On June 28, 2016, the U.S. Securities and Exchange Commission (the "SEC") proposed new Rule 206(4)-4 (the "Rule") under the Investment Advisers Act of 1940 (the "Advisers Act") that would require an investment adviser registered with the SEC ("RIA") to, among other things: (i) adopt and implement business continuity and transition plans; (ii) conduct an annual review of those plans; and (iii) comply with corresponding recordkeeping requirements.1 Comments on the Rule are due on or before September 6, 2016.

Underlying the Rule is the SEC's view that an RIA's fiduciary duty obligates it to take steps to protect its clients' interests from the potential ramifications of the RIA's temporary or permanent inability to provide advisory services. In proposing the Rule, the SEC sought to protect clients of an RIA from the effects of temporary or permanent operational risks to the RIA such as natural disasters, cyber-attacks, acts of terrorism, technology failures and the departure of key personnel. The Rule also seeks to protect clients from operational risks associated with events such as a sale, asset transfer or wind-down of the RIA's operations. The SEC has acknowledged that the scope of an RIA's policies and procedures under the Rule will depend on the size and nature of an RIA's business; the Rule nonetheless establishes a set of specific elements that need to be included in an RIA's business continuity and transition plan. In setting out greater specificity for policies and procedures covering business continuity and transition plans, the SEC appears to have concluded that the requirements of Rule 206(4)-7 under the Advisers Act are not sufficient with respect to those plans.2 In this regard, the SEC noted the observations of its examination staff that existing plans undertaken in accordance with Rule 206(4)-7 are "uneven and, in some instances, may not be sufficiently robust to mitigate the potential adverse effects of a significant business disruption on clients."3

At the same time that the SEC proposed the Rule, the SEC staff published guidance related to business continuity considerations for investment companies registered under the Investment Company Act of 1940 (the "1940 Act") indicating that registered investment company complexes should evaluate their response to significant business disruptions affecting both internal operations and critical third-party service providers.4 According to the guidance, an investment company's ability to continue operations during a business continuity event should be considered part of the company's compliance obligations under 1940 Act Rule 38a-1.

Business Continuity and Transition Plans Under the Rule

Under the Rule, an RIA's business continuity and transition plan would need to include policies and procedures concerning: (i) business continuity after a significant business disruption; and (ii) business transition in the event that the RIA is unable to continue providing investment advisory services to its clients. The content of a business continuity and transition plan is to be based on the risks associated with the RIA's operations and must include policies and procedures designed to minimize material service disruptions, including policies and procedures that address the following:

  • Maintenance of critical operations and systems, and the protection, backup and recovery of data
    In its discussion of the Rule, the SEC said that in determining which operations and systems are critical, an RIA should consider those that are utilized for prompt and accurate processing of portfolio securities transactions on behalf of clients (including the management, trading, allocation, clearance and settlement of such transactions), as well as those operations and systems that are material to the valuation and maintenance of clients' accounts, access to clients' accounts and the delivery of funds and securities. An RIA should also identify key personnel whose temporary or permanent loss would disrupt the RIA's ability to provide services to its clients.

    According to the SEC, an RIA's plan with respect to data protection, backup and recovery should address both hard copy and electronic backup, focusing, in particular, on risks related to cyber-attacks.5 Moreover, an RIA should prepare an inventory of key documents, including the location and description of the documents, and a list of the RIA's service providers that are necessary to maintain functional operations.
  • Pre-arranged alternate physical locations of the RIA's offices and/or employees
    According to the SEC, an RIA should consider the geographic diversity of its offices or remote sites and employees, as well as access to the systems, technology and resources necessary to continue operations at different locations in the event of a disruption.
  • Communications with clients, employees, service providers and regulators
    The SEC is of the view that an RIA's communication plan should generally cover, among other things: (i) the methods, systems, backup systems and protocols that will be used for communications; (ii) the way in which employees are informed of a significant business disruption; (iii) the way in which employees should communicate during such a disruption; (iv) contingency arrangements communicating the persons who would be responsible for taking on other responsibilities in the event of loss of key personnel; and (v) employee training.

    The SEC added that an RIA should also consider when and how it is in its clients' best interests to be informed of a significant business disruption and/or its effect, how service providers will be notified of a significant business disruption at the RIA and vice versa, and under what circumstances regulators will be notified.
  • Identification and assessment of third-party services critical to the operation of the RIA
    In elaborating on this element of the Rule, the SEC noted that an RIA should identify critical functions and services provided by the RIA to its clients, and third-party vendors supporting or conducting critical functions or services for the RIA and/or on the RIA's behalf. The SEC went on to say that, in determining which service providers should be deemed critical, an RIA should consider, among other things, the day-to-day operational reliance on the service provider and the existence of a backup process or multiple providers, whether or not the service provided includes direct contact with clients or investors and whether the service provider is maintaining critical records or is able to access personally identifiable information. Once an RIA identifies its critical service providers, it should review and assess how these service providers plan to maintain business continuity when faced with significant business disruptions and consider how this planning will affect the RIA's operations.6
  • Transition plan
    Under the Rule, an RIA's business continuity and transition plan would need to include a specific plan of transition that accounts for the possible winding-down of the RIA's business or the transition of the RIA's business to others in the event that the RIA is unable to continue providing advisory services. The SEC's view is that an RIA's plan of transition should include: (i) policies and procedures intended to safeguard, transfer and/or distribute its clients' assets during transition; (ii) policies and procedures facilitating the prompt generation of any client-specific information necessary to transition each client account; (iii) information regarding the corporate governance structure of the RIA; (iv) the identification of any material financial resources available to the RIA; and (v) an assessment of the applicable law and contractual obligations governing the RIA and its clients, including pooled investment vehicles, implicated by the RIA's transition.

According to the SEC, the degree to which an RIA's business continuity and transition plan addresses a required component under the Rule will depend upon the nature of the RIA's business, consistent with its fiduciary duty to protect its clients' interests from risks of business disruption generally. In that regard, the SEC noted that business continuity and transition plans must address all components set out in the Rule, but that plans need only take into account the risks associated with an RIA's operations, including the nature and complexity of its business, clients and key personnel.

Public Comment

The SEC has requested public comment on a number of aspects of the Rule, including, among others:

  • whether all RIAs should be subject to the Rule or only a subset of RIAs, such as an RIA with assets under management over a specific threshold;
  • whether the SEC staff should, as an alternative to the Rule, issue guidance under Advisers Act Rule 206(4)-7 addressing business continuity and transition plans;
  • whether the SEC should, instead of mandating the components of business continuity plans of RIAs, enable each RIA to determine those components;
  • whether the SEC should adopt a more prescriptive rule that resembles "Living Wills" required by the Federal Reserve Board and the Federal Deposit Insurance Corporation for large banks and systemically important non-bank entities; and
  • whether an RIA's business continuity plan should be provided to its clients, disclosed in a summary format or not be disclosed at all.

Implications for RIAs

The obligation to address business continuity considerations is not a new requirement for RIAs. Nonetheless, the Rule, if adopted in its current form, could have significant consequences. Five potential consequences are of particular note.

Potential Liability

The SEC, in proposing the Rule, noted clearly that it "would be fraudulent and deceptive [within the meaning of Section 206, the Act's antifraud provision] for an [RIA] to hold itself out as providing advisory services unless it has taken steps to protect clients' interests from being placed at risk as a result of the [RIA]'s inability (whether temporary or permanent) to provide those services."7 Thus, the Rule contemplates the possibility, among other things, that an RIA following a business continuity plan, but experiencing service disruptions following, for example, a natural disaster or other unforeseen event, could face liability for fraud under Section 206 of the Advisers Act.8

Need to Consolidate Business Continuity Requirements

The SEC has recognized that certain RIAs are "subject to other regulatory requirements as to business continuity and/or transition planning."9 The SEC, in proposing the Rule, cited in particular the business continuity rules that are already mandated by FINRA10 and the CFTC,11 as well as model rules promulgated by the North American Securities Administrators Association.12 An RIA should consider consolidating all of those applicable requirements into a comprehensive plan in seeking to ensure that its business continuity plan works effectively and efficiently and meets all applicable requirements.

Disclosure

Historically, an RIA has often addressed the potential consequences of natural disasters and other unexpected service disruptions by engaging in prior planning and providing disclosures to its clients about such risks. An RIA should, when determining how to meet the Rule's terms and conditions, consider not only additional planning steps, but also the potential need for enhanced disclosures to its clients. An RIA might, for example, choose to include disclosure to its clients to the effect that despite its best efforts, business continuity and transition planning efforts cannot guarantee that all service disruptions will be prevented.

The Rule's Applicability to Different Types of RIAs

Requiring an RIA to develop and maintain transition plans marks a new obligation under SEC regulations. Under the Rule, an RIA's plan of transition would need to account for the possible winding-down of the RIA's business or the transition of the RIA's business to another RIA.13 The type of transition policy that is appropriate for an RIA will vary based on the size and nature of each RIA's business. The Rule, as proposed, would be applicable to RIAs of all sizes. When proposing the Rule, the SEC highlighted the potential ramifications of an RIA's dissolution on broader market conditions,14 suggesting that the primary focus for the transition plan requirement is an RIA with significant levels of assets under management, the dissolution of which could affect financial markets if handled unskillfully. Making clear, however, that the Rule is not limited to larger advisers, the SEC noted the importance of an RIA attending to individual (retail) clients in connection with transitions and winding-down of its affairs.

The Rule would appear to have special consequences for an RIA managing private funds not registered under the 1940 Act. The Rule would by its terms require an RIA's transition plans to include an assessment of contractual obligations governing the RIA and its clients. This requirement would seem to implicate, among other things, contractual provisions of private funds involving key persons and the removal or replacement of the general partner, which have typically been addressed through negotiated arrangements with limited partner investors. The SEC noted that an RIA will need to "consider the unique attributes of each type of the [RIA's] clients"15 and will need to analyze the types of assets that are held in each client's account16 with respect to the merger or acquisition of an RIA.

Economic Effects

The Rule requires an RIA to analyze third-party service providers' plans to maintain business continuity in the face of a significant business disruption and to review all contractual obligations and clients' attributes to prepare for a transition. Meeting this requirement could result in additional costs for RIAs. The SEC has said that an RIA should "generally consider [in connection with the Rule's requirements] alternatives for such critical services, which may include other service providers or internal functions or processes that can serve as a backup or contingency for such critical services."17 The SEC acknowledged that it may be costly for an RIA to establish backup relationships with multiple third-party service providers. In the SEC's view, however, those costs are outweighed by the need for an RIA "to address how [the RIA] will manage the loss of a critical service."18 The SEC has recognized that RIAs would likely not be in a position to absorb all the costs resulting from the Rule and that the Rule, if implemented as proposed, may result in RIAs passing these costs to clients and fund investors through higher fees.

Comments on the Rule

The unanimous approval of the Rule by the SEC's commissioners, together with the previous initiatives by the SEC and other federal regulators relating to systemic risk initiatives, illustrates that business continuity and transition plans will continue to be a focal point for regulators. For that reason RIAs may wish to comment on the Rule.

Footnotes

1 See Adviser Business Continuity and Transition Plans, Advisers Act Release No. 4439 (Jun. 28, 2016) available here.

2 Id. (SEC stating in this regard that in adopting Rule 206(4)-7 it did not "define, and prescribe means reasonably designed to prevent, such acts, practices and courses of business as are fraudulent, deceptive, or manipulative.").

3 Id.

4 See Business Continuity Planning for Registered Investment Companies, SEC Division of Investment Management, IM Guidance Update No. 2016-04 (June 2016) available here.

5 See also Cybersecurity Guidance, SEC Division of Investment Management, IM Guidance Update No. 2015-02 (April 2015) (stating that an RIA should create a strategy that is designed to prevent, detect and respond to cybersecurity threats including, among others, controlling access to various systems and data; data encryption; and data backup and retrieval) available here; National Exam Program Examination Priorities for 2016, SEC Office of Compliance Inspections and Examinations (2016) (identifying cybersecurity and regulation systems compliance and integrity as examination priorities).

6 Id. (noting that RIAs "should consider assessing whether protective cybersecurity measures are in place at relevant service provider" since RIAs rely on service providers to carry out their own operations).

7 Adviser Business Continuity and Transition Plans, supra note 1 (asserting that advanced "planning and preparation may minimize an [RIA]'s exposure to operational and other risks and, therefore, lessen the possibility of a significant disruption in its operations, and also may lessen any potential impact on the broader financial markets.").

8 Id.

9 Id. (inquiring whether the Rule would "be inconsistent with an [RIA's] obligations under other regulatory regimes.").

10 See Business Continuity Plans and Emergency Contact Information, FINRA Rule 4370 (as amended on Feb. 12, 2015) (requiring that broker-dealers' business continuity plans address certain elements, including data backup and recovery, all mission critical systems, alternate communications, alternate physical location of employees, and critical business constituents) available here.

11 See Business Continuity and Disaster Recovery, 17 CFR Part 23.603(a) (requiring swap dealers and major swap participants to establish and maintain business continuity plans that address data backup, systems maintenance, communications, geographic diversity, and third parties).

12 See NASAA Model Rule 203(a)(1)-1A (requiring state-registered advisers to have continuity and succession plans to minimize "service disruptions and client harm that could result from a sudden significant business disruption.").

13 Adviser Business Continuity and Transition Plans, supra note 1 (noting that RIAs "facing the decision to exit the market commonly do so by: (1) selling the [RIA] or substantially all of the assets and liabilities of the [RIA], including the existing advisory contracts with its clients, to a new owner; (2) selling certain business lines or operations to another [RIA]; or (3) the orderly liquidation of fund clients or termination of separately managed account relationships.").

14 Id. (providing that an RIA's insolvency or termination could have far-reaching consequences such as triggering a termination clause in a client's derivative contract or requiring regulators in multiple jurisdictions to approve certain acts such as the assignment of an advisory contract).

15 Id. (identifying the complexities associated with transferring client information of multiple clients with respect to registered investment companies and private funds compared to transferring client information of a single client with respect to separately managed accounts).

16 Id. (observing that "when transitioning accounts from one [RIA] to another, derivatives positions require special treatment in that they are typically unwound rather than transferred to the new [RIA] and that the terms of the derivatives instrument may dictate whether and how such unwinding takes place.").

17 Id.

18 Id. (noting that "it may not be feasible or may be cost prohibitive for an [RIA] to retain backup service providers, vendors, and/or systems for all critical services.")
