March 20, 2020 - Securities Group News: Investment Advisors, Is Your Business Continuity Plan Effective In The Novel Coronavirus World?
By: Anthony R. Leone
The Novel Coronavirus (COVID-19) has affected the daily lives of millions and has impacted some to a far greater extent. The virus is affecting every business and industry—especially those businesses connected with the financial markets. For investment advisors, no greater case can be made to demonstrate the importance of having an effective business continuity plan in place. Whether you lack a plan, or have an existing plan that is old or obsolete, it’s never too late to put an effective plan in place. In addition to regulatory considerations, careful reflection in times like these suggest that having a business continuity plan will provide some degree of peace of mind for principals and clients alike and further free mental bandwidth to assess extreme market volatility and address client angst. Below is a refresher on current regulatory requirements and guidelines for both advisors registered with the SEC and those advisors registered in Massachusetts and Connecticut. In addition, we offer five critical considerations in evaluating or implementing a business continuity plan in light of COVID-19.
While there are no specific federal requirements concerning business continuity plans, Rule 206(4)-7 of the Investment Advisers Act of 1940 (the “Act”) has long been interpreted to implicitly require advisors to implement a business continuity plan. Rule 206(4)-7 specifically requires that advisors have in place “written policies and procedures reasonably designed to prevent violation” of the Act. Importantly the Act also requires yearly testing of said policies and procedures. In 2016, the SEC proposed, but did not adopt Rule 206(4)-4 (the “Proposed Rule”), which would have specifically mandated the adoption of business continuity plans. Again, while never enacted, the Proposed Rule provides prudent guidance for implementing an effective business continuity plan. In particular, the Proposed Rule would have required a business continuity plan which included provisions concerning: (1) maintenance of critical operations and systems, and the protection, backup, and recovery of data, including client records; (2) alternative physical office locations; (3) consideration of communication systems with clients, employees, service providers, and regulators; (4) assessment of critical third-parties; and (5) transition of the advisory business.
Like the SEC, neither Massachusetts nor Connecticut have direct regulations on the books. However, both states have issued guidance identifying business continuity plans as “best practices” and “important.” Massachusetts has even gone as far to comment that it is “gathering data and information on how best to address this topic . . . .”1 More broadly, the North American Securities Administrators Association (“NASAA”) has published its model rule for suggested implementation by states. Similar to the SEC’s proposed rule, the NASAA rule requires “[t]he protection, backup, and recovery of books and records . . . [a]lternate means of communications with customers, key personnel, employees, vendors, service providers (including third-party custodians), and regulators, including, but not limited to, providing notice of a significant business interruption or the death or unavailability of key personnel or other disruptions or cessation of business activities . . . [o]ffice relocation in the event of temporary or permanent loss of a principal place of business . . . [a]ssignment of duties to qualified responsible persons in the event of the death or unavailability of key personnel [and] [o]therwise minimizing service disruptions and client harm that could result from a sudden significant business interruption.”
With SEC and state guidance in mind, we believe that the first step in developing or refining a business continuity plan is to think honestly about the size and complexity of your advisory practice. Obviously, what will be appropriate for a large advisor with offices in multiple locations will not be appropriate or necessary for the thousands of sole proprietors working from a home office. An advisor refining or implementing a business continuity plan, regardless of size and complexity, should at a minimum consider the following issues:
- Where will I work If I’m unable to work at my primary office? Consider the ability to transition your business to a secure off-site location. Further consider that this site might be a home (a non-issue for many investment advisors who operate out of home offices) in the event of a shelter-in-place order or lockdown situation. In such a situation, total reliance on physical files, if located elsewhere, to manage client relationships would significantly disrupt the advisor’s business in the event that access to these files is restricted or prohibited.
- What technology systems do I have in place to ensure secure trading capabilities? All advisors would be well served to evaluate the use of cloud options or VPN to ensure access to client and trading data during disruptive events. In particular, when evaluating these options, careful attention must be given to the security of these systems, as well as periodic testing of bandwidth capabilities and procurement of sufficient number of licenses (if necessary) to handle potential office wide closures.
- Do I have a feasible communication plan? While email and phone systems are taken for granted, an advisor should consider the ability to contact employees, clients, third-party providers, and regulators, by means other than its primary systems. For example, is a land line available? Can your employees tether to a wireless hotspot to send emails in the event that your internet is disrupted? Is this system encrypted or otherwise secure?
- Do I have back-up plans if my third-party service providers “go dark” for any reason? Recently, as a result of volatility caused by coronavirus news, major custodians and other providers have experienced service issues. Such third-party system failures should be considered as advisors now increasingly (and critically) rely on third-parties, including robo advisors, to manage subsets of client portfolios—not to mention use of third-parties to custody client assets. As a result it is essential for advisors to review and evaluate the latency of its service providers during times of crises.
- If I’m unable to continue operations, do I have in place a transition plan? While not necessarily prompted by crises such as coronavirus, a well thought out business continuity plan should also include provisions concerning protocol in the event of a sale of the business, whether by design or by financial hardship of the advisor, including key considerations of client consent and the transition of client and third-party contracts.
These items, in addition to others that may arise based on the size and complexity of the advisor’s business, should be assessed and refined annually. Such review will ensure both a familiarity and comfort with the effectiveness of proscribed action in times of need, but also to ensure continued compliance with any new laws and regulations which may have changed. The bottom line is that it is certain COVID-19 has already, or will in the future, cause advisors to operate through secondary systems, and it is also likely that the continuing impact may prompt the SEC and states to revisit the need for specific regulations addressing business continuity plans informed by the Novel Coronavirus crisis. For now, even in the midst of this crisis, it is important for investment advisors to revise business continuity plans as necessary, or draft one as a way to address potential issues.