On August 12, 2020, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert, warning investment advisors and broker-dealers of the continued challenges to protect investors from COVID-19 related risks. Given the ongoing challenges related to the global pandemic, OCIE felt it was necessary to share its observations and recommendations with the public. The Risk Alert identifies six broad categories of challenges: (1) protection of investors’ assets; (2) supervision of personnel; (3) practices related to fees, expenses, and financial transactions; (4) investment fraud; (5) business continuity; and (6) protection of investor and other sensitive information.
Protection of Investor Assets
Firms should update their supervisory and compliance policies and procedures to reflect changes or delays in processing of mail (including checks, notices, etc.) sent to the firm due to COVID-19 related restrictions, including giving notice to clients of these changes. Firms are also encouraged to update their policies regarding disbursements to investors and firms should pay attention to any unusual or unscheduled withdrawals from accounts. OCIE encourages firms to take additional steps to validate the identity of the investor regarding any withdrawals or distributions (and that senior investors have a trusted contact person in place).
Supervision of Personnel
Firms are reminded to amend their practices, in part, to address:
- Supervisors’ limited level of oversight of supervised persons while working remotely, including remote oversight of trading and reviews of affiliated or cross trading in high volume investments;
- limited on-site due diligence reviews associated with reviewing of third-party managers, investments and portfolio holding companies; and
- communications or transactions occurring outside of the firms’ systems and the use of personal devices due to a remote work environment.
Fees, Expenses and Financial Transactions
OCIE states that the COVID-19 pandemic has “increased the potential for misconduct” due to “increased financial pressures on Firms and their personnel to compensate for lost revenue”. Firms are reminded of their obligations to inform investors of the following:
- Financial conflicts of interest – making recommendations for the purchase or sale of financial products that result in higher costs to investors. For instance, the purchase of new investments with high up-front costs or the purchase of mutual fund share classes with higher costs when lower cost share classes could be recommended.
- Fees and expenses charged to investors – improper valuation issues which results in over-billing of advisory fees; failure to provide breakpoints or to aggregate household accounts; and failures to refund prepaid fees for terminated accounts.
Firms should validate the accuracy of their fee and expense disclosures, identify transactions that result in high fees and expenses to investors to evaluate if the transaction is in the investor’s best interest, and evaluate potential conflicts of interest arising from recommendations to investors.
OCIE staff encourages everyone to have heightened scrutiny in “conducting due diligence on investments and in determining that the investments are in the best interest of investors”, as the COVID-19 pandemic has created “a heightened risk of investment fraud through fraudulent offerings”. OCIE points out that the SEC has suspended trading in several stocks due to false and misleading claims of having curative therapeutics for COVID-19 and firms and investors who suspect fraud should immediately report it to the SEC.
In light of COVID-19, firms should reconsider their policies and procedures that are “reasonably designed to prevent violation of the federal securities laws”. Most firms are currently operating from remote locations, which gives rise to compliance risks and related issues. Firms should review their supervisory and compliance procedures in order to address “the unique risks and conflicts of interest present in remote operations”. Firms are also encouraged to:
- Secure computer servers and systems as needed;
- Maintain the integrity of vacated facilities;
- Support any relocation infrastructure and personnel working from remote sites; and
- Maintain protection of remote location data.
OCIE encourages firms to review their continuity plans and provide the appropriate updated disclosures, if necessary, to regulators and investors.
Protection of Sensitive Information
Firms are primarily using electronic means to communicate with clients, including videoconferencing, while personnel work remotely. These practices allow firms to continue to function, but create issues regarding the protection of confidential client information. OCIE reminds firms that the potential loss of confidential information may be caused by:
- Remote access to networks and the use of web-based applications, allowing more opportunities for improper access to the firms’ systems and client accounts;
- Increased use of personally owned devices by employees;
- Changes in control over records, such as confidential documents printed remotely.
OCIE encourages firms to focus on access to systems, protection of investor data and overall cybersecurity. This includes additional training to employees related to phishing and cyberattacks, encrypting documents and using password-protected systems, and destroying documents printed at remote locations. Firms should also conduct heightened reviews of personnel access rights to systems, use encryption technologies on all devices (especially personally-owned devices), require the use of multi-factor authentication for access, and ensure that remote computer servers are updated and secure.
As the pandemic continues and working remotely remains the best alternative, OCIE wants firms to remain vigilant regarding fraudulent activities that may affect both the firms and their clients. The entire Risk Alert can be found here.
 Securities Exchange Commission, Office of Compliance Inspections and Examinations, Risk Alert (Aug. 12, 2020) available at https://www.sec.gov/files/Risk%20Alert%20-%20COVID-19%20Compliance.pdf.