By October 5, 2004, investment advisors registered with the U.S. Securities and Exchange Commission ("SEC") must comply with Rule 206(4)-7. The nascent rule dramatically alters the landscape within which investment advisory firms operate and emphasizes the firm's ethical obligations and fiduciary responsibilities, which extend through the firm to each individual firm representative.
The SEC adopted Rule 206(4)-7 in an attempt to protect investors by ensuring that advisors have internal programs to enhance compliance with federal securities laws. The rule requires SEC-registered investment advisors to adopt compliance policies and procedures designed to prevent violations of applicable securities laws, including the Investment Advisers Act of 1940 ("Advisers Act"). The firm must designate a chief compliance officer to administer all adopted policies and procedures, which then must be reviewed on an annual basis in an attempt to ascertain their adequacy and the effectiveness of their implementation.
Although the SEC was silent as to the exact policies and procedures required under the Advisers Act, it is clear that the policies should reflect the advisory firm's reasonable attempt at preventing regulatory violations. Consistent with previously adopted rules, any attempt should consider the specific intricacies of the advisory firm itself and then take into account the practical impact that the policy will have upon the firm's daily operations. It is advisable for the firm to evaluate not only the effect of adoption of any particular policy, but also of the nonadoption of the policy. In certain circumstances, this failure to address an issue of great relevance and importance could result in negative ramifications and an unnecessary exposure to liability for the firm.
Currently, deficiencies are being issued for advisory firms that fail to consider and account for emergency situations that have the potential to interrupt and interfere with the firm's ability to effectively service investment advisory clients. Partly as a result of recent global and domestic events, the SEC mandates business continuity planning for all SEC-registered firms. In fact, requests for such policies have become commonplace during regulatory audits wherein the firm's policy, as well as any corresponding procedures, will be reviewed for their adequacy given the firm's scope and complexity. Attempts at compliance have shown that some firms address business continuity issues by focusing solely upon information technology (e.g., computer back-ups, additional record retention software, etc.), while others focus upon personnel issues (e.g., incapacity of firm key employees, etc.). Regardless of the size or intricacies of the advisory entity, each firm should balance these two general considerations.
The resulting business continuity plan should concentrate on reasonably foreseeable events and the potential impact each would have on the advisory firm's business as well as its ability to service clients. Even though a universally accepted sample policy has yet to be published, the contingency planning process should include appropriate provisions that address the impact an emergency situation would have on various aspects of the firm's investment operations, including, but not limited to, employees, clients, physical facilities, communications, information resources, business operations, regulatory concerns, third-party service providers and financial resources, all within the context of losses to the firm's physical infrastructure, business operations and personnel.
Physical losses relate to those tangible elements that constitute the firm's infrastructure. Business operational losses include those elements that serve as the foundation upon which the infrastructure relies (e.g., financial and information resources) as well as those third-party service providers that are essential to the servicing of client accounts (e.g., custodian, etc.). The overall goal is to identify those tangible and intangible assets and relationships that are susceptible to compromise during an emergency situation.
For example, should the firm's office become inaccessible or firm equipment suffer permanent damage, then the firm must address contingencies intended to account for such situations including the safeguarding of client-related records, the ability of the company to continue to implement investment transactions for its clients and the ability for the company's clients to communicate with the firm. At a minimum, plans for storing, maintaining and restoring computer data and other information should be established. However, the planning process may not stop at this point, as the firm must consider the contingency plans established by any third party with which the advisory firm has established a relationship.
Once established, the business continuity plan should remain flexible enough to allow for the business to grow without interference. However, the company must remain vigilant in identifying potential threats to operations and client service as technology progresses. For instance, the firm should account for losses due to cyber-terrorism and other security breaches in the electronic realm. Electronic mail ("e-mail") may contain attachments with executable code that has the potential to compromise confidential client information. Simple steps, such as the implementation of antivirus software, may aid in the prevention of such harmful downloads. On a firmwide level, it may be appropriate to establish as part of the disaster plan an Internet and e-mail usage policy that prohibits the download of non-employment-related correspondence and requires the scanning of all incoming messages by virus protection software. Similarly, the firm's Internet Service Provider should have adequate procedures to identify and quarantine any virus-infected message prior to delivery. However, the firm should have alternative arrangements to account for disaster situations that afflict the Internet Service Provider, such as a back-up provider, in order to mitigate any indirect effect such a disaster would have on the advisory firm itself.
As the advisory business moves into the future, the challenges it faces will become increasingly complex, none more so than preparing for the loss of personnel, such as the firm principal or sole investment advisor representative. In a larger advisory firm, the other key members may be cross-trained to immediately assume the duties of any disabled key person until his/her return or replacement. Similarly, the loss of any investment advisor representative may have a minimal impact on client service, since the clients once serviced by the now-disabled investment advisor representative may be allocated among the firm's other representatives.
However, the situation in a smaller advisory firm (e.g., single-member limited liability company, etc.) is dramatically different due to practical constraints and potentially limited resources. There may not be additional principals or multiple investment advisor representatives upon whom the firm may rely. Nonetheless, the fiduciary obligation remains the same for the smaller firm and preparations must be effected, which may include arranging for an unaffiliated third party to notify the clients and/or the custodian of the assets relative to the advisory firm's inability to service the accounts. For the vast majority of investment advisors, the optimal solution is to establish a succession strategy, which looks long term at the overall future vision for the firm. This succession plan may be part of the overall business continuity plan, which itself is concerned with the present operations of the business.
As part of the succession plan, the vast majority of multimember firms generally look internally to other employees to assume ownership and/or management positions. The advisory firm may determine to periodically admit new owners or principals based upon merit, or await a mitigating event such as disability, death or retirement to do so. Planning is the key, and the sooner the better.