COVID-19: Considerations for Alternative Investment Funds: Managing Compliance Risk While Working from Home (WFH)

The coronavirus (COVID-19) pandemic has changed the way investment advisers operate and manage risk. In the past few weeks of quarantine, they have been managing significant market volatility for their clients while working from home (WFH). 

While many have adjusted to the “new normal” and implemented processes to maintain continuity, some investment advisers may be overlooking compliance risks that can arise during this time of remote working. 

New Compliance Risks

Many compliance officers routinely struggle with ‘paper-based’ compliance programs that require manual monitoring and direct oversight to supervise the firm’s activities.  In this new remote working environment, compliance officers cannot walk the floors or easily access company communications, systems, and documents.  As a result, some of the following new risks may arise:  

• Client Communications: Investors and advisers are adopting new ways of working and many may initiate communications outside of normal channels, e.g., by email, video chat, text, or mobile chat apps, etc. that are typically not monitored. This opens firms to significant risks related to the distribution of material non-public information, insider trading, lack of post-trade records, and unapproved marketing messages.

Firms must have the means to monitor communications.  Emails, video conferences, website posts, and social media can be monitored; however, recording mobile devices and other forms of communication is expensive and not easily implemented. In addition to leveraging technology to monitor these communications, training is the best and most effective way to mitigate these risks. Compliance officers should remind (as frequently as necessary) employees of the risks, giving advisers clear directions as to which alternative means of communications may or may not be acceptable and how to work with clients who may be facing similar communications challenges.

• Code of Ethics Compliance: It is understandable that firms and their employees want to help and the volume of charitable donations and political contributions will certainly increase. New gift giving and inadvertent political contributions may be made. Compliance officers are required to approve these transactions and the increased activity may require additional compliance resources to assess any potential conflicts.
• Broker-Dealer Supervision: Dually registered investment advisers who also maintain a registered broker-dealer have additional risks to consider. The Financial Industry Regulatory Authority (FINRA) expects that its members adjust their business continuity plan and supervisory controls to mitigate the risks of remote working.  Learn more about Compliance Supervisory - Assessing the Impact of Remote Working.  
• Data Protection and Privacy: Cyber threats parallel the coronavirus pandemic as bad actors identify opportunities to attack weak security environments. Just yesterday, Marriott International announced a data breach that exposed up to 5.2 million customers’ personal information. This comes at a very tough time for the company as they have furloughed thousands of employees due to the economic impact of COVID-19. Data privacy will be more of a concern for all organizations, including asset managers, who may now be privy to personal information about employees and investors. 

Identification and safeguarding of personal data are fundamental tenets of all data privacy laws and regulations. The SEC has made it clear (OCIE Alert) that investment advisers are responsible for protecting personally identifiable Information (PII).  In addition, firms that capture (employee and investor) information from New York and California residents need to consider compliance with new state regulations.

These laws continue to apply (perhaps particularly) in times of crisis. Compliance officers need to work with their counterparts in technology to define the firm’s data, identify the risks, and establish the controls required to protect and communicate unauthorized access to local and state authorities. See Technology Tips for Funds and Managing Data Privacy Risks in Private Equity for more information.

Regulatory Guidance and Examinations

Regulators have provided guidance and no-action letters to address the challenges faced by financial service firms. Some key communications include:

Regulators are also focused on maintaining continuity of their supervision and will be conducting examinations remotely. The SEC has specifically stated that “Even with increased telework, the SEC remains able and committed to fully executing its mission on behalf of investors, including monitoring market function and working closely with other regulators and market participants.”  

Compliance Culture

As investment advisers continue to manage the business remotely with distributed resources, it is important that they identify and mitigate potential compliance risks.   It’s inevitable that compliance officers may become sick or be preoccupied with family matters.  Although the gap can be filled with temporary support staff it is also important to ensure that compliance is inherent within the firm’s culture and becomes everyone’s responsibility during these unprecedented times.