Rule 206(4)-7 under the Investment Advisers Act of 1940 (“Investment Advisers Act”) requires registered investment advisers to have in place written supervisory policies and procedures. Although the rule does not specifically indicate the areas that must be addressed in an investment adviser’s written supervisory policies and procedures, the final rule release indicated some issues that should be addressed in all investment advisers’ written supervisory policies and procedures to the extent they are relevant to the investment adviser; one of these issues is business continuity plans. As a fiduciary, an investment adviser has a responsibility to take the appropriate steps to protect the clients’ interests from risks resulting from the investment adviser’s inability to provide advisory services due to a disruption in business, like a natural disaster; therefore, all investment advisers should have a business continuity and disaster recovery plan. The business continuity and disaster recovery plan should provide guidance regarding the steps and actions that should be taken in the event of an unanticipated interruption of normal business operations. When developing a plan specific to the advisory firm, each investment adviser is encouraged to consider all of the firm’s advisory services and functions, consider any possible significant business disruptions that may occur, and determine a plan of action for each of these potential disruptions.
In October 2012, the Northeast coast was significantly impacted by the damage caused by Hurricane Sandy, resulting in business disruptions and the closure of the equities and options markets on October 29 and October 30, 2012. These events prompted the Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”), the Financial Industry Regulatory Authority (“FINRA”), and the Commodity Futures Trading Commission’s (“CFTC”) Division of Swap Dealers and Intermediary Oversight to jointly review the business continuity and disaster recovery planning of firms and release a staff advisory addressing some best practices and lessons learned related to business continuity and disaster recovery planning. In addition to the joint review, the SEC’s National Examination Program (“NEP”) reviewed the business continuity and disaster recovery plans of approximately 40 investment advisers in the impacted areas to assess the investment advisers’ compliance with applicable laws, rules, and regulations related to business continuity and disaster recovery plans. The SEC’s OCIE issued a Risk Alert on August 27, 2013, specifically addressing the NEP staff’s observations and lessons learned from reviewing these investment advisers’ business continuity and disaster recovery plans. The following key areas are addressed in both the SEC, FINRA, and CFTC joint advisory release and the SEC OCIE Risk Alert:
- Widespread Disruption Considerations;
- Alternate Locations Considerations;
- Vendor Relationship Considerations;
- Telecommunications Services and Technology Considerations;
- Communication Plans Considerations;
- Regulatory and Compliance Considerations; and
- Review and Testing Considerations.
The SEC has indicated that both the joint advisory release and the Risk Alert are intended to encourage firms to review their business continuity plans in order to improve responses to and reduce recovery time after significant large-scale events. These documents provide observations, identified areas of weakness, best practices, and lessons learned that investment advisers should consider when reviewing their business continuity plans.
Investment advisers should closely review the SEC Risk Alert and the joint advisory release issued by the SEC, FINRA, and CFTC and carefully consider the information that was provided in these documents when reviewing the adequacy and effectiveness of their own business continuity and disaster recovery plans. Investment advisers should use the SEC Risk Alert and the joint advisory release issued by the SEC, FINRA, and CFTC to identify weaknesses in their own plans and to implement the best practices identified in the SEC Risk Alert and the joint advisory release. If an investment adviser does not have in place a business continuity and disaster recovery plan, the information provided in the SEC Risk Alert and the joint advisory release would be a good guide for some key elements that should be addressed when developing a plan.
Having a plan in place to ensure the continuity of business for your clients under all circumstances is part of an investment adviser’s fiduciary duty to its clients. If your investment adviser needs assistance updating or developing a business continuity plan, RIA Compliance Consultants can assist you. For assistance with your business continuity and disaster recovery plan, contact your consultant if you are an existing client or click here to schedule a time to speak to one of our senior compliance consultants to see how we may assist you.
Posted by Bryan Hill