Select COVID-19 Compliance Risks and Considerations for Broker-Dealers and Investment Advisers
October 21, 2020 – Insight
In response to the ongoing disruption caused by COVID-19, OCIE issued a Risk Alert on Aug. 12, 2020. In the Risk Alert, OCIE makes various observations and recommendations which fall into six different categories: (1) protection of investors’ assets; (2) supervision of personnel; (3) practices relating to fees, expenses, and financial transactions; (4) investment fraud; (5) business continuity; and (6) the protection of investor and other sensitive information. In the Risk Alert, OCIE discusses these categories and how difficulties such as a remote work environment, market upheaval, and bad actors attempting to take advantage of the situation may affect investment advisers in different ways.
Protection of Investor Assets
In light of the current operating environment, OCIE has observed that some firms have modified their normal operating procedures regarding collecting and processing investor checks and transfer requests. Firms may wish to review their practices and consider disclosing to clients that checks or other documents mailed to the firm office location may experience delays in processing. Also, firms may want to consider revisions to policies and procedures regarding assistance with disbursements, including where investors are taking unusual or unscheduled withdrawals from their accounts. These policy and procedure revisions may include additional steps to validate the identity of a client and distribution instructions, as well as recommending that clients have in place a trusted contact.
Supervision of Personnel
With personnel working from home for extended periods, supervisors likely do not have the same level of oversight of, and interaction with, personnel working remotely. In addition, firms should be cognizant of the heightened risk of fraud, limitations of onsite due diligence and other constraints in reviewing third-party managers. Furthermore, firms should be cognizant of communications occurring outside of a firm’s systems due to a remote work environment.
Fees, Expenses and Financial Transactions
Market volatility and other factors may increase financial pressures on firms, which may increase incentives for misconduct relating to fees and expenses charged to clients. OCIE references possible failures by firms relating to fee calculation errors resulting in overbilling, failures to provide breakpoints and aggregating accounts, and failures to refund prepaid fees for terminated accounts.
Investment Fraud
Due to the various travel, meeting and related restrictions, OCIE is cognizant of increased risk of fraud in conducting due diligence on investments and in determining if investments are suitable for firm clients.
Business Continuity
Due to the move by many firms to remote operations, OCIE recommends firms review compliance policies and procedures to determine if revisions are necessary. In addition, firms should consider reviewing support facilities and remote sites to determine whether: additional resources and/or measures for securing servers and systems are needed; the integrity of vacated services is maintained; and remote location data is protected.
Protection of Investor and Other Sensitive Information
A remote work environment and the use of tools such as video conferencing and other electronic means of communicating may provide enhanced opportunities for the compromise of confidential customer information. OCIE notes the following concerns relating to a remote work environment: the use of personally owned devices; documents printed at remote locations; and increased phishing opportunities. In response to these increased risks, OCIE recommends that firms review their policies and procedures to consider:
- Enhancements to identity theft protection practices;
- Providing additional training to personnel regarding phishing, sharing information while working remotely, encryption and destruction of physical documents;
- Conducting heightened reviews of personnel access rights and controls as personnel may take on expanded responsibilities;
- Utilizing encryption technologies; and
- To the extent available, enhanced system access security, such as dual authentication.