In response to 9/11, FINRA created Rule 4370, which requires broker-dealers to maintain Business Continuity Plans (BCPs) “reasonably designed to meet existing obligations to customers.” Regulatory focus on this area helped to minimize impacts of Hurricane Sandy on the New York-New Jersey financial industry in 2012.
Is the SEC now requiring Registered Investment Advisers (RIAs) to have BCPs, too? Well, they clearly think it’s a good idea.
That’s the summary point from a National Exam Program Risk Alert published by the SEC on Aug. 27. According to the Alert, SEC audits recently reviewed the BCPs of approximately 40 RIAs in areas affected by Sandy to assess compliance with applicable laws and rules. Rule 204-of the Investment Advisers Act, requires RIAs to maintain books and records “so as to reasonably safeguard them from loss, alteration or destruction.”
For small RIAs, two main objectives of a BCP are:
- Assuring protection of and access to client data during a disaster or disruption (e.g., through a back-up data site); and
- Having an affiliation with another firm (not in the same area) where staff operations can continue to work temporarily through a disaster. BCPs should be written and shared with the RIA’s key staff people. They need not be communicated to the SEC, except during audit or on demand.