On March 23, 2020, the U.S. Securities and Exchange Commission (“SEC”) modified its announcement “OCIE Statement on Operations and Exams – Health, Safety, Investor Protection and Continued Operations are our Priorities.” In the announcement, the SEC determined that the Office of Compliance Inspections and Examinations (“OCIE”) would continue its examinations, but off-site, in light of growing health concerns due to the Coronavirus (COVID-19) pandemic.
One current topic of interest within examinations is the strength and efficacy of a firm’s Business Continuity Plan (BCP), as a majority of plans have gone into effect in the current health crisis. As suspected, many firms are now needing to reassess, strategize, and strengthen their own plans for today’s highly fluid market.
Before we start, you may want to ask “does your firm have a Business Continuity Plan?”
Although this may seem like an easy question, some firms including smaller, newly registered or formed firms may not have a BCP in place. It is important to have a BCP in place immediately and if you need assistance, contact the Core Compliance team for this and any other questions regarding your compliance program.
If your firm does have a BCP, OCIE staff (“Staff”) will want to know if the firm activated/implemented its BCP in response to COVID-19. Staff will then want answers to the following five questions:
1. What aspects of the plan have been implemented?
Firms will be expected to describe the aspects of their BCP that specifically address maintaining business operations during the COVID-19 pandemic. Heads up, “remote work” cannot and should not be your only answer. Responses should be comprehensive and specific to each firm’s business model, such as:
• How is client account and communication activity being recorded and supervised?
• Who is considered an “essential” employee permitted to visit the office for business operational requirements, such as mail, payment, etc.?
• How are phones or voicemail messages being returned or answered? How are clients made aware of these business operational changes?
• Are there certain operations that CANNOT be performed remotely?
There are numerous factors and details within the BCP or Pandemic Continuity of Operations Plan that firms should be ready to answer and respond to in order to show the comprehensiveness and depth of their programs.
2. Since implementation of the BCP, has the firm identified any preliminary weaknesses or unforeseen issues? Key examples to consider include:
• Any limitations or operational disturbances in critical systems;
• Issues in connectivity with its personnel working remotely; and/or
• Complications with oversight of third-party vendors or service providers.
The ability to identify, record and report weaknesses and issues is integral to the overall effectiveness of your firm’s BCP. How a firm chooses to respond to operational disturbances, and how it pivots and strategizes, will also be of interest during the exam.
The last bullet is highly important as many firms regularly operate and partner with various third-party vendors to offer clients a multitude of services and technology offerings. But during this uncertain time and BCP implementation, firms need to ensure their efforts address the resiliency practices of their key third-party vendors, service providers, and business partners (also known as “vendors”). It is imperative to consider if vendors are operating during the COVID-19 outbreak and how effective their own implementations are regarding service. Some key questions for firms to consider among their vendor relationships include:
• What are their business continuity program activities, such as regularly reviewing and updating their BCP?
• What steps or plans do they have in place for disaster recovery for their systems, such as identifying the locations where data is backed up and recovery time objectives?
• What are their business continuity procedures, such as comprehensive continuity strategies and procedures with all their vendors?
• What communication and alert practices are in place and how effective are the internal and external communication plans with their vendors and clients/customers?
During these uncertain times, firms are heavily reliant on their BCPs and OCIE is extremely aware of this. Their mission and commitment to protecting investors doesn’t change, especially at a time when so much uncertainty remains surrounding today’s market and the pandemic outbreak. The SEC and OCIE staff are available to answer questions or discuss issues during this important time.
Core Compliance and our team of experts can help your firm draft or strengthen its Business Continuity Plan or address any concerns you may have regarding an upcoming SEC Regulatory Examination. Contact our team today at (619) 278-0020.