Monday, August 17, 2020
The discussion focuses on the following categories:
- protection of investors’ assets
- supervision of personnel
- practices relating to fees, expenses, and financial transactions
- investment fraud
- business continuity
- the protection of investor and other sensitive information
Protection of Investor Assets
OCIE has indicated that each registered investment firm has a responsibility to protect its investors’ assets against theft, loss, and misappropriation. During these unpredictable times, OCIE encourages firms to review their practices and make changes where necessary. For example, if investors mail checks to firms and firms are not picking up their mail daily due to the pandemic, operations may need to be altered to provide more timely action. Firms may also consider updating their supervisory and compliance policies and procedures to reflect any adjustments made and to consider disclosing to investors that they may experience delays should they mail checks or assets to the firm’s office.
In addition, OCIE advises firms to make any necessary changes to their policies and procedures around disbursements to investors, including where investors are taking unusual or unscheduled withdrawals from their accounts. This particularly applies to COVID-19 related distributions from their retirement accounts. Considerations include:
- implementing additional steps to validate the identity of the investor and the authenticity of disbursement instructions
- recommending that each investor put a trusted contact person in place, particularly for seniors and other vulnerable investors
Supervision of Personnel
Firms generally have an obligation to supervise their personnel. This includes providing oversight of supervised persons’ investment and trading activities. A supervisory and compliance program should include policies and procedures that are tailored to a firm’s specific business activities and operations. It should also be amended as necessary to reflect the firm’s current business activities and operations.
Given the health and economic impacts of COVID-19, OCIE encourages firms to closely review and, where appropriate, modify their supervisory and compliance policies and procedures if significant changes are required to respond to the challenges of the pandemic. Such changes may include shifting to company-wide telework conducted from remote locations, dealing with significant market volatility and related issues, and responding to operational, technological, and other difficulties. Other considerations might be:
- supervisors may not have the same level of oversight and interaction with supervised persons when they are working remotely
- supervised persons may make securities recommendations in market sectors that have experienced greater volatility or may have heightened risks for fraud
- the impact of limited on-site due diligence reviews and other resource constraints associated with reviewing third-party managers, investments, and portfolio holding companies
- communications or transactions occurring outside of the firm’s systems due to personnel working from remote locations and using personal devices
- remote oversight of trading, including reviews of affiliated, cross, and aberrational trading, particularly in high volume investments, may be impacted
- the inability to perform the same level of diligence during background checks when onboarding personnel – such as obtaining fingerprint information and completing required Form U4 verifications – or to have personnel take requisite examinations
Fees, Expenses, and Financial Transactions
Firms must consider and inform investors about the costs of services and investment products and the related compensation received by the firms or their supervised persons. The recent market volatility and the resulting impact on investor assets and the related fees collected by firms may have increased financial pressures to compensate for lost revenue.
OCIE reminds firms to consider financial conflicts of interest, such as:
- recommending retirement plan rollovers to individual retirement accounts, workplace plan distributions, and retirement account transfers into advised accounts or investments in products that the firms or their personnel are soliciting
- borrowing or taking loans from investors and clients
- making recommendations that result in higher costs to investors but generate greater compensation for supervised persons (such as investments with termination fees that are switched for new investments with high up-front charges or mutual funds with higher cost share classes)
In addition, firms should consider issues concerning fees and expenses charged to investors, such as:
- advisory fee calculation errors, including valuation issues that result in over-billing of advisory fees
- inaccurate calculations of tiered fees, including failure to provide breakpoints and aggregate household accounts
- failures to refund prepaid fees for terminated accounts
Firms may review their fees and expenses policies and procedures. Compliance monitoring may be enhanced, particularly through validating the accuracy of disclosures, fee and expense calculations, and investment valuations. Also, firms may wish to identify transactions that have resulted in high fees and expenses to investors, monitor these trends, and determine if these transactions were in the best interest of investors. Finally, firms should evaluate the risks associated with borrowing or taking loans from investors, clients, and other parties. These transactions may create conflicts of interest, which may in turn impair the impartiality of the firm’s recommendations. Firms are also encouraged to keep in mind that if advisers seek financial assistance, that may result in an obligation to update disclosures on Form ADV.
Investment Fraud
Periods of crisis or uncertainty can create an increased risk of investment fraud through fraudulent offerings. Firms should be cognizant of these risks and conduct due diligence on investments when determining if a particular investment is in the best interest of investors. Firms and investors who suspect fraud should contact the SEC and report it.
Business Continuity
Certain firms are required to adopt and implement compliance policies and procedures that are reasonably designed to prevent violation of the federal securities laws. These firms should consider their ability to operate critical business functions during emergency events, such as this pandemic. Because of the pandemic, many firms have shifted to predominantly operating from remote sites. Such transitions may raise compliance issues as well as concerns about other risks that could arise from remote operations.
If proactive approaches are not addressed in business continuity plans and/or firms do not have built-in redundancies for key operations and key personnel, critical services to investors may be at risk. For example, a firm’s supervisory and compliance policies and procedures utilized under “normal operating conditions” may require modification or enhancement to address some of the unique risks and conflicts of interest present in remote operations (such as supervised persons taking on new or expanded roles in order to maintain business operations). Likewise, a firm’s security and support for facilities and remote sites may need to be modified or enhanced. Firms should evaluate, for example, whether:
- additional resources and/or measures for securing servers and systems are needed
- the integrity of vacated facilities is being maintained
- relocation infrastructure and support for personnel operating from remote sites is provided
- remote location data is protected
Protection of Sensitive Information
Firms are required to protect investors’ personally identifiable information (PII). OCIE has observed that many firms require their personnel to use videoconferencing and other electronic means to communicate while working remotely. These practices can create:
- vulnerabilities around the potential loss of PII. These risks can be due to:
  - remote access to networks and the use of web-based applications
  - increased use of personally-owned devices
  - changes in controls over physical records, such as sensitive documents printed at remote locations
- increased opportunities for fraudsters to use phishing and other means to access systems and accounts by impersonating a firm’s personnel, websites, and/or investors
In light of these risks, OCIE recommends that firms pay particular attention to how key systems are accessed, investor data protection, and cybersecurity. In particular, firms may need to:
- improve identity protection protocols
- provide personnel with additional training and reminders related to phishing and other targeted cyberattacks, sharing information using remote systems, encrypting documents and using other cybersecurity measures, and destroying physical records at remote locations
- conduct heightened reviews of personnel access rights and controls as individuals take on new or expanded roles in order to maintain business operations
- use validated encryption technologies to protect communications and data stored on all devices
- ensure that remote access servers are secured effectively
- enhance system access security
- address new or additional cyber-related issues related to third parties
OCIE encourages firms to remain informed regarding fraudulent activities and report them when witnessed or uncovered. This can be done here and by phone at (202) 551-4790. The SEC’s Office of Investor Education and Advocacy can also be contacted by phone at 1-800-732-0330, using this online form, or email at Help@SEC.gov.
You can also continue to check the blog here at www.novaworkssoftware.com for updates concerning the SEC’s response to the COVID-19 pandemic.