SEC proposes rule 206(4)-4
Adviser business continuity and transition plans
The Securities and Exchange Commission (SEC) proposed a new rule under the Investment Advisers Act of 1940 (Advisers Act). If adopted, it would have a significant impact on the investment management industry, including investment advisers and service providers to the industry.
The Adviser Business Continuity and Transition Plans Rule (the Rule) would require the industry’s 12,000+ registered investment advisers to adopt and implement written business continuity and transition plans, reasonably designed to address operational risks related to significant disruption in the adviser’s operations. In conjunction with the proposal, the SEC’s Division of Investment Management also issued guidance addressing the business continuity planning for registered investment companies (funds), including the oversight of the operational capabilities of fund service providers by the fund complex’s sponsor, chief compliance officer, and boards.
Building upon the trend seen in the banking and securities sectors, the Rule shows that financial services regulators continue to apply pressure on covered organizations to further mitigate the risk of service disruption. SEC Chair White indicated that the Rule is the SEC’s latest effort to modernize and enhance regulatory safeguards for the investment management industry.
The Rule would require an adviser’s plan to include written policies and procedures addressing:
- Maintenance of critical operations, systems, and data protection
- Pre-arranged alternative physical locations
- Communication plans
- Review of third-party service providers
- Transition plans in the event the adviser needs to wind down operations
Advisers would be able to tailor the detail of their plans based on the complexity of their business operations and the risks presented by their particular business models and activities.
It’s more prescriptive. Unlike previous guidance,¹ the Rule would be more prescriptive in its requirements. Plans would need to be more comprehensive in scope and address the key components noted above. Plans will need the agility and sustainability to adapt to evolving issues. Organizations will also need to review their plans at least annually and be able to demonstrate that the plans are effective. This may require greater levels of assurance over capabilities, especially with respect to the use of third parties, driving the development of new scenario planning, attestation, or plan-testing techniques that incorporate service providers along with the business.
Third-party oversight. Oversight of third parties is a repeated focus under the Rule. Adviser organizations often rely on an interconnected web of third parties, including custodial services, pricing vendors, transfer agents, broker-dealers, administrators, portfolio accountants, sub-advisers, and technology providers. Advisers need to assess the relevant risks within this ecosystem, known as the “extended enterprise,” including financial, operational, and security risks. Advisers should design adequate, risk-based mitigation strategies across the third-party lifecycle. Since third parties also rely on service providers, understanding critical “fourth parties” in the extended enterprise will be necessary. Advisers will also need to evaluate whether their providers’ plans can ensure service continuity during a significant disruption or, if not, establish contingencies.
Data security. Given the evolving threats to key data, such as customer records, advisers will need appropriate controls in place to protect, back up, and recover information. Advisers will also need to gain assurance on the data security capabilities of third-party service providers.
Effective communication plans. Advisers would need to have a documented, actionable communication plan to interact with clients, employees, service providers, and regulators during a disruption event. Stakeholders must understand their specific roles and responsibilities in carrying out the plan.
Moving toward “resiliency.” While the investment management industry has increased its focus on protection against threats such as cyber attacks, many organizations do not adequately stress-test or scope their plans, which gives little confidence in how those plans would perform in an actual event. Advisers should move toward a resiliency-based approach that includes:
- Clearly defined recovery capabilities
- Using data to help anticipate potential disruptions
- Using severity thresholds and systems to make proactive decisions during business disruptions
Advisers and funds should review the Rule and the SEC staff guidance to assess the potential impact on their business and consider responding to the SEC’s request for comments by September 6, 2016. They should then assess strategies for addressing the requirements, which would include the following measures:
- Assign ownership and overall governance for the program
- Assess relevant risk including impact and likelihood of disruption; determine severity threshold
- Benchmark existing continuity plan against the requirements
- Create transition plan
- Compile a list of third-party service providers and their critical service providers (fourth parties); assess relevant risks; design due diligence and ongoing oversight practices
- Develop a testing strategy and schedule to validate program effectiveness
- Establish a change control process so the program remains dynamic and can adapt to ongoing changes
Deloitte has the deep industry knowledge, tools, and experience necessary to guide advisers through the multiple operational and risk dimensions posed by the Rule. Our wide range of existing solutions and experience align across the various disciplines called upon by the Rule, including:
- Regulatory and compliance assistance
- Business resiliency
- Transition planning
- Extended enterprise risk management
We are prepared to support our clients across each aspect of implementation including strategy, assessments of existing capabilities,