By Stephen Wilkes, Kimberly Shaw Elliot and Seth Gaudreau
In uncertain times like these where the novel coronavirus or COVID-19 seems to be impacting everything, broker-dealers, investment advisory firms, and the recordkeepers that deal with retirement plan assets are well advised to review their business continuity planning. This should include considering whether their business continuity and disaster recovery plans (“BCPs”) are sufficiently flexible to address a wide range of possible effects of the pandemic in the United States and overseas, if applicable. These firms need to pay close attention to guidance from the regulators and focus on how their BCPs address these concerns. Although specific guidance may not apply directly to a specific line of business, taking a holistic approach can provide firms with an overall view of how the regulators want the entire industry to approach this pandemic.
The Department of Homeland Security’s Cybersecurity and Infrastructure Agency (“CISA”) issued guidance identifying financial services workers as essential to continued infrastructure viability during this tumultuous time.1 Governors of various states are in accord, deeming financial services workers essential service providers.
Recordkeepers holding retirement plan assets, therefore, remain open for business. Processing that business places unfathomable strain on BCPs and creates new challenges for compliant operations. U.S. Securities and Exchange Commission (“SEC”) Chairman, Jay Clayton, recently reflected on this and the role of regulators, saying:
[T]he Commission has focused its resources on the continued orderly functioning of our securities markets—equities, fixed income securities, funds and other products—consistent with evolving health and safety directives. These efforts have centered on the continued operation of physical infrastructure, including information technology systems, and, predominantly from remote locations, continued human engagement, all the while keeping health and safety as the primary concern.2
I. Current Action Items for Service Providers
We are receiving many operational questions from our financial service clients. Broker-dealers, recordkeepers, and advisors must deal with many immediate issues, such as participant distribution matters. For example, they should be considering the following right now:
- Amend plans (and distribute Summary of Material Modifications) to allow for the $100,000 emergency hardship withdrawal. Given the challenges to document execution and obtaining signatures, the negative election process should be considered where available for voluntary submitter plans, prototype plans, and individually designed plans.
- Call centers must be properly trained and ready to discuss loans, in-service withdrawals, COVID withdrawals, and the consequences of each. Supervision must be in place to avoid crossing over from “education” to “investment advice”; in other words, there must be proper administrative support for securities recommendations.
- Determine how this information will get out to participants and beneficiaries, particularly those without regular Internet access.
- Use this as an opportunity when amending plan documents to simplify loan and hardship distribution provisions.
- Use this as an opportunity to self-assess and review the overall recordkeeping agreement and implement modifications generally.
We are also fielding questions about offshore call centers. Recordkeepers must adjust to the closing of offshore call centers, as well as the potential closure of essential domestic locations, if a significant number of employees are required to quarantine or become ill with the virus. Firms should be considering:
- Migrating overseas call center functions to the United States immediately, without violating the terms of existent overseas contracts and offshore jurisdictional employment laws.
- As domestic call center infrastructure is expanded, careful consideration must be given to the securities licensing structure. The function of each call center employee may require investment adviser representative and/or registered representative qualification and registration where investment advice or effecting a securities transaction is a component of the employee’s job responsibility.
- The urgency of call center expansion will require a review and implementation of up-to-date supervisory and training procedures over the call center operation.
- Some may consider leveraging a third party broker-dealer firm with capacity to provide call center services, through an outsourcing or some form of shared services agreement.
II. Business Continuity Plans
Well-thought-out BCPs can help firms stabilize their operations and cope with this dramatic change of circumstances. Firms must review and follow (and modify as necessary) their BCPs. Firms should ensure that they continue to follow their standard diligence process for investments (and document compliance), even if doing so may be more challenging due to employees working remotely. Firms should also confirm that all of their operations (e.g., investing, trading, investor relations, compliance, required recordkeeping) are functioning as anticipated under their BCPs, even if such functions are occurring remotely. During and after past crises, the SEC’s Office of Compliance Inspections and Examinations, FINRA, and the CFTC have jointly and separately reviewed the BCPs of firms, especially in the event of a problem experienced during the crisis. As part of their BCPs, firms should also be paying close attention to all regulatory guidance that affects their overall operations.
III. Specific Pointers
- At this point firms should have checked their BCPs to see if they expressly address pandemics or similar health issues. BCPs should include a bullet list of foreseeable risks they are designed to address, or a list of objectives that may include providing for the safety of personnel and the protection of critical data. For BCPs that do not specifically mention them already, now is the time to add procedures for pandemics, epidemics, outbreaks, and similar health-related issues reasonably likely to impact operations.
- As part of the BCPs, firm compliance personnel need to make sure they have current contact information for all staff (including emergency contact information) and service providers. Firms need to be able to quickly adapt and ensure that communications with employees, clients, and investors are accurate and complete.
- Firms need to monitor cloud-based systems to reduce the risk of inadequate security around mobile device management, cybersecurity, data flow, multiple wireless connections, and more.
- Firms need to remind all employees that bad actors will take advantage of this outbreak and that appropriate verifications must be made before clicking on links, sending documents and, of course, transferring funds or securities.
- Firms need to review all contracts, paying particular attention to the termination, indemnification, default, and force majeure provisions to have a complete understanding of what can happen if your firm or a counterparty cannot perform due to the current crisis.
- Although there does not appear to be a clear time frame, firms should be prepared to operate under these conditions for at least the next 3–6 months.
IV. Responses from Regulators
1. SEC Guidance
Although investment advisers are not subject to an express business continuity rule under the Investment Advisers Act of 1940 (the “Advisers Act”), business continuity plans are an integral part of an investment adviser’s fiduciary duty to clients. The SEC has been clear that, in furtherance of this fiduciary obligation, it expects an adviser to have developed a business continuity plan as part of its policies and procedures.3 The SEC is monitoring how companies are reporting the effects and risks of COVID-19 on their businesses, financial condition, and operations and is providing guidance of the staff’s current views on an ongoing basis during the pandemic. In its most recent guidance, on March 25, 2020, Topic No. 9: Coronavirus (COVID-19), the SEC’s Division of Corporation Finance addressed disclosures and other securities law obligations that companies and financial industry actors should consider with respect to the effects of COVID-19.
The SEC stated that “[a]ssessing the evolving effects of COVID-19 and related risks will be a facts and circumstances analysis,” and to assist companies it provided an illustrative, but not exhaustive, list of questions to consider. With regard to BCPs, the SEC offered the following questions:
- Have COVID-19-related circumstances, such as remote work arrangements, adversely affected your ability to maintain operations, including financial reporting systems, internal control over financial reporting, and disclosure controls and procedures? If so, what changes in your controls have occurred during the current period that materially affect, or are reasonably likely to materially affect, your internal control over financial reporting? What challenges do you anticipate in your ability to maintain these systems and controls?
- Have you experienced challenges in implementing your business continuity plans, or do you foresee requiring material expenditures to do so? Do you face any material resource constraints in implementing these plans?
- Will your operations be materially impacted by any constraints or other impacts on your human capital resources and productivity?
Over the past couple of months, the SEC has been issuing guidance and temporary relief from various filing requirements; however, a general theme is that the SEC will need to see the process that firms used to follow the guidance and how they documented that it was necessary or appropriate for the firm to claim reliance on the relief.
The SEC has created SEC Coronavirus (COVID-19) Response, a dedicated section on its Website that addresses SEC guidance during the pandemic.
2. FINRA Guidance
Many of the activities undertaken during this crisis put firms’ systems security to the test and challenge the protection of customer information. FINRA has already noted that, “The risk of cyber events may be increased due to use of remote offices or telework arrangements. [I]t is important that member firms remain vigilant in their surveillance against cyber threats and take steps to reduce the risk of cyber events.”4 Valuable, general guidance about cybersecurity is included in FINRA’s release. For small firms that are now rethinking their cybersecurity programs, FINRA has previously released its Cybersecurity Checklist, which still provides relevant guidance.5
There is no blanket relief to a firm’s duty to supervise. In FINRA Regulatory Notice 20-08, Pandemic-Related Business Continuity Planning, Guidance and Regulatory Relief (Mar. 9, 2020), FINRA addressed the supervisory obligations of member firms who are now faced with unprecedented operational and personal disruptions. It offers some regulatory relief and identifies areas of concern that firms may face as a result of COVID-19. It does not otherwise modify or expand FINRA’s current Business Continuity Rule (Rule 4370).
FINRA maintains a dedicated COVID-19/Coronavirus section on its Website, which contains its recent guidance, including updated FAQs to address the guidance discussed in FINRA Notice 20-08, which can be found at Frequently Asked Questions Related to Regulatory Relief Due to the Coronavirus Pandemic.
Here is a summary of FINRA’s guidance relating to BCPs, as well as our observations, much of which may be equally relevant to advisory firms:
- Telework Arrangements. Member firms using remote offices or telework arrangements must be sure to establish and maintain a supervisory system that is reasonably designed to supervise the activities of each associated person while working from an alternative or remote location.
Our observations
Virtual Meetings. As remote workers collaborate through virtual meetings, are they protecting customer privacy? Is customer information being discussed during calls or presented on-screen? How do you account for all attendees, and do they have the right to receive the information? Who can view PowerPoints or other online material? Can it be downloaded?
Home equipment. Are remote workers using a network that can be accessed by others? Is confidential information being left on home printers? How is trash, which may include confidential client information, being held? How is it being discarded? Are client lists safeguarded?
Electronic Signatures. Do your contracts provide for electronic delivery of documents and for electronic signatures? This can be a great benefit when business cannot be conducted in person. If your contracts provide for E-signatures, are they being processed over compliant systems?
- Cybersecurity. Risk of cybersecurity events may increase during a pandemic due to the use of remote offices or telework arrangements, heightened anxiety among associated persons and confusion about the virus. In order to address this increased risk, FINRA recommends: (1) ensuring that virtual private networks and other remote access systems are properly patched with available security updates; (2) checking that system entitlements are current; (3) employing the use of multi-factor authentication for those employees who access systems remotely; and (4) reminding associated persons of the cyber risks through education that promotes heightened vigilance.
Our Observations
Increased Security Risks. As home office and branch locations are closed, who is collecting the mail? Are checks being found and timely deposited? Are checks being sent to advisors’ homes? How are requests for distributions being processed?
- Communicating With Customers. FINRA is also advising firms to expect an increase in customer call volumes and online account usage during a pandemic and to therefore plan accordingly. Specifically, FINRA urges member firms to review their BCPs regarding communicating with customers and ensuring that customers have access to funds and securities. For member firms with registered representatives who are unavailable to service their clients, the member firm should place a notice on its Website notifying those customers who they may contact concerning the execution of trades, their accounts, and access to funds or securities.
Call Volumes. Call centers are built for anticipated call volumes and are largely staffed with associates working from centralized, brick-and-mortar locations.
With market volatility, broker-dealers are receiving record numbers of calls from their clients and their representatives. This explosive volume must be handled just as workers are sent home to work remotely. Is your firm staffed for this?
Many firms have redeployed workers from other departments to staff the customer service lines. Despite the disruption to other functions, this redeployment provides valuable training by giving employees front-line insight to the concerns of their customers. Others may have prearranged to outsource some services, whether domestically or offshore.
Regardless of how the worker is sourced, careful consideration must be given to whether each associate is properly licensed for any duties assigned to him or her. You may be reminded of basic credentials by visiting FINRA’s registration requirements at its Individual Registration page, and its Qualification Exams page.
Advertising Reviews. Good advisors do not hide from bad news and are available to their clients when needed. Are your advisors sending alerts to customers now? Have those alerts been reviewed and approved by Compliance? Can you capture and maintain a record of the advertising? Are the messages being sent to customers consistent with the firm’s carefully crafted messaging?
- Communicating With FINRA. Firms are required to provide FINRA with emergency contact information pursuant to Rule 4370. Member firms should review their emergency contacts to ensure that FINRA has a reliable means of contacting each member. If a member firm or another person cannot contact FINRA via its usual contact due to a pandemic or other significant business disruption, they should call FINRA’s Call Center at (301) 590-6500.
- Regulatory Filings and Responses to FINRA Inquiries, Matters, and Investigations. In the event of a pandemic, member firms may face challenges making timely regulatory filings (e.g., FOCUS filings, Form Custody filings, and supplemental FOCUS information pursuant to FINRA Rule 4524 (Supplemental FOCUS Information)) and responding to regulatory inquiries or investigations. FINRA is telling member firms that require extra time to respond to open inquiries, investigations, or upcoming filings to contact their risk monitoring analysts or the relevant FINRA department to seek extensions. FINRA may waive any late fees incurred by a member firm based on the member firm’s particular circumstance. In addition, if any data communications are disrupted, member firms should retain the relevant data until it can be transmitted to FINRA.
Our Observations
FOCUS Filings and Reduced Revenue. Most firms, whether brokerage firms or advisory firms, can expect reduced revenue during the market downturn. For fee-based advisory business, some fees are not deducted from plan assets, but are paid directly by the plan sponsors. If your firm has direct-billed fee arrangements, can the employer now afford the fees? How will your business survive on reduced revenue, caused by the double-hit of the effect of the market decline on asset-based fees as well as the inability of some companies to pay fees directly?
Customer Complaints. Market declines are always followed by customer complaints, regardless of the cause. We are told that broker-dealers are already receiving record numbers of complaints. Who is reviewing them? Are all of these complaints being properly reported? Are standard firm practices being followed about evaluating and responding to those complaints? What impact may this have on the firm’s capital requirements? Is adequate errors and omissions insurance in place?
- Qualification Examinations and Regulatory Element Continuing Education. Any affected person who has a qualifications examination or continuing education window that is due to expire is encouraged to contact FINRA regarding an extension. Please contact FINRA’s Call Center at (301) 590-6500 with any questions, or if you require additional information.
- Military Personnel and National Guard. The declaration of an emergency in a specified area due to COVID-19 may result in some persons volunteering or being called into active military duty. FINRA Rule 1210 (Registration Requirements) provides specific relief to persons registered with FINRA who volunteer or are called into active military duty. For information on providing the required notification to FINRA, visit FINRA’s Active Military Leave Guidance Webpage.
- Form U4/Form BR and Office Relocations. FINRA has temporarily suspended the requirement to maintain an updated Form U4 regarding office employment address for registered employees who temporarily relocate because of COVID-19. Further, FINRA also suspended the requirement for member firms to submit branch office applications on Form BR for any newly opened temporary office locations or space-sharing arrangements established as a result of recent events.
FINRA is also requiring member firms to use “best efforts” to provide written notification to its FINRA Risk Monitoring Analyst as soon as possible after establishing a new temporary office or space-sharing arrangement.
V. Conclusion
Most relief provisions issued to date are limited to very specific circumstances and do not yet excuse fundamental compliance practices. While the situations we currently face are new experiences, the basic framework to respond to these challenges remains unchanged. Sound compliance practices require ongoing vigilance, continued monitoring of regulatory developments, and agile responses to changing developments. Thorough records of your effort to protect your customers are key. Firms should assume that the SEC and other regulators will examine how you have handled this situation.
- 1 Memorandum on Identification of Essential Critical Infrastructure Workers During COVID-19 Response, U.S. Department of Homeland Security, March 19, 2020.
- 2 See Public Statement of SEC Chairman Jay Clayton for FSOC Open Meeting (March 26, 2020).
- 3 See U.S. Securities and Exchange Commission, Final Rule: Compliance Programs of Investment Companies and Investment Advisers, Release No. IA-4439 (February 5, 2004), https://www.sec.gov/rules/final/ia-2204.htm
- 4 Cybersecurity Alert: Measures to Consider as Firms Respond to the Coronavirus Pandemic (COVID-19), Information Notice 3/26/20, https://www.finra.org/rules-guidance/notices/information-notice-032620
- 5 https://www.finra.org/compliance-tools/cybersecurity-checklist