SEC Proposes Business Continuity and Transition Plan Rule for Investment Advisers
Client Alerts | August 22, 2016 | Hedge Funds
On June 28, 2016, the Securities and Exchange Commission (the “SEC“) proposed a new rule (the “Proposed Rule“) that would require SEC-registered investment advisers (“RIAs”) to adopt and implement written business continuity and transition plans (“Continuity Plans“) reasonably designed to address operational and other risks related to a significant disruption in the RIA’s operations.[1] Additionally, the Proposed Rule has certain annual review and record-keeping components, as summarized below.
While the SEC recognized that many RIAs already have plans in place to mitigate business disruptions, the SEC has found weaknesses in these plans, particularly with regard to widespread disruptions, alternate locations, vendor relationships, telecommunications and technology, communications, and review and testing.
The comment period for the Proposed Rule is open until September 6, 2016.
Business Continuity Planning[2]
Under the Proposed Rule, an RIA’s Continuity Plan would be based upon the risks associated with the RIA’s operations and would include policies and procedures designed to minimize material service disruptions and any potential client harm from those disruptions. In particular, the Continuity Plan would be required to address:
1. maintenance of critical operations and systems, and the protection, backup, and recovery of data (including client records);
2. pre-arranged alternate physical location(s) of the RIA’s office(s) and/or employees;
3. communications with clients, employees, service providers, and regulators;and
4. identification and assessment of third-party services critical to the operation of the RIA.
Transition Planning[3]
The Proposed Rule provides that the transition planning component of the Continuity Plan would include:
1. policies and procedures intended to safeguard, transfer and/or distribute client assets during transition;
2. policies and procedures facilitating the prompt generation of any client-specific information necessary to transition each client account;
3. information regarding the corporate governance structure of the RIA;
4. the identification of any material financial resources available to the RIA; and
5. an assessment of the applicable law and contractual obligations governing the RIA and its clients, including pooled investment vehicles, implicated by the RIA’s transition.
According to the Proposed Rule release, these proposed components are designed to help RIAs be well prepared so that they can act quickly and in their clients’ best interests if and when a transition occurs. The SEC believes that the transition plan components of an RIA’s Continuity Plan generally should account for transitions in both normal and stressed market conditions, and should consider each type of advisory client, the RIA’s contractual obligations to clients, counterparties, service providers and the relevant regulatory regimes under which the RIA operates.
Annual Review and Record Keeping Under the Proposed Rule
Under the Proposed Rule, RIAs would be required to review their Continuity Plans annually and retain records of their reviews. The Proposed Rule would also amend Rule 204-2 under the Investment Advisers Act of 1940, as amended, to require RIAs to make and keep any Continuity Plans that are currently in effect or were in effect during the last five years, as well as records of their annual reviews.
RIAs should review their current business continuity plans as the development and implementation of new Continuity Plans meeting SEC requirements may take a substantial amount of time.
________________________________________
[1] “Adviser Business Continuity and Transition Plans,” Release No. IA-4439; File No. S7-13-16 (June 28, 2016), available at: https://www.sec.gov/rules/proposed/2016/ia-4439.pdf.
[2] Business continuity planning involves implementing procedures to mitigate the operational risks arising from internal or external events, which disrupt service to RIA clients, resulting in potential harm. Such events include natural disasters, cyber-attacks, terrorism, technology failures or other physical business interruptions.
[3] Transition planning involves implementing procedures to transition clients to other RIAs should the situation arise where an RIA is winding down its operations or is no longer able to provide services. Reasons for suspension of service may be typical, such as the departure of key personnel, or the result of stress, such as bankruptcy.