COVID-19 Compliance Risks and Considerations

March 23, 2020

We hope you are staying safe and adjusting to our new normal.  The Vista360 team is doing well and we are grateful to be able to work with our clients on a remote basis.    

On August 12, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published a Risk Alert on compliance risks and other considerations related to COVID-19.  We have summarized below OCIE’s observations and included some of our own related recommendations.

As OCIE acknowledges, COVID-19 has challenged investment advisers in many ways.  The pandemic has caused advisers to transition some or all of their staff into a remote work environment with changes to roles, supervision, training and the way they communicate with clients and co-workers.  Further, COVID-19 has created increased volatility of financial markets and opportunities for fraudulent investment offerings, among other challenges.

Safekeeping of Client Assets

Custody Rule – As some or all adviser personnel are working remotely during the pandemic, OCIE has observed that advisers have altered their typical processes and promptness for collecting their mail and processing client checks and transfer requests.  As a result, advisers should consider reviewing and/or amending their Custody Policy to reflect any adjustments to their procedures and to ensure their new procedures do not result in unintended custody of client assets.  We also wanted to remind you that the SEC published a new FAQ II.2 in response to COVID-19 that provides flexibility to comply with the Custody Rule when client assets are received at the adviser’s office but adviser personnel are not able to access the mail as frequently as normal.

Finally, OCIE recommends advisers consider whether it is appropriate to disclose to clients that there may be delays in processing client checks and requests received by mail.

Identity Theft – Due to COVID-19 and certain provisions of the CARES Act which allow for early distributions from certain retirement plans without penalty, advisers may be experiencing atypical and more frequent withdrawal requests from clients.  At the same time, the unprecedented environment created by COVID-19 has created opportunities for fraudulent withdrawal requests / identity theft.  Accordingly, advisers should review their process to validate the authenticity of withdrawal requests and consider if additional steps should be incorporated.

Supervision of Personnel

As advisers adjust to the COVID-19 environment by enacting their BCPs to work remotely, implementing new or less often used technology or utilizing new ways for personnel to communicate, OCIE recommends firms review and consider modifications to their practices to address the following:

• Supervisors having less interaction with the personnel they supervise
• Communications or transactions occurring outside the firm’s technology or on personal devices
• Investment personnel making securities recommendations in markets that have experienced significant volatility or have heightened risk of fraud
• Limitations in investment due diligence process due to inability to perform on-site reviews and other resource constraints
• Oversight of the trading process in a remote working environment; specifically, reviews of less typical trades such as affiliated, cross and aberrational trades and trades in high volume investments
• Limitations in the new employee vetting and onboarding process

Fees, Expenses and Financial Transactions

The increased market volatility created by COVID-19 and the related impact on client investments and fees collected by advisers have created an environment with increased financial pressures for advisers to make up for lost revenue.  As a result, there is a heightened risk for misconduct related to financial conflicts of interest related to investment recommendations, overvaluation of investment portfolios and improper calculation or billing of client fees.  OCIE recommends advisers review their policies and procedures or enhance compliance monitoring by:

• Validating the accuracy of their financial disclosures, advisory fee calculations and investment valuations. These are areas that we also recommend incorporating into your routine, annual testing program given OCIE’s sustained focus on financial conflicts of interest.
• Reviewing transactions that resulted in high cost to the investor

The financial pressures experienced by advisers during the current environment may also lead advisers to consider taking loans from investors or clients.  OCIE recommends advisers thoroughly evaluate the risks and disclosure obligations associated with these borrowings in advance, especially the conflicts of interest in the investment process that are created.

We also recommend advisers review agreements and/or governing documents in place with clients and investors as borrowing from clients or investors may be prohibited by these agreements in certain situations.

Investment Fraud

Times of crisis or uncertainty increase the risk of fraudulent investment offerings.  The SEC has brought many actions in the past couple months to stop investment fraud seeking to capitalize on the environment created by COVID-19.  Advisers should be cognizant of these risks during their investment research/due diligence processes.

Business Continuity

Due to COVID-19, advisers have shifted to predominately operating remotely.  This transition may raise compliance issues and other risks, including:

• Supervisory and compliance policies and procedures used while primarily operating within an office environment may not be appropriate for remote operations
• Security and support for facilities and remote sites may need to be modified or enhanced

OCIE encourages advisers to review their business continuity plans and policies and procedures and to address these matters.  Advisers should also consider whether any disclosures should be provided to investors or clients if their operations are materially affected.

We also recommend advisers review their business continuity plans during and after the pandemic and incorporate updates to the plan based on their experiences.  Advisers may find that the written portion of their plan focused on pandemic or infectious disease response may need significant enhancement.


Cybersecurity

The transition to a remote work environment creates additional cybersecurity risk and considerations.  These risks include, but are not limited to (a) more frequent remote access of the adviser’s network; (b) use of web-based applications; (c) increased use of videoconferencing and other less frequently used forms of communication; (d) increased use of personal devices; (e) changes to controls over physical records such as home printing; and (f) more opportunities for employees to be phished or otherwise manipulated into providing cybercriminals access to confidential information.

OCIE recommends advisers assess their policies and procedures and consider enhancements in the following areas:

• Identity theft prevention practices, including reminders to investors or clients to contact the adviser via telephone over concerns about suspicious communications
• Providing employees with additional training on phishing and cyber attacks, as well as firm cybersecurity practices and expectations while working remotely
• Conducting reviews of employee access rights, especially if employees take on new or expanded roles during the pandemic
• Utilizing encryption on all devices used for business purposes, including personal devices that are now being used in the current remote work environment
• Ensuring remote network access is secure and patched
• Utilizing multi-factor authentication (MFA). We recommend advisers inventory all systems where confidential information is maintained and enable MFA on any system that can be accessed via a web browser. We also recommend utilizing MFA on the VPN connection, if possible.
• Considering cyber-related issues of the adviser’s third-party vendors that are also operating remotely

We also recommend reviewing the considerations we highlighted in our previous communication regarding COVID-19 cybersecurity.