The following post is part of our hedge fund compliance guide for managers who will be required to register as investment advisers with the SEC. After the Dodd-Frank bill, managers with either $100M of AUM (if managing a fund and separate accounts) or $150M of AUM (if managing a fund only) will be required to register and also to implement a compliance program. Under SEC Rule 206(4)-7 those managers will generally need to institute compliance policies and procedures (subject to annual review) and appoint a chief compliance officer. Part of that process will be to institute a business continuity or disaster recovery plan.
The full rule provides:
Rule 206(4)-7 — Compliance Procedures and Practices
If you are an investment adviser registered or required to be registered under section 203 of the Investment Advisers Act of 1940 it shall be unlawful within the meaning of section 206 of the Act for you to provide investment advice to clients unless you:
a. Policies and procedures. Adopt and implement written policies and procedures reasonably designed to prevent violation, by you and your supervised persons, of the Act and the rules that the Commission has adopted under the Act;
b. Annual review. Review, no less frequently than annually, the adequacy of the policies and procedures established pursuant to this section and the effectiveness of their implementation; and
c. Chief compliance officer. Designate an individual (who is a supervised person) responsible for administering the policies and procedures that you adopt under paragraph (a) of this section.
Background on BCP Requirement
While the rule does not specifically mention a “business continuity plan,” the SEC has stated that an adviser has a fiduciary obligation to protect client assets from risks resulting from the adviser being unable to provide advisory services. Thus, an adviser must create and maintain a business continuity plan which is “reasonably designed” to enable the adviser to meet client obligations in the event of a natural disaster, emergency, or significant business disruption.
In the accompanying Adopting Release Report to Rule 206(4)-7, the SEC specifically noted that, at a minimum, policies and procedures established must address, among a number of other issues, the investment adviser’s or the fund’s business continuity plan. [HFLB Note: Other issues the adviser’s policies and procedures should address include: (1) portfolio management, (2) trading practices, (3) proprietary trading and personal trading activities, (4) the accuracy of disclosures, (5) safeguarding client assets, (6) the accurate creation and maintenance of required records, (7) marketing advisory services, (8) process to value client holdings and assess fees based on valuations, and (9) safeguards for the privacy protections.]
The SEC did not, however, detail specific requirements for a business continuity plan, other than to state that it must adequately address the procedures necessary for the investment adviser or the fund to fulfill its fiduciary obligation to protect its clients’/investors’ interests from being placed at risk as a result of the investment adviser’s or the fund’s inability to provide investment advisory or related services after a disaster or disruption occurs.
Because the SEC did not provide direct guidance in this respect, we can, among other resources, look toward FINRA rules on this topic.
FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information)
On April 7, 2004, the SEC approved NASD Rules 3510 and 3520 requiring member firms to establish and maintain business continuity plans that meet specified requirements. FINRA Rule 4370 superseded these rules following the consolidation of NASD and other member regulation, enforcement and arbitration functions of the NYSE regulation into FINRA. FINRA Rule 4370 is nearly identical to the previous NASD rules. The following sets forth the rule.
- Establishing and Maintaining a BCP. Requires firms to create and maintain a business continuity plan that identifies procedures related to an emergency or other significant business disruption and is “reasonably designed to enable the member [firm] to meet its existing obligations to customers.” The business continuity plan procedures must address existing relationships with other broker-dealers and counter-parties. The business continuity plan must be made available upon request by FINRA staff.
- Updating Requirements. The firm must update the business continuity plans in the event of any material change to the adviser’s operations, business, structure, or location. In addition, the business continuity plans must be reviewed at least annually.
- BCP Details. The rules do not provide specific detailed requirements. Instead, they provide a framework for minimum compliance. The following is a non-exhaustive list of 10 key areas that the business continuity plans should address to the extent applicable and necessary.
1. Data back-up and recovery (hard copy and electronic);
2. All mission critical systems;
3. Financial and operational assessments;
4. Alternate communications between the member and its customers;
5. Alternate communications between the member and its employees;
6. Alternate physical location of employees;
7. Critical business constituent, bank, and counter-party impact;
8. Regulatory reporting;
9. Communications with regulators; and
10. How the member will assure customers’ prompt access to their funds and securities in the event that the member determines that it is unable to continue its business.
If a firm does not include one of the elements addressed above, it must document the reason. If the firm relies on another entity to perform certain functions, it must document the relationship with that other entity.
- Plan Approval. The firm must designate a member of senior management who is also a registered principal to approve the business continuity plan and to conduct the annual review.
- Disclosure Requirements. The firm must disclose how the business continuity plan addresses, and how the firm will respond to, future business disruptions of varying scope. The disclosure must, at a minimum, be made in writing to customers at account opening, posted on the firm’s web site (if one exists), and mailed to customers upon request.
- Designating Emergency Contacts. The firm must designate two emergency contact persons. The emergency contact persons must be associated persons. At least one contact person must be both a member of senior management and a registered principal of the firm. If the second contact person is not a registered principal, that person must be a member of senior management who has knowledge of the firm’s business operations. If a firm only has one associated person, then the second contact person must be an individual who has knowledge of the firm’s business operations.
- Updating Requirements. The firm must update the emergency contact information in the event of any material change. In addition, the firm’s Executive Representative or designee must review and, if necessary, update the information within 17 business days after the end of each calendar quarter.
Having an appropriately tailored business continuity plan for your business is essential from both a regulatory and best practices perspective. Managers should have robust programs in place and be ready to show examiners that all statements in the business continuity plan are completely accurate.
Cole-Frieman & Mallon LLP provides comprehensive registration and compliance services for SEC registered investment advisers. Bart Mallon, Esq. can be reached directly at 415-868-5345.