On June 28, the Securities and Exchange Commission proposed Rule 206(4)-4, which would formally require SEC-registered advisors to adopt written business continuity plans (BCPs). Currently, the Investment Advisers Act of 1940 does not explicitly require RIAs to adopt BCPs. Rule 206(4)-7 requires RIAs to adopt and implement written policies and procedures reasonably designed to prevent violations of the Advisers Act. In a footnote to a release of Dec. 17, 2003, the SEC explained that advisors’ fiduciary duty includes protecting clients from “risk as a result of the advisor’s inability to provide advisory services after, for example, a natural disaster or, in the case of some smaller firms, the death of the owner or key personnel.”
The SEC’s Office of Compliance Inspections and Examinations reiterated the same concern in an August 2013 Risk Alert that advised that RIAs’ responsibilities to maintain books and records under Rule 204-2 include the requirement to maintain electronic storage media “so as to reasonably safeguard them from loss, alteration or destruction.”
Under proposed Rule 206(4)-4, it would be unlawful for an RIA to provide investment advice if it does not adopt a BCP and review it annually. A proposed amendment to Rule 204-2 would also require RIAs to make and keep copies of BCPs that are in effect or were in effect at any time during the last five years, as well as any records documenting the RIA’s annual review of its BCP.
1. General Requirements. Proposed Rule 206(4)-4 requires the BCP to address business continuity after a significant business disruption, and business transition in the event the RIA is unable to continue providing services to clients (e.g., natural disasters, acts of terrorism, cyberattacks, equipment or system failures, unexpected loss of a service provider, facilities or key personnel). It must also include plans for an RIA to sell its business, a portion of its business or merge with another advisor.
The BCP needs to address maintenance of critical operations and systems, and protection, backup and recovery of data, including client records. The BCP should identify and prioritize critical functions, operations and systems, and consider alternatives and redundancies to continue operations in the event of a significant business disruption.
Additionally, the BCP must include an inventory of key documents, including their location, and a list of service providers necessary to maintain functional operations.
2. Personnel. Under the proposed rule, the BCP should identify personnel who provide critical functions or support critical operations and systems such that the loss of those individuals would disrupt the RIA’s ability to service its clients. The proposed rule also requires the BCP to include a pre-arranged alternate physical location for the RIA’s office and employees, and must address communications with clients, employees, service providers and regulators. An RIA’s communication plan should generally cover the methods, systems, backup systems and protocols that will be used for communications, including how employees will be notified of a disruption and communicate with each other throughout, and who would be responsible for taking on lost team members’ responsibilities.
3. Transition. BCPs adopted under the proposed rule would also need to address the potential winding down or transfer of the RIA’s business to another advisor. Transition components should include: policies and procedures to safeguard, transfer or distribute client assets during transition; policies and procedures facilitating the prompt generation of any client-specific information necessary to transition client accounts; information regarding the corporate governance structure of the RIA; identification of any material financial resources available to the RIA; and an assessment of the applicable law and contractual obligations governing the RIA and its clients, including pooled investment vehicles implicated by the RIA’s transition.
4. Annual Review. The proposed rule would require RIAs to review their BCPs at least once annually, to maintain copies for five years, and to maintain all documentation related to the annual review in accordance with Rule 204-2(e)(1).
— Read Big RIAs May Face Stress Tests on ThinkAdvisor.