Breakdown of OCIE’s COVID-19 Compliance Risks Alert
The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued an Alert today regarding “Select COVID-19 Compliance Risks for Investment Advisers and Broker-Dealers.”
OCIE shared observations regarding six broad categories:
- protection of investors’ assets;
- supervision of personnel;
- practices relating to fees, expenses, and financial transactions;
- investment fraud;
- business continuity; and
- the protection of investor and other sensitive information.
The observations centered on oversight and controls, encouraging enhanced monitoring, additional training, and modified and updated policies and procedures. A major theme involves risks associated with remote personnel and remote locations, and the need for enhanced security measures. One example is enhancing security and support for facilities, including the integrity of vacated facilities.
The staff reminds firms of the obligation to protect investor personally identifiable information (“PII”), including potential vulnerabilities from videoconferencing, use of web-based applications, increased use of personal devices, controls over records and sensitive documents, and remote access while personnel work remotely. The staff encouraged firms to pay particular attention to risks regarding access to systems, as well as to take additional steps to validate the identity of the investor and the authenticity of disbursement instructions.
OCIE noted the impact of limited on-site due diligence reviews, communications outside a firm’s systems, market volatility and potential for increased misconduct. Other notable recommendations included:
- Modifying or enhancing existing policies to reflect current (changed) practices
- Enhancing monitoring regarding accuracy of fees and expense allocations
- Reminding investors to contact the firm by telephone about suspicious communications
- Providing additional training
- Conducting heightened reviews of access rights and controls
- Using encryption and multifactor authentication technologies
- Addressing cyber-related issues involving third parties that are also operating remotely
- Encouraging enhanced due diligence related to investment risks during times of crisis or uncertainty.
The Risk Alert highlights examples of ways firms may wish to modify or enhance their procedures, enhance supervision and training, and take steps to enhance protection of client assets and sensitive information.