Disaster Recovery – Compliance Building

How Good Is Your Business Continuity and Transition Plan?

The Securities and Exchange Commission had indicated that it was going to tackle operational issues at investment advisers. It just released a proposed rule on business continuity and transition plans for registered investment advisers. The proposed rule would require SEC-registered investment advisers to have written business continuity and transition plans reasonably designed to address operational and other risks related to a significant disruption in the investment adviser’s operations.

SEC Seal 2

First some stats. According to the release:

“[T]here are approximately 12,000 investment advisers registered with the Commission that collectively manage over $67 trillion in assets, an increase of over 140% in the past 10 years.” – Based on data from IARD as of 1/4/2016

The SEC is proposing a new Rule 206(4)-4 that makes it unlawful for registered investment advisers to provide investment advice unless it has a written business continuity plan and transition plan that is reviewed at least annually.

The easy one is business continuity planning requirement. That requirement was tucked into the release for Rule 206(4)-7. It should not come as a surprise to fund managers and investment advisers that they should have a continuity plan. The SEC has found many BCPs are inconsistent and lacking robustness across those 12,000 advisers.

The SEC is requiring that a BCP have at least the following elements:

maintenance of critical operations and systems, and the protection, backup, and recovery of data
pre-arranged alternate physical location(s) of the adviser’s office(s) and/or employees;
communications with clients, employees, service providers, and regulators;
identification and assessment of third-party services critical to the operation of the adviser.

The transition plan is a bit trickier and much more vague. Frankly, in my opinion, I don’t think the two should be included in the same rule.

The transition plan covers a broad swath of possibilities. The pool of registered investment advisers is very broad, from small retail investment advisers, large financial services companies and private fund managers. The SEC alludes to the “resolution plans” in Dodd-Frank, a/k/a the living wills.

These are the five elements the SEC is looking for in the transition plan:

policies and procedures intended to safeguard, transfer and/or distribute client assets during transition;
policies and procedures facilitating the prompt generation of any client-specific information necessary to transition each client account;
information regarding the corporate governance structure of the adviser;
the identification of any material financial resources available to the adviser; and
an assessment of the applicable law and contractual obligations governing the adviser and its clients, including pooled investment vehicles, implicated by the adviser’s transition.

I think the transition plan is very important for a small retail adviser that is reliant on a single person. I think it’s a bit tougher to see how this would work for a medium-sized or larger private fund manager that is not reliant on a single person or a few people to safeguard and manage the fund assets.

Hopefully, the SEC will carve out the transition plan to a separate rule for a longer and more thoughtful rule-making process.

The business continuity part of the rule is no-brainer. Frankly it’s long over due to have been elevated from a paragraph in s rule release to a its own rule.

Sources:

Model Business Continuity Rule for Investment Advisers

dilbert-Disaster-Recovery

There is no explicit requirement that an adviser or fund manager have a disaster recovery plan. But any manager trying to fund-raise knows that investors will ask about its business continuity plan.

The SEC sort of requires SEC registered investment advisers to have a business continuity plan. It’s an easy one to miss in Rule 206(4)-7.

Oh, you don’t see anything about business continuity in the rule? It’s not in the rule, it’s in the Release for Rule 206(4)-7:

We believe that an adviser’s fiduciary obligation to its clients includes the obligation to take steps to protect the clients’ interests from being placed at risk as a result of the adviser’s inability to provide advisory services after, for example, a natural disaster or, in the case of some smaller firms, the death of the owner or key personnel. The clients of an adviser that is engaged in the active management of their assets would ordinarily be placed at risk if the adviser ceased operations. [SEC Release No. IA-2204]

State -level adviser regulators have stepped up and rolled out a model rule for state securities regulators.

NASAA’s model rule and guidance are intended to ensure that smaller advisers fulfill their responsibilities to protect their clients and mitigate any client harm in the event of a significant interruption to the adviser’s business. The NASAA membership adopted the model rule at NASAA’s Public Policy Conference on April 13.

Every investment adviser shall establish, implement, and maintain written procedures relating to a Business Continuity and Succession Plan. The plan shall be based upon the facts and circumstances of the investment adviser’s business model including the size of the firm, type(s) of services provided, and the number of locations of the investment adviser. The plan shall provide for at least the following:

1. The protection, backup, and recovery of books and records.
2. Alternate means of communications with customers, key personnel, employees, vendors, service providers (including third-party custodians),and regulators, including, but not limited to, providing notice of a significant business interruption or the death or unavailability of key personnel or other disruptions or cessation of business activities.
3. Office relocation in the event of temporary or permanent loss of a principal place of business.
4. Assignment of duties to qualified responsible persons in the event of the death or unavailability of key personnel.
5. Otherwise minimizing service disruptions and client harm that could result from a sudden significant business interruption.

There is another 18 pages of guidance to help an adviser craft a plan that meets the rule.

Of course, this is not imposed on advisers or fund managers registered with the Securities and Exchange Commission. But I bet you would find it to be a useful tool in evaluating your firm’s business continuity plan.

Sources:

NASAA Model Rule on Business Continuity and Succession Planning Model Rule 203(a)-1A or 2002 Rule 411(c)-1A
NASAA Adopts Model Business Continuity Rule for Advisers by John M. Jascob, J.D. in Jim Hamilton’s World of Securities Regulation
Investment Advisers and Business Continuity Plans

How Good Is Your Business Continuity Plan?

compliance and hurricane sandy

The Securities and Exchange Commission wants it to be better.

In the aftermath of Hurricane Sandy, the Securities and Exchange Commission joined the Commodity Futures Trading Commission and the Financial Industry Regulatory Authority in issuing a joint staff advisory on business continuity and disaster recovery planning.

The advisory follows a review by the regulators after Hurricane Sandy closed U.S. equity and options markets for two days in October 2012. Many firms had a hard time dealing with such a widespread area of severe impact.

When considering alternative locations (i.e., back-up data centers, back-up sites for operations, remote locations, etc.) firms should consider the implications of a region wide disruption. Firms are encouraged to consider geographic diversity when determining the physical location of alternative sites. An alternative site, particularly a system back-up location, in close proximity to the primary site may not sufficiently protect the firm from the effects of a region wide event. Firms should consider whether their primary site and alternative sites rely on the same critical utility services, such as electricity, transportation and telecommunications.

That is a somewhat achievable goal for big firms, but not one for smaller firms.

The alert ignores that reality of the physical location of people, their homes, and their families. It would be great to have a fully redundant backup site located a thousand miles away from the main location. But you’re not going to be able to quickly get people there in the event of such a widespread event.

Not only are businesses affected by a disaster, but so are homes. Many (most?) employees are not going to abandon their families, stuck with limited access to power, food, and other needs.

Of course, firms need a solid business continuity and disaster recovery plan. It should be tested and evaluated regularly. A firm needs to plan for small disruptions and big disruptions. Small disruptions are more likely and need to be well addressed.

It’s much harder to have a bullet-proof plan for an event like Sandy that disrupts power to huge parts of the urban center, knocks out power to a huge swath of residential areas, floods office buildings, floods thousands of homes, disrupts transportation, and does so over hundreds of miles.

References:

Sandy and Disaster Preparedness

Disaster recovery is an important, though not explicitly mandatory, component of compliance program. The Securities and Exchange Commission alludes to this in the release for the compliance rule. It’s also a key part of personal plan. I’m learning that first hand.

My family is spending its third day without power. Fun and exciting at first, it has become troublesome. A shower by candlelight is much less romantic when doing so to get ready for work. Fortunately, it’s warm in Boston so the lack of heat is not a problem.

There are many worse off than me and we escaped unscathed, other than the little wire connecting our house to the world. My hearts go out to those battling much worse damage.

Technical Problems

Sometimes things just go wrong. No matter how hard you try (or don’t) you need to expect the unexpected. Software and systems inevitable break and go down. And when a system goes down, it will inevitably go down at the least convenient time.

The key is testing, redundancy, and back-up. You can’t prepare for all of the potential problems. But you can prepare for some.

My latest technical problem happened right here. Something went wrong with the code that runs this website. Technical support offered some mumbo jumbo on what I could do. I only know just enough html and css to get myself in trouble. I tried a few things, but they each failed to work. I was in way over my head.

I could have spent hours and hours poring through the error logs and files. Or I could have hired someone who knew what they were doing to help out. I don’t have the time or money to do that.

That left me with one choice. Nuke it and start over. Fortunately, I have a system that runs regular back ups. And it worked.

The website’s design is still a mess. The problem appears to have resided somewhere in the old design. That can be fixed eventually. The key is that the data is still intact.

Lesson Learned. Prepare, back-up, and test. I think there is even an SEC rule on the topic.

I end with a recent cartoon from Saturday Morning Breakfast Cereal on the stock market, blame, and reward.

Earthquakes, Hurricanes, and Disaster Recovery

Monday’s East Coast earthquake was far from a disaster. I just thought I had too much coffee, until I heard others in the hallway say “Do you feel that?” Then I realized the shaking was not just because I was over-caffeinated.

Even though significant earthquakes are rare on the East Coast, hurricanes are not. Irene, the first big hurricane of the season is also approaching the East Coast.

Perhaps these are some good reminders to blow the dust off your disaster recovery plan. As a registered investment adviser, you need to have a plan. Each of the thousands (hundreds?) of private fund managers getting ready to register as investment advisers with the Securities and Exchange Commission will need a plan.

It’s easy to miss the requirement for having a business continuity plan. It’s in Rule 206(4)-7. Oh, you don’t see anything about business continuity in the rule? It’s not in the rule, it’s in the Release for Rule 206(4)-7:

Sources:

Investment Advisers and Business Continuity Plans – prior post on Compliance Building
SEC Release No. IA-2204

Image of 20111 VA Earthquake is by Frank Paynter

Investment Advisers and Business Continuity Plans

When an investment adviser is designing its policies and procedures you need to identify the risks for their firm so they address those risks. A big risk is missing an applicable requirement under the regulatory scheme. So you sit down with the regulations and tie them to your specific policies and procedures.

An easy one to miss is the requirement for having a business continuity plan. It’s in Rule 206(4)-7.

Oh, you don’t see anything about business continuity in the rule? It’s not in the rule, it’s in the Release for Rule 206(4)-7:

There is not much in the release to help you understand what is required, but there are two good places to help you.

One is to look at an intragency paper published by The Federal Reserve Board, the Office of the Comptroller of the Currency and the Securities and Exchange Commission on business continuity objectives. They lay out four broad sound practices for core clearing and settlement organizations and firms that play significant roles in critical financial markets:

Identify clearing and settlement activities in support of critical financial markets.
Determine appropriate recovery and resumption objectives for clearing and settlement activities in support of critical markets.
Maintain sufficient geographically dispersed resources to meet recovery and resumption objectives.
Routinely use or test recovery and resumption arrangements.

The other source (more practical source) is the disaster recovery requirements of broker/dealers. FINRA Rule 4370 is their emergency preparedness rule. They have a template for small introducing firms to help start designing a plan.

Sources:

SEC Release No. IA-2204
Rule 206(4)-7
FINRA Rule 4370
Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System SEC Release No. 34-47638
Investment Adviser Business Continuity Planning by Scott P. Tarra
Business Continuity Plans (Disaster Recovery Plans) by in Hedge Fund Law Blog

Swine Flu, Disaster Recovery, and Compliance

One aspect of a compliance program is disaster recovery. Investors want to know that your operations can be up and running if something goes wrong. Although first thoughts go to an extraordinary event like the World Trade Center attacks, the problem is more likely to be something less dramatic.

From today’s headlines, it may be time to look at your disaster recovery plans in case of a pandemic. If Swine Flu keeps most of your workforce at home, what do you do?

But first you should decide whether you need to worry about the Swine Flu. The culprit is an unusual new virus known as A/H1N1, which is a form of swine flu that has made its way from pigs into humans. This is an entirely new hybrid strain composed of pig, bird and human viruses. As to whether it risks becoming a pandemic, that depends on the severity of the effects and how easily it is transmitted.

Over 1,500 Mexicans have been afflicted with symptoms that may be the result of this new virus. But it is not yet confirmed whether the cause of most of these cases was A/H1N1 or commonplace strains of influenza. Five American states—California, Texas, Kansas, Ohio and New York—have confirmed mild cases of A/H1N1. So too has Canada, Britain, Israel and New Zealand. One theory is that college students have been bringing the virus back to the U.S. after college spring break in Mexico.

On the very good side of things, reports indicate that the Mexican swine flu virus is susceptible to the most widely stockpiled flu antiviral drugs, Tamiflu and its relatives. If the effects are severe and it is very contagious, tools are available to fight it.

You can judge whether you should be alarmed at the Swine Flu outbreak. (I am not.) But you should take this as an opportunity to test your disaster recovery plan and make sure you can still be up and running if your workforce is not in the office.

And just to be safe, don’t kiss pigs.

See:

An Unwelcome Mexican Wave from The Economist
Swine Flu: What You Need to Know from New Scientist
Europe Urges Citizens to Avoid U.S. and Mexico Travel from the New York Times
Update Your Pandemic Plan NOW by Roberta J. Witty of Gartner
The FBIIC/FSSCC Pandemic Flu Exercise of 2007, a large-scale testing of business pandemic plans (.pdf)
PandemicFlu.gov – One-stop access to U.S. government avian and pandemic flu information
CDC/DHS Press Conference; WHO pandemic alert level; Epidemiology Update from the Center for Biosecurity

Image is from Cute Overload: Mmmmm, snoutlicioussss Thanks to Niki Black for pointing it out: Swine Flu Transmission solved from Twitter