OCIE Issues Risk Alert Relating to COVID-19 Compliance Risk


August 12, 2020

 

The SEC examination staff has issued a Risk Alert highlighting select COVID-19 compliance risks and considerations for SEC-registered investment advisers and broker-dealers identified through industry outreach efforts and consultation with other regulators. OCIE’s observations and recommendations fall into six broad categories:

Protection of Investor Assets
  • OCIE recommends that firms review and adjust, as necessary, supervisory and compliance policies and procedures relating to the collection and processing of client checks and transfer requests, particularly in situations where firms are not picking up mail daily, and consider disclosing to clients that checks or assets mailed to the firm’s office may experience delays in processing until personnel are able to access the office.
  • Where clients are taking unusual or unscheduled withdrawals from their accounts, particularly COVID-19 related distributions pursuant to the CARES Act, OCIE recommends that firms consider implementing additional steps to validate client identity and disbursement instructions and recommending to clients (e.g., seniors and other vulnerable clients) that they have trusted contacts in place.

 

Supervision of Personnel

OCIE encourages firms to review and modify, as appropriate, supervisory and compliance policies and procedures to address, for example:

  • The level of oversight and interactions with supervised persons working remotely.
  • Securities recommendations in volatile market sectors or where there is heightened risk or fraud potential.
  • The impact of limited on-site due diligence reviews and other resource constraints associated with reviewing third-party managers, investments, and portfolio holding companies.
  • Communications or transactions occurring outside of the firms’ systems due to personnel teleworking and using personal devices.
  • Remote oversight of trading, including reviews of affiliated, cross, and aberrational trading, particularly in high volume investments.
  • The ability to perform due diligence and background checks when onboarding personnel.

 

Practices Relating to Fees, Expenses, and Financial Transactions

OCIE cautions that there may be heightened potential for misconduct or errors regarding financial conflicts of interest (e.g., relating to account rollovers, distributions, and transfers) and fees and expenses charged, including advisory fee calculation errors (e.g., overbilling due to valuation issues, not applying breakpoints or aggregating household accounts, and not refunding prepaid fees for terminated accounts).

To address these concerns, OCIE suggests firms consider enhancing their compliance monitoring by:

  • Validating the accuracy of disclosures, fee and expense calculations, and investment valuations used;
  • Identifying and evaluating transactions that resulted in high fees and expenses; and
  • Evaluating the risks, conflicts, and disclosures associated with borrowing or taking loans from clients and other parties.

 

Investment Fraud

OCIE reminds firms that they should be cognizant of fraudulent offerings when conducting due diligence on investments.

 

Business Continuity

Noting that many firms have shifted to operating predominantly from remote sites, OCIE encourages firms to review their continuity plans, and make necessary changes or disclosures to address the unique risks and conflicts present in such remote operations.

 OCIE also notes that security and support for facilities and remote sites may need to be modified or enhanced. Examples provided include whether: (i) additional resources and/or measures for securing servers and systems are needed; (ii) the integrity of vacated facilities is maintained; (iii) relocation infrastructure and support for personnel operating from remote sites is provided; and (iv) remote location data is protected.

 

Protection of Sensitive Client Information

OCIE cautions that the use of videoconferencing or other electronic means to communicate with clients creates vulnerabilities around the potential loss of sensitive information, including personally identifiable information (PII). OCIE recommends that firms:

  • Enhance identity protection practices, such as by reminding clients to contact the firms directly by telephone for any concerns about suspicious communications and having personnel available to answer these inquiries.
  • Provide personnel with additional training and reminders related to: (i) phishing and other targeted cyberattacks; (ii) sharing information while using certain remote systems (e.g., unsecure web-based video chat); (iii) encrypting documents and using password-protected systems; and (iv) destroying physical records at remote locations.
  • Conduct heightened reviews of personnel access rights and controls as individuals take on new or expanded roles in order to maintain business operations.
  • Use validated encryption technologies to protect communications and data stored on all devices, including personally-owned devices.
  • Ensure that remote access servers are secured effectively and kept fully patched.
  • Enhance system access security, such as requiring the use of multifactor authentication.
  • Address new or additional cyber-related issues related to third parties, which may also be operating remotely when accessing firm systems.

The IAA has been holding member calls to discuss issues relating to the coronavirus crisis. Our next calls will take place on Wednesday, August 19.

Additional resources are available on our Coronavirus Response Resources web page and updates are in our online newsletter IAA Today. In addition, the IAA Exchange is available for members to discuss questions with each other.

 

TAGS: COVID-19, Coronavirus, Risk Alert, OCIE
