The Securities and Exchange Commission (“SEC”) recently proposed a new rule and rule amendments under the Investment Advisers Act of 1940 (“Advisers Act”) that would require SEC-registered investment advisers to adopt and implement written business continuity and transition plans. The SEC’s Division of Investment Management also recently released a guidance update discussing several measures registered investment companies (“funds”) should consider as they evaluate the robustness of their business continuity plans. The full text of the proposed rule and guidance update can be found here and here.
Rule Proposals for Investment Adviser Continuity and Transition Plan Requirements
Business continuity plan requirements for investment advisers are currently addressed under the Advisers Act’s general rule on adviser compliance procedures and practices (Rule 206(4)‑7). Under the rule, advisers are required to adopt and implement written compliance policies and procedures reasonably designed to prevent violations of the federal securities laws. The rule does not specifically address business continuity planning but the rule’s adopting release stated that an adviser’s compliance policies and procedures should address business continuity plans to the extent they are relevant to an adviser. The rule does not identify critical components of a business continuity plan or discuss specific risks that advisers should consider in developing such plans. A 2013 joint advisory issued after a review of business continuity plans in the wake of Hurricane Sandy indicated that firms’ business continuity plans may not be sufficient to mitigate the potential adverse effects of business disruptions on clients. For a summary of that joint advisory please see our Client Alert available here.
Proposed New Rule 206(4)-4
The proposed new Rule 206(4)-4 would require investment advisers to adopt and implement written business continuity and transition plans reasonably designed to address operational and other risks related to a significant disruption in an investment adviser’s operations. These plans would be required to address:
- business continuity after a significant business disruption (e.g. a natural disaster, cyber-attack or system failure); and
- business transition in the event an investment adviser is unable to continue providing investment advisory services to clients (e.g. when an adviser sells it business, enters bankruptcy proceedings or merges with another adviser).
The proposed rule also states that the content of a business continuity and transition plan would be required to be based upon risks associated with the adviser’s operations and include policies and procedures designed to minimize material service disruptions, including:
- maintenance of critical operations and systems, and the protections, backup, and recovery of data, including client records;
- pre-arranged alternate physical location(s) of an adviser’s offices and employees;
- communications with clients, employees, service providers, and regulators;
- identification and assessment of third-party services critical to the operation of an adviser; and
- a plan of transition accounting for the possible winding down of an investment adviser’s business or the transition of an investment adviser’s business to others in the event the investment adviser is unable to continue providing investment advisory services.
The SEC provides advisers some flexibility to create business continuity and transition plans by recognizing that the degree to which an adviser’s plan addresses the required components may vary significantly depending on the nature of an adviser’s business.
Proposed Rule 206(4)-4 would also require investment advisers to review the adequacy of their business continuity and transition plan and the effectiveness of that plan at least annually. The SEC indicated that an adviser generally should consider any changes to the adviser’s products, services, operations and critical third-party service providers, among other factors, as well as any weaknesses that the adviser may have identified in any testing or assessments of the plan.
Proposed Amendments to Rule 204-2
The SEC also proposed to amend rule 204-2 to require advisers to maintain and preserve copies of all written business continuity and transition plans that are in effect or were in effect at any time within the past five years. The proposed rule amendments would also require advisers to maintain and preserve any records documenting the adviser’s annual review of the business continuity and transition plan required under the new proposed rule 206(4)-4.
Investment Company Business Continuity Planning
Rule 38-1 under the Investment Company Act of 1940 (the “Investment Company Act”) requires funds to adopt and implement written compliance policies and procedures. The adopting release for that rule stated that funds’ or their advisers’ policies and procedures should address business continuity plans. A 2013 joint advisory issued after a review of business continuity plans in the wake of Hurricane Sandy indicated that firms’ business continuity plans may not be sufficient to mitigate the potential adverse effects of business disruptions on clients. For a summary of that joint advisory please see our Client Alert available here. In August 2015, hundreds of mutual funds and exchange-traded funds experienced a business continuity event when a systems malfunction at a financial institution prevented it from calculating accurate NAVs for these funds. In its review of the event, the staff of the SEC believed that some funds could have been better prepared for the possibility that one of their critical service providers would suffer an extended outage and that this event highlighted the importance of robust business continuity planning for funds. The staff of the SEC believes that funds should consider how to mitigate exposures through compliance policies and procedures that address business continuity planning and potential disruptions of services provided both internally and by critical third-party service providers.
Guidance on Fund Practices
The SEC’s Division of Investment Management’s guidance update discusses a number of measures the staff believes that funds’ should consider as they evaluate the robustness of fund complexes’ business continuity plans in order to mitigate business continuity risks for funds and investors. While recognizing that fund complexes vary in activities and operations that require tailoring of policies and procedures, the staff highlights several notable practices they have observed in funds’ business continuity planning. These practices include:
- covering the facilities, technology/systems, employees and activities conducted by a fund’s adviser and any affiliated entities, as well as dependencies on critical services provided by third-parties;
- including a broad cross-section of employees in business continuity programs;
- participation of a fund’s chief compliance officer in a fund’s third-party service provider oversight process;
- business continuity plan presentations to fund boards of directors on an annual basis;
- annual testing of a fund’s business continuity plan; and
- monitoring by the chief compliance officer and other pertinent staff of business continuity outages.
Considerations Regarding Critical Service Providers
Fund complexes often outsource critical functions to third parties, such as investment advisers, principal underwriters, administrators, transfer agents, custodians and pricing agents. As a result, the staff indicated that it believes that a fund’s business continuity plan should consider conducting thorough initial and ongoing due diligence of those third parties and each of their business continuity plans. When conducting this due diligence, the staff recommends that funds consider:
- the back-up processes and contingency plans the critical service providers have in place;
- how to best monitor for significant disruptions at a service provider and the communications protocols and steps necessary to successfully navigate such events;
- the interrelationship of a fund’s critical service providers’ business continuity plans; and
- having a plan for managing the response to potential disruptions under various scenarios, whether the disruptions occur internally or at a critical third-party service provider.
In light of the rule proposal and the Division of Investment Management guidance, advisers and funds should consider reviewing their existing business continuity and transition plans, as appropriate. You may submit comments on the proposed new Advisers Act rule and amendments electronically here or by hard copy as described in the rule proposal instructions.