The Office of Compliance Inspections and Examinations ("OCIE") identified compliance issues for broker-dealers and investment advisers resulting from market volatility and operational disruptions due to the COVID-19 pandemic.
In a Risk Alert, OCIE made several recommendations on ways firms can mitigate these compliance risks.
Protection of investors' assets. OCIE recommended that firms implement additional steps for verifying the identity of investors and the authenticity of instructions for disbursement. This would include verifying the authorization of the person making the request and the accuracy of bank account names and numbers. OCIE also encouraged investors, especially elderly and other vulnerable investors, to designate a trusted contact person.
Supervision of personnel. OCIE encouraged firms to review their supervisory and compliance policies and procedures, and modify them, where appropriate, to address oversight concerns stemming from the shift to remote operations. In addition, OCIE suggested that firms address the effect of resource constraints on limited on-site due diligence reviews, the evaluation of third-party managers, investments, and portfolio holding companies.
Practices relating to fees, expenses, and financial transactions. OCIE recommended that firms enhance their monitoring of the accuracy of disclosures, investment valuations, and other calculations.
Investment fraud. OCIE urged firms to be cognizant of the heightened risk of fraud during times of crisis when conducting due diligence on investments, and to report any suspected fraud to the SEC.
Business continuity. OCIE encouraged firms to review their business continuity plans to address the shift to remote operations and to disclose any materially impacted operations to investors, as appropriate.
Protection of sensitive information. OCIE recommended that firms pay special attention to risks associated with access to systems and investor data. OCIE suggested that firms train their personnel on targeted cyberattacks, unsecure communication systems, document encryption, and how to destroy physical records remotely.
The Office of Compliance Inspections and Examinations alerted market participants to reports of sophisticated ransomware attacks targeting SEC registrants and their service providers.