Model Business Continuity Rule for Investment Advisers

dilbert-Disaster-Recovery

There is no explicit requirement that an adviser or fund manager have a disaster recovery plan. But any manager trying to fund-raise knows that investors will ask about its business continuity plan.

The SEC sort of requires SEC registered investment advisers to have a business continuity plan. It’s an easy one to miss in Rule 206(4)-7.

Oh, you don’t see anything about business continuity in the rule? It’s not in the rule, it’s in the Release for Rule 206(4)-7:

We believe that an adviser’s fiduciary obligation to its clients includes the obligation to take steps to protect the clients’ interests from being placed at risk as a result of the adviser’s inability to provide advisory services after, for example, a natural disaster or, in the case of some smaller firms, the death of the owner or key personnel. The clients of an adviser that is engaged in the active management of their assets would ordinarily be placed at risk if the adviser ceased operations. [SEC Release No. IA-2204]

State -level adviser regulators have stepped up and rolled out a model rule for state securities regulators.

NASAA’s model rule and guidance are intended to ensure that smaller advisers fulfill their responsibilities to protect their clients and mitigate any client harm in the event of a significant interruption to the adviser’s business. The NASAA membership adopted the model rule at NASAA’s Public Policy Conference on April 13.

Every investment adviser shall establish, implement, and maintain written procedures relating to a Business Continuity and Succession Plan. The plan shall be based upon the facts and circumstances of the investment adviser’s business model including the size of the firm, type(s) of services provided, and the number of locations of the investment adviser. The plan shall provide for at least the following:

1. The protection, backup, and recovery of books and records.
2. Alternate means of communications with customers, key personnel, employees, vendors, service providers (including third-party custodians),and regulators, including, but not limited to, providing notice of a significant business interruption or the death or unavailability of key personnel or other disruptions or cessation of business activities.
3. Office relocation in the event of temporary or permanent loss of a principal place of business.
4. Assignment of duties to qualified responsible persons in the event of the death or unavailability of key personnel.
5. Otherwise minimizing service disruptions and client harm that could result from a sudden significant business interruption.

There is another 18 pages of guidance to help an adviser craft a plan that meets the rule.

Of course, this is not imposed on advisers or fund managers registered with the Securities and Exchange Commission. But I bet you would find it to be a useful tool in evaluating your firm’s business continuity plan.

Sources:

How Good Is Your Business Continuity Plan?

compliance and hurricane sandy

The Securities and Exchange Commission wants it to be better.

In the aftermath of Hurricane Sandy, the Securities and Exchange Commission joined the Commodity Futures Trading Commission and the Financial Industry Regulatory Authority in issuing a joint staff advisory on business continuity and disaster recovery planning.

The advisory follows a review by the regulators after Hurricane Sandy closed U.S. equity and options markets for two days in October 2012. Many firms had a hard time dealing with such a widespread area of severe impact.

When considering alternative locations (i.e., back-up data centers, back-up sites for operations, remote locations, etc.) firms should consider the implications of a region wide disruption. Firms are encouraged to consider geographic diversity when determining the physical location of alternative sites. An alternative site, particularly a system back-up location, in close proximity to the primary site may not sufficiently protect the firm from the effects of a region wide event. Firms should consider whether their primary site and alternative sites rely on the same critical utility services, such as electricity, transportation and telecommunications.

That is a somewhat achievable goal for big firms, but not one for smaller firms.

The alert ignores that reality of the physical location of people, their homes, and their families. It would be great to have a fully redundant backup site located a thousand miles away from the main location. But you’re not going to be able to quickly get people there in the event of such a widespread event.

Not only are businesses affected by a disaster, but so are homes. Many (most?) employees are not going to abandon their families, stuck with limited access to power, food, and other needs.

Of course, firms need a solid business continuity and disaster recovery plan. It should be tested and evaluated regularly. A firm needs to plan for small disruptions and big disruptions. Small disruptions are more likely and need to be well addressed.

It’s much harder to have a bullet-proof plan for an event like Sandy that disrupts power to huge parts of the urban center, knocks out power to a huge swath of residential areas, floods office buildings, floods thousands of homes, disrupts transportation, and does so over hundreds of miles.

References:

Investment Advisers and Business Continuity Plans

When an investment adviser is designing its policies and procedures you need to identify the risks for their firm so they address those risks. A big risk is missing an applicable requirement under the regulatory scheme. So you sit down with the regulations and tie them to your specific policies and procedures.

An easy one to miss is the requirement for having a business continuity plan. It’s in Rule 206(4)-7.

Oh, you don’t see anything about business continuity in the rule? It’s not in the rule, it’s in the Release for Rule 206(4)-7:

We believe that an adviser’s fiduciary obligation to its clients includes the obligation to take steps to protect the clients’ interests from being placed at risk as a result of the adviser’s inability to provide advisory services after, for example, a natural disaster or, in the case of some smaller firms, the death of the owner or key personnel. The clients of an adviser that is engaged in the active management of their assets would ordinarily be placed at risk if the adviser ceased operations. [SEC Release No. IA-2204]

There is not much in the release to help you understand what is required, but there are two good places to help you.

One is to look at an intragency paper published by The Federal Reserve Board, the Office of the Comptroller of the Currency and the Securities and Exchange Commission on business continuity objectives. They lay out four broad sound practices for core clearing and settlement organizations and firms that play significant roles in critical financial markets:

  1. Identify clearing and settlement activities in support of critical financial markets.
  2. Determine appropriate recovery and resumption objectives for clearing and settlement activities in support of critical markets.
  3. Maintain sufficient geographically dispersed resources to meet recovery and resumption objectives.
  4. Routinely use or test recovery and resumption arrangements.

The other source (more practical source) is the disaster recovery requirements of broker/dealers. FINRA Rule 4370 is their emergency preparedness rule. They have a template for small introducing firms to help start designing a plan.

Sources:

Workplace Challenges of Pandemics

h1n1-virus

The reality of an influenza pandemic has now reached the American workplace. The Swine Flu H1N1 Influenza seems to have been overblown and is now ebbing. There were only two confirmed deaths. It appears that H1N1 is neither particularly contagious or deadly. In comparison, the H5N1 virus (the Avian Flu) is very deadly with an almost 50% mortality rate. Fortunately, the H5N1 virus is not contagious and is very difficult to spread.

Even though H1N1 did not turn into a pandemic, it is a good time to address your workplace plans for pandemics.

Employers need to to implement responses that protect their healthy employees, guard the privacy of sick employees, and comply with applicable national, state, and local law requirements. It is essential that employers do not permit overexcited media coverage to push them into taking actions that may be illegal or frightening to their employees.

The first step is to encourage healthy behavior by your employees:

  • Cover your nose and mouth with a tissue when you cough or sneeze. Throw the tissue in the trash after you use it.
  • Wash your hands often with soap and water, especially after you cough or sneeze.
  • Avoid touching your eyes, nose or mouth. Germs spread that way.
  • Stay home if you get sick. Limit contact with others to keep from infecting them.

In planning for a pandemic, you need to be careful if you decide to survey your employees about factors that may cause them to miss work in the event of a pandemic. You can trip over health privacy issues and ADA limitations. The EEOC made an ADA-Compliant Pre-Pandemic Employee Survey:

Directions: Answer “yes” to the whole question without specifying the reason or reasons that apply to you. Simply check “yes” or “no” at the bottom.In the event of a pandemic, would you be unable to come to work because of any of the following reasons:

  • If schools or day-care centers were closed, you would need to care for a child;
  • If other services were unavailable, you would need to care for other dependents;
  • If public transport were sporadic or unavailable, you would be unable to travel to work, and/or;
  • If you or a member of your household fall into one of the categories identified by CDC as being at high risk for serious complications from the pandemic influenza virus, you would be advised by public health authorities not to come to work (e.g., pregnant women; persons with compromised immune systems due to cancer, HIV, history of organ transplant or other medical conditions; persons less than 65 years of age with underlying chronic conditions; or persons over 65).

Answer: YES __________ NO __________

It’s time to give some thought about what your workplace would to in the event there is a pandemic.

References:

The image is the H1N1 influenza virus, taken in the CDC Influenza Laboratory.