Business continuity and transition plans required for investment advisors under proposed SEC rule

Authored by Jordan Goldman

The SEC proposed a new rule concerning all investment advisors in 2016. This proposed rule states that written business continuity plans (BCP) will be required for all registered investment advisors (RIA), as well as details of how advisors would transition client accounts if an advisor were to suspend operations.

The focus of the SEC is to ensure that investment advisors could continue operations and address the risks related to a significant business or operational disruption.

What is a business continuity plan?

A business continuity plan is a set of processes and procedures that a firm’s employees and systems rely on to maintain business operations during a time of suspension. To help the RIA restore operations smoothly and efficiently should an event, either internal (e.g., power outage, IT failure) or external (e.g., winter storm, tornado), disrupt operations, a BCP takes into consideration the risks that the RIA may face and creates business continuity strategies to mitigate those risks.

What is a transition plan?

In the event that a RIA is in financial distress, the advisor must either sell or terminate the business. Consequently, the RIA must have a plan in place to transition client accounts so that the financial burden and stress do not fall on the investor. The SEC is looking for RIAs to evaluate the risks and potential roadblocks to transferring assets under management to another RIA or entity, should a RIA not be able to continue operations. The transition plans should be evaluated to ensure that smooth transitions would occur.

Background on the SEC proposal

Throughout the past decade, there has been an abundance of both natural (hurricanes) and manufactured (terrorist and cyber-attacks) events that could affect business operations. Those emergencies motivated the SEC to propose a set of rules guiding those entities that protect, handle and grow their investors’ money to create a written contingency plan in case such a disaster occurs. As part of a RIA’s compliance, a standard BCP may exist; however, when tested, many companies have proved to be unprepared. These plans must be customized on a per-company basis in order to precisely reduce each company’s risk areas. When business is disrupted, it can cause lost revenues and extra expenses, resulting in reduced profits. Additionally, insurance does not cover all costs and cannot replace customers that defect to the competition.

The 2008 financial crisis exposed many RIAs to sudden downfalls and identified the need for a RIA to have plans that allow for the seamless transition of client accounts and information. In the event that the RIA is in financial distress and must either sell or terminate the business, the RIA must have a plan implemented to transition those accounts so that the financial burden and stress of the unanticipated halt are not on the investor.

Key points

While the new rule has only been introduced at this point, it highlights the importance of management, board members and the audit committee evaluating existing business continuity processes and procedures. Many organizations may not have an adequate BCP, or don’t actively update, test and maintain it.

The following are key points of the proposed rule:

  1. Maintenance, protection, recovery and backup of key systems and data: The organization should identify and prioritize those systems that most heavily influence their business and have a process in place to be able to readily access all necessary information.
  2. Alternative locations: When the physical location of the business is compromised, there should be off-site locations where all critical company data is stored, as well as consideration of off-site (remote) access.
  3. Transition plans: In this age of technology and climate change, uncertainty is inevitable, and plans should be introduced that would enable the prompt transition of client-specific information when the manager of accounts changes.
  4. Communication – internal and external: The RIA must be able to communicate a protocol to employees that relays their role in the plan. The protocol should be communicated not only beforehand but also in the midst of a disaster. Clients and third parties must be informed about how business operations will continue, the frequency and sources of information, and when normal business operations will resume.
  5. Identify third parties your operations rely upon: Most RIAs depend on multiple third-party service providers, whether they be administrative, valuation, legal, accounting, transaction/broker, payroll, etc. RIAs should identify third-party providers, understand third-party roles in their organization, and discern the effect the BCP will have on those third-party providers to ensure the RIA can maintain its ability to continue operations of the company. Additionally, RIAs must understand their data governance protocols, where their information lives, what information leaves their four walls and how that data can be recovered, if necessary.

Steps to take now

  1. Disruption considerations: Enhance the design and implementation of your BCP by developing policies and procedures to address and anticipate widespread events, including possible interruptions in key business operations and loss of key personnel for extended periods.
  2. Alternative locations: When confronted with utility (e.g., internet, phone) or location access failure, off-site recovery locations that are not affected by the same power and utility outages are crucial.
  3. Vendor relationships: Review and evaluate the IT infrastructure of service providers. Perform a risk analysis of disrupted operations at service providers, which can create unforeseen operational challenges.
  4. Telecommunications services and technology considerations: Using cost/risk analysis, establish and implement the best course of action for backup files, whether it is VPN, Citrix or trending cloud computing, to ensure no data is lost or unavailable during the time of need.
  5. Communication plans: Create a protocol to communicate with employees before, during and after business interruptions and to contact clients if the need arises and key personnel are unavailable.
  6. Transition plan: Identify any material sources of funding, liquidity, or capital the RIA would seek in times of stress and consider how the RIA would implement a reduction of expenses and other alternatives. Create transition plans to seamlessly shift client information to the proper and applicable arrangement.
  7. Regulatory and compliance: RIAs should regularly update their BCP to adapt to environmental and social changes and include new regulatory requirements.
  8. Review and testing: Many entities that already have a BCP in place do not regularly test it, and 73% of those that do test receive a less-than-adequate grade. Testing and timely remediation are integral steps to a successful BCP.