Expanding Your Compliance Program: Robust Compliance Management in a Post-Pandemic Era
Compliance departments were no strangers to constraints during the pandemic. They were yet another area of the investment management industry that felt the effects of the pandemic, specifically with budget and resource constraints. Many CCOs had to pivot and look for creative ways to find resources within their organization to help fill gaps caused by budget cutbacks and loss of staff. Add to that the continued flow of new regulations and the new work from home (WFH) environments many found themselves in, it is no wonder that many compliance projects were delayed.
During the pandemic, CCOs had to seek additional internal resources to help maintain their compliance programs. They often collaborated with other departments such as trading, operations, or marketing to help with testing and reviews.
Then, upon the start of the recovery, CCOs had to be selective with resources. They recognized that many tasks had been neglected during the pandemic, so they sought ways to outsource parts of their program that were tactical and time-consuming such as e-communications surveillance and Code of Ethics reporting maintenance. This way, their time could be spent getting back on track and focusing on the new regulations coming from the SEC such as the Marketing Rule.
Regulatory Focus in Post-Pandemic World
Moving into the post-pandemic world, it is important that investment managers evaluate the regulators exam priorities and ensure they have sufficient compliance resources in these areas. In August of 2020, the SEC released a Risk Alert to share several COVID-related compliance risks, focusing on the importance of protecting investor assets. For example, during the pandemic, as firms moved to a WFH protocol, cyber hackers became aware of vulnerabilities that existed at firms and increased their attempts to break into firms’ systems or otherwise gain access to client information. As you assess how your firm can effectively manage cybersecurity risks and protect your clients’ information, consider what the next six months to a year will look like at your firm. Will employees be required to return to the office full-time, or will there be a hybrid model where employees are in the office and work from home a few days a week?
If your firm intends to offer staff the option to work remotely, consider the IT controls the firm may already have in place and whether there are any opportunities to expand upon those controls. For example:
- Enhance system access security – require multi-factor authentication wherever possible.
- Discourage employees from printing any sensitive client information from home unless it is necessary to service the client’s account. In any instance where information needs to be remotely printed, employees should make sure to destroy the information in accordance with your document destruction policy.
- Send reminders to staff to make sure their home Wi-Fi is password-protected and have them sign an attestation of compliance with the firm’s information security policies.
- Conduct phishing testing and cybersecurity training for your staff or consider hiring a third-party vendor to assist with training and testing.
These are all easy steps that can be taken to help enhance your cybersecurity controls and mitigate the risks of having your clients’ information compromised.
ESG Products and Investment Strategies
ESG products and investment strategies are another hot topic for the regulators right now. In April, the SEC created a new ESG Task Force in the Division of Examinations that will be focusing on material gaps and misstatements in disclosures of climate-related risks. For investment advisers, funds and private funds that use ESG investment strategies, you can expect that the SEC will want to review your portfolio management practices for consistency with your ESG disclosures and will be looking for formal policies and procedures related to ESG investing. The SEC also issued in April a Risk Alert on ESG investing that noted the lack of compliance review and oversight of ESG investing practices. The SEC has observed compliance staff that had limited knowledge of ESG investment analyses, which they felt resulted in a less effective compliance program at these firms. If you are utilizing an ESG strategy, you will want to make sure compliance personnel are knowledgeable about ESG investing and are aware of related risks. Look to what’s already been put into effect in the EU with the Sustainable Finance Disclosure Regulation (SFDR). The SFDR imposes mandatory ESG disclosure obligations for asset managers and other financial markets participants with substantive provisions of the regulation effective from 10 March 2021, with the Level 2 disclosures applying now from July 2022.
Implementation of Form CRS and Regulation Best Interest
The SEC is focusing on the two new regulatory requirements that went into effect in 2020, Form CRS and Regulation Best Interest (Reg BI). During exams, the SEC has started focusing on whether firms have made a good faith effort to comply with the new requirements and has said the Form CRS is now the first document they will read about a firm before digging into the ADV. Now is the time to take another look at your firm’s Form CRS and ensure:
- Clear, plain-English language has been used
- Express statements are made regarding whether a firm does or does not act
- Required disclosures have not been altered
- No additional disclosures have been added beyond what is required in the form’s instructions
Since all SEC-registered investment advisers and broker-dealers with retail investors were required to file a Form CRS, they are now publicly available, and you can see how other firms approached their Form CRS.
As for Reg BI, the SEC and FINRA are evaluating specific firm procedures for compliance with the regulation and whether firms made any changes to their product offerings to ensure higher cost products have been replaced with lower cost products. They are also looking at how firms are considering costs when making recommendations, identifying and addressing conflicts of interests related to recommendations. Reg BI is a great example of how technology can help firms comply with regulatory requirements. Many firms are utilizing third-party systems to evaluate product transactions and rollovers and help document the firm’s evaluation of account recommendations.
Business Continuity Planning and Pandemic Preparedness
Business continuity is a primary focus of the SEC as it relates to the pandemic. The SEC is now reviewing firms’ business continuity plans to see if they address how the firm will respond to events such as a pandemic, including policies on permitting employees to work from home, issuing laptops to key employees so they can work remotely, and making sure the firm is able to continue communicating with employees and clients. We have also seen the SEC ask firms for a summary of the steps the firm took during the pandemic to continue servicing clients. This is an area where you can be proactive and document the firm’s response to COVID-19 before you get examined.
Now is the Time to Catch Up!
Now is the time to revisit budgets and assess whether resources need to be realigned. Consider whether an independent review of your compliance program could help your firm identify and address any new gaps and/or conflicts of interest that may exist. Move forward with projects that were tabled, and take this time to get ahead of the regulators on their top exam priorities.
If you had to modify any processes during the pandemic, you should reevaluate whether a temporary process has become permanent practice. If so, make sure to update your written policies and procedures. Now that we are well over a year out from the start of the pandemic, the regulators will expect that firms’ policies and procedures are up to date and match actual firm practices.
CSS’s team of regulatory experts is here to help optimize your compliance program. Please don’t hesitate to reach out with any questions on our compliance solutions and services to help you close any compliance gaps: firstname.lastname@example.org.