SEC Risk Alert: Six New COVID-19 Compliance Risks Explained

August 20, 2020 by Marianna Shafir Esq.


On August 12, 2020, the SEC's Office of Compliance Inspections and Examinations (OCIE) published a risk alert, identifying COVID-19 related issues relevant to investment advisors and broker-dealers.

The purpose of the risk alert is to share OCIE’s observations and challenges with the public to protect investors from COVID-19 related risks. The risk alert identifies six categories: (1) protection of investors’ assets; (2) supervision of personnel; (3) practices related to fees, expenses and financial transactions; (4) investment fraud; (5) business continuity; and (6) the protection of investor and other sensitive information.

Protection of investor assets

OCIE encourages firms to update their supervisory and compliance policies and procedures to reflect any changes or delays in processing mail (e.g., checks) and to provide notice to customers of these changes. Also, firms must provide notice of mail delays to their customers.

Firms should review and update their policies and procedures around disbursements to investors, including where investors are taking unusual or unscheduled withdrawals from their accounts. This is particularly the case for COVID-19 related distributions from their retirement accounts.

Supervision of personnel

OCIE staff highlighted firms’ supervisory obligations. A firm’s supervisory and compliance program should include policies and procedures that are tailored to its specific business activities and operations. Policies and procedures should be amended as necessary to reflect the firm’s current business activities and operations.

As firms need to make significant changes to respond to the health and economic effects of COVID-19 — such as shifting to firm-wide telework conducted from dispersed remote locations and responding to operational, technological and other challenges — OCIE encourages firms to modify their supervisory and compliance policies and procedures to address the following issues:

  • Supervisors' limited level of oversight and interaction with supervised persons when they are working remotely

  • Supervised persons making securities recommendations in market sectors that have experienced greater volatility or may have heightened risks for fraud

  • The impact of limited on-site due diligence reviews and other resource constraints associated with reviewing third-party managers, investments and portfolio holding companies

  • Communications or transactions occurring outside of the firms’ systems due to personnel working from remote locations and using personal devices

  • Remote oversight of trading, including reviews of affiliated, cross, and aberrational trading, particularly in high volume investments

  • The inability to perform the same level of diligence during background checks when onboarding personnel — such as obtaining fingerprint information and completing required Form U4 verifications — or to have personnel take requisite examinations

Fees, expenses and financial transactions

The risk alert states that recent market volatility and the resulting impact on investor assets and the related fees collected by firms may have increased financial pressures on firms and their personnel. Firms are reminded of their obligations to inform investors of "financial conflicts of interest" and "fees and expenses charged to investors."

To address these obligations, firms should:

  • Validate the accuracy of their fee and expense disclosures

  • Identify transactions that result in high fees and expenses to investors to evaluate if the transaction is in the best interest of investors

  • Evaluate the risks associated with potential conflicts of interest that may impair the impartiality of firms’ recommendations

Investment fraud

The OCIE observed that times of crisis or uncertainty can create a heightened risk of investment fraud through fraudulent offerings. Firms should be cognizant of these risks when conducting due diligence on investments and in determining that the investments are in the best interest of investors. Firms and investors who suspect fraud should report it to the SEC.

Business continuity

Due to the pandemic, firms have shifted to remote sites. This transition may cause compliance risks and related issues. OCIE encourages firms to review their continuity plans to address these matters, make changes to compliance policies and procedures, and provide disclosures to investors if their operations are materially impacted, as appropriate.

Protection of sensitive information

The OCIE staff has observed that many firms require their personnel to use videoconferencing and other electronic means to communicate while working remotely. While these communication methods have allowed firms to continue their operations, these practices create issues regarding the protection of confidential client information. OCIE recommends that firms pay particular attention to the risks regarding access to systems, investor data protection and cybersecurity.

This includes additional training for employees on phishing and cyberattacks, encrypting documents, using password-protected systems, and destroying documents printed at remote locations. Firms should also conduct heightened reviews of personnel access rights to systems, use encryption technologies on all devices (especially personally owned devices), require the use of multi-factor authentication for access, and ensure that remote computer servers are updated and secure.

The OCIE encourages firms to remain informed regarding fraudulent activities that may affect investors’ assets and, when fraud is observed, to report such activities.

Where to focus your supervision efforts

This latest risk alert highlights regulators' continued focus on COVID-19 related risks and challenges. A common theme throughout the risk alert was for firms to amend their policies and procedures to reflect COVID-19 challenges. If you haven’t already, review your firm’s practices, policies and procedures to confirm they address the current situation.

It's important to supervise your supervisors during this time. SEC Rule 206(4)-7 requires firms to supervise their personnel, including providing oversight of supervised persons’ investment and trading activities. FINRA Rule 3110 requires broker-dealers to establish and maintain a system to supervise the activities of each associated person that is reasonably designed to achieve compliance with applicable securities laws and regulations. Strong compliance programs incorporate legal requirements and essential controls that are reviewed and updated. Supervisors should increase their level of oversight of, and interaction with, supervised persons when they are working remotely.

Check and double-check your systems for vulnerabilities, and confirm that communications are being captured for retention. Make sure communications or transactions are not occurring outside of the firm's systems due to personnel using personal devices.

To test whether advisors are using unapproved communication channels, we recommend setting up automated keyword searches. These keywords or key phrases can be customized to allow the firm to control which words or phrases are flagged and to adjust them as the business changes or new risks emerge, such as COVID-19. You can create keywords and key phrases to flag the risk of advisors using unauthorized communication channels.

Examples include: “send to my personal email,” “respond to my Gmail account,” “text me,” and “let’s take this offline.” These common phrases are indicative of the risk of using unauthorized communication channels. Firms cannot assume advisors aren’t using their personal emails to communicate with clients.

If you haven’t already done so, it’s critical for investment advisors and broker-dealers to implement policies and procedures tailored to the COVID-19 pandemic and potential future pandemics. Refer to the recent risk alert to better assess your firm’s COVID-19 changes against regulators’ expectations.


Marianna Shafir Esq.
Smarsh Blog
