are utilized for the prompt and accurate processing of portfolio securities transactions on behalf of clients, including management, trading, allocation, clearance and settlement of each transaction. Advisers should consider operations and systems that are critical to the valuation and maintenance of client accounts, access to client accounts, and the delivery of funds and securities. Lastly, advisers should determine which personnel are key to these activities such that the temporary or permanent loss of these individuals would have an impact on an adviser’s ability to provide services to its clients.[10]
With respect to the protection, backup, and recovery of data, including client records, a BCTP should address both electronic and hard copies. The Proposing Rule Release notes that there are times when a significant business disruption may prevent access to electronic records (e.g., a power outage) or to hard copies (e.g., when the location where the files are stored cannot be accessed). The plan should also include an inventory of key documents (such as organizational documents, contracts, policies and procedures) as well as their location and a list of key third-party service providers without whom the adviser can’t operate. Finally, the Proposing Rule Release notes that operational and other risks associated with cyber-attacks should be considered and addressed in a BCTP.
[7] Business continuity situations would generally include natural disasters, acts of terrorism, cyber-attacks, equipment or system failures, or unexpected loss of a service provider, facilities or key personnel.
[8] Business transition situations would generally include where the adviser exits the market and is no longer able to serve its clients, including where it merges with another adviser, sells its business or a portion thereof, or, in unusual situations, enters bankruptcy proceedings. The Proposing Rule Release notes that there may be times when an adviser is unable to serve a portion of its clients and is able to continue serving others and that the transition plan should address such a partial transition.
[9] The Proposing Rule Release notes that the Proposed Rule 206(4)-4 is based on requirements for other financial services firms that the SEC believes share similar vulnerabilities as investment advisers as well as Staff observations from examinations.
Pre-arranged alternate physical locations of offices and/or employees
BCTPs should consider the pre-arranged alternate physical location(s) of an adviser’s office(s) and/or employees. While the SEC is not dictating a specific minimum distance between the primary and backup site, the Proposing Rule Release notes that the adviser should consider whether the alternate site is in close enough proximity to the primary site that it may be impacted by whatever situation made the primary site inaccessible. Additionally, the BCTP should consider what technology, systems, and resources would be necessary for employees to continue working remotely.
Communications with clients, employees, service providers, and regulators
The Proposing Rule Release notes that an effective communication plan is key during a business disruption. A BCTP should include the following, among other things:
• Methods, systems, backup systems, and protocols that will be used for communications;
• How employees are informed of a significant business disruption;
• How employees should communicate during the disruption; and
• Contingency arrangements communicating who would be responsible for taking on other responsibilities in the event of loss of key personnel.
BCTPs should also include the process by which an adviser would have prompt access to client records that include the name and relevant contact and account information for each client, as well as investors in private funds sponsored by the adviser. The process should address how clients will be notified and kept up to date on significant business disruptions that materially impact ongoing client services. With respect to service providers, a BCTP should address how a service provider will be notified of a significant business disruption at the adviser as well as how the adviser would be notified of a significant business disruption at the service provider, and how they will communicate with each other and clients, if applicable, during the disruption.
Identification and assessment of third-party services critical to the operation of the adviser
The Proposing Rule Release states that a BCTP would need to include both the identification of critical third-party services, as well as the assessment of the impact of disruptions to those service providers. The identification process should examine:
• An adviser’s day-to-day reliance on any providers;
• Whether there is a backup process or a second provider could be used in the event of a disruption;
• Whether the providers directly contact clients or investors; and
• Whether the providers maintain critical records or can access personally identifiable information.
[10] Here the SEC suggests that BCTPs should include both short-term arrangements and long-term arrangements for succession planning. Additionally, advisers should consider if the loss of any specific personnel would trigger contractual obligations, such as a private fund providing redemption rights if a specific investment person departs the firm.
The Proposing Rule Release states that at a minimum, the SEC would consider critical third-party service providers to be those that provide services related to: portfolio management; custody of client assets; trade executions and related processing and pricing, client servicing, and recordkeeping; and financial and regulatory reporting. Once identified, an adviser is required to review and assess how the third-party service providers themselves would provide for continuity in the event of a significant disruption. A preliminary inquiry would look at whether the service provider has its own BCP, and whether that BCP includes alternatives that would allow a particular service to continue to be provided even during a significant disruption that impedes the primary method of delivering the service. If there is no service provider BCP, or the service provider BCP does not include alternatives, advisers should consider their own alternatives.
Transition Plan
The Proposing Rule Release also requires that a BCTP include a plan that accounts for the possible winding down of the adviser’s business or the transition of the adviser's business to others in the event that the adviser is unable to continue providing advisory services. No matter how such a transition occurs, a transition plan that assesses and plans for possible impediments under various possible transition scenarios[11] will help an adviser to act in its clients’ best interests by mitigating possible negative effects on its clients. The transition plan should address transitions that happen both in normal markets and in stressed markets. It should also consider each type of client of the adviser, as well as contractual obligations to clients, counterparties, and service providers and regulatory obligations. An adviser’s transition plan should include a number of items:
• Policies and procedures to safeguard, transfer, and/or distribute client assets during transition;
• Policies and procedures for prompt generation of client-specific information required to transition client accounts;
• Information regarding the corporate governance of the adviser;
• Identification of material financial resources available to the adviser; and
• An assessment of the applicable law and contractual obligations governing the adviser and its clients, including pooled investment vehicles, implicated by the transition.
Annual Review
Proposed Rule 206(4)-4 would require that the adequacy of the BCTP and effectiveness of its implementation be reviewed at least annually.
Recordkeeping Amendments
If Proposed Rule 206(4)-4 is adopted, the SEC would amend Rule 204-2 under the Advisers Act to require SEC-registered investment advisers to make and keep all BCTPs that are currently in effect or were in effect during the prior five years.
Comments on Proposed Rule 206(4)-4 must be received by September 6, 2016.
[11] The Proposing Rule Release notes that generally such transitions are one of the following: a sale of the adviser or substantially all of the assets and liabilities of the adviser, including the existing advisory contracts with its clients, to a new owner; the sale of specific business lines or operations; or an orderly liquidation of fund clients or termination of separately managed account relationships.
© 2016 Schiff Hardin LLP This publication has been prepared for the general information of clients and friends of the firm. It is not intended to provide legal advice with respect to any specific matter. Under rules applicable to the professional conduct of attorneys in various jurisdictions, it may be considered attorney advertising material. Prior results do not guarantee a similar outcome. For more information visit our Web site at www.schiffhardin.com.