In its latest effort to improve regulatory safeguards for the asset management industry, the SEC proposed a new rule at the end of June that would require SEC-registered investment advisers (RIAs) to adopt business continuity and transition plans in the event of business disruptions such as natural disasters, cyber-attacks, technology failures, terrorist attacks, and similar events. The proposed rule would make it unlawful for RIAs to provide investment advice “unless the adviser adopts and implements a written business continuity and transition plan and reviews that plan at least annually.”[1] In its press release, the SEC noted that “[the] proposed rule is designed to ensure that investment advisers have plans in place to address operational and other risks related to a significant disruption in the adviser’s operations in order to minimize client and investor harm.”[2] It is worth noting that under the Investment Advisers Act, RIAs are already required to implement policies and procedures reasonably designed to prevent violations of the Act.[3]
The SEC also remarked that there is a fiduciary element in the context of business continuity plans—as fiduciaries owing duties of care and loyalty to clients, investment advisers are “obligated to take steps to protect client interests from being placed at risk as a result of the adviser’s inability to provide advisory services.”[4] However, the proposed rule takes business continuity plans past the realm of merely owing a fiduciary duty, and ventures that the failure to adopt appropriate business continuity plans is tantamount to fraud or deceit.
The proposed rule reasons that because of this fiduciary duty owed by investment advisers, “…clients are entitled to assume that advisers have taken the steps necessary to protect those interests in times of stress, whether that stress is specific to the adviser or the result of broader market and industry events,” and that “it would be fraudulent and deceptive for an adviser to hold itself out as providing advisory services unless it has taken steps to protect clients’ interests from being placed at risk as a result of the adviser’s inability (whether temporary or permanent) to provide those services.”[5]
Worded as such, and without clarification or legal support, the proposed rule appears to encourage an overbroad definition of fraud. This could have troubling implications for investment advisers, who may be subject to enforcement actions even with an appropriate business continuity plan in place, should unforeseen circumstances cause a temporary inability to provide services. Industry groups have voiced concerns that this rule is overly prescriptive and may leave advisers open to fraud liability, even if advisers took reasonable steps to prevent incidents, and have suggested that the rule should instead be framed as guidance.[6]
Under the proposed rule, plans would be required to address the following: “(i) maintenance of critical operations and systems, and the protection, backup, and recovery of data; (ii) pre-arranged alternate physical locations of the advisers’ offices and employees; (iii) communications with clients, employees, service providers, and regulators; (iv) identification and assessment of third-party services critical to the operation of the adviser; and (v) transition plan that accounts for the possible winding down or transition of the adviser’s business to others in the event the adviser is unable to continue providing advisory services.”[7]