Compliance Risks & Considerations for Investment Advisers & Brokers
“Risk comes from not knowing what you’re doing.”
– Warren Buffett
On August 12, 2020, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert. This alert addresses operational and other challenges for broker-dealers and investment advisers resulting from the public and private sector response to COVID-19. It also includes associated compliance and risk management issues. The OCIE risk alert and considerations fell into the following six areas.
Protecting Investor Assets
OCIE reminded firms of their responsibility to ensure the safety of investors’ assets. OCIE encouraged firms to review their practices, update their policies and procedures, and consider disclosing to investors that checks or assets mailed to the firm may experience delays in processing. OCIE also encouraged firms to review their policies and procedures around disbursements to investors. This includes unusual or unscheduled withdrawals from accounts (including COVID-19 related distributions from retirement accounts).
Supervision of Personnel
OCIE noted that firms have an obligation to supervise their personnel, including oversight of investment and trading activities. It also encouraged firms to modify their policies and procedures to reflect changes to business activities and operations made in response to COVID-19.
OCIE cited the following:
- The level of oversight and interaction with supervised persons working remotely.
- Securities recommendations made in market sectors that have experienced greater volatility or that may have higher risks of fraud.
- The impact of limited on-site due diligence reviews of third-party service providers.
- Communications or transactions occurring outside of the firm’s systems due to personnel working from remote locations and on personal devices.
- Remote oversight of trading, including reviews of affiliated, cross and aberrational trading.
- The inability to conduct the same level of due diligence during background checks when onboarding personnel, or to have personnel take requisite exams.
Practices Relating to Fees, Expenses, and Financial Transactions
OCIE noted that recent market volatility may increase financial pressures on firms to compensate for lost revenue.
OCIE also recognized the associated financial conflicts of interest, such as:
- Recommending retirement plan rollovers to advised accounts or investments in products solicited by the firms or their personnel,
- Borrowing from or lending to investors and clients, making recommendations that result in higher costs to investors and that generate greater compensation for supervised persons,
- Resolution of advisory fee errors,
- Inaccurate calculation of tiered fees (e.g., breakpoints), and
- Failures to refund prepaid fees for terminated accounts.
OCIE suggested that firms may want to consider enhanced compliance monitoring by: (i) validating the accuracy of their disclosures, fee and expense calculations, and investment valuations; (ii) identifying transactions that resulted in high fees and expenses to investors and evaluating whether these transactions were in the best interests of investors; and (iii) evaluating the risks associated with borrowing or taking loans from investors, clients, and other parties that create conflicts of interest.
OCIE reminded firms that when conducting due diligence on investments and determining whether investments are in the best interest of investors, firms should be cognizant of the heightened risk of investment fraud during times of crisis or uncertainty.
OCIE noted that firms should consider their ability to operate critical business functions during emergency events. Due to the pandemic, many firms have operated predominantly from remote sites, or virtually which may raise compliance issues and other risks, including:
- Supervised persons may need to take on new or expanded roles to maintain business operations.
- Firms’ security and support for remote sites and virtual operations may need to be modified or enhanced to consider whether additional resources and/or measures for securing servers and systems are needed, the integrity of vacated facilities is maintained, relocation infrastructure and support for personnel operating from remote sites is maintained, and remote location data is protected.
Protection of Sensitive Information
OCIE reminded firms of their obligation to protect investors’ personally identifiable information (PII) and observed that many firms allow their personnel to use video conferencing and other electronic means to communicate while working remotely. It was noted that these communication methods can create vulnerabilities around the potential loss of sensitive information, including PII, as the result of remote access to networks, the use of web-based applications, increased use of personally-owned devices, and changes in controls over physical records, including sensitive documents printed at remote locations.
In light of these risks, OCIE recommended that firms consider:
- Enhancements to their identity protection practices.
- Providing firm personnel with additional training/reminders of phishing and other targeted cyberattacks, encrypting documents and using password-protected systems, and destroying physical records at remote locations.
- Conducting heightened reviews of personnel access rights and controls.
- Using validated encryption technologies to protect communications and data stored on all devices, including personally-owned devices.
- Enhancing system access security, such as requiring multi-factor authentication.
- Addressing new or additional cyber-related issues relating to third parties.
The Risk Alert reflects OCIE’s view of potential compliance issues and other risks presented by changes in firms’ operations resulting from the COVID-19 pandemic. It is very likely that these issues will be reviewed in future OCIE examinations. For more information, please contact Steve King, John Grady or one of the Practus attorneys with whom you work.