IA BRIEF-SEC identifies compliance side effects from operating during COVID-19

NEW YORK (Thomson Reuters Regulatory Intelligence) – *To read more by the Thomson Reuters Regulatory Intelligence team click here: bit.ly/TR-RegIntel


As investment advisers continue to develop new ways to cope with COVID-19, “new challenges may arise from the solutions,” U.S. compliance professionals were told at a recent U.S. Securities and Exchange Commission outreach seminar.

“This is an evolving situation and we will remain cognizant of the reality on the ground,” Peter Driscoll, director of the SEC’s Office of Compliance Inspections and Examinations, told the event last month.

The COVID-19 pandemic has forced investment advisers to follow local stay-at-home mandates while continuing to offer advisory services to their clients. Many firms were required to quickly adapt to new processes and online tools and implement pre-existing business continuity or disaster plans.

But in the pandemic, new compliance considerations may be required, including implementing processes such as remote due diligence for service providers and sub-advisers and revising technology to address business or compliance needs, Driscoll said.

A review of the risks highlighted by Driscoll (go-ri.tr.com/JWBXzv) and other speakers at the event can help prepare for upcoming exams and help manage an advisory’s compliance program during the pandemic.


The role of due diligence may be more important during the COVID-19 pandemic, as firms have been forced to rely more on third parties to help them continue offering advisory services as they work remotely. Any vendor risk management program now needs a particular focus on pandemic compliance risks.

Not only is the process different, but the products or services acquired via third parties may also be new, and diligence priorities may need revising. For example, the initial and ongoing due diligence for electronic-signature and document systems and online conferencing software must now be a high priority and will mostly continue throughout the pandemic.

Firms must consider the ability to access and use the systems remotely, training on the systems, ease of use by the representatives and the level of security protocols. Generally, third-party security protocols must be equal to or higher than those of the adviser.

Besides due diligence, a firm’s vendor-risk management program will address topics including vendor inventory, monitoring and the re-evaluation of the vendors.

Due diligence performed remotely can be complicated by stay-at-home orders and displaced third-party staff. This is especially true when it comes to the due diligence of sub-advisers. The selection and level of due diligence of sub-advisers must mirror the process pre-pandemic, but work within the current limitations.

Most likely, firms seeking to develop an alternative strategy can turn to electronic document software and online conferencing tools to help perform the diligence reviews.

For exam purposes, a firm that uses sub-advisers may create a written plan in conjunction with their established policies and procedures to explain how certain activities are performed during the pandemic. This may be the best way to show how the firm met its fiduciary responsibilities when selecting sub-advisers.

Generally speaking, the role of compliance in the process of engaging vendors has grown in importance. During an outreach-seminar panel focused on conflicts of interest, Jeannie Lewis, senior compliance counsel at William Blair & Co., reinforced the importance of compliance having a role in contract negotiations with third parties. Such participation and oversight can not only help identify conflicts of interest, it also allows the compliance department to initiate a due-diligence process before the relationship is formally established.


Technology adopted to continue business operations and serve clients remotely, however essential, can be an immense risk to the firm’s ability to protect its most private client information if not managed properly.

The biggest risk with the use of new and remote technology may be cyber-crime, a notion confirmed by the SEC’s head of investment management, Dalia Blass. During a panel, she stated that the threat of cybersecurity issues has increased with tele-work and her team is currently looking at ways to help registrants.

Advisers have been forced to use remote servers, mobile devices for business and new communication software while working from home without direct supervision.

Employees working from home, where they are less subject to the protections and behavioral checks at the physical office, can often lose awareness of the risks associated with typical behavior.

In response, the SEC released a risk alert (go-ri.tr.com/kybXwT) in August identifying and warning that the use of electronic communication tools has increased the opportunities for fraudsters to use phishing and other means to improperly access systems and accounts by impersonating firms’ personnel, websites and/or investors.

The SEC this year also has released risk alerts concerning the increased risk of ransomware (go-ri.tr.com/EsurIR) and credential stuffing (go-ri.tr.com/nRIxIK) during the COVID-19 pandemic.

In addition to the cyber risks, the rapid adoption of technologies to meet pandemic needs may have presented a rather steep learning curve for both the user and supervisor.

Therefore, firms able to identify training opportunities and ensure supervision during the work-at-home periods will be best prepared to protect client information and avoid problems in upcoming SEC examinations.

(Jason Wallace is a senior editor for Thomson Reuters Regulatory Intelligence.)

This article was produced by Thomson Reuters Regulatory Intelligence – bit.ly/TR-RegIntel – and initially posted on Dec. 7. Regulatory Intelligence provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Regulatory Intelligence compliance news on Twitter: @thomsonreuters
