United States: SEC's OCIE Issues Risk Alert On COVID-19 Risks And Considerations For Broker-Dealers And Investment Advisers

Amid the disruption of the last few months, OCIE staff has consulted and coordinated with other divisions and offices at the SEC, and other regulators and industry participants, to identify issues, risks, and practices relevant to Firms in light of COVID-19, including the increased risk of misconduct arising from heightened market volatility. OCIE issued the Alert to share insight garnered from its efforts and to highlight areas where Firms may wish to tighten up or make changes to accommodate the "new normal." In particular, the Alert touches on six areas:

Protection of Investor Assets

Given changes in how Firms are having to deal with collecting and processing investor deposits, withdrawals, and transfer requests, OCIE suggests that Firms review their policies and procedures to make sure they address, for example, validating customer identity and authenticity of disbursement instructions and ensuring customers have a "trusted contact person" named, in particular, with respect to elderly investor customers. In addition, Firms may want to consider notifying customers that there may be delays in processing checks and similar functions until normal operations at the Firm's office(s) resume.

Supervision of Personnel

OCIE encourages Firms to consider how they may need to revise supervisory and compliance policies and procedures to address changes made in response to the coronavirus, such as remote telework arrangements, diminished supervisory oversight of personnel, and managing related operational and technological changes. Likewise, Firms should consider whether their current practices adequately address supervision of recommendations for securities in certain market sectors, such as the health and medical sectors, that are at a higher risk of fraud and/or heightened volatility, and whether they are sufficient to detect and prevent impermissible affiliate transactions, cross-trading, and other trading-related violations.

Fees, Expenses, and Financial Transactions

OCIE notes that the recent market volatility may incentivize Firms and their personnel to make up for lost revenues by engaging in misconduct involving, for example, financial conflicts and fee and expense charges and calculations. OCIE suggests Firms review their policies, procedures, and disclosure documents and determine if their compliance-monitoring efforts require modification to identify and stop or otherwise manage this behavior.

Investment Fraud

The Alert reminds Firms that fraudulent offerings are more frequent during crises and that Firms need to be more aware of the potential risk for such fraud when considering whether investments in various offerings are in the best interest of their clients.

Business Continuity

OCIE urges Firms to review their business-continuity plans to consider issues related to changes in operations as a result of COVID-19. For example, remote working arrangements create supervisory and compliance issues that raise different considerations than in-office work arrangements. The Alert sets forth some of these potential issues and encourages Firms to modify their policies and procedures as needed and, if necessary, to disclose material operational impacts to investors.

Protection of Sensitive Information

In many cases, Firms have changed their methods of communicating with Firm personnel and investors by, for example, using video conferencing or other online options as the primary communications tool. OCIE believes these other communication methods may create vulnerabilities with respect to protection of investor information, including personally identifiable information. In the Alert, OCIE suggests a number of factors for Firms to consider when reviewing their policies and procedures to address risks associated with access to systems, investor data protection, and cybersecurity. Enhancements to current systems and processes-such as limiting personnel access rights to confidential information in Firm systems, requiring multifactor authentication for systems access, providing additional systems-related training, and adopting encryption technology-should be implemented promptly as necessary.