Adviser Business Continuity and Transition Plans, 43530-43556 [2016-15675]

Download as PDF 43530 Proposed Rules Federal Register Vol. 81, No. 128 Tuesday, July 5, 2016 This section of the FEDERAL REGISTER contains notices to the public of the proposed issuance of rules and regulations. The purpose of these notices is to give interested persons an opportunity to participate in the rule making prior to the adoption of the final rules. Dated: June 22, 2016. Melvin L. Watt, Director, Federal Housing Finance Agency. [FR Doc. 2016–15596 Filed 7–1–16; 8:45 am] BILLING CODE 8070–01–P SECURITIES AND EXCHANGE COMMISSION FEDERAL HOUSING FINANCE AGENCY 17 CFR Part 275 12 CFR Part 1232 [Release No. IA–4439; File No. S7–13–16] RIN 2590–AA42 RIN 3235–AL62 Incentive-Based Compensation Arrangements Adviser Business Continuity and Transition Plans AGENCY: Agency. Notice of Proposed Rulemaking and Request for Comment; Correction. ACTION: This document corrects a typographical error to the ‘‘Dated:’’ line of the Federal Housing Finance Agency’s (FHFA) signatory block of the Notice of Proposed Rulemaking and Request for Comment (Proposed Rule) issued jointly by the Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System, Federal Deposit Corporation, National Credit Union Administration, FHFA, and the U.S. Securities Exchange Commission. The Proposed Rule was published in the Federal Register on Friday, June 10, 2016 (FR Doc. 2016– 11788; 81 FR 37669), and concerned Incentive-based Compensation Arrangements. SUMMARY: sradovich on DSK3GDR082PROD with PROPOSALS FOR FURTHER INFORMATION CONTACT: Mary Pat Fox, Manager, Executive Compensation Branch, (202) 649–3215; or Lindsay Simmons, Assistant General Counsel, (202) 649–3066, Federal Housing Finance Agency, 400 7th Street SW., Washington, DC 20219. The telephone number for the Telecommunications Device for the Hearing Impaired is (800) 877–8339. Need for Correction In the Federal Register of Friday, June 10, 2016, FR Doc. 2016–11788, on page 37838, in the third column, the ‘‘Dated:’’ line of the Federal Housing Finance Agency signatory block is corrected to read as ‘‘April 26, 2016.’’ VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 Securities and Exchange Commission. ACTION: Proposed rule. AGENCY: Federal Housing Finance The Securities and Exchange Commission (‘‘Commission’’ or ‘‘SEC’’) is proposing a new rule and rule amendments under the Investment Advisers Act of 1940 (‘‘Advisers Act’’). The proposed rule would require SECregistered investment advisers to adopt and implement written business continuity and transition plans reasonably designed to address operational and other risks related to a significant disruption in the investment adviser’s operations. The proposal would also amend rule 204–2 under the Advisers Act to require SEC-registered investment advisers to make and keep all business continuity and transition plans that are currently in effect or at any time within the past five years were in effect. DATES: Comments should be received on or before September 6, 2016. ADDRESSES: Comments may be submitted by any of the following methods: SUMMARY: Electronic Comments • Use the Commission’s Internet comment form (https://www.sec.gov/ rules/proposed.shtml); or • Send an email to rule-comments@ sec.gov. Please include File Number S7– 13–16 on the subject line; or • Use the Federal eRulemaking Portal (https://www.regulations.gov). Follow the instructions for submitting comments. Paper Comments • Send paper comments to Brent J. Fields, Secretary, Securities and PO 00000 Frm 00001 Fmt 4702 Sfmt 4702 Exchange Commission, 100 F Street NE., Washington, DC 20549–1090. All submissions should refer to File Number S7–13–16. This file number should be included on the subject line if email is used. To help us process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission’s Internet Web site (https://www.sec.gov/rules/ proposed.shtml). Comments are also available for Web site viewing and printing in the Commission’s Public Reference Room, 100 F Street NE., Washington, DC 20549, on official business days between the hours of 10 a.m. and 3 p.m. All comments received will be posted without change; we do not edit personal identifying information from submissions. You should submit only information that you wish to make available publicly. Studies, memoranda, or other substantive items may be added by the Commission or staff to the comment file during this rulemaking. A notification of the inclusion in the comment file of any such materials will be made available on the Commission’s Web site. To ensure direct electronic receipt of such notifications, sign up through the ‘‘Stay Connected’’ option at www.sec.gov to receive notifications by email. FOR FURTHER INFORMATION CONTACT: Andrea Ottomanelli Magovern, Senior Counsel, Zeena Abdul-Rahman, Senior Counsel, John Foley, Senior Counsel, or Alpa Patel, Branch Chief, at (202) 5516787 or IArules@sec.gov, Investment Adviser Rulemaking Office, Division of Investment Management, Securities and Exchange Commission, 100 F Street NE., Washington, DC 20549–8549. SUPPLEMENTARY INFORMATION: The Commission is proposing for public comment new rule 206(4)–4 [17 CFR 275. 206(4)–4] and amendments to rule 204–2 [17 CFR 275.204–2] under the Advisers Act [15 U.S.C. 80b]. Table of Contents I. Adviser Business Continuity and Transition Plans A. Introduction B. Background 1. Business Continuity Planning 2. Transition Planning C. Discussion 1. Adopt and Implement Business Continuity and Transition Plans 2. Annual Review 3. Recordkeeping E:\FR\FM\05JYP1.SGM 05JYP1 Federal Register / Vol. 81, No. 128 / Tuesday, July 5, 2016 / Proposed Rules II. Economic Analysis A. Introduction B. Economic Baseline C. Benefits and Costs and Effects on Efficiency, Competition, and Capital Formation 1. Benefits 2. Costs 3. Effects on Efficiency, Competition, and Capital Formation D. Reasonable Alternatives 1. Require Public Availability of Business Continuity and Transition Plans 2. Require Business Continuity Plans and/ or Transition Plans, but Do Not Specify Required Components 3. Require Specific Mechanisms for Addressing Certain Risks in Every Plan 4. Vary the Requirements of the Proposed Rule for Different Subsets of Registered Advisers E. Request for Comment III. Paperwork Reduction Act A. The Proposed Rules 1. Rule 206(4)–4 2. Rule 204–2 B. Request for Comment IV. Initial Regulatory Flexibility Analysis A. Reasons for and Objectives of the Proposed Actions B. Legal Basis C. Small Entities Subject to the Rule and Rule Amendments D. Projected Reporting, Recordkeeping and Other Compliance Requirements 1. Rule 206(4)–4 2. Rule 204–2 E. Duplicative, Overlapping, or Conflicting Federal Rules F. Significant Alternatives G. Solicitation of Comments V. Consideration of Impact on the Economy VI. Statutory Authority sradovich on DSK3GDR082PROD with PROPOSALS I. Adviser Business Continuity and Transition Plans A. Introduction Today, there are approximately 12,000 investment advisers registered with the Commission that collectively manage over $67 trillion in assets, an increase of over 140% in the past 10 years.1 Advisers manage assets for, and provide investment advice to, a wide variety of clients, including individuals, charitable organizations, endowments, retirement plans, and various pooled investment vehicles such as mutual funds and private funds. Investors turn to advisers for a variety of services such as helping them to identify financial goals (including investing for a child’s education or preparing for retirement), analyzing an existing financial portfolio, determining an appropriate asset allocation, and providing portfolio management or investment recommendations to help achieve financial goals. Advisers also play an 1 Based on data from the Commission’s Investment Adviser Registration Depository (‘‘IARD’’) as of January 4, 2016. VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 important role in counseling and advising clients on complex financial instruments and investments, and in providing advice and guidance on weathering changing market conditions. The range of services provided by advisers, and the continued growth in the number of advisers and assets under management, reflect the critical role investment advisers play in our capital markets and the importance of the services they provide to approximately 30 million clients.2 Investment advisers today also participate in and are part of an increasingly complex financial services industry. Advisers are relying on technology to a greater extent, managing more complicated portfolios and strategies that often include complex investments, and are increasingly relying on the services of third parties such as custodians, brokers and dealers, pricing services, and technology vendors 3 that support their operations.4 Although the types of registered investment advisers and their business models may vary significantly, they generally share certain fundamental operational risks. Of particular concern to the Commission are those risks that may impact the ability of an adviser and its personnel to continue operations, provide services to clients and investors, or, in certain circumstances, transition the management of accounts to another adviser. Such operational risks include, but are not limited to, technological failures with respect to systems and processes (whether proprietary or provided by third-party vendors supporting the adviser’s activities), and the loss of adviser or client data, personnel, or access to the adviser’s physical location(s) and facilities. Operational risks can arise from internal and external business continuity events. An internal event, such as a facility problem at an adviser’s primary office location, or an external event, such as a weather-related emergency or cyber-attack, could impact an adviser’s ongoing operations and its ability to provide client services. For 2 Id. 3 We use the terms ‘‘vendor’’ and ‘‘service provider’’ interchangeably throughout this release. 4 There has been an increase in the diversity of investment portfolios, strategies, and securities types, the complexity of portfolio management and operations, and the interconnectedness and interdependencies of the financial industry. See generally, Global Association of Risk Professionals (GARP), Risk Principles for Asset Managers, Prepared by the GARP Buy Side Risk Managers Forum (Sept. 2015) (‘‘Risk Principles for Asset Managers’’) at Section 5: Operational Risk Principles, available at https://go.garp.org/l/39542/ 2015-09-30/315zdc/39542/90066/BSRMF_Risk_ Principles_2015.pdf. PO 00000 Frm 00002 Fmt 4702 Sfmt 4702 43531 example, both types of events could prevent advisory personnel from accessing the adviser’s office or its systems or documents at a particular office location. Under these circumstances, an adviser and its personnel may be unable to provide services to the adviser’s clients and continue its operations while affected by the disruption, which could result in client harm.5 Similarly, operational risks can arise in the context of a transition event. If, for example, an adviser is winding down or ceasing operations during a time of stress, then an adviser’s ability to safeguard client assets could be impacted. We understand that many investment advisers, like other financial services firms, already have taken critical steps to address and mitigate the risks of business disruptions, regardless of the source, as a prudent business measure.6 Industry participants have also stated that the highly competitive environment in which advisers operate encourages proper risk management and contributes to advisers’ attentiveness to operational risks.7 Advisers may recognize the 5 As discussed in Section I.B.1. of this release, if an adviser is unable to provide services to its clients, its clients’ interests may be at risk. This risk could include the risk of loss if, for example, an adviser lacks the ability to make trades in a portfolio, is unable to receive or implement directions from clients, or if clients are unable to access their assets or accounts. 6 See infra notes 26–27 and accompanying text (discussing compliance policies and procedures required by rule 206(4)–7 under the Advisers Act); see also Comment Letter of BlackRock, Inc. to the Financial Stability Oversight Council’s (‘‘FSOC’’) Notice Seeking Comment on Asset Management Products and Activities (‘‘FSOC Notice’’) (Mar. 25, 2015) (‘‘BlackRock FSOC Comment Letter’’) at 10 (‘‘In the normal course of business, asset managers implement measures to mitigate the impact of potentially disruptive events through operational risk management programs, including maintaining business continuity plans . . . and technology disaster recovery plans . . . .’’); Comment Letter of Investment Company Institute to FSOC Notice (Mar. 25, 2015) (‘‘ICI FSOC Comment Letter’’) at 69 (noting that ‘‘funds and key service providers to the industry have robust plans and strategies in place to facilitate the continuation or resumption of business operations in the event of an emergency, regardless of the cause’’); Comment Letter of Vanguard to FSOC Notice (Mar. 25, 2015) (‘‘Vanguard FSOC Comment Letter’’) at 23 (‘‘The purpose of business continuity plans is to develop alternative ways to carry out normal business functions without access to facilities, systems, and/ or key third-party providers of goods or services to the funds or its adviser.’’). 7 See, e.g., Comment Letter of Fidelity Investments to FSOC Notice (Mar. 25, 2015) (‘‘Fidelity FSOC Comment Letter’’) at 22 (‘‘It is not correct to imply that competitive pressures push managers toward less risk management; in fact those pressures push funds to improve their risk management practices.’’); BlackRock FSOC Comment Letter at 63 (‘‘The asset management industry is highly competitive and there are numerous competitors across asset classes and investment strategies.’’); ICI FSOC Comment Letter E:\FR\FM\05JYP1.SGM Continued 05JYP1 43532 Federal Register / Vol. 81, No. 128 / Tuesday, July 5, 2016 / Proposed Rules sradovich on DSK3GDR082PROD with PROPOSALS potential for significant reputational damage and other costs associated with such risks.8 For many advisers, the management of operational risks is part of the normal course of business to mitigate issues that could negatively impact client relationships and the management of client assets (including potential losses).9 Deterioration in client relationships or financial losses could cause clients to move their accounts to another adviser or other financial services firm, and if done on a large scale, prompt the adviser to transition its business through a sale or other means or to wind down its operations and exit the market. While we understand that many investment advisers already have taken steps to address and mitigate the risks of business disruptions,10 our staff has observed a wide range of practices by advisers in addressing operational risk management. The staff frequently observes advisers managing operational and other risks through internal practices, procedures, and controls that are typically assessed by the adviser’s legal, compliance, or audit staff, and often sees independent third-party assessments performed by audit or compliance firms.11 However, the staff at 61 (‘‘Regulated fund investors have considerable choice. The industry is highly competitive, with up to several hundred funds available within each investment category. Along with investment performance, the quality of shareholder services is a highly important factor in attracting and retaining fund investors.’’). 8 See, e.g., BlackRock FSOC Comment Letter at 55 (‘‘Issues related to operational and business continuity risk can be costly and/or harm an asset manager’s reputation with its clients.’’); Comment Letter of Managed Funds Association to FSOC Notice (Mar. 25, 2015) (‘‘MFA FSOC Comment Letter’’) at 45 (‘‘It is in every manager’s self-interest to have appropriate plans in place to handle emergencies.’’). 9 See, e.g., BlackRock FSOC Comment Letter at 10 (‘‘In the normal course of business, asset managers implement measures to mitigate the impact of potentially disruptive events through operational risk management programs, including maintaining business continuity plans . . . .’’); Fidelity FSOC Comment Letter at 32 (‘‘Fidelity devotes significant time and resources to ensuring that we can provide the services our clients expect even in exigent circumstances.’’). 10 See, e.g., Comment Letter of Securities Industry and Financial Markets Association and the Investment Adviser Association to FSOC Notice (Mar. 25, 2015) (‘‘SIMFA/IAA FSOC Comment Letter’’) at 43 (‘‘Of potentially more significant interest, asset managers are keenly focused on business continuity planning, disaster recovery, data protection, and cybersecurity issues—not just because of regulatory requirements . . . but also as a business imperative.’’). 11 We recognize that some asset management firms have well-established sophisticated enterprise risk management (‘‘ERM’’) practices built upon widely followed frameworks. See, e.g., SIMFA/IAA FSOC Comment Letter at 42–43. The letter notes that in larger more sophisticated asset managers, operational risks can be addressed by an ERM framework such as the Committee of Sponsoring VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 also has observed advisers with less robust planning, causing them to experience interruptions in their key business operations and inconsistently maintain communications with clients and employees during periods of stress.12 As discussed further below, our staff has noted weaknesses in some adviser BCPs with respect to consideration of widespread disruptions, alternate locations, vendor relationships, telecommunications and technology, communications plans, and review and testing.13 Although disparate practices may exist in light of the varying size and complexity of registrants, to effectively mitigate such risks we are proposing to require all SEC-registered investment advisers to have plans that are reasonably designed to address operational and other risks related to a significant disruption in the investment adviser’s operations. As described in more detail below, we are concerned about the adequacy of some advisers’ plans to address operational and other risks associated with business resiliency. Our experience indicates that clients of advisers who do not have robust plans in place to address the operational and other risks related to significant disruptions in their operations are at greater risk of harm during such a disruption than the clients of advisers who do have such plans in place. As fiduciaries, investment advisers owe their clients a duty of care and a duty of loyalty, requiring them to put their clients’ interests above their own.14 As part of their fiduciary duty, advisers are obligated to take steps to protect client Organizations (‘‘COSO’’) framework that works to identify key risk elements within the firm and how those elements are monitored and risks mitigated. See COSO, Enterprise Risk Management— Integrated Framework (Sept. 2004), available at https://www.coso.org/Publications/ERM/COSO_ ERM_ExecutiveSummary.pdf. We understand that investment advisers with ERM programs typically consider business continuity as part of their broader management of operational risks. Accordingly, we believe that an adviser’s business continuity and transition plan under the proposed rule could be a part of the adviser’s existing ERM program. 12 See NEP Risk Alert, infra note 30, at 3. 13 See NEP Risk Alert, infra note 30; see also infra notes 31–35 and accompanying text. 14 See SEC v. Capital Gains Research Bureau, Inc., 375 U.S. 180, 191, 194 (1963) (noting that the Advisers Act ‘‘reflects a congressional recognition ‘of the delicate fiduciary nature of an investment advisory relationship’’’ and stating that ‘‘[c]ourts have imposed on a fiduciary an affirmative duty of ‘utmost good faith, and full and fair disclosure of all material facts,’ as well as an affirmative obligation ‘to employ reasonable care to avoid misleading’ his clients’’ (citations omitted)); Transamerica Mortgage Advisors, Inc. v. Lewis, 444 U.S. 11, 17 (1979) (noting that the Advisers Act’s ‘‘legislative history leaves no doubt that Congress intended to impose enforceable fiduciary obligations’’). PO 00000 Frm 00003 Fmt 4702 Sfmt 4702 interests from being placed at risk as a result of the adviser’s inability to provide advisory services.15 Section 206(4) of the Advisers Act authorizes the Commission to adopt rules and regulations that ‘‘define, and prescribe means reasonably designed to prevent, such acts, practices, and courses of business as are fraudulent, deceptive, or manipulative.’’ Because an adviser’s fiduciary duty obligates it to take steps to protect client interests from being placed at risk as a result of the adviser’s inability to provide advisory services, clients are entitled to assume that advisers have taken the steps necessary to protect those interests in times of stress, whether that stress is specific to the adviser or the result of broader market and industry events. We believe it would be fraudulent and deceptive for an adviser to hold itself out as providing advisory services unless it has taken steps to protect clients’ interests from being placed at risk as a result of the adviser’s inability (whether temporary or permanent) to provide those services. Accordingly, we believe advisers should be required to establish strong operational policies and procedures that manage the risks associated with business continuity and transitions. These policies and procedures should increase the likelihood that advisers are as prepared as possible to continue operations during times of stress and that they have taken steps to minimize risks that could lead to disruptions in their operations. These policies and procedures also should increase the likelihood that clients are not harmed in the event of a significant disruption in their adviser’s operations. Therefore, today we are proposing to require SECregistered advisers to adopt and implement written business continuity and transition plans that include certain specific components, and to maintain relevant records of those plans, in order to facilitate robust business continuity and transition planning across all SECregistered advisers. B. Background 1. Business Continuity Planning The rapid recovery and resumption of the financial markets and the activities that support them underpins the resiliency of the U.S. financial system.16 15 See Compliance Programs of Investment Companies and Investment Advisers, Advisers Act Rel. No. 2204 (Dec. 17, 2003) [68 FR 74714 (Dec. 24, 2003)] (‘‘Compliance Program Adopting Release’’) at n.22 (noting this fiduciary obligation in the context of BCPs). 16 See Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System, Securities Exchange Act Rel. No. 47638 E:\FR\FM\05JYP1.SGM 05JYP1 Federal Register / Vol. 81, No. 128 / Tuesday, July 5, 2016 / Proposed Rules sradovich on DSK3GDR082PROD with PROPOSALS Business continuity planning is a critical activity that supports resiliency and one that financial services firms, including investment advisers, generally should engage in to address the inherent risks they face in serving their clients’ needs. Federal and state financial market and services regulators, including the Commission, have sought to highlight and address operational risks and the tools necessary to manage them, including fulsome business continuity planning for many financial industry participants.17 For example, the Financial Industry Regulatory Authority (‘‘FINRA’’) requires broker-dealers to establish business continuity plans (‘‘BCPs’’) reasonably designed to meet existing customer obligations and address relationships with other broker-dealers and counterparties.18 Additionally, the (Apr. 7, 2003) [68 FR 17809 (Apr. 11, 2003)] (‘‘Interagency Paper’’); cf. infra note 21 and accompanying text. 17 See Regulation Systems Compliance and Integrity, Securities Exchange Act Rel. No. 73639 (Nov. 19, 2014) [79 FR 72251 (Dec. 5, 2014)] (‘‘Regulation SCI Adopting Release’’); see also Policy Statement: Business Continuity Planning for Trading Markets, Securities Exchange Act Rel. No. 48545 (Sept. 25, 2003). In addition, we note that banks are subject to the Federal Financial Institutions Examination Council’s (‘‘FFIEC’’) business continuity guidelines, which state that financial institutions should develop comprehensive BCPs and that ‘‘[t]he goal of the BCP should be to minimize financial losses to the institution, serve customers and financial markets with minimal disruptions, and mitigate the negative effects of disruptions on business operations.’’ See FFIEC, IT Examination Handbook, Business Continuity Planning (Feb. 2015) (‘‘FFIEC Handbook’’), available at https:// ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_ BusinessContinuityPlanning.pdf; see also Board of Governors of the Federal Reserve System, Supervisory Letter SR 15–3 (Feb. 6, 2015), available at https://www.federalreserve.gov/bankinforeg/ srletters/sr1503.htm. The FFIEC is an ‘‘interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB).’’ See FFIEC, available at https:// www.ffiec.gov. 18 See FINRA Rule 4370 (requiring that member BCPs address certain elements, including data backup and recovery, all mission critical systems, alternate communications, alternate physical location of employees, and critical business constituent (i.e., a business with which a member firm has an ongoing commercial relationship in support of the member’s operating activities), bank and counter-party impact); see also NASD, Notice to Members 04–37: Business Continuity Plans (May 2004), available at https://www.finra.org/sites/ default/files/NoticeDocument/p003095.pdf. We note that investment advisers that are also registered as broker-dealers would have to comply with FINRA’s rule as well as the proposed rule. However, as noted herein, we have modeled much of the proposed rule, including the required components of a business continuity and transition plan, on BCP requirements for other financial VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 Commodity Futures Trading Commission (‘‘CFTC’’) has adopted regulations that require swap dealers and major swap participants to establish and maintain BCPs that are designed to enable the regulated entity ‘‘to continue or to resume any operations by the next business day with minimal disturbance to its counterparties and the market.’’ 19 The North American Securities Administrator Association (‘‘NASAA’’) also recently adopted a model rule that, if adopted in a particular state, would require investment advisers registered in that state to have business continuity and succession plans in place that minimize ‘‘service disruptions and client harm that could result from a sudden significant business disruption.’’ 20 In addition, we recently adopted rules to strengthen the technology infrastructure of the U.S. securities markets by adopting Regulation Systems Compliance and Integrity, or Regulation SCI, which applies to, among other things, self-regulatory organizations, certain alternative trading systems, and certain exempt clearing agencies.21 Specifically, Regulation SCI is designed to reduce the occurrence of systems issues and improve resiliency for key market participants when these problems do occur, and requires, among other things, relevant entities to have and test business continuity and disaster recovery plans. While these regulations and those of other regulatory services firms that we believe share similar vulnerabilities as investment advisers. See infra notes 61–62 and accompanying text. 19 See 17 CFR 23.603(a). Relevant BCPs must be designed to recover all documentation and data required to be maintained by applicable law and regulation, and are required to include certain required components that are related to, among other things, data backup, systems maintenance, communications, geographic diversity, and third parties. See infra notes 62, 71, 79, and 86. 20 See NASAA Model Rule 203(a)–1A (stating that all plans should provide for backup of books and records, alternate means of communication, office relocations, assignment of duties to qualified persons in the event of death or unavailability of key personnel, and otherwise minimizing service disruption and client harm); see also Mark Schoeff Jr., State Regulators to Require Continuity Plans, Investment News, (Apr. 22, 2015), available at https://www.investmentnews.com/article/20150422/ FREE/150429965/state-regulators-to-requirecontinuity-plans. 21 See Regulation SCI Adopting Release, supra note 17. Among other things, Regulation SCI requires SCI entities to establish and test business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical systems in the event of a wide-scale disruption. See 17 CFR 242.1001(a)(2)(v). Further, Regulation SCI sets forth business continuity and disaster recovery plan testing requirements for SCI entities. See 17 CFR 242.1004. PO 00000 Frm 00004 Fmt 4702 Sfmt 4702 43533 bodies address different entities, they generally highlight similar principles of business continuity planning, including the need to address critical systems, data backup, communications, alternate and/or geographically diverse locations, and third-party relationships. Regulatory authorities have also acted collectively and in consultation with each other to address operational risks in light of the interconnectedness and interdependency of financial market participants. For example, the Commission, along with the Board of Governors of the Federal Reserve System (‘‘Federal Reserve’’) and the Office of the Comptroller of the Currency, issued the Interagency Paper on Sound Practices to Strengthen the Resilience of the Financial System, which sets forth business continuity objectives for all financial firms and the U.S. financial system as a whole.22 More recently, FSOC issued a request for public comment on, among other things, operational risks and transition planning as it relates to the asset management industry.23 22 See Interagency Paper, supra note 16. The objectives discussed in the paper include (i) rapid recovery and timely resumption of critical operations following a wide-scale disruption; (ii) rapid recovery and timely resumption of critical operations following the loss or inaccessibility of staff in at least one major operating location; and (iii) a high level of confidence, through ongoing use or robust testing, that critical internal and external continuity arrangements are effective and compatible. The paper also sets forth four sound practices for core clearing and settlement organizations and firms that play significant roles in critical financial markets, including (i) identifying clearing and settlement activities in support of critical financial markets, (ii) determining appropriate recovery and resumption objectives, (iii) maintaining sufficient geographically dispersed resources to meet such objectives, and (iv) routinely using or testing recovery and resumption arrangements. See id. In addition, in 2012–2013, the Commission’s Office of Compliance Inspections and Examinations (‘‘OCIE’’), along with FINRA and the CFTC, jointly reviewed a number of firms’ business continuity and disaster recovery planning and published their joint observations on best practices and lessons learned. See Joint Review of Business Continuity and Disaster Recovery of Firms by the Commission’s National Examination Program, CFTC’s Division of Swap Dealers and Intermediary Oversight and FINRA (Aug. 16, 2013) (‘‘Joint Review of Business Continuity’’), available at https://www.sec.gov/about/offices/ocie/joint observations-bcps08072013.pdf. Financial services industry participants have also been pro-active in addressing resiliency issues. See, e.g., Financial Services Sector Coordinating Council (established to coordinate infrastructure and homeland security activities within the financial services industry comprised on financial trade associations, financial utilities and financial firms), available at https://www.fsscc.org. 23 See FSOC Notice (Dec. 24, 2014) [79 FR 77488 (Dec. 24, 2014)], available at https://www.treasury. gov/initiatives/fsoc/rulemaking/Documents/Notice %20Seeking%20Comment%20on%20Asset%20 Management%20Products%20and%20 E:\FR\FM\05JYP1.SGM Continued 05JYP1 43534 Federal Register / Vol. 81, No. 128 / Tuesday, July 5, 2016 / Proposed Rules sradovich on DSK3GDR082PROD with PROPOSALS The Commission addressed business continuity planning with respect to investment advisers in a general way when it adopted rule 206(4)–7 under the Advisers Act (‘‘Compliance Program Rule’’). Under the rule, advisers are required to consider their fiduciary and regulatory obligations under the Advisers Act, and adopt and implement written compliance policies and procedures reasonably designed to prevent violations of the Advisers Act.24 At the time it adopted the rule, the Commission was concerned that not all advisers had adopted adequate compliance programs and as a result, clients and investors were being harmed.25 In the release adopting the Compliance Program Rule, the Commission stated that an adviser’s compliance policies and procedures should address BCPs to the extent that they are relevant to an adviser.26 The Commission did not, however, identify critical components of a BCP or discuss specific issues or areas that advisers should consider in developing such plans. As discussed above, an adviser’s fiduciary obligations require it to take steps to protect its clients’ interests from being placed at risk as a result of the adviser’s inability to provide advisory Activities.pdf; see also FSOC, Update on Review of Asset Management Products and Activities (Apr. 18, 2016), available at https://www.treasury.gov/ initiatives/fsoc/news/Documents/FSOC%20Update %20on%20Review%20of%20Asset%20 Management%20Products%20and%20 Activities.pdf. Although our rulemaking proposal is independent of FSOC, several commenters responding to the FSOC Notice discussed operational risks and transition issues related to investment advisers, and we have considered and discussed relevant comments throughout this release. Comments submitted in response to the FSOC Notice are available at https://www. regulations.gov/#!docketBrowser;rpp=25;po=0;dct= PS;D=FSOC-2014-0001. 24 See rule 206(4)–7; Compliance Program Adopting Release, supra note 15, at section II.A.1. Rule 206(4)–7 makes it unlawful for advisers to provide investment advice unless they adopt and implement written compliance policies and procedures reasonably designed to prevent violations by the adviser and its supervised persons of the Advisers Act and rules thereunder. 25 The Commission noted that it and state securities authorities had recently discovered unlawful conduct involving a number of advisers, broker-dealers, and other service providers where personnel of these entities engaged in, or actively assisted others in engaging in, inappropriate market timing, late trading of fund shares, and the misuse of material, nonpublic information about fund portfolios. The Commission noted that these personnel had breached their fiduciary obligations to the funds involved and their shareholders by placing their own interests or the interests of the fund adviser ahead of the interests of fund shareholders. See Compliance Program Adopting Release, supra note 15, at section I. 26 Id. The Commission identified ten areas adviser compliance programs should address, including BCPs. VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 services.27 This fiduciary duty fosters trust between the client and its adviser, such that the client relies on the adviser to act in its best interests and safeguard its assets as appropriate, even during times of stress.28 If an adviser is unable to provide advisory services after, for example, a natural disaster, a cyberattack, an act of terrorism, technology failures, or the departure of key personnel, its temporary inability to continue operations may put clients’ interests at risk and prevent it from meeting its fiduciary duty to clients. This risk could include the risk of loss if, for example, an adviser lacks the ability to make trades in a portfolio, is unable to receive or implement directions from clients, or if clients are unable to access their assets or accounts. As part of its fiduciary duty to protect client interests, an adviser also should take steps to minimize operational and other risks that could lead to a significant business disruption like, for example, a systems failure. In order to do so, advisers should generally assess and inventory the components of their business and minimize the scope of its vulnerability to a significant business disruption. While we recognize that an adviser may not be able to prevent significant business disruptions (e.g., a natural disaster, terrorist attack, loss of service from a third-party), we believe robust planning for significant business disruptions can help to mitigate their effects and, in some cases, minimize the likelihood of their occurrence. Various weather-related events have tested, on a large scale, the effectiveness of existing BCP components of advisers’ compliance programs.29 In addition, these events provided our examination staff the opportunity to review, observe, and assess the operations and resiliency of BCPs across many advisers. The examination staff followed these id. at n.22. The Commission also has stated that ‘‘clients of an adviser that is engaged in the active management of their assets would ordinarily be placed at risk if the adviser ceased operations.’’ Id. 28 See generally SEC v. Capital Gains Research Bureau, Inc., supra note 14 at 191 (‘‘A fiduciary owes its clients more than mere honesty and good faith alone. ’’); Investment Adviser Association, What is an Investment Adviser?, available at https:// www.investmentadviser.org/eweb/ dynamicpage.aspx?webcode=whatisia (noting that because advisers owe a fiduciary duty to their clients, they ‘‘[stand] in a special relationship of trust and confidence with [their] clients’’ and that such fiduciary duty generally includes the duty to place the clients’ interests first ‘‘at all times’’). 29 For example, Hurricane Katrina in 2005 and, as discussed in this release, Hurricane Sandy in 2012 presented challenges to advisers affected by those storms. PO 00000 27 See Frm 00005 Fmt 4702 Sfmt 4702 reviews by issuing public reports of their findings and effective practices.30 Hurricane Sandy broadly impacted the industry and its operations because of the duration and point of impact of the storm, which affected parts of New York, New Jersey, and the surrounding areas, where numerous financial services providers (both markets and participants) are concentrated. In the aftermath of the hurricane, examiners observed that the degree of specificity of advisers’ written BCPs varied and that some advisers’ BCPs did not ‘‘adequately address and anticipate widespread events.’’ 31 In addition, with respect to alternative locations, examination staff noted that some advisers did not have geographically diverse office locations, even when they recognized that diversification would be appropriate.32 Additionally, they observed with respect to vendor relationships and telecommunications/ technology, that certain advisers did not evaluate the BCPs of their service providers or engage service providers to ensure their backup servers worked properly, and that some advisers reported that they did not keep updated lists of their vendors and respective contacts.33 Moreover, with respect to communications plans, the examination staff observed that some advisers inconsistently planned how to contact and deploy employees during a crisis, inconsistently maintained communications with clients and employees, and did not identify which personnel were responsible for executing and implementing the various portions of the BCP.34 Finally, with respect to review and testing, our examination staff reported that some advisers ‘‘inadequately tested their BCPs relative to their advisory businesses.’’ 35 These observations illustrate our experience that business continuity planning among investment advisers 30 See National Exam Program Risk Alert, SEC Examinations of Business Continuity Plans of Certain Advisers Following Operational Disruptions Caused by Weather-Related Events Last Year (Aug. 27, 2013) (‘‘NEP Risk Alert’’), available at https:// www.sec.gov/about/offices/ocie/businesscontinuity-plans-risk-alert.pdf. The examination was part of a joint review by the SEC’s OCIE, FINRA and the CFTC of relevant firms’ business continuity and disaster recovery planning in the wake of Hurricane Sandy. Together, these entities issued a joint statement setting forth best practices and lessons learned as a result of their review. See Joint Review of Business Continuity, supra note 22; see also SEC Compliance Alert (June 2007) (‘‘Compliance Alert’’), available at https:// www.sec.gov/about/offices/ocie/complialert.htm. 31 See NEP Risk Alert, supra note 30, at 3. 32 See NEP Risk Alert, supra note 30, at 4. 33 See NEP Risk Alert, supra note 30, at 4–5. 34 See NEP Risk Alert, supra note 30, at 6. 35 See NEP Risk Alert, supra note 30, at 7. E:\FR\FM\05JYP1.SGM 05JYP1 Federal Register / Vol. 81, No. 128 / Tuesday, July 5, 2016 / Proposed Rules can be uneven and, in some instances, may not be sufficiently robust to mitigate the potential adverse effects of a significant business disruption on clients. Additionally, the operational complexity of advisers has increased over the years and many advisers’ operations are highly dependent on technology, including investment processes (e.g., trading, risk management operations) and client services.36 It is critical for investment advisers to focus on resiliency so that they can continue to provide services to their clients when events impact the availability of systems, facilities, and staff. The ability to recover such systems, including third-party vendor provided platforms and services, and business operations in a timeframe that meets business requirements is important to mitigating the consequences of disruptive events.37 Based on the staff’s observations from examinations, and the ever-growing complexity of, and risks to, operations, we are concerned that some advisers may not have robust BCPs. When a client entrusts an adviser to manage its assets, the client does so with the expectation that the adviser will act in its best interests and safeguard its assets as appropriate, even in times of stress. We believe that without robust business continuity planning, an adviser’s clients may be placed at risk in times of stress. Accordingly, to facilitate such robust planning across all SEC-registered advisers, we are proposing to require that these advisers address certain components in their business continuity and transition plans. sradovich on DSK3GDR082PROD with PROPOSALS 2. Transition Planning Operational risks are not limited to affecting the day-to-day operations of an adviser, but can lead to a financial services firm having to cease or winddown operations while also considering how to safeguard client or investor assets. The 2008 financial crisis 36 See, e.g., Blackrock, The Role of Technology Within Asset Management (Aug. 2014), at 1, available at https://www.blackrock.com/corporate/ en-us/literature/whitepaper/viewpoint-assetmanagement-technology-aug-2014.pdf (‘‘Asset managers require systems to facilitate the maintenance of data and flow of information in the investment process, such as trading counterparties and custodians. Technology provides the unseen ‘plumbing’ that ensures information flows smoothly throughout the ecosystem.’’). The paper also notes that a robust asset management process requires both experienced professionals and technology, and that integrated investment technology enhances the quality of large volumes of data, supports consistent investment workflows and enables timely communications for both internal functions and with external parties. 37 See, e.g., infra note 90. VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 demonstrated that providers of financial services are at risk of having to exit the market unexpectedly and having to do so quickly.38 As with traditional business continuity planning, regardless of whether the risk is internal or external to the firm, a reasonably designed plan assessing various risks related to a business transition (e.g., operational and other risks related to transitioning client assets) and how to react to transition events should ameliorate the impact of transitions on clients.39 After the financial crisis, Congress addressed the need for this type of advance planning for certain institutions in the Dodd-Frank Wall Street Reform and Consumer Protection Act, which mandated regulations that require certain financial institutions to plan for ‘‘rapid and orderly resolution in the event of material financial distress or failure.’’40 In the normal course of business, it is our understanding that advisers routinely transition client accounts without a significant impact to themselves, their clients, or the financial markets.41 We believe that 38 See Financial Crisis Inquiry Commission, Final Report of the National Commission on the Causes of the Financial and Economic Crisis in the United States (Jan. 2011) at 22–23, available at https:// www.gpo.gov/fdsys/pkg/GPO-FCIC/pdf/GPOFCIC.pdf (‘‘In January 2008, Bank of America announced it would acquire the ailing lender Countrywide. . . . Bear Stearns . . . was bought by JP Morgan with government assistance in the spring. Before the summer was over, Fannie Mae and Freddie Mac would be put into conservatorship. Then, in September, Lehman Brothers failed and the remaining investment banks, Merrill Lynch, Goldman Sachs, and Morgan Stanley, struggled as they lost the market’s confidence. AIG . . . was rescued by the government. Finally, many commercial banks and thrifts . . . teetered. IndyMac had already failed over the summer; in September, Washington Mutual became the largest bank failure in U.S. history. In October, Wachovia struck a deal to be acquired by Wells Fargo.’’). Several of the financial services firms mentioned in this report included asset management subsidiaries. 39 Both transition planning and business continuity planning relate to instances where an adviser may be unable to provide advisory services and where advance planning for those instances would benefit advisers and their clients. We note that in the Compliance Program Adopting Release, the Commission noted the risks to advisory clients if an adviser ceased operations. See Compliance Program Adopting Release, supra note 15. 40 See section 165(d) of the Dodd-Frank Act [12 U.S.C. 5365]; see also Resolution Plans Required, 76 FR 67323 (Nov. 1, 2011) (‘‘Resolution Plans’’). We are not proposing that advisers adopt resolution plans or ‘‘living wills’’ similar to that which certain financial institutions must now adopt under FDIC and Federal Reserve rules because investment advisers do not interact with the government in the same way as banks. For example, advisers do not accept insured ‘‘deposits,’’ do not have access to the Federal Reserve discount window, and do not use their own balance sheets when trading client assets. 41 See, e.g., BlackRock FSOC Comment Letter (noting that ‘‘[t]ransitioning the management of client assets from one manager to another regularly PO 00000 Frm 00006 Fmt 4702 Sfmt 4702 43535 much of this is largely attributable to the agency relationship of advisers managing the assets on behalf of their clients and the regulatory framework supporting this relationship whereby advisory client assets for which the adviser has custody are required to be held at a qualified custodian, such as a bank or broker-dealer.42 Because client assets custodied by an adviser must be held at a qualified custodian and segregated from the adviser’s assets, we have observed that transitioning accounts from one adviser to another can largely be a streamlined process that in many cases may not involve the physical movement or sale of assets.43 Pooled investment vehicle clients generally have the ability to terminate the advisory contract of the adviser or remove the governing body that may provide advisory services (e.g., general partner or managing member) and appoint a new adviser or governing body if they so desire, while separate account clients can generally terminate the advisory contract and appoint a new adviser to manage their assets, all while their assets are typically maintained at a qualified custodian.44 In addition, we are aware of instances of non-routine disruptions at large advisory businesses that have resulted in transitions to new advisers or new ownership without appearing to have a significant adverse impact on clients, fund investors, or the financial occurs in the normal course of business’’ and listing 19 previous examples of advisers or funds exiting the market without great market impact); SIMFA/ IAA FSOC Comment Letter (noting that ‘‘managers and funds routinely enter and exit the asset management industry’’ and citing an Investment Company Institute paper to note that, in 2013, ‘‘48 mutual fund sponsors left the business without any impact or distress’’); Comment Letter of PIMCO to FSOC Notice (Mar. 25, 2015); Vanguard FSOC Comment Letter. In addition, we understand that specialized transition managers exist to manage assets during a transition from one adviser to another. See, e.g., BlackRock FSOC Comment Letter at 66. 42 See rule 206(4)–2 under the Advisers Act. The use of custodians that traditionally provide those services provide protection for client assets from the adverse effects of stress at an adviser. We also note that approximately 96.7% of SEC-registered advisers are not related to the custodians that hold client assets. Based on data from the Commission’s IARD as of January 4, 2016. 43 Client assets are not part of the adviser’s balance sheet. Client assets are not subject to the liquidation or potential bankruptcy process of an asset manager and are not subject to the adviser’s creditors. 44 We note that to the extent a new adviser does not have a relationship with the same custodian used by the previous adviser, assets may need to be transferred to a different custodian. Additionally, we note that complications could arise with respect to the transfer of shareholder records when transitioning client accounts to another adviser. E:\FR\FM\05JYP1.SGM 05JYP1 43536 Federal Register / Vol. 81, No. 128 / Tuesday, July 5, 2016 / Proposed Rules sradovich on DSK3GDR082PROD with PROPOSALS markets.45 Advisers routinely enter and exit the market and are capable of transferring client assets to another adviser or distributing such assets back to the client without negatively impacting the client.46 Cases of advisory firms experiencing transition events are often caused by a rapid decrease in assets under management, which can occur for a variety of reasons, including poor performance or an event causing reputational harm.47 To help ensure that a transition is as seamless as possible, an adviser must be aware of the impediments that should be addressed to minimize potential client impact. We are also aware of transitions involving funds under stress that have not been seamless or without problem.48 For example, in one instance, an adviser’s proprietary system used on behalf of a fund client had limitations on the pricing of fund shares that could not be efficiently modified to accommodate certain events, which in turn impeded the processing of fund redemption transactions and the reconciliation, liquidation, and transfer of investor accounts on a timely basis.49 45 For example, although a unique situation, advisory firm Neuberger Berman spun out of Lehman Brothers during the 2008 financial crisis into a private company. See also infra note 52 (discussing the circumstances of the Neuberger Berman sale). 46 See supra note 41. 47 See, e.g., Trevor Hunnicutt, F-Squared Files for Bankruptcy, Investment News (July 8, 2015) (‘‘FSquared Article’’), available at https:// www.investmentnews.com/article/20150708/FREE/ 150709926/f-squared-files-for-bankruptcy (noting that after settling charges with the SEC for false performance claims, F-squared started losing assets under management); Christine Dugas & Sandra Block Strong, Strong Capital, Founder to Pay $140M in Settlement, USA Today (May 20, 2004), available at https://usatoday30.usatoday.com/money/perfi/ funds/2004-05-20-strong-settle_x.htm (noting that after Strong Capital Management (‘‘Strong’’) and its founder settled charges with the SEC for allowing and engaging in undisclosed frequent trading in Strong mutual funds, Strong funds had a ‘‘net outflow of investor assets totaling $4.9 billion’’); see also In the Matter of F-Squared Investments, Inc., Advisers Act Rel. No. 3988 (Dec. 22, 2014) (settled enforcement action); In the Matter of Strong Capital Management, et al., Securities Exchange Act Rel. No. 49741 (May 20, 2004) (settled enforcement action); infra note 60. 48 See, e.g., BlackRock FSOC Comment Letter (citing to the wind-down of Long-Term Capital Management in 2000 and Reserve Primary Fund in 2008 and noting that regulatory intervention was necessary for the funds involved). 49 See In the Matter of The Reserve Fund, et al., Investment Company Act Rel. No. 28386 (Sept. 22, 2008) (finding that the temporary suspension of the right of redemption and postponement of payment for shares which had been submitted for redemption but for which payment had not been made was necessary for the protection of shareholders); see also The Reserve Delays Primary Fund Distributions, MFWire.com (Oct. 14, 2008), available at https://www.mfwire.com/ article.asp?storyID=19638&bhcp=1 (‘‘The process of determining accurately the number of shares each investor held in the Primary Fund has proven to be VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 In addition, while maintaining assets with a custodian may ease the transfer of those assets, the adviser may have important or private information concerning its clients or their strategies and goals that would need to be transitioned securely and efficiently.50 Moreover, the 2008 financial crisis illustrated that one firm’s distress may at times have a broader impact on the financial markets and overall economy.51 Advisers could be impacted by broader market events in a number of ways that could affect an adviser’s ability to continue operations and possibly lead to a transition event. For example, advisers are often owned by or affiliated with other financial services firms who themselves may be in distress. An adviser may be affected by such distress to the extent the distress negatively impacts the adviser’s reputation, if it relies on a distressed affiliate for certain systems or services, or if it is an asset that a distressed parent sells.52 Under circumstances such as these, we are concerned about the adviser’s ability to continue to act in the clients’ best interests. Proper planning and preparation for possible distress and other significant disruptions in an adviser’s operations is essential so that, if an entity has to exit the market, it can do so in an orderly manner, with minimal or no impact on its clients. As discussed above, an adviser’s fiduciary duty obligates it to take steps to protect client interests from being placed at risk as a result of the adviser’s inability to provide advisory services and, thus, it would be fraudulent and deceptive for an adviser to hold itself out as providing advisory services unless it has taken such steps.53 Such advance planning and preparation may minimize an adviser’s exposure to operational and other risks and, therefore, lessen the possibility of a extremely complex and could not be completed in the originally anticipated time frame.’’); The Reserve Furnishes More Details On Primary Fund Redemptions, MFWire.com (Oct. 16, 2008), available at https://www.mfwire.com/ article.asp?storyID=19656&bhcp=1 (‘‘[W]e have been working diligently to enhance our existing software and add new programs to hasten the distribution process.’’). 50 See generally Regulation S–P, 17 CFR 248 (establishing general requirements and restrictions on a financial institutions’ ability to disclose nonpublic personal information about consumers, including clients, to nonaffiliated third parties and exceptions associated therewith). 51 See generally Joint Report, infra note 72. 52 See, e.g., Lehman Brothers selling its asset management arm after declaring bankruptcy. Sam Mamudi, Neuberger Berman Sold to Private Equity, Market Watch (Sept. 29, 2008), available at https:// www.marketwatch.com/story/neuberger-bermansold-to-private-equity-for-215-billion. 53 See supra section I.A; see also section 206(4) of the Advisers Act. PO 00000 Frm 00007 Fmt 4702 Sfmt 4702 significant disruption in its operations, and also may lessen any potential impact on the broader financial markets. Accordingly, and as discussed in more detail below, we believe that SECregistered advisers should be required to adopt and implement a written business continuity and transition plan that is tailored to the risks associated with the adviser’s operations and includes certain components, reflecting its critical role as an agent for its clients. C. Discussion We believe it is appropriate at this time to propose a rule requiring SECregistered advisers to adopt and implement a business continuity and transition plan54 that is reasonably designed to address operational and other risks related to a significant disruption in an adviser’s operations and that addresses certain specified components.55 We recognize that, pursuant to the Compliance Program Rule, most SEC-registered investment advisers may already have BCPs in place as part of their compliance policies and procedures 56 and that those plans (or other plans) may also address transition planning.57 However, it has been our staff’s experience that the robustness of these BCPs is inconsistent across investment advisers. We believe that requiring a business 54 We recognize that business continuity planning and transition planning address different circumstances (i.e. one addresses the continuation of a business while the other addresses the winding down of a business). See infra note 60 and accompanying text. However, both business continuity planning and transition planning pertain to instances where an adviser may be unable to provide advisory services and where advance planning for those instances would benefit advisers and their clients. In this release and in proposed rule 206(4)–4, we refer to an adviser adopting ‘‘a’’ business continuity and transition plan. The proposed rule would not require an adviser to consolidate all of the components described in proposed rule 206(4)–4 into one document. An adviser may maintain separate plans that address the components identified in proposed rule 206(4)– 4. 55 We note that the Commission has explicitly required BCPs in other contexts, and that FINRA has adopted specific rules on BCPs for brokerdealers. See Regulation SCI Adopting Release, supra note 17; FINRA Rule 4370. Further, NASAA has also issued a model rule for states to apply to state-registered advisers, which tend to be smaller in scale and size than advisers registered with the Commission. See NASAA Model Rule 203(a)–1A. 56 See, e.g., BlackRock FSOC Comment Letter at 10 (noting that asset managers maintain BCPs); Fidelity FSOC Comment Letter at 32–33 (discussing BCPs). 57 We understand that in practice, adviser BCPs focus on risks from events that would limit or impact normal operations, such as natural disasters or systems failures, but also can address transition planning. See supra note 39 (discussing the Compliance Program Adopting Release and language therein regarding risks to clients if an adviser ceases operations). E:\FR\FM\05JYP1.SGM 05JYP1 Federal Register / Vol. 81, No. 128 / Tuesday, July 5, 2016 / Proposed Rules to clients. Business continuity situations generally include natural disasters, acts of terrorism, cyber-attacks, equipment or system failures, or unexpected loss of a service provider, facilities, or key personnel. Business transitions generally include situations where the adviser exits the market and thus is no longer able to serve its clients, including when it merges with another adviser, sells its business or a portion thereof,59 or in unusual situations, enters bankruptcy proceedings.60 The proposed rule is intended to help ensure that an adviser’s policies and procedures minimize material service disruptions and any potential client harm from such disruptions. Advisers should keep this focus at the forefront when reviewing their business operations and developing their policies and procedures. Accordingly, the proposed rule would require an SECregistered adviser’s business continuity and transition plan to include policies and procedures designed to minimize material service disruptions, including policies and procedures that address certain specific components. We recognize that advisers’ business models and operations vary, but we believe that every business continuity and transition plan must generally address operational and other risks related to a significant disruption in the adviser’s operations and must address certain key components to plan and prepare for such disruptions.61 While we believe 1. Adopt and Implement Business Continuity and Transition Plans The proposed rule would require SEC-registered advisers to adopt and implement written business continuity and transition plans reasonably designed to address operational and other risks related to a significant disruption in the investment adviser’s operations.58 These plans would include policies and procedures concerning (1) business continuity after a significant business disruption, and (2) business transition in the event the investment adviser is unable to continue providing investment advisory services sradovich on DSK3GDR082PROD with PROPOSALS continuity and transition plan that addresses operational and other risks by rule and specifying certain components of such a plan will facilitate the adoption and implementation of robust plans by all SEC-registered investment advisers that address critical areas and that should be effective and workable during a significant disruption in an adviser’s operations. Moreover, we believe requiring such plans will benefit advisory clients because advisers will likely be better prepared to deal with business continuity and transition events if and when they occur and will better mitigate risks attendant with their operations and business practices, thereby reducing the likelihood of client harm as the result of a significant disruption in an adviser’s operations. We are proposing new rule 206(4)–4 under the Advisers Act and amendments to rule 204–2 under the Advisers Act. Under rule 206(4)–4, it would be unlawful for an SEC-registered investment adviser to provide investment advice unless the adviser adopts and implements a written business continuity and transition plan and reviews that plan at least annually. The proposed amendments to rule 204– 2 would require those advisers to make and keep copies of all written business continuity and transition plans that are in effect or were in effect at any time during the last five years, as well as any records documenting the adviser’s annual review of its business continuity and transition plan. 59 See proposed rule 206(4)–4(b). We note with respect to business transitions that there may be circumstances where an adviser is unable to provide advisory services for only a portion of its business, but is able to continue providing services with respect to another portion of its business, and thus, only exits a particular market. An adviser’s business continuity and transition plan generally should address the possibility of such a partial transition. Cf. infra note 60 and accompanying text (discussing business transitions generally). 60 For example, in 2015, F-Squared Investments, Inc. filed for bankruptcy and arranged for its investment strategies to be managed by another adviser. See F-Squared Article, supra note 47. In addition, in 2005, funds managed by Strong were acquired by Wells Fargo & Company and the ‘‘legal entities comprising the Strong . . . complex were subsequently liquidated.’’ See BlackRock FSOC Comment Letter at 62–63 (discussing the Strong transition); see also Press Release, Wells Fargo Agrees to Acquire $34 Billion in Assets Under Management From Strong Financial Corporation, Wells Fargo (May 26, 2004), available at https:// www.wellscap.com/docs/press_releases/ 5.26.04.pdf. 61 See supra notes 30–35 and accompanying text (discussing certain key elements of BCPs). Other regulatory bodies and organizations also have recognized key elements of business continuity plans. See 17 CFR 23.603 (setting forth essential components of BCPs for swap dealers and major swap participants); FINRA Rule 4370 (setting forth minimum elements that a business continuity plan should address); NASAA Model Rule 203(a)–1A (stating certain elements the plan should address); 58 See proposed rule 206(4)–4. We note that adviser BCPs are also often referred to as business continuity and disaster recovery plans; however, we have chosen to use the term ‘‘business continuity and transition plan’’ to refer to plans required under the proposed rule. We believe, however, that such plans would encompass disaster recovery planning because any robust BCP would need to plan for the recovery of its business operations and systems in order to be able to continue providing services to clients. See proposed rule 206(4)–4(b)(2)(i) (requiring business continuity and transition plans to include maintenance of critical operations and systems, and the protection, backup, and recovery of data). VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 PO 00000 Frm 00008 Fmt 4702 Sfmt 4702 43537 advisers should generally assess and inventory all of the components of their businesses in order to develop their business continuity and transition plans and tailor their plans to the specific risks their businesses face, we also believe that identifying these key components should facilitate the adoption and implementation of robust BCPs by all SEC-registered investment advisers. Under the proposed rule, the content of an SEC-registered adviser’s business continuity and transition plan would be based upon risks associated with the adviser’s operations and would include policies and procedures designed to minimize material service disruptions, including policies and procedures that address the following: 62 (1) Maintenance of critical operations and systems, and the protection, backup, and recovery of data; 63 (2) pre-arranged alternate physical location(s) of the adviser’s office(s) and/or employees; 64 (3) communications with clients, employees, service providers, and regulators; 65 (4) identification and assessment of third-party services critical to the operation of the adviser; 66 and (5) plan of transition that accounts for the possible winding down of the adviser’s business or the transition of the adviser’s business to others in the FFIEC Handbook, supra note 17, at G–1 (discussing components of effective BCPs). 62 We have modeled the proposed rule on BCP requirements for other financial services firms that we believe share similar vulnerabilities as investment advisers, as well as our staff’s examinations experiences, which have highlighted a number of best practices as well as a number of areas for improvement specific to investment advisers. For example, to assist advisers in considering their own business continuity issues, the examination staff previously identified a number of ‘‘lessons learned’’ from its examinations of advisers that were affected by Hurricane Katrina. See Compliance Alert, supra note 30. The staff noted certain provisions in disaster recovery plans that appeared to be effective in allowing an adviser to provide ‘‘uninterrupted advisory services to clients in a compliant manner after a disaster’’ including (i) a pre-arranged remote location for short-term and possible long-term use; (ii) alternate communication protocols to contact staff and clients; (iii) remote access to business records and client data through appropriately secured means; (iv) temporary lodging for key staff where necessary and effective training of staff on how to fulfill essential duties in the event of a disaster; (v) maintaining accurate and up-to-date contact information for all third-party service providers and familiarity with the BCPs of those providers; (vi) contingency arrangements for loss of key personnel; (vii) periodic testing, evaluation and revision of the plan; and (viii) maintaining sufficient insurance and financial liquidity to prevent any interruption of the performance of compliant advisory services. 63 See proposed rule 206(4)–4(b)(2)(i). 64 See proposed rule 206(4)–4(b)(2)(ii). 65 See proposed rule 206(4)–4(b)(2)(iii). 66 See proposed rule 206(4)–4(b)(2)(iv). E:\FR\FM\05JYP1.SGM 05JYP1 43538 Federal Register / Vol. 81, No. 128 / Tuesday, July 5, 2016 / Proposed Rules sradovich on DSK3GDR082PROD with PROPOSALS event the adviser is unable to continue providing advisory services.67 While each SEC-registered adviser’s business continuity and transition plan must address the components set forth in the proposed rule, we recognize that the degree to which an adviser’s plan addresses a required component will depend upon the nature of each particular adviser’s business. We also recognize that business models and operations vary significantly among advisers.68 The proposed rule thus would require that the plan be reasonably designed to address the operational and other risks of an adviser and thus advisers need only take into account the risks associated with its particular operations, including the nature and complexity of the adviser’s business, its clients, and its key personnel.69 For example, we believe that the business continuity and transition plan of a large adviser with multiple locations, offices, or business lines likely would differ significantly from that of a small adviser with a single office or only a few investment professionals and employees. Additionally, we believe that the business continuity and transition plan of an adviser with a complex internal technology infrastructure likely would differ from that of an adviser that primarily uses an outsourced model.70 The complexity and risks associated with these diverse business models could be substantially different, and our proposed rule is designed to give advisers the flexibility to create business 67 As discussed more below, the plan of transition would have to include (1) policies and procedures intended to safeguard, transfer and/or distribute client assets during transition; (2) information regarding the corporate governance of the adviser; (3) the identification of any material financial resources available to the adviser; (4) policies and procedures facilitating the prompt generation of any client-specific information necessary to transition each client account; and (5) an assessment of the applicable law and contractual obligations governing the adviser and its clients, including pooled investment vehicles, implicated by the adviser’s transition. See proposed rule 206(4)– 4(b)(2)(v). 68 See Comment Letter of Wellington Management Group LLP to FSOC Notice (Mar. 25, 2015) at 2 (‘‘The unique characteristics of today’s asset management industry (agency and advice based: Low barriers to entry: High substitutability among managers: And highly competitive) result in a large number of asset management firms that are organized in a variety of models.’’). 69 See, e.g., BlackRock FSOC Comment Letter at 9 (noting that ‘‘understanding the differences in operating models is crucial’’ in assessing the potential operational risk of an asset manager). 70 Id. at 71. A larger adviser may conduct (insource) some or all middle and back office functions (e.g., securities administration, accounting, and recordkeeping) internally. Whereas in an outsourced model, the asset management firm hires third-party providers to perform various middle and back office functions. VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 continuity and transition plans that accommodate such differences. a. Maintenance of Critical Operations and Systems, and the Protection, Backup, and Recovery of Data, Including Client Records The proposed rule would require advisers’ business continuity and transition plans to include policies and procedures on the maintenance of critical operations and systems, and the protection, backup, and recovery of data, including client records.71 With respect to maintaining critical operations/systems, an adviser’s plan generally should identify and prioritize critical functions, operations, and systems and consider alternatives and redundancies to help maintain the 71 We note that Regulation SCI also includes requirements regarding the maintenance of systems. Rule 1001(a) requires each SCI entity to establish, maintain, and enforce policies and procedures that are reasonably designed to ensure that its ‘‘SCI systems’’ have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets. Moreover, rule 1001(a)(2)(v) also requires that these policies and procedures include business continuity and disaster recovery plans that are reasonably designed to achieve two-hour resumption of ‘‘critical SCI systems’’ following a wide-scale disruption. 17 CFR 242.1001. We note that in the Regulation SCI Adopting Release, the Commission stated that it would monitor and evaluate the implementation of Regulation SCI, the risks posed by systems of other market participants, and the continued evolution of the securities markets, and in the future may consider extending the types of requirements in Regulation SCI to other market participants, including investment advisers. See Regulation SCI Adopting Release, supra note 17, at 72259. We note that the proposed rule would not apply Regulation SCI to investment advisers. Rather, the Commission is proposing this rule in light of the specific operations and businesses of investment advisers and the risks they present. In addition to Regulation SCI, we note, as discussed above, that our staff has previously highlighted the importance of access to business records and client data as well as backup servers and other telecommunications services in the context of business continuity planning. See supra notes 30 and 33, and accompanying text. We also note that other regulatory bodies and organizations have stressed the importance of critical systems and data protection in the context of BCPs. See, e.g., 17 CFR 23.603(b)(1), (4) and (6) (requiring BCPs to include identification of documents, data, facilities and infrastructure, as well as backup or copying of documents and data, essential to operations, and procedures for and the maintenance of backup facilities, systems and infrastructure); FINRA Rule 4370(c)(1) and (2) (requiring BCPs to address data backup and recovery (both hard copy and electronic) as well as mission critical systems); NASAA Model Rule 203(a)–1A(1) (stating that BCPs should provide for ‘‘protection, backup and recovery of books and records’’); SIFMA, Business Continuity Planning Expanded Practices Guidelines (Apr. 2011) (‘‘SIFMA Guidelines’’) at 27 and 32, available at https://www.sifma.org/uploadedfiles/ services/bcp/sifma-bc-practices-guidelines2011– 04.pdf (noting that businesses should ensure ‘‘the functionality and availability of critical business applications’’ and ‘‘that redundant copies of vital records’’ are securely stored and available during an emergency). PO 00000 Frm 00009 Fmt 4702 Sfmt 4702 continuation of operations in the event of a significant business disruption.72 When evaluating which operations and systems are critical, advisers generally should consider those that are utilized for prompt and accurate processing of portfolio securities transactions on behalf of clients, including the management, trading, allocation, clearance and settlement of such transactions. Advisers generally should also consider operations and systems that are critical to the valuation and maintenance of client accounts, access to client accounts, and the delivery of funds and securities. This typically will include identification and assessment of third-party services that support certain functions, as activities conducted may involve systems and processes that the adviser controls and others that may be wholly or partially dependent on thirdparty vendors, which we address below. Advisers generally also should identify which key personnel either provide critical functions to the adviser or support critical operations or systems of the adviser such that the temporary or permanent loss of those individuals would disrupt the adviser’s ability to provide services to its clients. We believe that by considering alternatives and redundancies for critical operations and systems in advance of significant business disruptions, an adviser will be able to prioritize, recover, and resume key aspects of its business in a timely manner and consequently be better able to act in its clients’ best interests and continue providing services to its clients during such a disruption.73 For 72 Following the publication of the Interagency Paper, the Commission, together with the Federal Reserve and the Office of the Comptroller of the Currency, issued a joint report that discussed the industry’s efforts to implement the recommendations contained in the Interagency Paper (‘‘Joint Report’’). The Joint Report notes that the Interagency Paper addresses reasonable recovery time objectives and identifies specific riskbased recovery standards in order ‘‘to assure that there will be a relatively consistent degree of preparedness across’’ the industry. See Joint Report on Efforts of the Private Sector to Implement the Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System (Apr. 2006) at 3, available at https://www.sec.gov/news/ press/studies/2006/soundpractices.pdf; see also MFA FSOC Comment Letter at 45 (citing to the MFA’s recommendations to hedge fund managers that they design and implement business continuity/disaster recovery plans ‘‘reasonably designed to: (1) Identify and prioritize critical business functions. . .’’). 73 Investment advisers should also generally consider in their business continuity planning circumstances in which a service provider (including another investment adviser that provides operations or systems to the adviser) is permanently unable to provide the adviser with critical operations or systems. See, e.g, Financial Conduct Authority, Outsourcing in the Asset Management Industry: Thematic Project Findings Report (Nov. E:\FR\FM\05JYP1.SGM 05JYP1 Federal Register / Vol. 81, No. 128 / Tuesday, July 5, 2016 / Proposed Rules sradovich on DSK3GDR082PROD with PROPOSALS example, if most securities operations functions (post-trade processing, corporate actions, reconciliation, etc.) are handled internally by the adviser,74 then the adviser’s plans should address the backup systems or other alternative processes or procedures that will be used or followed in the event of a business disruption where standard operations may not be available. Additionally, we believe that contingency plans with respect to key personnel generally should address both the temporary or permanent loss of such personnel. For example, loss of key personnel could result from an employee’s sudden departure from the adviser or could be due to a weather related event that renders the employee temporarily unavailable. Accordingly, an adviser’s business continuity and transition plan generally should include short-term arrangements, such as which specific individuals would satisfy the role(s) of key personnel when unavailable, and long-term arrangements regarding succession planning and how an adviser will replace key personnel.75 With respect to data protection, backup, and recovery, a business continuity and transition plan generally should address both hard copy and electronic backup, as appropriate.76 A 2013) (‘‘FCA Paper’’), available at https:// www.fca.org.uk/static/documents/thematicreviews/tr13–10.pdf (‘‘Based on our initial assessment of asset managers last year, we concluded that firms in the sample were unprepared for a failure of their service provider.’’). The FCA Paper suggested that asset managers should review their own outsourcing arrangements and where appropriate (i) ‘‘enhance their contingency plans for the failure of a service provider providing critical activities, taking into account industry-led guiding principles where applicable’’ and (ii) ‘‘assess the effectiveness of their oversight arrangements to oversee critical activities outsourced to a service provider, making sure the required expertise is in place.’’ 74 As discussed above, investment advisers that are also registered broker-dealers will be subject to both the proposed rule and FINRA’s rule 4370 regarding BCPs. While we believe the two rules are largely complementary, we note that SEC-registered advisers would have to comply with the requirements of proposed rule 206(4)-4 with respect to their advisory functions. See supra note 18. 75 An adviser should also consider whether the departure of key personnel may trigger contractual obligations with clients, investors, or counterparties. For example, private funds clients may contain redemption rights for its investors upon the departure of specified investment personnel. 76 This proposed requirement would be consistent with the existing requirement for SECregistered investment advisers to maintain specific books and records relating to its investment advisory business. See rule 204–2(a) and (g). The ‘‘books and record’’ rule requires advisers to have procedures: to reasonably protect electronic records from loss, alteration, or destruction; to limit access to electronic records; and to assure that electronic records that are created from hard copy are complete, true, and legible. See rule 204–2(g)(3). VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 reasonably designed business continuity and transition plan generally should recognize that significant business disruptions may prevent access to electronic copies of data (e.g., power or internet outage) and hard copies of data (e.g., cannot access building where data is located). Such a plan should also recognize the important role electronic records can play in carrying out the adviser’s plan of transition in a timely manner. Additionally, in connection with data backup and recovery, a business continuity and transition plan generally should include an inventory of key documents (e.g., organizational documents, contracts, policies and procedures), including the location and description of the item, and a list of the adviser’s service providers relationships that are necessary to maintaining functional operations. This documentation generally should include details of the adviser’s management structure, risk management processes, and financial and regulatory reporting requirements. We believe such documentation would make it easier for an adviser and its employees to access important operations/systems, documents, and relationships during a significant business disruption. Finally, we note with respect to data protection, backup and recovery, one type of potentially significant business disruption is a cyber-attack. An adviser generally should consider and address as relevant the operational and other risks related to cyber-attacks.77 We 77 Our staff recently highlighted a number of measures for advisers to consider in the context of cybersecurity and noted that ‘‘advisers should identify their . . . compliance obligations under the federal securities laws and take into account these obligations when assessing their ability to prevent, detect and respond to cyber attacks.’’ See Cybersecurity Guidance, IM Guidance Update (Apr. 2015), available at https://www.sec.gov/investment/ im-guidance-2015–02.pdf. In March 2014, the Commission hosted a roundtable on cybersecurity, which highlighted the Commission’s focus on cybersecurity-related issues and a number of Commission actions relating to cybersecurity. The Commission is also focused on cybersecurity risk issues related to investment advisers, including data protection and identity theft vulnerabilities. See Chair Mary Jo White, Opening Statement at SEC Roundtable on Cybersecurity (Mar. 26, 2014), available at https://www.sec.gov/News/PublicStmt/ Detail/PublicStmt/1370541286468; see also Identity Theft Red Flags Rules, Securities Exchange Act Rel. No. 69359 (Apr. 10, 2013); see also Cybersecurity Roundtable, SEC, available at https://www.sec.gov/ spotlight/cybersecurity-roundtable.shtml (providing information on the roundtable). We also note that the National Institute of Standards and Technology (‘‘NIST’’) has issued a framework for improving cybersecurity and that it recently sought comment on this framework. See NIST, Framework for Improving Critical Infrastructure Cybersecurity (Feb. 12, 2014), available at https://www.nist.gov/ cyberframework/upload/cybersecurity-framework021214.pdf; NIST, Cybersecurity Framework— PO 00000 Frm 00010 Fmt 4702 Sfmt 4702 43539 believe exposure to compliance and operational risks that may be caused by cybersecurity incidents can be mitigated by addressing such risks in the context of business continuity planning.78 b. Pre-Arranged Alternate Physical Location(s) The proposed new rule would also require an adviser’s business continuity and transition plan to include prearranged alternate physical location(s) of its office(s) and/or employees. As our staff has indicated a number of times, alternate or remote locations are essential for an adviser to continue providing services during a significant business disruption.79 Accordingly, when developing business continuity and transition plans, advisers generally should consider the geographic diversity of their offices or remote sites and employees, as well as access to the systems, technology, and resources necessary to continue operations at different locations in the event of a disruption.80 For example, an adviser Overview, available at https://www.nist.gov/ cyberframework/# (discussing requests for comment on the cybersecurity framework). 78 We recognize that advisers also may have additional policies and procedures to address compliance and operational risks related to cybersecurity incidents. 79 See supra notes 30 and 32, and accompanying text; see also Regulation SCI Adopting Release, supra note 17 (requiring an SCI entity’s business continuity and disaster recovery plan to include ‘‘geographically diverse’’ backup and recovery capabilities). We note that other regulatory bodies and organizations have also recognized the importance of alternate sites and geographic diversity in business continuity planning. See, e.g., 17 CFR 23.603(b)(5) (requiring backup facilities, infrastructure and alternative staffing in geographically separate areas); FINRA Rule 4370(c)(6) (requiring BCPs to address ‘‘alternate physical location of employees’’); NASAA Model Rule 203(a)–1A(3) (stating that BCPs should provide for ‘‘office relocation in the event of temporary or permanent loss of a principal place of business’’); FFIEC Handbook, supra note 17, at G14 (stating that a ‘‘BCP should address site relocation for short-, medium-, and long-term disaster and disruption scenarios’’); Interagency Paper, supra note 16 (noting that backup sites should not rely on the same infrastructure components used by the primary site, should not be impaired by a widescale evacuation at or the inaccessibility of staff that service the primary site, and should consider staffing needs at the backup site if the firm relies on the same labor pool for both its primary and back up sites). 80 We are not proposing to require that an adviser’s business continuity and transition plan include an alternative location at a specified distance away from its primary location because we believe, as discussed above, that an adviser’s plan should be tailored to its particular operations and that, while a specified distance may be appropriate for one adviser’s alternate location, it may not be appropriate for all advisers. Nonetheless, we believe advisers generally should consider whether their alternative locations are in such close proximity to each other or to its primary location that they may be sharing common infrastructure providers and E:\FR\FM\05JYP1.SGM Continued 05JYP1 43540 Federal Register / Vol. 81, No. 128 / Tuesday, July 5, 2016 / Proposed Rules may recognize that a significant business disruption could limit access to its primary or only office for an extended period of time and, therefore, establish a satellite office or plan to use a remote site in another location or geographic region and may also allow remote access by employees so the adviser could continue to have access to the facilities, systems, and personnel necessary to carry on its business.81 sradovich on DSK3GDR082PROD with PROPOSALS c. Communications With Clients, Employees, Service Providers, and Regulators Under the proposed rule, a business continuity and transition plan would also need to address communications with clients, employees, service providers, and regulators. We believe that communication plans are an essential element of effective business continuity and transition plans and generally should cover communications with parties involved in the critical aspects of the adviser’s operations.82 For example, if an adviser’s employees are unaware that a disruption has occurred and the adviser’s business continuity and transition plan has been activated, the plan will likely fail. An adviser’s communication plan generally should cover, among other things, the methods, systems, backup systems, and protocols that will be used for communications, how employees are informed of a significant business disruption, how employees should communicate during such a disruption, and contingency arrangements communicating who would be responsible for taking on other responsibilities in the event of loss of key personnel.83 Adviser business continuity and transition plans thus, that the alternative locations would be similarly affected by an external event. 81 An adviser should consider the technology, systems, and resources necessary for employees working remotely to continue to securely conduct the adviser’s business. 82 As discussed above, our staff has previously noted the important role that communication plans can play in business continuity planning. See supra notes 30 and 34 and accompanying text. Additionally, we note that other regulatory bodies and organizations have focused on communications in the context of BCPs. See, e.g., 17 CFR 23.603(b)(3) (requiring BCPs to include communication plans with respect to employees, vendors, and regulatory authorities); FINRA Rule 4370(c)(4), (5), and (9) (requiring BCPs to address communications with customers, employees and regulators); NASAA Model Rule 203(a)–1A(2) (stating that BCPs should provide for alternate communications with ‘‘customers, key personnel, employees, vendors, service provides. . .and regulators. . . .’’); FFIEC Handbook, supra note 17, at G–4 (stating that ‘‘[c]ommunication is a critical aspect of a BCP and should include communication with employees, . . . regulators, vendors/suppliers (detailed contact information), [and] customers (notification procedures) . . . .’’). 83 See supra section I.C.1.a. VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 generally should also address employee training, so that in the event of a significant business disruption employees understand their specific roles and responsibilities and are able to carry out the adviser’s plan. Moreover, advisers should consider when and how it is in their clients’ best interests to be informed of a significant business disruption and/or its impact. Accordingly, with respect to clients, a business continuity and transition plan generally should include the process by which the adviser would have prompt access to client records that include the name and relevant contact and account information for each client as well as investors in private funds sponsored by the investment adviser.84 These plans generally should include how clients will be made aware of and updated about a significant business disruption that materially impacts ongoing client services (e.g., periodic updates to Web sites and customer service lines) and, when applicable, how clients will be contacted and advised if account access is impacted during such a disruption. Similarly, an adviser’s communication plan with its service providers generally should include, among other things, how the service provider will be notified of a significant business disruption at the adviser as well as how the adviser will be notified of a significant business disruption at a service provider, and how the entities will communicate with one another and clients or investors (where applicable) 85 during a disruption. With respect to communications with the adviser’s regulators, the adviser’s business continuity and transition plan generally should include the contact information for relevant regulator(s), and identify the personnel responsible for notifying, as well as under what circumstances it 84 For a private fund to qualify for the exclusion from the definition of ‘‘investment company’’ in either section 3(c)(1) or 3(c)(7) of the Investment Company Act of 1940 (‘‘Investment Company Act’’) or rely on various offering exemptions under the Securities Act of 1933, the private fund is already required to have a reasonable belief regarding certain qualification information with regard to its beneficial owners that are U.S. persons. See, e.g., 17 CFR 270.2a51–1(h), 17 CFR 230.501(a). While the private fund may not be required to have such detailed information about non-U.S. person beneficial owners, we understand it generally has contact information readily available. 85 For example, pooled investment vehicles generally rely on their investment advisers to arrange for and interact with fund service providers. If an adviser to an investment company, for example, outsources certain back office functions, such as transfer agency to a third-party vendor, its business continuity and transition plan should address coordination of communications with the transfer agent to investors in the fund, as well as with intermediaries servicing investors who also are beneficial owners of the fund. PO 00000 Frm 00011 Fmt 4702 Sfmt 4702 would notify, such regulator(s) of a significant business disruption. d. Identification and Assessment of Third-Party Services Critical to the Operation of the Adviser The proposed rule would require an adviser’s business continuity and transition plan to include the identification and assessment of thirdparty services critical to the operation of the adviser.86 We understand advisers frequently outsource certain functions or aspects of their operations or use third-parties’ systems or vendors for their middle and back office functions in order to permit the adviser to focus on front office core functions, such as portfolio management and trading.87 To the extent critical services are outsourced to third-parties, we believe that an adviser generally should be prepared for significant business disruptions that could impair its ability to act in its clients’ best interests by having a business continuity and transition plan that addresses the critical services provided to it by such third parties.88 In this regard, an adviser’s business continuity and transition plan should identify critical functions and services provided by the adviser to its clients, and third-party vendors supporting or conducting critical functions or services for the adviser and/or on the adviser’s behalf.89 An adviser generally should 86 We note that Regulation SCI includes specific requirements with respect to the resumption of ‘‘critical SCI systems,’’ differentiating these systems from other systems covered by the regulation. See 17 CFR 242.1000 and 242.1001(a)(2)(v) of Regulation SCI. In addition, as discussed above, our staff has previously noted the importance of addressing third-party relationships in the context of BCPs. See supra notes 30 and 33, and accompanying text. Additionally, we note that other regulatory bodies and organizations have noted that BCPs should address third-party relationships. See, e.g., 17 CFR 23.603(b)(7) (requiring ‘‘identification of potential business interruptions encountered by third parties that are necessary to continued operations’’ and ‘‘a plan to minimize the impact’’); FINRA Rule 4370(c)(7) (requiring BCPs to address ‘‘critical business constituent, bank, and counterparty impact’’); SIFMA Guidelines, supra note 71, at 30 (stating that BCPs should include internal and external business partners and that firms should be familiar with the BCPs and risks of those partners). 87 For example, we frequently see middle office functions such as administration of the front office and trades and related transactions, including securities operations and processing (confirmation, routing, matching, and settlement trades), pricing/ valuation, reconciliation (both cash and positions), and post trade compliance and reporting, outsourced to third parties. 88 The nature of advisory business is such that advisers typically depend on a number of thirdparty service providers and systems vendors (e.g., broker-dealers, custodians, etc.) in providing services to their clients. 89 The Joint Report noted that, notwithstanding the use of a service provider to perform various E:\FR\FM\05JYP1.SGM 05JYP1 Federal Register / Vol. 81, No. 128 / Tuesday, July 5, 2016 / Proposed Rules sradovich on DSK3GDR082PROD with PROPOSALS consider a variety of factors when identifying and prioritizing which service providers should be deemed critical, such as the day-to-day operational reliance on the service provider and the existence of a backup process or multiple providers, whether or not the service provided includes direct contact with clients or investors, and whether the service provider is maintaining critical records or able to access personally identifiable information, among other things. We would generally consider critical service providers to at least include those providing services related to portfolio management, the custody of client assets, trade execution and related processing, pricing, client servicing and/or recordkeeping, and financial and regulatory reporting. Once an adviser identifies its critical service providers, it should review and assess how these service providers plan to maintain business continuity when faced with significant business disruptions and consider how this planning will affect the adviser’s operations.90 For example, if an activities, a firm ‘‘cannot shift responsibility for compliance and risk management to the service provider. . . . Should a service provider not have the appropriate level of resilience, a financial institution would be required to move to a provider that can demonstrate an appropriate level of resilience.’’ See Joint Report, supra note 72 at 6. We also encourage advisers to be familiar with the terms of their contracts with critical service providers, including any provisions regarding the termination or assignment of the contract and any notice requirements related to those provisions. 90 In late August 2015, Bank of New York Mellon (‘‘BNY Mellon’’), a service provider that provides custodial and administrative services to mutual funds, closed-end funds, and exchange-traded funds, experienced a breakdown in one of its thirdparty systems (SunGard’s InvestOne) used to calculate numerous client funds’ net asset values (‘‘NAVs’’). As a result of this breakdown, BNY Mellon was unable to deliver timely systemgenerated NAVs to certain clients for several days, which resulted in certain clients pricing their shares using stale or manually calculated NAVs and certain ETFs using stale baskets. Once the automated system was restored, ETF baskets were updated and certain funds had to review the NAVs used while the automated system was down and make any necessary corrections. See, e.g., Stephen Foley, BNY Mellon Close to Resolving Software Glitch, Financial Times (Aug. 31, 2015), available at https://www.ft.com/intl/cms/s/0/47d5860a-4f2b11e5-b029-b9d50a74fd14.html; Jessica Toonkel & Tim McLaughlin, BNY Mellon Pricing Glitch Affects Billions of Dollars of Funds, Reuters (Aug. 26, 2015), available at https://www.reuters.com/article/ bnymellon-funds-nav-idUSL1N1111QY20150826; Barrington Partners White Paper, An Extraordinary Week: Shared Experiences from Inside the Fund Accounting System Failure of 2015 (Nov. 2015), available at https://www.mfdf.org/images/uploads/ blog_files/SharedExperiencefromFASystem Failure2015.pdf; Transcript of the BNY Mellon Teleconference Hosted by Gerald Hassell on the Sungard Issue, available at https:// www.bnymellon.com/_global-assets/pdf/events/ transcript-of-bny-mellon-teleconference-onsungard-issue.pdf. VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 adviser’s business continuity and transition plan contemplates that it will rely on a particular service provider for a critical service, the adviser generally should be aware of whether the service provider has a BCP and if that BCP provides alternatives, including backup plans, to allow it to continue providing critical services during a significant business disruption. If the service provider does not have a BCP or if its BCP does not provide for such alternatives, the adviser generally should consider alternatives for such critical services, which may include other service providers or internal functions or processes that can serve as a backup or contingency for such critical services.91 We also recognize that advisers often play a key role in identifying, arranging for, and overseeing other service providers for certain of their clients as part of their sponsoring roles. For example, an adviser may arrange for a particular administrator or pricing vendor for a registered investment company client or private fund client.92 Accordingly, we believe an adviser should generally review and assess how the critical service providers it arranges and/or oversees for its clients plan to maintain business continuity when faced with significant business disruptions and consider how this planning will affect its clients’ operations.93 We understand that many advisers currently take a variety of steps to understand the operational and other risks of their service providers and those of certain clients’ critical service providers,94 such as reviewing a summary of a service provider’s BCP, 91 We recognize that it may not be feasible or may be cost prohibitive for an adviser to retain backup service providers, vendors, and/or systems for all critical services. In such cases, an adviser should consider backup plans, functions and/or processes to address how it will manage the loss of a critical service. 92 See supra note 85. 93 See, e.g., supra note 89. 94 See, e.g., BlackRock FSOC Comment Letter; see also Risk Principles for Asset Managers, supra note 4, at 19 (‘‘The increased level of outsourcing to third party service providers has changed not only their outsourcing risk profile but such significant changes to an organization’s business model can lead to many process and control changes and could therefore increase the exposure to other (operational) risk areas (e.g., country risk and service provider oversight)’’); cf. rule 38a–1(a)(2) (requiring registered investment company boards to approve policies and procedures that provide for the oversight of compliance by the fund’s investment adviser and certain other named service providers). Such approval must be based on a finding that the policies and procedures are reasonably designed to prevent violations of the federal securities laws by the fund, the investment adviser and the other named service providers. See id. PO 00000 Frm 00012 Fmt 4702 Sfmt 4702 43541 due diligence questionnaires, an assurance report on controls by an independent party,95 certifications or other information regarding a provider’s operational resiliency or implementation of compliance policies, procedures, and controls relating to its systems, results of any testing, and conducting onsite visits. Factors such as the significance of the service provider to advisory operations, the type of service provided, and the adviser’s ability to require or request actions of its service providers will impact the steps that advisers should consider taking. e. Transition Plan Under the proposed rule, an adviser’s business continuity and transition plan would have to include a plan of transition that accounts for the possible winding down of the adviser’s business or the transition of the adviser’s business to others in the event the adviser is unable to continue providing advisory services.96 Advisers facing the decision to exit the market commonly do so by: (1) Selling the adviser or substantially all of the assets and liabilities of the adviser, including the existing advisory contracts with its clients, to a new owner; (2) selling certain business lines or operations to 95 See Investment Company Institute, Financial Intermediary Controls and Compliance Assessment Engagements (Dec. 2015) at 8, available at https:// www.ici.org/pdf/ppr_15_ficca.pdf (identifying a financial intermediary’s ‘‘Business Continuity/ Disaster Recovery Program’’ as one of 17 areas of focus that ‘‘should be addressed on an annual basis as part of the financial intermediary’s controls and compliance engagements.’’); see also AICPA, Reporting on Controls at a Service Organization (2015), available at https://www.aicpa.org/Research/ Standards/AuditAttest/DownloadableDocuments/ AT-00801.pdf. Many advisers review SSAE 16 reports that are prepared by an independent public accountant in accordance with the American Institute of CPAs’ Auditing Standards Boards’ Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization. These reports provide assurances that the service provider has established a system of internal controls, that the internal controls are suitably designed to achieve specified objectives, and that the internal controls are operating effectively. 96 Cf. FINRA Rule 4370(c)(10) (requiring BCPs to address ‘‘[h]ow the member will assure customers’ prompt access to their funds and securities in the event that the member determines that it is unable to continue its business’’); NASAA Model Rule 203(a)–1A(4) (stating that BCPs should provide for the ‘‘[a]ssignment of duties to qualified responsible persons in the event of the death or unavailability of key personnel’’). Transition of an adviser’s business to others generally would, for example, include a situation where the adviser is a sole proprietor who is no longer able to provide advisory services and is, therefore, transferring its business to another person/firm or winding down operations entirely. Such succession/transition planning generally should be accounted for in the context of an adviser’s plan of transition. E:\FR\FM\05JYP1.SGM 05JYP1 43542 Federal Register / Vol. 81, No. 128 / Tuesday, July 5, 2016 / Proposed Rules sradovich on DSK3GDR082PROD with PROPOSALS another adviser; 97 or (3) the orderly liquidation of fund clients or termination of separately managed account relationships.98 Regardless of the method an adviser chooses to effect a transition, we believe that assessing and planning for potential impediments associated with that method should help an adviser act in its clients’ best interests by seeking to mitigate potentially negative effects on its clients and investors.99 We believe that a plan of transition generally should account for transitions in both normal and stressed market conditions,100 and generally should consider each type of advisory client, the adviser’s contractual obligations to clients, counterparties, and service providers, and the relevant regulatory regimes under which the adviser operates.101 Under the proposed rule, the transition components of a business continuity and transition plan would have to include (1) policies and procedures intended to safeguard, transfer and/or distribute client assets during transition; (2) policies and procedures facilitating the prompt generation of any client-specific information necessary to transition each client account; (3) information regarding the corporate governance structure of the adviser; (4) the identification of any material financial resources available to the adviser; and (5) an assessment of the applicable law and contractual obligations governing the adviser and its clients, including pooled investment vehicles, implicated by the adviser’s 97 See supra note 59 (discussing partial transitions of an adviser’s business). 98 See, e.g., Prudential Financial Inc. 2014 Resolution Plan: Public Section (June 30, 2014), available at https://www.federalreserve.gov/ bankinforeg/resolution-plans/prudential-fin-1g20140701.pdf; American International Group, Inc. Resolution Plan Section 1: Public Section (July 1, 2014), available at https://www.federalreserve.gov/ bankinforeg/resolution-plans/aig-1g-20140701.pdf. These two nonbank financial companies have been designated ‘‘systemically’’ important by FSOC and also have investment adviser subsidiaries. The publicly-available summaries of their resolution plans filed with the Federal Reserve indicate that they would seek to either sell their advisory businesses or seek Chapter 11 bankruptcy proceedings for their advisory entities. 99 An adviser may also wish to consider in the context of its transition plan, if and when it would be appropriate to use a transition manager. A transition manager facilitates and coordinates ‘‘the transition of asset management from one manager to another, or from one asset class or investment strategy to another.’’ See supra note 41. 100 See supra notes 38–39 and accompanying text (discussing the 2008 financial crisis and transition planning generally). 101 In addition to contractual obligations to its clients and vendors, an adviser that provides other services to entities, such as to another adviser, generally should consider its contractual obligations as a service provider to those other entities as it plans for a transition event. VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 transition. Each of the proposed required components of an adviser’s transition plan is designed to help an adviser be well prepared for a transition so that it can act quickly and in its clients’ best interests if and when a transition occurs. We believe that preserving the safety of client assets and the ability to promptly produce and transfer the information necessary for the ongoing management of client assets is fundamental to an adviser acting in the best interests of its clients. The adviser’s policies and procedures addressing how the adviser intends to safeguard, transfer and/or distribute client assets in the event of a transition generally should consider the unique attributes of each type of the adviser’s clients (e.g., registered investment companies, private funds, separately managed accounts) and how the adviser plans to transfer accurate client information to other advisers or their service providers. For example, the transfer of client information with respect to registered investment companies and private funds may be more complex than that of separately managed accounts because registered investment companies and private funds typically have multiple investors, whereas separately managed accounts typically have only one investor. It is our understanding that the methods for safeguarding, transferring, and/or distributing client assets may vary by client type and that the best method for one client might not be the best method for another.102 Thus, we believe an adviser’s policies and procedures should appropriately account for the different methods in which it plans to safeguard, transfer, and/or distribute assets of its different types of clients. Additionally, if a client account holds assets that would require special instruction or treatment in the event of transition, an adviser’s policies and procedures generally should address such instruction or treatment.103 Further, the transition plan should also contain policies and procedures 102 For example, if the adviser manages registered investment companies, the investment companies’ board(s) may determine that the best method for transferring the assets of these funds is to reorganize them into funds managed by a new adviser. Separately managed accounts, however, would not be reorganized, but may have other considerations unique to them, such as whether a new custodian would be necessary for a new adviser. 103 For example, it is our understanding that when transitioning accounts from one adviser to another, derivatives positions require special treatment in that they are typically unwound rather than transferred to the new adviser and that the terms of the derivatives instrument may dictate whether and how such unwinding takes place. PO 00000 Frm 00013 Fmt 4702 Sfmt 4702 that would facilitate the prompt generation of any client-specific information necessary to transition a client account, such as the identity of custodians, positions, counterparties, collateral, and related records of each client. Similar to the need to have accurate and accessible client information in the event of a business continuity scenario, we believe that this information is necessary to effect a smooth transition of the management of client accounts. We believe senior executives at an investment adviser generally, and especially in times of stress, should be able to quickly identify the important decision-makers within the organization and understand the inter-relationships between the adviser and any affiliated entities to be able to assess whether and how issues at an affiliate may affect the advisory entity. For example, an adviser that uses an affiliate as a qualified custodian may face additional issues if the transition event is related to that affiliate’s operations. We believe that this information is necessary if the adviser needs to assess the manner in which it can exit the market with minimal adverse effect on its clients or to take steps necessary to protect itself from issues that may stem from an affiliated entity. Accordingly, with respect to the adviser’s corporate governance structure, the transition component of a business continuity and transition plan generally should include an organizational chart and other information about the adviser’s ownership and management structure, including the identity and contact information for key personnel, and the identity of affiliates (both foreign and domestic) whose dissolution or distress could lead to a change in or material impact to the adviser’s business operations.104 Registered investment advisers manage a variety of products and security types, with investments in and investors from various jurisdictions and are subject to a variety of contractual and legal obligations and regulatory regimes. An adviser’s ability to seamlessly transition advisory services could be impacted by its or its clients’ contractual obligations or the various regulatory regimes under which the adviser or its advisory client may be subject. For example, an adviser’s insolvency or termination may trigger a termination clause in a client’s 104 An advisory entity may be adversely affected by an affiliate’s distress if, for example, the adviser and distressed affiliate share systems, personnel, sources of financing, or similar names. E:\FR\FM\05JYP1.SGM 05JYP1 Federal Register / Vol. 81, No. 128 / Tuesday, July 5, 2016 / Proposed Rules sradovich on DSK3GDR082PROD with PROPOSALS derivative contract.105 Also, the board and shareholders of a registered investment company must approve an advisory contract with any new adviser 106 and the Advisers Act requires advisory contracts to include a provision that a contract cannot be assigned without client consent.107 Other regulatory regimes may require regulatory approval for certain acts,108 which may be further complicated by the need for cross-border cooperation if the adviser operates in multiple jurisdictions 109 or the adviser’s pooled investment vehicle clients are domiciled 105 Some ISDA contracts include the default provision allowing for the counterparty to terminate a contract upon the change of advisers. 106 Section 15(a) of the Investment Company Act states that ‘‘[i]t shall be unlawful for any person to serve or act as investment adviser of a registered investment company except pursuant to a written contact, which . . . has been approved by the vote of a majority of the outstanding securities of such registered company . . . .’’ Additionally, section 15(c) of the Investment Company Act states that ‘‘it shall be unlawful for any registered investment company having a board of directors to enter into . . . any contract or agreement, written or oral, whereby a person undertakes regularly to serve or act as investment adviser of . . . such company, unless the terms of such contract or agreement and any renewal thereof have been approved by the vote of a majority of directors, who are not parties to such contract or agreement or interested persons of any such party, cast in person at a meeting called for the purpose of voting on such approval.’’ But see, e.g., rule 15a–4 under the Investment Company Act (allowing funds, in certain circumstances, to enter into interim advisory agreements without an in-person board meeting and without the fund’s shareholders first approving the agreement); see generally JP Morgan Chase/Bear Stearns Asset Management, SEC Staff No-Action Letter (July 14, 2008) (providing staff no-action relief following the US-government-brokered emergency sale of Bear Stearns Companies Inc. to JP Morgan Chase & Co., to allow Bear Stearns Asset Management to continue to serve as investment adviser to its funds without prior in-person approval by the funds’ board of directors due to the extraordinary circumstances surrounding the sale of its parent company). 107 Section 205(a)(2) of the Advisers Act requires any investment advisory contract to contain a provision indicating ‘‘that no assignment of such contract shall be made by the investment adviser without the consent of the other party to the contract.’’ Section 202(a)(1) of the Advisers Act defines ‘‘assignment,’’ for purposes of the Advisers Act, to include ‘‘any direct or indirect transfer or hypothecation of an investment advisory contract by the assignor or of a controlling block of the assignor’s outstanding voting securities by a security holder of the assignor. . . .’’ 108 See, e.g., Third Avenue Trust and Third Avenue Management LLC, Investment Company Act Rel. No. 31943 (Dec. 16, 2015) (Notice and Temporary Order) (permitting the suspension of the right of redemption of Third Avenue Trust’s outstanding redeemable securities). 109 For example, as of January 4, 2016, the number of foreign registrations of SEC-registered investment advisers was 2,279, representing 1,051 SEC-registered investment advisers, some of which were registered in multiple foreign jurisdictions. Additionally, there were 780 foreign investment advisers registered with the Commission as of that same date. Based on data from IARD. VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 in different jurisdictions.110 Accordingly, we are proposing that an adviser’s transition plan include an assessment of the applicable law and contractual obligations governing the adviser and its clients, including pooled investment vehicles, implicated by the adviser’s transition. Finally, we believe it is important for an adviser to have considered in advance its strategy for either avoiding or facilitating a transition of its business and client accounts in the event the adviser is in material financial distress such that its ability to continue providing advisory services to its clients or otherwise acting in its clients’ best interests could be impacted or undermined.111 Accordingly, the proposed rule requires that the adviser’s plan of transition consider any material financial resources available to the adviser. For example, the adviser could identify any material sources of funding, liquidity, or capital it would seek in times of stress in order to continue operating 112 or consider how it would implement a reduction of expenses or other alternatives. f. Request for Comment We seek comment on the proposed requirement to adopt and implement a business continuity and transition plan, and the proposed components of that plan. • Should we require all SECregistered advisers to adopt and implement business continuity and transition plans? Or should we identify only a subset of SEC-registered advisers that must implement such plans? Which advisers should be in such a subset (e.g., large advisers with assets under management over a specific threshold, advisers affiliated with financial institutions, etc.) and why? 110 When evaluating options for Long-Term Capital Management, L.P. during its collapse, the effects of the fund filing for bankruptcy were not clear because the fund was managed by an advisory entity domiciled in Delaware and located in Connecticut, while the fund itself was domiciled in the Cayman Islands, where the rights of its counterparties to liquidate collateral under the U.S. Bankruptcy Code would have been delayed because the fund would have likely had to seek bankruptcy protection in the Cayman Islands courts, under Cayman law. See Report of The President’s Working Group on Financial Markets, Hedge Funds, Leverage, and the Lessons of Long-Term Capital Management (Apr. 28, 1999), available at https:// www.treasury.gov/resource-center/fin-mkts/ Documents/hedgfund.pdf. 111 We note that, in certain circumstances, an adviser is required to ‘‘disclose any financial condition that is reasonably likely to impair [the adviser’s] ability to meet contractual commitments to clients.’’ See Form ADV, Part 2, Item 18. 112 When considering any material financial resources available to it, the adviser also could identify any insurance coverage. PO 00000 Frm 00014 Fmt 4702 Sfmt 4702 43543 • Rather than adopting the proposed rule, should the Commission issue guidance under rule 206(4)–7 under the Advisers Act addressing business continuity and transition plans? If so, should that guidance set forth possible elements of such a plan? • What, if any, implications will the proposed rule have for investment advisers that are also subject to other regulatory requirements as to business continuity and/or transition planning (e.g., FINRA or CFTC rules on BCPs)? For example, would the proposed rule be inconsistent with an adviser’s obligations under other regulatory requirements? • Should we require business continuity and transition plans to include each of the proposed components? Alternatively, should the rule require advisers to have a business continuity and transition plan, and specify certain components of a plan in the form of a safe harbor provision? Or, should the rule not specify required components of a plan and instead allow advisers to determine the appropriate components of their plans? Are there any components we should remove from the proposed list of required components? Are there any components we should add or expand upon? For example, with respect to a pre-arranged alternate physical location(s) of the adviser’s office(s) and/or employees, should we require that an adviser’s business continuity and transition plan include an alternate location at a specified distance away from its primary location? Should we require an adviser’s communication plan to extend to investors in certain types of pooled investment vehicles? If so, which specific types of pooled investment vehicles and how should the term ‘‘investors’’ be defined for each type of pooled investment vehicle? Should we require an adviser to have policies and procedures that address the identification, assessment, and review of critical third-party vendors that the adviser arranges or oversees for its clients? • Are there any components of the NASAA model rule or guidance, or other rules or guidance addressing BCPs, that we have not addressed in the proposed rule that we should address? Should advisers with certain types of clients, including for example advisers to registered investment companies or sponsors of wrap programs, be required to undergo additional obligations with regard to adopting and implementing a business continuity and transition plan? What additional steps should such advisers be required to take with respect E:\FR\FM\05JYP1.SGM 05JYP1 sradovich on DSK3GDR082PROD with PROPOSALS 43544 Federal Register / Vol. 81, No. 128 / Tuesday, July 5, 2016 / Proposed Rules to such clients and/or such clients’ service providers? • Are each of the proposed components of a business continuity and transition plan clear or should we provide additional information and/or definitions for any of the components? If so, what additional information or definitions are needed? For example, should we provide a definition of ‘‘significant business disruption,’’ ‘‘unable to continue providing investment advisory services,’’ or ‘‘pooled investment vehicle’’? Alternatively, should we require investment advisers to define certain terms, like ‘‘significant business disruption’’ or ‘‘unable to continue providing investment advisory services,’’ within their plans? • Should all advisers be required to include each of the proposed components in a business continuity and transition plan or should certain advisers be exempt from including certain components? If certain advisers should be exempt, why? For example, should only certain advisers be required to adopt and implement the transition plan component of the proposed rule or is there a subset of investment advisers with operations so limited that the adoption and implementation of a transition plan (or certain components of the transition plan requirement) would not be beneficial? If so, what criteria could be used to identify this subset of advisers? Are there alternative or streamlined measures that these advisers could take to facilitate an orderly transition in the event of a significant disruption to the adviser’s operations? If these advisers did not have transition plans, should they be required to disclose the absence of such plan? • With respect to each of the proposed components of a business continuity and transition plan, we have provided information as to the items and/or actions that we believe generally should be encompassed within a particular component. Is there additional information that we should provide, or any information that we should exclude or modify, regarding any of the proposed components of a plan? Alternatively, instead of permitting advisers the flexibility to draft their plans based on the complexity of their businesses, should we require advisers to address each component in a prescriptive manner by requiring specific mechanisms for addressing particular risks? • Should we adopt a more prescriptive rule that calls for a more specific transition plan similar to the ‘‘Living Wills’’ required by the Federal VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 Reserve Board and the FDIC for large banks and systemically important nonbank entities? 113 If so why, and what specifically should the rule require? • As part of the proposed rule, should we require advisers to provide disclosure to their clients about their business continuity and transition plans? If so, what should be the format of such disclosure (e.g., summary of plan, copy of plan)? When or how frequently should this disclosure be provided? Should we require advisers to disclose to their clients incidents where they relied on or activated their business continuity and transition plans? If so, what should be the format of such disclosure? What types of incidents should be disclosed or not disclosed? • As part of the proposed rule, should we require advisers to report to the Commission incidents where they rely on their business continuity and transition plans? If so, under what circumstances should advisers be required to report to the Commission and how should advisers report this information? When should the required reporting occur? • Should we require advisers to file their business continuity and transition plans, or a summary thereof, with the Commission? Should these filings be made available to the public? Why or why not? Are business continuity and transition plans considered proprietary to an adviser such that disclosing its plan to the public (either through a Commission filing or through disclosure to a client) creates additional risk exposure to the adviser? 2. Annual Review Under the proposed rule, each adviser would be required to review the adequacy of its business continuity and transition plan and the effectiveness of its implementation at least annually. The review generally should consider any changes to the adviser’s products, services, operations, critical third-party service providers, structure, business activities, client types, location, and any regulatory changes that might suggest a need to revise the plan. The annual review provision is designed to require advisers to evaluate 113 These resolution plans require, among other things: (1) Information regarding the manner and extent to which any insured depository institution affiliated with the company is adequately protected from risks arising from the activities of any nonbank subsidiaries of the company; (2) full descriptions of the ownership structure, assets, liabilities, and contractual obligations of the company; and (3) identification of the cross-guarantees tied to different securities, identification of the major counterparties, and a process for determining to whom the collateral of the company is pledged. See Resolution Plans, supra note 40. PO 00000 Frm 00015 Fmt 4702 Sfmt 4702 periodically whether their business continuity and transition plans continue to, or would, work as designed and whether changes are needed for continued adequacy and effectiveness. For example, the review generally should include an analysis of whether a business continuity and transition plan adequately protects client interests from being placed at risk and to mitigate such risks in the event the adviser experiences a significant disruption in its operations. In addition, annual reviews generally should address weaknesses an adviser may have identified in any testing it has done or assessments that have been performed to address the adequacy and effectiveness of its business continuity and transition plan, as well as any lessons learned if an event required the plan to be carried out during the previous year, including any changes made or contemplated as a result of the event. • Should we require that business continuity and transition plans be reviewed at least annually, as proposed? Should we expressly require reviews of business continuity and transition plans to be documented in writing? Should we require more frequent or less frequent review of business continuity and transition plans? In addition to annual review, should we require that advisers review their plans when specific events occur? For example, should we require plans be reviewed when an adviser has an event that causes it to rely on its plan? Should we require plans be reviewed based on changes to the adviser’s operations or processes, changes in the ownership or business structure of the adviser, compliance or audit recommendations, lessons learned from testing or disruption events, and/or regulatory developments? • Should we require advisers to report to the Commission regarding the annual review of their business continuity and transition plans? If so, what should be the format of the report? • Should we explicitly require advisers to annually review the business continuity and transition plans of their third-party service providers that provide critical services to the adviser and its clients? If so, how should these reviews be conducted? What types of documentation could be requested to perform these reviews? • Should we specifically require advisers to periodically test their business continuity and transition plans or certain material components thereof to assess whether the plans are adequate and effective? If so, how should such testing be conducted? What should be E:\FR\FM\05JYP1.SGM 05JYP1 Federal Register / Vol. 81, No. 128 / Tuesday, July 5, 2016 / Proposed Rules included in the scope of such review? How often should such testing be required? 3. Recordkeeping The proposed amendments would require SEC-registered advisers to maintain copies of all written business continuity and transition plans that are in effect or were in effect at any time during the last five years after the compliance date. We are requiring an adviser to maintain a copy of the plan currently in effect because we believe that it is important that advisers have easy access to necessary information during periods of stress. The proposed rule would also require that advisers keep any records documenting their annual review.114 Our rules permit advisers to maintain these records electronically.115 These proposed new recordkeeping requirements will assist our examination staff in evaluating an adviser’s compliance with the new rule, including evaluating whether the adviser’s business continuity and transition plan includes all required components. These proposed requirements track the recordkeeping requirements under rule 204–2 regarding an adviser’s compliance policies and procedures. We request comment on the proposed recordkeeping requirements. • Should we require advisers to maintain copies of their business continuity and transition plans that are in effect or were in effect at any time during the last five years, as proposed? If not, what, if any, recordkeeping requirements should we adopt with respect to business continuity and transition plans? Is five years an appropriate retention period? Should it be longer or shorter? Why? • Should we require advisers to keep any records documenting their annual review of their business continuity and transition plans, as proposed? sradovich on DSK3GDR082PROD with PROPOSALS II. Economic Analysis A. Introduction The Commission is sensitive to the potential economic effects of proposed rule 206(4)–4 and the proposed amendments to rule 204–2. These effects include benefits and costs to SEC-registered advisers, clients, and fund investors as well as broader implications for market efficiency, 114 Pursuant to rule 204–2(e)(1) of the Advisers Act, advisers would have to maintain any records documenting their annual review in an easily accessible place for at least five years after the end of the fiscal year in which the review was conducted, the first two years in an appropriate office of the investment adviser. 115 See rule 204–2(g) under the Advisers Act. VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 competition, and capital formation.116 The economic effects of the proposed rule are discussed below in the context of the primary goals of the proposed regulation. We have sought, where possible, to quantify the costs, benefits, and effects on efficiency, competition, and capital formation expected to result from the proposed regulations. However, as discussed below, in certain cases, we were unable to quantify the economic effects because we lack the information necessary to provide reasonable estimates, such as the extent to which some advisers already have business continuity or transition plans that would satisfy some or all of the requirements of the proposed rule, the likelihood of business disruptions, and the share of costs arising from the proposed rule that advisers will pass through to its clients. Therefore, some of the discussions below are qualitative in nature. Under the proposed rule, the content of an SEC-registered adviser’s business continuity and transition plan shall be based upon risks associated with the adviser’s operations and shall include policies and procedures designed to minimize material service disruptions, including policies and procedures that address the following: (1) Maintenance of critical operations and systems, and the protection, backup, and recovery of data; (2) pre-arranged alternate physical location(s) of the adviser’s office(s) and/ or employees; (3) communications with clients, employees, service providers, and regulators; (4) identification and assessment of third-party services critical to the operation of the adviser; and (5) plan of transition that accounts for the possible winding down of the adviser’s business or the transition of the adviser’s business to others in the event the adviser is unable to continue providing advisory services. The proposed rule also requires that each SEC-registered adviser review, no less frequently than annually, the adequacy of its business continuity and transition plan and the effectiveness of its implementation. In addition, the proposed amendments to rule 204–2 under the Advisers Act requires these advisers to make and keep records of all business continuity and transition plans 116 The Commission recognizes that there are other entities that could be affected by the proposed rule. For example, vendors might have to adapt to meet the new demands of their clients under the proposed rule and that could change the nature of those product/service markets, which in turn could have further economic effects on advisers and their clients and investors. However, the effects of the rulemaking on such entities are uncertain and difficult to predict given they are not direct effects of the proposed rule. PO 00000 Frm 00016 Fmt 4702 Sfmt 4702 43545 that are in effect or were in effect at any time within the past five years. The goal of these proposals is to require that all advisers have sufficiently robust plans to mitigate the potential adverse effects of significant business disruptions or transition events. Specifically, the proposed rule requires SEC-registered advisers to adopt plans reasonably designed to protect clients and fund investors from the risk that, in the wake of a significant business disruption or transition event, advisers are unable to provide services and continue operations. Such disruptions may put clients’ and investors’ interests at risk if, for example, an adviser lacks the ability to make trades in a portfolio, is unable to receive or implement directions from clients, or its clients are unable to access their assets or accounts. Because clients and investors should be averse to these outcomes, one might expect all advisers to already have plans in place to minimize the risks posed by significant business disruptions or business transitions without being legally required to do so. It appears, however, that, in the context of business continuity and transition plans, market pressures do not fully align the interests of all advisers with those of their clients and fund investors, as staff has observed that some advisers have adopted plans that may not be sufficiently robust in light of the operational and other risks specific to their businesses. Our staff’s observations that business continuity and transition plans are not uniformly robust suggest that both advisers and their clients may not fully take into account, or internalize, the potential benefits of comprehensive business continuity and transition plans as well as the potential costs of operating without them. There are several possible reasons for this misalignment. As an initial matter, the types of business disruptions addressed by this proposal are infrequent, and are not necessarily publicly observable when they do occur; this may make it difficult for market participants to fully internalize the ramifications of those events. For example, an adviser that underestimates the likelihood of a significant disruption or the harm it could cause to the viability of its business may not believe the cost of a more robust business continuity plan is justified. Furthermore, because many advisers may have never experienced a significant business disruption, they might not properly assess whether their existing plans are sufficiently robust. And while some clients and investors may recognize the benefits of business E:\FR\FM\05JYP1.SGM 05JYP1 sradovich on DSK3GDR082PROD with PROPOSALS 43546 Federal Register / Vol. 81, No. 128 / Tuesday, July 5, 2016 / Proposed Rules continuity planning and demand it of their advisers, others may not fully understand these benefits due to the rarity of significant disruptions. In addition, staff observations resulting from specific SEC examinations are generally not made public, so any examination findings identified with respect to one adviser’s plan will generally provide no guidance to other advisers, or to their clients and investors, as to what robust plans might contain. Although Commission staff has published alerts identifying overall observed weaknesses in advisers’ business continuity plans, those alerts provide aggregated, non-specific information that may not inform advisers or their clients and investors of the expected content of robust plans.117 Moreover, it is possible that some advisers may not review those alerts and therefore do not adjust their business continuity plans in response to the identified strengths and weaknesses; similarly, many clients and investors, particularly smaller or retail investors, may not review the alerts and thus do not exert pressure on their advisers to address in their own plans the general weaknesses identified by the Commission.118 Furthermore, advisers generally do not make their business continuity plans (or transition plans) public, though based on Commission staff’s experience, we understand that most will provide a summary of those plans or other information related to their operational and other risks to clients and investors upon request. Clients and investors that request, review, and comment on these plans are more likely to exert some degree of pressure on their advisers regarding the content of their plans, thereby leading to more robust plans. Thus, the composition of an adviser’s client base may impact the current state of its business continuity and transition plans and may lead to the heterogeneity in the quality of such plans that our staff has observed across advisers. The Commission believes, based on staff experience, that larger institutional clients and investors, compared to smaller or retail clients and investors, are more likely to engage in extensive due diligence processes that involve such review of existing plans. The content of business continuity and transition plans for advisers with larger institutional clients and investors may 117 See, e.g., NEP Risk Alert, supra note 30. note that, based on staff experience, large institutional clients often have rigorous due diligence processes that evaluate an adviser’s operational and other risks, while smaller retail clients may not engage in such a thorough review of operational and other risks. 118 We VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 therefore be more likely to reflect such client or investor input than plans of advisers with only smaller, retail clients or investors. In addition, because plans are not generally public, advisers cannot compare their own plans with those of other advisers to assess the relative strengths and weaknesses of their plans and therefore do not have the opportunity to craft or revise their own plans with the knowledge of how others in the industry are addressing the same issues. These factors, combined with the absence of any specified requirements for components of business continuity plans (or transition plans) in existing regulation, may have contributed to staff’s observations that such plans are not uniformly robust. Advisers also may not fully internalize the benefits of transition planning. For example, it is possible that advisers do not necessarily have adequate incentives to ensure that a business transition takes into account all of the various components of a robust plan set forth in the proposed rule, given that an adviser no longer receives fees after that transition. In addition, transition events, like business disruptions, are relatively rare; accordingly, advisers may not properly assess the likelihood of such events, the potential consequences of failing to adequately prepare, or the benefits of ensuring a smooth transition. To address the issues identified above, the proposed rule requires advisers to assess the operational and other risks associated with its business operations and identifies components that must be addressed in business continuity and transition plans. The rule aims to address the lack of uniformly robust plans previously observed by staff and requires each SECregistered investment adviser to adopt and implement a written business continuity and transition plan based upon the risks associated with the adviser’s operations. B. Economic Baseline The investment adviser regulatory regime currently in effect serves as the economic baseline against which the benefits and costs, as well as the impact on efficiency, competition, and capital formation of the proposed rule are discussed. As of January 4, 2016, there were 11,956 SEC-registered investment advisers with approximately $67 trillion in regulatory assets under management. In this market, which has been described as being highly competitive,119 advisers are likely to compete on, among other things, fees PO 00000 119 See supra section I.A and note 7. Frm 00017 Fmt 4702 Sfmt 4702 charged to clients, returns or performance, and the level of services provided to meet client needs. The proposed rule would affect all SEC-registered investment advisers, as well as each adviser’s clients (including registered funds, private funds, and individual separately managed accounts) and the investors in fund clients. Currently, Commission guidance indicates that an SECregistered adviser’s compliance policies and procedures should include business continuity planning to the extent it is relevant to the adviser’s business. The content of those BCPs, however, is not addressed by current Commission rules, and may not specifically include policies and procedures regarding business transitions. As noted previously, our staff has noticed variation in the business continuity and/or transition plans that they have seen during examinations. Some advisers, pursuant to the Compliance Program Rule or as a prudent business practice, have adopted plans which may be consistent with the new requirements being proposed, while others have not. Accordingly, the benefits and costs to a given adviser, client, or fund investor will depend on the current state of the adviser’s business continuity and transition plan. C. Benefits and Costs and Effects on Efficiency, Competition, and Capital Formation Taking into account the goals of the proposed rule and the economic baseline, as discussed above, this section explores the benefits and costs of the proposed rule, as well as the potential effects of the proposed rule on efficiency, competition, and capital formation. 1. Benefits Clients and investors in funds managed by SEC-registered advisers, advisers themselves, and the financial markets as a whole may benefit from the proposed rule. In general, we cannot quantify the total benefits to the affected parties because we lack data on certain factors relevant to such an analysis, such as investor preferences and the likelihood of business disruptions. For example, without knowing how risk averse clients are to investing via advisers without robust BCPs, we cannot quantify the benefits they might derive from improvements in those BCPs. Similarly, it is difficult to estimate the probability of the types of business disruptions addressed by the proposed rule, which precludes precisely estimating the ex-ante costs of inadequate plans under the economic E:\FR\FM\05JYP1.SGM 05JYP1 sradovich on DSK3GDR082PROD with PROPOSALS Federal Register / Vol. 81, No. 128 / Tuesday, July 5, 2016 / Proposed Rules baseline. However, we discuss the expected benefits qualitatively below. We anticipate that clients and investors in funds managed by registered advisers will benefit from the proposed rule. Requiring SEC-registered advisers to adopt and implement business continuity and transition plans will likely reduce the risk that investors and advisory clients will be harmed or affected in the event a business continuity or transition issue actually occurs. For example, advanced planning to address issues in the event of a disruption may reduce the risk that advisory accounts might be left unmanaged or that clients do not have access to their funds during an adviser’s business interruption or transition, or at least shortens the time of such a disruption. As discussed above, whether it is due to prudent business practices or adherence to the Commission guidance in the Compliance Program Rule, some advisers may already have robust business continuity and transition plans in place that are consistent with the new requirements being proposed. The incremental benefits of the proposed rule to those advisers’ clients and investors would likely be less than the benefit to the clients and investors of an adviser without such strong operational controls. The proposed rule will also benefit registered advisers by requiring their business continuity and transition plans to include policies and procedures that address certain specific components, which should help the advisers better prepare for significant disruptions in their operations. While Commission guidance indicates that an SECregistered adviser’s compliance policies and procedures should address BCPs to the extent that they are relevant to an adviser, the Commission has not previously specified what such a BCP should address. To the extent registered advisers have not already adopted and implemented robust BCPs that are consistent with the new requirements being proposed, requiring them to review the risks associated with their operations and plan for significant business disruptions or transitions should encourage them to enhance their ongoing efforts to mitigate risks attendant with their operations and business practices and may help them be better prepared to address business continuity and transition events if and when they occur. Finally, the proposed rule and the planning it requires of advisers could have ancillary benefits for the broader financial markets. For example, consider an adviser with significant VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 assets under management who trades actively enough to be considered a liquidity provider in a particular market. If this adviser were to suffer a significant business disruption event that prevented it from participating in that market for several days, then the liquidity of the market could be negatively affected.120 While a business continuity and transition plan would not be able to completely prevent such a disruption, it may decrease the adviser’s recovery time and hence the disruption’s impact on the market. 2. Costs As with the benefits, costs of the proposed rule will be shared by advisers and their clients and fund investors. Generally, advisers will incur the direct costs associated with developing and maintaining robust business continuity and transition plans, though some of those costs may ultimately be passed through to their clients and fund investors. These costs are discussed in more detail below. a. Costs to Advisers Proposed rule 206(4)–4 likely will result in an SEC-registered adviser incurring one-time and ongoing operational costs, described in detail below, to adopt and implement a business continuity and transition plan that is reasonably designed to address the operational and other risks related to a significant disruption in the adviser’s operations. As an initial matter, it is difficult to determine the estimated costs for advisers with precision because of the variation in existing BCPs and the extent to which such plans will need to be revised to be compliant with the proposed rule. Because Commission guidance indicates that SEC-registered advisers’ compliance policies and procedures should address BCPs to the extent that they are relevant to an adviser, the nature of an adviser’s existing BCP will also greatly affect the initial costs the adviser would expend to comply with the proposed rule. Advisers whose current BCPs are closely aligned with the requirements of the proposed rule would likely incur lower initial compliance costs relative to advisers whose current BCPs are not closely aligned with the rule’s requirements, while all advisers would incur ongoing costs pertaining to the 120 See, e.g., George O. Aragon & Philip E. Strahan, Hedge funds as liquidity providers: Evidence from the Lehman bankruptcy, J. Financ. Econ., Vol. 103, Issue 3 (Mar. 2012) at 570–587 (concluding that ‘‘the market liquidity of stocks held by Lehman’s hedge-fund clients fell more during the [2008 financial] crises than otherwise similar stocks not held by these funds.’’) PO 00000 Frm 00018 Fmt 4702 Sfmt 4702 43547 annual review and recordkeeping components of the proposed rule. 121 In addition, because the proposed rule requires an SEC-registered adviser’s plan to be based on the particular risks attendant to that adviser’s operations, the initial and ongoing costs imposed by the rule would vary significantly among firms depending on the complexity of the adviser’s operations. A number of factors pertaining to an adviser’s business model can affect the complexity of the adviser’s operations. Those factors include the adviser’s assets under management, number of employees, number of offices, number and types of clients (e.g., high net worth individuals, private funds, or registered investment companies), types of advisory activities, other business activities or lines of business which may affect the adviser’s advisory business, types of investment strategies pursued, and the extent of reliance on service providers (in-sourced vs. out-sourced models). The flexibility of the proposed rule should allow advisers to tailor their business continuity and transition plans to the specific risks their businesses face at the minimum possible cost. The Commission believes that certain of the above factors may be correlated with the adviser’s amount of assets under management. For example, an adviser with a large amount of assets under management is more likely to have more employees, multiple locations, offices, numbers and types of clients, and types of business activities than an adviser with fewer assets under management.122 Accordingly, we 121 The costs estimates provided in this section include total costs for developing and maintaining both business continuity plans and transition plans. We recognize, however, that the portion of these costs attributable to business continuity plans will likely be greater than that attributable to the transition plans, as business continuity plans generally contemplate acquiring and maintaining, for example, more infrastructure, such as secondary storage capabilities, than transition plans and is more likely to involve retaining third-party vendors to assist with the development or maintaining of that infrastructure. Accordingly, the current state of an adviser’s business continuity plans may have more effect on the costs to individual advisers than the current state of the adviser’s transition plans. 122 With regard to employee size, SEC-registered advisers with less than $100 million in assets under management have an average of 28 employees and a median of 4 employees, while SEC-registered advisers with over $1 billion in assets under management have an average of 180 employees and a median of 31 employees. Based on data from IARD as of January 4, 2016. With regard to the number of offices maintained by advisers, only 23% of SEC-registered advisers with less than $100 million in assets under management maintain more than one office, while 47% of SEC-registered advisers with over $1 billion in assets maintain one or more offices and 11% of these larger advisers maintain 5 or more offices. Based on data from IARD as of January 4, 2016. E:\FR\FM\05JYP1.SGM 05JYP1 43548 Federal Register / Vol. 81, No. 128 / Tuesday, July 5, 2016 / Proposed Rules believe that advisers with larger amounts of assets under management are generally more likely to have more complex business operations and may therefore need to expend more resources on adopting, implementing, and maintaining a business continuity and transition plan than advisers with fewer assets under management.123 sradovich on DSK3GDR082PROD with PROPOSALS i. One-time Costs As noted above, the one-time costs associated with developing and implementing the policies and procedures associated with a business continuity and transition plan will vary significantly among firms depending on the nature and complexity of the adviser’s operations and the current state of their systems and processes. Under the proposed rule, SEC-registered advisers need only take into account the risks associated with their particular operations. For example, smaller advisers that do not have a large number or different types of clients or do not maintain numerous offices with numerous employees may not need complex systems if their operations result in risks that are easy to address. On the other hand, a larger adviser with a large number and diverse set of clients, including large registered investment companies, with global offices and thousands of employees may need more complicated and expensive systems and technology. To the extent that adviser size does correlate with operational complexity, SEC examination staff has observed that larger advisers have typically already devoted significant resources to establish systems or technological solutions that address operational and other risks related to business continuity. Based on our staff’s experience, we generally estimate that the one-time costs necessary to adopt and implement a business continuity and transition plan would range from approximately $30,000 to $1.5 million 124 per SEC123 There are notable exceptions: for example, a small adviser with a technology intensive investment strategy may nevertheless have a complex operational risk profile, which could require a more complex business continuity and transition plan. 124 These estimates are based on the aggregated low-end of the range and the high-end of the range, respectively, of mostly internal costs detailed in the PRA section below and the external costs associated with integrating and implementing the plan. Specifically, these estimates are based on the following calculations, which are described in greater detail in notes 125 through 129: $12,515 low-end estimated internal cost to adviser for developing policies and procedures + $4,000 low-end estimated cost to adviser for external professional fees for developing policies and procedures + $1,000 low-end estimated cost to VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 registered adviser, depending on the facts and circumstances of a particular adviser’s operations and the adequacy of its existing plan. These estimated costs include internal and external costs, explained in more detail below, attributable to the following activities: (1) Mostly internal costs associated with developing policies and procedures related to each required component of the business continuity and transition plan; and (2) external costs associated with integrating and implementing the policies and procedures as described above (including establishing or upgrading current systems and processes to comply with the proposed rule). We anticipate that developing policies and procedures designed to minimize material service disruptions, including those related to each required component of the business continuity and transition plan will largely be done internally because it will require an evaluation of the adviser’s business operations most suited to be conducted by in-house employees familiar with the intricacies of the business operations. These costs are quantified and discussed in more detail in the PRA section below, but in summary, we estimate that this initial one-time cost will range from approximately $17,000 to $170,000, depending on the facts and circumstances of a particular adviser’s operations and the comprehensiveness of their existing plan.125 With respect to integration and implementation of the policies and procedures described above, an adviser may incur external costs to upgrade systems and processes. The external costs incurred by an adviser to meet the required components of the proposed adviser for maintenance of critical operations and systems and the protection, backup and recovery of data + $5,000 low-end estimated cost to adviser for a prearranged alternative physical location + $0 low-end estimated cost to adviser for a plan of communication + $5,000 low-end estimated cost for third-party oversight = $27,515. $147,310 high-end estimated internal cost to adviser for developing policies and procedures + $20,000 high-end estimated cost to adviser for external professional fees for developing policies and procedures + $750,000 high-end estimated cost to adviser for maintenance of critical operations and systems and the protection, backup and recovery of data + $500,000 high-end estimated cost to adviser for a prearranged alternative physical location + $5,000 high-end estimated cost to adviser for a plan of communication + $50,000 high-end estimated cost for third-party oversight = $1,472,310. See infra, notes 125 through 129. 125 See infra section III.A.1. This estimate is based on the following calculations: $12,515 internal cost to representative smaller adviser + $4,000 in external professional fees for representative smaller adviser = $16,515. $147,310 internal cost to representative larger adviser + $20,000 in external professional fees for representative larger adviser = $167,310. PO 00000 Frm 00019 Fmt 4702 Sfmt 4702 rule would be directly affected by the current state of the adviser’s existing systems and processes. For example, the proposed rule specifies that an adviser must address the maintenance of critical operations and systems and the protection, backup, and recovery of data. While our staff observes that most advisers already have systems in place to address the protection, backup, and recovery of data, an adviser that does not already have a system in place would incur the costs associated with implementing an operational solution to protecting its data.126 Also, the proposed rule specifies that an adviser’s plan include a pre-arranged alternative physical location of its office(s) and/or employees. While many advisers already have back-up locations identified as a co-location in times of business disruptions and equipped their employees to telework if they are unable to travel to the primary office location, an adviser that has not adequately addressed this component of the proposed rule would incur costs to do so in light of the proposed rule.127 The proposed rule also requires that the adviser address how it will communicate with clients, employees, service providers, and regulators in the event of a business disruption. While advisers have communication tools as part of its general business operations that enable it to communicate to its stakeholders (i.e., email, phone, etc.), some advisers may have formal, more sophisticated communication infrastructure already in place.128 The 126 We estimate an adviser could spend between $1,000 and $750,000 to address the maintenance of critical operations and systems, and the protection, backup and recovery of data. The wide range is attributable to the varying methods in which advisers may address this component of the proposed rule. For example, smaller advisers may address data backup and recovery by outsourcing storage to a service provider through cloud software, while a large adviser dealing with large amounts of data may find it more cost effective to purchase data servers dedicated to the adviser. 127 We estimate that an adviser could spend between $5,000 and $500,000 to address having a prearranged alternative physical location. The wide range is attributable to the varying methods in which advisers may address this component of the proposed rule. For example, a smaller adviser with minimal employees may be able to function by enabling its employees to telework and access the adviser’s systems remotely instead of requiring formal meeting space. Larger advisers with many employees, on the other hand, may need to rent office space on a temporary basis or establish colocations where employees necessary to the operations of an adviser may congregate. 128 We estimate that an adviser could spend between almost nothing to up to $5,000 to address having a plan of communication with its stakeholders. The wide range is attributable to the varying methods in which advisers may address this component of the proposed rule. For example, a small adviser with minimal employees could manually email or telephone its stakeholders, E:\FR\FM\05JYP1.SGM 05JYP1 Federal Register / Vol. 81, No. 128 / Tuesday, July 5, 2016 / Proposed Rules sradovich on DSK3GDR082PROD with PROPOSALS proposed rule further requires advisers to engage in an assessment of critical third-party vendors, including assessing how service providers will maintain business continuity when faced with significant business disruption. While some advisers currently have robust vendor management programs that take steps to evaluate the resiliency of vendors, including reviewing information regarding their BCPs, due diligence questionnaires or assurance control reports from an independent party, and onsite visits, some advisers do not and will need to incur costs to enhance their review of critical thirdparty vendors.129 Aggregating our estimates for the various components of the rule, we estimate that SEC-registered advisers may spend between approximately $11,000 and $1.3 million in additional, initial costs to upgrade systems and processes to comply with the proposed rule depending on the complexity of their operations and the current state of their systems and processes, as described above.130 whereas a large adviser with many employees or clients could choose to use an automated system to trigger a pre-programmed communication plan. 129 We estimate that an adviser could spend between $5,000 and $50,000 to address the requirement for third-party oversight. The wide range is attributable to the varying methods in which advisers may address this component of the proposed rule. As discussed in section I, many advisers may choose to use in-house personnel to conduct due diligence of critical service providers, while others may choose to pay others to conduct such due diligence on their behalf. 130 These estimates are based on the aggregated low-end of the range and the high-end of the range, respectively, of mostly internal costs detailed in the PRA section below and the external costs associated with integrating and implementing the plan. Specifically, these estimates are based on the following calculations: $1,000 low-end estimated cost to adviser for maintenance of critical operations and systems and the protection, backup and recovery of data + $5,000 low-end estimated cost to adviser for a prearranged alternative physical location + $0 lowend estimated cost to adviser for a plan of communication + $5,000 low-end estimated cost for third-party oversight = $11,000. $750,000 high-end estimated cost to adviser for maintenance of critical operations and systems and the protection, backup and recovery of data + $500,000 high-end estimated cost to adviser for a prearranged alternative physical location + $5,000 high-end estimated cost to adviser for a plan of communication + $50,000 high-end estimated cost for third-party oversight = $1,305,000. See supra, notes 125 through 129. These estimates include the assumption that large advisers will incur more costs than smaller advisers based on their operational risk profile. Because these estimates do not take into account our staff observations that larger advisers generally already have more robust business continuity plans in place compared to smaller advisers, we believe our estimates may overstate the costs to be incurred by advisers. VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 ii. Ongoing Costs In addition to the one-time initial costs described above, each registered adviser would also incur ongoing costs as a result of the proposed rule related to the adviser’s review of the adequacy of its business continuity and transition plan and the effectiveness of its implementation. This would involve internal costs associated with updating policies and procedures to reflect changes in an adviser’s operational risk profile and costs of compliance and reporting associated with maintaining the plan, but would also include external costs associated with maintaining and upgrading systems, maintaining alternate work locations, and responding to regulatory changes that require revision of the adviser’s business continuity and transition plan.131 As discussed in the PRA section below, based on staff experience, we estimate that each adviser, in addition to the initial costs described above, would incur ongoing plan-related cost of approximately 25% of the adviser’s initial costs in adopting and implementing a business continuity and transition plan. Accordingly, we estimate that an SEC-registered adviser would incur ongoing annual costs associated with the proposed rule that would range from $7,500 to $375,000.132 In addition, the proposed amendments to rule 204–2 would require registered advisers to maintain records related to the current plan and any plan in effect in the previous five years, as well as any records documenting the annual review of the plan required by the rule. As described in more detail in the PRA section below, we estimate that such advisers will spend approximately $150 each year on an ongoing basis to meet this requirement. b. Costs to Clients and Investors Some of the costs incurred by advisers as a result of the proposed rule may ultimately be passed on from advisers to clients and fund investors through higher fees. The extent to which costs are transferred to clients and investors depends on several factors, including the supply and demand for adviser services. On the demand side, the extent to which clients and investors respond to fee changes is a function of how highly they value a given adviser’s 131 See supra section I.C.2 for more details on annual review requirements. 132 This estimate is based on the following calculations: .25 × $30,000 = $7,500 and .25 × $1.5 million = $375,000. See supra note 124 and accompanying text (discussing total initial costs ranging from approximately $30,000 to $1.5 million). PO 00000 Frm 00020 Fmt 4702 Sfmt 4702 43549 services; the proposed rule may increase this valuation if investors value business continuity and transition plans and hence increase the demand for adviser services at a given fee, but the exact nature of this potential shift and its impact on fees is unknown.133 On the supply side, if advisers take investor fee sensitivity into account, under many plausible competition scenarios in an adviser’s market segment, it is likely at least some of the cost increases of the proposed rule will be passed on to clients and investors. However, if advisers incur costs associated with changing fees, advisers may not pass on the costs of the proposed rules until they cross some significant threshold. Since we do not have data or other information concerning individual investor fee sensitivities, how advisers take these into account, or the extent to which advisers prefer to keep fees constant, the potential shift in the supply of advisory service and its impact on fees is unknown. 3. Effects on Efficiency, Competition, and Capital Formation The Commission has also considered the effects of the proposed rules on efficiency, competition, and capital formation. With respect to efficiency, to the extent that a disruption were to prevent an adviser from executing trades for several days, investors would be unable to make any changes in their investment choices, leading to a potentially inefficient allocation of their capital during this period. To the extent that the proposed rules decrease the recovery time of a disruption for an adviser that many market participants are relying on when conducting their business, they could promote efficient pricing of risk and thus efficient capital allocation during such an event. The proposed rule also could affect competition in the advisory industry. As discussed above, the costs of adopting plans that meet the requirements of the proposed rule will vary depending on an adviser’s operations and the extent to which they have already implemented business continuity and transition plans consistent with the rule. To the extent that, in a given market segment, advisers with high adoption costs compete for clients and investors against advisers with low adoption costs, the proposed rule will disproportionally affect the high adoption cost advisers. If some of these advisers are only marginally 133 See, e.g., John Haslem, Mutual Fund Heterogeneity and Fee Dispersion, J. Wealth. Manag., Vol. 18, No. 1 (Summer 2015) at 41–48, who argues that because preferences differ across investors, fee sensitivity also varies across investors. E:\FR\FM\05JYP1.SGM 05JYP1 43550 Federal Register / Vol. 81, No. 128 / Tuesday, July 5, 2016 / Proposed Rules profitable, they may exit that market segment. Similarly, the proposed rule could, on the margin, raise the barrier to entry for an adviser that otherwise would have entered a given market segment. If the rule results in either adviser exits or increased barriers to entry, reduced competitive pressures could result in increased fees for clients and investors. Finally, the proposed rule may have a small but positive impact on capital formation. Ex-ante, reducing risks to clients and investors associated with business disruptions and transition events could increase such clients’ and investors’ willingness to invest via advisers, which could be beneficial to capital formation if advisers are more skilled than those clients or investors at identifying sound investment opportunities. In addition, to the extent that the rules reduce any risk premium in assets associated with business disruptions and transition events as discussed above, more robust business continuity and transition plans could promote capital formation. sradovich on DSK3GDR082PROD with PROPOSALS D. Reasonable Alternatives In formulating our proposal, we have considered various reasonable alternatives to certain individual elements of proposed new rule 206(4)– 4 and the proposed amendments to rule 204–2. Those alternatives are discussed below. We have also requested comments relating to certain specific aspects of these alternatives, as noted above. 1. Require Public Availability of Business Continuity and Transition Plans First, the Commission could require that SEC-registered advisers publicly disclose a summary of the plans required by the proposed rule in their Form ADVs, and either additionally or as an alternative, provide their business continuity and transition plans to clients upon request. In addition, as an alternative to the recordkeeping requirement, we could require registered advisers to file their business continuity and transition plans (or a portion or summary thereof) with the Commission. Disclosing the plans or a summary of those plans, and the operational and other risks addressed by such plans, could help investors evaluate and compare the operational and other risks associated with particular advisers. If investors could choose among advisers in part based on the level of operational and other risk advisers were willing to bear, advisers might be further incentivized to plan for business VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 disruption events. However, we understand that such information could be considered proprietary by some advisers and the public disclosure of business continuity and transition plans may make advisers more vulnerable to attacks from third parties, such as cybersecurity attacks that target the contingency plans laid out in an adviser’s business continuity and transition plan. Furthermore, advisers would incur additional monetary costs associated with the disclosure of the plans. Such costs associated would vary depending on the type of disclosure required (e.g., filing with the Commission, publication on the adviser’s Web site, making the plans available upon request, etc.) and whether the adviser currently makes its plans available to clients. In addition, instead of requiring certain components for business continuity plans for all advisers, as in the proposed rule, the Commission could continue imposing only the obligation generally set forth as guidance under the Compliance Program Rule but require public disclosure of any business continuity plans adopted pursuant to that rule. As noted above, the proposed rule’s enhanced requirements for business continuity plans impose costs compared to the existing baseline, depending on an adviser’s current business continuity plans, so this alternative would avoid the costs associated with complying with the proposed rule. Still, advisers would incur other costs related to disclosure of the existing business continuity plans, as noted above, including the direct monetary costs of publishing or providing the plans, as well as indirect costs such as those associated with revealing the proprietary or sensitive business information identified above. Further, as discussed above, the nonpublic nature of existing business continuity plans may be a contributing factor to the lack of uniformly robust plans observed by Commission examiners. However, given the other factors discussed above that may also contribute to the lack of sufficiently robust plans among all advisers, the Commission preliminarily believes that only requiring public disclosure of existing business continuity plans without specifying certain components that plans must contain may not fully address its concerns that all advisers have not established sufficiently robust business continuity plans. At the same time, the Commission preliminarily believes that requiring business plans to address the components identified in the proposed rule while not mandating PO 00000 Frm 00021 Fmt 4702 Sfmt 4702 that such plans also be publicly disclosed will result in more uniformly robust plans that address the Commission’s concerns. 2. Require Business Continuity Plans and/or Transition Plans, But Do Not Specify Required Components The Commission could also specifically require advisers to adopt business continuity plans and/or transition plans but be silent as to the required components that such plans must contain to address business disruptions and/or transition events.134 The proposed rule requires advisers to adopt and implement a business continuity and transition plan with policies and procedures reasonably designed to address operational and other risks related to a significant disruption in an adviser’s operations (including policies and procedures concerning business transition), while also identifying specific components that such a plan must address. If, as an alternative, the Commission required business continuity and transition plans but did not identify any specific components the plans must address, registered advisers would have complete flexibility in determining how to best prepare for and respond to business disruptions and transition events. For example, it is possible that certain required components for business continuity and transition plans identified in the proposed rule are less relevant to some advisers, but all advisers would be required to address each of the components under the proposed rule. In contrast, an alternative that did not require specific components be addressed would enable advisers to tailor the plans to their specific business needs, which could potentially result in cost and time-savings compared to the proposed approach. However, based on the Commission’s experience with not providing specific components a plan should address in the context of business disruptions, under rule 206(4)–7, the Commission is concerned that some registered advisers may not implement sufficiently robust plans to best protect the interests of their clients and investors during a business disruption or transition event if the Commission does not specify 134 The Commission could take different approaches for business disruptions and transition events. For example, the Commission could either retain the currently proposed approach of specifying certain components for addressing business disruptions or impose more specific mechanisms for addressing certain risks associated with business disruptions, as explained below, while not specifying either the components or the specific mechanisms for addressing transition events. E:\FR\FM\05JYP1.SGM 05JYP1 Federal Register / Vol. 81, No. 128 / Tuesday, July 5, 2016 / Proposed Rules certain components. In contrast, the Commission preliminarily believes that the current proposed approach strikes an appropriate balance between specifying certain components of business continuity and transition planning that must be addressed while still providing advisers with flexibility in how to address each of those components and any other operational and other risks that may be relevant to the adviser’s operations. In addition, the Commission preliminarily believes that advisers will achieve certain efficiencies in simultaneously addressing both business disruptions and transition events under the proposed approach, which may mitigate additional costs imposed by the proposed approach. sradovich on DSK3GDR082PROD with PROPOSALS 3. Require Specific Mechanisms for Addressing Certain Risks in Every Plan As discussed above, we are proposing a rule that requires SEC-registered advisers to address certain general components, but permits them the flexibility to draft their business continuity and transition plans based on the risks associated with their particular operations. We could alternatively include in the rule prescriptive requirements mandating precisely how registered advisers must address certain specified risks related to either business disruptions or transition events, or both.135 Specific, mandatory requirements could potentially reduce confusion as to exactly how these advisers are expected to address business disruptions and/or transition events. However, as discussed above, we recognize that advisers’ business models and operations vary and that the manner in which each adviser’s business continuity and transition plan addresses a required element will depend upon the nature and complexity of the adviser’s business. Therefore, a prescriptive onesize-fits-all rule mandating how all advisers must address certain specified risks, including risks a particular business model and operation would not be exposed to, could be inefficient and cause some advisers to incur unnecessary costs by requiring them to address requirements that are not relevant to their specific business. In addition, a prescriptive rule provides less flexibility for registered advisers to 135 As noted above, the Commission could vary its approach for business continuity and transition plans. Specifically, for both business continuity plans and transition plans, the Commission could either (1) retain the more flexible component-based approach currently proposed, (2) mandate specific requirements for addressing business disruptions/ transition events, or (3) only require ‘‘reasonably designed’’ plans without specifying particular components. VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 address new issues as they arise, particularly concerning changes in technology, again potentially leading to inefficient constraints on how registered advisers prepare for and address various risks. Therefore, we preliminarily believe our proposed approach strikes an appropriate balance between requiring that each adviser have a business continuity and transition plan that addresses certain required components we believe will help SECregistered advisers to appropriately plan for significant business disruptions and transition events while, at the same time, allowing each adviser the necessary flexibility in creating a business continuity and transition plan to take into account the adviser’s own unique operations, the nature and complexity of its business, its clients, and its key personnel. 4. Vary the Requirements of the Proposed Rule for Different Subsets of Registered Advisers Additionally, instead of requiring that all SEC-registered advisers adopt and implement the business continuity and transition plans with the same exact components, we could vary those requirements by adviser. For example, the Commission could provide that various requirements of the rule only apply to a subset of registered advisers (e.g., advisers over a certain asset threshold, advisers that are engaged in activities that the Commission deems to be risky, advisers that are affiliated with other financial industry participants, such as broker-dealers or banks, etc.), or it could provide that certain advisers (such as smaller advisers) are exempted from the rule entirely. As we have discussed above, different types of advisers have different types of operational and other risks and it is possible that requiring every adviser to address each of the risks identified in the proposed rule, even those that may be less likely for certain advisers, could result in unnecessary costs for those advisers. However, the overall purpose of the proposed rule is to provide enhanced protection to clients and investors by requiring all registered advisers to establish sufficiently robust plans, and tailoring the rule to require different components for different types of advisers may result in the interests of some clients and investors not being adequately protected. Specifically, it is possible that, when distinguishing different ‘‘types’’ of advisers, any boundaries drawn would be imperfect and any groups of advisers identified by such a rule would themselves not be homogenous, resulting in under or over- PO 00000 Frm 00022 Fmt 4702 Sfmt 4702 43551 inclusive groups. This could result in some clients and investors not receiving adequate protections, while still imposing unnecessary costs on others. In contrast, the proposed rule allows advisers the flexibility to address each required component to the degree that reflects the nature of each particular adviser’s business. Accordingly, the Commission believes that the proposed rule strikes an appropriate balance in providing that protection while minimizing the costs of compliance to advisers in ways that would not undermine the Commission’s regulatory goals. E. Request for Comment We request comment on our assumptions regarding the costs and benefits of the proposed rule. We request comment on whether the proposed rule, if adopted, would impose a burden on competition. We also request comment on whether the proposed rule, if adopted, would promote efficiency, competition, and capital formation. Commenters are requested to provide empirical data to support their views. In addition to our general request for comment on the costs and benefits of the proposed amendments, we request the following specific comment on certain aspects of our economic analysis. • To what extent would advisers and their clients and investors benefit from business continuity and transition plans that are required to contain certain specific components? Please explain. • Would advisers, and their clients and investors, benefit more from requiring plans to address certain risks in a specified manner, rather than providing for flexibility as in the proposed rule? • Do commenters expect that advisers would incur costs in addition to, or that differ from, the costs we outlined above for both one-time and ongoing costs? Please explain. • Would any of the effects and costs of the proposed rule be large enough to affect the behavior of investment advisers or their clients? For example: Æ Do commenters expect that some advisers may choose to exit the market rather than incur the costs associated with compliance? If so, what segment of the investment adviser market is this mostly likely to be seen in and how many exiting advisers should we expect? Please explain. Æ Will the costs to clients, in the form of increased fees, result in some clients no longer employing the services of advisers? If so, what types of clients would be most likely to take such actions? Please explain. E:\FR\FM\05JYP1.SGM 05JYP1 43552 Federal Register / Vol. 81, No. 128 / Tuesday, July 5, 2016 / Proposed Rules • Do commenters believe that the alternatives the Commission considered are appropriate? Are there other reasonable alternatives that the Commission should consider? If so, please provide additional alternatives and how their costs and benefits would compare to the proposal. • Do commenters believe that the analysis of the associated costs and benefits of the alternatives is accurate? If not, please provide more accurate costs and benefits, including any data or statistics that supports those costs and benefits. sradovich on DSK3GDR082PROD with PROPOSALS III. Paperwork Reduction Act The proposed rule and rule amendments under the Advisers Act contain ‘‘collections of information’’ within the meaning of the Paperwork Reduction Act of 1995 (‘‘PRA’’).136 The title for the new collection of information is ‘‘Rule 206(4)–4.’’ In addition, the proposed amendments to rule 204–2 would impact the currently approved collection of information titled ‘‘Rule 204–2,’’ under OMB control number 3235–0278. These collections of information are mandatory for all investment advisers registered with the Commission. The Commission is submitting these collections of information to the OMB for review in accordance with 44 U.S.C. 3507 (d) and 5 CFR 1320.11. An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid control number. The collection of information under rule 206(4)–4 is designed to increase the likelihood that advisers are as prepared as possible to continue operations on an ongoing basis and to meet client expectations and legal obligations in the event of a significant disruption to their operations. The respondents are investment advisers registered with the Commission. Responses provided to the Commission in the context of its examination and oversight program are generally kept confidential.137 The collection of information under rule 204–2 is necessary for the Commission staff to use in its examination and oversight program. The respondents are investment advisers registered with us. Responses provided to the Commission in the context of its examination and oversight program are generally kept confidential.138 The records that an adviser must keep in 136 44 U.S.C. 3501 through 3521. section 210(b) of the Advisers Act. 138 See section 210(b) of the Advisers Act. 137 See VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 accordance with the proposed rule must be retained for at least five years.139 A. The Proposed Rules 1. Rule 206(4)–4 As discussed in section II, we estimate that each adviser would include one-time initial costs to adopt and implement a written business continuity and transition plan, as well as ongoing plan-related costs. There are currently approximately 11,956 investment advisers registered with us.140 We estimate that advisers will spend between 50 to 500 hours to initially adopt and implement a business continuity and transition plan depending on the nature of an adviser’s current business continuity plan and the complexity of its operations. This range is comprised of our estimates that a representative smaller adviser (defined in this PRA as advisers with less than $100 million in assets under management) would spend 50 hours on this initial effort at a cost of $12,515,141 a representative mid-sized adviser (defined in this PRA as advisers with at least $100 million in assets under management but less than $1 billion) would spend 250 hours on this initial effort at a cost of $70,045,142 and a representative larger adviser (defined in this PRA as advisers with at least $1 billion in assets under management) would spend 500 hours on this initial effort at a cost of $147,310.143 As proposed rule 204–2(a)(20). is the number of investment advisers registered with us on our IARD System as of January 4, 2016. 141 This estimate is based on the following calculations: 25 hours × $288 (hourly rate for a compliance manager) = $7,200; 20 hours × $127 (hourly rate for an operations specialist) = $2,540; 5 hours × $555 (hourly rate for a deputy general counsel) = $2,775. $7,200 + $2,540 + 2,775 = $12,515. The hourly wages used are from SIFMA’s Management & Professional Earnings in the Securities Industry 2013, modified to account for an 1800-hour work-year and inflation (as of January 2016) and multiplied by 5.35 to account for bonuses, firm size, employee benefits, and overhead. 142 This estimate is based on the following calculations: 75 hours × $288 (hourly rate for a compliance manager) = $21,600; 60 hours × $127 (hourly rate for an operations specialist) = $7,620; 15 hours × $555 (hourly rate for a deputy general counsel) = $8,325; 50 hours × $264 (hourly rate for a senior systems analyst) = $13,200; 50 hours × $386 (hourly rate for an attorney) = $19,300. $21,600 + $7,620 + $8,325 + $13,200 + $19,300 = $70,045. The hourly wages used are from SIFMA’s Management & Professional Earnings in the Securities Industry 2013, modified to account for an 1800-hour work-year and inflation (as of January 2016) and multiplied by 5.35 to account for bonuses, firm size, employee benefits, and overhead. 143 This estimate is based on the following calculations: 100 hours × $288 (hourly rate for a compliance manager) = $28,800; 80 hours × $127 (hourly rate for an operations specialist) = $10,160; PO 00000 139 See 140 This Frm 00023 Fmt 4702 Sfmt 4702 discussed in section II, exact costs for any given adviser would depend on the facts and circumstances of the adviser’s operations and the comprehensiveness of its existing plan. Aggregating the estimates above for all advisers, however, yields a total industry-wide initial hourly burden of 3,404,600 144 (as monetized, is equivalent to a one-time aggregate burden of approximately $974.6 million).145 Amortized over a three-year period, this would be an annual hourly burden of 95 per adviser146 (as monetized, is equivalent to an annual amortized burden per adviser of $27,172).147 We also anticipate that some advisers may consult with outside legal counsel and/or other outside professionals to assist in drafting policies and procedures and/or to assist in evaluating particular components of a plan. We estimate that the costs associated with such an engagement would include fees for approximately 10 hours for smaller firms, 30 hours for a mid-sized firm, and 50 hours for a larger firm, at an average rate of $400 per hour (estimated hourly rate for outside legal services).148 Consequently, for a smaller firm we estimate a total of $4,000 in outside fees 20 hours × $555 (hourly rate for a deputy general counsel) = $11,100; 65 hours × $264 (hourly rate for a senior systems analyst) = $17,160; 65 hours × $386 (hourly rate for an attorney) = $25,090; 30 hours × $410 (hourly rate for a computer operations department manager) = $12,300; 30 hours × $271 (hourly rate for a financial reporting manager) = $8,130; 40 hours × $340 (hourly rate for a senior operations manager) = $13,600; 30 hours × $255 (hourly rate for a senior business analyst) = $7,650; 40 hours × $333 (hourly rate for a senior risk management specialist) = $13,320. $28,800 + $10,160 + $11,100 + $17,160 + $25,090 + $12,300 + $8,130 + $13,600 + $7,650 + $13,320 = $147,310. The hourly wages used are from SIFMA’s Management & Professional Earnings in the Securities Industry 2013, modified to account for an 1800-hour work-year and inflation (as of January 2016) and multiplied by 5.35 to account for bonuses, firm size, employee benefits, and overhead. 144 This estimate is based on the following calculations: (2,032 smaller advisers × 50 hours) + (6,636 mid-sized advisers × 250 hours) + (3,288 larger advisers × 500 hours) = 3,404,600 hours. 145 This estimate is based on the following calculation: (2,032 smaller advisers × $12,515) + (6,636 mid-sized advisers × $70,045) + (3,288 larger advisers × $147,310) = $974.6 million. 146 This estimate is based on the following calculations: 3,404,600 hours/3 years = 1,134,867 hours per year. 1,134,867 hours/11,956 advisers = 95 hours per year per adviser. 147 This estimate is based on the following calculations: $974.6 million/3 years = $324.87 million per year. $324.87 million/11,956 advisers = $27,172 per year per adviser. 148 We recognize that the costs of retaining outside professionals may vary depending on the nature of the professional services, but for purposes of this PRA analysis we estimate that such costs would be similar to the costs of outside legal services. E:\FR\FM\05JYP1.SGM 05JYP1 Federal Register / Vol. 81, No. 128 / Tuesday, July 5, 2016 / Proposed Rules sradovich on DSK3GDR082PROD with PROPOSALS for each smaller firm,149 $12,000 for each medium firm,150 and $20,000 for each larger firm.151 Aggregating these estimates for all advisers, yields a total industry wide initial cost burden of $153.5 million attributable to engaging outside legal services for assistance in initially drafting and implementing the BCP.152 Amortized over a three-year period, this would be an initial annual cost burden per adviser of $4,282.153 In addition to the initial burden, an adviser would incur ongoing, annual costs associated with its business continuity and transition plan, including the adviser annually reviewing the adequacy of its business continuity and transition plan and the effectiveness of its implementation. Based on staff experience, we estimate these ongoing costs would total approximately 25% of an adviser’s initial costs. Accordingly, we estimate that a representative smaller adviser would spend 12.5 hours annually on this effort internally (as monetized, is equivalent to an annual burden of $3,129) while incurring outside costs of $1,000,154 a representative mid-sized adviser would spend 62.5 hours annually on this effort internally (as monetized, is equivalent to an annual burden of $17,511) while incurring outside costs of $3,000,155 and a representative larger adviser would spend 125 hours annually on this effort internally (as monetized, is equivalent to an annual burden of $36,828) while incurring outside costs of $5,000.156 Aggregating the estimates above for all advisers yields a total industry-wide ongoing annual burden of approximately 851,150 hours (as monetized, is equivalent to an annual burden of $243.65 million) 157 plus outside costs of $38.4 million.158 This translates to an annual burden per adviser of 71.2 hours (as monetized, is equivalent to an annual burden of $20,379) and $3,212.159 149 This estimate is based on the following calculation: 10 hours × $400 = $4,000. 150 This estimate is based on the following calculation: 30 hours × $400 = $12,000. 151 This estimate is based on the following calculation: 50 hours × $400 = $20,000. 152 This estimate is based on the following calculation: ($4,000 per smaller adviser × 2,032 smaller advisers) + ($12,000 per mid-sized adviser × 6,636 mid-sized advisers) + ($20,000 per larger adviser × 3,288 larger advisers) = $153.5 million. 153 This estimate is based on the following calculations: $153.5 million/3 years = $51.2 million per year. $51.2 million/11,956 advisers = $4,282 per adviser. 154 This estimate is based on the following calculations: 0.25 × 50 hours = 12.5 hours. 0.25 × $12,515 = $3,129. 0.25 × $4,000 = $1,000. 155 This estimate is based on the following calculations: 0.25 × 250 hours = 62.5 hours. 0.25 × $70,045 = $17,511. 0.25 × $12,000 = $3,000. 156 This estimate is based on the following calculations: 0.25 × 500 hours = 125 hours. 0.25 × $147,310 = $36,828. 0.25 × $20,000 = $5,000. 157 This estimate is based on the following calculations: (2,032 smaller advisers × 12.5 hours) + (6,636 mid-sized advisers × 62.5 hours) + (3,288 larger advisers × 125 hours) = 851,150 hours. (2,032 smaller advisers × $3,129) + (6,636 mid-sized advisers × $17,511) + (3,288 larger advisers × $36,828) = $243.65 million. 158 This estimate is based on the following calculation: (2,032 smaller advisers × $1,000) + (6,636 mid-sized advisers × $3,000) + (3,288 larger advisers × $5,000) = $38.4 million. 159 This estimate is based on the following calculations: 851,150 hours/11,956 advisers = 71.2 hours per adviser. $243.65 million/11,956 advisers = $20,379 per adviser. $38.4 million/11,956 advisers = $3,212 per adviser. 160 See supra note 140 and accompanying text. 161 This estimate is based on the following calculations: (11,956 advisers ¥ 10,946 advisers) * 181.45 hours = 183,265 hours; 183,265 hours + 1,986,152 hours = 2,169,417 hours. 162 This estimate is based on the following calculation: 181.45 existing hours + 2 new hours = 183.45 hours. 163 This estimate is based on the following calculation: 11,956 advisers × 2 hours = 23,912 hours. 164 This estimate is based on the following calculation: 11,956 advisers × 183.45 hours = 2,193,328 hours. VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 2. Rule 204–2 The currently-approved total annual burden estimate for rule 204–2 is 1,986,152 hours. This burden estimate was based on estimates that 10,946 advisers were subject to the rule, and each of these advisers spends an average of 181.45 hours preparing and preserving records in accordance with the rule. Based on updated data as of January 4, 2016, there are 11,956 registered investment advisers.160 This increase in the number of registered investment advisers increases the total burden hours of current rule 204–2 from 1,986,152 to 2,169,417, an increase of 183,265 hours.161 The proposed amendments to rule 204–2 would require a registered investment adviser to maintain copies of the written business continuity and transition plans drafted under proposed rule 206(4)–4. In addition, the proposed amendments would require a registered investment adviser to retain copies of any records documenting the adviser’s annual review of its policies and procedures under proposed rule 206(4)– 4. Based on staff experience, we estimate that the proposed amendments to rule 204–2 would increase each registered investment adviser’s average annual collection burden under rule 204–2 by 2 hours, from 181.45 hours to 183.45 hours,162 and would thus increase the annual aggregate burden for rule 204–2 by 23,912 hours,163 from 2,169,417 hours to 2,193,328 hours.164 As PO 00000 Frm 00024 Fmt 4702 Sfmt 4702 43553 monetized, the estimated burden for each registered investment adviser’s average annual burden under rule 204– 2 would increase by approximately $150,165 which would increase the estimated monetized aggregate annual burden for rule 204–2 by $1,793,325, from $162,706,275 to $164,499,600.166 We estimate that there are no external costs associated with this collection of information under the proposed amendments to rule 204–2. B. Request for Comment We request comment on whether our estimates for burden hours and any external costs as described above are reasonable. Pursuant to 44 U.S.C. 3506(c)(2)(B), the Commission solicits comments in order to: (1) Evaluate whether the proposed collections of information are necessary for the proper performance of the function of the Commission, including whether the information will have practical utility; (2) evaluate the accuracy of the Commission’s estimate of the burden of the proposed collections of information; (3) determine whether there are ways to enhance the quality, utility, and clarity of the information to be collected; and (4) determine whether there are ways to minimize the burden of the collections of information on those who are to respond, including through the use of automated collection techniques or other forms of information technology. The agency has submitted the proposed collection of information to OMB for approval. Persons wishing to submit comments on the collection of information requirements of the proposed amendments should direct them to the Office of Management and Budget, Attention Desk Officer for the Securities and Exchange Commission, Office of Information and Regulatory Affairs, Washington, DC 20503, and should send a copy to Brent J. Fields, Secretary, Securities and Exchange Commission, 100 F Street NE., Washington, DC 20549–1090, with reference to File No. S7–13–16. OMB is required to make a decision concerning the collections of information between 30 and 60 days after publication of this release; therefore, a comment to OMB is 165 This estimate is based on the following calculation: 2 hours × $75 (hourly rate for an administrative assistant) = $150. The hourly wage used is from SIFMA’s Management & Professional Earnings in the Securities Industry 2013, modified to account for an 1800-hour work-year and inflation (as of January 2016) and multiplied by 5.35 to account for bonuses, firm size, employee benefits, and overhead. 166 This estimate is based on the following calculations: 2,169,417 hours × $75 = $162,706,275. 2,193,328 hours × $75 = $164,499,600. $164,499,600¥$162,706,275 = $1,793,325. E:\FR\FM\05JYP1.SGM 05JYP1 43554 Federal Register / Vol. 81, No. 128 / Tuesday, July 5, 2016 / Proposed Rules best assured of having its full effect if OMB receives it within 30 days after publication of this release. Requests for materials submitted to OMB by the Commission with regard to these collections of information should be in writing, refer to File No. S7–13–16, and be submitted to the Securities and Exchange Commission, Office of FOIA Services, 100 F Street NE., Washington, DC 20549–2736. sradovich on DSK3GDR082PROD with PROPOSALS IV. Initial Regulatory Flexibility Analysis The Commission has prepared the following Initial Regulatory Flexibility Analysis (‘‘IRFA’’) in accordance with section 3(a) of the Regulatory Flexibility Act 167 regarding our proposed rule 206(4)–4 and proposed amendments to rule 204–2. A. Reasons for and Objectives of the Proposed Actions Based on staff observations, we are concerned about the adequacy of some advisers’ plans to address operational and other risks associated with business resiliency. Establishing strong operational controls that manage these risks, including the risks associated with business continuity and transition, are important practices and should increase the likelihood that advisers are as prepared as possible to continue operations on an ongoing basis and to meet client expectations and legal obligations in the event of a significant disruption in their operations. Accordingly, proposed rule 206(4)–4 would require SEC-registered advisers to adopt and implement written business continuity and transition plans reasonably designed to address operational and other risks related to a significant disruption in the investment adviser’s operations. We also are proposing specific components be included in such plans in order to address certain disparate practices the staff has previously observed during examinations and to facilitate robust business continuity and transition planning across all SECregistered advisers. In addition, the proposed rule would require advisers to review their business continuity and transition plans at least annually in order to ensure that advisers are examining the continued adequacy and effectiveness of their plans on an ongoing basis. The proposed amendments to rule 204–2 would require advisers to make and keep all business continuity and transition plans that are in effect or were in effect at any time within the past five 167 5 U.S.C. 603(a). VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 years. The proposed amendments would help advisers have easy access to necessary information during periods of stress. B. Legal Basis Proposed rule 206(4)–4 is designed to address certain disparate practices our staff has previously observed during its examinations and to facilitate robust business continuity and transition planning across all SEC-registered advisers. The Commission is proposing new rule 206(4)–4 and amendments to rule 204–2 under the rulemaking authority set forth in sections 204, 206(4) and 211(a) of the Advisers Act [15 U.S.C. 80b–4(b), 80b-6(4), and 80b-11(a)]. C. Small Entities Subject to the Rule and Rule Amendments In developing these proposals, we have considered their potential impact on small entities that would be subject to proposed new rule 206(4)–4 and the proposed amendments to rule 204–2. The proposed new rule and the proposed amendments would affect all advisers registered with the Commission, including certain small entities. Under Commission rules, for the purposes of the Advisers Act and the Regulatory Flexibility Act, an investment adviser generally is a small entity if it: (1) Has assets under management having a total value of less than $25 million; (2) did not have total assets of $5 million or more on the last day of the most recent fiscal year; and (3) does not control, is not controlled by, and is not under common control with another investment adviser that has assets under management of $25 million or more, or any person (other than a natural person) that had total assets of $5 million or more on the last day of its most recent fiscal year.168 The proposed new rule and the proposed amendments would not apply to most advisers that are small entities (‘‘small advisers’’) because small advisers are generally registered with one or more state securities authorities instead of with the Commission.169 Based on IARD data, however, we estimate that as of January 4, 2016, approximately 515 small advisers are registered with the Commission.170 Because these small advisers are registered, they, like all SEC-registered investment advisers, would all be subject to proposed new rule 206(4)–4 0–7(a) under the Advisers Act. section 203A of the Advisers Act, prohibiting most small advisers from registering with the Commission. 170 Based on SEC-registered investment adviser responses to Form ADV, Item 5.F and Item 12. PO 00000 168 Rule 169 See Frm 00025 Fmt 4702 Sfmt 4702 and the proposed amendments to rule 204–2. D. Projected Reporting, Recordkeeping and Other Compliance Requirements Proposed new rule 206(4)–4 and the proposed amendments to rule 204–2 would impose certain recordkeeping and other compliance requirements on all Commission-registered advisers, including Commission-registered small advisers. Proposed rule 206(4)–4 would require advisers to adopt and implement written business continuity and transition plans reasonably designed to address operational and other risks related to a significant disruption in the investment adviser’s operations. The proposed amendments to rule 204–2 would require advisers to make and keep all business continuity and transition plans that are in effect or were in effect at any time within the past five years. 1. Rule 206(4)–4 As discussed in section II, we estimated that each adviser would incur one-time costs to adopt and implement a written business continuity and transition plan, as well as ongoing planrelated costs. As noted above, there are currently approximately 515 small advisers registered with the Commission. We estimate that each small adviser would incur an average initial burden of 50 hours associated with adopting and implementing a written business continuity and transition plan at a cost of $12,515.171 Aggregating the estimated burden for all small advisers yields a total initial hourly burden of 25,750 172 (as monetized, is equivalent to a one-time aggregate burden of approximately $6,445,225).173 Amortized over a threeyear period, this would be an annual hourly burden of 16.7 per small adviser 174 (as monetized, is equivalent to an annual amortized burden per small adviser of $4,172).175 Our staff also anticipates that some small advisers may consult with outside legal counsel and/or other outside professionals to assist in drafting policies and procedures and/or to provide assistance in evaluating 171 See supra note 141 (discussing the estimated initial cost burden associated with a representative smaller adviser). 172 This estimate is based on the following calculation: 515 small advisers × 50 hours = 25,750 hours. 173 This estimate is based on the following calculation: 515 small advisers × $12,515 = $6,445,225. 174 This estimate is based on the following calculation: 50 hours/3 years = 16.7 hours per year. 175 This estimate is based on the following calculations: $12,515/3 years = $4,172 per year. E:\FR\FM\05JYP1.SGM 05JYP1 Federal Register / Vol. 81, No. 128 / Tuesday, July 5, 2016 / Proposed Rules particular components of a plan. We estimate that the costs associated with such an engagement would include fees for approximately 10 hours for small firms at a rate of $400 per hour.176 Consequently, for a representative smaller firm we estimate a total of $4,000 in outside fees.177 Amortized over a three-year period, this would be an annual burden per small adviser of $1,333.178 Accordingly, we estimate that the total annual initial burden on 515 small advisers for adopting and implementing a written business continuity and transition plan would be $686,495.179 In addition to the initial burden, a small adviser would incur ongoing, annual costs associated with its business continuity and transition plan, including the adviser annually reviewing the adequacy of its business continuity plan and the effectiveness of its implementation. Based on staff experience, we estimate that these ongoing costs would total approximately 25% of a small adviser’s initial costs. Accordingly, we estimate that each small adviser would spend 12.5 hours annually on this effort internally while incurring outside costs of $1,000.180 Aggregating the estimates above for 515 small advisers yields a total ongoing annual burden on small advisers of approximately 6,438 hours 181 plus outside costs of $515,000.182 2. Rule 204–2 The currently-approved annual aggregate information collection burden under rule 204–2 is 1,986,152 hours. This approved annual aggregate burden was based on estimates that 10,946 advisers were subject to the rule, of which 478 were small advisers, and each of these advisers spends an average of 181.45 hours preparing and preserving records in accordance with the rule. Based upon updated data as of January 4, 2016, there are 11,956 registered investment advisers,183 of which 515 are small advisers.184 The 176 See supra note 148 and accompanying text. estimate is based on the following calculation: 10 hours × $400 per hour = $4,000. 178 This estimate is based on the following calculation: $4,000/3 years = $1,333 per year. 179 This estimate is based on the following calculations: 515 small advisers × $1,333 = $686,495. 180 This estimate is based on the following calculations: 0.25 × 50 hours = 12.5 hours. 0.25 × $4,000 = $1,000. 181 This estimate is based on the following calculation: 12.5 hours × 515 advisers = 6,438 hours. 182 This estimate is based on the following calculation: $1,000 × 515 advisers—$515,000. 183 See supra note 140 and accompanying text. 184 See supra note 170 and accompanying text. sradovich on DSK3GDR082PROD with PROPOSALS 177 This VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 increase in the number of registered small advisers increases the total burden hours of current rule 204–2 on small advisers from 86,733 hours to 93,447 hours, an increase of 6,714 hours.185 The proposed amendments to rule 204–2 would require a registered investment adviser to maintain copies of the written business continuity and transition plans drafted under proposed rule 206(4)–4. In addition, the proposed amendments would require a registered investment adviser to retain copies of any records documenting the adviser’s annual review of its policies and procedures under proposed rule 206(4)– 4. Based on staff experience, we estimate that the proposed amendments to rule 204–2 would increase each registered investment adviser’s average annual collection burden under rule 204–2 by 2 hours, from 181.45 hours to 183.45 hours,186 and would thus increase the annual aggregate burden for rule 204–2 by 1,030 hours,187 from 93,447 hours to 94,477 hours.188 As monetized, the estimated burden for each registered investment adviser’s average annual burden under rule 204–2 would increase by approximately $150,189 which would increase the estimated monetized aggregate annual burden for rule 204–2 by $77,250, from $7,008,525 to $7,085,775.190 We estimate that there are no external costs associated with this collection of information under the proposed amendments to rule 204–2. E. Duplicative, Overlapping, or Conflicting Federal Rules We believe there are no federal rules that duplicate, overlap, or conflict with proposed new rule 206(4)–4 and the proposed amendments to rule 204–2. The written business continuity and 185 This estimate is based on the following calculations: 515 small advisers × 181.45 hours = 93,447 hours. 478 small advisers × 181.45 hours = 86,733 hours. 93,447 ¥ 86,733 = 6,714. 186 This estimate is based on the following calculation: 181.45 existing hours + 2 new hours = 183.45 hours. 187 This estimate is based on the following calculation: 515 small advisers × 2 hours = 1,030 hours. 188 This estimate is based on the following calculation: 515 small advisers × 183.45 hours = 94,477 hours. 189 This estimate is based on the following calculation: 2 hours × $75 (hourly rate for an administrative assistant) = $150. The hourly wage used is from SIFMA’s Management & Professional Earnings in the Securities Industry 2013, modified to account for an 1800-hour work-year and inflation (as of January 2016) and multiplied by 5.35 to account for bonuses, firm size, employee benefits, and overhead. 190 This estimate is based on the following calculations: 93,447 hours × $75 = $7,008,525. 94,477 hours × $75 = $7,085,775. $7,085,775 ¥ $7,008,525 = $77,250. PO 00000 Frm 00026 Fmt 4702 Sfmt 4702 43555 transition plans that would be required by the proposed new rule would include certain policies and procedures already generally required by other rules under the federal securities laws, but the proposed new rule would not require these policies and procedures to be duplicated. Some of the records an adviser would be required to maintain under the proposed amendments to rule 204–2 also may be required records under the general recordkeeping provisions of rule 204–2 of the Advisers Act, but such overlap would be limited and the Commission would not require the adviser to maintain duplicate copies. F. Significant Alternatives In formulating our proposal, we have considered various reasonable alternatives to the individual elements of proposed new rule 206(4)–4 and the proposed amendments to rule 204–2, specifically as they relate to accomplishing our stated objectives while minimizing any significant economic impact on small entities. The alternatives most relevant to small advisers are discussed below. We have also requested comment relating to certain specific aspects of these and other alternatives above.191 The Commission considered exempting small advisers from the proposal entirely. The Commission also considered setting forth different business continuity and transition plan requirements for small advisers. However, because small advisers generally face the same types of transition and business continuity issues as larger advisers, although on a smaller scale, we believe small advisers should be subject to the proposed rule to the same extent as larger advisers and be allowed to tailor their business continuity and transition plans to the scope of their business. The proposed rule allows each adviser the necessary flexibility in creating a business continuity and transition plan to take into account the adviser’s own unique operations, the nature and complexity of its business, its clients, and its key personnel, and we believe that such flexibility may result in small advisers incurring less costs to comply.192 G. Solicitation of Comments We encourage written comments on matters discussed in this IRFA. We solicit comment on the number of small entities subject to the proposed rule and 191 See supra section I.C.1.f. supra section III.A.1, discussing the lower estimated cost burdens, both initial and ongoing, associated with smaller advisers as compared to larger advisers. 192 See E:\FR\FM\05JYP1.SGM 05JYP1 43556 Federal Register / Vol. 81, No. 128 / Tuesday, July 5, 2016 / Proposed Rules whether the proposed rule discussed in this release could have an effect on small entities that has not been considered. We request that commenters describe the nature of any impact on small entities and provide empirical data to support the extent of such impact. V. Consideration of Impact on the Economy For purposes of the Small Business Regulatory Enforcement Fairness Act of 1996, or ‘‘SBREFA,’’ 193 we must advise OMB whether a proposed regulation constitutes a ‘‘major’’ rule. Under SBREFA, a rule is considered ‘‘major’’ where, if adopted, it results in or is likely to result in (1) an annual effect on the economy of $100 million or more; (2) a major increase in costs or prices for consumers or individual industries; or (3) significant adverse effects on competition, investment or innovation. We request comment on the potential impact of the proposed rule on the economy on an annual basis. Commenters are requested to provide empirical data and other factual support for their views to the extent possible. VI. Statutory Authority The Commission is proposing new rule 206(4)–4 and amendments to rule 204–2 under the rulemaking authority set forth in sections 204, 206(4) and 211(a) of the Advisers Act [15 U.S.C. 80b–4, 80b–6(4), and 80b–11(a)]. List of Subjects in 17 CFR Part 275 Investment advisers, Reporting and recordkeeping requirements. Text of Proposed Rule Amendments For reasons set out in the preamble, title 17, chapter II of the Code of Federal Regulations is proposed to be amended as follows: PART 275—RULES AND REGULATIONS, INVESTMENT ADVISERS ACT OF 1940 1. The authority citation for part 275 continues to read, in part, as follows: ■ Authority: 15 U.S.C. 80b–2(a)(11)(G), 80b– 2(a)(11)(H), 80b–2(a)(17), 80b–3, 80b–4, 80b– 4a, 80b–6(4), 80b–6a, and 80b–11, unless otherwise noted. sradovich on DSK3GDR082PROD with PROPOSALS * * * * * Section 275.204–2 is also issued under 15 U.S.C. 80b–6. * * * * * ■ 2. Section 275.204–2 is amended by: ■ a. Reserving paragraph (a)(19); ■ b. Adding paragraph (a)(20); and 193 Public Law 104–121, Title II, 110 Stat. 857 (1996) (codified in various sections of 5 U.S.C., 15 U.S.C. and as a note to 5 U.S.C. 601). VerDate Sep<11>2014 17:18 Jul 01, 2016 Jkt 238001 c. Revising paragraph (e)(1). The addition and revision read as follows: ■ § 275.204–2 Books and records to be maintained by investment advisers. (a) * * * (20)(i) A copy of the investment adviser’s business continuity and transition plan formulated pursuant to § 275.206(4)–4 that is in effect, or at any time within the past five years was in effect; (ii) Any records documenting the investment adviser’s annual review of the business continuity and transition plan conducted pursuant to § 275.206(4)–4(b). * * * * * (e)(1) All books and records required to be made under the provisions of paragraphs (a) through (c)(1)(i), and (c)(2) of this section (except for books and records required to be made under the provisions of paragraphs (a)(11), (a)(12)(i), (a)(12)(iii), (a)(13)(ii), (a)(13)(iii), (a)(16), (a)(17)(i), and (a)(20)(i) of this section), shall be maintained and preserved in an easily accessible place for a period of not less than five years, from the end of the fiscal year during which the last entry was made on such record, the first two years in an appropriate office of the investment adviser. * * * * * ■ 3. Section 275.206(4)–4 is added to read as follows: § 275.206(4)–4 Investment adviser business continuity and transition plan. (a) Prohibition. If you are an investment adviser registered or required to be registered under section 203 of the Act (15 U.S.C. 80b–3), it shall be unlawful within the meaning of section 206 of the Act (15. U.S.C. 80b– 6) for you to provide investment advice to your clients unless you: (1) Business continuity and transition plan. Adopt and implement a written business continuity and transition plan; and (2) Annual review. Review, no less frequently than annually, the adequacy of the business continuity and transition plan and the effectiveness of its implementation. (b) Content of business continuity and transition plan. (1) For purposes of this section, the term business continuity and transition plan means policies and procedures reasonably designed to address operational and other risks related to a significant disruption in the investment adviser’s operations, including policies and procedures concerning: PO 00000 Frm 00027 Fmt 4702 Sfmt 9990 (i) Business continuity after a significant business disruption; and (ii) Business transition in the event the investment adviser is unable to continue providing investment advisory services to clients. (2) The content of a business continuity and transition plan shall be based upon risks associated with the adviser’s operations and shall include policies and procedures designed to minimize material service disruptions, including policies and procedures that address the following: (i) Maintenance of critical operations and systems, and the protection, backup, and recovery of data, including client records; (ii) Pre-arranged alternate physical location(s) of the adviser’s office(s) and/ or employees; (iii) Communications with clients, employees, service providers, and regulators; (iv) Identification and assessment of third-party services critical to the operation of the adviser; and (v) Plan of transition that accounts for the possible winding down of the investment adviser’s business or the transition of the investment adviser’s business to others in the event the investment adviser is unable to continue providing investment advisory services, that includes the following: (A) Policies and procedures intended to safeguard, transfer, and/or distribute client assets during transition; (B) Policies and procedures facilitating the prompt generation of any client-specific information necessary to transition each client account; (C) Information regarding the corporate governance structure of the adviser; (D) Identification of any material financial resources available to the adviser; and (E) An assessment of the applicable law and contractual obligations governing the adviser and its clients, including pooled investment vehicles, implicated by the adviser’s transition. By the Commission. Dated: June 28, 2016. Brent J. Fields, Secretary. [FR Doc. 2016–15675 Filed 7–1–16; 8:45 am] BILLING CODE 8011–01–P E:\FR\FM\05JYP1.SGM 05JYP1

Agencies

[Federal Register Volume 81, Number 128 (Tuesday, July 5, 2016)]
[Proposed Rules]
[Pages 43530-43556]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-15675]


=======================================================================
-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

17 CFR Part 275

[Release No. IA-4439; File No. S7-13-16]
RIN 3235-AL62


Adviser Business Continuity and Transition Plans

AGENCY: Securities and Exchange Commission.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The Securities and Exchange Commission (``Commission'' or 
``SEC'') is proposing a new rule and rule amendments under the 
Investment Advisers Act of 1940 (``Advisers Act''). The proposed rule 
would require SEC-registered investment advisers to adopt and implement 
written business continuity and transition plans reasonably designed to 
address operational and other risks related to a significant disruption 
in the investment adviser's operations. The proposal would also amend 
rule 204-2 under the Advisers Act to require SEC-registered investment 
advisers to make and keep all business continuity and transition plans 
that are currently in effect or at any time within the past five years 
were in effect.

DATES: Comments should be received on or before September 6, 2016.

ADDRESSES: Comments may be submitted by any of the following methods:

Electronic Comments

     Use the Commission's Internet comment form (https://www.sec.gov/rules/proposed.shtml); or
     Send an email to rule-comments@sec.gov. Please include 
File Number S7-13-16 on the subject line; or
     Use the Federal eRulemaking Portal (https://www.regulations.gov). Follow the instructions for submitting comments.

Paper Comments

     Send paper comments to Brent J. Fields, Secretary, 
Securities and Exchange Commission, 100 F Street NE., Washington, DC 
20549-1090.

All submissions should refer to File Number S7-13-16. This file number 
should be included on the subject line if email is used. To help us 
process and review your comments more efficiently, please use only one 
method. The Commission will post all comments on the Commission's 
Internet Web site (https://www.sec.gov/rules/proposed.shtml). Comments 
are also available for Web site viewing and printing in the 
Commission's Public Reference Room, 100 F Street NE., Washington, DC 
20549, on official business days between the hours of 10 a.m. and 3 
p.m. All comments received will be posted without change; we do not 
edit personal identifying information from submissions. You should 
submit only information that you wish to make available publicly.
    Studies, memoranda, or other substantive items may be added by the 
Commission or staff to the comment file during this rulemaking. A 
notification of the inclusion in the comment file of any such materials 
will be made available on the Commission's Web site. To ensure direct 
electronic receipt of such notifications, sign up through the ``Stay 
Connected'' option at www.sec.gov to receive notifications by email.

FOR FURTHER INFORMATION CONTACT: Andrea Ottomanelli Magovern, Senior 
Counsel, Zeena Abdul-Rahman, Senior Counsel, John Foley, Senior 
Counsel, or Alpa Patel, Branch Chief, at (202) 551- 6787 or 
IArules@sec.gov, Investment Adviser Rulemaking Office, Division of 
Investment Management, Securities and Exchange Commission, 100 F Street 
NE., Washington, DC 20549-8549.

SUPPLEMENTARY INFORMATION: The Commission is proposing for public 
comment new rule 206(4)-4 [17 CFR 275. 206(4)-4] and amendments to rule 
204-2 [17 CFR 275.204-2] under the Advisers Act [15 U.S.C. 80b].

Table of Contents

I. Adviser Business Continuity and Transition Plans
    A. Introduction
    B. Background
    1. Business Continuity Planning
    2. Transition Planning
    C. Discussion
    1. Adopt and Implement Business Continuity and Transition Plans
    2. Annual Review
    3. Recordkeeping

[[Page 43531]]

II. Economic Analysis
    A. Introduction
    B. Economic Baseline
    C. Benefits and Costs and Effects on Efficiency, Competition, 
and Capital Formation
    1. Benefits
    2. Costs
    3. Effects on Efficiency, Competition, and Capital Formation
    D. Reasonable Alternatives
    1. Require Public Availability of Business Continuity and 
Transition Plans
    2. Require Business Continuity Plans and/or Transition Plans, 
but Do Not Specify Required Components
    3. Require Specific Mechanisms for Addressing Certain Risks in 
Every Plan
    4. Vary the Requirements of the Proposed Rule for Different 
Subsets of Registered Advisers
    E. Request for Comment
III. Paperwork Reduction Act
    A. The Proposed Rules
    1. Rule 206(4)-4
    2. Rule 204-2
    B. Request for Comment
IV. Initial Regulatory Flexibility Analysis
    A. Reasons for and Objectives of the Proposed Actions
    B. Legal Basis
    C. Small Entities Subject to the Rule and Rule Amendments
    D. Projected Reporting, Recordkeeping and Other Compliance 
Requirements
    1. Rule 206(4)-4
    2. Rule 204-2
    E. Duplicative, Overlapping, or Conflicting Federal Rules
    F. Significant Alternatives
    G. Solicitation of Comments
V. Consideration of Impact on the Economy
VI. Statutory Authority

I. Adviser Business Continuity and Transition Plans

A. Introduction

    Today, there are approximately 12,000 investment advisers 
registered with the Commission that collectively manage over $67 
trillion in assets, an increase of over 140% in the past 10 years.\1\ 
Advisers manage assets for, and provide investment advice to, a wide 
variety of clients, including individuals, charitable organizations, 
endowments, retirement plans, and various pooled investment vehicles 
such as mutual funds and private funds. Investors turn to advisers for 
a variety of services such as helping them to identify financial goals 
(including investing for a child's education or preparing for 
retirement), analyzing an existing financial portfolio, determining an 
appropriate asset allocation, and providing portfolio management or 
investment recommendations to help achieve financial goals. Advisers 
also play an important role in counseling and advising clients on 
complex financial instruments and investments, and in providing advice 
and guidance on weathering changing market conditions. The range of 
services provided by advisers, and the continued growth in the number 
of advisers and assets under management, reflect the critical role 
investment advisers play in our capital markets and the importance of 
the services they provide to approximately 30 million clients.\2\
---------------------------------------------------------------------------

    \1\ Based on data from the Commission's Investment Adviser 
Registration Depository (``IARD'') as of January 4, 2016.
    \2\ Id.
---------------------------------------------------------------------------

    Investment advisers today also participate in and are part of an 
increasingly complex financial services industry. Advisers are relying 
on technology to a greater extent, managing more complicated portfolios 
and strategies that often include complex investments, and are 
increasingly relying on the services of third parties such as 
custodians, brokers and dealers, pricing services, and technology 
vendors \3\ that support their operations.\4\
---------------------------------------------------------------------------

    \3\ We use the terms ``vendor'' and ``service provider'' 
interchangeably throughout this release.
    \4\ There has been an increase in the diversity of investment 
portfolios, strategies, and securities types, the complexity of 
portfolio management and operations, and the interconnectedness and 
interdependencies of the financial industry. See generally, Global 
Association of Risk Professionals (GARP), Risk Principles for Asset 
Managers, Prepared by the GARP Buy Side Risk Managers Forum (Sept. 
2015) (``Risk Principles for Asset Managers'') at Section 5: 
Operational Risk Principles, available at https://go.garp.org/l/39542/2015-09-30/315zdc/39542/90066/BSRMF_Risk_Principles_2015.pdf.
---------------------------------------------------------------------------

    Although the types of registered investment advisers and their 
business models may vary significantly, they generally share certain 
fundamental operational risks. Of particular concern to the Commission 
are those risks that may impact the ability of an adviser and its 
personnel to continue operations, provide services to clients and 
investors, or, in certain circumstances, transition the management of 
accounts to another adviser. Such operational risks include, but are 
not limited to, technological failures with respect to systems and 
processes (whether proprietary or provided by third-party vendors 
supporting the adviser's activities), and the loss of adviser or client 
data, personnel, or access to the adviser's physical location(s) and 
facilities.
    Operational risks can arise from internal and external business 
continuity events. An internal event, such as a facility problem at an 
adviser's primary office location, or an external event, such as a 
weather-related emergency or cyber-attack, could impact an adviser's 
ongoing operations and its ability to provide client services. For 
example, both types of events could prevent advisory personnel from 
accessing the adviser's office or its systems or documents at a 
particular office location. Under these circumstances, an adviser and 
its personnel may be unable to provide services to the adviser's 
clients and continue its operations while affected by the disruption, 
which could result in client harm.\5\ Similarly, operational risks can 
arise in the context of a transition event. If, for example, an adviser 
is winding down or ceasing operations during a time of stress, then an 
adviser's ability to safeguard client assets could be impacted.
---------------------------------------------------------------------------

    \5\ As discussed in Section I.B.1. of this release, if an 
adviser is unable to provide services to its clients, its clients' 
interests may be at risk. This risk could include the risk of loss 
if, for example, an adviser lacks the ability to make trades in a 
portfolio, is unable to receive or implement directions from 
clients, or if clients are unable to access their assets or 
accounts.
---------------------------------------------------------------------------

    We understand that many investment advisers, like other financial 
services firms, already have taken critical steps to address and 
mitigate the risks of business disruptions, regardless of the source, 
as a prudent business measure.\6\ Industry participants have also 
stated that the highly competitive environment in which advisers 
operate encourages proper risk management and contributes to advisers' 
attentiveness to operational risks.\7\ Advisers may recognize the

[[Page 43532]]

potential for significant reputational damage and other costs 
associated with such risks.\8\ For many advisers, the management of 
operational risks is part of the normal course of business to mitigate 
issues that could negatively impact client relationships and the 
management of client assets (including potential losses).\9\ 
Deterioration in client relationships or financial losses could cause 
clients to move their accounts to another adviser or other financial 
services firm, and if done on a large scale, prompt the adviser to 
transition its business through a sale or other means or to wind down 
its operations and exit the market.
---------------------------------------------------------------------------

    \6\ See infra notes 26-27 and accompanying text (discussing 
compliance policies and procedures required by rule 206(4)-7 under 
the Advisers Act); see also Comment Letter of BlackRock, Inc. to the 
Financial Stability Oversight Council's (``FSOC'') Notice Seeking 
Comment on Asset Management Products and Activities (``FSOC 
Notice'') (Mar. 25, 2015) (``BlackRock FSOC Comment Letter'') at 10 
(``In the normal course of business, asset managers implement 
measures to mitigate the impact of potentially disruptive events 
through operational risk management programs, including maintaining 
business continuity plans . . . and technology disaster recovery 
plans . . . .''); Comment Letter of Investment Company Institute to 
FSOC Notice (Mar. 25, 2015) (``ICI FSOC Comment Letter'') at 69 
(noting that ``funds and key service providers to the industry have 
robust plans and strategies in place to facilitate the continuation 
or resumption of business operations in the event of an emergency, 
regardless of the cause''); Comment Letter of Vanguard to FSOC 
Notice (Mar. 25, 2015) (``Vanguard FSOC Comment Letter'') at 23 
(``The purpose of business continuity plans is to develop 
alternative ways to carry out normal business functions without 
access to facilities, systems, and/or key third-party providers of 
goods or services to the funds or its adviser.'').
    \7\ See, e.g., Comment Letter of Fidelity Investments to FSOC 
Notice (Mar. 25, 2015) (``Fidelity FSOC Comment Letter'') at 22 
(``It is not correct to imply that competitive pressures push 
managers toward less risk management; in fact those pressures push 
funds to improve their risk management practices.''); BlackRock FSOC 
Comment Letter at 63 (``The asset management industry is highly 
competitive and there are numerous competitors across asset classes 
and investment strategies.''); ICI FSOC Comment Letter at 61 
(``Regulated fund investors have considerable choice. The industry 
is highly competitive, with up to several hundred funds available 
within each investment category. Along with investment performance, 
the quality of shareholder services is a highly important factor in 
attracting and retaining fund investors.'').
    \8\ See, e.g., BlackRock FSOC Comment Letter at 55 (``Issues 
related to operational and business continuity risk can be costly 
and/or harm an asset manager's reputation with its clients.''); 
Comment Letter of Managed Funds Association to FSOC Notice (Mar. 25, 
2015) (``MFA FSOC Comment Letter'') at 45 (``It is in every 
manager's self-interest to have appropriate plans in place to handle 
emergencies.'').
    \9\ See, e.g., BlackRock FSOC Comment Letter at 10 (``In the 
normal course of business, asset managers implement measures to 
mitigate the impact of potentially disruptive events through 
operational risk management programs, including maintaining business 
continuity plans . . . .''); Fidelity FSOC Comment Letter at 32 
(``Fidelity devotes significant time and resources to ensuring that 
we can provide the services our clients expect even in exigent 
circumstances.'').
---------------------------------------------------------------------------

    While we understand that many investment advisers already have 
taken steps to address and mitigate the risks of business 
disruptions,\10\ our staff has observed a wide range of practices by 
advisers in addressing operational risk management. The staff 
frequently observes advisers managing operational and other risks 
through internal practices, procedures, and controls that are typically 
assessed by the adviser's legal, compliance, or audit staff, and often 
sees independent third-party assessments performed by audit or 
compliance firms.\11\ However, the staff also has observed advisers 
with less robust planning, causing them to experience interruptions in 
their key business operations and inconsistently maintain 
communications with clients and employees during periods of stress.\12\ 
As discussed further below, our staff has noted weaknesses in some 
adviser BCPs with respect to consideration of widespread disruptions, 
alternate locations, vendor relationships, telecommunications and 
technology, communications plans, and review and testing.\13\ Although 
disparate practices may exist in light of the varying size and 
complexity of registrants, to effectively mitigate such risks we are 
proposing to require all SEC-registered investment advisers to have 
plans that are reasonably designed to address operational and other 
risks related to a significant disruption in the investment adviser's 
operations.
---------------------------------------------------------------------------

    \10\ See, e.g., Comment Letter of Securities Industry and 
Financial Markets Association and the Investment Adviser Association 
to FSOC Notice (Mar. 25, 2015) (``SIMFA/IAA FSOC Comment Letter'') 
at 43 (``Of potentially more significant interest, asset managers 
are keenly focused on business continuity planning, disaster 
recovery, data protection, and cybersecurity issues--not just 
because of regulatory requirements . . . but also as a business 
imperative.'').
    \11\ We recognize that some asset management firms have well-
established sophisticated enterprise risk management (``ERM'') 
practices built upon widely followed frameworks. See, e.g., SIMFA/
IAA FSOC Comment Letter at 42-43. The letter notes that in larger 
more sophisticated asset managers, operational risks can be 
addressed by an ERM framework such as the Committee of Sponsoring 
Organizations (``COSO'') framework that works to identify key risk 
elements within the firm and how those elements are monitored and 
risks mitigated. See COSO, Enterprise Risk Management--Integrated 
Framework (Sept. 2004), available at https://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf. We understand that 
investment advisers with ERM programs typically consider business 
continuity as part of their broader management of operational risks. 
Accordingly, we believe that an adviser's business continuity and 
transition plan under the proposed rule could be a part of the 
adviser's existing ERM program.
    \12\ See NEP Risk Alert, infra note 30, at 3.
    \13\ See NEP Risk Alert, infra note 30; see also infra notes 31-
35 and accompanying text.
---------------------------------------------------------------------------

    As described in more detail below, we are concerned about the 
adequacy of some advisers' plans to address operational and other risks 
associated with business resiliency. Our experience indicates that 
clients of advisers who do not have robust plans in place to address 
the operational and other risks related to significant disruptions in 
their operations are at greater risk of harm during such a disruption 
than the clients of advisers who do have such plans in place. As 
fiduciaries, investment advisers owe their clients a duty of care and a 
duty of loyalty, requiring them to put their clients' interests above 
their own.\14\ As part of their fiduciary duty, advisers are obligated 
to take steps to protect client interests from being placed at risk as 
a result of the adviser's inability to provide advisory services.\15\
---------------------------------------------------------------------------

    \14\ See SEC v. Capital Gains Research Bureau, Inc., 375 U.S. 
180, 191, 194 (1963) (noting that the Advisers Act ``reflects a 
congressional recognition `of the delicate fiduciary nature of an 
investment advisory relationship''' and stating that ``[c]ourts have 
imposed on a fiduciary an affirmative duty of `utmost good faith, 
and full and fair disclosure of all material facts,' as well as an 
affirmative obligation `to employ reasonable care to avoid 
misleading' his clients'' (citations omitted)); Transamerica 
Mortgage Advisors, Inc. v. Lewis, 444 U.S. 11, 17 (1979) (noting 
that the Advisers Act's ``legislative history leaves no doubt that 
Congress intended to impose enforceable fiduciary obligations'').
    \15\ See Compliance Programs of Investment Companies and 
Investment Advisers, Advisers Act Rel. No. 2204 (Dec. 17, 2003) [68 
FR 74714 (Dec. 24, 2003)] (``Compliance Program Adopting Release'') 
at n.22 (noting this fiduciary obligation in the context of BCPs).
---------------------------------------------------------------------------

    Section 206(4) of the Advisers Act authorizes the Commission to 
adopt rules and regulations that ``define, and prescribe means 
reasonably designed to prevent, such acts, practices, and courses of 
business as are fraudulent, deceptive, or manipulative.'' Because an 
adviser's fiduciary duty obligates it to take steps to protect client 
interests from being placed at risk as a result of the adviser's 
inability to provide advisory services, clients are entitled to assume 
that advisers have taken the steps necessary to protect those interests 
in times of stress, whether that stress is specific to the adviser or 
the result of broader market and industry events. We believe it would 
be fraudulent and deceptive for an adviser to hold itself out as 
providing advisory services unless it has taken steps to protect 
clients' interests from being placed at risk as a result of the 
adviser's inability (whether temporary or permanent) to provide those 
services.
    Accordingly, we believe advisers should be required to establish 
strong operational policies and procedures that manage the risks 
associated with business continuity and transitions. These policies and 
procedures should increase the likelihood that advisers are as prepared 
as possible to continue operations during times of stress and that they 
have taken steps to minimize risks that could lead to disruptions in 
their operations. These policies and procedures also should increase 
the likelihood that clients are not harmed in the event of a 
significant disruption in their adviser's operations. Therefore, today 
we are proposing to require SEC-registered advisers to adopt and 
implement written business continuity and transition plans that include 
certain specific components, and to maintain relevant records of those 
plans, in order to facilitate robust business continuity and transition 
planning across all SEC-registered advisers.

B. Background

1. Business Continuity Planning
    The rapid recovery and resumption of the financial markets and the 
activities that support them underpins the resiliency of the U.S. 
financial system.\16\

[[Page 43533]]

Business continuity planning is a critical activity that supports 
resiliency and one that financial services firms, including investment 
advisers, generally should engage in to address the inherent risks they 
face in serving their clients' needs. Federal and state financial 
market and services regulators, including the Commission, have sought 
to highlight and address operational risks and the tools necessary to 
manage them, including fulsome business continuity planning for many 
financial industry participants.\17\
---------------------------------------------------------------------------

    \16\ See Interagency Paper on Sound Practices to Strengthen the 
Resilience of the U.S. Financial System, Securities Exchange Act 
Rel. No. 47638 (Apr. 7, 2003) [68 FR 17809 (Apr. 11, 2003)] 
(``Interagency Paper''); cf. infra note 21 and accompanying text.
    \17\ See Regulation Systems Compliance and Integrity, Securities 
Exchange Act Rel. No. 73639 (Nov. 19, 2014) [79 FR 72251 (Dec. 5, 
2014)] (``Regulation SCI Adopting Release''); see also Policy 
Statement: Business Continuity Planning for Trading Markets, 
Securities Exchange Act Rel. No. 48545 (Sept. 25, 2003). In 
addition, we note that banks are subject to the Federal Financial 
Institutions Examination Council's (``FFIEC'') business continuity 
guidelines, which state that financial institutions should develop 
comprehensive BCPs and that ``[t]he goal of the BCP should be to 
minimize financial losses to the institution, serve customers and 
financial markets with minimal disruptions, and mitigate the 
negative effects of disruptions on business operations.'' See FFIEC, 
IT Examination Handbook, Business Continuity Planning (Feb. 2015) 
(``FFIEC Handbook''), available at https://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_BusinessContinuityPlanning.pdf; see also 
Board of Governors of the Federal Reserve System, Supervisory Letter 
SR 15-3 (Feb. 6, 2015), available at https://www.federalreserve.gov/bankinforeg/srletters/sr1503.htm. The FFIEC is an ``interagency body 
empowered to prescribe uniform principles, standards, and report 
forms for the federal examination of financial institutions by the 
Board of Governors of the Federal Reserve System (FRB), the Federal 
Deposit Insurance Corporation (FDIC), the National Credit Union 
Administration (NCUA), the Office of the Comptroller of the Currency 
(OCC), and the Consumer Financial Protection Bureau (CFPB).'' See 
FFIEC, available at https://www.ffiec.gov.
---------------------------------------------------------------------------

    For example, the Financial Industry Regulatory Authority 
(``FINRA'') requires broker-dealers to establish business continuity 
plans (``BCPs'') reasonably designed to meet existing customer 
obligations and address relationships with other broker-dealers and 
counterparties.\18\ Additionally, the Commodity Futures Trading 
Commission (``CFTC'') has adopted regulations that require swap dealers 
and major swap participants to establish and maintain BCPs that are 
designed to enable the regulated entity ``to continue or to resume any 
operations by the next business day with minimal disturbance to its 
counterparties and the market.'' \19\ The North American Securities 
Administrator Association (``NASAA'') also recently adopted a model 
rule that, if adopted in a particular state, would require investment 
advisers registered in that state to have business continuity and 
succession plans in place that minimize ``service disruptions and 
client harm that could result from a sudden significant business 
disruption.'' \20\
---------------------------------------------------------------------------

    \18\ See FINRA Rule 4370 (requiring that member BCPs address 
certain elements, including data backup and recovery, all mission 
critical systems, alternate communications, alternate physical 
location of employees, and critical business constituent (i.e., a 
business with which a member firm has an ongoing commercial 
relationship in support of the member's operating activities), bank 
and counter-party impact); see also NASD, Notice to Members 04-37: 
Business Continuity Plans (May 2004), available at https://www.finra.org/sites/default/files/NoticeDocument/p003095.pdf. We 
note that investment advisers that are also registered as broker-
dealers would have to comply with FINRA's rule as well as the 
proposed rule. However, as noted herein, we have modeled much of the 
proposed rule, including the required components of a business 
continuity and transition plan, on BCP requirements for other 
financial services firms that we believe share similar 
vulnerabilities as investment advisers. See infra notes 61-62 and 
accompanying text.
    \19\ See 17 CFR 23.603(a). Relevant BCPs must be designed to 
recover all documentation and data required to be maintained by 
applicable law and regulation, and are required to include certain 
required components that are related to, among other things, data 
backup, systems maintenance, communications, geographic diversity, 
and third parties. See infra notes 62, 71, 79, and 86.
    \20\ See NASAA Model Rule 203(a)-1A (stating that all plans 
should provide for backup of books and records, alternate means of 
communication, office relocations, assignment of duties to qualified 
persons in the event of death or unavailability of key personnel, 
and otherwise minimizing service disruption and client harm); see 
also Mark Schoeff Jr., State Regulators to Require Continuity Plans, 
Investment News, (Apr. 22, 2015), available at https://www.investmentnews.com/article/20150422/FREE/150429965/state-regulators-to-require-continuity-plans.
---------------------------------------------------------------------------

    In addition, we recently adopted rules to strengthen the technology 
infrastructure of the U.S. securities markets by adopting Regulation 
Systems Compliance and Integrity, or Regulation SCI, which applies to, 
among other things, self-regulatory organizations, certain alternative 
trading systems, and certain exempt clearing agencies.\21\ 
Specifically, Regulation SCI is designed to reduce the occurrence of 
systems issues and improve resiliency for key market participants when 
these problems do occur, and requires, among other things, relevant 
entities to have and test business continuity and disaster recovery 
plans. While these regulations and those of other regulatory bodies 
address different entities, they generally highlight similar principles 
of business continuity planning, including the need to address critical 
systems, data backup, communications, alternate and/or geographically 
diverse locations, and third-party relationships.
---------------------------------------------------------------------------

    \21\ See Regulation SCI Adopting Release, supra note 17. Among 
other things, Regulation SCI requires SCI entities to establish and 
test business continuity and disaster recovery plans that include 
maintaining backup and recovery capabilities sufficiently resilient 
and geographically diverse and that are reasonably designed to 
achieve next business day resumption of trading and two-hour 
resumption of critical systems in the event of a wide-scale 
disruption. See 17 CFR 242.1001(a)(2)(v). Further, Regulation SCI 
sets forth business continuity and disaster recovery plan testing 
requirements for SCI entities. See 17 CFR 242.1004.
---------------------------------------------------------------------------

    Regulatory authorities have also acted collectively and in 
consultation with each other to address operational risks in light of 
the interconnectedness and interdependency of financial market 
participants. For example, the Commission, along with the Board of 
Governors of the Federal Reserve System (``Federal Reserve'') and the 
Office of the Comptroller of the Currency, issued the Interagency Paper 
on Sound Practices to Strengthen the Resilience of the Financial 
System, which sets forth business continuity objectives for all 
financial firms and the U.S. financial system as a whole.\22\ More 
recently, FSOC issued a request for public comment on, among other 
things, operational risks and transition planning as it relates to the 
asset management industry.\23\
---------------------------------------------------------------------------

    \22\ See Interagency Paper, supra note 16. The objectives 
discussed in the paper include (i) rapid recovery and timely 
resumption of critical operations following a wide-scale disruption; 
(ii) rapid recovery and timely resumption of critical operations 
following the loss or inaccessibility of staff in at least one major 
operating location; and (iii) a high level of confidence, through 
ongoing use or robust testing, that critical internal and external 
continuity arrangements are effective and compatible. The paper also 
sets forth four sound practices for core clearing and settlement 
organizations and firms that play significant roles in critical 
financial markets, including (i) identifying clearing and settlement 
activities in support of critical financial markets, (ii) 
determining appropriate recovery and resumption objectives, (iii) 
maintaining sufficient geographically dispersed resources to meet 
such objectives, and (iv) routinely using or testing recovery and 
resumption arrangements. See id. In addition, in 2012-2013, the 
Commission's Office of Compliance Inspections and Examinations 
(``OCIE''), along with FINRA and the CFTC, jointly reviewed a number 
of firms' business continuity and disaster recovery planning and 
published their joint observations on best practices and lessons 
learned. See Joint Review of Business Continuity and Disaster 
Recovery of Firms by the Commission's National Examination Program, 
CFTC's Division of Swap Dealers and Intermediary Oversight and FINRA 
(Aug. 16, 2013) (``Joint Review of Business Continuity''), available 
at https://www.sec.gov/about/offices/ocie/jointobservations-bcps08072013.pdf.
    Financial services industry participants have also been pro-
active in addressing resiliency issues. See, e.g., Financial 
Services Sector Coordinating Council (established to coordinate 
infrastructure and homeland security activities within the financial 
services industry comprised on financial trade associations, 
financial utilities and financial firms), available at https://www.fsscc.org.
    \23\ See FSOC Notice (Dec. 24, 2014) [79 FR 77488 (Dec. 24, 
2014)], available at https://www.treasury.gov/initiatives/fsoc/rulemaking/Documents/Notice%20Seeking%20Comment%20on%20Asset%20Management%20Products%20and%20Activities.pdf; see also FSOC, Update on Review of Asset 
Management Products and Activities (Apr. 18, 2016), available at 
https://www.treasury.gov/initiatives/fsoc/news/Documents/FSOC%20Update%20on%20Review%20of%20Asset%20Management%20Products%20and%20Activities.pdf. Although our rulemaking proposal is independent 
of FSOC, several commenters responding to the FSOC Notice discussed 
operational risks and transition issues related to investment 
advisers, and we have considered and discussed relevant comments 
throughout this release. Comments submitted in response to the FSOC 
Notice are available at https://www.regulations.gov/#!docketBrowser;rpp=25;po=0;dct=PS;D=FSOC-2014-0001.

---------------------------------------------------------------------------

[[Page 43534]]

    The Commission addressed business continuity planning with respect 
to investment advisers in a general way when it adopted rule 206(4)-7 
under the Advisers Act (``Compliance Program Rule''). Under the rule, 
advisers are required to consider their fiduciary and regulatory 
obligations under the Advisers Act, and adopt and implement written 
compliance policies and procedures reasonably designed to prevent 
violations of the Advisers Act.\24\ At the time it adopted the rule, 
the Commission was concerned that not all advisers had adopted adequate 
compliance programs and as a result, clients and investors were being 
harmed.\25\ In the release adopting the Compliance Program Rule, the 
Commission stated that an adviser's compliance policies and procedures 
should address BCPs to the extent that they are relevant to an 
adviser.\26\ The Commission did not, however, identify critical 
components of a BCP or discuss specific issues or areas that advisers 
should consider in developing such plans.
---------------------------------------------------------------------------

    \24\ See rule 206(4)-7; Compliance Program Adopting Release, 
supra note 15, at section II.A.1. Rule 206(4)-7 makes it unlawful 
for advisers to provide investment advice unless they adopt and 
implement written compliance policies and procedures reasonably 
designed to prevent violations by the adviser and its supervised 
persons of the Advisers Act and rules thereunder.
    \25\ The Commission noted that it and state securities 
authorities had recently discovered unlawful conduct involving a 
number of advisers, broker-dealers, and other service providers 
where personnel of these entities engaged in, or actively assisted 
others in engaging in, inappropriate market timing, late trading of 
fund shares, and the misuse of material, nonpublic information about 
fund portfolios. The Commission noted that these personnel had 
breached their fiduciary obligations to the funds involved and their 
shareholders by placing their own interests or the interests of the 
fund adviser ahead of the interests of fund shareholders. See 
Compliance Program Adopting Release, supra note 15, at section I.
    \26\ Id. The Commission identified ten areas adviser compliance 
programs should address, including BCPs.
---------------------------------------------------------------------------

    As discussed above, an adviser's fiduciary obligations require it 
to take steps to protect its clients' interests from being placed at 
risk as a result of the adviser's inability to provide advisory 
services.\27\ This fiduciary duty fosters trust between the client and 
its adviser, such that the client relies on the adviser to act in its 
best interests and safeguard its assets as appropriate, even during 
times of stress.\28\ If an adviser is unable to provide advisory 
services after, for example, a natural disaster, a cyber-attack, an act 
of terrorism, technology failures, or the departure of key personnel, 
its temporary inability to continue operations may put clients' 
interests at risk and prevent it from meeting its fiduciary duty to 
clients. This risk could include the risk of loss if, for example, an 
adviser lacks the ability to make trades in a portfolio, is unable to 
receive or implement directions from clients, or if clients are unable 
to access their assets or accounts. As part of its fiduciary duty to 
protect client interests, an adviser also should take steps to minimize 
operational and other risks that could lead to a significant business 
disruption like, for example, a systems failure. In order to do so, 
advisers should generally assess and inventory the components of their 
business and minimize the scope of its vulnerability to a significant 
business disruption. While we recognize that an adviser may not be able 
to prevent significant business disruptions (e.g., a natural disaster, 
terrorist attack, loss of service from a third-party), we believe 
robust planning for significant business disruptions can help to 
mitigate their effects and, in some cases, minimize the likelihood of 
their occurrence.
---------------------------------------------------------------------------

    \27\ See id. at n.22. The Commission also has stated that 
``clients of an adviser that is engaged in the active management of 
their assets would ordinarily be placed at risk if the adviser 
ceased operations.'' Id.
    \28\ See generally SEC v. Capital Gains Research Bureau, Inc., 
supra note 14 at 191 (``A fiduciary owes its clients more than mere 
honesty and good faith alone. ''); Investment Adviser Association, 
What is an Investment Adviser?, available at https://www.investmentadviser.org/eweb/dynamicpage.aspx?webcode=whatisia 
(noting that because advisers owe a fiduciary duty to their clients, 
they ``[stand] in a special relationship of trust and confidence 
with [their] clients'' and that such fiduciary duty generally 
includes the duty to place the clients' interests first ``at all 
times'').
---------------------------------------------------------------------------

    Various weather-related events have tested, on a large scale, the 
effectiveness of existing BCP components of advisers' compliance 
programs.\29\ In addition, these events provided our examination staff 
the opportunity to review, observe, and assess the operations and 
resiliency of BCPs across many advisers. The examination staff followed 
these reviews by issuing public reports of their findings and effective 
practices.\30\
---------------------------------------------------------------------------

    \29\ For example, Hurricane Katrina in 2005 and, as discussed in 
this release, Hurricane Sandy in 2012 presented challenges to 
advisers affected by those storms.
    \30\ See National Exam Program Risk Alert, SEC Examinations of 
Business Continuity Plans of Certain Advisers Following Operational 
Disruptions Caused by Weather-Related Events Last Year (Aug. 27, 
2013) (``NEP Risk Alert''), available at https://www.sec.gov/about/offices/ocie/business-continuity-plans-risk-alert.pdf. The 
examination was part of a joint review by the SEC's OCIE, FINRA and 
the CFTC of relevant firms' business continuity and disaster 
recovery planning in the wake of Hurricane Sandy. Together, these 
entities issued a joint statement setting forth best practices and 
lessons learned as a result of their review. See Joint Review of 
Business Continuity, supra note 22; see also SEC Compliance Alert 
(June 2007) (``Compliance Alert''), available at https://www.sec.gov/about/offices/ocie/complialert.htm.
---------------------------------------------------------------------------

    Hurricane Sandy broadly impacted the industry and its operations 
because of the duration and point of impact of the storm, which 
affected parts of New York, New Jersey, and the surrounding areas, 
where numerous financial services providers (both markets and 
participants) are concentrated. In the aftermath of the hurricane, 
examiners observed that the degree of specificity of advisers' written 
BCPs varied and that some advisers' BCPs did not ``adequately address 
and anticipate widespread events.'' \31\ In addition, with respect to 
alternative locations, examination staff noted that some advisers did 
not have geographically diverse office locations, even when they 
recognized that diversification would be appropriate.\32\ Additionally, 
they observed with respect to vendor relationships and 
telecommunications/technology, that certain advisers did not evaluate 
the BCPs of their service providers or engage service providers to 
ensure their backup servers worked properly, and that some advisers 
reported that they did not keep updated lists of their vendors and 
respective contacts.\33\ Moreover, with respect to communications 
plans, the examination staff observed that some advisers inconsistently 
planned how to contact and deploy employees during a crisis, 
inconsistently maintained communications with clients and employees, 
and did not identify which personnel were responsible for executing and 
implementing the various portions of the BCP.\34\ Finally, with respect 
to review and testing, our examination staff reported that some 
advisers ``inadequately tested their BCPs relative to their advisory 
businesses.'' \35\ These observations illustrate our experience that 
business continuity planning among investment advisers

[[Page 43535]]

can be uneven and, in some instances, may not be sufficiently robust to 
mitigate the potential adverse effects of a significant business 
disruption on clients.
---------------------------------------------------------------------------

    \31\ See NEP Risk Alert, supra note 30, at 3.
    \32\ See NEP Risk Alert, supra note 30, at 4.
    \33\ See NEP Risk Alert, supra note 30, at 4-5.
    \34\ See NEP Risk Alert, supra note 30, at 6.
    \35\ See NEP Risk Alert, supra note 30, at 7.
---------------------------------------------------------------------------

    Additionally, the operational complexity of advisers has increased 
over the years and many advisers' operations are highly dependent on 
technology, including investment processes (e.g., trading, risk 
management operations) and client services.\36\ It is critical for 
investment advisers to focus on resiliency so that they can continue to 
provide services to their clients when events impact the availability 
of systems, facilities, and staff. The ability to recover such systems, 
including third-party vendor provided platforms and services, and 
business operations in a timeframe that meets business requirements is 
important to mitigating the consequences of disruptive events.\37\
---------------------------------------------------------------------------

    \36\ See, e.g., Blackrock, The Role of Technology Within Asset 
Management (Aug. 2014), at 1, available at https://www.blackrock.com/corporate/en-us/literature/whitepaper/viewpoint-asset-management-technology-aug-2014.pdf (``Asset managers require systems to 
facilitate the maintenance of data and flow of information in the 
investment process, such as trading counterparties and custodians. 
Technology provides the unseen `plumbing' that ensures information 
flows smoothly throughout the ecosystem.''). The paper also notes 
that a robust asset management process requires both experienced 
professionals and technology, and that integrated investment 
technology enhances the quality of large volumes of data, supports 
consistent investment workflows and enables timely communications 
for both internal functions and with external parties.
    \37\ See, e.g., infra note 90.
---------------------------------------------------------------------------

    Based on the staff's observations from examinations, and the ever-
growing complexity of, and risks to, operations, we are concerned that 
some advisers may not have robust BCPs. When a client entrusts an 
adviser to manage its assets, the client does so with the expectation 
that the adviser will act in its best interests and safeguard its 
assets as appropriate, even in times of stress. We believe that without 
robust business continuity planning, an adviser's clients may be placed 
at risk in times of stress. Accordingly, to facilitate such robust 
planning across all SEC-registered advisers, we are proposing to 
require that these advisers address certain components in their 
business continuity and transition plans.
2. Transition Planning
    Operational risks are not limited to affecting the day-to-day 
operations of an adviser, but can lead to a financial services firm 
having to cease or wind-down operations while also considering how to 
safeguard client or investor assets. The 2008 financial crisis 
demonstrated that providers of financial services are at risk of having 
to exit the market unexpectedly and having to do so quickly.\38\ As 
with traditional business continuity planning, regardless of whether 
the risk is internal or external to the firm, a reasonably designed 
plan assessing various risks related to a business transition (e.g., 
operational and other risks related to transitioning client assets) and 
how to react to transition events should ameliorate the impact of 
transitions on clients.\39\ After the financial crisis, Congress 
addressed the need for this type of advance planning for certain 
institutions in the Dodd-Frank Wall Street Reform and Consumer 
Protection Act, which mandated regulations that require certain 
financial institutions to plan for ``rapid and orderly resolution in 
the event of material financial distress or failure.''\40\
---------------------------------------------------------------------------

    \38\ See Financial Crisis Inquiry Commission, Final Report of 
the National Commission on the Causes of the Financial and Economic 
Crisis in the United States (Jan. 2011) at 22-23, available at 
https://www.gpo.gov/fdsys/pkg/GPO-FCIC/pdf/GPO-FCIC.pdf (``In 
January 2008, Bank of America announced it would acquire the ailing 
lender Countrywide. . . . Bear Stearns . . . was bought by JP Morgan 
with government assistance in the spring. Before the summer was 
over, Fannie Mae and Freddie Mac would be put into conservatorship. 
Then, in September, Lehman Brothers failed and the remaining 
investment banks, Merrill Lynch, Goldman Sachs, and Morgan Stanley, 
struggled as they lost the market's confidence. AIG . . . was 
rescued by the government. Finally, many commercial banks and 
thrifts . . . teetered. IndyMac had already failed over the summer; 
in September, Washington Mutual became the largest bank failure in 
U.S. history. In October, Wachovia struck a deal to be acquired by 
Wells Fargo.''). Several of the financial services firms mentioned 
in this report included asset management subsidiaries.
    \39\ Both transition planning and business continuity planning 
relate to instances where an adviser may be unable to provide 
advisory services and where advance planning for those instances 
would benefit advisers and their clients. We note that in the 
Compliance Program Adopting Release, the Commission noted the risks 
to advisory clients if an adviser ceased operations. See Compliance 
Program Adopting Release, supra note 15.
    \40\ See section 165(d) of the Dodd-Frank Act [12 U.S.C. 5365]; 
see also Resolution Plans Required, 76 FR 67323 (Nov. 1, 2011) 
(``Resolution Plans''). We are not proposing that advisers adopt 
resolution plans or ``living wills'' similar to that which certain 
financial institutions must now adopt under FDIC and Federal Reserve 
rules because investment advisers do not interact with the 
government in the same way as banks. For example, advisers do not 
accept insured ``deposits,'' do not have access to the Federal 
Reserve discount window, and do not use their own balance sheets 
when trading client assets.
---------------------------------------------------------------------------

    In the normal course of business, it is our understanding that 
advisers routinely transition client accounts without a significant 
impact to themselves, their clients, or the financial markets.\41\ We 
believe that much of this is largely attributable to the agency 
relationship of advisers managing the assets on behalf of their clients 
and the regulatory framework supporting this relationship whereby 
advisory client assets for which the adviser has custody are required 
to be held at a qualified custodian, such as a bank or broker-
dealer.\42\ Because client assets custodied by an adviser must be held 
at a qualified custodian and segregated from the adviser's assets, we 
have observed that transitioning accounts from one adviser to another 
can largely be a streamlined process that in many cases may not involve 
the physical movement or sale of assets.\43\ Pooled investment vehicle 
clients generally have the ability to terminate the advisory contract 
of the adviser or remove the governing body that may provide advisory 
services (e.g., general partner or managing member) and appoint a new 
adviser or governing body if they so desire, while separate account 
clients can generally terminate the advisory contract and appoint a new 
adviser to manage their assets, all while their assets are typically 
maintained at a qualified custodian.\44\
---------------------------------------------------------------------------

    \41\ See, e.g., BlackRock FSOC Comment Letter (noting that 
``[t]ransitioning the management of client assets from one manager 
to another regularly occurs in the normal course of business'' and 
listing 19 previous examples of advisers or funds exiting the market 
without great market impact); SIMFA/IAA FSOC Comment Letter (noting 
that ``managers and funds routinely enter and exit the asset 
management industry'' and citing an Investment Company Institute 
paper to note that, in 2013, ``48 mutual fund sponsors left the 
business without any impact or distress''); Comment Letter of PIMCO 
to FSOC Notice (Mar. 25, 2015); Vanguard FSOC Comment Letter. In 
addition, we understand that specialized transition managers exist 
to manage assets during a transition from one adviser to another. 
See, e.g., BlackRock FSOC Comment Letter at 66.
    \42\ See rule 206(4)-2 under the Advisers Act. The use of 
custodians that traditionally provide those services provide 
protection for client assets from the adverse effects of stress at 
an adviser. We also note that approximately 96.7% of SEC-registered 
advisers are not related to the custodians that hold client assets. 
Based on data from the Commission's IARD as of January 4, 2016.
    \43\ Client assets are not part of the adviser's balance sheet. 
Client assets are not subject to the liquidation or potential 
bankruptcy process of an asset manager and are not subject to the 
adviser's creditors.
    \44\ We note that to the extent a new adviser does not have a 
relationship with the same custodian used by the previous adviser, 
assets may need to be transferred to a different custodian. 
Additionally, we note that complications could arise with respect to 
the transfer of shareholder records when transitioning client 
accounts to another adviser.
---------------------------------------------------------------------------

    In addition, we are aware of instances of non-routine disruptions 
at large advisory businesses that have resulted in transitions to new 
advisers or new ownership without appearing to have a significant 
adverse impact on clients, fund investors, or the financial

[[Page 43536]]

markets.\45\ Advisers routinely enter and exit the market and are 
capable of transferring client assets to another adviser or 
distributing such assets back to the client without negatively 
impacting the client.\46\ Cases of advisory firms experiencing 
transition events are often caused by a rapid decrease in assets under 
management, which can occur for a variety of reasons, including poor 
performance or an event causing reputational harm.\47\ To help ensure 
that a transition is as seamless as possible, an adviser must be aware 
of the impediments that should be addressed to minimize potential 
client impact.
---------------------------------------------------------------------------

    \45\ For example, although a unique situation, advisory firm 
Neuberger Berman spun out of Lehman Brothers during the 2008 
financial crisis into a private company. See also infra note 52 
(discussing the circumstances of the Neuberger Berman sale).
    \46\ See supra note 41.
    \47\ See, e.g., Trevor Hunnicutt, F-Squared Files for 
Bankruptcy, Investment News (July 8, 2015) (``F-Squared Article''), 
available at https://www.investmentnews.com/article/20150708/FREE/150709926/f-squared-files-for-bankruptcy (noting that after settling 
charges with the SEC for false performance claims, F-squared started 
losing assets under management); Christine Dugas & Sandra Block 
Strong, Strong Capital, Founder to Pay $140M in Settlement, USA 
Today (May 20, 2004), available at https://usatoday30.usatoday.com/money/perfi/funds/2004-05-20-strong-settle_x.htm (noting that after 
Strong Capital Management (``Strong'') and its founder settled 
charges with the SEC for allowing and engaging in undisclosed 
frequent trading in Strong mutual funds, Strong funds had a ``net 
outflow of investor assets totaling $4.9 billion''); see also In the 
Matter of F-Squared Investments, Inc., Advisers Act Rel. No. 3988 
(Dec. 22, 2014) (settled enforcement action); In the Matter of 
Strong Capital Management, et al., Securities Exchange Act Rel. No. 
49741 (May 20, 2004) (settled enforcement action); infra note 60.
---------------------------------------------------------------------------

    We are also aware of transitions involving funds under stress that 
have not been seamless or without problem.\48\ For example, in one 
instance, an adviser's proprietary system used on behalf of a fund 
client had limitations on the pricing of fund shares that could not be 
efficiently modified to accommodate certain events, which in turn 
impeded the processing of fund redemption transactions and the 
reconciliation, liquidation, and transfer of investor accounts on a 
timely basis.\49\ In addition, while maintaining assets with a 
custodian may ease the transfer of those assets, the adviser may have 
important or private information concerning its clients or their 
strategies and goals that would need to be transitioned securely and 
efficiently.\50\
---------------------------------------------------------------------------

    \48\ See, e.g., BlackRock FSOC Comment Letter (citing to the 
wind-down of Long-Term Capital Management in 2000 and Reserve 
Primary Fund in 2008 and noting that regulatory intervention was 
necessary for the funds involved).
    \49\ See In the Matter of The Reserve Fund, et al., Investment 
Company Act Rel. No. 28386 (Sept. 22, 2008) (finding that the 
temporary suspension of the right of redemption and postponement of 
payment for shares which had been submitted for redemption but for 
which payment had not been made was necessary for the protection of 
shareholders); see also The Reserve Delays Primary Fund 
Distributions, MFWire.com (Oct. 14, 2008), available at https://www.mfwire.com/article.asp?storyID=19638&bhcp=1 (``The process of 
determining accurately the number of shares each investor held in 
the Primary Fund has proven to be extremely complex and could not be 
completed in the originally anticipated time frame.''); The Reserve 
Furnishes More Details On Primary Fund Redemptions, MFWire.com (Oct. 
16, 2008), available at https://www.mfwire.com/article.asp?storyID=19656&bhcp=1 (``[W]e have been working 
diligently to enhance our existing software and add new programs to 
hasten the distribution process.'').
    \50\ See generally Regulation S-P, 17 CFR 248 (establishing 
general requirements and restrictions on a financial institutions' 
ability to disclose nonpublic personal information about consumers, 
including clients, to nonaffiliated third parties and exceptions 
associated therewith).
---------------------------------------------------------------------------

    Moreover, the 2008 financial crisis illustrated that one firm's 
distress may at times have a broader impact on the financial markets 
and overall economy.\51\ Advisers could be impacted by broader market 
events in a number of ways that could affect an adviser's ability to 
continue operations and possibly lead to a transition event. For 
example, advisers are often owned by or affiliated with other financial 
services firms who themselves may be in distress. An adviser may be 
affected by such distress to the extent the distress negatively impacts 
the adviser's reputation, if it relies on a distressed affiliate for 
certain systems or services, or if it is an asset that a distressed 
parent sells.\52\ Under circumstances such as these, we are concerned 
about the adviser's ability to continue to act in the clients' best 
interests.
---------------------------------------------------------------------------

    \51\ See generally Joint Report, infra note 72.
    \52\ See, e.g., Lehman Brothers selling its asset management arm 
after declaring bankruptcy. Sam Mamudi, Neuberger Berman Sold to 
Private Equity, Market Watch (Sept. 29, 2008), available at https://www.marketwatch.com/story/neuberger-berman-sold-to-private-equity-for-215-billion.
---------------------------------------------------------------------------

    Proper planning and preparation for possible distress and other 
significant disruptions in an adviser's operations is essential so 
that, if an entity has to exit the market, it can do so in an orderly 
manner, with minimal or no impact on its clients. As discussed above, 
an adviser's fiduciary duty obligates it to take steps to protect 
client interests from being placed at risk as a result of the adviser's 
inability to provide advisory services and, thus, it would be 
fraudulent and deceptive for an adviser to hold itself out as providing 
advisory services unless it has taken such steps.\53\ Such advance 
planning and preparation may minimize an adviser's exposure to 
operational and other risks and, therefore, lessen the possibility of a 
significant disruption in its operations, and also may lessen any 
potential impact on the broader financial markets. Accordingly, and as 
discussed in more detail below, we believe that SEC-registered advisers 
should be required to adopt and implement a written business continuity 
and transition plan that is tailored to the risks associated with the 
adviser's operations and includes certain components, reflecting its 
critical role as an agent for its clients.
---------------------------------------------------------------------------

    \53\ See supra section I.A; see also section 206(4) of the 
Advisers Act.
---------------------------------------------------------------------------

C. Discussion

    We believe it is appropriate at this time to propose a rule 
requiring SEC-registered advisers to adopt and implement a business 
continuity and transition plan\54\ that is reasonably designed to 
address operational and other risks related to a significant disruption 
in an adviser's operations and that addresses certain specified 
components.\55\ We recognize that, pursuant to the Compliance Program 
Rule, most SEC-registered investment advisers may already have BCPs in 
place as part of their compliance policies and procedures \56\ and that 
those plans (or other plans) may also address transition planning.\57\ 
However, it has been our staff's experience that the robustness of 
these BCPs is inconsistent across investment advisers. We believe that 
requiring a business

[[Page 43537]]

continuity and transition plan that addresses operational and other 
risks by rule and specifying certain components of such a plan will 
facilitate the adoption and implementation of robust plans by all SEC-
registered investment advisers that address critical areas and that 
should be effective and workable during a significant disruption in an 
adviser's operations. Moreover, we believe requiring such plans will 
benefit advisory clients because advisers will likely be better 
prepared to deal with business continuity and transition events if and 
when they occur and will better mitigate risks attendant with their 
operations and business practices, thereby reducing the likelihood of 
client harm as the result of a significant disruption in an adviser's 
operations.
---------------------------------------------------------------------------

    \54\ We recognize that business continuity planning and 
transition planning address different circumstances (i.e. one 
addresses the continuation of a business while the other addresses 
the winding down of a business). See infra note 60 and accompanying 
text. However, both business continuity planning and transition 
planning pertain to instances where an adviser may be unable to 
provide advisory services and where advance planning for those 
instances would benefit advisers and their clients. In this release 
and in proposed rule 206(4)-4, we refer to an adviser adopting ``a'' 
business continuity and transition plan. The proposed rule would not 
require an adviser to consolidate all of the components described in 
proposed rule 206(4)-4 into one document. An adviser may maintain 
separate plans that address the components identified in proposed 
rule 206(4)-4.
    \55\ We note that the Commission has explicitly required BCPs in 
other contexts, and that FINRA has adopted specific rules on BCPs 
for broker-dealers. See Regulation SCI Adopting Release, supra note 
17; FINRA Rule 4370. Further, NASAA has also issued a model rule for 
states to apply to state-registered advisers, which tend to be 
smaller in scale and size than advisers registered with the 
Commission. See NASAA Model Rule 203(a)-1A.
    \56\ See, e.g., BlackRock FSOC Comment Letter at 10 (noting that 
asset managers maintain BCPs); Fidelity FSOC Comment Letter at 32-33 
(discussing BCPs).
    \57\ We understand that in practice, adviser BCPs focus on risks 
from events that would limit or impact normal operations, such as 
natural disasters or systems failures, but also can address 
transition planning. See supra note 39 (discussing the Compliance 
Program Adopting Release and language therein regarding risks to 
clients if an adviser ceases operations).
---------------------------------------------------------------------------

    We are proposing new rule 206(4)-4 under the Advisers Act and 
amendments to rule 204-2 under the Advisers Act. Under rule 206(4)-4, 
it would be unlawful for an SEC-registered investment adviser to 
provide investment advice unless the adviser adopts and implements a 
written business continuity and transition plan and reviews that plan 
at least annually. The proposed amendments to rule 204-2 would require 
those advisers to make and keep copies of all written business 
continuity and transition plans that are in effect or were in effect at 
any time during the last five years, as well as any records documenting 
the adviser's annual review of its business continuity and transition 
plan.
1. Adopt and Implement Business Continuity and Transition Plans
    The proposed rule would require SEC-registered advisers to adopt 
and implement written business continuity and transition plans 
reasonably designed to address operational and other risks related to a 
significant disruption in the investment adviser's operations.\58\ 
These plans would include policies and procedures concerning (1) 
business continuity after a significant business disruption, and (2) 
business transition in the event the investment adviser is unable to 
continue providing investment advisory services to clients. Business 
continuity situations generally include natural disasters, acts of 
terrorism, cyber-attacks, equipment or system failures, or unexpected 
loss of a service provider, facilities, or key personnel. Business 
transitions generally include situations where the adviser exits the 
market and thus is no longer able to serve its clients, including when 
it merges with another adviser, sells its business or a portion 
thereof,\59\ or in unusual situations, enters bankruptcy 
proceedings.\60\
---------------------------------------------------------------------------

    \58\ See proposed rule 206(4)-4. We note that adviser BCPs are 
also often referred to as business continuity and disaster recovery 
plans; however, we have chosen to use the term ``business continuity 
and transition plan'' to refer to plans required under the proposed 
rule. We believe, however, that such plans would encompass disaster 
recovery planning because any robust BCP would need to plan for the 
recovery of its business operations and systems in order to be able 
to continue providing services to clients. See proposed rule 206(4)-
4(b)(2)(i) (requiring business continuity and transition plans to 
include maintenance of critical operations and systems, and the 
protection, backup, and recovery of data).
    \59\ See proposed rule 206(4)-4(b). We note with respect to 
business transitions that there may be circumstances where an 
adviser is unable to provide advisory services for only a portion of 
its business, but is able to continue providing services with 
respect to another portion of its business, and thus, only exits a 
particular market. An adviser's business continuity and transition 
plan generally should address the possibility of such a partial 
transition. Cf. infra note 60 and accompanying text (discussing 
business transitions generally).
    \60\ For example, in 2015, F-Squared Investments, Inc. filed for 
bankruptcy and arranged for its investment strategies to be managed 
by another adviser. See F-Squared Article, supra note 47. In 
addition, in 2005, funds managed by Strong were acquired by Wells 
Fargo & Company and the ``legal entities comprising the Strong . . . 
complex were subsequently liquidated.'' See BlackRock FSOC Comment 
Letter at 62-63 (discussing the Strong transition); see also Press 
Release, Wells Fargo Agrees to Acquire $34 Billion in Assets Under 
Management From Strong Financial Corporation, Wells Fargo (May 26, 
2004), available at https://www.wellscap.com/docs/press_releases/5.26.04.pdf.
---------------------------------------------------------------------------

    The proposed rule is intended to help ensure that an adviser's 
policies and procedures minimize material service disruptions and any 
potential client harm from such disruptions. Advisers should keep this 
focus at the forefront when reviewing their business operations and 
developing their policies and procedures. Accordingly, the proposed 
rule would require an SEC-registered adviser's business continuity and 
transition plan to include policies and procedures designed to minimize 
material service disruptions, including policies and procedures that 
address certain specific components. We recognize that advisers' 
business models and operations vary, but we believe that every business 
continuity and transition plan must generally address operational and 
other risks related to a significant disruption in the adviser's 
operations and must address certain key components to plan and prepare 
for such disruptions.\61\ While we believe advisers should generally 
assess and inventory all of the components of their businesses in order 
to develop their business continuity and transition plans and tailor 
their plans to the specific risks their businesses face, we also 
believe that identifying these key components should facilitate the 
adoption and implementation of robust BCPs by all SEC-registered 
investment advisers.
---------------------------------------------------------------------------

    \61\ See supra notes 30-35 and accompanying text (discussing 
certain key elements of BCPs). Other regulatory bodies and 
organizations also have recognized key elements of business 
continuity plans. See 17 CFR 23.603 (setting forth essential 
components of BCPs for swap dealers and major swap participants); 
FINRA Rule 4370 (setting forth minimum elements that a business 
continuity plan should address); NASAA Model Rule 203(a)-1A (stating 
certain elements the plan should address); FFIEC Handbook, supra 
note 17, at G-1 (discussing components of effective BCPs).
---------------------------------------------------------------------------

    Under the proposed rule, the content of an SEC-registered adviser's 
business continuity and transition plan would be based upon risks 
associated with the adviser's operations and would include policies and 
procedures designed to minimize material service disruptions, including 
policies and procedures that address the following: \62\ (1) 
Maintenance of critical operations and systems, and the protection, 
backup, and recovery of data; \63\ (2) pre-arranged alternate physical 
location(s) of the adviser's office(s) and/or employees; \64\ (3) 
communications with clients, employees, service providers, and 
regulators; \65\ (4) identification and assessment of third-party 
services critical to the operation of the adviser; \66\ and (5) plan of 
transition that accounts for the possible winding down of the adviser's 
business or the transition of the adviser's business to others in the

[[Page 43538]]

event the adviser is unable to continue providing advisory 
services.\67\
---------------------------------------------------------------------------

    \62\ We have modeled the proposed rule on BCP requirements for 
other financial services firms that we believe share similar 
vulnerabilities as investment advisers, as well as our staff's 
examinations experiences, which have highlighted a number of best 
practices as well as a number of areas for improvement specific to 
investment advisers. For example, to assist advisers in considering 
their own business continuity issues, the examination staff 
previously identified a number of ``lessons learned'' from its 
examinations of advisers that were affected by Hurricane Katrina. 
See Compliance Alert, supra note 30. The staff noted certain 
provisions in disaster recovery plans that appeared to be effective 
in allowing an adviser to provide ``uninterrupted advisory services 
to clients in a compliant manner after a disaster'' including (i) a 
pre-arranged remote location for short-term and possible long-term 
use; (ii) alternate communication protocols to contact staff and 
clients; (iii) remote access to business records and client data 
through appropriately secured means; (iv) temporary lodging for key 
staff where necessary and effective training of staff on how to 
fulfill essential duties in the event of a disaster; (v) maintaining 
accurate and up-to-date contact information for all third-party 
service providers and familiarity with the BCPs of those providers; 
(vi) contingency arrangements for loss of key personnel; (vii) 
periodic testing, evaluation and revision of the plan; and (viii) 
maintaining sufficient insurance and financial liquidity to prevent 
any interruption of the performance of compliant advisory services.
    \63\ See proposed rule 206(4)-4(b)(2)(i).
    \64\ See proposed rule 206(4)-4(b)(2)(ii).
    \65\ See proposed rule 206(4)-4(b)(2)(iii).
    \66\ See proposed rule 206(4)-4(b)(2)(iv).
    \67\ As discussed more below, the plan of transition would have 
to include (1) policies and procedures intended to safeguard, 
transfer and/or distribute client assets during transition; (2) 
information regarding the corporate governance of the adviser; (3) 
the identification of any material financial resources available to 
the adviser; (4) policies and procedures facilitating the prompt 
generation of any client-specific information necessary to 
transition each client account; and (5) an assessment of the 
applicable law and contractual obligations governing the adviser and 
its clients, including pooled investment vehicles, implicated by the 
adviser's transition. See proposed rule 206(4)-4(b)(2)(v).
---------------------------------------------------------------------------

    While each SEC-registered adviser's business continuity and 
transition plan must address the components set forth in the proposed 
rule, we recognize that the degree to which an adviser's plan addresses 
a required component will depend upon the nature of each particular 
adviser's business. We also recognize that business models and 
operations vary significantly among advisers.\68\ The proposed rule 
thus would require that the plan be reasonably designed to address the 
operational and other risks of an adviser and thus advisers need only 
take into account the risks associated with its particular operations, 
including the nature and complexity of the adviser's business, its 
clients, and its key personnel.\69\ For example, we believe that the 
business continuity and transition plan of a large adviser with 
multiple locations, offices, or business lines likely would differ 
significantly from that of a small adviser with a single office or only 
a few investment professionals and employees. Additionally, we believe 
that the business continuity and transition plan of an adviser with a 
complex internal technology infrastructure likely would differ from 
that of an adviser that primarily uses an outsourced model.\70\ The 
complexity and risks associated with these diverse business models 
could be substantially different, and our proposed rule is designed to 
give advisers the flexibility to create business continuity and 
transition plans that accommodate such differences.
---------------------------------------------------------------------------

    \68\ See Comment Letter of Wellington Management Group LLP to 
FSOC Notice (Mar. 25, 2015) at 2 (``The unique characteristics of 
today's asset management industry (agency and advice based: Low 
barriers to entry: High substitutability among managers: And highly 
competitive) result in a large number of asset management firms that 
are organized in a variety of models.'').
    \69\ See, e.g., BlackRock FSOC Comment Letter at 9 (noting that 
``understanding the differences in operating models is crucial'' in 
assessing the potential operational risk of an asset manager).
    \70\ Id. at 71. A larger adviser may conduct (insource) some or 
all middle and back office functions (e.g., securities 
administration, accounting, and recordkeeping) internally. Whereas 
in an outsourced model, the asset management firm hires third-party 
providers to perform various middle and back office functions.
---------------------------------------------------------------------------

a. Maintenance of Critical Operations and Systems, and the Protection, 
Backup, and Recovery of Data, Including Client Records
    The proposed rule would require advisers' business continuity and 
transition plans to include policies and procedures on the maintenance 
of critical operations and systems, and the protection, backup, and 
recovery of data, including client records.\71\ With respect to 
maintaining critical operations/systems, an adviser's plan generally 
should identify and prioritize critical functions, operations, and 
systems and consider alternatives and redundancies to help maintain the 
continuation of operations in the event of a significant business 
disruption.\72\ When evaluating which operations and systems are 
critical, advisers generally should consider those that are utilized 
for prompt and accurate processing of portfolio securities transactions 
on behalf of clients, including the management, trading, allocation, 
clearance and settlement of such transactions. Advisers generally 
should also consider operations and systems that are critical to the 
valuation and maintenance of client accounts, access to client 
accounts, and the delivery of funds and securities. This typically will 
include identification and assessment of third-party services that 
support certain functions, as activities conducted may involve systems 
and processes that the adviser controls and others that may be wholly 
or partially dependent on third-party vendors, which we address below. 
Advisers generally also should identify which key personnel either 
provide critical functions to the adviser or support critical 
operations or systems of the adviser such that the temporary or 
permanent loss of those individuals would disrupt the adviser's ability 
to provide services to its clients.
---------------------------------------------------------------------------

    \71\ We note that Regulation SCI also includes requirements 
regarding the maintenance of systems. Rule 1001(a) requires each SCI 
entity to establish, maintain, and enforce policies and procedures 
that are reasonably designed to ensure that its ``SCI systems'' have 
levels of capacity, integrity, resiliency, availability, and 
security, adequate to maintain the SCI entity's operational 
capability and promote the maintenance of fair and orderly markets. 
Moreover, rule 1001(a)(2)(v) also requires that these policies and 
procedures include business continuity and disaster recovery plans 
that are reasonably designed to achieve two-hour resumption of 
``critical SCI systems'' following a wide-scale disruption. 17 CFR 
242.1001. We note that in the Regulation SCI Adopting Release, the 
Commission stated that it would monitor and evaluate the 
implementation of Regulation SCI, the risks posed by systems of 
other market participants, and the continued evolution of the 
securities markets, and in the future may consider extending the 
types of requirements in Regulation SCI to other market 
participants, including investment advisers. See Regulation SCI 
Adopting Release, supra note 17, at 72259. We note that the proposed 
rule would not apply Regulation SCI to investment advisers. Rather, 
the Commission is proposing this rule in light of the specific 
operations and businesses of investment advisers and the risks they 
present.
     In addition to Regulation SCI, we note, as discussed above, 
that our staff has previously highlighted the importance of access 
to business records and client data as well as backup servers and 
other telecommunications services in the context of business 
continuity planning. See supra notes 30 and 33, and accompanying 
text. We also note that other regulatory bodies and organizations 
have stressed the importance of critical systems and data protection 
in the context of BCPs. See, e.g., 17 CFR 23.603(b)(1), (4) and (6) 
(requiring BCPs to include identification of documents, data, 
facilities and infrastructure, as well as backup or copying of 
documents and data, essential to operations, and procedures for and 
the maintenance of backup facilities, systems and infrastructure); 
FINRA Rule 4370(c)(1) and (2) (requiring BCPs to address data backup 
and recovery (both hard copy and electronic) as well as mission 
critical systems); NASAA Model Rule 203(a)-1A(1) (stating that BCPs 
should provide for ``protection, backup and recovery of books and 
records''); SIFMA, Business Continuity Planning Expanded Practices 
Guidelines (Apr. 2011) (``SIFMA Guidelines'') at 27 and 32, 
available at https://www.sifma.org/uploadedfiles/services/bcp/sifma-bc-practices-guidelines2011-04.pdf (noting that businesses should 
ensure ``the functionality and availability of critical business 
applications'' and ``that redundant copies of vital records'' are 
securely stored and available during an emergency).
    \72\ Following the publication of the Interagency Paper, the 
Commission, together with the Federal Reserve and the Office of the 
Comptroller of the Currency, issued a joint report that discussed 
the industry's efforts to implement the recommendations contained in 
the Interagency Paper (``Joint Report''). The Joint Report notes 
that the Interagency Paper addresses reasonable recovery time 
objectives and identifies specific risk-based recovery standards in 
order ``to assure that there will be a relatively consistent degree 
of preparedness across'' the industry. See Joint Report on Efforts 
of the Private Sector to Implement the Interagency Paper on Sound 
Practices to Strengthen the Resilience of the U.S. Financial System 
(Apr. 2006) at 3, available at https://www.sec.gov/news/press/studies/2006/soundpractices.pdf; see also MFA FSOC Comment Letter at 
45 (citing to the MFA's recommendations to hedge fund managers that 
they design and implement business continuity/disaster recovery 
plans ``reasonably designed to: (1) Identify and prioritize critical 
business functions. . .'').
---------------------------------------------------------------------------

    We believe that by considering alternatives and redundancies for 
critical operations and systems in advance of significant business 
disruptions, an adviser will be able to prioritize, recover, and resume 
key aspects of its business in a timely manner and consequently be 
better able to act in its clients' best interests and continue 
providing services to its clients during such a disruption.\73\ For

[[Page 43539]]

example, if most securities operations functions (post-trade 
processing, corporate actions, reconciliation, etc.) are handled 
internally by the adviser,\74\ then the adviser's plans should address 
the backup systems or other alternative processes or procedures that 
will be used or followed in the event of a business disruption where 
standard operations may not be available. Additionally, we believe that 
contingency plans with respect to key personnel generally should 
address both the temporary or permanent loss of such personnel. For 
example, loss of key personnel could result from an employee's sudden 
departure from the adviser or could be due to a weather related event 
that renders the employee temporarily unavailable. Accordingly, an 
adviser's business continuity and transition plan generally should 
include short-term arrangements, such as which specific individuals 
would satisfy the role(s) of key personnel when unavailable, and long-
term arrangements regarding succession planning and how an adviser will 
replace key personnel.\75\
---------------------------------------------------------------------------

    \73\ Investment advisers should also generally consider in their 
business continuity planning circumstances in which a service 
provider (including another investment adviser that provides 
operations or systems to the adviser) is permanently unable to 
provide the adviser with critical operations or systems. See, e.g, 
Financial Conduct Authority, Outsourcing in the Asset Management 
Industry: Thematic Project Findings Report (Nov. 2013) (``FCA 
Paper''), available at https://www.fca.org.uk/static/documents/thematic-reviews/tr13-10.pdf (``Based on our initial assessment of 
asset managers last year, we concluded that firms in the sample were 
unprepared for a failure of their service provider.''). The FCA 
Paper suggested that asset managers should review their own 
outsourcing arrangements and where appropriate (i) ``enhance their 
contingency plans for the failure of a service provider providing 
critical activities, taking into account industry-led guiding 
principles where applicable'' and (ii) ``assess the effectiveness of 
their oversight arrangements to oversee critical activities 
outsourced to a service provider, making sure the required expertise 
is in place.''
    \74\ As discussed above, investment advisers that are also 
registered broker-dealers will be subject to both the proposed rule 
and FINRA's rule 4370 regarding BCPs. While we believe the two rules 
are largely complementary, we note that SEC-registered advisers 
would have to comply with the requirements of proposed rule 206(4)-4 
with respect to their advisory functions. See supra note 18.
    \75\ An adviser should also consider whether the departure of 
key personnel may trigger contractual obligations with clients, 
investors, or counterparties. For example, private funds clients may 
contain redemption rights for its investors upon the departure of 
specified investment personnel.
---------------------------------------------------------------------------

    With respect to data protection, backup, and recovery, a business 
continuity and transition plan generally should address both hard copy 
and electronic backup, as appropriate.\76\ A reasonably designed 
business continuity and transition plan generally should recognize that 
significant business disruptions may prevent access to electronic 
copies of data (e.g., power or internet outage) and hard copies of data 
(e.g., cannot access building where data is located). Such a plan 
should also recognize the important role electronic records can play in 
carrying out the adviser's plan of transition in a timely manner.
---------------------------------------------------------------------------

    \76\ This proposed requirement would be consistent with the 
existing requirement for SEC-registered investment advisers to 
maintain specific books and records relating to its investment 
advisory business. See rule 204-2(a) and (g). The ``books and 
record'' rule requires advisers to have procedures: to reasonably 
protect electronic records from loss, alteration, or destruction; to 
limit access to electronic records; and to assure that electronic 
records that are created from hard copy are complete, true, and 
legible. See rule 204-2(g)(3).
---------------------------------------------------------------------------

    Additionally, in connection with data backup and recovery, a 
business continuity and transition plan generally should include an 
inventory of key documents (e.g., organizational documents, contracts, 
policies and procedures), including the location and description of the 
item, and a list of the adviser's service providers relationships that 
are necessary to maintaining functional operations. This documentation 
generally should include details of the adviser's management structure, 
risk management processes, and financial and regulatory reporting 
requirements. We believe such documentation would make it easier for an 
adviser and its employees to access important operations/systems, 
documents, and relationships during a significant business disruption.
    Finally, we note with respect to data protection, backup and 
recovery, one type of potentially significant business disruption is a 
cyber-attack. An adviser generally should consider and address as 
relevant the operational and other risks related to cyber-attacks.\77\ 
We believe exposure to compliance and operational risks that may be 
caused by cybersecurity incidents can be mitigated by addressing such 
risks in the context of business continuity planning.\78\
---------------------------------------------------------------------------

    \77\ Our staff recently highlighted a number of measures for 
advisers to consider in the context of cybersecurity and noted that 
``advisers should identify their . . . compliance obligations under 
the federal securities laws and take into account these obligations 
when assessing their ability to prevent, detect and respond to cyber 
attacks.'' See Cybersecurity Guidance, IM Guidance Update (Apr. 
2015), available at https://www.sec.gov/investment/im-guidance-2015-02.pdf. In March 2014, the Commission hosted a roundtable on 
cybersecurity, which highlighted the Commission's focus on 
cybersecurity-related issues and a number of Commission actions 
relating to cybersecurity. The Commission is also focused on 
cybersecurity risk issues related to investment advisers, including 
data protection and identity theft vulnerabilities. See Chair Mary 
Jo White, Opening Statement at SEC Roundtable on Cybersecurity (Mar. 
26, 2014), available at https://www.sec.gov/News/PublicStmt/Detail/PublicStmt/1370541286468; see also Identity Theft Red Flags Rules, 
Securities Exchange Act Rel. No. 69359 (Apr. 10, 2013); see also 
Cybersecurity Roundtable, SEC, available at https://www.sec.gov/spotlight/cybersecurity-roundtable.shtml (providing information on 
the roundtable). We also note that the National Institute of 
Standards and Technology (``NIST'') has issued a framework for 
improving cybersecurity and that it recently sought comment on this 
framework. See NIST, Framework for Improving Critical Infrastructure 
Cybersecurity (Feb. 12, 2014), available at https://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf; NIST, 
Cybersecurity Framework--Overview, available at https://www.nist.gov/cyberframework/# (discussing requests for comment on the 
cybersecurity framework).
    \78\ We recognize that advisers also may have additional 
policies and procedures to address compliance and operational risks 
related to cybersecurity incidents.
---------------------------------------------------------------------------

b. Pre-Arranged Alternate Physical Location(s)
    The proposed new rule would also require an adviser's business 
continuity and transition plan to include pre-arranged alternate 
physical location(s) of its office(s) and/or employees. As our staff 
has indicated a number of times, alternate or remote locations are 
essential for an adviser to continue providing services during a 
significant business disruption.\79\ Accordingly, when developing 
business continuity and transition plans, advisers generally should 
consider the geographic diversity of their offices or remote sites and 
employees, as well as access to the systems, technology, and resources 
necessary to continue operations at different locations in the event of 
a disruption.\80\ For example, an adviser

[[Page 43540]]

may recognize that a significant business disruption could limit access 
to its primary or only office for an extended period of time and, 
therefore, establish a satellite office or plan to use a remote site in 
another location or geographic region and may also allow remote access 
by employees so the adviser could continue to have access to the 
facilities, systems, and personnel necessary to carry on its 
business.\81\
---------------------------------------------------------------------------

    \79\ See supra notes 30 and 32, and accompanying text; see also 
Regulation SCI Adopting Release, supra note 17 (requiring an SCI 
entity's business continuity and disaster recovery plan to include 
``geographically diverse'' backup and recovery capabilities). We 
note that other regulatory bodies and organizations have also 
recognized the importance of alternate sites and geographic 
diversity in business continuity planning. See, e.g., 17 CFR 
23.603(b)(5) (requiring backup facilities, infrastructure and 
alternative staffing in geographically separate areas); FINRA Rule 
4370(c)(6) (requiring BCPs to address ``alternate physical location 
of employees''); NASAA Model Rule 203(a)-1A(3) (stating that BCPs 
should provide for ``office relocation in the event of temporary or 
permanent loss of a principal place of business''); FFIEC Handbook, 
supra note 17, at G14 (stating that a ``BCP should address site 
relocation for short-, medium-, and long-term disaster and 
disruption scenarios''); Interagency Paper, supra note 16 (noting 
that backup sites should not rely on the same infrastructure 
components used by the primary site, should not be impaired by a 
wide-scale evacuation at or the inaccessibility of staff that 
service the primary site, and should consider staffing needs at the 
backup site if the firm relies on the same labor pool for both its 
primary and back up sites).
    \80\ We are not proposing to require that an adviser's business 
continuity and transition plan include an alternative location at a 
specified distance away from its primary location because we 
believe, as discussed above, that an adviser's plan should be 
tailored to its particular operations and that, while a specified 
distance may be appropriate for one adviser's alternate location, it 
may not be appropriate for all advisers. Nonetheless, we believe 
advisers generally should consider whether their alternative 
locations are in such close proximity to each other or to its 
primary location that they may be sharing common infrastructure 
providers and thus, that the alternative locations would be 
similarly affected by an external event.
    \81\ An adviser should consider the technology, systems, and 
resources necessary for employees working remotely to continue to 
securely conduct the adviser's business.
---------------------------------------------------------------------------

c. Communications With Clients, Employees, Service Providers, and 
Regulators
    Under the proposed rule, a business continuity and transition plan 
would also need to address communications with clients, employees, 
service providers, and regulators. We believe that communication plans 
are an essential element of effective business continuity and 
transition plans and generally should cover communications with parties 
involved in the critical aspects of the adviser's operations.\82\ For 
example, if an adviser's employees are unaware that a disruption has 
occurred and the adviser's business continuity and transition plan has 
been activated, the plan will likely fail. An adviser's communication 
plan generally should cover, among other things, the methods, systems, 
backup systems, and protocols that will be used for communications, how 
employees are informed of a significant business disruption, how 
employees should communicate during such a disruption, and contingency 
arrangements communicating who would be responsible for taking on other 
responsibilities in the event of loss of key personnel.\83\ Adviser 
business continuity and transition plans generally should also address 
employee training, so that in the event of a significant business 
disruption employees understand their specific roles and 
responsibilities and are able to carry out the adviser's plan.
---------------------------------------------------------------------------

    \82\ As discussed above, our staff has previously noted the 
important role that communication plans can play in business 
continuity planning. See supra notes 30 and 34 and accompanying 
text. Additionally, we note that other regulatory bodies and 
organizations have focused on communications in the context of BCPs. 
See, e.g., 17 CFR 23.603(b)(3) (requiring BCPs to include 
communication plans with respect to employees, vendors, and 
regulatory authorities); FINRA Rule 4370(c)(4), (5), and (9) 
(requiring BCPs to address communications with customers, employees 
and regulators); NASAA Model Rule 203(a)-1A(2) (stating that BCPs 
should provide for alternate communications with ``customers, key 
personnel, employees, vendors, service provides. . .and regulators. 
. . .''); FFIEC Handbook, supra note 17, at G-4 (stating that 
``[c]ommunication is a critical aspect of a BCP and should include 
communication with employees, . . . regulators, vendors/suppliers 
(detailed contact information), [and] customers (notification 
procedures) . . . .'').
    \83\ See supra section I.C.1.a.
---------------------------------------------------------------------------

    Moreover, advisers should consider when and how it is in their 
clients' best interests to be informed of a significant business 
disruption and/or its impact. Accordingly, with respect to clients, a 
business continuity and transition plan generally should include the 
process by which the adviser would have prompt access to client records 
that include the name and relevant contact and account information for 
each client as well as investors in private funds sponsored by the 
investment adviser.\84\ These plans generally should include how 
clients will be made aware of and updated about a significant business 
disruption that materially impacts ongoing client services (e.g., 
periodic updates to Web sites and customer service lines) and, when 
applicable, how clients will be contacted and advised if account access 
is impacted during such a disruption.
---------------------------------------------------------------------------

    \84\ For a private fund to qualify for the exclusion from the 
definition of ``investment company'' in either section 3(c)(1) or 
3(c)(7) of the Investment Company Act of 1940 (``Investment Company 
Act'') or rely on various offering exemptions under the Securities 
Act of 1933, the private fund is already required to have a 
reasonable belief regarding certain qualification information with 
regard to its beneficial owners that are U.S. persons. See, e.g., 17 
CFR 270.2a51-1(h), 17 CFR 230.501(a). While the private fund may not 
be required to have such detailed information about non-U.S. person 
beneficial owners, we understand it generally has contact 
information readily available.
---------------------------------------------------------------------------

    Similarly, an adviser's communication plan with its service 
providers generally should include, among other things, how the service 
provider will be notified of a significant business disruption at the 
adviser as well as how the adviser will be notified of a significant 
business disruption at a service provider, and how the entities will 
communicate with one another and clients or investors (where 
applicable) \85\ during a disruption. With respect to communications 
with the adviser's regulators, the adviser's business continuity and 
transition plan generally should include the contact information for 
relevant regulator(s), and identify the personnel responsible for 
notifying, as well as under what circumstances it would notify, such 
regulator(s) of a significant business disruption.
---------------------------------------------------------------------------

    \85\ For example, pooled investment vehicles generally rely on 
their investment advisers to arrange for and interact with fund 
service providers. If an adviser to an investment company, for 
example, outsources certain back office functions, such as transfer 
agency to a third-party vendor, its business continuity and 
transition plan should address coordination of communications with 
the transfer agent to investors in the fund, as well as with 
intermediaries servicing investors who also are beneficial owners of 
the fund.
---------------------------------------------------------------------------

d. Identification and Assessment of Third-Party Services Critical to 
the Operation of the Adviser
    The proposed rule would require an adviser's business continuity 
and transition plan to include the identification and assessment of 
third-party services critical to the operation of the adviser.\86\ We 
understand advisers frequently outsource certain functions or aspects 
of their operations or use third-parties' systems or vendors for their 
middle and back office functions in order to permit the adviser to 
focus on front office core functions, such as portfolio management and 
trading.\87\ To the extent critical services are outsourced to third-
parties, we believe that an adviser generally should be prepared for 
significant business disruptions that could impair its ability to act 
in its clients' best interests by having a business continuity and 
transition plan that addresses the critical services provided to it by 
such third parties.\88\
---------------------------------------------------------------------------

    \86\ We note that Regulation SCI includes specific requirements 
with respect to the resumption of ``critical SCI systems,'' 
differentiating these systems from other systems covered by the 
regulation. See 17 CFR 242.1000 and 242.1001(a)(2)(v) of Regulation 
SCI. In addition, as discussed above, our staff has previously noted 
the importance of addressing third-party relationships in the 
context of BCPs. See supra notes 30 and 33, and accompanying text. 
Additionally, we note that other regulatory bodies and organizations 
have noted that BCPs should address third-party relationships. See, 
e.g., 17 CFR 23.603(b)(7) (requiring ``identification of potential 
business interruptions encountered by third parties that are 
necessary to continued operations'' and ``a plan to minimize the 
impact''); FINRA Rule 4370(c)(7) (requiring BCPs to address 
``critical business constituent, bank, and counterparty impact''); 
SIFMA Guidelines, supra note 71, at 30 (stating that BCPs should 
include internal and external business partners and that firms 
should be familiar with the BCPs and risks of those partners).
    \87\ For example, we frequently see middle office functions such 
as administration of the front office and trades and related 
transactions, including securities operations and processing 
(confirmation, routing, matching, and settlement trades), pricing/
valuation, reconciliation (both cash and positions), and post trade 
compliance and reporting, outsourced to third parties.
    \88\ The nature of advisory business is such that advisers 
typically depend on a number of third-party service providers and 
systems vendors (e.g., broker-dealers, custodians, etc.) in 
providing services to their clients.
---------------------------------------------------------------------------

    In this regard, an adviser's business continuity and transition 
plan should identify critical functions and services provided by the 
adviser to its clients, and third-party vendors supporting or 
conducting critical functions or services for the adviser and/or on the 
adviser's behalf.\89\ An adviser generally should

[[Page 43541]]

consider a variety of factors when identifying and prioritizing which 
service providers should be deemed critical, such as the day-to-day 
operational reliance on the service provider and the existence of a 
backup process or multiple providers, whether or not the service 
provided includes direct contact with clients or investors, and whether 
the service provider is maintaining critical records or able to access 
personally identifiable information, among other things. We would 
generally consider critical service providers to at least include those 
providing services related to portfolio management, the custody of 
client assets, trade execution and related processing, pricing, client 
servicing and/or recordkeeping, and financial and regulatory reporting.
---------------------------------------------------------------------------

    \89\ The Joint Report noted that, notwithstanding the use of a 
service provider to perform various activities, a firm ``cannot 
shift responsibility for compliance and risk management to the 
service provider. . . . Should a service provider not have the 
appropriate level of resilience, a financial institution would be 
required to move to a provider that can demonstrate an appropriate 
level of resilience.'' See Joint Report, supra note 72 at 6.
     We also encourage advisers to be familiar with the terms of 
their contracts with critical service providers, including any 
provisions regarding the termination or assignment of the contract 
and any notice requirements related to those provisions.
---------------------------------------------------------------------------

    Once an adviser identifies its critical service providers, it 
should review and assess how these service providers plan to maintain 
business continuity when faced with significant business disruptions 
and consider how this planning will affect the adviser's 
operations.\90\ For example, if an adviser's business continuity and 
transition plan contemplates that it will rely on a particular service 
provider for a critical service, the adviser generally should be aware 
of whether the service provider has a BCP and if that BCP provides 
alternatives, including backup plans, to allow it to continue providing 
critical services during a significant business disruption. If the 
service provider does not have a BCP or if its BCP does not provide for 
such alternatives, the adviser generally should consider alternatives 
for such critical services, which may include other service providers 
or internal functions or processes that can serve as a backup or 
contingency for such critical services.\91\
---------------------------------------------------------------------------

    \90\ In late August 2015, Bank of New York Mellon (``BNY 
Mellon''), a service provider that provides custodial and 
administrative services to mutual funds, closed-end funds, and 
exchange-traded funds, experienced a breakdown in one of its third-
party systems (SunGard's InvestOne) used to calculate numerous 
client funds' net asset values (``NAVs''). As a result of this 
breakdown, BNY Mellon was unable to deliver timely system-generated 
NAVs to certain clients for several days, which resulted in certain 
clients pricing their shares using stale or manually calculated NAVs 
and certain ETFs using stale baskets. Once the automated system was 
restored, ETF baskets were updated and certain funds had to review 
the NAVs used while the automated system was down and make any 
necessary corrections. See, e.g., Stephen Foley, BNY Mellon Close to 
Resolving Software Glitch, Financial Times (Aug. 31, 2015), 
available at https://www.ft.com/intl/cms/s/0/47d5860a-4f2b-11e5-b029-b9d50a74fd14.html; Jessica Toonkel & Tim McLaughlin, BNY Mellon 
Pricing Glitch Affects Billions of Dollars of Funds, Reuters (Aug. 
26, 2015), available at https://www.reuters.com/article/bnymellon-funds-nav-idUSL1N1111QY20150826; Barrington Partners White Paper, An 
Extraordinary Week: Shared Experiences from Inside the Fund 
Accounting System Failure of 2015 (Nov. 2015), available at https://www.mfdf.org/images/uploads/blog_files/SharedExperiencefromFASystemFailure2015.pdf; Transcript of the BNY 
Mellon Teleconference Hosted by Gerald Hassell on the Sungard Issue, 
available at https://www.bnymellon.com/_global-assets/pdf/events/transcript-of-bny-mellon-teleconference-on-sungard-issue.pdf.
    \91\ We recognize that it may not be feasible or may be cost 
prohibitive for an adviser to retain backup service providers, 
vendors, and/or systems for all critical services. In such cases, an 
adviser should consider backup plans, functions and/or processes to 
address how it will manage the loss of a critical service.
---------------------------------------------------------------------------

    We also recognize that advisers often play a key role in 
identifying, arranging for, and overseeing other service providers for 
certain of their clients as part of their sponsoring roles. For 
example, an adviser may arrange for a particular administrator or 
pricing vendor for a registered investment company client or private 
fund client.\92\ Accordingly, we believe an adviser should generally 
review and assess how the critical service providers it arranges and/or 
oversees for its clients plan to maintain business continuity when 
faced with significant business disruptions and consider how this 
planning will affect its clients' operations.\93\
---------------------------------------------------------------------------

    \92\ See supra note 85.
    \93\ See, e.g., supra note 89.
---------------------------------------------------------------------------

    We understand that many advisers currently take a variety of steps 
to understand the operational and other risks of their service 
providers and those of certain clients' critical service providers,\94\ 
such as reviewing a summary of a service provider's BCP, due diligence 
questionnaires, an assurance report on controls by an independent 
party,\95\ certifications or other information regarding a provider's 
operational resiliency or implementation of compliance policies, 
procedures, and controls relating to its systems, results of any 
testing, and conducting onsite visits. Factors such as the significance 
of the service provider to advisory operations, the type of service 
provided, and the adviser's ability to require or request actions of 
its service providers will impact the steps that advisers should 
consider taking.
---------------------------------------------------------------------------

    \94\ See, e.g., BlackRock FSOC Comment Letter; see also Risk 
Principles for Asset Managers, supra note 4, at 19 (``The increased 
level of outsourcing to third party service providers has changed 
not only their outsourcing risk profile but such significant changes 
to an organization's business model can lead to many process and 
control changes and could therefore increase the exposure to other 
(operational) risk areas (e.g., country risk and service provider 
oversight)''); cf. rule 38a-1(a)(2) (requiring registered investment 
company boards to approve policies and procedures that provide for 
the oversight of compliance by the fund's investment adviser and 
certain other named service providers). Such approval must be based 
on a finding that the policies and procedures are reasonably 
designed to prevent violations of the federal securities laws by the 
fund, the investment adviser and the other named service providers. 
See id.
    \95\ See Investment Company Institute, Financial Intermediary 
Controls and Compliance Assessment Engagements (Dec. 2015) at 8, 
available at https://www.ici.org/pdf/ppr_15_ficca.pdf (identifying a 
financial intermediary's ``Business Continuity/Disaster Recovery 
Program'' as one of 17 areas of focus that ``should be addressed on 
an annual basis as part of the financial intermediary's controls and 
compliance engagements.''); see also AICPA, Reporting on Controls at 
a Service Organization (2015), available at https://www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AT-00801.pdf. 
Many advisers review SSAE 16 reports that are prepared by an 
independent public accountant in accordance with the American 
Institute of CPAs' Auditing Standards Boards' Statement on Standards 
for Attestation Engagements No. 16, Reporting on Controls at a 
Service Organization. These reports provide assurances that the 
service provider has established a system of internal controls, that 
the internal controls are suitably designed to achieve specified 
objectives, and that the internal controls are operating 
effectively.
---------------------------------------------------------------------------

e. Transition Plan
    Under the proposed rule, an adviser's business continuity and 
transition plan would have to include a plan of transition that 
accounts for the possible winding down of the adviser's business or the 
transition of the adviser's business to others in the event the adviser 
is unable to continue providing advisory services.\96\ Advisers facing 
the decision to exit the market commonly do so by: (1) Selling the 
adviser or substantially all of the assets and liabilities of the 
adviser, including the existing advisory contracts with its clients, to 
a new owner; (2) selling certain business lines or operations to

[[Page 43542]]

another adviser; \97\ or (3) the orderly liquidation of fund clients or 
termination of separately managed account relationships.\98\ Regardless 
of the method an adviser chooses to effect a transition, we believe 
that assessing and planning for potential impediments associated with 
that method should help an adviser act in its clients' best interests 
by seeking to mitigate potentially negative effects on its clients and 
investors.\99\
---------------------------------------------------------------------------

    \96\ Cf. FINRA Rule 4370(c)(10) (requiring BCPs to address 
``[h]ow the member will assure customers' prompt access to their 
funds and securities in the event that the member determines that it 
is unable to continue its business''); NASAA Model Rule 203(a)-1A(4) 
(stating that BCPs should provide for the ``[a]ssignment of duties 
to qualified responsible persons in the event of the death or 
unavailability of key personnel''). Transition of an adviser's 
business to others generally would, for example, include a situation 
where the adviser is a sole proprietor who is no longer able to 
provide advisory services and is, therefore, transferring its 
business to another person/firm or winding down operations entirely. 
Such succession/transition planning generally should be accounted 
for in the context of an adviser's plan of transition.
    \97\ See supra note 59 (discussing partial transitions of an 
adviser's business).
    \98\ See, e.g., Prudential Financial Inc. 2014 Resolution Plan: 
Public Section (June 30, 2014), available at https://www.federalreserve.gov/bankinforeg/resolution-plans/prudential-fin-1g-20140701.pdf; American International Group, Inc. Resolution Plan 
Section 1: Public Section (July 1, 2014), available at https://www.federalreserve.gov/bankinforeg/resolution-plans/aig-1g-20140701.pdf. These two nonbank financial companies have been 
designated ``systemically'' important by FSOC and also have 
investment adviser subsidiaries. The publicly-available summaries of 
their resolution plans filed with the Federal Reserve indicate that 
they would seek to either sell their advisory businesses or seek 
Chapter 11 bankruptcy proceedings for their advisory entities.
    \99\ An adviser may also wish to consider in the context of its 
transition plan, if and when it would be appropriate to use a 
transition manager. A transition manager facilitates and coordinates 
``the transition of asset management from one manager to another, or 
from one asset class or investment strategy to another.'' See supra 
note 41.
---------------------------------------------------------------------------

    We believe that a plan of transition generally should account for 
transitions in both normal and stressed market conditions,\100\ and 
generally should consider each type of advisory client, the adviser's 
contractual obligations to clients, counterparties, and service 
providers, and the relevant regulatory regimes under which the adviser 
operates.\101\ Under the proposed rule, the transition components of a 
business continuity and transition plan would have to include (1) 
policies and procedures intended to safeguard, transfer and/or 
distribute client assets during transition; (2) policies and procedures 
facilitating the prompt generation of any client-specific information 
necessary to transition each client account; (3) information regarding 
the corporate governance structure of the adviser; (4) the 
identification of any material financial resources available to the 
adviser; and (5) an assessment of the applicable law and contractual 
obligations governing the adviser and its clients, including pooled 
investment vehicles, implicated by the adviser's transition. Each of 
the proposed required components of an adviser's transition plan is 
designed to help an adviser be well prepared for a transition so that 
it can act quickly and in its clients' best interests if and when a 
transition occurs.
---------------------------------------------------------------------------

    \100\ See supra notes 38-39 and accompanying text (discussing 
the 2008 financial crisis and transition planning generally).
    \101\ In addition to contractual obligations to its clients and 
vendors, an adviser that provides other services to entities, such 
as to another adviser, generally should consider its contractual 
obligations as a service provider to those other entities as it 
plans for a transition event.
---------------------------------------------------------------------------

    We believe that preserving the safety of client assets and the 
ability to promptly produce and transfer the information necessary for 
the ongoing management of client assets is fundamental to an adviser 
acting in the best interests of its clients. The adviser's policies and 
procedures addressing how the adviser intends to safeguard, transfer 
and/or distribute client assets in the event of a transition generally 
should consider the unique attributes of each type of the adviser's 
clients (e.g., registered investment companies, private funds, 
separately managed accounts) and how the adviser plans to transfer 
accurate client information to other advisers or their service 
providers. For example, the transfer of client information with respect 
to registered investment companies and private funds may be more 
complex than that of separately managed accounts because registered 
investment companies and private funds typically have multiple 
investors, whereas separately managed accounts typically have only one 
investor.
    It is our understanding that the methods for safeguarding, 
transferring, and/or distributing client assets may vary by client type 
and that the best method for one client might not be the best method 
for another.\102\ Thus, we believe an adviser's policies and procedures 
should appropriately account for the different methods in which it 
plans to safeguard, transfer, and/or distribute assets of its different 
types of clients. Additionally, if a client account holds assets that 
would require special instruction or treatment in the event of 
transition, an adviser's policies and procedures generally should 
address such instruction or treatment.\103\
---------------------------------------------------------------------------

    \102\ For example, if the adviser manages registered investment 
companies, the investment companies' board(s) may determine that the 
best method for transferring the assets of these funds is to 
reorganize them into funds managed by a new adviser. Separately 
managed accounts, however, would not be reorganized, but may have 
other considerations unique to them, such as whether a new custodian 
would be necessary for a new adviser.
    \103\ For example, it is our understanding that when 
transitioning accounts from one adviser to another, derivatives 
positions require special treatment in that they are typically 
unwound rather than transferred to the new adviser and that the 
terms of the derivatives instrument may dictate whether and how such 
unwinding takes place.
---------------------------------------------------------------------------

    Further, the transition plan should also contain policies and 
procedures that would facilitate the prompt generation of any client-
specific information necessary to transition a client account, such as 
the identity of custodians, positions, counterparties, collateral, and 
related records of each client. Similar to the need to have accurate 
and accessible client information in the event of a business continuity 
scenario, we believe that this information is necessary to effect a 
smooth transition of the management of client accounts.
    We believe senior executives at an investment adviser generally, 
and especially in times of stress, should be able to quickly identify 
the important decision-makers within the organization and understand 
the inter-relationships between the adviser and any affiliated entities 
to be able to assess whether and how issues at an affiliate may affect 
the advisory entity. For example, an adviser that uses an affiliate as 
a qualified custodian may face additional issues if the transition 
event is related to that affiliate's operations. We believe that this 
information is necessary if the adviser needs to assess the manner in 
which it can exit the market with minimal adverse effect on its clients 
or to take steps necessary to protect itself from issues that may stem 
from an affiliated entity. Accordingly, with respect to the adviser's 
corporate governance structure, the transition component of a business 
continuity and transition plan generally should include an 
organizational chart and other information about the adviser's 
ownership and management structure, including the identity and contact 
information for key personnel, and the identity of affiliates (both 
foreign and domestic) whose dissolution or distress could lead to a 
change in or material impact to the adviser's business operations.\104\
---------------------------------------------------------------------------

    \104\ An advisory entity may be adversely affected by an 
affiliate's distress if, for example, the adviser and distressed 
affiliate share systems, personnel, sources of financing, or similar 
names.
---------------------------------------------------------------------------

    Registered investment advisers manage a variety of products and 
security types, with investments in and investors from various 
jurisdictions and are subject to a variety of contractual and legal 
obligations and regulatory regimes. An adviser's ability to seamlessly 
transition advisory services could be impacted by its or its clients' 
contractual obligations or the various regulatory regimes under which 
the adviser or its advisory client may be subject. For example, an 
adviser's insolvency or termination may trigger a termination clause in 
a client's

[[Page 43543]]

derivative contract.\105\ Also, the board and shareholders of a 
registered investment company must approve an advisory contract with 
any new adviser \106\ and the Advisers Act requires advisory contracts 
to include a provision that a contract cannot be assigned without 
client consent.\107\ Other regulatory regimes may require regulatory 
approval for certain acts,\108\ which may be further complicated by the 
need for cross-border cooperation if the adviser operates in multiple 
jurisdictions \109\ or the adviser's pooled investment vehicle clients 
are domiciled in different jurisdictions.\110\ Accordingly, we are 
proposing that an adviser's transition plan include an assessment of 
the applicable law and contractual obligations governing the adviser 
and its clients, including pooled investment vehicles, implicated by 
the adviser's transition.
---------------------------------------------------------------------------

    \105\ Some ISDA contracts include the default provision allowing 
for the counterparty to terminate a contract upon the change of 
advisers.
    \106\ Section 15(a) of the Investment Company Act states that 
``[i]t shall be unlawful for any person to serve or act as 
investment adviser of a registered investment company except 
pursuant to a written contact, which . . . has been approved by the 
vote of a majority of the outstanding securities of such registered 
company . . . .'' Additionally, section 15(c) of the Investment 
Company Act states that ``it shall be unlawful for any registered 
investment company having a board of directors to enter into . . . 
any contract or agreement, written or oral, whereby a person 
undertakes regularly to serve or act as investment adviser of . . . 
such company, unless the terms of such contract or agreement and any 
renewal thereof have been approved by the vote of a majority of 
directors, who are not parties to such contract or agreement or 
interested persons of any such party, cast in person at a meeting 
called for the purpose of voting on such approval.'' But see, e.g., 
rule 15a-4 under the Investment Company Act (allowing funds, in 
certain circumstances, to enter into interim advisory agreements 
without an in-person board meeting and without the fund's 
shareholders first approving the agreement); see generally JP Morgan 
Chase/Bear Stearns Asset Management, SEC Staff No-Action Letter 
(July 14, 2008) (providing staff no-action relief following the US-
government-brokered emergency sale of Bear Stearns Companies Inc. to 
JP Morgan Chase & Co., to allow Bear Stearns Asset Management to 
continue to serve as investment adviser to its funds without prior 
in-person approval by the funds' board of directors due to the 
extraordinary circumstances surrounding the sale of its parent 
company).
    \107\ Section 205(a)(2) of the Advisers Act requires any 
investment advisory contract to contain a provision indicating 
``that no assignment of such contract shall be made by the 
investment adviser without the consent of the other party to the 
contract.'' Section 202(a)(1) of the Advisers Act defines 
``assignment,'' for purposes of the Advisers Act, to include ``any 
direct or indirect transfer or hypothecation of an investment 
advisory contract by the assignor or of a controlling block of the 
assignor's outstanding voting securities by a security holder of the 
assignor. . . .''
    \108\ See, e.g., Third Avenue Trust and Third Avenue Management 
LLC, Investment Company Act Rel. No. 31943 (Dec. 16, 2015) (Notice 
and Temporary Order) (permitting the suspension of the right of 
redemption of Third Avenue Trust's outstanding redeemable 
securities).
    \109\ For example, as of January 4, 2016, the number of foreign 
registrations of SEC-registered investment advisers was 2,279, 
representing 1,051 SEC-registered investment advisers, some of which 
were registered in multiple foreign jurisdictions. Additionally, 
there were 780 foreign investment advisers registered with the 
Commission as of that same date. Based on data from IARD.
    \110\ When evaluating options for Long-Term Capital Management, 
L.P. during its collapse, the effects of the fund filing for 
bankruptcy were not clear because the fund was managed by an 
advisory entity domiciled in Delaware and located in Connecticut, 
while the fund itself was domiciled in the Cayman Islands, where the 
rights of its counterparties to liquidate collateral under the U.S. 
Bankruptcy Code would have been delayed because the fund would have 
likely had to seek bankruptcy protection in the Cayman Islands 
courts, under Cayman law. See Report of The President's Working 
Group on Financial Markets, Hedge Funds, Leverage, and the Lessons 
of Long-Term Capital Management (Apr. 28, 1999), available at 
https://www.treasury.gov/resource-center/fin-mkts/Documents/hedgfund.pdf.
---------------------------------------------------------------------------

    Finally, we believe it is important for an adviser to have 
considered in advance its strategy for either avoiding or facilitating 
a transition of its business and client accounts in the event the 
adviser is in material financial distress such that its ability to 
continue providing advisory services to its clients or otherwise acting 
in its clients' best interests could be impacted or undermined.\111\ 
Accordingly, the proposed rule requires that the adviser's plan of 
transition consider any material financial resources available to the 
adviser. For example, the adviser could identify any material sources 
of funding, liquidity, or capital it would seek in times of stress in 
order to continue operating \112\ or consider how it would implement a 
reduction of expenses or other alternatives.
---------------------------------------------------------------------------

    \111\ We note that, in certain circumstances, an adviser is 
required to ``disclose any financial condition that is reasonably 
likely to impair [the adviser's] ability to meet contractual 
commitments to clients.'' See Form ADV, Part 2, Item 18.
    \112\ When considering any material financial resources 
available to it, the adviser also could identify any insurance 
coverage.
---------------------------------------------------------------------------

f. Request for Comment
    We seek comment on the proposed requirement to adopt and implement 
a business continuity and transition plan, and the proposed components 
of that plan.
     Should we require all SEC-registered advisers to adopt and 
implement business continuity and transition plans? Or should we 
identify only a subset of SEC-registered advisers that must implement 
such plans? Which advisers should be in such a subset (e.g., large 
advisers with assets under management over a specific threshold, 
advisers affiliated with financial institutions, etc.) and why?
     Rather than adopting the proposed rule, should the 
Commission issue guidance under rule 206(4)-7 under the Advisers Act 
addressing business continuity and transition plans? If so, should that 
guidance set forth possible elements of such a plan?
     What, if any, implications will the proposed rule have for 
investment advisers that are also subject to other regulatory 
requirements as to business continuity and/or transition planning 
(e.g., FINRA or CFTC rules on BCPs)? For example, would the proposed 
rule be inconsistent with an adviser's obligations under other 
regulatory requirements?
     Should we require business continuity and transition plans 
to include each of the proposed components? Alternatively, should the 
rule require advisers to have a business continuity and transition 
plan, and specify certain components of a plan in the form of a safe 
harbor provision? Or, should the rule not specify required components 
of a plan and instead allow advisers to determine the appropriate 
components of their plans? Are there any components we should remove 
from the proposed list of required components? Are there any components 
we should add or expand upon? For example, with respect to a pre-
arranged alternate physical location(s) of the adviser's office(s) and/
or employees, should we require that an adviser's business continuity 
and transition plan include an alternate location at a specified 
distance away from its primary location? Should we require an adviser's 
communication plan to extend to investors in certain types of pooled 
investment vehicles? If so, which specific types of pooled investment 
vehicles and how should the term ``investors'' be defined for each type 
of pooled investment vehicle? Should we require an adviser to have 
policies and procedures that address the identification, assessment, 
and review of critical third-party vendors that the adviser arranges or 
oversees for its clients?
     Are there any components of the NASAA model rule or 
guidance, or other rules or guidance addressing BCPs, that we have not 
addressed in the proposed rule that we should address? Should advisers 
with certain types of clients, including for example advisers to 
registered investment companies or sponsors of wrap programs, be 
required to undergo additional obligations with regard to adopting and 
implementing a business continuity and transition plan? What additional 
steps should such advisers be required to take with respect

[[Page 43544]]

to such clients and/or such clients' service providers?
     Are each of the proposed components of a business 
continuity and transition plan clear or should we provide additional 
information and/or definitions for any of the components? If so, what 
additional information or definitions are needed? For example, should 
we provide a definition of ``significant business disruption,'' 
``unable to continue providing investment advisory services,'' or 
``pooled investment vehicle''? Alternatively, should we require 
investment advisers to define certain terms, like ``significant 
business disruption'' or ``unable to continue providing investment 
advisory services,'' within their plans?
     Should all advisers be required to include each of the 
proposed components in a business continuity and transition plan or 
should certain advisers be exempt from including certain components? If 
certain advisers should be exempt, why? For example, should only 
certain advisers be required to adopt and implement the transition plan 
component of the proposed rule or is there a subset of investment 
advisers with operations so limited that the adoption and 
implementation of a transition plan (or certain components of the 
transition plan requirement) would not be beneficial? If so, what 
criteria could be used to identify this subset of advisers? Are there 
alternative or streamlined measures that these advisers could take to 
facilitate an orderly transition in the event of a significant 
disruption to the adviser's operations? If these advisers did not have 
transition plans, should they be required to disclose the absence of 
such plan?
     With respect to each of the proposed components of a 
business continuity and transition plan, we have provided information 
as to the items and/or actions that we believe generally should be 
encompassed within a particular component. Is there additional 
information that we should provide, or any information that we should 
exclude or modify, regarding any of the proposed components of a plan? 
Alternatively, instead of permitting advisers the flexibility to draft 
their plans based on the complexity of their businesses, should we 
require advisers to address each component in a prescriptive manner by 
requiring specific mechanisms for addressing particular risks?
     Should we adopt a more prescriptive rule that calls for a 
more specific transition plan similar to the ``Living Wills'' required 
by the Federal Reserve Board and the FDIC for large banks and 
systemically important non-bank entities? \113\ If so why, and what 
specifically should the rule require?
---------------------------------------------------------------------------

    \113\ These resolution plans require, among other things: (1) 
Information regarding the manner and extent to which any insured 
depository institution affiliated with the company is adequately 
protected from risks arising from the activities of any nonbank 
subsidiaries of the company; (2) full descriptions of the ownership 
structure, assets, liabilities, and contractual obligations of the 
company; and (3) identification of the cross-guarantees tied to 
different securities, identification of the major counterparties, 
and a process for determining to whom the collateral of the company 
is pledged. See Resolution Plans, supra note 40.
---------------------------------------------------------------------------

     As part of the proposed rule, should we require advisers 
to provide disclosure to their clients about their business continuity 
and transition plans? If so, what should be the format of such 
disclosure (e.g., summary of plan, copy of plan)? When or how 
frequently should this disclosure be provided? Should we require 
advisers to disclose to their clients incidents where they relied on or 
activated their business continuity and transition plans? If so, what 
should be the format of such disclosure? What types of incidents should 
be disclosed or not disclosed?
     As part of the proposed rule, should we require advisers 
to report to the Commission incidents where they rely on their business 
continuity and transition plans? If so, under what circumstances should 
advisers be required to report to the Commission and how should 
advisers report this information? When should the required reporting 
occur?
     Should we require advisers to file their business 
continuity and transition plans, or a summary thereof, with the 
Commission? Should these filings be made available to the public? Why 
or why not? Are business continuity and transition plans considered 
proprietary to an adviser such that disclosing its plan to the public 
(either through a Commission filing or through disclosure to a client) 
creates additional risk exposure to the adviser?
2. Annual Review
    Under the proposed rule, each adviser would be required to review 
the adequacy of its business continuity and transition plan and the 
effectiveness of its implementation at least annually. The review 
generally should consider any changes to the adviser's products, 
services, operations, critical third-party service providers, 
structure, business activities, client types, location, and any 
regulatory changes that might suggest a need to revise the plan.
    The annual review provision is designed to require advisers to 
evaluate periodically whether their business continuity and transition 
plans continue to, or would, work as designed and whether changes are 
needed for continued adequacy and effectiveness. For example, the 
review generally should include an analysis of whether a business 
continuity and transition plan adequately protects client interests 
from being placed at risk and to mitigate such risks in the event the 
adviser experiences a significant disruption in its operations. In 
addition, annual reviews generally should address weaknesses an adviser 
may have identified in any testing it has done or assessments that have 
been performed to address the adequacy and effectiveness of its 
business continuity and transition plan, as well as any lessons learned 
if an event required the plan to be carried out during the previous 
year, including any changes made or contemplated as a result of the 
event.
     Should we require that business continuity and transition 
plans be reviewed at least annually, as proposed? Should we expressly 
require reviews of business continuity and transition plans to be 
documented in writing? Should we require more frequent or less frequent 
review of business continuity and transition plans? In addition to 
annual review, should we require that advisers review their plans when 
specific events occur? For example, should we require plans be reviewed 
when an adviser has an event that causes it to rely on its plan? Should 
we require plans be reviewed based on changes to the adviser's 
operations or processes, changes in the ownership or business structure 
of the adviser, compliance or audit recommendations, lessons learned 
from testing or disruption events, and/or regulatory developments?
     Should we require advisers to report to the Commission 
regarding the annual review of their business continuity and transition 
plans? If so, what should be the format of the report?
     Should we explicitly require advisers to annually review 
the business continuity and transition plans of their third-party 
service providers that provide critical services to the adviser and its 
clients? If so, how should these reviews be conducted? What types of 
documentation could be requested to perform these reviews?
     Should we specifically require advisers to periodically 
test their business continuity and transition plans or certain material 
components thereof to assess whether the plans are adequate and 
effective? If so, how should such testing be conducted? What should be

[[Page 43545]]

included in the scope of such review? How often should such testing be 
required?
3. Recordkeeping
    The proposed amendments would require SEC-registered advisers to 
maintain copies of all written business continuity and transition plans 
that are in effect or were in effect at any time during the last five 
years after the compliance date. We are requiring an adviser to 
maintain a copy of the plan currently in effect because we believe that 
it is important that advisers have easy access to necessary information 
during periods of stress. The proposed rule would also require that 
advisers keep any records documenting their annual review.\114\ Our 
rules permit advisers to maintain these records electronically.\115\ 
These proposed new recordkeeping requirements will assist our 
examination staff in evaluating an adviser's compliance with the new 
rule, including evaluating whether the adviser's business continuity 
and transition plan includes all required components. These proposed 
requirements track the recordkeeping requirements under rule 204-2 
regarding an adviser's compliance policies and procedures.
---------------------------------------------------------------------------

    \114\ Pursuant to rule 204-2(e)(1) of the Advisers Act, advisers 
would have to maintain any records documenting their annual review 
in an easily accessible place for at least five years after the end 
of the fiscal year in which the review was conducted, the first two 
years in an appropriate office of the investment adviser.
    \115\ See rule 204-2(g) under the Advisers Act.
---------------------------------------------------------------------------

    We request comment on the proposed recordkeeping requirements.
     Should we require advisers to maintain copies of their 
business continuity and transition plans that are in effect or were in 
effect at any time during the last five years, as proposed? If not, 
what, if any, recordkeeping requirements should we adopt with respect 
to business continuity and transition plans? Is five years an 
appropriate retention period? Should it be longer or shorter? Why?
     Should we require advisers to keep any records documenting 
their annual review of their business continuity and transition plans, 
as proposed?

II. Economic Analysis

A. Introduction

    The Commission is sensitive to the potential economic effects of 
proposed rule 206(4)-4 and the proposed amendments to rule 204-2. These 
effects include benefits and costs to SEC-registered advisers, clients, 
and fund investors as well as broader implications for market 
efficiency, competition, and capital formation.\116\ The economic 
effects of the proposed rule are discussed below in the context of the 
primary goals of the proposed regulation.
---------------------------------------------------------------------------

    \116\ The Commission recognizes that there are other entities 
that could be affected by the proposed rule. For example, vendors 
might have to adapt to meet the new demands of their clients under 
the proposed rule and that could change the nature of those product/
service markets, which in turn could have further economic effects 
on advisers and their clients and investors. However, the effects of 
the rulemaking on such entities are uncertain and difficult to 
predict given they are not direct effects of the proposed rule.
---------------------------------------------------------------------------

    We have sought, where possible, to quantify the costs, benefits, 
and effects on efficiency, competition, and capital formation expected 
to result from the proposed regulations. However, as discussed below, 
in certain cases, we were unable to quantify the economic effects 
because we lack the information necessary to provide reasonable 
estimates, such as the extent to which some advisers already have 
business continuity or transition plans that would satisfy some or all 
of the requirements of the proposed rule, the likelihood of business 
disruptions, and the share of costs arising from the proposed rule that 
advisers will pass through to its clients. Therefore, some of the 
discussions below are qualitative in nature.
    Under the proposed rule, the content of an SEC-registered adviser's 
business continuity and transition plan shall be based upon risks 
associated with the adviser's operations and shall include policies and 
procedures designed to minimize material service disruptions, including 
policies and procedures that address the following: (1) Maintenance of 
critical operations and systems, and the protection, backup, and 
recovery of data; (2) pre-arranged alternate physical location(s) of 
the adviser's office(s) and/or employees; (3) communications with 
clients, employees, service providers, and regulators; (4) 
identification and assessment of third-party services critical to the 
operation of the adviser; and (5) plan of transition that accounts for 
the possible winding down of the adviser's business or the transition 
of the adviser's business to others in the event the adviser is unable 
to continue providing advisory services. The proposed rule also 
requires that each SEC-registered adviser review, no less frequently 
than annually, the adequacy of its business continuity and transition 
plan and the effectiveness of its implementation. In addition, the 
proposed amendments to rule 204-2 under the Advisers Act requires these 
advisers to make and keep records of all business continuity and 
transition plans that are in effect or were in effect at any time 
within the past five years.
    The goal of these proposals is to require that all advisers have 
sufficiently robust plans to mitigate the potential adverse effects of 
significant business disruptions or transition events. Specifically, 
the proposed rule requires SEC-registered advisers to adopt plans 
reasonably designed to protect clients and fund investors from the risk 
that, in the wake of a significant business disruption or transition 
event, advisers are unable to provide services and continue operations. 
Such disruptions may put clients' and investors' interests at risk if, 
for example, an adviser lacks the ability to make trades in a 
portfolio, is unable to receive or implement directions from clients, 
or its clients are unable to access their assets or accounts.
    Because clients and investors should be averse to these outcomes, 
one might expect all advisers to already have plans in place to 
minimize the risks posed by significant business disruptions or 
business transitions without being legally required to do so. It 
appears, however, that, in the context of business continuity and 
transition plans, market pressures do not fully align the interests of 
all advisers with those of their clients and fund investors, as staff 
has observed that some advisers have adopted plans that may not be 
sufficiently robust in light of the operational and other risks 
specific to their businesses. Our staff's observations that business 
continuity and transition plans are not uniformly robust suggest that 
both advisers and their clients may not fully take into account, or 
internalize, the potential benefits of comprehensive business 
continuity and transition plans as well as the potential costs of 
operating without them.
    There are several possible reasons for this misalignment. As an 
initial matter, the types of business disruptions addressed by this 
proposal are infrequent, and are not necessarily publicly observable 
when they do occur; this may make it difficult for market participants 
to fully internalize the ramifications of those events. For example, an 
adviser that underestimates the likelihood of a significant disruption 
or the harm it could cause to the viability of its business may not 
believe the cost of a more robust business continuity plan is 
justified. Furthermore, because many advisers may have never 
experienced a significant business disruption, they might not properly 
assess whether their existing plans are sufficiently robust. And while 
some clients and investors may recognize the benefits of business

[[Page 43546]]

continuity planning and demand it of their advisers, others may not 
fully understand these benefits due to the rarity of significant 
disruptions.
    In addition, staff observations resulting from specific SEC 
examinations are generally not made public, so any examination findings 
identified with respect to one adviser's plan will generally provide no 
guidance to other advisers, or to their clients and investors, as to 
what robust plans might contain. Although Commission staff has 
published alerts identifying overall observed weaknesses in advisers' 
business continuity plans, those alerts provide aggregated, non-
specific information that may not inform advisers or their clients and 
investors of the expected content of robust plans.\117\ Moreover, it is 
possible that some advisers may not review those alerts and therefore 
do not adjust their business continuity plans in response to the 
identified strengths and weaknesses; similarly, many clients and 
investors, particularly smaller or retail investors, may not review the 
alerts and thus do not exert pressure on their advisers to address in 
their own plans the general weaknesses identified by the 
Commission.\118\
---------------------------------------------------------------------------

    \117\ See, e.g., NEP Risk Alert, supra note 30.
    \118\ We note that, based on staff experience, large 
institutional clients often have rigorous due diligence processes 
that evaluate an adviser's operational and other risks, while 
smaller retail clients may not engage in such a thorough review of 
operational and other risks.
---------------------------------------------------------------------------

    Furthermore, advisers generally do not make their business 
continuity plans (or transition plans) public, though based on 
Commission staff's experience, we understand that most will provide a 
summary of those plans or other information related to their 
operational and other risks to clients and investors upon request. 
Clients and investors that request, review, and comment on these plans 
are more likely to exert some degree of pressure on their advisers 
regarding the content of their plans, thereby leading to more robust 
plans. Thus, the composition of an adviser's client base may impact the 
current state of its business continuity and transition plans and may 
lead to the heterogeneity in the quality of such plans that our staff 
has observed across advisers. The Commission believes, based on staff 
experience, that larger institutional clients and investors, compared 
to smaller or retail clients and investors, are more likely to engage 
in extensive due diligence processes that involve such review of 
existing plans. The content of business continuity and transition plans 
for advisers with larger institutional clients and investors may 
therefore be more likely to reflect such client or investor input than 
plans of advisers with only smaller, retail clients or investors. In 
addition, because plans are not generally public, advisers cannot 
compare their own plans with those of other advisers to assess the 
relative strengths and weaknesses of their plans and therefore do not 
have the opportunity to craft or revise their own plans with the 
knowledge of how others in the industry are addressing the same issues. 
These factors, combined with the absence of any specified requirements 
for components of business continuity plans (or transition plans) in 
existing regulation, may have contributed to staff's observations that 
such plans are not uniformly robust.
    Advisers also may not fully internalize the benefits of transition 
planning. For example, it is possible that advisers do not necessarily 
have adequate incentives to ensure that a business transition takes 
into account all of the various components of a robust plan set forth 
in the proposed rule, given that an adviser no longer receives fees 
after that transition. In addition, transition events, like business 
disruptions, are relatively rare; accordingly, advisers may not 
properly assess the likelihood of such events, the potential 
consequences of failing to adequately prepare, or the benefits of 
ensuring a smooth transition.
    To address the issues identified above, the proposed rule requires 
advisers to assess the operational and other risks associated with its 
business operations and identifies components that must be addressed in 
business continuity and transition plans. The rule aims to address the 
lack of uniformly robust plans previously observed by staff and 
requires each SEC-registered investment adviser to adopt and implement 
a written business continuity and transition plan based upon the risks 
associated with the adviser's operations.

B. Economic Baseline

    The investment adviser regulatory regime currently in effect serves 
as the economic baseline against which the benefits and costs, as well 
as the impact on efficiency, competition, and capital formation of the 
proposed rule are discussed. As of January 4, 2016, there were 11,956 
SEC-registered investment advisers with approximately $67 trillion in 
regulatory assets under management. In this market, which has been 
described as being highly competitive,\119\ advisers are likely to 
compete on, among other things, fees charged to clients, returns or 
performance, and the level of services provided to meet client needs.
---------------------------------------------------------------------------

    \119\ See supra section I.A and note 7.
---------------------------------------------------------------------------

    The proposed rule would affect all SEC-registered investment 
advisers, as well as each adviser's clients (including registered 
funds, private funds, and individual separately managed accounts) and 
the investors in fund clients. Currently, Commission guidance indicates 
that an SEC-registered adviser's compliance policies and procedures 
should include business continuity planning to the extent it is 
relevant to the adviser's business. The content of those BCPs, however, 
is not addressed by current Commission rules, and may not specifically 
include policies and procedures regarding business transitions.
    As noted previously, our staff has noticed variation in the 
business continuity and/or transition plans that they have seen during 
examinations. Some advisers, pursuant to the Compliance Program Rule or 
as a prudent business practice, have adopted plans which may be 
consistent with the new requirements being proposed, while others have 
not. Accordingly, the benefits and costs to a given adviser, client, or 
fund investor will depend on the current state of the adviser's 
business continuity and transition plan.

C. Benefits and Costs and Effects on Efficiency, Competition, and 
Capital Formation

    Taking into account the goals of the proposed rule and the economic 
baseline, as discussed above, this section explores the benefits and 
costs of the proposed rule, as well as the potential effects of the 
proposed rule on efficiency, competition, and capital formation.
1. Benefits
    Clients and investors in funds managed by SEC-registered advisers, 
advisers themselves, and the financial markets as a whole may benefit 
from the proposed rule. In general, we cannot quantify the total 
benefits to the affected parties because we lack data on certain 
factors relevant to such an analysis, such as investor preferences and 
the likelihood of business disruptions. For example, without knowing 
how risk averse clients are to investing via advisers without robust 
BCPs, we cannot quantify the benefits they might derive from 
improvements in those BCPs. Similarly, it is difficult to estimate the 
probability of the types of business disruptions addressed by the 
proposed rule, which precludes precisely estimating the ex-ante costs 
of inadequate plans under the economic

[[Page 43547]]

baseline. However, we discuss the expected benefits qualitatively 
below.
    We anticipate that clients and investors in funds managed by 
registered advisers will benefit from the proposed rule. Requiring SEC-
registered advisers to adopt and implement business continuity and 
transition plans will likely reduce the risk that investors and 
advisory clients will be harmed or affected in the event a business 
continuity or transition issue actually occurs. For example, advanced 
planning to address issues in the event of a disruption may reduce the 
risk that advisory accounts might be left unmanaged or that clients do 
not have access to their funds during an adviser's business 
interruption or transition, or at least shortens the time of such a 
disruption. As discussed above, whether it is due to prudent business 
practices or adherence to the Commission guidance in the Compliance 
Program Rule, some advisers may already have robust business continuity 
and transition plans in place that are consistent with the new 
requirements being proposed. The incremental benefits of the proposed 
rule to those advisers' clients and investors would likely be less than 
the benefit to the clients and investors of an adviser without such 
strong operational controls.
    The proposed rule will also benefit registered advisers by 
requiring their business continuity and transition plans to include 
policies and procedures that address certain specific components, which 
should help the advisers better prepare for significant disruptions in 
their operations. While Commission guidance indicates that an SEC-
registered adviser's compliance policies and procedures should address 
BCPs to the extent that they are relevant to an adviser, the Commission 
has not previously specified what such a BCP should address. To the 
extent registered advisers have not already adopted and implemented 
robust BCPs that are consistent with the new requirements being 
proposed, requiring them to review the risks associated with their 
operations and plan for significant business disruptions or transitions 
should encourage them to enhance their ongoing efforts to mitigate 
risks attendant with their operations and business practices and may 
help them be better prepared to address business continuity and 
transition events if and when they occur.
    Finally, the proposed rule and the planning it requires of advisers 
could have ancillary benefits for the broader financial markets. For 
example, consider an adviser with significant assets under management 
who trades actively enough to be considered a liquidity provider in a 
particular market. If this adviser were to suffer a significant 
business disruption event that prevented it from participating in that 
market for several days, then the liquidity of the market could be 
negatively affected.\120\ While a business continuity and transition 
plan would not be able to completely prevent such a disruption, it may 
decrease the adviser's recovery time and hence the disruption's impact 
on the market.
---------------------------------------------------------------------------

    \120\ See, e.g., George O. Aragon & Philip E. Strahan, Hedge 
funds as liquidity providers: Evidence from the Lehman bankruptcy, 
J. Financ. Econ., Vol. 103, Issue 3 (Mar. 2012) at 570-587 
(concluding that ``the market liquidity of stocks held by Lehman's 
hedge-fund clients fell more during the [2008 financial] crises than 
otherwise similar stocks not held by these funds.'')
---------------------------------------------------------------------------

2. Costs
    As with the benefits, costs of the proposed rule will be shared by 
advisers and their clients and fund investors. Generally, advisers will 
incur the direct costs associated with developing and maintaining 
robust business continuity and transition plans, though some of those 
costs may ultimately be passed through to their clients and fund 
investors. These costs are discussed in more detail below.
a. Costs to Advisers
    Proposed rule 206(4)-4 likely will result in an SEC-registered 
adviser incurring one-time and ongoing operational costs, described in 
detail below, to adopt and implement a business continuity and 
transition plan that is reasonably designed to address the operational 
and other risks related to a significant disruption in the adviser's 
operations. As an initial matter, it is difficult to determine the 
estimated costs for advisers with precision because of the variation in 
existing BCPs and the extent to which such plans will need to be 
revised to be compliant with the proposed rule. Because Commission 
guidance indicates that SEC-registered advisers' compliance policies 
and procedures should address BCPs to the extent that they are relevant 
to an adviser, the nature of an adviser's existing BCP will also 
greatly affect the initial costs the adviser would expend to comply 
with the proposed rule. Advisers whose current BCPs are closely aligned 
with the requirements of the proposed rule would likely incur lower 
initial compliance costs relative to advisers whose current BCPs are 
not closely aligned with the rule's requirements, while all advisers 
would incur ongoing costs pertaining to the annual review and 
recordkeeping components of the proposed rule. \121\
---------------------------------------------------------------------------

    \121\ The costs estimates provided in this section include total 
costs for developing and maintaining both business continuity plans 
and transition plans. We recognize, however, that the portion of 
these costs attributable to business continuity plans will likely be 
greater than that attributable to the transition plans, as business 
continuity plans generally contemplate acquiring and maintaining, 
for example, more infrastructure, such as secondary storage 
capabilities, than transition plans and is more likely to involve 
retaining third-party vendors to assist with the development or 
maintaining of that infrastructure. Accordingly, the current state 
of an adviser's business continuity plans may have more effect on 
the costs to individual advisers than the current state of the 
adviser's transition plans.
---------------------------------------------------------------------------

    In addition, because the proposed rule requires an SEC-registered 
adviser's plan to be based on the particular risks attendant to that 
adviser's operations, the initial and ongoing costs imposed by the rule 
would vary significantly among firms depending on the complexity of the 
adviser's operations. A number of factors pertaining to an adviser's 
business model can affect the complexity of the adviser's operations. 
Those factors include the adviser's assets under management, number of 
employees, number of offices, number and types of clients (e.g., high 
net worth individuals, private funds, or registered investment 
companies), types of advisory activities, other business activities or 
lines of business which may affect the adviser's advisory business, 
types of investment strategies pursued, and the extent of reliance on 
service providers (in-sourced vs. out-sourced models). The flexibility 
of the proposed rule should allow advisers to tailor their business 
continuity and transition plans to the specific risks their businesses 
face at the minimum possible cost.
    The Commission believes that certain of the above factors may be 
correlated with the adviser's amount of assets under management. For 
example, an adviser with a large amount of assets under management is 
more likely to have more employees, multiple locations, offices, 
numbers and types of clients, and types of business activities than an 
adviser with fewer assets under management.\122\ Accordingly, we

[[Page 43548]]

believe that advisers with larger amounts of assets under management 
are generally more likely to have more complex business operations and 
may therefore need to expend more resources on adopting, implementing, 
and maintaining a business continuity and transition plan than advisers 
with fewer assets under management.\123\
---------------------------------------------------------------------------

    \122\ With regard to employee size, SEC-registered advisers with 
less than $100 million in assets under management have an average of 
28 employees and a median of 4 employees, while SEC-registered 
advisers with over $1 billion in assets under management have an 
average of 180 employees and a median of 31 employees. Based on data 
from IARD as of January 4, 2016. With regard to the number of 
offices maintained by advisers, only 23% of SEC-registered advisers 
with less than $100 million in assets under management maintain more 
than one office, while 47% of SEC-registered advisers with over $1 
billion in assets maintain one or more offices and 11% of these 
larger advisers maintain 5 or more offices. Based on data from IARD 
as of January 4, 2016.
    \123\ There are notable exceptions: for example, a small adviser 
with a technology intensive investment strategy may nevertheless 
have a complex operational risk profile, which could require a more 
complex business continuity and transition plan.
---------------------------------------------------------------------------

i. One-time Costs
    As noted above, the one-time costs associated with developing and 
implementing the policies and procedures associated with a business 
continuity and transition plan will vary significantly among firms 
depending on the nature and complexity of the adviser's operations and 
the current state of their systems and processes. Under the proposed 
rule, SEC-registered advisers need only take into account the risks 
associated with their particular operations. For example, smaller 
advisers that do not have a large number or different types of clients 
or do not maintain numerous offices with numerous employees may not 
need complex systems if their operations result in risks that are easy 
to address. On the other hand, a larger adviser with a large number and 
diverse set of clients, including large registered investment 
companies, with global offices and thousands of employees may need more 
complicated and expensive systems and technology. To the extent that 
adviser size does correlate with operational complexity, SEC 
examination staff has observed that larger advisers have typically 
already devoted significant resources to establish systems or 
technological solutions that address operational and other risks 
related to business continuity.
    Based on our staff's experience, we generally estimate that the 
one-time costs necessary to adopt and implement a business continuity 
and transition plan would range from approximately $30,000 to $1.5 
million \124\ per SEC-registered adviser, depending on the facts and 
circumstances of a particular adviser's operations and the adequacy of 
its existing plan. These estimated costs include internal and external 
costs, explained in more detail below, attributable to the following 
activities: (1) Mostly internal costs associated with developing 
policies and procedures related to each required component of the 
business continuity and transition plan; and (2) external costs 
associated with integrating and implementing the policies and 
procedures as described above (including establishing or upgrading 
current systems and processes to comply with the proposed rule).
---------------------------------------------------------------------------

    \124\ These estimates are based on the aggregated low-end of the 
range and the high-end of the range, respectively, of mostly 
internal costs detailed in the PRA section below and the external 
costs associated with integrating and implementing the plan. 
Specifically, these estimates are based on the following 
calculations, which are described in greater detail in notes 125 
through 129:
     $12,515 low-end estimated internal cost to adviser for 
developing policies and procedures + $4,000 low-end estimated cost 
to adviser for external professional fees for developing policies 
and procedures + $1,000 low-end estimated cost to adviser for 
maintenance of critical operations and systems and the protection, 
backup and recovery of data + $5,000 low-end estimated cost to 
adviser for a prearranged alternative physical location + $0 low-end 
estimated cost to adviser for a plan of communication + $5,000 low-
end estimated cost for third-party oversight = $27,515.
     $147,310 high-end estimated internal cost to adviser for 
developing policies and procedures + $20,000 high-end estimated cost 
to adviser for external professional fees for developing policies 
and procedures + $750,000 high-end estimated cost to adviser for 
maintenance of critical operations and systems and the protection, 
backup and recovery of data + $500,000 high-end estimated cost to 
adviser for a prearranged alternative physical location + $5,000 
high-end estimated cost to adviser for a plan of communication + 
$50,000 high-end estimated cost for third-party oversight = 
$1,472,310.
     See infra, notes 125 through 129.
---------------------------------------------------------------------------

    We anticipate that developing policies and procedures designed to 
minimize material service disruptions, including those related to each 
required component of the business continuity and transition plan will 
largely be done internally because it will require an evaluation of the 
adviser's business operations most suited to be conducted by in-house 
employees familiar with the intricacies of the business operations. 
These costs are quantified and discussed in more detail in the PRA 
section below, but in summary, we estimate that this initial one-time 
cost will range from approximately $17,000 to $170,000, depending on 
the facts and circumstances of a particular adviser's operations and 
the comprehensiveness of their existing plan.\125\
---------------------------------------------------------------------------

    \125\ See infra section III.A.1. This estimate is based on the 
following calculations: $12,515 internal cost to representative 
smaller adviser + $4,000 in external professional fees for 
representative smaller adviser = $16,515. $147,310 internal cost to 
representative larger adviser + $20,000 in external professional 
fees for representative larger adviser = $167,310.
---------------------------------------------------------------------------

    With respect to integration and implementation of the policies and 
procedures described above, an adviser may incur external costs to 
upgrade systems and processes. The external costs incurred by an 
adviser to meet the required components of the proposed rule would be 
directly affected by the current state of the adviser's existing 
systems and processes. For example, the proposed rule specifies that an 
adviser must address the maintenance of critical operations and systems 
and the protection, backup, and recovery of data. While our staff 
observes that most advisers already have systems in place to address 
the protection, backup, and recovery of data, an adviser that does not 
already have a system in place would incur the costs associated with 
implementing an operational solution to protecting its data.\126\ Also, 
the proposed rule specifies that an adviser's plan include a pre-
arranged alternative physical location of its office(s) and/or 
employees. While many advisers already have back-up locations 
identified as a co-location in times of business disruptions and 
equipped their employees to telework if they are unable to travel to 
the primary office location, an adviser that has not adequately 
addressed this component of the proposed rule would incur costs to do 
so in light of the proposed rule.\127\
---------------------------------------------------------------------------

    \126\ We estimate an adviser could spend between $1,000 and 
$750,000 to address the maintenance of critical operations and 
systems, and the protection, backup and recovery of data. The wide 
range is attributable to the varying methods in which advisers may 
address this component of the proposed rule. For example, smaller 
advisers may address data backup and recovery by outsourcing storage 
to a service provider through cloud software, while a large adviser 
dealing with large amounts of data may find it more cost effective 
to purchase data servers dedicated to the adviser.
    \127\ We estimate that an adviser could spend between $5,000 and 
$500,000 to address having a prearranged alternative physical 
location. The wide range is attributable to the varying methods in 
which advisers may address this component of the proposed rule. For 
example, a smaller adviser with minimal employees may be able to 
function by enabling its employees to telework and access the 
adviser's systems remotely instead of requiring formal meeting 
space. Larger advisers with many employees, on the other hand, may 
need to rent office space on a temporary basis or establish co-
locations where employees necessary to the operations of an adviser 
may congregate.
---------------------------------------------------------------------------

    The proposed rule also requires that the adviser address how it 
will communicate with clients, employees, service providers, and 
regulators in the event of a business disruption. While advisers have 
communication tools as part of its general business operations that 
enable it to communicate to its stakeholders (i.e., email, phone, 
etc.), some advisers may have formal, more sophisticated communication 
infrastructure already in place.\128\ The

[[Page 43549]]

proposed rule further requires advisers to engage in an assessment of 
critical third-party vendors, including assessing how service providers 
will maintain business continuity when faced with significant business 
disruption. While some advisers currently have robust vendor management 
programs that take steps to evaluate the resiliency of vendors, 
including reviewing information regarding their BCPs, due diligence 
questionnaires or assurance control reports from an independent party, 
and onsite visits, some advisers do not and will need to incur costs to 
enhance their review of critical third-party vendors.\129\
---------------------------------------------------------------------------

    \128\ We estimate that an adviser could spend between almost 
nothing to up to $5,000 to address having a plan of communication 
with its stakeholders. The wide range is attributable to the varying 
methods in which advisers may address this component of the proposed 
rule. For example, a small adviser with minimal employees could 
manually email or telephone its stakeholders, whereas a large 
adviser with many employees or clients could choose to use an 
automated system to trigger a pre-programmed communication plan.
    \129\ We estimate that an adviser could spend between $5,000 and 
$50,000 to address the requirement for third-party oversight. The 
wide range is attributable to the varying methods in which advisers 
may address this component of the proposed rule. As discussed in 
section I, many advisers may choose to use in-house personnel to 
conduct due diligence of critical service providers, while others 
may choose to pay others to conduct such due diligence on their 
behalf.
---------------------------------------------------------------------------

    Aggregating our estimates for the various components of the rule, 
we estimate that SEC-registered advisers may spend between 
approximately $11,000 and $1.3 million in additional, initial costs to 
upgrade systems and processes to comply with the proposed rule 
depending on the complexity of their operations and the current state 
of their systems and processes, as described above.\130\
---------------------------------------------------------------------------

    \130\ These estimates are based on the aggregated low-end of the 
range and the high-end of the range, respectively, of mostly 
internal costs detailed in the PRA section below and the external 
costs associated with integrating and implementing the plan. 
Specifically, these estimates are based on the following 
calculations:
     $1,000 low-end estimated cost to adviser for maintenance of 
critical operations and systems and the protection, backup and 
recovery of data + $5,000 low-end estimated cost to adviser for a 
prearranged alternative physical location + $0 low-end estimated 
cost to adviser for a plan of communication + $5,000 low-end 
estimated cost for third-party oversight = $11,000.
     $750,000 high-end estimated cost to adviser for maintenance of 
critical operations and systems and the protection, backup and 
recovery of data + $500,000 high-end estimated cost to adviser for a 
prearranged alternative physical location + $5,000 high-end 
estimated cost to adviser for a plan of communication + $50,000 
high-end estimated cost for third-party oversight = $1,305,000.
    See supra, notes 125 through 129.
    These estimates include the assumption that large advisers will 
incur more costs than smaller advisers based on their operational 
risk profile. Because these estimates do not take into account our 
staff observations that larger advisers generally already have more 
robust business continuity plans in place compared to smaller 
advisers, we believe our estimates may overstate the costs to be 
incurred by advisers.
---------------------------------------------------------------------------

ii. Ongoing Costs
    In addition to the one-time initial costs described above, each 
registered adviser would also incur ongoing costs as a result of the 
proposed rule related to the adviser's review of the adequacy of its 
business continuity and transition plan and the effectiveness of its 
implementation. This would involve internal costs associated with 
updating policies and procedures to reflect changes in an adviser's 
operational risk profile and costs of compliance and reporting 
associated with maintaining the plan, but would also include external 
costs associated with maintaining and upgrading systems, maintaining 
alternate work locations, and responding to regulatory changes that 
require revision of the adviser's business continuity and transition 
plan.\131\ As discussed in the PRA section below, based on staff 
experience, we estimate that each adviser, in addition to the initial 
costs described above, would incur ongoing plan-related cost of 
approximately 25% of the adviser's initial costs in adopting and 
implementing a business continuity and transition plan. Accordingly, we 
estimate that an SEC-registered adviser would incur ongoing annual 
costs associated with the proposed rule that would range from $7,500 to 
$375,000.\132\
---------------------------------------------------------------------------

    \131\ See supra section I.C.2 for more details on annual review 
requirements.
    \132\ This estimate is based on the following calculations: .25 
x $30,000 = $7,500 and .25 x $1.5 million = $375,000. See supra note 
124 and accompanying text (discussing total initial costs ranging 
from approximately $30,000 to $1.5 million).
---------------------------------------------------------------------------

    In addition, the proposed amendments to rule 204-2 would require 
registered advisers to maintain records related to the current plan and 
any plan in effect in the previous five years, as well as any records 
documenting the annual review of the plan required by the rule. As 
described in more detail in the PRA section below, we estimate that 
such advisers will spend approximately $150 each year on an ongoing 
basis to meet this requirement.
b. Costs to Clients and Investors
    Some of the costs incurred by advisers as a result of the proposed 
rule may ultimately be passed on from advisers to clients and fund 
investors through higher fees. The extent to which costs are 
transferred to clients and investors depends on several factors, 
including the supply and demand for adviser services. On the demand 
side, the extent to which clients and investors respond to fee changes 
is a function of how highly they value a given adviser's services; the 
proposed rule may increase this valuation if investors value business 
continuity and transition plans and hence increase the demand for 
adviser services at a given fee, but the exact nature of this potential 
shift and its impact on fees is unknown.\133\ On the supply side, if 
advisers take investor fee sensitivity into account, under many 
plausible competition scenarios in an adviser's market segment, it is 
likely at least some of the cost increases of the proposed rule will be 
passed on to clients and investors. However, if advisers incur costs 
associated with changing fees, advisers may not pass on the costs of 
the proposed rules until they cross some significant threshold. Since 
we do not have data or other information concerning individual investor 
fee sensitivities, how advisers take these into account, or the extent 
to which advisers prefer to keep fees constant, the potential shift in 
the supply of advisory service and its impact on fees is unknown.
---------------------------------------------------------------------------

    \133\ See, e.g., John Haslem, Mutual Fund Heterogeneity and Fee 
Dispersion, J. Wealth. Manag., Vol. 18, No. 1 (Summer 2015) at 41-
48, who argues that because preferences differ across investors, fee 
sensitivity also varies across investors.
---------------------------------------------------------------------------

3. Effects on Efficiency, Competition, and Capital Formation
    The Commission has also considered the effects of the proposed 
rules on efficiency, competition, and capital formation. With respect 
to efficiency, to the extent that a disruption were to prevent an 
adviser from executing trades for several days, investors would be 
unable to make any changes in their investment choices, leading to a 
potentially inefficient allocation of their capital during this period. 
To the extent that the proposed rules decrease the recovery time of a 
disruption for an adviser that many market participants are relying on 
when conducting their business, they could promote efficient pricing of 
risk and thus efficient capital allocation during such an event.
    The proposed rule also could affect competition in the advisory 
industry. As discussed above, the costs of adopting plans that meet the 
requirements of the proposed rule will vary depending on an adviser's 
operations and the extent to which they have already implemented 
business continuity and transition plans consistent with the rule. To 
the extent that, in a given market segment, advisers with high adoption 
costs compete for clients and investors against advisers with low 
adoption costs, the proposed rule will disproportionally affect the 
high adoption cost advisers. If some of these advisers are only 
marginally

[[Page 43550]]

profitable, they may exit that market segment. Similarly, the proposed 
rule could, on the margin, raise the barrier to entry for an adviser 
that otherwise would have entered a given market segment. If the rule 
results in either adviser exits or increased barriers to entry, reduced 
competitive pressures could result in increased fees for clients and 
investors.
    Finally, the proposed rule may have a small but positive impact on 
capital formation. Ex-ante, reducing risks to clients and investors 
associated with business disruptions and transition events could 
increase such clients' and investors' willingness to invest via 
advisers, which could be beneficial to capital formation if advisers 
are more skilled than those clients or investors at identifying sound 
investment opportunities. In addition, to the extent that the rules 
reduce any risk premium in assets associated with business disruptions 
and transition events as discussed above, more robust business 
continuity and transition plans could promote capital formation.

D. Reasonable Alternatives

    In formulating our proposal, we have considered various reasonable 
alternatives to certain individual elements of proposed new rule 
206(4)-4 and the proposed amendments to rule 204-2. Those alternatives 
are discussed below. We have also requested comments relating to 
certain specific aspects of these alternatives, as noted above.
1. Require Public Availability of Business Continuity and Transition 
Plans
    First, the Commission could require that SEC-registered advisers 
publicly disclose a summary of the plans required by the proposed rule 
in their Form ADVs, and either additionally or as an alternative, 
provide their business continuity and transition plans to clients upon 
request. In addition, as an alternative to the recordkeeping 
requirement, we could require registered advisers to file their 
business continuity and transition plans (or a portion or summary 
thereof) with the Commission.
    Disclosing the plans or a summary of those plans, and the 
operational and other risks addressed by such plans, could help 
investors evaluate and compare the operational and other risks 
associated with particular advisers. If investors could choose among 
advisers in part based on the level of operational and other risk 
advisers were willing to bear, advisers might be further incentivized 
to plan for business disruption events. However, we understand that 
such information could be considered proprietary by some advisers and 
the public disclosure of business continuity and transition plans may 
make advisers more vulnerable to attacks from third parties, such as 
cybersecurity attacks that target the contingency plans laid out in an 
adviser's business continuity and transition plan. Furthermore, 
advisers would incur additional monetary costs associated with the 
disclosure of the plans. Such costs associated would vary depending on 
the type of disclosure required (e.g., filing with the Commission, 
publication on the adviser's Web site, making the plans available upon 
request, etc.) and whether the adviser currently makes its plans 
available to clients.
    In addition, instead of requiring certain components for business 
continuity plans for all advisers, as in the proposed rule, the 
Commission could continue imposing only the obligation generally set 
forth as guidance under the Compliance Program Rule but require public 
disclosure of any business continuity plans adopted pursuant to that 
rule. As noted above, the proposed rule's enhanced requirements for 
business continuity plans impose costs compared to the existing 
baseline, depending on an adviser's current business continuity plans, 
so this alternative would avoid the costs associated with complying 
with the proposed rule. Still, advisers would incur other costs related 
to disclosure of the existing business continuity plans, as noted 
above, including the direct monetary costs of publishing or providing 
the plans, as well as indirect costs such as those associated with 
revealing the proprietary or sensitive business information identified 
above.
    Further, as discussed above, the non-public nature of existing 
business continuity plans may be a contributing factor to the lack of 
uniformly robust plans observed by Commission examiners. However, given 
the other factors discussed above that may also contribute to the lack 
of sufficiently robust plans among all advisers, the Commission 
preliminarily believes that only requiring public disclosure of 
existing business continuity plans without specifying certain 
components that plans must contain may not fully address its concerns 
that all advisers have not established sufficiently robust business 
continuity plans. At the same time, the Commission preliminarily 
believes that requiring business plans to address the components 
identified in the proposed rule while not mandating that such plans 
also be publicly disclosed will result in more uniformly robust plans 
that address the Commission's concerns.
2. Require Business Continuity Plans and/or Transition Plans, But Do 
Not Specify Required Components
    The Commission could also specifically require advisers to adopt 
business continuity plans and/or transition plans but be silent as to 
the required components that such plans must contain to address 
business disruptions and/or transition events.\134\ The proposed rule 
requires advisers to adopt and implement a business continuity and 
transition plan with policies and procedures reasonably designed to 
address operational and other risks related to a significant disruption 
in an adviser's operations (including policies and procedures 
concerning business transition), while also identifying specific 
components that such a plan must address. If, as an alternative, the 
Commission required business continuity and transition plans but did 
not identify any specific components the plans must address, registered 
advisers would have complete flexibility in determining how to best 
prepare for and respond to business disruptions and transition events. 
For example, it is possible that certain required components for 
business continuity and transition plans identified in the proposed 
rule are less relevant to some advisers, but all advisers would be 
required to address each of the components under the proposed rule. In 
contrast, an alternative that did not require specific components be 
addressed would enable advisers to tailor the plans to their specific 
business needs, which could potentially result in cost and time-savings 
compared to the proposed approach.
---------------------------------------------------------------------------

    \134\ The Commission could take different approaches for 
business disruptions and transition events. For example, the 
Commission could either retain the currently proposed approach of 
specifying certain components for addressing business disruptions or 
impose more specific mechanisms for addressing certain risks 
associated with business disruptions, as explained below, while not 
specifying either the components or the specific mechanisms for 
addressing transition events.
---------------------------------------------------------------------------

    However, based on the Commission's experience with not providing 
specific components a plan should address in the context of business 
disruptions, under rule 206(4)-7, the Commission is concerned that some 
registered advisers may not implement sufficiently robust plans to best 
protect the interests of their clients and investors during a business 
disruption or transition event if the Commission does not specify

[[Page 43551]]

certain components. In contrast, the Commission preliminarily believes 
that the current proposed approach strikes an appropriate balance 
between specifying certain components of business continuity and 
transition planning that must be addressed while still providing 
advisers with flexibility in how to address each of those components 
and any other operational and other risks that may be relevant to the 
adviser's operations. In addition, the Commission preliminarily 
believes that advisers will achieve certain efficiencies in 
simultaneously addressing both business disruptions and transition 
events under the proposed approach, which may mitigate additional costs 
imposed by the proposed approach.
3. Require Specific Mechanisms for Addressing Certain Risks in Every 
Plan
    As discussed above, we are proposing a rule that requires SEC-
registered advisers to address certain general components, but permits 
them the flexibility to draft their business continuity and transition 
plans based on the risks associated with their particular operations. 
We could alternatively include in the rule prescriptive requirements 
mandating precisely how registered advisers must address certain 
specified risks related to either business disruptions or transition 
events, or both.\135\
---------------------------------------------------------------------------

    \135\ As noted above, the Commission could vary its approach for 
business continuity and transition plans. Specifically, for both 
business continuity plans and transition plans, the Commission could 
either (1) retain the more flexible component-based approach 
currently proposed, (2) mandate specific requirements for addressing 
business disruptions/transition events, or (3) only require 
``reasonably designed'' plans without specifying particular 
components.
---------------------------------------------------------------------------

    Specific, mandatory requirements could potentially reduce confusion 
as to exactly how these advisers are expected to address business 
disruptions and/or transition events. However, as discussed above, we 
recognize that advisers' business models and operations vary and that 
the manner in which each adviser's business continuity and transition 
plan addresses a required element will depend upon the nature and 
complexity of the adviser's business. Therefore, a prescriptive one-
size-fits-all rule mandating how all advisers must address certain 
specified risks, including risks a particular business model and 
operation would not be exposed to, could be inefficient and cause some 
advisers to incur unnecessary costs by requiring them to address 
requirements that are not relevant to their specific business. In 
addition, a prescriptive rule provides less flexibility for registered 
advisers to address new issues as they arise, particularly concerning 
changes in technology, again potentially leading to inefficient 
constraints on how registered advisers prepare for and address various 
risks. Therefore, we preliminarily believe our proposed approach 
strikes an appropriate balance between requiring that each adviser have 
a business continuity and transition plan that addresses certain 
required components we believe will help SEC-registered advisers to 
appropriately plan for significant business disruptions and transition 
events while, at the same time, allowing each adviser the necessary 
flexibility in creating a business continuity and transition plan to 
take into account the adviser's own unique operations, the nature and 
complexity of its business, its clients, and its key personnel.
4. Vary the Requirements of the Proposed Rule for Different Subsets of 
Registered Advisers
    Additionally, instead of requiring that all SEC-registered advisers 
adopt and implement the business continuity and transition plans with 
the same exact components, we could vary those requirements by adviser. 
For example, the Commission could provide that various requirements of 
the rule only apply to a subset of registered advisers (e.g., advisers 
over a certain asset threshold, advisers that are engaged in activities 
that the Commission deems to be risky, advisers that are affiliated 
with other financial industry participants, such as broker-dealers or 
banks, etc.), or it could provide that certain advisers (such as 
smaller advisers) are exempted from the rule entirely. As we have 
discussed above, different types of advisers have different types of 
operational and other risks and it is possible that requiring every 
adviser to address each of the risks identified in the proposed rule, 
even those that may be less likely for certain advisers, could result 
in unnecessary costs for those advisers.
    However, the overall purpose of the proposed rule is to provide 
enhanced protection to clients and investors by requiring all 
registered advisers to establish sufficiently robust plans, and 
tailoring the rule to require different components for different types 
of advisers may result in the interests of some clients and investors 
not being adequately protected. Specifically, it is possible that, when 
distinguishing different ``types'' of advisers, any boundaries drawn 
would be imperfect and any groups of advisers identified by such a rule 
would themselves not be homogenous, resulting in under or over-
inclusive groups. This could result in some clients and investors not 
receiving adequate protections, while still imposing unnecessary costs 
on others. In contrast, the proposed rule allows advisers the 
flexibility to address each required component to the degree that 
reflects the nature of each particular adviser's business. Accordingly, 
the Commission believes that the proposed rule strikes an appropriate 
balance in providing that protection while minimizing the costs of 
compliance to advisers in ways that would not undermine the 
Commission's regulatory goals.

E. Request for Comment

    We request comment on our assumptions regarding the costs and 
benefits of the proposed rule. We request comment on whether the 
proposed rule, if adopted, would impose a burden on competition. We 
also request comment on whether the proposed rule, if adopted, would 
promote efficiency, competition, and capital formation. Commenters are 
requested to provide empirical data to support their views. In addition 
to our general request for comment on the costs and benefits of the 
proposed amendments, we request the following specific comment on 
certain aspects of our economic analysis.
     To what extent would advisers and their clients and 
investors benefit from business continuity and transition plans that 
are required to contain certain specific components? Please explain.
     Would advisers, and their clients and investors, benefit 
more from requiring plans to address certain risks in a specified 
manner, rather than providing for flexibility as in the proposed rule?
     Do commenters expect that advisers would incur costs in 
addition to, or that differ from, the costs we outlined above for both 
one-time and ongoing costs? Please explain.
     Would any of the effects and costs of the proposed rule be 
large enough to affect the behavior of investment advisers or their 
clients? For example:
    [cir] Do commenters expect that some advisers may choose to exit 
the market rather than incur the costs associated with compliance? If 
so, what segment of the investment adviser market is this mostly likely 
to be seen in and how many exiting advisers should we expect? Please 
explain.
    [cir] Will the costs to clients, in the form of increased fees, 
result in some clients no longer employing the services of advisers? If 
so, what types of clients would be most likely to take such actions? 
Please explain.

[[Page 43552]]

     Do commenters believe that the alternatives the Commission 
considered are appropriate? Are there other reasonable alternatives 
that the Commission should consider? If so, please provide additional 
alternatives and how their costs and benefits would compare to the 
proposal.
     Do commenters believe that the analysis of the associated 
costs and benefits of the alternatives is accurate? If not, please 
provide more accurate costs and benefits, including any data or 
statistics that supports those costs and benefits.

III. Paperwork Reduction Act

    The proposed rule and rule amendments under the Advisers Act 
contain ``collections of information'' within the meaning of the 
Paperwork Reduction Act of 1995 (``PRA'').\136\ The title for the new 
collection of information is ``Rule 206(4)-4.'' In addition, the 
proposed amendments to rule 204-2 would impact the currently approved 
collection of information titled ``Rule 204-2,'' under OMB control 
number 3235-0278. These collections of information are mandatory for 
all investment advisers registered with the Commission. The Commission 
is submitting these collections of information to the OMB for review in 
accordance with 44 U.S.C. 3507 (d) and 5 CFR 1320.11. An agency may not 
conduct or sponsor, and a person is not required to respond to, a 
collection of information unless it displays a currently valid control 
number.
---------------------------------------------------------------------------

    \136\ 44 U.S.C. 3501 through 3521.
---------------------------------------------------------------------------

    The collection of information under rule 206(4)-4 is designed to 
increase the likelihood that advisers are as prepared as possible to 
continue operations on an ongoing basis and to meet client expectations 
and legal obligations in the event of a significant disruption to their 
operations. The respondents are investment advisers registered with the 
Commission. Responses provided to the Commission in the context of its 
examination and oversight program are generally kept confidential.\137\
---------------------------------------------------------------------------

    \137\ See section 210(b) of the Advisers Act.
---------------------------------------------------------------------------

    The collection of information under rule 204-2 is necessary for the 
Commission staff to use in its examination and oversight program. The 
respondents are investment advisers registered with us. Responses 
provided to the Commission in the context of its examination and 
oversight program are generally kept confidential.\138\ The records 
that an adviser must keep in accordance with the proposed rule must be 
retained for at least five years.\139\
---------------------------------------------------------------------------

    \138\ See section 210(b) of the Advisers Act.
    \139\ See proposed rule 204-2(a)(20).
---------------------------------------------------------------------------

A. The Proposed Rules

1. Rule 206(4)-4
    As discussed in section II, we estimate that each adviser would 
include one-time initial costs to adopt and implement a written 
business continuity and transition plan, as well as ongoing plan-
related costs. There are currently approximately 11,956 investment 
advisers registered with us.\140\ We estimate that advisers will spend 
between 50 to 500 hours to initially adopt and implement a business 
continuity and transition plan depending on the nature of an adviser's 
current business continuity plan and the complexity of its operations. 
This range is comprised of our estimates that a representative smaller 
adviser (defined in this PRA as advisers with less than $100 million in 
assets under management) would spend 50 hours on this initial effort at 
a cost of $12,515,\141\ a representative mid-sized adviser (defined in 
this PRA as advisers with at least $100 million in assets under 
management but less than $1 billion) would spend 250 hours on this 
initial effort at a cost of $70,045,\142\ and a representative larger 
adviser (defined in this PRA as advisers with at least $1 billion in 
assets under management) would spend 500 hours on this initial effort 
at a cost of $147,310.\143\ As discussed in section II, exact costs for 
any given adviser would depend on the facts and circumstances of the 
adviser's operations and the comprehensiveness of its existing plan. 
Aggregating the estimates above for all advisers, however, yields a 
total industry-wide initial hourly burden of 3,404,600 \144\ (as 
monetized, is equivalent to a one-time aggregate burden of 
approximately $974.6 million).\145\ Amortized over a three-year period, 
this would be an annual hourly burden of 95 per adviser\146\ (as 
monetized, is equivalent to an annual amortized burden per adviser of 
$27,172).\147\
---------------------------------------------------------------------------

    \140\ This is the number of investment advisers registered with 
us on our IARD System as of January 4, 2016.
    \141\ This estimate is based on the following calculations: 25 
hours x $288 (hourly rate for a compliance manager) = $7,200; 20 
hours x $127 (hourly rate for an operations specialist) = $2,540; 5 
hours x $555 (hourly rate for a deputy general counsel) = $2,775. 
$7,200 + $2,540 + 2,775 = $12,515. The hourly wages used are from 
SIFMA's Management & Professional Earnings in the Securities 
Industry 2013, modified to account for an 1800-hour work-year and 
inflation (as of January 2016) and multiplied by 5.35 to account for 
bonuses, firm size, employee benefits, and overhead.
    \142\ This estimate is based on the following calculations: 75 
hours x $288 (hourly rate for a compliance manager) = $21,600; 60 
hours x $127 (hourly rate for an operations specialist) = $7,620; 15 
hours x $555 (hourly rate for a deputy general counsel) = $8,325; 50 
hours x $264 (hourly rate for a senior systems analyst) = $13,200; 
50 hours x $386 (hourly rate for an attorney) = $19,300. $21,600 + 
$7,620 + $8,325 + $13,200 + $19,300 = $70,045. The hourly wages used 
are from SIFMA's Management & Professional Earnings in the 
Securities Industry 2013, modified to account for an 1800-hour work-
year and inflation (as of January 2016) and multiplied by 5.35 to 
account for bonuses, firm size, employee benefits, and overhead.
    \143\ This estimate is based on the following calculations: 100 
hours x $288 (hourly rate for a compliance manager) = $28,800; 80 
hours x $127 (hourly rate for an operations specialist) = $10,160; 
20 hours x $555 (hourly rate for a deputy general counsel) = 
$11,100; 65 hours x $264 (hourly rate for a senior systems analyst) 
= $17,160; 65 hours x $386 (hourly rate for an attorney) = $25,090; 
30 hours x $410 (hourly rate for a computer operations department 
manager) = $12,300; 30 hours x $271 (hourly rate for a financial 
reporting manager) = $8,130; 40 hours x $340 (hourly rate for a 
senior operations manager) = $13,600; 30 hours x $255 (hourly rate 
for a senior business analyst) = $7,650; 40 hours x $333 (hourly 
rate for a senior risk management specialist) = $13,320. $28,800 + 
$10,160 + $11,100 + $17,160 + $25,090 + $12,300 + $8,130 + $13,600 + 
$7,650 + $13,320 = $147,310. The hourly wages used are from SIFMA's 
Management & Professional Earnings in the Securities Industry 2013, 
modified to account for an 1800-hour work-year and inflation (as of 
January 2016) and multiplied by 5.35 to account for bonuses, firm 
size, employee benefits, and overhead.
    \144\ This estimate is based on the following calculations: 
(2,032 smaller advisers x 50 hours) + (6,636 mid-sized advisers x 
250 hours) + (3,288 larger advisers x 500 hours) = 3,404,600 hours.
    \145\ This estimate is based on the following calculation: 
(2,032 smaller advisers x $12,515) + (6,636 mid-sized advisers x 
$70,045) + (3,288 larger advisers x $147,310) = $974.6 million.
    \146\ This estimate is based on the following calculations: 
3,404,600 hours/3 years = 1,134,867 hours per year. 1,134,867 hours/
11,956 advisers = 95 hours per year per adviser.
    \147\ This estimate is based on the following calculations: 
$974.6 million/3 years = $324.87 million per year. $324.87 million/
11,956 advisers = $27,172 per year per adviser.
---------------------------------------------------------------------------

    We also anticipate that some advisers may consult with outside 
legal counsel and/or other outside professionals to assist in drafting 
policies and procedures and/or to assist in evaluating particular 
components of a plan. We estimate that the costs associated with such 
an engagement would include fees for approximately 10 hours for smaller 
firms, 30 hours for a mid-sized firm, and 50 hours for a larger firm, 
at an average rate of $400 per hour (estimated hourly rate for outside 
legal services).\148\ Consequently, for a smaller firm we estimate a 
total of $4,000 in outside fees

[[Page 43553]]

for each smaller firm,\149\ $12,000 for each medium firm,\150\ and 
$20,000 for each larger firm.\151\ Aggregating these estimates for all 
advisers, yields a total industry wide initial cost burden of $153.5 
million attributable to engaging outside legal services for assistance 
in initially drafting and implementing the BCP.\152\ Amortized over a 
three-year period, this would be an initial annual cost burden per 
adviser of $4,282.\153\
---------------------------------------------------------------------------

    \148\ We recognize that the costs of retaining outside 
professionals may vary depending on the nature of the professional 
services, but for purposes of this PRA analysis we estimate that 
such costs would be similar to the costs of outside legal services.
    \149\ This estimate is based on the following calculation: 10 
hours x $400 = $4,000.
    \150\ This estimate is based on the following calculation: 30 
hours x $400 = $12,000.
    \151\ This estimate is based on the following calculation: 50 
hours x $400 = $20,000.
    \152\ This estimate is based on the following calculation: 
($4,000 per smaller adviser x 2,032 smaller advisers) + ($12,000 per 
mid-sized adviser x 6,636 mid-sized advisers) + ($20,000 per larger 
adviser x 3,288 larger advisers) = $153.5 million.
    \153\ This estimate is based on the following calculations: 
$153.5 million/3 years = $51.2 million per year. $51.2 million/
11,956 advisers = $4,282 per adviser.
---------------------------------------------------------------------------

    In addition to the initial burden, an adviser would incur ongoing, 
annual costs associated with its business continuity and transition 
plan, including the adviser annually reviewing the adequacy of its 
business continuity and transition plan and the effectiveness of its 
implementation. Based on staff experience, we estimate these ongoing 
costs would total approximately 25% of an adviser's initial costs. 
Accordingly, we estimate that a representative smaller adviser would 
spend 12.5 hours annually on this effort internally (as monetized, is 
equivalent to an annual burden of $3,129) while incurring outside costs 
of $1,000,\154\ a representative mid-sized adviser would spend 62.5 
hours annually on this effort internally (as monetized, is equivalent 
to an annual burden of $17,511) while incurring outside costs of 
$3,000,\155\ and a representative larger adviser would spend 125 hours 
annually on this effort internally (as monetized, is equivalent to an 
annual burden of $36,828) while incurring outside costs of $5,000.\156\ 
Aggregating the estimates above for all advisers yields a total 
industry-wide ongoing annual burden of approximately 851,150 hours (as 
monetized, is equivalent to an annual burden of $243.65 million) \157\ 
plus outside costs of $38.4 million.\158\ This translates to an annual 
burden per adviser of 71.2 hours (as monetized, is equivalent to an 
annual burden of $20,379) and $3,212.\159\
---------------------------------------------------------------------------

    \154\ This estimate is based on the following calculations: 0.25 
x 50 hours = 12.5 hours. 0.25 x $12,515 = $3,129. 0.25 x $4,000 = 
$1,000.
    \155\ This estimate is based on the following calculations: 0.25 
x 250 hours = 62.5 hours. 0.25 x $70,045 = $17,511. 0.25 x $12,000 = 
$3,000.
    \156\ This estimate is based on the following calculations: 0.25 
x 500 hours = 125 hours. 0.25 x $147,310 = $36,828. 0.25 x $20,000 = 
$5,000.
    \157\ This estimate is based on the following calculations: 
(2,032 smaller advisers x 12.5 hours) + (6,636 mid-sized advisers x 
62.5 hours) + (3,288 larger advisers x 125 hours) = 851,150 hours. 
(2,032 smaller advisers x $3,129) + (6,636 mid-sized advisers x 
$17,511) + (3,288 larger advisers x $36,828) = $243.65 million.
    \158\ This estimate is based on the following calculation: 
(2,032 smaller advisers x $1,000) + (6,636 mid-sized advisers x 
$3,000) + (3,288 larger advisers x $5,000) = $38.4 million.
    \159\ This estimate is based on the following calculations: 
851,150 hours/11,956 advisers = 71.2 hours per adviser. $243.65 
million/11,956 advisers = $20,379 per adviser. $38.4 million/11,956 
advisers = $3,212 per adviser.
---------------------------------------------------------------------------

2. Rule 204-2
    The currently-approved total annual burden estimate for rule 204-2 
is 1,986,152 hours. This burden estimate was based on estimates that 
10,946 advisers were subject to the rule, and each of these advisers 
spends an average of 181.45 hours preparing and preserving records in 
accordance with the rule. Based on updated data as of January 4, 2016, 
there are 11,956 registered investment advisers.\160\ This increase in 
the number of registered investment advisers increases the total burden 
hours of current rule 204-2 from 1,986,152 to 2,169,417, an increase of 
183,265 hours.\161\
---------------------------------------------------------------------------

    \160\ See supra note 140 and accompanying text.
    \161\ This estimate is based on the following calculations: 
(11,956 advisers - 10,946 advisers) * 181.45 hours = 183,265 hours; 
183,265 hours + 1,986,152 hours = 2,169,417 hours.
---------------------------------------------------------------------------

    The proposed amendments to rule 204-2 would require a registered 
investment adviser to maintain copies of the written business 
continuity and transition plans drafted under proposed rule 206(4)-4. 
In addition, the proposed amendments would require a registered 
investment adviser to retain copies of any records documenting the 
adviser's annual review of its policies and procedures under proposed 
rule 206(4)-4.
    Based on staff experience, we estimate that the proposed amendments 
to rule 204-2 would increase each registered investment adviser's 
average annual collection burden under rule 204-2 by 2 hours, from 
181.45 hours to 183.45 hours,\162\ and would thus increase the annual 
aggregate burden for rule 204-2 by 23,912 hours,\163\ from 2,169,417 
hours to 2,193,328 hours.\164\ As monetized, the estimated burden for 
each registered investment adviser's average annual burden under rule 
204-2 would increase by approximately $150,\165\ which would increase 
the estimated monetized aggregate annual burden for rule 204-2 by 
$1,793,325, from $162,706,275 to $164,499,600.\166\ We estimate that 
there are no external costs associated with this collection of 
information under the proposed amendments to rule 204-2.
---------------------------------------------------------------------------

    \162\ This estimate is based on the following calculation: 
181.45 existing hours + 2 new hours = 183.45 hours.
    \163\ This estimate is based on the following calculation: 
11,956 advisers x 2 hours = 23,912 hours.
    \164\ This estimate is based on the following calculation: 
11,956 advisers x 183.45 hours = 2,193,328 hours.
    \165\ This estimate is based on the following calculation: 2 
hours x $75 (hourly rate for an administrative assistant) = $150. 
The hourly wage used is from SIFMA's Management & Professional 
Earnings in the Securities Industry 2013, modified to account for an 
1800-hour work-year and inflation (as of January 2016) and 
multiplied by 5.35 to account for bonuses, firm size, employee 
benefits, and overhead.
    \166\ This estimate is based on the following calculations: 
2,169,417 hours x $75 = $162,706,275. 2,193,328 hours x $75 = 
$164,499,600. $164,499,600-$162,706,275 = $1,793,325.
---------------------------------------------------------------------------

B. Request for Comment

    We request comment on whether our estimates for burden hours and 
any external costs as described above are reasonable. Pursuant to 44 
U.S.C. 3506(c)(2)(B), the Commission solicits comments in order to: (1) 
Evaluate whether the proposed collections of information are necessary 
for the proper performance of the function of the Commission, including 
whether the information will have practical utility; (2) evaluate the 
accuracy of the Commission's estimate of the burden of the proposed 
collections of information; (3) determine whether there are ways to 
enhance the quality, utility, and clarity of the information to be 
collected; and (4) determine whether there are ways to minimize the 
burden of the collections of information on those who are to respond, 
including through the use of automated collection techniques or other 
forms of information technology.
    The agency has submitted the proposed collection of information to 
OMB for approval. Persons wishing to submit comments on the collection 
of information requirements of the proposed amendments should direct 
them to the Office of Management and Budget, Attention Desk Officer for 
the Securities and Exchange Commission, Office of Information and 
Regulatory Affairs, Washington, DC 20503, and should send a copy to 
Brent J. Fields, Secretary, Securities and Exchange Commission, 100 F 
Street NE., Washington, DC 20549-1090, with reference to File No. S7-
13-16. OMB is required to make a decision concerning the collections of 
information between 30 and 60 days after publication of this release; 
therefore, a comment to OMB is

[[Page 43554]]

best assured of having its full effect if OMB receives it within 30 
days after publication of this release. Requests for materials 
submitted to OMB by the Commission with regard to these collections of 
information should be in writing, refer to File No. S7-13-16, and be 
submitted to the Securities and Exchange Commission, Office of FOIA 
Services, 100 F Street NE., Washington, DC 20549-2736.

IV. Initial Regulatory Flexibility Analysis

    The Commission has prepared the following Initial Regulatory 
Flexibility Analysis (``IRFA'') in accordance with section 3(a) of the 
Regulatory Flexibility Act \167\ regarding our proposed rule 206(4)-4 
and proposed amendments to rule 204-2.
---------------------------------------------------------------------------

    \167\ 5 U.S.C. 603(a).
---------------------------------------------------------------------------

A. Reasons for and Objectives of the Proposed Actions

    Based on staff observations, we are concerned about the adequacy of 
some advisers' plans to address operational and other risks associated 
with business resiliency. Establishing strong operational controls that 
manage these risks, including the risks associated with business 
continuity and transition, are important practices and should increase 
the likelihood that advisers are as prepared as possible to continue 
operations on an ongoing basis and to meet client expectations and 
legal obligations in the event of a significant disruption in their 
operations. Accordingly, proposed rule 206(4)-4 would require SEC-
registered advisers to adopt and implement written business continuity 
and transition plans reasonably designed to address operational and 
other risks related to a significant disruption in the investment 
adviser's operations.
    We also are proposing specific components be included in such plans 
in order to address certain disparate practices the staff has 
previously observed during examinations and to facilitate robust 
business continuity and transition planning across all SEC-registered 
advisers. In addition, the proposed rule would require advisers to 
review their business continuity and transition plans at least annually 
in order to ensure that advisers are examining the continued adequacy 
and effectiveness of their plans on an ongoing basis.
    The proposed amendments to rule 204-2 would require advisers to 
make and keep all business continuity and transition plans that are in 
effect or were in effect at any time within the past five years. The 
proposed amendments would help advisers have easy access to necessary 
information during periods of stress.

B. Legal Basis

    Proposed rule 206(4)-4 is designed to address certain disparate 
practices our staff has previously observed during its examinations and 
to facilitate robust business continuity and transition planning across 
all SEC-registered advisers.
    The Commission is proposing new rule 206(4)-4 and amendments to 
rule 204-2 under the rulemaking authority set forth in sections 204, 
206(4) and 211(a) of the Advisers Act [15 U.S.C. 80b-4(b), 80b-6(4), 
and 80b-11(a)].

C. Small Entities Subject to the Rule and Rule Amendments

    In developing these proposals, we have considered their potential 
impact on small entities that would be subject to proposed new rule 
206(4)-4 and the proposed amendments to rule 204-2. The proposed new 
rule and the proposed amendments would affect all advisers registered 
with the Commission, including certain small entities. Under Commission 
rules, for the purposes of the Advisers Act and the Regulatory 
Flexibility Act, an investment adviser generally is a small entity if 
it: (1) Has assets under management having a total value of less than 
$25 million; (2) did not have total assets of $5 million or more on the 
last day of the most recent fiscal year; and (3) does not control, is 
not controlled by, and is not under common control with another 
investment adviser that has assets under management of $25 million or 
more, or any person (other than a natural person) that had total assets 
of $5 million or more on the last day of its most recent fiscal 
year.\168\
---------------------------------------------------------------------------

    \168\ Rule 0-7(a) under the Advisers Act.
---------------------------------------------------------------------------

    The proposed new rule and the proposed amendments would not apply 
to most advisers that are small entities (``small advisers'') because 
small advisers are generally registered with one or more state 
securities authorities instead of with the Commission.\169\ Based on 
IARD data, however, we estimate that as of January 4, 2016, 
approximately 515 small advisers are registered with the 
Commission.\170\ Because these small advisers are registered, they, 
like all SEC-registered investment advisers, would all be subject to 
proposed new rule 206(4)-4 and the proposed amendments to rule 204-2.
---------------------------------------------------------------------------

    \169\ See section 203A of the Advisers Act, prohibiting most 
small advisers from registering with the Commission.
    \170\ Based on SEC-registered investment adviser responses to 
Form ADV, Item 5.F and Item 12.
---------------------------------------------------------------------------

D. Projected Reporting, Recordkeeping and Other Compliance Requirements

    Proposed new rule 206(4)-4 and the proposed amendments to rule 204-
2 would impose certain recordkeeping and other compliance requirements 
on all Commission-registered advisers, including Commission-registered 
small advisers. Proposed rule 206(4)-4 would require advisers to adopt 
and implement written business continuity and transition plans 
reasonably designed to address operational and other risks related to a 
significant disruption in the investment adviser's operations. The 
proposed amendments to rule 204-2 would require advisers to make and 
keep all business continuity and transition plans that are in effect or 
were in effect at any time within the past five years.
1. Rule 206(4)-4
    As discussed in section II, we estimated that each adviser would 
incur one-time costs to adopt and implement a written business 
continuity and transition plan, as well as ongoing plan-related costs. 
As noted above, there are currently approximately 515 small advisers 
registered with the Commission. We estimate that each small adviser 
would incur an average initial burden of 50 hours associated with 
adopting and implementing a written business continuity and transition 
plan at a cost of $12,515.\171\ Aggregating the estimated burden for 
all small advisers yields a total initial hourly burden of 25,750 \172\ 
(as monetized, is equivalent to a one-time aggregate burden of 
approximately $6,445,225).\173\ Amortized over a three-year period, 
this would be an annual hourly burden of 16.7 per small adviser \174\ 
(as monetized, is equivalent to an annual amortized burden per small 
adviser of $4,172).\175\
---------------------------------------------------------------------------

    \171\ See supra note 141 (discussing the estimated initial cost 
burden associated with a representative smaller adviser).
    \172\ This estimate is based on the following calculation: 515 
small advisers x 50 hours = 25,750 hours.
    \173\ This estimate is based on the following calculation: 515 
small advisers x $12,515 = $6,445,225.
    \174\ This estimate is based on the following calculation: 50 
hours/3 years = 16.7 hours per year.
    \175\ This estimate is based on the following calculations: 
$12,515/3 years = $4,172 per year.
---------------------------------------------------------------------------

    Our staff also anticipates that some small advisers may consult 
with outside legal counsel and/or other outside professionals to assist 
in drafting policies and procedures and/or to provide assistance in 
evaluating

[[Page 43555]]

particular components of a plan. We estimate that the costs associated 
with such an engagement would include fees for approximately 10 hours 
for small firms at a rate of $400 per hour.\176\ Consequently, for a 
representative smaller firm we estimate a total of $4,000 in outside 
fees.\177\ Amortized over a three-year period, this would be an annual 
burden per small adviser of $1,333.\178\ Accordingly, we estimate that 
the total annual initial burden on 515 small advisers for adopting and 
implementing a written business continuity and transition plan would be 
$686,495.\179\
---------------------------------------------------------------------------

    \176\ See supra note 148 and accompanying text.
    \177\ This estimate is based on the following calculation: 10 
hours x $400 per hour = $4,000.
    \178\ This estimate is based on the following calculation: 
$4,000/3 years = $1,333 per year.
    \179\ This estimate is based on the following calculations: 515 
small advisers x $1,333 = $686,495.
---------------------------------------------------------------------------

    In addition to the initial burden, a small adviser would incur 
ongoing, annual costs associated with its business continuity and 
transition plan, including the adviser annually reviewing the adequacy 
of its business continuity plan and the effectiveness of its 
implementation. Based on staff experience, we estimate that these 
ongoing costs would total approximately 25% of a small adviser's 
initial costs. Accordingly, we estimate that each small adviser would 
spend 12.5 hours annually on this effort internally while incurring 
outside costs of $1,000.\180\ Aggregating the estimates above for 515 
small advisers yields a total ongoing annual burden on small advisers 
of approximately 6,438 hours \181\ plus outside costs of $515,000.\182\
---------------------------------------------------------------------------

    \180\ This estimate is based on the following calculations: 0.25 
x 50 hours = 12.5 hours. 0.25 x $4,000 = $1,000.
    \181\ This estimate is based on the following calculation: 12.5 
hours x 515 advisers = 6,438 hours.
    \182\ This estimate is based on the following calculation: 
$1,000 x 515 advisers--$515,000.
---------------------------------------------------------------------------

2. Rule 204-2
    The currently-approved annual aggregate information collection 
burden under rule 204-2 is 1,986,152 hours. This approved annual 
aggregate burden was based on estimates that 10,946 advisers were 
subject to the rule, of which 478 were small advisers, and each of 
these advisers spends an average of 181.45 hours preparing and 
preserving records in accordance with the rule. Based upon updated data 
as of January 4, 2016, there are 11,956 registered investment 
advisers,\183\ of which 515 are small advisers.\184\ The increase in 
the number of registered small advisers increases the total burden 
hours of current rule 204-2 on small advisers from 86,733 hours to 
93,447 hours, an increase of 6,714 hours.\185\
---------------------------------------------------------------------------

    \183\ See supra note 140 and accompanying text.
    \184\ See supra note 170 and accompanying text.
    \185\ This estimate is based on the following calculations: 515 
small advisers x 181.45 hours = 93,447 hours. 478 small advisers x 
181.45 hours = 86,733 hours. 93,447 - 86,733 = 6,714.
---------------------------------------------------------------------------

    The proposed amendments to rule 204-2 would require a registered 
investment adviser to maintain copies of the written business 
continuity and transition plans drafted under proposed rule 206(4)-4. 
In addition, the proposed amendments would require a registered 
investment adviser to retain copies of any records documenting the 
adviser's annual review of its policies and procedures under proposed 
rule 206(4)-4.
    Based on staff experience, we estimate that the proposed amendments 
to rule 204-2 would increase each registered investment adviser's 
average annual collection burden under rule 204-2 by 2 hours, from 
181.45 hours to 183.45 hours,\186\ and would thus increase the annual 
aggregate burden for rule 204-2 by 1,030 hours,\187\ from 93,447 hours 
to 94,477 hours.\188\ As monetized, the estimated burden for each 
registered investment adviser's average annual burden under rule 204-2 
would increase by approximately $150,\189\ which would increase the 
estimated monetized aggregate annual burden for rule 204-2 by $77,250, 
from $7,008,525 to $7,085,775.\190\ We estimate that there are no 
external costs associated with this collection of information under the 
proposed amendments to rule 204-2.
---------------------------------------------------------------------------

    \186\ This estimate is based on the following calculation: 
181.45 existing hours + 2 new hours = 183.45 hours.
    \187\ This estimate is based on the following calculation: 515 
small advisers x 2 hours = 1,030 hours.
    \188\ This estimate is based on the following calculation: 515 
small advisers x 183.45 hours = 94,477 hours.
    \189\ This estimate is based on the following calculation: 2 
hours x $75 (hourly rate for an administrative assistant) = $150. 
The hourly wage used is from SIFMA's Management & Professional 
Earnings in the Securities Industry 2013, modified to account for an 
1800-hour work-year and inflation (as of January 2016) and 
multiplied by 5.35 to account for bonuses, firm size, employee 
benefits, and overhead.
    \190\ This estimate is based on the following calculations: 
93,447 hours x $75 = $7,008,525. 94,477 hours x $75 = $7,085,775. 
$7,085,775 - $7,008,525 = $77,250.
---------------------------------------------------------------------------

E. Duplicative, Overlapping, or Conflicting Federal Rules

    We believe there are no federal rules that duplicate, overlap, or 
conflict with proposed new rule 206(4)-4 and the proposed amendments to 
rule 204-2. The written business continuity and transition plans that 
would be required by the proposed new rule would include certain 
policies and procedures already generally required by other rules under 
the federal securities laws, but the proposed new rule would not 
require these policies and procedures to be duplicated. Some of the 
records an adviser would be required to maintain under the proposed 
amendments to rule 204-2 also may be required records under the general 
recordkeeping provisions of rule 204-2 of the Advisers Act, but such 
overlap would be limited and the Commission would not require the 
adviser to maintain duplicate copies.

F. Significant Alternatives

    In formulating our proposal, we have considered various reasonable 
alternatives to the individual elements of proposed new rule 206(4)-4 
and the proposed amendments to rule 204-2, specifically as they relate 
to accomplishing our stated objectives while minimizing any significant 
economic impact on small entities. The alternatives most relevant to 
small advisers are discussed below. We have also requested comment 
relating to certain specific aspects of these and other alternatives 
above.\191\
---------------------------------------------------------------------------

    \191\ See supra section I.C.1.f.
---------------------------------------------------------------------------

    The Commission considered exempting small advisers from the 
proposal entirely. The Commission also considered setting forth 
different business continuity and transition plan requirements for 
small advisers. However, because small advisers generally face the same 
types of transition and business continuity issues as larger advisers, 
although on a smaller scale, we believe small advisers should be 
subject to the proposed rule to the same extent as larger advisers and 
be allowed to tailor their business continuity and transition plans to 
the scope of their business. The proposed rule allows each adviser the 
necessary flexibility in creating a business continuity and transition 
plan to take into account the adviser's own unique operations, the 
nature and complexity of its business, its clients, and its key 
personnel, and we believe that such flexibility may result in small 
advisers incurring less costs to comply.\192\
---------------------------------------------------------------------------

    \192\ See supra section III.A.1, discussing the lower estimated 
cost burdens, both initial and ongoing, associated with smaller 
advisers as compared to larger advisers.
---------------------------------------------------------------------------

G. Solicitation of Comments

    We encourage written comments on matters discussed in this IRFA. We 
solicit comment on the number of small entities subject to the proposed 
rule and

[[Page 43556]]

whether the proposed rule discussed in this release could have an 
effect on small entities that has not been considered. We request that 
commenters describe the nature of any impact on small entities and 
provide empirical data to support the extent of such impact.

V. Consideration of Impact on the Economy

    For purposes of the Small Business Regulatory Enforcement Fairness 
Act of 1996, or ``SBREFA,'' \193\ we must advise OMB whether a proposed 
regulation constitutes a ``major'' rule. Under SBREFA, a rule is 
considered ``major'' where, if adopted, it results in or is likely to 
result in (1) an annual effect on the economy of $100 million or more; 
(2) a major increase in costs or prices for consumers or individual 
industries; or (3) significant adverse effects on competition, 
investment or innovation.
---------------------------------------------------------------------------

    \193\ Public Law 104-121, Title II, 110 Stat. 857 (1996) 
(codified in various sections of 5 U.S.C., 15 U.S.C. and as a note 
to 5 U.S.C. 601).
---------------------------------------------------------------------------

    We request comment on the potential impact of the proposed rule on 
the economy on an annual basis. Commenters are requested to provide 
empirical data and other factual support for their views to the extent 
possible.

VI. Statutory Authority

    The Commission is proposing new rule 206(4)-4 and amendments to 
rule 204-2 under the rulemaking authority set forth in sections 204, 
206(4) and 211(a) of the Advisers Act [15 U.S.C. 80b-4, 80b-6(4), and 
80b-11(a)].

List of Subjects in 17 CFR Part 275

    Investment advisers, Reporting and recordkeeping requirements.

Text of Proposed Rule Amendments

    For reasons set out in the preamble, title 17, chapter II of the 
Code of Federal Regulations is proposed to be amended as follows:

PART 275--RULES AND REGULATIONS, INVESTMENT ADVISERS ACT OF 1940

0
1. The authority citation for part 275 continues to read, in part, as 
follows:

    Authority: 15 U.S.C. 80b-2(a)(11)(G), 80b-2(a)(11)(H), 80b-
2(a)(17), 80b-3, 80b-4, 80b-4a, 80b-6(4), 80b-6a, and 80b-11, unless 
otherwise noted.
* * * * *
    Section 275.204-2 is also issued under 15 U.S.C. 80b-6.
* * * * *
0
2. Section 275.204-2 is amended by:
0
a. Reserving paragraph (a)(19);
0
b. Adding paragraph (a)(20); and
0
c. Revising paragraph (e)(1).
    The addition and revision read as follows:


Sec.  275.204-2  Books and records to be maintained by investment 
advisers.

    (a) * * *
    (20)(i) A copy of the investment adviser's business continuity and 
transition plan formulated pursuant to Sec.  275.206(4)-4 that is in 
effect, or at any time within the past five years was in effect;
    (ii) Any records documenting the investment adviser's annual review 
of the business continuity and transition plan conducted pursuant to 
Sec.  275.206(4)-4(b).
* * * * *
    (e)(1) All books and records required to be made under the 
provisions of paragraphs (a) through (c)(1)(i), and (c)(2) of this 
section (except for books and records required to be made under the 
provisions of paragraphs (a)(11), (a)(12)(i), (a)(12)(iii), 
(a)(13)(ii), (a)(13)(iii), (a)(16), (a)(17)(i), and (a)(20)(i) of this 
section), shall be maintained and preserved in an easily accessible 
place for a period of not less than five years, from the end of the 
fiscal year during which the last entry was made on such record, the 
first two years in an appropriate office of the investment adviser.
* * * * *
0
3. Section 275.206(4)-4 is added to read as follows:


Sec.  275.206(4)-4  Investment adviser business continuity and 
transition plan.

    (a) Prohibition. If you are an investment adviser registered or 
required to be registered under section 203 of the Act (15 U.S.C. 80b-
3), it shall be unlawful within the meaning of section 206 of the Act 
(15. U.S.C. 80b-6) for you to provide investment advice to your clients 
unless you:
    (1) Business continuity and transition plan. Adopt and implement a 
written business continuity and transition plan; and
    (2) Annual review. Review, no less frequently than annually, the 
adequacy of the business continuity and transition plan and the 
effectiveness of its implementation.
    (b) Content of business continuity and transition plan. (1) For 
purposes of this section, the term business continuity and transition 
plan means policies and procedures reasonably designed to address 
operational and other risks related to a significant disruption in the 
investment adviser's operations, including policies and procedures 
concerning:
    (i) Business continuity after a significant business disruption; 
and
    (ii) Business transition in the event the investment adviser is 
unable to continue providing investment advisory services to clients.
    (2) The content of a business continuity and transition plan shall 
be based upon risks associated with the adviser's operations and shall 
include policies and procedures designed to minimize material service 
disruptions, including policies and procedures that address the 
following:
    (i) Maintenance of critical operations and systems, and the 
protection, backup, and recovery of data, including client records;
    (ii) Pre-arranged alternate physical location(s) of the adviser's 
office(s) and/or employees;
    (iii) Communications with clients, employees, service providers, 
and regulators;
    (iv) Identification and assessment of third-party services critical 
to the operation of the adviser; and
    (v) Plan of transition that accounts for the possible winding down 
of the investment adviser's business or the transition of the 
investment adviser's business to others in the event the investment 
adviser is unable to continue providing investment advisory services, 
that includes the following:
    (A) Policies and procedures intended to safeguard, transfer, and/or 
distribute client assets during transition;
    (B) Policies and procedures facilitating the prompt generation of 
any client-specific information necessary to transition each client 
account;
    (C) Information regarding the corporate governance structure of the 
adviser;
    (D) Identification of any material financial resources available to 
the adviser; and
    (E) An assessment of the applicable law and contractual obligations 
governing the adviser and its clients, including pooled investment 
vehicles, implicated by the adviser's transition.

    By the Commission.

    Dated: June 28, 2016.
Brent J. Fields,
Secretary.
[FR Doc. 2016-15675 Filed 7-1-16; 8:45 am]
 BILLING CODE 8011-01-P
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.