SEC Proposes New Service Provider Oversight Requirements for Investment Advisers

If adopted as proposed, the Proposal requires a registered investment adviser to

• conduct due diligence before outsourcing core advisory functions and to periodically monitor service provider performance and reassess whether to retain them
• maintain books and records related to their due diligence and monitoring requirements
• collect census-type information about their use of service providers
• conduct due diligence and monitoring of third-party recordkeepers, as well as obtain reasonable assurances that service providers meets certain minimum standards

Public comments are due the later of 30 days after publication in the Federal Register or December 27, 2022.

Our Take

The SEC provides observations of potential issues of clients and investors that purportedly illustrate that “more needs to be done to protect clients and enhance oversight of advisers’ outsourced functions.” However, an adviser already owes a fiduciary duty to its clients, a duty that applies even when the adviser outsources some core functions. Under existing interpretations and SEC exam and enforcement practices, an adviser continues to remain liable for performing functions related to its advisory services whether or not they are outsourced. For this reason, it is unclear why it would be necessary to add a specific requirement for an adviser to develop and implement due diligence and monitoring processes when the adviser outsources core advisory functions as it appears to be a problem for which a solution already exists and is widely and commonly adopted by advisers.

Commissioner Hester Peirce, in her dissenting statement, questioned the need for “a rulemaking reconfirming the incontrovertible fact that outsourcing does not terminate an adviser’s fiduciary duty... The actual number of advisers who think that they are off the hook when it comes to outsourced services likely is negligible and, even if it is not, we do not need new rules to hold them to account.”

The Proposal also presents significant interpretive issues with respect to what constitutes a “covered function.” Among the 101 questions on which the SEC requests comments in the Proposal is the question “Is the proposed definition of ‘covered function’ clear?” While the Proposal states that the definition is meant to be defined “more narrowly than all of the functions an investment adviser might outsource to a service provider,” the Proposal is relying on adviser chief compliance officers (CCOs) to make these determinations on a case-by-case basis based on the facts and circumstances of each outsourced covered function. To avoid being second-guessed, CCOs may err on the side of caution and treat each outsourced relationship as a covered function, which will significantly increase the costs of compliance, in terms of both monetary budgets and expanded working hours. Commissioner Mark Uyeda in his dissenting statement pointed out the challenges ahead for adviser CCOs when it comes to interpreting what services should be considered covered functions:

…under a technical reading of the proposed definition of ‘Covered Function,’ almost any function outsourced by an investment adviser could trigger the numerous oversight functions set forth in the proposed rule. What is a chief compliance officer to do? An already burdensome regulatory regime is made ever more burdensome when the functions that trigger the rule’s requirements are not clearly spelled out.

The Proposal — Rule 206(4)-11

The SEC acknowledges that investment advisers have outsourced a wide range of functions for a long time. Noting that regulatory assets under management have roughly tripled over the past decade (from $47 trillion to $128 trillion), the SEC believes that advisers have increased their reliance on third parties to perform certain core advisory functions that they can do more efficiently. These functions include investment research, data analytics, trading and risk management, index creation, and compliance, to name a few. The SEC also points to third-party technology platforms that offer roboadvisory services as an additional area of outsourcing and outsourcing risk.

The SEC also acknowledges that outsourcing can provide benefits to clients but expressed concern that clients could be “significantly harmed” if the adviser does not adequately oversee the service provider. As the basis for the proposed rule, the SEC states that the absence of effective oversight of outsourced functions by an investment adviser “would be misleading, deceptive, and contrary to the public interest. Moreover, disclosure cannot address this deception.”

What Would Be Covered

The proposed rule defines a “covered function” to mean

a function or service that is necessary for the investment adviser to provide its investment advisory services in compliance with the Federal securities laws, and that, if not performed or performed negligently, would be reasonably likely to cause a material negative impact on the adviser’s clients or on the adviser’s ability to provide investment advisory services.

A covered function under the Proposal does not include clerical, ministerial, utility, or general office functions or services.

The Proposal states that whether a particular outsourced service should be deemed a covered function will depend on the facts and circumstances. According to the SEC, those facts and circumstances include whether the adviser itself has entered into an agreement with a third-party to provide a service related to portfolio management (e.g., portfolio valuation) or whether the client has independently selected and contracted with the third-party to provide a service (e.g., custody). What may be a covered function for one adviser may not be a covered function for another adviser, depending on the facts and circumstances.

The Proposal includes corresponding amendments to Form ADV Part 1A and provides a nonexhaustive list of categories of services that an adviser should consider as potentially being a covered function, including

• investment functions such as acting as adviser or subadviser or portfolio management or providing risk or compliance support for investment guidelines or restrictions
• investment portfolio support such as portfolio accounting, asset pricing, trade reconciliation, trading desk functions, trade communication and allocation services, and valuation services
• support services such as regulatory, cybersecurity, and client services

An adviser may identify an unlisted category if it believes the service or function performed by the relevant service provider is not represented by the predetermined categories on the newly amended Form ADV. The proposed ADV amendments also include new disclosures of census-type data about the relevant service providers.

The Proposal also defines a “service provider” as a person or entity that

• performs one or more covered functions
• is not a “supervised person” of the adviser as defined in Section 202(a)(25) of the Advisers Act¹

While the Proposal excludes an adviser’s supervised persons from the definition of a service provider, it does not distinguish between third-party providers and affiliated service providers. The definition also applies to entities that are already subject to compliance with federal securities law such as subadvisers or SEC-registered broker-dealers.

Proposed Due Diligence and Ongoing Monitoring Obligations

The Proposal also requires certain minimum due diligence and ongoing monitoring practices. For example, before engaging a service provider to perform a covered function, an investment adviser is required to “reasonably identify and determine” that it is appropriate to outsource that covered function and that the selected service provider is the appropriate choice to perform such function by evaluating at least six elements:

• nature and scope of the services
• potential risks to clients or to an adviser’s ability to perform its advisory services resulting from the service provider’s performing the covered function, including how to mitigate and manage such risks
• the service provider’s competence, capacity, and resources necessary to perform the covered function in an effective manner
• the service provider’s subcontracting arrangements related to the covered function that would be material to the performance of such function
• ability to obtain reasonable assurance from the service provider that it will coordinate with the adviser for purposes of complying with federal securities law
• ability to obtain reasonable assurance that the service provider will provide a process for the orderly termination of the provision of the covered function by the service provider

The Proposal notes that conducting due diligence is not meant to be a “one-size-fits-all process.” The SEC expects the due diligence practices conducted by the investment adviser to be “reasonably” tailored to fit the nature, scope, and risk profile of a covered function and potential service provider based on applicable facts and circumstances.

The Proposal also requires an investment adviser to monitor the service provider’s performance of the covered function and periodically reassess the selection of the service provider using the six due diligence elements discussed above. The manner and frequency of ongoing monitoring, and the requirement to periodically reassess performance, will depend on the facts and circumstances. Addressing the timing and frequency of ongoing monitoring, the SEC states that an investment adviser should consider the “materiality and criticality of the outsourced covered function to the ongoing business of the adviser and its clients,” the frequency with which the covered function is performed, its overall complexity, and the potential risks to clients if the service provider fails to perform or negligently performs such covered function.

Expanded Books and Records Requirements

The Proposal states that Rule 206(4)-7, the compliance rule, requires an adviser to establish written compliance policies and procedures that would address compliance with Rule 206(4)-11, if adopted.

But the Proposal also amends the books and records rule (Rule 204-2) to require an adviser to retain certain specific records relating to the due diligence assessment of a covered function and associated service provider. Among other things, the Proposal requires an adviser to maintain a list of outsourced covered functions and the name of each applicable service provider as well as a record of the factors that led the adviser to include it in the list as a covered function.

Investment advisers are also required to document their initial due diligence assessment and periodic reassessment of each service provider and to maintain records of written agreements with the service provider as well as policies, procedures, or other documentation showing how the advisers mitigate and manage identified risks at both the covered function and service provider levels.

The Proposal does not specify the type of records that would comply with the new recordkeeping requirements but cites examples including, among other things,

• service-provider-generated performance reports
• a summary of findings of any financial, operational, or third-party assessments of the service provider
• identification of any new or increased service provider risks and a summary of how the adviser will mitigate or manage those risks
• any amendments to service provider agreements including a record of any changes to the nature and scope of the covered function the service provider is to perform
• a record of any inadequate or failed performance by a service provider and the responses from the investment adviser

Proposed Third-Party Recordkeeping Obligations

The Proposal also establishes a framework for due diligence and monitoring of third parties that perform a recordkeeping function for investment advisers. An investment adviser that relies on a third-party to make and/or keep books and records required by the Advisers Act recordkeeping rule is required to conduct due diligence and monitoring of the third-party recordkeeper consistent with new Rule 206(4)-11 as though the recordkeeping function is a covered function and the third-party recordkeeper is a service provider, as each term is defined in the Proposal.

Under the proposed third-party recordkeeping requirements, an investment adviser is required to obtain reasonable assurances that the third-party recordkeeper has the ability to meet four additional specific standards relating to the recordkeeping rule’s requirements:

• adopt and implement internal processes and/or systems for making and/or keeping records that meet the requirements of the recordkeeping rule applicable to the adviser in providing services to the adviser
• make and/or keep records that meet all of the requirements of the recordkeeping rule applicable to the adviser
• provide access to electronic records
• ensure the continued availability of records if the third-party’s operations or relationship with the adviser cease

The Proposal acknowledges that advisers are already subject to a number of rules and regulations that “indirectly address” the oversight of service providers and that the newly proposed requirements may overlap with existing practices currently used by advisers in implementing their policies and procedures under Rule 206(4)-7 and, for advisers of registered investment companies, their compliance procedures and practices under Rule 38a-1 under the Investment Company Act. The Proposal suggests, without specific details, that these new requirements are complementary to existing regulations rather than redundant or conflicting. For the already overly burdened adviser CCOs working through a number of sweeping regulatory proposals introduced by the SEC in the past year, we anticipate that the Proposal will be viewed as adding compliance costs that significantly outweigh any real or theoretical additional safeguards or protections for clients or investors.