Outsourcing by Investment Advisers: SEC’s Proposed Rule Irks Industry
The verdict is in. The comment period for the SEC’s Proposed Rule on Outsourcing by Investment Advisers[i] (the “Proposed Rule”) ended on December 27, 2022 and—at least by some measures—the Proposed Rule has not been well received by the investment management industry. Of the comments provided to the SEC before the end of the comment period, approximately 66% were critical of the Proposed Rule. This figure jumps to approximately 80% if you filter these comments to exclude those who provided input in a personal (i.e., non-professional) capacity.
This article provides an overview of the Proposed Rule, summarizes the significant critical feedback regarding the Proposed Rule and provides guidance for registered investment advisers seeking to get ahead of the obligations the Proposed Rule would impose.
OVERVIEW OF PROPOSED RULE
The Proposed Rule seeks to provide a comprehensive oversight framework for registered investment advisers that outsource core advisory functions. Under this framework, such advisers would be subject to due diligence, monitoring, recordkeeping and other obligations.
While advisers are already subject to a fiduciary duty that requires them to maintain effective oversight over certain service providers, the SEC insists that the adoption of an oversight framework is necessary given advisers’ increasing reliance on outsourcing, the SEC’s lack of visibility into the extent of such outsourcing and the significant risks presented by outsourcing.
The Proposed Rule highlights several risks associated with outsourcing, including the following:
- Risks related to the disruption or interruption of outsourced services;
- Risks of poor oversight of outsourced services;
- Risks involving the potential to defraud, mislead or deceive clients;
- Risks related to the loss and misuse of sensitive client information and data;
- Risks related to the geographic concentration of service provider operations;
- Risks related to the sub-delegation of services; and
- Systemic risk resulting from the reliance on one service provider by several market participants.
Due Diligence Obligations
Under the Proposed Rule, advisers would be required to perform certain due diligence (discussed below) before engaging a service provider[ii] to perform a covered function. A “covered function,” as defined under the Proposed Rule, is a function or service that (i) is necessary for the adviser to provide its investment advisory services in compliance with the Federal securities laws and (ii) if not performed or performed negligently, would be reasonably likely to cause a material negative impact on the adviser’s clients or on the adviser’s abilities to provide investment advisory services.
Although determining whether a function is a “covered function” under the Proposed Rule requires an analysis of the facts and circumstances, the term specifically excludes clerical, ministerial, utility or general office functions. Perhaps confusingly, the Proposed Rule requires advisers outsourcing the maintenance of books and records in compliance with Rule 204-2 (the “Recordkeeping Rule”) of the Investment Advisers Act of 1940 (“Advisers Act”) to treat these services as a covered function.[iii]
Advisers looking to outsource a covered function to a service provider must first perform due diligence to (i) identify the covered function to be outsourced, (ii) determine that it would be appropriate to outsource the function and (iii) determine that it would be appropriate to outsource such function to a particular service provider. This due diligence must consist of (and comply with) the following six elements:[iv]
- Identifying the nature and scope of the covered function the service provider is to perform;
- Identifying, and determining how the adviser will mitigate and manage, the potential risks to clients or to the adviser’s ability to perform its advisory services resulting from (i) engaging a service provider to perform the covered function as a general matter and (ii) engaging a specific provider to perform the covered function;
- Determining that the service provider has the competence, capacity, and resources necessary to perform the covered function in a timely and effective manner;
- Determining whether the service provider has any subcontracting arrangements that would be material to the service provider’s performance of the covered function, and identifying and determining how the investment adviser will mitigate and manage potential risks to clients or to the investment adviser’s ability to perform its advisory services in light of any such subcontracting arrangement;
- Obtaining reasonable assurance from the service provider that it is able to, and will, coordinate with the investment adviser for purposes of the adviser’s compliance with the Federal securities laws, as applicable to the covered function; and
- Obtaining reasonable assurance from the service provider that it is able to, and will, provide a process for orderly termination of its performance of the covered function.
Monitoring Obligations
After an adviser outsources a core advisory function to a service provider, the Proposed Rule would continue to impose robust obligations on the adviser. Specifically, the Proposed Rule would require an adviser to monitor the performance of a covered function in a manner and with such frequency that allows the adviser to determine that it is appropriate to (i) continue to outsource the covered function as a general matter and (ii) continue to outsource the covered function to the service provider.[v] In making these determinations, advisers would be required to perform due diligence that is similar to that performed when initially engaging the service provider.
Recordkeeping Obligations
In addition to requiring due diligence and monitoring obligations, the Proposed Rule seeks to update the Recordkeeping Rule[vi] to require advisers to maintain books and records relating to the following:
- The covered functions outsourced to a service provider, including the name of the service provider and the factors that caused a service or function to be designated a “covered function”;
- The adviser’s due diligence assessment of service providers to which covered functions are outsourced;
- Written agreements entered into with a service provider regarding a covered function; and
- The periodic monitoring of a service provider of a covered function.
Form ADV Disclosure Obligations
The last component of the Proposed Rule’s outsourcing oversight framework would require advisers to disclose, in their Form ADVs, information about service providers engaged to perform covered functions, including the specific covered functions for which the service provider was engaged.
OUTLINE OF CRITICAL FEEDBACK TO PROPOSED RULE
Although several commenters reacted positively to the Proposed Rule, others noted that it is burdensome, costly, unnecessary and exceeds the SEC’s statutory authority. This critical feedback, which mirrors some of the comments made by Commissioner Hester M. Pierce and Commissioner Mark T. Uyeda, is summarized below.
Burdensome and Costly
Commenters predicted that determining whether a service is a “covered function” under the Proposed Rule would increase compliance costs for advisers. For one, advisers may need to engage consultants and attorneys to assist in the analysis. For those covered functions that are highly technical, an adviser may also have to retain a third-party expert to evaluate potential service providers. Even advisers that solely rely on their employees to analyze whether a service is a covered function would be burdened, as these employees would need to find the time to perform this analysis in addition to their existing job responsibilities.
Commenters also raised concerns about the Proposed Rule’s requirement to obtain transparency about an adviser’s service providers—transparency a service provider may be reluctant to provide, given security and other reasonable considerations. For example, the Proposed Rule suggests conducting site visits as a method of performing due diligence on a service provider. Such a due diligence requirement would burden advisers and service providers alike.
However, the burden on service providers does not end there. While the Proposed Rule does not specifically require the renegotiation of existing contracts with service providers, it anticipates changes to service provider agreements in several contexts, including those listed below:
- In order to satisfy an adviser’s due diligence requirement to obtain reasonable assurances from an outsourced service provider that it is able to, and will coordinate with, the adviser for purposes of the adviser’s compliance with the Federal securities laws, an adviser may obtain a representation from the service provider that it is aware of the adviser’s obligations under the Advisers Act and that it will assist the adviser, as applicable, in complying with its obligations as a fiduciary.
- In order to satisfy its requirement to perform due diligence and monitoring of subcontractors used by a service provider, an adviser may obtain contractual comfort that it will be informed of any material incidents that occur with any subcontractor and obtain representations about the steps that the service provider will take to mitigate risks associated with subcontracting arrangements.
Attempting to renegotiate agreements with existing service providers would be a difficult, costly task. Service providers may be reluctant to assist with the adviser’s compliance with its obligations as a fiduciary, fearing that such assistance may subject them to potential liability. Advisers who are unable to renegotiate existing terms with their service providers would be forced to switch to a vendor that may not be the best equipped to serve the adviser’s clients.
Unnecessary
In light of an adviser’s existing fiduciary duty to oversee service providers and an adviser’s inability to waive or modify this duty when outsourcing any service, several commenters viewed the Proposed Rule as unnecessary. Others remarked that existing market dynamics and regulations (e.g., competitive incentives and NFA Compliance Rule 2-9) already promote sufficient oversight of service providers.
Observable data also supports the view, according to some, that the Proposed Rule is unnecessary. Some commenters pointed to the SEC’s history of enforcement actions involving inadequate oversight of service providers, which history suggests that the SEC already has ample authority to regulate outsourcing activities through existing rules and regulations. Reviewing this same history, other commenters noted that there were only two examples involving inadequate service provider oversight over the past four years, indicating that that there is no widespread oversight issue that needs to be addressed.
Outside of Scope of Statutory Authority
The Proposed Rule cites several sections of the Advisers Act as sources of authority for imposing due diligence and monitoring obligations on advisers, including Section 206(4) (authorizing the SEC to propose rules that are reasonably designed to prevent fraud, deception and manipulation), Section 211(a) (authorizing the SEC to issue rules and regulations necessary to exercise functions and powers conferred upon the SEC) and Section 211(h) (authorizing the SEC to (i) facilitate the provision of simple and clear disclosures to investors regarding, among other things, the terms of their relationships with investment advisers and (ii) promulgate rules prohibiting or restricting, among other things, certain sales practices and conflicts of interest for investment advisers that the SEC deems contrary to the public interest and the protection of investors).
Several commenters argued that the Proposed Rule is not within the scope of any of the authority cited by the Proposed Rule. For example, while Section 206(4) of the Advisers Act allows the SEC to adopt rules to prevent fraud, certain aspects of the Proposed Rule are designed merely to prevent sub-par business practices when engaging vendors. Other commenters noted that an adviser’s relationship with a service provider could be deemed deficient, which deficiencies would not rise to the level of fraud, deceit or manipulation were it not for the Proposed Rule being promulgated under Section 206(4) of the Advisers Act.
COMPLIANCE WITH PROPOSED OUTSOURCING RULE OBLIGATIONS
The Proposed Rule does not require an adviser to adopt policies and procedures related to the oversight of service providers performing covered functions. However, were the Proposed Rule to apply to advisers, such policies and procedures would need to be developed given an adviser’s obligations under Rule 206(4)-7 under the Advisers Act. Advisers interested in preparing a policy (or updating an existing one) that factors in the obligations that are contemplated by the Proposed Rule should consider reviewing the checklist below for guidance.
[i] Outsourcing by Investment Advisers, Investment Advisers Act Release No. 6176, 87 FR 68816 (proposed October 26, 2022), available at https://www.sec.gov/rules/proposed/2022/ia-6176.pdf.
[ii] See Id. at 68879 (defining the term “service provider” to include, with respect to an adviser, any person or entity that performs a covered function for the adviser and is not a supervised person of the adviser).
[iii] See Id. at 68878.
[iv] See Id. at 68878-68879.
[v] See Id. at 68879.
[vi] See Id. at 68878.
