Recent provisions promulgated by the Private Fund Investment Advisers Registration Act of 2010, a section of the Dodd-Frank legislation, require managers to register with the SEC and implement a suitable compliance program if they either (a) have $100M of AUM (if managing a fund and separate accounts) or (b) have $150M of AUM (if managing a fund only). Under SEC Rule 206(4)-7 of the Investment Advisers Act of 1940, those managers will need to design and manage a business continuity plan as part of the compliance program.
Since the SEC has stated that an adviser has an obligation to protect its clients’ assets from risks resulting from the adviser being unable to provide advisory services, an adviser must create and maintain a business continuity plan which is “reasonably designed” to enable the adviser to meet client obligations in the event of a natural disaster, emergency, or significant business disruption.
In the accompanying Adopting Release Report to Rule 206(4)-7, the SEC specifically noted that, at a minimum, policies and procedures established must address, among a number of other issues, the investment adviser’s or the fund’s business continuity plan. (1)
Globally, many business recovery standards are developing to meet the needs of international organizations, such as the British Standards Institution’s BS 25999. It is important to assess which standard is appropriate for your organization, taking into consideration the nature of the business, international acceptance of BCP practices in your markets and management’s approach regarding risk management (not only regarding business continuity issues but also risk analysis and mitigation activities).
Fortunately, best practice guidance is available to financial market participants from many credible sources. The SEC has co-authored the Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System, and SIFMA and the MFA have published best practice guidelines for financial industry participants. Additionally, FINRA provides specific guidance for member firms under Rule 4370 (2). These include many areas of focus that are relevant to private fund advisers insofar as they can provide a framework for best practices:
- Establishing and Maintaining a BCP. Guidance provided addresses the creation and maintenance of a business continuity plan that identifies procedures related to an emergency or other significant business disruption and is “reasonably designed to enable the member [firm] to meet its existing obligations to customers.” The business continuity plan procedures should address existing relationships with other…counter-parties.
- Updating Requirements. Guidance related to updating the business continuity plan in the event of any material change to the adviser’s operations, business, structure, or location; the plan should also be reviewed at least annually.
- BCP Details. The rules do not provide specific detailed requirements. Instead, they provide a framework for minimum compliance. The following structure consists of some of the key areas that business continuity plans should address to the extent required:
  - Data back-up and recovery (hard copy and electronic);
  - All mission critical systems;
  - Financial and operational assessments;
  - Alternate communications between the member and its customers;
  - Alternate communications between the member and its employees;
  - Alternate physical location of employees;
  - Critical business constituent, bank, and counter-party impact;
  - Regulatory reporting;
  - Communications with regulators; and
  - How the member will assure customers’ prompt access to their funds and securities in the event that the member determines that it is unable to continue its business.
- As part of the process, business constituents, banking and counter-party relationships would be identified and analyzed with respect to operational redundancies or required references to needed continuity structure in the context of external and internal events.
- Plan Approval. Guidance related to the designation of a member of senior management who is also a registered principal to approve the business continuity plan and to conduct the annual review.
- Disclosure Requirements. Guidance related to disclosing how the business continuity plan addresses future business disruptions of varying scope and how the firm will respond to them. The disclosure must, at a minimum, be made in writing to customers at account opening, posted on the firm’s web site (if one exists), and mailed to customers upon request.
- Designating Emergency Contacts. Guidance related to the designation of emergency contact persons. The emergency contact persons should be associated persons. At least one contact person should be both a member of senior management and a registered principal of the firm. If the second contact person is not a registered principal, that person should be a member of senior management who has knowledge of the firm’s business operations. If a firm only has one associated person, then the second contact person should be an individual who has knowledge of the firm’s business operations.
A firm planning a top-down approach to business continuity implementation, one that mitigates the effects of disruptions to the business through a plan, will need to focus on its strategic business priorities and review the relevance of guidelines within that context. Some specific items to work through in order to accomplish this are proposed by SIFMA (3):
- Regulatory requirements – SEC guidance may be forthcoming – will FINRA become the model?
- Risk Management including exposures of vendors and to counter parties
- Executive ownership, commitment, and support of the program.
- Program as part of the company culture recognizing it is part of “doing business”
- Adequate funding and staffing
- What business activities are in scope?
- Do you know your exposures?
- Who are your customers and what are their expectations?
- What is your reliance on critical vendors?
- What is your reliance on critical infrastructure, clearing firms, administrators?
- What functions/operations/products are critical?
- What are the minimal resources required to maintain the business for a selected time period?
- What immediately non-critical functions become critical after a given time period?
- What is the “proximity” risk to your firm (internal and external)?
- Investment Adviser: the “adviser” to a private fund is specifically understood, in the legal sense, to be responsible for compliance with the Investment Advisers Act, as well as to the investment clients they represent.
- Mission critical system: means any system that is necessary, depending on the nature of a member’s business, to ensure prompt and accurate processing of securities transactions, including, but not limited to, order taking, order entry, execution, comparison, allocation, clearance and settlement of securities transactions, the maintenance of customer accounts, access to customer accounts and the delivery of funds and securities.
- Financial and operational assessment: means a set of written procedures that allow a member to identify changes in its operational, financial, and credit risk exposures.
public register those securities and provide prospective investors with adequate disclosure in the form of an investment prospectus (5).
- Investment Advisers Act of 1940 (As it relates to the Private Fund Investment Advisers Registration Act of 2010): Another act requires the registration of anyone in the business of offering investment advice per se, such as the adviser to an investment company, as well as advisers to institutional and individual clients. The Investment Advisers Act of 1940 promulgates disclosure rules with respect to the adviser’s interests in all transactions it undertakes, and also contains anti-fraud provisions.
- Obtain executive level commitment and strategic insight prior to implementation
- Decide the business and technology mix for the solution and thus the implementation project planning:
- Will application resiliency drive the strategy?
- Will business impact analysis drive the strategy?
- Secure essential ad hoc resources required to manage an effective implementation:
- Legal counsel and compliance assessment
- Operations and IT project management
- Portfolio Management and Trading: codification of clearly defined backup processes and reduced business risk
- Risk and Compliance: Recovery platform designed to mitigate key risks and provide an up-to-date risk and regulatory mechanism for regulatory inquiries
- Client Services: Up-to-date risk management and client reporting transparency for client inquiries and new business requests
- Operations and IT: codification of clearly defined backup processes and reduced operational risk
(1) Mallon, Bart. Business Continuity Plans (Disaster Recovery Plans) | Investment Adviser Registration. Retrieved October 18, 2010, from http://www.hedgefundlawblog.com
(2) Amended by SR-FINRA-2009-036 eff. Dec. 14, 2009.
(3) SIFMA (2008) The Business Continuity Program – Expanded Practices Guidelines. New York. Business Continuity Planning Committee
(4) Securities and Exchange Commission, Division of Investment Management website (www.sec.gov). SME, legal & industry interpretations appended.
(5) “Protecting Investors: A Half Century of Investment Company Regulation”, United States Securities and Exchange Commission, Division of Investment Management, May 1992