Compliance Risks & Considerations for Investment Advisers & Brokers
“Risk comes from not knowing what you’re doing.” – Warren Buffett
On August 12, 2020, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert. This alert addresses operational and other challenges for broker-dealers and investment advisers resulting from the public and private sector response to COVID-19. It also includes associated compliance and risk management issues. The OCIE risk alert and considerations fell into the following six areas.
Protecting Investor Assets
OCIE reminded firms of their responsibility to ensure the safety of investors’ assets. OCIE encouraged firms to review their practices, update their policies and procedures, and consider disclosing to investors that checks or assets mailed to the firm may experience delays in processing. OCIE also encouraged firms to review their policies and procedures around disbursements to investors. This includes unusual or unscheduled withdrawals from accounts (including COVID-19 related distributions from retirement accounts).
Supervision of Personnel
OCIE noted that firms have an obligation to supervise their personnel, including oversight of investment and trading activities. It also encouraged firms to modify their policies and procedures to reflect changes to business activities and operations made in response to COVID-19.
OCIE cited the following:
- The level of oversight and interaction with supervised persons working remotely.
- Securities recommendations made in market sectors that have experienced greater volatility or that may have higher risks of fraud.
- The impact of limited on-site due diligence reviews of third-party service providers.
- Communications or transactions occurring outside of the firm’s systems due to personnel working from remote locations and on personal devices.
- Remote oversight of trading, including reviews of affiliated, cross and aberrational trading.
- The inability to conduct the same level of due diligence during background checks when onboarding personnel, or to have personnel take requisite exams.
Practices Relating to Fees, Expenses, and Financial Transactions
OCIE noted that recent market volatility may increase financial pressures on firms to compensate for lost revenue.
OCIE also recognized the associated financial conflicts of interest, such as:
- Recommending retirement plan rollovers to advised accounts or investments in products solicited by the firms or their personnel,
- Borrowing from or lending to investors and clients,
- Making recommendations that result in higher costs to investors and that generate greater compensation for supervised persons,
- Resolution of advisory fee errors,
- Inaccurate calculation of tiered fees (e.g., breakpoints), and
- Failures to refund prepaid fees for terminated accounts.
OCIE suggested that firms may want to consider enhanced compliance monitoring by: (i) validating the accuracy of their disclosures, fee and expense calculations, and investment valuations; (ii) identifying transactions that resulted in high fees and expenses to investors and evaluating whether these transactions were in the best interests of investors; and (iii) evaluating the risks associated with borrowing or taking loans from investors, clients, and other parties that create conflicts of interest.
Investment Fraud
OCIE reminded firms that when conducting due diligence on investments and determining whether investments are in the best interest of investors, firms should be cognizant of the heightened risk of investment fraud during times of crisis or uncertainty.
Business Continuity
OCIE noted that firms should consider their ability to operate critical business functions during emergency events. Due to the pandemic, many firms have operated predominantly from remote sites or virtually, which may raise compliance issues and other risks, including:
- Supervised persons may need to take on new or expanded roles to maintain business operations.
- Firms’ security and support for remote sites and virtual operations may need to be modified or enhanced to consider whether additional resources and/or measures for securing servers and systems are needed, the integrity of vacated facilities is maintained, relocation infrastructure and support for personnel operating from remote sites is maintained, and remote location data is protected.
Protection of Sensitive Information
OCIE reminded firms of their obligation to protect investors’ personally identifiable information (PII) and observed that many firms allow their personnel to use video conferencing and other electronic means to communicate while working remotely. It was noted that these communication methods can create vulnerabilities around the potential loss of sensitive information, including PII, as the result of remote access to networks, the use of web-based applications, increased use of personally-owned devices, and changes in controls over physical records, including sensitive documents printed at remote locations.
In light of these risks, OCIE recommended that firms consider:
- Enhancements to their identity protection practices.
- Providing firm personnel with additional training/reminders of phishing and other targeted cyberattacks, encrypting documents and using password-protected systems, and destroying physical records at remote locations.
- Conducting heightened reviews of personnel access rights and controls.
- Using validated encryption technologies to protect communications and data stored on all devices, including personally-owned devices.
- Enhancing system access security, such as requiring multi-factor authentication.
- Addressing new or additional cyber-related issues relating to third parties.