Adviser Business Continuity and Transition Plans, 43530-43556 [2016-15675]
[Federal Register Volume 81, Number 128 (Tuesday, July 5, 2016)]
[Proposed Rules]
[Pages 43530-43556]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-15675]

=======================================================================
-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

17 CFR Part 275

[Release No. IA-4439; File No. S7-13-16]
RIN 3235-AL62

Adviser Business Continuity and Transition Plans

AGENCY: Securities and Exchange Commission.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The Securities and Exchange Commission (``Commission'' or ``SEC'') is proposing a new rule and rule amendments under the Investment Advisers Act of 1940 (``Advisers Act''). The proposed rule would require SEC-registered investment advisers to adopt and implement written business continuity and transition plans reasonably designed to address operational and other risks related to a significant disruption in the investment adviser's operations. The proposal would also amend rule 204-2 under the Advisers Act to require SEC-registered investment advisers to make and keep all business continuity and transition plans that are currently in effect or at any time within the past five years were in effect.

DATES: Comments should be received on or before September 6, 2016.

ADDRESSES: Comments may be submitted by any of the following methods:

Electronic Comments

Use the Commission's Internet comment form (https://www.sec.gov/rules/proposed.shtml); or
Send an email to rule-comments@sec.gov. Please include File Number S7-13-16 on the subject line; or
Use the Federal eRulemaking Portal (https://www.regulations.gov). Follow the instructions for submitting comments.

Paper Comments

Send paper comments to Brent J. Fields, Secretary, Securities and Exchange Commission, 100 F Street NE., Washington, DC 20549-1090.
All submissions should refer to File Number S7-13-16. This file number should be included on the subject line if email is used. To help us process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's Internet Web site (https://www.sec.gov/rules/proposed.shtml). Comments are also available for Web site viewing and printing in the Commission's Public Reference Room, 100 F Street NE., Washington, DC 20549, on official business days between the hours of 10 a.m. and 3 p.m. All comments received will be posted without change; we do not edit personal identifying information from submissions. You should submit only information that you wish to make available publicly.

Studies, memoranda, or other substantive items may be added by the Commission or staff to the comment file during this rulemaking. A notification of the inclusion in the comment file of any such materials will be made available on the Commission's Web site. To ensure direct electronic receipt of such notifications, sign up through the ``Stay Connected'' option at www.sec.gov to receive notifications by email.

FOR FURTHER INFORMATION CONTACT: Andrea Ottomanelli Magovern, Senior Counsel, Zeena Abdul-Rahman, Senior Counsel, John Foley, Senior Counsel, or Alpa Patel, Branch Chief, at (202) 551-6787 or IArules@sec.gov, Investment Adviser Rulemaking Office, Division of Investment Management, Securities and Exchange Commission, 100 F Street NE., Washington, DC 20549-8549.

SUPPLEMENTARY INFORMATION: The Commission is proposing for public comment new rule 206(4)-4 [17 CFR 275.206(4)-4] and amendments to rule 204-2 [17 CFR 275.204-2] under the Advisers Act [15 U.S.C. 80b].

Table of Contents

I. Adviser Business Continuity and Transition Plans
    A. Introduction
    B. Background
        1. Business Continuity Planning
        2. Transition Planning
    C. Discussion
        1. Adopt and Implement Business Continuity and Transition Plans
        2. Annual Review
        3. Recordkeeping

[[Page 43531]]

II. Economic Analysis
    A. Introduction
    B. Economic Baseline
    C. Benefits and Costs and Effects on Efficiency, Competition, and Capital Formation
        1. Benefits
        2. Costs
        3. Effects on Efficiency, Competition, and Capital Formation
    D. Reasonable Alternatives
        1. Require Public Availability of Business Continuity and Transition Plans
        2. Require Business Continuity Plans and/or Transition Plans, but Do Not Specify Required Components
        3. Require Specific Mechanisms for Addressing Certain Risks in Every Plan
        4. Vary the Requirements of the Proposed Rule for Different Subsets of Registered Advisers
    E. Request for Comment
III. Paperwork Reduction Act
    A. The Proposed Rules
        1. Rule 206(4)-4
        2. Rule 204-2
    B. Request for Comment
IV. Initial Regulatory Flexibility Analysis
    A. Reasons for and Objectives of the Proposed Actions
    B. Legal Basis
    C. Small Entities Subject to the Rule and Rule Amendments
    D. Projected Reporting, Recordkeeping and Other Compliance Requirements
        1. Rule 206(4)-4
        2. Rule 204-2
    E. Duplicative, Overlapping, or Conflicting Federal Rules
    F. Significant Alternatives
    G. Solicitation of Comments
V. Consideration of Impact on the Economy
VI. Statutory Authority

I. Adviser Business Continuity and Transition Plans

A. Introduction

Today, there are approximately 12,000 investment advisers registered with the Commission that collectively manage over $67 trillion in assets, an increase of over 140% in the past 10 years.\1\ Advisers manage assets for, and provide investment advice to, a wide variety of clients, including individuals, charitable organizations, endowments, retirement plans, and various pooled investment vehicles such as mutual funds and private funds.
Investors turn to advisers for a variety of services such as helping them to identify financial goals (including investing for a child's education or preparing for retirement), analyzing an existing financial portfolio, determining an appropriate asset allocation, and providing portfolio management or investment recommendations to help achieve financial goals. Advisers also play an important role in counseling and advising clients on complex financial instruments and investments, and in providing advice and guidance on weathering changing market conditions. The range of services provided by advisers, and the continued growth in the number of advisers and assets under management, reflect the critical role investment advisers play in our capital markets and the importance of the services they provide to approximately 30 million clients.\2\ --------------------------------------------------------------------------- \1\ Based on data from the Commission's Investment Adviser Registration Depository (``IARD'') as of January 4, 2016. \2\ Id. --------------------------------------------------------------------------- Investment advisers today also participate in and are part of an increasingly complex financial services industry. Advisers are relying on technology to a greater extent, managing more complicated portfolios and strategies that often include complex investments, and are increasingly relying on the services of third parties such as custodians, brokers and dealers, pricing services, and technology vendors \3\ that support their operations.\4\ --------------------------------------------------------------------------- \3\ We use the terms ``vendor'' and ``service provider'' interchangeably throughout this release. \4\ There has been an increase in the diversity of investment portfolios, strategies, and securities types, the complexity of portfolio management and operations, and the interconnectedness and interdependencies of the financial industry. 
See generally, Global Association of Risk Professionals (GARP), Risk Principles for Asset Managers, Prepared by the GARP Buy Side Risk Managers Forum (Sept. 2015) (``Risk Principles for Asset Managers'') at Section 5: Operational Risk Principles, available at https://go.garp.org/l/39542/2015-09-30/315zdc/39542/90066/BSRMF_Risk_Principles_2015.pdf. --------------------------------------------------------------------------- Although the types of registered investment advisers and their business models may vary significantly, they generally share certain fundamental operational risks. Of particular concern to the Commission are those risks that may impact the ability of an adviser and its personnel to continue operations, provide services to clients and investors, or, in certain circumstances, transition the management of accounts to another adviser. Such operational risks include, but are not limited to, technological failures with respect to systems and processes (whether proprietary or provided by third-party vendors supporting the adviser's activities), and the loss of adviser or client data, personnel, or access to the adviser's physical location(s) and facilities. Operational risks can arise from internal and external business continuity events. An internal event, such as a facility problem at an adviser's primary office location, or an external event, such as a weather-related emergency or cyber-attack, could impact an adviser's ongoing operations and its ability to provide client services. For example, both types of events could prevent advisory personnel from accessing the adviser's office or its systems or documents at a particular office location. Under these circumstances, an adviser and its personnel may be unable to provide services to the adviser's clients and continue its operations while affected by the disruption, which could result in client harm.\5\ Similarly, operational risks can arise in the context of a transition event. 
If, for example, an adviser is winding down or ceasing operations during a time of stress, then an adviser's ability to safeguard client assets could be impacted. --------------------------------------------------------------------------- \5\ As discussed in Section I.B.1. of this release, if an adviser is unable to provide services to its clients, its clients' interests may be at risk. This risk could include the risk of loss if, for example, an adviser lacks the ability to make trades in a portfolio, is unable to receive or implement directions from clients, or if clients are unable to access their assets or accounts. --------------------------------------------------------------------------- We understand that many investment advisers, like other financial services firms, already have taken critical steps to address and mitigate the risks of business disruptions, regardless of the source, as a prudent business measure.\6\ Industry participants have also stated that the highly competitive environment in which advisers operate encourages proper risk management and contributes to advisers' attentiveness to operational risks.\7\ Advisers may recognize the [[Page 43532]] potential for significant reputational damage and other costs associated with such risks.\8\ For many advisers, the management of operational risks is part of the normal course of business to mitigate issues that could negatively impact client relationships and the management of client assets (including potential losses).\9\ Deterioration in client relationships or financial losses could cause clients to move their accounts to another adviser or other financial services firm, and if done on a large scale, prompt the adviser to transition its business through a sale or other means or to wind down its operations and exit the market. 
--------------------------------------------------------------------------- \6\ See infra notes 26-27 and accompanying text (discussing compliance policies and procedures required by rule 206(4)-7 under the Advisers Act); see also Comment Letter of BlackRock, Inc. to the Financial Stability Oversight Council's (``FSOC'') Notice Seeking Comment on Asset Management Products and Activities (``FSOC Notice'') (Mar. 25, 2015) (``BlackRock FSOC Comment Letter'') at 10 (``In the normal course of business, asset managers implement measures to mitigate the impact of potentially disruptive events through operational risk management programs, including maintaining business continuity plans . . . and technology disaster recovery plans . . . .''); Comment Letter of Investment Company Institute to FSOC Notice (Mar. 25, 2015) (``ICI FSOC Comment Letter'') at 69 (noting that ``funds and key service providers to the industry have robust plans and strategies in place to facilitate the continuation or resumption of business operations in the event of an emergency, regardless of the cause''); Comment Letter of Vanguard to FSOC Notice (Mar. 25, 2015) (``Vanguard FSOC Comment Letter'') at 23 (``The purpose of business continuity plans is to develop alternative ways to carry out normal business functions without access to facilities, systems, and/or key third-party providers of goods or services to the funds or its adviser.''). \7\ See, e.g., Comment Letter of Fidelity Investments to FSOC Notice (Mar. 25, 2015) (``Fidelity FSOC Comment Letter'') at 22 (``It is not correct to imply that competitive pressures push managers toward less risk management; in fact those pressures push funds to improve their risk management practices.''); BlackRock FSOC Comment Letter at 63 (``The asset management industry is highly competitive and there are numerous competitors across asset classes and investment strategies.''); ICI FSOC Comment Letter at 61 (``Regulated fund investors have considerable choice. 
The industry is highly competitive, with up to several hundred funds available within each investment category. Along with investment performance, the quality of shareholder services is a highly important factor in attracting and retaining fund investors.''). \8\ See, e.g., BlackRock FSOC Comment Letter at 55 (``Issues related to operational and business continuity risk can be costly and/or harm an asset manager's reputation with its clients.''); Comment Letter of Managed Funds Association to FSOC Notice (Mar. 25, 2015) (``MFA FSOC Comment Letter'') at 45 (``It is in every manager's self-interest to have appropriate plans in place to handle emergencies.''). \9\ See, e.g., BlackRock FSOC Comment Letter at 10 (``In the normal course of business, asset managers implement measures to mitigate the impact of potentially disruptive events through operational risk management programs, including maintaining business continuity plans . . . .''); Fidelity FSOC Comment Letter at 32 (``Fidelity devotes significant time and resources to ensuring that we can provide the services our clients expect even in exigent circumstances.''). --------------------------------------------------------------------------- While we understand that many investment advisers already have taken steps to address and mitigate the risks of business disruptions,\10\ our staff has observed a wide range of practices by advisers in addressing operational risk management. 
The staff frequently observes advisers managing operational and other risks through internal practices, procedures, and controls that are typically assessed by the adviser's legal, compliance, or audit staff, and often sees independent third-party assessments performed by audit or compliance firms.\11\ However, the staff also has observed advisers with less robust planning, causing them to experience interruptions in their key business operations and inconsistently maintain communications with clients and employees during periods of stress.\12\ As discussed further below, our staff has noted weaknesses in some adviser BCPs with respect to consideration of widespread disruptions, alternate locations, vendor relationships, telecommunications and technology, communications plans, and review and testing.\13\ Although disparate practices may exist in light of the varying size and complexity of registrants, to effectively mitigate such risks we are proposing to require all SEC-registered investment advisers to have plans that are reasonably designed to address operational and other risks related to a significant disruption in the investment adviser's operations. --------------------------------------------------------------------------- \10\ See, e.g., Comment Letter of Securities Industry and Financial Markets Association and the Investment Adviser Association to FSOC Notice (Mar. 25, 2015) (``SIMFA/IAA FSOC Comment Letter'') at 43 (``Of potentially more significant interest, asset managers are keenly focused on business continuity planning, disaster recovery, data protection, and cybersecurity issues--not just because of regulatory requirements . . . but also as a business imperative.''). \11\ We recognize that some asset management firms have well-established sophisticated enterprise risk management (``ERM'') practices built upon widely followed frameworks. See, e.g., SIMFA/IAA FSOC Comment Letter at 42-43. 
The letter notes that in larger more sophisticated asset managers, operational risks can be addressed by an ERM framework such as the Committee of Sponsoring Organizations (``COSO'') framework that works to identify key risk elements within the firm and how those elements are monitored and risks mitigated. See COSO, Enterprise Risk Management--Integrated Framework (Sept. 2004), available at https://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf. We understand that investment advisers with ERM programs typically consider business continuity as part of their broader management of operational risks. Accordingly, we believe that an adviser's business continuity and transition plan under the proposed rule could be a part of the adviser's existing ERM program. \12\ See NEP Risk Alert, infra note 30, at 3. \13\ See NEP Risk Alert, infra note 30; see also infra notes 31-35 and accompanying text. --------------------------------------------------------------------------- As described in more detail below, we are concerned about the adequacy of some advisers' plans to address operational and other risks associated with business resiliency. Our experience indicates that clients of advisers who do not have robust plans in place to address the operational and other risks related to significant disruptions in their operations are at greater risk of harm during such a disruption than the clients of advisers who do have such plans in place. As fiduciaries, investment advisers owe their clients a duty of care and a duty of loyalty, requiring them to put their clients' interests above their own.\14\ As part of their fiduciary duty, advisers are obligated to take steps to protect client interests from being placed at risk as a result of the adviser's inability to provide advisory services.\15\ --------------------------------------------------------------------------- \14\ See SEC v. Capital Gains Research Bureau, Inc., 375 U.S. 
180, 191, 194 (1963) (noting that the Advisers Act ``reflects a congressional recognition `of the delicate fiduciary nature of an investment advisory relationship''' and stating that ``[c]ourts have imposed on a fiduciary an affirmative duty of `utmost good faith, and full and fair disclosure of all material facts,' as well as an affirmative obligation `to employ reasonable care to avoid misleading' his clients'' (citations omitted)); Transamerica Mortgage Advisors, Inc. v. Lewis, 444 U.S. 11, 17 (1979) (noting that the Advisers Act's ``legislative history leaves no doubt that Congress intended to impose enforceable fiduciary obligations''). \15\ See Compliance Programs of Investment Companies and Investment Advisers, Advisers Act Rel. No. 2204 (Dec. 17, 2003) [68 FR 74714 (Dec. 24, 2003)] (``Compliance Program Adopting Release'') at n.22 (noting this fiduciary obligation in the context of BCPs). --------------------------------------------------------------------------- Section 206(4) of the Advisers Act authorizes the Commission to adopt rules and regulations that ``define, and prescribe means reasonably designed to prevent, such acts, practices, and courses of business as are fraudulent, deceptive, or manipulative.'' Because an adviser's fiduciary duty obligates it to take steps to protect client interests from being placed at risk as a result of the adviser's inability to provide advisory services, clients are entitled to assume that advisers have taken the steps necessary to protect those interests in times of stress, whether that stress is specific to the adviser or the result of broader market and industry events. We believe it would be fraudulent and deceptive for an adviser to hold itself out as providing advisory services unless it has taken steps to protect clients' interests from being placed at risk as a result of the adviser's inability (whether temporary or permanent) to provide those services. 
Accordingly, we believe advisers should be required to establish strong operational policies and procedures that manage the risks associated with business continuity and transitions. These policies and procedures should increase the likelihood that advisers are as prepared as possible to continue operations during times of stress and that they have taken steps to minimize risks that could lead to disruptions in their operations. These policies and procedures also should increase the likelihood that clients are not harmed in the event of a significant disruption in their adviser's operations. Therefore, today we are proposing to require SEC-registered advisers to adopt and implement written business continuity and transition plans that include certain specific components, and to maintain relevant records of those plans, in order to facilitate robust business continuity and transition planning across all SEC-registered advisers. B. Background 1. Business Continuity Planning The rapid recovery and resumption of the financial markets and the activities that support them underpins the resiliency of the U.S. financial system.\16\ [[Page 43533]] Business continuity planning is a critical activity that supports resiliency and one that financial services firms, including investment advisers, generally should engage in to address the inherent risks they face in serving their clients' needs. Federal and state financial market and services regulators, including the Commission, have sought to highlight and address operational risks and the tools necessary to manage them, including fulsome business continuity planning for many financial industry participants.\17\ --------------------------------------------------------------------------- \16\ See Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System, Securities Exchange Act Rel. No. 47638 (Apr. 7, 2003) [68 FR 17809 (Apr. 11, 2003)] (``Interagency Paper''); cf. 
infra note 21 and accompanying text. \17\ See Regulation Systems Compliance and Integrity, Securities Exchange Act Rel. No. 73639 (Nov. 19, 2014) [79 FR 72251 (Dec. 5, 2014)] (``Regulation SCI Adopting Release''); see also Policy Statement: Business Continuity Planning for Trading Markets, Securities Exchange Act Rel. No. 48545 (Sept. 25, 2003). In addition, we note that banks are subject to the Federal Financial Institutions Examination Council's (``FFIEC'') business continuity guidelines, which state that financial institutions should develop comprehensive BCPs and that ``[t]he goal of the BCP should be to minimize financial losses to the institution, serve customers and financial markets with minimal disruptions, and mitigate the negative effects of disruptions on business operations.'' See FFIEC, IT Examination Handbook, Business Continuity Planning (Feb. 2015) (``FFIEC Handbook''), available at https://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_BusinessContinuityPlanning.pdf; see also Board of Governors of the Federal Reserve System, Supervisory Letter SR 15-3 (Feb. 6, 2015), available at https://www.federalreserve.gov/bankinforeg/srletters/sr1503.htm. The FFIEC is an ``interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB).'' See FFIEC, available at https://www.ffiec.gov. 
--------------------------------------------------------------------------- For example, the Financial Industry Regulatory Authority (``FINRA'') requires broker-dealers to establish business continuity plans (``BCPs'') reasonably designed to meet existing customer obligations and address relationships with other broker-dealers and counterparties.\18\ Additionally, the Commodity Futures Trading Commission (``CFTC'') has adopted regulations that require swap dealers and major swap participants to establish and maintain BCPs that are designed to enable the regulated entity ``to continue or to resume any operations by the next business day with minimal disturbance to its counterparties and the market.'' \19\ The North American Securities Administrator Association (``NASAA'') also recently adopted a model rule that, if adopted in a particular state, would require investment advisers registered in that state to have business continuity and succession plans in place that minimize ``service disruptions and client harm that could result from a sudden significant business disruption.'' \20\ --------------------------------------------------------------------------- \18\ See FINRA Rule 4370 (requiring that member BCPs address certain elements, including data backup and recovery, all mission critical systems, alternate communications, alternate physical location of employees, and critical business constituent (i.e., a business with which a member firm has an ongoing commercial relationship in support of the member's operating activities), bank and counter-party impact); see also NASD, Notice to Members 04-37: Business Continuity Plans (May 2004), available at https://www.finra.org/sites/default/files/NoticeDocument/p003095.pdf. We note that investment advisers that are also registered as broker-dealers would have to comply with FINRA's rule as well as the proposed rule. 
However, as noted herein, we have modeled much of the proposed rule, including the required components of a business continuity and transition plan, on BCP requirements for other financial services firms that we believe share similar vulnerabilities as investment advisers. See infra notes 61-62 and accompanying text. \19\ See 17 CFR 23.603(a). Relevant BCPs must be designed to recover all documentation and data required to be maintained by applicable law and regulation, and are required to include certain required components that are related to, among other things, data backup, systems maintenance, communications, geographic diversity, and third parties. See infra notes 62, 71, 79, and 86. \20\ See NASAA Model Rule 203(a)-1A (stating that all plans should provide for backup of books and records, alternate means of communication, office relocations, assignment of duties to qualified persons in the event of death or unavailability of key personnel, and otherwise minimizing service disruption and client harm); see also Mark Schoeff Jr., State Regulators to Require Continuity Plans, Investment News, (Apr. 22, 2015), available at https://www.investmentnews.com/article/20150422/FREE/150429965/state-regulators-to-require-continuity-plans. --------------------------------------------------------------------------- In addition, we recently adopted rules to strengthen the technology infrastructure of the U.S. securities markets by adopting Regulation Systems Compliance and Integrity, or Regulation SCI, which applies to, among other things, self-regulatory organizations, certain alternative trading systems, and certain exempt clearing agencies.\21\ Specifically, Regulation SCI is designed to reduce the occurrence of systems issues and improve resiliency for key market participants when these problems do occur, and requires, among other things, relevant entities to have and test business continuity and disaster recovery plans. 
While these regulations and those of other regulatory bodies address different entities, they generally highlight similar principles of business continuity planning, including the need to address critical systems, data backup, communications, alternate and/or geographically diverse locations, and third-party relationships. --------------------------------------------------------------------------- \21\ See Regulation SCI Adopting Release, supra note 17. Among other things, Regulation SCI requires SCI entities to establish and test business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical systems in the event of a wide-scale disruption. See 17 CFR 242.1001(a)(2)(v). Further, Regulation SCI sets forth business continuity and disaster recovery plan testing requirements for SCI entities. See 17 CFR 242.1004. --------------------------------------------------------------------------- Regulatory authorities have also acted collectively and in consultation with each other to address operational risks in light of the interconnectedness and interdependency of financial market participants. For example, the Commission, along with the Board of Governors of the Federal Reserve System (``Federal Reserve'') and the Office of the Comptroller of the Currency, issued the Interagency Paper on Sound Practices to Strengthen the Resilience of the Financial System, which sets forth business continuity objectives for all financial firms and the U.S. financial system as a whole.\22\ More recently, FSOC issued a request for public comment on, among other things, operational risks and transition planning as it relates to the asset management industry.\23\ --------------------------------------------------------------------------- \22\ See Interagency Paper, supra note 16. 
The objectives discussed in the paper include (i) rapid recovery and timely resumption of critical operations following a wide-scale disruption; (ii) rapid recovery and timely resumption of critical operations following the loss or inaccessibility of staff in at least one major operating location; and (iii) a high level of confidence, through ongoing use or robust testing, that critical internal and external continuity arrangements are effective and compatible. The paper also sets forth four sound practices for core clearing and settlement organizations and firms that play significant roles in critical financial markets, including (i) identifying clearing and settlement activities in support of critical financial markets, (ii) determining appropriate recovery and resumption objectives, (iii) maintaining sufficient geographically dispersed resources to meet such objectives, and (iv) routinely using or testing recovery and resumption arrangements. See id. In addition, in 2012-2013, the Commission's Office of Compliance Inspections and Examinations (``OCIE''), along with FINRA and the CFTC, jointly reviewed a number of firms' business continuity and disaster recovery planning and published their joint observations on best practices and lessons learned. See Joint Review of Business Continuity and Disaster Recovery of Firms by the Commission's National Examination Program, CFTC's Division of Swap Dealers and Intermediary Oversight and FINRA (Aug. 16, 2013) (``Joint Review of Business Continuity''), available at https://www.sec.gov/about/offices/ocie/jointobservations-bcps08072013.pdf. Financial services industry participants have also been proactive in addressing resiliency issues. 
See, e.g., Financial Services Sector Coordinating Council (established to coordinate infrastructure and homeland security activities within the financial services industry comprised of financial trade associations, financial utilities and financial firms), available at https://www.fsscc.org.
\23\ See FSOC Notice (Dec. 24, 2014) [79 FR 77488 (Dec. 24, 2014)], available at https://www.treasury.gov/initiatives/fsoc/rulemaking/Documents/Notice%20Seeking%20Comment%20on%20Asset%20Management%20Products%20and%20Activities.pdf; see also FSOC, Update on Review of Asset Management Products and Activities (Apr. 18, 2016), available at https://www.treasury.gov/initiatives/fsoc/news/Documents/FSOC%20Update%20on%20Review%20of%20Asset%20Management%20Products%20and%20Activities.pdf. Although our rulemaking proposal is independent of FSOC, several commenters responding to the FSOC Notice discussed operational risks and transition issues related to investment advisers, and we have considered and discussed relevant comments throughout this release. Comments submitted in response to the FSOC Notice are available at https://www.regulations.gov/#!docketBrowser;rpp=25;po=0;dct=PS;D=FSOC-2014-0001.
---------------------------------------------------------------------------
[[Page 43534]]

The Commission addressed business continuity planning with respect to investment advisers in a general way when it adopted rule 206(4)-7 under the Advisers Act (``Compliance Program Rule''). 
Under the rule, advisers are required to consider their fiduciary and regulatory obligations under the Advisers Act, and adopt and implement written compliance policies and procedures reasonably designed to prevent violations of the Advisers Act.\24\ At the time it adopted the rule, the Commission was concerned that not all advisers had adopted adequate compliance programs and as a result, clients and investors were being harmed.\25\ In the release adopting the Compliance Program Rule, the Commission stated that an adviser's compliance policies and procedures should address BCPs to the extent that they are relevant to an adviser.\26\ The Commission did not, however, identify critical components of a BCP or discuss specific issues or areas that advisers should consider in developing such plans. --------------------------------------------------------------------------- \24\ See rule 206(4)-7; Compliance Program Adopting Release, supra note 15, at section II.A.1. Rule 206(4)-7 makes it unlawful for advisers to provide investment advice unless they adopt and implement written compliance policies and procedures reasonably designed to prevent violations by the adviser and its supervised persons of the Advisers Act and rules thereunder. \25\ The Commission noted that it and state securities authorities had recently discovered unlawful conduct involving a number of advisers, broker-dealers, and other service providers where personnel of these entities engaged in, or actively assisted others in engaging in, inappropriate market timing, late trading of fund shares, and the misuse of material, nonpublic information about fund portfolios. The Commission noted that these personnel had breached their fiduciary obligations to the funds involved and their shareholders by placing their own interests or the interests of the fund adviser ahead of the interests of fund shareholders. See Compliance Program Adopting Release, supra note 15, at section I. \26\ Id. 
The Commission identified ten areas adviser compliance programs should address, including BCPs. --------------------------------------------------------------------------- As discussed above, an adviser's fiduciary obligations require it to take steps to protect its clients' interests from being placed at risk as a result of the adviser's inability to provide advisory services.\27\ This fiduciary duty fosters trust between the client and its adviser, such that the client relies on the adviser to act in its best interests and safeguard its assets as appropriate, even during times of stress.\28\ If an adviser is unable to provide advisory services after, for example, a natural disaster, a cyber-attack, an act of terrorism, technology failures, or the departure of key personnel, its temporary inability to continue operations may put clients' interests at risk and prevent it from meeting its fiduciary duty to clients. This risk could include the risk of loss if, for example, an adviser lacks the ability to make trades in a portfolio, is unable to receive or implement directions from clients, or if clients are unable to access their assets or accounts. As part of its fiduciary duty to protect client interests, an adviser also should take steps to minimize operational and other risks that could lead to a significant business disruption like, for example, a systems failure. In order to do so, advisers should generally assess and inventory the components of their business and minimize the scope of its vulnerability to a significant business disruption. While we recognize that an adviser may not be able to prevent significant business disruptions (e.g., a natural disaster, terrorist attack, loss of service from a third-party), we believe robust planning for significant business disruptions can help to mitigate their effects and, in some cases, minimize the likelihood of their occurrence. 
--------------------------------------------------------------------------- \27\ See id. at n.22. The Commission also has stated that ``clients of an adviser that is engaged in the active management of their assets would ordinarily be placed at risk if the adviser ceased operations.'' Id. \28\ See generally SEC v. Capital Gains Research Bureau, Inc., supra note 14 at 191 (``A fiduciary owes its clients more than mere honesty and good faith alone. ''); Investment Adviser Association, What is an Investment Adviser?, available at https://www.investmentadviser.org/eweb/dynamicpage.aspx?webcode=whatisia (noting that because advisers owe a fiduciary duty to their clients, they ``[stand] in a special relationship of trust and confidence with [their] clients'' and that such fiduciary duty generally includes the duty to place the clients' interests first ``at all times''). --------------------------------------------------------------------------- Various weather-related events have tested, on a large scale, the effectiveness of existing BCP components of advisers' compliance programs.\29\ In addition, these events provided our examination staff the opportunity to review, observe, and assess the operations and resiliency of BCPs across many advisers. The examination staff followed these reviews by issuing public reports of their findings and effective practices.\30\ --------------------------------------------------------------------------- \29\ For example, Hurricane Katrina in 2005 and, as discussed in this release, Hurricane Sandy in 2012 presented challenges to advisers affected by those storms. \30\ See National Exam Program Risk Alert, SEC Examinations of Business Continuity Plans of Certain Advisers Following Operational Disruptions Caused by Weather-Related Events Last Year (Aug. 27, 2013) (``NEP Risk Alert''), available at https://www.sec.gov/about/offices/ocie/business-continuity-plans-risk-alert.pdf. 
The examination was part of a joint review by the SEC's OCIE, FINRA and the CFTC of relevant firms' business continuity and disaster recovery planning in the wake of Hurricane Sandy. Together, these entities issued a joint statement setting forth best practices and lessons learned as a result of their review. See Joint Review of Business Continuity, supra note 22; see also SEC Compliance Alert (June 2007) (``Compliance Alert''), available at https://www.sec.gov/about/offices/ocie/complialert.htm. --------------------------------------------------------------------------- Hurricane Sandy broadly impacted the industry and its operations because of the duration and point of impact of the storm, which affected parts of New York, New Jersey, and the surrounding areas, where numerous financial services providers (both markets and participants) are concentrated. In the aftermath of the hurricane, examiners observed that the degree of specificity of advisers' written BCPs varied and that some advisers' BCPs did not ``adequately address and anticipate widespread events.'' \31\ In addition, with respect to alternative locations, examination staff noted that some advisers did not have geographically diverse office locations, even when they recognized that diversification would be appropriate.\32\ Additionally, they observed with respect to vendor relationships and telecommunications/technology, that certain advisers did not evaluate the BCPs of their service providers or engage service providers to ensure their backup servers worked properly, and that some advisers reported that they did not keep updated lists of their vendors and respective contacts.\33\ Moreover, with respect to communications plans, the examination staff observed that some advisers inconsistently planned how to contact and deploy employees during a crisis, inconsistently maintained communications with clients and employees, and did not identify which personnel were responsible for executing and 
implementing the various portions of the BCP.\34\ Finally, with respect to review and testing, our examination staff reported that some advisers ``inadequately tested their BCPs relative to their advisory businesses.'' \35\ These observations illustrate our experience that business continuity planning among investment advisers [[Page 43535]] can be uneven and, in some instances, may not be sufficiently robust to mitigate the potential adverse effects of a significant business disruption on clients. --------------------------------------------------------------------------- \31\ See NEP Risk Alert, supra note 30, at 3. \32\ See NEP Risk Alert, supra note 30, at 4. \33\ See NEP Risk Alert, supra note 30, at 4-5. \34\ See NEP Risk Alert, supra note 30, at 6. \35\ See NEP Risk Alert, supra note 30, at 7. --------------------------------------------------------------------------- Additionally, the operational complexity of advisers has increased over the years and many advisers' operations are highly dependent on technology, including investment processes (e.g., trading, risk management operations) and client services.\36\ It is critical for investment advisers to focus on resiliency so that they can continue to provide services to their clients when events impact the availability of systems, facilities, and staff. The ability to recover such systems, including third-party vendor provided platforms and services, and business operations in a timeframe that meets business requirements is important to mitigating the consequences of disruptive events.\37\ --------------------------------------------------------------------------- \36\ See, e.g., Blackrock, The Role of Technology Within Asset Management (Aug. 
2014), at 1, available at https://www.blackrock.com/corporate/en-us/literature/whitepaper/viewpoint-asset-management-technology-aug-2014.pdf (``Asset managers require systems to facilitate the maintenance of data and flow of information in the investment process, such as trading counterparties and custodians. Technology provides the unseen `plumbing' that ensures information flows smoothly throughout the ecosystem.''). The paper also notes that a robust asset management process requires both experienced professionals and technology, and that integrated investment technology enhances the quality of large volumes of data, supports consistent investment workflows and enables timely communications for both internal functions and with external parties.
\37\ See, e.g., infra note 90.
---------------------------------------------------------------------------

Based on the staff's observations from examinations, and the ever-growing complexity of, and risks to, operations, we are concerned that some advisers may not have robust BCPs. When a client entrusts an adviser to manage its assets, the client does so with the expectation that the adviser will act in its best interests and safeguard its assets as appropriate, even in times of stress. We believe that without robust business continuity planning, an adviser's clients may be placed at risk in times of stress. Accordingly, to facilitate such robust planning across all SEC-registered advisers, we are proposing to require that these advisers address certain components in their business continuity and transition plans.

2. Transition Planning

Operational risks are not limited to affecting the day-to-day operations of an adviser, but can lead to a financial services firm having to cease or wind-down operations while also considering how to safeguard client or investor assets. 
The 2008 financial crisis demonstrated that providers of financial services are at risk of having to exit the market unexpectedly and having to do so quickly.\38\ As with traditional business continuity planning, regardless of whether the risk is internal or external to the firm, a reasonably designed plan assessing various risks related to a business transition (e.g., operational and other risks related to transitioning client assets) and how to react to transition events should ameliorate the impact of transitions on clients.\39\ After the financial crisis, Congress addressed the need for this type of advance planning for certain institutions in the Dodd-Frank Wall Street Reform and Consumer Protection Act, which mandated regulations that require certain financial institutions to plan for ``rapid and orderly resolution in the event of material financial distress or failure.''\40\ --------------------------------------------------------------------------- \38\ See Financial Crisis Inquiry Commission, Final Report of the National Commission on the Causes of the Financial and Economic Crisis in the United States (Jan. 2011) at 22-23, available at https://www.gpo.gov/fdsys/pkg/GPO-FCIC/pdf/GPO-FCIC.pdf (``In January 2008, Bank of America announced it would acquire the ailing lender Countrywide. . . . Bear Stearns . . . was bought by JP Morgan with government assistance in the spring. Before the summer was over, Fannie Mae and Freddie Mac would be put into conservatorship. Then, in September, Lehman Brothers failed and the remaining investment banks, Merrill Lynch, Goldman Sachs, and Morgan Stanley, struggled as they lost the market's confidence. AIG . . . was rescued by the government. Finally, many commercial banks and thrifts . . . teetered. IndyMac had already failed over the summer; in September, Washington Mutual became the largest bank failure in U.S. history. In October, Wachovia struck a deal to be acquired by Wells Fargo.''). 
Several of the financial services firms mentioned in this report included asset management subsidiaries. \39\ Both transition planning and business continuity planning relate to instances where an adviser may be unable to provide advisory services and where advance planning for those instances would benefit advisers and their clients. We note that in the Compliance Program Adopting Release, the Commission noted the risks to advisory clients if an adviser ceased operations. See Compliance Program Adopting Release, supra note 15. \40\ See section 165(d) of the Dodd-Frank Act [12 U.S.C. 5365]; see also Resolution Plans Required, 76 FR 67323 (Nov. 1, 2011) (``Resolution Plans''). We are not proposing that advisers adopt resolution plans or ``living wills'' similar to that which certain financial institutions must now adopt under FDIC and Federal Reserve rules because investment advisers do not interact with the government in the same way as banks. For example, advisers do not accept insured ``deposits,'' do not have access to the Federal Reserve discount window, and do not use their own balance sheets when trading client assets. 
---------------------------------------------------------------------------

In the normal course of business, it is our understanding that advisers routinely transition client accounts without a significant impact to themselves, their clients, or the financial markets.\41\ We believe that much of this is largely attributable to the agency relationship of advisers managing the assets on behalf of their clients and the regulatory framework supporting this relationship whereby advisory client assets for which the adviser has custody are required to be held at a qualified custodian, such as a bank or broker-dealer.\42\ Because client assets custodied by an adviser must be held at a qualified custodian and segregated from the adviser's assets, we have observed that transitioning accounts from one adviser to another can largely be a streamlined process that in many cases may not involve the physical movement or sale of assets.\43\ Pooled investment vehicle clients generally have the ability to terminate the advisory contract of the adviser or remove the governing body that may provide advisory services (e.g., general partner or managing member) and appoint a new adviser or governing body if they so desire, while separate account clients can generally terminate the advisory contract and appoint a new adviser to manage their assets, all while their assets are typically maintained at a qualified custodian.\44\
---------------------------------------------------------------------------
\41\ See, e.g., BlackRock FSOC Comment Letter (noting that ``[t]ransitioning the management of client assets from one manager to another regularly occurs in the normal course of business'' and listing 19 previous examples of advisers or funds exiting the market without great market impact); SIFMA/IAA FSOC Comment Letter (noting that ``managers and funds routinely enter and exit the asset management industry'' and citing an Investment Company Institute paper to note that, in 2013, ``48 mutual 
fund sponsors left the business without any impact or distress''); Comment Letter of PIMCO to FSOC Notice (Mar. 25, 2015); Vanguard FSOC Comment Letter. In addition, we understand that specialized transition managers exist to manage assets during a transition from one adviser to another. See, e.g., BlackRock FSOC Comment Letter at 66.
\42\ See rule 206(4)-2 under the Advisers Act. The use of custodians that traditionally provide those services provides protection for client assets from the adverse effects of stress at an adviser. We also note that approximately 96.7% of SEC-registered advisers are not related to the custodians that hold client assets. Based on data from the Commission's IARD as of January 4, 2016.
\43\ Client assets are not part of the adviser's balance sheet. Client assets are not subject to the liquidation or potential bankruptcy process of an asset manager and are not subject to the adviser's creditors.
\44\ We note that to the extent a new adviser does not have a relationship with the same custodian used by the previous adviser, assets may need to be transferred to a different custodian. Additionally, we note that complications could arise with respect to the transfer of shareholder records when transitioning client accounts to another adviser. 
--------------------------------------------------------------------------- In addition, we are aware of instances of non-routine disruptions at large advisory businesses that have resulted in transitions to new advisers or new ownership without appearing to have a significant adverse impact on clients, fund investors, or the financial [[Page 43536]] markets.\45\ Advisers routinely enter and exit the market and are capable of transferring client assets to another adviser or distributing such assets back to the client without negatively impacting the client.\46\ Cases of advisory firms experiencing transition events are often caused by a rapid decrease in assets under management, which can occur for a variety of reasons, including poor performance or an event causing reputational harm.\47\ To help ensure that a transition is as seamless as possible, an adviser must be aware of the impediments that should be addressed to minimize potential client impact. --------------------------------------------------------------------------- \45\ For example, although a unique situation, advisory firm Neuberger Berman spun out of Lehman Brothers during the 2008 financial crisis into a private company. See also infra note 52 (discussing the circumstances of the Neuberger Berman sale). \46\ See supra note 41. 
\47\ See, e.g., Trevor Hunnicutt, F-Squared Files for Bankruptcy, Investment News (July 8, 2015) (``F-Squared Article''), available at https://www.investmentnews.com/article/20150708/FREE/150709926/f-squared-files-for-bankruptcy (noting that after settling charges with the SEC for false performance claims, F-squared started losing assets under management); Christine Dugas & Sandra Block Strong, Strong Capital, Founder to Pay $140M in Settlement, USA Today (May 20, 2004), available at https://usatoday30.usatoday.com/money/perfi/funds/2004-05-20-strong-settle_x.htm (noting that after Strong Capital Management (``Strong'') and its founder settled charges with the SEC for allowing and engaging in undisclosed frequent trading in Strong mutual funds, Strong funds had a ``net outflow of investor assets totaling $4.9 billion''); see also In the Matter of F-Squared Investments, Inc., Advisers Act Rel. No. 3988 (Dec. 22, 2014) (settled enforcement action); In the Matter of Strong Capital Management, et al., Securities Exchange Act Rel. No. 49741 (May 20, 2004) (settled enforcement action); infra note 60. 
--------------------------------------------------------------------------- We are also aware of transitions involving funds under stress that have not been seamless or without problem.\48\ For example, in one instance, an adviser's proprietary system used on behalf of a fund client had limitations on the pricing of fund shares that could not be efficiently modified to accommodate certain events, which in turn impeded the processing of fund redemption transactions and the reconciliation, liquidation, and transfer of investor accounts on a timely basis.\49\ In addition, while maintaining assets with a custodian may ease the transfer of those assets, the adviser may have important or private information concerning its clients or their strategies and goals that would need to be transitioned securely and efficiently.\50\ --------------------------------------------------------------------------- \48\ See, e.g., BlackRock FSOC Comment Letter (citing to the wind-down of Long-Term Capital Management in 2000 and Reserve Primary Fund in 2008 and noting that regulatory intervention was necessary for the funds involved). \49\ See In the Matter of The Reserve Fund, et al., Investment Company Act Rel. No. 28386 (Sept. 22, 2008) (finding that the temporary suspension of the right of redemption and postponement of payment for shares which had been submitted for redemption but for which payment had not been made was necessary for the protection of shareholders); see also The Reserve Delays Primary Fund Distributions, MFWire.com (Oct. 14, 2008), available at https://www.mfwire.com/article.asp?storyID=19638&bhcp=1 (``The process of determining accurately the number of shares each investor held in the Primary Fund has proven to be extremely complex and could not be completed in the originally anticipated time frame.''); The Reserve Furnishes More Details On Primary Fund Redemptions, MFWire.com (Oct. 
16, 2008), available at https://www.mfwire.com/article.asp?storyID=19656&bhcp=1 (``[W]e have been working diligently to enhance our existing software and add new programs to hasten the distribution process.'').
\50\ See generally Regulation S-P, 17 CFR 248 (establishing general requirements and restrictions on a financial institution's ability to disclose nonpublic personal information about consumers, including clients, to nonaffiliated third parties and exceptions associated therewith).
---------------------------------------------------------------------------

Moreover, the 2008 financial crisis illustrated that one firm's distress may at times have a broader impact on the financial markets and overall economy.\51\ Advisers could be impacted by broader market events in a number of ways that could affect an adviser's ability to continue operations and possibly lead to a transition event. For example, advisers are often owned by or affiliated with other financial services firms who themselves may be in distress. An adviser may be affected by such distress to the extent the distress negatively impacts the adviser's reputation, if it relies on a distressed affiliate for certain systems or services, or if it is an asset that a distressed parent sells.\52\ Under circumstances such as these, we are concerned about the adviser's ability to continue to act in the clients' best interests.
---------------------------------------------------------------------------
\51\ See generally Joint Report, infra note 72.
\52\ See, e.g., Lehman Brothers selling its asset management arm after declaring bankruptcy. Sam Mamudi, Neuberger Berman Sold to Private Equity, Market Watch (Sept. 29, 2008), available at https://www.marketwatch.com/story/neuberger-berman-sold-to-private-equity-for-215-billion. 
--------------------------------------------------------------------------- Proper planning and preparation for possible distress and other significant disruptions in an adviser's operations is essential so that, if an entity has to exit the market, it can do so in an orderly manner, with minimal or no impact on its clients. As discussed above, an adviser's fiduciary duty obligates it to take steps to protect client interests from being placed at risk as a result of the adviser's inability to provide advisory services and, thus, it would be fraudulent and deceptive for an adviser to hold itself out as providing advisory services unless it has taken such steps.\53\ Such advance planning and preparation may minimize an adviser's exposure to operational and other risks and, therefore, lessen the possibility of a significant disruption in its operations, and also may lessen any potential impact on the broader financial markets. Accordingly, and as discussed in more detail below, we believe that SEC-registered advisers should be required to adopt and implement a written business continuity and transition plan that is tailored to the risks associated with the adviser's operations and includes certain components, reflecting its critical role as an agent for its clients. --------------------------------------------------------------------------- \53\ See supra section I.A; see also section 206(4) of the Advisers Act. --------------------------------------------------------------------------- C. 
Discussion

We believe it is appropriate at this time to propose a rule requiring SEC-registered advisers to adopt and implement a business continuity and transition plan\54\ that is reasonably designed to address operational and other risks related to a significant disruption in an adviser's operations and that addresses certain specified components.\55\ We recognize that, pursuant to the Compliance Program Rule, most SEC-registered investment advisers may already have BCPs in place as part of their compliance policies and procedures \56\ and that those plans (or other plans) may also address transition planning.\57\ However, it has been our staff's experience that the robustness of these BCPs is inconsistent across investment advisers. We believe that requiring a business [[Page 43537]] continuity and transition plan that addresses operational and other risks by rule and specifying certain components of such a plan will facilitate the adoption and implementation of robust plans by all SEC-registered investment advisers that address critical areas and that should be effective and workable during a significant disruption in an adviser's operations. Moreover, we believe requiring such plans will benefit advisory clients because advisers will likely be better prepared to deal with business continuity and transition events if and when they occur and will better mitigate risks attendant with their operations and business practices, thereby reducing the likelihood of client harm as the result of a significant disruption in an adviser's operations.
---------------------------------------------------------------------------
\54\ We recognize that business continuity planning and transition planning address different circumstances (i.e. one addresses the continuation of a business while the other addresses the winding down of a business). See infra note 60 and accompanying text. 
However, both business continuity planning and transition planning pertain to instances where an adviser may be unable to provide advisory services and where advance planning for those instances would benefit advisers and their clients. In this release and in proposed rule 206(4)-4, we refer to an adviser adopting ``a'' business continuity and transition plan. The proposed rule would not require an adviser to consolidate all of the components described in proposed rule 206(4)-4 into one document. An adviser may maintain separate plans that address the components identified in proposed rule 206(4)-4. \55\ We note that the Commission has explicitly required BCPs in other contexts, and that FINRA has adopted specific rules on BCPs for broker-dealers. See Regulation SCI Adopting Release, supra note 17; FINRA Rule 4370. Further, NASAA has also issued a model rule for states to apply to state-registered advisers, which tend to be smaller in scale and size than advisers registered with the Commission. See NASAA Model Rule 203(a)-1A. \56\ See, e.g., BlackRock FSOC Comment Letter at 10 (noting that asset managers maintain BCPs); Fidelity FSOC Comment Letter at 32-33 (discussing BCPs). \57\ We understand that in practice, adviser BCPs focus on risks from events that would limit or impact normal operations, such as natural disasters or systems failures, but also can address transition planning. See supra note 39 (discussing the Compliance Program Adopting Release and language therein regarding risks to clients if an adviser ceases operations). --------------------------------------------------------------------------- We are proposing new rule 206(4)-4 under the Advisers Act and amendments to rule 204-2 under the Advisers Act. Under rule 206(4)-4, it would be unlawful for an SEC-registered investment adviser to provide investment advice unless the adviser adopts and implements a written business continuity and transition plan and reviews that plan at least annually. 
The proposed amendments to rule 204-2 would require those advisers to make and keep copies of all written business continuity and transition plans that are in effect or were in effect at any time during the last five years, as well as any records documenting the adviser's annual review of its business continuity and transition plan.

1. Adopt and Implement Business Continuity and Transition Plans

The proposed rule would require SEC-registered advisers to adopt and implement written business continuity and transition plans reasonably designed to address operational and other risks related to a significant disruption in the investment adviser's operations.\58\ These plans would include policies and procedures concerning (1) business continuity after a significant business disruption, and (2) business transition in the event the investment adviser is unable to continue providing investment advisory services to clients. Business continuity situations generally include natural disasters, acts of terrorism, cyber-attacks, equipment or system failures, or unexpected loss of a service provider, facilities, or key personnel. Business transitions generally include situations where the adviser exits the market and thus is no longer able to serve its clients, including when it merges with another adviser, sells its business or a portion thereof,\59\ or in unusual situations, enters bankruptcy proceedings.\60\
---------------------------------------------------------------------------
\58\ See proposed rule 206(4)-4. We note that adviser BCPs are also often referred to as business continuity and disaster recovery plans; however, we have chosen to use the term ``business continuity and transition plan'' to refer to plans required under the proposed rule. 
We believe, however, that such plans would encompass disaster recovery planning because any robust BCP would need to plan for the recovery of its business operations and systems in order to be able to continue providing services to clients. See proposed rule 206(4)-4(b)(2)(i) (requiring business continuity and transition plans to include maintenance of critical operations and systems, and the protection, backup, and recovery of data). \59\ See proposed rule 206(4)-4(b). We note with respect to business transitions that there may be circumstances where an adviser is unable to provide advisory services for only a portion of its business, but is able to continue providing services with respect to another portion of its business, and thus, only exits a particular market. An adviser's business continuity and transition plan generally should address the possibility of such a partial transition. Cf. infra note 60 and accompanying text (discussing business transitions generally). \60\ For example, in 2015, F-Squared Investments, Inc. filed for bankruptcy and arranged for its investment strategies to be managed by another adviser. See F-Squared Article, supra note 47. In addition, in 2005, funds managed by Strong were acquired by Wells Fargo & Company and the ``legal entities comprising the Strong . . . complex were subsequently liquidated.'' See BlackRock FSOC Comment Letter at 62-63 (discussing the Strong transition); see also Press Release, Wells Fargo Agrees to Acquire $34 Billion in Assets Under Management From Strong Financial Corporation, Wells Fargo (May 26, 2004), available at https://www.wellscap.com/docs/press_releases/5.26.04.pdf. --------------------------------------------------------------------------- The proposed rule is intended to help ensure that an adviser's policies and procedures minimize material service disruptions and any potential client harm from such disruptions. 
Advisers should keep this focus at the forefront when reviewing their business operations and developing their policies and procedures. Accordingly, the proposed rule would require an SEC-registered adviser's business continuity and transition plan to include policies and procedures designed to minimize material service disruptions, including policies and procedures that address certain specific components. We recognize that advisers' business models and operations vary, but we believe that every business continuity and transition plan must generally address operational and other risks related to a significant disruption in the adviser's operations and must address certain key components to plan and prepare for such disruptions.\61\ While we believe advisers should generally assess and inventory all of the components of their businesses in order to develop their business continuity and transition plans and tailor their plans to the specific risks their businesses face, we also believe that identifying these key components should facilitate the adoption and implementation of robust BCPs by all SEC-registered investment advisers. --------------------------------------------------------------------------- \61\ See supra notes 30-35 and accompanying text (discussing certain key elements of BCPs). Other regulatory bodies and organizations also have recognized key elements of business continuity plans. See 17 CFR 23.603 (setting forth essential components of BCPs for swap dealers and major swap participants); FINRA Rule 4370 (setting forth minimum elements that a business continuity plan should address); NASAA Model Rule 203(a)-1A (stating certain elements the plan should address); FFIEC Handbook, supra note 17, at G-1 (discussing components of effective BCPs). 
--------------------------------------------------------------------------- Under the proposed rule, the content of an SEC-registered adviser's business continuity and transition plan would be based upon risks associated with the adviser's operations and would include policies and procedures designed to minimize material service disruptions, including policies and procedures that address the following: \62\ (1) Maintenance of critical operations and systems, and the protection, backup, and recovery of data; \63\ (2) pre-arranged alternate physical location(s) of the adviser's office(s) and/or employees; \64\ (3) communications with clients, employees, service providers, and regulators; \65\ (4) identification and assessment of third-party services critical to the operation of the adviser; \66\ and (5) plan of transition that accounts for the possible winding down of the adviser's business or the transition of the adviser's business to others in the [[Page 43538]] event the adviser is unable to continue providing advisory services.\67\ --------------------------------------------------------------------------- \62\ We have modeled the proposed rule on BCP requirements for other financial services firms that we believe share similar vulnerabilities as investment advisers, as well as our staff's examinations experiences, which have highlighted a number of best practices as well as a number of areas for improvement specific to investment advisers. For example, to assist advisers in considering their own business continuity issues, the examination staff previously identified a number of ``lessons learned'' from its examinations of advisers that were affected by Hurricane Katrina. See Compliance Alert, supra note 30. 
The staff noted certain provisions in disaster recovery plans that appeared to be effective in allowing an adviser to provide ``uninterrupted advisory services to clients in a compliant manner after a disaster'' including (i) a pre-arranged remote location for short-term and possible long-term use; (ii) alternate communication protocols to contact staff and clients; (iii) remote access to business records and client data through appropriately secured means; (iv) temporary lodging for key staff where necessary and effective training of staff on how to fulfill essential duties in the event of a disaster; (v) maintaining accurate and up-to-date contact information for all third-party service providers and familiarity with the BCPs of those providers; (vi) contingency arrangements for loss of key personnel; (vii) periodic testing, evaluation and revision of the plan; and (viii) maintaining sufficient insurance and financial liquidity to prevent any interruption of the performance of compliant advisory services. \63\ See proposed rule 206(4)-4(b)(2)(i). \64\ See proposed rule 206(4)-4(b)(2)(ii). \65\ See proposed rule 206(4)-4(b)(2)(iii). \66\ See proposed rule 206(4)-4(b)(2)(iv). \67\ As discussed more below, the plan of transition would have to include (1) policies and procedures intended to safeguard, transfer and/or distribute client assets during transition; (2) information regarding the corporate governance of the adviser; (3) the identification of any material financial resources available to the adviser; (4) policies and procedures facilitating the prompt generation of any client-specific information necessary to transition each client account; and (5) an assessment of the applicable law and contractual obligations governing the adviser and its clients, including pooled investment vehicles, implicated by the adviser's transition. See proposed rule 206(4)-4(b)(2)(v). 
--------------------------------------------------------------------------- While each SEC-registered adviser's business continuity and transition plan must address the components set forth in the proposed rule, we recognize that the degree to which an adviser's plan addresses a required component will depend upon the nature of each particular adviser's business. We also recognize that business models and operations vary significantly among advisers.\68\ The proposed rule thus would require that the plan be reasonably designed to address the operational and other risks of an adviser and thus advisers need only take into account the risks associated with its particular operations, including the nature and complexity of the adviser's business, its clients, and its key personnel.\69\ For example, we believe that the business continuity and transition plan of a large adviser with multiple locations, offices, or business lines likely would differ significantly from that of a small adviser with a single office or only a few investment professionals and employees. Additionally, we believe that the business continuity and transition plan of an adviser with a complex internal technology infrastructure likely would differ from that of an adviser that primarily uses an outsourced model.\70\ The complexity and risks associated with these diverse business models could be substantially different, and our proposed rule is designed to give advisers the flexibility to create business continuity and transition plans that accommodate such differences. --------------------------------------------------------------------------- \68\ See Comment Letter of Wellington Management Group LLP to FSOC Notice (Mar. 
25, 2015) at 2 (``The unique characteristics of today's asset management industry (agency and advice based: Low barriers to entry: High substitutability among managers: And highly competitive) result in a large number of asset management firms that are organized in a variety of models.''). \69\ See, e.g., BlackRock FSOC Comment Letter at 9 (noting that ``understanding the differences in operating models is crucial'' in assessing the potential operational risk of an asset manager). \70\ Id. at 71. A larger adviser may conduct (insource) some or all middle and back office functions (e.g., securities administration, accounting, and recordkeeping) internally. Whereas in an outsourced model, the asset management firm hires third-party providers to perform various middle and back office functions. --------------------------------------------------------------------------- a. Maintenance of Critical Operations and Systems, and the Protection, Backup, and Recovery of Data, Including Client Records The proposed rule would require advisers' business continuity and transition plans to include policies and procedures on the maintenance of critical operations and systems, and the protection, backup, and recovery of data, including client records.\71\ With respect to maintaining critical operations/systems, an adviser's plan generally should identify and prioritize critical functions, operations, and systems and consider alternatives and redundancies to help maintain the continuation of operations in the event of a significant business disruption.\72\ When evaluating which operations and systems are critical, advisers generally should consider those that are utilized for prompt and accurate processing of portfolio securities transactions on behalf of clients, including the management, trading, allocation, clearance and settlement of such transactions. 
Advisers generally should also consider operations and systems that are critical to the valuation and maintenance of client accounts, access to client accounts, and the delivery of funds and securities. This typically will include identification and assessment of third-party services that support certain functions, as activities conducted may involve systems and processes that the adviser controls and others that may be wholly or partially dependent on third-party vendors, which we address below. Advisers generally also should identify which key personnel either provide critical functions to the adviser or support critical operations or systems of the adviser such that the temporary or permanent loss of those individuals would disrupt the adviser's ability to provide services to its clients. --------------------------------------------------------------------------- \71\ We note that Regulation SCI also includes requirements regarding the maintenance of systems. Rule 1001(a) requires each SCI entity to establish, maintain, and enforce policies and procedures that are reasonably designed to ensure that its ``SCI systems'' have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets. Moreover, rule 1001(a)(2)(v) also requires that these policies and procedures include business continuity and disaster recovery plans that are reasonably designed to achieve two-hour resumption of ``critical SCI systems'' following a wide-scale disruption. 17 CFR 242.1001. 
We note that in the Regulation SCI Adopting Release, the Commission stated that it would monitor and evaluate the implementation of Regulation SCI, the risks posed by systems of other market participants, and the continued evolution of the securities markets, and in the future may consider extending the types of requirements in Regulation SCI to other market participants, including investment advisers. See Regulation SCI Adopting Release, supra note 17, at 72259. We note that the proposed rule would not apply Regulation SCI to investment advisers. Rather, the Commission is proposing this rule in light of the specific operations and businesses of investment advisers and the risks they present. In addition to Regulation SCI, we note, as discussed above, that our staff has previously highlighted the importance of access to business records and client data as well as backup servers and other telecommunications services in the context of business continuity planning. See supra notes 30 and 33, and accompanying text. We also note that other regulatory bodies and organizations have stressed the importance of critical systems and data protection in the context of BCPs. See, e.g., 17 CFR 23.603(b)(1), (4) and (6) (requiring BCPs to include identification of documents, data, facilities and infrastructure, as well as backup or copying of documents and data, essential to operations, and procedures for and the maintenance of backup facilities, systems and infrastructure); FINRA Rule 4370(c)(1) and (2) (requiring BCPs to address data backup and recovery (both hard copy and electronic) as well as mission critical systems); NASAA Model Rule 203(a)-1A(1) (stating that BCPs should provide for ``protection, backup and recovery of books and records''); SIFMA, Business Continuity Planning Expanded Practices Guidelines (Apr. 
2011) (``SIFMA Guidelines'') at 27 and 32, available at https://www.sifma.org/uploadedfiles/services/bcp/sifma-bc-practices-guidelines2011-04.pdf (noting that businesses should ensure ``the functionality and availability of critical business applications'' and ``that redundant copies of vital records'' are securely stored and available during an emergency). \72\ Following the publication of the Interagency Paper, the Commission, together with the Federal Reserve and the Office of the Comptroller of the Currency, issued a joint report that discussed the industry's efforts to implement the recommendations contained in the Interagency Paper (``Joint Report''). The Joint Report notes that the Interagency Paper addresses reasonable recovery time objectives and identifies specific risk-based recovery standards in order ``to assure that there will be a relatively consistent degree of preparedness across'' the industry. See Joint Report on Efforts of the Private Sector to Implement the Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System (Apr. 2006) at 3, available at https://www.sec.gov/news/press/studies/2006/soundpractices.pdf; see also MFA FSOC Comment Letter at 45 (citing to the MFA's recommendations to hedge fund managers that they design and implement business continuity/disaster recovery plans ``reasonably designed to: (1) Identify and prioritize critical business functions. . .''). 
--------------------------------------------------------------------------- We believe that by considering alternatives and redundancies for critical operations and systems in advance of significant business disruptions, an adviser will be able to prioritize, recover, and resume key aspects of its business in a timely manner and consequently be better able to act in its clients' best interests and continue providing services to its clients during such a disruption.\73\ For [[Page 43539]] example, if most securities operations functions (post-trade processing, corporate actions, reconciliation, etc.) are handled internally by the adviser,\74\ then the adviser's plans should address the backup systems or other alternative processes or procedures that will be used or followed in the event of a business disruption where standard operations may not be available. Additionally, we believe that contingency plans with respect to key personnel generally should address both the temporary or permanent loss of such personnel. For example, loss of key personnel could result from an employee's sudden departure from the adviser or could be due to a weather related event that renders the employee temporarily unavailable. Accordingly, an adviser's business continuity and transition plan generally should include short-term arrangements, such as which specific individuals would satisfy the role(s) of key personnel when unavailable, and long-term arrangements regarding succession planning and how an adviser will replace key personnel.\75\ --------------------------------------------------------------------------- \73\ Investment advisers should also generally consider in their business continuity planning circumstances in which a service provider (including another investment adviser that provides operations or systems to the adviser) is permanently unable to provide the adviser with critical operations or systems. 
See, e.g., Financial Conduct Authority, Outsourcing in the Asset Management Industry: Thematic Project Findings Report (Nov. 2013) (``FCA Paper''), available at https://www.fca.org.uk/static/documents/thematic-reviews/tr13-10.pdf (``Based on our initial assessment of asset managers last year, we concluded that firms in the sample were unprepared for a failure of their service provider.''). The FCA Paper suggested that asset managers should review their own outsourcing arrangements and where appropriate (i) ``enhance their contingency plans for the failure of a service provider providing critical activities, taking into account industry-led guiding principles where applicable'' and (ii) ``assess the effectiveness of their oversight arrangements to oversee critical activities outsourced to a service provider, making sure the required expertise is in place.'' \74\ As discussed above, investment advisers that are also registered broker-dealers will be subject to both the proposed rule and FINRA's rule 4370 regarding BCPs. While we believe the two rules are largely complementary, we note that SEC-registered advisers would have to comply with the requirements of proposed rule 206(4)-4 with respect to their advisory functions. See supra note 18. \75\ An adviser should also consider whether the departure of key personnel may trigger contractual obligations with clients, investors, or counterparties. For example, private funds clients may contain redemption rights for its investors upon the departure of specified investment personnel. 
--------------------------------------------------------------------------- With respect to data protection, backup, and recovery, a business continuity and transition plan generally should address both hard copy and electronic backup, as appropriate.\76\ A reasonably designed business continuity and transition plan generally should recognize that significant business disruptions may prevent access to electronic copies of data (e.g., power or internet outage) and hard copies of data (e.g., cannot access building where data is located). Such a plan should also recognize the important role electronic records can play in carrying out the adviser's plan of transition in a timely manner. --------------------------------------------------------------------------- \76\ This proposed requirement would be consistent with the existing requirement for SEC-registered investment advisers to maintain specific books and records relating to its investment advisory business. See rule 204-2(a) and (g). The ``books and record'' rule requires advisers to have procedures: to reasonably protect electronic records from loss, alteration, or destruction; to limit access to electronic records; and to assure that electronic records that are created from hard copy are complete, true, and legible. See rule 204-2(g)(3). --------------------------------------------------------------------------- Additionally, in connection with data backup and recovery, a business continuity and transition plan generally should include an inventory of key documents (e.g., organizational documents, contracts, policies and procedures), including the location and description of the item, and a list of the adviser's service providers relationships that are necessary to maintaining functional operations. This documentation generally should include details of the adviser's management structure, risk management processes, and financial and regulatory reporting requirements. 
We believe such documentation would make it easier for an adviser and its employees to access important operations/systems, documents, and relationships during a significant business disruption. Finally, we note with respect to data protection, backup and recovery, one type of potentially significant business disruption is a cyber-attack. An adviser generally should consider and address as relevant the operational and other risks related to cyber-attacks.\77\ We believe exposure to compliance and operational risks that may be caused by cybersecurity incidents can be mitigated by addressing such risks in the context of business continuity planning.\78\ --------------------------------------------------------------------------- \77\ Our staff recently highlighted a number of measures for advisers to consider in the context of cybersecurity and noted that ``advisers should identify their . . . compliance obligations under the federal securities laws and take into account these obligations when assessing their ability to prevent, detect and respond to cyber attacks.'' See Cybersecurity Guidance, IM Guidance Update (Apr. 2015), available at https://www.sec.gov/investment/im-guidance-2015-02.pdf. In March 2014, the Commission hosted a roundtable on cybersecurity, which highlighted the Commission's focus on cybersecurity-related issues and a number of Commission actions relating to cybersecurity. The Commission is also focused on cybersecurity risk issues related to investment advisers, including data protection and identity theft vulnerabilities. See Chair Mary Jo White, Opening Statement at SEC Roundtable on Cybersecurity (Mar. 26, 2014), available at https://www.sec.gov/News/PublicStmt/Detail/PublicStmt/1370541286468; see also Identity Theft Red Flags Rules, Securities Exchange Act Rel. No. 69359 (Apr. 10, 2013); see also Cybersecurity Roundtable, SEC, available at https://www.sec.gov/spotlight/cybersecurity-roundtable.shtml (providing information on the roundtable). 
We also note that the National Institute of Standards and Technology (``NIST'') has issued a framework for improving cybersecurity and that it recently sought comment on this framework. See NIST, Framework for Improving Critical Infrastructure Cybersecurity (Feb. 12, 2014), available at https://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf; NIST, Cybersecurity Framework--Overview, available at https://www.nist.gov/cyberframework/# (discussing requests for comment on the cybersecurity framework). \78\ We recognize that advisers also may have additional policies and procedures to address compliance and operational risks related to cybersecurity incidents. --------------------------------------------------------------------------- b. Pre-Arranged Alternate Physical Location(s) The proposed new rule would also require an adviser's business continuity and transition plan to include pre-arranged alternate physical location(s) of its office(s) and/or employees. As our staff has indicated a number of times, alternate or remote locations are essential for an adviser to continue providing services during a significant business disruption.\79\ Accordingly, when developing business continuity and transition plans, advisers generally should consider the geographic diversity of their offices or remote sites and employees, as well as access to the systems, technology, and resources necessary to continue operations at different locations in the event of a disruption.\80\ For example, an adviser [[Page 43540]] may recognize that a significant business disruption could limit access to its primary or only office for an extended period of time and, therefore, establish a satellite office or plan to use a remote site in another location or geographic region and may also allow remote access by employees so the adviser could continue to have access to the facilities, systems, and personnel necessary to carry on its business.\81\ 
--------------------------------------------------------------------------- \79\ See supra notes 30 and 32, and accompanying text; see also Regulation SCI Adopting Release, supra note 17 (requiring an SCI entity's business continuity and disaster recovery plan to include ``geographically diverse'' backup and recovery capabilities). We note that other regulatory bodies and organizations have also recognized the importance of alternate sites and geographic diversity in business continuity planning. See, e.g., 17 CFR 23.603(b)(5) (requiring backup facilities, infrastructure and alternative staffing in geographically separate areas); FINRA Rule 4370(c)(6) (requiring BCPs to address ``alternate physical location of employees''); NASAA Model Rule 203(a)-1A(3) (stating that BCPs should provide for ``office relocation in the event of temporary or permanent loss of a principal place of business''); FFIEC Handbook, supra note 17, at G14 (stating that a ``BCP should address site relocation for short-, medium-, and long-term disaster and disruption scenarios''); Interagency Paper, supra note 16 (noting that backup sites should not rely on the same infrastructure components used by the primary site, should not be impaired by a wide-scale evacuation at or the inaccessibility of staff that service the primary site, and should consider staffing needs at the backup site if the firm relies on the same labor pool for both its primary and back up sites). \80\ We are not proposing to require that an adviser's business continuity and transition plan include an alternative location at a specified distance away from its primary location because we believe, as discussed above, that an adviser's plan should be tailored to its particular operations and that, while a specified distance may be appropriate for one adviser's alternate location, it may not be appropriate for all advisers. 
Nonetheless, we believe advisers generally should consider whether their alternative locations are in such close proximity to each other or to its primary location that they may be sharing common infrastructure providers and thus, that the alternative locations would be similarly affected by an external event. \81\ An adviser should consider the technology, systems, and resources necessary for employees working remotely to continue to securely conduct the adviser's business. --------------------------------------------------------------------------- c. Communications With Clients, Employees, Service Providers, and Regulators Under the proposed rule, a business continuity and transition plan would also need to address communications with clients, employees, service providers, and regulators. We believe that communication plans are an essential element of effective business continuity and transition plans and generally should cover communications with parties involved in the critical aspects of the adviser's operations.\82\ For example, if an adviser's employees are unaware that a disruption has occurred and the adviser's business continuity and transition plan has been activated, the plan will likely fail. An adviser's communication plan generally should cover, among other things, the methods, systems, backup systems, and protocols that will be used for communications, how employees are informed of a significant business disruption, how employees should communicate during such a disruption, and contingency arrangements communicating who would be responsible for taking on other responsibilities in the event of loss of key personnel.\83\ Adviser business continuity and transition plans generally should also address employee training, so that in the event of a significant business disruption employees understand their specific roles and responsibilities and are able to carry out the adviser's plan. 
--------------------------------------------------------------------------- \82\ As discussed above, our staff has previously noted the important role that communication plans can play in business continuity planning. See supra notes 30 and 34 and accompanying text. Additionally, we note that other regulatory bodies and organizations have focused on communications in the context of BCPs. See, e.g., 17 CFR 23.603(b)(3) (requiring BCPs to include communication plans with respect to employees, vendors, and regulatory authorities); FINRA Rule 4370(c)(4), (5), and (9) (requiring BCPs to address communications with customers, employees and regulators); NASAA Model Rule 203(a)-1A(2) (stating that BCPs should provide for alternate communications with ``customers, key personnel, employees, vendors, service provides. . .and regulators. . . .''); FFIEC Handbook, supra note 17, at G-4 (stating that ``[c]ommunication is a critical aspect of a BCP and should include communication with employees, . . . regulators, vendors/suppliers (detailed contact information), [and] customers (notification procedures) . . . .''). \83\ See supra section I.C.1.a. --------------------------------------------------------------------------- Moreover, advisers should consider when and how it is in their clients' best interests to be informed of a significant business disruption and/or its impact. 
Accordingly, with respect to clients, a business continuity and transition plan generally should include the process by which the adviser would have prompt access to client records that include the name and relevant contact and account information for each client as well as investors in private funds sponsored by the investment adviser.\84\ These plans generally should include how clients will be made aware of and updated about a significant business disruption that materially impacts ongoing client services (e.g., periodic updates to Web sites and customer service lines) and, when applicable, how clients will be contacted and advised if account access is impacted during such a disruption. --------------------------------------------------------------------------- \84\ For a private fund to qualify for the exclusion from the definition of ``investment company'' in either section 3(c)(1) or 3(c)(7) of the Investment Company Act of 1940 (``Investment Company Act'') or rely on various offering exemptions under the Securities Act of 1933, the private fund is already required to have a reasonable belief regarding certain qualification information with regard to its beneficial owners that are U.S. persons. See, e.g., 17 CFR 270.2a51-1(h), 17 CFR 230.501(a). While the private fund may not be required to have such detailed information about non-U.S. person beneficial owners, we understand it generally has contact information readily available. --------------------------------------------------------------------------- Similarly, an adviser's communication plan with its service providers generally should include, among other things, how the service provider will be notified of a significant business disruption at the adviser as well as how the adviser will be notified of a significant business disruption at a service provider, and how the entities will communicate with one another and clients or investors (where applicable) \85\ during a disruption. 
With respect to communications with the adviser's regulators, the adviser's business continuity and transition plan generally should include the contact information for relevant regulator(s), and identify the personnel responsible for notifying, as well as under what circumstances it would notify, such regulator(s) of a significant business disruption.

---------------------------------------------------------------------------
\85\ For example, pooled investment vehicles generally rely on their investment advisers to arrange for and interact with fund service providers. If an adviser to an investment company, for example, outsources certain back office functions, such as transfer agency to a third-party vendor, its business continuity and transition plan should address coordination of communications with the transfer agent to investors in the fund, as well as with intermediaries servicing investors who also are beneficial owners of the fund.
---------------------------------------------------------------------------

d. Identification and Assessment of Third-Party Services Critical to the Operation of the Adviser

The proposed rule would require an adviser's business continuity and transition plan to include the identification and assessment of third-party services critical to the operation of the adviser.\86\ We understand advisers frequently outsource certain functions or aspects of their operations or use third-parties' systems or vendors for their middle and back office functions in order to permit the adviser to focus on front office core functions, such as portfolio management and trading.\87\ To the extent critical services are outsourced to third-parties, we believe that an adviser generally should be prepared for significant business disruptions that could impair its ability to act in its clients' best interests by having a business continuity and transition plan that addresses the critical services provided to it by such third parties.\88\

---------------------------------------------------------------------------
\86\ We note that Regulation SCI includes specific requirements with respect to the resumption of ``critical SCI systems,'' differentiating these systems from other systems covered by the regulation. See 17 CFR 242.1000 and 242.1001(a)(2)(v) of Regulation SCI. In addition, as discussed above, our staff has previously noted the importance of addressing third-party relationships in the context of BCPs. See supra notes 30 and 33, and accompanying text. Additionally, we note that other regulatory bodies and organizations have noted that BCPs should address third-party relationships.
See, e.g., 17 CFR 23.603(b)(7) (requiring ``identification of potential business interruptions encountered by third parties that are necessary to continued operations'' and ``a plan to minimize the impact''); FINRA Rule 4370(c)(7) (requiring BCPs to address ``critical business constituent, bank, and counterparty impact''); SIFMA Guidelines, supra note 71, at 30 (stating that BCPs should include internal and external business partners and that firms should be familiar with the BCPs and risks of those partners).
\87\ For example, we frequently see middle office functions such as administration of the front office and trades and related transactions, including securities operations and processing (confirmation, routing, matching, and settlement trades), pricing/valuation, reconciliation (both cash and positions), and post trade compliance and reporting, outsourced to third parties.
\88\ The nature of advisory business is such that advisers typically depend on a number of third-party service providers and systems vendors (e.g., broker-dealers, custodians, etc.) in providing services to their clients.
---------------------------------------------------------------------------

In this regard, an adviser's business continuity and transition plan should identify critical functions and services provided by the adviser to its clients, and third-party vendors supporting or conducting critical functions or services for the adviser and/or on the adviser's behalf.\89\ An adviser generally should consider a variety of factors when identifying and prioritizing which service providers should be deemed critical, such as the day-to-day operational reliance on the service provider and the existence of a backup process or multiple providers, whether or not the service provided includes direct contact with clients or investors, and whether the service provider is maintaining critical records or able to access personally identifiable information, among other things.
We would generally consider critical service providers to at least include those providing services related to portfolio management, the custody of client assets, trade execution and related processing, pricing, client servicing and/or recordkeeping, and financial and regulatory reporting.

---------------------------------------------------------------------------
\89\ The Joint Report noted that, notwithstanding the use of a service provider to perform various activities, a firm ``cannot shift responsibility for compliance and risk management to the service provider. . . . Should a service provider not have the appropriate level of resilience, a financial institution would be required to move to a provider that can demonstrate an appropriate level of resilience.'' See Joint Report, supra note 72 at 6. We also encourage advisers to be familiar with the terms of their contracts with critical service providers, including any provisions regarding the termination or assignment of the contract and any notice requirements related to those provisions.
---------------------------------------------------------------------------

Once an adviser identifies its critical service providers, it should review and assess how these service providers plan to maintain business continuity when faced with significant business disruptions and consider how this planning will affect the adviser's operations.\90\ For example, if an adviser's business continuity and transition plan contemplates that it will rely on a particular service provider for a critical service, the adviser generally should be aware of whether the service provider has a BCP and if that BCP provides alternatives, including backup plans, to allow it to continue providing critical services during a significant business disruption.
If the service provider does not have a BCP or if its BCP does not provide for such alternatives, the adviser generally should consider alternatives for such critical services, which may include other service providers or internal functions or processes that can serve as a backup or contingency for such critical services.\91\

---------------------------------------------------------------------------
\90\ In late August 2015, Bank of New York Mellon (``BNY Mellon''), a service provider that provides custodial and administrative services to mutual funds, closed-end funds, and exchange-traded funds, experienced a breakdown in one of its third-party systems (SunGard's InvestOne) used to calculate numerous client funds' net asset values (``NAVs''). As a result of this breakdown, BNY Mellon was unable to deliver timely system-generated NAVs to certain clients for several days, which resulted in certain clients pricing their shares using stale or manually calculated NAVs and certain ETFs using stale baskets. Once the automated system was restored, ETF baskets were updated and certain funds had to review the NAVs used while the automated system was down and make any necessary corrections. See, e.g., Stephen Foley, BNY Mellon Close to Resolving Software Glitch, Financial Times (Aug. 31, 2015), available at https://www.ft.com/intl/cms/s/0/47d5860a-4f2b-11e5-b029-b9d50a74fd14.html; Jessica Toonkel & Tim McLaughlin, BNY Mellon Pricing Glitch Affects Billions of Dollars of Funds, Reuters (Aug. 26, 2015), available at https://www.reuters.com/article/bnymellon-funds-nav-idUSL1N1111QY20150826; Barrington Partners White Paper, An Extraordinary Week: Shared Experiences from Inside the Fund Accounting System Failure of 2015 (Nov.
2015), available at https://www.mfdf.org/images/uploads/blog_files/SharedExperiencefromFASystemFailure2015.pdf; Transcript of the BNY Mellon Teleconference Hosted by Gerald Hassell on the Sungard Issue, available at https://www.bnymellon.com/_global-assets/pdf/events/transcript-of-bny-mellon-teleconference-on-sungard-issue.pdf.
\91\ We recognize that it may not be feasible or may be cost prohibitive for an adviser to retain backup service providers, vendors, and/or systems for all critical services. In such cases, an adviser should consider backup plans, functions and/or processes to address how it will manage the loss of a critical service.
---------------------------------------------------------------------------

We also recognize that advisers often play a key role in identifying, arranging for, and overseeing other service providers for certain of their clients as part of their sponsoring roles. For example, an adviser may arrange for a particular administrator or pricing vendor for a registered investment company client or private fund client.\92\ Accordingly, we believe an adviser should generally review and assess how the critical service providers it arranges and/or oversees for its clients plan to maintain business continuity when faced with significant business disruptions and consider how this planning will affect its clients' operations.\93\

---------------------------------------------------------------------------
\92\ See supra note 85.
\93\ See, e.g., supra note 89.
---------------------------------------------------------------------------

We understand that many advisers currently take a variety of steps to understand the operational and other risks of their service providers and those of certain clients' critical service providers,\94\ such as reviewing a summary of a service provider's BCP, due diligence questionnaires, an assurance report on controls by an independent party,\95\ certifications or other information regarding a provider's operational resiliency or implementation of compliance policies, procedures, and controls relating to its systems, results of any testing, and conducting onsite visits. Factors such as the significance of the service provider to advisory operations, the type of service provided, and the adviser's ability to require or request actions of its service providers will impact the steps that advisers should consider taking.

---------------------------------------------------------------------------
\94\ See, e.g., BlackRock FSOC Comment Letter; see also Risk Principles for Asset Managers, supra note 4, at 19 (``The increased level of outsourcing to third party service providers has changed not only their outsourcing risk profile but such significant changes to an organization's business model can lead to many process and control changes and could therefore increase the exposure to other (operational) risk areas (e.g., country risk and service provider oversight)''); cf. rule 38a-1(a)(2) (requiring registered investment company boards to approve policies and procedures that provide for the oversight of compliance by the fund's investment adviser and certain other named service providers). Such approval must be based on a finding that the policies and procedures are reasonably designed to prevent violations of the federal securities laws by the fund, the investment adviser and the other named service providers. See id.
\95\ See Investment Company Institute, Financial Intermediary Controls and Compliance Assessment Engagements (Dec. 2015) at 8, available at https://www.ici.org/pdf/ppr_15_ficca.pdf (identifying a financial intermediary's ``Business Continuity/Disaster Recovery Program'' as one of 17 areas of focus that ``should be addressed on an annual basis as part of the financial intermediary's controls and compliance engagements.''); see also AICPA, Reporting on Controls at a Service Organization (2015), available at https://www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AT-00801.pdf. Many advisers review SSAE 16 reports that are prepared by an independent public accountant in accordance with the American Institute of CPAs' Auditing Standards Boards' Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization. These reports provide assurances that the service provider has established a system of internal controls, that the internal controls are suitably designed to achieve specified objectives, and that the internal controls are operating effectively.
---------------------------------------------------------------------------

e. Transition Plan

Under the proposed rule, an adviser's business continuity and transition plan would have to include a plan of transition that accounts for the possible winding down of the adviser's business or the transition of the adviser's business to others in the event the adviser is unable to continue providing advisory services.\96\ Advisers facing the decision to exit the market commonly do so by: (1) Selling the adviser or substantially all of the assets and liabilities of the adviser, including the existing advisory contracts with its clients, to a new owner; (2) selling certain business lines or operations to another adviser; \97\ or (3) the orderly liquidation of fund clients or termination of separately managed account relationships.\98\ Regardless of the method an adviser chooses to effect a transition, we believe that assessing and planning for potential impediments associated with that method should help an adviser act in its clients' best interests by seeking to mitigate potentially negative effects on its clients and investors.\99\

---------------------------------------------------------------------------
\96\ Cf. FINRA Rule 4370(c)(10) (requiring BCPs to address ``[h]ow the member will assure customers' prompt access to their funds and securities in the event that the member determines that it is unable to continue its business''); NASAA Model Rule 203(a)-1A(4) (stating that BCPs should provide for the ``[a]ssignment of duties to qualified responsible persons in the event of the death or unavailability of key personnel''). Transition of an adviser's business to others generally would, for example, include a situation where the adviser is a sole proprietor who is no longer able to provide advisory services and is, therefore, transferring its business to another person/firm or winding down operations entirely. Such succession/transition planning generally should be accounted for in the context of an adviser's plan of transition.
\97\ See supra note 59 (discussing partial transitions of an adviser's business).
\98\ See, e.g., Prudential Financial Inc. 2014 Resolution Plan: Public Section (June 30, 2014), available at https://www.federalreserve.gov/bankinforeg/resolution-plans/prudential-fin-1g-20140701.pdf; American International Group, Inc. Resolution Plan Section 1: Public Section (July 1, 2014), available at https://www.federalreserve.gov/bankinforeg/resolution-plans/aig-1g-20140701.pdf. These two nonbank financial companies have been designated ``systemically'' important by FSOC and also have investment adviser subsidiaries. The publicly-available summaries of their resolution plans filed with the Federal Reserve indicate that they would seek to either sell their advisory businesses or seek Chapter 11 bankruptcy proceedings for their advisory entities.
\99\ An adviser may also wish to consider in the context of its transition plan, if and when it would be appropriate to use a transition manager. A transition manager facilitates and coordinates ``the transition of asset management from one manager to another, or from one asset class or investment strategy to another.'' See supra note 41.
---------------------------------------------------------------------------

We believe that a plan of transition generally should account for transitions in both normal and stressed market conditions,\100\ and generally should consider each type of advisory client, the adviser's contractual obligations to clients, counterparties, and service providers, and the relevant regulatory regimes under which the adviser operates.\101\ Under the proposed rule, the transition components of a business continuity and transition plan would have to include (1) policies and procedures intended to safeguard, transfer and/or distribute client assets during transition; (2) policies and procedures facilitating the prompt generation of any client-specific information necessary to transition each client account; (3) information regarding the corporate governance structure of the adviser; (4) the identification of any material financial resources available to the adviser; and (5) an assessment of the applicable law and contractual obligations governing the adviser and its clients, including pooled investment vehicles, implicated by the adviser's transition. Each of the proposed required components of an adviser's transition plan is designed to help an adviser be well prepared for a transition so that it can act quickly and in its clients' best interests if and when a transition occurs.

---------------------------------------------------------------------------
\100\ See supra notes 38-39 and accompanying text (discussing the 2008 financial crisis and transition planning generally).
\101\ In addition to contractual obligations to its clients and vendors, an adviser that provides other services to entities, such as to another adviser, generally should consider its contractual obligations as a service provider to those other entities as it plans for a transition event.
---------------------------------------------------------------------------

We believe that preserving the safety of client assets and the ability to promptly produce and transfer the information necessary for the ongoing management of client assets is fundamental to an adviser acting in the best interests of its clients. The adviser's policies and procedures addressing how the adviser intends to safeguard, transfer and/or distribute client assets in the event of a transition generally should consider the unique attributes of each type of the adviser's clients (e.g., registered investment companies, private funds, separately managed accounts) and how the adviser plans to transfer accurate client information to other advisers or their service providers. For example, the transfer of client information with respect to registered investment companies and private funds may be more complex than that of separately managed accounts because registered investment companies and private funds typically have multiple investors, whereas separately managed accounts typically have only one investor. It is our understanding that the methods for safeguarding, transferring, and/or distributing client assets may vary by client type and that the best method for one client might not be the best method for another.\102\ Thus, we believe an adviser's policies and procedures should appropriately account for the different methods in which it plans to safeguard, transfer, and/or distribute assets of its different types of clients.
Additionally, if a client account holds assets that would require special instruction or treatment in the event of transition, an adviser's policies and procedures generally should address such instruction or treatment.\103\

---------------------------------------------------------------------------
\102\ For example, if the adviser manages registered investment companies, the investment companies' board(s) may determine that the best method for transferring the assets of these funds is to reorganize them into funds managed by a new adviser. Separately managed accounts, however, would not be reorganized, but may have other considerations unique to them, such as whether a new custodian would be necessary for a new adviser.
\103\ For example, it is our understanding that when transitioning accounts from one adviser to another, derivatives positions require special treatment in that they are typically unwound rather than transferred to the new adviser and that the terms of the derivatives instrument may dictate whether and how such unwinding takes place.
---------------------------------------------------------------------------

Further, the transition plan should also contain policies and procedures that would facilitate the prompt generation of any client-specific information necessary to transition a client account, such as the identity of custodians, positions, counterparties, collateral, and related records of each client. Similar to the need to have accurate and accessible client information in the event of a business continuity scenario, we believe that this information is necessary to effect a smooth transition of the management of client accounts.
We believe senior executives at an investment adviser generally, and especially in times of stress, should be able to quickly identify the important decision-makers within the organization and understand the inter-relationships between the adviser and any affiliated entities to be able to assess whether and how issues at an affiliate may affect the advisory entity. For example, an adviser that uses an affiliate as a qualified custodian may face additional issues if the transition event is related to that affiliate's operations. We believe that this information is necessary if the adviser needs to assess the manner in which it can exit the market with minimal adverse effect on its clients or to take steps necessary to protect itself from issues that may stem from an affiliated entity. Accordingly, with respect to the adviser's corporate governance structure, the transition component of a business continuity and transition plan generally should include an organizational chart and other information about the adviser's ownership and management structure, including the identity and contact information for key personnel, and the identity of affiliates (both foreign and domestic) whose dissolution or distress could lead to a change in or material impact to the adviser's business operations.\104\

---------------------------------------------------------------------------
\104\ An advisory entity may be adversely affected by an affiliate's distress if, for example, the adviser and distressed affiliate share systems, personnel, sources of financing, or similar names.
---------------------------------------------------------------------------

Registered investment advisers manage a variety of products and security types, with investments in and investors from various jurisdictions and are subject to a variety of contractual and legal obligations and regulatory regimes.
An adviser's ability to seamlessly transition advisory services could be impacted by its or its clients' contractual obligations or the various regulatory regimes under which the adviser or its advisory client may be subject. For example, an adviser's insolvency or termination may trigger a termination clause in a client's derivative contract.\105\ Also, the board and shareholders of a registered investment company must approve an advisory contract with any new adviser \106\ and the Advisers Act requires advisory contracts to include a provision that a contract cannot be assigned without client consent.\107\ Other regulatory regimes may require regulatory approval for certain acts,\108\ which may be further complicated by the need for cross-border cooperation if the adviser operates in multiple jurisdictions \109\ or the adviser's pooled investment vehicle clients are domiciled in different jurisdictions.\110\ Accordingly, we are proposing that an adviser's transition plan include an assessment of the applicable law and contractual obligations governing the adviser and its clients, including pooled investment vehicles, implicated by the adviser's transition.

---------------------------------------------------------------------------
\105\ Some ISDA contracts include the default provision allowing for the counterparty to terminate a contract upon the change of advisers.
\106\ Section 15(a) of the Investment Company Act states that ``[i]t shall be unlawful for any person to serve or act as investment adviser of a registered investment company except pursuant to a written contract, which . . . has been approved by the vote of a majority of the outstanding securities of such registered company . . . .'' Additionally, section 15(c) of the Investment Company Act states that ``it shall be unlawful for any registered investment company having a board of directors to enter into . . .
any contract or agreement, written or oral, whereby a person undertakes regularly to serve or act as investment adviser of . . . such company, unless the terms of such contract or agreement and any renewal thereof have been approved by the vote of a majority of directors, who are not parties to such contract or agreement or interested persons of any such party, cast in person at a meeting called for the purpose of voting on such approval.'' But see, e.g., rule 15a-4 under the Investment Company Act (allowing funds, in certain circumstances, to enter into interim advisory agreements without an in-person board meeting and without the fund's shareholders first approving the agreement); see generally JP Morgan Chase/Bear Stearns Asset Management, SEC Staff No-Action Letter (July 14, 2008) (providing staff no-action relief following the US-government-brokered emergency sale of Bear Stearns Companies Inc. to JP Morgan Chase & Co., to allow Bear Stearns Asset Management to continue to serve as investment adviser to its funds without prior in-person approval by the funds' board of directors due to the extraordinary circumstances surrounding the sale of its parent company).
\107\ Section 205(a)(2) of the Advisers Act requires any investment advisory contract to contain a provision indicating ``that no assignment of such contract shall be made by the investment adviser without the consent of the other party to the contract.'' Section 202(a)(1) of the Advisers Act defines ``assignment,'' for purposes of the Advisers Act, to include ``any direct or indirect transfer or hypothecation of an investment advisory contract by the assignor or of a controlling block of the assignor's outstanding voting securities by a security holder of the assignor. . . .''
\108\ See, e.g., Third Avenue Trust and Third Avenue Management LLC, Investment Company Act Rel. No. 31943 (Dec.
16, 2015) (Notice and Temporary Order) (permitting the suspension of the right of redemption of Third Avenue Trust's outstanding redeemable securities).
\109\ For example, as of January 4, 2016, the number of foreign registrations of SEC-registered investment advisers was 2,279, representing 1,051 SEC-registered investment advisers, some of which were registered in multiple foreign jurisdictions. Additionally, there were 780 foreign investment advisers registered with the Commission as of that same date. Based on data from IARD.
\110\ When evaluating options for Long-Term Capital Management, L.P. during its collapse, the effects of the fund filing for bankruptcy were not clear because the fund was managed by an advisory entity domiciled in Delaware and located in Connecticut, while the fund itself was domiciled in the Cayman Islands, where the rights of its counterparties to liquidate collateral under the U.S. Bankruptcy Code would have been delayed because the fund would have likely had to seek bankruptcy protection in the Cayman Islands courts, under Cayman law. See Report of The President's Working Group on Financial Markets, Hedge Funds, Leverage, and the Lessons of Long-Term Capital Management (Apr. 28, 1999), available at https://www.treasury.gov/resource-center/fin-mkts/Documents/hedgfund.pdf.
---------------------------------------------------------------------------

Finally, we believe it is important for an adviser to have considered in advance its strategy for either avoiding or facilitating a transition of its business and client accounts in the event the adviser is in material financial distress such that its ability to continue providing advisory services to its clients or otherwise acting in its clients' best interests could be impacted or undermined.\111\ Accordingly, the proposed rule requires that the adviser's plan of transition consider any material financial resources available to the adviser.
For example, the adviser could identify any material sources of funding, liquidity, or capital it would seek in times of stress in order to continue operating \112\ or consider how it would implement a reduction of expenses or other alternatives.

---------------------------------------------------------------------------
\111\ We note that, in certain circumstances, an adviser is required to ``disclose any financial condition that is reasonably likely to impair [the adviser's] ability to meet contractual commitments to clients.'' See Form ADV, Part 2, Item 18.
\112\ When considering any material financial resources available to it, the adviser also could identify any insurance coverage.
---------------------------------------------------------------------------

f. Request for Comment

We seek comment on the proposed requirement to adopt and implement a business continuity and transition plan, and the proposed components of that plan. Should we require all SEC-registered advisers to adopt and implement business continuity and transition plans? Or should we identify only a subset of SEC-registered advisers that must implement such plans? Which advisers should be in such a subset (e.g., large advisers with assets under management over a specific threshold, advisers affiliated with financial institutions, etc.) and why? Rather than adopting the proposed rule, should the Commission issue guidance under rule 206(4)-7 under the Advisers Act addressing business continuity and transition plans? If so, should that guidance set forth possible elements of such a plan? What, if any, implications will the proposed rule have for investment advisers that are also subject to other regulatory requirements as to business continuity and/or transition planning (e.g., FINRA or CFTC rules on BCPs)? For example, would the proposed rule be inconsistent with an adviser's obligations under other regulatory requirements?
Should we require business continuity and transition plans to include each of the proposed components? Alternatively, should the rule require advisers to have a business continuity and transition plan, and specify certain components of a plan in the form of a safe harbor provision? Or, should the rule not specify required components of a plan and instead allow advisers to determine the appropriate components of their plans? Are there any components we should remove from the proposed list of required components? Are there any components we should add or expand upon? For example, with respect to a pre-arranged alternate physical location(s) of the adviser's office(s) and/or employees, should we require that an adviser's business continuity and transition plan include an alternate location at a specified distance away from its primary location? Should we require an adviser's communication plan to extend to investors in certain types of pooled investment vehicles? If so, which specific types of pooled investment vehicles and how should the term ``investors'' be defined for each type of pooled investment vehicle? Should we require an adviser to have policies and procedures that address the identification, assessment, and review of critical third-party vendors that the adviser arranges or oversees for its clients? Are there any components of the NASAA model rule or guidance, or other rules or guidance addressing BCPs, that we have not addressed in the proposed rule that we should address? Should advisers with certain types of clients, including for example advisers to registered investment companies or sponsors of wrap programs, be required to undergo additional obligations with regard to adopting and implementing a business continuity and transition plan? What additional steps should such advisers be required to take with respect to such clients and/or such clients' service providers?
Are each of the proposed components of a business continuity and transition plan clear or should we provide additional information and/or definitions for any of the components? If so, what additional information or definitions are needed? For example, should we provide a definition of ``significant business disruption,'' ``unable to continue providing investment advisory services,'' or ``pooled investment vehicle''? Alternatively, should we require investment advisers to define certain terms, like ``significant business disruption'' or ``unable to continue providing investment advisory services,'' within their plans? Should all advisers be required to include each of the proposed components in a business continuity and transition plan or should certain advisers be exempt from including certain components? If certain advisers should be exempt, why? For example, should only certain advisers be required to adopt and implement the transition plan component of the proposed rule or is there a subset of investment advisers with operations so limited that the adoption and implementation of a transition plan (or certain components of the transition plan requirement) would not be beneficial? If so, what criteria could be used to identify this subset of advisers? Are there alternative or streamlined measures that these advisers could take to facilitate an orderly transition in the event of a significant disruption to the adviser's operations? If these advisers did not have transition plans, should they be required to disclose the absence of such plan? With respect to each of the proposed components of a business continuity and transition plan, we have provided information as to the items and/or actions that we believe generally should be encompassed within a particular component. Is there additional information that we should provide, or any information that we should exclude or modify, regarding any of the proposed components of a plan? 
Alternatively, instead of permitting advisers the flexibility to draft their plans based on the complexity of their businesses, should we require advisers to address each component in a prescriptive manner by requiring specific mechanisms for addressing particular risks? Should we adopt a more prescriptive rule that calls for a more specific transition plan similar to the ``Living Wills'' required by the Federal Reserve Board and the FDIC for large banks and systemically important non-bank entities?\113\ If so why, and what specifically should the rule require?

---------------------------------------------------------------------------

\113\ These resolution plans require, among other things: (1) Information regarding the manner and extent to which any insured depository institution affiliated with the company is adequately protected from risks arising from the activities of any nonbank subsidiaries of the company; (2) full descriptions of the ownership structure, assets, liabilities, and contractual obligations of the company; and (3) identification of the cross-guarantees tied to different securities, identification of the major counterparties, and a process for determining to whom the collateral of the company is pledged. See Resolution Plans, supra note 40.

---------------------------------------------------------------------------

As part of the proposed rule, should we require advisers to provide disclosure to their clients about their business continuity and transition plans? If so, what should be the format of such disclosure (e.g., summary of plan, copy of plan)? When or how frequently should this disclosure be provided?

Should we require advisers to disclose to their clients incidents where they relied on or activated their business continuity and transition plans? If so, what should be the format of such disclosure? What types of incidents should be disclosed or not disclosed?

As part of the proposed rule, should we require advisers to report to the Commission incidents where they rely on their business continuity and transition plans? If so, under what circumstances should advisers be required to report to the Commission and how should advisers report this information? When should the required reporting occur?

Should we require advisers to file their business continuity and transition plans, or a summary thereof, with the Commission? Should these filings be made available to the public? Why or why not? Are business continuity and transition plans considered proprietary to an adviser such that disclosing its plan to the public (either through a Commission filing or through disclosure to a client) creates additional risk exposure to the adviser?

2. Annual Review

Under the proposed rule, each adviser would be required to review the adequacy of its business continuity and transition plan and the effectiveness of its implementation at least annually. The review generally should consider any changes to the adviser's products, services, operations, critical third-party service providers, structure, business activities, client types, location, and any regulatory changes that might suggest a need to revise the plan. The annual review provision is designed to require advisers to evaluate periodically whether their business continuity and transition plans continue to, or would, work as designed and whether changes are needed for continued adequacy and effectiveness. For example, the review generally should include an analysis of whether a business continuity and transition plan adequately protects client interests from being placed at risk and to mitigate such risks in the event the adviser experiences a significant disruption in its operations.
In addition, annual reviews generally should address weaknesses an adviser may have identified in any testing it has done or assessments that have been performed to address the adequacy and effectiveness of its business continuity and transition plan, as well as any lessons learned if an event required the plan to be carried out during the previous year, including any changes made or contemplated as a result of the event. Should we require that business continuity and transition plans be reviewed at least annually, as proposed? Should we expressly require reviews of business continuity and transition plans to be documented in writing? Should we require more frequent or less frequent review of business continuity and transition plans? In addition to annual review, should we require that advisers review their plans when specific events occur? For example, should we require plans be reviewed when an adviser has an event that causes it to rely on its plan? Should we require plans be reviewed based on changes to the adviser's operations or processes, changes in the ownership or business structure of the adviser, compliance or audit recommendations, lessons learned from testing or disruption events, and/or regulatory developments? Should we require advisers to report to the Commission regarding the annual review of their business continuity and transition plans? If so, what should be the format of the report? Should we explicitly require advisers to annually review the business continuity and transition plans of their third-party service providers that provide critical services to the adviser and its clients? If so, how should these reviews be conducted? What types of documentation could be requested to perform these reviews? Should we specifically require advisers to periodically test their business continuity and transition plans or certain material components thereof to assess whether the plans are adequate and effective? If so, how should such testing be conducted? 
What should be included in the scope of such review? How often should such testing be required?

3. Recordkeeping

The proposed amendments would require SEC-registered advisers to maintain copies of all written business continuity and transition plans that are in effect or were in effect at any time during the last five years after the compliance date. We are requiring an adviser to maintain a copy of the plan currently in effect because we believe that it is important that advisers have easy access to necessary information during periods of stress. The proposed rule would also require that advisers keep any records documenting their annual review.\114\ Our rules permit advisers to maintain these records electronically.\115\ These proposed new recordkeeping requirements will assist our examination staff in evaluating an adviser's compliance with the new rule, including evaluating whether the adviser's business continuity and transition plan includes all required components. These proposed requirements track the recordkeeping requirements under rule 204-2 regarding an adviser's compliance policies and procedures.

---------------------------------------------------------------------------

\114\ Pursuant to rule 204-2(e)(1) of the Advisers Act, advisers would have to maintain any records documenting their annual review in an easily accessible place for at least five years after the end of the fiscal year in which the review was conducted, the first two years in an appropriate office of the investment adviser.

\115\ See rule 204-2(g) under the Advisers Act.

---------------------------------------------------------------------------

We request comment on the proposed recordkeeping requirements. Should we require advisers to maintain copies of their business continuity and transition plans that are in effect or were in effect at any time during the last five years, as proposed?

If not, what, if any, recordkeeping requirements should we adopt with respect to business continuity and transition plans? Is five years an appropriate retention period? Should it be longer or shorter? Why? Should we require advisers to keep any records documenting their annual review of their business continuity and transition plans, as proposed?

II. Economic Analysis

A. Introduction

The Commission is sensitive to the potential economic effects of proposed rule 206(4)-4 and the proposed amendments to rule 204-2. These effects include benefits and costs to SEC-registered advisers, clients, and fund investors as well as broader implications for market efficiency, competition, and capital formation.\116\ The economic effects of the proposed rule are discussed below in the context of the primary goals of the proposed regulation.

---------------------------------------------------------------------------

\116\ The Commission recognizes that there are other entities that could be affected by the proposed rule. For example, vendors might have to adapt to meet the new demands of their clients under the proposed rule and that could change the nature of those product/service markets, which in turn could have further economic effects on advisers and their clients and investors. However, the effects of the rulemaking on such entities are uncertain and difficult to predict given they are not direct effects of the proposed rule.

---------------------------------------------------------------------------

We have sought, where possible, to quantify the costs, benefits, and effects on efficiency, competition, and capital formation expected to result from the proposed regulations.
However, as discussed below, in certain cases, we were unable to quantify the economic effects because we lack the information necessary to provide reasonable estimates, such as the extent to which some advisers already have business continuity or transition plans that would satisfy some or all of the requirements of the proposed rule, the likelihood of business disruptions, and the share of costs arising from the proposed rule that advisers will pass through to their clients. Therefore, some of the discussions below are qualitative in nature.

Under the proposed rule, the content of an SEC-registered adviser's business continuity and transition plan shall be based upon risks associated with the adviser's operations and shall include policies and procedures designed to minimize material service disruptions, including policies and procedures that address the following: (1) Maintenance of critical operations and systems, and the protection, backup, and recovery of data; (2) pre-arranged alternate physical location(s) of the adviser's office(s) and/or employees; (3) communications with clients, employees, service providers, and regulators; (4) identification and assessment of third-party services critical to the operation of the adviser; and (5) plan of transition that accounts for the possible winding down of the adviser's business or the transition of the adviser's business to others in the event the adviser is unable to continue providing advisory services. The proposed rule also requires that each SEC-registered adviser review, no less frequently than annually, the adequacy of its business continuity and transition plan and the effectiveness of its implementation. In addition, the proposed amendments to rule 204-2 under the Advisers Act require these advisers to make and keep records of all business continuity and transition plans that are in effect or were in effect at any time within the past five years.
The goal of these proposals is to require that all advisers have sufficiently robust plans to mitigate the potential adverse effects of significant business disruptions or transition events. Specifically, the proposed rule requires SEC-registered advisers to adopt plans reasonably designed to protect clients and fund investors from the risk that, in the wake of a significant business disruption or transition event, advisers are unable to provide services and continue operations. Such disruptions may put clients' and investors' interests at risk if, for example, an adviser lacks the ability to make trades in a portfolio, is unable to receive or implement directions from clients, or its clients are unable to access their assets or accounts. Because clients and investors should be averse to these outcomes, one might expect all advisers to already have plans in place to minimize the risks posed by significant business disruptions or business transitions without being legally required to do so. It appears, however, that, in the context of business continuity and transition plans, market pressures do not fully align the interests of all advisers with those of their clients and fund investors, as staff has observed that some advisers have adopted plans that may not be sufficiently robust in light of the operational and other risks specific to their businesses. Our staff's observations that business continuity and transition plans are not uniformly robust suggest that both advisers and their clients may not fully take into account, or internalize, the potential benefits of comprehensive business continuity and transition plans as well as the potential costs of operating without them. There are several possible reasons for this misalignment. 
As an initial matter, the types of business disruptions addressed by this proposal are infrequent, and are not necessarily publicly observable when they do occur; this may make it difficult for market participants to fully internalize the ramifications of those events. For example, an adviser that underestimates the likelihood of a significant disruption or the harm it could cause to the viability of its business may not believe the cost of a more robust business continuity plan is justified. Furthermore, because many advisers may have never experienced a significant business disruption, they might not properly assess whether their existing plans are sufficiently robust. And while some clients and investors may recognize the benefits of business continuity planning and demand it of their advisers, others may not fully understand these benefits due to the rarity of significant disruptions. In addition, staff observations resulting from specific SEC examinations are generally not made public, so any examination findings identified with respect to one adviser's plan will generally provide no guidance to other advisers, or to their clients and investors, as to what robust plans might contain.
Although Commission staff has published alerts identifying overall observed weaknesses in advisers' business continuity plans, those alerts provide aggregated, non-specific information that may not inform advisers or their clients and investors of the expected content of robust plans.\117\ Moreover, it is possible that some advisers may not review those alerts and therefore do not adjust their business continuity plans in response to the identified strengths and weaknesses; similarly, many clients and investors, particularly smaller or retail investors, may not review the alerts and thus do not exert pressure on their advisers to address in their own plans the general weaknesses identified by the Commission.\118\

---------------------------------------------------------------------------

\117\ See, e.g., NEP Risk Alert, supra note 30.

\118\ We note that, based on staff experience, large institutional clients often have rigorous due diligence processes that evaluate an adviser's operational and other risks, while smaller retail clients may not engage in such a thorough review of operational and other risks.

---------------------------------------------------------------------------

Furthermore, advisers generally do not make their business continuity plans (or transition plans) public, though based on Commission staff's experience, we understand that most will provide a summary of those plans or other information related to their operational and other risks to clients and investors upon request. Clients and investors that request, review, and comment on these plans are more likely to exert some degree of pressure on their advisers regarding the content of their plans, thereby leading to more robust plans. Thus, the composition of an adviser's client base may impact the current state of its business continuity and transition plans and may lead to the heterogeneity in the quality of such plans that our staff has observed across advisers.
The Commission believes, based on staff experience, that larger institutional clients and investors, compared to smaller or retail clients and investors, are more likely to engage in extensive due diligence processes that involve such review of existing plans. The content of business continuity and transition plans for advisers with larger institutional clients and investors may therefore be more likely to reflect such client or investor input than plans of advisers with only smaller, retail clients or investors. In addition, because plans are not generally public, advisers cannot compare their own plans with those of other advisers to assess the relative strengths and weaknesses of their plans and therefore do not have the opportunity to craft or revise their own plans with the knowledge of how others in the industry are addressing the same issues. These factors, combined with the absence of any specified requirements for components of business continuity plans (or transition plans) in existing regulation, may have contributed to staff's observations that such plans are not uniformly robust.

Advisers also may not fully internalize the benefits of transition planning. For example, it is possible that advisers do not necessarily have adequate incentives to ensure that a business transition takes into account all of the various components of a robust plan set forth in the proposed rule, given that an adviser no longer receives fees after that transition. In addition, transition events, like business disruptions, are relatively rare; accordingly, advisers may not properly assess the likelihood of such events, the potential consequences of failing to adequately prepare, or the benefits of ensuring a smooth transition.

To address the issues identified above, the proposed rule requires advisers to assess the operational and other risks associated with their business operations and identifies components that must be addressed in business continuity and transition plans.
The rule aims to address the lack of uniformly robust plans previously observed by staff and requires each SEC-registered investment adviser to adopt and implement a written business continuity and transition plan based upon the risks associated with the adviser's operations.

B. Economic Baseline

The investment adviser regulatory regime currently in effect serves as the economic baseline against which the benefits and costs, as well as the impact on efficiency, competition, and capital formation of the proposed rule are discussed. As of January 4, 2016, there were 11,956 SEC-registered investment advisers with approximately $67 trillion in regulatory assets under management. In this market, which has been described as being highly competitive,\119\ advisers are likely to compete on, among other things, fees charged to clients, returns or performance, and the level of services provided to meet client needs.

---------------------------------------------------------------------------

\119\ See supra section I.A and note 7.

---------------------------------------------------------------------------

The proposed rule would affect all SEC-registered investment advisers, as well as each adviser's clients (including registered funds, private funds, and individual separately managed accounts) and the investors in fund clients. Currently, Commission guidance indicates that an SEC-registered adviser's compliance policies and procedures should include business continuity planning to the extent it is relevant to the adviser's business. The content of those BCPs, however, is not addressed by current Commission rules, and may not specifically include policies and procedures regarding business transitions. As noted previously, our staff has noticed variation in the business continuity and/or transition plans that they have seen during examinations.

Some advisers, pursuant to the Compliance Program Rule or as a prudent business practice, have adopted plans which may be consistent with the new requirements being proposed, while others have not. Accordingly, the benefits and costs to a given adviser, client, or fund investor will depend on the current state of the adviser's business continuity and transition plan.

C. Benefits and Costs and Effects on Efficiency, Competition, and Capital Formation

Taking into account the goals of the proposed rule and the economic baseline, as discussed above, this section explores the benefits and costs of the proposed rule, as well as the potential effects of the proposed rule on efficiency, competition, and capital formation.

1. Benefits

Clients and investors in funds managed by SEC-registered advisers, advisers themselves, and the financial markets as a whole may benefit from the proposed rule. In general, we cannot quantify the total benefits to the affected parties because we lack data on certain factors relevant to such an analysis, such as investor preferences and the likelihood of business disruptions. For example, without knowing how risk averse clients are to investing via advisers without robust BCPs, we cannot quantify the benefits they might derive from improvements in those BCPs. Similarly, it is difficult to estimate the probability of the types of business disruptions addressed by the proposed rule, which precludes precisely estimating the ex-ante costs of inadequate plans under the economic baseline. However, we discuss the expected benefits qualitatively below.

We anticipate that clients and investors in funds managed by registered advisers will benefit from the proposed rule. Requiring SEC-registered advisers to adopt and implement business continuity and transition plans will likely reduce the risk that investors and advisory clients will be harmed or affected in the event a business continuity or transition issue actually occurs.
For example, advanced planning to address issues in the event of a disruption may reduce the risk that advisory accounts might be left unmanaged or that clients do not have access to their funds during an adviser's business interruption or transition, or at least shortens the time of such a disruption. As discussed above, whether it is due to prudent business practices or adherence to the Commission guidance in the Compliance Program Rule, some advisers may already have robust business continuity and transition plans in place that are consistent with the new requirements being proposed. The incremental benefits of the proposed rule to those advisers' clients and investors would likely be less than the benefit to the clients and investors of an adviser without such strong operational controls.

The proposed rule will also benefit registered advisers by requiring their business continuity and transition plans to include policies and procedures that address certain specific components, which should help the advisers better prepare for significant disruptions in their operations. While Commission guidance indicates that an SEC-registered adviser's compliance policies and procedures should address BCPs to the extent that they are relevant to an adviser, the Commission has not previously specified what such a BCP should address. To the extent registered advisers have not already adopted and implemented robust BCPs that are consistent with the new requirements being proposed, requiring them to review the risks associated with their operations and plan for significant business disruptions or transitions should encourage them to enhance their ongoing efforts to mitigate risks attendant with their operations and business practices and may help them be better prepared to address business continuity and transition events if and when they occur.

Finally, the proposed rule and the planning it requires of advisers could have ancillary benefits for the broader financial markets.
For example, consider an adviser with significant assets under management who trades actively enough to be considered a liquidity provider in a particular market. If this adviser were to suffer a significant business disruption event that prevented it from participating in that market for several days, then the liquidity of the market could be negatively affected.\120\ While a business continuity and transition plan would not be able to completely prevent such a disruption, it may decrease the adviser's recovery time and hence the disruption's impact on the market.

---------------------------------------------------------------------------

\120\ See, e.g., George O. Aragon & Philip E. Strahan, Hedge funds as liquidity providers: Evidence from the Lehman bankruptcy, J. Financ. Econ., Vol. 103, Issue 3 (Mar. 2012) at 570-587 (concluding that ``the market liquidity of stocks held by Lehman's hedge-fund clients fell more during the [2008 financial] crises than otherwise similar stocks not held by these funds.'')

---------------------------------------------------------------------------

2. Costs

As with the benefits, costs of the proposed rule will be shared by advisers and their clients and fund investors. Generally, advisers will incur the direct costs associated with developing and maintaining robust business continuity and transition plans, though some of those costs may ultimately be passed through to their clients and fund investors. These costs are discussed in more detail below.

a. Costs to Advisers

Proposed rule 206(4)-4 likely will result in an SEC-registered adviser incurring one-time and ongoing operational costs, described in detail below, to adopt and implement a business continuity and transition plan that is reasonably designed to address the operational and other risks related to a significant disruption in the adviser's operations.
As an initial matter, it is difficult to determine the estimated costs for advisers with precision because of the variation in existing BCPs and the extent to which such plans will need to be revised to be compliant with the proposed rule. Because Commission guidance indicates that SEC-registered advisers' compliance policies and procedures should address BCPs to the extent that they are relevant to an adviser, the nature of an adviser's existing BCP will also greatly affect the initial costs the adviser would expend to comply with the proposed rule. Advisers whose current BCPs are closely aligned with the requirements of the proposed rule would likely incur lower initial compliance costs relative to advisers whose current BCPs are not closely aligned with the rule's requirements, while all advisers would incur ongoing costs pertaining to the annual review and recordkeeping components of the proposed rule.\121\

---------------------------------------------------------------------------

\121\ The cost estimates provided in this section include total costs for developing and maintaining both business continuity plans and transition plans. We recognize, however, that the portion of these costs attributable to business continuity plans will likely be greater than that attributable to the transition plans, as business continuity plans generally contemplate acquiring and maintaining, for example, more infrastructure, such as secondary storage capabilities, than transition plans and are more likely to involve retaining third-party vendors to assist with the development or maintaining of that infrastructure. Accordingly, the current state of an adviser's business continuity plans may have more effect on the costs to individual advisers than the current state of the adviser's transition plans.

---------------------------------------------------------------------------

In addition, because the proposed rule requires an SEC-registered adviser's plan to be based on the particular risks attendant to that adviser's operations, the initial and ongoing costs imposed by the rule would vary significantly among firms depending on the complexity of the adviser's operations. A number of factors pertaining to an adviser's business model can affect the complexity of the adviser's operations. Those factors include the adviser's assets under management, number of employees, number of offices, number and types of clients (e.g., high net worth individuals, private funds, or registered investment companies), types of advisory activities, other business activities or lines of business which may affect the adviser's advisory business, types of investment strategies pursued, and the extent of reliance on service providers (in-sourced vs. out-sourced models). The flexibility of the proposed rule should allow advisers to tailor their business continuity and transition plans to the specific risks their businesses face at the minimum possible cost.

The Commission believes that certain of the above factors may be correlated with the adviser's amount of assets under management.
For example, an adviser with a large amount of assets under management is more likely to have more employees, multiple locations, offices, numbers and types of clients, and types of business activities than an adviser with fewer assets under management.\122\ Accordingly, we believe that advisers with larger amounts of assets under management are generally more likely to have more complex business operations and may therefore need to expend more resources on adopting, implementing, and maintaining a business continuity and transition plan than advisers with fewer assets under management.\123\

---------------------------------------------------------------------------

\122\ With regard to employee size, SEC-registered advisers with less than $100 million in assets under management have an average of 28 employees and a median of 4 employees, while SEC-registered advisers with over $1 billion in assets under management have an average of 180 employees and a median of 31 employees. Based on data from IARD as of January 4, 2016. With regard to the number of offices maintained by advisers, only 23% of SEC-registered advisers with less than $100 million in assets under management maintain more than one office, while 47% of SEC-registered advisers with over $1 billion in assets maintain one or more offices and 11% of these larger advisers maintain 5 or more offices. Based on data from IARD as of January 4, 2016.

\123\ There are notable exceptions: for example, a small adviser with a technology intensive investment strategy may nevertheless have a complex operational risk profile, which could require a more complex business continuity and transition plan.

---------------------------------------------------------------------------

i. One-time Costs

As noted above, the one-time costs associated with developing and implementing the policies and procedures associated with a business continuity and transition plan will vary significantly among firms depending on the nature and complexity of the adviser's operations and the current state of their systems and processes. Under the proposed rule, SEC-registered advisers need only take into account the risks associated with their particular operations. For example, smaller advisers that do not have a large number or different types of clients or do not maintain numerous offices with numerous employees may not need complex systems if their operations result in risks that are easy to address. On the other hand, a larger adviser with a large number and diverse set of clients, including large registered investment companies, with global offices and thousands of employees may need more complicated and expensive systems and technology. To the extent that adviser size does correlate with operational complexity, SEC examination staff has observed that larger advisers have typically already devoted significant resources to establish systems or technological solutions that address operational and other risks related to business continuity.

Based on our staff's experience, we generally estimate that the one-time costs necessary to adopt and implement a business continuity and transition plan would range from approximately $30,000 to $1.5 million\124\ per SEC-registered adviser, depending on the facts and circumstances of a particular adviser's operations and the adequacy of its existing plan.
These estimated costs include internal and external costs, explained in more detail below, attributable to the following activities: (1) Mostly internal costs associated with developing policies and procedures related to each required component of the business continuity and transition plan; and (2) external costs associated with integrating and implementing the policies and procedures as described above (including establishing or upgrading current systems and processes to comply with the proposed rule).

---------------------------------------------------------------------------

\124\ These estimates are based on the aggregated low-end of the range and the high-end of the range, respectively, of mostly internal costs detailed in the PRA section below and the external costs associated with integrating and implementing the plan. Specifically, these estimates are based on the following calculations, which are described in greater detail in notes 125 through 129: $12,515 low-end estimated internal cost to adviser for developing policies and procedures + $4,000 low-end estimated cost to adviser for external professional fees for developing policies and procedures + $1,000 low-end estimated cost to adviser for maintenance of critical operations and systems and the protection, backup and recovery of data + $5,000 low-end estimated cost to adviser for a prearranged alternative physical location + $0 low-end estimated cost to adviser for a plan of communication + $5,000 low-end estimated cost for third-party oversight = $27,515.
$147,310 high-end estimated internal cost to adviser for developing policies and procedures + $20,000 high-end estimated cost to adviser for external professional fees for developing policies and procedures + $750,000 high-end estimated cost to adviser for maintenance of critical operations and systems and the protection, backup and recovery of data + $500,000 high-end estimated cost to adviser for a prearranged alternative physical location + $5,000 high-end estimated cost to adviser for a plan of communication + $50,000 high-end estimated cost for third-party oversight = $1,472,310. See infra, notes 125 through 129.

---------------------------------------------------------------------------

We anticipate that developing policies and procedures designed to minimize material service disruptions, including those related to each required component of the business continuity and transition plan will largely be done internally because it will require an evaluation of the adviser's business operations most suited to be conducted by in-house employees familiar with the intricacies of the business operations. These costs are quantified and discussed in more detail in the PRA section below, but in summary, we estimate that this initial one-time cost will range from approximately $17,000 to $170,000, depending on the facts and circumstances of a particular adviser's operations and the comprehensiveness of their existing plan.\125\

---------------------------------------------------------------------------

\125\ See infra section III.A.1. This estimate is based on the following calculations: $12,515 internal cost to representative smaller adviser + $4,000 in external professional fees for representative smaller adviser = $16,515. $147,310 internal cost to representative larger adviser + $20,000 in external professional fees for representative larger adviser = $167,310.
---------------------------------------------------------------------------

With respect to integration and implementation of the policies and procedures described above, an adviser may incur external costs to upgrade systems and processes. The external costs incurred by an adviser to meet the required components of the proposed rule would be directly affected by the current state of the adviser's existing systems and processes. For example, the proposed rule specifies that an adviser must address the maintenance of critical operations and systems and the protection, backup, and recovery of data. While our staff observes that most advisers already have systems in place to address the protection, backup, and recovery of data, an adviser that does not already have a system in place would incur the costs associated with implementing an operational solution to protecting its data.\126\ Also, the proposed rule specifies that an adviser's plan include a pre-arranged alternative physical location of its office(s) and/or employees. While many advisers already have back-up locations identified as a co-location in times of business disruptions and equipped their employees to telework if they are unable to travel to the primary office location, an adviser that has not adequately addressed this component of the proposed rule would incur costs to do so in light of the proposed rule.\127\

---------------------------------------------------------------------------

\126\ We estimate an adviser could spend between $1,000 and $750,000 to address the maintenance of critical operations and systems, and the protection, backup and recovery of data. The wide range is attributable to the varying methods in which advisers may address this component of the proposed rule.
For example, smaller advisers may address data backup and recovery by outsourcing storage to a service provider through cloud software, while a large adviser dealing with large amounts of data may find it more cost effective to purchase data servers dedicated to the adviser.

\127\ We estimate that an adviser could spend between $5,000 and $500,000 to address having a prearranged alternative physical location. The wide range is attributable to the varying methods in which advisers may address this component of the proposed rule. For example, a smaller adviser with minimal employees may be able to function by enabling its employees to telework and access the adviser's systems remotely instead of requiring formal meeting space. Larger advisers with many employees, on the other hand, may need to rent office space on a temporary basis or establish co-locations where employees necessary to the operations of an adviser may congregate.

---------------------------------------------------------------------------

The proposed rule also requires that the adviser address how it will communicate with clients, employees, service providers, and regulators in the event of a business disruption. While advisers have communication tools as part of their general business operations that enable them to communicate with their stakeholders (i.e., email, phone, etc.), some advisers may have formal, more sophisticated communication infrastructure already in place.\128\ The [[Page 43549]] proposed rule further requires advisers to engage in an assessment of critical third-party vendors, including assessing how service providers will maintain business continuity when faced with significant business disruption.
While some advisers currently have robust vendor management programs that take steps to evaluate the resiliency of vendors, including reviewing information regarding their BCPs, due diligence questionnaires or assurance control reports from an independent party, and onsite visits, some advisers do not and will need to incur costs to enhance their review of critical third-party vendors.\129\

---------------------------------------------------------------------------

\128\ We estimate that an adviser could spend between almost nothing and $5,000 to address having a plan of communication with its stakeholders. The wide range is attributable to the varying methods in which advisers may address this component of the proposed rule. For example, a small adviser with minimal employees could manually email or telephone its stakeholders, whereas a large adviser with many employees or clients could choose to use an automated system to trigger a pre-programmed communication plan.

\129\ We estimate that an adviser could spend between $5,000 and $50,000 to address the requirement for third-party oversight. The wide range is attributable to the varying methods in which advisers may address this component of the proposed rule. As discussed in section I, many advisers may choose to use in-house personnel to conduct due diligence of critical service providers, while others may choose to pay others to conduct such due diligence on their behalf.
---------------------------------------------------------------------------

Aggregating our estimates for the various components of the rule, we estimate that SEC-registered advisers may spend between approximately $11,000 and $1.3 million in additional, initial costs to upgrade systems and processes to comply with the proposed rule depending on the complexity of their operations and the current state of their systems and processes, as described above.\130\

---------------------------------------------------------------------------

\130\ These estimates are based on the aggregated low-end of the range and the high-end of the range, respectively, of mostly internal costs detailed in the PRA section below and the external costs associated with integrating and implementing the plan. Specifically, these estimates are based on the following calculations: $1,000 low-end estimated cost to adviser for maintenance of critical operations and systems and the protection, backup and recovery of data + $5,000 low-end estimated cost to adviser for a prearranged alternative physical location + $0 low-end estimated cost to adviser for a plan of communication + $5,000 low-end estimated cost for third-party oversight = $11,000. $750,000 high-end estimated cost to adviser for maintenance of critical operations and systems and the protection, backup and recovery of data + $500,000 high-end estimated cost to adviser for a prearranged alternative physical location + $5,000 high-end estimated cost to adviser for a plan of communication + $50,000 high-end estimated cost for third-party oversight = $1,305,000. See supra, notes 125 through 129. These estimates include the assumption that large advisers will incur more costs than smaller advisers based on their operational risk profile.
Because these estimates do not take into account our staff observations that larger advisers generally already have more robust business continuity plans in place compared to smaller advisers, we believe our estimates may overstate the costs to be incurred by advisers.

---------------------------------------------------------------------------

ii. Ongoing Costs

In addition to the one-time initial costs described above, each registered adviser would also incur ongoing costs as a result of the proposed rule related to the adviser's review of the adequacy of its business continuity and transition plan and the effectiveness of its implementation. This would involve internal costs associated with updating policies and procedures to reflect changes in an adviser's operational risk profile and costs of compliance and reporting associated with maintaining the plan, but would also include external costs associated with maintaining and upgrading systems, maintaining alternate work locations, and responding to regulatory changes that require revision of the adviser's business continuity and transition plan.\131\ As discussed in the PRA section below, based on staff experience, we estimate that each adviser, in addition to the initial costs described above, would incur ongoing plan-related cost of approximately 25% of the adviser's initial costs in adopting and implementing a business continuity and transition plan. Accordingly, we estimate that an SEC-registered adviser would incur ongoing annual costs associated with the proposed rule that would range from $7,500 to $375,000.\132\

---------------------------------------------------------------------------

\131\ See supra section I.C.2 for more details on annual review requirements.

\132\ This estimate is based on the following calculations: .25 x $30,000 = $7,500 and .25 x $1.5 million = $375,000. See supra note 124 and accompanying text (discussing total initial costs ranging from approximately $30,000 to $1.5 million).
---------------------------------------------------------------------------

In addition, the proposed amendments to rule 204-2 would require registered advisers to maintain records related to the current plan and any plan in effect in the previous five years, as well as any records documenting the annual review of the plan required by the rule. As described in more detail in the PRA section below, we estimate that such advisers will spend approximately $150 each year on an ongoing basis to meet this requirement.

b. Costs to Clients and Investors

Some of the costs incurred by advisers as a result of the proposed rule may ultimately be passed on from advisers to clients and fund investors through higher fees. The extent to which costs are transferred to clients and investors depends on several factors, including the supply and demand for adviser services. On the demand side, the extent to which clients and investors respond to fee changes is a function of how highly they value a given adviser's services; the proposed rule may increase this valuation if investors value business continuity and transition plans and hence increase the demand for adviser services at a given fee, but the exact nature of this potential shift and its impact on fees is unknown.\133\ On the supply side, if advisers take investor fee sensitivity into account, under many plausible competition scenarios in an adviser's market segment, it is likely at least some of the cost increases of the proposed rule will be passed on to clients and investors. However, if advisers incur costs associated with changing fees, advisers may not pass on the costs of the proposed rules until they cross some significant threshold. Since we do not have data or other information concerning individual investor fee sensitivities, how advisers take these into account, or the extent to which advisers prefer to keep fees constant, the potential shift in the supply of advisory service and its impact on fees is unknown.
---------------------------------------------------------------------------

\133\ See, e.g., John Haslem, Mutual Fund Heterogeneity and Fee Dispersion, J. Wealth. Manag., Vol. 18, No. 1 (Summer 2015) at 41-48, who argues that because preferences differ across investors, fee sensitivity also varies across investors.

---------------------------------------------------------------------------

3. Effects on Efficiency, Competition, and Capital Formation

The Commission has also considered the effects of the proposed rules on efficiency, competition, and capital formation. With respect to efficiency, to the extent that a disruption were to prevent an adviser from executing trades for several days, investors would be unable to make any changes in their investment choices, leading to a potentially inefficient allocation of their capital during this period. To the extent that the proposed rules decrease the recovery time of a disruption for an adviser that many market participants are relying on when conducting their business, they could promote efficient pricing of risk and thus efficient capital allocation during such an event. The proposed rule also could affect competition in the advisory industry. As discussed above, the costs of adopting plans that meet the requirements of the proposed rule will vary depending on an adviser's operations and the extent to which they have already implemented business continuity and transition plans consistent with the rule. To the extent that, in a given market segment, advisers with high adoption costs compete for clients and investors against advisers with low adoption costs, the proposed rule will disproportionally affect the high adoption cost advisers. If some of these advisers are only marginally [[Page 43550]] profitable, they may exit that market segment. Similarly, the proposed rule could, on the margin, raise the barrier to entry for an adviser that otherwise would have entered a given market segment.
If the rule results in either adviser exits or increased barriers to entry, reduced competitive pressures could result in increased fees for clients and investors. Finally, the proposed rule may have a small but positive impact on capital formation. Ex-ante, reducing risks to clients and investors associated with business disruptions and transition events could increase such clients' and investors' willingness to invest via advisers, which could be beneficial to capital formation if advisers are more skilled than those clients or investors at identifying sound investment opportunities. In addition, to the extent that the rules reduce any risk premium in assets associated with business disruptions and transition events as discussed above, more robust business continuity and transition plans could promote capital formation.

D. Reasonable Alternatives

In formulating our proposal, we have considered various reasonable alternatives to certain individual elements of proposed new rule 206(4)-4 and the proposed amendments to rule 204-2. Those alternatives are discussed below. We have also requested comments relating to certain specific aspects of these alternatives, as noted above.

1. Require Public Availability of Business Continuity and Transition Plans

First, the Commission could require that SEC-registered advisers publicly disclose a summary of the plans required by the proposed rule in their Form ADVs, and either additionally or as an alternative, provide their business continuity and transition plans to clients upon request. In addition, as an alternative to the recordkeeping requirement, we could require registered advisers to file their business continuity and transition plans (or a portion or summary thereof) with the Commission. Disclosing the plans or a summary of those plans, and the operational and other risks addressed by such plans, could help investors evaluate and compare the operational and other risks associated with particular advisers.
If investors could choose among advisers in part based on the level of operational and other risk advisers were willing to bear, advisers might be further incentivized to plan for business disruption events. However, we understand that such information could be considered proprietary by some advisers and the public disclosure of business continuity and transition plans may make advisers more vulnerable to attacks from third parties, such as cybersecurity attacks that target the contingency plans laid out in an adviser's business continuity and transition plan. Furthermore, advisers would incur additional monetary costs associated with the disclosure of the plans. Such costs would vary depending on the type of disclosure required (e.g., filing with the Commission, publication on the adviser's Web site, making the plans available upon request, etc.) and whether the adviser currently makes its plans available to clients.

In addition, instead of requiring certain components for business continuity plans for all advisers, as in the proposed rule, the Commission could continue imposing only the obligation generally set forth as guidance under the Compliance Program Rule but require public disclosure of any business continuity plans adopted pursuant to that rule. As noted above, the proposed rule's enhanced requirements for business continuity plans impose costs compared to the existing baseline, depending on an adviser's current business continuity plans, so this alternative would avoid the costs associated with complying with the proposed rule. Still, advisers would incur other costs related to disclosure of the existing business continuity plans, as noted above, including the direct monetary costs of publishing or providing the plans, as well as indirect costs such as those associated with revealing the proprietary or sensitive business information identified above.
Further, as discussed above, the non-public nature of existing business continuity plans may be a contributing factor to the lack of uniformly robust plans observed by Commission examiners. However, given the other factors discussed above that may also contribute to the lack of sufficiently robust plans among all advisers, the Commission preliminarily believes that only requiring public disclosure of existing business continuity plans without specifying certain components that plans must contain may not fully address its concerns that all advisers have not established sufficiently robust business continuity plans. At the same time, the Commission preliminarily believes that requiring business plans to address the components identified in the proposed rule while not mandating that such plans also be publicly disclosed will result in more uniformly robust plans that address the Commission's concerns.

2. Require Business Continuity Plans and/or Transition Plans, But Do Not Specify Required Components

The Commission could also specifically require advisers to adopt business continuity plans and/or transition plans but be silent as to the required components that such plans must contain to address business disruptions and/or transition events.\134\ The proposed rule requires advisers to adopt and implement a business continuity and transition plan with policies and procedures reasonably designed to address operational and other risks related to a significant disruption in an adviser's operations (including policies and procedures concerning business transition), while also identifying specific components that such a plan must address. If, as an alternative, the Commission required business continuity and transition plans but did not identify any specific components the plans must address, registered advisers would have complete flexibility in determining how to best prepare for and respond to business disruptions and transition events.
For example, it is possible that certain required components for business continuity and transition plans identified in the proposed rule are less relevant to some advisers, but all advisers would be required to address each of the components under the proposed rule. In contrast, an alternative that did not require specific components be addressed would enable advisers to tailor the plans to their specific business needs, which could potentially result in cost and time-savings compared to the proposed approach.

---------------------------------------------------------------------------

\134\ The Commission could take different approaches for business disruptions and transition events. For example, the Commission could either retain the currently proposed approach of specifying certain components for addressing business disruptions or impose more specific mechanisms for addressing certain risks associated with business disruptions, as explained below, while not specifying either the components or the specific mechanisms for addressing transition events.

---------------------------------------------------------------------------

However, based on the Commission's experience with not providing specific components a plan should address in the context of business disruptions, under rule 206(4)-7, the Commission is concerned that some registered advisers may not implement sufficiently robust plans to best protect the interests of their clients and investors during a business disruption or transition event if the Commission does not specify [[Page 43551]] certain components.
In contrast, the Commission preliminarily believes that the current proposed approach strikes an appropriate balance between specifying certain components of business continuity and transition planning that must be addressed while still providing advisers with flexibility in how to address each of those components and any other operational and other risks that may be relevant to the adviser's operations. In addition, the Commission preliminarily believes that advisers will achieve certain efficiencies in simultaneously addressing both business disruptions and transition events under the proposed approach, which may mitigate additional costs imposed by the proposed approach.

3. Require Specific Mechanisms for Addressing Certain Risks in Every Plan

As discussed above, we are proposing a rule that requires SEC-registered advisers to address certain general components, but permits them the flexibility to draft their business continuity and transition plans based on the risks associated with their particular operations. We could alternatively include in the rule prescriptive requirements mandating precisely how registered advisers must address certain specified risks related to either business disruptions or transition events, or both.\135\

---------------------------------------------------------------------------

\135\ As noted above, the Commission could vary its approach for business continuity and transition plans. Specifically, for both business continuity plans and transition plans, the Commission could either (1) retain the more flexible component-based approach currently proposed, (2) mandate specific requirements for addressing business disruptions/transition events, or (3) only require ``reasonably designed'' plans without specifying particular components.
---------------------------------------------------------------------------

Specific, mandatory requirements could potentially reduce confusion as to exactly how these advisers are expected to address business disruptions and/or transition events. However, as discussed above, we recognize that advisers' business models and operations vary and that the manner in which each adviser's business continuity and transition plan addresses a required element will depend upon the nature and complexity of the adviser's business. Therefore, a prescriptive one-size-fits-all rule mandating how all advisers must address certain specified risks, including risks a particular business model and operation would not be exposed to, could be inefficient and cause some advisers to incur unnecessary costs by requiring them to address requirements that are not relevant to their specific business. In addition, a prescriptive rule provides less flexibility for registered advisers to address new issues as they arise, particularly concerning changes in technology, again potentially leading to inefficient constraints on how registered advisers prepare for and address various risks. Therefore, we preliminarily believe our proposed approach strikes an appropriate balance between requiring that each adviser have a business continuity and transition plan that addresses certain required components we believe will help SEC-registered advisers to appropriately plan for significant business disruptions and transition events while, at the same time, allowing each adviser the necessary flexibility in creating a business continuity and transition plan to take into account the adviser's own unique operations, the nature and complexity of its business, its clients, and its key personnel.

4. Vary the Requirements of the Proposed Rule for Different Subsets of Registered Advisers

Additionally, instead of requiring that all SEC-registered advisers adopt and implement the business continuity and transition plans with the same exact components, we could vary those requirements by adviser. For example, the Commission could provide that various requirements of the rule only apply to a subset of registered advisers (e.g., advisers over a certain asset threshold, advisers that are engaged in activities that the Commission deems to be risky, advisers that are affiliated with other financial industry participants, such as broker-dealers or banks, etc.), or it could provide that certain advisers (such as smaller advisers) are exempted from the rule entirely. As we have discussed above, different types of advisers have different types of operational and other risks and it is possible that requiring every adviser to address each of the risks identified in the proposed rule, even those that may be less likely for certain advisers, could result in unnecessary costs for those advisers. However, the overall purpose of the proposed rule is to provide enhanced protection to clients and investors by requiring all registered advisers to establish sufficiently robust plans, and tailoring the rule to require different components for different types of advisers may result in the interests of some clients and investors not being adequately protected. Specifically, it is possible that, when distinguishing different ``types'' of advisers, any boundaries drawn would be imperfect and any groups of advisers identified by such a rule would themselves not be homogenous, resulting in under- or over-inclusive groups. This could result in some clients and investors not receiving adequate protections, while still imposing unnecessary costs on others.
In contrast, the proposed rule allows advisers the flexibility to address each required component to the degree that reflects the nature of each particular adviser's business. Accordingly, the Commission believes that the proposed rule strikes an appropriate balance in providing that protection while minimizing the costs of compliance to advisers in ways that would not undermine the Commission's regulatory goals.

E. Request for Comment

We request comment on our assumptions regarding the costs and benefits of the proposed rule. We request comment on whether the proposed rule, if adopted, would impose a burden on competition. We also request comment on whether the proposed rule, if adopted, would promote efficiency, competition, and capital formation. Commenters are requested to provide empirical data to support their views. In addition to our general request for comment on the costs and benefits of the proposed amendments, we request the following specific comment on certain aspects of our economic analysis.

* To what extent would advisers and their clients and investors benefit from business continuity and transition plans that are required to contain certain specific components? Please explain.
* Would advisers, and their clients and investors, benefit more from requiring plans to address certain risks in a specified manner, rather than providing for flexibility as in the proposed rule?
* Do commenters expect that advisers would incur costs in addition to, or that differ from, the costs we outlined above for both one-time and ongoing costs? Please explain.
* Would any of the effects and costs of the proposed rule be large enough to affect the behavior of investment advisers or their clients? For example:
  o Do commenters expect that some advisers may choose to exit the market rather than incur the costs associated with compliance? If so, what segment of the investment adviser market is this most likely to be seen in and how many exiting advisers should we expect? Please explain.
  o Will the costs to clients, in the form of increased fees, result in some clients no longer employing the services of advisers? If so, what types of clients would be most likely to take such actions? Please explain.

[[Page 43552]]

* Do commenters believe that the alternatives the Commission considered are appropriate? Are there other reasonable alternatives that the Commission should consider? If so, please provide additional alternatives and how their costs and benefits would compare to the proposal.
* Do commenters believe that the analysis of the associated costs and benefits of the alternatives is accurate? If not, please provide more accurate costs and benefits, including any data or statistics that support those costs and benefits.

III. Paperwork Reduction Act

The proposed rule and rule amendments under the Advisers Act contain ``collections of information'' within the meaning of the Paperwork Reduction Act of 1995 (``PRA'').\136\ The title for the new collection of information is ``Rule 206(4)-4.'' In addition, the proposed amendments to rule 204-2 would impact the currently approved collection of information titled ``Rule 204-2,'' under OMB control number 3235-0278. These collections of information are mandatory for all investment advisers registered with the Commission. The Commission is submitting these collections of information to the OMB for review in accordance with 44 U.S.C. 3507 (d) and 5 CFR 1320.11. An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid control number.

---------------------------------------------------------------------------

\136\ 44 U.S.C. 3501 through 3521.
--------------------------------------------------------------------------- The collection of information under rule 206(4)-4 is designed to increase the likelihood that advisers are as prepared as possible to continue operations on an ongoing basis and to meet client expectations and legal obligations in the event of a significant disruption to their operations. The respondents are investment advisers registered with the Commission. Responses provided to the Commission in the context of its examination and oversight program are generally kept confidential.\137\ --------------------------------------------------------------------------- \137\ See section 210(b) of the Advisers Act. --------------------------------------------------------------------------- The collection of information under rule 204-2 is necessary for the Commission staff to use in its examination and oversight program. The respondents are investment advisers registered with us. Responses provided to the Commission in the context of its examination and oversight program are generally kept confidential.\138\ The records that an adviser must keep in accordance with the proposed rule must be retained for at least five years.\139\ --------------------------------------------------------------------------- \138\ See section 210(b) of the Advisers Act. \139\ See proposed rule 204-2(a)(20). --------------------------------------------------------------------------- A. The Proposed Rules 1. Rule 206(4)-4 As discussed in section II, we estimate that each adviser would incur one-time initial costs to adopt and implement a written business continuity and transition plan, as well as ongoing plan-related costs.
There are currently approximately 11,956 investment advisers registered with us.\140\ We estimate that advisers will spend between 50 and 500 hours to initially adopt and implement a business continuity and transition plan depending on the nature of an adviser's current business continuity plan and the complexity of its operations. This range is comprised of our estimates that a representative smaller adviser (defined in this PRA as advisers with less than $100 million in assets under management) would spend 50 hours on this initial effort at a cost of $12,515,\141\ a representative mid-sized adviser (defined in this PRA as advisers with at least $100 million in assets under management but less than $1 billion) would spend 250 hours on this initial effort at a cost of $70,045,\142\ and a representative larger adviser (defined in this PRA as advisers with at least $1 billion in assets under management) would spend 500 hours on this initial effort at a cost of $147,310.\143\ As discussed in section II, exact costs for any given adviser would depend on the facts and circumstances of the adviser's operations and the comprehensiveness of its existing plan. Aggregating the estimates above for all advisers, however, yields a total industry-wide initial hourly burden of 3,404,600 \144\ (as monetized, is equivalent to a one-time aggregate burden of approximately $974.6 million).\145\ Amortized over a three-year period, this would be an annual hourly burden of 95 per adviser \146\ (as monetized, is equivalent to an annual amortized burden per adviser of $27,172).\147\ --------------------------------------------------------------------------- \140\ This is the number of investment advisers registered with us on our IARD System as of January 4, 2016.
\141\ This estimate is based on the following calculations: 25 hours x $288 (hourly rate for a compliance manager) = $7,200; 20 hours x $127 (hourly rate for an operations specialist) = $2,540; 5 hours x $555 (hourly rate for a deputy general counsel) = $2,775. $7,200 + $2,540 + $2,775 = $12,515. The hourly wages used are from SIFMA's Management & Professional Earnings in the Securities Industry 2013, modified to account for an 1800-hour work-year and inflation (as of January 2016) and multiplied by 5.35 to account for bonuses, firm size, employee benefits, and overhead. \142\ This estimate is based on the following calculations: 75 hours x $288 (hourly rate for a compliance manager) = $21,600; 60 hours x $127 (hourly rate for an operations specialist) = $7,620; 15 hours x $555 (hourly rate for a deputy general counsel) = $8,325; 50 hours x $264 (hourly rate for a senior systems analyst) = $13,200; 50 hours x $386 (hourly rate for an attorney) = $19,300. $21,600 + $7,620 + $8,325 + $13,200 + $19,300 = $70,045. The hourly wages used are from SIFMA's Management & Professional Earnings in the Securities Industry 2013, modified to account for an 1800-hour work-year and inflation (as of January 2016) and multiplied by 5.35 to account for bonuses, firm size, employee benefits, and overhead.
\143\ This estimate is based on the following calculations: 100 hours x $288 (hourly rate for a compliance manager) = $28,800; 80 hours x $127 (hourly rate for an operations specialist) = $10,160; 20 hours x $555 (hourly rate for a deputy general counsel) = $11,100; 65 hours x $264 (hourly rate for a senior systems analyst) = $17,160; 65 hours x $386 (hourly rate for an attorney) = $25,090; 30 hours x $410 (hourly rate for a computer operations department manager) = $12,300; 30 hours x $271 (hourly rate for a financial reporting manager) = $8,130; 40 hours x $340 (hourly rate for a senior operations manager) = $13,600; 30 hours x $255 (hourly rate for a senior business analyst) = $7,650; 40 hours x $333 (hourly rate for a senior risk management specialist) = $13,320. $28,800 + $10,160 + $11,100 + $17,160 + $25,090 + $12,300 + $8,130 + $13,600 + $7,650 + $13,320 = $147,310. The hourly wages used are from SIFMA's Management & Professional Earnings in the Securities Industry 2013, modified to account for an 1800-hour work-year and inflation (as of January 2016) and multiplied by 5.35 to account for bonuses, firm size, employee benefits, and overhead. \144\ This estimate is based on the following calculations: (2,032 smaller advisers x 50 hours) + (6,636 mid-sized advisers x 250 hours) + (3,288 larger advisers x 500 hours) = 3,404,600 hours. \145\ This estimate is based on the following calculation: (2,032 smaller advisers x $12,515) + (6,636 mid-sized advisers x $70,045) + (3,288 larger advisers x $147,310) = $974.6 million. \146\ This estimate is based on the following calculations: 3,404,600 hours/3 years = 1,134,867 hours per year. 1,134,867 hours/ 11,956 advisers = 95 hours per year per adviser. \147\ This estimate is based on the following calculations: $974.6 million/3 years = $324.87 million per year. $324.87 million/ 11,956 advisers = $27,172 per year per adviser. 
--------------------------------------------------------------------------- We also anticipate that some advisers may consult with outside legal counsel and/or other outside professionals to assist in drafting policies and procedures and/or to assist in evaluating particular components of a plan. We estimate that the costs associated with such an engagement would include fees for approximately 10 hours for smaller firms, 30 hours for a mid-sized firm, and 50 hours for a larger firm, at an average rate of $400 per hour (estimated hourly rate for outside legal services).\148\ Consequently, we estimate a total of $4,000 in outside fees [[Page 43553]] for each smaller firm,\149\ $12,000 for each medium firm,\150\ and $20,000 for each larger firm.\151\ Aggregating these estimates for all advisers yields a total industry-wide initial cost burden of $153.5 million attributable to engaging outside legal services for assistance in initially drafting and implementing the BCP.\152\ Amortized over a three-year period, this would be an initial annual cost burden per adviser of $4,282.\153\ --------------------------------------------------------------------------- \148\ We recognize that the costs of retaining outside professionals may vary depending on the nature of the professional services, but for purposes of this PRA analysis we estimate that such costs would be similar to the costs of outside legal services. \149\ This estimate is based on the following calculation: 10 hours x $400 = $4,000. \150\ This estimate is based on the following calculation: 30 hours x $400 = $12,000. \151\ This estimate is based on the following calculation: 50 hours x $400 = $20,000. \152\ This estimate is based on the following calculation: ($4,000 per smaller adviser x 2,032 smaller advisers) + ($12,000 per mid-sized adviser x 6,636 mid-sized advisers) + ($20,000 per larger adviser x 3,288 larger advisers) = $153.5 million.
\153\ This estimate is based on the following calculations: $153.5 million/3 years = $51.2 million per year. $51.2 million/ 11,956 advisers = $4,282 per adviser. --------------------------------------------------------------------------- In addition to the initial burden, an adviser would incur ongoing, annual costs associated with its business continuity and transition plan, including the adviser annually reviewing the adequacy of its business continuity and transition plan and the effectiveness of its implementation. Based on staff experience, we estimate these ongoing costs would total approximately 25% of an adviser's initial costs. Accordingly, we estimate that a representative smaller adviser would spend 12.5 hours annually on this effort internally (as monetized, is equivalent to an annual burden of $3,129) while incurring outside costs of $1,000,\154\ a representative mid-sized adviser would spend 62.5 hours annually on this effort internally (as monetized, is equivalent to an annual burden of $17,511) while incurring outside costs of $3,000,\155\ and a representative larger adviser would spend 125 hours annually on this effort internally (as monetized, is equivalent to an annual burden of $36,828) while incurring outside costs of $5,000.\156\ Aggregating the estimates above for all advisers yields a total industry-wide ongoing annual burden of approximately 851,150 hours (as monetized, is equivalent to an annual burden of $243.65 million) \157\ plus outside costs of $38.4 million.\158\ This translates to an annual burden per adviser of 71.2 hours (as monetized, is equivalent to an annual burden of $20,379) and $3,212.\159\ --------------------------------------------------------------------------- \154\ This estimate is based on the following calculations: 0.25 x 50 hours = 12.5 hours. 0.25 x $12,515 = $3,129. 0.25 x $4,000 = $1,000. \155\ This estimate is based on the following calculations: 0.25 x 250 hours = 62.5 hours. 0.25 x $70,045 = $17,511. 
0.25 x $12,000 = $3,000. \156\ This estimate is based on the following calculations: 0.25 x 500 hours = 125 hours. 0.25 x $147,310 = $36,828. 0.25 x $20,000 = $5,000. \157\ This estimate is based on the following calculations: (2,032 smaller advisers x 12.5 hours) + (6,636 mid-sized advisers x 62.5 hours) + (3,288 larger advisers x 125 hours) = 851,150 hours. (2,032 smaller advisers x $3,129) + (6,636 mid-sized advisers x $17,511) + (3,288 larger advisers x $36,828) = $243.65 million. \158\ This estimate is based on the following calculation: (2,032 smaller advisers x $1,000) + (6,636 mid-sized advisers x $3,000) + (3,288 larger advisers x $5,000) = $38.4 million. \159\ This estimate is based on the following calculations: 851,150 hours/11,956 advisers = 71.2 hours per adviser. $243.65 million/11,956 advisers = $20,379 per adviser. $38.4 million/11,956 advisers = $3,212 per adviser. --------------------------------------------------------------------------- 2. Rule 204-2 The currently-approved total annual burden estimate for rule 204-2 is 1,986,152 hours. This burden estimate was based on estimates that 10,946 advisers were subject to the rule, and each of these advisers spends an average of 181.45 hours preparing and preserving records in accordance with the rule. Based on updated data as of January 4, 2016, there are 11,956 registered investment advisers.\160\ This increase in the number of registered investment advisers increases the total burden hours of current rule 204-2 from 1,986,152 to 2,169,417, an increase of 183,265 hours.\161\ --------------------------------------------------------------------------- \160\ See supra note 140 and accompanying text. \161\ This estimate is based on the following calculations: (11,956 advisers - 10,946 advisers) * 181.45 hours = 183,265 hours; 183,265 hours + 1,986,152 hours = 2,169,417 hours. 
--------------------------------------------------------------------------- The proposed amendments to rule 204-2 would require a registered investment adviser to maintain copies of the written business continuity and transition plans drafted under proposed rule 206(4)-4. In addition, the proposed amendments would require a registered investment adviser to retain copies of any records documenting the adviser's annual review of its policies and procedures under proposed rule 206(4)-4. Based on staff experience, we estimate that the proposed amendments to rule 204-2 would increase each registered investment adviser's average annual collection burden under rule 204-2 by 2 hours, from 181.45 hours to 183.45 hours,\162\ and would thus increase the annual aggregate burden for rule 204-2 by 23,912 hours,\163\ from 2,169,417 hours to 2,193,328 hours.\164\ As monetized, the estimated burden for each registered investment adviser's average annual burden under rule 204-2 would increase by approximately $150,\165\ which would increase the estimated monetized aggregate annual burden for rule 204-2 by $1,793,325, from $162,706,275 to $164,499,600.\166\ We estimate that there are no external costs associated with this collection of information under the proposed amendments to rule 204-2. --------------------------------------------------------------------------- \162\ This estimate is based on the following calculation: 181.45 existing hours + 2 new hours = 183.45 hours. \163\ This estimate is based on the following calculation: 11,956 advisers x 2 hours = 23,912 hours. \164\ This estimate is based on the following calculation: 11,956 advisers x 183.45 hours = 2,193,328 hours. \165\ This estimate is based on the following calculation: 2 hours x $75 (hourly rate for an administrative assistant) = $150. 
The hourly wage used is from SIFMA's Management & Professional Earnings in the Securities Industry 2013, modified to account for an 1800-hour work-year and inflation (as of January 2016) and multiplied by 5.35 to account for bonuses, firm size, employee benefits, and overhead. \166\ This estimate is based on the following calculations: 2,169,417 hours x $75 = $162,706,275. 2,193,328 hours x $75 = $164,499,600. $164,499,600 - $162,706,275 = $1,793,325. --------------------------------------------------------------------------- B. Request for Comment We request comment on whether our estimates for burden hours and any external costs as described above are reasonable. Pursuant to 44 U.S.C. 3506(c)(2)(B), the Commission solicits comments in order to: (1) Evaluate whether the proposed collections of information are necessary for the proper performance of the function of the Commission, including whether the information will have practical utility; (2) evaluate the accuracy of the Commission's estimate of the burden of the proposed collections of information; (3) determine whether there are ways to enhance the quality, utility, and clarity of the information to be collected; and (4) determine whether there are ways to minimize the burden of the collections of information on those who are to respond, including through the use of automated collection techniques or other forms of information technology. The agency has submitted the proposed collection of information to OMB for approval. Persons wishing to submit comments on the collection of information requirements of the proposed amendments should direct them to the Office of Management and Budget, Attention Desk Officer for the Securities and Exchange Commission, Office of Information and Regulatory Affairs, Washington, DC 20503, and should send a copy to Brent J. Fields, Secretary, Securities and Exchange Commission, 100 F Street NE., Washington, DC 20549-1090, with reference to File No. S7-13-16.
OMB is required to make a decision concerning the collections of information between 30 and 60 days after publication of this release; therefore, a comment to OMB is [[Page 43554]] best assured of having its full effect if OMB receives it within 30 days after publication of this release. Requests for materials submitted to OMB by the Commission with regard to these collections of information should be in writing, refer to File No. S7-13-16, and be submitted to the Securities and Exchange Commission, Office of FOIA Services, 100 F Street NE., Washington, DC 20549-2736. IV. Initial Regulatory Flexibility Analysis The Commission has prepared the following Initial Regulatory Flexibility Analysis (``IRFA'') in accordance with section 3(a) of the Regulatory Flexibility Act \167\ regarding our proposed rule 206(4)-4 and proposed amendments to rule 204-2. --------------------------------------------------------------------------- \167\ 5 U.S.C. 603(a). --------------------------------------------------------------------------- A. Reasons for and Objectives of the Proposed Actions Based on staff observations, we are concerned about the adequacy of some advisers' plans to address operational and other risks associated with business resiliency. Establishing strong operational controls that manage these risks, including the risks associated with business continuity and transition, are important practices and should increase the likelihood that advisers are as prepared as possible to continue operations on an ongoing basis and to meet client expectations and legal obligations in the event of a significant disruption in their operations. Accordingly, proposed rule 206(4)-4 would require SEC-registered advisers to adopt and implement written business continuity and transition plans reasonably designed to address operational and other risks related to a significant disruption in the investment adviser's operations.
We also are proposing specific components be included in such plans in order to address certain disparate practices the staff has previously observed during examinations and to facilitate robust business continuity and transition planning across all SEC-registered advisers. In addition, the proposed rule would require advisers to review their business continuity and transition plans at least annually in order to ensure that advisers are examining the continued adequacy and effectiveness of their plans on an ongoing basis. The proposed amendments to rule 204-2 would require advisers to make and keep all business continuity and transition plans that are in effect or were in effect at any time within the past five years. The proposed amendments would help advisers have easy access to necessary information during periods of stress. B. Legal Basis Proposed rule 206(4)-4 is designed to address certain disparate practices our staff has previously observed during its examinations and to facilitate robust business continuity and transition planning across all SEC-registered advisers. The Commission is proposing new rule 206(4)-4 and amendments to rule 204-2 under the rulemaking authority set forth in sections 204, 206(4) and 211(a) of the Advisers Act [15 U.S.C. 80b-4(b), 80b-6(4), and 80b-11(a)]. C. Small Entities Subject to the Rule and Rule Amendments In developing these proposals, we have considered their potential impact on small entities that would be subject to proposed new rule 206(4)-4 and the proposed amendments to rule 204-2. The proposed new rule and the proposed amendments would affect all advisers registered with the Commission, including certain small entities. 
Under Commission rules, for the purposes of the Advisers Act and the Regulatory Flexibility Act, an investment adviser generally is a small entity if it: (1) Has assets under management having a total value of less than $25 million; (2) did not have total assets of $5 million or more on the last day of the most recent fiscal year; and (3) does not control, is not controlled by, and is not under common control with another investment adviser that has assets under management of $25 million or more, or any person (other than a natural person) that had total assets of $5 million or more on the last day of its most recent fiscal year.\168\ --------------------------------------------------------------------------- \168\ Rule 0-7(a) under the Advisers Act. --------------------------------------------------------------------------- The proposed new rule and the proposed amendments would not apply to most advisers that are small entities (``small advisers'') because small advisers are generally registered with one or more state securities authorities instead of with the Commission.\169\ Based on IARD data, however, we estimate that as of January 4, 2016, approximately 515 small advisers are registered with the Commission.\170\ Because these small advisers are registered, they, like all SEC-registered investment advisers, would all be subject to proposed new rule 206(4)-4 and the proposed amendments to rule 204-2. --------------------------------------------------------------------------- \169\ See section 203A of the Advisers Act, prohibiting most small advisers from registering with the Commission. \170\ Based on SEC-registered investment adviser responses to Form ADV, Item 5.F and Item 12. --------------------------------------------------------------------------- D. 
Projected Reporting, Recordkeeping and Other Compliance Requirements Proposed new rule 206(4)-4 and the proposed amendments to rule 204-2 would impose certain recordkeeping and other compliance requirements on all Commission-registered advisers, including Commission-registered small advisers. Proposed rule 206(4)-4 would require advisers to adopt and implement written business continuity and transition plans reasonably designed to address operational and other risks related to a significant disruption in the investment adviser's operations. The proposed amendments to rule 204-2 would require advisers to make and keep all business continuity and transition plans that are in effect or were in effect at any time within the past five years. 1. Rule 206(4)-4 As discussed in section II, we estimated that each adviser would incur one-time costs to adopt and implement a written business continuity and transition plan, as well as ongoing plan-related costs. As noted above, there are currently approximately 515 small advisers registered with the Commission. We estimate that each small adviser would incur an average initial burden of 50 hours associated with adopting and implementing a written business continuity and transition plan at a cost of $12,515.\171\ Aggregating the estimated burden for all small advisers yields a total initial hourly burden of 25,750 \172\ (as monetized, is equivalent to a one-time aggregate burden of approximately $6,445,225).\173\ Amortized over a three-year period, this would be an annual hourly burden of 16.7 per small adviser \174\ (as monetized, is equivalent to an annual amortized burden per small adviser of $4,172).\175\ --------------------------------------------------------------------------- \171\ See supra note 141 (discussing the estimated initial cost burden associated with a representative smaller adviser). \172\ This estimate is based on the following calculation: 515 small advisers x 50 hours = 25,750 hours.
\173\ This estimate is based on the following calculation: 515 small advisers x $12,515 = $6,445,225. \174\ This estimate is based on the following calculation: 50 hours/3 years = 16.7 hours per year. \175\ This estimate is based on the following calculations: $12,515/3 years = $4,172 per year. --------------------------------------------------------------------------- Our staff also anticipates that some small advisers may consult with outside legal counsel and/or other outside professionals to assist in drafting policies and procedures and/or to provide assistance in evaluating [[Page 43555]] particular components of a plan. We estimate that the costs associated with such an engagement would include fees for approximately 10 hours for small firms at a rate of $400 per hour.\176\ Consequently, for a representative smaller firm we estimate a total of $4,000 in outside fees.\177\ Amortized over a three-year period, this would be an annual burden per small adviser of $1,333.\178\ Accordingly, we estimate that the total annual initial burden on 515 small advisers for adopting and implementing a written business continuity and transition plan would be $686,495.\179\ --------------------------------------------------------------------------- \176\ See supra note 148 and accompanying text. \177\ This estimate is based on the following calculation: 10 hours x $400 per hour = $4,000. \178\ This estimate is based on the following calculation: $4,000/3 years = $1,333 per year. \179\ This estimate is based on the following calculations: 515 small advisers x $1,333 = $686,495. --------------------------------------------------------------------------- In addition to the initial burden, a small adviser would incur ongoing, annual costs associated with its business continuity and transition plan, including the adviser annually reviewing the adequacy of its business continuity plan and the effectiveness of its implementation. 
Based on staff experience, we estimate that these ongoing costs would total approximately 25% of a small adviser's initial costs. Accordingly, we estimate that each small adviser would spend 12.5 hours annually on this effort internally while incurring outside costs of $1,000.\180\ Aggregating the estimates above for 515 small advisers yields a total ongoing annual burden on small advisers of approximately 6,438 hours \181\ plus outside costs of $515,000.\182\ --------------------------------------------------------------------------- \180\ This estimate is based on the following calculations: 0.25 x 50 hours = 12.5 hours. 0.25 x $4,000 = $1,000. \181\ This estimate is based on the following calculation: 12.5 hours x 515 advisers = 6,438 hours. \182\ This estimate is based on the following calculation: $1,000 x 515 advisers = $515,000. --------------------------------------------------------------------------- 2. Rule 204-2 The currently-approved annual aggregate information collection burden under rule 204-2 is 1,986,152 hours. This approved annual aggregate burden was based on estimates that 10,946 advisers were subject to the rule, of which 478 were small advisers, and each of these advisers spends an average of 181.45 hours preparing and preserving records in accordance with the rule. Based upon updated data as of January 4, 2016, there are 11,956 registered investment advisers,\183\ of which 515 are small advisers.\184\ The increase in the number of registered small advisers increases the total burden hours of current rule 204-2 on small advisers from 86,733 hours to 93,447 hours, an increase of 6,714 hours.\185\ --------------------------------------------------------------------------- \183\ See supra note 140 and accompanying text. \184\ See supra note 170 and accompanying text. \185\ This estimate is based on the following calculations: 515 small advisers x 181.45 hours = 93,447 hours. 478 small advisers x 181.45 hours = 86,733 hours.
93,447 - 86,733 = 6,714. --------------------------------------------------------------------------- The proposed amendments to rule 204-2 would require a registered investment adviser to maintain copies of the written business continuity and transition plans drafted under proposed rule 206(4)-4. In addition, the proposed amendments would require a registered investment adviser to retain copies of any records documenting the adviser's annual review of its policies and procedures under proposed rule 206(4)-4. Based on staff experience, we estimate that the proposed amendments to rule 204-2 would increase each registered investment adviser's average annual collection burden under rule 204-2 by 2 hours, from 181.45 hours to 183.45 hours,\186\ and would thus increase the annual aggregate burden for rule 204-2 by 1,030 hours,\187\ from 93,447 hours to 94,477 hours.\188\ As monetized, the estimated burden for each registered investment adviser's average annual burden under rule 204-2 would increase by approximately $150,\189\ which would increase the estimated monetized aggregate annual burden for rule 204-2 by $77,250, from $7,008,525 to $7,085,775.\190\ We estimate that there are no external costs associated with this collection of information under the proposed amendments to rule 204-2. --------------------------------------------------------------------------- \186\ This estimate is based on the following calculation: 181.45 existing hours + 2 new hours = 183.45 hours. \187\ This estimate is based on the following calculation: 515 small advisers x 2 hours = 1,030 hours. \188\ This estimate is based on the following calculation: 515 small advisers x 183.45 hours = 94,477 hours. \189\ This estimate is based on the following calculation: 2 hours x $75 (hourly rate for an administrative assistant) = $150. 
The hourly wage used is from SIFMA's Management & Professional Earnings in the Securities Industry 2013, modified to account for an 1800-hour work-year and inflation (as of January 2016) and multiplied by 5.35 to account for bonuses, firm size, employee benefits, and overhead. \190\ This estimate is based on the following calculations: 93,447 hours x $75 = $7,008,525. 94,477 hours x $75 = $7,085,775. $7,085,775 - $7,008,525 = $77,250. --------------------------------------------------------------------------- E. Duplicative, Overlapping, or Conflicting Federal Rules We believe there are no federal rules that duplicate, overlap, or conflict with proposed new rule 206(4)-4 and the proposed amendments to rule 204-2. The written business continuity and transition plans that would be required by the proposed new rule would include certain policies and procedures already generally required by other rules under the federal securities laws, but the proposed new rule would not require these policies and procedures to be duplicated. Some of the records an adviser would be required to maintain under the proposed amendments to rule 204-2 also may be required records under the general recordkeeping provisions of rule 204-2 of the Advisers Act, but such overlap would be limited and the Commission would not require the adviser to maintain duplicate copies. F. Significant Alternatives In formulating our proposal, we have considered various reasonable alternatives to the individual elements of proposed new rule 206(4)-4 and the proposed amendments to rule 204-2, specifically as they relate to accomplishing our stated objectives while minimizing any significant economic impact on small entities. The alternatives most relevant to small advisers are discussed below. We have also requested comment relating to certain specific aspects of these and other alternatives above.\191\ --------------------------------------------------------------------------- \191\ See supra section I.C.1.f. 
---------------------------------------------------------------------------

The Commission considered exempting small advisers from the proposal entirely. The Commission also considered setting forth different business continuity and transition plan requirements for small advisers. However, because small advisers generally face the same types of transition and business continuity issues as larger advisers, although on a smaller scale, we believe small advisers should be subject to the proposed rule to the same extent as larger advisers and be allowed to tailor their business continuity and transition plans to the scope of their business. The proposed rule allows each adviser the necessary flexibility in creating a business continuity and transition plan to take into account the adviser's own unique operations, the nature and complexity of its business, its clients, and its key personnel, and we believe that such flexibility may result in small advisers incurring less costs to comply.\192\

---------------------------------------------------------------------------
\192\ See supra section III.A.1, discussing the lower estimated cost burdens, both initial and ongoing, associated with smaller advisers as compared to larger advisers.
---------------------------------------------------------------------------

G. Solicitation of Comments

We encourage written comments on matters discussed in this IRFA. We solicit comment on the number of small entities subject to the proposed rule and [[Page 43556]] whether the proposed rule discussed in this release could have an effect on small entities that has not been considered. We request that commenters describe the nature of any impact on small entities and provide empirical data to support the extent of such impact.

V. Consideration of Impact on the Economy

For purposes of the Small Business Regulatory Enforcement Fairness Act of 1996, or ``SBREFA,'' \193\ we must advise OMB whether a proposed regulation constitutes a ``major'' rule. Under SBREFA, a rule is considered ``major'' where, if adopted, it results in or is likely to result in (1) an annual effect on the economy of $100 million or more; (2) a major increase in costs or prices for consumers or individual industries; or (3) significant adverse effects on competition, investment or innovation.

---------------------------------------------------------------------------
\193\ Public Law 104-121, Title II, 110 Stat. 857 (1996) (codified in various sections of 5 U.S.C., 15 U.S.C. and as a note to 5 U.S.C. 601).
---------------------------------------------------------------------------

We request comment on the potential impact of the proposed rule on the economy on an annual basis. Commenters are requested to provide empirical data and other factual support for their views to the extent possible.

VI. Statutory Authority

The Commission is proposing new rule 206(4)-4 and amendments to rule 204-2 under the rulemaking authority set forth in sections 204, 206(4) and 211(a) of the Advisers Act [15 U.S.C. 80b-4, 80b-6(4), and 80b-11(a)].

List of Subjects in 17 CFR Part 275

Investment advisers, Reporting and recordkeeping requirements.

Text of Proposed Rule Amendments

For reasons set out in the preamble, title 17, chapter II of the Code of Federal Regulations is proposed to be amended as follows:

PART 275--RULES AND REGULATIONS, INVESTMENT ADVISERS ACT OF 1940

1. The authority citation for part 275 continues to read, in part, as follows:

Authority: 15 U.S.C. 80b-2(a)(11)(G), 80b-2(a)(11)(H), 80b-2(a)(17), 80b-3, 80b-4, 80b-4a, 80b-6(4), 80b-6a, and 80b-11, unless otherwise noted.
* * * * *
Section 275.204-2 is also issued under 15 U.S.C. 80b-6.
* * * * *

2. Section 275.204-2 is amended by:
a. Reserving paragraph (a)(19);
b. Adding paragraph (a)(20); and
c. Revising paragraph (e)(1).

The addition and revision read as follows:

Sec. 275.204-2 Books and records to be maintained by investment advisers.

(a) * * *
(20)(i) A copy of the investment adviser's business continuity and transition plan formulated pursuant to Sec. 275.206(4)-4 that is in effect, or at any time within the past five years was in effect;
(ii) Any records documenting the investment adviser's annual review of the business continuity and transition plan conducted pursuant to Sec. 275.206(4)-4(b).
* * * * *
(e)(1) All books and records required to be made under the provisions of paragraphs (a) through (c)(1)(i), and (c)(2) of this section (except for books and records required to be made under the provisions of paragraphs (a)(11), (a)(12)(i), (a)(12)(iii), (a)(13)(ii), (a)(13)(iii), (a)(16), (a)(17)(i), and (a)(20)(i) of this section), shall be maintained and preserved in an easily accessible place for a period of not less than five years, from the end of the fiscal year during which the last entry was made on such record, the first two years in an appropriate office of the investment adviser.
* * * * *

3. Section 275.206(4)-4 is added to read as follows:

Sec. 275.206(4)-4 Investment adviser business continuity and transition plan.

(a) Prohibition. If you are an investment adviser registered or required to be registered under section 203 of the Act (15 U.S.C. 80b-3), it shall be unlawful within the meaning of section 206 of the Act (15 U.S.C. 80b-6) for you to provide investment advice to your clients unless you:
(1) Business continuity and transition plan. Adopt and implement a written business continuity and transition plan; and
(2) Annual review. Review, no less frequently than annually, the adequacy of the business continuity and transition plan and the effectiveness of its implementation.
(b) Content of business continuity and transition plan.
(1) For purposes of this section, the term business continuity and transition plan means policies and procedures reasonably designed to address operational and other risks related to a significant disruption in the investment adviser's operations, including policies and procedures concerning:
(i) Business continuity after a significant business disruption; and
(ii) Business transition in the event the investment adviser is unable to continue providing investment advisory services to clients.
(2) The content of a business continuity and transition plan shall be based upon risks associated with the adviser's operations and shall include policies and procedures designed to minimize material service disruptions, including policies and procedures that address the following:
(i) Maintenance of critical operations and systems, and the protection, backup, and recovery of data, including client records;
(ii) Pre-arranged alternate physical location(s) of the adviser's office(s) and/or employees;
(iii) Communications with clients, employees, service providers, and regulators;
(iv) Identification and assessment of third-party services critical to the operation of the adviser; and
(v) Plan of transition that accounts for the possible winding down of the investment adviser's business or the transition of the investment adviser's business to others in the event the investment adviser is unable to continue providing investment advisory services, that includes the following:
(A) Policies and procedures intended to safeguard, transfer, and/or distribute client assets during transition;
(B) Policies and procedures facilitating the prompt generation of any client-specific information necessary to transition each client account;
(C) Information regarding the corporate governance structure of the adviser;
(D) Identification of any material financial resources available to the adviser; and
(E) An assessment of the applicable law and contractual obligations governing the adviser and its clients, including pooled investment vehicles, implicated by the adviser's transition.

By the Commission.
Dated: June 28, 2016.
Brent J. Fields,
Secretary.
[FR Doc. 2016-15675 Filed 7-1-16; 8:45 am]
BILLING CODE 8011-01-P