When an investment adviser is designing its policies and
procedures you need to identify the risks for their firm so they address those
risks. A big risk is missing an applicable requirement under the regulatory
scheme. So you sit down with the regulations and tie them to your specific
policies and procedures.
An easy one to miss is the requirement for having a
business continuity plan. It's in Rule 206(4)-7.
Oh, you don't see anything about business continuity in
the rule? It's not in the rule, it's in the Release for
We believe that an adviser's fiduciary obligation to its
clients includes the obligation to take steps to protect the clients' interests
from being placed at risk as a result of the adviser's inability to provide
advisory services after, for example, a natural disaster or, in the case of
some smaller firms, the death of the owner or key personnel. The clients of an
adviser that is engaged in the active management of their assets would
ordinarily be placed at risk if the adviser ceased operations. [SEC
Release No. IA-2204]
There is not much in the release to help you understand
what is required, but there are two good places to help you.
One is to look at an intragency paper published by The
Federal Reserve Board, the Office of the Comptroller of the Currency and the
Securities and Exchange Commission on business
continuity objectives. They lay out four broad sound practices for core
clearing and settlement organizations and firms that play significant roles in
critical financial markets:
The other source (more practical source) is the disaster
recovery requirements of broker/dealers. FINRA
Rule 4370 is their emergency preparedness rule. They have a template for small introducing firms to help start
designing a plan.
additional commentary on developments in compliance and ethics, visit Compliance Building,
a blog hosted by Doug Cornelius.