David McNeal, Consultant and Contributor of My Compliance Blog
Email Us to schedule a brief session to review needs
Cory Roberson, Principal of FIN Compliance and FIN Lancer
May 26, 2019. According to a study by the North American
Securities Administrators Association (“NASAA”), business continuity and
succession planning is an ongoing concern for many financial service providers,
vendors, consultants, and investment advisors.
Given the growing threats to safeguarding client data, as well as
the rise of the mobile worker, we took a little time to dive further into this
issue that is also referenced in a 2019 NASAA Investment Advisor
Report.
Firms can ease many of these concerns by assessing
their own vulnerabilities, including cybersecurity practices.
What are SEC-firm requirements on these
matters?
Currently, there are no federal statutory requirements for
consultants to implement a business continuity or succession plan. However, the
Securities and Exchange Commission (“SEC”) proposed a requirement for investment
advisors to implement business continuity and succession plans. As it stands today, that rule proposal
has not been finalized. With that said,
a continuity plan is a general expectation for firms to have in place and could
be a rule requirement from another regulatory body that the firm must uphold. (ref. amend Rule 204-2;
proposal Rule 206(4)-4)
NASAA and state securities examiner
views on continuity plans
At the state level, the North American Securities Administrators
Association (“NASAA”) requires registered advisors to implement a business
continuity and succession plan to minimize risks “that could result from a sudden significant business disruption” (“SBD”). (ref. Model Rule
203(a)-1A or 2002 Rule 411(c)-1A)
A Franklin Templeton case study
on continuity plans
According to the
study, firm participants were asked, “How
prepared is your business continuity and succession plan?” Only 64% of participants were either somewhat
or not completely prepared to address their own business continuity
requirements.
Not very prepared | 12%
Neutral | 18%
Somewhat prepared | 34%
Very prepared | 28%
Important Tips for Business Continuity
and Succession Planning
Consider these steps to effectively implement your plans:
· Know your Plan;
· Establish Roles and Responsibilities;
· Communicate;
· Practice and Participate.
*Sole proprietors can look at establishing a plan by seeking
business continuity partners*
A solid business continuity plan is only as strong as the firm’s
employees who execute it, and therefore, training and education are critical
elements of its success.
The following are scenarios that could impact a RIA’s business
operations:
· Equipment or application failure;
· Disruption of power supply or telecommunication services;
· Human error;
· Death/Incapacitation;
· Natural Disasters (hurricanes, tornadoes, snowstorms, fires);
· Terrorist Attacks;
· Cybersecurity incidents (hacking, phishing or fraud).
The death or unavailability of key personnel may also change the
Adviser’s business relationship with creditors and outside vendors, which may
also result in a reduction in the credit available for the Adviser.
Did you know?
Most advisors without a
succession plan recognize the potential perils of not having one:
Fifty-four percent see a
significant risk and 41% see some risk, the FPA study shows. Also, 97% of
them say they will create a plan at some point.
For smaller operations, the
lack of a succession plan is more acute: Just 13% of advisors at firms
managing less than $50 million have a formal plan, compared with 60% of those
at firms with $500 million or more in managed assets.
Having a blueprint for how your company will run if you or an
important employee unexpectedly leaves is crucial — not only to your business,
but to your clients.
Advisers should consider the following items when drafting a
Succession Plan to ensure that the policy adequately accounts for the risks
related to the business entity:
Are the clients’ investment advisory contracts with an individual
or a legal entity?
Does an Adviser Representative’s death or unavailability affect
the advisory agreements?
How will the Adviser ensure continuity of services to the client?
What will happen in the event of death or incapacity of the
manager of discretionary accounts?
How will the death or unavailability of certain individual owners
affect the legal ownership of the firm and the registration status of the
entity and/or its new owner(s)?
Does the Adviser only have one person with IARD access?
What will happen if that contact is no longer available?
Who is responsible for dealing with creditors and vendors?
Who will rebate advisory fees if fees are paid in advance?
An effective Disaster Recovery Plan can ensure the uninterrupted
availability of advisory services to clients in a compliant manner after a
disaster.
Some example procedures include:
Contingency arrangements for loss of key personnel, such as the
president or primary portfolio manager, either temporarily or permanently;
The protection, backup, and recovery of books and records through
appropriately secured means that ensure ongoing compliance with Regulation S-P
and other confidentiality requirements;
Maintaining accurate and up-to-date contact information for all
third-party service providers, including custodians, broker-dealers, transfer
agents, pricing services, and research firms;
Alternate communication protocols to contact staff and clients,
such as cell phones, text messaging, web-based email accounts, or an Internet
website;
A pre-arranged remote location for short-term and possible
long-term use.
Temporary lodging for key staff where necessary as a result of a
relocation of the firm;
Maintaining sufficient insurance and financial liquidity to
prevent any interruption to the performance of compliant advisory services;
Familiarity with the business continuity plans of such third-party
service providers;
Effective training of staff on how to fulfill essential duties in
the event of a disaster, including compliance matters; periodic testing,
evaluation, and revision of disaster preparedness plan;
Developing a coherent cybersecurity strategy is now one of the
most critical challenges facing Registered Investment Advisors (RIAs). Companies
should review their cybersecurity policies and procedures for any compliance
gaps and ensure that employees are adequately trained.
Some examples of common policies that can be included in your
company’s cybersecurity plan include:
● Acceptable Use
● Acceptable Encryption
● Data Breach Response
● Digital Signature Acceptance
● Email
● Password Construction/Protection
● Remote Access
● Router and Switch Security
● Wireless Communication
● Technology Equipment Disposal
● Information Logging
● Software Installation
● Server Security
Third Party Risk Management
If key business functions and related activities are performed by
an affiliate of the fund, a third-party service provider, or some combination
thereof, you should review these four key areas with your vendors at least on
an annual basis:
Business Continuity Programs
Succession Plans
Disaster Recovery Procedures
Cybersecurity Policies
Need help deciphering your firm’s business
continuity, succession, and/or cybersecurity needs? We can help you with some resources to get
started.
Connect with other firms for business continuity, partnerships, and/or other planning
1- Review our Advisor Directory
2 - Create a profile
Compliance and Business Management
FIN Compliance (FINCompliance.io) is a consortium of compliance services including: RIA Consults-Roberson Consults Group, a compliance consulting firm; RIA Review, a compliance-management software tool (SaaS); B-D Review, an RIA/Broker-Dealer compliance management software tool; and FINLancer, a business management portal featuring e-signature tools, invoicing integration, a vendor directory, a continuity directory*, a business client document portal, and more (available by Q3 2019). Access all services on one site: FINCompliance.io
Impact
FIN Missions (FINmissions.com) provides business support group sessions for other entrepreneurs. In addition, Cory has volunteered for more than fifteen youth programs in locations such as S. Korea, China, S. Africa, Thailand, and India.