OCIE's COVID-19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisers

On August 12, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published an alert to share observations regarding a number of COVID-19-related issues, risks and practices relevant to SEC-registered investment advisers and broker-dealers (collectively, “firms”) and identified heightened risks of misconduct in various areas. The following six categories were highlighted:

Protection of Investors’ Assets 

In light of the current environment, the staff observed that some firms changed their normal practices for collecting and processing investor checks and transfer requests. Firms should consider updating policies and procedures to reflect adjustments made to current practices and to disclose to investors any potential processing delays caused by lack of to access the mail or deliveries at offices. Firms should also reassess their policies and procedures around disbursements to investors, including where investors are taking unusual or unscheduled withdrawals from their accounts, particularly COVID-19 related distributions from their retirement accounts.

Supervision of Personnel

Firms are obligated to provide oversight of supervised persons’ investment and trading activities. They should consider amending policies and procedures to reflect current business activities and operations, such as shifting to a remote working environment, dealing with significant market volatility and related issues, and responding to operational, technological and other challenges. Firms should reevaluate their practices regarding reduced level of interaction with supervised persons, remote oversight of supervised persons and their related activities, confirming supervised persons are only using approved methods of communications.  In addition, firms should be cognizant of limited on-site due diligence related to new investment opportunities as well as onboarding of new hires.

Practices Relating to Fees, Expenses and Financial Transactions

The recent market volatility and the resulting impact on investor assets and the related fees collected by firms may increase the financial pressure on firms and their personnel to compensate for lost revenue.  This may result in misconduct including financial conflicts of interest and inaccurate fees and expenses charged to investors. Firms should review their policies and procedures and enhance compliance monitoring related to the calculation of fees, expenses and investment valuations.

Investment Fraud

Heightened risk of fraudulent offerings increase during uncertain times. Firms should consider these risks when reviewing investments and determining whether investments are in the best interest of investors. Firms are reminded to contact the SEC to report any potential fraud detected.

Business Continuity

Due to the pandemic, many firms have shifted to remote working. Firms may need to modify or enhance policies and procedures to address the unique risks and conflicts of interest present in prolonged remote operations including securing servers and systems, maintaining the integrity of vacated facilities, relocating infrastructure and providing support for personnel operating from remote sites and protection of data for remote locations. Firms are encouraged to review their continuity plans to address these matters, make changes to compliance policies and procedures and provide disclosures to investors if their operations are materially impacted, as appropriate.

Protection of Investor and Other Sensitive Information

Many firms require employees to use videoconferencing and other electronic means to communicate while working remotely. These practices create vulnerabilities around the potential loss of sensitive information, including personally identifiable information. Firms should review their policies and procedures addressing identity protection practices; cyber related trainings; heightened reviews of personnel access rights and controls; use of validated encryption technologies to protect communications and data stored on all devices (including personal devices); security of remote access servers; system access security (i.e., use of multifactor authentication) and new or additional cyber-related issues related to third parties which may also be operating remotely when accessing firms’ systems.

For further information and examples of best practices provided by the SEC, you can find the entire report here.