01 September 2020
Main Contributor: Elizabeth Cope, CPA, CSCP, CIPM, CEO & Lead Consultant
On August 12th the SEC issued a Risk Alert outlining observations from exams and risks in light of the COVID-19 work from home environment. The Commission outlined six (6) areas of concern for firms to review and adjust policies and procedures as necessary, focusing on operational, technological, commercial and other challenges identified. Below we highlight the SEC’s comments and concerns and include our suggestions in orange. When approaching new testing, we suggest performing reviews and testing based on the risk level at your firm in order to address the most important issues to your firm without getting too overwhelmed at the volume of tasks. If, for example, only a small number of employees use personal devices, then testing can be minimal and less frequent than a firm with 100% personal device usage.
Protection of Investors’ Assets
The staff noted that some processes and procedures had to change due to the work from home environment, including collecting and processing of investors’ checks. We suggest keeping communication open with your clients, so they understand if any processes have changed and document the temporary or permanent changes you implemented due to COVID in your annual review. The SEC urges advisors to pay attention to unusual or unscheduled withdrawals from their accounts. Some SEC suggestions include:
- Implement additional steps to validate the identity of the investor
- When not a standing letter of authorization (already confirmed and set up), implement a policy to always confirm the identify of your client.
- Obtain a trusted contact for seniors and other vulnerable investors
- A trusted contact is simply someone the adviser can contact if they suspect their client is impaired or the victim of elder abuse. A trusted contact does not have investment authority. Often the custodian will have this information and you can confirm with the client as opposed to requesting the data twice.
Supervision of Personnel
In the work-from-home environment, supervisors are experiencing an increased burden of how to supervise, document and ensure workflow progress when their teams are fragmented. Technology and training are two important pieces to remote supervision that can be utilized when employees are not face-to-face. The SEC detailed their concerns in the risk alert:
1. Supervisors not having the same level of oversight and interaction with supervised persons when they are working remotely.
- Regular check-ins can help keep employees engaged and gives a higher level of remote supervision. Increasing the frequency of training can also help supplement your supervision when working remotely. We suggest keeping the training department-specific and remind employees of policies that impact them directly, which also helps to keep employees engaged. Tap into other colleagues to check in with their employees and, of course, document your training efforts to support your compliance program.
2. Supervised persons making securities recommendations in market sectors that have experienced greater volatility or may have heightened risks for fraud.
- Ensure your portfolio managers and advisors are staying within a client’s IPS or strategy mandate by reviewing holdings or trades in times of market volatility. When an investment is made that strays from stated guidelines, ensure documentation is maintained on suitability and client conversations. We also suggest a documented, random review of guidelines and holdings to confirm compliance.
3. The impact of limited on-site due diligence reviews and other resource constraints associated with reviewing of third-party managers, investments, and portfolio holding companies.
- First and foremost, inquire with your key vendors and third-party managers about their ability to adapt during the pandemic. If they have access to your client data, obtain reasonable assurances that the information is secure, and no security breaches have taken place. While on-site visits may not be possible, due diligence reviews can be conducted remotely by requesting a video conference call. Lastly, update your DDQs and add a few questions about their COVID/work from home process and challenges.
4. Communications or transactions occurring outside of the Firms’ systems due to personnel working from remote locations and using personal devices.
- If you are not archiving certain systems like LinkedIn, Microsoft Teams or even text messages and your employees are using those systems for business communication you should train employees on appropriate means of business communication or archive the communications. Regular e-mail reminders can also help. If an employee receives business communication through a non-archived system, they can copy and paste the communication into their email and continue the conversation through this method.
5. Remote oversight of trading, including reviews of affiliated, cross, and aberrational trading, particularly in high volume investments.
- Depending on the amount of trading at your firm, consider reviews of daily or weekly trades. Excel is a great tool for dissecting a trade blotter, but regular reviews of trading will also reveal patterns. Again, document completed reviews to support your compliance program.
6. The inability to perform the same level of diligence during background checks when on-boarding personnel – such as obtaining fingerprint information and completing required verification for Form U4 – or to have personnel take requisite examinations.
- Each jurisdiction is different with where they are with COVID precautions so check in and see what they suggest. Background checks and U4 checks are still a great due diligence tool.
Practices Relating to Fees, Expenses, and Financial Transactions
Fees and expenses are a repeat offender for advisors so it’s no surprise to see fees and expense detailed in this risk alert too. The SEC outlines a few action items for advisers to consider.
- Validating the accuracy of their disclosures, fee and expense calculations, and the investment valuations used.
- In the process of your annual review, ensure your ADV Part 2A, Form CRS and advisory agreements, are consistently disclosing fees and expenses. A great exercise is to review your agreements and compare fees to client invoices to ensure consistency.
- Identifying transactions that resulted in high fees and expenses to investors, monitoring for such trends, and evaluating whether these transactions were in the best interest of investors.
- Best execution does not have to be complicated. Reviewing a sample of trades for commissions and execution price for same trades/same day is fairly simple these days with excel and considering the number of retail brokers no longer charging commissions. Pull in your portfolio management team to discuss the results and document your findings.
- Evaluating the risks associated with borrowing or taking loans from investors, clients, and other parties that create conflicts of interest, as this may impair the impartiality of Firms’ recommendations. Also, if advisers seek financial assistance, this may result in an obligation to update disclosures on Form ADV Part 2.
- Taking loans from investor or clients can bring additional scrutiny to your firm so make sure you take time to think through any conflicts and disclose those conflicts in your ADV Part 2 and possibly your Form CRS. We suggest a memo outlining the business decision and rationale for taking the loan and why (or why not) disclosure was necessary. You want to make sure investors/clients have the full picture about your firm before they decide to invest with you. Also, refer to this blog post for more information on the PPP Loan and SEC’s FAQ regarding disclosures.
When markets become volatile, fraud tends to increase. You want to make sure your due diligence on investments takes into consideration the heightened market risks and the rationale is documented.
- Firms’ supervisory and compliance policies and procedures utilized under “normal operating conditions” may need to be modified or enhanced to address some of the unique risks and conflicts of interest present in remote operations. For example, supervised persons may need to take on new or expanded roles in order to maintain business operations. These and other changes in operations may create new risks that are not typically present.
- This is a great time to review your policies and procedures and document what has changed since the work-from-home environment. It’s acceptable if policies have changed (even if temporary), however, be sure to document the changes and train employees on the change in process. Consider who is supervising the employee and make sure client information is safe and not at risk of exposure. Many firms have moved to the cloud during this time so don’t forget to update your Cyber-security Plan and ensure proper safety features are enabled such as dual factor authentication and security notifications.
- Firms’ security and support for facilities and remote sites may need to be modified or enhanced. Relevant issues that Firms should consider include, for example, whether: (1) additional resources and/or measures for securing servers and systems are needed, (2) the integrity of vacated facilities is maintained, (3) relocation infrastructure and support for personnel operating from remote sites is provided, and (4) remote location data is protected. If relevant practices and approaches are not addressed in business continuity plans and/or Firms do not have built-in redundancies for key operations and key person succession plans, mission critical services to investors may be at risk.
- Work with IT to ensure your services are properly monitored and protected. Make sure office spaces and server rooms are locked and secure until employees are back in the office and only people who need access to the space can gain access. Make sure employees remotely are doing so in a secured fashion (i.e. VPN). If employees have hard copy records at their work from home environment make sure they have the tools and understand the policies for protecting that information (i.e. keep in locked file cabinets, shred when not using)
Protection of Investor and Other Sensitive Information
Advisers should remain vigilant about frauds relating to the sensitive information they maintain of their clients. With employees working from home new risks are exposed like the security of employees’ systems and printing information at home, among other things. The SEC identified some specific issues we help you with below.
- Enhancements to their identity protection practices, such as by reminding investors to contact the Firms directly by telephone for any concerns about suspicious communications and for Firms to have personnel available to answer these investor inquiries.
- Train your employees to understand the risks your clients face and reinforce the need for safety and confirmation of identities. Your employees are part of the front line in identifying PII fraud. Provide your clients a source of contact.
- Providing Firm personnel with additional training and reminders, and otherwise spotlighting issues, related to: (1) phishing and other targeted cyber attacks; (2) sharing information while using certain remote systems (e.g., unsecured web-based video chat); (3) encrypting documents and using password-protected systems; and (4) destroying physical records at remote locations.
- Document any training and consider sending regular e-mail reminders on hot topics to keep employees engaged and constantly aware. We recommend regular phishing simulation tests. This is the most common form used for cyber-attacks and there are many vendors that offer affordable solutions. Maintain policies that require encryption when sending and sharing information that includes sensitive information. If hard copy records are kept at home, make sure the employees are protecting that information by keeping a clean desk, locking in a file cabinet and shredding if no longer a required record.
- Conducting heightened reviews of personnel access rights and controls as individuals take on new or expanded roles in order to maintain business operations.
- Employees should only have access to data on a need to know basis. Restricting access to folders and servers can add additional protections for clients and the firm. Work with IT to set up a review of access rights and logs, looking for anything unusual or atypical and document these reviews.
- Using validated encryption technologies to protect communications and data stored on all devices, including personally owned devices.
- Most firms have software in place to send sensitive information in an encrypted form when delivering electronically. This is a repeat to what has already been mentioned before, but just make sure employees are reminded of the firm’s policies. If employees are using personally owned devices, have them reviewed by IT to make they are appropriately protected (i.e. hard drive encrypted).
- Ensuring that remote access servers are secured effectively and kept fully patched.
- Set a calendar reminder to check in with IT at least quarterly to make sure patches are up to date. If you use third party services providers for your IT solutions, request a report to evidence the patches were successful.
- Enhancing system access security, such as requiring the use of multi-factor authentication.
- We recommend that anytime a cloud-based solution is utilized that you firm require multi-factor authentication. In fact, many software applications provide this as an option.
- Addressing new or additional cyber-related issues related to third parties, which may also be operating remotely when accessing Firms’ systems.
- As mentioned above, add a COVID/work-from-home specific section to your due diligence to capture what other firms you work with are doing during the work-from-home era.
With many companies announcing work-from-home until well into 2021, it’s important to augment your annual review and policies to capture the risks, mitigate conflicts and test for compliance. The SEC’s Risk Alert gives us some good best practices and serves as a reminder that we have to stay vigilant in times of change. Employees need reminders and a little training can go a long way. If you have any questions or need advice on policies let us know, we are here for you!