- lack of geographically diverse office locations;
- lack of oversight of service providers;
- inconsistent planning around communications; and
- inadequate testing of business continuity plans.
Due to the variety of practices and the lack of robust business continuity planning the SEC staff observed, the SEC proposed Rule 206(4)-4 to formally require business continuity and transition plans, including certain specified components.
Proposed Rule 206(4)-4 would prohibit an RIA from providing investment advice unless it has adopted and implemented a written business continuity transition plan that the adviser must review at least annually. The amendments to Rule 204-2, which governs RIA recordkeeping requirements, would require RIAs to maintain copies of all written business continuity and transition plans currently in effect or in effect at any time during the previous five years, as well as records documenting the adviser’s annual review of its business continuity and transition plans. As part of their annual review, RIAs should conduct and document appropriate testing of the plans.
- maintenance of critical operations and systems, as well as the protection, backup and recovery of data;
- alternate physical office locations;
- communication plans for clients, employees, vendors and regulators;
- assessment of critical third-party service providers; and
- transition of the RIA’s business when the RIA winds down or is unable to continue to provide advisory services.
In addition to traditional business continuity concerns relating to natural disasters and other physical business interruptions, the proposed rule and rule amendments would require RIAs to have the difficult conversations related to transitions, such as retirement or loss of key personnel, bankruptcy, acquisition or the impact of financial stress at affiliated firms. The proposals also support the efforts of legal and compliance professionals who seek to engage with senior management regarding the documentation of transition plans.
- policies and procedures related to the safeguarding, transfer and/or distribution of client assets during transitions;
- an inventory of key documents, such as organizational documents, contracts, policies and procedures, including the location of such documents;
- details regarding the RIA’s management structure, risk management processes and financial and regulatory reporting requirements;
- material financial resources available to the RIA;
- policies and procedures relating to the prompt production of client specific information in order to transition client accounts; and
- an assessment of the applicable legal and contractual issues related to a transition.
The proposed rule will remain open for comment for 60 days after publication in the Federal Register. Notably, the SEC has asked for comments on several significant issues, including whether:
- all RIAs, or just a subset, should be required to adopt and implement business continuity and transition plans;
- plans should be required pursuant to guidance with respect to RIAs’ general compliance obligations under Rule 206(4)-7 rather than in a separate rule;
- all components of a business continuity and transition plan should be prescribed by rule;
- definitions of the required components should be specified (e.g., what kind of business disruption is deemed “significant” or renders the RIA “unable to continue providing investment advisory services,” or what constitutes sufficient distance between an RIA’s primary and backup locations); and
- advisers should be required to report business continuity and transition incidents to the SEC.
- periodically evaluate each service provider’s own business continuity plan (and assess backup processes and redundancies);
- consider how the business continuity plans of critical service providers may relate to one another in the context of each investment company’s needs and obligations; and
- understand critical service providers’ cyber-preparedness and monitor their providers for cybersecurity breaches or other disruptions that may affect the operations of the fund complex.
1 “Adviser Business Continuity and Transition Plans,” Advisers Act Release No. 4439 (June 28, 2016) (the Release), available at: https://www.sec.gov/rules/proposed/2016/ia-4439.pdf.
2 Although the proposals address requirements only for RIAs, all investment advisers, including those exempt from registration, are subject to the Advisers Act anti-fraud provisions and therefore should consider the staff’s guidance when designing and implementing business continuity and transition plans as a matter of best practice and fiduciary duty.
3 In the 2003 release adopting Rule 206(4)-7 under the Advisers Act, the SEC staff identified ten areas adviser compliance programs should address, including business continuity. “Final Rule: Compliance Programs of Investment Companies and Investment Advisers,” Advisers Act Release No. 2204 (December 17, 2003) (the Compliance Program Release), available at: https://www.sec.gov/rules/final/ia-2204.htm.
4 The Compliance Program Release referred to risks associated with an adviser ceasing operations.
5 “NEP Risk Alert: SEC Examinations of Business Continuity Plans of Certain Advisers Following Operational Disruptions Caused by Weather-Related Events Last Year” (August 27, 2013), available at https://www.sec.gov/about/offices/ocie/business-continuity-plans-risk-alert.pdf.
6 Required by Advisers Act Section 205(a)(2).
7 “IM Guidance Update: Business Continuity Planning for Registered Investment Companies” (June 2016), available at: https://www.sec.gov/investment/im-guidance-2016-04.pdf.
If you have any questions regarding this Sidley Update, please contact the Sidley lawyer with whom you usually work, or
|Laurin Blumenthal Kleiman
+1 212 839 5525
|Jonathan B. Miller
+1 212 839 5385
To receive Sidley Updates, please subscribe at www.sidley.com/subscribe.
Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.