By John Filar Atwood
In its 2020 interactions with broker-dealers and investment advisers, the SEC’s Office of Compliance and Inspections (OCIE) has observed a number of operational, technological, and other challenges brought on by the pandemic. OCIE has issued a risk alert in which it outlines many of those issues and offers recommendations on how firms can begin to address them.
The staff observations concern the protection of investors’ assets, supervision of personnel, and practices relating to fees, expenses, and financial transactions. The risk alert also addresses investment fraud, business continuity, and the protection of investor and other sensitive information.
Protection of investor assets. OCIE noted that each firm must ensure the safety of its investors’ assets and guard against theft, loss, and misappropriation. In the current environment, the staff observed that some firms have modified their normal operating practices regarding collecting and processing investor checks and transfer requests.
OCIE recommended that firms review their practices, and make adjustments, where appropriate, including in situations where investors mail checks to firms and firms are not picking up their mail daily. According to OCIE, firms may want to notify investors that checks or assets mailed to the firm’s office location may experience delays in processing until personnel are able to access the mail or deliveries at that office location.
OCIE also encouraged firms to make any necessary changes to their procedures around disbursements to investors, including where investors are taking unusual or unscheduled withdrawals from their accounts, particularly COVID-19 related distributions from their retirement accounts. OCIE said that firms may want to consider implementing additional steps to validate the identity of the investor and the authenticity of disbursement instructions, including whether bank account names and numbers are accurate.
Supervision of personnel. A firm’s personnel supervisory and compliance program should include procedures that are tailored to its specific business activities. OCIE said that as firms need to make significant changes to respond to the health and economic effects of COVID-19, such as shifting to firm-wide telework conducted from dispersed locations, firms should modify their supervisory procedures as needed.
Among the issues that need to be addressed are: (1) supervisors not having the same level of oversight and interaction with supervised persons when they are working remotely; (2) supervised persons making securities recommendations in market sectors that have experienced greater volatility or may have heightened risks for fraud; (3) the impact of limited on-site due diligence reviews and other resource constraints associated with reviews of third-party managers, investments, and portfolio holding companies; (4) communications or transactions occurring outside of the firms’ systems due to personnel working from remote locations and using personal devices; (5) remote oversight of trading, including reviews of affiliated, cross, and aberrational trading, particularly in high-volume investments; and (6) the inability to perform the same level of diligence during background checks when onboarding personnel, such as obtaining fingerprint information and completing required Form U4 verifications, or to have personnel take requisite examinations.
Fees, expenses, and financial transactions. OCIE noted that the recent market volatility and the resulting impact on investor assets and the related fees collected by firms may have increased financial pressures on firms and their personnel to compensate for lost revenue. While these incentives and related risks always exist, according to OCIE, the current situation may have increased the potential for misconduct.
OCIE advised firms to be aware of financial conflicts of interest, such as: (1) recommending retirement plan rollovers to individual retirement accounts, workplace plan distributions, and retirement account transfers into advised accounts or investments in products that the firms or their personnel are soliciting; (2) borrowing or taking loans from investors and clients; and (3) making recommendations that result in higher costs to investors and that generate greater compensation for supervised persons, such as investments with termination fees that are switched for new investments with high up-front charges or mutual funds with higher cost share classes when lower cost share classes are available.
OCIE also recommended that firms monitor fees and expenses charged to investors, such as: (1) advisory fee calculation errors, including valuation issues that result in over-billing of advisory fees; (2) inaccurate calculations of tiered fees, including failure to provide breakpoints and aggregate household accounts; and (3) failures to refund prepaid fees for terminated accounts.
Business continuity. OCIE advised that firms consider their ability to operate critical business functions during emergency events. Due to the pandemic, OCIE observed that many firms have shifted to predominantly operating from remote sites, and indicated these transitions may raise compliance issues and other risks that could impact protracted remote operations.
OCIE noted that remote operations may require supervised persons to take on new or expanded roles in order to maintain business operations. This could create new risks that are not typically present, OCIE said.
OCIE recommended that firms review their security and support for facilities and remote sites. According to OCIE, issues to be considered include whether: (1) additional resources and/or measures for securing servers and systems are needed; (2) the integrity of vacated facilities is maintained; (3) relocation infrastructure and support for personnel operating from remote sites is provided; and (4) remote location data is protected.
In OCIE’s view, if relevant practices are not addressed in business continuity plans and/or firms do not have built-in redundancies for key operations and key person succession plans, mission critical services to investors may be at risk.
Protection of sensitive information. On this issue, OCIE noted that firms have an obligation to protect investors’ personally identifiable information (PII). The staff has observed that many firms require their personnel to use videoconferencing and other electronic means to communicate while working remotely, which creates certain risks.
Among other things, OCIE believes these practices create vulnerabilities around the potential loss of sensitive information, including PII. They also provide more opportunities for fraudsters to use phishing and other means to improperly access systems and accounts by impersonating firms’ personnel, websites, and/or investors.
OCIE recommended that firms pay particular attention to the risks regarding access to systems, investor data protection, and cybersecurity. OCIE suggested that firms consider enhancements to their identity protection practices, conducting heightened reviews of personnel access rights and controls as individuals take on new or expanded roles in order to maintain business operations, and using validated encryption technologies to protect communications and data stored on all devices, including personally-owned devices.