The Securities & Exchange Commission recently issued a Risk Alert to share some of the observations that the Office of Compliance Inspections & Examinations (OCIE) has made during the COVID-19 pandemic. The observations fell into six broad categories:
- Protection of investors’ assets
- Supervision of personnel
- Practices relating to fees, expenses and financial transactions
- Investment fraud
- Business continuity
- Protection of investor and other sensitive information
Protection of Investors’ Assets
With many offices altering their in-office schedules and working from remote locations, OCIE has seen instances where client checks mailed to the physical office have been delayed in processing. OCIE encourages firms to review current practices and make adjustments, where necessary, when it is apparent that check processing times are delayed. Firms may need to modify their supervisory procedures to reflect the potential delays in processing, as well as review their Business Continuity Plans and incorporate new procedures to minimize the overall impact on clients. Firms may also want to consider notifying clients of potential delays should it be necessary to work remotely for extended periods of time.
OCIE also advises firms to take extra care when clients are requesting funds from their accounts, including retirement accounts. Firms should consider additional validation steps to confirm the client's identity and the authenticity of the disbursement request. It's also a good idea to verify the bank/account number if a wiring instruction is given.
Finally, OCIE recommends that clients identify, in writing, a Trusted Contact, especially in the case of senior investors and others that may be deemed “vulnerable” to scams. FINRA, as some of you know, implemented the Trusted Contact Person Rule a few years ago and it has been met with widespread approval from the industry. You can read more about the Rule here.
Supervision of Personnel
Supervision of your firm’s personnel is one of the most important obligations you have in protecting investors. OCIE again recommends that firms review their policies and procedures and make necessary adjustments to account for the business and operational circumstances caused by COVID-19. This includes factors such as “not having the same level of oversight and interaction” with supervised personnel, and increased market volatility. Additionally, firms need to be cognizant of the increased risk that an associated person may communicate or transact business outside the firm’s network from their remote locations and/or personal devices.
Fees, Expenses and Financial Transactions
Fees and their disclosure to clients are always of paramount concern to OCIE, and the Risk Alert highlights areas where OCIE has seen rogue advisers, for example, overcharge clients on their quarterly/monthly fees or fail to refund unearned fees when a client terminates the advisory relationship.
OCIE recommends that firms validate the accuracy of their disclosures and fee calculations and the market valuations used to calculate those fees. Additionally, in challenging economic times, firms should carefully look for signs that one of their representatives is borrowing money from or loaning money to clients.
Finally, if your firm has sought and received financial assistance during these economic times, it may be necessary to disclose such assistance in the firm’s ADV Part 2.
Investment Fraud
The OCIE staff has seen an increase in the instances of fraudulent offerings. Firms should do their due diligence on offerings made available to their clients and report any suspected cases of fraud to the SEC.
Business Continuity
Firms must have written supervisory procedures to detect and prevent violations of federal securities laws. Within the scope of these procedures, firms should have a Business Continuity Plan (BCP) that facilitates the continuation of normal operations during crisis situations. Clearly, the COVID-19 pandemic is one of those situations and firms should review their BCP to ensure that it covers not only pandemics but also addresses some of the unique risks that are presented by working remotely.
It is also a good time to test your offsite security and support facilities and make modifications to your BCP, as necessary.
Protection of Sensitive Information
OCIE has seen instances where the client’s Personally Identifiable Information (“PII”) is potentially compromised during COVID-19. With employees working remotely, it is necessary to access firm networks from remote locations that don’t have secure networks. Further, PII can be compromised when employees don’t securely dispose of printed account/client information at their remote location after this information is no longer needed. Phishing scams have also become more prevalent with the increase in teleworking.
Firms should have Cybersecurity Policies in place that address these risks and the mitigation process. Review these policies and determine if there are areas that present a high risk of PII being accessed without authorization. Work with your IT consultant to upgrade your existing technology with better encryption. Make sure updated patches to secured networks are in place and consider use of multi-factor authentication.