On August 12, 2020, the SEC Office of Compliance Inspections and Examinations (OCIE) published a Risk Alert that identifies potential issues related to the COVID-19 pandemic for SEC-registered investment advisers and broker-dealers and includes recommendations for addressing these risks. This Alert is the first to target the specific risks to adviser and broker-dealer compliance posed by the COVID-19 crisis, which, in OCIE’s view, stem from two factors brought on by the pandemic; namely, the shift to telework and market volatility. As identified by OCIE, these risks arise in the following areas:
- Protection of Investor Assets. OCIE notes that the pandemic has caused some firms to alter their usual practices for collecting and processing investor checks and transfer requests, and encourages firms to consider (i) updating their supervisory and compliance policies and procedures to account for any such changes; and (ii) disclosing to investors that the processing of checks or other assets sent to the firm by mail may be delayed. OCIE also advises firms to be vigilant and review their policies and procedures with respect to unusual or unscheduled withdrawals from client accounts, especially COVID-19 related distributions from retirement accounts. This issue lies at the heart of the SEC’s current focus on protecting retail or “Main Street” investors, and will therefore almost certainly continue to be an area of particular scrutiny for OCIE. To address this risk, OCIE recommends that firms consider putting in place additional steps to verify the identity of the requesting investor and the authenticity of disbursement instructions (including relevant bank account information) and recommending that clients designate a trusted contact.
- Supervision of Personnel.The Alert takes note of the challenges that teleworking during the pandemic poses to firms’ obligations to supervise personnel. Accordingly, OCIE advises firms to consider modifying their practices to address: supervisors’ reduced oversight and interaction with employees working remotely; supervised persons’ recommendations in industries that have experienced volatility or increased potential for COVID-19-related fraud; limited ability to conduct on-site and other due diligence reviews of third party managers, investments and portfolio holding companies; communications on employees’ personal devices; remote oversight of trading; and obstacles to diligence and background checks for new employees, such as fingerprints and U4 verifications.
- Fees, Expenses and Financial Transactions. Following up on OCIE’s June 23, 2020 Risk Alert concerning misallocation of fees and expenses and disclosure of conflicts of interest by advisers to private funds, the August 12, 2020 Risk Alert notes the risk of misconduct in this area as a result of the pandemic-related market volatility and its negative impact on fees charged by firms. In OCIE’s view, these factors heighten the risk of financial conflicts of interest and improper fees and expenses in order to “compensate for lost revenue.”OCIE therefore advises firms to review their policies and procedures and compliance monitoring with respect to these issues.
- Investment Fraud. Noting that OCIE staff has “observed that times of crisis or uncertainty can create a heightened risk of investment fraud through fraudulent offerings,” OCIE advises firms to be mindful of these risks in performing due diligence on investments and making determinations about whether investments are in clients’ best interests.
- Business Continuity. OCIE notes that the shift to working remotely may impair firms’ ability to maintain critical business functions in emergencies, and therefore, that their supervisory and compliance policies and procedures, as well as their security and support for facilities and remote sites, may need to be modified and/or enhanced. For example, supervised persons may need to take on expanded roles, and additional resources may be needed for securing servers and systems.
- Protection of Sensitive Information. Firms are required by the Safeguards Rule of Regulation S-P and the Identity Theft Red Flags Rule of Regulation S-ID to protect investors’ personally identifiable information (PII). OCIE cautions that employees’ use of videoconferencing to communicate while working remotely has created a heightened risk of loss of PII and opportunities for fraudsters to engage in phishing or other schemes to access systems and accounts by impersonating firms’ personnel, websites, and/or investors. OCIE therefore recommends that firms be especially attentive to these risks and consider, among other measures, enhancing their identity protection practices, providing additional trainings and reminders to personnel, conducting heightened reviews of personnel access rights and controls, and addressing cyber-related issues with respect to third parties that may also be operating remotely when accessing firms’ systems.
The August 12, 2020 Risk Alert makes clear OCIE’s view that the pandemic, the resulting financial uncertainty, and the new teleworking landscape create increased risks for advisers and broker-dealers of misconduct, supervisory failures, and cyber fraud. Given that OCIE routinely refers findings from its examinations to the SEC Division of Enforcement for investigation, and potentially, enforcement action, advisers and broker-dealers should promptly ensure that their policies and procedures take into account the pandemic-related risks that the August 12 Risk Alert flags, as applicable. They should also be prepared to demonstrate to OCIE staff that their policies and procedures are tailored specifically to the nature, size and extent of their businesses and remote operations, and that relevant personnel have been made aware of any pandemic-related modifications to them.