SEC Proposes New Requirement for Business Continuity Plans for Investment Advisers

On June 28, 2016, the Securities and Exchange Commission (“SEC”) proposed a rule that would require all SEC-registered investment advisers to adopt and implement a business continuity and transition plan (“BCP”).1 The BCP would need to be reasonably designed to address operational and others risks related to possible significant disruptions in the adviser's business. According to the Proposing Release, without an adequately robust plan, the SEC believes it would be “fraudulent and deceptive” for an adviser to provide advisory services.

The SEC has previously noted that business continuity plans should be addressed in an adviser's compliance policies and procedures in accordance with rule 206(4)-7.2 In the Proposing Release, the SEC recognized that most investment advisers already have a BCP, but pointed to observed weaknesses and inconsistencies in those plans identified through the examination process.  

Proposed rule 206(4)-4 identifies the explicit requirements for what makes a BCP “reasonably designed to address operational and other risks.” The SEC acknowledges in the Proposing Release that businesses will vary and the approach to business continuity will depend on the specific attributes of each business, but nonetheless requires certain elements.

BCP Elements

The proposed rule would require SEC-registered advisers to adopt and implement written BCPs that include policies and procedures addressing (i) business continuity after a significant business disruption, and (ii) business transition if the adviser is unable to continue providing advisory services to clients. The Proposing Release includes various situations to consider in designing the BCP, such as natural disasters, acts of terrorism, cyber-attacks, equipment or system failures, or loss of a service provider, facilities, or key personnel. Transitions should address when an adviser exits the business, merges, or sells its business. The BCP should serve to minimize disruptions during any of the designated events.

The content of a BCP would be based upon the risks associated with a particular adviser's operations, and would be required to include several key elements, summarized below.

a) Policies and Procedures on the Maintenance of Critical Operations and Systems and the Protection, Backup, and Recovery of Data

An adviser's BCP would be required to include policies and procedures that address the maintenance of critical operations and systems, and the protection, backup, and recovery of data, including client records. The BCP should identify and prioritize the functions, operations, and systems critical to the adviser's business, and should consider, and possibly provide, alternatives and redundancies to promote continual operation despite a business disruption.

The Proposing Release identifies as critical operations and systems those that are used to (1) process portfolio securities transactions for clients, (2) value and maintain client accounts, (3) provide access to client accounts, and (4) deliver funds and securities. The Proposing Release also focuses heavily on the need to identify and evaluate the role of third-party service providers in performing critical functions, and emphasizes the need for advisers to evaluate the business continuity controls in place at such firms. Finally, the BCP should identify the key personnel that are integral to the business or any of the critical operations and systems. 

The Proposing Release notes that the data backup and recovery component of a BCP should include an inventory of key documents, identifying the location and description of each item. These documents should include the management structure, risk management processes, and regulatory reporting requirements in the event of a business disruption. 

The SEC also briefly addressed cybersecurity. As cybersecurity has been a hot topic, advisers are again reminded to have processes in place to respond to a cyber-attack. 

Generally, the proposed rule addresses the what that needs to be addressed, but not how each factor must be addressed, giving advisers a fair amount of latitude to design BCPs tailored to their business.  MORE