OCIE Issues Risk Alert About Compliance in the COVID-19 Era

Steve King | Legal Insights

Compliance Risks & Considerations for Investment Advisers & Brokers

 “Risk comes from not knowing what you’re doing.”  

   – Warren Buffett  

 

On August 12, 2020, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert. This alert addresses operational and other challenges for broker-dealers and investment advisers resulting from the public and private sector response to COVID-19. It also includes associated compliance and risk management issues. The OCIE risk alert and considerations fell into the following six areas. 

Protecting Investor Assets

OCIE reminded firms of their responsibility to ensure the safety of investors’ assets. OCIE encouraged firms to review their practices, update their policies and procedures, and consider disclosing to investors that checks or assets mailed to the firm may experience delays in processing. OCIE also encouraged firms to review their policies and procedures around disbursements to investors. This includes unusual or unscheduled withdrawals from accounts (including COVID-19 related distributions from retirement accounts).  

Supervision of Personnel

OCIE noted that firms have an obligation to supervise their personnel, including oversight of investment and trading activities. It also encouraged firms to modify their policies and procedures to reflect changes to business activities and operations made in response to COVID-19. 

OCIE cited the following:

  • The level of oversight and interaction with supervised persons working remotely.
  • Securities recommendations made in market sectors that have experienced greater volatility or that may have higher risks of fraud.
  • The impact of limited on-site due diligence reviews of third-party service providers.
  • Communications or transactions occurring outside of the firm’s systems due to personnel working from remote locations and on personal devices.
  • Remote oversight of trading, including reviews of affiliated, cross and aberrational trading.
  • The inability to conduct the same level of due diligence during background checks when onboarding personnel, or to have personnel take requisite exams.

Practices Relating to Fees, Expenses, and Financial Transactions

OCIE noted that recent market volatility may increase financial pressures on firms to compensate for lost revenue. 

OCIE also recognized the associated financial conflicts of interest, such as: 

  • Recommending retirement plan rollovers to advised accounts or investments in products solicited by the firms or their personnel, 
  • Borrowing from or lending to investors and clients,
  • Making recommendations that result in higher costs to investors and that generate greater compensation for supervised persons,
  • Resolution of advisory fee errors,
  • Inaccurate calculation of tiered fees (e.g., breakpoints), and 
  • Failures to refund prepaid fees for terminated accounts.

PRACTUS NOTE: Recommendations to roll over a retirement plan into an advised account or into a product solicited by the firm are subject to Regulation Best Interest (in the case of a broker-dealer) and to an investment adviser’s fiduciary duty.  Firms should ensure that they have adopted compliance policies and procedures to ensure that such recommendations do not violate Regulation Best Interest or result in the breach of an investment adviser’s fiduciary duty.

OCIE suggested that firms may want to consider enhanced compliance monitoring by: (i) validating the accuracy of their disclosures, fee and expense calculations, and investment valuations; (ii) identifying transactions that resulted in high fees and expenses to investors and evaluating whether these transactions were in the best interests of investors; and (iii) evaluating the risks associated with borrowing or taking loans from investors, clients, and other parties that create conflicts of interest.

Investment Fraud

OCIE reminded firms that when conducting due diligence on investments and determining whether investments are in the best interest of investors, firms should be cognizant of the heightened risk of investment fraud during times of crisis or uncertainty.

Business Continuity

OCIE noted that firms should consider their ability to operate critical business functions during emergency events. Due to the pandemic, many firms have operated predominantly from remote sites or virtually, which may raise compliance issues and other risks, including:

  • Supervised persons may need to take on new or expanded roles to maintain business operations.
  • Firms’ security and support for remote sites and virtual operations may need to be modified or enhanced, taking into account whether additional resources and/or measures for securing servers and systems are needed, whether the integrity of vacated facilities is maintained, whether relocation infrastructure and support for personnel operating from remote sites is maintained, and whether remote location data is protected.

Protection of Sensitive Information

OCIE reminded firms of their obligation to protect investors’ personally identifiable information (PII) and observed that many firms allow their personnel to use video conferencing and other electronic means to communicate while working remotely. It was noted that these communication methods can create vulnerabilities around the potential loss of sensitive information, including PII, as the result of remote access to networks, the use of web-based applications, increased use of personally-owned devices, and changes in controls over physical records, including sensitive documents printed at remote locations.

In light of these risks, OCIE recommended that firms consider:

  • Enhancements to their identity protection practices.
  • Providing firm personnel with additional training and reminders about phishing and other targeted cyberattacks, encrypting documents and using password-protected systems, and destroying physical records at remote locations.
  • Conducting heightened reviews of personnel access rights and controls.
  • Using validated encryption technologies to protect communications and data stored on all devices, including personally-owned devices.
  • Enhancing system access security, such as requiring multi-factor authentication.
  • Addressing new or additional cyber-related issues relating to third parties.

PRACTUS NOTE: Although not specifically mentioned in the Risk Alert, in addition to information security concerns, the use of personally-owned devices may create record-keeping challenges that are not present when individuals are using firm-maintained hardware and applications.  Many firms may prohibit the use of personally-owned devices in normal circumstances to address this issue.  However, in the present environment, it may be more difficult to prohibit such use.  We recommend that firms examine how they are capturing records that are required to be maintained that have been created or stored on personally-owned devices, and modify their practices and compliance policies and procedures as appropriate.

Conclusion

The Risk Alert reflects OCIE’s view of potential compliance issues and other risks presented by changes in firms’ operations resulting from the COVID-19 pandemic. It is very likely that these issues will be reviewed in future OCIE examinations. For more information, please contact Steve King, John Grady, or one of the Practus attorneys with whom you work.