On June 28, 2016, the Securities and Exchange Commission (the “SEC”) proposed new Rule 206(4)-4 (the “BCP Rule”) under the Investment Advisers Act of 1940, as amended (the “Advisers Act”), which would require SEC-registered investment advisers (“Advisers”) to adopt and implement written business continuity and transition plans reasonably designed to address risks related to a significant disruption in an Adviser’s operations.1 We note that the concept of developing a business continuity plan is not new, as it was addressed generally when the SEC adopted Rule 206(4)-7 under the Advisers Act in 2003.2 When Rule 206(4)-7 was adopted, the SEC stated that an Adviser’s compliance policies and procedures should address business continuity plans to the extent they are relevant to the Adviser. However, the SEC did not discuss any specific requirements for such a plan.
Under the BCP Rule, it would be unlawful for an Adviser to provide investment advice unless the Adviser adopts and implements a written business continuity and transition plan and reviews that plan on at least an annual basis.3 Advisers would be required to design a business continuity plan that reflects how they intend to maintain internal systems and protect sensitive client information, assets and data in the event of a significant operational or other disruption. Business continuity disruptions include natural disasters, acts of terrorism, cyber-attacks, equipment or system failures, or unexpected loss of a service provider, facilities or key personnel.
The BCP Rule would also require Advisers to develop a transition plan in the event the Adviser is unable to continue providing investment advisory services to clients including during the winding down of the Adviser’s business (whether or not as a result of an operational disruption), when an Adviser exits the market (i.e., dissolution, a sale of its business or pursuant to a merger with another adviser) or as a result of the Adviser entering bankruptcy.
If the BCP Rule is enacted as currently proposed, an Adviser would be required to create and implement business continuity and transition policies and procedures designed to minimize material service disruptions that may arise based on the particular risks associated with such Adviser’s operations. These policies and procedures would be required to address, at a minimum:
- the maintenance of critical operations and systems and the protection, backup and recovery of data, including client records;
- pre-arranged alternative physical locations of an Adviser’s office and/or employees;
- communications with clients, personnel, service providers and regulators;
- an inventory of key documents, such as organizational documents, contracts, policies and procedures, including the location of such documents;
- the identification and assessment of third-party services critical to the operations of the Adviser; and
- the plan for the transition of accounts in the event the Adviser winds down or transitions its business or is otherwise unable to continue providing advisory services.
In addition, an Adviser’s policies and procedures relating to a transition would be required to address, at a minimum:
- the safeguarding, transfer and/or distribution of client assets during a transition;
- information regarding the Adviser’s management and entity structure and risk management processes;
- identification of any material financial resources available to the Adviser;
- the prompt production of client-specific information in order to transition client accounts; and
- an assessment of the applicable legal and contractual issues related to a transition, including financial and regulatory reporting requirements.
While the BCP Rule would require that such business continuity and transition plans be reasonably designed to address general industry and business risks, it would allow each Adviser to tailor the detail of its plan based on the nature and complexity of the Adviser’s business, its clients and its personnel, as well as the specifics of its structure and operations.
Additionally, the BCP Rule is the first specific SEC-proposed rule to address the risk of cybersecurity breaches and disruptions to Advisers. This is not surprising in light of the SEC Division of Investment Management’s Cybersecurity Guidance Update from April 20154 as well as the prominent inclusion of cybersecurity as an area of focus in the SEC’s Office of Compliance and Inspections Examination Priorities for 2016 bulletin.5
The comment period for the BCP Rule ends on September 6, 2016. If you have any questions about this topic, please contact a member of our Investment Management practice group.
1 The SEC Proposing Release is available at https://www.sec.gov/rules/proposed/2016/ia-4439.pdf.
2 Rule 206(4)-7 of the Advisers Act requires Advisers to adopt and implement written compliance policies and procedures reasonably designed to prevent violations of the Advisers Act.
3 The SEC also proposed corresponding amendments to Rule 204-2 under the Advisers Act requiring Advisers to make and keep all business continuity and transition plans that are currently in effect or at any time within the past five years were in effect (including records documenting the Adviser’s annual review of its plan).