While there are many risks to starting a business, one of the greatest is the potential for a low-probability but high-impact “business disruption”, from the unexpected death of a key employee, to a cyber-attack or a natural disaster like a hurricane.
Arguably, having a plan to contend with such business disruptions is simply good business, but the SEC has noted that, in the aftermath of events like Hurricanes Katrina and Sandy, not all RIA firms appear to be sufficiently prepared to contend with a significant business disruption.
Accordingly, the SEC has proposed a new Rule 206(4)-4, which would make it unlawful to provide advisory services to clients unless the RIA has a business continuity and transition plan (that is reviewed at least annually). In fact, the SEC has stated that it views having a business continuity plan as essential for an advisor to fulfill their fiduciary duty; or viewed another way, the firm that isn’t prepared for a business disruption isn’t prepared to fulfill its fiduciary duty to clients.
While still only a proposed rule at this point, the SEC’s effort to require a business continuity plan comes on the heels of a similar Model Rule put forth by NASAA last year for state-registered investment advisers, and seems likely to pass in some form.
For many SEC-registered RIAs, the new rule will simply be a ‘healthy’ nudge to enact continuity plans that should be a matter of good business anyway. Though in some cases, the greatest challenge will not be figuring out business continuity in the event of a disaster, but a transition plan in the event that the advisory firm owner unexpectedly dies – a requirement that necessitates either the orderly wind-down of the business, or establishing a buy/sell agreement now to ensure that another firm can step in to act if necessary. Could such a requirement finally spur interest from more advisory firm sellers in what up until now has been a marketplace dominated by buyers?
Existing SEC Requirements For Business Continuity Plan Under Rule 206(4)-7
Having a plan to ensure continuity for clients in the event of a business disruption – whether internal due to the loss of a key employee, or external from a natural disaster – is arguably just good business sense. To do otherwise would, as the label implies, risk the continuity and outright survival of the business, in the event that a significant business disruption does occur.
Unfortunately, though, the reality is that not every registered investment adviser has an adequate business continuity plan. In some cases, it’s because the firm has tried to create one, but has not sufficiently considered the business disruption risks and how to respond to them. In other cases, the RIA doesn’t have a business continuity plan simply because it’s never bothered to create one and/or would just rather “take the risk”, and hasn’t been challenged to do otherwise by its clients in the marketplace. In fact, the SEC has specifically noted that while institutional investors and ultra high net worth clients commonly ask for an investment firm’s business continuity and disaster recovery plans, the average retail investor does not typically make such inquiries. In other words, while it’s good business to have a business continuity plan, the marketplace alone does not appear to be a sufficient mechanism to ‘force’ firms to adopt such plans.
Accordingly, in 2004 the SEC promulgated Investment Advisers Act Rule 206(4)-7, which required (SEC-registered) investment advisers to formally adopt written compliance procedures, and appoint a Chief Compliance Officer (CCO) to oversee and be accountable for the firm’s implementation of those procedures. And while RIAs were granted flexibility to determine exactly what those compliance processes and procedures would be, based on the needs of the business, the SEC did specifically note that at a minimum the firm’s compliance manual should address a business continuity plan in the event of a natural disaster or the death of an owner or key staff member.
Notwithstanding this requirement, though, the SEC has more recently observed that business continuity plans still vary widely from one RIA to the next, both with respect to the breadth of the plan (the range of business disruptions it anticipates) and the depth of the plan (how thoroughly it addresses the potential issues). And given major natural disasters over the past decade, in particular including Hurricane Katrina in 2005 and Hurricane Sandy in 2012, it has become apparent that not all RIAs are sufficiently prepared for major widespread disaster events. For the SEC, this is a concern not only from the perspective of seeing businesses continue, but also because an advisory firm that is at risk for a business disruption is at risk of failing to deliver on its fiduciary duty of care to clients.
New SEC Proposed Rule 206(4)-4 would Enact Fiduciary Obligation For A Business Continuity Plan (BCP)
Given these concerns, on June 28th the SEC has formally proposed a new Investment Advisers Act Rule 206(4)-4, which would explicitly require RIAs (registered with the SEC) to adopt a formal, written business continuity and transition plan, to ensure they are capable of delivering on their fiduciary obligation to clients. In fact, under the proposed rule, it would be unlawful to provide advice without a written business continuity and transition plan that is reviewed at least annually!
In this context, a “business continuity and transition plan” is defined under the new Rule 206(4)-4(b) to cover two core contingencies: 1) “business continuity after a ‘significant’ business disruption”; and 2) “business transition in the event that the investment adviser is unable to continue providing investment advisory services to clients.”
In other words, business continuity is about continuity of service to clients in the event of an internal (e.g., loss of key personnel) or external (e.g., weather event or cyber attack) business disruption. A transition plan is about ensuring the orderly transition of client investments, advisory services, and client data, in the event that something happens to the advisor themselves and the clients must be transitioned. Notably, this means a “transition plan” isn’t necessarily a requirement to have a “succession plan” – though that would be one way to fulfill the requirement – as it could be a buy-sell exit plan to another advisory firm, or simply an orderly wind-down and dissolution of the advisory business.
Recognizing that not all RIAs have the same needs and issues, the proposed rule ultimately leaves flexibility for the RIA to define its own business continuity plan. Still, given the potential reach of widespread business disruptions (e.g., a major hurricane or other natural disaster, or a cyber-attack, or a loss of a key employee), the rule does define key areas that must be addressed, along with a requirement that it be reviewed annually.
Key Business Continuity Plan (BCP) Requirements Of Proposed Rule 206(4)-4
Under the proposed Rule 206(4)-4, a business continuity plan would be required to address four key areas:
Maintenance of critical operations and protections, and the protection, backup, and recovery of data. A business continuity plan requires knowing which of the key operational functions of the business are critical, and being prepared to maximize business continuity of those functions in the event of a disruption. For the typical RIA, this would likely include the ability to execute trades for client accounts, and the ability to oversee and manage the accounts (which means being able to access portfolio accounting software and trading tools). Notably, a business continuity plan is expected to recognize that “business disruptions” could include no access to electronic data (e.g., an internet/power outage) or no access to hard data (e.g., cannot access the office building), which means it is crucial to have a backup physical list of client contact details, along with contact information for key third-party services/vendors, at a non-office location.
Pre-arranged alternative physical location(s) for adviser’s offices. In the SEC’s view, having an alternative/remove location is essential for an advisor to continue providing services in the event of a significant business disruption. Notably, this doesn’t just mean having an alternative location that is a few miles up the street from the original office, in the event that the office building were to burn down (or some similar business disruption). Given the widespread impact of major weather events like Hurricanes Katrina and Sandy, the SEC suggests that an alternative location may well be in an entirely different geographic region of the country. Ostensibly, this doesn’t necessarily mean the advisor must have an entire second office leased, but at a minimum the advisory firm should have a clearly identified plan/strategy for what alternative location will be used, where it would be, and who to contact to active the alternative location plan.
Communication With Clients, Employees, Service Providers, and Regulators. In order to maintain continuity through a major business disruption, it’s necessary to have a plan to communicate with clients, employees, and key service providers… recognizing that normal internet access may be unavailable, and/or that the advisory firm’s physical office space is inaccessible. This presents challenges regarding not only the means of communication – sending an email may not be feasible if there is a power outage – but also having the information of who to contact (as the advisory firm’s CRM data may not be accessible either). Thus, when it comes to communication, a business continuity plan should have a strategy on how key client contact information will be made available to employees, when and how clients will be contacted, how employees themselves will be notified of the next steps if the business continuity plan is being executed, and how key service providers will be reached and communicated with to notify them of the situation and implement key operations on behalf of clients.
Identification and assessment of third-party services critical to operation of the adviser. In today’s environment, some advisory firms handle the majority of their tasks internally, while others rely heavily on outsourcing and third-party service providers to execute their core operations. Accordingly, the SEC expects that a business continuity plan will clearly identify any/all third-party service providers who are critical to the operation of the advisory firm, and that advisors will vet the business continuity plans of those third-party providers. If a disaster strikes the third-party provider, how will the advisory firm be serviced under their business continuity plan? For the typical RIA, this might include the RIA custodian, and key third-party software systems (e.g., portfolio management and trading software), as well as any operational outsourcing providers. If necessary, advisors should have alternative vendors identified as a fallback.
Key Transition Plan Requirements Of New Rule 206(4)-4
In addition to the requirements for business continuity planning in the event of a business disruption, the proposed Rule 206(4)-4 also explicitly requires a “transition plan” in the event of the death of the advisor(y firm owner).
As noted earlier, this does not necessarily mean the SEC is requiring an advisory firm to have a full succession plan – though that would certainly be one method to ensure continuity of the business and service to clients. Instead, the primary focus is on how the business and its clients would be transitioned if the business is not going to continue in its current form, and instead must be sold to another firm and/or simply wound down altogether.
Accordingly, the key requirements of a business transition plan include:
- Policies and procedures to safeguard, transfer, and/or distribute client assets during a transition;
- Policies and procedures to facilitate the prompt generation of any client-specific information necessary to transition each account (e.g., providing the relevant client files and client data to the successor advisor);
- Information regarding the corporate governance structure of the advisory firm (so a potential buyer or key vendor knows who to contact to execute the transition plan if the primary owner is gone);
- Identification of any material financial resources available to the adviser (to provide operating capital during a transition); and the
- Assessment of applicable law and contractual obligations governing the adviser and impacted by the transition (for instance, will the advisory firm sell the assets and liabilities of the firm, or the business entity itself, and if being sold does the transaction recognize that advisory agreements include a provision that the contract itself cannot be assigned to a third party without client consent?).
Ultimately, the goal is simply to recognize that if the advisory firm will not continue and needs to be transitioned, it should be done in a manner that minimizes any disruption to the actual advisory services that the client is receiving.
Cost-Benefit Analysis And Implications Of Proposed BCP Rules
As a part of its proposed rulemaking process, the SEC includes a cost-benefit analysis of the potential requirement for a business continuity and transition plan for advisory firms.
Of course, it’s difficult to estimate the prospective benefit of having a business continuity plan, not knowing the likelihood of a major business disruption in the first place. It’s hard to estimate the probability of the next major hurricane impacting any particular advisor, or the potential for a major cyber-attack to strike. Though clearly having a plan for dealing with such business disruptions leaves consumers more likely to be well served by their advisors.
The costs, on the other hand, are somewhat more straightforward to estimate. The total cost to develop a business continuity plan will vary to some extent based on the complexity of the firm, and its sheer size alone will dictate much of that complexity (a $100M firm with a median of 4 employees is much more straightforward to handle for business continuity planning than a $1B firm with a median of 28 employees). And given that business continuity plans will vary by the advisory firm and be specific to the advisory firm, most of the ‘cost’ will be the internal staff and labor hours to develop the plan (plus a nominal cost for making arrangements like additional software backups and a reservation for an alternative location).
Accordingly, the SEC estimates that the cost for a small firm (under $100M of AUM) might be about $30,000 of total staff costs plus outside support, and about 50 hours of staff time; for a ‘mid-sized’ firm (between $100M and $1B of AUM), the total cost would be $70,000 of staff and labor costs; and very large firms ($1B up to many billions of AUM) could face costs of several hundred thousand dollars or more if it becomes necessary to maintain separate staff and fully outfitted alternative locations (as a large firm with dozens of staff cannot be quickly and easily relocated).
Of course, the more a firm is already up-to-speed on its business continuity plan, the less the incremental cost will be to comply with the new rule. And once the initial plan is established, maintaining it from there should be less costly; the SEC estimates firms would only face an expense of about 1/4th the initial cost to do their annual review of the business continuity and transition plan, and update it as necessary.
Implications Of A New Requirement For RIA Business Continuity And Transition Plans
The SEC’s decision to require a business continuity and transition plan for SEC-registered investment advisers shouldn’t come as a surprise, given that NASAA put forth a Model Rule last year that would enact similar requirements for state-based RIAs as well. Notably, this also means that even though the SEC’s rule would only apply to RIAs registered with the SEC (generally those over $100M of AUM, or smaller RIAs that operate in 15+ states), state-registered investment advisers will soon have their own rule anyway (as states enact their version of the NASAA Model Rule).
Nonetheless, it remains unclear how many independent RIAs are really prepared to address the SEC’s requirements, without a significant effort. Of course, that is ultimately the point – recognizing that it’s better to go through the motions of figuring out a business continuity plan now, than in real-time when/after a disaster has struck. The SEC estimates a firm with $100M to $1B of AUM may spend 250 hours of staff time sorting through all the implications and decisions in preparing a business continuity plan – a burden that may be ‘manageable’ but is still costly in time, resources, and focus. On the other hand, the SEC’s proposed rule is actually not very different from the NASAA Model Rule either, which similarly requires the firm to address the backup and protection of client data, an alternative means of communication with clients and employees and vendors, a plan for office relocation in the event of a natural disaster, and an assignment of duties to qualified responsible persons in the event of a loss of key personnel.
Although ultimately, I suspect that the primary ‘change’ that will be driven by the proposed SEC rule is not the “business continuity” requirement, but the obligation to formulate a “transition plan” in the event of a death of the owner. As noted earlier, having a(n internal) succession plan is certainly one option to satisfy the requirement, but given that a wind-down probably won’t be appealing (as it dissipates the value of the business!), the new rule may spur fresh interest in third-party “exit plans” where an external buyer commits to a buy/sell agreement with the advisory firm. Especially given that so far, there are very few companies currently forming such agreements (with the notable exceptions being Focus Financial’s “Succession Partners” solution, and our own Pinnacle Advisor Solutions’ PRISM program).
For now, though, the SEC’s rule is just a proposed rule, which now enters a 60-day open comment period. And the SEC includes a long list of areas for feedback, including clarity about whether the new rules would be unduly burdensome on some firms, whether the rule should apply to all SEC-registered investment advisers or just a subset of them, whether a standalone rule is really necessary at all, if there are additional components that should be added as requirements (or some that might be removed), and whether RIAs should be required to publish their business continuity plans, notify clients, or even file them with the SEC to improve industry transparency on the issue.
Those who wish to comment on the rule can submit a comment directly via email to [email protected] (note “File Number S7-13-16” in the subject line, which identifies this particular rule proposal), or you can submit feedback via the SEC’s internet-based public comment form. The comment period will remain open for 60 days after the rule is formally published in the Federal Register (which is anticipated soon).
So what do you think? Is the proposed rule for a business continuity and transition plan for SEC-registered RIAs reasonable? Will you be submitting feedback during the comment period? Please share your own thoughts in the comments below!