The 2016 proposed rule released by the Securities and Exchange Commission (SEC) represents significant change from the current SEC Rule 204-2 (“Advisers Act”). At this time, the rule currently states that Business Continuity Planning (BCP) is not a requirement for Registered Investment Advisors (RIAs) and is only included in policy and procedures, if needed. If you are a RIA, then you are required to implement BCP to address operational failures as well as potential significant disruptions due to possible threats (e.g. natural, human, technical). The proposed rule also requires you to implement transition planning as part of BCP objectives, which ensures that there are documented procedures in place for transitioning your responsibilities to another party if you unable or unwilling to continue offering investment advisory services to your clients.
If you are a RIA, then here are 5 key takeaways from the proposed SEC ruling:
- Adopt and implement a BCP and transition plan – These should be designed to address operational, technical, physical and other applicable risks related to a significant disruption in your business, including policies and procedures concerning:
- Business continuity after a significant business disruption; and
- Business transition in the event you are unable to continue providing investment advisory services to your clients.
- Identify and plan for an alternate physical location - The proposed rule suggests prearranging alternate physical locations. The document considers alternate locations as essential for continuing to provide services during a significant business disruption. When planning alternate locations, you should consider the geographic diversity of your offices and employees, as well as access to the internal systems, managed services and any other resources necessary to continue operations at different locations in the event of a disruption.
- Perform an annual BCP review - Under the proposed rule, you must review the adequacy of your business continuity and transition plan and the effectiveness of its implementation at least annually. The review generally should consider any changes to your products, services, operations, critical third-party service providers, structure, business activities, client types, location and any regulatory changes that might suggest a need to revise the plan.
- Customize a BCP to your organization and environment – Given that BCP requirements may be substantially different depending upon the complexity of your business operations, the flexibility of the proposed rule should allow you to tailor your business continuity and transition plans to the specific risks that your business faces at the minimum possible cost.
- Be aware that there is a risk of failure - The rule was proposed under Section 206 of the Advisers Act, an antifraud provision. Thus, should you fail to comply by not adequately implementing an adequate BCP, then you may be subject to a fraud action.
Implementation of the proposed rule may result in upfront compliance costs for smaller advisers as well as fixed costs such as annual review performance, alternate locations, training, maintaining records and continuous BCP testing. Overall, the proposed rule mirrors the worldwide trend of increased requirements for the protection of client data and assets. Going forward, RIAs should expect this trend to continue, regardless of the outcome of the proposed rule.