Last year, the North American Securities Administrators Association — the organization representing state securities regulators — adopted a model rule to require state-registered investment advisers to establish business continuity and succession plans in the event of a natural disaster, cyberattack or other business disruption such as the death of the owner of a sole proprietorship. State regulators are in the process of approving the model rule, which could take several years or longer to take effect across the country.
On the federal level, the Securities and Exchange Commission in June proposed a similar business continuity plan requirement for SEC-registered advisory firms.
Both regulators cite an adviser's fiduciary obligation to protect clients' interests from being placed at risk as the basis for requiring business continuity plans (BCPs). However, the SEC's justification for the proposed rule leaps beyond core fiduciary principles. Instead, the regulator seeks to assert that an adviser's failure to provide a viable BCP would be subject to anti-fraud provisions of federal securities laws.
Specifically, the proposal states, on page 10 of the 96-page release, “We believe it would be fraudulent and deceptive for an adviser to hold itself out as providing advisory services unless it has taken steps to protect clients' interests from being placed at risk as a result of the adviser's inability (whether temporary or permanent) to provide those services.”
The anti-fraud basis for the rule was troubling to David Blass, general counsel at the Investment Company Institute, and a former senior attorney at the SEC. Mr. Blass wrote in the ICI's comment letter that “we strongly disagree with this statement for which the [proposal] provides no legal support. We are concerned that the statement is vague and may lead to claims of fraud simply because an interruption of advisory services occurs.”
Mr. Blass goes on to make a legal argument as to why this is wrong, and that instead of adopting a new rule, even though ICI agrees with the substance of the proposal, the SEC should simply provide guidance under existing requirements.
In fact, the SEC appears to recognize that offering guidance under existing requirements may be a viable alternative. In seeking comments on the proposed rule, the SEC poses a number of specific questions, one of which is: “Rather than adopting the proposed rule, should the Commission issue guidance under rule 206(4)-7 under the Advisers Act addressing business continuity and transition plans?”
ICI seized the opportunity created by the SEC's question, stating in response “… this provision [under Section 206(4)] permits prophylactic rulemaking that makes unlawful certain acts or omissions that may not be inherently fraudulent and deceptive. Explicitly prophylactic rulemaking of this kind is preferable to what the SEC attempts to do in this proposal, because it acknowledges that certain forms of conduct may be problematic without stating that they are, in and of themselves, fraudulent and deceptive.”
While the SEC's proposal is well-intended and generally well-crafted, the ICI has a good point: It appears to be regulatory overkill to go beyond the realm of fiduciary responsibility to a possible presumption of fraud if BCP preparations fall short. Importantly, ICI also noted: “If the SEC deems that an adviser has not taken sufficient steps with respect to its BCP and transitioning planning, and that this is per se fraudulent and deceptive, then presumably the Commission could bring actions against the adviser under Advisers Act provisions other than Section 206(4).”
No one disagrees with securities regulators' interest in making sure advisory firms are focused on protecting client assets. Indeed, investment management and financial planning courses go into great detail over such issues as how to manage portfolio risk, mitigate property and casualty losses through proper insurance planning, and use appropriate laws to protect retirement assets in the event of a bankruptcy. Risk management is truly part of an adviser's DNA.
As fiduciaries, advisers have twin duties of loyalty and care to their clients. Combined, this translates into putting their clients' interests first. This includes taking reasonable and appropriate steps to protect clients' interests if advisers become temporarily or permanently unable to serve clients in the face of internal disruptions (e.g. operational or personnel matters) or external threats such as natural disasters and cyber-risks. Obviously, it is also in the adviser's interest to avoid reputational harm in the event of a serious business disruption.
The bottom line is that advisers who fail to prepare, implement, monitor and test robust business continuity plans place their clients and themselves at risk. Fiduciary shortfalls in this area should rank high on an adviser's priority list of matters for attention.
Blaine F. Aikin is executive chairman of fi360 Inc.