SEC Issues Guidance on Fund Business Continuity Planning
On June 28, 2016, the SEC’s Division of Investment Management issued a Guidance Update titled, Business Continuity Planning for Registered Investment Companies (the “Guidance,” available here). The Guidance states that a fund complex should consider its compliance obligations under the federal securities laws when assessing its ability to continue operations during a business continuity event. The Guidance discusses various steps that the SEC staff believes a fund complex should consider to evaluate its business continuity plan (“BCP”) and the BCPs of its critical service providers to lessen business continuity risks for funds and investors.
On the same date that the Guidance was published, the SEC published a release (available here) containing proposed Rule 206(4)-4 under the Advisers Act. If adopted, Rule 206(4)-4 would require every SEC-registered investment adviser to adopt and implement a written business continuity and transition plan reasonably designed to address operational risks related to a significant disruption in the adviser’s business. The SEC Rule 206(4)-4 proposal is the subject of a separate Ropes & Gray Alert (available here).
Background. As the impetus for the Guidance, the staff cites the August 2015 business disruption caused by a systems malfunction at a third party upon which a major fund pricing agent relied. The business disruption lasted for several days and prevented the pricing agent from providing NAVs to hundreds of mutual funds, closed-end funds and ETFs. Following that event, the Guidance states, SEC staff members concluded that some funds could have been better prepared for one of their critical service providers experiencing an extended outage and, further, that the outage highlighted the need for fund complexes to have robust business continuity planning. The Guidance also states that staff reviews of business continuity practices in the wake of Hurricanes Katrina and Sandy underlie the publication of the Guidance.
Recommendations. The Guidance’s recommendations fall into two categories, with the first category applying to the fund complex, generally, and the second category applying to “critical fund service providers.” In the staff’s view, critical fund service providers are likely to include each named service provider under Rule 38a-1 (i.e., each investment adviser, principal underwriter, administrator, and transfer agent), as well as each custodian and pricing agent.
Both categories of recommendations are summarized below.
Fund Complexes “Notable Practices.” The Guidance expressly recognizes that fund complex business models vary significantly. Nevertheless, in recent discussions with fund complexes, the staff observed the following programs and preparations, which the Guidance calls “notable practices.” From the context, notable practices appear to be “measures the staff believes funds should consider,” which is the phrase used in the Guidance’s introduction, but taking account of the fund complex’s business model.
- BCPs that cover a fund complex’s facilities, technology/systems, employees and activities conducted by the adviser and any affiliated entities, as well as covering dependencies on critical services provided by other third-party service providers.
- BCP programs that involve a broad cross-section of employees from key functional areas, including senior management.
- Oversight of third-party service providers is conducted by key personnel, including the fund’s Chief Compliance Officer (“CCO”) and/or the CCO of other entities in the fund complex. The service provider oversight programs typically include both initial and ongoing due-diligence processes, including review of applicable BCPs for critical fund service providers. In conducting oversight, the fund complex typically seeks multiple sources of information, including independent control reports and, where appropriate, testing.
- BCP presentations are provided to fund trustees/directors, with CCO participation, on an annual basis and are also provided by the adviser and/or other critical service providers.
- Some form of testing of the fund complex’s BCP occurs at least annually, and the results of the complex’s tests may be shared in updates to fund boards.
- Business continuity outages, including those experienced by the fund complex or a critical third-party service provider, are monitored by the CCO and relevant staff, as well as reported to the fund board, as warranted.
Recommendations Implicating Critical Fund Service Providers. The Guidance offers the following:
- A fund complex should consider examining its critical fund service providers’ backup processes and redundancies, as well as the robustness of the providers’ contingency plans (including reliance on other critical service providers).
- A fund complex should consider how it can effectively monitor whether a critical fund service provider has experienced a significant disruption and the potential impacts on fund operations and investors. In addition, a fund complex should consider related necessary communication protocols. The protocols could include:
  - Procedures for internal communications within the fund complex, as well as with a fund’s board.
  - External communications plans for continuing discussions with the affected service provider, as well as other providers, as warranted, and with intermediaries, investors, regulators, and the press, as appropriate.
  - Maintaining updated, accessible contact information for communications between and among various key actors.
  - Providing communications that report progress and next steps, which may include website postings, to assure accessibility and broad dissemination of information.
- A fund complex should consider how the BCPs of a fund’s critical service providers relate to each other as a means to ensure that funds can continue operations or promptly resume operations during a significant business disruption.
- A fund complex should consider planning to manage the response to potential disruptions under various scenarios, whether such disruptions occur internally or at a critical third-party service provider.
* * *
The Guidance offers a range of suggestions regarding business continuity planning. The Guidance’s recommendations, of course, are not tailored to fit every complex. Nevertheless, when considered by a fund complex, the staff’s recommendations may trigger ideas or lines of inquiry that the fund complex has yet to consider. This is consistent with the Guidance’s statement that the “staff recognizes that it is not possible for a fund or fund complex to anticipate or prevent every business continuity event.”
The Guidance states that a fund complex should consider its compliance obligations under the federal securities laws when assessing its ability to continue operations during a business continuity event. However, the Guidance does not mention any specific obligations under the federal securities laws, nor does it point to any enforcement initiatives regarding when a significant business disruption effectively suspends a fund’s legal obligations. That said, the SEC’s simultaneous proposal of Rule 206(4)-4 under the Advisers Act may portend that “inadequate” business continuity planning will be the subject of future enforcement proceedings.