OCIE Risk Alert: How to Avoid Regulatory Backlash During Prolonged Periods of Remote Work
Anchin Alert
August 27, 2020
In its most recent Risk Alert, the U.S. Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) provided guidance on best practices during the prolonged periods of remote work that many firms are experiencing during the COVID-19 pandemic. In the alert, OCIE recognized that SEC registrants are now facing unprecedented operational, technological, and commercial challenges and issues resulting from the unfamiliar landscape of remote work. The alert identifies the most prominent vulnerabilities that firms and SEC registrants are facing as well as best practices for avoiding them, and groups them into six categories: (1) protection of investors' assets; (2) supervision of personnel; (3) practices relating to fees, expenses and financial transactions; (4) investment fraud; (5) business continuity; and (6) the protection of investor and other sensitive information.
1. Protection of Investors’ Assets
OCIE indicated that due to the current period of increased remote work, firms may have modified their normal practices and, for example, not be attending to their mail on a daily basis. Firms may find that their clients are making unscheduled withdrawals from accounts, particularly pandemic-related distributions from retirement accounts. This adds difficulty to the responsibility firms have to protect investors’ assets. Recommendations firms should consider include:
- Modifying their policies and procedures with respect to the handling of correspondence and notifying investors of possible delays due to remote work, and other disruptions to normal operations;
- Implementing additional steps to validate investors’ identities, and the authenticity of disbursement instructions; and
- Recommending that each investor have a trusted contact person in place, particularly vulnerable investors such as senior citizens.
2. Supervision of Personnel
OCIE also noted that with a dispersed workforce, firms may be facing difficulties meeting their regulatory obligation to properly supervise personnel and maintain updated policies and procedures to reflect current business operations. To combat these difficulties, firms may:
- Modify their practices to improve and maintain proper supervisory oversight and interaction with subordinates;
- Evaluate and modify policies and procedures to ensure adequate supervision and monitoring of communications or transactions occurring outside of the firm’s systems;
- Be conscious of, and monitor the distribution of, investment recommendations in particularly volatile markets with a greater risk of fraud; and
- Develop alternative procedures to make up for the lack of on-site and in-person due diligence reviews.
3. Practices Relating to Fees, Expenses and Financial Transactions
OCIE believes that market volatility increases the pressure on firms to compensate for lost revenue, and can increase the potential for misconduct. To ensure appropriate business practices from the top down, OCIE indicated that firms should:
- Review fee and expense policies;
- Enhance compliance monitoring by validating the accuracy of disclosures, fee and expense calculations, etc.;
- Identify and monitor transactions that resulted in high fees and expenses to investors; and
- Evaluate the risks associated with borrowing or taking loans from investors.
4. Investment Fraud
OCIE’s Risk Alert highlighted that times of uncertainty create a heightened risk of investment fraud through fraudulent offerings. In order to prevent exposure to fraudulent schemes, firms and investors alike should:
- Be cognizant of, and vigilant in identifying, these risks when conducting due diligence; and
- Report suspected fraud to the SEC.
5. Business Continuity
Since many firms have shifted to primarily remote work operations during the pandemic, OCIE acknowledged that it may be exceptionally difficult to uphold the duty to adopt and implement compliance policies and procedures that are reasonably designed to prevent violation of federal securities laws. Because transitions to remote work were, in many cases, abrupt, OCIE noted that those shifts in business practices may have caused unforeseen problems in business continuity. Therefore, firms should consider:
- Reviewing business continuity plans to address these responsibilities;
- Making changes to compliance policies and procedures so that the firm may continue to operate effectively during events such as the pandemic; and
- Alerting investors if operations are materially affected.
6. Protection of Investor and Other Sensitive Information
As electronic means of communication become predominant, OCIE expressed concern that firms are more susceptible to security breaches with respect to sensitive information including personally identifiable information (PII). In the interest of upholding their obligation to protect such information, firms should:
- Enhance identity protection practices;
- Increase the frequency and intensity of firm-wide trainings about phishing, sharing of information, securing computers and other devices, encrypting documents, and destroying physical records from home and/or other remote locations; and
- Frequently re-visit and re-consider personnel access rights and controls.
While OCIE’s Risk Alerts are not rules, regulations or official statements of the SEC, advisors can reduce the risks of landing in regulatory hot water by considering these suggestions, and remaining vigilant in upholding their duties to investors. Please reach out to David Horton, your Anchin Relationship Partner or our colleagues at Redpoint Cybersecurity with any questions you may have.