Last week, the Office of Compliance Inspections and Examinations of the United States Securities and Exchange Commission (OCIE) issued a Risk Alert which outlines new compliance risks stemming from the global pandemic. The SEC and OCIE have remained operational and have continued to initiate examinations, including routine examinations of investment advisers.
The Risk Alert describes several areas of concern for firms navigating the effects of COVID-19. Key takeaways from OCIE’s report are below:
- Ensure investor assets are protected: Many firms have made operational or procedural changes around processing investor checks and transfer requests as part of their COVID-19 response. These alterations should be reflected in compliance policies and procedures and be properly communicated to clients in a timely manner. These changes may include:
- The frequency of, and procedures for, processing mail from investors and
- Handling of investor disbursements, especially withdrawals from retirement accounts which may be related to the impact of COVID-19.
Firms may need to take extra steps to validate disbursement instructions and make sure certain clients, such as clients with diminished capacity, have an authorized contact person in place in case questionable requests for disbursements are made.
- Adopt additional supervisory policies and procedures, as needed: Amid operational changes, such as teleworking or reduced office hours, firms must continue to properly supervise authorized persons conducting trading activities. Policies and procedures in this area may need to be significantly modified to address situations like:
- Supervisors having less consistent or no in-person contact with supervised employees;
- Supervised employees making recommendations on securities which are experiencing greater market volatility due to COVID-19; and
- Communications or transactions occurring on employees’ personal devices, not on the firm’s network.
- Be aware of potential misconduct related to fees and expenses: Recent shifts and increased volatility in capital markets may increase compliance risks as firms try to make up for lost revenue. These risks have increased in areas such as:
- Conflicts of interest around fees and expenses; for example, borrowing or taking loans from investors and
- Errors when charging clients and investors. This may come up through fee calculation errors and miscalculating tiered fees.
Firms should consider reviewing and updating fee and expense policies and procedures. Items to evaluate include:
- Identifying and analyzing trends of high fees for certain transaction types, and determining if this fee structure is in the best interest of the investor and
- Reviewing the firm’s disclosures, fee and expense calculations, and valuations for accuracy and revising as deemed necessary.
- Beware of investment fraud and conduct proper due diligence on potential investments: If you become aware of a potentially fraudulent investment, contact the SEC to report the possible scam.
- Adopt policies and procedures to support business continuity: Firms should have policies and procedures in place to ensure critical business functions can continue in the event of an emergency. This is particularly relevant now that many firms are conducting operations remotely as a result of the pandemic. Some revisions to policies and procedures should be made to account for this change, such as:
- Modifying provisions related to “normal operating conditions” which may include expanding the roles of supervisory persons to maintain business operations; and
- Taking additional steps to secure business servers and systems or enhancing maintenance procedures for business offices not currently occupied.
- Address information security vulnerabilities created by remote operations: Working remotely creates many opportunities for cybercriminals and scammers to exploit clients’ or employees’ personally identifiable information (PII). Firms should take steps to minimize information security risks by:
- Properly training personnel on how to recognize and avoid phishing attempts;
- Ensuring remote servers and employees’ personal devices are secure and that systems require multi-factor authentication; and
- Conducting ongoing review of employees’ network access rights and changing access rights as needed.
WHAT DOES THIS MEAN FOR ME?
The coronavirus pandemic creates additional compliance risks and firms must be vigilant in their review and implementation of policies and procedures, business practices, and operations to protect clients and prevent compliance issues. Fairview will continue to inform you about emerging compliance risks, as they arise.
If you have questions about business continuity planning, revising compliance policies and procedures, or other response measures for firms during the pandemic, Fairview can help; contact us today for more information.