Accept All Cookies
Citing the ongoing risk of terrorist and cyber-attacks, the 2008 financial crisis, and Hurricanes Katrina and Sandy, the Securities and Exchange Commission (“SEC”) has issued proposed rules under the Investment Advisers Act of 1940 (“Advisers Act”) that would require investment advisers to establish business continuity and transition plans to be utilized in the event of a data loss, system failure, or other significant business disruption. The proposed rules for investment advisers, similar to business continuity plan (“BCP”) rules already mandated by the Financial Industry Regulatory Authority (“FINRA”), the Commodity Futures Trading Commission (“CFTC”), and the National Futures Association (“NFA”), would require that such plans be risk-based, documented in written policies and procedures, and reviewed at least annually. The proposed rules would also amend the existing books and records requirements to impose new recordkeeping obligations relating to business continuity and transition plans. If approved, they would convert what is currently an industry best practice to a requirement for all SEC-registered investment advisers.
Public comments on the proposed rules must be submitted no later than 60 days from its publication in the Federal Register.
The SEC’s proposal would implement a new Advisers Act Rule 206(4)-4 that would require investment advisers to adopt and implement written policies and procedures that address both business continuity after a significant business disruption, and business transition in the event the investment adviser is unable to continue providing investment advisory services to clients. The content of a business continuity and transition plan would need to be customized to address the risks associated with an investment adviser’s operations and designed to minimize “material service disruptions.” This would include:
Further, the transition plan component would be required to include:
The proposed rules would also require investment advisers to review, at least annually, the adequacy of the business continuing and transition plan and the effectiveness of its implementation.
The SEC estimates the one-time internal and external costs necessary to adopt and implement a business continuity and transition plan would range from approximately $30,000 to $1.5 million, depending on the facts and circumstances of a particular investment adviser’s operations and the adequacy of its existing plans. It also estimates that ongoing costs associated with the proposed rules would range from approximately $7,500 to $375,000 each year.
The SEC’s proposal would amend existing Advisers Act Rule 204-2 to require investment advisers to maintain copies of any business continuity and transition plan that is currently in effect, or that was in effect within the past five years. Investment advisers would also have to maintain for five years all records documenting its annual review of its business continuity and transition plan. For the first two years of such period, these records will have to be maintained on-site in the investment adviser’s offices.
Alongside the proposed rules, the SEC’s Division of Investment Management issued guidance to registered investment companies regarding business continuity planning. The guidance stated that the ability to continue operations during a business continuity event should be considered part of a fund’s compliance obligations under Rule 38a-1 of the Investment Company Act of 1940. It also stressed that a BCP should consider not just the vulnerabilities of a fund’s primary investment adviser, but also those of the various third-party service providers that are part of a fund complex. As a result, conducting thorough initial and ongoing due diligence of those third parties, including due diligence of their respective business continuity and disaster recovery plans, should be part of a comprehensive BCP. The guidance also provided, as an example of best practices, that a fund’s chief compliance officer should personally participate in the BCP assessment process.
In its comments to the proposed rules, the SEC emphasized that an investment adviser’s business continuity and transition plan must be customized to the risks associated with the investment adviser’s operations. This means that plans will need to be risk-based and designed to address an investment adviser’s specific business operations—a generic “one size fits all” plan will not be sufficient. The SEC is clearly concerned about the ability of investment advisers to service clients in the wake of data loss or facility destruction following a natural or man-made disaster. The proposed rules, coupled with the SEC’s parallel guidance to investment companies, illustrate that business continuity and transition plans will be a focus for regulators going forward. Investment advisers, including their compliance officers and risk managers, will want to make the implementation of such plans, and the ongoing due diligence, compliance, and disclosure obligations that follow, a top priority.
1 See Securities and Exchange Commission, Proposed Rule, Adviser Business Continuity and Transition Plans, 17 CFR Part 275 (June 28, 2016), http://www.sec.gov/news/pressrelease/2016-133.html [hereinafter, “proposed rules”].
2 See FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information), available at http://www.finra.org/industry/business-continuity-planning.
3 See 17 CFR Part 23.603 (Business continuity and disaster recovery).
4 See NFA Compliance Rule 2-38 (Business Continuity and Disaster Recovery Plan), available at https://www.nfa.futures.org/nfamanual/NFAManual.aspx?RuleID=RULE%202-38&Section=4. In addition, the NFA has published a questionnaire to assist its members in adopting written business continuity and disaster recovery plans tailored to their operations, available at http://www.nfa.futures.org/NFA-compliance/publication-library/self-exam-questionnaire-appendix-b.pdf.
5 See Securities and Exchange Commission, Division of Investment Management, Guidance Update, Business Continuity Planning for Registered Investment Companies (June 2016), https://www.sec.gov/investment/im-guidance-2016-04.pdf.
6 Rule 38a-1 requires funds to adopt and implement written compliance policies and procedures reasonably designed to prevent violation of the federal securities laws.