Business continuity planning is no longer just a best practice for hedge funds, as the Securities and Exchange Commission (SEC) now requires most hedge funds to maintain up-to-date business continuity programs. This article explains the new regulatory mandates and describes a recommended approach that hedge funds can employ to not only meet the spirit and intent of new SEC requirements, but also begin building toward business continuity readiness.
New Rules for Hedge Funds
In July 2010, Congress passed the Dodd-Frank Wall Street Reform and Consumer Protection Act, which has far-reaching implications spanning the entire financial services industry. Prior to the Dodd-Frank Act, hedge funds and investment advisers were not required to register with the SEC if they maintained fewer than fifteen clients during the previous twelve months and did not present themselves to the public as an investment adviser. With the recent removal of this exemption, many investment advisers, hedge funds and private equity firms are now bound to the requirements set forth in the Investment Advisers Act of 1940. Now, managers with either $100M of assets under management in a fund and separate accounts or managers with $150M of assets under management in only one fund are required to register as an investment adviser with the SEC and implement compliance policies and procedures that will be subject to an annual audit. The full text of the rule is found below:
Rule 206(4)-7 — Compliance Procedures and Practices
If you are an investment adviser registered or required to be registered under section 203 of the Investment Advisers Act of 1940 it shall be unlawful within the meaning of section 206 of the Act for you to provide investment advice to clients unless you:
a. Policies and procedures. Adopt and implement written policies and procedures reasonably designed to prevent violation, by you and your supervised persons, of the Act and the rules that the Commission has adopted under the Act;
b. Annual review. Review, no less frequently than annually, the adequacy of the policies and procedures established pursuant to this section and the effectiveness of their implementation; and
c. Chief compliance officer. Designate an individual (who is a supervised person) responsible for administering the policies and procedures that you adopt under paragraph (a) of this section.
The SEC released Rule 206(4)-7 in February 2004 to foster a fiduciary duty of good faith among registrants to act in the best interest of their clients with reporting, bookkeeping, maintaining records and filing reports with respect to private funds. In an accompanying notice released with the rule, the SEC stated ten areas for inclusion under the policies and procedures provision in the above rule, with the tenth being “business continuity plans”.
Business Continuity Requirements
In footnote 22 of the Final Rule: Compliance Programs of Investment Companies and Investment Advisers document released December 2003, the SEC clarifies the importance of business continuity planning for investment advisers, hedge funds and private equity funds by stating:
“We believe that an adviser’s fiduciary obligation to its clients includes the obligation to take steps to protect the clients’ interests from being placed at risk as a result of the adviser’s inability to provide advisory services after, for example, a natural disaster or, in the case of some smaller firms, the death of the owner or key personnel. The clients of an adviser that is engaged in the active management of their assets would ordinarily be placed at risk if the adviser ceased operations.”
But that is the extent of the SEC’s guidance for business continuity planning, which introduces a key challenge: how can hedge funds develop and implement business continuity plans that meet the expectations of the SEC?
FINRA Rule 4370
Avalution recommends that hedge fund management use FINRA Rule 4370 as a guide to provide specific requirements. While it is not specifically required for all SEC-registered organizations (such as hedge funds), the SEC co-authored the original version of the rule with the National Association of Securities Dealers (NASD). The original version of the rule, which evolved into NYSE Rule 446 and NASD’s Rule 4730, outlines a series of business continuity requirements for financial firms. FINRA Rule 4370 is now becoming the de facto standard for all SEC-registered financial firms because the SEC was involved in its original creation.
FINRA 4370 states organizations “must create and maintain business continuity plans identifying procedures relating to an emergency or significant business disruption” and update those plans annually or after any significant change to operations, structure or business location. The framework of the business continuity planning must contain these ten minimum compliance elements:
- Books and records backup and recovery (hard copy and electronic).
- Identification of all mission-critical systems and backup for such systems.
- Financial and operational risk assessments.
- Alternate communications between customers and the firm.
- Alternate communications between the firm and its employees.
- Alternate physical location of employees.
- Critical business constituent, bank and counter-party activity.
- Regulatory reporting.
- Communications with regulators.
- How the member or member organization will assure customers prompt access to their funds and securities in the event the member or member organization determines it is unable to continue its business.
The full text of FINRA Rule 4370 can be found here.
In some instances, pieces of the above elements may be irrelevant. If so, an organization can identify which item is not included and provide specific justification for its omission. In addition to the above requirements, FINRA Rule 4370 requires organizations to:
- Address a wide array of specific scenarios for potential business disruptions, ranging from building-wide, to a business district, to an entire city or even the region
- Designate a senior management representative to approve and annually review the plan
- Disclose to clients, in writing, how the business continuity plan will be implemented during a significant business interruption: when an account is opened, on request by mail, and by posting on the company’s website.
Overall, FINRA 4370 provides a solid starting point for establishing a business continuity capability for hedge funds.
Avalution recommends that hedge fund management companies consider the following three steps in order to get started toward a higher level of business continuity readiness:
- Identify experienced professionals – internal or external – who can assist with establishing and maturing the program
- Name a program sponsor, and solicit input from management regarding an appropriate program scope and objectives; define a program governance structure that clarifies long-term roles and responsibilities
- Perform a business impact analysis in order to confirm the program scope and establish acceptable recovery objectives
Following the successful execution of these three activities, the hedge fund management company and its executive team will be well on the way to identifying, implementing and evaluating response and recovery strategies that protect their investors’ interests and position the organization to survive a wide range of catastrophic events, both addressing regulatory requirements and providing operational stability during potential business interruptions.