COVID-19 has already had a significant impact on the investment advisory community and its service providers. STRAIT, a provider of regulatory compliance, fund administration, investor services, and management company services has begun communicating with the community its response to developments. These events also potentially present compliance challenges that must be promptly addressed. A framework of how to think about these issues is set forth below.
- Has the firm’s personnel been directly exposed to COVID-19 or is there a need for accommodations to reduce risk?
- Are the firm’s current employee policies adequately covering a response to exposure or risk reduction measures? If so, have they been communicated, initiated and are they working (e.g. effective performance, clear communication channels, critical vendor connectivity, no bypass/breakdown in application of cyber security or confidentiality policies)?
- Is the firm considering or have they adopted employee policy changes to accommodate employee concerns or exposure to COVID-19? If so, what are they, have they been communicated and initiated, and do they effectively address risk/are they working?
Business Continuity Plan
- Do answers to the above questions reflect an adequate disruption to initiate the firm’s disaster recovery-business continuity plan?
- Does the firm’s disaster recovery-business continuity plan adequately address current risks/impacts (e.g. redundancies for key persons, remote access technology, portfolio company impact) and reflect the firm’s developing response to COVID-19, and if not, what edits are required?
- Is this a good opportunity to conduct and document and test of the firm’s disaster recovery-business continuity plan?
Legal Agreements/Regulatory Documents
- How does the firm’s impact from/response to events compare to the its regulatory filings, disclosures and related risk factors? Do PPMs, Form ADVs, DDQs/marketing material, force majeure clauses need to be revised?
- Are portfolio managers trading/managing/monitoring accounts in a way that is counter to disclosed strategy, risk mitigation measures, investment limitations, or otherwise in breach of fiduciary duties?
- Does the firm’s impact from/response to events implicate provisions in investor side-letters (e.g. key man provisions) such that communications or other actions must be taken?
- Does the firm’s impact from/response to events implicate provisions in collateral agreements or credit lines? Do credit lines remain available if needed?
- Does the firm’s impact from/response to events require reminders to employees of established policies (e.g. handling of complaints, approved client communications) or does it demonstrate the need to update the compliance manual due to lack of guidance/controls?
- Are service providers prepared to assist the firm as events develop? Have they provided their disaster recovery-business continuity plans, have they been initiated, and how are they working?
- Do contracts with service providers have adequate SLAs or other provisions to account/compensate for developing events and reduction of service
- Are offshore providers (e.g. Cayman directors, administrators) considering delaying required meetings or relocating temporarily to other jurisdictions?
- Do you have clear line of sight to portfolio management, legal, HR, operations, and executive functions to assess developing firm events and responses?
- Has standardized messaging to clients/investors been developed and has it been determined who should communicate the messaging?
- Has anyone gone “off message”, engaged in rumor mongering, disclosed confidential portfolio/firm information?
- Are there any controls that need to be implemented to prevent unapproved communications, including to media or via unapproved channels (e.g. app-based communication, social media)?
- Are client/investor communications coming into the firm, are they being adequately addressed or redirected, and do they amount to complaints that need to be documented?
STRAIT’s Regulatory Compliance Directors and Associates are attorneys with extensive experience in development of business continuity-disaster recovery plans and crisis management. They are available to aid RIAs in need of help. As always, they are also available to provide:
- Compliance Consulting
- Launch Services
- Regulatory Filings
- Compliance Program Design
- Full Compliance Program Outsourcing