“Set It and Forget It” Won’t Cut It Anymore: New SEC Proposed Rules Require Investment Advisers to Monitor Outsourced Services

In today’s world, outsourcing has become the norm — and investment advisers have been outsourcing their accounting, custody, and other back-office responsibilities for years. However, with increasing regulatory requirements and an ever-expanding number of investment options and trading strategies to choose from, coupled with pressure to lower fees, busy advisers have started to outsource even more services. For example, outsourcing front office services, such as investment research, data analytics, trading and risk management, and compliance, can be a cost-effective way to manage responsibilities.

Outsourcing also has other benefits, such as reducing the risk of improperly performing a function that firm personnel are not equipped to handle. If advisers don’t have the capacity or ability to perform all the necessary tasks effectively, they may outsource them to specialists, who in turn educate advisers on new industry developments and requirements. Advisers also reap the benefits of the service firm’s investment in technology that streamlines and automates processes. Lastly, hiring a third party can be cheaper than hiring a full-time employee.

The increased use of third-party service providers is something regulators are keenly aware of, including the United States Securities and Exchange Commission (SEC). Regulators understand the benefits of outsourcing and support its use, but they also believe that without the proper controls in place, outsourcing could significantly harm investment advisers’ clients. The SEC is also concerned that once a service provider is engaged, many advisers are not appropriately monitoring and following up to ensure the services are properly performed. These advisers follow a “set it and forget it” mentality, which the SEC believes could lead to potential violations of their fiduciary responsibilities to their clients.

In response to these concerns and in line with its mission to increase adviser oversight, in October 2022 the SEC proposed a new rule and rule amendments under the Investment Advisers Act of 1940 (the Act) to ban Registered Investment Advisers (RIAs) from outsourcing certain services and functions without conducting due diligence and monitoring the service providers. In a 3-2 vote, the SEC proposed new Rule 206(4)-11 (the New Proposed Rule) and amendments to Rule 204-2 (the Recordkeeping Rule) and Form ADV under Act (collectively, the Proposal). The comment period for the Proposal was open through December 27, 2022, and the final rule is still pending.

The Proposal is designed to address what the SEC called the evolving asset management industry and RIAs’ increased use of service providers to perform certain core functions. Regulators believe RIAs should meet minimum requirements prior to and during such outsourcing. This Proposal will impact not just RIAs but also service providers because they will have to help RIAs comply with the rule.

Consider this statement in the Proposal: “When an investment adviser holds itself out to clients and potential clients as providing advisory services, the adviser implies that it remains responsible for the performance of those services and will act in the best interest of the client in doing so. Outsourcing a particular function or service does not change an adviser’s obligations under the Advisers Act and the other Federal securities laws. In addition, the adviser is typically responsible for the advisory services through an agreement with the client that represents or implies the adviser is performing all the functions necessary to provide the advisory services. An adviser remains liable for its obligations, including under the Act, the other Federal securities laws and any contracts entered into with the client, even if the adviser outsources functions. In addition, an adviser cannot waive its fiduciary duty. Accordingly, an adviser should be overseeing outsourced functions to ensure the adviser’s legal obligations are continuing to be met despite the adviser not performing those functions itself. As a fiduciary, an investment adviser cannot just “set it and forget it” when outsourcing.“

The proposal did not cover all forms of outsourcing. Instead, it focused on the functions the SEC views as higher risk. The SEC is seeking to minimize these risks through the New Proposed Rule and amendments under the Act, which would require RIAs to:

• Conduct due diligence prior to engaging certain service providers to perform certain covered services and functions;
• Periodically monitor the performance and continued use of a service provider;
• Provide census-type information about the service provider on Form ADV; and
• Make and/or keep books and records demonstrating their due diligence and monitoring of the service provider and obtain reasonable assurances that the service provider will meet certain standards.

What is a service provider?

In the New Proposed Rule, service providers are defined as persons or entities that (1) perform one or more covered functions and (2) are not a supervised person1 of the adviser. There is no distinction between third-party providers and affiliated service providers. There are also no exceptions for service providers that are subject to the other provisions of the Act (including SEC-registered investment advisers) or other federal securities laws.

What is a covered function?

Per the New Proposed Rule, there are two elements of a covered function: Functions that are necessary for the adviser to provide its investment advisory services in compliance with federal securities laws, and those that, if not performed or if performed negligently, would be reasonably likely to cause a material negative impact on the adviser’s clients or their ability to provide investment advisory services. Clerical, general office functions or services, and certain other functions are excluded from the definition.

The SEC stated that functions or services related to an adviser’s investment decision-making process and portfolio management would generally be considered covered. Examples include functions that:

1. Relate to providing investment guidelines (including maintaining restricted trading lists).
2. Create and provide models related to investment advice.
3. Create and provide custom indexes.
4. Provide investment risk software or services.
5. Provide portfolio management or trading services or software.
6. Provide portfolio accounting services.
7. Provide investment advisory services to an adviser or the adviser’s clients (sub-advisory services).

The SEC noted that it would not consider functions performed by marketers and solicitors to be covered functions since these services are not used to provide investment advice to clients.

Whether a function may have a “material negative impact” if not performed or performed negligently (the second element of a covered function) depends on certain facts and circumstances. These could include a material financial loss to a client or a material disruption in the adviser’s operations that prevents them from making investment decisions. There are a variety of factors that could reasonably have a material negative impact, including but not limited to:

1. The day-to-day operational reliance on the service provider.
2. The existence of a robust internal backup process at the adviser.
3. Whether the service provider is making or maintaining critical records.

The SEC provided examples of potential covered function categories for an adviser to consider:

• Adviser/subadviser
• Client services
• Cybersecurity
• Investment guidelines/restriction compliance
• Investment risk
• Portfolio management (excluding adviser/subadviser)
• Portfolio accounting
• Pricing
• Reconciliation
• Regulatory compliance
• Trading desk
• Trade communication and allocation
• Valuation

Based on the types of services listed, this new Proposal will cover a vast range of providers used by RIAs, such as other advisors, valuation firms, broker-dealers, qualified custodians, index providers, fund administrators, information technology firms, cyber security vendors, compliance advisors, outsourced compliance officers, pricing services, portfolio software vendors, market data providers, risk management services, etc.

There is no requirement for how an RIA might retain a service provider to perform a covered function, but using a written agreement is considered a best practice. However, the Proposed Rule would apply regardless of how the agreement was made.

The Proposal also notes that determining whether an adviser has retained a service provider to perform a covered function would depend on the facts and circumstances. A function may be deemed covered for one adviser but not for another. For example, under the Proposed Rule, an adviser who enters into an agreement with a valuation provider to value all of its clients’ securities, or with a subadviser to manage a certain portion of their portfolio, would be officially engaged with a service provider to perform a function that is necessary to provide its advisory services. However, custodians that are independently selected and retained through a written agreement directly with the adviser’s client, such as a separately managed account (SMA) would not be covered by the Proposed Rule because the client, not the adviser, retained the service provider.

Due Diligence Requirement

The Proposed Rule would require RIAs to document their due diligence process when considering a service provider for a covered function. The SEC outlined many steps and elements of the process. However, it was clear that the due diligence assessment is not intended to be a one-size-fits-all procedure — reasonable due diligence depends on the facts and circumstances specific to the service. The SEC provided six specific elements that should be considered and documented:

1. The nature and scope of the services.
2. Potential risks of the service provider performing the covered function, and how to mitigate and manage these risks.
3. The service provider’s competence, capacity, and resources to perform the covered function.
4. The service provider’s subcontracting arrangements related to the covered function.
5. Reasonable assurances from the service provider about its ability and willingness to coordinate with the RIA to comply with federal securities law.
6. Reasonable assurances from the service provider about its ability and willingness to provide a process for the orderly termination of services.

The Proposed Rule would amend the Recordkeeping Rule to require RIAs to keep certain records related to the due diligence assessment, including a list or other record of covered functions that are outsourced and the name of each service provider, along with the factors that led the RIA to list it as a covered function. A written agreement between the RIA and the service provider can also suffice, provided it explicitly details this information.

Monitoring Requirement

The New Proposed Rule would require the RIA to periodically monitor the Service Provider’s performance of a covered function and determine if it is still appropriate to retain the provider to perform the covered function under the due diligence requirements. How often this must be done would depend on factors such as how frequently the covered function is performed and the complexity of the function, or the risk of a failure to perform or negligently performing the function. The SEC views monitoring as critical to the RIA’s ability to discover and address problems in a timely manner; provide advisory services to clients; and comply with federal securities laws.

Monitoring could include automated scans and reviews of the service provider’s data feeds, periodic meetings with the provider to review service metrics, and contractual requirements to test and approve new systems prior to implementation. RIAs might also need to determine whether there has been any change in the risk profile of a covered function or service provider. The SEC stated that under the Proposal, RIAs should generally consider retaining records such as:

• The service provider’s performance reports.
• Financial, operational, or third-party assessments of a service provider.
• Identification of any new or increased service provider risks and a summary of how the adviser will mitigate such risks.
• Any written policies and procedures applicable to monitoring as part of the amendments to the Recordkeeping Rule.

Amendments to Form ADV

The SEC also proposed amendments to Form ADV that will give both regulators and advisory clients more visibility into service providers that perform covered functions. It proposed creating new item 7.C. in Part 1A of the ADV to indicate whether the RIA has outsourced any covered functions, and new Section 7.C. in Schedule D of the ADV to identify the name of service providers contracted, the location of the service provider’s office, the date the provider was first engaged, and whether the provider is a related person2 of the RIA. Additionally, there would be a requirement to report covered functions that have been outsourced by selecting from a list of predetermined categories, including an “other” category for RIAs to specify an unlisted function.

The SEC feels these disclosures would provide more information about outsourced functions, enabling clients to make better decisions retaining an RIA and enabling the SEC to identify and address and oversee risks related to outsourcing.

Due Diligence and Monitoring Third-Party Recordkeepers

The SEC is also proposing adding a new provision to the Recordkeeping Rule that would apply to RIAs that outsource to third-party recordkeepers. It would require the RIA to perform due diligence and monitoring of that third party consistent with the prescribed methods discussed above for other outsourced covered functions. The RIA would also have to obtain reasonable assurances that the third party:

1. Adopts and implements internal processes and/or systems for making and/or keeping records on behalf of the RIA. These processes must meet the requirements of the Recordkeeping Rule.
2. Provides access to electronic records.
3. Ensures the continued availability of records if the third party’s operations or relationship with the adviser cease.

These requirements were created to protect required records from being lost, manipulated, or destroyed, and to ensure that such records are accessible to the RIA, the SEC, and other regulators.

Our Take

Compliance with these ongoing, stringent requirements could prove extremely costly for RIAs, and particularly for smaller advisers who need to outsource functions for quality and efficiency. RIAs will likely expend more time, money, and energy to comply with the Proposal. This may become a barrier to entry for some advisers.

However, “set it and forget it” just won’t cut it anymore. Regardless of this Proposal’s finality, advisers who outsource should consider instituting some sort of due diligence and provider monitoring now, as it will likely attract the attention of both the SEC and clients — especially institutional investors. It is also a good practice to ensure your clients are serviced properly and your advisory services are performed as expected and in compliance with regulations.

Service providers should also take note of this new Proposal. RIAs will be requesting documentation to support compliance with the Proposal. A comprehensive brochure of your services will help RIAs understand exactly what you offer and if your services would be considered covered in various situations. Information regarding your team’s education, expertise, and certifications related to the covered service should also be readily available.

Additionally, as part of the monitoring process, service providers will need to show proof of performance. Depending on the functions outsourced, that may be complicated to demonstrate. Consider obtaining an independent service auditor report, such as a SOC I Type II (AICPA standards) or an ISAE 3402 (international standards) that will report on the description, design, and operating effectiveness of controls at a service organization. Service providers will also need to prepare regular updates and briefings for the RIAs, which is most likely not part of current practices. Lastly, contracts may need to be enhanced and rewritten to ensure services, risks, and mitigating factors are clearly laid out and expectations are set to comply with the New Proposed Rules.

Whether you are an RIA, thinking of registering as an RIA, or you are a service provider who performs covered functions (this includes sub-advisers, valuation firms, broker-dealers, qualified custodians, index providers, fund administrators, information technology firms, cyber security vendors, compliance advisers, outsourced compliance officers, pricing services, portfolio software vendors, market data providers, risk management services, etc.), you should start thinking about how this new Proposal may impact you and your clients.

Sources

1. https://www.sec.gov/news/press-release/2022-194
2. https://www.sec.gov/rules/proposed/2022/ia-6176.pdf
   1. “Supervised Person” is defined under the Investment Advisers Act as any partner, officer, director (or other person occupying a similar status or performing similar functions), or employee of an investment adviser, or other person who provides investment advice on behalf of the investment adviser and is subject to the supervision and control of the investment adviser.
   2. Related person” is defined as any advisory affiliate and any person that is under common control with an adviser.