[Federal Register Volume 81, Number 128 (Tuesday, July 5, 2016)]
[Proposed Rules]
[Pages 43530-43556]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-15675]
=======================================================================
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
17 CFR Part 275
[Release No. IA-4439; File No. S7-13-16]
RIN 3235-AL62
Adviser Business Continuity and Transition Plans
AGENCY: Securities and Exchange Commission.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: The Securities and Exchange Commission (``Commission'' or
``SEC'') is proposing a new rule and rule amendments under the
Investment Advisers Act of 1940 (``Advisers Act''). The proposed rule
would require SEC-registered investment advisers to adopt and implement
written business continuity and transition plans reasonably designed to
address operational and other risks related to a significant disruption
in the investment adviser's operations. The proposal would also amend
rule 204-2 under the Advisers Act to require SEC-registered investment
advisers to make and keep all business continuity and transition plans
that are currently in effect or at any time within the past five years
were in effect.
DATES: Comments should be received on or before September 6, 2016.
ADDRESSES: Comments may be submitted by any of the following methods:
Electronic Comments
Use the Commission's Internet comment form (http://www.sec.gov/rules/proposed.shtml); or
Send an email to [email protected]. Please include
File Number S7-13-16 on the subject line; or
Use the Federal eRulemaking Portal (http://www.regulations.gov). Follow the instructions for submitting comments.
Paper Comments
Send paper comments to Brent J. Fields, Secretary,
Securities and Exchange Commission, 100 F Street NE., Washington, DC
20549-1090.
All submissions should refer to File Number S7-13-16. This file number
should be included on the subject line if email is used. To help us
process and review your comments more efficiently, please use only one
method. The Commission will post all comments on the Commission's
Internet Web site (http://www.sec.gov/rules/proposed.shtml). Comments
are also available for Web site viewing and printing in the
Commission's Public Reference Room, 100 F Street NE., Washington, DC
20549, on official business days between the hours of 10 a.m. and 3
p.m. All comments received will be posted without change; we do not
edit personal identifying information from submissions. You should
submit only information that you wish to make available publicly.
Studies, memoranda, or other substantive items may be added by the
Commission or staff to the comment file during this rulemaking. A
notification of the inclusion in the comment file of any such materials
will be made available on the Commission's Web site. To ensure direct
electronic receipt of such notifications, sign up through the ``Stay
Connected'' option at www.sec.gov to receive notifications by email.
FOR FURTHER INFORMATION CONTACT: Andrea Ottomanelli Magovern, Senior
Counsel, Zeena Abdul-Rahman, Senior Counsel, John Foley, Senior
Counsel, or Alpa Patel, Branch Chief, at (202) 551- 6787 or
[email protected], Investment Adviser Rulemaking Office, Division of
Investment Management, Securities and Exchange Commission, 100 F Street
NE., Washington, DC 20549-8549.
SUPPLEMENTARY INFORMATION: The Commission is proposing for public
comment new rule 206(4)-4 [17 CFR 275. 206(4)-4] and amendments to rule
204-2 [17 CFR 275.204-2] under the Advisers Act [15 U.S.C. 80b].
Table of Contents
I. Adviser Business Continuity and Transition Plans
A. Introduction
B. Background
1. Business Continuity Planning
2. Transition Planning
C. Discussion
1. Adopt and Implement Business Continuity and Transition Plans
2. Annual Review
3. Recordkeeping
[[Page 43531]]
II. Economic Analysis
A. Introduction
B. Economic Baseline
C. Benefits and Costs and Effects on Efficiency, Competition,
and Capital Formation
1. Benefits
2. Costs
3. Effects on Efficiency, Competition, and Capital Formation
D. Reasonable Alternatives
1. Require Public Availability of Business Continuity and
Transition Plans
2. Require Business Continuity Plans and/or Transition Plans,
but Do Not Specify Required Components
3. Require Specific Mechanisms for Addressing Certain Risks in
Every Plan
4. Vary the Requirements of the Proposed Rule for Different
Subsets of Registered Advisers
E. Request for Comment
III. Paperwork Reduction Act
A. The Proposed Rules
1. Rule 206(4)-4
2. Rule 204-2
B. Request for Comment
IV. Initial Regulatory Flexibility Analysis
A. Reasons for and Objectives of the Proposed Actions
B. Legal Basis
C. Small Entities Subject to the Rule and Rule Amendments
D. Projected Reporting, Recordkeeping and Other Compliance
Requirements
1. Rule 206(4)-4
2. Rule 204-2
E. Duplicative, Overlapping, or Conflicting Federal Rules
F. Significant Alternatives
G. Solicitation of Comments
V. Consideration of Impact on the Economy
VI. Statutory Authority
I. Adviser Business Continuity and Transition Plans
A. Introduction
Today, there are approximately 12,000 investment advisers
registered with the Commission that collectively manage over $67
trillion in assets, an increase of over 140% in the past 10 years.\1\
Advisers manage assets for, and provide investment advice to, a wide
variety of clients, including individuals, charitable organizations,
endowments, retirement plans, and various pooled investment vehicles
such as mutual funds and private funds. Investors turn to advisers for
a variety of services such as helping them to identify financial goals
(including investing for a child's education or preparing for
retirement), analyzing an existing financial portfolio, determining an
appropriate asset allocation, and providing portfolio management or
investment recommendations to help achieve financial goals. Advisers
also play an important role in counseling and advising clients on
complex financial instruments and investments, and in providing advice
and guidance on weathering changing market conditions. The range of
services provided by advisers, and the continued growth in the number
of advisers and assets under management, reflect the critical role
investment advisers play in our capital markets and the importance of
the services they provide to approximately 30 million clients.\2\
---------------------------------------------------------------------------
\1\ Based on data from the Commission's Investment Adviser
Registration Depository (``IARD'') as of January 4, 2016.
\2\ Id.
---------------------------------------------------------------------------
Investment advisers today also participate in and are part of an
increasingly complex financial services industry. Advisers are relying
on technology to a greater extent, managing more complicated portfolios
and strategies that often include complex investments, and are
increasingly relying on the services of third parties such as
custodians, brokers and dealers, pricing services, and technology
vendors \3\ that support their operations.\4\
---------------------------------------------------------------------------
\3\ We use the terms ``vendor'' and ``service provider''
interchangeably throughout this release.
\4\ There has been an increase in the diversity of investment
portfolios, strategies, and securities types, the complexity of
portfolio management and operations, and the interconnectedness and
interdependencies of the financial industry. See generally, Global
Association of Risk Professionals (GARP), Risk Principles for Asset
Managers, Prepared by the GARP Buy Side Risk Managers Forum (Sept.
2015) (``Risk Principles for Asset Managers'') at Section 5:
Operational Risk Principles, available at http://go.garp.org/l/39542/2015-09-30/315zdc/39542/90066/BSRMF_Risk_Principles_2015.pdf.
---------------------------------------------------------------------------
Although the types of registered investment advisers and their
business models may vary significantly, they generally share certain
fundamental operational risks. Of particular concern to the Commission
are those risks that may impact the ability of an adviser and its
personnel to continue operations, provide services to clients and
investors, or, in certain circumstances, transition the management of
accounts to another adviser. Such operational risks include, but are
not limited to, technological failures with respect to systems and
processes (whether proprietary or provided by third-party vendors
supporting the adviser's activities), and the loss of adviser or client
data, personnel, or access to the adviser's physical location(s) and
facilities.
Operational risks can arise from internal and external business
continuity events. An internal event, such as a facility problem at an
adviser's primary office location, or an external event, such as a
weather-related emergency or cyber-attack, could impact an adviser's
ongoing operations and its ability to provide client services. For
example, both types of events could prevent advisory personnel from
accessing the adviser's office or its systems or documents at a
particular office location. Under these circumstances, an adviser and
its personnel may be unable to provide services to the adviser's
clients and continue its operations while affected by the disruption,
which could result in client harm.\5\ Similarly, operational risks can
arise in the context of a transition event. If, for example, an adviser
is winding down or ceasing operations during a time of stress, then an
adviser's ability to safeguard client assets could be impacted.
---------------------------------------------------------------------------
\5\ As discussed in Section I.B.1. of this release, if an
adviser is unable to provide services to its clients, its clients'
interests may be at risk. This risk could include the risk of loss
if, for example, an adviser lacks the ability to make trades in a
portfolio, is unable to receive or implement directions from
clients, or if clients are unable to access their assets or
accounts.
---------------------------------------------------------------------------
We understand that many investment advisers, like other financial
services firms, already have taken critical steps to address and
mitigate the risks of business disruptions, regardless of the source,
as a prudent business measure.\6\ Industry participants have also
stated that the highly competitive environment in which advisers
operate encourages proper risk management and contributes to advisers'
attentiveness to operational risks.\7\ Advisers may recognize the
[[Page 43532]]
potential for significant reputational damage and other costs
associated with such risks.\8\ For many advisers, the management of
operational risks is part of the normal course of business to mitigate
issues that could negatively impact client relationships and the
management of client assets (including potential losses).\9\
Deterioration in client relationships or financial losses could cause
clients to move their accounts to another adviser or other financial
services firm, and if done on a large scale, prompt the adviser to
transition its business through a sale or other means or to wind down
its operations and exit the market.
---------------------------------------------------------------------------
\6\ See infra notes 26-27 and accompanying text (discussing
compliance policies and procedures required by rule 206(4)-7 under
the Advisers Act); see also Comment Letter of BlackRock, Inc. to the
Financial Stability Oversight Council's (``FSOC'') Notice Seeking
Comment on Asset Management Products and Activities (``FSOC
Notice'') (Mar. 25, 2015) (``BlackRock FSOC Comment Letter'') at 10
(``In the normal course of business, asset managers implement
measures to mitigate the impact of potentially disruptive events
through operational risk management programs, including maintaining
business continuity plans . . . and technology disaster recovery
plans . . . .''); Comment Letter of Investment Company Institute to
FSOC Notice (Mar. 25, 2015) (``ICI FSOC Comment Letter'') at 69
(noting that ``funds and key service providers to the industry have
robust plans and strategies in place to facilitate the continuation
or resumption of business operations in the event of an emergency,
regardless of the cause''); Comment Letter of Vanguard to FSOC
Notice (Mar. 25, 2015) (``Vanguard FSOC Comment Letter'') at 23
(``The purpose of business continuity plans is to develop
alternative ways to carry out normal business functions without
access to facilities, systems, and/or key third-party providers of
goods or services to the funds or its adviser.'').
\7\ See, e.g., Comment Letter of Fidelity Investments to FSOC
Notice (Mar. 25, 2015) (``Fidelity FSOC Comment Letter'') at 22
(``It is not correct to imply that competitive pressures push
managers toward less risk management; in fact those pressures push
funds to improve their risk management practices.''); BlackRock FSOC
Comment Letter at 63 (``The asset management industry is highly
competitive and there are numerous competitors across asset classes
and investment strategies.''); ICI FSOC Comment Letter at 61
(``Regulated fund investors have considerable choice. The industry
is highly competitive, with up to several hundred funds available
within each investment category. Along with investment performance,
the quality of shareholder services is a highly important factor in
attracting and retaining fund investors.'').
\8\ See, e.g., BlackRock FSOC Comment Letter at 55 (``Issues
related to operational and business continuity risk can be costly
and/or harm an asset manager's reputation with its clients.'');
Comment Letter of Managed Funds Association to FSOC Notice (Mar. 25,
2015) (``MFA FSOC Comment Letter'') at 45 (``It is in every
manager's self-interest to have appropriate plans in place to handle
emergencies.'').
\9\ See, e.g., BlackRock FSOC Comment Letter at 10 (``In the
normal course of business, asset managers implement measures to
mitigate the impact of potentially disruptive events through
operational risk management programs, including maintaining business
continuity plans . . . .''); Fidelity FSOC Comment Letter at 32
(``Fidelity devotes significant time and resources to ensuring that
we can provide the services our clients expect even in exigent
circumstances.'').
---------------------------------------------------------------------------
While we understand that many investment advisers already have
taken steps to address and mitigate the risks of business
disruptions,\10\ our staff has observed a wide range of practices by
advisers in addressing operational risk management. The staff
frequently observes advisers managing operational and other risks
through internal practices, procedures, and controls that are typically
assessed by the adviser's legal, compliance, or audit staff, and often
sees independent third-party assessments performed by audit or
compliance firms.\11\ However, the staff also has observed advisers
with less robust planning, causing them to experience interruptions in
their key business operations and inconsistently maintain
communications with clients and employees during periods of stress.\12\
As discussed further below, our staff has noted weaknesses in some
adviser BCPs with respect to consideration of widespread disruptions,
alternate locations, vendor relationships, telecommunications and
technology, communications plans, and review and testing.\13\ Although
disparate practices may exist in light of the varying size and
complexity of registrants, to effectively mitigate such risks we are
proposing to require all SEC-registered investment advisers to have
plans that are reasonably designed to address operational and other
risks related to a significant disruption in the investment adviser's
operations.
---------------------------------------------------------------------------
\10\ See, e.g., Comment Letter of Securities Industry and
Financial Markets Association and the Investment Adviser Association
to FSOC Notice (Mar. 25, 2015) (``SIMFA/IAA FSOC Comment Letter'')
at 43 (``Of potentially more significant interest, asset managers
are keenly focused on business continuity planning, disaster
recovery, data protection, and cybersecurity issues--not just
because of regulatory requirements . . . but also as a business
imperative.'').
\11\ We recognize that some asset management firms have well-
established sophisticated enterprise risk management (``ERM'')
practices built upon widely followed frameworks. See, e.g., SIMFA/
IAA FSOC Comment Letter at 42-43. The letter notes that in larger
more sophisticated asset managers, operational risks can be
addressed by an ERM framework such as the Committee of Sponsoring
Organizations (``COSO'') framework that works to identify key risk
elements within the firm and how those elements are monitored and
risks mitigated. See COSO, Enterprise Risk Management--Integrated
Framework (Sept. 2004), available at http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf. We understand that
investment advisers with ERM programs typically consider business
continuity as part of their broader management of operational risks.
Accordingly, we believe that an adviser's business continuity and
transition plan under the proposed rule could be a part of the
adviser's existing ERM program.
\12\ See NEP Risk Alert, infra note 30, at 3.
\13\ See NEP Risk Alert, infra note 30; see also infra notes 31-
35 and accompanying text.
---------------------------------------------------------------------------
As described in more detail below, we are concerned about the
adequacy of some advisers' plans to address operational and other risks
associated with business resiliency. Our experience indicates that
clients of advisers who do not have robust plans in place to address
the operational and other risks related to significant disruptions in
their operations are at greater risk of harm during such a disruption
than the clients of advisers who do have such plans in place. As
fiduciaries, investment advisers owe their clients a duty of care and a
duty of loyalty, requiring them to put their clients' interests above
their own.\14\ As part of their fiduciary duty, advisers are obligated
to take steps to protect client interests from being placed at risk as
a result of the adviser's inability to provide advisory services.\15\
---------------------------------------------------------------------------
\14\ See SEC v. Capital Gains Research Bureau, Inc., 375 U.S.
180, 191, 194 (1963) (noting that the Advisers Act ``reflects a
congressional recognition `of the delicate fiduciary nature of an
investment advisory relationship''' and stating that ``[c]ourts have
imposed on a fiduciary an affirmative duty of `utmost good faith,
and full and fair disclosure of all material facts,' as well as an
affirmative obligation `to employ reasonable care to avoid
misleading' his clients'' (citations omitted)); Transamerica
Mortgage Advisors, Inc. v. Lewis, 444 U.S. 11, 17 (1979) (noting
that the Advisers Act's ``legislative history leaves no doubt that
Congress intended to impose enforceable fiduciary obligations'').
\15\ See Compliance Programs of Investment Companies and
Investment Advisers, Advisers Act Rel. No. 2204 (Dec. 17, 2003) [68
FR 74714 (Dec. 24, 2003)] (``Compliance Program Adopting Release'')
at n.22 (noting this fiduciary obligation in the context of BCPs).
---------------------------------------------------------------------------
Section 206(4) of the Advisers Act authorizes the Commission to
adopt rules and regulations that ``define, and prescribe means
reasonably designed to prevent, such acts, practices, and courses of
business as are fraudulent, deceptive, or manipulative.'' Because an
adviser's fiduciary duty obligates it to take steps to protect client
interests from being placed at risk as a result of the adviser's
inability to provide advisory services, clients are entitled to assume
that advisers have taken the steps necessary to protect those interests
in times of stress, whether that stress is specific to the adviser or
the result of broader market and industry events. We believe it would
be fraudulent and deceptive for an adviser to hold itself out as
providing advisory services unless it has taken steps to protect
clients' interests from being placed at risk as a result of the
adviser's inability (whether temporary or permanent) to provide those
services.
Accordingly, we believe advisers should be required to establish
strong operational policies and procedures that manage the risks
associated with business continuity and transitions. These policies and
procedures should increase the likelihood that advisers are as prepared
as possible to continue operations during times of stress and that they
have taken steps to minimize risks that could lead to disruptions in
their operations. These policies and procedures also should increase
the likelihood that clients are not harmed in the event of a
significant disruption in their adviser's operations. Therefore, today
we are proposing to require SEC-registered advisers to adopt and
implement written business continuity and transition plans that include
certain specific components, and to maintain relevant records of those
plans, in order to facilitate robust business continuity and transition
planning across all SEC-registered advisers.
B. Background
1. Business Continuity Planning
The rapid recovery and resumption of the financial markets and the
activities that support them underpins the resiliency of the U.S.
financial system.\16\
[[Page 43533]]
Business continuity planning is a critical activity that supports
resiliency and one that financial services firms, including investment
advisers, generally should engage in to address the inherent risks they
face in serving their clients' needs. Federal and state financial
market and services regulators, including the Commission, have sought
to highlight and address operational risks and the tools necessary to
manage them, including fulsome business continuity planning for many
financial industry participants.\17\
---------------------------------------------------------------------------
\16\ See Interagency Paper on Sound Practices to Strengthen the
Resilience of the U.S. Financial System, Securities Exchange Act
Rel. No. 47638 (Apr. 7, 2003) [68 FR 17809 (Apr. 11, 2003)]
(``Interagency Paper''); cf. infra note 21 and accompanying text.
\17\ See Regulation Systems Compliance and Integrity, Securities
Exchange Act Rel. No. 73639 (Nov. 19, 2014) [79 FR 72251 (Dec. 5,
2014)] (``Regulation SCI Adopting Release''); see also Policy
Statement: Business Continuity Planning for Trading Markets,
Securities Exchange Act Rel. No. 48545 (Sept. 25, 2003). In
addition, we note that banks are subject to the Federal Financial
Institutions Examination Council's (``FFIEC'') business continuity
guidelines, which state that financial institutions should develop
comprehensive BCPs and that ``[t]he goal of the BCP should be to
minimize financial losses to the institution, serve customers and
financial markets with minimal disruptions, and mitigate the
negative effects of disruptions on business operations.'' See FFIEC,
IT Examination Handbook, Business Continuity Planning (Feb. 2015)
(``FFIEC Handbook''), available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_BusinessContinuityPlanning.pdf; see also
Board of Governors of the Federal Reserve System, Supervisory Letter
SR 15-3 (Feb. 6, 2015), available at http://www.federalreserve.gov/bankinforeg/srletters/sr1503.htm. The FFIEC is an ``interagency body
empowered to prescribe uniform principles, standards, and report
forms for the federal examination of financial institutions by the
Board of Governors of the Federal Reserve System (FRB), the Federal
Deposit Insurance Corporation (FDIC), the National Credit Union
Administration (NCUA), the Office of the Comptroller of the Currency
(OCC), and the Consumer Financial Protection Bureau (CFPB).'' See
FFIEC, available at https://www.ffiec.gov.
---------------------------------------------------------------------------
For example, the Financial Industry Regulatory Authority
(``FINRA'') requires broker-dealers to establish business continuity
plans (``BCPs'') reasonably designed to meet existing customer
obligations and address relationships with other broker-dealers and
counterparties.\18\ Additionally, the Commodity Futures Trading
Commission (``CFTC'') has adopted regulations that require swap dealers
and major swap participants to establish and maintain BCPs that are
designed to enable the regulated entity ``to continue or to resume any
operations by the next business day with minimal disturbance to its
counterparties and the market.'' \19\ The North American Securities
Administrator Association (``NASAA'') also recently adopted a model
rule that, if adopted in a particular state, would require investment
advisers registered in that state to have business continuity and
succession plans in place that minimize ``service disruptions and
client harm that could result from a sudden significant business
disruption.'' \20\
---------------------------------------------------------------------------
\18\ See FINRA Rule 4370 (requiring that member BCPs address
certain elements, including data backup and recovery, all mission
critical systems, alternate communications, alternate physical
location of employees, and critical business constituent (i.e., a
business with which a member firm has an ongoing commercial
relationship in support of the member's operating activities), bank
and counter-party impact); see also NASD, Notice to Members 04-37:
Business Continuity Plans (May 2004), available at https://www.finra.org/sites/default/files/NoticeDocument/p003095.pdf. We
note that investment advisers that are also registered as broker-
dealers would have to comply with FINRA's rule as well as the
proposed rule. However, as noted herein, we have modeled much of the
proposed rule, including the required components of a business
continuity and transition plan, on BCP requirements for other
financial services firms that we believe share similar
vulnerabilities as investment advisers. See infra notes 61-62 and
accompanying text.
\19\ See 17 CFR 23.603(a). Relevant BCPs must be designed to
recover all documentation and data required to be maintained by
applicable law and regulation, and are required to include certain
required components that are related to, among other things, data
backup, systems maintenance, communications, geographic diversity,
and third parties. See infra notes 62, 71, 79, and 86.
\20\ See NASAA Model Rule 203(a)-1A (stating that all plans
should provide for backup of books and records, alternate means of
communication, office relocations, assignment of duties to qualified
persons in the event of death or unavailability of key personnel,
and otherwise minimizing service disruption and client harm); see
also Mark Schoeff Jr., State Regulators to Require Continuity Plans,
Investment News, (Apr. 22, 2015), available at http://www.investmentnews.com/article/20150422/FREE/150429965/state-regulators-to-require-continuity-plans.
---------------------------------------------------------------------------
In addition, we recently adopted rules to strengthen the technology
infrastructure of the U.S. securities markets by adopting Regulation
Systems Compliance and Integrity, or Regulation SCI, which applies to,
among other things, self-regulatory organizations, certain alternative
trading systems, and certain exempt clearing agencies.\21\
Specifically, Regulation SCI is designed to reduce the occurrence of
systems issues and improve resiliency for key market participants when
these problems do occur, and requires, among other things, relevant
entities to have and test business continuity and disaster recovery
plans. While these regulations and those of other regulatory bodies
address different entities, they generally highlight similar principles
of business continuity planning, including the need to address critical
systems, data backup, communications, alternate and/or geographically
diverse locations, and third-party relationships.
---------------------------------------------------------------------------
\21\ See Regulation SCI Adopting Release, supra note 17. Among
other things, Regulation SCI requires SCI entities to establish and
test business continuity and disaster recovery plans that include
maintaining backup and recovery capabilities sufficiently resilient
and geographically diverse and that are reasonably designed to
achieve next business day resumption of trading and two-hour
resumption of critical systems in the event of a wide-scale
disruption. See 17 CFR 242.1001(a)(2)(v). Further, Regulation SCI
sets forth business continuity and disaster recovery plan testing
requirements for SCI entities. See 17 CFR 242.1004.
---------------------------------------------------------------------------
Regulatory authorities have also acted collectively and in
consultation with each other to address operational risks in light of
the interconnectedness and interdependency of financial market
participants. For example, the Commission, along with the Board of
Governors of the Federal Reserve System (``Federal Reserve'') and the
Office of the Comptroller of the Currency, issued the Interagency Paper
on Sound Practices to Strengthen the Resilience of the Financial
System, which sets forth business continuity objectives for all
financial firms and the U.S. financial system as a whole.\22\ More
recently, FSOC issued a request for public comment on, among other
things, operational risks and transition planning as it relates to the
asset management industry.\23\
---------------------------------------------------------------------------
\22\ See Interagency Paper, supra note 16. The objectives
discussed in the paper include (i) rapid recovery and timely
resumption of critical operations following a wide-scale disruption;
(ii) rapid recovery and timely resumption of critical operations
following the loss or inaccessibility of staff in at least one major
operating location; and (iii) a high level of confidence, through
ongoing use or robust testing, that critical internal and external
continuity arrangements are effective and compatible. The paper also
sets forth four sound practices for core clearing and settlement
organizations and firms that play significant roles in critical
financial markets, including (i) identifying clearing and settlement
activities in support of critical financial markets, (ii)
determining appropriate recovery and resumption objectives, (iii)
maintaining sufficient geographically dispersed resources to meet
such objectives, and (iv) routinely using or testing recovery and
resumption arrangements. See id. In addition, in 2012-2013, the
Commission's Office of Compliance Inspections and Examinations
(``OCIE''), along with FINRA and the CFTC, jointly reviewed a number
of firms' business continuity and disaster recovery planning and
published their joint observations on best practices and lessons
learned. See Joint Review of Business Continuity and Disaster
Recovery of Firms by the Commission's National Examination Program,
CFTC's Division of Swap Dealers and Intermediary Oversight and FINRA
(Aug. 16, 2013) (``Joint Review of Business Continuity''), available
at https://www.sec.gov/about/offices/ocie/jointobservations-bcps08072013.pdf.
Financial services industry participants have also been pro-
active in addressing resiliency issues. See, e.g., Financial
Services Sector Coordinating Council (established to coordinate
infrastructure and homeland security activities within the financial
services industry comprised on financial trade associations,
financial utilities and financial firms), available at https://www.fsscc.org.
\23\ See FSOC Notice (Dec. 24, 2014) [79 FR 77488 (Dec. 24,
2014)], available at http://www.treasury.gov/initiatives/fsoc/rulemaking/Documents/Notice%20Seeking%20Comment%20on%20Asset%20Management%20Products%20and%20Activities.pdf; see also FSOC, Update on Review of Asset
Management Products and Activities (Apr. 18, 2016), available at
https://www.treasury.gov/initiatives/fsoc/news/Documents/FSOC%20Update%20on%20Review%20of%20Asset%20Management%20Products%20and%20Activities.pdf. Although our rulemaking proposal is independent
of FSOC, several commenters responding to the FSOC Notice discussed
operational risks and transition issues related to investment
advisers, and we have considered and discussed relevant comments
throughout this release. Comments submitted in response to the FSOC
Notice are available at https://www.regulations.gov/#!docketBrowser;rpp=25;po=0;dct=PS;D=FSOC-2014-0001.
---------------------------------------------------------------------------
[[Page 43534]]
The Commission addressed business continuity planning with respect
to investment advisers in a general way when it adopted rule 206(4)-7
under the Advisers Act (``Compliance Program Rule''). Under the rule,
advisers are required to consider their fiduciary and regulatory
obligations under the Advisers Act, and adopt and implement written
compliance policies and procedures reasonably designed to prevent
violations of the Advisers Act.\24\ At the time it adopted the rule,
the Commission was concerned that not all advisers had adopted adequate
compliance programs and as a result, clients and investors were being
harmed.\25\ In the release adopting the Compliance Program Rule, the
Commission stated that an adviser's compliance policies and procedures
should address BCPs to the extent that they are relevant to an
adviser.\26\ The Commission did not, however, identify critical
components of a BCP or discuss specific issues or areas that advisers
should consider in developing such plans.
---------------------------------------------------------------------------
\24\ See rule 206(4)-7; Compliance Program Adopting Release,
supra note 15, at section II.A.1. Rule 206(4)-7 makes it unlawful
for advisers to provide investment advice unless they adopt and
implement written compliance policies and procedures reasonably
designed to prevent violations by the adviser and its supervised
persons of the Advisers Act and rules thereunder.
\25\ The Commission noted that it and state securities
authorities had recently discovered unlawful conduct involving a
number of advisers, broker-dealers, and other service providers
where personnel of these entities engaged in, or actively assisted
others in engaging in, inappropriate market timing, late trading of
fund shares, and the misuse of material, nonpublic information about
fund portfolios. The Commission noted that these personnel had
breached their fiduciary obligations to the funds involved and their
shareholders by placing their own interests or the interests of the
fund adviser ahead of the interests of fund shareholders. See
Compliance Program Adopting Release, supra note 15, at section I.
\26\ Id. The Commission identified ten areas adviser compliance
programs should address, including BCPs.
---------------------------------------------------------------------------
As discussed above, an adviser's fiduciary obligations require it
to take steps to protect its clients' interests from being placed at
risk as a result of the adviser's inability to provide advisory
services.\27\ This fiduciary duty fosters trust between the client and
its adviser, such that the client relies on the adviser to act in its
best interests and safeguard its assets as appropriate, even during
times of stress.\28\ If an adviser is unable to provide advisory
services after, for example, a natural disaster, a cyber-attack, an act
of terrorism, technology failures, or the departure of key personnel,
its temporary inability to continue operations may put clients'
interests at risk and prevent it from meeting its fiduciary duty to
clients. This risk could include the risk of loss if, for example, an
adviser lacks the ability to make trades in a portfolio, is unable to
receive or implement directions from clients, or if clients are unable
to access their assets or accounts. As part of its fiduciary duty to
protect client interests, an adviser also should take steps to minimize
operational and other risks that could lead to a significant business
disruption like, for example, a systems failure. In order to do so,
advisers should generally assess and inventory the components of their
business and minimize the scope of its vulnerability to a significant
business disruption. While we recognize that an adviser may not be able
to prevent significant business disruptions (e.g., a natural disaster,
terrorist attack, loss of service from a third-party), we believe
robust planning for significant business disruptions can help to
mitigate their effects and, in some cases, minimize the likelihood of
their occurrence.
---------------------------------------------------------------------------
\27\ See id. at n.22. The Commission also has stated that
``clients of an adviser that is engaged in the active management of
their assets would ordinarily be placed at risk if the adviser
ceased operations.'' Id.
\28\ See generally SEC v. Capital Gains Research Bureau, Inc.,
supra note 14 at 191 (``A fiduciary owes its clients more than mere
honesty and good faith alone. ''); Investment Adviser Association,
What is an Investment Adviser?, available at http://www.investmentadviser.org/eweb/dynamicpage.aspx?webcode=whatisia
(noting that because advisers owe a fiduciary duty to their clients,
they ``[stand] in a special relationship of trust and confidence
with [their] clients'' and that such fiduciary duty generally
includes the duty to place the clients' interests first ``at all
times'').
---------------------------------------------------------------------------
Various weather-related events have tested, on a large scale, the
effectiveness of existing BCP components of advisers' compliance
programs.\29\ In addition, these events provided our examination staff
the opportunity to review, observe, and assess the operations and
resiliency of BCPs across many advisers. The examination staff followed
these reviews by issuing public reports of their findings and effective
practices.\30\
---------------------------------------------------------------------------
\29\ For example, Hurricane Katrina in 2005 and, as discussed in
this release, Hurricane Sandy in 2012 presented challenges to
advisers affected by those storms.
\30\ See National Exam Program Risk Alert, SEC Examinations of
Business Continuity Plans of Certain Advisers Following Operational
Disruptions Caused by Weather-Related Events Last Year (Aug. 27,
2013) (``NEP Risk Alert''), available at https://www.sec.gov/about/offices/ocie/business-continuity-plans-risk-alert.pdf. The
examination was part of a joint review by the SEC's OCIE, FINRA and
the CFTC of relevant firms' business continuity and disaster
recovery planning in the wake of Hurricane Sandy. Together, these
entities issued a joint statement setting forth best practices and
lessons learned as a result of their review. See Joint Review of
Business Continuity, supra note 22; see also SEC Compliance Alert
(June 2007) (``Compliance Alert''), available at https://www.sec.gov/about/offices/ocie/complialert.htm.
---------------------------------------------------------------------------
Hurricane Sandy broadly impacted the industry and its operations
because of the duration and point of impact of the storm, which
affected parts of New York, New Jersey, and the surrounding areas,
where numerous financial services providers (both markets and
participants) are concentrated. In the aftermath of the hurricane,
examiners observed that the degree of specificity of advisers' written
BCPs varied and that some advisers' BCPs did not ``adequately address
and anticipate widespread events.'' \31\ In addition, with respect to
alternative locations, examination staff noted that some advisers did
not have geographically diverse office locations, even when they
recognized that diversification would be appropriate.\32\ Additionally,
they observed with respect to vendor relationships and
telecommunications/technology, that certain advisers did not evaluate
the BCPs of their service providers or engage service providers to
ensure their backup servers worked properly, and that some advisers
reported that they did not keep updated lists of their vendors and
respective contacts.\33\ Moreover, with respect to communications
plans, the examination staff observed that some advisers inconsistently
planned how to contact and deploy employees during a crisis,
inconsistently maintained communications with clients and employees,
and did not identify which personnel were responsible for executing and
implementing the various portions of the BCP.\34\ Finally, with respect
to review and testing, our examination staff reported that some
advisers ``inadequately tested their BCPs relative to their advisory
businesses.'' \35\ These observations illustrate our experience that
business continuity planning among investment advisers
[[Page 43535]]
can be uneven and, in some instances, may not be sufficiently robust to
mitigate the potential adverse effects of a significant business
disruption on clients.
---------------------------------------------------------------------------
\31\ See NEP Risk Alert, supra note 30, at 3.
\32\ See NEP Risk Alert, supra note 30, at 4.
\33\ See NEP Risk Alert, supra note 30, at 4-5.
\34\ See NEP Risk Alert, supra note 30, at 6.
\35\ See NEP Risk Alert, supra note 30, at 7.
---------------------------------------------------------------------------
Additionally, the operational complexity of advisers has increased
over the years and many advisers' operations are highly dependent on
technology, including investment processes (e.g., trading, risk
management operations) and client services.\36\ It is critical for
investment advisers to focus on resiliency so that they can continue to
provide services to their clients when events impact the availability
of systems, facilities, and staff. The ability to recover such systems,
including third-party vendor provided platforms and services, and
business operations in a timeframe that meets business requirements is
important to mitigating the consequences of disruptive events.\37\
---------------------------------------------------------------------------
\36\ See, e.g., Blackrock, The Role of Technology Within Asset
Management (Aug. 2014), at 1, available at http://www.blackrock.com/corporate/en-us/literature/whitepaper/viewpoint-asset-management-technology-aug-2014.pdf (``Asset managers require systems to
facilitate the maintenance of data and flow of information in the
investment process, such as trading counterparties and custodians.
Technology provides the unseen `plumbing' that ensures information
flows smoothly throughout the ecosystem.''). The paper also notes
that a robust asset management process requires both experienced
professionals and technology, and that integrated investment
technology enhances the quality of large volumes of data, supports
consistent investment workflows and enables timely communications
for both internal functions and with external parties.
\37\ See, e.g., infra note 90.
---------------------------------------------------------------------------
Based on the staff's observations from examinations, and the ever-
growing complexity of, and risks to, operations, we are concerned that
some advisers may not have robust BCPs. When a client entrusts an
adviser to manage its assets, the client does so with the expectation
that the adviser will act in its best interests and safeguard its
assets as appropriate, even in times of stress. We believe that without
robust business continuity planning, an adviser's clients may be placed
at risk in times of stress. Accordingly, to facilitate such robust
planning across all SEC-registered advisers, we are proposing to
require that these advisers address certain components in their
business continuity and transition plans.
2. Transition Planning
Operational risks are not limited to affecting the day-to-day
operations of an adviser, but can lead to a financial services firm
having to cease or wind-down operations while also considering how to
safeguard client or investor assets. The 2008 financial crisis
demonstrated that providers of financial services are at risk of having
to exit the market unexpectedly and having to do so quickly.\38\ As
with traditional business continuity planning, regardless of whether
the risk is internal or external to the firm, a reasonably designed
plan assessing various risks related to a business transition (e.g.,
operational and other risks related to transitioning client assets) and
how to react to transition events should ameliorate the impact of
transitions on clients.\39\ After the financial crisis, Congress
addressed the need for this type of advance planning for certain
institutions in the Dodd-Frank Wall Street Reform and Consumer
Protection Act, which mandated regulations that require certain
financial institutions to plan for ``rapid and orderly resolution in
the event of material financial distress or failure.''\40\
---------------------------------------------------------------------------
\38\ See Financial Crisis Inquiry Commission, Final Report of
the National Commission on the Causes of the Financial and Economic
Crisis in the United States (Jan. 2011) at 22-23, available at
https://www.gpo.gov/fdsys/pkg/GPO-FCIC/pdf/GPO-FCIC.pdf (``In
January 2008, Bank of America announced it would acquire the ailing
lender Countrywide. . . . Bear Stearns . . . was bought by JP Morgan
with government assistance in the spring. Before the summer was
over, Fannie Mae and Freddie Mac would be put into conservatorship.
Then, in September, Lehman Brothers failed and the remaining
investment banks, Merrill Lynch, Goldman Sachs, and Morgan Stanley,
struggled as they lost the market's confidence. AIG . . . was
rescued by the government. Finally, many commercial banks and
thrifts . . . teetered. IndyMac had already failed over the summer;
in September, Washington Mutual became the largest bank failure in
U.S. history. In October, Wachovia struck a deal to be acquired by
Wells Fargo.''). Several of the financial services firms mentioned
in this report included asset management subsidiaries.
\39\ Both transition planning and business continuity planning
relate to instances where an adviser may be unable to provide
advisory services and where advance planning for those instances
would benefit advisers and their clients. We note that in the
Compliance Program Adopting Release, the Commission noted the risks
to advisory clients if an adviser ceased operations. See Compliance
Program Adopting Release, supra note 15.
\40\ See section 165(d) of the Dodd-Frank Act [12 U.S.C. 5365];
see also Resolution Plans Required, 76 FR 67323 (Nov. 1, 2011)
(``Resolution Plans''). We are not proposing that advisers adopt
resolution plans or ``living wills'' similar to that which certain
financial institutions must now adopt under FDIC and Federal Reserve
rules because investment advisers do not interact with the
government in the same way as banks. For example, advisers do not
accept insured ``deposits,'' do not have access to the Federal
Reserve discount window, and do not use their own balance sheets
when trading client assets.
---------------------------------------------------------------------------
In the normal course of business, it is our understanding that
advisers routinely transition client accounts without a significant
impact to themselves, their clients, or the financial markets.\41\ We
believe that much of this is largely attributable to the agency
relationship of advisers managing the assets on behalf of their clients
and the regulatory framework supporting this relationship whereby
advisory client assets for which the adviser has custody are required
to be held at a qualified custodian, such as a bank or broker-
dealer.\42\ Because client assets custodied by an adviser must be held
at a qualified custodian and segregated from the adviser's assets, we
have observed that transitioning accounts from one adviser to another
can largely be a streamlined process that in many cases may not involve
the physical movement or sale of assets.\43\ Pooled investment vehicle
clients generally have the ability to terminate the advisory contract
of the adviser or remove the governing body that may provide advisory
services (e.g., general partner or managing member) and appoint a new
adviser or governing body if they so desire, while separate account
clients can generally terminate the advisory contract and appoint a new
adviser to manage their assets, all while their assets are typically
maintained at a qualified custodian.\44\
---------------------------------------------------------------------------
\41\ See, e.g., BlackRock FSOC Comment Letter (noting that
``[t]ransitioning the management of client assets from one manager
to another regularly occurs in the normal course of business'' and
listing 19 previous examples of advisers or funds exiting the market
without great market impact); SIMFA/IAA FSOC Comment Letter (noting
that ``managers and funds routinely enter and exit the asset
management industry'' and citing an Investment Company Institute
paper to note that, in 2013, ``48 mutual fund sponsors left the
business without any impact or distress''); Comment Letter of PIMCO
to FSOC Notice (Mar. 25, 2015); Vanguard FSOC Comment Letter. In
addition, we understand that specialized transition managers exist
to manage assets during a transition from one adviser to another.
See, e.g., BlackRock FSOC Comment Letter at 66.
\42\ See rule 206(4)-2 under the Advisers Act. The use of
custodians that traditionally provide those services provide
protection for client assets from the adverse effects of stress at
an adviser. We also note that approximately 96.7% of SEC-registered
advisers are not related to the custodians that hold client assets.
Based on data from the Commission's IARD as of January 4, 2016.
\43\ Client assets are not part of the adviser's balance sheet.
Client assets are not subject to the liquidation or potential
bankruptcy process of an asset manager and are not subject to the
adviser's creditors.
\44\ We note that to the extent a new adviser does not have a
relationship with the same custodian used by the previous adviser,
assets may need to be transferred to a different custodian.
Additionally, we note that complications could arise with respect to
the transfer of shareholder records when transitioning client
accounts to another adviser.
---------------------------------------------------------------------------
In addition, we are aware of instances of non-routine disruptions
at large advisory businesses that have resulted in transitions to new
advisers or new ownership without appearing to have a significant
adverse impact on clients, fund investors, or the financial
[[Page 43536]]
markets.\45\ Advisers routinely enter and exit the market and are
capable of transferring client assets to another adviser or
distributing such assets back to the client without negatively
impacting the client.\46\ Cases of advisory firms experiencing
transition events are often caused by a rapid decrease in assets under
management, which can occur for a variety of reasons, including poor
performance or an event causing reputational harm.\47\ To help ensure
that a transition is as seamless as possible, an adviser must be aware
of the impediments that should be addressed to minimize potential
client impact.
---------------------------------------------------------------------------
\45\ For example, although a unique situation, advisory firm
Neuberger Berman spun out of Lehman Brothers during the 2008
financial crisis into a private company. See also infra note 52
(discussing the circumstances of the Neuberger Berman sale).
\46\ See supra note 41.
\47\ See, e.g., Trevor Hunnicutt, F-Squared Files for
Bankruptcy, Investment News (July 8, 2015) (``F-Squared Article''),
available at http://www.investmentnews.com/article/20150708/FREE/150709926/f-squared-files-for-bankruptcy (noting that after settling
charges with the SEC for false performance claims, F-squared started
losing assets under management); Christine Dugas & Sandra Block
Strong, Strong Capital, Founder to Pay $140M in Settlement, USA
Today (May 20, 2004), available at http://usatoday30.usatoday.com/money/perfi/funds/2004-05-20-strong-settle_x.htm (noting that after
Strong Capital Management (``Strong'') and its founder settled
charges with the SEC for allowing and engaging in undisclosed
frequent trading in Strong mutual funds, Strong funds had a ``net
outflow of investor assets totaling $4.9 billion''); see also In the
Matter of F-Squared Investments, Inc., Advisers Act Rel. No. 3988
(Dec. 22, 2014) (settled enforcement action); In the Matter of
Strong Capital Management, et al., Securities Exchange Act Rel. No.
49741 (May 20, 2004) (settled enforcement action); infra note 60.
---------------------------------------------------------------------------
We are also aware of transitions involving funds under stress that
have not been seamless or without problem.\48\ For example, in one
instance, an adviser's proprietary system used on behalf of a fund
client had limitations on the pricing of fund shares that could not be
efficiently modified to accommodate certain events, which in turn
impeded the processing of fund redemption transactions and the
reconciliation, liquidation, and transfer of investor accounts on a
timely basis.\49\ In addition, while maintaining assets with a
custodian may ease the transfer of those assets, the adviser may have
important or private information concerning its clients or their
strategies and goals that would need to be transitioned securely and
efficiently.\50\
---------------------------------------------------------------------------
\48\ See, e.g., BlackRock FSOC Comment Letter (citing to the
wind-down of Long-Term Capital Management in 2000 and Reserve
Primary Fund in 2008 and noting that regulatory intervention was
necessary for the funds involved).
\49\ See In the Matter of The Reserve Fund, et al., Investment
Company Act Rel. No. 28386 (Sept. 22, 2008) (finding that the
temporary suspension of the right of redemption and postponement of
payment for shares which had been submitted for redemption but for
which payment had not been made was necessary for the protection of
shareholders); see also The Reserve Delays Primary Fund
Distributions, MFWire.com (Oct. 14, 2008), available at http://www.mfwire.com/article.asp?storyID=19638&bhcp=1 (``The process of
determining accurately the number of shares each investor held in
the Primary Fund has proven to be extremely complex and could not be
completed in the originally anticipated time frame.''); The Reserve
Furnishes More Details On Primary Fund Redemptions, MFWire.com (Oct.
16, 2008), available at http://www.mfwire.com/article.asp?storyID=19656&bhcp=1 (``[W]e have been working
diligently to enhance our existing software and add new programs to
hasten the distribution process.'').
\50\ See generally Regulation S-P, 17 CFR 248 (establishing
general requirements and restrictions on a financial institutions'
ability to disclose nonpublic personal information about consumers,
including clients, to nonaffiliated third parties and exceptions
associated therewith).
---------------------------------------------------------------------------
Moreover, the 2008 financial crisis illustrated that one firm's
distress may at times have a broader impact on the financial markets
and overall economy.\51\ Advisers could be impacted by broader market
events in a number of ways that could affect an adviser's ability to
continue operations and possibly lead to a transition event. For
example, advisers are often owned by or affiliated with other financial
services firms who themselves may be in distress. An adviser may be
affected by such distress to the extent the distress negatively impacts
the adviser's reputation, if it relies on a distressed affiliate for
certain systems or services, or if it is an asset that a distressed
parent sells.\52\ Under circumstances such as these, we are concerned
about the adviser's ability to continue to act in the clients' best
interests.
---------------------------------------------------------------------------
\51\ See generally Joint Report, infra note 72.
\52\ See, e.g., Lehman Brothers selling its asset management arm
after declaring bankruptcy. Sam Mamudi, Neuberger Berman Sold to
Private Equity, Market Watch (Sept. 29, 2008), available at http://www.marketwatch.com/story/neuberger-berman-sold-to-private-equity-for-215-billion.
---------------------------------------------------------------------------
Proper planning and preparation for possible distress and other
significant disruptions in an adviser's operations is essential so
that, if an entity has to exit the market, it can do so in an orderly
manner, with minimal or no impact on its clients. As discussed above,
an adviser's fiduciary duty obligates it to take steps to protect
client interests from being placed at risk as a result of the adviser's
inability to provide advisory services and, thus, it would be
fraudulent and deceptive for an adviser to hold itself out as providing
advisory services unless it has taken such steps.\53\ Such advance
planning and preparation may minimize an adviser's exposure to
operational and other risks and, therefore, lessen the possibility of a
significant disruption in its operations, and also may lessen any
potential impact on the broader financial markets. Accordingly, and as
discussed in more detail below, we believe that SEC-registered advisers
should be required to adopt and implement a written business continuity
and transition plan that is tailored to the risks associated with the
adviser's operations and includes certain components, reflecting its
critical role as an agent for its clients.
---------------------------------------------------------------------------
\53\ See supra section I.A; see also section 206(4) of the
Advisers Act.
---------------------------------------------------------------------------
C. Discussion
We believe it is appropriate at this time to propose a rule
requiring SEC-registered advisers to adopt and implement a business
continuity and transition plan\54\ that is reasonably designed to
address operational and other risks related to a significant disruption
in an adviser's operations and that addresses certain specified
components.\55\ We recognize that, pursuant to the Compliance Program
Rule, most SEC-registered investment advisers may already have BCPs in
place as part of their compliance policies and procedures \56\ and that
those plans (or other plans) may also address transition planning.\57\
However, it has been our staff's experience that the robustness of
these BCPs is inconsistent across investment advisers. We believe that
requiring a business
[[Page 43537]]
continuity and transition plan that addresses operational and other
risks by rule and specifying certain components of such a plan will
facilitate the adoption and implementation of robust plans by all SEC-
registered investment advisers that address critical areas and that
should be effective and workable during a significant disruption in an
adviser's operations. Moreover, we believe requiring such plans will
benefit advisory clients because advisers will likely be better
prepared to deal with business continuity and transition events if and
when they occur and will better mitigate risks attendant with their
operations and business practices, thereby reducing the likelihood of
client harm as the result of a significant disruption in an adviser's
operations.
---------------------------------------------------------------------------
\54\ We recognize that business continuity planning and
transition planning address different circumstances (i.e. one
addresses the continuation of a business while the other addresses
the winding down of a business). See infra note 60 and accompanying
text. However, both business continuity planning and transition
planning pertain to instances where an adviser may be unable to
provide advisory services and where advance planning for those
instances would benefit advisers and their clients. In this release
and in proposed rule 206(4)-4, we refer to an adviser adopting ``a''
business continuity and transition plan. The proposed rule would not
require an adviser to consolidate all of the components described in
proposed rule 206(4)-4 into one document. An adviser may maintain
separate plans that address the components identified in proposed
rule 206(4)-4.
\55\ We note that the Commission has explicitly required BCPs in
other contexts, and that FINRA has adopted specific rules on BCPs
for broker-dealers. See Regulation SCI Adopting Release, supra note
17; FINRA Rule 4370. Further, NASAA has also issued a model rule for
states to apply to state-registered advisers, which tend to be
smaller in scale and size than advisers registered with the
Commission. See NASAA Model Rule 203(a)-1A.
\56\ See, e.g., BlackRock FSOC Comment Letter at 10 (noting that
asset managers maintain BCPs); Fidelity FSOC Comment Letter at 32-33
(discussing BCPs).
\57\ We understand that in practice, adviser BCPs focus on risks
from events that would limit or impact normal operations, such as
natural disasters or systems failures, but also can address
transition planning. See supra note 39 (discussing the Compliance
Program Adopting Release and language therein regarding risks to
clients if an adviser ceases operations).
---------------------------------------------------------------------------
We are proposing new rule 206(4)-4 under the Advisers Act and
amendments to rule 204-2 under the Advisers Act. Under rule 206(4)-4,
it would be unlawful for an SEC-registered investment adviser to
provide investment advice unless the adviser adopts and implements a
written business continuity and transition plan and reviews that plan
at least annually. The proposed amendments to rule 204-2 would require
those advisers to make and keep copies of all written business
continuity and transition plans that are in effect or were in effect at
any time during the last five years, as well as any records documenting
the adviser's annual review of its business continuity and transition
plan.
1. Adopt and Implement Business Continuity and Transition Plans
The proposed rule would require SEC-registered advisers to adopt
and implement written business continuity and transition plans
reasonably designed to address operational and other risks related to a
significant disruption in the investment adviser's operations.\58\
These plans would include policies and procedures concerning (1)
business continuity after a significant business disruption, and (2)
business transition in the event the investment adviser is unable to
continue providing investment advisory services to clients. Business
continuity situations generally include natural disasters, acts of
terrorism, cyber-attacks, equipment or system failures, or unexpected
loss of a service provider, facilities, or key personnel. Business
transitions generally include situations where the adviser exits the
market and thus is no longer able to serve its clients, including when
it merges with another adviser, sells its business or a portion
thereof,\59\ or in unusual situations, enters bankruptcy
proceedings.\60\
---------------------------------------------------------------------------
\58\ See proposed rule 206(4)-4. We note that adviser BCPs are
also often referred to as business continuity and disaster recovery
plans; however, we have chosen to use the term ``business continuity
and transition plan'' to refer to plans required under the proposed
rule. We believe, however, that such plans would encompass disaster
recovery planning because any robust BCP would need to plan for the
recovery of its business operations and systems in order to be able
to continue providing services to clients. See proposed rule 206(4)-
4(b)(2)(i) (requiring business continuity and transition plans to
include maintenance of critical operations and systems, and the
protection, backup, and recovery of data).
\59\ See proposed rule 206(4)-4(b). We note with respect to
business transitions that there may be circumstances where an
adviser is unable to provide advisory services for only a portion of
its business, but is able to continue providing services with
respect to another portion of its business, and thus, only exits a
particular market. An adviser's business continuity and transition
plan generally should address the possibility of such a partial
transition. Cf. infra note 60 and accompanying text (discussing
business transitions generally).
\60\ For example, in 2015, F-Squared Investments, Inc. filed for
bankruptcy and arranged for its investment strategies to be managed
by another adviser. See F-Squared Article, supra note 47. In
addition, in 2005, funds managed by Strong were acquired by Wells
Fargo & Company and the ``legal entities comprising the Strong . . .
complex were subsequently liquidated.'' See BlackRock FSOC Comment
Letter at 62-63 (discussing the Strong transition); see also Press
Release, Wells Fargo Agrees to Acquire $34 Billion in Assets Under
Management From Strong Financial Corporation, Wells Fargo (May 26,
2004), available at http://www.wellscap.com/docs/press_releases/5.26.04.pdf.
---------------------------------------------------------------------------
The proposed rule is intended to help ensure that an adviser's
policies and procedures minimize material service disruptions and any
potential client harm from such disruptions. Advisers should keep this
focus at the forefront when reviewing their business operations and
developing their policies and procedures. Accordingly, the proposed
rule would require an SEC-registered adviser's business continuity and
transition plan to include policies and procedures designed to minimize
material service disruptions, including policies and procedures that
address certain specific components. We recognize that advisers'
business models and operations vary, but we believe that every business
continuity and transition plan must generally address operational and
other risks related to a significant disruption in the adviser's
operations and must address certain key components to plan and prepare
for such disruptions.\61\ While we believe advisers should generally
assess and inventory all of the components of their businesses in order
to develop their business continuity and transition plans and tailor
their plans to the specific risks their businesses face, we also
believe that identifying these key components should facilitate the
adoption and implementation of robust BCPs by all SEC-registered
investment advisers.
---------------------------------------------------------------------------
\61\ See supra notes 30-35 and accompanying text (discussing
certain key elements of BCPs). Other regulatory bodies and
organizations also have recognized key elements of business
continuity plans. See 17 CFR 23.603 (setting forth essential
components of BCPs for swap dealers and major swap participants);
FINRA Rule 4370 (setting forth minimum elements that a business
continuity plan should address); NASAA Model Rule 203(a)-1A (stating
certain elements the plan should address); FFIEC Handbook, supra
note 17, at G-1 (discussing components of effective BCPs).
---------------------------------------------------------------------------
Under the proposed rule, the content of an SEC-registered adviser's
business continuity and transition plan would be based upon risks
associated with the adviser's operations and would include policies and
procedures designed to minimize material service disruptions, including
policies and procedures that address the following: \62\ (1)
Maintenance of critical operations and systems, and the protection,
backup, and recovery of data; \63\ (2) pre-arranged alternate physical
location(s) of the adviser's office(s) and/or employees; \64\ (3)
communications with clients, employees, service providers, and
regulators; \65\ (4) identification and assessment of third-party
services critical to the operation of the adviser; \66\ and (5) plan of
transition that accounts for the possible winding down of the adviser's
business or the transition of the adviser's business to others in the
[[Page 43538]]
event the adviser is unable to continue providing advisory
services.\67\
---------------------------------------------------------------------------
\62\ We have modeled the proposed rule on BCP requirements for
other financial services firms that we believe share similar
vulnerabilities as investment advisers, as well as our staff's
examinations experiences, which have highlighted a number of best
practices as well as a number of areas for improvement specific to
investment advisers. For example, to assist advisers in considering
their own business continuity issues, the examination staff
previously identified a number of ``lessons learned'' from its
examinations of advisers that were affected by Hurricane Katrina.
See Compliance Alert, supra note 30. The staff noted certain
provisions in disaster recovery plans that appeared to be effective
in allowing an adviser to provide ``uninterrupted advisory services
to clients in a compliant manner after a disaster'' including (i) a
pre-arranged remote location for short-term and possible long-term
use; (ii) alternate communication protocols to contact staff and
clients; (iii) remote access to business records and client data
through appropriately secured means; (iv) temporary lodging for key
staff where necessary and effective training of staff on how to
fulfill essential duties in the event of a disaster; (v) maintaining
accurate and up-to-date contact information for all third-party
service providers and familiarity with the BCPs of those providers;
(vi) contingency arrangements for loss of key personnel; (vii)
periodic testing, evaluation and revision of the plan; and (viii)
maintaining sufficient insurance and financial liquidity to prevent
any interruption of the performance of compliant advisory services.
\63\ See proposed rule 206(4)-4(b)(2)(i).
\64\ See proposed rule 206(4)-4(b)(2)(ii).
\65\ See proposed rule 206(4)-4(b)(2)(iii).
\66\ See proposed rule 206(4)-4(b)(2)(iv).
\67\ As discussed more below, the plan of transition would have
to include (1) policies and procedures intended to safeguard,
transfer and/or distribute client assets during transition; (2)
information regarding the corporate governance of the adviser; (3)
the identification of any material financial resources available to
the adviser; (4) policies and procedures facilitating the prompt
generation of any client-specific information necessary to
transition each client account; and (5) an assessment of the
applicable law and contractual obligations governing the adviser and
its clients, including pooled investment vehicles, implicated by the
adviser's transition. See proposed rule 206(4)-4(b)(2)(v).
---------------------------------------------------------------------------
While each SEC-registered adviser's business continuity and
transition plan must address the components set forth in the proposed
rule, we recognize that the degree to which an adviser's plan addresses
a required component will depend upon the nature of each particular
adviser's business. We also recognize that business models and
operations vary significantly among advisers.\68\ The proposed rule
thus would require that the plan be reasonably designed to address the
operational and other risks of an adviser and thus advisers need only
take into account the risks associated with its particular operations,
including the nature and complexity of the adviser's business, its
clients, and its key personnel.\69\ For example, we believe that the
business continuity and transition plan of a large adviser with
multiple locations, offices, or business lines likely would differ
significantly from that of a small adviser with a single office or only
a few investment professionals and employees. Additionally, we believe
that the business continuity and transition plan of an adviser with a
complex internal technology infrastructure likely would differ from
that of an adviser that primarily uses an outsourced model.\70\ The
complexity and risks associated with these diverse business models
could be substantially different, and our proposed rule is designed to
give advisers the flexibility to create business continuity and
transition plans that accommodate such differences.
---------------------------------------------------------------------------
\68\ See Comment Letter of Wellington Management Group LLP to
FSOC Notice (Mar. 25, 2015) at 2 (``The unique characteristics of
today's asset management industry (agency and advice based: Low
barriers to entry: High substitutability among managers: And highly
competitive) result in a large number of asset management firms that
are organized in a variety of models.'').
\69\ See, e.g., BlackRock FSOC Comment Letter at 9 (noting that
``understanding the differences in operating models is crucial'' in
assessing the potential operational risk of an asset manager).
\70\ Id. at 71. A larger adviser may conduct (insource) some or
all middle and back office functions (e.g., securities
administration, accounting, and recordkeeping) internally. Whereas
in an outsourced model, the asset management firm hires third-party
providers to perform various middle and back office functions.
---------------------------------------------------------------------------
a. Maintenance of Critical Operations and Systems, and the Protection,
Backup, and Recovery of Data, Including Client Records
The proposed rule would require advisers' business continuity and
transition plans to include policies and procedures on the maintenance
of critical operations and systems, and the protection, backup, and
recovery of data, including client records.\71\ With respect to
maintaining critical operations/systems, an adviser's plan generally
should identify and prioritize critical functions, operations, and
systems and consider alternatives and redundancies to help maintain the
continuation of operations in the event of a significant business
disruption.\72\ When evaluating which operations and systems are
critical, advisers generally should consider those that are utilized
for prompt and accurate processing of portfolio securities transactions
on behalf of clients, including the management, trading, allocation,
clearance and settlement of such transactions. Advisers generally
should also consider operations and systems that are critical to the
valuation and maintenance of client accounts, access to client
accounts, and the delivery of funds and securities. This typically will
include identification and assessment of third-party services that
support certain functions, as activities conducted may involve systems
and processes that the adviser controls and others that may be wholly
or partially dependent on third-party vendors, which we address below.
Advisers generally also should identify which key personnel either
provide critical functions to the adviser or support critical
operations or systems of the adviser such that the temporary or
permanent loss of those individuals would disrupt the adviser's ability
to provide services to its clients.
---------------------------------------------------------------------------
\71\ We note that Regulation SCI also includes requirements
regarding the maintenance of systems. Rule 1001(a) requires each SCI
entity to establish, maintain, and enforce policies and procedures
that are reasonably designed to ensure that its ``SCI systems'' have
levels of capacity, integrity, resiliency, availability, and
security, adequate to maintain the SCI entity's operational
capability and promote the maintenance of fair and orderly markets.
Moreover, rule 1001(a)(2)(v) also requires that these policies and
procedures include business continuity and disaster recovery plans
that are reasonably designed to achieve two-hour resumption of
``critical SCI systems'' following a wide-scale disruption. 17 CFR
242.1001. We note that in the Regulation SCI Adopting Release, the
Commission stated that it would monitor and evaluate the
implementation of Regulation SCI, the risks posed by systems of
other market participants, and the continued evolution of the
securities markets, and in the future may consider extending the
types of requirements in Regulation SCI to other market
participants, including investment advisers. See Regulation SCI
Adopting Release, supra note 17, at 72259. We note that the proposed
rule would not apply Regulation SCI to investment advisers. Rather,
the Commission is proposing this rule in light of the specific
operations and businesses of investment advisers and the risks they
present.
In addition to Regulation SCI, we note, as discussed above,
that our staff has previously highlighted the importance of access
to business records and client data as well as backup servers and
other telecommunications services in the context of business
continuity planning. See supra notes 30 and 33, and accompanying
text. We also note that other regulatory bodies and organizations
have stressed the importance of critical systems and data protection
in the context of BCPs. See, e.g., 17 CFR 23.603(b)(1), (4) and (6)
(requiring BCPs to include identification of documents, data,
facilities and infrastructure, as well as backup or copying of
documents and data, essential to operations, and procedures for and
the maintenance of backup facilities, systems and infrastructure);
FINRA Rule 4370(c)(1) and (2) (requiring BCPs to address data backup
and recovery (both hard copy and electronic) as well as mission
critical systems); NASAA Model Rule 203(a)-1A(1) (stating that BCPs
should provide for ``protection, backup and recovery of books and
records''); SIFMA, Business Continuity Planning Expanded Practices
Guidelines (Apr. 2011) (``SIFMA Guidelines'') at 27 and 32,
available at http://www.sifma.org/uploadedfiles/services/bcp/sifma-bc-practices-guidelines2011-04.pdf (noting that businesses should
ensure ``the functionality and availability of critical business
applications'' and ``that redundant copies of vital records'' are
securely stored and available during an emergency).
\72\ Following the publication of the Interagency Paper, the
Commission, together with the Federal Reserve and the Office of the
Comptroller of the Currency, issued a joint report that discussed
the industry's efforts to implement the recommendations contained in
the Interagency Paper (``Joint Report''). The Joint Report notes
that the Interagency Paper addresses reasonable recovery time
objectives and identifies specific risk-based recovery standards in
order ``to assure that there will be a relatively consistent degree
of preparedness across'' the industry. See Joint Report on Efforts
of the Private Sector to Implement the Interagency Paper on Sound
Practices to Strengthen the Resilience of the U.S. Financial System
(Apr. 2006) at 3, available at https://www.sec.gov/news/press/studies/2006/soundpractices.pdf; see also MFA FSOC Comment Letter at
45 (citing to the MFA's recommendations to hedge fund managers that
they design and implement business continuity/disaster recovery
plans ``reasonably designed to: (1) Identify and prioritize critical
business functions. . .'').
---------------------------------------------------------------------------
We believe that by considering alternatives and redundancies for
critical operations and systems in advance of significant business
disruptions, an adviser will be able to prioritize, recover, and resume
key aspects of its business in a timely manner and consequently be
better able to act in its clients' best interests and continue
providing services to its clients during such a disruption.\73\ For
[[Page 43539]]
example, if most securities operations functions (post-trade
processing, corporate actions, reconciliation, etc.) are handled
internally by the adviser,\74\ then the adviser's plans should address
the backup systems or other alternative processes or procedures that
will be used or followed in the event of a business disruption where
standard operations may not be available. Additionally, we believe that
contingency plans with respect to key personnel generally should
address both the temporary or permanent loss of such personnel. For
example, loss of key personnel could result from an employee's sudden
departure from the adviser or could be due to a weather related event
that renders the employee temporarily unavailable. Accordingly, an
adviser's business continuity and transition plan generally should
include short-term arrangements, such as which specific individuals
would satisfy the role(s) of key personnel when unavailable, and long-
term arrangements regarding succession planning and how an adviser will
replace key personnel.\75\
---------------------------------------------------------------------------
\73\ Investment advisers should also generally consider in their
business continuity planning circumstances in which a service
provider (including another investment adviser that provides
operations or systems to the adviser) is permanently unable to
provide the adviser with critical operations or systems. See, e.g,
Financial Conduct Authority, Outsourcing in the Asset Management
Industry: Thematic Project Findings Report (Nov. 2013) (``FCA
Paper''), available at http://www.fca.org.uk/static/documents/thematic-reviews/tr13-10.pdf (``Based on our initial assessment of
asset managers last year, we concluded that firms in the sample were
unprepared for a failure of their service provider.''). The FCA
Paper suggested that asset managers should review their own
outsourcing arrangements and where appropriate (i) ``enhance their
contingency plans for the failure of a service provider providing
critical activities, taking into account industry-led guiding
principles where applicable'' and (ii) ``assess the effectiveness of
their oversight arrangements to oversee critical activities
outsourced to a service provider, making sure the required expertise
is in place.''
\74\ As discussed above, investment advisers that are also
registered broker-dealers will be subject to both the proposed rule
and FINRA's rule 4370 regarding BCPs. While we believe the two rules
are largely complementary, we note that SEC-registered advisers
would have to comply with the requirements of proposed rule 206(4)-4
with respect to their advisory functions. See supra note 18.
\75\ An adviser should also consider whether the departure of
key personnel may trigger contractual obligations with clients,
investors, or counterparties. For example, private funds clients may
contain redemption rights for its investors upon the departure of
specified investment personnel.
---------------------------------------------------------------------------
With respect to data protection, backup, and recovery, a business
continuity and transition plan generally should address both hard copy
and electronic backup, as appropriate.\76\ A reasonably designed
business continuity and transition plan generally should recognize that
significant business disruptions may prevent access to electronic
copies of data (e.g., power or internet outage) and hard copies of data
(e.g., cannot access building where data is located). Such a plan
should also recognize the important role electronic records can play in
carrying out the adviser's plan of transition in a timely manner.
---------------------------------------------------------------------------
\76\ This proposed requirement would be consistent with the
existing requirement for SEC-registered investment advisers to
maintain specific books and records relating to its investment
advisory business. See rule 204-2(a) and (g). The ``books and
record'' rule requires advisers to have procedures: to reasonably
protect electronic records from loss, alteration, or destruction; to
limit access to electronic records; and to assure that electronic
records that are created from hard copy are complete, true, and
legible. See rule 204-2(g)(3).
---------------------------------------------------------------------------
Additionally, in connection with data backup and recovery, a
business continuity and transition plan generally should include an
inventory of key documents (e.g., organizational documents, contracts,
policies and procedures), including the location and description of the
item, and a list of the adviser's service providers relationships that
are necessary to maintaining functional operations. This documentation
generally should include details of the adviser's management structure,
risk management processes, and financial and regulatory reporting
requirements. We believe such documentation would make it easier for an
adviser and its employees to access important operations/systems,
documents, and relationships during a significant business disruption.
Finally, we note with respect to data protection, backup and
recovery, one type of potentially significant business disruption is a
cyber-attack. An adviser generally should consider and address as
relevant the operational and other risks related to cyber-attacks.\77\
We believe exposure to compliance and operational risks that may be
caused by cybersecurity incidents can be mitigated by addressing such
risks in the context of business continuity planning.\78\
---------------------------------------------------------------------------
\77\ Our staff recently highlighted a number of measures for
advisers to consider in the context of cybersecurity and noted that
``advisers should identify their . . . compliance obligations under
the federal securities laws and take into account these obligations
when assessing their ability to prevent, detect and respond to cyber
attacks.'' See Cybersecurity Guidance, IM Guidance Update (Apr.
2015), available at http://www.sec.gov/investment/im-guidance-2015-02.pdf. In March 2014, the Commission hosted a roundtable on
cybersecurity, which highlighted the Commission's focus on
cybersecurity-related issues and a number of Commission actions
relating to cybersecurity. The Commission is also focused on
cybersecurity risk issues related to investment advisers, including
data protection and identity theft vulnerabilities. See Chair Mary
Jo White, Opening Statement at SEC Roundtable on Cybersecurity (Mar.
26, 2014), available at http://www.sec.gov/News/PublicStmt/Detail/PublicStmt/1370541286468; see also Identity Theft Red Flags Rules,
Securities Exchange Act Rel. No. 69359 (Apr. 10, 2013); see also
Cybersecurity Roundtable, SEC, available at http://www.sec.gov/spotlight/cybersecurity-roundtable.shtml (providing information on
the roundtable). We also note that the National Institute of
Standards and Technology (``NIST'') has issued a framework for
improving cybersecurity and that it recently sought comment on this
framework. See NIST, Framework for Improving Critical Infrastructure
Cybersecurity (Feb. 12, 2014), available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf; NIST,
Cybersecurity Framework--Overview, available at http://www.nist.gov/cyberframework/# (discussing requests for comment on the
cybersecurity framework).
\78\ We recognize that advisers also may have additional
policies and procedures to address compliance and operational risks
related to cybersecurity incidents.
---------------------------------------------------------------------------
b. Pre-Arranged Alternate Physical Location(s)
The proposed new rule would also require an adviser's business
continuity and transition plan to include pre-arranged alternate
physical location(s) of its office(s) and/or employees. As our staff
has indicated a number of times, alternate or remote locations are
essential for an adviser to continue providing services during a
significant business disruption.\79\ Accordingly, when developing
business continuity and transition plans, advisers generally should
consider the geographic diversity of their offices or remote sites and
employees, as well as access to the systems, technology, and resources
necessary to continue operations at different locations in the event of
a disruption.\80\ For example, an adviser
[[Page 43540]]
may recognize that a significant business disruption could limit access
to its primary or only office for an extended period of time and,
therefore, establish a satellite office or plan to use a remote site in
another location or geographic region and may also allow remote access
by employees so the adviser could continue to have access to the
facilities, systems, and personnel necessary to carry on its
business.\81\
---------------------------------------------------------------------------
\79\ See supra notes 30 and 32, and accompanying text; see also
Regulation SCI Adopting Release, supra note 17 (requiring an SCI
entity's business continuity and disaster recovery plan to include
``geographically diverse'' backup and recovery capabilities). We
note that other regulatory bodies and organizations have also
recognized the importance of alternate sites and geographic
diversity in business continuity planning. See, e.g., 17 CFR
23.603(b)(5) (requiring backup facilities, infrastructure and
alternative staffing in geographically separate areas); FINRA Rule
4370(c)(6) (requiring BCPs to address ``alternate physical location
of employees''); NASAA Model Rule 203(a)-1A(3) (stating that BCPs
should provide for ``office relocation in the event of temporary or
permanent loss of a principal place of business''); FFIEC Handbook,
supra note 17, at G14 (stating that a ``BCP should address site
relocation for short-, medium-, and long-term disaster and
disruption scenarios''); Interagency Paper, supra note 16 (noting
that backup sites should not rely on the same infrastructure
components used by the primary site, should not be impaired by a
wide-scale evacuation at or the inaccessibility of staff that
service the primary site, and should consider staffing needs at the
backup site if the firm relies on the same labor pool for both its
primary and back up sites).
\80\ We are not proposing to require that an adviser's business
continuity and transition plan include an alternative location at a
specified distance away from its primary location because we
believe, as discussed above, that an adviser's plan should be
tailored to its particular operations and that, while a specified
distance may be appropriate for one adviser's alternate location, it
may not be appropriate for all advisers. Nonetheless, we believe
advisers generally should consider whether their alternative
locations are in such close proximity to each other or to its
primary location that they may be sharing common infrastructure
providers and thus, that the alternative locations would be
similarly affected by an external event.
\81\ An adviser should consider the technology, systems, and
resources necessary for employees working remotely to continue to
securely conduct the adviser's business.
---------------------------------------------------------------------------
c. Communications With Clients, Employees, Service Providers, and
Regulators
Under the proposed rule, a business continuity and transition plan
would also need to address communications with clients, employees,
service providers, and regulators. We believe that communication plans
are an essential element of effective business continuity and
transition plans and generally should cover communications with parties
involved in the critical aspects of the adviser's operations.\82\ For
example, if an adviser's employees are unaware that a disruption has
occurred and the adviser's business continuity and transition plan has
been activated, the plan will likely fail. An adviser's communication
plan generally should cover, among other things, the methods, systems,
backup systems, and protocols that will be used for communications, how
employees are informed of a significant business disruption, how
employees should communicate during such a disruption, and contingency
arrangements communicating who would be responsible for taking on other
responsibilities in the event of loss of key personnel.\83\ Adviser
business continuity and transition plans generally should also address
employee training, so that in the event of a significant business
disruption employees understand their specific roles and
responsibilities and are able to carry out the adviser's plan.
---------------------------------------------------------------------------
\82\ As discussed above, our staff has previously noted the
important role that communication plans can play in business
continuity planning. See supra notes 30 and 34 and accompanying
text. Additionally, we note that other regulatory bodies and
organizations have focused on communications in the context of BCPs.
See, e.g., 17 CFR 23.603(b)(3) (requiring BCPs to include
communication plans with respect to employees, vendors, and
regulatory authorities); FINRA Rule 4370(c)(4), (5), and (9)
(requiring BCPs to address communications with customers, employees
and regulators); NASAA Model Rule 203(a)-1A(2) (stating that BCPs
should provide for alternate communications with ``customers, key
personnel, employees, vendors, service provides. . .and regulators.
. . .''); FFIEC Handbook, supra note 17, at G-4 (stating that
``[c]ommunication is a critical aspect of a BCP and should include
communication with employees, . . . regulators, vendors/suppliers
(detailed contact information), [and] customers (notification
procedures) . . . .'').
\83\ See supra section I.C.1.a.
---------------------------------------------------------------------------
Moreover, advisers should consider when and how it is in their
clients' best interests to be informed of a significant business
disruption and/or its impact. Accordingly, with respect to clients, a
business continuity and transition plan generally should include the
process by which the adviser would have prompt access to client records
that include the name and relevant contact and account information for
each client as well as investors in private funds sponsored by the
investment adviser.\84\ These plans generally should include how
clients will be made aware of and updated about a significant business
disruption that materially impacts ongoing client services (e.g.,
periodic updates to Web sites and customer service lines) and, when
applicable, how clients will be contacted and advised if account access
is impacted during such a disruption.
---------------------------------------------------------------------------
\84\ For a private fund to qualify for the exclusion from the
definition of ``investment company'' in either section 3(c)(1) or
3(c)(7) of the Investment Company Act of 1940 (``Investment Company
Act'') or rely on various offering exemptions under the Securities
Act of 1933, the private fund is already required to have a
reasonable belief regarding certain qualification information with
regard to its beneficial owners that are U.S. persons. See, e.g., 17
CFR 270.2a51-1(h), 17 CFR 230.501(a). While the private fund may not
be required to have such detailed information about non-U.S. person
beneficial owners, we understand it generally has contact
information readily available.
---------------------------------------------------------------------------
Similarly, an adviser's communication plan with its service
providers generally should include, among other things, how the service
provider will be notified of a significant business disruption at the
adviser as well as how the adviser will be notified of a significant
business disruption at a service provider, and how the entities will
communicate with one another and clients or investors (where
applicable) \85\ during a disruption. With respect to communications
with the adviser's regulators, the adviser's business continuity and
transition plan generally should include the contact information for
relevant regulator(s), and identify the personnel responsible for
notifying, as well as under what circumstances it would notify, such
regulator(s) of a significant business disruption.
---------------------------------------------------------------------------
\85\ For example, pooled investment vehicles generally rely on
their investment advisers to arrange for and interact with fund
service providers. If an adviser to an investment company, for
example, outsources certain back office functions, such as transfer
agency to a third-party vendor, its business continuity and
transition plan should address coordination of communications with
the transfer agent to investors in the fund, as well as with
intermediaries servicing investors who also are beneficial owners of
the fund.
---------------------------------------------------------------------------
d. Identification and Assessment of Third-Party Services Critical to
the Operation of the Adviser
The proposed rule would require an adviser's business continuity
and transition plan to include the identification and assessment of
third-party services critical to the operation of the adviser.\86\ We
understand advisers frequently outsource certain functions or aspects
of their operations or use third-parties' systems or vendors for their
middle and back office functions in order to permit the adviser to
focus on front office core functions, such as portfolio management and
trading.\87\ To the extent critical services are outsourced to third-
parties, we believe that an adviser generally should be prepared for
significant business disruptions that could impair its ability to act
in its clients' best interests by having a business continuity and
transition plan that addresses the critical services provided to it by
such third parties.\88\
---------------------------------------------------------------------------
\86\ We note that Regulation SCI includes specific requirements
with respect to the resumption of ``critical SCI systems,''
differentiating these systems from other systems covered by the
regulation. See 17 CFR 242.1000 and 242.1001(a)(2)(v) of Regulation
SCI. In addition, as discussed above, our staff has previously noted
the importance of addressing third-party relationships in the
context of BCPs. See supra notes 30 and 33, and accompanying text.
Additionally, we note that other regulatory bodies and organizations
have noted that BCPs should address third-party relationships. See,
e.g., 17 CFR 23.603(b)(7) (requiring ``identification of potential
business interruptions encountered by third parties that are
necessary to continued operations'' and ``a plan to minimize the
impact''); FINRA Rule 4370(c)(7) (requiring BCPs to address
``critical business constituent, bank, and counterparty impact'');
SIFMA Guidelines, supra note 71, at 30 (stating that BCPs should
include internal and external business partners and that firms
should be familiar with the BCPs and risks of those partners).
\87\ For example, we frequently see middle office functions such
as administration of the front office and trades and related
transactions, including securities operations and processing
(confirmation, routing, matching, and settlement trades), pricing/
valuation, reconciliation (both cash and positions), and post trade
compliance and reporting, outsourced to third parties.
\88\ The nature of advisory business is such that advisers
typically depend on a number of third-party service providers and
systems vendors (e.g., broker-dealers, custodians, etc.) in
providing services to their clients.
---------------------------------------------------------------------------
In this regard, an adviser's business continuity and transition
plan should identify critical functions and services provided by the
adviser to its clients, and third-party vendors supporting or
conducting critical functions or services for the adviser and/or on the
adviser's behalf.\89\ An adviser generally should
[[Page 43541]]
consider a variety of factors when identifying and prioritizing which
service providers should be deemed critical, such as the day-to-day
operational reliance on the service provider and the existence of a
backup process or multiple providers, whether or not the service
provided includes direct contact with clients or investors, and whether
the service provider is maintaining critical records or able to access
personally identifiable information, among other things. We would
generally consider critical service providers to at least include those
providing services related to portfolio management, the custody of
client assets, trade execution and related processing, pricing, client
servicing and/or recordkeeping, and financial and regulatory reporting.
---------------------------------------------------------------------------
\89\ The Joint Report noted that, notwithstanding the use of a
service provider to perform various activities, a firm ``cannot
shift responsibility for compliance and risk management to the
service provider. . . . Should a service provider not have the
appropriate level of resilience, a financial institution would be
required to move to a provider that can demonstrate an appropriate
level of resilience.'' See Joint Report, supra note 72 at 6.
We also encourage advisers to be familiar with the terms of
their contracts with critical service providers, including any
provisions regarding the termination or assignment of the contract
and any notice requirements related to those provisions.
---------------------------------------------------------------------------
Once an adviser identifies its critical service providers, it
should review and assess how these service providers plan to maintain
business continuity when faced with significant business disruptions
and consider how this planning will affect the adviser's
operations.\90\ For example, if an adviser's business continuity and
transition plan contemplates that it will rely on a particular service
provider for a critical service, the adviser generally should be aware
of whether the service provider has a BCP and if that BCP provides
alternatives, including backup plans, to allow it to continue providing
critical services during a significant business disruption. If the
service provider does not have a BCP or if its BCP does not provide for
such alternatives, the adviser generally should consider alternatives
for such critical services, which may include other service providers
or internal functions or processes that can serve as a backup or
contingency for such critical services.\91\
---------------------------------------------------------------------------
\90\ In late August 2015, Bank of New York Mellon (``BNY
Mellon''), a service provider that provides custodial and
administrative services to mutual funds, closed-end funds, and
exchange-traded funds, experienced a breakdown in one of its third-
party systems (SunGard's InvestOne) used to calculate numerous
client funds' net asset values (``NAVs''). As a result of this
breakdown, BNY Mellon was unable to deliver timely system-generated
NAVs to certain clients for several days, which resulted in certain
clients pricing their shares using stale or manually calculated NAVs
and certain ETFs using stale baskets. Once the automated system was
restored, ETF baskets were updated and certain funds had to review
the NAVs used while the automated system was down and make any
necessary corrections. See, e.g., Stephen Foley, BNY Mellon Close to
Resolving Software Glitch, Financial Times (Aug. 31, 2015),
available at http://www.ft.com/intl/cms/s/0/47d5860a-4f2b-11e5-b029-b9d50a74fd14.html; Jessica Toonkel & Tim McLaughlin, BNY Mellon
Pricing Glitch Affects Billions of Dollars of Funds, Reuters (Aug.
26, 2015), available at http://www.reuters.com/article/bnymellon-funds-nav-idUSL1N1111QY20150826; Barrington Partners White Paper, An
Extraordinary Week: Shared Experiences from Inside the Fund
Accounting System Failure of 2015 (Nov. 2015), available at http://www.mfdf.org/images/uploads/blog_files/SharedExperiencefromFASystemFailure2015.pdf; Transcript of the BNY
Mellon Teleconference Hosted by Gerald Hassell on the Sungard Issue,
available at https://www.bnymellon.com/_global-assets/pdf/events/transcript-of-bny-mellon-teleconference-on-sungard-issue.pdf.
\91\ We recognize that it may not be feasible or may be cost
prohibitive for an adviser to retain backup service providers,
vendors, and/or systems for all critical services. In such cases, an
adviser should consider backup plans, functions and/or processes to
address how it will manage the loss of a critical service.
---------------------------------------------------------------------------
We also recognize that advisers often play a key role in
identifying, arranging for, and overseeing other service providers for
certain of their clients as part of their sponsoring roles. For
example, an adviser may arrange for a particular administrator or
pricing vendor for a registered investment company client or private
fund client.\92\ Accordingly, we believe an adviser should generally
review and assess how the critical service providers it arranges and/or
oversees for its clients plan to maintain business continuity when
faced with significant business disruptions and consider how this
planning will affect its clients' operations.\93\
---------------------------------------------------------------------------
\92\ See supra note 85.
\93\ See, e.g., supra note 89.
---------------------------------------------------------------------------
We understand that many advisers currently take a variety of steps
to understand the operational and other risks of their service
providers and those of certain clients' critical service providers,\94\
such as reviewing a summary of a service provider's BCP, due diligence
questionnaires, an assurance report on controls by an independent
party,\95\ certifications or other information regarding a provider's
operational resiliency or implementation of compliance policies,
procedures, and controls relating to its systems, results of any
testing, and conducting onsite visits. Factors such as the significance
of the service provider to advisory operations, the type of service
provided, and the adviser's ability to require or request actions of
its service providers will impact the steps that advisers should
consider taking.
---------------------------------------------------------------------------
\94\ See, e.g., BlackRock FSOC Comment Letter; see also Risk
Principles for Asset Managers, supra note 4, at 19 (``The increased
level of outsourcing to third party service providers has changed
not only their outsourcing risk profile but such significant changes
to an organization's business model can lead to many process and
control changes and could therefore increase the exposure to other
(operational) risk areas (e.g., country risk and service provider
oversight)''); cf. rule 38a-1(a)(2) (requiring registered investment
company boards to approve policies and procedures that provide for
the oversight of compliance by the fund's investment adviser and
certain other named service providers). Such approval must be based
on a finding that the policies and procedures are reasonably
designed to prevent violations of the federal securities laws by the
fund, the investment adviser and the other named service providers.
See id.
\95\ See Investment Company Institute, Financial Intermediary
Controls and Compliance Assessment Engagements (Dec. 2015) at 8,
available at https://www.ici.org/pdf/ppr_15_ficca.pdf (identifying a
financial intermediary's ``Business Continuity/Disaster Recovery
Program'' as one of 17 areas of focus that ``should be addressed on
an annual basis as part of the financial intermediary's controls and
compliance engagements.''); see also AICPA, Reporting on Controls at
a Service Organization (2015), available at http://www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AT-00801.pdf.
Many advisers review SSAE 16 reports that are prepared by an
independent public accountant in accordance with the American
Institute of CPAs' Auditing Standards Boards' Statement on Standards
for Attestation Engagements No. 16, Reporting on Controls at a
Service Organization. These reports provide assurances that the
service provider has established a system of internal controls, that
the internal controls are suitably designed to achieve specified
objectives, and that the internal controls are operating
effectively.
---------------------------------------------------------------------------
e. Transition Plan
Under the proposed rule, an adviser's business continuity and
transition plan would have to include a plan of transition that
accounts for the possible winding down of the adviser's business or the
transition of the adviser's business to others in the event the adviser
is unable to continue providing advisory services.\96\ Advisers facing
the decision to exit the market commonly do so by: (1) Selling the
adviser or substantially all of the assets and liabilities of the
adviser, including the existing advisory contracts with its clients, to
a new owner; (2) selling certain business lines or operations to
[[Page 43542]]
another adviser; \97\ or (3) the orderly liquidation of fund clients or
termination of separately managed account relationships.\98\ Regardless
of the method an adviser chooses to effect a transition, we believe
that assessing and planning for potential impediments associated with
that method should help an adviser act in its clients' best interests
by seeking to mitigate potentially negative effects on its clients and
investors.\99\
---------------------------------------------------------------------------
\96\ Cf. FINRA Rule 4370(c)(10) (requiring BCPs to address
``[h]ow the member will assure customers' prompt access to their
funds and securities in the event that the member determines that it
is unable to continue its business''); NASAA Model Rule 203(a)-1A(4)
(stating that BCPs should provide for the ``[a]ssignment of duties
to qualified responsible persons in the event of the death or
unavailability of key personnel''). Transition of an adviser's
business to others generally would, for example, include a situation
where the adviser is a sole proprietor who is no longer able to
provide advisory services and is, therefore, transferring its
business to another person/firm or winding down operations entirely.
Such succession/transition planning generally should be accounted
for in the context of an adviser's plan of transition.
\97\ See supra note 59 (discussing partial transitions of an
adviser's business).
\98\ See, e.g., Prudential Financial Inc. 2014 Resolution Plan:
Public Section (June 30, 2014), available at http://www.federalreserve.gov/bankinforeg/resolution-plans/prudential-fin-1g-20140701.pdf; American International Group, Inc. Resolution Plan
Section 1: Public Section (July 1, 2014), available at http://www.federalreserve.gov/bankinforeg/resolution-plans/aig-1g-20140701.pdf. These two nonbank financial companies have been
designated ``systemically'' important by FSOC and also have
investment adviser subsidiaries. The publicly-available summaries of
their resolution plans filed with the Federal Reserve indicate that
they would seek to either sell their advisory businesses or seek
Chapter 11 bankruptcy proceedings for their advisory entities.
\99\ An adviser may also wish to consider in the context of its
transition plan, if and when it would be appropriate to use a
transition manager. A transition manager facilitates and coordinates
``the transition of asset management from one manager to another, or
from one asset class or investment strategy to another.'' See supra
note 41.
---------------------------------------------------------------------------
We believe that a plan of transition generally should account for
transitions in both normal and stressed market conditions,\100\ and
generally should consider each type of advisory client, the adviser's
contractual obligations to clients, counterparties, and service
providers, and the relevant regulatory regimes under which the adviser
operates.\101\ Under the proposed rule, the transition components of a
business continuity and transition plan would have to include (1)
policies and procedures intended to safeguard, transfer and/or
distribute client assets during transition; (2) policies and procedures
facilitating the prompt generation of any client-specific information
necessary to transition each client account; (3) information regarding
the corporate governance structure of the adviser; (4) the
identification of any material financial resources available to the
adviser; and (5) an assessment of the applicable law and contractual
obligations governing the adviser and its clients, including pooled
investment vehicles, implicated by the adviser's transition. Each of
the proposed required components of an adviser's transition plan is
designed to help an adviser be well prepared for a transition so that
it can act quickly and in its clients' best interests if and when a
transition occurs.
---------------------------------------------------------------------------
\100\ See supra notes 38-39 and accompanying text (discussing
the 2008 financial crisis and transition planning generally).
\101\ In addition to contractual obligations to its clients and
vendors, an adviser that provides other services to entities, such
as to another adviser, generally should consider its contractual
obligations as a service provider to those other entities as it
plans for a transition event.
---------------------------------------------------------------------------
We believe that preserving the safety of client assets and the
ability to promptly produce and transfer the information necessary for
the ongoing management of client assets is fundamental to an adviser
acting in the best interests of its clients. The adviser's policies and
procedures addressing how the adviser intends to safeguard, transfer
and/or distribute client assets in the event of a transition generally
should consider the unique attributes of each type of the adviser's
clients (e.g., registered investment companies, private funds,
separately managed accounts) and how the adviser plans to transfer
accurate client information to other advisers or their service
providers. For example, the transfer of client information with respect
to registered investment companies and private funds may be more
complex than that of separately managed accounts because registered
investment companies and private funds typically have multiple
investors, whereas separately managed accounts typically have only one
investor.
It is our understanding that the methods for safeguarding,
transferring, and/or distributing client assets may vary by client type
and that the best method for one client might not be the best method
for another.\102\ Thus, we believe an adviser's policies and procedures
should appropriately account for the different methods in which it
plans to safeguard, transfer, and/or distribute assets of its different
types of clients. Additionally, if a client account holds assets that
would require special instruction or treatment in the event of
transition, an adviser's policies and procedures generally should
address such instruction or treatment.\103\
---------------------------------------------------------------------------
\102\ For example, if the adviser manages registered investment
companies, the investment companies' board(s) may determine that the
best method for transferring the assets of these funds is to
reorganize them into funds managed by a new adviser. Separately
managed accounts, however, would not be reorganized, but may have
other considerations unique to them, such as whether a new custodian
would be necessary for a new adviser.
\103\ For example, it is our understanding that when
transitioning accounts from one adviser to another, derivatives
positions require special treatment in that they are typically
unwound rather than transferred to the new adviser and that the
terms of the derivatives instrument may dictate whether and how such
unwinding takes place.
---------------------------------------------------------------------------
Further, the transition plan should also contain policies and
procedures that would facilitate the prompt generation of any client-
specific information necessary to transition a client account, such as
the identity of custodians, positions, counterparties, collateral, and
related records of each client. Similar to the need to have accurate
and accessible client information in the event of a business continuity
scenario, we believe that this information is necessary to effect a
smooth transition of the management of client accounts.
We believe senior executives at an investment adviser generally,
and especially in times of stress, should be able to quickly identify
the important decision-makers within the organization and understand
the inter-relationships between the adviser and any affiliated entities
to be able to assess whether and how issues at an affiliate may affect
the advisory entity. For example, an adviser that uses an affiliate as
a qualified custodian may face additional issues if the transition
event is related to that affiliate's operations. We believe that this
information is necessary if the adviser needs to assess the manner in
which it can exit the market with minimal adverse effect on its clients
or to take steps necessary to protect itself from issues that may stem
from an affiliated entity. Accordingly, with respect to the adviser's
corporate governance structure, the transition component of a business
continuity and transition plan generally should include an
organizational chart and other information about the adviser's
ownership and management structure, including the identity and contact
information for key personnel, and the identity of affiliates (both
foreign and domestic) whose dissolution or distress could lead to a
change in or material impact to the adviser's business operations.\104\
---------------------------------------------------------------------------
\104\ An advisory entity may be adversely affected by an
affiliate's distress if, for example, the adviser and distressed
affiliate share systems, personnel, sources of financing, or similar
names.
---------------------------------------------------------------------------
Registered investment advisers manage a variety of products and
security types, with investments in and investors from various
jurisdictions and are subject to a variety of contractual and legal
obligations and regulatory regimes. An adviser's ability to seamlessly
transition advisory services could be impacted by its or its clients'
contractual obligations or the various regulatory regimes under which
the adviser or its advisory client may be subject. For example, an
adviser's insolvency or termination may trigger a termination clause in
a client's
[[Page 43543]]
derivative contract.\105\ Also, the board and shareholders of a
registered investment company must approve an advisory contract with
any new adviser \106\ and the Advisers Act requires advisory contracts
to include a provision that a contract cannot be assigned without
client consent.\107\ Other regulatory regimes may require regulatory
approval for certain acts,\108\ which may be further complicated by the
need for cross-border cooperation if the adviser operates in multiple
jurisdictions \109\ or the adviser's pooled investment vehicle clients
are domiciled in different jurisdictions.\110\ Accordingly, we are
proposing that an adviser's transition plan include an assessment of
the applicable law and contractual obligations governing the adviser
and its clients, including pooled investment vehicles, implicated by
the adviser's transition.
---------------------------------------------------------------------------
\105\ Some ISDA contracts include the default provision allowing
for the counterparty to terminate a contract upon the change of
advisers.
\106\ Section 15(a) of the Investment Company Act states that
``[i]t shall be unlawful for any person to serve or act as
investment adviser of a registered investment company except
pursuant to a written contact, which . . . has been approved by the
vote of a majority of the outstanding securities of such registered
company . . . .'' Additionally, section 15(c) of the Investment
Company Act states that ``it shall be unlawful for any registered
investment company having a board of directors to enter into . . .
any contract or agreement, written or oral, whereby a person
undertakes regularly to serve or act as investment adviser of . . .
such company, unless the terms of such contract or agreement and any
renewal thereof have been approved by the vote of a majority of
directors, who are not parties to such contract or agreement or
interested persons of any such party, cast in person at a meeting
called for the purpose of voting on such approval.'' But see, e.g.,
rule 15a-4 under the Investment Company Act (allowing funds, in
certain circumstances, to enter into interim advisory agreements
without an in-person board meeting and without the fund's
shareholders first approving the agreement); see generally JP Morgan
Chase/Bear Stearns Asset Management, SEC Staff No-Action Letter
(July 14, 2008) (providing staff no-action relief following the US-
government-brokered emergency sale of Bear Stearns Companies Inc. to
JP Morgan Chase & Co., to allow Bear Stearns Asset Management to
continue to serve as investment adviser to its funds without prior
in-person approval by the funds' board of directors due to the
extraordinary circumstances surrounding the sale of its parent
company).
\107\ Section 205(a)(2) of the Advisers Act requires any
investment advisory contract to contain a provision indicating
``that no assignment of such contract shall be made by the
investment adviser without the consent of the other party to the
contract.'' Section 202(a)(1) of the Advisers Act defines
``assignment,'' for purposes of the Advisers Act, to include ``any
direct or indirect transfer or hypothecation of an investment
advisory contract by the assignor or of a controlling block of the
assignor's outstanding voting securities by a security holder of the
assignor. . . .''
\108\ See, e.g., Third Avenue Trust and Third Avenue Management
LLC, Investment Company Act Rel. No. 31943 (Dec. 16, 2015) (Notice
and Temporary Order) (permitting the suspension of the right of
redemption of Third Avenue Trust's outstanding redeemable
securities).
\109\ For example, as of January 4, 2016, the number of foreign
registrations of SEC-registered investment advisers was 2,279,
representing 1,051 SEC-registered investment advisers, some of which
were registered in multiple foreign jurisdictions. Additionally,
there were 780 foreign investment advisers registered with the
Commission as of that same date. Based on data from IARD.
\110\ When evaluating options for Long-Term Capital Management,
L.P. during its collapse, the effects of the fund filing for
bankruptcy were not clear because the fund was managed by an
advisory entity domiciled in Delaware and located in Connecticut,
while the fund itself was domiciled in the Cayman Islands, where the
rights of its counterparties to liquidate collateral under the U.S.
Bankruptcy Code would have been delayed because the fund would have
likely had to seek bankruptcy protection in the Cayman Islands
courts, under Cayman law. See Report of The President's Working
Group on Financial Markets, Hedge Funds, Leverage, and the Lessons
of Long-Term Capital Management (Apr. 28, 1999), available at
https://www.treasury.gov/resource-center/fin-mkts/Documents/hedgfund.pdf.
---------------------------------------------------------------------------
Finally, we believe it is important for an adviser to have
considered in advance its strategy for either avoiding or facilitating
a transition of its business and client accounts in the event the
adviser is in material financial distress such that its ability to
continue providing advisory services to its clients or otherwise acting
in its clients' best interests could be impacted or undermined.\111\
Accordingly, the proposed rule requires that the adviser's plan of
transition consider any material financial resources available to the
adviser. For example, the adviser could identify any material sources
of funding, liquidity, or capital it would seek in times of stress in
order to continue operating \112\ or consider how it would implement a
reduction of expenses or other alternatives.
---------------------------------------------------------------------------
\111\ We note that, in certain circumstances, an adviser is
required to ``disclose any financial condition that is reasonably
likely to impair [the adviser's] ability to meet contractual
commitments to clients.'' See Form ADV, Part 2, Item 18.
\112\ When considering any material financial resources
available to it, the adviser also could identify any insurance
coverage.
---------------------------------------------------------------------------
f. Request for Comment
We seek comment on the proposed requirement to adopt and implement
a business continuity and transition plan, and the proposed components
of that plan.
Should we require all SEC-registered advisers to adopt and
implement business continuity and transition plans? Or should we
identify only a subset of SEC-registered advisers that must implement
such plans? Which advisers should be in such a subset (e.g., large
advisers with assets under management over a specific threshold,
advisers affiliated with financial institutions, etc.) and why?
Rather than adopting the proposed rule, should the
Commission issue guidance under rule 206(4)-7 under the Advisers Act
addressing business continuity and transition plans? If so, should that
guidance set forth possible elements of such a plan?
What, if any, implications will the proposed rule have for
investment advisers that are also subject to other regulatory
requirements as to business continuity and/or transition planning
(e.g., FINRA or CFTC rules on BCPs)? For example, would the proposed
rule be inconsistent with an adviser's obligations under other
regulatory requirements?
Should we require business continuity and transition plans
to include each of the proposed components? Alternatively, should the
rule require advisers to have a business continuity and transition
plan, and specify certain components of a plan in the form of a safe
harbor provision? Or, should the rule not specify required components
of a plan and instead allow advisers to determine the appropriate
components of their plans? Are there any components we should remove
from the proposed list of required components? Are there any components
we should add or expand upon? For example, with respect to a pre-
arranged alternate physical location(s) of the adviser's office(s) and/
or employees, should we require that an adviser's business continuity
and transition plan include an alternate location at a specified
distance away from its primary location? Should we require an adviser's
communication plan to extend to investors in certain types of pooled
investment vehicles? If so, which specific types of pooled investment
vehicles and how should the term ``investors'' be defined for each type
of pooled investment vehicle? Should we require an adviser to have
policies and procedures that address the identification, assessment,
and review of critical third-party vendors that the adviser arranges or
oversees for its clients?
Are there any components of the NASAA model rule or
guidance, or other rules or guidance addressing BCPs, that we have not
addressed in the proposed rule that we should address? Should advisers
with certain types of clients, including for example advisers to
registered investment companies or sponsors of wrap programs, be
required to undergo additional obligations with regard to adopting and
implementing a business continuity and transition plan? What additional
steps should such advisers be required to take with respect
[[Page 43544]]
to such clients and/or such clients' service providers?
Are each of the proposed components of a business
continuity and transition plan clear or should we provide additional
information and/or definitions for any of the components? If so, what
additional information or definitions are needed? For example, should
we provide a definition of ``significant business disruption,''
``unable to continue providing investment advisory services,'' or
``pooled investment vehicle''? Alternatively, should we require
investment advisers to define certain terms, like ``significant
business disruption'' or ``unable to continue providing investment
advisory services,'' within their plans?
Should all advisers be required to include each of the
proposed components in a business continuity and transition plan or
should certain advisers be exempt from including certain components? If
certain advisers should be exempt, why? For example, should only
certain advisers be required to adopt and implement the transition plan
component of the proposed rule or is there a subset of investment
advisers with operations so limited that the adoption and
implementation of a transition plan (or certain components of the
transition plan requirement) would not be beneficial? If so, what
criteria could be used to identify this subset of advisers? Are there
alternative or streamlined measures that these advisers could take to
facilitate an orderly transition in the event of a significant
disruption to the adviser's operations? If these advisers did not have
transition plans, should they be required to disclose the absence of
such plan?
With respect to each of the proposed components of a
business continuity and transition plan, we have provided information
as to the items and/or actions that we believe generally should be
encompassed within a particular component. Is there additional
information that we should provide, or any information that we should
exclude or modify, regarding any of the proposed components of a plan?
Alternatively, instead of permitting advisers the flexibility to draft
their plans based on the complexity of their businesses, should we
require advisers to address each component in a prescriptive manner by
requiring specific mechanisms for addressing particular risks?
Should we adopt a more prescriptive rule that calls for a
more specific transition plan similar to the ``Living Wills'' required
by the Federal Reserve Board and the FDIC for large banks and
systemically important non-bank entities? \113\ If so why, and what
specifically should the rule require?
---------------------------------------------------------------------------
\113\ These resolution plans require, among other things: (1)
Information regarding the manner and extent to which any insured
depository institution affiliated with the company is adequately
protected from risks arising from the activities of any nonbank
subsidiaries of the company; (2) full descriptions of the ownership
structure, assets, liabilities, and contractual obligations of the
company; and (3) identification of the cross-guarantees tied to
different securities, identification of the major counterparties,
and a process for determining to whom the collateral of the company
is pledged. See Resolution Plans, supra note 40.
---------------------------------------------------------------------------
As part of the proposed rule, should we require advisers
to provide disclosure to their clients about their business continuity
and transition plans? If so, what should be the format of such
disclosure (e.g., summary of plan, copy of plan)? When or how
frequently should this disclosure be provided? Should we require
advisers to disclose to their clients incidents where they relied on or
activated their business continuity and transition plans? If so, what
should be the format of such disclosure? What types of incidents should
be disclosed or not disclosed?
As part of the proposed rule, should we require advisers
to report to the Commission incidents where they rely on their business
continuity and transition plans? If so, under what circumstances should
advisers be required to report to the Commission and how should
advisers report this information? When should the required reporting
occur?
Should we require advisers to file their business
continuity and transition plans, or a summary thereof, with the
Commission? Should these filings be made available to the public? Why
or why not? Are business continuity and transition plans considered
proprietary to an adviser such that disclosing its plan to the public
(either through a Commission filing or through disclosure to a client)
creates additional risk exposure to the adviser?
2. Annual Review
Under the proposed rule, each adviser would be required to review
the adequacy of its business continuity and transition plan and the
effectiveness of its implementation at least annually. The review
generally should consider any changes to the adviser's products,
services, operations, critical third-party service providers,
structure, business activities, client types, location, and any
regulatory changes that might suggest a need to revise the plan.
The annual review provision is designed to require advisers to
evaluate periodically whether their business continuity and transition
plans continue to, or would, work as designed and whether changes are
needed for continued adequacy and effectiveness. For example, the
review generally should include an analysis of whether a business
continuity and transition plan adequately protects client interests
from being placed at risk and to mitigate such risks in the event the
adviser experiences a significant disruption in its operations. In
addition, annual reviews generally should address weaknesses an adviser
may have identified in any testing it has done or assessments that have
been performed to address the adequacy and effectiveness of its
business continuity and transition plan, as well as any lessons learned
if an event required the plan to be carried out during the previous
year, including any changes made or contemplated as a result of the
event.
Should we require that business continuity and transition
plans be reviewed at least annually, as proposed? Should we expressly
require reviews of business continuity and transition plans to be
documented in writing? Should we require more frequent or less frequent
review of business continuity and transition plans? In addition to
annual review, should we require that advisers review their plans when
specific events occur? For example, should we require plans be reviewed
when an adviser has an event that causes it to rely on its plan? Should
we require plans be reviewed based on changes to the adviser's
operations or processes, changes in the ownership or business structure
of the adviser, compliance or audit recommendations, lessons learned
from testing or disruption events, and/or regulatory developments?
Should we require advisers to report to the Commission
regarding the annual review of their business continuity and transition
plans? If so, what should be the format of the report?
Should we explicitly require advisers to annually review
the business continuity and transition plans of their third-party
service providers that provide critical services to the adviser and its
clients? If so, how should these reviews be conducted? What types of
documentation could be requested to perform these reviews?
Should we specifically require advisers to periodically
test their business continuity and transition plans or certain material
components thereof to assess whether the plans are adequate and
effective? If so, how should such testing be conducted? What should be
[[Page 43545]]
included in the scope of such review? How often should such testing be
required?
3. Recordkeeping
The proposed amendments would require SEC-registered advisers to
maintain copies of all written business continuity and transition plans
that are in effect or were in effect at any time during the last five
years after the compliance date. We are requiring an adviser to
maintain a copy of the plan currently in effect because we believe that
it is important that advisers have easy access to necessary information
during periods of stress. The proposed rule would also require that
advisers keep any records documenting their annual review.\114\ Our
rules permit advisers to maintain these records electronically.\115\
These proposed new recordkeeping requirements will assist our
examination staff in evaluating an adviser's compliance with the new
rule, including evaluating whether the adviser's business continuity
and transition plan includes all required components. These proposed
requirements track the recordkeeping requirements under rule 204-2
regarding an adviser's compliance policies and procedures.
---------------------------------------------------------------------------
\114\ Pursuant to rule 204-2(e)(1) of the Advisers Act, advisers
would have to maintain any records documenting their annual review
in an easily accessible place for at least five years after the end
of the fiscal year in which the review was conducted, the first two
years in an appropriate office of the investment adviser.
\115\ See rule 204-2(g) under the Advisers Act.
---------------------------------------------------------------------------
We request comment on the proposed recordkeeping requirements.
Should we require advisers to maintain copies of their
business continuity and transition plans that are in effect or were in
effect at any time during the last five years, as proposed? If not,
what, if any, recordkeeping requirements should we adopt with respect
to business continuity and transition plans? Is five years an
appropriate retention period? Should it be longer or shorter? Why?
Should we require advisers to keep any records documenting
their annual review of their business continuity and transition plans,
as proposed?
II. Economic Analysis
A. Introduction
The Commission is sensitive to the potential economic effects of
proposed rule 206(4)-4 and the proposed amendments to rule 204-2. These
effects include benefits and costs to SEC-registered advisers, clients,
and fund investors as well as broader implications for market
efficiency, competition, and capital formation.\116\ The economic
effects of the proposed rule are discussed below in the context of the
primary goals of the proposed regulation.
---------------------------------------------------------------------------
\116\ The Commission recognizes that there are other entities
that could be affected by the proposed rule. For example, vendors
might have to adapt to meet the new demands of their clients under
the proposed rule and that could change the nature of those product/
service markets, which in turn could have further economic effects
on advisers and their clients and investors. However, the effects of
the rulemaking on such entities are uncertain and difficult to
predict given they are not direct effects of the proposed rule.
---------------------------------------------------------------------------
We have sought, where possible, to quantify the costs, benefits,
and effects on efficiency, competition, and capital formation expected
to result from the proposed regulations. However, as discussed below,
in certain cases, we were unable to quantify the economic effects
because we lack the information necessary to provide reasonable
estimates, such as the extent to which some advisers already have
business continuity or transition plans that would satisfy some or all
of the requirements of the proposed rule, the likelihood of business
disruptions, and the share of costs arising from the proposed rule that
advisers will pass through to its clients. Therefore, some of the
discussions below are qualitative in nature.
Under the proposed rule, the content of an SEC-registered adviser's
business continuity and transition plan shall be based upon risks
associated with the adviser's operations and shall include policies and
procedures designed to minimize material service disruptions, including
policies and procedures that address the following: (1) Maintenance of
critical operations and systems, and the protection, backup, and
recovery of data; (2) pre-arranged alternate physical location(s) of
the adviser's office(s) and/or employees; (3) communications with
clients, employees, service providers, and regulators; (4)
identification and assessment of third-party services critical to the
operation of the adviser; and (5) plan of transition that accounts for
the possible winding down of the adviser's business or the transition
of the adviser's business to others in the event the adviser is unable
to continue providing advisory services. The proposed rule also
requires that each SEC-registered adviser review, no less frequently
than annually, the adequacy of its business continuity and transition
plan and the effectiveness of its implementation. In addition, the
proposed amendments to rule 204-2 under the Advisers Act requires these
advisers to make and keep records of all business continuity and
transition plans that are in effect or were in effect at any time
within the past five years.
The goal of these proposals is to require that all advisers have
sufficiently robust plans to mitigate the potential adverse effects of
significant business disruptions or transition events. Specifically,
the proposed rule requires SEC-registered advisers to adopt plans
reasonably designed to protect clients and fund investors from the risk
that, in the wake of a significant business disruption or transition
event, advisers are unable to provide services and continue operations.
Such disruptions may put clients' and investors' interests at risk if,
for example, an adviser lacks the ability to make trades in a
portfolio, is unable to receive or implement directions from clients,
or its clients are unable to access their assets or accounts.
Because clients and investors should be averse to these outcomes,
one might expect all advisers to already have plans in place to
minimize the risks posed by significant business disruptions or
business transitions without being legally required to do so. It
appears, however, that, in the context of business continuity and
transition plans, market pressures do not fully align the interests of
all advisers with those of their clients and fund investors, as staff
has observed that some advisers have adopted plans that may not be
sufficiently robust in light of the operational and other risks
specific to their businesses. Our staff's observations that business
continuity and transition plans are not uniformly robust suggest that
both advisers and their clients may not fully take into account, or
internalize, the potential benefits of comprehensive business
continuity and transition plans as well as the potential costs of
operating without them.
There are several possible reasons for this misalignment. As an
initial matter, the types of business disruptions addressed by this
proposal are infrequent, and are not necessarily publicly observable
when they do occur; this may make it difficult for market participants
to fully internalize the ramifications of those events. For example, an
adviser that underestimates the likelihood of a significant disruption
or the harm it could cause to the viability of its business may not
believe the cost of a more robust business continuity plan is
justified. Furthermore, because many advisers may have never
experienced a significant business disruption, they might not properly
assess whether their existing plans are sufficiently robust. And while
some clients and investors may recognize the benefits of business
[[Page 43546]]
continuity planning and demand it of their advisers, others may not
fully understand these benefits due to the rarity of significant
disruptions.
In addition, staff observations resulting from specific SEC
examinations are generally not made public, so any examination findings
identified with respect to one adviser's plan will generally provide no
guidance to other advisers, or to their clients and investors, as to
what robust plans might contain. Although Commission staff has
published alerts identifying overall observed weaknesses in advisers'
business continuity plans, those alerts provide aggregated, non-
specific information that may not inform advisers or their clients and
investors of the expected content of robust plans.\117\ Moreover, it is
possible that some advisers may not review those alerts and therefore
do not adjust their business continuity plans in response to the
identified strengths and weaknesses; similarly, many clients and
investors, particularly smaller or retail investors, may not review the
alerts and thus do not exert pressure on their advisers to address in
their own plans the general weaknesses identified by the
Commission.\118\
---------------------------------------------------------------------------
\117\ See, e.g., NEP Risk Alert, supra note 30.
\118\ We note that, based on staff experience, large
institutional clients often have rigorous due diligence processes
that evaluate an adviser's operational and other risks, while
smaller retail clients may not engage in such a thorough review of
operational and other risks.
---------------------------------------------------------------------------
Furthermore, advisers generally do not make their business
continuity plans (or transition plans) public, though based on
Commission staff's experience, we understand that most will provide a
summary of those plans or other information related to their
operational and other risks to clients and investors upon request.
Clients and investors that request, review, and comment on these plans
are more likely to exert some degree of pressure on their advisers
regarding the content of their plans, thereby leading to more robust
plans. Thus, the composition of an adviser's client base may impact the
current state of its business continuity and transition plans and may
lead to the heterogeneity in the quality of such plans that our staff
has observed across advisers. The Commission believes, based on staff
experience, that larger institutional clients and investors, compared
to smaller or retail clients and investors, are more likely to engage
in extensive due diligence processes that involve such review of
existing plans. The content of business continuity and transition plans
for advisers with larger institutional clients and investors may
therefore be more likely to reflect such client or investor input than
plans of advisers with only smaller, retail clients or investors. In
addition, because plans are not generally public, advisers cannot
compare their own plans with those of other advisers to assess the
relative strengths and weaknesses of their plans and therefore do not
have the opportunity to craft or revise their own plans with the
knowledge of how others in the industry are addressing the same issues.
These factors, combined with the absence of any specified requirements
for components of business continuity plans (or transition plans) in
existing regulation, may have contributed to staff's observations that
such plans are not uniformly robust.
Advisers also may not fully internalize the benefits of transition
planning. For example, it is possible that advisers do not necessarily
have adequate incentives to ensure that a business transition takes
into account all of the various components of a robust plan set forth
in the proposed rule, given that an adviser no longer receives fees
after that transition. In addition, transition events, like business
disruptions, are relatively rare; accordingly, advisers may not
properly assess the likelihood of such events, the potential
consequences of failing to adequately prepare, or the benefits of
ensuring a smooth transition.
To address the issues identified above, the proposed rule requires
advisers to assess the operational and other risks associated with its
business operations and identifies components that must be addressed in
business continuity and transition plans. The rule aims to address the
lack of uniformly robust plans previously observed by staff and
requires each SEC-registered investment adviser to adopt and implement
a written business continuity and transition plan based upon the risks
associated with the adviser's operations.
B. Economic Baseline
The investment adviser regulatory regime currently in effect serves
as the economic baseline against which the benefits and costs, as well
as the impact on efficiency, competition, and capital formation of the
proposed rule are discussed. As of January 4, 2016, there were 11,956
SEC-registered investment advisers with approximately $67 trillion in
regulatory assets under management. In this market, which has been
described as being highly competitive,\119\ advisers are likely to
compete on, among other things, fees charged to clients, returns or
performance, and the level of services provided to meet client needs.
---------------------------------------------------------------------------
\119\ See supra section I.A and note 7.
---------------------------------------------------------------------------
The proposed rule would affect all SEC-registered investment
advisers, as well as each adviser's clients (including registered
funds, private funds, and individual separately managed accounts) and
the investors in fund clients. Currently, Commission guidance indicates
that an SEC-registered adviser's compliance policies and procedures
should include business continuity planning to the extent it is
relevant to the adviser's business. The content of those BCPs, however,
is not addressed by current Commission rules, and may not specifically
include policies and procedures regarding business transitions.
As noted previously, our staff has noticed variation in the
business continuity and/or transition plans that they have seen during
examinations. Some advisers, pursuant to the Compliance Program Rule or
as a prudent business practice, have adopted plans which may be
consistent with the new requirements being proposed, while others have
not. Accordingly, the benefits and costs to a given adviser, client, or
fund investor will depend on the current state of the adviser's
business continuity and transition plan.
C. Benefits and Costs and Effects on Efficiency, Competition, and
Capital Formation
Taking into account the goals of the proposed rule and the economic
baseline, as discussed above, this section explores the benefits and
costs of the proposed rule, as well as the potential effects of the
proposed rule on efficiency, competition, and capital formation.
1. Benefits
Clients and investors in funds managed by SEC-registered advisers,
advisers themselves, and the financial markets as a whole may benefit
from the proposed rule. In general, we cannot quantify the total
benefits to the affected parties because we lack data on certain
factors relevant to such an analysis, such as investor preferences and
the likelihood of business disruptions. For example, without knowing
how risk averse clients are to investing via advisers without robust
BCPs, we cannot quantify the benefits they might derive from
improvements in those BCPs. Similarly, it is difficult to estimate the
probability of the types of business disruptions addressed by the
proposed rule, which precludes precisely estimating the ex-ante costs
of inadequate plans under the economic
[[Page 43547]]
baseline. However, we discuss the expected benefits qualitatively
below.
We anticipate that clients and investors in funds managed by
registered advisers will benefit from the proposed rule. Requiring SEC-
registered advisers to adopt and implement business continuity and
transition plans will likely reduce the risk that investors and
advisory clients will be harmed or affected in the event a business
continuity or transition issue actually occurs. For example, advanced
planning to address issues in the event of a disruption may reduce the
risk that advisory accounts might be left unmanaged or that clients do
not have access to their funds during an adviser's business
interruption or transition, or at least shortens the time of such a
disruption. As discussed above, whether it is due to prudent business
practices or adherence to the Commission guidance in the Compliance
Program Rule, some advisers may already have robust business continuity
and transition plans in place that are consistent with the new
requirements being proposed. The incremental benefits of the proposed
rule to those advisers' clients and investors would likely be less than
the benefit to the clients and investors of an adviser without such
strong operational controls.
The proposed rule will also benefit registered advisers by
requiring their business continuity and transition plans to include
policies and procedures that address certain specific components, which
should help the advisers better prepare for significant disruptions in
their operations. While Commission guidance indicates that an SEC-
registered adviser's compliance policies and procedures should address
BCPs to the extent that they are relevant to an adviser, the Commission
has not previously specified what such a BCP should address. To the
extent registered advisers have not already adopted and implemented
robust BCPs that are consistent with the new requirements being
proposed, requiring them to review the risks associated with their
operations and plan for significant business disruptions or transitions
should encourage them to enhance their ongoing efforts to mitigate
risks attendant with their operations and business practices and may
help them be better prepared to address business continuity and
transition events if and when they occur.
Finally, the proposed rule and the planning it requires of advisers
could have ancillary benefits for the broader financial markets. For
example, consider an adviser with significant assets under management
who trades actively enough to be considered a liquidity provider in a
particular market. If this adviser were to suffer a significant
business disruption event that prevented it from participating in that
market for several days, then the liquidity of the market could be
negatively affected.\120\ While a business continuity and transition
plan would not be able to completely prevent such a disruption, it may
decrease the adviser's recovery time and hence the disruption's impact
on the market.
---------------------------------------------------------------------------
\120\ See, e.g., George O. Aragon & Philip E. Strahan, Hedge
funds as liquidity providers: Evidence from the Lehman bankruptcy,
J. Financ. Econ., Vol. 103, Issue 3 (Mar. 2012) at 570-587
(concluding that ``the market liquidity of stocks held by Lehman's
hedge-fund clients fell more during the [2008 financial] crises than
otherwise similar stocks not held by these funds.'')
---------------------------------------------------------------------------
2. Costs
As with the benefits, costs of the proposed rule will be shared by
advisers and their clients and fund investors. Generally, advisers will
incur the direct costs associated with developing and maintaining
robust business continuity and transition plans, though some of those
costs may ultimately be passed through to their clients and fund
investors. These costs are discussed in more detail below.
a. Costs to Advisers
Proposed rule 206(4)-4 likely will result in an SEC-registered
adviser incurring one-time and ongoing operational costs, described in
detail below, to adopt and implement a business continuity and
transition plan that is reasonably designed to address the operational
and other risks related to a significant disruption in the adviser's
operations. As an initial matter, it is difficult to determine the
estimated costs for advisers with precision because of the variation in
existing BCPs and the extent to which such plans will need to be
revised to be compliant with the proposed rule. Because Commission
guidance indicates that SEC-registered advisers' compliance policies
and procedures should address BCPs to the extent that they are relevant
to an adviser, the nature of an adviser's existing BCP will also
greatly affect the initial costs the adviser would expend to comply
with the proposed rule. Advisers whose current BCPs are closely aligned
with the requirements of the proposed rule would likely incur lower
initial compliance costs relative to advisers whose current BCPs are
not closely aligned with the rule's requirements, while all advisers
would incur ongoing costs pertaining to the annual review and
recordkeeping components of the proposed rule. \121\
---------------------------------------------------------------------------
\121\ The costs estimates provided in this section include total
costs for developing and maintaining both business continuity plans
and transition plans. We recognize, however, that the portion of
these costs attributable to business continuity plans will likely be
greater than that attributable to the transition plans, as business
continuity plans generally contemplate acquiring and maintaining,
for example, more infrastructure, such as secondary storage
capabilities, than transition plans and is more likely to involve
retaining third-party vendors to assist with the development or
maintaining of that infrastructure. Accordingly, the current state
of an adviser's business continuity plans may have more effect on
the costs to individual advisers than the current state of the
adviser's transition plans.
---------------------------------------------------------------------------
In addition, because the proposed rule requires an SEC-registered
adviser's plan to be based on the particular risks attendant to that
adviser's operations, the initial and ongoing costs imposed by the rule
would vary significantly among firms depending on the complexity of the
adviser's operations. A number of factors pertaining to an adviser's
business model can affect the complexity of the adviser's operations.
Those factors include the adviser's assets under management, number of
employees, number of offices, number and types of clients (e.g., high
net worth individuals, private funds, or registered investment
companies), types of advisory activities, other business activities or
lines of business which may affect the adviser's advisory business,
types of investment strategies pursued, and the extent of reliance on
service providers (in-sourced vs. out-sourced models). The flexibility
of the proposed rule should allow advisers to tailor their business
continuity and transition plans to the specific risks their businesses
face at the minimum possible cost.
The Commission believes that certain of the above factors may be
correlated with the adviser's amount of assets under management. For
example, an adviser with a large amount of assets under management is
more likely to have more employees, multiple locations, offices,
numbers and types of clients, and types of business activities than an
adviser with fewer assets under management.\122\ Accordingly, we
[[Page 43548]]
believe that advisers with larger amounts of assets under management
are generally more likely to have more complex business operations and
may therefore need to expend more resources on adopting, implementing,
and maintaining a business continuity and transition plan than advisers
with fewer assets under management.\123\
---------------------------------------------------------------------------
\122\ With regard to employee size, SEC-registered advisers with
less than $100 million in assets under management have an average of
28 employees and a median of 4 employees, while SEC-registered
advisers with over $1 billion in assets under management have an
average of 180 employees and a median of 31 employees. Based on data
from IARD as of January 4, 2016. With regard to the number of
offices maintained by advisers, only 23% of SEC-registered advisers
with less than $100 million in assets under management maintain more
than one office, while 47% of SEC-registered advisers with over $1
billion in assets maintain one or more offices and 11% of these
larger advisers maintain 5 or more offices. Based on data from IARD
as of January 4, 2016.
\123\ There are notable exceptions: for example, a small adviser
with a technology intensive investment strategy may nevertheless
have a complex operational risk profile, which could require a more
complex business continuity and transition plan.
---------------------------------------------------------------------------
i. One-time Costs
As noted above, the one-time costs associated with developing and
implementing the policies and procedures associated with a business
continuity and transition plan will vary significantly among firms
depending on the nature and complexity of the adviser's operations and
the current state of their systems and processes. Under the proposed
rule, SEC-registered advisers need only take into account the risks
associated with their particular operations. For example, smaller
advisers that do not have a large number or different types of clients
or do not maintain numerous offices with numerous employees may not
need complex systems if their operations result in risks that are easy
to address. On the other hand, a larger adviser with a large number and
diverse set of clients, including large registered investment
companies, with global offices and thousands of employees may need more
complicated and expensive systems and technology. To the extent that
adviser size does correlate with operational complexity, SEC
examination staff has observed that larger advisers have typically
already devoted significant resources to establish systems or
technological solutions that address operational and other risks
related to business continuity.
Based on our staff's experience, we generally estimate that the
one-time costs necessary to adopt and implement a business continuity
and transition plan would range from approximately $30,000 to $1.5
million \124\ per SEC-registered adviser, depending on the facts and
circumstances of a particular adviser's operations and the adequacy of
its existing plan. These estimated costs include internal and external
costs, explained in more detail below, attributable to the following
activities: (1) Mostly internal costs associated with developing
policies and procedures related to each required component of the
business continuity and transition plan; and (2) external costs
associated with integrating and implementing the policies and
procedures as described above (including establishing or upgrading
current systems and processes to comply with the proposed rule).
---------------------------------------------------------------------------
\124\ These estimates are based on the aggregated low-end of the
range and the high-end of the range, respectively, of mostly
internal costs detailed in the PRA section below and the external
costs associated with integrating and implementing the plan.
Specifically, these estimates are based on the following
calculations, which are described in greater detail in notes 125
through 129:
$12,515 low-end estimated internal cost to adviser for
developing policies and procedures + $4,000 low-end estimated cost
to adviser for external professional fees for developing policies
and procedures + $1,000 low-end estimated cost to adviser for
maintenance of critical operations and systems and the protection,
backup and recovery of data + $5,000 low-end estimated cost to
adviser for a prearranged alternative physical location + $0 low-end
estimated cost to adviser for a plan of communication + $5,000 low-
end estimated cost for third-party oversight = $27,515.
$147,310 high-end estimated internal cost to adviser for
developing policies and procedures + $20,000 high-end estimated cost
to adviser for external professional fees for developing policies
and procedures + $750,000 high-end estimated cost to adviser for
maintenance of critical operations and systems and the protection,
backup and recovery of data + $500,000 high-end estimated cost to
adviser for a prearranged alternative physical location + $5,000
high-end estimated cost to adviser for a plan of communication +
$50,000 high-end estimated cost for third-party oversight =
$1,472,310.
See infra, notes 125 through 129.
---------------------------------------------------------------------------
We anticipate that developing policies and procedures designed to
minimize material service disruptions, including those related to each
required component of the business continuity and transition plan will
largely be done internally because it will require an evaluation of the
adviser's business operations most suited to be conducted by in-house
employees familiar with the intricacies of the business operations.
These costs are quantified and discussed in more detail in the PRA
section below, but in summary, we estimate that this initial one-time
cost will range from approximately $17,000 to $170,000, depending on
the facts and circumstances of a particular adviser's operations and
the comprehensiveness of their existing plan.\125\
---------------------------------------------------------------------------
\125\ See infra section III.A.1. This estimate is based on the
following calculations: $12,515 internal cost to representative
smaller adviser + $4,000 in external professional fees for
representative smaller adviser = $16,515. $147,310 internal cost to
representative larger adviser + $20,000 in external professional
fees for representative larger adviser = $167,310.
---------------------------------------------------------------------------
With respect to integration and implementation of the policies and
procedures described above, an adviser may incur external costs to
upgrade systems and processes. The external costs incurred by an
adviser to meet the required components of the proposed rule would be
directly affected by the current state of the adviser's existing
systems and processes. For example, the proposed rule specifies that an
adviser must address the maintenance of critical operations and systems
and the protection, backup, and recovery of data. While our staff
observes that most advisers already have systems in place to address
the protection, backup, and recovery of data, an adviser that does not
already have a system in place would incur the costs associated with
implementing an operational solution to protecting its data.\126\ Also,
the proposed rule specifies that an adviser's plan include a pre-
arranged alternative physical location of its office(s) and/or
employees. While many advisers already have back-up locations
identified as a co-location in times of business disruptions and
equipped their employees to telework if they are unable to travel to
the primary office location, an adviser that has not adequately
addressed this component of the proposed rule would incur costs to do
so in light of the proposed rule.\127\
---------------------------------------------------------------------------
\126\ We estimate an adviser could spend between $1,000 and
$750,000 to address the maintenance of critical operations and
systems, and the protection, backup and recovery of data. The wide
range is attributable to the varying methods in which advisers may
address this component of the proposed rule. For example, smaller
advisers may address data backup and recovery by outsourcing storage
to a service provider through cloud software, while a large adviser
dealing with large amounts of data may find it more cost effective
to purchase data servers dedicated to the adviser.
\127\ We estimate that an adviser could spend between $5,000 and
$500,000 to address having a prearranged alternative physical
location. The wide range is attributable to the varying methods in
which advisers may address this component of the proposed rule. For
example, a smaller adviser with minimal employees may be able to
function by enabling its employees to telework and access the
adviser's systems remotely instead of requiring formal meeting
space. Larger advisers with many employees, on the other hand, may
need to rent office space on a temporary basis or establish co-
locations where employees necessary to the operations of an adviser
may congregate.
---------------------------------------------------------------------------
The proposed rule also requires that the adviser address how it
will communicate with clients, employees, service providers, and
regulators in the event of a business disruption. While advisers have
communication tools as part of its general business operations that
enable it to communicate to its stakeholders (i.e., email, phone,
etc.), some advisers may have formal, more sophisticated communication
infrastructure already in place.\128\ The
[[Page 43549]]
proposed rule further requires advisers to engage in an assessment of
critical third-party vendors, including assessing how service providers
will maintain business continuity when faced with significant business
disruption. While some advisers currently have robust vendor management
programs that take steps to evaluate the resiliency of vendors,
including reviewing information regarding their BCPs, due diligence
questionnaires or assurance control reports from an independent party,
and onsite visits, some advisers do not and will need to incur costs to
enhance their review of critical third-party vendors.\129\
---------------------------------------------------------------------------
\128\ We estimate that an adviser could spend between almost
nothing to up to $5,000 to address having a plan of communication
with its stakeholders. The wide range is attributable to the varying
methods in which advisers may address this component of the proposed
rule. For example, a small adviser with minimal employees could
manually email or telephone its stakeholders, whereas a large
adviser with many employees or clients could choose to use an
automated system to trigger a pre-programmed communication plan.
\129\ We estimate that an adviser could spend between $5,000 and
$50,000 to address the requirement for third-party oversight. The
wide range is attributable to the varying methods in which advisers
may address this component of the proposed rule. As discussed in
section I, many advisers may choose to use in-house personnel to
conduct due diligence of critical service providers, while others
may choose to pay others to conduct such due diligence on their
behalf.
---------------------------------------------------------------------------
Aggregating our estimates for the various components of the rule,
we estimate that SEC-registered advisers may spend between
approximately $11,000 and $1.3 million in additional, initial costs to
upgrade systems and processes to comply with the proposed rule
depending on the complexity of their operations and the current state
of their systems and processes, as described above.\130\
---------------------------------------------------------------------------
\130\ These estimates are based on the aggregated low-end of the
range and the high-end of the range, respectively, of mostly
internal costs detailed in the PRA section below and the external
costs associated with integrating and implementing the plan.
Specifically, these estimates are based on the following
calculations:
$1,000 low-end estimated cost to adviser for maintenance of
critical operations and systems and the protection, backup and
recovery of data + $5,000 low-end estimated cost to adviser for a
prearranged alternative physical location + $0 low-end estimated
cost to adviser for a plan of communication + $5,000 low-end
estimated cost for third-party oversight = $11,000.
$750,000 high-end estimated cost to adviser for maintenance of
critical operations and systems and the protection, backup and
recovery of data + $500,000 high-end estimated cost to adviser for a
prearranged alternative physical location + $5,000 high-end
estimated cost to adviser for a plan of communication + $50,000
high-end estimated cost for third-party oversight = $1,305,000.
See supra, notes 125 through 129.
These estimates include the assumption that large advisers will
incur more costs than smaller advisers based on their operational
risk profile. Because these estimates do not take into account our
staff observations that larger advisers generally already have more
robust business continuity plans in place compared to smaller
advisers, we believe our estimates may overstate the costs to be
incurred by advisers.
---------------------------------------------------------------------------
ii. Ongoing Costs
In addition to the one-time initial costs described above, each
registered adviser would also incur ongoing costs as a result of the
proposed rule related to the adviser's review of the adequacy of its
business continuity and transition plan and the effectiveness of its
implementation. This would involve internal costs associated with
updating policies and procedures to reflect changes in an adviser's
operational risk profile and costs of compliance and reporting
associated with maintaining the plan, but would also include external
costs associated with maintaining and upgrading systems, maintaining
alternate work locations, and responding to regulatory changes that
require revision of the adviser's business continuity and transition
plan.\131\ As discussed in the PRA section below, based on staff
experience, we estimate that each adviser, in addition to the initial
costs described above, would incur ongoing plan-related cost of
approximately 25% of the adviser's initial costs in adopting and
implementing a business continuity and transition plan. Accordingly, we
estimate that an SEC-registered adviser would incur ongoing annual
costs associated with the proposed rule that would range from $7,500 to
$375,000.\132\
---------------------------------------------------------------------------
\131\ See supra section I.C.2 for more details on annual review
requirements.
\132\ This estimate is based on the following calculations: .25
x $30,000 = $7,500 and .25 x $1.5 million = $375,000. See supra note
124 and accompanying text (discussing total initial costs ranging
from approximately $30,000 to $1.5 million).
---------------------------------------------------------------------------
In addition, the proposed amendments to rule 204-2 would require
registered advisers to maintain records related to the current plan and
any plan in effect in the previous five years, as well as any records
documenting the annual review of the plan required by the rule. As
described in more detail in the PRA section below, we estimate that
such advisers will spend approximately $150 each year on an ongoing
basis to meet this requirement.
b. Costs to Clients and Investors
Some of the costs incurred by advisers as a result of the proposed
rule may ultimately be passed on from advisers to clients and fund
investors through higher fees. The extent to which costs are
transferred to clients and investors depends on several factors,
including the supply and demand for adviser services. On the demand
side, the extent to which clients and investors respond to fee changes
is a function of how highly they value a given adviser's services; the
proposed rule may increase this valuation if investors value business
continuity and transition plans and hence increase the demand for
adviser services at a given fee, but the exact nature of this potential
shift and its impact on fees is unknown.\133\ On the supply side, if
advisers take investor fee sensitivity into account, under many
plausible competition scenarios in an adviser's market segment, it is
likely at least some of the cost increases of the proposed rule will be
passed on to clients and investors. However, if advisers incur costs
associated with changing fees, advisers may not pass on the costs of
the proposed rules until they cross some significant threshold. Since
we do not have data or other information concerning individual investor
fee sensitivities, how advisers take these into account, or the extent
to which advisers prefer to keep fees constant, the potential shift in
the supply of advisory service and its impact on fees is unknown.
---------------------------------------------------------------------------
\133\ See, e.g., John Haslem, Mutual Fund Heterogeneity and Fee
Dispersion, J. Wealth. Manag., Vol. 18, No. 1 (Summer 2015) at 41-
48, who argues that because preferences differ across investors, fee
sensitivity also varies across investors.
---------------------------------------------------------------------------
3. Effects on Efficiency, Competition, and Capital Formation
The Commission has also considered the effects of the proposed
rules on efficiency, competition, and capital formation. With respect
to efficiency, to the extent that a disruption were to prevent an
adviser from executing trades for several days, investors would be
unable to make any changes in their investment choices, leading to a
potentially inefficient allocation of their capital during this period.
To the extent that the proposed rules decrease the recovery time of a
disruption for an adviser that many market participants are relying on
when conducting their business, they could promote efficient pricing of
risk and thus efficient capital allocation during such an event.
The proposed rule also could affect competition in the advisory
industry. As discussed above, the costs of adopting plans that meet the
requirements of the proposed rule will vary depending on an adviser's
operations and the extent to which they have already implemented
business continuity and transition plans consistent with the rule. To
the extent that, in a given market segment, advisers with high adoption
costs compete for clients and investors against advisers with low
adoption costs, the proposed rule will disproportionally affect the
high adoption cost advisers. If some of these advisers are only
marginally
[[Page 43550]]
profitable, they may exit that market segment. Similarly, the proposed
rule could, on the margin, raise the barrier to entry for an adviser
that otherwise would have entered a given market segment. If the rule
results in either adviser exits or increased barriers to entry, reduced
competitive pressures could result in increased fees for clients and
investors.
Finally, the proposed rule may have a small but positive impact on
capital formation. Ex-ante, reducing risks to clients and investors
associated with business disruptions and transition events could
increase such clients' and investors' willingness to invest via
advisers, which could be beneficial to capital formation if advisers
are more skilled than those clients or investors at identifying sound
investment opportunities. In addition, to the extent that the rules
reduce any risk premium in assets associated with business disruptions
and transition events as discussed above, more robust business
continuity and transition plans could promote capital formation.
D. Reasonable Alternatives
In formulating our proposal, we have considered various reasonable
alternatives to certain individual elements of proposed new rule
206(4)-4 and the proposed amendments to rule 204-2. Those alternatives
are discussed below. We have also requested comments relating to
certain specific aspects of these alternatives, as noted above.
1. Require Public Availability of Business Continuity and Transition
Plans
First, the Commission could require that SEC-registered advisers
publicly disclose a summary of the plans required by the proposed rule
in their Form ADVs, and either additionally or as an alternative,
provide their business continuity and transition plans to clients upon
request. In addition, as an alternative to the recordkeeping
requirement, we could require registered advisers to file their
business continuity and transition plans (or a portion or summary
thereof) with the Commission.
Disclosing the plans or a summary of those plans, and the
operational and other risks addressed by such plans, could help
investors evaluate and compare the operational and other risks
associated with particular advisers. If investors could choose among
advisers in part based on the level of operational and other risk
advisers were willing to bear, advisers might be further incentivized
to plan for business disruption events. However, we understand that
such information could be considered proprietary by some advisers and
the public disclosure of business continuity and transition plans may
make advisers more vulnerable to attacks from third parties, such as
cybersecurity attacks that target the contingency plans laid out in an
adviser's business continuity and transition plan. Furthermore,
advisers would incur additional monetary costs associated with the
disclosure of the plans. Such costs associated would vary depending on
the type of disclosure required (e.g., filing with the Commission,
publication on the adviser's Web site, making the plans available upon
request, etc.) and whether the adviser currently makes its plans
available to clients.
In addition, instead of requiring certain components for business
continuity plans for all advisers, as in the proposed rule, the
Commission could continue imposing only the obligation generally set
forth as guidance under the Compliance Program Rule but require public
disclosure of any business continuity plans adopted pursuant to that
rule. As noted above, the proposed rule's enhanced requirements for
business continuity plans impose costs compared to the existing
baseline, depending on an adviser's current business continuity plans,
so this alternative would avoid the costs associated with complying
with the proposed rule. Still, advisers would incur other costs related
to disclosure of the existing business continuity plans, as noted
above, including the direct monetary costs of publishing or providing
the plans, as well as indirect costs such as those associated with
revealing the proprietary or sensitive business information identified
above.
Further, as discussed above, the non-public nature of existing
business continuity plans may be a contributing factor to the lack of
uniformly robust plans observed by Commission examiners. However, given
the other factors discussed above that may also contribute to the lack
of sufficiently robust plans among all advisers, the Commission
preliminarily believes that only requiring public disclosure of
existing business continuity plans without specifying certain
components that plans must contain may not fully address its concerns
that all advisers have not established sufficiently robust business
continuity plans. At the same time, the Commission preliminarily
believes that requiring business plans to address the components
identified in the proposed rule while not mandating that such plans
also be publicly disclosed will result in more uniformly robust plans
that address the Commission's concerns.
2. Require Business Continuity Plans and/or Transition Plans, But Do
Not Specify Required Components
The Commission could also specifically require advisers to adopt
business continuity plans and/or transition plans but be silent as to
the required components that such plans must contain to address
business disruptions and/or transition events.\134\ The proposed rule
requires advisers to adopt and implement a business continuity and
transition plan with policies and procedures reasonably designed to
address operational and other risks related to a significant disruption
in an adviser's operations (including policies and procedures
concerning business transition), while also identifying specific
components that such a plan must address. If, as an alternative, the
Commission required business continuity and transition plans but did
not identify any specific components the plans must address, registered
advisers would have complete flexibility in determining how to best
prepare for and respond to business disruptions and transition events.
For example, it is possible that certain required components for
business continuity and transition plans identified in the proposed
rule are less relevant to some advisers, but all advisers would be
required to address each of the components under the proposed rule. In
contrast, an alternative that did not require specific components be
addressed would enable advisers to tailor the plans to their specific
business needs, which could potentially result in cost and time-savings
compared to the proposed approach.
---------------------------------------------------------------------------
\134\ The Commission could take different approaches for
business disruptions and transition events. For example, the
Commission could either retain the currently proposed approach of
specifying certain components for addressing business disruptions or
impose more specific mechanisms for addressing certain risks
associated with business disruptions, as explained below, while not
specifying either the components or the specific mechanisms for
addressing transition events.
---------------------------------------------------------------------------
However, based on the Commission's experience with not providing
specific components a plan should address in the context of business
disruptions, under rule 206(4)-7, the Commission is concerned that some
registered advisers may not implement sufficiently robust plans to best
protect the interests of their clients and investors during a business
disruption or transition event if the Commission does not specify
[[Page 43551]]
certain components. In contrast, the Commission preliminarily believes
that the current proposed approach strikes an appropriate balance
between specifying certain components of business continuity and
transition planning that must be addressed while still providing
advisers with flexibility in how to address each of those components
and any other operational and other risks that may be relevant to the
adviser's operations. In addition, the Commission preliminarily
believes that advisers will achieve certain efficiencies in
simultaneously addressing both business disruptions and transition
events under the proposed approach, which may mitigate additional costs
imposed by the proposed approach.
3. Require Specific Mechanisms for Addressing Certain Risks in Every
Plan
As discussed above, we are proposing a rule that requires SEC-
registered advisers to address certain general components, but permits
them the flexibility to draft their business continuity and transition
plans based on the risks associated with their particular operations.
We could alternatively include in the rule prescriptive requirements
mandating precisely how registered advisers must address certain
specified risks related to either business disruptions or transition
events, or both.\135\
---------------------------------------------------------------------------
\135\ As noted above, the Commission could vary its approach for
business continuity and transition plans. Specifically, for both
business continuity plans and transition plans, the Commission could
either (1) retain the more flexible component-based approach
currently proposed, (2) mandate specific requirements for addressing
business disruptions/transition events, or (3) only require
``reasonably designed'' plans without specifying particular
components.
---------------------------------------------------------------------------
Specific, mandatory requirements could potentially reduce confusion
as to exactly how these advisers are expected to address business
disruptions and/or transition events. However, as discussed above, we
recognize that advisers' business models and operations vary and that
the manner in which each adviser's business continuity and transition
plan addresses a required element will depend upon the nature and
complexity of the adviser's business. Therefore, a prescriptive one-
size-fits-all rule mandating how all advisers must address certain
specified risks, including risks a particular business model and
operation would not be exposed to, could be inefficient and cause some
advisers to incur unnecessary costs by requiring them to address
requirements that are not relevant to their specific business. In
addition, a prescriptive rule provides less flexibility for registered
advisers to address new issues as they arise, particularly concerning
changes in technology, again potentially leading to inefficient
constraints on how registered advisers prepare for and address various
risks. Therefore, we preliminarily believe our proposed approach
strikes an appropriate balance between requiring that each adviser have
a business continuity and transition plan that addresses certain
required components we believe will help SEC-registered advisers to
appropriately plan for significant business disruptions and transition
events while, at the same time, allowing each adviser the necessary
flexibility in creating a business continuity and transition plan to
take into account the adviser's own unique operations, the nature and
complexity of its business, its clients, and its key personnel.
4. Vary the Requirements of the Proposed Rule for Different Subsets of
Registered Advisers
Additionally, instead of requiring that all SEC-registered advisers
adopt and implement the business continuity and transition plans with
the same exact components, we could vary those requirements by adviser.
For example, the Commission could provide that various requirements of
the rule only apply to a subset of registered advisers (e.g., advisers
over a certain asset threshold, advisers that are engaged in activities
that the Commission deems to be risky, advisers that are affiliated
with other financial industry participants, such as broker-dealers or
banks, etc.), or it could provide that certain advisers (such as
smaller advisers) are exempted from the rule entirely. As we have
discussed above, different types of advisers have different types of
operational and other risks and it is possible that requiring every
adviser to address each of the risks identified in the proposed rule,
even those that may be less likely for certain advisers, could result
in unnecessary costs for those advisers.
However, the overall purpose of the proposed rule is to provide
enhanced protection to clients and investors by requiring all
registered advisers to establish sufficiently robust plans, and
tailoring the rule to require different components for different types
of advisers may result in the interests of some clients and investors
not being adequately protected. Specifically, it is possible that, when
distinguishing different ``types'' of advisers, any boundaries drawn
would be imperfect and any groups of advisers identified by such a rule
would themselves not be homogenous, resulting in under or over-
inclusive groups. This could result in some clients and investors not
receiving adequate protections, while still imposing unnecessary costs
on others. In contrast, the proposed rule allows advisers the
flexibility to address each required component to the degree that
reflects the nature of each particular adviser's business. Accordingly,
the Commission believes that the proposed rule strikes an appropriate
balance in providing that protection while minimizing the costs of
compliance to advisers in ways that would not undermine the
Commission's regulatory goals.
E. Request for Comment
We request comment on our assumptions regarding the costs and
benefits of the proposed rule. We request comment on whether the
proposed rule, if adopted, would impose a burden on competition. We
also request comment on whether the proposed rule, if adopted, would
promote efficiency, competition, and capital formation. Commenters are
requested to provide empirical data to support their views. In addition
to our general request for comment on the costs and benefits of the
proposed amendments, we request the following specific comment on
certain aspects of our economic analysis.
To what extent would advisers and their clients and
investors benefit from business continuity and transition plans that
are required to contain certain specific components? Please explain.
Would advisers, and their clients and investors, benefit
more from requiring plans to address certain risks in a specified
manner, rather than providing for flexibility as in the proposed rule?
Do commenters expect that advisers would incur costs in
addition to, or that differ from, the costs we outlined above for both
one-time and ongoing costs? Please explain.
Would any of the effects and costs of the proposed rule be
large enough to affect the behavior of investment advisers or their
clients? For example:
[cir] Do commenters expect that some advisers may choose to exit
the market rather than incur the costs associated with compliance? If
so, what segment of the investment adviser market is this mostly likely
to be seen in and how many exiting advisers should we expect? Please
explain.
[cir] Will the costs to clients, in the form of increased fees,
result in some clients no longer employing the services of advisers? If
so, what types of clients would be most likely to take such actions?
Please explain.
[[Page 43552]]
Do commenters believe that the alternatives the Commission
considered are appropriate? Are there other reasonable alternatives
that the Commission should consider? If so, please provide additional
alternatives and how their costs and benefits would compare to the
proposal.
Do commenters believe that the analysis of the associated
costs and benefits of the alternatives is accurate? If not, please
provide more accurate costs and benefits, including any data or
statistics that supports those costs and benefits.
III. Paperwork Reduction Act
The proposed rule and rule amendments under the Advisers Act
contain ``collections of information'' within the meaning of the
Paperwork Reduction Act of 1995 (``PRA'').\136\ The title for the new
collection of information is ``Rule 206(4)-4.'' In addition, the
proposed amendments to rule 204-2 would impact the currently approved
collection of information titled ``Rule 204-2,'' under OMB control
number 3235-0278. These collections of information are mandatory for
all investment advisers registered with the Commission. The Commission
is submitting these collections of information to the OMB for review in
accordance with 44 U.S.C. 3507 (d) and 5 CFR 1320.11. An agency may not
conduct or sponsor, and a person is not required to respond to, a
collection of information unless it displays a currently valid control
number.
---------------------------------------------------------------------------
\136\ 44 U.S.C. 3501 through 3521.
---------------------------------------------------------------------------
The collection of information under rule 206(4)-4 is designed to
increase the likelihood that advisers are as prepared as possible to
continue operations on an ongoing basis and to meet client expectations
and legal obligations in the event of a significant disruption to their
operations. The respondents are investment advisers registered with the
Commission. Responses provided to the Commission in the context of its
examination and oversight program are generally kept confidential.\137\
---------------------------------------------------------------------------
\137\ See section 210(b) of the Advisers Act.
---------------------------------------------------------------------------
The collection of information under rule 204-2 is necessary for the
Commission staff to use in its examination and oversight program. The
respondents are investment advisers registered with us. Responses
provided to the Commission in the context of its examination and
oversight program are generally kept confidential.\138\ The records
that an adviser must keep in accordance with the proposed rule must be
retained for at least five years.\139\
---------------------------------------------------------------------------
\138\ See section 210(b) of the Advisers Act.
\139\ See proposed rule 204-2(a)(20).
---------------------------------------------------------------------------
A. The Proposed Rules
1. Rule 206(4)-4
As discussed in section II, we estimate that each adviser would
include one-time initial costs to adopt and implement a written
business continuity and transition plan, as well as ongoing plan-
related costs. There are currently approximately 11,956 investment
advisers registered with us.\140\ We estimate that advisers will spend
between 50 to 500 hours to initially adopt and implement a business
continuity and transition plan depending on the nature of an adviser's
current business continuity plan and the complexity of its operations.
This range is comprised of our estimates that a representative smaller
adviser (defined in this PRA as advisers with less than $100 million in
assets under management) would spend 50 hours on this initial effort at
a cost of $12,515,\141\ a representative mid-sized adviser (defined in
this PRA as advisers with at least $100 million in assets under
management but less than $1 billion) would spend 250 hours on this
initial effort at a cost of $70,045,\142\ and a representative larger
adviser (defined in this PRA as advisers with at least $1 billion in
assets under management) would spend 500 hours on this initial effort
at a cost of $147,310.\143\ As discussed in section II, exact costs for
any given adviser would depend on the facts and circumstances of the
adviser's operations and the comprehensiveness of its existing plan.
Aggregating the estimates above for all advisers, however, yields a
total industry-wide initial hourly burden of 3,404,600 \144\ (as
monetized, is equivalent to a one-time aggregate burden of
approximately $974.6 million).\145\ Amortized over a three-year period,
this would be an annual hourly burden of 95 per adviser\146\ (as
monetized, is equivalent to an annual amortized burden per adviser of
$27,172).\147\
---------------------------------------------------------------------------
\140\ This is the number of investment advisers registered with
us on our IARD System as of January 4, 2016.
\141\ This estimate is based on the following calculations: 25
hours x $288 (hourly rate for a compliance manager) = $7,200; 20
hours x $127 (hourly rate for an operations specialist) = $2,540; 5
hours x $555 (hourly rate for a deputy general counsel) = $2,775.
$7,200 + $2,540 + 2,775 = $12,515. The hourly wages used are from
SIFMA's Management & Professional Earnings in the Securities
Industry 2013, modified to account for an 1800-hour work-year and
inflation (as of January 2016) and multiplied by 5.35 to account for
bonuses, firm size, employee benefits, and overhead.
\142\ This estimate is based on the following calculations: 75
hours x $288 (hourly rate for a compliance manager) = $21,600; 60
hours x $127 (hourly rate for an operations specialist) = $7,620; 15
hours x $555 (hourly rate for a deputy general counsel) = $8,325; 50
hours x $264 (hourly rate for a senior systems analyst) = $13,200;
50 hours x $386 (hourly rate for an attorney) = $19,300. $21,600 +
$7,620 + $8,325 + $13,200 + $19,300 = $70,045. The hourly wages used
are from SIFMA's Management & Professional Earnings in the
Securities Industry 2013, modified to account for an 1800-hour work-
year and inflation (as of January 2016) and multiplied by 5.35 to
account for bonuses, firm size, employee benefits, and overhead.
\143\ This estimate is based on the following calculations: 100
hours x $288 (hourly rate for a compliance manager) = $28,800; 80
hours x $127 (hourly rate for an operations specialist) = $10,160;
20 hours x $555 (hourly rate for a deputy general counsel) =
$11,100; 65 hours x $264 (hourly rate for a senior systems analyst)
= $17,160; 65 hours x $386 (hourly rate for an attorney) = $25,090;
30 hours x $410 (hourly rate for a computer operations department
manager) = $12,300; 30 hours x $271 (hourly rate for a financial
reporting manager) = $8,130; 40 hours x $340 (hourly rate for a
senior operations manager) = $13,600; 30 hours x $255 (hourly rate
for a senior business analyst) = $7,650; 40 hours x $333 (hourly
rate for a senior risk management specialist) = $13,320. $28,800 +
$10,160 + $11,100 + $17,160 + $25,090 + $12,300 + $8,130 + $13,600 +
$7,650 + $13,320 = $147,310. The hourly wages used are from SIFMA's
Management & Professional Earnings in the Securities Industry 2013,
modified to account for an 1800-hour work-year and inflation (as of
January 2016) and multiplied by 5.35 to account for bonuses, firm
size, employee benefits, and overhead.
\144\ This estimate is based on the following calculations:
(2,032 smaller advisers x 50 hours) + (6,636 mid-sized advisers x
250 hours) + (3,288 larger advisers x 500 hours) = 3,404,600 hours.
\145\ This estimate is based on the following calculation:
(2,032 smaller advisers x $12,515) + (6,636 mid-sized advisers x
$70,045) + (3,288 larger advisers x $147,310) = $974.6 million.
\146\ This estimate is based on the following calculations:
3,404,600 hours/3 years = 1,134,867 hours per year. 1,134,867 hours/
11,956 advisers = 95 hours per year per adviser.
\147\ This estimate is based on the following calculations:
$974.6 million/3 years = $324.87 million per year. $324.87 million/
11,956 advisers = $27,172 per year per adviser.
---------------------------------------------------------------------------
We also anticipate that some advisers may consult with outside
legal counsel and/or other outside professionals to assist in drafting
policies and procedures and/or to assist in evaluating particular
components of a plan. We estimate that the costs associated with such
an engagement would include fees for approximately 10 hours for smaller
firms, 30 hours for a mid-sized firm, and 50 hours for a larger firm,
at an average rate of $400 per hour (estimated hourly rate for outside
legal services).\148\ Consequently, for a smaller firm we estimate a
total of $4,000 in outside fees
[[Page 43553]]
for each smaller firm,\149\ $12,000 for each medium firm,\150\ and
$20,000 for each larger firm.\151\ Aggregating these estimates for all
advisers, yields a total industry wide initial cost burden of $153.5
million attributable to engaging outside legal services for assistance
in initially drafting and implementing the BCP.\152\ Amortized over a
three-year period, this would be an initial annual cost burden per
adviser of $4,282.\153\
---------------------------------------------------------------------------
\148\ We recognize that the costs of retaining outside
professionals may vary depending on the nature of the professional
services, but for purposes of this PRA analysis we estimate that
such costs would be similar to the costs of outside legal services.
\149\ This estimate is based on the following calculation: 10
hours x $400 = $4,000.
\150\ This estimate is based on the following calculation: 30
hours x $400 = $12,000.
\151\ This estimate is based on the following calculation: 50
hours x $400 = $20,000.
\152\ This estimate is based on the following calculation:
($4,000 per smaller adviser x 2,032 smaller advisers) + ($12,000 per
mid-sized adviser x 6,636 mid-sized advisers) + ($20,000 per larger
adviser x 3,288 larger advisers) = $153.5 million.
\153\ This estimate is based on the following calculations:
$153.5 million/3 years = $51.2 million per year. $51.2 million/
11,956 advisers = $4,282 per adviser.
---------------------------------------------------------------------------
In addition to the initial burden, an adviser would incur ongoing,
annual costs associated with its business continuity and transition
plan, including the adviser annually reviewing the adequacy of its
business continuity and transition plan and the effectiveness of its
implementation. Based on staff experience, we estimate these ongoing
costs would total approximately 25% of an adviser's initial costs.
Accordingly, we estimate that a representative smaller adviser would
spend 12.5 hours annually on this effort internally (as monetized, is
equivalent to an annual burden of $3,129) while incurring outside costs
of $1,000,\154\ a representative mid-sized adviser would spend 62.5
hours annually on this effort internally (as monetized, is equivalent
to an annual burden of $17,511) while incurring outside costs of
$3,000,\155\ and a representative larger adviser would spend 125 hours
annually on this effort internally (as monetized, is equivalent to an
annual burden of $36,828) while incurring outside costs of $5,000.\156\
Aggregating the estimates above for all advisers yields a total
industry-wide ongoing annual burden of approximately 851,150 hours (as
monetized, is equivalent to an annual burden of $243.65 million) \157\
plus outside costs of $38.4 million.\158\ This translates to an annual
burden per adviser of 71.2 hours (as monetized, is equivalent to an
annual burden of $20,379) and $3,212.\159\
---------------------------------------------------------------------------
\154\ This estimate is based on the following calculations: 0.25
x 50 hours = 12.5 hours. 0.25 x $12,515 = $3,129. 0.25 x $4,000 =
$1,000.
\155\ This estimate is based on the following calculations: 0.25
x 250 hours = 62.5 hours. 0.25 x $70,045 = $17,511. 0.25 x $12,000 =
$3,000.
\156\ This estimate is based on the following calculations: 0.25
x 500 hours = 125 hours. 0.25 x $147,310 = $36,828. 0.25 x $20,000 =
$5,000.
\157\ This estimate is based on the following calculations:
(2,032 smaller advisers x 12.5 hours) + (6,636 mid-sized advisers x
62.5 hours) + (3,288 larger advisers x 125 hours) = 851,150 hours.
(2,032 smaller advisers x $3,129) + (6,636 mid-sized advisers x
$17,511) + (3,288 larger advisers x $36,828) = $243.65 million.
\158\ This estimate is based on the following calculation:
(2,032 smaller advisers x $1,000) + (6,636 mid-sized advisers x
$3,000) + (3,288 larger advisers x $5,000) = $38.4 million.
\159\ This estimate is based on the following calculations:
851,150 hours/11,956 advisers = 71.2 hours per adviser. $243.65
million/11,956 advisers = $20,379 per adviser. $38.4 million/11,956
advisers = $3,212 per adviser.
---------------------------------------------------------------------------
2. Rule 204-2
The currently-approved total annual burden estimate for rule 204-2
is 1,986,152 hours. This burden estimate was based on estimates that
10,946 advisers were subject to the rule, and each of these advisers
spends an average of 181.45 hours preparing and preserving records in
accordance with the rule. Based on updated data as of January 4, 2016,
there are 11,956 registered investment advisers.\160\ This increase in
the number of registered investment advisers increases the total burden
hours of current rule 204-2 from 1,986,152 to 2,169,417, an increase of
183,265 hours.\161\
---------------------------------------------------------------------------
\160\ See supra note 140 and accompanying text.
\161\ This estimate is based on the following calculations:
(11,956 advisers - 10,946 advisers) * 181.45 hours = 183,265 hours;
183,265 hours + 1,986,152 hours = 2,169,417 hours.
---------------------------------------------------------------------------
The proposed amendments to rule 204-2 would require a registered
investment adviser to maintain copies of the written business
continuity and transition plans drafted under proposed rule 206(4)-4.
In addition, the proposed amendments would require a registered
investment adviser to retain copies of any records documenting the
adviser's annual review of its policies and procedures under proposed
rule 206(4)-4.
Based on staff experience, we estimate that the proposed amendments
to rule 204-2 would increase each registered investment adviser's
average annual collection burden under rule 204-2 by 2 hours, from
181.45 hours to 183.45 hours,\162\ and would thus increase the annual
aggregate burden for rule 204-2 by 23,912 hours,\163\ from 2,169,417
hours to 2,193,328 hours.\164\ As monetized, the estimated burden for
each registered investment adviser's average annual burden under rule
204-2 would increase by approximately $150,\165\ which would increase
the estimated monetized aggregate annual burden for rule 204-2 by
$1,793,325, from $162,706,275 to $164,499,600.\166\ We estimate that
there are no external costs associated with this collection of
information under the proposed amendments to rule 204-2.
---------------------------------------------------------------------------
\162\ This estimate is based on the following calculation:
181.45 existing hours + 2 new hours = 183.45 hours.
\163\ This estimate is based on the following calculation:
11,956 advisers x 2 hours = 23,912 hours.
\164\ This estimate is based on the following calculation:
11,956 advisers x 183.45 hours = 2,193,328 hours.
\165\ This estimate is based on the following calculation: 2
hours x $75 (hourly rate for an administrative assistant) = $150.
The hourly wage used is from SIFMA's Management & Professional
Earnings in the Securities Industry 2013, modified to account for an
1800-hour work-year and inflation (as of January 2016) and
multiplied by 5.35 to account for bonuses, firm size, employee
benefits, and overhead.
\166\ This estimate is based on the following calculations:
2,169,417 hours x $75 = $162,706,275. 2,193,328 hours x $75 =
$164,499,600. $164,499,600-$162,706,275 = $1,793,325.
---------------------------------------------------------------------------
B. Request for Comment
We request comment on whether our estimates for burden hours and
any external costs as described above are reasonable. Pursuant to 44
U.S.C. 3506(c)(2)(B), the Commission solicits comments in order to: (1)
Evaluate whether the proposed collections of information are necessary
for the proper performance of the function of the Commission, including
whether the information will have practical utility; (2) evaluate the
accuracy of the Commission's estimate of the burden of the proposed
collections of information; (3) determine whether there are ways to
enhance the quality, utility, and clarity of the information to be
collected; and (4) determine whether there are ways to minimize the
burden of the collections of information on those who are to respond,
including through the use of automated collection techniques or other
forms of information technology.
The agency has submitted the proposed collection of information to
OMB for approval. Persons wishing to submit comments on the collection
of information requirements of the proposed amendments should direct
them to the Office of Management and Budget, Attention Desk Officer for
the Securities and Exchange Commission, Office of Information and
Regulatory Affairs, Washington, DC 20503, and should send a copy to
Brent J. Fields, Secretary, Securities and Exchange Commission, 100 F
Street NE., Washington, DC 20549-1090, with reference to File No. S7-
13-16. OMB is required to make a decision concerning the collections of
information between 30 and 60 days after publication of this release;
therefore, a comment to OMB is
[[Page 43554]]
best assured of having its full effect if OMB receives it within 30
days after publication of this release. Requests for materials
submitted to OMB by the Commission with regard to these collections of
information should be in writing, refer to File No. S7-13-16, and be
submitted to the Securities and Exchange Commission, Office of FOIA
Services, 100 F Street NE., Washington, DC 20549-2736.
IV. Initial Regulatory Flexibility Analysis
The Commission has prepared the following Initial Regulatory
Flexibility Analysis (``IRFA'') in accordance with section 3(a) of the
Regulatory Flexibility Act \167\ regarding our proposed rule 206(4)-4
and proposed amendments to rule 204-2.
---------------------------------------------------------------------------
\167\ 5 U.S.C. 603(a).
---------------------------------------------------------------------------
A. Reasons for and Objectives of the Proposed Actions
Based on staff observations, we are concerned about the adequacy of
some advisers' plans to address operational and other risks associated
with business resiliency. Establishing strong operational controls that
manage these risks, including the risks associated with business
continuity and transition, are important practices and should increase
the likelihood that advisers are as prepared as possible to continue
operations on an ongoing basis and to meet client expectations and
legal obligations in the event of a significant disruption in their
operations. Accordingly, proposed rule 206(4)-4 would require SEC-
registered advisers to adopt and implement written business continuity
and transition plans reasonably designed to address operational and
other risks related to a significant disruption in the investment
adviser's operations.
We also are proposing specific components be included in such plans
in order to address certain disparate practices the staff has
previously observed during examinations and to facilitate robust
business continuity and transition planning across all SEC-registered
advisers. In addition, the proposed rule would require advisers to
review their business continuity and transition plans at least annually
in order to ensure that advisers are examining the continued adequacy
and effectiveness of their plans on an ongoing basis.
The proposed amendments to rule 204-2 would require advisers to
make and keep all business continuity and transition plans that are in
effect or were in effect at any time within the past five years. The
proposed amendments would help advisers have easy access to necessary
information during periods of stress.
B. Legal Basis
Proposed rule 206(4)-4 is designed to address certain disparate
practices our staff has previously observed during its examinations and
to facilitate robust business continuity and transition planning across
all SEC-registered advisers.
The Commission is proposing new rule 206(4)-4 and amendments to
rule 204-2 under the rulemaking authority set forth in sections 204,
206(4) and 211(a) of the Advisers Act [15 U.S.C. 80b-4(b), 80b-6(4),
and 80b-11(a)].
C. Small Entities Subject to the Rule and Rule Amendments
In developing these proposals, we have considered their potential
impact on small entities that would be subject to proposed new rule
206(4)-4 and the proposed amendments to rule 204-2. The proposed new
rule and the proposed amendments would affect all advisers registered
with the Commission, including certain small entities. Under Commission
rules, for the purposes of the Advisers Act and the Regulatory
Flexibility Act, an investment adviser generally is a small entity if
it: (1) Has assets under management having a total value of less than
$25 million; (2) did not have total assets of $5 million or more on the
last day of the most recent fiscal year; and (3) does not control, is
not controlled by, and is not under common control with another
investment adviser that has assets under management of $25 million or
more, or any person (other than a natural person) that had total assets
of $5 million or more on the last day of its most recent fiscal
year.\168\
---------------------------------------------------------------------------
\168\ Rule 0-7(a) under the Advisers Act.
---------------------------------------------------------------------------
The proposed new rule and the proposed amendments would not apply
to most advisers that are small entities (``small advisers'') because
small advisers are generally registered with one or more state
securities authorities instead of with the Commission.\169\ Based on
IARD data, however, we estimate that as of January 4, 2016,
approximately 515 small advisers are registered with the
Commission.\170\ Because these small advisers are registered, they,
like all SEC-registered investment advisers, would all be subject to
proposed new rule 206(4)-4 and the proposed amendments to rule 204-2.
---------------------------------------------------------------------------
\169\ See section 203A of the Advisers Act, prohibiting most
small advisers from registering with the Commission.
\170\ Based on SEC-registered investment adviser responses to
Form ADV, Item 5.F and Item 12.
---------------------------------------------------------------------------
D. Projected Reporting, Recordkeeping and Other Compliance Requirements
Proposed new rule 206(4)-4 and the proposed amendments to rule 204-
2 would impose certain recordkeeping and other compliance requirements
on all Commission-registered advisers, including Commission-registered
small advisers. Proposed rule 206(4)-4 would require advisers to adopt
and implement written business continuity and transition plans
reasonably designed to address operational and other risks related to a
significant disruption in the investment adviser's operations. The
proposed amendments to rule 204-2 would require advisers to make and
keep all business continuity and transition plans that are in effect or
were in effect at any time within the past five years.
1. Rule 206(4)-4
As discussed in section II, we estimated that each adviser would
incur one-time costs to adopt and implement a written business
continuity and transition plan, as well as ongoing plan-related costs.
As noted above, there are currently approximately 515 small advisers
registered with the Commission. We estimate that each small adviser
would incur an average initial burden of 50 hours associated with
adopting and implementing a written business continuity and transition
plan at a cost of $12,515.\171\ Aggregating the estimated burden for
all small advisers yields a total initial hourly burden of 25,750 \172\
(as monetized, is equivalent to a one-time aggregate burden of
approximately $6,445,225).\173\ Amortized over a three-year period,
this would be an annual hourly burden of 16.7 per small adviser \174\
(as monetized, is equivalent to an annual amortized burden per small
adviser of $4,172).\175\
---------------------------------------------------------------------------
\171\ See supra note 141 (discussing the estimated initial cost
burden associated with a representative smaller adviser).
\172\ This estimate is based on the following calculation: 515
small advisers x 50 hours = 25,750 hours.
\173\ This estimate is based on the following calculation: 515
small advisers x $12,515 = $6,445,225.
\174\ This estimate is based on the following calculation: 50
hours/3 years = 16.7 hours per year.
\175\ This estimate is based on the following calculations:
$12,515/3 years = $4,172 per year.
---------------------------------------------------------------------------
Our staff also anticipates that some small advisers may consult
with outside legal counsel and/or other outside professionals to assist
in drafting policies and procedures and/or to provide assistance in
evaluating
[[Page 43555]]
particular components of a plan. We estimate that the costs associated
with such an engagement would include fees for approximately 10 hours
for small firms at a rate of $400 per hour.\176\ Consequently, for a
representative smaller firm we estimate a total of $4,000 in outside
fees.\177\ Amortized over a three-year period, this would be an annual
burden per small adviser of $1,333.\178\ Accordingly, we estimate that
the total annual initial burden on 515 small advisers for adopting and
implementing a written business continuity and transition plan would be
$686,495.\179\
---------------------------------------------------------------------------
\176\ See supra note 148 and accompanying text.
\177\ This estimate is based on the following calculation: 10
hours x $400 per hour = $4,000.
\178\ This estimate is based on the following calculation:
$4,000/3 years = $1,333 per year.
\179\ This estimate is based on the following calculations: 515
small advisers x $1,333 = $686,495.
---------------------------------------------------------------------------
In addition to the initial burden, a small adviser would incur
ongoing, annual costs associated with its business continuity and
transition plan, including the adviser annually reviewing the adequacy
of its business continuity plan and the effectiveness of its
implementation. Based on staff experience, we estimate that these
ongoing costs would total approximately 25% of a small adviser's
initial costs. Accordingly, we estimate that each small adviser would
spend 12.5 hours annually on this effort internally while incurring
outside costs of $1,000.\180\ Aggregating the estimates above for 515
small advisers yields a total ongoing annual burden on small advisers
of approximately 6,438 hours \181\ plus outside costs of $515,000.\182\
---------------------------------------------------------------------------
\180\ This estimate is based on the following calculations: 0.25
x 50 hours = 12.5 hours. 0.25 x $4,000 = $1,000.
\181\ This estimate is based on the following calculation: 12.5
hours x 515 advisers = 6,438 hours.
\182\ This estimate is based on the following calculation:
$1,000 x 515 advisers--$515,000.
---------------------------------------------------------------------------
2. Rule 204-2
The currently-approved annual aggregate information collection
burden under rule 204-2 is 1,986,152 hours. This approved annual
aggregate burden was based on estimates that 10,946 advisers were
subject to the rule, of which 478 were small advisers, and each of
these advisers spends an average of 181.45 hours preparing and
preserving records in accordance with the rule. Based upon updated data
as of January 4, 2016, there are 11,956 registered investment
advisers,\183\ of which 515 are small advisers.\184\ The increase in
the number of registered small advisers increases the total burden
hours of current rule 204-2 on small advisers from 86,733 hours to
93,447 hours, an increase of 6,714 hours.\185\
---------------------------------------------------------------------------
\183\ See supra note 140 and accompanying text.
\184\ See supra note 170 and accompanying text.
\185\ This estimate is based on the following calculations: 515
small advisers x 181.45 hours = 93,447 hours. 478 small advisers x
181.45 hours = 86,733 hours. 93,447 - 86,733 = 6,714.
---------------------------------------------------------------------------
The proposed amendments to rule 204-2 would require a registered
investment adviser to maintain copies of the written business
continuity and transition plans drafted under proposed rule 206(4)-4.
In addition, the proposed amendments would require a registered
investment adviser to retain copies of any records documenting the
adviser's annual review of its policies and procedures under proposed
rule 206(4)-4.
Based on staff experience, we estimate that the proposed amendments
to rule 204-2 would increase each registered investment adviser's
average annual collection burden under rule 204-2 by 2 hours, from
181.45 hours to 183.45 hours,\186\ and would thus increase the annual
aggregate burden for rule 204-2 by 1,030 hours,\187\ from 93,447 hours
to 94,477 hours.\188\ As monetized, the estimated burden for each
registered investment adviser's average annual burden under rule 204-2
would increase by approximately $150,\189\ which would increase the
estimated monetized aggregate annual burden for rule 204-2 by $77,250,
from $7,008,525 to $7,085,775.\190\ We estimate that there are no
external costs associated with this collection of information under the
proposed amendments to rule 204-2.
---------------------------------------------------------------------------
\186\ This estimate is based on the following calculation:
181.45 existing hours + 2 new hours = 183.45 hours.
\187\ This estimate is based on the following calculation: 515
small advisers x 2 hours = 1,030 hours.
\188\ This estimate is based on the following calculation: 515
small advisers x 183.45 hours = 94,477 hours.
\189\ This estimate is based on the following calculation: 2
hours x $75 (hourly rate for an administrative assistant) = $150.
The hourly wage used is from SIFMA's Management & Professional
Earnings in the Securities Industry 2013, modified to account for an
1800-hour work-year and inflation (as of January 2016) and
multiplied by 5.35 to account for bonuses, firm size, employee
benefits, and overhead.
\190\ This estimate is based on the following calculations:
93,447 hours x $75 = $7,008,525. 94,477 hours x $75 = $7,085,775.
$7,085,775 - $7,008,525 = $77,250.
---------------------------------------------------------------------------
E. Duplicative, Overlapping, or Conflicting Federal Rules
We believe there are no federal rules that duplicate, overlap, or
conflict with proposed new rule 206(4)-4 and the proposed amendments to
rule 204-2. The written business continuity and transition plans that
would be required by the proposed new rule would include certain
policies and procedures already generally required by other rules under
the federal securities laws, but the proposed new rule would not
require these policies and procedures to be duplicated. Some of the
records an adviser would be required to maintain under the proposed
amendments to rule 204-2 also may be required records under the general
recordkeeping provisions of rule 204-2 of the Advisers Act, but such
overlap would be limited and the Commission would not require the
adviser to maintain duplicate copies.
F. Significant Alternatives
In formulating our proposal, we have considered various reasonable
alternatives to the individual elements of proposed new rule 206(4)-4
and the proposed amendments to rule 204-2, specifically as they relate
to accomplishing our stated objectives while minimizing any significant
economic impact on small entities. The alternatives most relevant to
small advisers are discussed below. We have also requested comment
relating to certain specific aspects of these and other alternatives
above.\191\
---------------------------------------------------------------------------
\191\ See supra section I.C.1.f.
---------------------------------------------------------------------------
The Commission considered exempting small advisers from the
proposal entirely. The Commission also considered setting forth
different business continuity and transition plan requirements for
small advisers. However, because small advisers generally face the same
types of transition and business continuity issues as larger advisers,
although on a smaller scale, we believe small advisers should be
subject to the proposed rule to the same extent as larger advisers and
be allowed to tailor their business continuity and transition plans to
the scope of their business. The proposed rule allows each adviser the
necessary flexibility in creating a business continuity and transition
plan to take into account the adviser's own unique operations, the
nature and complexity of its business, its clients, and its key
personnel, and we believe that such flexibility may result in small
advisers incurring less costs to comply.\192\
---------------------------------------------------------------------------
\192\ See supra section III.A.1, discussing the lower estimated
cost burdens, both initial and ongoing, associated with smaller
advisers as compared to larger advisers.
---------------------------------------------------------------------------
G. Solicitation of Comments
We encourage written comments on matters discussed in this IRFA. We
solicit comment on the number of small entities subject to the proposed
rule and
[[Page 43556]]
whether the proposed rule discussed in this release could have an
effect on small entities that has not been considered. We request that
commenters describe the nature of any impact on small entities and
provide empirical data to support the extent of such impact.
V. Consideration of Impact on the Economy
For purposes of the Small Business Regulatory Enforcement Fairness
Act of 1996, or ``SBREFA,'' \193\ we must advise OMB whether a proposed
regulation constitutes a ``major'' rule. Under SBREFA, a rule is
considered ``major'' where, if adopted, it results in or is likely to
result in (1) an annual effect on the economy of $100 million or more;
(2) a major increase in costs or prices for consumers or individual
industries; or (3) significant adverse effects on competition,
investment or innovation.
---------------------------------------------------------------------------
\193\ Public Law 104-121, Title II, 110 Stat. 857 (1996)
(codified in various sections of 5 U.S.C., 15 U.S.C. and as a note
to 5 U.S.C. 601).
---------------------------------------------------------------------------
We request comment on the potential impact of the proposed rule on
the economy on an annual basis. Commenters are requested to provide
empirical data and other factual support for their views to the extent
possible.
VI. Statutory Authority
The Commission is proposing new rule 206(4)-4 and amendments to
rule 204-2 under the rulemaking authority set forth in sections 204,
206(4) and 211(a) of the Advisers Act [15 U.S.C. 80b-4, 80b-6(4), and
80b-11(a)].
List of Subjects in 17 CFR Part 275
Investment advisers, Reporting and recordkeeping requirements.
Text of Proposed Rule Amendments
For reasons set out in the preamble, title 17, chapter II of the
Code of Federal Regulations is proposed to be amended as follows:
PART 275--RULES AND REGULATIONS, INVESTMENT ADVISERS ACT OF 1940
0
1. The authority citation for part 275 continues to read, in part, as
follows:
Authority: 15 U.S.C. 80b-2(a)(11)(G), 80b-2(a)(11)(H), 80b-
2(a)(17), 80b-3, 80b-4, 80b-4a, 80b-6(4), 80b-6a, and 80b-11, unless
otherwise noted.
* * * * *
Section 275.204-2 is also issued under 15 U.S.C. 80b-6.
* * * * *
0
2. Section 275.204-2 is amended by:
0
a. Reserving paragraph (a)(19);
0
b. Adding paragraph (a)(20); and
0
c. Revising paragraph (e)(1).
The addition and revision read as follows:
Sec. 275.204-2 Books and records to be maintained by investment
advisers.
(a) * * *
(20)(i) A copy of the investment adviser's business continuity and
transition plan formulated pursuant to Sec. 275.206(4)-4 that is in
effect, or at any time within the past five years was in effect;
(ii) Any records documenting the investment adviser's annual review
of the business continuity and transition plan conducted pursuant to
Sec. 275.206(4)-4(b).
* * * * *
(e)(1) All books and records required to be made under the
provisions of paragraphs (a) through (c)(1)(i), and (c)(2) of this
section (except for books and records required to be made under the
provisions of paragraphs (a)(11), (a)(12)(i), (a)(12)(iii),
(a)(13)(ii), (a)(13)(iii), (a)(16), (a)(17)(i), and (a)(20)(i) of this
section), shall be maintained and preserved in an easily accessible
place for a period of not less than five years, from the end of the
fiscal year during which the last entry was made on such record, the
first two years in an appropriate office of the investment adviser.
* * * * *
0
3. Section 275.206(4)-4 is added to read as follows:
Sec. 275.206(4)-4 Investment adviser business continuity and
transition plan.
(a) Prohibition. If you are an investment adviser registered or
required to be registered under section 203 of the Act (15 U.S.C. 80b-
3), it shall be unlawful within the meaning of section 206 of the Act
(15. U.S.C. 80b-6) for you to provide investment advice to your clients
unless you:
(1) Business continuity and transition plan. Adopt and implement a
written business continuity and transition plan; and
(2) Annual review. Review, no less frequently than annually, the
adequacy of the business continuity and transition plan and the
effectiveness of its implementation.
(b) Content of business continuity and transition plan. (1) For
purposes of this section, the term business continuity and transition
plan means policies and procedures reasonably designed to address
operational and other risks related to a significant disruption in the
investment adviser's operations, including policies and procedures
concerning:
(i) Business continuity after a significant business disruption;
and
(ii) Business transition in the event the investment adviser is
unable to continue providing investment advisory services to clients.
(2) The content of a business continuity and transition plan shall
be based upon risks associated with the adviser's operations and shall
include policies and procedures designed to minimize material service
disruptions, including policies and procedures that address the
following:
(i) Maintenance of critical operations and systems, and the
protection, backup, and recovery of data, including client records;
(ii) Pre-arranged alternate physical location(s) of the adviser's
office(s) and/or employees;
(iii) Communications with clients, employees, service providers,
and regulators;
(iv) Identification and assessment of third-party services critical
to the operation of the adviser; and
(v) Plan of transition that accounts for the possible winding down
of the investment adviser's business or the transition of the
investment adviser's business to others in the event the investment
adviser is unable to continue providing investment advisory services,
that includes the following:
(A) Policies and procedures intended to safeguard, transfer, and/or
distribute client assets during transition;
(B) Policies and procedures facilitating the prompt generation of
any client-specific information necessary to transition each client
account;
(C) Information regarding the corporate governance structure of the
adviser;
(D) Identification of any material financial resources available to
the adviser; and
(E) An assessment of the applicable law and contractual obligations
governing the adviser and its clients, including pooled investment
vehicles, implicated by the adviser's transition.
By the Commission.
Dated: June 28, 2016.
Brent J. Fields,
Secretary.
[FR Doc. 2016-15675 Filed 7-1-16; 8:45 am]
BILLING CODE 8011-01-P